IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
While Active Directory does not support yet RFC 8009 encryption and
checksum types, it is possible to verify these checksums when running
with both MIT Kerberos and Heimdal Kerberos. This matters for FreeIPA
domain controller which uses them by default.
[2023/06/16 21:51:04.923873, 10, pid=51149, effective(0, 0), real(0, 0)]
../../lib/krb5_wrap/krb5_samba.c:1496(smb_krb5_kt_open_relative)
smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab
[2023/06/16 21:51:04.924196, 2, pid=51149, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:66(check_pac_checksum)
check_pac_checksum: Checksum Type 20 is not supported
[2023/06/16 21:51:04.924228, 5, pid=51149, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:353(kerberos_decode_pac)
PAC Decode: Failed to verify the service signature: Invalid argument
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15635
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8e931fce12)
Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Tue Apr 16 12:24:55 UTC 2024 on atb-devel-224
This matches the behaviour of Windows.
NOTE: This commit finally works again!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The existing implementation did not differentiate between the case where
the relevant component was not present, and that where talloc_strndup()
failed. To correct this situation, put the result into an out parameter
on success and return an error on failure.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This implementation is no longer called: using a variable of static
storage duration as a conduit for return values is only asking for
trouble.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This implementation doesn’t rely on a variable of static storage
duration being used as a conduit for the return value.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
For now this function is a mere wrapper round krb5_princ_component(),
but one whose interface allows for a more sensible implementation.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reported by Red Hat internal covscan
leaked_storage: Variable "cursor" going out of scope leaks the storage it points to.
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
MIT Kerberos implements krb5_free_enctypes(), Heimdal is missing it and
offers krb5_xfree() instead.
This introduces a wrapper krb5_free_enctypes() around krb5_xfree() for
Heimdal.
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Best reviewed with: `git show --word-diff`.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Apr 3 04:53:05 UTC 2023 on atb-devel-224
We no longer have support for des encryption types in the kerberos
libraries anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
aes encryption types are always supported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We can't unconditionally assume (as we did in
third_party/heimdal_build/wscript_configure) that Heimdal has this type,
since we may have an older system Heimdal that lacks it. We must also
check whether krb5_pac_get_buffer() is usable with krb5_const_pac, and
declare krb5_const_pac as a non-const typedef if not.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This allows this type to be used in Samba in the future for
both Kerberos implementations
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This matches the other comparisons against krbtgt, kadmin, etc., which
are all case-sensitive.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This will be used later and allows to remove static implementations.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
CID 1492905: Control flow issues (DEADCODE)
This was a regression in 5eeb441b77.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Oct 23 08:07:13 UTC 2021 on sn-devel-184
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 20 12:54:54 UTC 2021 on sn-devel-184
error: format string is not a string literal [-Werror,-Wformat-nonliteral]
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Otherwise GSSAPI will consult other mechanisms if available and we can
only cope with krb5 credentials here.
Signed-off-by: Simo Sorce <idra@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Sep 30 20:45:23 UTC 2020 on sn-devel-184
This is much better than mapping it to NT_STATUS_UNSUCCESSFUL.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Feb 10 17:59:34 UTC 2020 on sn-devel-184
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN is already mapped to
NT_STATUS_INVALID_ACCOUNT_NAME and we need a way to
distinguish between client and server principal
at the NTSTATUS layer too.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This is currently not critical as we only use keytabs
only as acceptor, but in future we'll also use them
for kinit() and there we should prefer the newest type.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>