1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

125 Commits

Author SHA1 Message Date
Andrew Bartlett
c85779b3b5 r12036: Fix more KDC memory leaks (and there are probably still more...).
Andrew Bartlett
(This used to be commit 0c4ea6f641)
2007-10-10 13:47:01 -05:00
Andrew Bartlett
925c95ac9e r12035: Fix memory leaks in the KDC.
Andrew Bartlett
(This used to be commit b60531b109)
2007-10-10 13:47:01 -05:00
Andrew Bartlett
36b21c951d r11987: Clarify the accountExpires behaviour in the KDC.
Andrew Bartlett
(This used to be commit 05334e98fb)
2007-10-10 13:46:55 -05:00
Tim Potter
b9b59fa798 r11968: More warning fixes. We're on track to getting to double digits for
the number of warnings generated now.
(This used to be commit d479f2d760)
2007-10-10 13:46:52 -05:00
Andrew Bartlett
ef9ec9583d r11930: Add socket/packet handling code for kpasswdd
Allow ticket requests with only a netbios name to be considered 'null'
addresses, and therefore allowed by default.

Use the netbios address as the workstation name for the allowed
workstations check with krb5.

Andrew Bartlett
(This used to be commit 328fa186f2)
2007-10-10 13:46:48 -05:00
Andrew Tridgell
614950aed3 r11713: separate out the setting of the fde in the packet context from the
enabling of packet serialisation
(This used to be commit 6a47cd65a8)
2007-10-10 13:46:17 -05:00
Andrew Tridgell
b8f4d22ab5 r11621: some minor fixes from comments by metze
(This used to be commit 6ab8082234)
2007-10-10 13:45:59 -05:00
Andrew Tridgell
5d5b462bbb r11619: use the 32 bit length helper in the kdc.
(This used to be commit 24f20eed0e)
2007-10-10 13:45:59 -05:00
Andrew Tridgell
549b6dfdba r11608: switched the kdc to use the generic packet send code
(This used to be commit 2cbcc8a919)
2007-10-10 13:45:58 -05:00
Andrew Tridgell
188a75b4a0 r11604: converted the kdc code to use the new packet lib. Andrew, I'm not sure
how to test this, can you have a look and see if it works for you? Is
there some hidden switch to kinit to use tcp?
(This used to be commit 0a797712fb)
2007-10-10 13:45:57 -05:00
Andrew Bartlett
9a9604b26c r11572: Add support for accountExpires and password expiry (should cause the
ticket to be reduced in validity).

Andrew Bartlett
(This used to be commit 5575a1443b)
2007-10-10 13:45:54 -05:00
Simo Sorce
5c95905871 r11567: Ldb API change patch.
This patch changes the way lsb_search is called and the meaning of the returned integer.
The last argument of ldb_search is changed from struct ldb_message to struct ldb_result
which contains a pointer to a struct ldb_message list and a count of the number of messages.
The return is not the count of messages anymore but instead it is an ldb error value.

I tryed to keep the patch as tiny as possible bu as you can guess I had to change a good
amount of places. I also tried to double check all my changes being sure that the calling
functions would still behave as before. But this patch is big enough that I fear some bug
may have been introduced anyway even if it passes the test suite. So if you are currently
working on any file being touched please give it a deep look and blame me for any error.

Simo.
(This used to be commit 22c8c97e6f)
2007-10-10 13:45:53 -05:00
Andrew Bartlett
9e302b6f7c r11544: Allow delegation in a Samba4 realm.
Andrew Bartlett
(This used to be commit c4a9d025d6)
2007-10-10 13:45:52 -05:00
Andrew Bartlett
918c7634c2 r11543: A major upgrade to our KDC and PAC handling.
We now put the PAC in the AS-REP, so that the client has it in the
TGT.  We then validate it (and re-sign it) on a TGS-REQ, ie when the
client wants a ticket.

This should also allow us to interop with windows KDCs.

If we get an invalid PAC at the TGS stage, we just drop it.

I'm slowly trying to move the application logic out of hdb-ldb.c, and
back in with the rest of Samba's auth system, for consistancy.  This
continues that trend.

