sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Code
115,963 Commits 60 Branches 1,144 Tags 452 MiB
47cebbe215
Commit Graph

728 Commits

Author SHA1 Message Date
Andreas Schneider
13661b6fb0 s4-kdc: Move definitions to kdc-server.h 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2016-06-18 23:32:26 +02:00
Andreas Schneider
cafd2d365a s4-kdc: Use better and simpler names for the kdc_process_ret enum 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2016-06-18 23:32:26 +02:00
Andreas Schneider
0314796113 s4-kdc: Put the heimdal kdc config into a private data pointer 
This allows us to make the struct general useable.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2016-06-18 23:32:26 +02:00
Andreas Schneider
5ddfe5ecd3 s4-kdc: Use smb_krb5_mk_error() in kpasswd implementation 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2016-06-18 23:32:26 +02:00
Andreas Schneider
c5a02e81ea s4-kdc: Use smb_krb5_mk_error() in kdc implemenation 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2016-06-18 23:32:26 +02:00
Andreas Schneider
de88bfc770 s4-kdc: Rename heimdal KDC files 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2016-06-18 23:32:26 +02:00
Andreas Schneider
4aab5ba2ce mit_samba: Allow to use SPNs for AS-REQ 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Thu Jun  2 16:35:35 CEST 2016 on sn-devel-144
 2016-06-02 16:35:35 +02:00
Andreas Schneider
8267b2e186 mit_samba: Fix flags that we get a referral tickets 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-06-02 12:48:13 +02:00
Andreas Schneider
7019103bab mit_samba: Return 0 in case of a wrong realm 
The MIT KDC will deal with this correctly for us.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-06-02 12:48:13 +02:00
Andreas Schneider
7a1fd661b0 sdb: Do not create kmod information if we return early 
In case of a wrong realm in a cross forest trust we return early with
just the realm corrected. We need to parse a kdb entry but do not have
all information available. So skip creating the kmod.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-06-02 12:48:13 +02:00
Andreas Schneider
00267c9565 sdb: Fix NULL pointer deference if we return early 
If we return because of a wrong realm in a cross forest trust case, we
do not have a skdc_entry allocated.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-06-02 12:48:13 +02:00
Andreas Schneider
3d6e18f210 kdb: Do not allocate memory with size 0 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-06-02 12:48:13 +02:00
Andreas Schneider
84c4b91fc6 sdb: Do not set disallow if we do not have ticket info in the DB 
These things are applied by the incoming ticket by the KDC.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-06-02 12:48:13 +02:00
Ralph Boehme
3116e8d3be s4: add a minimal ktutil for selftest 
This minimalistic version of ktutil dumps all principal names and
encryption types from a keytab, eg:

./bin/samba4ktutil test.keytab
ktpassuser@HILLHOUSE.SITE (arcfour-hmac-md5)
ktpassuser@HILLHOUSE.SITE (aes256-cts-hmac-sha1-96)
ktpassuser@HILLHOUSE.SITE (aes128-cts-hmac-sha1-96)
ktpassuser@HILLHOUSE.SITE (des-cbc-md5)
ktpassuser@HILLHOUSE.SITE (des-cbc-crc)

This is all we need to run some tests against keytabs exported with
`samba-tool domain exportkeytab`.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2016-04-25 10:35:14 +02:00
Andreas Schneider
abfa8e335c mit-kdb: Add missing SDB_F_FOR_AS_REQ for AS requests 
This correctly handles enterprise principals and ticket renewal.

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 17 07:57:49 CET 2016 on sn-devel-144
 2016-03-17 07:57:49 +01:00
Andreas Schneider
859c625c82 mit-kdb: Fix segfault in krb5kdc dereferencing an invalid pointer 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:29 +01:00
Andreas Schneider
bb72aec13f mit-kdb: Add support for KDB version 8 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:29 +01:00
Andreas Schneider
b0f2165901 mit-kdb: Add support for bad password count 
This fixes the samba4.ldap.password_lockout.python test.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:29 +01:00
Günther Deschner
05cc9b0af9 mit-kdb: Restrict admin/changepw principal db_entry with some flags 
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:29 +01:00
Günther Deschner
b76cf191d9 mit-kdb: Return 0 in kdb_samba_db_put_principal() 
This allows the kadmin server to assume an update of a db_entry has
succeeded (while in fact the update_pwd call did the update already).

