1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Commit Graph

251 Commits

Author SHA1 Message Date
Stefan Metzmacher
c779270116 r19664: fix compiler warnings...
should _krb5_find_type_in_ad() also take a const?

metze
(This used to be commit addc31bd93)
2007-10-10 14:25:27 -05:00
Andrew Bartlett
f722b07438 r19633: Merge to lorikeet-heimdal, removing krb5_rd_req_return_keyblock in favour of a more tasteful replacement.
Remove kerberos_verify.c, as we don't need that code any more.
Replace with code for using the new krb5_rd_req_ctx() borrowed from
Heimdal's accecpt_sec_context.c

Andrew Bartlett
(This used to be commit 13c9df1d4f)
2007-10-10 14:25:21 -05:00
Andrew Bartlett
3c1e780ec7 r19604: This is a massive commit, and I appologise in advance for it's size.
This merges Samba4 with lorikeet-heimdal, which itself has been
tracking Heimdal CVS for the past couple of weeks.

This is such a big change because Heimdal reorganised it's internal
structures, with the mechglue merge, and because many of our 'wishes' have been granted:  we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code.  We have adapted to upstream's choice of API in these cases.

In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO
PAC.  This matches windows behavour.  We also have an option to
require the PAC to be present (which allows us to automate the testing
of this code).

This also includes a restructure of how the kerberos dependencies are
handled, due to the fallout of the merge.

Andrew Bartlett
(This used to be commit 4826f17351)
2007-10-10 14:25:03 -05:00
Andrew Bartlett
13dbee3ffe r19598: Ahead of a merge to current lorikeet-heimdal:
Break up auth/auth.h not to include the world.

Add credentials_krb5.h with the kerberos dependent prototypes.

Andrew Bartlett
(This used to be commit 2b569c42e0)
2007-10-10 14:25:00 -05:00
Andrew Bartlett
18aa4c6a38 r19568: When we get back a skew error, try with no skew. This allows us to
recover from inheriting an invalid skew from a ccache.

Andrew Bartlett
(This used to be commit 4881f0583d)
2007-10-10 14:24:53 -05:00
Andrew Bartlett
d046e8d0cc r19523: Remove unused functions.
Andrew Bartlett
(This used to be commit 3a3c1040a9)
2007-10-10 14:24:44 -05:00
Stefan Metzmacher
845e288ea4 r17774: this macro is unused
metze
(This used to be commit 2f4aa95f8d)
2007-10-10 14:16:40 -05:00
Stefan Metzmacher
ba4f9bc008 r15988: try to fix the build on au2 IRIX 6.4
metze
(This used to be commit 9e93e6f5fb)
2007-10-10 14:08:46 -05:00
Jelmer Vernooij
7ef96bd3c4 r15876: Fix build on IPv6-less systems.
(This used to be commit 180925659f)
2007-10-10 14:08:36 -05:00
Andrew Tridgell
cdc64c448d r15853: started the process of removing the warnings now that
talloc_set_destructor() is type safe. The end result will be lots less
use of void*, and less calls to talloc_get_type()
(This used to be commit 6b4c085b86)
2007-10-10 14:08:32 -05:00
Andrew Bartlett
c07db9b462 r15511: Using this name causes less warnings on the IBM checker, due to using
the original, rather than equivilant, enum type.

Andrew Bartlett
(This used to be commit 3d43e458a8)
2007-10-10 14:05:44 -05:00
Andrew Bartlett
8792ff810d r15501: Allow interactive password prompting on kerberos as well.
Andrew Bartlett
(This used to be commit 7003c3e8de)
2007-10-10 14:05:42 -05:00
Jelmer Vernooij
46f627ea7a r15384: Improve naming of socket library, disable Requires(.private)? fields in pkg-config files for now as
they break external projects.
(This used to be commit f919fd6655)
2007-10-10 14:05:30 -05:00
Jelmer Vernooij
5c3a1d76ff r15379: Fix shared library build's unresolved dependencies
(This used to be commit 0fafa2e595)
2007-10-10 14:05:29 -05:00
Jelmer Vernooij
6275553bae r15373: Rename SOCKET to LIBSAMBA-SOCKET to prevent name clashes with -lsocket on SUN
boxes.
(This used to be commit c95ad11307)
2007-10-10 14:05:28 -05:00
Jelmer Vernooij
7ff6afd9cc r15366: Use type name rather then typedef directly - fixes build on tcc
(This used to be commit 76c5f37720)
2007-10-10 14:05:27 -05:00
Andrew Bartlett
c2cc10c786 r15356: Remove unused 'flags' argument from socket_send() and friends.
This is in preperation for making TLS a socket library.

Andrew Bartlett
(This used to be commit a312812b92)
2007-10-10 14:05:25 -05:00
Jelmer Vernooij
9220144604 r15313: Fix some dependencies in dso mode
(This used to be commit f0afe9e2ff)
2007-10-10 14:05:09 -05:00
Jelmer Vernooij
620d759f49 r15298: Fix the build using a few hacks in the build system.
Recursive dependencies are now forbidden (the build system
will bail out if there are any).