Andrew Bartlett
(This used to be commit 36973b1eef)
2007-10-10 13:45:52 -05:00
Andrew Bartlett
f9c2f271e8 r11540: Some notes to myself on RFC complience.
Andrew Bartlett
(This used to be commit 6d439cae98)
2007-10-10 13:45:51 -05:00
Andrew Bartlett
fb2394d309 r11536: Add a hook for client-principal access control to hdb-ldb, re-using
the code in auth/auth_sam.c for consistancy.  This will also allow us
to have one place for a backend directory hook.

I will use a very similar hook to add the PAC.

Andrew Bartlett
(This used to be commit 4315836cd8)
2007-10-10 13:45:50 -05:00
Andrew Bartlett
2dcb73aed8 r11525: Move lookups (including the attribute search) for users from
kdc/hdb-ldb.c to share the routines used for auth/

This will require keeping the attribute list in sync, but I think it
is worth it for the next steps (sharing the server_info generation).

Andrew Bartlett
(This used to be commit da38bcefa7)
2007-10-10 13:45:48 -05:00
Andrew Bartlett
b5ae5ac69c r11524: More work on our hdb backend in the KDC.
The aim here is to restructure the queries to match the queries we do
in auth, then to share the code that does the actual query (at least
for user logins).

Then we can generate the PAC from that shared query, rather than a
seperate query.

Andrew Bartlett
(This used to be commit 4395d087e1)
2007-10-10 13:45:48 -05:00
Andrew Bartlett
15c1df2e8a r11437: Fix (valid!) use of uninitialised value warnings.
Andrew Bartlett
(This used to be commit 64b9ea642b)
2007-10-10 13:45:37 -05:00
Jelmer Vernooij
a4e7bf3a89 r11382: Require number of required M4 macros
Make MODULE handling a bit more like BINARY, LIBRARY and SUBSYSTEM
Add some more PUBLIC_HEADERS
(This used to be commit 875eb8f4cc)
2007-10-10 13:45:29 -05:00
Andrew Bartlett
15b9e70ebc r11333: Push service principal lookups into the cracknames code, rather than
in the hdb-ldb code.

Andrew Bartlett
(This used to be commit f71149c88d)
2007-10-10 13:45:20 -05:00
Andrew Bartlett
e408e14154 r11322: Start moving towards using the cracknames code in the KDC.
Andrew Bartlett
(This used to be commit cf67af4216)
2007-10-10 13:45:19 -05:00
Andrew Bartlett
6efaf588a9 r11321: Fix typos in warnings.
Andrew Bartlett
(This used to be commit 81f020d3a4)
2007-10-10 13:45:19 -05:00
Andrew Bartlett
db4b95827e r11270: Move the core CrackNames code from rpc_server/drsuapi to dsdb/samdb.
I'm sure this will not be the final resting place, but it will do for
now.

Use the cracknames code in auth/ for creating a server_info given a
principal name only (should avoid assumtions about spliting a
user@realm principal).

Andrew Bartlett
(This used to be commit c9d5d8e45d)
2007-10-10 13:45:11 -05:00
Jelmer Vernooij
4c5a4a7e02 r11244: Relative path names in .mk files
(This used to be commit 24e1030090)
2007-10-10 13:45:06 -05:00
Stefan Metzmacher
29a3b138a2 r11241: - fix compiler warning
- fix comment

metze
(This used to be commit 4f999625a1)
2007-10-10 13:45:06 -05:00
Andrew Bartlett
16bbafb7e8 r11239: Use ${REALM} for the realm in rootdse.ldif
Add the kpasswd server to our KDC, implementing the 'original' and
Microsoft versions of the protocol.

This works with the Heimdal kpasswd client, but not with MIT, I think
due to ordering issues.  It may not be worth the pain to have this
code go via GENSEC, as it is very, very tied to krb5.

This gets us one step closer to joins from Apple, Samba3 and other
similar implementations.