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:29 +01:00
Andreas Schneider
5a6819dbee mit-kdb: Implement KDB function to change passwords 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:29 +01:00
Günther Deschner
f5e86db147 mit-kdb: Use calloc to initialize master keylists. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:29 +01:00
Andreas Schneider
fab9fe0177 mit-kdb: Add ks_get_admin_principal() and use it for kadmin users. 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:29 +01:00
Andreas Schneider
5a4e3adbda mit-kdb: Add ks_create_principal(). 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:29 +01:00
Andreas Schneider
742b4c3da8 mit-kdb: Do not allow to get a kadmin ticket as a client. 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:28 +01:00
Andreas Schneider
e13e9c54f5 mit-kdb: Add more ks_is_kadmin* functions. 
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:28 +01:00
Günther Deschner
d787d35d97 mit-kdb: Use calloc so both authdata elements are zeroed 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:28 +01:00
Günther Deschner
1b6a085b7f mit-kdb: Do not overwrite the error code in failure case. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:28 +01:00
Andreas Schneider
ade958e20b mit-kdb: Add initial MIT KDB Samba driver 
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Simo Sorce <idra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Simo Sorce <idra@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:28 +01:00
Andreas Schneider
4865867f59 mit_samba: Setup logging to stdout 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:28 +01:00
Andreas Schneider
23c249a88b mit_samba: Add function for handling bad password count 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:28 +01:00
Andreas Schneider
9734b5d9ed mit_samba: Add functions to generate random password and salt. 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:28 +01:00
Andreas Schneider
909e7f9ff6 mit_samba: Add function to change the password 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:28 +01:00
Andreas Schneider
77cec013c3 mit_samba: Add ks_is_tgs_principal() 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:28 +01:00
Günther Deschner
859a6fba0b mit_samba: Use talloc_zero in mit_samba_context_init(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:28 +01:00
Andreas Schneider
597772dbd2 mit_samba: Directly pass the principal and kflags 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:28 +01:00
Andreas Schneider
33fcc76aa7 mit_samba: Make mit_samba a shim layer between Samba and KDB 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:27 +01:00
Günther Deschner
209d4b5b28 mit_samba: Use sdb in the mit_samba plugin 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:27 +01:00
Günther Deschner
6825a61b0b s4-kdc: Introduce a simple sdb_kdb shim layer 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:27 +01:00
Jelmer Vernooij
773cfba9af Avoid including libds/common/roles.h in public loadparm.h header. 
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-By: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Stefan Metzmacher <metze@samba.org>
 2016-01-13 04:43:23 +01:00
Douglas Bagnall
795f4729ca auth: keep track of lastLogon and lastLogonTimestamp 
lastLogon is supposed to be updated for every interactive or kerberos
login, and (according to testing against Windows2012r2) when the bad
password count is non-zero but the lockout time is zero. It is not
replicated.

lastLogonTimestamp is updated if the old value is more than 14 -
random.choice([0, 1, 2, 3, 4, 5]) days old, and it is replicated. The
14 in this calculation is the default, stored as
"msDS-LogonTimeSyncInterval", which we offer no interface for
changing.

The authsam_zero_bad_pwd_count() function is a convenient place to
update these values, as it is called upon a successful logon however
that logon is performed. That makes the function's name inaccurate, so
we rename it authsam_logon_success_accounting(). It also needs to be
told whet5her the login is interactive.

