IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
These principals do not need to be in the same realm as the rest of
the ticket, the full principal name is in the first componet of the
ASN.1.
Samba4's backend will handle getting this to the 'right' place.
Andrew Bartlett
caused the RPC-SECRETS test to crash smbd in an inlined version of
this memcmp() call. This patch should have absolutely no effect at
all, but in fact it prevents the crash.
Disassembling at the point of the crash, it shows that gcc is inlining
the memcmp(). I don't know enough MIPS assembler to actually spot the
bug. In case anyone reading this does know MIPS assembler, here is the
gcc generated code that crashes:
0x105e0218 <gssapi_krb5_verify_header+168>: lw $t1,52($sp)
0x105e021c <gssapi_krb5_verify_header+172>: lw $t1,0($t1)
0x105e0220 <gssapi_krb5_verify_header+176>: lhu $t1,0($t1)
0x105e0224 <gssapi_krb5_verify_header+180>: lw $t2,68($sp)
0x105e0228 <gssapi_krb5_verify_header+184>: lhu $t2,0($t2)
0x105e022c <gssapi_krb5_verify_header+188>: subu $t1,$t1,$t2
it gets a segv at 0x105e0220.
lha, what do you think of this? The change should be innocuous on all
other platforms, apart from making the code harder to read :(
headers with "" even with a -I override. That means our heimdal_build/
roken override doesn't work.
Switching to <> style includes in roken fixes this. lha, would be be
acceptable upstream? I notice that half your includes of roken.h are
with <> now anyway, so should be harmless (and even more consistent!)
similarly built clients) behave.
This is better than just ignoring the checksum, if it isn't the GSSAPI
checksum. (Samba4 clients in Samba3 mode use more than just the MD5
checksum, and will use a signed AES checksum if available. Actual
samba3 may well do the same in future, against a suitable KDC).
Also a change for easier debugging of checksum issues.
Andrew Bartlett
This includes many useful upstream changes, many of which should
reduce warnings in our compile.
It also includes a change to the HDB interface, which removes the need
for Samba4/lorikeet-heimdal to deviate from upstream for hdb_fetch().
The new flags replace the old entry type enum.
(This required the rework in hdb-ldb.c included in this commit)
Andrew Bartlett
We do need the gsskrb5_get_initiator_subkey() routine. But we should
ensure that we do always get a valid key, to prevent any segfaults.
Without this code, we get a different session key compared with
Win2k3, and so kerberised smb signing fails.
Andrew Bartlett
same session key. I need to understand this more, but it works
samba/samba, and I don't have access to windows doing AES (longhorn)
yet.
Andrew Bartlett
case) as the keytab.
This avoids issues in replicated setups, as we will replicate the
kpasswd key correctly (including from windows, which is why I care at
the moment).
Andrew Bartlett
gsskrb5_get_initiator_subkey() routine is bougs. We can indeed use
gss_krb5_get_subkey().
This is fortunate, as there was a segfault bug in 'initiator' version.
Andrew Bartlett
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
Allow ticket requests with only a netbios name to be considered 'null'
addresses, and therefore allowed by default.
Use the netbios address as the workstation name for the allowed
workstations check with krb5.
Andrew Bartlett
We now put the PAC in the AS-REP, so that the client has it in the
TGT. We then validate it (and re-sign it) on a TGS-REQ, ie when the
client wants a ticket.
This should also allow us to interop with windows KDCs.
If we get an invalid PAC at the TGS stage, we just drop it.
I'm slowly trying to move the application logic out of hdb-ldb.c, and
back in with the rest of Samba's auth system, for consistancy. This
continues that trend.
Andrew Bartlett
the code in auth/auth_sam.c for consistancy. This will also allow us
to have one place for a backend directory hook.
I will use a very similar hook to add the PAC.
Andrew Bartlett
wanted. There is nothing that suggests that the host we forward
credentials to will not have other interfaces, unassoicated with their
service name. Likewise, the name may be a netbios, not DNS name.
This should avoid some nasty DNS lookups.
Andrew Bartlett
change this checksum, as it is inside the encrypted packets.
Where the client (such as Samba3) fakes up GSSAPI, allow it to
continue. We can't rid the world of all Samba3 and similar clients...
Andrew Bartlett
DCE_STYLE modified version, and add parametric options to control
delegation.
It turns out the only remaining issue is sending delegated credentials
to a windows server, probably due to the bug lha mentions in his blog
(using the wrong key).
If I turn delgation on in smbclient, but off in smbd, I can proxy a
cifs session.
I can't wait till Heimdal 0.8, so I'll see if I can figure out the fix
myself :-)
Andrew Bartlett
