1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

60 Commits

Author SHA1 Message Date
Garming Sam
29cccff500 kdc: Send bad password via NETLOGON in RODC
This means that a RWDC will be collecting the badPwdCount to ensure
domain wide lockout.

TODO The parameters should be better constructed.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
ef0218a512 hdb: Dupe a copy of repl secrets into the KDC
When you have an RODC, this will force the fetch of secrets if not found here

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Andreas Schneider
dce438e18e s4-kdc: Start the kpasswd service with MIT KDC
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:10 +02:00
Andreas Schneider
a1d9e8814a s4-kdc: Add MIT Kerberos specific kpasswd code
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:10 +02:00
Andreas Schneider
6eb1ff9b47 s4-kdc: Register the MIT irpc PAC validation service
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:09 +02:00
Andreas Schneider
6b67a39f9f s4-kdc: Add MIT KRB5 based irpc service for PAC validation
Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>

Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:09 +02:00
Andreas Schneider
32e772b4b9 s4-kdc: Add a MIT Kerberos KDC service
This starts the krb5kdc binary shipped with MIT Kerberos.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:09 +02:00
Gary Lockyer
8154acfd0d auth: Generate a human readable Authentication log message.
Add a human readable authentication log line, to allow
verification that all required details are being passed.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:26 +02:00
Stefan Metzmacher
4b295b106c wscript: remove executable bits for all wscript* files
These files should not be executable.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 11 20:21:01 CET 2017 on sn-devel-144
2017-01-11 20:21:01 +01:00
Andreas Schneider
510e504a5b s4-kdc: Switch to the new kpasswd service implementation
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-13 00:19:26 +02:00
Andreas Schneider
7e4c996bb1 s4-kdc: Add new kpasswd service Heimdal backend
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-13 00:19:25 +02:00
Andreas Schneider
69749b6130 s4-kdc: Add a new kpasswd service implementation
This function is intended to be be passed to kdc_add_socket(). The
function kpasswd_handle_request() which is called by kpasswd_process()
is Kerberos implementation specific and should be implemented in a
kpasswd-service-<kerberos flavour>.c file.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-13 00:19:25 +02:00
Andreas Schneider
f9de99ce9b s4-kdc: Move kpasswd_make_error_reply() to a helper file
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-11 02:58:22 +02:00
Andreas Schneider
3de3f643a8 s4-kdc: Move KDC packet handling functions to kdc-server.c
Create an Kerberos implmentation independent KDC-SERVER subsystem so we
can use it to implement a kpasswd server with MIT Kerberos in future.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Jun 19 03:31:32 CEST 2016 on sn-devel-144
2016-06-19 03:31:32 +02:00
Andreas Schneider
379ed08754 s4-kdc: Rename proxy-heimdal.c to kdc-proxy.c
The plan is to have a KDC-SERVER subsystem later.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-18 23:32:26 +02:00
Andreas Schneider
de88bfc770 s4-kdc: Rename heimdal KDC files
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-18 23:32:26 +02:00
Ralph Boehme
3116e8d3be s4: add a minimal ktutil for selftest
This minimalistic version of ktutil dumps all principal names and
encryption types from a keytab, eg:

./bin/samba4ktutil test.keytab
ktpassuser@HILLHOUSE.SITE (arcfour-hmac-md5)
ktpassuser@HILLHOUSE.SITE (aes256-cts-hmac-sha1-96)
ktpassuser@HILLHOUSE.SITE (aes128-cts-hmac-sha1-96)
ktpassuser@HILLHOUSE.SITE (des-cbc-md5)
ktpassuser@HILLHOUSE.SITE (des-cbc-crc)

This is all we need to run some tests against keytabs exported with
`samba-tool domain exportkeytab`.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-04-25 10:35:14 +02:00
Andreas Schneider
ade958e20b mit-kdb: Add initial MIT KDB Samba driver
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Simo Sorce <idra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Simo Sorce <idra@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-17 04:32:28 +01:00
Andreas Schneider
909e7f9ff6 mit_samba: Add function to change the password
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-17 04:32:28 +01:00
Andreas Schneider
33fcc76aa7 mit_samba: Make mit_samba a shim layer between Samba and KDB
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-17 04:32:27 +01:00
Günther Deschner
209d4b5b28 mit_samba: Use sdb in the mit_samba plugin
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-17 04:32:27 +01:00
Günther Deschner
6825a61b0b s4-kdc: Introduce a simple sdb_kdb shim layer
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-17 04:32:27 +01:00
Andreas Schneider
78075cfcda waf: Add talloc as a dependency
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Aug  5 04:08:30 CEST 2015 on sn-devel-104
2015-08-05 04:08:30 +02:00
Günther Deschner
d49b4aafa8 s4-kdc: Use sdb in db-glue and hdb-samba4
Guenther

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 30 13:29:27 CEST 2015 on sn-devel-104
2015-07-30 13:29:27 +02:00
Günther Deschner
99d3719e7d s4-kdc: Introduce a simple sdb_hdb shim layer
Guenther

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-30 10:24:26 +02:00
Günther Deschner
85a041bab5 s4-kdc: Introduce sdb a KDC backend abstraction
Guenther

