Joseph Sutton
45ff2b3236
CVE-2020-25719 s4:kdc: Add KDC support for PAC_REQUESTER_SID PAC buffer
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:45 +01:00
Andrew Bartlett
b8a81c0635
CVE-2020-25718 kdc: Confirm the RODC was allowed to issue a particular ticket
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-08 10:46:45 +01:00
Andrew Bartlett
649c9d1577
CVE-2020-25718 kdc: Remove unused samba_kdc_get_pac_blob()
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-08 10:46:45 +01:00
Joseph Sutton
30fb296a38
CVE-2020-25719 s4:kdc: Add KDC support for PAC_ATTRIBUTES_INFO PAC buffer
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:45 +01:00
Andreas Schneider
36a1c87654
CVE-2020-25719 s4:kdc: Add samba_kdc_validate_pac_blob()
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-08 10:46:45 +01:00
Joseph Sutton
8048b6fe8c
s4:kdc: Simplify samba_kdc_update_pac_blob() to take ldb_context as parameter
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7149eeaceb426470b1b8181749d2d081c2fb83a4)
2021-10-26 12:00:27 +00:00
Stefan Metzmacher
a5f803e9e9
s4:kdc: pass krbtgt and server to samba_kdc_update_pac_blob()
...
This will be used for SID expanding and filtering.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-19 20:30:52 +01:00
Stefan Metzmacher
54d32c262b
s4:kdc: provide a PAC_UPN_DNS_INFO element for logons
...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-22 23:34:22 +02:00
Stefan Metzmacher
af4dc22314
s4:kdc: provide a PAC_CREDENTIAL_INFO element for PKINIT logons
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-22 23:34:21 +02:00
Günther Deschner
a7705ad060
s4-kdc: move kdc_check_pac() to a new subsystem KDC-GLUE.
...
This subsystem should be used to provide shared code between the s4 heimdal kdc
and the s4 heimdal wdc plugin.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-21 19:04:14 +02:00
Günther Deschner
38e5d8d4aa
s4-kdc/pac_glue: remove old samba_kdc_build_edata_reply().
...
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-21 19:04:14 +02:00
Günther Deschner
714862defd
s4-kdc: pass down only a samba_kdc_entry to samba_krbtgt_is_in_db().
...
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-03-27 01:26:16 +01:00
Günther Deschner
0501db1a67
s4-kdc: pass down only a samba_kdc_entry to samba_kdc_get_pac_blob().
...
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-03-27 01:26:16 +01:00
Günther Deschner
78c0cf292b
s4-kdc: pass down only a samba_kdc_entry to samba_princ_needs_pac().
...
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-03-27 01:26:16 +01:00
Andrew Bartlett
49f8113fab
s4-kdc Do the KDC PAC checksum validation in the Samba plugin
...
Here we can fetch the right key, and check if the PAC is likely to be signed by a key that
we know. We cannot check the KDC signature on incoming trusts.
Andrew Bartlett
2012-01-12 18:02:54 +11:00
Stefan Metzmacher
73b1e1466c
s4:kdc: generate the S4U_DELEGATION_INFO in the regenerated pac
...
metze
2011-06-28 19:23:43 +02:00
Andrew Bartlett
990720b8cd
s4-kdc Add function to determine if a hdb entry is a RODC
...
This is important, as we must ignore the PAC from an RODC.
Andrew Bartlett
2010-09-29 04:23:07 +10:00
Jelmer Vernooij
b8268cf7b0
s3: Remove use of iconv_convenience.
2010-05-18 11:45:31 +02:00
Simo Sorce
489f78d19e
s4:kdc make function static
2010-02-25 13:01:14 -05:00
Simo Sorce
b116d4e5b9
s4:kdc Streamline client access verification call
...
Move the core to pac-glue so that other plugins can use it.
2010-01-31 13:25:17 -05:00
Simo Sorce
1f2e9e90bd
s4:PAC make common functions public
2010-01-27 14:03:06 -05:00
Simo Sorce
4c548048c5
s4:kdc Simplify header files
2010-01-22 11:16:24 -05:00
Simo Sorce
67d1af4384
s4:cleanups More trailing spaces and tabs
2009-12-23 15:17:56 -05:00
Andrew Bartlett
47a7a2e442
s4:kerberos Add 'net export keytab' command for wireshark decryption
...
It is much easier to do decryption with wireshark when the keytab is
available for every host in the domain. Running 'net export keytab
<keytab name>' will export the current (as pointed to by the supplied
smb.conf) local Samba4 domain.
(This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4,
and so has a good chance of keeping working in the long term).
Andrew Bartlett
2009-07-28 08:52:43 +10:00