IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
While Active Directory does not support yet RFC 8009 encryption and
checksum types, it is possible to verify these checksums when running
with both MIT Kerberos and Heimdal Kerberos. This matters for FreeIPA
domain controller which uses them by default.
[2023/06/16 21:51:04.923873, 10, pid=51149, effective(0, 0), real(0, 0)]
../../lib/krb5_wrap/krb5_samba.c:1496(smb_krb5_kt_open_relative)
smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab
[2023/06/16 21:51:04.924196, 2, pid=51149, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:66(check_pac_checksum)
check_pac_checksum: Checksum Type 20 is not supported
[2023/06/16 21:51:04.924228, 5, pid=51149, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:353(kerberos_decode_pac)
PAC Decode: Failed to verify the service signature: Invalid argument
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Also, correctly format the value as unsigned.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We don't need to include these any more, and removing them allows us to
simplify the build system for system Heimdal builds.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This adds a generic way to get to the raw (verified) PAC
and will be used in multiple places in future.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Fixes:
auth/kerberos/gssapi_pac.c:136:3: warning: Value stored to 'gss_maj' is never read <--[clang]
gss_maj = gss_release_buffer(&gss_min, &pac_buffer);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
auth/kerberos/gssapi_pac.c:137:3: warning: Value stored to 'gss_maj' is never read <--[clang]
gss_maj = gss_release_buffer(&gss_min, &pac_display_buffer);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
auth/kerberos/gssapi_pac.c:265:4: warning: Value stored to 'gss_maj' is never read <--[clang]
gss_maj = gss_release_buffer_set(&gss_min, &set);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
auth/kerberos/gssapi_pac.c:273:4: warning: Value stored to 'gss_maj' is never read <--[clang]
gss_maj = gss_release_buffer_set(&gss_min, &set);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
auth/kerberos/gssapi_pac.c:279:4: warning: Value stored to 'gss_maj' is never read <--[clang]
gss_maj = gss_release_buffer_set(&gss_min, &set);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
auth/kerberos/gssapi_pac.c:285:5: warning: Value stored to 'gss_maj' is never read <--[clang]
gss_maj = gss_release_buffer_set(&gss_min, &set);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
auth/kerberos/gssapi_pac.c:291:2: warning: Value stored to 'gss_maj' is never read <--[clang]
gss_maj = gss_release_buffer_set(&gss_min, &set);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
7 warnings generated.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Mon Jul 8 11:04:15 UTC 2019 on sn-devel-184
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13311
Signed-off-by: Matt Selsky <matthew.selsky@twosigma.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Mourik Jan C Heupink <heupink@merit.unu.edu>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These files should not be executable.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 11 20:21:01 CET 2017 on sn-devel-144
aes based checksums can only be checked with the
corresponding aes based keytype.
Otherwise we may trigger an undefined code path
deep in the kerberos libraries, which can leed to
segmentation faults.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This is the second part for the issue from commit 8bb4fccd. A KDC that
does not return a PAC first triggers this message, then the "resorting
to local user lookup" one. Change the log level for the "obtaining PAC
via GSSAPI gss_get_name_attribute" message as well to avoid spamming the
logs during normal usage. While changing this message, also remove the
discard_const since it is no longer required.
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jul 6 04:27:03 CEST 2016 on sn-devel-144
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12006
Signed-off-by: Uri Simchoni <uri@samba.org>
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Richard Sharpe <sharpe@samba.org>
Autobuild-Date(master): Wed Jul 6 00:40:15 CEST 2016 on sn-devel-144
These make use of gss_[un]wrap_iov[_length]() where required and support
header signing.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This ensures that if an enterprise principal is used, we do the
comparison properly
This matters as in the enterprise case, which can be triggered by MIT
kinit -E, does not use canonicalization, and so the enterprise name,
with the @ in it, is in the logon name.
Otherwise, we get errors like:
Name in PAC [TESTALLOWED@WIN2012R2] does not match principal name in ticket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
With winbindd trying to verify the signature of an application provided
PAC, this message can be easily triggered. Adjust the debug level to
avoid filling up the logs.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Several functions use the same logic as kerberos_pac_logon_info. Move
kerberos_pac_logon_info to common code and reuse it to remove the code
duplication.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
gss_get_name_attribute() can return unintialized pac_display_buffer
and later gss_release_buffer() will crash on attempting to release it.
The fix on MIT krb5 side is in 1.10.1, reported in both Debian and MIT upstream:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658514http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7087
We need to initialize variables before using gss_get_name_attribute()
Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Wed Jun 6 18:22:51 CEST 2012 on sn-devel-104
With waf build include directories are defined by dependencies specified to subsystems.
Without proper dependency <gssapi/gssapi.h> cannot be found for embedded Heimdal builds
when there are no system-wide gssapi/gssapi.h available.
Split out GSSAPI header includes in a separate replacement header and use that explicitly
where needed.
Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
The remaining gssapi_parse functions were used exclusively in
gensec_krb5. Move them there and make them static.
Signed-off-by: Andreas Schneider <asn@samba.org>
This is clearly a utiliy function generic to gensec. Also the 3 callers
had identical implementations. Provide a generic implementation for all
of them and avoid duplicating the code everywhere.
Signed-off-by: Andreas Schneider <asn@samba.org>
The key type OID is optional, but we require that information to determine if
we should use NEW_SPNEGO.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Mar 8 11:53:57 CET 2012 on sn-devel-104
I'd like Samba to use the native OpenLDAP and MIT Kerberos libs.
Attached are some patches to do that. (relative to git master)
It does not build for me without these.
(OpenIndiana is an off-shoot of OpenSolaris See http://www.openindiana.org)
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat May 7 02:20:14 CEST 2011 on sn-devel-104
Not all kerberos distributions have this function.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Apr 27 07:39:08 CEST 2011 on sn-devel-104
This only works for Heimdal and MIT Krb5 1.8, other versions will get
an ACCESS_DEINED error.
We no longer manually verify any details of the PAC in Samba for
GSSAPI logins, as we never had the information to do it properly, and
it is better to have the GSSAPI library handle it.
Andrew Bartlett