The password_lockout tests are extended to test lastLogon and
lasLogonTimestamp.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
 2015-12-15 00:08:57 +01:00
Andreas Schneider
78075cfcda waf: Add talloc as a dependency 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Aug  5 04:08:30 CEST 2015 on sn-devel-104
 2015-08-05 04:08:30 +02:00
Andreas Schneider
38d7617802 sdb: Assert if the HDB flags will change 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-08-05 01:05:15 +02:00
Andreas Schneider
ab08575405 hdb-samba: Translate SDB errors to HDB errors 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-08-05 01:05:15 +02:00
Günther Deschner
d49b4aafa8 s4-kdc: Use sdb in db-glue and hdb-samba4 
Guenther

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 30 13:29:27 CEST 2015 on sn-devel-104
 2015-07-30 13:29:27 +02:00
Günther Deschner
99d3719e7d s4-kdc: Introduce a simple sdb_hdb shim layer 
Guenther

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2015-07-30 10:24:26 +02:00
Günther Deschner
85a041bab5 s4-kdc: Introduce sdb a KDC backend abstraction 
Guenther

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2015-07-30 10:24:26 +02:00
Günther Deschner
535035affc s4-kdc: PAC_GLUE does not depend on hdb anymore. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2015-07-30 10:24:26 +02:00
Andreas Schneider
1c4dc00a5e s4-kdc: Use smb_krb5_principal_get_(type|realm) in db-glue 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2015-07-30 10:24:26 +02:00
Günther Deschner
ae607c0d05 s4-kdc_kpasswd: split out some code to a KPASSWD_GLUE subsystem. 
This can then be easier shared with MIT's kadmin services for kpasswd services.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2015-07-21 19:04:14 +02:00
Günther Deschner
a7705ad060 s4-kdc: move kdc_check_pac() to a new subsystem KDC-GLUE. 
This subsystem should be used to provide shared code between the s4 heimdal kdc
and the s4 heimdal wdc plugin.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2015-07-21 19:04:14 +02:00
Günther Deschner
1e64e720ae s4-kdc: only use a void* in samba_kdc_entry instead of hdb_entry_ex. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2015-07-21 19:04:14 +02:00
Günther Deschner
38e5d8d4aa s4-kdc/pac_glue: remove old samba_kdc_build_edata_reply(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2015-07-21 19:04:14 +02:00
Günther Deschner
893963cf78 s4-kdc/mit_samba: add a copy of samba_kdc_build_edata_reply for MIT. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2015-07-21 19:04:14 +02:00
Günther Deschner
402b0dab67 s4-kdc/wdc-samba4: add a copy of samba_kdc_build_edata_reply for Heimdal. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2015-07-21 19:04:14 +02:00
Andreas Schneider
52e6d91d34 waf: Make mit_samba a subsystem and do not build with Heimdal 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2015-07-21 19:04:14 +02:00
Andreas Schneider
81471560d9 s4-kdc: Fix a casting warning 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2015-07-21 19:04:14 +02:00
Andreas Schneider
17c8b1a821 s4-kdc: Fix a typo 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2015-07-21 19:04:14 +02:00
Stefan Metzmacher
aded6f6551 s4:dsdb/common: pass optional new_version to samdb_set_password_sid() 
For trust account we need to store version number provided by the client.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-07-08 18:38:21 +02:00
Stefan Metzmacher
839645d238 s4:kdc/db-glue: make use of dsdb_trust_search_tdo() 
dsdb_trust_search_tdo() is almost the same as sam_get_results_trust(),
so we can remove sam_get_results_trust() later.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-07-08 18:38:21 +02:00
Stefan Metzmacher
143b654ad2 s4:kdc/db-glue: implement cross forest routing by return HDB_ERR_WRONG_REALM 
We lookup the principal against our trust routing table
and return HDB_ERR_WRONG_REALM and the realm of the next trust hoop.

Routing within our own forest is not supported yet.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-07-08 18:38:21 +02:00
Stefan Metzmacher
3a14835d18 s4:kdc/db-glue: let samba_kdc_trust_message2entry always generate the principal 
We should always return the principal from the values stored in the database.
This also means we need to ignore a missing HDB_F_CANON.

