1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

369 Commits

Author SHA1 Message Date
Stefan Metzmacher
5797b9a913 s4:heimdal: remove unused heimdal/lib/hcrypto/evp-cc.c
metze
2010-05-11 18:11:05 +02:00
Karolin Seeger
55838a8c02 s4-heimdal: Fix typo in comment.
Karolin
2010-04-13 20:09:13 +02:00
Andrew Bartlett
c8cb17a18c s4:heimdal Create a new PAC when impersonating a user with S4U2Self
If we don't do this, the PAC is given for the machine accout, not the
account being impersonated.

Andrew Bartlett
2010-04-10 21:40:59 +10:00
Andrew Bartlett
1d59abc724 s4:heimdal Add hooks to check with the DB before we allow s4u2self
This allows us to resolve multiple forms of a name, allowing for
example machine$@REALM to get an S4U2Self ticket for
host/machine@REALM.

Andrew Bartlett
2010-04-10 21:40:58 +10:00
Karolin Seeger
deccb6cf9a s4-krb5: Fix typos in comment.
Karolin
2010-04-09 09:24:28 +02:00
Andrew Bartlett
1f0467562b s4:heimdal Use correct variable to advance past -- options in kpasswd
This bug was introduced when kpasswd was migrated to a local getarg()
call, in Heimdal commit 7dd146072cd9b56d660a01f4aa20f8d81be356e8

Andrew Bartlett
2010-03-27 19:13:28 +11:00
Andrew Bartlett
64b8b0cdaf s4:heimal Update generated files (cp from Heimdal) 2010-03-27 12:24:00 +11:00
Andrew Bartlett
533024be44 s4:heimdal: import lorikeet-heimdal-201003262338 (commit f4e0dc17709829235f057e0e100d34802d3929ff) 2010-03-27 11:55:22 +11:00
Andrew Bartlett
564d5cd2c4 s4:heimdal New files and supporting logic for heimdal update 2010-03-27 11:53:23 +11:00
Andrew Bartlett
89eaef0253 s4:heimdal: import lorikeet-heimdal-201001120029 (commit a5e675fed7c5db8a7370b77ed0bfa724196aa84d) 2010-03-27 11:51:27 +11:00
Matthias Dieter Wallnöfer
2bdece18c6 kerberos - set the memory to "0"s before freeing the password to prevent security issues 2010-03-16 18:20:51 +01:00
Matthias Dieter Wallnöfer
a6c57472ab heimdal - remove unused variable 2010-03-16 17:11:49 +01:00
Matthias Dieter Wallnöfer
dc5e0d8464 heimdal - fix overlapped identifiers in the "krb5" library 2010-03-16 17:11:49 +01:00
Matthias Dieter Wallnöfer
973001e91a heimdal - free always "ctx->password" when it isn't needed anymore
"strdup" does always create a new object in the memory (through "malloc") which
needs to be freed if it isn't used anymore.
2010-03-16 17:11:48 +01:00
Karolin Seeger
694ab7c5ff s4-heimdal: Fix typos in comment.
Karolin
2010-02-15 12:23:11 +01:00
Stefan Metzmacher
4a4b2a5eaf s4:heimdal: regerenate files
Andrew using cp like in commit ca12e7bc8f
is wrong as that removes #include "config.h" and breaks the build on AIX.

metze
2010-02-08 09:59:29 +01:00
Andrew Tridgell
bb009412d3 heimdal: work around differences between GNU and XSI strerror_r()
This is a fairly ugly workaround, but then again, strerror_r() is a
very ugly mess.
2009-12-14 22:29:57 +11:00
Andrew Tridgell
29c87ef830 s4-heimdal: fixed a use-after-free heimdal bug
This caused samba4kinit to segfault on some systems
2009-12-08 15:16:13 +11:00
Kamen Mazdrashki
bf7cc3262e krb5: Fix leaked hx509_context pointer
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2009-12-08 12:39:10 +11:00
Andrew Bartlett
4f64bc7125 heimdal Fix invalid format string 2009-11-24 11:38:41 +11:00
Andrew Bartlett
dc351a579d s4:heimdal: import lorikeet-heimdal-200911170333 (commit b532c294d974cead40a1183c71be644c6ccc2832)
This fixes up connections to Windows 2003, because the previous import
had a broken arcfour-hmac-md5 implementation (fixed in Heimdal
316fc6ff8ffb0cbb1ef3689685e9977c37405bc4)

