1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

22 Commits

Author SHA1 Message Date
Andrew Tridgell
0479a2f1cb r23792: convert Samba4 to GPLv3
There are still a few tidyups of old FSF addresses to come (in both s3
and s4). More commits soon.
(This used to be commit fcf38a38ac)
2007-10-10 14:59:12 -05:00
Andrew Bartlett
08976cb3d2 r20639: Commit part 1 of 2.
This patch updates our build system and glue to support a new snapshot
of lorikeet-heimdal.

We now procude a [SUBSYTEM] in the ans1_deps.pl script, and can depend
on that in the heimdal_build/config.mk.  This is much easier than
listing every generated .o file individually.

This required some small changes to the build system, due to the way
the parent directory was handled for the output of scripts.  I've also
cleaned up et_deps.pl to handle cleaning up it's generated files on
clean.

The PAC glue in Heimdal has changed significantly: we no longer have a
custom hack in the KDC, instead we have the windc plugin interface.
As such, pac-glue.c is much smaller.  In the future, when I'm
confident of the new code, we will also be able to 'downsize'
auth/kerberos/kerberos_pac.c.

(I'll include the updated copy of heimdal in the next chekin, to make
it clearer what's changed in Samba4 itself).

Andrew Bartlett
(This used to be commit 75fddbbc08)
2007-10-10 14:37:20 -05:00
Stefan Metzmacher
c779270116 r19664: fix compiler warnings...
should _krb5_find_type_in_ad() also take a const?

metze
(This used to be commit addc31bd93)
2007-10-10 14:25:27 -05:00
Andrew Bartlett
3c1e780ec7 r19604: This is a massive commit, and I appologise in advance for it's size.
This merges Samba4 with lorikeet-heimdal, which itself has been
tracking Heimdal CVS for the past couple of weeks.

This is such a big change because Heimdal reorganised it's internal
structures, with the mechglue merge, and because many of our 'wishes' have been granted:  we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code.  We have adapted to upstream's choice of API in these cases.

In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO
PAC.  This matches windows behavour.  We also have an option to
require the PAC to be present (which allows us to automate the testing
of this code).

This also includes a restructure of how the kerberos dependencies are
handled, due to the fallout of the merge.

Andrew Bartlett
(This used to be commit 4826f17351)
2007-10-10 14:25:03 -05:00
Jelmer Vernooij
0329d755a7 r17930: Merge noinclude branch:
* Move dlinklist.h, smb.h to subsystem-specific directories
 * Clean up ads.h and move what is left of it to dsdb/
   (only place where it's used)
(This used to be commit f7afa1cb77)
2007-10-10 14:16:54 -05:00
Simo Sorce
a23b63a8e5 r17516: Change helper function names to make more clear what they are meant to do
(This used to be commit ad75cf8695)
2007-10-10 14:15:31 -05:00
Andrew Bartlett
bc4156e6e2 r14203: Include less private heimdal headers.
Andrew Bartlett
(This used to be commit ce80425f6d)
2007-10-10 13:57:00 -05:00
Jelmer Vernooij
4ac2be9958 r13924: Split more prototypes out of include/proto.h + initial work on header
file dependencies
(This used to be commit 1228358767)
2007-10-10 13:52:24 -05:00
Andrew Bartlett
4a56399798 r12383: Fixes for Apple's AD client. Don't segfualt in the KDC, and they
require the isSynchronized flag in the rootDSE.

Andrew Bartlett
(This used to be commit e48464c884)
2007-10-10 13:47:33 -05:00
Andrew Bartlett
fbf106f670 r12269: Update to current lorikeet-heimdal. This changed the way the hdb
interface worked, so hdb-ldb.c and the glue have been updated.

Andrew Bartlett
(This used to be commit 8fd5224c6b)
2007-10-10 13:47:26 -05:00
Andrew Bartlett
172a8b477e r12179: Allow our KDC to use LDAP to get to the backend database.
To avoid a circular depenency, it is not allowed to use Krb5 as an
authentication mechanism, so this must be removed from the list.  An
extension to the credentials system allows this function.

Also remove proto.h use for any of the KDC, and use NTSTATUS returns
in more places.

Andrew Bartlett
(This used to be commit 5f9dddd02c)
2007-10-10 13:47:16 -05:00
Andrew Bartlett
ef9ec9583d r11930: Add socket/packet handling code for kpasswdd
Allow ticket requests with only a netbios name to be considered 'null'
addresses, and therefore allowed by default.

Use the netbios address as the workstation name for the allowed
workstations check with krb5.

