1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

59 Commits

Author SHA1 Message Date
Günther Deschner
eae33e96fc s3-krb5: use and request AES keys in kerberos operations.
Guenther
2012-10-02 16:22:31 +02:00
Jeremy Allison
526e875cec Check error returns from strupper_m() (in all reasonable places). 2012-08-09 12:06:54 -07:00
Günther Deschner
3583419b98 s3-libads: pretty print a keytab list.
Guenther
2012-01-09 10:34:06 +01:00
Andrew Bartlett
74eed8f3ed s3-param Remove special case for global_myname(), rename to lp_netbios_name()
There is no reason this can't be a normal constant string in the
loadparm system, now that we have lp_set_cmdline() to handle overrides
correctly.

Andrew Bartlett
2011-06-09 12:40:09 +02:00
Günther Deschner
6768b65123 s3-waf: try to fix the non-ldap-but-krb5 build.
Guenther
2011-04-15 12:37:55 +02:00
Günther Deschner
bf3912be46 s3-libads: avoid crashing in ads_keytab_list().
Heimdal's krb5_kt_start_seq_get() will leave a non 0 fd in the krb5_kt_cursor
struct when it cannot find a given keytab.

Guenther
2010-08-31 23:17:39 +02:00
Simo Sorce
cbe9f879af s3-ads: Fix wrong test in if statement 2010-08-19 11:28:12 -04:00
Simo Sorce
1ab17f13a2 s3-ads: Remove unused wrapper and make function static 2010-08-18 09:37:56 -04:00
Simo Sorce
71dfa62b61 s3-ads: cleanup ads_keytab_list() 2010-08-18 07:47:10 -04:00
Simo Sorce
64d8300a56 s3-ads: cleanup ads_keytab_create_default() 2010-08-18 07:47:10 -04:00
Simo Sorce
3a9912370d s3-ads: cleanup ads_keytab_add_entry() 2010-08-18 07:47:10 -04:00
Simo Sorce
d6d1ed8bdf s3-ads: Split, simplify and cleanup keytab functions
add helper function for both smb_krb5_kt_add_entry_ext() and
ads_keytab_flush()
2010-08-18 07:47:09 -04:00
Andrew Bartlett
71d80e6be0 s3-krb5 Only build ADS support if arcfour-hmac-md5 is available
Modern Kerberos implementations have either defines or enums for these
key types, which makes doing #ifdef difficult.  This shows up in files
such as libnet_samsync_keytab.c, the bulk of which is not compiled on
current Fedora 12, for example.

The downside is that this makes Samba unconditionally depend on the
arcfour-hmac-md5 encryption type at build time.  We will no longer
support libraries that only support the DES based encryption types.
However, the single-DES types that are supported in common with AD are
already painfully weak - so much so that they are disabled by default
in modern Kerberos libraries.

If not found, ADS support will not be compiled in.

This means that our 'net ads join' will no longer set the
ACB_USE_DES_KEY_ONLY flag, and we will always try to use
arcfour-hmac-md5.

A future improvement would be to remove the use of the DES encryption
types totally, but this would require that any ACB_USE_DES_KEY_ONLY
flag be removed from existing joins.

Andrew Bartlett

Signed-off-by: Simo Sorce <idra@samba.org>
2010-08-13 09:08:27 -04:00
Günther Deschner
c136b84f0d s3-secrets: only include secrets.h when needed.
Guenther
2010-08-05 10:12:25 +02:00
Günther Deschner
e7a6a3ec0d s3: avoid global include of ads.h.
Guenther
2010-08-05 00:32:02 +02:00
Günther Deschner
04f8c229de s3-kerberos: only use krb5 headers where required.
This seems to be the only way to deal with mixed heimdal/MIT setups during
merged build.

