1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

369 Commits

Author SHA1 Message Date
Volker Lendecke
afd8c389c9 HEIMDAL:lib/krb5: Harden _krb5_derive_key()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-20 07:51:14 +01:00
Volker Lendecke
c15464f886 HEIMDAL:lib/krb5: Harden ARCFOUR_sub{en,de}crypt()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-20 07:51:14 +01:00
Stefan Metzmacher
fb318ab020 HEIMDAL:lib/krb5: use krb5_verify_checksum() in krb5_c_verify_checksum()
This allows the optimized checksum->verify() function to be used.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-20 07:51:14 +01:00
Stefan Metzmacher
05cc099499 HEIMDAL:lib/krb5: move checksum vs. enctype checks into get_checksum_key()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-20 07:51:14 +01:00
Stefan Metzmacher
2abc3710a8 HEIMDAL:lib/krb5: destroy a memory ccache on reinit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-10-12 20:54:08 +02:00
Uri Simchoni
3f1f6e03cd heimdal: revert 1f90983324
A different version has gone upstream, fixing the problem
elsewhere.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Mon Oct  3 11:12:29 CEST 2016 on sn-devel-144
2016-10-03 11:12:29 +02:00
Uri Simchoni
0b61d9e02e heimdal-lib/krb5: keep a copy of config etypes in the context
When reading configuration file, keep an extra copy of
the encryption types, and use this when resetting the
encryption types to default.

GSSAPI always resets the enctypes to default before obtaining
a TGS, because the enctypes might have previously altered,
so this prevents changing the etypes from the configured ones
to the full set of supported etypes.

The same patch has gone into upstream heimdal as commit
a3bece1. It is a different solution to the problem fixed
here by commit 1f90983, so this commit will be reverted next
to keep compatibility with uptream.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-10-03 07:27:13 +02:00
Andreas Schneider
b3e324aad5 heimdal: Fix reauthentication after password change
If the KDC requires a password change kinit will ask after the initial
authentication for a new password. After the password has been changed
it does reauthentication and for that it needs to use the new password
we just set.

It is needed for the a new kpasswd service test.

This is already fixed upstream with:
    911c99375741281adae305f6ec3a3317023eba3e

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-11 02:58:21 +02:00
Andreas Schneider
e4f82de771 s4-heimdal: Export krb5_init_creds_* functions
The function krb5_get_init_creds_opt_get_error() is deprecated and
krb5_init_creds_init() and krb5_init_creds_get_error() should be used
now.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-31 20:59:17 +02:00
Uri Simchoni
1f90983324 heimdal: honor conf enctypes when obtaining a service ticket
This patch removes part of what's categorized in the code as
"hideous glue", which causes Heimdal to ignore krb5.conf
encryption types, and instead use either the application-
supplied values or the default compile-time values.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-08-09 04:39:07 +02:00
Stefan Metzmacher
0022ea9efb HEIMDAL:kdc: add krb5plugin_windc_pac_pk_generate() hook
This allows PAC_CRENDENTIAL_INFO to be added to the PAC
when using PKINIT. In that case PAC_CRENDENTIAL_INFO contains
an encrypted PAC_CRENDENTIAL_DATA.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-22 23:34:21 +02:00
Stefan Metzmacher
f61833082a HEIMDAL:kdc: reset e_text after successful pre-auth verification
This is already fixed in upstream heimdal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-22 23:34:20 +02:00
Stefan Metzmacher
08ead28c69 HEIMDAL:lib/krb5: allow predefined PAC_{LOGON_NAME,PRIVSVR_CHECKSUM,SERVER_CHECKSUM} elements in _krb5_pac_sign()
A caller may want to specify an explicit order of PAC elements,
e.g. the PAC_UPN_DNS_INFO element should be placed after the PAC_LOGON_NAME
element.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

This is commit 7cd40a610569d5e54ebe323672794fb6415b5dac in heimdal master.
2016-07-22 23:34:20 +02:00
Garming Sam
978bc8681e kerberos: Return enc data on PREAUTH_FAILED
Without the enc data, Windows clients will perform two AS-REQ causing the password
lockout count to increase by two instead of one.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11539

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Jul  5 10:52:32 CEST 2016 on sn-devel-144
2016-07-05 10:52:32 +02:00
Uri Simchoni
b2b951d14f heimdal make kvno unisgned internally
The folks at heimdal didn't like the patch in
commit 6379737b7d and insisted
that kvno should remain unsigned internally, even though it is
encoded as signed in packets. This patch reverts some of the
unsigned->signed changes in that commit, and resolves conversion
issues - in order to be aligned with upstream Heimdal.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue May 24 03:00:39 CEST 2016 on sn-devel-144
2016-05-24 03:00:39 +02:00
Uri Simchoni
6379737b7d heimdal: encode/decode kvno as signed integer
This patch changes the encoding/decoding of kvno (key version number)
in blobs and packets to signed integer, for compatibility with Windows.
Reportedly, MIT Kerberos does the same.

