1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

94 Commits

Author SHA1 Message Date
Andrew Bartlett
71d80e6be0 s3-krb5 Only build ADS support if arcfour-hmac-md5 is available
Modern Kerberos implementations have either defines or enums for these
key types, which makes doing #ifdef difficult.  This shows up in files
such as libnet_samsync_keytab.c, the bulk of which is not compiled on
current Fedora 12, for example.

The downside is that this makes Samba unconditionally depend on the
arcfour-hmac-md5 encryption type at build time.  We will no longer
support libraries that only support the DES based encryption types.
However, the single-DES types that are supported in common with AD are
already painfully weak - so much so that they are disabled by default
in modern Kerberos libraries.

If not found, ADS support will not be compiled in.

This means that our 'net ads join' will no longer set the
ACB_USE_DES_KEY_ONLY flag, and we will always try to use
arcfour-hmac-md5.

A future improvement would be to remove the use of the DES encryption
types totally, but this would require that any ACB_USE_DES_KEY_ONLY
flag be removed from existing joins.

Andrew Bartlett

Signed-off-by: Simo Sorce <idra@samba.org>
2010-08-13 09:08:27 -04:00
Günther Deschner
257a1f1097 s3-krb5: include krb5pac.h where needed.
Guenther
2010-08-06 15:43:37 +02:00
Günther Deschner
c136b84f0d s3-secrets: only include secrets.h when needed.
Guenther
2010-08-05 10:12:25 +02:00
Günther Deschner
e7a6a3ec0d s3: avoid global include of ads.h.
Guenther
2010-08-05 00:32:02 +02:00
Simo Sorce
28c74564c5 cleanups: Trailing spaces, line length, etc... 2010-07-30 16:34:53 -04:00
Simo Sorce
26f1218a36 s3-libsmb: Use data_blob_talloc to get krb5 ticket and session keys 2010-07-20 20:02:09 -04:00
Matthieu Patou
57ab910b6f s3: Allow previous password to be stored and use it to check tickets
This patch is to fix bug 7099. It stores the current password in the
 previous password key when the password is changed. It also check the
 user ticket against previous password.

Signed-off-by: Günther Deschner <gd@samba.org>
2010-06-02 14:32:23 +02:00
Andrew Bartlett
454b0b3f20 s3:kerberos Return PAC_LOGON_INFO rather than the full PAC_DATA
All the callers just want the PAC_LOGON_INFO, so search for that in
ads_verify_ticket(), and don't bother the callers with the rest of the
PAC.

This change makes sense on it's own (removing boilerplate wrappers
that just confuse the code), but it also makes it much easier to
implement a matching ads_verify_ticket() function in Samba4 for the
s3compat proposal.

Andrew Bartlett

Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-11 22:52:37 +02:00
Günther Deschner
04f8c229de s3-kerberos: only use krb5 headers where required.
This seems to be the only way to deal with mixed heimdal/MIT setups during
merged build.

Guenther
2009-11-27 16:36:00 +01:00
Andrew Bartlett
574a6a8c35 s3:kerberos Rework smb_krb5_unparse_name() to take a talloc context
Signed-off-by: Günther Deschner <gd@samba.org>
2009-04-07 13:25:36 +02:00
Günther Deschner
b0ea179734 s3-kerberos: use KRB5_KT_KEY compat macro.
Guenther
2009-02-03 15:32:47 +01:00
Günther Deschner
3367812df6 s3-kerberos: fix ads_dedicated_keytab_verify_ticket with heimdal.
Guenther
2009-02-03 15:32:47 +01:00
Günther Deschner
1318fe8c60 Revert "fix for commit d96248a9b4 which broke Heimdal builds"
This does not build.

This reverts commit af736923a5.
2009-02-03 15:32:47 +01:00
Björn Jacke
af736923a5 fix for commit d96248a9b4 which broke Heimdal builds 2009-02-02 09:41:01 -08:00
Dan Sledz
d96248a9b4 Add two new parameters to control how we verify kerberos tickets. Removes lp_use_kerberos_keytab parameter.
The first is "kerberos method" and replaces the "use kerberos keytab"
with an enum.  Valid options are:
secrets only - use only the secrets for ticket verification (default)
system keytab - use only the system keytab for ticket verification
dedicated keytab - use a dedicated keytab for ticket verification.
secrets and keytab - use the secrets.tdb first, then the system keytab

For existing installs:
"use kerberos keytab = yes" corresponds to secrets and keytab
"use kerberos keytab = no" corresponds to secrets only

The major difference between "system keytab" and "dedicated keytab" is
that the latter method relies on kerberos to find the correct keytab
entry instead of filtering based on expected principals.