Andrew Bartlett
2009-11-17 16:21:29 +11:00
Andrew Bartlett
ca12e7bc8f s4:heimdal Import generated files from heimdal tree
We should be able to rebuild these, but a cp is easier :-)
2009-11-13 23:19:06 +11:00
Andrew Bartlett
4f8ba5ad6a s4:heimdal: import lorikeet-heimdal-200911122202 (commit 9291fd2d101f3eecec550178634faa94ead3e9a1) 2009-11-13 23:19:05 +11:00
Andrew Bartlett
5bc87c14a1 s4:heimdal: import lorikeet-heimdal-200909210500 (commit 290db8d23647a27c39b97c189a0b2ef6ec21ca69) 2009-11-13 23:19:05 +11:00
Matthias Dieter Wallnöfer
9f170bc7ea heimdal - hdb/ext.c - fix a "shadows variable" warning
Renamed the variable "str" in the nested block to "str2" to prevent the collision
with "str" in the main function block.
2009-10-21 17:35:51 +02:00
Andrew Bartlett
3493b62b4b s4:heimdal A real fix for bug 6801
The issue was that we would free the entry after the database, not
knowing that the entry was a talloc child of the database.

Andrew Bartlett
2009-10-14 10:20:01 +11:00
Matthias Dieter Wallnöfer
3393257920 heimdal kerberos - fix memory leak (free the plugin list always - not only in error cases) 2009-10-03 15:49:40 +02:00
Matthias Dieter Wallnöfer
02b289f65b heimdal - fix various warnings
- Shadowed variables
- "const" related warnings
- Parameter names which shadow function declarations
- Non-void functions which have no return value

(patch also ported upstream)
2009-10-03 13:20:52 +02:00
Stefan Metzmacher
16f1ba2558 s4:heimdal/gssapi/krb5: set cred_handle in _gsskrb5_import_cred
metze
2009-09-18 20:34:16 +02:00
Andrew Bartlett
64e2b859d2 s4:heimdal: import lorikeet-heimdal-200908052208 (commit 370a73a74199a5a55188340906e15fd795f67a74)
This removes some of the portability changes made to code under
heimdal/

If these are still required, then we will re-add them with code under
heimdal_build/ (so that we can simply 'drop in' future heimdal
releases).

Andrew Bartlett
2009-08-06 08:44:53 +10:00
Andrew Bartlett
cd1d7f4be7 s4:heimdal: import lorikeet-heimdal-200908050050 (commit 8714779fa7376fd9f7761587639e68b48afc8c9c)
This also adds a new hdb-glue.c file, to cope with Heimdal's
uncondtional enabling of SQLITE.

(Very reasonable, but not required for Samba4's use).

Andrew Bartlett
2009-08-05 12:18:17 +10:00
Andrew Bartlett
8ff1f50b0c s4:kerberos Add support for user principal names in certificates
This extends the PKINIT code in Heimdal to ask the HDB layer if the
User Principal Name name in the certificate is an alias (perhaps just
by case change) of the name given in the AS-REQ.  (This was a TODO in
the Heimdal KDC)

The testsuite is extended to test this behaviour, and the other PKINIT
certficate (using the standard method to specify a principal name in a
certificate) is updated to use a Administrator (not administrator).
(This fixes the kinit test).

Andrew Bartlett
2009-07-28 14:10:47 +10:00
Andrew Bartlett
0c2dca71fa s4:heimdal Extend the 'hdb as a keytab' code
This extends the hdb_keytab code to allow enumeration of all the keys.

The plan is to allow ktutil's copy command to copy from Samba4's
hdb_samba4 into a file-based keytab used in wireshark.

