IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This is a regression introduced in commit
8dd37327b0.
Now we change 'realm' before calling
ret = krb5_principal_set_realm(context, entry_ex->entry.principal, realm);
as before commit 8dd37327b0.
Without this we'd set entry_ex->entry.principal to
krbtgt/DOMA.EXAMPLE.COM@DOMA.EXAMPLE.COM instead
of krbtgt/DOMA.EXAMPLE.COM@DOMB.EXAMPLE.COM,
while we use krbtgt/DOMA.EXAMPLE.COM@DOMB.EXAMPLE.COM as
salt for the keys.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Mar 18 18:56:51 CET 2015 on sn-devel-104
This is now handled properly by samba_kdc_lookup_server() and this wrapper actually
breaks things.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This also reverts 51b94ab3fd as our
testing shows Windows 2012R2 does not have this behaviour.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This needs to vary depending on if the client requested the canonicalize flag
This was found by our new krb5.kdc test
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
If we are set to canonicalize, we get back the fixed UPPER
case realm, and the real username (ie matching LDAP
samAccountName)
Otherwise, if we are set to enterprise, we
get back the whole principal as-sent
Finally, if we are not set to canonicalize, we get back the
fixed UPPER case realm, but the as-sent username
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Based on a patch by Samuel Cabrero <scabrero@zentyal.com>
This ensures we write the correct (implict, samAccountName) based UPN into
the ticket, rather than the userPrincipalName, which will have a different
realm.
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
This avoids writing invalid memory, because num_keys was calculated
in a wrong way...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
We have a look at "msDS-SupportedEncryptionTypes" and >= DS_DOMAIN_FUNCTION_2008
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Dec 19 15:39:40 CET 2014 on sn-devel-104
The fix in ac2d31e24c picked the wrong function name. This is meant
to be the remote address, not the local one, if we ever have to re-instate this code.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This new helper function will also be used by pdb_samba_dsdb.
Change-Id: I008af94a0822012c211cfcc6108a8b1285f4d7c7
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Allow us to start if we bind to *either* :: or 0.0.0.0.
Allows us to cope with systems configured as only IPv4
or only IPv6.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-By: Amitay Isaacs <amitay@gmail.com>
Reviewed-By: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jun 7 01:01:44 CEST 2014 on sn-devel-104
The event context here was only specified in the server or admin-tool
context, which does not do network communication, so this only caused
a talloc_reference() and never any useful result.
The actual network communication code sets an event context directly
before making the network call.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Apr 28 02:24:57 CEST 2014 on sn-devel-104
Change-Id: I91bb663dcf1b1033cf756a860404c677e4ac4ade
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Change-Id: I27280d7dd139c6c65dddac611dbdcd7e518ee536
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This only changes the log output, the same error is still returned
Change-Id: Id3c13e9373140c276783e5bd288f29de2bf4a45d
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Including a fix by Arvid Requate <requate@univention.de>
Change-Id: I25d10da50dd6119801cd37349cce970599531c6b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This seems to be the best choke point to check for locked out
accounts, as aside from the KDC, all the password authentication and
change callers use it.
Andrew Bartlett
Change-Id: I0f21a79697cb8b08ef639445bd05a896a2c9ee1b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This ensures we notice any API changes at compile time.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10464
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Change-Id: Ib317d71dea01fc8ef6b6a26455f15a8a175d59f6
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar 7 02:18:17 CET 2014 on sn-devel-104
In samba_kdc_firstkey() routine, krb5_get_default_realm() allocates
memory for "realm" but never used afterwards. Free() the leaked memory.
CID: 1107223
Signed-off-by: Santosh Kumar Pradhan <spradhan@redhat.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This checks both if host system run-time Heimdal has changed version,
and that the build-time version is supported.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jan 20 22:26:49 CET 2014 on sn-devel-104
Fixes exportkeytab and a kdc crash when building against heimdal master.
Bug-Debian: http://bugs.debian.org/732342
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
It's called `interface_version` in older Heimdal versions and
`version` in newer versions.
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Nov 28 04:17:55 CET 2013 on sn-devel-104
The decrement operation has been missing.
Problem found by Mohammad Ebrahim Abravi <lamp.mia@gmail.com>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
This will allow us to detect from the smb.conf if this is a Samba4 AD
DC which will allow smarter handling of (for example) accidentially
starting smbd rather than samba.
To cope with upgrades from existing Samba4 installs, 'domain
controller' is a synonym of 'active directory domain controller' and
new parameters 'classic primary domain controller' and 'classic backup
domain controller' are added.
Andrew Bartlett
This was used in only 2 places, db-glue.c and the lsa server.
In db-glue.c it is awkward though, as it forces to use an unconvenient lsa
structure and conversions from time_t to nt_time only to have nt_times
converted back to time_t for actual use. This is silly.
Also the kdc-policy file was a single funciton library, that's just ridiculous.
