mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

90 Commits

Author SHA1 Message Date
Jelmer Vernooij
9ebcd7a0df r26277: Move loadparm context higher up the stack.
(This used to be commit 38fa08310c)
2007-12-21 05:48:03 +01:00
Jelmer Vernooij
fc2f06d31b r26274: Some syntax fixes, remove more global_loadparm instances.
(This used to be commit 3809113d86)
2007-12-21 05:47:58 +01:00
Jelmer Vernooij
43696d2752 r26252: Specify loadparm_context explicitly when creating sessions.
(This used to be commit 7280c1e941)
2007-12-21 05:47:29 +01:00
Jelmer Vernooij
f4a1083cf9 r26227: Make loadparm_context part of a server task, move loadparm_contexts further up the call stack.
(This used to be commit 0721a07aad)
2007-12-21 05:47:04 +01:00
Jelmer Vernooij
ca0b72a1fd r26003: Split up DB_WRAP, as first step in an attempt to sanitize dependencies.
(This used to be commit 56dfcb4f2f)
2007-12-21 05:45:40 +01:00
Stefan Metzmacher
529763a9aa r25920: ndr: change NTSTATUS into enum ndr_err_code (samba4 callers)
lib/messaging/
lib/registry/
lib/ldb-samba/
librpc/rpc/
auth/auth_winbind.c
auth/gensec/
auth/kerberos/
dsdb/repl/
dsdb/samdb/
dsdb/schema/
torture/
cluster/ctdb/
kdc/
ntvfs/ipc/
torture/rap/
ntvfs/
utils/getntacl.c
ntptr/
smb_server/
libcli/wrepl/
wrepl_server/
libcli/cldap/
libcli/dgram/
libcli/ldap/
libcli/raw/
libcli/nbt/
libnet/
winbind/
rpc_server/

metze
(This used to be commit 6223c7fddc)
2007-12-21 05:45:02 +01:00
Jelmer Vernooij
60a1046c5c r25430: Add the loadparm context to all parametric options.
(This used to be commit fd697d77c9)
2007-10-10 15:07:31 -05:00
Jelmer Vernooij
98b57d5eb6 r25035: Fix some more warnings, use service pointer rather than service number in more places.
(This used to be commit df9cebcb97)
2007-10-10 15:05:43 -05:00
Jelmer Vernooij
ffeee68e4b r25026: Move param/param.h out of includes.h
(This used to be commit abe8349f9b)
2007-10-10 15:05:38 -05:00
Andrew Bartlett
06a6194ead r24061: Another part of bug #4823, which is that until now Samba4 didn't parse
the logon hours, even if set.

This code was happily stolen from the great work in Samba3 :-)

Andrew Bartlett
(This used to be commit a4939ab629)
2007-10-10 15:01:21 -05:00
Andrew Bartlett
d02d0301be r23503: use hdb_dbc not hdb_openp.
Andrew Bartlett
(This used to be commit 3a21304de0)
2007-10-10 14:53:22 -05:00
Stefan Metzmacher
5f76f986ff r23488: hdb_openp has changed from void * to int...
lha: what is the reason for this? it's really bad to use
     an int for storing a pointer value...

metze
(This used to be commit 625a659856)
2007-10-10 14:53:19 -05:00
Stefan Metzmacher
ad7e7249b6 r21441: create a union for the PrimaryKerberosBlob content
so that ndr_pull will fail if version isn't 3 and we notice
if the format changes...

metze
(This used to be commit 91f7a094cf)
2007-10-10 14:48:35 -05:00
Stefan Metzmacher
6e2d85e38b r21434: - get rid of "krb5Key"
- use "sambaPassword" only as virtual attribute for passing
  the cleartext password (in unix charset) into the ldb layer
- store des-cbc-crc, des-cbc-md5 keys in the Primary:Kerberos
  blob to match w2k and w2k3
- aes key support is disabled by default, as we don't know
  exactly how longhorn stores them. use password_hash:create_aes_key=yes
  to force creation of them.
- store the cleartext password in the Primary:CLEARTEXT blob
  if configured

TODO:
 - find out how longhorn stores aes keys
 - find out how the Primary:WDigest blob needs to be constructed
   (not supported by w2k)

metze
(This used to be commit e20b53f6fe)
2007-10-10 14:48:34 -05:00
Stefan Metzmacher
ac8669cf5c r21390: move fetching the key version number into the function
which constructs the keys...

