1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

61 Commits

Author SHA1 Message Date
Andrew Bartlett
26421fb2dc r13481: As far as I can tell, my changes in -r 12863 were dangerously untested.
We do need the gsskrb5_get_initiator_subkey() routine.  But we should
ensure that we do always get a valid key, to prevent any segfaults.

Without this code, we get a different session key compared with
Win2k3, and so kerberised smb signing fails.

Andrew Bartlett
(This used to be commit cfd0df16b7)
2007-10-10 13:51:55 -05:00
Andrew Bartlett
20d9dc9796 r13144: This seems to be required for Samba4 to talk to Samba4, and to get the
same session key.  I need to understand this more, but it works
samba/samba, and I don't have access to windows doing AES (longhorn)
yet.

Andrew Bartlett
(This used to be commit 38809b43a5)
2007-10-10 13:51:28 -05:00
Andrew Bartlett
28d78c40ad r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in our
case) as the keytab.

This avoids issues in replicated setups, as we will replicate the
kpasswd key correctly (including from windows, which is why I care at
the moment).

Andrew Bartlett
(This used to be commit 849500d1aa)
2007-10-10 13:51:26 -05:00
Andrew Bartlett
adab8d3968 r12863: As lha suggested to me a while back, it appears that the
gsskrb5_get_initiator_subkey() routine is bougs.  We can indeed use
gss_krb5_get_subkey().

This is fortunate, as there was a segfault bug in 'initiator' version.

Andrew Bartlett
(This used to be commit ec11870ca1)
2007-10-10 13:50:55 -05:00
Jelmer Vernooij
63d718e243 r12696: Reduce the size of include/structs.h
(This used to be commit 6391761601)
2007-10-10 13:49:40 -05:00
Andrew Bartlett
fbf106f670 r12269: Update to current lorikeet-heimdal. This changed the way the hdb
interface worked, so hdb-ldb.c and the glue have been updated.

Andrew Bartlett
(This used to be commit 8fd5224c6b)
2007-10-10 13:47:26 -05:00
Andrew Bartlett
9afdb938cd r12037: Fix malloc corruption caused by double-free(), where realloc(ptr, 0)
is equivilant to free().

This is the issue tridge was seeing in the MEMORY: keytab code.

Andrew Bartlett
(This used to be commit d5a2de8ef0)
2007-10-10 13:47:01 -05:00
Andrew Bartlett
6913dddf64 r12000: Update to current lorikeet-heimdal, including in particular support
for referencing an existing in-MEMORY keytab (required for the new way
we push that to GSSAPI).

Andrew Bartlett
(This used to be commit 2426581dfb)
2007-10-10 13:46:57 -05:00
Andrew Bartlett
9c6b7f2d62 r11995: A big kerberos-related update.
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.

In particular, the credentials system now supplies GSS client and
server credentials.  These are imported into GSS with
gss_krb5_import_creds().  Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.

Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls.  Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.

To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass.  The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.

This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().

We can now (in theory) use a system-provided /etc/krb5.keytab, if

krb5Keytab: FILE:/etc/krb5.keytab

is added to the secrets.ldb record.  By default the attribute

privateKeytab: secrets.keytab

is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df4)
2007-10-10 13:46:56 -05:00
Andrew Bartlett
3a3c53327a r11940: Love has clarified why this code does what it does.
Andrew Bartlett
(This used to be commit 9b3dedbc0b)
2007-10-10 13:46:49 -05:00
Andrew Bartlett
68049cfac3 r11931: Add a short README explaining what this directory is all about.
Andrew Bartlett
(This used to be commit eaf8777e44)
2007-10-10 13:46:49 -05:00
Andrew Bartlett
ef9ec9583d r11930: Add socket/packet handling code for kpasswdd
Allow ticket requests with only a netbios name to be considered 'null'
addresses, and therefore allowed by default.

Use the netbios address as the workstation name for the allowed
workstations check with krb5.

Andrew Bartlett
(This used to be commit 328fa186f2)
2007-10-10 13:46:48 -05:00
Andrew Bartlett
30d164d9f0 r11568: Debuging aids: Let the administrator know when a key/entry expired,
rather than just the fact of the expiry.