I've split up auth_sam.c into auth_sam.c and sam.c. Andrew,
please rename sam.c / move its contents to whatever/wherever you think suits
best.
(This used to be commit 6646384aaf)
2007-10-10 14:05:04 -05:00
Jelmer Vernooij
710ea94988 r15297: Move create_security_token() to samdb as it requires SAMDB (and the rest of LIBSECURITY doesn't)
Make the ldb password_hash module only depend on some keys manipulation code, not full heimdal
Some other dependency fixes
(This used to be commit 5b3ab728ed)
2007-10-10 14:05:04 -05:00
Jelmer Vernooij
0d5587b5d1 r15274: Drop default EXT_LIB_ prefix for external libraries. Fixes issues with local
(empty) libpopt.a overriding global one
(This used to be commit 2f06305e53)
2007-10-10 14:05:00 -05:00
Jelmer Vernooij
68f5ac1fa0 r15258: Another attempt at fixing getaddrinfo on IRIX
(This used to be commit 13d0cec018)
2007-10-10 14:04:27 -05:00
Jelmer Vernooij
c8106b2669 r15256: Use libroken's getaddrinfo if it is not provided by the system. Should
get the build on IRIX a bit further.
(This used to be commit 47d1baf0cf)
2007-10-10 14:04:26 -05:00
Jelmer Vernooij
69b51f702a r15207: Introduce PRIVATE_DEPENDENCIES and PUBLIC_DEPENDENCIES as replacement
for REQUIRED_SUBSYSTEMS.
(This used to be commit adc8a019b6)
2007-10-10 14:04:18 -05:00
Jelmer Vernooij
e3f2414cf9 r14380: Reduce the size of structs.h
(This used to be commit 1a16a6f1df)
2007-10-10 13:57:16 -05:00
Jelmer Vernooij
3f16241a1d r14363: Remove credentials.h from the global includes.
(This used to be commit 98c4c30513)
2007-10-10 13:57:14 -05:00
Andrew Tridgell
1693d5e507 r14306: fixed two break errors
(This used to be commit 03da4fbcdd)
2007-10-10 13:57:10 -05:00
Andrew Bartlett
c20ea6123f r14202: Oops. When removing a header, we need to replace it.
Andrew Bartlett
(This used to be commit d1ca106f05)
2007-10-10 13:57:00 -05:00
Andrew Bartlett
120c308fa5 r14201: I don't think including roken is going to be a good solution. Let's
try and find the real solution.

Andrew Bartlett
(This used to be commit a512d5dd25)
2007-10-10 13:57:00 -05:00
Andrew Bartlett
18ad7a6c87 r14180: The PAC isn't so special that it deserves a level 0 debug any more.
Andrew Bartlett
(This used to be commit 2ab71ed518)
2007-10-10 13:56:58 -05:00
Jelmer Vernooij
9bd7dd9121 r13926: More header splitups.
(This used to be commit 930daa9f41)
2007-10-10 13:52:26 -05:00
Jelmer Vernooij
3bec2022eb r13844: Remove _PUBLIC_ for now as the proto script seems to make false assumptions
about the data type being known.
(This used to be commit 991bec80e4)
2007-10-10 13:52:15 -05:00
Jelmer Vernooij
c71c86c524 r13842: Make some more functions public.
(This used to be commit aac1b99b36)
2007-10-10 13:52:15 -05:00
Andrew Bartlett
26421fb2dc r13481: As far as I can tell, my changes in -r 12863 were dangerously untested.
We do need the gsskrb5_get_initiator_subkey() routine.  But we should
ensure that we do always get a valid key, to prevent any segfaults.

Without this code, we get a different session key compared with
Win2k3, and so kerberised smb signing fails.

Andrew Bartlett
(This used to be commit cfd0df16b7)
2007-10-10 13:51:55 -05:00
Andrew Bartlett
28d78c40ad r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in our
case) as the keytab.

This avoids issues in replicated setups, as we will replicate the
kpasswd key correctly (including from windows, which is why I care at
the moment).

Andrew Bartlett
(This used to be commit 849500d1aa)
2007-10-10 13:51:26 -05:00
Stefan Metzmacher
6b566e83a6 r12899: - fix warnings on AIX
- fix compilation of auth/kerberos/krb5_init_context.c on AIX

metze
(This used to be commit 0e1ad08a85)
2007-10-10 13:51:00 -05:00
Andrew Bartlett
adab8d3968 r12863: As lha suggested to me a while back, it appears that the
gsskrb5_get_initiator_subkey() routine is bougs.  We can indeed use
gss_krb5_get_subkey().

This is fortunate, as there was a segfault bug in 'initiator' version.

Andrew Bartlett
(This used to be commit ec11870ca1)
2007-10-10 13:50:55 -05:00
Andrew Bartlett
31753e2cfc r12808: Actually, with that we can avoid roken compleatly.
Andrew Bartlett
(This used to be commit 37f342b010)
2007-10-10 13:49:58 -05:00
Andrew Bartlett
a7a8eece69 r12807: I'm wondering if this might fix AIX on the build farm...
Andrew Bartlett
(This used to be commit 8f70d6270a)
2007-10-10 13:49:58 -05:00
Andrew Bartlett
f55ea8bb3d r12804: This patch reworks the Samba4 sockets layer to use a socket_address
structure that is more generic than just 'IP/port'.

It now passes make test, and has been reviewed and updated by
metze. (Thankyou *very* much).

This passes 'make test' as well as kerberos use (not currently in the
testsuite).

The original purpose of this patch was to have Samba able to pass a
socket address stucture from the BSD layer into the kerberos routines
and back again.   It also removes nbt_peer_addr, which was being used
for a similar purpose.

It is a large change, but worthwhile I feel.

Andrew Bartlett
(This used to be commit 88198c4881)
2007-10-10 13:49:57 -05:00
Jelmer Vernooij
78c50015bb r12694: Move some headers to the directory of the subsystem they belong to.
(This used to be commit c722f665c9)
2007-10-10 13:49:39 -05:00
Jelmer Vernooij
bc4aebfaec r12670: Make a couple of dependencies stricter
Re-introduce and use the OUTPUT_TYPE property for MODULEs to force
specific modules to always be included
(This used to be commit f9eede3d40)
2007-10-10 13:49:35 -05:00
Andrew Bartlett
906c142423 r12594: Jelmer pushed some proposed header reductions to the list today. This
commits some of these that I know to be correct in the kerberos area.

Andrew Bartlett
(This used to be commit 6787b3737c)
2007-10-10 13:49:00 -05:00
Jelmer Vernooij
d8e35f8828 r12498: Eliminate INIT_OBJ_FILES and ADD_OBJ_FILES. We were not using
the difference between these at all, and in the future the
fact that INIT_OBJ_FILES include smb_build.h will be sufficient to
have recompiles at the right time.
(This used to be commit b24f2583ed)
2007-10-10 13:47:45 -05:00
Andrew Bartlett
9a9cb35cbd r12422: Some kerberos comments and clarifications.
Andrew Bartlett
(This used to be commit 31046cd22b)
2007-10-10 13:47:36 -05:00
Andrew Bartlett
221c1512a8 r12411: Add 'net samdump keytab <keytab>'.
This extracts a remote windows domain into a keytab, suitable for use
in ethereal for kerberos decryption.