Andrew Bartlett
(This used to be commit ab5dbbe10a)
2007-10-10 13:45:06 -05:00
Jelmer Vernooij
f4d590662e r11214: Remove scons files (see http://lists.samba.org/archive/samba-technical/2005-October/043443.html)
(This used to be commit 7fffc5c917)
2007-10-10 13:45:03 -05:00
Andrew Bartlett
c86852aef8 r11206: It appears to me that any account may operate as a server.
Andrew Bartlett
(This used to be commit 3b6c9c7cbc)
2007-10-10 13:45:02 -05:00
Andrew Bartlett
a8e69328bf r11106: Make the KDC handler plugable, as I want to drop kpasswdd into exactly
the same spot (it has identical TCP sementics).

Andrew Bartlett
(This used to be commit 84d6118e87)
2007-10-10 13:44:50 -05:00
Stefan Metzmacher
fc94355d8e r10987: add support for tcp kdc requests
metze
(This used to be commit 4c4f19cc23)
2007-10-10 13:39:51 -05:00
Andrew Bartlett
1377cca5f4 r10810: This adds the hooks required to communicate the current user from the
authenticated session down into LDB.  This associates a session info
structure with the open LDB, allowing a future ldb_ntacl module to
allow/deny operations on that basis.

Along the way, I cleaned up a few things, and added new helper functions
to assist.  In particular the LSA pipe uses simpler queries for some of
the setup.

In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't
been worked on (other than making it continue to compile) since January,
and I think the features of this module are being put into ldb anyway.

I have also changed the partitions in ldap_server to be initialised
after the connection, with the private pointer used to associate the ldb
with the incoming session.

Andrew Bartlett
(This used to be commit fd7203789a)
2007-10-10 13:39:32 -05:00
Jelmer Vernooij
5058f4b9e8 r10586: Add MergedObject() builder. Default to Library() rather
then StaticLibrary()
(This used to be commit b53313dc51)
2007-10-10 13:39:08 -05:00
Andrew Bartlett
81097e20e7 r10562: Ensure we initalise the error table with hdb errors. This ensures we
get good text error strings.

Andrew Bartlett
(This used to be commit 0600202067)
2007-10-10 13:39:04 -05:00
Jelmer Vernooij
6812c73534 r10348: Add scons scripts for remaining subsystems. Most subsystems build now,
but final linking still fails (as does generating files asn1, et, idl and proto
files)
(This used to be commit 4f0d7f75b9)
2007-10-10 13:38:30 -05:00
James Peach
7b0471c66d r10157: Remove the last traces of heimdal/include.
(This used to be commit 6512490107)
2007-10-10 13:38:04 -05:00
Andrew Bartlett
1f2f470889 r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.

Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.

I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal.  It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging.  (metze assures me it still has memory leak problems, but
I've started to address some of that).

This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.

On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC.  Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.

One thing doesn't work with this patch:
 - the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken.  I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.

Andrew Bartlett
(This used to be commit a3aba57c00)
2007-10-10 13:36:33 -05:00
Andrew Bartlett
ad14812b8f r9931: Make use of new 'norealm' parsing functions rather than strchr(p '@').
Merge these norealm functions from lorikeet-heimdal.

Andrew Bartlett
(This used to be commit 6aef275efd)
2007-10-10 13:36:23 -05:00
Jelmer Vernooij
b674411eb4 r9792: Rename StrCaseCmp -> strcasecmp_m. All these years I was thinking
StrCaseCmp was sys_strcasecmp, while it is in fact strcasecmp_m!
(This used to be commit 200a8f6652)
2007-10-10 13:35:01 -05:00
Andrew Tridgell
b8f4e0796d r9648: this fixes the krb5 based login with the pac. The key to this whole saga was
that the logon_time field in the pac must match the authtime field in the ticket we
gave the client in the AS-REP (and thus also the authtime field in the ticket we get
back in the TGS-REQ).

