sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-12 09:18:10 +03:00
Code
103,590 Commits 60 Branches 1,145 Tags 452 MiB
a5efb21a53
Commit Graph

635 Commits

Author SHA1 Message Date
Stefan Metzmacher
a5efb21a53 s4:kdc: use "msDS-UserPasswordExpiryTimeComputed" instead of samdb_result_force_password_change() 
The logic in samdb_result_force_password_change() is incomplete
and the correct logic is already available via the constructed
"msDS-UserPasswordExpiryTimeComputed" attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-06-30 03:30:23 +02:00
Stefan Metzmacher
92141c6b03 s4:kdc: add some const to samba_get_logon_info_pac_blob() 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-06-30 03:30:23 +02:00
Andreas Schneider
3de3f643a8 s4-kdc: Move KDC packet handling functions to kdc-server.c 
Create an Kerberos implmentation independent KDC-SERVER subsystem so we
can use it to implement a kpasswd server with MIT Kerberos in future.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Jun 19 03:31:32 CEST 2016 on sn-devel-144
 2016-06-19 03:31:32 +02:00
Andreas Schneider
3da8932e4c s4-kdc: Create a kdc-proxy.h header file 
This makes the it Kerberos implmentation independent.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2016-06-18 23:32:27 +02:00
Andreas Schneider
379ed08754 s4-kdc: Rename proxy-heimdal.c to kdc-proxy.c 
The plan is to have a KDC-SERVER subsystem later.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2016-06-18 23:32:26 +02:00
Andreas Schneider
dc350a349a s4-kdc: Move KDC socket structs to krb5-server.h 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2016-06-18 23:32:26 +02:00
Andreas Schneider
f110662310 s4-kdc: Move kdc_process_fn_t declaration to kdc-server.h 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2016-06-18 23:32:26 +02:00
Andreas Schneider
13661b6fb0 s4-kdc: Move definitions to kdc-server.h 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2016-06-18 23:32:26 +02:00
Andreas Schneider
cafd2d365a s4-kdc: Use better and simpler names for the kdc_process_ret enum 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2016-06-18 23:32:26 +02:00
Andreas Schneider
0314796113 s4-kdc: Put the heimdal kdc config into a private data pointer 
This allows us to make the struct general useable.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2016-06-18 23:32:26 +02:00
Andreas Schneider
5ddfe5ecd3 s4-kdc: Use smb_krb5_mk_error() in kpasswd implementation 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2016-06-18 23:32:26 +02:00
Andreas Schneider
c5a02e81ea s4-kdc: Use smb_krb5_mk_error() in kdc implemenation 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2016-06-18 23:32:26 +02:00
Andreas Schneider
de88bfc770 s4-kdc: Rename heimdal KDC files 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2016-06-18 23:32:26 +02:00
Andreas Schneider
4aab5ba2ce mit_samba: Allow to use SPNs for AS-REQ 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Thu Jun  2 16:35:35 CEST 2016 on sn-devel-144
 2016-06-02 16:35:35 +02:00
Andreas Schneider
8267b2e186 mit_samba: Fix flags that we get a referral tickets 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-06-02 12:48:13 +02:00
Andreas Schneider
7019103bab mit_samba: Return 0 in case of a wrong realm 
The MIT KDC will deal with this correctly for us.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-06-02 12:48:13 +02:00
Andreas Schneider
7a1fd661b0 sdb: Do not create kmod information if we return early 
In case of a wrong realm in a cross forest trust we return early with
just the realm corrected. We need to parse a kdb entry but do not have
all information available. So skip creating the kmod.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-06-02 12:48:13 +02:00
Andreas Schneider
00267c9565 sdb: Fix NULL pointer deference if we return early 
If we return because of a wrong realm in a cross forest trust case, we
do not have a skdc_entry allocated.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-06-02 12:48:13 +02:00
Andreas Schneider
3d6e18f210 kdb: Do not allocate memory with size 0 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-06-02 12:48:13 +02:00
Andreas Schneider
84c4b91fc6 sdb: Do not set disallow if we do not have ticket info in the DB 
These things are applied by the incoming ticket by the KDC.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-06-02 12:48:13 +02:00
Ralph Boehme
3116e8d3be s4: add a minimal ktutil for selftest 
This minimalistic version of ktutil dumps all principal names and
encryption types from a keytab, eg:

./bin/samba4ktutil test.keytab
ktpassuser@HILLHOUSE.SITE (arcfour-hmac-md5)
ktpassuser@HILLHOUSE.SITE (aes256-cts-hmac-sha1-96)
ktpassuser@HILLHOUSE.SITE (aes128-cts-hmac-sha1-96)
ktpassuser@HILLHOUSE.SITE (des-cbc-md5)
ktpassuser@HILLHOUSE.SITE (des-cbc-crc)

This is all we need to run some tests against keytabs exported with
`samba-tool domain exportkeytab`.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2016-04-25 10:35:14 +02:00
Andreas Schneider
abfa8e335c mit-kdb: Add missing SDB_F_FOR_AS_REQ for AS requests 
This correctly handles enterprise principals and ticket renewal.