For the moment, like net samdump and net samsync, the 'password
server' smb.conf option must be set to the binding string for the
server. eg:

password server = ncacn_np:mypdc

Andrew Bartlett
(This used to be commit 272013438f)
2007-10-10 13:47:35 -05:00
Andrew Tridgell
16c7e92cd2 r12064: pass back the socket level error correctly (so we get
NT_STATUS_CONNECTION_REFUSED when a KDC is not listening)
(This used to be commit 0f85fc204c)
2007-10-10 13:47:03 -05:00
Andrew Tridgell
469aad2c48 r12063: fixed the krb5 client code to handle ICMP port unreachable errors, and
error out immediatelly. This prevents a long timeout
(This used to be commit f6c0fccc06)
2007-10-10 13:47:03 -05:00
Andrew Bartlett
42f2bfbd9b r12059: Use random keytab names (so we get different keytabs, rather than
share the MEMORY: keytab).

Andrew Bartlett
(This used to be commit 6c43de2708)
2007-10-10 13:47:02 -05:00
Andrew Bartlett
c7c6b5620b r12056: Some clarification fixes for the keytab code, and use the right
function for enctype to string.

Andrew Bartlett
(This used to be commit ae6c968cb2)
2007-10-10 13:47:02 -05:00
Andrew Bartlett
22f1de0998 r11994: This function no longer needs a special declaration.
Andrew Bartlett
(This used to be commit 88a7b7805c)
2007-10-10 13:46:56 -05:00
Andrew Bartlett
b2c98db507 r11993: As well as making an in-MEMORY keytab, allow a file-based keytab to be updated.
This allows a new password to be written in, and old entries removed
(we keep kvno and kvno-1).

Clean up the code a lot, and add comments on what it is doing...

Andrew Bartlett
(This used to be commit 0a911baaba)
2007-10-10 13:46:56 -05:00
Andrew Bartlett
3a3c53327a r11940: Love has clarified why this code does what it does.
Andrew Bartlett
(This used to be commit 9b3dedbc0b)
2007-10-10 13:46:49 -05:00
Andrew Bartlett
01fc59df42 r11928: More Kerberos musings...
Andrew Bartlett
(This used to be commit 571f9c9c51)
2007-10-10 13:46:48 -05:00
Stefan Metzmacher
1fb2397913 r11601: try to fix the build on IRIX 6.5 us4
abartlet, tridge, lha: is there a better way?

metze
(This used to be commit b2b4969bdc)
2007-10-10 13:45:57 -05:00
Andrew Bartlett
918c7634c2 r11543: A major upgrade to our KDC and PAC handling.
We now put the PAC in the AS-REP, so that the client has it in the
TGT.  We then validate it (and re-sign it) on a TGS-REQ, ie when the
client wants a ticket.

This should also allow us to interop with windows KDCs.

If we get an invalid PAC at the TGS stage, we just drop it.

I'm slowly trying to move the application logic out of hdb-ldb.c, and
back in with the rest of Samba's auth system, for consistancy.  This
continues that trend.

Andrew Bartlett
(This used to be commit 36973b1eef)
2007-10-10 13:45:52 -05:00
Andrew Bartlett
4c57d08c52 r11538: More notes on things we need.
Andrew Bartlett
(This used to be commit 890ad0412b)
2007-10-10 13:45:51 -05:00
Andrew Bartlett
3b2a6997b4 r11452: Update Heimdal to current lorikeet, including removing the ccache side
of the gsskrb5_acquire_cred hack.

Add support for delegated credentials into the auth and credentials
subsystem, and specifically into gensec_gssapi.

Add the CIFS NTVFS handler as a consumer of delegated credentials,
when no user/domain/password is specified.

Andrew Bartlett
(This used to be commit 55b89899ad)
2007-10-10 13:45:38 -05:00
Stefan Metzmacher
fb2bceea6e r11400: fix compiler warnings
metze
(This used to be commit a29a107d95)
2007-10-10 13:45:31 -05:00
Andrew Bartlett
524eeac064 r11350: Add some debugs to assist tracking down kerberos issues in future.
(Make it easy to see what was put into the keytab, so we can tell when
gssapi screams that it can't pull it out).

Andrew Bartlett
(This used to be commit c56142c4ac)
2007-10-10 13:45:22 -05:00
Andrew Bartlett
13b0da09ee r11325: Fix up some kerberos notes.
Andrew Bartlett
(This used to be commit 89623af30f)
2007-10-10 13:45:20 -05:00
Andrew Bartlett
040add3d07 r11315: Sorry gd, I just removed all of your code that I just merged...
(We now ask the kerberos libraries to handle getting and unwapping the PAC).

Andrew Bartlett
(This used to be commit 6a0beb29da)
2007-10-10 13:45:18 -05:00
Andrew Bartlett
14a3abd559 r11314: Use a patch from lha to have the kerberos libs extract the PAC, rather
than doing ASN.1 parsing in Samba.

Also use the API function for getting a client from a ticket, rather
than just digging in the structure.

Andrew Bartlett
(This used to be commit 25d5ea6d72)
2007-10-10 13:45:18 -05:00
Andrew Bartlett
a0647a89a8 r11272: In trying to track down why Win2k3 is again rejecting our PAC, ensure
we can round-trip all the way back to a server_info structure, not
just a filled in PAC_DATA. (I was worried about generated fields being
incorrect, or some other logical flaw).

Andrew Bartlett
(This used to be commit 11b1d78cc5)
2007-10-10 13:45:11 -05:00
Jelmer Vernooij
4c5a4a7e02 r11244: Relative path names in .mk files
(This used to be commit 24e1030090)
2007-10-10 13:45:06 -05:00
Andrew Bartlett
b0c7c175b1 r11220: Add the ability to handle the salt prinicpal as part of the
credentials.  This works with the setup/secrets.ldif change from the
previous patch, and pretty much just re-invents the keytab.