Andrew Bartlett
(This used to be commit 31c4ab26d7)
2007-10-10 13:45:54 -05:00
Andrew Bartlett
918c7634c2 r11543: A major upgrade to our KDC and PAC handling.
We now put the PAC in the AS-REP, so that the client has it in the
TGT.  We then validate it (and re-sign it) on a TGS-REQ, ie when the
client wants a ticket.

This should also allow us to interop with windows KDCs.

If we get an invalid PAC at the TGS stage, we just drop it.

I'm slowly trying to move the application logic out of hdb-ldb.c, and
back in with the rest of Samba's auth system, for consistancy.  This
continues that trend.

Andrew Bartlett
(This used to be commit 36973b1eef)
2007-10-10 13:45:52 -05:00
Andrew Bartlett
f7ca730849 r11542: Add the netbios name type. We will need it when we start to handle
allowedWorkstations on Krb5.

Andrew Bartlett
(This used to be commit dbf73a82fc)
2007-10-10 13:45:51 -05:00
Andrew Bartlett
7bfbe8af7e r11541: More logical (I think...) delegation semantics.
Andrew Bartlett
(This used to be commit 6bb1b24428)
2007-10-10 13:45:51 -05:00
Andrew Bartlett
fb2394d309 r11536: Add a hook for client-principal access control to hdb-ldb, re-using
the code in auth/auth_sam.c for consistancy.  This will also allow us
to have one place for a backend directory hook.

I will use a very similar hook to add the PAC.

Andrew Bartlett
(This used to be commit 4315836cd8)
2007-10-10 13:45:50 -05:00
Andrew Bartlett
512f5ae881 r11529: Disable DNS lookups for forwarded credentials, unless really, really
wanted.  There is nothing that suggests that the host we forward
credentials to will not have other interfaces, unassoicated with their
service name.  Likewise, the name may be a netbios, not DNS name.

This should avoid some nasty DNS lookups.

Andrew Bartlett
(This used to be commit da0ff19856)
2007-10-10 13:45:49 -05:00
Andrew Bartlett
1ab27b7fdf r11477: This seems really nasty, but as I understand it an attacker cannot
change this checksum, as it is inside the encrypted packets.

Where the client (such as Samba3) fakes up GSSAPI, allow it to
continue.  We can't rid the world of all Samba3 and similar clients...

Andrew Bartlett
(This used to be commit e60cdb63fb)
2007-10-10 13:45:42 -05:00
Andrew Bartlett
3b213ca9a3 r11469: Fix typo, and use the correct (RFC4120) session key for delegating
credentials.  This means we now delegate to windows correctly.

Andrew Bartlett
(This used to be commit d6928a3bf8)
2007-10-10 13:45:40 -05:00
Andrew Bartlett
cc0f3779b1 r11468: Merge a bit more of init_sec_context from Heimdal CVS into our
DCE_STYLE modified version, and add parametric options to control
delegation.

It turns out the only remaining issue is sending delegated credentials
to a windows server, probably due to the bug lha mentions in his blog
(using the wrong key).

If I turn delgation on in smbclient, but off in smbd, I can proxy a
cifs session.

I can't wait till Heimdal 0.8, so I'll see if I can figure out the fix
myself :-)

Andrew Bartlett
(This used to be commit fd5fd03570)
2007-10-10 13:45:40 -05:00
Andrew Bartlett
84c908d983 r11462: Fix the build: somehow I lost the header for this samba-specific hack.
Andrew Bartlett
(This used to be commit 0a41941189)
2007-10-10 13:45:39 -05:00
Andrew Bartlett
3b2a6997b4 r11452: Update Heimdal to current lorikeet, including removing the ccache side
of the gsskrb5_acquire_cred hack.

Add support for delegated credentials into the auth and credentials
subsystem, and specifically into gensec_gssapi.

Add the CIFS NTVFS handler as a consumer of delegated credentials,
when no user/domain/password is specified.

Andrew Bartlett
(This used to be commit 55b89899ad)
2007-10-10 13:45:38 -05:00
Volker Lendecke
0ea06b97c2 r11392: After confirmation from Love, fix a compiler warning
(This used to be commit a0b4036ba6)
2007-10-10 13:45:30 -05:00
Andrew Bartlett
1244a97dbe r11317: An ugly hack to setup the global gssapi_krb5_context early, when we
have easy access to the event context.

This stops Samba dead-locking against itself when the winbindd client
tries to contact the KDC.