This was demonstrated by running some new tests against windows.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-07-08 18:38:20 +02:00
Stefan Metzmacher
3943f02691 s4:kdc/db-glue: preferr the previous password for trust accounts 
If no kvno is specified we should return the keys with the lowest value.

For the initial value this means we return the current key with kvno 0 (NULL on
the wire). Later we return the previous key with kvno current - 1.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-07-08 18:38:20 +02:00
Stefan Metzmacher
f05c0bc639 s4:kdc/db-glue: allow invalid kvno numbers in samba_kdc_trust_message2entry() 
We should fallback to the current password if the trusted KDC used a wrong kvno.

After commit 6f8b868a29, we always have the
previous password filled. With the trust creation we typically don't
have a TRUST_AUTH_TYPE_VERSION in the current nor in the previous array.
This means current_kvno is 0. And now previous_kvno is 255.

A FreeIPA/MIT KDC uses kvno=1 in the referral ticket, which triggered
the 'Request for unknown kvno 1 - current kvno is 0' case.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-07-08 18:38:20 +02:00
Stefan Metzmacher
61de10240e s4:kdc/db-glue: allow principals in form of computer@EXAMPLE.COM 
This should be translated to computer$@EXAMPLE.COM.

Note the behavior differs between client and server lookup.
In samba_kdc_lookup_client() we need to fallback in case of
NO_SUCH_USER. samba_kdc_lookup_server() needs to do a single search
and only use the result if it's unique.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11130