later we need to get the key version number from the
"replPropertyMetaData" attribute entry to (I assume)
the "unicodePwd" attribute.

msDs-KeyVersionNumber is a constructed attribute,
and is "1" when no "supplementalCredentials" is present.

we need to make some tests with a password change function
which doesn't give a cleartext to the server...

metze
(This used to be commit 9e43242217)
2007-10-10 14:48:25 -05:00
Stefan Metzmacher
cdafaa15b5 r21363: fallback to fetch the KEYTYPE_ARCFOUR out of the "unicodePwd" attribute
when no krb5key attribute is present or it doesn't contain the KEYTYPE_ARCFOUR
key.

metze
(This used to be commit b4af29da70)
2007-10-10 14:48:20 -05:00
Stefan Metzmacher
bd3d88c69d r21330: move fetching of krb5 keys into its own function
metze
(This used to be commit 0f1eb00b41)
2007-10-10 14:48:13 -05:00
Andrew Bartlett
08976cb3d2 r20639: Commit part 1 of 2.
This patch updates our build system and glue to support a new snapshot
of lorikeet-heimdal.

We now produce a [SUBSYSTEM] in the ans1_deps.pl script, and can depend
on that in the heimdal_build/config.mk.  This is much easier than
listing every generated .o file individually.

This required some small changes to the build system, due to the way
the parent directory was handled for the output of scripts.  I've also
cleaned up et_deps.pl to handle cleaning up its generated files on
clean.

The PAC glue in Heimdal has changed significantly: we no longer have a
custom hack in the KDC, instead we have the windc plugin interface.
As such, pac-glue.c is much smaller.  In the future, when I'm
confident of the new code, we will also be able to 'downsize'
auth/kerberos/kerberos_pac.c.

(I'll include the updated copy of heimdal in the next checkin, to make
it clearer what's changed in Samba4 itself).

Andrew Bartlett
(This used to be commit 75fddbbc08)
2007-10-10 14:37:20 -05:00
Andrew Bartlett
cb785a891b r20406: Metze's change in -r 19662 broke Kerberos logins from Win2k3.
The reason is long and complex, but is due to forwardable tickets:

We would extract the forwardable ticket from the GSSAPI payload, and
look for the expiry time of the ticket for krbtgt/REALM@REALM.

However, with -r 19662 the ticket is given to the client as being for
krbtgt/realm@REALM, as it asked for a lower case realm.  Heimdal is
case sensitive for realms, and bails out.  (It should just not store
the forwarded ticket).

We need to co-ordinate changes in the KDC with relaxation of checks in
Heimdal, and a better kerberos behaviour testsuite.

Andrew Bartlett
(This used to be commit be4c1a36b0)
2007-10-10 14:30:24 -05:00
Simo Sorce
ea212eb00f r20034: Start using ldb_search_exp_fmt()
(This used to be commit 4f07542143)
2007-10-10 14:28:51 -05:00
Simo Sorce
a9e31b33b5 r19832: better prototypes for the linearization functions:
- ldb_dn_get_linearized
  returns a const string

- ldb_dn_alloc_linearized
  allocs a string with the linearized dn
(This used to be commit 3929c086d5)
2007-10-10 14:28:22 -05:00
Simo Sorce
4889eb9f7a r19831: Big ldb_dn optimization and interfaces enhancement patch
This patch changes a lot of the code in ldb_dn.c, and also
removes and add a number of manipulation functions around.

The aim is to avoid validating a dn if not necessary as the
validation code is necessarily slow. This is mainly to speed up
internal operations where input is not user generated and so we
can assume the DNs need no validation. The code is designed to
keep the data as a string if possible.

The code is not yet 100% perfect, but passes all the tests so far.
A memleak is certainly present, I'll work on that next.

Simo.
(This used to be commit a580c871d3)
2007-10-10 14:28:22 -05:00
Stefan Metzmacher
3ba2a9dfcf r19662: windows 2003 kdc's only rewrite the realm to the full form,
when the client is using the netbios domain name as realm.

we should match this and not rewrite the principal.

This matches what windows gives:

metze@SERNOX:~/prefix/lorikeet-heimdal/bin> ./kinit administrator@SERNOXDOM4
administrator@SERNOXDOM4's Password:

metze@SERNOX:~/prefix/lorikeet-heimdal/bin> ./klist
Credentials cache: FILE:/tmp/krb5cc_10000
Principal: administrator@SERNOXDOM4.MX.BASE

Issued           Expires          Principal
Nov 11 13:37:52  Nov 11 23:37:52  krbtgt/SERNOXDOM4@SERNOXDOM4.MX.BASE

Note:
I need to disable the principal checks in heimdal's
_krb5_extract_ticket() for the kinit to work.