This patch effectively reverts commit 1124c4872dfb81bec9c4b527b8927ca35e39a599
in the heimdal tree.

According to the Kerberos spec (RFC 4120 5.2.9), the kvno field
in encrypted data object is an unsigned integer that fits in
32 bits. The Heimdal Kerberos component bundled with Samba
conforms to this. However, Windows deviates from the standard
and encodes kvno as a signed integer, and this creates
interoperability issues.

ASN.1 DER has no special encoding for unsigned integer. A 32-bit
unsigned integer is encoded as a signed integer, so while a signed
32-bit integer (covering the range of -0x80000000..0x7fffffff) is
encoded using up to 4 bytes, an unsigned integer (covering
0..0xffffffff) could require 5 bytes.

Normally, kvno for a given account starts at 1 and increments on
password changes. Kerberos defined this as unsigned because there's
no meaning for negative version numbers, so the standard writers figured
4 billion versions is better than 2 billion. It was not
expected for a kvno to really go past 0x7fffffff and the disctinction
usually does not matter. However, RODCs use kvnos which
have the most-significant bit set.

In Active Directory, RODCs have a private secret for the krbtgt,
because the assumption is that the RODC is less secure, and
recovering the domain krbtgt secret from the RODC would compromise
the security of the entire domain. The kvno field is being used
to identify the private krbtgt account that owns the key - the
upper 16 bits are the RODC id, and the lower 16 bits identify
the key version number for this specific RODC. It's common to
have an RODC id greater than 0x8000, and therefore to have a
kvno larger than 0x7fffffff, which would be DER-encoded using
5 bytes.

Windows encodes kvno as signed integer - basically taking the
32 bits and treating them as a signed integer rather than an
unsigned integer. This means that in Windows a kvno can
always be encoded using 4 bytes, and Windows DCs reject a kvno
encoded using more than 4 bytes without even generating an error
response (the DC assumes it's an attack).

Heimdal re-encodes the TGT when it creates a TGS request. Obviously
it cannot decode and encode the encrypted parts but it does re-encode
the plain parts, which include the kvno. That leads to a 5-byte
kvno in the TGS request, which is rejected without an error
response.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11900

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat May  7 21:14:21 CEST 2016 on sn-devel-144
2016-05-07 21:14:21 +02:00
Ralph Boehme
20dc68050d s4/heimdal: allow SPNs in AS-REQ
This allows testing keytabs with service tickets. Windows KDCs allow
this as well.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-04-25 10:35:14 +02:00
Aurelien Aptel
cb51e8d5cb s4/heimdal/lib/krb5/pac.c: typo
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <rb@sernet.de>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 10 03:33:46 CET 2016 on sn-devel-144
2016-03-10 03:33:46 +01:00
Aurelien Aptel
511c747745 s4/heimdal/lib/gssapi/mech/gss_compare_name.c: typo
make memcmp() compare the name1 and name2 value instead of comparing
name1 with itself.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Ira Cooper <ira@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-10 00:08:11 +01:00
Douglas Bagnall
116f415779 heimdal asn1: avoid fclose(NULL) caused by missing braces
Thanks to GCC6 -Wmisleading-indentation.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Thu Mar  3 16:21:52 CET 2016 on sn-devel-144
2016-03-03 16:21:52 +01:00
Christian Ambach
fc8e507b48 s4:heimdal fix a compile warning
about a potentially uninitialized variable

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-02-12 09:01:14 +01:00
Har Gagan Sahai
e4b0ea1425 Fix memory leak in dns resolution during spnego authentication using kerberos.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11471

Signed-off-by: Har Gagan Sahai <SHarGagan@novell.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Sep  3 19:11:22 CEST 2015 on sn-devel-104
2015-09-03 19:11:22 +02:00
Andrew Bartlett
ddee603b5e heimdal/gssapi: Allow a NULL authenticator
Some non-GSSAPI implementations that instead try to create compatible packets by wrapping krb5_mk_req()
can trigger a NULL authenticator here.  Assume this to be equvilent to specifying an all-zero
channel bindings and some reasonable (fixed) flags.