Needed for kpasswdd work.

Andrew Bartlett
(This used to be commit cc9d167bab)
2007-10-10 13:45:04 -05:00
Andrew Bartlett
d820c353dc r11218: Always return the mutual authentication reply (needed for kpasswd),
and remove now duplicated unwrap_pac().

Andrew Bartlett
(This used to be commit 90642d54e0)
2007-10-10 13:45:04 -05:00
Andrew Bartlett
532b16f3d5 r11216: Upgrade to gd's PAC extraction code from Samba3. While I still want
to make some this the kerberos library's problem, we may as well use
the best code that is around.

Andrew Bartlett
(This used to be commit a7fe3078a6)
2007-10-10 13:45:04 -05:00
Andrew Bartlett
10989431e5 r11215: Remove no-op prompter intended to work around bugs in old kerberos libs.
I'm also worried this might cause loops, if we get a 'force password
change', and the prompter tries to 'deal with it'.

Andrew Bartlett
(This used to be commit 5bc10c4e47)
2007-10-10 13:45:03 -05:00
Jelmer Vernooij
f4d590662e r11214: Remove scons files (see http://lists.samba.org/archive/samba-technical/2005-October/043443.html)
(This used to be commit 7fffc5c917)
2007-10-10 13:45:03 -05:00
Andrew Bartlett
372ca26b20 r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5
authentication.  This pulls the creating of the keytab back to the
credentials code, and removes the special case of 'use keberos keytab
= yes' for now.

This allows (and requires) the callers to specify the credentials for
the server credentails to GENSEC.  This allows kpasswdd (soon to be
added) to use a different set of kerberos credentials.

The 'use kerberos keytab' code will be moved into the credentials
layer, as the layers below now expect a keytab.

We also now allow for the old secret to be stored into the
credentials, allowing service password changes.

Andrew Bartlett
(This used to be commit 205f77c579)
2007-10-10 13:45:00 -05:00
Stefan Metzmacher
cffd522b5c r11052: bring samba4 uptodate with the samba4-winsrepl branch,
before the bad merge

metze
(This used to be commit 471c0ca4ab)
2007-10-10 13:44:43 -05:00
Stefan Metzmacher
2ecb46d595 r11037:
(This used to be commit 6913e33840)
2007-10-10 13:42:33 -05:00
Andrew Bartlett
8dfa59372f r10985: To aid in testing, this allows us to easily force kerberos to use UDP or TCP.
Andrew Bartlett
(This used to be commit ae0b4028ff)
2007-10-10 13:39:50 -05:00
Andrew Bartlett
b4a1e760c9 r10945: Free the salt after we are done with it. May need a merge to similar
code in Samba3.

Andrew Bartlett
(This used to be commit 36e302bac8)
2007-10-10 13:39:44 -05:00
Andrew Bartlett
3223cd45ee r10670: Add notes on things that are TODO in Samba4 kerberos land.
Andrew Bartlett
(This used to be commit 5b2114bb9c)
2007-10-10 13:39:16 -05:00
Andrew Bartlett
8407a1a866 r10561: This patch takes over KDC socket routines in Heimdal, and directs them
at the Samba4 socket layer.

The intention here is to ensure that other events may be processed while
heimdal is waiting on the KDC.  The interface is designed to be
sufficiently flexible, so that the plugin may choose how to time
communication with the KDC (ie multiple outstanding requests, looking
for a functional KDC).

I've hacked the socket layer out of cldap.c to handle this very
specific case of one udp packet and reply.  Likewise I also handle
TCP, stolen from the winbind code.

This same plugin system might also be useful for a self-contained
testing mode in Heimdal, in conjunction with libkdc.  I would suggest
using socket-wrapper instead however.

Andrew Bartlett
(This used to be commit 3b09f9e8f9)
2007-10-10 13:39:04 -05:00
Jelmer Vernooij
49839f356f r10513: Reduce some use of pstring. The main reason some parts of the code still
use pstring is next_token() now.
(This used to be commit a5b88bcd42)
2007-10-10 13:38:58 -05:00
Jelmer Vernooij
e337caeed1 r10509: Some more sconscript fixes. Now getting to link stage for smbclient
(This used to be commit 6df956edba)
2007-10-10 13:38:58 -05:00
Andrew Bartlett
51cbc188df r10402: Make the RPC-SAMLOGON test pass against Win2k3 SP0 again.
I still have issues with Win2k3 SP1, and Samba4 doesn't pass it's own
test for the moment, but I'm working on these issues :-)

This required a change to the credentials API, so that the special
case for NTLM logins using a principal was indeed handled as a
special, not general case.

Also don't set the realm from a ccache, as then it overrides --option=realm=.

Andrew Bartlett
(This used to be commit 194e8f07c0)
2007-10-10 13:38:39 -05:00
Andrew Bartlett
3b7f8ddd9a r10398: Don't do DNS lookups on short names (no .).
Andrew Bartlett
(This used to be commit 77aca9619d)
2007-10-10 13:38:39 -05:00
Andrew Bartlett
b1b5e49f98 r10372: Having gone to all the effort to uppercase the realm, actually set the
upper-case realm.

Andrew Bartlett
(This used to be commit 3e38456dd5)
2007-10-10 13:38:32 -05:00
Andrew Bartlett
65d4da0ff3 r10364: Turn gensec:gssapi on by default, except for a login of the form
-Udomain\\user.

This will probably break in a few configurations, so please let me
know.  I'll also work to have a way to inhibit kerberos/ntlmssp, as
this removes -k.

Andrew Bartlett
(This used to be commit 3c0dc570b8)
2007-10-10 13:38:31 -05:00
Jelmer Vernooij
6812c73534 r10348: Add scons scripts for remaining subsystems. Most subsystems build now,
but final linking still fails (as does generating files asn1, et, idl and proto
files)
(This used to be commit 4f0d7f75b9)
2007-10-10 13:38:30 -05:00
Andrew Bartlett
f9263dd102 r10337: This grubby little hack is the implementation of a concept discussed
on the kerberos mailing lists a couple of weeks ago: Don't use DNS at
all for expanding short names into long names.