Any ideas how to change heimdal to support this?

For the service principal we should use
the realm and principal in req->kdc_rep.enc_part
instead of the unencrypted req->kdc.ticket.sname
and req->kdc.ticket.realm to have a trusted value.

I'm not sure what we can do with the client realm...

metze
(This used to be commit cfee02143f)
2007-10-10 14:25:26 -05:00
Andrew Bartlett
3c1e780ec7 r19604: This is a massive commit, and I apologise in advance for its size.
This merges Samba4 with lorikeet-heimdal, which itself has been
tracking Heimdal CVS for the past couple of weeks.

This is such a big change because Heimdal reorganised its internal
structures, with the mechglue merge, and because many of our 'wishes' have been granted:  we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code.  We have adapted to upstream's choice of API in these cases.

In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO
PAC.  This matches windows behaviour.  We also have an option to
require the PAC to be present (which allows us to automate the testing
of this code).

This also includes a restructure of how the kerberos dependencies are
handled, due to the fallout of the merge.

Andrew Bartlett
(This used to be commit 4826f17351)
2007-10-10 14:25:03 -05:00
Andrew Bartlett
13dbee3ffe r19598: Ahead of a merge to current lorikeet-heimdal:
Break up auth/auth.h not to include the world.

Add credentials_krb5.h with the kerberos dependent prototypes.

Andrew Bartlett
(This used to be commit 2b569c42e0)
2007-10-10 14:25:00 -05:00
Simo Sorce
59b66744f7 r19299: Fix possible memleaks
(This used to be commit 6fad80bb09)
2007-10-10 14:21:04 -05:00
Jelmer Vernooij
0329d755a7 r17930: Merge noinclude branch:
* Move dlinklist.h, smb.h to subsystem-specific directories
 * Clean up ads.h and move what is left of it to dsdb/
   (only place where it's used)
(This used to be commit f7afa1cb77)
2007-10-10 14:16:54 -05:00
Andrew Tridgell
b21b119cbc r17824: add a wrapper for the common partitions_basedn calculation
(This used to be commit 09007b0907)
2007-10-10 14:16:45 -05:00
Simo Sorce
a23b63a8e5 r17516: Change helper function names to make more clear what they are meant to do
(This used to be commit ad75cf8695)
2007-10-10 14:15:31 -05:00
Andrew Bartlett
795c279462 r16964: Remove extra debugs no longer required in a working KDC
Implement the 'DES only' flag.

Andrew Bartlett
(This used to be commit 9d42bb4b3d)
2007-10-10 14:10:03 -05:00
Andrew Bartlett
da9a31b228 r16237: Use an appropriate basedn for these searches, so they occur into the
correct partition.

Andrew Bartlett
(This used to be commit f661dafe4e)
2007-10-10 14:09:07 -05:00
Andrew Bartlett
e0bb0e9f95 r16056: Fix errors found by trying to use our kpasswd server and the Apple client.
Andrew Bartlett
(This used to be commit ae2913898c)
2007-10-10 14:08:54 -05:00
Jim McDonough
64fe1e92a5 r15883: Make sure timegm() prototype is available (on systems where we've had to
replace it)
(This used to be commit eef117e445)
2007-10-10 14:08:37 -05:00
Andrew Tridgell
cdc64c448d r15853: started the process of removing the warnings now that
talloc_set_destructor() is type safe. The end result will be lots less
use of void*, and less calls to talloc_get_type()
(This used to be commit 6b4c085b86)
2007-10-10 14:08:32 -05:00
Andrew Tridgell
8d130005a1 r15830: fixed two kdc memory leaks
(This used to be commit cc290ece92)
2007-10-10 14:08:30 -05:00
Jelmer Vernooij
172a83d724 r15573: Fix build of systems that have iconv headers in non-standard locations
Split of system/locale.h header from system/iconv.h

Previously, iconv wasn't being used on these systems
(This used to be commit aa6d66fda6)
2007-10-10 14:05:58 -05:00
Andrew Bartlett
490d6120a9 r15497: I'm not really sure this is correct in terms of how we should be responding to
krbtgt/MY.REALM@MY.REALM

TGS ticket requests, but for the moment, these are still marked as
'server' requests by the kerberos5.c caller.

