1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Commit Graph

83 Commits

Author SHA1 Message Date
Stefan Metzmacher
6257003dff s4:auth: fill user_principal_* and dns_domain_name in authsam_make_user_info_dc()
This is required in order to support netr_SamInfo6 and PAC_UPN_DNS_INFO
correctly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:26 +02:00
Stefan Metzmacher
92141c6b03 s4:kdc: add some const to samba_get_logon_info_pac_blob()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:23 +02:00
Günther Deschner
535035affc s4-kdc: PAC_GLUE does not depend on hdb anymore.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-30 10:24:26 +02:00
Günther Deschner
a7705ad060 s4-kdc: move kdc_check_pac() to a new subsystem KDC-GLUE.
This subsystem should be used to provide shared code between the s4 heimdal kdc
and the s4 heimdal wdc plugin.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-21 19:04:14 +02:00
Günther Deschner
38e5d8d4aa s4-kdc/pac_glue: remove old samba_kdc_build_edata_reply().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-21 19:04:14 +02:00
Günther Deschner
714862defd s4-kdc: pass down only a samba_kdc_entry to samba_krbtgt_is_in_db().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-03-27 01:26:16 +01:00
Günther Deschner
0501db1a67 s4-kdc: pass down only a samba_kdc_entry to samba_kdc_get_pac_blob().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-03-27 01:26:16 +01:00
Günther Deschner
78c0cf292b s4-kdc: pass down only a samba_kdc_entry to samba_princ_needs_pac().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-03-27 01:26:16 +01:00
Günther Deschner
77ede580e9 lib/krb5_wrap: provide KRB5KDC_ERR_KEY_EXPIRED error code matching MIT.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-03-27 01:26:16 +01:00
Günther Deschner
6d6712fdde s4-kdc/pac_glue: only include required headers.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-03-20 23:25:54 +01:00
Günther Deschner
c5965c41ae s4-kdc/pac_glue: use ENCTYPE_ARCFOUR_HMAC just like in db_glue.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-03-20 23:25:54 +01:00
Günther Deschner
51191bd9d8 s4-kdc/pac_glue: use krb5_copy_data_contents in samba_make_krb5_pac().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-03-20 23:25:54 +01:00
Günther Deschner
97137347f3 s4-kdc/pac-glue: use kerberos_free_data_contents().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-03-20 23:25:53 +01:00
Jelmer Vernooij
890485bd17 heimdal: Cope with newer Heimdal versions accepting a keyset argument to
hdb_enctype2key.

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Mon May  7 18:33:10 CEST 2012 on sn-devel-104
2012-05-07 18:33:10 +02:00
Simo Sorce
70c303a7f3 auth-krb: Move pac related util functions in a single place.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:43 +02:00
Andrew Bartlett
b69c40ffce auth/kerberos: Remove unused TALLOC_CTX argument to check_pac_checksum 2012-01-12 18:02:54 +11:00
Andrew Bartlett
49f8113fab s4-kdc Do the KDC PAC checksum validation in the Samba plugin
Here we can fetch the right key, and check if the PAC is likely to be signed by a key that
we know.  We cannot check the KDC signature on incoming trusts.

Andrew Bartlett
2012-01-12 18:02:54 +11:00
Simo Sorce
6bed57788c pac: Fix wrong memory allocation check
Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Tue Oct 11 01:18:22 CEST 2011 on sn-devel-104
2011-10-11 01:18:22 +02:00
Stefan Metzmacher
73b1e1466c s4:kdc: generate the S4U_DELEGATION_INFO in the regenerated pac
metze
2011-06-28 19:23:43 +02:00
Jelmer Vernooij
a68b59e9a6 source4/kdc: Fix prototypes for all functions. 2011-03-19 03:20:05 +01:00
Andrew Tridgell
8dc92c8f71 ldb: use #include <ldb.h> for ldb
thi ensures we are using the header corresponding to the version of
ldb we're linking against. Otherwise we could use the system ldb for
link and the in-tree one for include

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-10 06:51:07 +01:00
Andrew Bartlett
a2ce53c1f5 s4-auth Rework auth subsystem to remove struct auth_serversupplied_info
This changes auth_serversupplied_info into the IDL-defined struct
auth_user_info_dc.  This then in turn contains a struct
auth_user_info, which is the only part of the structure that is
mainted into the struct session_info.

The idea here is to avoid keeping the incomplete results of the
authentication (such as session keys, lists of SID memberships etc) in
a namespace where it may be confused for the finalised results.

Andrew Barltett
2011-02-09 01:11:06 +01:00
Matthias Dieter Wallnöfer
136a5d7a26 s4:kdc/*.c - minimise includes
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Dec 12 15:20:46 CET 2010 on sn-devel-104
2010-12-12 15:20:46 +01:00
Andrew Bartlett
a32ade647d s4-kdc Don't always regenerate the PAC
The PAC was being regenerated on all normal DCs, because they don't
have a msDS-SecondaryKrbTgtNumber attribute.  Instead we need to check
if it's set and not equal to our RODC number, allowing RODCs to trust
the full DCs and itself, but not other RODCs.

Andrew Bartlett
2010-11-15 23:17:05 +00:00
Andrew Tridgell
e26609b667 s4-kdc: rename kdc/kdc.h to kdc/kdc-glue.h
kdc.h conflicts with a heimdal header name
2010-11-12 18:18:55 +11:00
Matthias Dieter Wallnöfer
0e5b77bec4 s4:kdc - use "userAccountControl" always unsigned
It doesn't change much but it's nicer to have it consistent.
2010-10-05 08:43:19 +00:00
Andrew Bartlett
990720b8cd s4-kdc Add function to determine if a hdb entry is a RODC
This is important, as we must ignore the PAC from an RODC.