Guenther
2009-11-27 16:36:00 +01:00
Andrew Bartlett
574a6a8c35 s3:kerberos Rework smb_krb5_unparse_name() to take a talloc context
Signed-off-by: Günther Deschner <gd@samba.org>
2009-04-07 13:25:36 +02:00
Jeremy Allison
1966a947d3 More asprintf warning fixes.
Jeremy.
2008-12-23 11:56:48 -08:00
Günther Deschner
c554080dd9 s3-net: allow to list a keytab generated using net rpc vampire.
Guenther
2008-12-02 12:59:22 +01:00
Günther Deschner
bff20e14c3 kerberos: use KRB5_KT_KEY macro where appropriate.
Guenther
(This used to be commit a042dffd71)
2008-08-29 11:01:34 +02:00
Jeremy Allison
d701d23b60 Fix uninitialized variables.
Jeremy.
(This used to be commit 1db7e00a54)
2008-07-30 16:06:30 -07:00
Günther Deschner
c11fb13864 kerberos: make smb_krb5_kt_add_entry() static.
Guenther
(This used to be commit 04b1847f87)
2008-07-18 16:42:55 +02:00
Günther Deschner
16e44ee112 kerberos: allow to keep entries with old kvno's while creating keytab.
Guenther
(This used to be commit 6194244bd9)
2008-06-30 12:38:40 +02:00
Günther Deschner
52635c6f58 kerberos: rename smb_krb5_kt_add_entry to smb_krb5_kt_add_entry_ext.
Guenther
(This used to be commit 48600a0019)
2008-06-30 12:38:32 +02:00
Günther Deschner
0ac8c5d49a kerberos: make smb_krb5_kt_add_entry public, allow to pass keys without salting them.
Guenther
(This used to be commit 7c4da23be1)
2008-06-24 23:34:05 +02:00
Günther Deschner
0447e6a0a7 libads: add ads_get_machine_kvno() to make ads_get_kvno() a bit more generic.
Guenther
(This used to be commit cb7ace209c)
2008-06-17 19:54:09 +02:00
Jeremy Allison
30191d1a57 RIP BOOL. Convert BOOL -> bool. I found a few interesting
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
(This used to be commit f35a266b3c)
2007-10-18 17:40:25 -07:00
Andrew Tridgell
5e54558c6d r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text
(This used to be commit b0132e94fc)
2007-10-10 12:28:22 -05:00
Jeremy Allison
d824b98f80 r23779: Change from v2 or later to v3 or later.
Jeremy.
(This used to be commit 407e6e695b)
2007-10-10 12:28:20 -05:00
Günther Deschner
110e420196 r23651: Always, always, always compile before commit...
Guenther
(This used to be commit accb40446a)
2007-10-10 12:23:41 -05:00
Günther Deschner
3b1956f9d2 r23650: Fix remaining callers of krb5_kt_default().
Guenther
(This used to be commit b9d7a2962a)
2007-10-10 12:23:41 -05:00
Günther Deschner
a248672932 r23649: Fix the build (by moving smb_krb5_open_keytab() to clikrb5.c).
Guenther
(This used to be commit 19020d19dc)
2007-10-10 12:23:41 -05:00
Günther Deschner
a2618aa8d5 r23648: Allow to list a custom krb5 keytab file with:
net ads keytab list /path/to/krb5.keytab

Guenther
(This used to be commit a2befee3f2)
2007-10-10 12:23:41 -05:00
Günther Deschner
df63172ad9 r23646: Generalize our internal keytab handling to support a broader range of default
keytabnames (like "ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab"). This also
fixes keytab support with Heimdal (which supports the WRFILE pragma as well
now).

Guenther
(This used to be commit 7ca002f4cc)
2007-10-10 12:23:40 -05:00
Günther Deschner
1ee9650a1d r22479: Add "net ads keytab list".
Guenther
(This used to be commit 9ec76c5427)
2007-10-10 12:19:37 -05:00
Jeremy Allison
42b2ddec8f r21863: Fix debug messages with incorrect function name.
Jeremy.
(This used to be commit d432d81c83)
2007-10-10 12:18:39 -05:00
Günther Deschner
81e4a28718 r21561: It makes absolutely no sense to call krb5_kt_resolve() two times
directly after another.