Many thanks to Andrew Bartlett for his patience in showing me the
basic ropes of all this code! This was a joint effort.
(This used to be commit 7bee374b3f)
2007-10-10 13:34:37 -05:00
Simo Sorce
ac90ddfdb2 r9392: Fix ldb_dn_compose to make build farm happy
Add ldb_dn_string_compose so that you can build a dn starting from a
struct ldb_dn base and a set of parameters to be composed in a format
string with the same syntax of printf
(This used to be commit 31c69d0655)
2007-10-10 13:33:33 -05:00
Simo Sorce
3e4c4cff21 r9391: Convert all the code to use struct ldb_dn to ohandle ldap like distinguished names
Provide more functions to handle DNs in this form
(This used to be commit 692e35b779)
2007-10-10 13:33:32 -05:00
Steve French
f9c7357d74 r9310: Add two missing return statements after null pointer checks to fix potential oops in kdc code.
Found by coverity.
(This used to be commit 3b707b9289)
2007-10-10 13:33:23 -05:00
Andrew Bartlett
da33c531b6 r9235: Remove attribute search we no longer reference.
Andrew Bartlett
(This used to be commit cf8bf1e9f3)
2007-10-10 13:31:35 -05:00
Stefan Metzmacher
232704793e r9170: fix crash bug
metze
(This used to be commit 232b04bf3e)
2007-10-10 13:31:27 -05:00
Andrew Bartlett
8db8279730 r9084: 'resign' the sample PAC for the validation of the signature algorithms.
If we ever get problems with the kerberos code, it should show up as a
different signature in this PAC.

This involved returning more data from the pac functions, so changed
some callers and split up some functions.

Andrew Bartlett
(This used to be commit d514a74912)
2007-10-10 13:31:15 -05:00
Andrew Tridgell
ea39a55dea r8586: register the kdc with irpc so we can tell that it is up
(This used to be commit 093bbae1c3)
2007-10-10 13:29:41 -05:00
Andrew Tridgell
e835621799 r8520: fixed a pile of warnings from the build farm gcc -Wall output on
S390. This is an attempt to avoid the panic we're seeing in the
automatic builds.

The main fixes are:

 - assumptions that sizeof(size_t) == sizeof(int), mostly in printf formats

 - use of NULL format statements to perform dn searches.

 - assumption that sizeof() returns an int
(This used to be commit a58ea6b385)
2007-10-10 13:29:34 -05:00
Andrew Bartlett
24bef4a4bb r8511: This 'can't happen', but GCC gives warnings because it thinks it can.
Andrew Bartlett
(This used to be commit 40088b9566)
2007-10-10 13:29:33 -05:00
Stefan Metzmacher
f4ec5d45c3 r8363: - we need to correct the realm for the krbtgt/NETBIOSDOMAINREALM
into krbtgt/DNS.DOMAIN.REALM too
  with this a windows client asks for the correct ticket when you try to login
  (but it's still not working correct, as some how we mess up the dns host name of the
   client and it asks for the wrong service principal)

- fix some compiler wranings
- fix some debug messages

metze
(This used to be commit c4c93eeec2)
2007-10-10 13:20:12 -05:00
Andrew Bartlett
37cf22a39e r8249: Clarify (with a comment) why we are playing these games here.
Andrew Bartlett
(This used to be commit 33dcbe938d)
2007-10-10 13:19:25 -05:00
Andrew Bartlett
78d5afa84b r8181: Allow host/foo.realm/realm@REALM requests, assuming that the realm
forms both differ only in case.  We may need a better solution than
this later.

Andrew Bartlett
(This used to be commit a0ad13f5bc)
2007-10-10 13:19:17 -05:00
Andrew Bartlett
42bb490709 r8161: Update Samba4 for the new Heimdal update.
Andrew Bartlett
(This used to be commit 6a9b637327)
2007-10-10 13:19:16 -05:00
Andrew Bartlett
dbd2688c90 r8110: More PAC work. I still can't get WinXP to accept the PAC, but we are
much closer.

This changes PIDL to allow a subcontext to have a pad8 flag, saying to
pad behind to an 8 byte boundary.  This is the only way I can explain
the 4 trainling zeros in the signature struct.

Far more importantly, the PAC code is now under self-test, both in
creating/parsing our own PAC, but also a PAC from my win2k3 server.
This required changing auth_anonymous, because I wanted to reuse the
anonymous 'server_info' generation code.

I'm still having trouble with PIDL, particulary as surrounds value(),
but I'll follow up on the list.