The second parameter is "dedicated keytab file", which is the keytab
to use when in "dedicated keytab" mode.  This keytab is only used in
ads_verify_ticket.
2009-02-01 20:23:31 -08:00
Jeremy Allison
9eab2bfaf1 Fix more "ignore return value" warnings from gcc 4.3.
Jeremy
2008-12-30 18:24:39 -08:00
Günther Deschner
0ac8c5d49a kerberos: make smb_krb5_kt_add_entry public, allow to pass keys without salting them.
Guenther
(This used to be commit 7c4da23be1)
2008-06-24 23:34:05 +02:00
Karolin Seeger
8d7c7c674a Fix typo.
Karolin
(This used to be commit 42fbbeb1ca)
2008-04-10 08:38:54 +02:00
Karolin Seeger
a8124367b4 Fix typos.
Karolin
(This used to be commit 6cee347035)
2008-04-09 16:14:04 +02:00
Volker Lendecke
1ebfc66b2c Use a separate tdb for mutexes
Another preparation to convert secrets.c to dbwrap: The dbwrap API does not
provide a sane tdb_lock_with_timeout abstraction. In the clustered case the DC
mutex is needed per-node anyway, so it is perfectly fine to use a local mutex
only.
(This used to be commit f94a63cd8f)
2008-03-10 21:08:45 +01:00
Günther Deschner
965774fa8f Fix some more callers of PAC_DATA.
Guenther
(This used to be commit ea609d1b0e)
2008-02-17 02:12:00 +01:00
Jeremy Allison
43717a16e2 Fix CID 476. Ensure a valid pac_data pointer is always passed to
ads_verify_ticket as it's always derefed.
Jeremy.
(This used to be commit 0599d57eff)
2008-01-11 23:53:27 -08:00
Jeremy Allison
30191d1a57 RIP BOOL. Convert BOOL -> bool. I found a few interesting
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
(This used to be commit f35a266b3c)
2007-10-18 17:40:25 -07:00
Günther Deschner
cd45a258a7 r25080: Once we decrypted the packet but have timing problems (closkew, tkt not yet or
no longer valid) there is no point to bother the keytab routines.

Guenther
(This used to be commit 7e4dcf8e7e)
2007-10-10 12:30:38 -05:00
Günther Deschner
3ec8b1702c r24066: Fix memleak found by Volker. We don't leak keys now with MIT and Heimdal.
Guenther
(This used to be commit 7755ad750f)
2007-10-10 12:29:01 -05:00
Volker Lendecke
bf27a77c05 r24065: According to gd, this breaks heimdal. Thanks for checking!
(This used to be commit ea5f53eac8)
2007-10-10 12:29:01 -05:00
Volker Lendecke
d44063715a r24058: Fix some memory leaks in ads_secrets_verify_ticket.
Jeremy, Günther, please review!

Thanks,

Volker
(This used to be commit 000e096c27)
2007-10-10 12:29:00 -05:00
Andrew Tridgell
5e54558c6d r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text
(This used to be commit b0132e94fc)
2007-10-10 12:28:22 -05:00
Jeremy Allison
d824b98f80 r23779: Change from v2 or later to v3 or later.
Jeremy.
(This used to be commit 407e6e695b)
2007-10-10 12:28:20 -05:00
Günther Deschner
6fff735da0 r23647: Use smb_krb5_open_keytab() in smbd as well.
Guenther
(This used to be commit d22c0d291e)
2007-10-10 12:23:41 -05:00
Gerald Carter
b4a39dc10e r23477: Build farm fix: Use int rather than MIT's krb5_int32 when setting context flags.
(This used to be commit 903145e957)
2007-10-10 12:23:19 -05:00
Gerald Carter
4caefdf348 r23474: Here's a small patch that disables the libkrb5.so replay cache
when verifying a ticket from winbindd_pam.c.

I've found during multiple, fast, automated SSH logins (such
as from a cron script) that the replay cache in MIT's krb5
lib will occasionally fail the krb5_rd_req() as a replay attack.

There seems to be a small window during which the MIT krb5
libs could reproduce identical time stamps for ctime and cusec
in the authenticator since Unix systems only give back
milli-seconds rather than the micro-seconds needed by the
authenticator.  Checked against MIT 1.5.1.  Have not
researched how Heimdal does it.