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-06-24 01:03:16 +02:00
Stefan Metzmacher
ccb6495445 s4:kdc/db-glue: fix memory leak in samba_kdc_lookup_server() 
We need to free enterprise_principal if generated.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-06-24 01:03:16 +02:00
Stefan Metzmacher
14b6e0a599 s4:kdc/db-glue: samba_kdc_trust_message2entry() should use the normalized principal as salt 
smbclient //w2012r2-183.w2012r2-l4.base/netlogon -c 'ls' -k yes -Uadministrator@S4XDOM.BASE%A1b2C3d4
worked while
smbclient //w2012r2-183.w2012r2-l4.base/netlogon -c 'ls' -k yes -Uadministrator@s4xdom.base
failed, if aes keys are used across the trust.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Mar 27 04:02:05 CET 2015 on sn-devel-104
 2015-03-27 04:02:05 +01:00
Günther Deschner
4b12fcebaf s4-kdc/db_glue: avoid accessing private struct members when there are accessor funcs. 
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
e2eef86431 s4-kdc/db_glue: use smb_krb5_principal_set_type(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
ac23b7dd52 s4-kdc/db-glue: make sure to use smb_krb5_get_pw_salt and smb_krb5_create_key_from_string. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
cebecffd98 s4-kdc/db-glue: use smb_krb5_principal_get_comp_string in dbglue. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
2a0e2dd52a s4-kdc/db-glue: use principal_comp_str{case}cmp. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
6d6e411fb8 s4-kdc/db-glue: add principal_comp_str{case}cmp 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
714862defd s4-kdc: pass down only a samba_kdc_entry to samba_krbtgt_is_in_db(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
0501db1a67 s4-kdc: pass down only a samba_kdc_entry to samba_kdc_get_pac_blob(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
78c0cf292b s4-kdc: pass down only a samba_kdc_entry to samba_princ_needs_pac(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
ba1838300c s4-kdc/db_glue: pass down only a samba_kdc_entry to samba_kdc_check_s4u2proxy(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
f4b087b483 s4-kdc/db_glue: pass down only a samba_kdc_entry to samba_kdc_check_pkinit_ms_upn_match(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
7afd9e6aca s4-kdc/db_glue: pass down only a samba_kdc_entry to samba_kdc_check_s4u2self(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
1afd3d3262 s4-kdc: build some kdc components only for Heimdal KDCs. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
77ede580e9 lib/krb5_wrap: provide KRB5KDC_ERR_KEY_EXPIRED error code matching MIT. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
9a0263a7c3 s4-kdc/db_glue: workaround different CLIENT_NAME_MISMATCH error codes. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Andreas Schneider
a9bcc86504 kdc-db-glue: Remove unused code. 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:54 +01:00
Andreas Schneider
b21b2d596e kdc-db-glue: Do not allocate memory for the principal 
The function we are calling already allocate memory.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:54 +01:00
Andreas Schneider
aa1431e53f kdc-db-glue: Fix memory cleanup to avoid crashes. 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:54 +01:00
Andreas Schneider
6ada266dcf kdc-db-glue: Fix function format of samba_kdc_message2entry() 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:54 +01:00
Andreas Schneider
b9072d9741 kdc-db-glue: Fix a NULL pointer dereference. 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:54 +01:00
Günther Deschner
13cd1d5c58 s4-kdc/db_glue: bad idea to free parent mem_ctx when sub function got a failure. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:54 +01:00
Günther Deschner
6d6712fdde s4-kdc/pac_glue: only include required headers. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:54 +01:00
Günther Deschner
c5965c41ae s4-kdc/pac_glue: use ENCTYPE_ARCFOUR_HMAC just like in db_glue. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:54 +01:00
Günther Deschner
e49802a02d s4-kdc/db-glue: use krb5_copy_data_contents in samba_kdc_message2entry_keys(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:54 +01:00
Günther Deschner
51191bd9d8 s4-kdc/pac_glue: use krb5_copy_data_contents in samba_make_krb5_pac(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:54 +01:00
Günther Deschner
c5eb9b388e s4-kdc/db_glue: use KRB5_PW_SALT instead of hdb type. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:54 +01:00
Günther Deschner
683ba8a09d s4-kdc/db_glue: use smb_krb5_principal_get_type() to access private members 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:54 +01:00
Günther Deschner
3ee26c43b9 s4-kdc/db_glue: use KRB5_KEY_TYPE to access private key members. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:54 +01:00
Günther Deschner
0163c9403e s4-kdc/db_glue: use time_t directly instead of KerberosTime. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:54 +01:00
Günther Deschner
668f1e9ab0 s4-kdc/db_glue: use krb5_principal_get_comp_string() to access members of private structs. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:53 +01:00
Günther Deschner
75602bf1ae s4-kdc/db_glue: use krb5_princ_size() instead of inspecting private structs. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:53 +01:00
Günther Deschner
10a06fcd55 s4-kdc/db_glue: use smb_krb5_principal_get_realm(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:53 +01:00
Stefan Metzmacher
8b2cada705 s4:kdc/db-glue: pass a valid principal from samba_kdc_seq() to samba_kdc_message2entry() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2015-03-20 23:25:53 +01:00
Günther Deschner
463be9f676 s4-kdc/db_glue: use smb_krb5_principal_set_realm(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:53 +01:00
Günther Deschner
b705ec95d4 s4-kdc/db_glue: use krb5_copy_principal(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:53 +01:00
Günther Deschner
7296f1b2f5 s4-kdc/db_glue: use smb_krb5_make_principal(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:53 +01:00
Günther Deschner
2b29bfe62a s4-kdc/db_glue: use smb_krb5_keyblock_init_contents(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:53 +01:00
Günther Deschner
07edd10ba5 s4-kdc/db_glue: no need to include kdc/kdc-glue.h header here. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:53 +01:00
Günther Deschner
2f6cdbbb90 s4-kdc/db_glue: no need to NULL entry_ex->entry.generation. 
The whole entry_ex->entry struct is initialized already.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:53 +01:00
Günther Deschner
b74413b339 s4-kdc/db_glue: remove unused hdb_entry_ex from samba_kdc_seq(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:53 +01:00
Günther Deschner
d82388501f s4-kdc/db_glue: fix Debug messages. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:53 +01:00
Günther Deschner
97137347f3 s4-kdc/pac-glue: use kerberos_free_data_contents(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-20 23:25:53 +01:00
Stefan Metzmacher
8421c403e2 s4:kdc: fix realm for outgoing trusts in samba_kdc_trust_message2entry() 
This is a regression introduced in commit
8dd37327b0.