Andrew Bartlett
(This used to be commit 50a54bf4e9)
2007-10-10 13:19:09 -05:00
Andrew Bartlett
44f2d34bd3 r8013: Remember to add the header containing the prototype for the pac
generating function...

Andrew Bartlett
(This used to be commit 707cf5fba8)
2007-10-10 13:18:59 -05:00
Andrew Bartlett
ddffc922df r8001: Also fill in the krbtgt checksum, and make sure to put the right
checksum in the right place...

Andrew Bartlett
(This used to be commit 90d0f502da)
2007-10-10 13:18:57 -05:00
Andrew Bartlett
9a7481bcfe r7993: Further work on the Krb5 PAC.
We now generate the PAC, and can verifiy both our own PAC and the PAC
from Win2k3.

This commit adds the PAC generation code, spits out the code to get
the information we need from the NETLOGON server back into a auth/
helper function, and adds a number of glue functions.

In the process of building the PAC generation code, some hints in the
Microsoft PAC specification shed light on other parts of the code, and
the updates to samr.idl and netlogon.idl come from those hints.

Also in this commit:

The Heimdal build package has been split up, so as to only link the
KDC with smbd, not the client utils.

To enable the PAC to be veified with gensec_krb5 (which isn't quite
dead yet), the keyblock has been passed back to the calling layer.

Andrew Bartlett
(This used to be commit e2015671c2)
2007-10-10 13:18:57 -05:00
Andrew Bartlett
3ff7916571 r7969: It seems reasonable that our tickets be marked renewable, in the
absense of an apparent AD flag to control this behaviour.

Andrew Bartlett
(This used to be commit 9886aa6f0e)
2007-10-10 13:18:55 -05:00
Andrew Tridgell
b3e493470f r7911: task_terminate() is defined in the macosx headers, so change the name
to task_server_terminate()
(This used to be commit a7447e25ac)
2007-10-10 13:18:48 -05:00
Andrew Bartlett
f3661e2062 r7765: Thanks to Maurice Massar <massar@unix-ag.uni-kl.de> for spotting that
I missed one spot in moving from hdb_ent_type to the
internal-to-hdb-ldb hdb_ldb_ent_type, which results in a

Kerberos: Server has invalid flag set -- krbtgt/....@....

on kinit.

Andrew Bartlett
(This used to be commit 2358e0c0e4)
2007-10-10 13:18:33 -05:00
Andrew Bartlett
363e1143de r7680: Move to using our own private enum for the principal type inside the
hdb-ldb module.  This removes the need for the KRBTGT case to exist in
the broader heimdal code.

Andrew Bartlett
(This used to be commit fb83465dbc)
2007-10-10 13:18:21 -05:00
Andrew Bartlett
10d8a860db r7651: Only convert SERVER requests to KRBTGT requests.
Andrew Bartlett
(This used to be commit a948e743bb)
2007-10-10 13:18:17 -05:00
Andrew Bartlett
8cd7848b8f r7520: Fix memory leak in hdb-ldb.c
Andrew Bartlett
(This used to be commit 7f6a7f7fc5)
2007-10-10 13:18:05 -05:00
Andrew Bartlett
183cb2b939 r7508: Fix memory leak of outgoing packets in the KDC.
Andrew Bartlett
(This used to be commit 6f7bb00c7e)
2007-10-10 13:18:02 -05:00
Andrew Tridgell
6a4cb0e651 r7484: the previous bug can also affect the kdc
(This used to be commit ee8bf9db4a)
2007-10-10 13:17:58 -05:00
Andrew Tridgell
bce8cda061 r7352: the internal heimdal build change. This changes quite a few things:
- if you want kerberos now, you need to unpack a lorikeet heimdal
   tree in source/heimdal/. If source/heimdal/ does not exist at
   configure time then all kerberos features are disabled. You cannot
   use an external kerberos library for now. That may change later.

 - moved lib/replace/ config stuff to lib/replace/ and create a
   lib/replace/replace.h. That allows the heimdal build to use our
   portability layer, and prevenets duplicate definitions of functions
   like strlcat()

 - if you do enable heimdal, then you will need to do 'make
   HEIMDAL_EXTERNAL' before you build Samba. That should be fixed once
   I explain the problem to jelmer (the problem is the inability to
   set a depend without also dragging in the object list of the
   dependency. We need this for building the heimdal asn1 compiler and
   et compiler.