Using the 'override krb5_init_context' code already in the tree, this
removes the DNS lag on a kerberos session setup/connection.

Andrew Bartlett
(This used to be commit de3ceab3d0)
2007-10-10 13:38:29 -05:00
Andrew Bartlett
f3bce652c8 r10286: This patch is ugly and disgusting, but for now it works better than the other
ideas I have had.

When I get a full list of things I want to do to a krb5_context I'll
either add gsskrb5_ wrappers, or a way of speicfying the krb5 context
per gssapi context.

(I want to ensure that the only krb5_context variables created while
executing Samba4 are via our wrapper).

Andrew Bartlett
(This used to be commit 8a22d46e70)
2007-10-10 13:38:13 -05:00
Andrew Bartlett
5d3d4093b3 r10174: This patch implements generic PAC verification, without assumptions
about the size of the signature.  In particular, this works with AES,
which was previously broken Samba4/Samba4.

Reviewed by metze (and thanks for help with the previous IDL commit).
(This used to be commit 3c8be196cc)
2007-10-10 13:38:06 -05:00
Andrew Bartlett
c42e76f986 r10155: Add more notes on required gsskrb5 functions.
Andrew Bartlett
(This used to be commit cdfcc09343)
2007-10-10 13:38:04 -05:00
Andrew Bartlett
1757f8355c r10145: Allow a variable length signature, so we can support signing with
other than arcfour-hmac-md5.  Currently we still fail to verify other
signatures however.

Andrew Bartlett
(This used to be commit 2e5884fc24)
2007-10-10 13:38:03 -05:00
Andrew Bartlett
1f2f470889 r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.

Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.

I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal.  It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging.  (metze assures me it still has memory leak problems, but
I've started to address some of that).

This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.

On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC.  Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.

One thing doesn't work with this patch:
 - the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken.  I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.

Andrew Bartlett
(This used to be commit a3aba57c00)
2007-10-10 13:36:33 -05:00
Andrew Bartlett
6b14ffe271 r10035: This patch removes the need for the special case hack
'MEMORY_WILDCARD' keytab type. (part of this checking is in effect a
merge from lorikeet-heimdal, where I removed this)

This is achieved by correctly using the GSSAPI gsskrb5_acquire_cred()
function, as this allows us to specify the target principal, regardless
of which alias the client may use.

This patch also tries to simplify some principal handling and fixes some
error cases.

Posted to samba-technical, reviewed by metze, and looked over by lha on IRC.

Andrew Bartlett
(This used to be commit 506a7b67ae)
2007-10-10 13:36:31 -05:00
Andrew Bartlett
370f5b9563 r10021: More kerberos notes.
(This used to be commit f36e657a41)
2007-10-10 13:36:30 -05:00
Jelmer Vernooij
b674411eb4 r9792: Rename StrCaseCmp -> strcasecmp_m. All these years I was thinking
StrCaseCmp was sys_strcasecmp, while it is in fact strcasecmp_m!
(This used to be commit 200a8f6652)
2007-10-10 13:35:01 -05:00
Andrew Bartlett
24186a80eb r9728: A *major* update to the credentials system, to incorporate the
Kerberos CCACHE into the system.

This again allows the use of the system ccache when no username is
specified, and brings more code in common between gensec_krb5 and
gensec_gssapi.

It also has a side-effect that may (or may not) be expected: If there
is a ccache, even if it is not used (perhaps the remote server didn't
want kerberos), it will change the default username.

Andrew Bartlett
(This used to be commit 6202267f6e)
2007-10-10 13:34:54 -05:00
Andrew Bartlett
d91a5808f0 r9693: Move the smb_krb5_context setup code to use the new pattern of
tmp_ctx, then steal at the last moment, on success.

andrew Bartlett
(This used to be commit c7a44518ad)
2007-10-10 13:34:41 -05:00
Andrew Bartlett
c496f58c6f r9681: We don't need the full smb_krb5_context here, so just pass the krb5_context.
Andrew Bartlett
(This used to be commit 47699019db)
2007-10-10 13:34:40 -05:00
Andrew Tridgell
b8f4e0796d r9648: this fixes the krb5 based login with the pac. The key to this whole saga was
that the logon_time field in the pac must match the authtime field in the ticket we
gave the client in the AS-REP (and thus also the authtime field in the ticket we get
back in the TGS-REQ).

Many thanks to Andrew Bartlett for his patience in showing me the
basic ropes of all this code! This was a joint effort.
(This used to be commit 7bee374b3f)
2007-10-10 13:34:37 -05:00
Andrew Bartlett
40f56f63be r9415: Remove old kerberos code (including salt guessing code) that has only
caused me pain (and covourty warnings).

Simply gensec_gssapi to assume the properties of lorikeet-heimdal,
rather than having #ifdef around critical features.  This simplifies
the code rather a lot.

Andrew Bartlett
(This used to be commit 11156f556d)
2007-10-10 13:33:36 -05:00
Stefan Metzmacher
79c1c76b26 r9196: - add a note about the Canonicalize KDCOPtion flag
- add a note about old client using the wrong checksum type for GSSAPI
  in the Authenticator

metze
(This used to be commit 07e39bd94c)
2007-10-10 13:31:30 -05:00
Andrew Bartlett
910c1d55c2 r9165: Fix inverted error check in untested code path. (My untested code...)
Andrew Bartlett
(This used to be commit fba7a0edd4)
2007-10-10 13:31:26 -05:00
Andrew Bartlett
8db8279730 r9084: 'resign' the sample PAC for the validation of the signature algorithms.
If we ever get problems with the kerberos code, it should show up as a
different signature in this PAC.

This involved returning more data from the pac functions, so changed
some callers and split up some functions.

