IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
These don't use any krb5_context related functions and they just
work on secrets.tdb, so they really belong to machine_account_secrets.c.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
The handling for per encryption type salts was removed in
Samba 3.0.23a (Jul 21, 2006). It's very unlikely that someone
has such an installation that got constantly upgraded over 10 years
with an automatic password change nor rejoin. It also means
that the KDC only has salt-less arcfour-hmac-md5 key together
with the salted des keys. So there would only be a problem
if the client whould try to use a des key to contact the smb server.
Having this legacy code adds quite some complexity for no
good reason.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
There is no way we can get a better error code out of this. The original
function called was krb5_get_init_creds_opt_get_error() which has been
deprecated in 2008.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
The system /etc/krb5.conf defines some defaults like:
default_ccache_name = KEYRING:persistent:%{uid}
We need to respect that so should include it in our own created
krb5.conf file.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12441
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
This allows to authenticate using user@DOMAIN against an AD DC.
https://bugzilla.samba.org/show_bug.cgi?id=12457
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Dec 2 00:23:02 CET 2016 on sn-devel-144
This also removes the asn1util dependency from krb5_wrap and moves it to
libads which is the only user.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
When creating the custom krb.conf file, list etypes
according to kerberos encryption types
Also use proper directives for heimdal (heimdal recognizes
the MIT etype directives, but does not act upon them)
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This is a preparation to move smb_krb5_kt_add_entry() to krb5_wrap.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Without this fix, for accounts with an expired password, a password change
process is initiated and - due to the prompter - this fails with a confusing
error message:
"kerberos_kinit_password Administrator@W2K12DOM.BER.REDHAT.COM failed: Password
mismatch
Failed to join domain: failed to connect to AD: Password mismatch"
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
We also verified that we cannot simply remove the prompter as several older
versions of Heimdal would crash.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Oct 2 07:29:43 CEST 2015 on sn-devel-104
Thanks to "L.P.H. van Belle" <belle@bazuin.nl>
for help in reproducing the issue.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11038
From the bug report:
"With e551cdb37d re-applied the problem is gone with
and without kerberos. Moreover, if correctly configured,
sshd requests you to change your password at logon time,
which then succeeds.
The problem why I had this reverted was because I had not
gone through the pain to correctly configure all the PAM
services (in particular the "account" section), leading
to sshd letting the user in when the password had to be
changed."
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit e551cdb37d)
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Oct 2 00:16:29 CEST 2015 on sn-devel-104
This reverts commit e551cdb37d.
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Sep 1 20:47:50 CEST 2015 on sn-devel-104
Thanks to "L.P.H. van Belle" <belle@bazuin.nl>
for help in reproducing the issue.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11038
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Aug 28 22:03:31 CEST 2015 on sn-devel-104
This patch sets dns_lookup_realm=false in samba-generated krb5.conf.
Disabling dns_lookup_realm in krb5.conf is the recommended practice for
Kerberos usage in Active Directory environment. dns_lookup_realm is enabled
by default, at least in Heimdal.
When used by samba, Kerberos libraries operate based on either the system
krb5.conf, or a private krb5.conf generated specifically for the domain by
samba code. In the former case, it's the responsibility of the administrator
to set dns_lookup_realm=false. In the latter case, it's the responsibility
of samba - which is what this patch does.
In many usage scenarios the value of this variable is of no consequence
since samba knows the realm in which it is operating, and knows how to
generate service principal names. However, there are some scenarios
in which samba calls kerberos_get_principal_from_service_hostname(),
and here samba consults the Kerberos libraries and this parameter comes
into play. One primary example is cli_full_connection() function.
Not setting dns_lookup_realm leads to a series of DNS TXT record lookups.
This can be observed by running "net ads join -k -U <user>".
In AD environments, the TXT queries typically fail quickly, but test setups
or misconfigured DNS may lead to large timeouts (for example, if the domain
is dept.example.com but there's no parent example.com domain and no DNS
zones for example.com). At the very least we want to avoid those lookups
because they are hardly documented and lead to confusion.
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
When creating a custom krb.conf file for a domain, make sure
that the DC which already answered the ldap ping is not queried
again, and is always first in the custom KDC list. This has two
advantages:
1. Avoid re-sending an ldap ping to this server
2. The generated list is made up of the servers that answered
first. Since the DC which already answered an LDAP ping
is typically the "last good server", this change keeps it
out of the contest and guarantees that we keep using last
good server as long as it works.
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Move the kerberos port number definition to a header file, so that
it can be used by DNS code.
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
In case of multiple KDCs, the automatically-generated
domain-specific kerberos configuration file lists all the
KDCs it can find, but the indentation of additional KDCs
is not aligned with that of the first KDC.
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Older MIT Kerberos libraries will add any secondary ipv6 address as
ipv4 address, defining the (default) krb5 port 88 circumvents that.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Apr 4 16:33:12 CEST 2014 on sn-devel-104
Just calling print_canonical_sockaddr() is sufficient, as it already deals with
ipv6 as well. The port handling, which was only done for IPv6 (not IPv4), is
removed as well. It was pointless because it always derived the port number from
the provided address which was either a SMB (usually port 445) or LDAP
connection. No KDC will ever run on port 389 or 445 on a Windows/Samba DC.
Finally, the kerberos libraries that we support and build with, can deal with
ipv6 addresses in krb5.conf, so we no longer put the (unnecessary) burden of
resolving the DC name on the kerberos library anymore.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Aug 5 12:24:44 CEST 2013 on sn-devel-104
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Wed Mar 6 01:16:34 CET 2013 on sn-devel-104
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Nov 5 03:33:32 CET 2012 on sn-devel-104
This is now used in the GSE GSSAPI client, so that when we connect to
a target server at the CIFS level, we use the same name to connect
at the DCE/RPC level.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Some Kerberos libraries don't do proper failover. This fixes the situation
where a KDC exists in DNS but is not reachable for some reason.
Ported to master by Stefan Metzmacher <metze@samba.org>
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Oct 17 11:25:37 CEST 2011 on sn-devel-104
No code change except for an early "return talloc_asprintf(..)" making an else
branch obsolete.
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Mon Sep 26 18:24:25 CEST 2011 on sn-devel-104