This was seen in the wild, with a Huawei Unified Storage System S5500 V3 against the AD DC

Original patch by Andrew Bartlett, restructured by Douglas Bagnall

Cherry-picked from upstream GIT 0a5de96d72cdea9e465412d7dba1e5d13e53dc09
which is the merge of https://github.com/heimdal/heimdal/pull/134

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11425
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-08-05 06:39:19 +02:00
Stefan Metzmacher
2d98800219 heimdal:kdc: add support for HDB_ERR_WRONG_REALM
A backend can return this if asked with HDB_F_GET_CLIENT|HDB_F_FOR_AS_REQ
for a KRB5_NT_ENTERPRISE_PRINCIPAL record or for HDB_F_GET_SERVER | HDB_F_FOR_TGS_REQ.

entry_ex->entry.principal->realm needs to return the real realm of the principal
(or at least a the realm of the next cross-realm trust hop).

This is needed to route enterprise principals between AD domain trusts.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:20 +02:00
Stefan Metzmacher
c63f360788 heimdal:kdc: generic support for 3part servicePrincipalNames
This is not DRSUAPI specific, it works for all 3 part principals.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:20 +02:00
Stefan Metzmacher
454db47eac heimdal:lib/krb5: add krb5_mk_error_ext() helper function
This gives the caller the ability to skip the client_name
and only provide client_realm. This is required for
KDC_ERR_WRONG_REALM messages.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:20 +02:00
Stefan Metzmacher
fca11edc0b heimdal:lib/krb5: correctly follow KRB5_KDC_ERR_WRONG_REALM client referrals
An AS-REQ with an enterprise principal will always directed to a kdc of the local
(default) realm. The KDC directs the client into the direction of the
final realm. See rfc6806.txt.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:20 +02:00
Stefan Metzmacher
c245d4f33e heimdal:lib/gssapi/krb5: implement gss_[un]wrap_iov[_length] with arcfour-hmac-md5
Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-24 01:03:16 +02:00
Stefan Metzmacher
571a05c649 heimdal:lib/gssapi/krb5: split out a arcfour_mic_cksum_iov() function
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-24 01:03:16 +02:00
Stefan Metzmacher
688c537ab1 heimdal:lib/gssapi/krb5: add const to arcfour_mic_key()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-24 01:03:16 +02:00
Stefan Metzmacher
3269ebfcbf heimdal:lib/gssapi/krb5: clear temporary buffer with cleartext data.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-24 01:03:16 +02:00
Stefan Metzmacher
01350c76ad heimdal:lib/gssapi/krb5: fix indentation in _gk_wrap_iov()
Now it matches _gk_unwrap_iov() and _gk_wrap_iov_length().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-24 01:03:16 +02:00
Stefan Metzmacher
9414d9867c heimdal:lib/gssapi/krb5: make _gssapi_verify_pad() more robust
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-24 01:03:16 +02:00
Uri Simchoni
12079b412d heimdal: fix endless loop for specific KDC error code
When sending a Kerberos request, if at least one of the available
KDCs repeatedly replies with an error response of
KRB5KDC_ERR_SVC_UNAVAILABLE, and all other KDCs, if there are any,
do not reply at all or cannot be contacted, then the code repeatedly
retries to send the request in an endless loop.

This is fixed in upstream (post 1.5 branch) heimdal but the code
there is vastly refactored, so this is an independent fix to the issue.

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jun 17 02:34:31 CEST 2015 on sn-devel-104
2015-06-17 02:34:31 +02:00
Stefan Metzmacher
47a3f9cc5a heimdal:lib/krb5: verify_logonname() to handle multi component principal
FreeIPA can generate tickets with a client principal of
'host/hostname.example.com'.

verify_logonname() should just verify the principal name
in the PAC_LOGON_NAME is the same as the principal of
the client principal (without realm) of the ticket.