Andrew Bartlett
(This used to be commit d514a74912)
2007-10-10 13:31:15 -05:00
Andrew Tridgell
c77f4a68c6 r8460: removed the unused function krb5_locate_kdc(). It causes a build failure on irix.
Andrew, if you planned on using this in the future then we can put it
back and work out how to make it portable
(This used to be commit eaa74913fe)
2007-10-10 13:23:05 -05:00
Andrew Bartlett
e75c7ff39f r8252: Steal metze's thunder, and prove that with a few small tweaks, we can
now push/pull a sample PAC, and still have the same byte buffer.
(Metze set up the string code, and probably already has a similar
patch).

Unfortunetly win2k3 still doesn't like what we provide, but every step helps.

Also use data_blob_const() when we are just wrapping data for API
reasons.

Andrew Bartlett
(This used to be commit e7c8076fc1)
2007-10-10 13:19:25 -05:00
Andrew Bartlett
c0a78453a7 r8250: More PAC work. We now sucessfully verify the KDC signature from my DC
(I have included the krbtgt key from my test network).

It turns out the krbtgt signature is over the 16 (or whatever,
enc-type dependent) bytes of the signature, not the entire structure.

Also do not even try to use Kerberos or GSSAPI on an IP address, it
will only fail.

Andrew Bartlett
(This used to be commit 3b9558e82f)
2007-10-10 13:19:25 -05:00
Stefan Metzmacher
f1031746e5 r8164: - match the ordering w2k3 uses for the PAC_BUFFER:
LOGON_INFO
   LOGON_NAME
   SRV_CHECKSUM
   KDC_CHECKSUM

- w2k3 also don't use the groupmembership array with rids
  it uses the othersids array

metze
(This used to be commit 2286fad27d)
2007-10-10 13:19:16 -05:00
Stefan Metzmacher
a33178fc72 r8156: I found out that the unknown[2] field of the unknown[4] array is a length too,
it's always 16 bytes smaller than the size in the PAC_BUFFER

we now dump the blob's on LOCAL-PAC with -d 10

metze
(This used to be commit 4ef721ce53)
2007-10-10 13:19:13 -05:00
Stefan Metzmacher
148235a009 r8148: - make the PAC generation code a bit more readable and add some outof memory checks
- move to handmodified pull/push code for PAC_BUFFER
  to get the _ndr_size field and the subcontext size right

- after looking closely to the sample w2k3 PAC in our torture test (and some more in my archive)
  I found out that the first uint32 before the netr_SamInfo3 was also a pointer,
  (and we passed a NULL pointer there before, so I think that was the reason why the windows clients doesn't want our PAC)

  w2k3 uses this for unique pointers:

  ptr = ndr->ptr_count * 4;
  ptr |= 0x00020000;
  ndr->ptr_count;

- do one more pull/push round with the sample PAC

metze
(This used to be commit 0eee179415)
2007-10-10 13:19:13 -05:00
Andrew Bartlett
dbd2688c90 r8110: More PAC work. I still can't get WinXP to accept the PAC, but we are
much closer.

This changes PIDL to allow a subcontext to have a pad8 flag, saying to
pad behind to an 8 byte boundary.  This is the only way I can explain
the 4 trainling zeros in the signature struct.

Far more importantly, the PAC code is now under self-test, both in
creating/parsing our own PAC, but also a PAC from my win2k3 server.
This required changing auth_anonymous, because I wanted to reuse the
anonymous 'server_info' generation code.

I'm still having trouble with PIDL, particulary as surrounds value(),
but I'll follow up on the list.

Andrew Bartlett
(This used to be commit 50a54bf4e9)
2007-10-10 13:19:09 -05:00
Andrew Bartlett
ddffc922df r8001: Also fill in the krbtgt checksum, and make sure to put the right
checksum in the right place...

Andrew Bartlett
(This used to be commit 90d0f502da)
2007-10-10 13:18:57 -05:00
Andrew Bartlett
9a7481bcfe r7993: Further work on the Krb5 PAC.
We now generate the PAC, and can verifiy both our own PAC and the PAC
from Win2k3.

This commit adds the PAC generation code, spits out the code to get
the information we need from the NETLOGON server back into a auth/
helper function, and adds a number of glue functions.

In the process of building the PAC generation code, some hints in the
Microsoft PAC specification shed light on other parts of the code, and
the updates to samr.idl and netlogon.idl come from those hints.

Also in this commit:

The Heimdal build package has been split up, so as to only link the
KDC with smbd, not the client utils.

To enable the PAC to be veified with gensec_krb5 (which isn't quite
dead yet), the keyblock has been passed back to the calling layer.

Andrew Bartlett
(This used to be commit e2015671c2)
2007-10-10 13:18:57 -05:00
Andrew Bartlett
f4e75294be r7991: I forgot to free the keyblock once we are done with it.
Andrew Bartlett
(This used to be commit a68e348375)
2007-10-10 13:18:56 -05:00
Andrew Bartlett
f4607c6e55 r7989: Allow the use of hashed passwords in the kerberos client and server,
and create the in-memory keytab with the correct kvno, if available.

Andrew Bartlett
(This used to be commit 7b7b2b038e)
2007-10-10 13:18:56 -05:00
Andrew Bartlett
5daf957362 r7980: Forgot to add kerberos_pac.c to this config.mk file.
Andrew Bartlett
(This used to be commit bba58a1876)
2007-10-10 13:18:56 -05:00
Andrew Bartlett
66da650727 r7979: Metze reminded me to try one more combination, and we can now verify
the 'PAC', required for interopability with Active Directory.

This is still a cludge, as it doesn't handle different encryption
types, but that should be fairly easy to fix (needs PIDL/IDL changes).

Andrew Bartlett
(This used to be commit 690cfc44ce)
2007-10-10 13:18:56 -05:00
Andrew Bartlett
99777452f0 r7978: A start again on PAC verification. I have noticed that the kerberos
keys appear at the end of the PAC, which I feel is deliberate (it
makes this much easier).

I still can't make it work, but I'm sure we are closer.

Andrew Bartlett
(This used to be commit 6f0e1c80ae)
2007-10-10 13:18:55 -05:00
Andrew Bartlett
f9861c9c5a r7968: Pull the PAC from within GSSAPI, rather than only when using our own
'mock GSSAPI'.