My thinking is that if someone can spoof the KDC and TDS
services we are pretty hopeless anyways.
(This used to be commit cbd33da9f7)
2007-10-10 12:23:19 -05:00
Volker Lendecke
b4a7b7a888 r22844: Introduce const DATA_BLOB data_blob_null = { NULL, 0, NULL }; and
replace all data_blob(NULL, 0) calls.
(This used to be commit 3d3d61687e)
2007-10-10 12:22:01 -05:00
Jeremy Allison
edccfc9192 r21845: Refactor the sessionsetupX code a little to allow us
to return a NT_STATUS_TIME_DIFFERENCE_AT_DC error to
a client when there's clock skew. Will help people
debug this. Prepare us for being able to return the
correct sessionsetupX "NT_STATUS_MORE_PROCESSING_REQUIRED"
error with associated krb5 clock skew error to allow
clients to re-sync time with us when we're eventually
able to be a KDC.
Jeremy.
(This used to be commit c426340fc7)
2007-10-10 12:18:37 -05:00
Günther Deschner
4e00351fd4 r21558: Safe more indent, again no code changes.
Guenther
(This used to be commit 7b18a4730d)
2007-10-10 12:18:13 -05:00
Günther Deschner
59e8bd617b r21557: indent only fix. No code change.
Guenther
(This used to be commit 8ff0903a17)
2007-10-10 12:18:13 -05:00
Günther Deschner
3e946cbb85 r21556: Remove superfluos return check in ads_keytab_verify_ticket().
Guenther
(This used to be commit 020601ea0a)
2007-10-10 12:18:13 -05:00
Volker Lendecke
f8a17bd8bd r18047: More C++ stuff
(This used to be commit 86f4ca84f2)
2007-10-10 11:43:24 -05:00
Gerald Carter
ac25c32322 r17972: revert accidental commit to ads_verify_ticket()
(This used to be commit 95f6b22e51)
2007-10-10 11:39:44 -05:00
Gerald Carter
e53dfa1f4a r17971: Disable storing SIDs in the S-1-22-1 and S-1-22-2 domain to the SID<->uid/gid cache. FIxes a bug in token creation
(This used to be commit fa05708789)
2007-10-10 11:39:44 -05:00
Gerald Carter
060b155cd2 r16952: New derive DES salt code and Krb5 keytab generation
Major points of interest:

* Figure the DES salt based on the domain functional level
  and UPN (if present and applicable)
* Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC
  keys
* Remove all the case permutations in the keytab entry
  generation (to be partially re-added only if necessary).
* Generate keytab entries based on the existing SPN values
  in AD

The resulting keytab looks like:

ktutil:  list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   2    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   3    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
   4    6           host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   5    6           host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   6    6           host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
   7    6               suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   8    6               suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   9    6               suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)

The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName)
and the sAMAccountName value.  The UPN will be added as well if the machine has
one. This fixes 'kinit -k'.

Tested keytab using mod_auth_krb and MIT's telnet.  ads_verify_ticket()
continues to work with RC4-HMAC and DES keys.
(This used to be commit 6261dd3c67)
2007-10-10 11:19:15 -05:00
Günther Deschner
f777697508 r15523: Honour the time_offset also when verifying kerberos tickets. This
prevents a nasty failure condition in winbindd's pam_auth where a tgt
and a service ticket could have been succefully retrieved, but just not
validated.

Guenther
(This used to be commit a75dd80c62)
2007-10-10 11:16:55 -05:00
Jeremy Allison
b68b05854f r15210: Add wrapper functions smb_krb5_parse_name, smb_krb5_unparse_name,
smb_krb5_parse_name_norealm_conv that pull/push from unix charset
to utf8 (which krb5 uses on the wire). This should fix issues when
the unix charset is not compatible with or set to utf8.
Jeremy.
(This used to be commit 37ab42afbc)
2007-10-10 11:16:28 -05:00
Günther Deschner
d7174c1a51 r14682: Small cleanup in ads_verify_ticket.
Guenther
(This used to be commit 90df68634b)
2007-10-10 11:15:43 -05:00
Günther Deschner
492af5e918 r14576: Skip remaining keytab entries when we have a clear indication that
krb5_rd_req could decrypt the ticket but that ticket is just not valid
at the moment (either not yet valid or already expired). (This also
prevents an MIT kerberos related crash)

Guenther
(This used to be commit 8a0c1933d3)
2007-10-10 11:15:37 -05:00
Günther Deschner
90603cb3cd r11846: Destroy the TALLOC_CTX on error in the Kerberos session setup and give a
more precise inline comment why PAC verification may fail.

Guenther
(This used to be commit 43b57715e9)
2007-10-10 11:05:29 -05:00
Günther Deschner
879eb0933e r10907: Handle the case when we can't verify the PAC signature because the
ticket was encrypted using a DES key (and the Windows KDC still puts
CKSUMTYPE_HMAC_MD5_ARCFOUR in the PAC).

In that case, return to old behaviour and ignore the PAC.

Thanks to Chengjie Liu <chengjie.liu@datadomain.com>.

Guenther
(This used to be commit 48d8a9dd9f)
2007-10-10 11:04:55 -05:00
Gerald Carter
54abd2aa66 r10656: BIG merge from trunk. Features not copied over
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d7)
2007-10-10 11:04:48 -05:00
Jeremy Allison
eb93fc968d r10285: Doh ! Guenther spotted this stupid cut-n-paste bug...
Thanks Guenther !
Jeremy.
(This used to be commit 7335440e48)
2007-10-10 11:03:40 -05:00
Günther Deschner
b552c44b79 r10211: Fix another memleak (this time in the kerberos keytab code)
Guenther
(This used to be commit 9796bf4589)
2007-10-10 11:03:37 -05:00