Now we change 'realm' before calling
ret = krb5_principal_set_realm(context, entry_ex->entry.principal, realm);
as before commit 8dd37327b0.

Without this we'd set entry_ex->entry.principal to
krbtgt/DOMA.EXAMPLE.COM@DOMA.EXAMPLE.COM instead
of krbtgt/DOMA.EXAMPLE.COM@DOMB.EXAMPLE.COM,
while we use krbtgt/DOMA.EXAMPLE.COM@DOMB.EXAMPLE.COM as
salt for the keys.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Mar 18 18:56:51 CET 2015 on sn-devel-104
 2015-03-18 18:56:51 +01:00
Andrew Bartlett
7f5740f342 kdc: Ensure we cope with a samAccountName with a space in it 
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2015-03-12 17:13:42 +01:00
Andrew Bartlett
a1ddee8d2f kdc: Fix S4U2Self handling with KRB5_NT_ENTERPRISE_PRINCIPAL containing a UPN 
This is now handled properly by samba_kdc_lookup_server() and this wrapper actually
breaks things.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-09 09:35:05 +01:00
Andrew Bartlett
f32564d643 kdc: make Samba KDC pass new TGS-REQ and AS-REQ (to self) testing 
This also reverts 51b94ab3fd as our
testing shows Windows 2012R2 does not have this behaviour.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
 2015-02-08 08:07:07 +01:00
Andrew Bartlett
01c6991d36 kdc: fixup KDC to use functions portable to MIT krb5 
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
 2015-02-08 08:07:07 +01:00
Andrew Bartlett
c1819f5fd1 kdc: Correctly return the krbtgt/realm@REALM principal from our KDC 
This needs to vary depending on if the client requested the canonicalize flag

This was found by our new krb5.kdc test

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
 2015-01-23 05:42:08 +01:00
Andrew Bartlett
69fb2a7616 kdc: Add TODO to remind us where we need to hook for RODC to get secrets 
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
 2015-01-23 05:42:08 +01:00
Andrew Bartlett
9fc3f1e3d6 kdc: Fix Samba's KDC to only change the principal in the right cases 
If we are set to canonicalize, we get back the fixed UPPER
case realm, and the real username (ie matching LDAP
samAccountName)

Otherwise, if we are set to enterprise, we
get back the whole principal as-sent

Finally, if we are not set to canonicalize, we get back the
fixed UPPER case realm, but the as-sent username

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
 2015-01-23 05:42:08 +01:00
Andrew Bartlett
86021a081f kdc: Fix enterpise principal name handling 
Based on a patch by Samuel Cabrero <scabrero@zentyal.com>

This ensures we write the correct (implict, samAccountName) based UPN into
the ticket, rather than the userPrincipalName, which will have a different
realm.

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
 2015-01-23 05:42:08 +01:00
Stefan Metzmacher
01c02340c1 s4:kdc/db-glue: fix supported_enctypes samba_kdc_trust_message2entry() 
This avoids writing invalid memory, because num_keys was calculated
in a wrong way...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2015-01-21 14:56:07 +01:00
Stefan Metzmacher
8dd37327b0 s4:kdc: add aes key support for trusted domains 
We have a look at "msDS-SupportedEncryptionTypes" and >= DS_DOMAIN_FUNCTION_2008

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Dec 19 15:39:40 CET 2014 on sn-devel-104
 2014-12-19 15:39:40 +01:00
Stefan Metzmacher
4bb9aca900 s4:kdc: remove unused allow_warnings=True for 'MIT_SAMBA' 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2014-11-25 07:25:45 +01:00
Stefan Metzmacher
e5e5c22353 s4:kdc: comment out unused code in db-glue.c 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2014-11-25 07:25:45 +01:00
Andrew Bartlett
3fc5b2269b Fix commented out code in kpasswd server to use correct function 
The fix in ac2d31e24c picked the wrong function name.  This is meant
to be the remote address, not the local one, if we ever have to re-instate this code.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2014-09-27 01:35:36 +02:00
Andrew Bartlett
80be6993c9 auth: Split out fetching trusted domain into sam_get_results_trust() 
This new helper function will also be used by pdb_samba_dsdb.