The loadparm helper is all we need to keep the values consistent, and if we
ever end up doing something with group policies we will care about it when it's
the time. the code would have to change quite a lot anyway.
Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Fri Apr 20 01:53:37 CEST 2012 on sn-devel-104
kerberos_enctype_to_bitmap is not used anywhere else, so just move it there and
make it static, one less dependency to worry about.
Signed-off-by: Andreas Schneider <asn@samba.org>
Here we can fetch the right key, and check if the PAC is likely to be signed by a key that
we know. We cannot check the KDC signature on incoming trusts.
Andrew Bartlett
This will help users who are used to the kadmin interface, and could
be extended to import existing MIT or Heimdal keys into a Samba4 AD
domain.
To use, add to your krb5.conf
[kdc]
database = {
dbname = samba4:
}
or
[kdc]
database = {
dbname = samba4:/usr/local/samba/etc/smb.conf
}
And copy hdb_samba4.so from PREFIX/modules/hdb to your Heimdal lib directory
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Nov 30 03:22:11 CET 2011 on sn-devel-104
This avoids keeping the event context around on a the gensec_security
context structure long term.
In the Samba3 server, the event context we either supply is a NULL
pointer as no server-side modules currently use the event context.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This sorts out the correct handling for the 'kvno=255'
problem. Windows will use the previous trust password for 1 hour after
a password set, and indicates that the previous password is being used
by sending current_kvno-1. That maps to 255 if the trust password has
not actually been changed, so the initial trust password is being
used.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
the kdc should not be looking for users in GC partial replicas, as
these users do not have all of the attributes needed for the KDC to
operate
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
windows sometimes sends us a kvno of 255 for inter-domain trusts. We
don't yet know why it does this, but it seems that we need to treat
this as an unspecified kvno
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
the kdc doesn't want to find users who are in partialReplica
partitions, as they won't have the needed secret info for the kdc to
operate. We need to generate referrals instead
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
the exact value doesn't matter, as both Samba and windows check
against the latest password, but the old default of -1 caused ASN.1
parsing errors on windows, which prevented it answering TGS requests
thanks to Hongwei Sun for finding this from a ttt trace
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This is slightly less efficient, because we no longer keep a cache on
the gensec structures, but much clearer in terms of memory ownership.
Both gensec_session_info() and gensec_session_key() now take a mem_ctx
and put the result only on that context.
Some duplication of memory in the callers (who were rightly uncertain
about who was the rightful owner of the returned memory) has been
removed to compensate for the internal copy.
Andrew Bartlett
Windows seems to always canonicalize the principal in TGS replies.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Jul 26 03:25:06 CEST 2011 on sn-devel-104
TODO: check why this is needed.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Jul 15 12:26:25 CEST 2011 on sn-devel-104
As mit_samba_update_pac_data() doesn't support adding
S4U_DELEGATION_INFO to the pac (and I have no clue how to add that)
we should disable S4U2Proxy until this is implemented.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Jun 28 20:35:19 CEST 2011 on sn-devel-104
The two error tables need to be combined, but for now seperate the names.
(As the common parts of the tree now use the _common function,
errmap_unix.c must be included in the s3 autoconf build).
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Jun 20 08:12:03 CEST 2011 on sn-devel-104
The iface_count, iface_n_bcast, and load_interfaces functions
conflicted with functions of the same name in source3, so the source4
functions were renamed. Hopefully we can actually wrap one around the
other in future.
Andrew Bartlett
we shouldn't accept bad multi-byte strings, it just hides problems
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Thu Mar 24 01:47:26 CET 2011 on sn-devel-104
By having kdc_tcp_proxy_send/recv(), which just asks any writeable
dc for a reponse blob, we simplify the interaction between
client-local and local-writeable sockets.
This allows us to make kdc_socket, kdc_process_fn_t, kdc_tcp_call and kdc_tcp_socket
private to kdc.c again.
metze
By having kdc_udp_proxy_send/recv(), which just asks any writeable
dc for a reponse blob, we simplify the interaction between
client-local and local-writeable sockets.
This allows us to make kdc_udp_call and kdc_udp_socket private to
kdc.c again.
metze
Bit shifting is non-trivial in C:-)
This
int32_t a = 0x12340000;
uint32_t b = (a >> 16);
results in 0x00001234, but this
int32_t a = 0xEDCB0000;
uint32_t b = (a >> 16);
results in 0xFFFFEDCB, while we expected 0x0000EDCB.
metze
this prevents conflicts with the s3 auth modules. The auth modules in
samba3 may appear in production smb.conf files, so it is preferable to
rename the s4 modules for minimal disruption.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
thi ensures we are using the header corresponding to the version of
ldb we're linking against. Otherwise we could use the system ldb for
link and the in-tree one for include
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This changes auth_serversupplied_info into the IDL-defined struct
auth_user_info_dc. This then in turn contains a struct
auth_user_info, which is the only part of the structure that is
mainted into the struct session_info.