Andrew Bartlett
(This used to be commit afaee0a6b7)
2007-10-10 14:05:42 -05:00
Andrew Bartlett
835926c879 r15481: Update heimdal/ to match current lorikeet-heimdal.
This includes many useful upstream changes, many of which should
reduce warnings in our compile.

It also includes a change to the HDB interface, which removes the need
for Samba4/lorikeet-heimdal to deviate from upstream for hdb_fetch().
The new flags replace the old entry type enum.

(This required the rework in hdb-ldb.c included in this commit)

Andrew Bartlett
(This used to be commit ef5604b877)
2007-10-10 14:05:39 -05:00
Andrew Bartlett
7a0b65efce r15480: Patch from lha, to ensure we don't leave a free()'ed element in the
principal on strdup failure.

Andrew Bartlett
(This used to be commit d72fafc1f0)
2007-10-10 14:05:39 -05:00
Andrew Tridgell
4ce5f82979 r14427: don't reference short_princ after it is freed
(This used to be commit 8ca4681861)
2007-10-10 13:57:22 -05:00
Jelmer Vernooij
4ac2be9958 r13924: Split more prototypes out of include/proto.h + initial work on header
file dependencies
(This used to be commit 1228358767)
2007-10-10 13:52:24 -05:00
Andrew Bartlett
61fe79d022 r13910: Fix the 'your password has expired' on every login. We now consider
if the 'password does not expire' flag has been set, filling in the
PAC and netlogon reply correctly if so.

Andrew Bartlett
(This used to be commit c530ab5dc6)
2007-10-10 13:52:22 -05:00
Andrew Bartlett
13c1f1b6f1 r13252: Cleanup, both in code, comments and talloc use:
In particular, I've used the --leak-report-full option to smbd to
track down memory that shouldn't be on a long-term context.  This is
now talloc_free()ed much earlier.

Andrew Bartlett
(This used to be commit c6eb74f429)
2007-10-10 13:51:38 -05:00
Andrew Bartlett
654a21178f r13207: Use the new API for using/not using kerberos in hdb-ldb.c
Update the rootdse module to use the new schema.

Andrew Bartlett
(This used to be commit b0b150d08a)
2007-10-10 13:51:34 -05:00
Andrew Bartlett
28d78c40ad r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in our
case) as the keytab.

This avoids issues in replicated setups, as we will replicate the
kpasswd key correctly (including from windows, which is why I care at
the moment).

Andrew Bartlett
(This used to be commit 849500d1aa)
2007-10-10 13:51:26 -05:00
Andrew Tridgell
e239a46dbc r13069: adding a hack on instructions from andrew
(This used to be commit 65cf522b5e)
2007-10-10 13:51:21 -05:00
Andrew Bartlett
2d9bd9b3a5 r12681: Allow an entry to have no kerberos keys. This occurs when an entry
is new, and has no password.  It may also occur in the future if we
allow PKINIT.  In any case, it shouldn't segfault :-)

Andrew Bartlett
(This used to be commit 686fea241b)
2007-10-10 13:49:37 -05:00
Andrew Bartlett
cf07cd3fee r12631: Now we have fixed the provision script, we don't need to work around
it here.

Andrew Bartlett
(This used to be commit f282fab611)
2007-10-10 13:49:10 -05:00
Andrew Bartlett
c82c9fe7bb r12599: This new LDB module (and associated changes) allows Samba4 to operate
using pre-calculated passwords for all kerberos key types.
(Previously we could only use these for the NT# type).

The module handles all of the hash/string2key tasks for all parts of
Samba, which was previously in the rpc_server/samr/samr_password.c
code.  We also update the msDS-KeyVersionNumber, and the password
history.  This new module can be called at provision time, which
ensures we start with a database that is consistent in this respect.

By ensuring that the krb5key attribute is the only one we need to
retrieve, this also simplifies the run-time KDC logic.  (Each value of
the multi-valued attribute is encoded as a 'Key' in ASN.1, using the
definition from Heimdal's HDB.  This simplifies the KDC code.).

It is hoped that this will speed up the KDC enough that it can again
operate under valgrind.
(This used to be commit e902274321)
2007-10-10 13:49:01 -05:00
Jelmer Vernooij
2cd5ca7d25 r12542: Move some more prototypes out to separate headers
(This used to be commit 0aca5fd513)
2007-10-10 13:47:55 -05:00