Andrew Bartlett
(This used to be commit 57f811115e)
2007-10-10 13:45:19 -05:00
Andrew Bartlett
14a3abd559 r11314: Use a patch from lha to have the kerberos libs extract the PAC, rather
than doing ASN.1 parsing in Samba.

Also use the API function for getting a client from a ticket, rather
than just digging in the structure.

Andrew Bartlett
(This used to be commit 25d5ea6d72)
2007-10-10 13:45:18 -05:00
Andrew Bartlett
4dc5da1335 r11310: Free the 'if_relevent' portion of the PAC when we build it.
Andrew Bartlett
(This used to be commit ede638c00b)
2007-10-10 13:45:17 -05:00
Andrew Bartlett
4019064c5d r11294: Update Heimdal in Samba4 to lorikeet-heimdal (which is in turn updated
to CVS of 2005-10-24).

Andrew Bartlett
(This used to be commit 939d4f340f)
2007-10-10 13:45:15 -05:00
Andrew Bartlett
5a30cd8097 r10983: Another case were we want to avoid DNS for unqualified names.
Andrew Bartlett
(This used to be commit 1d7094b8df)
2007-10-10 13:39:50 -05:00
Andrew Bartlett
8407a1a866 r10561: This patch takes over KDC socket routines in Heimdal, and directs them
at the Samba4 socket layer.

The intention here is to ensure that other events may be processed while
heimdal is waiting on the KDC.  The interface is designed to be
sufficiently flexible, so that the plugin may choose how to time
communication with the KDC (ie multiple outstanding requests, looking
for a functional KDC).

I've hacked the socket layer out of cldap.c to handle this very
specific case of one udp packet and reply.  Likewise I also handle
TCP, stolen from the winbind code.

This same plugin system might also be useful for a self-contained
testing mode in Heimdal, in conjunction with libkdc.  I would suggest
using socket-wrapper instead however.

Andrew Bartlett
(This used to be commit 3b09f9e8f9)
2007-10-10 13:39:04 -05:00
Andrew Bartlett
3b7f8ddd9a r10398: Don't do DNS lookups on short names (no .).
Andrew Bartlett
(This used to be commit 77aca9619d)
2007-10-10 13:38:39 -05:00
Andrew Bartlett
c44efdaa22 r10386: Merge current lorikeet-heimdal into Samba4.
Andrew Bartlett
(This used to be commit 4d2a9a9bc4)
2007-10-10 13:38:38 -05:00
Andrew Bartlett
42f2519b50 r10382: In the absence of client support for the full KDC-side
canonicalisation code, I've hacked Heimdal to use the default realm if
no other realm can be determined for a given host.

Andrew Bartlett
(This used to be commit 0f0b0021b7)
2007-10-10 13:38:34 -05:00
Andrew Bartlett
f9263dd102 r10337: This grubby little hack is the implementation of a concept discussed
on the kerberos mailing lists a couple of weeks ago: Don't use DNS at
all for expanding short names into long names.

Using the 'override krb5_init_context' code already in the tree, this
removes the DNS lag on a kerberos session setup/connection.

Andrew Bartlett
(This used to be commit de3ceab3d0)
2007-10-10 13:38:29 -05:00
Andrew Bartlett
f3bce652c8 r10286: This patch is ugly and disgusting, but for now it works better than the other
ideas I have had.

When I get a full list of things I want to do to a krb5_context I'll
either add gsskrb5_ wrappers, or a way of speicfying the krb5 context
per gssapi context.

(I want to ensure that the only krb5_context variables created while
executing Samba4 are via our wrapper).

Andrew Bartlett
(This used to be commit 8a22d46e70)
2007-10-10 13:38:13 -05:00
Jelmer Vernooij
957d361cd1 r10191: Return the right error code in the case of a time skew. Windows will now
ignore Kerberos and fallback to NTLMSSP when joining. Thanks to Andrew Bartlett
for the assistence.
(This used to be commit 3b6bfbe8cf)
2007-10-10 13:38:07 -05:00
James Peach
0639375119 r10159: Dereference padsize before comparing to an int.
(This used to be commit 5767c05909)
2007-10-10 13:38:04 -05:00
Andrew Bartlett
5edbeca141 r10153: This patch adds a new parameter to gensec_sig_size(), the size of the
data to be signed/sealed.  We can use this to split the data from the
signature portion of the resultant wrapped packet.