 - disabled all of the m4 checks for external kerberos libraries. I
   left them in place in auth/kerberos/, but disabled it in
   configure.in

some of the heimdal_build/ code is still very rough, for example I
don't correctly detect the correct awk, flex, bison replacements for
heimdal_build/build_external.sh. I expect to fix that stuff up over
the next few days.
(This used to be commit d4648249b2)
2007-10-10 13:17:45 -05:00
Andrew Bartlett
31cd6fd88d r7304: Make the libkdc actually work:
- Remove (some) excess logging
 - use samdb_connect() to hook into the right handling for multiple tdb handles
 - move the connect to the server startup, rather than per-packet.
 - Fix config.mk dependency

Tested with a WinXP domain join.

Andrew Bartlett
(This used to be commit 13cf51612d)
2007-10-10 13:17:39 -05:00
Stefan Metzmacher
2c499fe5aa r7303: autodetect the libkdc and our kdc support
btw: I use this for configuring heimdal

>>>
CONFIG="CFLAGS=\"-g -O -Wall -Wstrict-prototypes -Wpointer-arith -Wcast-align -Wwrite-strings -Wdeclaration-after-statement\" \
	CC=gcc-4.0 \
	./configure -C --prefix=$HOME/prefix/heimdal-test \
	--sysconfdir=/etc \
	--enable-shared=no \
	--with-ldb=$HOME/prefix/ldb \
	--without-openldap \
	--without-openssl $@"

echo $CONFIG
eval $CONFIG
>>>

maybe you also want to use --disable-berkeley-db

metze
(This used to be commit 2aec140e00)
2007-10-10 13:17:39 -05:00
Stefan Metzmacher
ba30cbf67b r7297: make the code more readable
metze
(This used to be commit f9b4448ec5)
2007-10-10 13:17:38 -05:00
Andrew Tridgell
68908f1712 r7272: this is a sample mk file for building a heimdal library using the
samba4 build system. It assumes we have source/heimdal/ with a current
lorikeet heimdal tree.

I haven't enabled this, its just an example of one possible approach
to heimdal integration.
(This used to be commit 0835d6a0d9)
2007-10-10 13:17:35 -05:00
Andrew Bartlett
d26f46f72c r7270: A big revamp to the way we handle kerberos errors in Samba4. We now
fill in the function pointers to handle the logging, and catch all the
kerberos warnings. (Currently at level 3).

To avoid a memory leak, this requries a new function: krb5_freelog(),
which I've added to lorikeet/heimdal.

This also required a revamp to how we handle the krb5_context, so as
to make it easier to handle with talloc destructors.

Andrew Bartlett
(This used to be commit 63272794c4)
2007-10-10 13:17:34 -05:00
Andrew Tridgell
b7b7c46eb4 r7264: fix up the socket handling for abartlet. Still only udp, but it won't
be hard to do tcp as well.
(This used to be commit 7cbb95d3f5)
2007-10-10 13:17:33 -05:00
Andrew Bartlett
6113066fa5 r7259: Move the recv handler out into a seperate function (suggestion from
tridge)

Andrew Bartlett
(This used to be commit 6329f2ee36)
2007-10-10 13:17:32 -05:00
Andrew Bartlett
089b538163 r7241: The KDC almost links...
Using current lorikeet/heimdal, and with the KDC module enabled (it is
disabled by default), I almost get the KDC to link.

(To enable the KDC for testing, comment out the only line in
smbd/config.m4, and add 'kdc' to the 'server services' line in
smb.conf).
(This used to be commit 26cd4b4f68)
2007-10-10 13:17:30 -05:00
Andrew Bartlett
51fc684227 r7221: Add the start of a KDC service (to be built on a 'libkdc' from a to be
included Heimdal) to Samba4.

Andrew Bartlett
(This used to be commit 51ba3ea60c)
2007-10-10 13:17:27 -05:00