Many thanks to Luke Howard for the work he has done on Heimdal for
XAD, to provide the right API hooks in GSSAPI.

Next step is to verify the signatures, and to build the PAC for the
KDC end.

Andrew Bartlett
(This used to be commit 2e82743c98)
2007-10-10 13:18:55 -05:00
Andrew Tridgell
37e3d02621 r7863: removed an unused variable
(This used to be commit 9ee3dbad6b)
2007-10-10 13:18:44 -05:00
Andrew Bartlett
8bbb77d88a r7862: Updates to the Kerberos notes, based on recent changes and discoveries.
Andrew Bartlett
(This used to be commit 7d791d13bc)
2007-10-10 13:18:44 -05:00
Andrew Bartlett
4432cc73ae r7843: Use the new Heimdal gsskrb_acquire_creds API. This has the right
lifetime constraints, and works with the in-memory keytab.

Move initialize_krb5_error_table() into our kerberos startup code,
rather than in the GSSAPI code explitly.  (Hmm, we probably don't need
this at all..)

Andrew Bartlett
(This used to be commit bedf92da5c)
2007-10-10 13:18:42 -05:00
Andrew Bartlett
8a68f96f8c r7827: Add in-memory keytab to Samba4, using the new MEMORY_WILDCARD keytab
support in Heimdal.

This removes the 'ext_keytab' step from my Samba4/WinXP client howto.

In doing this work, I realised that the replay cache in Heimdal is
currently a no-op, so I have removed the calls to it, and therefore
the mutex calls from passdb/secrets.c.

This patch also includes a replacement 'magic' mechanism detection,
that does not issue extra error messages from deep inside the GSSAPI
code.

Andrew Bartlett
(This used to be commit c19d5706f4)
2007-10-10 13:18:41 -05:00
Andrew Bartlett
949deaf9e3 r7687: Some more tests that must be done only when krb5_config is absent.
Andrew Bartlett
(This used to be commit 898f72d196)
2007-10-10 13:18:22 -05:00
Love Hörnquist Åstrand
c3948492d4 r7638: krb5_closelog in heimdal-0.7 not longer leaks memory, so remove that comment
(This used to be commit 3aa80b8e58)
2007-10-10 13:18:16 -05:00
Andrew Bartlett
7a33552d82 r7637: Another useful Heimdal feature we need.
Andrew Bartlett
(This used to be commit 57ddedc954)
2007-10-10 13:18:16 -05:00
Andrew Bartlett
e9fa8f7cce r7509: With the update to Heimdal 20050612 we no longer need krb5_freelog(),
as krb5_closelog() no longer leaks memory.

Andrew Bartlett
(This used to be commit b0bf8a4a5f)
2007-10-10 13:18:02 -05:00
Andrew Tridgell
bce8cda061 r7352: the internal heimdal build change. This changes quite a few things:
- if you want kerberos now, you need to unpack a lorikeet heimdal
   tree in source/heimdal/. If source/heimdal/ does not exist at
   configure time then all kerberos features are disabled. You cannot
   use an external kerberos library for now. That may change later.

 - moved lib/replace/ config stuff to lib/replace/ and create a
   lib/replace/replace.h. That allows the heimdal build to use our
   portability layer, and prevenets duplicate definitions of functions
   like strlcat()

 - if you do enable heimdal, then you will need to do 'make
   HEIMDAL_EXTERNAL' before you build Samba. That should be fixed once
   I explain the problem to jelmer (the problem is the inability to
   set a depend without also dragging in the object list of the
   dependency. We need this for building the heimdal asn1 compiler and
   et compiler.

 - disabled all of the m4 checks for external kerberos libraries. I
   left them in place in auth/kerberos/, but disabled it in
   configure.in

some of the heimdal_build/ code is still very rough, for example I
don't correctly detect the correct awk, flex, bison replacements for
heimdal_build/build_external.sh. I expect to fix that stuff up over
the next few days.
(This used to be commit d4648249b2)
2007-10-10 13:17:45 -05:00
Andrew Bartlett
8107bdec7b r7306: Use a consistant #define for detecting support for the Heimdal krb5
log redirection code.

Andrew Bartlett
(This used to be commit 93335d587d)
2007-10-10 13:17:39 -05:00
Stefan Metzmacher
2c499fe5aa r7303: autodetect the libkdc and our kdc support
btw: I use this for configuring heimdal

>>>
CONFIG="CFLAGS=\"-g -O -Wall -Wstrict-prototypes -Wpointer-arith -Wcast-align -Wwrite-strings -Wdeclaration-after-statement\" \
	CC=gcc-4.0 \
	./configure -C --prefix=$HOME/prefix/heimdal-test \
	--sysconfdir=/etc \
	--enable-shared=no \
	--with-ldb=$HOME/prefix/ldb \
	--without-openldap \
	--without-openssl $@"

echo $CONFIG
eval $CONFIG
>>>

maybe you also want to use --disable-berkeley-db

metze
(This used to be commit 2aec140e00)
2007-10-10 13:17:39 -05:00
Andrew Bartlett
2e787b5b17 r7291: Additional notes on what we require from a kerberos implementation.
Andrew Bartlett
(This used to be commit a8d3493b6f)
2007-10-10 13:17:37 -05:00
Andrew Bartlett
e168c5fefa r7285: It appears that MIT Kerberos does not have the log redirection
facility that I'm using. This should let us compile the non-KDC
components on MIT again.

Andrew Bartlett
(This used to be commit ae9c2d2b54)
2007-10-10 13:17:36 -05:00
Andrew Bartlett
d26f46f72c r7270: A big revamp to the way we handle kerberos errors in Samba4. We now
fill in the function pointers to handle the logging, and catch all the
kerberos warnings. (Currently at level 3).

To avoid a memory leak, this requries a new function: krb5_freelog(),
which I've added to lorikeet/heimdal.

This also required a revamp to how we handle the krb5_context, so as
to make it easier to handle with talloc destructors.