Guenther
(This used to be commit 76ba11d777)
2007-10-10 12:18:13 -05:00
Gerald Carter
725cb5d7c9 r20486: Always upper case the "host/<sAMAccoutnName>" entry in the keytab file
so apps will know which one to look for,
(This used to be commit d4a5dc3ad5)
2007-10-10 12:16:52 -05:00
Gerald Carter
060b155cd2 r16952: New derive DES salt code and Krb5 keytab generation
Major points of interest:

* Figure the DES salt based on the domain functional level
  and UPN (if present and applicable)
* Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC
  keys
* Remove all the case permutations in the keytab entry
  generation (to be partially re-added only if necessary).
* Generate keytab entries based on the existing SPN values
  in AD

The resulting keytab looks like:

ktutil:  list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   2    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   3    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
   4    6           host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   5    6           host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   6    6           host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
   7    6               suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   8    6               suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   9    6               suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)

The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName)
and the sAMAccountName value.  The UPN will be added as well if the machine has
one. This fixes 'kinit -k'.

Tested keytab using mod_auth_krb and MIT's telnet.  ads_verify_ticket()
continues to work with RC4-HMAC and DES keys.
(This used to be commit 6261dd3c67)
2007-10-10 11:19:15 -05:00
Jeremy Allison
b68b05854f r15210: Add wrapper functions smb_krb5_parse_name, smb_krb5_unparse_name,
smb_krb5_parse_name_norealm_conv that pull/push from unix charset
to utf8 (which krb5 uses on the wire). This should fix issues when
the unix charset is not compatible with or set to utf8.
Jeremy.
(This used to be commit 37ab42afbc)
2007-10-10 11:16:28 -05:00
Jeremy Allison
ce8ad0c3b1 r5759: Patch from Doug VanLeuven <roamdad@sonic.net> to add more case/realm/name
permutations to the kerberos keytab.
Jeremy.
(This used to be commit c687e73f24)
2007-10-10 10:55:59 -05:00
Jeremy Allison
acf9d61421 r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f)
2007-10-10 10:53:32 -05:00
Jeremy Allison
5ee08e89bf r3502: Tidy up debugging in kerberos_keytab code.
Jeremy.
(This used to be commit 82651c1b17)
2007-10-10 10:53:08 -05:00
Jeremy Allison
917a53cc58 r3492: Fixes from testing kerberos salted principal fix.
Jeremy.
(This used to be commit b356a8fdc5)
2007-10-10 10:53:07 -05:00
Jeremy Allison
2d4725cfa6 r3381: More merging of the #1717 patch. Fixup some erroneous assumptions about
memcpy's into fqdn names. I think the original intent was to create
MYNAME.fqdn.tail.part.
Will need testing to see I haven't broken keytab support.
Jeremy.
(This used to be commit 82acf83040)
2007-10-10 10:53:05 -05:00
Jeremy Allison
cf47845b1c r3379: More merging of kerberos keytab and salting fixes from Nalin Dahyabhai <nalin@redhat.com>
(bugid #1717).
Jeremy.
(This used to be commit 30b8807cf6)
2007-10-10 10:53:05 -05:00
Jeremy Allison
12b0bd2aca r1373: Fix from Guenther Deschner <gd@sernet.de> to ensure last error return is not invalid.
Jeremy.
(This used to be commit 4bdf914cba)
2007-10-10 10:52:08 -05:00
Jeremy Allison
34f985c971 r1243: Fix so this compiles with Heimdal (in Heimdal krb5_kt_cursor is a struct not a pointer).
Jeremy.
(This used to be commit 940f893d48)
2007-10-10 10:52:02 -05:00
Jeremy Allison
2b76b28932 r1236: Heimdal fixes from Guenther Deschner <gd@sernet.de>, more to come before
it compiles with Heimdal.
Jeremy.
(This used to be commit dd07278b89)
2007-10-10 10:52:01 -05:00
Jeremy Allison
7825677b86 r1222: Valgrind memory leak fixes. Still tracking down a strange one...
Can't fix the krb5 memory leaks inside that library :-(.
Jeremy.
(This used to be commit ad440213aa)
2007-10-10 10:52:00 -05:00