The idea here is to avoid keeping the incomplete results of the
authentication (such as session keys, lists of SID memberships etc) in
a namespace where it may be confused for the finalised results.
Andrew Barltett
This context is used in ldb, and ldb modules apparently abort if nesting is not
allowed.
Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Mon Feb 7 20:58:02 CET 2011 on sn-devel-104
We now no longer print tickets with a potentially infinite life, and
we report the same life over LSA as we use in the KDC. We should get
this from group policy, but for now it's parametric smb.conf options.
Andrew Bartlett
Thanks to Hongwei Sun for the clear description of the algorithim
involved. Importantly, it isn't possible to remove encryption types
from the list, only to add them over the defaults (DES and
arcfour-hmac-md5, and additional AES for DCs and RODCs).
This changes the behaviour for entries with
msDS-supportedEncryptionTypes: 0, which Angelos Oikonomopoulos
reported finding set by ADUC when attempting to store cleartext
passwords.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Nov 16 21:24:43 UTC 2010 on sn-devel-104
The KDC sets different flags for the AS-REQ (this is client-depenent)
and the TGS-REQ to determine if the realm should be forced to the
canonical value. If we do this always, or do this never, we get into
trouble, so it's much better to honour the flags we are given.
Andrew Bartlett
We should never get a cross-realm ticket that was not issued by a full
DC, but if someone claims to have such a thing, reject it rather than
segfaulting on the NULL client pointer.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Nov 15 23:59:34 UTC 2010 on sn-devel-104
The PAC was being regenerated on all normal DCs, because they don't
have a msDS-SecondaryKrbTgtNumber attribute. Instead we need to check
if it's set and not equal to our RODC number, allowing RODCs to trust
the full DCs and itself, but not other RODCs.
Andrew Bartlett
This remains an abuse, because it relies on setting into the krb5_principal
structure, but at least it causes less trouble for the server.
Andrew Bartlett
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Mon Nov 15 00:13:59 UTC 2010 on sn-devel-104
when we are an RODC and we get a request for a principal that we don't
have the right secrets for, we need to proxy the request to a
writeable DC. This happens for both TCP and UDP requests, for both
krb5 and kpasswd
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Fri Nov 12 08:03:20 UTC 2010 on sn-devel-104
This means that when we are an RODC, and an account does not have the
password attributes, we can now indicate to the kdc code that it
should forward the request to a real DC.
(The proxy code itself is not in this commit).
Andrew Bartlett
The new waf-based build system now has all the same functionality, and
the old build system has been broken for quite some time.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sun Oct 31 02:01:44 UTC 2010 on sn-devel-104
this also removes the event_context parameter from process model
initialisation. It isn't needed, and is confusing when a process model
init can be called from more than one place, possibly with different
event contexts.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This reverts commit 8a2ce5c47c.
Jelmer pointed out that these are also in use by other LDB databases - not only
SAMDB ones.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Oct 17 13:37:16 UTC 2010 on sn-devel-104
They're only in use by SAMDB code.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Oct 17 09:40:13 UTC 2010 on sn-devel-104
By setting the event context to use for this operation (only) onto
the krb5_context just before we call that operation, we can try
and emulate the specification of an event context to the actual send_to_kdc()
This eliminates the specification of an event context to many other
cli_credentials calls, and the last use of event_context_find()
Special care is taken to restore the event context in the event of
nesting in the send_to_kdc function.
Andrew Bartlett
We should avoid using Kerberos or any other recursive auth mechanism
in ldb backends, but denying Kerberos here won't be enough, so
remove the special case. (Typcially we bind using a different password
space and DIGEST-MD5 or NTLM).
Andrew Bartlett
This includes rewriting the PAC if the original krbtgt isn't to be
trusted, and reading different entries from the DB for the krbtgt
depending on the krbtgt number.
Andrew Bartlett
This means we just set up the system_session etc in one place
and don't diverge between the MIT and Heimdal plugins.
We also now determine if we are an RODC and store some details
that we will need later.
Andrew Bartlett
This makes the structure much more like NT_USER_TOKEN in the source3/
code. (The remaining changes are that privilages still need to be merged)
Andrew Bartlett
Now it's finally possible that the user can change his password with a DSDB
connection using his credentials.
NOTICE: I had to extract the old password from the SAMDB since I was unable to
find it somewhere else (authinfo for example).
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
This changes the calculation to apply the allowed enc types to all
uses of the key (no point allowing a weak kinit to a key the server
wanted strongly protected). It also ensures that all the non-DES keys
are available on the krbtgt in particular, even as it does not have a
msds-SupportedEncryptionTypes attributes.
Andrew Bartlett
"heimdal/waf: Initial work on making it possible to use the system"
as the hdb_check_s4u2self function handling is incorrect.
This reverts commit b099631f42.