mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

389 Commits

Author SHA1 Message Date
Stefan Metzmacher
1312e90279 HEIMDAL:lib/wind: fix wind_ucs4utf8() and wind_ucs2utf8()
Pair-Programmed-With: Arvid Requate <requate@univention.de>

metze
2011-11-16 00:26:41 +01:00
Andrew Tridgell
6b69ecd029 heimdal: handle referrals for 3 part DRSUAPI SPNs
This handles referrals for SPNs of the form
E3514235-4B06-11D1-AB04-00C04FC2DCD2/NTDSGUID/REALM, which are
used during DRS replication when we don't know the dnsHostName of the
target DC (which we don't know until the first replication from that
DC completes).

We use the 3rd part of the SPN directly as the realm name in the
referral.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-10-04 15:08:57 +11:00
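The referral rule in the commit message above (a three-part SPN whose first component is the DRS service class, with the third component taken directly as the realm) as a stand-alone parser. This is an added example, not Heimdal's or Samba's referral code; the NTDS GUID in the sample SPNs is constructed, and the function and wrapper names are assumptions. The check is deliberately narrow: only the well-known DRS class is accepted, because treating any "x/y/z" as a referral would let a client steer the KDC towards a realm of its choosing.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Service class of DRS replication SPNs, as quoted in the commit message. */
#define DRS_SPN_CLASS "E3514235-4B06-11D1-AB04-00C04FC2DCD2"

/*
 * Recognise a three-part SPN "DRS-class/NTDSGUID/REALM" and copy its third
 * component into 'realm' (NUL-terminated).  Returns 1 when the SPN has that
 * shape, 0 for anything else: two-part SPNs such as host/dc1.example.com,
 * strings with more than three parts, an unknown service class, an empty
 * component, or a realm that does not fit into 'realm'.
 */
static int drs_spn_referral_realm(const char *spn, char *realm, size_t realm_len)
{
    const char *p1, *p2;
    size_t class_len, realm_part_len;

    if (spn == NULL || realm == NULL || realm_len == 0)
        return 0;

    p1 = strchr(spn, '/');
    if (p1 == NULL)
        return 0;
    p2 = strchr(p1 + 1, '/');
    if (p2 == NULL || strchr(p2 + 1, '/') != NULL)
        return 0;                                 /* not exactly three parts */

    class_len = (size_t)(p1 - spn);
    if (class_len != strlen(DRS_SPN_CLASS) ||
        strncasecmp(spn, DRS_SPN_CLASS, class_len) != 0)
        return 0;                                 /* not the DRS service class */

    if (p2 == p1 + 1)
        return 0;                                 /* empty NTDS GUID */
    realm_part_len = strlen(p2 + 1);
    if (realm_part_len == 0 || realm_part_len >= realm_len)
        return 0;                                 /* empty realm or no room */

    memcpy(realm, p2 + 1, realm_part_len);
    realm[realm_part_len] = '\0';
    return 1;
}

/* Convenience wrapper (assumed name): the referral realm, or NULL if none. */
static const char *referral_realm_of(const char *spn)
{
    static char realm[256];
    return drs_spn_referral_realm(spn, realm, sizeof realm) ? realm : NULL;
}

int main(void)
{
    /* Constructed sample SPNs; the GUID in the first one is made up. */
    const char *spns[] = {
        DRS_SPN_CLASS "/8a7b5f0e-4a0c-4c7e-9b3d-2f1e0d9c8b7a/SAMBA.EXAMPLE.COM",
        "host/dc1.samba.example.com",
        "ldap/dc1.samba.example.com/samba.example.com",
    };
    size_t i;
    for (i = 0; i < sizeof spns / sizeof spns[0]; i++) {
        const char *r = referral_realm_of(spns[i]);
        printf("%s -> %s\n", spns[i], r ? r : "(no referral)");
    }
    return 0;
}
```

Note that the ordinary three-part LDAP SPN (ldap/host/domain) is rejected on purpose: it has three components but not the DRS service class, so it goes through normal lookup rather than a referral.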
Andrew Bartlett
b5c7eb909f heimdal: Try to handle the PAC checking when we are in a cross-realm environment 2011-09-05 11:19:25 +02:00
Stefan Metzmacher
5a8635bca1 s4:heimdal: import lorikeet-heimdal-201107241840 (commit 0fdf11fa3cdb47df9f5393ebf36d9f5742243036) 2011-07-26 02:16:08 +02:00
Stefan Metzmacher
9190345bf5 s4:heimdal: build samba4kgetcred
metze
2011-07-24 23:10:39 +02:00
Stefan Metzmacher
890c30ce46 s4:heimdal: add missing files
metze
2011-07-15 11:15:05 +02:00
Stefan Metzmacher
255e3e18e0 s4:heimdal: import lorikeet-heimdal-201107150856 (commit 48936803fae4a2fb362c79365d31f420c917b85b) 2011-07-15 11:15:05 +02:00
Stefan Metzmacher
73b1e1466c s4:kdc: generate the S4U_DELEGATION_INFO in the regenerated pac
metze
2011-06-28 19:23:43 +02:00
Stefan Metzmacher
cef06b5ca1 HEIMDAL:kdc: pass down the delegated_proxy_principal to the verify_pac() function

This is needed in order to add the S4U_DELEGATION_INFO to the pac.

metze
2011-06-28 18:24:37 +02:00
Stefan Metzmacher
6982ea767d HEIMDAL:kdc/windc_plugin.h: KRB5_WINDC_PLUGIN_MINOR 4 => 5
commit "heimdal Add support for extracting a particular KVNO from the database"
(f469fc6d4922d796f5c61bf43e3efc018e37b680 in heimdal/master
 and 9b5e304cce in samba/master)
changed the windc_plugin interface, so we need to change the
version number.

metze
2011-06-28 18:24:37 +02:00
Stefan Metzmacher
2996945de6 HEIMDAL:kdc: don't allow self delegation if a backend check_constrained_delegation() hook is given
A service should use S4U2Self instead of S4U2Proxy.

Windows servers allow S4U2Proxy only to explicitly configured
target principals.

metze
2011-06-24 18:53:49 +02:00
Stefan Metzmacher
7229b0d5b2 HEIMDAL:kdc: pass down the server hdb_entry_ex to check_constrained_delegation()
This way we can compare the already canonicalized principals,
while still passing the client specified target principal down
to the backend specific constrained_delegation() hook.

metze
2011-06-24 18:53:48 +02:00
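The policy stated in the two commit messages above (refuse self-delegation because a service that wants a ticket to itself should use S4U2Self; allow S4U2Proxy only to explicitly configured targets; compare already canonicalized principals rather than the client-supplied string) as a stand-alone check. This is an added example, not Heimdal's check_constrained_delegation() or Samba's hdb_samba4 hook; the service_entry struct, the realm-bearing allow-list entries and the sample service are assumptions made here.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_TARGETS 8

/* Assumed, simplified stand-in for the database's view of a service account.
 * The real hdb_entry_ex carries much more; here we only need the canonical
 * principal and the configured delegation targets (in AD that is the
 * msDS-AllowedToDelegateTo attribute; realms are included here so that a
 * complete principal comparison can be shown). */
struct service_entry {
    const char *principal;                           /* canonical, e.g. http/web1.example.com@EXAMPLE.COM */
    const char *allowed_to_delegate_to[MAX_TARGETS]; /* NULL-terminated list of allowed targets */
};

enum cd_result {
    CD_ALLOWED = 0,
    CD_DENIED_SELF = 1,        /* service asked for a ticket to itself: use S4U2Self */
    CD_DENIED_NOT_LISTED = 2,  /* target not in the explicit allow list */
    CD_DENIED_BAD_INPUT = 3
};

/* Principal equality: name components byte-for-byte, realm case-insensitively
 * (the HDB may return the realm in a different case than the request used). */
static int principal_equal(const char *a, const char *b)
{
    const char *ra = strrchr(a, '@');
    const char *rb = strrchr(b, '@');
    if (ra == NULL || rb == NULL || (ra - a) != (rb - b))
        return 0;
    if (strncmp(a, b, (size_t)(ra - a)) != 0)
        return 0;
    return strcasecmp(ra + 1, rb + 1) == 0;
}

/*
 * Decide whether 'svc' (the S4U2Proxy requester, already fetched from the
 * database) may obtain a ticket to 'canonical_target' on a user's behalf.
 * 'canonical_target' is the target principal as returned by the database
 * lookup, not the string the client put in the request, so an alias of an
 * unlisted name cannot slip past the comparison.
 */
static enum cd_result check_constrained_delegation(const struct service_entry *svc,
                                                   const char *canonical_target)
{
    int i;
    if (svc == NULL || svc->principal == NULL || canonical_target == NULL)
        return CD_DENIED_BAD_INPUT;
    if (principal_equal(svc->principal, canonical_target))
        return CD_DENIED_SELF;
    for (i = 0; i < MAX_TARGETS && svc->allowed_to_delegate_to[i] != NULL; i++)
        if (principal_equal(svc->allowed_to_delegate_to[i], canonical_target))
            return CD_ALLOWED;
    return CD_DENIED_NOT_LISTED;
}

/* Constructed sample: a web front end allowed to delegate to a file server and a DC. */
static const struct service_entry web_service = {
    "http/web1.example.com@EXAMPLE.COM",
    { "cifs/files.example.com@EXAMPLE.COM", "ldap/dc1.example.com@EXAMPLE.COM", NULL }
};

static enum cd_result web_may_delegate_to(const char *target)
{
    return check_constrained_delegation(&web_service, target);
}

int main(void)
{
    static const char *targets[] = {
        "cifs/files.example.com@EXAMPLE.COM",
        "cifs/files.example.com@example.com",
        "http/web1.example.com@EXAMPLE.COM",
        "MSSQLSvc/db1.example.com:1433@EXAMPLE.COM",
    };
    size_t i;
    for (i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("%-45s -> %d\n", targets[i], (int)web_may_delegate_to(targets[i]));
    return 0;
}
```

The important design point is the argument order: the caller resolves the client's requested target through the database first and passes the canonical result in, while the raw client string is only handed to the backend hook for logging or policy of its own.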
Stefan Metzmacher
b96efe069b HEIMDAL:kdc: use the correct client realm in the EncTicketPart
With S4U2Proxy tgt->crealm might be different from tgt_name->realm.

metze
2011-06-24 18:53:48 +02:00
Andrew Bartlett
81905585c0 heimdal: Remove getprogname and setprogname from the heimdal import 2011-05-31 00:32:07 +02:00
Stefan Metzmacher
2c46585a42 HEIMDAL:kdc: check and regenerate the PAC in the s4u2proxy case
TODO: we need to add a S4U_DELEGATION_INFO to the PAC later.

metze
2011-05-18 07:46:36 +02:00
Stefan Metzmacher
3797e46543 HEIMDAL:kdc: pass the correct principal name for the resulting service ticket
Depending on S4U2Proxy the principal name for the resulting
ticket is not the principal of the client ticket.

metze
2011-05-18 07:46:34 +02:00
Stefan Metzmacher
cc0ff48f28 HEIMDAL:kdc: let check_PAC() verify the incoming server and krbtgt checksums
For a normal TGS-REQ they're both signed with krbtgt key.
But for S4U2Proxy requests which ask for constrained delegation,
the keys differ.

metze
2011-05-18 07:46:33 +02:00
Andrew Bartlett
d1cbb9f5ce s4-heimdal: Allow any kvno to match when searching the keytab.
Windows does not use a KVNO when it checks its passwords, and MIT
doesn't check the KVNO when no acceptor identity is specified (looping
over all keys in the keytab).

Andrew Bartlett
2011-04-16 11:43:05 +02:00
Jelmer Vernooij
431853c846 Merge new lorikeet heimdal, revision 85ed7247f515770c73b1f1ced1739f6ce19d75d2
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Mon Mar 14 23:53:46 CET 2011 on sn-devel-104
2011-03-14 23:53:46 +01:00
Stefan Metzmacher
a511d37d83 HEIMDAL:kdc: correctly propagate HDB_ERR_NOT_FOUND_HERE to via tgs_parse_request() and _kdc_tgs_rep()
metze
2011-03-04 21:19:05 +01:00
Milan Crha
ea9f72c0c5 s4:heimdal - fix valgrind issue on Fedora 14
This should definitely fix bug #7858.

Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Fri Feb 25 12:39:21 CET 2011 on sn-devel-104
2011-02-25 12:39:20 +01:00
Matthias Dieter Wallnöfer
68c61a829b Revert "heimdal_build omit #line statements to allow valgrind to work again"
This reverts commit 80e23c68d8.
A better patch has been provided by Milan Crha in the following commit.
2011-02-25 11:54:02 +01:00
Andrew Bartlett
80e23c68d8 heimdal_build omit #line statements to allow valgrind to work again
The lex/yacc files were generated on Fedora 14, and have empty
filenames in #line declarations.  I don't know why this is, but it
seems best just to omit the #line statements.

This is what was causing Valgrind on Fedora not to run on Samba
binaries and programs linked to Samba libraries.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Feb 25 11:46:56 CET 2011 on sn-devel-104
2011-02-25 11:46:56 +01:00
Andrew Bartlett
5c12cb0556 heimdal Pass F_CANON down to the hdb layer for servers in AS-REP as well
This fixes Win2003 domain logons against Samba4, which need a
canonicalised reply, and helpfully do set that flag.

Specifically, they need that realm in krbtgt/realm@realm that these
both match exactly in the reply.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Feb 17 06:40:53 CET 2011 on sn-devel-104
2011-02-17 06:40:53 +01:00
Andrew Bartlett
2d9bcc861d s4:heimdal: import lorikeet-heimdal-201101310455 (commit aa88eb1a05c4985cc23fb65fc1bad75bdce01c1f) 2011-02-02 15:19:03 +11:00
Jelmer Vernooij
2f75b53e80 heimdal_build: Add version-script for heimdal_base, hx509 and hcrypto. Convert hbase and hcrypto to libraries. 2010-12-18 00:47:06 +01:00
Jelmer Vernooij
c4a887538d heimdal_build: Add version-script for krb5.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Fri Dec 17 21:09:25 CET 2010 on sn-devel-104
2010-12-17 21:09:25 +01:00
Jelmer Vernooij
6dc807703d heimdal_build: Add version-script for gssapi. 2010-12-17 20:08:11 +01:00
Jelmer Vernooij
02ff0852e8 heimdal_build: Add version-script for asn1. 2010-12-17 20:06:15 +01:00
Jelmer Vernooij
555d334cf7 heimdal_build: Add version-script for hdb. 2010-12-17 20:01:21 +01:00
Jelmer Vernooij
2ded4668ea heimdal_build: Add version-script for kdc. 2010-12-17 20:00:58 +01:00
Jelmer Vernooij
55192fb3a8 heimdal_build: Add version-script for wind. 2010-12-17 19:55:54 +01:00
Jelmer Vernooij
de8133e3bb heimdal_build: Add version-script for ntlm. 2010-12-17 19:54:09 +01:00
Jelmer Vernooij
b4875d4dba heimdal: Add version script file for hcrypto (unused so far, as hcrypto still needs to be made a proper library). 2010-12-17 19:52:42 +01:00
Jelmer Vernooij
d4cc0d4f47 heimdal_build: Add version-script for roken. 2010-12-17 19:51:37 +01:00
Jelmer Vernooij
dd102a2c4a heimdal_build: Add version-script for com_err. 2010-12-17 19:50:52 +01:00
Matthieu Patou
533ba5a919 heimdal: unset SLIST_ENTRY only if we are with windows
This is needed because otherwise on some OS like NetBSD, OpenBSD, MacOSX.

The preprocessing of ./heimdal/lib/gssapi/mech/cred.h on this platform
is broken because mechqueue.h's definition won't be used as SLIST_HEAD
is already defined.
The definition occurs when net/if.h is included as it includes
sys/queue.h

Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Sat Dec 11 00:34:51 CET 2010 on sn-devel-104
2010-12-11 00:34:51 +01:00
Andrew Bartlett
c5bea98ddb s4:heimdal: import lorikeet-heimdal-201012010201 (commit 81fe27bcc0148d410ca4617f8759b9df1a5e935c) 2010-12-01 17:00:47 +11:00
Andrew Tridgell
47e8cbe3d6 heimdal: fix for w2000 from lha
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Dec  1 00:59:59 CET 2010 on sn-devel-104
2010-12-01 00:59:59 +01:00
Matthias Dieter Wallnöfer
c4625a84de heimdal:base/heimbase.c - remove an unused variable 2010-11-29 14:14:02 +01:00
Andrew Tridgell
e7dad42bc6 heimdal: added HEIM_BASE_NON_ATOMIC option
This allows heimdal to build without gcc, by not using atomic
operations. We don't need heimdal to be atomic in Samba.
2010-11-17 23:55:39 +11:00
Andrew Tridgell
0cf7189d4a s4-heimdal: implement KERB_AP_ERR_TYPE_SKEW_RECOVERY
this e_data field in a kerberos error packet tells windows to do clock
skew recovery.

See [MS-KILE] 2.2.1 KERB-ERROR-DATA

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-11-17 23:55:39 +11:00
Andrew Bartlett
4908237403 heimdal Build ticket with the canonical server name
We need to use the name that the HDB entry returned, otherwise we
will not canonicalise the reply as requested.

Andrew Bartlett
2010-11-16 15:30:13 +11:00
Andrew Bartlett
4041640bd6 heimdal Fetch the client before the PAC check, but after obtaining krbtgt_out
By checking the client principal here, we compare the realm based on
the normalised realm, but do so early enough to validate the PAC (and
regenerate it if required).

Andrew Bartlett
2010-11-15 23:17:05 +00:00
Matthias Dieter Wallnöfer
329f76c410 s4:heimdal - fix the return code of a non-void function
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Mon Nov 15 23:14:57 UTC 2010 on sn-devel-104
2010-11-15 23:14:57 +00:00
Andrew Bartlett
1e29ee3a70 heimdal Fix handling of backwards cross-realm detection for Samba4
Samba4 may modify the case of the realm in a returned entry, but will no longer modify the case of the principal components.

The easy way to keep this test passing is to consider also what we
need to do to get the krbtgt account for the PAC signing - and to use
krbtgt/<this>/@REALM component to fetch the real krbtgt, and to use
that result for realm comparison.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Nov 15 08:47:44 UTC 2010 on sn-devel-104
2010-11-15 08:47:44 +00:00
Andrew Bartlett
6a27fbbfc4 heimdal Extra files required for merge up to current heimdal 2010-11-15 01:25:06 +00:00
Andrew Bartlett
192a555c9a heimdal regenerate lex and yacc files 2010-11-15 01:25:06 +00:00
Andrew Bartlett
f20cf61080 Add attribute macros for Heimdal to use
Heimdal uses HEIMDAL_NORETURN_ATTRIBUTE and HEIMDAL_PRINTF_ATTRIBUTE,
and we need to provide a link between these and Samba's function
attribute handling.

Andrew Bartlett
2010-11-15 01:25:06 +00:00
Andrew Bartlett
1342185e33 s4:heimdal: import lorikeet-heimdal-201011102149 (commit 5734d03c20e104c8f45533d07f2a2cbbd3224f29) 2010-11-15 01:25:06 +00:00
Andrew Bartlett
aa1c32ccb0 heimdal Return HDB_ERR_NOT_FOUND_HERE to the caller
This means that no reply packet should be generated, but that instead
the user of the libkdc API should forward the packet to a real KDC,
that has a full database.

Andrew Bartlett
2010-11-12 18:18:55 +11:00
Andrew Bartlett
ba127f9849 heimdal Don't dereference NULL in error verify_checksum error path
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Nov 11 10:37:03 UTC 2010 on sn-devel-104
2010-11-11 10:37:03 +00:00
Andrew Tridgell
eee27427d2 heimdal: fixed a shadowed variable warning for error_message
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-11-08 23:23:07 +00:00
Andrew Bartlett
cb3d6c407e heimdal Add clock-skew handling to DCE-style GSSAPI
The clock skew handling was previously only on properly wrapped
GSSAPI, and was skipped for DCE-style.  This allows the ASN.1 errors
from the krb5_rd_req to suggest parsing as a kerberos error packet.

Andrew Bartlett

Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Mon Nov  8 07:58:09 UTC 2010 on sn-devel-104
2010-11-08 07:58:09 +00:00
Andrew Bartlett
18732b1a4b heimdal Add handling for PAC signatures over all encryption types
There are exceptions from the expected behaviour of 'checksum type
matches key type' that we must deal with here, or else we can't serve
DES-only servers.

Andrew Bartlett
2010-11-02 22:00:46 +11:00
Jelmer Vernooij
3deece5591 s4: Remove the old perl/m4/make/mk-based build system.
The new waf-based build system now has all the same functionality, and
the old build system has been broken for quite some time.

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sun Oct 31 02:01:44 UTC 2010 on sn-devel-104
2010-10-31 02:01:44 +00:00
Andrew Tridgell
b2a565488e s4-heimdal: lex_err_message() should not be static 2010-10-30 23:49:02 +11:00
Andrew Tridgell
4bd7814a4e s4-heimdal: fixed the use of error_message() in heimdal
the lex code in heimdal had a function error_message() which conflicts
with a function from the com_err library. This replaces it with
lex_err_message()

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-10-30 23:48:59 +11:00
Andrew Bartlett
f213a97ea0 Add new files for sha512 support 2010-10-03 01:15:04 +00:00
Andrew Bartlett
21460dfc14 s4:heimdal: import lorikeet-heimdal-201010022046 (commit 1bea031b9404b14114b0272ecbe56e60c567af5c) 2010-10-03 01:15:04 +00:00
Matthieu Patou
ab6e3fce04 s4:heimdal: import lorikeet-heimdal-201009250123 (commit 42cabfb5b683dbcb97d583c397b897507689e382)
I based this on Matthieu's import of lorikeet-heimdal, and then
updated it to this commit.

Andrew Bartlett
2010-10-03 01:15:04 +00:00
Andrew Bartlett
a68f4476f7 heimdal use returned server entry from HDB to compare realms
Some hdb modules (samba4) may change the case of the realm in
a returned result.  Use that to determine if it matches the krbtgt
realm also returned from the DB (the DB will return it in the 'right' case)

Andrew Bartlett
2010-10-02 09:11:37 +10:00
Andrew Bartlett
4c57095bb7 heimdal: added verbose logging of heimdal crypto errors 2010-09-30 20:13:34 -07:00
Andrew Tridgell
04e3e27fd1 heimdal: fixed timegm UTC/GMT bug
This was a wonderful bug!

On some Fedora systems, but not on Ubuntu, there is a difference
between UTC and GMT. Heimdal replaced timegm() with _der_timegm()
which did not account for that difference (which is 24 seconds at the
moment). This led to a mutual authentication failure.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-28 19:25:51 -07:00
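The bug above is a timegm() replacement that depended on the system's idea of "GMT" versus "UTC". The safe way to build such a replacement is pure calendar arithmetic that never consults zone files or the TZ environment. The following is an added example of that approach (the standard days-from-civil conversion), not the _der_timegm() code from Heimdal or the fix in this commit; the function names are assumptions.

```c
#include <stdio.h>
#include <time.h>

/* Days since 1970-01-01 for a proleptic Gregorian date (m = 1..12, d = 1..31).
 * Pure integer arithmetic: no tzdata, no TZ environment, no mktime(). */
static long long days_from_civil(long long y, unsigned m, unsigned d)
{
    long long era, doe;
    unsigned yoe, doy;
    y -= (m <= 2);                                          /* year starts in March */
    era = (y >= 0 ? y : y - 399) / 400;
    yoe = (unsigned)(y - era * 400);                        /* [0, 399] */
    doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;  /* [0, 365] */
    doe = (long long)yoe * 365 + yoe / 4 - yoe / 100 + doy; /* [0, 146096] */
    return era * 146097 + doe - 719468;                     /* 719468 = days 0000-03-01 .. 1970-01-01 */
}

/* timegm() replacement: broken-down UTC time to seconds since the epoch.
 * Because it never calls mktime() or reads zone data, it cannot pick up an
 * offset between the host's "GMT" and "UTC" definitions, which is the failure
 * mode described in the commit message. */
static long long portable_timegm(const struct tm *tm)
{
    long long days = days_from_civil(tm->tm_year + 1900LL,
                                     (unsigned)(tm->tm_mon + 1),
                                     (unsigned)tm->tm_mday);
    return days * 86400LL + tm->tm_hour * 3600LL + tm->tm_min * 60LL + tm->tm_sec;
}

/* Convenience for callers that have the fields rather than a struct tm. */
static long long utc_to_epoch(int year, int mon, int day, int hour, int min, int sec)
{
    struct tm tm = {0};
    tm.tm_year = year - 1900;
    tm.tm_mon = mon - 1;
    tm.tm_mday = day;
    tm.tm_hour = hour;
    tm.tm_min = min;
    tm.tm_sec = sec;
    return portable_timegm(&tm);
}

int main(void)
{
    /* A Kerberos authenticator is only accepted inside the clock-skew window
     * (300 s by default), so a silent conversion error of even a few tens of
     * seconds eats into that margin on every exchange. */
    printf("2009-02-13 23:31:30 UTC -> %lld\n", utc_to_epoch(2009, 2, 13, 23, 31, 30));
    return 0;
}
```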
Andrew Bartlett
f84bdf91d8 heimdal Use a separate krb5_auth_context for the delegated credentials
If we re-use this context, we overwrite the timestamp while talking
to the KDC and fail the mutual authentication with the target server.

Andrew Bartlett
2010-09-28 19:25:50 -07:00
Andrew Bartlett
4be2696644 heimdal Fix DNS name qualification to not mangle IP addresses
If the host running this code used IPv6 forms for IPv4 addresses
then the check for '.' would not be sufficient to determine that this
isn't a name we should mangle.  Instead, check if it can be parsed
as a numeric address first, and only then mangle.

Andrew Bartlett
2010-09-29 04:23:07 +10:00
Andrew Bartlett
9d33929d76 heimdal Add an error code for use in the RODC
In this case, the whole request packet should be forwarded to
a real KDC, with full secrets, as we don't have the password.

This could also be used to implement 'play dead when the LDAP
server is down'.

Andrew Bartlett
2010-09-29 04:23:07 +10:00
Andrew Bartlett
9b5e304cce heimdal Add support for extracting a particular KVNO from the database
This should allow master key rollover.

(but the real reason is to allow multiple krbtgt accounts, as used by
Active Directory to implement RODC support)

Andrew Bartlett
2010-09-29 04:23:07 +10:00
Andrew Tridgell
43d0c2e9ea heimdal: avoid DNS search domain expansion
When you have a domain search list in resolv.conf, and one of the DNS
servers for a searched domain is uncontactable then we would timeout
resolving DNS names.

Avoid this by adding a '.' to the hostname if the hostname already has
a '.' in it, which we assume to mean it is fully qualified.
2010-09-27 23:18:23 +00:00
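The two commits 43d0c2e9ea and 4be2696644 above describe one rule and its edge case: append a trailing '.' when the name already contains a '.', so the resolver skips the resolv.conf search list, but never do that to a numeric address, since an IPv4-mapped IPv6 literal such as ::ffff:192.0.2.10 also contains a '.'. The following is an added example of that logic, not Heimdal's code; the function names are assumptions and the sample hosts are constructed.

```c
#include <sys/socket.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if 'host' parses as a numeric IPv4 or IPv6 address. */
static int is_numeric_address(const char *host)
{
    unsigned char buf[16];                       /* large enough for in6_addr */
    return inet_pton(AF_INET, host, buf) == 1 || inet_pton(AF_INET6, host, buf) == 1;
}

/*
 * Produce the name to hand to the resolver.  A name that already contains a
 * '.' is treated as fully qualified and gets a trailing '.' appended so the
 * resolver does not walk the search list (and time out on an unreachable
 * search-domain server).  Names that already end in '.' and numeric
 * addresses are returned unchanged.  Returns 0 on success, -1 if 'out' is
 * too small or 'host' is empty.
 */
static int qualify_hostname(const char *host, char *out, size_t outlen)
{
    size_t n = strlen(host);
    int add_dot;

    if (n == 0 || n + 2 > outlen)                /* room for '.' and NUL */
        return -1;
    add_dot = strchr(host, '.') != NULL &&
              host[n - 1] != '.' &&
              !is_numeric_address(host);
    memcpy(out, host, n);
    if (add_dot)
        out[n++] = '.';
    out[n] = '\0';
    return 0;
}

/* Convenience wrapper (assumed name) with static storage, for quick checks. */
static const char *qualified(const char *host)
{
    static char buf[256];
    return qualify_hostname(host, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void)
{
    const char *hosts[] = {
        "dc1.samba.example.com", "dc1", "dc1.samba.example.com.",
        "192.0.2.10", "::ffff:192.0.2.10", "2001:db8::1",
    };
    size_t i;
    for (i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-24s -> %s\n", hosts[i], qualified(hosts[i]));
    return 0;
}
```

Checking with inet_pton() rather than looking for digits is what makes the mapped-IPv6 case work: "::ffff:192.0.2.10" is accepted by inet_pton(AF_INET6, ...) on glibc and the BSDs, so it is left alone.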
Karolin Seeger
1cad4304bf s4-heimdal: Fix typo in comment.
Karolin
2010-06-01 09:35:53 +02:00
Stefan Metzmacher
5797b9a913 s4:heimdal: remove unused heimdal/lib/hcrypto/evp-cc.c
metze
2010-05-11 18:11:05 +02:00
Karolin Seeger
55838a8c02 s4-heimdal: Fix typo in comment.
Karolin
2010-04-13 20:09:13 +02:00
Andrew Bartlett
c8cb17a18c s4:heimdal Create a new PAC when impersonating a user with S4U2Self
If we don't do this, the PAC is given for the machine account, not the
account being impersonated.

Andrew Bartlett
2010-04-10 21:40:59 +10:00
Andrew Bartlett
1d59abc724 s4:heimdal Add hooks to check with the DB before we allow s4u2self
This allows us to resolve multiple forms of a name, allowing for
example machine$@REALM to get an S4U2Self ticket for
host/machine@REALM.

Andrew Bartlett
2010-04-10 21:40:58 +10:00
Karolin Seeger
deccb6cf9a s4-krb5: Fix typos in comment.
Karolin
2010-04-09 09:24:28 +02:00
Andrew Bartlett
1f0467562b s4:heimdal Use correct variable to advance past -- options in kpasswd
This bug was introduced when kpasswd was migrated to a local getarg()
call, in Heimdal commit 7dd146072cd9b56d660a01f4aa20f8d81be356e8

Andrew Bartlett
2010-03-27 19:13:28 +11:00
Andrew Bartlett
64b8b0cdaf s4:heimdal Update generated files (cp from Heimdal) 2010-03-27 12:24:00 +11:00
Andrew Bartlett
533024be44 s4:heimdal: import lorikeet-heimdal-201003262338 (commit f4e0dc17709829235f057e0e100d34802d3929ff) 2010-03-27 11:55:22 +11:00
Andrew Bartlett
564d5cd2c4 s4:heimdal New files and supporting logic for heimdal update 2010-03-27 11:53:23 +11:00
Andrew Bartlett
89eaef0253 s4:heimdal: import lorikeet-heimdal-201001120029 (commit a5e675fed7c5db8a7370b77ed0bfa724196aa84d) 2010-03-27 11:51:27 +11:00
Matthias Dieter Wallnöfer
2bdece18c6 kerberos - set the memory to "0"s before freeing the password to prevent security issues 2010-03-16 18:20:51 +01:00
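The one-line commit above zeroes a password before freeing it. The caveat a practitioner wants here is that a plain memset() immediately followed by free() is a dead store the compiler may legally drop, so the wipe must go through a volatile pointer (or memset_s()/explicit_bzero() where available). The following is an added example of that idiom, not the code from this commit; the function names and the sample secret are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Zero 'len' bytes through a volatile pointer so the compiler cannot discard
 * the stores as dead: a plain memset() right before free() is routinely
 * optimised away, leaving the secret in the heap for the next allocation. */
static void secure_zero(void *p, size_t len)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (len--)
        *vp++ = 0;
}

/* Release a heap-allocated password: wipe, then free.  Pass the allocation
 * size when it is known; strlen() stops at the first NUL and would leave
 * anything behind it (e.g. a longer, earlier value in a reused buffer). */
static void free_password(char *password, size_t alloc_len)
{
    if (password == NULL)
        return;
    secure_zero(password, alloc_len ? alloc_len : strlen(password) + 1);
    free(password);
}

/* Demonstration helper (assumed name): copy a secret into a fixed buffer,
 * wipe the whole buffer, and report whether every byte is zero afterwards. */
static int wipe_leaves_no_trace(const char *secret)
{
    char buf[64];
    size_t i;
    strncpy(buf, secret, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    secure_zero(buf, sizeof buf);
    for (i = 0; i < sizeof buf; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    const size_t len = 64;
    char *pw = malloc(len);                      /* constructed sample secret */
    if (pw == NULL)
        return 1;
    strcpy(pw, "correct horse battery staple");
    /* ... hand pw to the password-change code ... */
    free_password(pw, len);
    printf("wipe test: %s\n", wipe_leaves_no_trace("hunter2") ? "ok" : "FAILED");
    return 0;
}
```

The same rule applies to the krb5 library's own copies of the password (the strdup()'d ctx->password mentioned two commits further down): every copy needs the wipe, not just the one the caller owns.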
Matthias Dieter Wallnöfer
a6c57472ab heimdal - remove unused variable 2010-03-16 17:11:49 +01:00
Matthias Dieter Wallnöfer
dc5e0d8464 heimdal - fix overlapped identifiers in the "krb5" library 2010-03-16 17:11:49 +01:00
Matthias Dieter Wallnöfer
973001e91a heimdal - free always "ctx->password" when it isn't needed anymore
"strdup" always creates a new object in the memory (through "malloc") which
needs to be freed if it isn't used anymore.
2010-03-16 17:11:48 +01:00
Karolin Seeger
694ab7c5ff s4-heimdal: Fix typos in comment.
Karolin
2010-02-15 12:23:11 +01:00
Stefan Metzmacher
4a4b2a5eaf s4:heimdal: regenerate files
Andrew using cp like in commit ca12e7bc8f
is wrong as that removes #include "config.h" and breaks the build on AIX.

metze
2010-02-08 09:59:29 +01:00
Andrew Tridgell
bb009412d3 heimdal: work around differences between GNU and XSI strerror_r()
This is a fairly ugly workaround, but then again, strerror_r() is a
very ugly mess.
2009-12-14 22:29:57 +11:00
Andrew Tridgell
29c87ef830 s4-heimdal: fixed a use-after-free heimdal bug
This caused samba4kinit to segfault on some systems
2009-12-08 15:16:13 +11:00
Kamen Mazdrashki
bf7cc3262e krb5: Fix leaked hx509_context pointer
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2009-12-08 12:39:10 +11:00
Andrew Bartlett
4f64bc7125 heimdal Fix invalid format string 2009-11-24 11:38:41 +11:00
Andrew Bartlett
dc351a579d s4:heimdal: import lorikeet-heimdal-200911170333 (commit b532c294d974cead40a1183c71be644c6ccc2832)
This fixes up connections to Windows 2003, because the previous import
had a broken arcfour-hmac-md5 implementation (fixed in Heimdal
316fc6ff8ffb0cbb1ef3689685e9977c37405bc4)

Andrew Bartlett
2009-11-17 16:21:29 +11:00
Andrew Bartlett
ca12e7bc8f s4:heimdal Import generated files from heimdal tree
We should be able to rebuild these, but a cp is easier :-)
2009-11-13 23:19:06 +11:00
Andrew Bartlett
4f8ba5ad6a s4:heimdal: import lorikeet-heimdal-200911122202 (commit 9291fd2d101f3eecec550178634faa94ead3e9a1) 2009-11-13 23:19:05 +11:00
Andrew Bartlett
5bc87c14a1 s4:heimdal: import lorikeet-heimdal-200909210500 (commit 290db8d23647a27c39b97c189a0b2ef6ec21ca69) 2009-11-13 23:19:05 +11:00
Matthias Dieter Wallnöfer
9f170bc7ea heimdal - hdb/ext.c - fix a "shadows variable" warning
Renamed the variable "str" in the nested block to "str2" to prevent the collision
with "str" in the main function block.
2009-10-21 17:35:51 +02:00
Andrew Bartlett
3493b62b4b s4:heimdal A real fix for bug 6801
The issue was that we would free the entry after the database, not
knowing that the entry was a talloc child of the database.

Andrew Bartlett
2009-10-14 10:20:01 +11:00
Matthias Dieter Wallnöfer
3393257920 heimdal kerberos - fix memory leak (free the plugin list always - not only in error cases) 2009-10-03 15:49:40 +02:00
Matthias Dieter Wallnöfer
02b289f65b heimdal - fix various warnings
- Shadowed variables
- "const" related warnings
- Parameter names which shadow function declarations
- Non-void functions which have no return value

(patch also ported upstream)
2009-10-03 13:20:52 +02:00
Stefan Metzmacher
16f1ba2558 s4:heimdal/gssapi/krb5: set cred_handle in _gsskrb5_import_cred
metze
2009-09-18 20:34:16 +02:00
Andrew Bartlett
64e2b859d2 s4:heimdal: import lorikeet-heimdal-200908052208 (commit 370a73a74199a5a55188340906e15fd795f67a74)
This removes some of the portability changes made to code under
heimdal/

If these are still required, then we will re-add them with code under
heimdal_build/ (so that we can simply 'drop in' future heimdal
releases).

Andrew Bartlett
2009-08-06 08:44:53 +10:00
Andrew Bartlett
cd1d7f4be7 s4:heimdal: import lorikeet-heimdal-200908050050 (commit 8714779fa7376fd9f7761587639e68b48afc8c9c)
This also adds a new hdb-glue.c file, to cope with Heimdal's
unconditional enabling of SQLITE.

(Very reasonable, but not required for Samba4's use).

Andrew Bartlett
2009-08-05 12:18:17 +10:00
Andrew Bartlett
8ff1f50b0c s4:kerberos Add support for user principal names in certificates
This extends the PKINIT code in Heimdal to ask the HDB layer if the
User Principal Name in the certificate is an alias (perhaps just
by case change) of the name given in the AS-REQ.  (This was a TODO in
the Heimdal KDC)

The testsuite is extended to test this behaviour, and the other PKINIT
certificate (using the standard method to specify a principal name in a
certificate) is updated to use an Administrator (not administrator).
(This fixes the kinit test).

Andrew Bartlett
2009-07-28 14:10:47 +10:00
Andrew Bartlett
0c2dca71fa s4:heimdal Extend the 'hdb as a keytab' code
This extends the hdb_keytab code to allow enumeration of all the keys.

The plan is to allow ktutil's copy command to copy from Samba4's
hdb_samba4 into a file-based keytab used in wireshark.

One day, with a few more hacks, we might even make this a loadable
module that can be used directly...

Andrew Bartlett
2009-07-27 22:41:41 +10:00
Andrew Bartlett
6cb81f7b37 s4:heimdal: import lorikeet-heimdal-200907162216 (commit d09910d6803aad96b52ee626327ee55b14ea0de8)
This includes in particular changes to the KDC to resolve bug 6272,
originally by Matthieu Patou <mat+Informatique.Samba@matws.net>.  We
need to sort the AuthorizationData elements to put the PAC first, or
else WinXP breaks when browsed from Win2k8.

Andrew Bartlett
2009-07-17 08:32:01 +10:00
Andrew Bartlett
e25325539a s4:heimdal: import lorikeet-heimdal-200907152325 (commit 2bef9cd5378c01e9c2a74d6221761883bd11a5c5) 2009-07-16 11:31:36 +10:00
Andrew Bartlett
84dca625ca s4:heimdal The implied GSS_C_MUTUAL_FLAG depends on AP_OPTS_MUTUAL_REQUIRED
We had previously assumed it was unconditional.  Samba3 didn't mind
very much, but Samba4's samba3-like client did, and the behaviour
differed to Win2008 behaviour.

Andrew Bartlett
2009-07-16 09:23:35 +10:00
Stefan Metzmacher
5d4d9d333d s4:heimdal: readd heimdal/lib/asn1/asn1parse.y which was parse.y before the last import
Also commit the regenerated files for systems without yacc and lex.

This fixes the build with automatic dependencies for me.

metze
2009-07-06 13:28:11 +02:00
Björn Jacke
e9fc7c5e15 heimdal: don't include <ifaddrs.h> without knowing it's there
this is 73dbbe0d54 re-added. abartlet, please pick this to lorikeet.
2009-07-03 19:13:08 +02:00
Andrew Bartlett
89a074b784 s4:heimdal Allow KRB5_NT_ENTERPRISE names in all DB lookups
The previous code only allowed a KRB5_NT_ENTERPRISE name (an e-mail
list user principal name) in an AS-REQ.  Evidence from the wild
(Win2k8 reportedly) indicates that this is instead valid for all
types of requests.

While this is now handled in heimdal/kdc/misc.c, a flag is now defined
in Heimdal's hdb so that we can take over this handling in future (once we start
using a system Heimdal, and if we find out there is more to be done
here).

Andrew Bartlett
2009-06-30 12:11:14 +10:00
Andrew Bartlett
19413c5249 s4:kdc Allow a password change when the password is expired
This requires a rework on Heimdal's windc plugin layer, as we want
full control over what tickets Heimdal will issue.  (In particular, in
case our requirements become more complex in future).

The original problem was that Heimdal's check would permit the ticket,
but Samba would then deny it, not knowing it was for kadmin/changepw

Also (in hdb-samba4) be a bit more careful on what entries we will
make the 'change_pw' service mark that this depends on.

Andrew Bartlett
2009-06-18 13:49:30 +10:00
Andrew Bartlett
9b261c008a s4:heimdal: import lorikeet-heimdal-200906080040 (commit 904d0124b46eed7a8ad6e5b73e892ff34b6865ba)
Also including the supporting changes required to pass make test

A number of heimdal functions and constants have changed since we last
imported a tree (for the better, but inconvenient for us).

Andrew Bartlett
2009-06-12 07:45:48 +10:00
Björn Jacke
d2bb72d713 s4:heimdal: fix build on FreeBSD
Patch from Timur I. Bakeyev sent to samba-technical:

Heimdal requires openpty() presence. FreeBSD has it in standard libc, so
autodetection works, but compilation fails, as declaration of this function is
missing.

This patch adds proper header detection and inclusion for openpty().
2009-06-08 22:14:49 +02:00
Jeremy Allison
3a88316e23 Fix the build. Looks like no one ever compiled this on a system
with a libintl.h before.
Jeremy.
2009-02-24 12:19:06 -08:00
Jeremy Allison
365925eea3 Start fixing Solaris build failures.
Jeremy.
2009-02-24 11:37:57 -08:00
Stefan Metzmacher
6028e8f346 heimdal: void functions should not return a value
metze
2009-01-31 08:54:01 +01:00
Stefan Metzmacher
2fe137e7bc heimdal:hdb: always include "config.h" first
metze
2009-01-30 19:44:20 +01:00
Stefan Metzmacher
55f663a04b heimdal:camellia: include roken.h
metze
2009-01-30 19:37:06 +01:00
Stefan Metzmacher
e592718c43 heimdal:roken: arg_match_long() should return a value
This should fix a build problem on IRIX.

metze
2009-01-30 18:02:21 +01:00
Stefan Metzmacher
3f09dd0d82 heimdal:roken: arg_printusage() should not try to return a value.
This should fix problems with the IRIX build.

metze
2009-01-30 17:58:57 +01:00
Stefan Metzmacher
9cf1175d33 heimdal:camellia-ntt.c: include config.h as first header
metze
2009-01-30 17:52:37 +01:00
Stefan Metzmacher
cdca75dee6 heimdal: don't include <sys/cdefs.h> without knowing it's there
metze
2009-01-30 17:38:41 +01:00
Stefan Metzmacher
73dbbe0d54 heimdal: don't include <ifaddrs.h> without knowing it's there
metze
2009-01-30 17:38:40 +01:00
Andrew Bartlett
2fc5ca8409 Re-add support for supporting the PAC over domain trusts.
(This was not entered in lorikeet-heimdal.diff, so missed by metze's import).

Andrew Bartlett
2008-11-04 16:06:57 +11:00
Jelmer Vernooij
e7810b1bc2 Use standard heimdal function for finding interfaces - libreplace provides support for the underlying functions now. 2008-11-02 18:14:53 +01:00
Stefan Metzmacher
2b29b71864 s4: import lorikeet-heimdal-200810271034
metze
2008-10-28 08:53:09 +01:00
Jelmer Vernooij
87ec1d2532 Make sure prototypes are always included, make some functions static and
remove some unused functions.
2008-10-20 18:59:51 +02:00
Andrew Bartlett
71022daac2 Add samba4kpasswd and rkpty binaries
samba4kpasswd will be used to test the kpasswdd component of the KDC
(which is up until now untested), and rkpty is an expect-like wrapper
we can use to blackbox that utility.

Andrew Bartlett
2008-10-20 20:07:08 +11:00
Andrew Bartlett
6a5547742f Allow the PAC to be passed along during cross-realm authentication 2008-10-06 14:28:27 -07:00
Andrew Bartlett
6ad78f01a5 Rename hdb_ldb to hdb_samba4 and load as a plugin into the kdc.
This avoids one more custom patch to the Heimdal code, and provides a
more standard way to produce hdb plugins in future.

I've renamed from hdb_ldb to hdb_samba4 as it really is not generic
ldb.

Andrew Bartlett
2008-09-29 22:34:35 -07:00
Andrew Bartlett
baf0b36081 Merge krb5_cksumtype_to_enctype from Heimdal svn -r 23719
(This used to be commit cc1df3c002)
2008-09-03 14:20:30 +10:00
Andrew Bartlett
0b16d70f39 Don't wipe the PAC checksums, the caller may actually need them.
(This used to be commit 9db5a966fc)
2008-08-28 16:19:16 +10:00
Stefan Metzmacher
9430420ba2 heimdal: add missing heimdal/lib/hcrypto/{evp-aes-cts.c,evp-hcrypto.c}, sorry...
metze
(This used to be commit 0c4227e45d)
2008-08-26 21:38:34 +02:00
Stefan Metzmacher
243321b4bb heimdal: import heimdal's trunk svn rev 23697 + lorikeet-heimdal patches
This is based on f56a3b1846c7d462542f2e9527f4d0ed8a34748d in my heimdal-wip repo.

metze
(This used to be commit 467a1f2163)
2008-08-26 19:46:38 +02:00
Stefan Metzmacher
9080b5d979 heimdal_build: autogenerate the heimdal private/proto headers
Now it's possible to just use a plain heimdal tree in source/heimdal/
without any pregenerated files.

metze
(This used to be commit da333ca711)
2008-08-26 18:49:17 +02:00
Stefan Metzmacher
a1bbd66b0f heimdal_build: autogenerate table files in heimdal/lib/wind/
metze
(This used to be commit f4cfba26ae)
2008-08-26 18:48:50 +02:00
Stefan Metzmacher
57d4e11023 heimdal_build: add fallback for AC_WARNING_ENABLE()
metze
(This used to be commit 8d6d96898d)
2008-08-26 18:47:49 +02:00
Stefan Metzmacher
f09f67d24d heimdal: remove unused old files
metze
(This used to be commit 94cef56212)
2008-08-26 18:47:48 +02:00
Stefan Metzmacher
1c4b84ee4f heimdal_build: add a fake sqlite keytab implementation
This remove a difference against lorikeet-heimdal.

metze
(This used to be commit 4314df3561)
2008-08-26 14:25:44 +02:00
Stefan Metzmacher
cec74e9b00 Revert "gsskrb5: add support for DCE_STYLE and des and des3 keys"
This reverts commit 86848dd0f2.

This should come back via a merge from heimdal's trunk later.

metze
(This used to be commit 585e5360e2)
2008-08-26 12:30:02 +02:00
Stefan Metzmacher
64826077bf Revert "gsskrb5: always return an acceptor subkey"
This reverts commit 6a8b07c395.

This isn't strictly needed and will come back in the next merge
from heimdal's trunk.

metze
(This used to be commit 8ed040c8c4)
2008-08-26 12:30:02 +02:00
Stefan Metzmacher
e75f1072b6 Revert "krb5: always generate the acceptor subkey as the same enctype as the used service key"
This reverts commit dbb94133e0.

As we fixed gensec_gssapi to only return a session key when it
has the correct session key, this hack isn't needed anymore.

metze
(This used to be commit 697cd1896b)
2008-08-14 13:13:52 +02:00
Stefan Metzmacher
69d074af81 gsskrb5: always return an acceptor subkey
For non cfx keys it's the same as the initiator subkey.
This matches windows behavior.

metze
(This used to be commit 6a8b07c395)
2008-08-14 13:13:52 +02:00
Stefan Metzmacher
5569132f45 gsskrb5: try to be compatible with windows for gss_wrap* and cfx
The good thing is that windows and heimdal both use EC=0
in the non DCE_STYLE case, so we need the windows compat hack
only in DCE_STYLE mode.

metze
(This used to be commit 0fa41a94e4)
2008-08-08 15:29:17 +02:00
Stefan Metzmacher
610b1ada15 krb5: always generate the acceptor subkey as the same enctype as the used service key
With this patch samba4 can use gsskrb5_get_subkey() to get the session key.

metze
(This used to be commit dbb94133e0)
2008-08-08 15:29:16 +02:00
Stefan Metzmacher
4ad02f5185 gsskrb5: add support for DCE_STYLE and des and des3 keys
Only the des keys are tested as windows doesn't support des3

metze
(This used to be commit 86848dd0f2)
2008-08-08 12:52:14 +02:00
Stefan Metzmacher
86c9db8d4a heimdal: add missing files
metze
(This used to be commit b395cd7acd)
2008-08-01 17:49:45 +02:00
Stefan Metzmacher
9f5325ce39 heimdal: add missing file heimdal/lib/gssapi/mech/gss_pseudo_random.c
metze
(This used to be commit 3bd7e68a5c)
2008-08-01 17:27:18 +02:00
Stefan Metzmacher
a925f039ee heimdal: update to lorikeet-heimdal rev 801
metze
(This used to be commit d6c54a66fb)
2008-08-01 16:11:00 +02:00
Stefan Metzmacher
3678411037 gsskrb5: just don't force, but allow the flags when GSS_CF_NO_CI_FLAGS is given
metze
(This used to be commit f10c9ca361)
2008-06-27 12:43:04 +02:00
Stefan Metzmacher
eb192abd3a gsskrb5: fix gss_krb5_cred_no_ci_flags_x_oid_desc variable name
metze
(This used to be commit d88be1a1cb)
2008-06-27 12:43:04 +02:00