Change-Id: I008af94a0822012c211cfcc6108a8b1285f4d7c7
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2014-09-01 00:36:42 +02:00
Jeremy Allison
463311422c s3/s4: smbd, rpc, ldap, cldap, kdc services. 
Allow us to start if we bind to *either* :: or 0.0.0.0.

Allows us to cope with systems configured as only IPv4
or only IPv6.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-By: Amitay Isaacs <amitay@gmail.com>
Reviewed-By: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jun  7 01:01:44 CEST 2014 on sn-devel-104
 2014-06-07 01:01:43 +02:00
Andrew Bartlett
086c06e361 kerberos: Remove un-used event context argument from smb_krb5_init_context() 
The event context here was only specified in the server or admin-tool
context, which does not do network communication, so this only caused
a talloc_reference() and never any useful result.

The actual network communication code sets an event context directly
before making the network call.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Apr 28 02:24:57 CEST 2014 on sn-devel-104
 2014-04-28 02:24:57 +02:00
Andrew Bartlett
752b817365 kdc: call authsam_zero_bad_pwd_count on successful AS-REQ 
Change-Id: I91bb663dcf1b1033cf756a860404c677e4ac4ade
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2014-04-02 17:12:47 +02:00
Andrew Bartlett
997e120f66 kdc: Include values from msDS-User-Account-Control-Computed when checking user flags 
Change-Id: I27280d7dd139c6c65dddac611dbdcd7e518ee536
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2014-04-02 17:12:47 +02:00
Andrew Bartlett
10cbd5e430 kdc: Set flags.locked_out on a locked-out user. 
This only changes the log output, the same error is still returned

Change-Id: Id3c13e9373140c276783e5bd288f29de2bf4a45d
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2014-04-02 17:12:47 +02:00
Andrew Bartlett
3f07737fd4 s4:auth: Add password lockout support to the AD DC 
Including a fix by Arvid Requate <requate@univention.de>

Change-Id: I25d10da50dd6119801cd37349cce970599531c6b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2014-04-02 17:12:46 +02:00
Andrew Bartlett
a0de929009 dsdb: Put password lockout support in samdb_result_passwords() 
This seems to be the best choke point to check for locked out
accounts, as aside from the KDC, all the password authentication and
change callers use it.

Andrew Bartlett

Change-Id: I0f21a79697cb8b08ef639445bd05a896a2c9ee1b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2014-04-02 17:12:46 +02:00
Stefan Metzmacher
daadf3b928 s4:kdc: explicitly use allow_warnings=True for MIT_SAMBA 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2014-04-02 09:03:46 +02:00
Stefan Metzmacher
26f497b83f s4:kdc: make use of gensec_update_ev() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2014-03-27 00:36:31 +01:00
Andrew Bartlett
83fbdc81cd kdc: Use correct KDC include path when building against the system heimdal 
This ensures we notice any API changes at compile time.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
 2014-03-14 08:17:29 +01:00
Stefan Metzmacher
f7883ae02a s4:lib/socket: simplify iface_list_wildcard() and its callers 
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10464
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Change-Id: Ib317d71dea01fc8ef6b6a26455f15a8a175d59f6
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar  7 02:18:17 CET 2014 on sn-devel-104
 2014-03-07 02:18:17 +01:00
Santosh Kumar Pradhan
58e7e564d7 kdc: Free the resource which is not used anymore 
In samba_kdc_firstkey() routine, krb5_get_default_realm() allocates
memory for "realm" but never used afterwards. Free() the leaked memory.

CID: 1107223

Signed-off-by: Santosh Kumar Pradhan <spradhan@redhat.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2014-02-21 15:59:28 +01:00
Andrew Bartlett
e758f41113 kdc: Add belts-and-braces check that we fail if the hdb version changes 
This checks both if host system run-time Heimdal has changed version,
and that the build-time version is supported.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jan 20 22:26:49 CET 2014 on sn-devel-104
 2014-01-20 22:26:49 +01:00
Jeffrey Clark
368208069e Support for Heimdal's unified krb5 and hdb plugin system. 
Fixes exportkeytab and a kdc crash when building against heimdal master.