Andrew Bartlett
2010-09-29 04:23:07 +10:00
Andrew Tridgell
6b266b85cf s4-loadparm: 2nd half of lp_ to lpcfg_ conversion
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-16 18:24:27 +10:00
Jelmer Vernooij
f9ca9e46ad Finish removal of iconv_convenience in public API's. 2010-05-18 11:45:30 +02:00
Marcel Ritter
6be72df736 Simple fix to prevent crash for non-pac principals
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-04-27 16:41:51 +10:00
Simo Sorce
489f78d19e s4:kdc make function static 2010-02-25 13:01:14 -05:00
Simo Sorce
b116d4e5b9 s4:kdc Streamline client access verification call
Move the core to pac-glue so that other plugins can use it.
2010-01-31 13:25:17 -05:00
Simo Sorce
a097527ab7 s4:kdc Use a clearer name for the samba kdc entry
Renames hdb_samba4_private to samba_kdc_entry
Streamlines members of the entry and the kdc db contextto avoid
unnecessary duplication.
2010-01-28 19:33:34 -05:00
Simo Sorce
b63b9bcd42 s4:windc move windc plugin in its own file
Keep all heimdal related plugin code within wdc-samba4.c
Leave only interfaces common to multiple plugins in pac-glue.c
2010-01-27 14:03:06 -05:00
Simo Sorce
1f2e9e90bd s4:PAC make common functions public 2010-01-27 14:03:06 -05:00
Simo Sorce
82a80b7f71 s4:PAC Streamline pac-glue step 2
Split functions so that no assumption is made about which plugin
is using them
2010-01-27 14:03:06 -05:00
Simo Sorce
85e3561dc9 s4:PAC Streamline pac-glue
First step, preparing to share the code between multiple plugins.
2010-01-27 14:03:06 -05:00
Simo Sorce
67d1af4384 s4:cleanups More trailing spaces and tabs 2009-12-23 15:17:56 -05:00
Andrew Bartlett
47a7a2e442 s4:kerberos Add 'net export keytab' command for wireshark decryption
It is much easier to do decryption with wireshark when the keytab is
available for every host in the domain.  Running 'net export keytab
<keytab name>' will export the current (as pointed to by the supplied
smb.conf) local Samba4 doamin.

(This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4,
and so has a good chance of keeping working in the long term).

Andrew Bartlett
2009-07-28 08:52:43 +10:00
Andrew Bartlett
afb6ac247b s4:kdc Tidy up hdb_samba4 some more
This removes the last use of the prefix hdb_ldb and makes it clear
that we pass in 3 global variables to get state information into
hdb_samba4 when used as a keytab.  (And that they belong to
hdb_samba4, not to the KDC)

Andrew Bartlett
2009-07-27 22:41:41 +10:00
Günther Deschner
8db45607f8 libds: share UF_ flags between samba3 and 4.
Guenther
2009-07-13 15:36:06 +02:00
Andrew Bartlett
19413c5249 s4:kdc Allow a password change when the password is expired
This requires a rework on Heimdal's windc plugin layer, as we want
full control over what tickets Heimdal will issue.  (In particular, in
case our requirements become more complex in future).

The original problem was that Heimdal's check would permit the ticket,
but Samba would then deny it, not knowing it was for kadmin/changepw

Also (in hdb-samba4) be a bit more careful on what entries we will
make the 'change_pw' service mark that this depends on.

Andrew Bartlett
2009-06-18 13:49:30 +10:00
Andrew Bartlett
6ef65389fd Don't use crossRef records to find our own domain
A single AD server can only host a single domain, so don't stuff about
with looking up our crossRef record in the cn=Partitions container.
We instead trust that lp_realm() and lp_workgroup() works correctly.

Andrew Bartlett
2009-05-26 12:37:09 +10:00
Stefan Metzmacher
15239f742c s4:kdc: avoid c++ reserved word 'private'
metze
2009-02-01 00:17:19 +01:00
Stefan Metzmacher
180245fce0 s4:kdc: allow a trusted domain to get kerberos tickets
metze
2008-12-04 15:45:16 +01:00
Jelmer Vernooij
23302413b3 Remove unused include param/param.h. 2008-10-24 16:37:56 +02:00
Andrew Bartlett
c79dff2e9b Heimdal provides Kerberos PAC parsing routines. Use them.
This uses Heimdal's PAC parsing code in the:
 - LOCAL-PAC test
 - gensec_gssapi server
 - KDC (where is was already used, the support code refactored from here)

In addition, the service and KDC checksums are recorded in the struct
auth_serversupplied_info, allowing them to be extracted for validation
across NETLOGON.

Andrew Bartlett
(This used to be commit 418b440a7b)
2008-08-28 16:28:47 +10:00
Stefan Metzmacher
d0a8c05cb2 kdc/pac-glue: pull/push the logon_info via the PAC_INFO union
This prepares the next commit...

metze
(This used to be commit 7d297f7fb7)
2008-08-20 15:23:02 +02:00
Stefan Metzmacher
71ce9975fa kdc: we don't need any *_locl.h header from heimdal in the kdc
metze
(This used to be commit feca16dd6d)
2008-06-04 15:39:17 +02:00
Andrew Bartlett
a08e951eb8 Remove unused variable.
(This used to be commit 1de21f5fdd)
2008-03-19 11:15:04 +11:00