This required merging the gsskrb5_wrap_size patch from
lorikeet-heimdal, and fixes AES encrption issues on DCE/RPC (we no
longer use a static 45 byte value).

This fixes one of the krb5 issues in my list.

Andrew Bartlett
(This used to be commit e4f2afc343)
2007-10-10 13:38:04 -05:00
Andrew Bartlett
cfdcc32f84 r10149: Update Samba4 to current lorikeet-heimdal.
Andrew Bartlett
(This used to be commit b9695d5e7c)
2007-10-10 13:38:03 -05:00
Andrew Bartlett
6a74a83151 r10072: Fix mismerge weridness in error handling.
Andrew Bartlett
(This used to be commit c17926b6fe)
2007-10-10 13:36:34 -05:00
Andrew Bartlett
1f2f470889 r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.

Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.

I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal.  It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging.  (metze assures me it still has memory leak problems, but
I've started to address some of that).

This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.

On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC.  Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.

One thing doesn't work with this patch:
 - the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken.  I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.

Andrew Bartlett
(This used to be commit a3aba57c00)
2007-10-10 13:36:33 -05:00
Andrew Bartlett
6b14ffe271 r10035: This patch removes the need for the special case hack
'MEMORY_WILDCARD' keytab type. (part of this checking is in effect a
merge from lorikeet-heimdal, where I removed this)

This is achieved by correctly using the GSSAPI gsskrb5_acquire_cred()
function, as this allows us to specify the target principal, regardless
of which alias the client may use.

This patch also tries to simplify some principal handling and fixes some
error cases.

Posted to samba-technical, reviewed by metze, and looked over by lha on IRC.

Andrew Bartlett
(This used to be commit 506a7b67ae)
2007-10-10 13:36:31 -05:00
Andrew Bartlett
52d9dbe75c r10022: Merge tpot's fix for IRIX and AIX_rea build problems from lorikeet-heimdal
to Samba4.

Andrew Bartlett
(This used to be commit 6835e42790)
2007-10-10 13:36:30 -05:00
Andrew Bartlett
ad14812b8f r9931: Make use of new 'norealm' parsing functions rather than strchr(p '@').
Merge these norealm functions from lorikeet-heimdal.

Andrew Bartlett
(This used to be commit 6aef275efd)
2007-10-10 13:36:23 -05:00
Andrew Bartlett
92a652c2a4 r9877: Merge from lorikeet-heimdal, to try and fix build failures.
Andrew Bartlett
(This used to be commit 53f2bf3b91)
2007-10-10 13:36:19 -05:00
Andrew Bartlett
1478781603 r9859: Enable (blocking) KDC resolution with DNS.
To enable, set:

[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true

in your /etc/krb5.conf.

In the future I may override the krb5.conf and set this on by default
in Samba4.

Andrew Bartlett
(This used to be commit 32fb50d025)
2007-10-10 13:36:18 -05:00
Andrew Bartlett
3c265c7986 r9696: Update prototypes for new name of short parsing function.
Andrew Bartlett
(This used to be commit cc35cd5ee2)
2007-10-10 13:34:42 -05:00
Andrew Bartlett
08730652fb r9680: Update Heimdal to current lorikeet-heimdal (which was itself updated
to Heimdal CVS as of 2005-08-27).

Andrew Bartlett
(This used to be commit 913924a499)
2007-10-10 13:34:39 -05:00
Andrew Tridgell
b8f4e0796d r9648: this fixes the krb5 based login with the pac. The key to this whole saga was
that the logon_time field in the pac must match the authtime field in the ticket we
gave the client in the AS-REP (and thus also the authtime field in the ticket we get
back in the TGS-REQ).

Many thanks to Andrew Bartlett for his patience in showing me the
basic ropes of all this code! This was a joint effort.
(This used to be commit 7bee374b3f)
2007-10-10 13:34:37 -05:00
Andrew Bartlett
55f5453bc8 r9413: Bring Samba4 back up to date with lorikeet-heimdal.
Delete test_crypto_wrapping.c, previously included but unbuilt.

Andrew Bartlett
(This used to be commit d5fb30fb0c)
2007-10-10 13:33:35 -05:00