Bug-Debian: http://bugs.debian.org/732342

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
 2014-01-21 08:30:36 +13:00
Christian Ambach
7964a83447 s4:kdc fix compiler warnings 
about set but unused variables

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2013-12-12 14:21:28 -08:00
Jelmer Vernooij
92489bfed4 Cope with first element in hdb_method having a different name in different heimdal versions. 
It's called `interface_version` in older Heimdal versions and
`version` in newer versions.

Signed-off-by: Jelmer Vernooij <jelmer@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Nov 28 04:17:55 CET 2013 on sn-devel-104
 2013-11-28 04:17:55 +01:00
Andrew Bartlett
8557c692f6 s4-kdc: Improve grammer and clarity of password change failure messages. 
This can still be improved further, but avoid mentioning reasons that
clearly do not apply in this case.

Andrew Bartlett
 2012-09-01 03:33:21 +02:00
Andrew Bartlett
d2c0387d66 s4-kdc: Give information on how long the password history is 
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Aug 31 08:06:17 CEST 2012 on sn-devel-104
 2012-08-31 08:06:17 +02:00
Andrew Bartlett
1ed6070570 lib/krb5_wrap: Move kerberos_enctype_to_bitmap() into krb5_wrap 2012-08-28 07:57:28 +10:00
Matthias Dieter Wallnöfer
f11a1a4a07 s4:kdc/wdc-samba4.c - fix user logins on specific workstations 
The decrement operation has been missing.

Problem found by Mohammad Ebrahim Abravi <lamp.mia@gmail.com>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
 2012-08-14 08:37:49 +10:00
Andrew Bartlett
b8815dc23d lib/param: Create a seperate server role for "active directory domain controller" 
This will allow us to detect from the smb.conf if this is a Samba4 AD
DC which will allow smarter handling of (for example) accidentially
starting smbd rather than samba.

To cope with upgrades from existing Samba4 installs, 'domain
controller' is a synonym of 'active directory domain controller' and
new parameters 'classic primary domain controller' and 'classic backup
domain controller' are added.

Andrew Bartlett
 2012-06-15 09:18:33 +02:00
Jelmer Vernooij
890485bd17 heimdal: Cope with newer Heimdal versions accepting a keyset argument to 
hdb_enctype2key.

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Mon May  7 18:33:10 CEST 2012 on sn-devel-104
 2012-05-07 18:33:10 +02:00
Simo Sorce
110dad8c9e Make krb5 context initialization not heimdal specific 
Turn the logging data to an opaque pointer.
Ifdef code and use MIT logging function when built against system MIT.
 2012-04-23 16:40:05 -04:00
Simo Sorce
4b29cf5f66 Move kdc_get_policy helper in the lsa server where it belongs. 
This was used in only 2 places, db-glue.c and the lsa server.
In db-glue.c it is awkward though, as it forces to use an unconvenient lsa
structure and conversions from time_t to nt_time only to have nt_times
converted back to time_t for actual use. This is silly.

Also the kdc-policy file was a single funciton library, that's just ridiculous.

The loadparm helper is all we need to keep the values consistent, and if we
ever end up doing something with group policies we will care about it when it's
the time. the code would have to change quite a lot anyway.

Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Fri Apr 20 01:53:37 CEST 2012 on sn-devel-104
 2012-04-20 01:53:37 +02:00
Simo Sorce
37e98ff252 Use loadparm helper to find lifetime defaults 
Implictly fixes buggy use of int for time_t
 2012-04-19 18:14:02 -04:00
Simo Sorce
70c303a7f3 auth-krb: Move pac related util functions in a single place. 
Signed-off-by: Andreas Schneider <asn@samba.org>
 2012-04-12 12:06:43 +02:00