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-30 10:24:26 +02:00
Günther Deschner
535035affc s4-kdc: PAC_GLUE does not depend on hdb anymore.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-30 10:24:26 +02:00
Günther Deschner
ae607c0d05 s4-kdc_kpasswd: split out some code to a KPASSWD_GLUE subsystem.
This can then be easier shared with MIT's kadmin services for kpasswd services.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-21 19:04:14 +02:00
Günther Deschner
a7705ad060 s4-kdc: move kdc_check_pac() to a new subsystem KDC-GLUE.
This subsystem should be used to provide shared code between the s4 heimdal kdc
and the s4 heimdal wdc plugin.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-21 19:04:14 +02:00
Andreas Schneider
52e6d91d34 waf: Make mit_samba a subsystem and do not build with Heimdal
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-21 19:04:14 +02:00
Günther Deschner
1afd3d3262 s4-kdc: build some kdc components only for Heimdal KDCs.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-03-27 01:26:16 +01:00
Stefan Metzmacher
4bb9aca900 s4:kdc: remove unused allow_warnings=True for 'MIT_SAMBA'
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-11-25 07:25:45 +01:00
Stefan Metzmacher
daadf3b928 s4:kdc: explicitly use allow_warnings=True for MIT_SAMBA
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-04-02 09:03:46 +02:00
Andrew Bartlett
83fbdc81cd kdc: Use correct KDC include path when building against the system heimdal
This ensures we notice any API changes at compile time.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
2014-03-14 08:17:29 +01:00
Simo Sorce
4b29cf5f66 Move kdc_get_policy helper in the lsa server where it belongs.
This was used in only 2 places, db-glue.c and the lsa server.
In db-glue.c it is awkward though, as it forces to use an unconvenient lsa
structure and conversions from time_t to nt_time only to have nt_times
converted back to time_t for actual use. This is silly.

Also the kdc-policy file was a single funciton library, that's just ridiculous.

The loadparm helper is all we need to keep the values consistent, and if we
ever end up doing something with group policies we will care about it when it's
the time. the code would have to change quite a lot anyway.

Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Fri Apr 20 01:53:37 CEST 2012 on sn-devel-104
2012-04-20 01:53:37 +02:00
Andrew Bartlett
49f8113fab s4-kdc Do the KDC PAC checksum validation in the Samba plugin
Here we can fetch the right key, and check if the PAC is likely to be signed by a key that
we know.  We cannot check the KDC signature on incoming trusts.

Andrew Bartlett
2012-01-12 18:02:54 +11:00
Andrew Bartlett
8d3e92d043 s4-kdc: only build hdb plugin if we build against system Heimdal
It is not safe to have a system kadmin use our plugin if we do not
share the same libkrb5.

Andrew Bartlett
2011-12-07 03:09:08 +01:00
Andrew Bartlett
12ce07e53b s4-kdc: Add hdb plugin for samba4, to allow kadmin to work
This will help users who are used to the kadmin interface, and could
be extended to import existing MIT or Heimdal keys into a Samba4 AD
domain.

To use, add to your krb5.conf

[kdc]

database = {
   dbname = samba4:
}

or

[kdc]

database = {
   dbname = samba4:/usr/local/samba/etc/smb.conf
}

And copy hdb_samba4.so from PREFIX/modules/hdb to your Heimdal lib directory

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Nov 30 03:22:11 CET 2011 on sn-devel-104
2011-11-30 03:22:11 +01:00
Jelmer Vernooij
292fe74971 credentials: Rename library to samba-credentials to avoid name clashes.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Thu Aug 18 22:16:38 CEST 2011 on sn-devel-104
2011-08-18 22:16:38 +02:00
Jelmer Vernooij
a68b59e9a6 source4/kdc: Fix prototypes for all functions. 2011-03-19 03:20:05 +01:00
Andrew Tridgell
ed71c1ef1f s4-auth: rename 'auth' subsystem to 'auth4'
this prevents conflicts with the s3 auth modules. The auth modules in
samba3 may appear in production smb.conf files, so it is preferable to
rename the s4 modules for minimal disruption.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-18 15:09:46 +11:00
Andrew Bartlett
f681859eb8 s4-lsa Implement kerberos ticket life policy
We now no longer print tickets with a potentially infinite life, and
we report the same life over LSA as we use in the KDC.  We should get
this from group policy, but for now it's parametric smb.conf options.

Andrew Bartlett
2010-12-09 18:02:59 +11:00
Jelmer Vernooij
caa3935a38 kdc: Build as shared module by default. 2010-11-15 03:14:23 +01:00
Jelmer Vernooij
bee3b665a8 Build wrepl server as service by default. 2010-11-14 17:14:05 +00:00
Andrew Tridgell
1ec8d55e27 s4-kdc: added proxying of kdc requests for RODCs
when we are an RODC and we get a request for a principal that we don't
have the right secrets for, we need to proxy the request to a
writeable DC. This happens for both TCP and UDP requests, for both
krb5 and kpasswd

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Fri Nov 12 08:03:20 UTC 2010 on sn-devel-104
2010-11-12 08:03:20 +00:00
Andrew Tridgell
4f352a5b6a s4-kdc: we don't need the special include handling now
the special handling was to cope with the conflict with the kdc.h
header

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-11-12 18:18:55 +11:00
Jelmer Vernooij
4217734a51 credentials: Lowercase library name,
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sun Nov  7 01:48:44 UTC 2010 on sn-devel-104
2010-11-07 01:48:44 +00:00
Andrew Tridgell
b6b0d2cea3 s4-kdc: create a 'pac' private grouping library
this removes the final case where we have an object file linked into
two libraries

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-10-30 23:49:00 +11:00
Jelmer Vernooij
a74e8be6d1 waf: Stop automaticaly changing dashes to underscores in library names. 2010-10-26 10:17:18 -07:00
Jelmer Vernooij
8cf61377aa waf: Remove lib prefix from libraries manually. 2010-10-26 10:17:17 -07:00