Andrew Bartlett
(This used to be commit 63272794c4)
2007-10-10 13:17:34 -05:00
Andrew Bartlett
5112e38393 r7258: Fix the final linking error with libkdc - we need to link libhdb as well.
With this fix, I can request tickets from our built-in KDC!

Andrew Bartlett
(This used to be commit d7cd76013b)
2007-10-10 13:17:32 -05:00
Andrew Bartlett
7ea6543ce5 r7257: Ensure the error message can never be uninitialised.
Andrew Bartlett
(This used to be commit fdd964582a)
2007-10-10 13:17:32 -05:00
Andrew Bartlett
089b538163 r7241: The KDC almost links...
Using current lorikeet/heimdal, and with the KDC module enabled (it is
disabled by default), I almost get the KDC to link.

(To enable the KDC for testing, comment out the only line in
smbd/config.m4, and add 'kdc' to the 'server services' line in
smb.conf).
(This used to be commit 26cd4b4f68)
2007-10-10 13:17:30 -05:00
Andrew Bartlett
ab92b82d83 r6882: Put in configure tests and #ifdef to keep Samba building on older Heimdal.
Andrew Bartlett
(This used to be commit f2e9261925)
2007-10-10 13:16:54 -05:00
Andrew Bartlett
e29cb65a90 r6819: More notes on krb5 requirements
Andrew Bartlett
(This used to be commit dbd8459987)
2007-10-10 13:16:47 -05:00
Tim Potter
d441930987 r6810: Rename auth/{ntlmssp,gensec,kerberos} mk and m4 files to be called
config.mk and config.m4 to be consistent with the rest of Samba.
(This used to be commit f377c71e4f)
2007-10-10 13:16:46 -05:00
Jelmer Vernooij
3184d47c42 r6805: Remove two remaining references to gensec_gsskrb5
(This used to be commit a02e077397)
2007-10-10 13:16:45 -05:00
Andrew Bartlett
1d0e2b9569 r6803: Try to bring in the correct GSSAPI headers for the krb5 mech. This
should allow us to ditch the local static storage for OIDs, as well as
fix the build on non-heimdal platforms.

Andrew Bartlett
(This used to be commit a7e2ecfac9)
2007-10-10 13:16:45 -05:00
Andrew Bartlett
c71a11c7ad r6801: It appears that krb5_make_principal, while convenient, is not portable.
Andrew Bartlett
(This used to be commit c8e8fa129e)
2007-10-10 13:16:45 -05:00
Andrew Bartlett
5c6dd5e800 r6800: A big GENSEC update:
Finally remove the distinction between 'krb5' and 'ms_krb5'.  We now
don't do kerberos stuff twice on failure.  The solution to this is
slightly more general than perhaps was really required (as this is a
special case), but it works, and I'm happy with the cleanup I achived
in the process.  All modules have been updated to supply a
NULL-terminated list of OIDs.

In that process, SPNEGO code has been generalised, as I realised that
two of the functions should have been identical in behaviour.

Over in the actual modules, I have worked to remove the 'kinit' code
from gensec_krb5, and placed it in kerberos/kerberos_util.c.

The GSSAPI module has been extended to use this, so no longer requires
a manual kinit at the command line.  It will soon loose the
requirement for a on-disk keytab too.

The general kerberos code has also been updated to move from
error_message() to our routine which gets the Heimdal error string
(which may be much more useful) when available.

Andrew Bartlett
(This used to be commit 0101728d8e)
2007-10-10 13:16:45 -05:00
Rafal Szczesniak
2c08639e02 r6797: Typo fix.
rafal
(This used to be commit 0f9a2aef6c)
2007-10-10 13:16:44 -05:00
Jelmer Vernooij
5b18cf2268 r6795: Make some functions static and remove some unused ones.
(This used to be commit 46509eb899)
2007-10-10 13:16:44 -05:00
Simo Sorce
51b0f62b8f r6794: spellfix
(This used to be commit f5956d1501)
2007-10-10 13:16:44 -05:00
Andrew Bartlett
4f9fa5a81d r6791: My early notes on the particular things I have discovered as I learn
kerberos, and how Microsoft constructs their kerberos implementation.

Andrew Bartlett
(This used to be commit 5fa9be75d9)
2007-10-10 13:16:43 -05:00
Andrew Bartlett
8b2eb02d15 r6727: One more step down the long march to the 'Kerberos domain join'.
This patch allows a suitably patched Heimdal GSSAPI library (detected
in configure) to supply to us the session keys, and further compleats
the gensec_gssapi module.  This is tested for CIFS, but fails for LDAP
at this point (that is what I'll work on next).

We currently fill out the 'session info' from the SAM, like
gensec_krb5 does, but both will need to use the PAC extraction
functions in the near future.

Andrew Bartlett
(This used to be commit 937ee36161)
2007-10-10 13:16:38 -05:00
Andrew Bartlett
369c53ccf4 r6711: Clarify that we are dealing with a salting principal in the kerberos
code, which is certainly not in the form of machine$.

Rework the default salt to match what I just added to the heimdal
server (Samba4 is back on speaking terms with lorikeet heimdal now),
from Luke Howard's post to samba-technical in Nov 2004.

Now to test compatability with MS...

Andrew Bartlett
(This used to be commit d719a0093b)
2007-10-10 13:16:37 -05:00
Stefan Metzmacher
34ae3b1604 r6703: fix the build
metze
(This used to be commit 333f9bdf58)
2007-10-10 13:16:36 -05:00
Andrew Bartlett
a21b7de463 r6701: Updates to our server-side ticket verification code, we now use the
client credentials code to read the secrets.ldb.

Also clean up error handling, and ensure to always set the
last_error_message stuff.

Andrew Bartlett
(This used to be commit 435d229e5d)
2007-10-10 13:16:36 -05:00
Tim Potter
cba367d001 r6521: Include system/network.h to fix compiler warning.
(This used to be commit 45383f6cec)
2007-10-10 13:16:22 -05:00
Tim Potter
932803d3ce r6359: Fix compiler warning with struct sockaddr. I'm sure I fixed this a few
weeks ago - weird.
(This used to be commit 1738761d89)
2007-10-10 13:11:34 -05:00