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 17 07:57:49 CET 2016 on sn-devel-144
 2016-03-17 07:57:49 +01:00
Andreas Schneider
859c625c82 mit-kdb: Fix segfault in krb5kdc dereferencing an invalid pointer 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:29 +01:00
Andreas Schneider
bb72aec13f mit-kdb: Add support for KDB version 8 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:29 +01:00
Andreas Schneider
b0f2165901 mit-kdb: Add support for bad password count 
This fixes the samba4.ldap.password_lockout.python test.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:29 +01:00
Günther Deschner
05cc9b0af9 mit-kdb: Restrict admin/changepw principal db_entry with some flags 
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:29 +01:00
Günther Deschner
b76cf191d9 mit-kdb: Return 0 in kdb_samba_db_put_principal() 
This allows the kadmin server to assume an update of a db_entry has
succeeded (while in fact the update_pwd call did the update already).

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:29 +01:00
Andreas Schneider
5a6819dbee mit-kdb: Implement KDB function to change passwords 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:29 +01:00
Günther Deschner
f5e86db147 mit-kdb: Use calloc to initialize master keylists. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:29 +01:00
Andreas Schneider
fab9fe0177 mit-kdb: Add ks_get_admin_principal() and use it for kadmin users. 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:29 +01:00
Andreas Schneider
5a4e3adbda mit-kdb: Add ks_create_principal(). 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:29 +01:00
Andreas Schneider
742b4c3da8 mit-kdb: Do not allow to get a kadmin ticket as a client. 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:28 +01:00
Andreas Schneider
e13e9c54f5 mit-kdb: Add more ks_is_kadmin* functions. 
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:28 +01:00
Günther Deschner
d787d35d97 mit-kdb: Use calloc so both authdata elements are zeroed 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:28 +01:00
Günther Deschner
1b6a085b7f mit-kdb: Do not overwrite the error code in failure case. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:28 +01:00
Andreas Schneider
ade958e20b mit-kdb: Add initial MIT KDB Samba driver 
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Simo Sorce <idra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Simo Sorce <idra@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:28 +01:00
Andreas Schneider
4865867f59 mit_samba: Setup logging to stdout 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:28 +01:00
Andreas Schneider
23c249a88b mit_samba: Add function for handling bad password count 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:28 +01:00
Andreas Schneider
9734b5d9ed mit_samba: Add functions to generate random password and salt. 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:28 +01:00
Andreas Schneider
909e7f9ff6 mit_samba: Add function to change the password 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:28 +01:00
Andreas Schneider
77cec013c3 mit_samba: Add ks_is_tgs_principal() 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:28 +01:00
Günther Deschner
859a6fba0b mit_samba: Use talloc_zero in mit_samba_context_init(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:28 +01:00
Andreas Schneider
597772dbd2 mit_samba: Directly pass the principal and kflags 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:28 +01:00
Andreas Schneider
33fcc76aa7 mit_samba: Make mit_samba a shim layer between Samba and KDB 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:27 +01:00
Günther Deschner
209d4b5b28 mit_samba: Use sdb in the mit_samba plugin 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:27 +01:00
Günther Deschner
6825a61b0b s4-kdc: Introduce a simple sdb_kdb shim layer 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2016-03-17 04:32:27 +01:00
Jelmer Vernooij
773cfba9af Avoid including libds/common/roles.h in public loadparm.h header. 
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-By: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Stefan Metzmacher <metze@samba.org>
 2016-01-13 04:43:23 +01:00
Douglas Bagnall
795f4729ca auth: keep track of lastLogon and lastLogonTimestamp 
lastLogon is supposed to be updated for every interactive or kerberos
login, and (according to testing against Windows2012r2) when the bad
password count is non-zero but the lockout time is zero. It is not
replicated.

lastLogonTimestamp is updated if the old value is more than 14 -
random.choice([0, 1, 2, 3, 4, 5]) days old, and it is replicated. The
14 in this calculation is the default, stored as
"msDS-LogonTimeSyncInterval", which we offer no interface for
changing.

The authsam_zero_bad_pwd_count() function is a convenient place to
update these values, as it is called upon a successful logon however
that logon is performed. That makes the function's name inaccurate, so
we rename it authsam_logon_success_accounting(). It also needs to be
told whet5her the login is interactive.

The password_lockout tests are extended to test lastLogon and
lasLogonTimestamp.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
 2015-12-15 00:08:57 +01:00
Andreas Schneider
78075cfcda waf: Add talloc as a dependency 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Aug  5 04:08:30 CEST 2015 on sn-devel-104
 2015-08-05 04:08:30 +02:00
Andreas Schneider
38d7617802 sdb: Assert if the HDB flags will change 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2015-08-05 01:05:15 +02:00