IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
These don't use any krb5_context related functions and they just
work on secrets.tdb, so they really belong to machine_account_secrets.c.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
The handling for per encryption type salts was removed in
Samba 3.0.23a (Jul 21, 2006). It's very unlikely that someone
has such an installation that got constantly upgraded over 10 years
with an automatic password change nor rejoin. It also means
that the KDC only has salt-less arcfour-hmac-md5 key together
with the salted des keys. So there would only be a problem
if the client whould try to use a des key to contact the smb server.
Having this legacy code adds quite some complexity for no
good reason.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Before this change, it would always possibly choose another server at
random despite later using the original principal when it got back to
the connection initialization in the the winbind connection manager.
This caused bizarre authentication failures.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pass down request flags and check they are respected with the response
flags. Otherwise, error out and pretend the connection never happened.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Prepare for rebasing libads on top of libsmbldap.
To make libads using 'struct smbldap_state' instead of direct LDAP
structure, we need to abstract out libads logic from connection
handling. SASL wrapping does not really depend on availability of LDAP
handle and does not need direct access to ADS_STRUCT. As result, we'll
be able to move SASL wrapping code under smbldap once the latter is able
to pass settings that libads passes to the SASL wrapping.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
In ntlm_auth.c and authdata.c, the session info will be incomplete
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
There is no way we can get a better error code out of this. The original
function called was krb5_get_init_creds_opt_get_error() which has been
deprecated in 2008.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
ldap_search_ext_s manpage states:
Note that res parameter of ldap_search_ext_s should be freed with
ldap_msgfree() regardless of return value of these functions.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Mar 8 14:59:35 CET 2017 on sn-devel-144
Heimdal and all supported versions of MIT krb5 prove gss_krb5_import_cred(),
so we don't need an #ifdef here.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Mar 6 11:44:54 CET 2017 on sn-devel-144
Any fallbacks to other authentication methods should be logged.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
The system /etc/krb5.conf defines some defaults like:
default_ccache_name = KEYRING:persistent:%{uid}
We need to respect that so should include it in our own created
krb5.conf file.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12441
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
This allows to authenticate using user@DOMAIN against an AD DC.
https://bugzilla.samba.org/show_bug.cgi?id=12457
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Dec 2 00:23:02 CET 2016 on sn-devel-144
Analysis by: Rebecca Gellman <rebecca@starfleet-net.co.uk>
Ignore cldap_socket_init() failure when sending
multiple cldap netlogon requests. Allow cldap_netlogon_send()
to catch the bad address and correctly return through a
tevent subreq.
Make sure cldap_search_send() copes with cldap parameter == NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12381
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Oct 18 02:16:20 CEST 2016 on sn-devel-144
Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Oct 13 00:35:21 CEST 2016 on sn-devel-144
Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Sep 1 00:43:51 CEST 2016 on sn-devel-144
This also removes the asn1util dependency from krb5_wrap and moves it to
libads which is the only user.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
When creating the custom krb.conf file, list etypes
according to kerberos encryption types
Also use proper directives for heimdal (heimdal recognizes
the MIT etype directives, but does not act upon them)
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
When doing spnego sasl bind:
1. Try working without kinit only if a password is not
provided
2. When using kinit, ensure the KRB5CCNAME env var is set
to a private memory ccache, so that the bind is on behalf
of the requested user.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jul 12 03:23:33 CEST 2016 on sn-devel-144
When doing gssapi sasl bind:
1. Try working without kinit only if a password is not
provided
2. When using kinit, ensure the KRB5CCNAME env var is set
to a private memory ccache, so that the bind is on behalf
of the requested user.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12006
Signed-off-by: Uri Simchoni <uri@samba.org>
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Ensure we don't crash in this case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11959
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Thu Jun 9 13:18:56 CEST 2016 on sn-devel-144
ENCTYPE_NULL is defined by the RFC and used by MIT Kerberos. Heimdal
also provides ENCTYPE_NULL.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Apr 26 22:47:19 CEST 2016 on sn-devel-144
Unused in this commit, the next commit will use it to avoid deleting
keys with the same kvno but a different enctype.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>