Samba commit b7cc8c1187
break this. We try to compare ['host']['hostname.example.com']
with ['host/hostname.example.com]' (as we interpret it as enterprise principal)
this fail if we don't compare them as strings.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-05-20 19:29:30 +02:00
Volker Lendecke
81da2aa605 heimdal: Fix the O3 developer build
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-05-07 20:20:19 +02:00
Volker Lendecke
4ae2266015 heimdal: Fix CID 240793 Uninitialized scalar variable
tmp.data is uninitialized in the fwrite call

Hopefully I don't create a problem here: If tmp.data is supposed to be randomly
set, I think the right fix would have been to explicitly call a random function
initializing it.

<jra@samba.org>
------------------------------------------------------------
I have looked through the code carefully. Your fix is safe.

The first entry in the replay file created in krb5_rc_initialize()
is only used to store the 'krb5_deltat auth_lifespan' value, the
associated data[16] value is never looked at. (Look at the
code in krb5_rc_store() and krb5_rc_get_lifespan() to confirm).

Only subsequent data[16] values are checked with memcmp.
------------------------------------------------------------

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-05-07 20:20:19 +02:00
Volker Lendecke
6169ab798d heimdal: Fix a warning
99% this is what was meant....

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2015-03-30 11:04:15 +02:00
Volker Lendecke
578f2c7c7d heimdal: Fix a warning
99% this is what was meant....

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2015-03-30 11:04:15 +02:00
Stefan Metzmacher
da99f8a5b9 heimdal:lib/krb5: let build_logon_name() use KRB5_PRINCIPAL_UNPARSE_DISPLAY
An ENTERPRISE principal should result in 'administrator@S4XDOM.BASE'
instead of 'administrator\@S4XDOM.BASE'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:42 +01:00
Stefan Metzmacher
b7cc8c1187 heimdal:lib/krb5: allow enterprise principals in verify_logonname()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:42 +01:00
Stefan Metzmacher
89099611fd heimdal:krb5.asn1: remove KRB5_PADATA_CLIENT_CANONICALIZED handling
This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt
and the final rfc6806.txt.

The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:42 +01:00
Stefan Metzmacher
9ebd10b343 heimdal:kdc: remove KRB5_PADATA_CLIENT_CANONICALIZED handling
This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt
and the final rfc6806.txt.

The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:42 +01:00
Stefan Metzmacher
76f66332a1 heimdal:lib/krb5: remove KRB5_PADATA_CLIENT_CANONICALIZED handling
This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt
and the final rfc6806.txt.

The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:42 +01:00
Volker Lendecke
90d03a65bc heimdal: Fix CID 1273430 Double free
I think Coverity is right here: Before the preceding call to
krb5_make_principal we already krb5_free_principal(ctx, tmp_creds.server)
without wiping out tmp_creds.server. The call to krb5_make_principal only
stores something fresh when it also returns 0 a.k.a. success.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Fri Mar  6 17:38:09 CET 2015 on sn-devel-104
2015-03-06 17:38:09 +01:00
Volker Lendecke
38628b1e32 Fix the O3 developer build
Different gcc versions complain at different places

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Mar  3 13:14:53 CET 2015 on sn-devel-104
2015-03-03 13:14:53 +01:00
Volker Lendecke
b72cc326f6 heimdal: Fix the developer O3 build
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-02-25 14:02:09 +01:00
Andrew Bartlett
891c4c6a40 heimdal: Ensure that HDB_ERR_NOT_FOUND_HERE, critical for the RODC, is not overwritten
This change ensures that our RODC will correctly proxy when asked to provide
a ticket for a service or user where the keys are not on this RODC.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2015-01-23 05:42:07 +01:00
Nicolas Williams
da4ac71eab heimdal: Really bug in KDC handling of enterprise princs
The value of this commit to Samba is to continue to match Heimdal's
upstream code in this area.  Because we set HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL
there is no runtime difference.

(commit message by Andrew Bartlett)

Cherry-pick of Heimdal commit 9aa7883ff2efb3e0a60016c9090c577acfd0779f

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-01-23 05:42:07 +01:00
Nicolas Williams
fe99c420b2 heimdal: Fix bug in KDC handling of enterprise principals
The useful change in Samba from this commit is that we gain
validation of the enterprise principal name.

(commit message by Andrew Bartlett)

Cherry-pick of Heimdal commit c76ec8ec6a507a6f34ca80c11e5297146acff83f

Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-01-23 05:42:07 +01:00