Andrew Bartlett
(This used to be commit 328fa186f2)
2007-10-10 13:46:48 -05:00
Andrew Bartlett
918c7634c2 r11543: A major upgrade to our KDC and PAC handling.
We now put the PAC in the AS-REP, so that the client has it in the
TGT.  We then validate it (and re-sign it) on a TGS-REQ, ie when the
client wants a ticket.

This should also allow us to interop with windows KDCs.

If we get an invalid PAC at the TGS stage, we just drop it.

I'm slowly trying to move the application logic out of hdb-ldb.c, and
back in with the rest of Samba's auth system, for consistancy.  This
continues that trend.

Andrew Bartlett
(This used to be commit 36973b1eef)
2007-10-10 13:45:52 -05:00
Andrew Bartlett
6efaf588a9 r11321: Fix typos in warnings.
Andrew Bartlett
(This used to be commit 81f020d3a4)
2007-10-10 13:45:19 -05:00
Andrew Bartlett
db4b95827e r11270: Move the core CrackNames code from rpc_server/drsuapi to dsdb/samdb.
I'm sure this will not be the final resting place, but it will do for
now.

Use the cracknames code in auth/ for creating a server_info given a
principal name only (should avoid assumtions about spliting a
user@realm principal).

Andrew Bartlett
(This used to be commit c9d5d8e45d)
2007-10-10 13:45:11 -05:00
Andrew Bartlett
1f2f470889 r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.

Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.

I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal.  It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging.  (metze assures me it still has memory leak problems, but
I've started to address some of that).

This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.

On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC.  Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.

One thing doesn't work with this patch:
 - the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken.  I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.

Andrew Bartlett
(This used to be commit a3aba57c00)
2007-10-10 13:36:33 -05:00
Andrew Tridgell
b8f4e0796d r9648: this fixes the krb5 based login with the pac. The key to this whole saga was
that the logon_time field in the pac must match the authtime field in the ticket we
gave the client in the AS-REP (and thus also the authtime field in the ticket we get
back in the TGS-REQ).

Many thanks to Andrew Bartlett for his patience in showing me the
basic ropes of all this code! This was a joint effort.
(This used to be commit 7bee374b3f)
2007-10-10 13:34:37 -05:00
Andrew Bartlett
8db8279730 r9084: 'resign' the sample PAC for the validation of the signature algorithms.
If we ever get problems with the kerberos code, it should show up as a
different signature in this PAC.

This involved returning more data from the pac functions, so changed
some callers and split up some functions.

Andrew Bartlett
(This used to be commit d514a74912)
2007-10-10 13:31:15 -05:00
Andrew Bartlett
dbd2688c90 r8110: More PAC work. I still can't get WinXP to accept the PAC, but we are
much closer.

This changes PIDL to allow a subcontext to have a pad8 flag, saying to
pad behind to an 8 byte boundary.  This is the only way I can explain
the 4 trainling zeros in the signature struct.

Far more importantly, the PAC code is now under self-test, both in
creating/parsing our own PAC, but also a PAC from my win2k3 server.
This required changing auth_anonymous, because I wanted to reuse the
anonymous 'server_info' generation code.

I'm still having trouble with PIDL, particulary as surrounds value(),
but I'll follow up on the list.

Andrew Bartlett
(This used to be commit 50a54bf4e9)
2007-10-10 13:19:09 -05:00
Andrew Bartlett
44f2d34bd3 r8013: Remember to add the header containing the prototype for the pac
generating function...

Andrew Bartlett
(This used to be commit 707cf5fba8)
2007-10-10 13:18:59 -05:00
Andrew Bartlett
ddffc922df r8001: Also fill in the krbtgt checksum, and make sure to put the right
checksum in the right place...

Andrew Bartlett
(This used to be commit 90d0f502da)
2007-10-10 13:18:57 -05:00
Andrew Bartlett
9a7481bcfe r7993: Further work on the Krb5 PAC.
We now generate the PAC, and can verifiy both our own PAC and the PAC
from Win2k3.

This commit adds the PAC generation code, spits out the code to get
the information we need from the NETLOGON server back into a auth/
helper function, and adds a number of glue functions.

In the process of building the PAC generation code, some hints in the
Microsoft PAC specification shed light on other parts of the code, and
the updates to samr.idl and netlogon.idl come from those hints.

Also in this commit:

The Heimdal build package has been split up, so as to only link the
KDC with smbd, not the client utils.

To enable the PAC to be veified with gensec_krb5 (which isn't quite
dead yet), the keyblock has been passed back to the calling layer.

Andrew Bartlett
(This used to be commit e2015671c2)
2007-10-10 13:18:57 -05:00