One day, with a few more hacks, we might even make this a loadable
module that can be used directly...

Andrew Bartlett
2009-07-27 22:41:41 +10:00
Andrew Bartlett
6cb81f7b37 s4:heimdal: import lorikeet-heimdal-200907162216 (commit d09910d6803aad96b52ee626327ee55b14ea0de8)
This includes in particular changes to the KDC to resolve bug 6272,
originally by Matthieu Patou <mat+Informatique.Samba@matws.net>.  We
need to sort the AuthorizationData elements to put the PAC first, or
else WinXP breaks when browsed from Win2k8.

Andrew Bartlett
2009-07-17 08:32:01 +10:00
Andrew Bartlett
e25325539a s4:heimdal: import lorikeet-heimdal-200907152325 (commit 2bef9cd5378c01e9c2a74d6221761883bd11a5c5) 2009-07-16 11:31:36 +10:00
Andrew Bartlett
84dca625ca s4:heimdal The implied GSS_C_MUTUAL_FLAG depends on AP_OPTS_MUTUAL_REQUIRED
We had previously assumed it was unconditional.  Samba3 didn't mind
very much, but Samba4's samba3-like client did, and the behaviour
differed to Win2008 behaviour.

Andrew Bartlett
2009-07-16 09:23:35 +10:00
Stefan Metzmacher
5d4d9d333d s4:heimdal: readd heimdal/lib/asn1/asn1parse.y which was parse.y before the last import
Also commit the regenerated files for systems without yacc and lex.

This fixes the build with automatic dependecies for me.

metze
2009-07-06 13:28:11 +02:00
Björn Jacke
e9fc7c5e15 heimdal: don't include <ifaddrs.h> without knowing it's there
this is 73dbbe0d54 re-added. abartlet, please pick this to lorikeet.
2009-07-03 19:13:08 +02:00
Andrew Bartlett
89a074b784 s4:heimdal Allow KRB5_NT_ENTERPRISE names in all DB lookups
The previous code only allowed an KRB5_NT_ENTERPRISE name (an e-mail
list user principal name) in an AS-REQ.  Evidence from the wild
(Win2k8 reportadely) indicates that this is instead valid for all
types of requests.

While this is now handled in heimdal/kdc/misc.c, a flag is now defined
in Heimdal's hdb so that we can take over this handling in future (once we start
using a system Heimdal, and if we find out there is more to be done
here).

Andrew Bartlett
2009-06-30 12:11:14 +10:00
Andrew Bartlett
19413c5249 s4:kdc Allow a password change when the password is expired
This requires a rework on Heimdal's windc plugin layer, as we want
full control over what tickets Heimdal will issue.  (In particular, in
case our requirements become more complex in future).

The original problem was that Heimdal's check would permit the ticket,
but Samba would then deny it, not knowing it was for kadmin/changepw

Also (in hdb-samba4) be a bit more careful on what entries we will
make the 'change_pw' service mark that this depends on.

Andrew Bartlett
2009-06-18 13:49:30 +10:00
Andrew Bartlett
9b261c008a s4:heimdal: import lorikeet-heimdal-200906080040 (commit 904d0124b46eed7a8ad6e5b73e892ff34b6865ba)
Also including the supporting changes required to pass make test

A number of heimdal functions and constants have changed since we last
imported a tree (for the better, but inconvenient for us).

Andrew Bartlett
2009-06-12 07:45:48 +10:00
Björn Jacke
d2bb72d713 s4:heimdal: fix build on FreeBSD
Patch from Timur I. Bakeyev sent to samba-technical:

Heimdal requires openpty() presence. FreeBSD has in in standard libc, so
autodetection works, but compilation fails, as declaration of this function is
missing.

This patch adds proper header detection and inclusion for openpty().
2009-06-08 22:14:49 +02:00
Jeremy Allison
3a88316e23 Fix the build. Looks like no one ever compiled this on a system
with a libintl.h before.
Jeremy.
2009-02-24 12:19:06 -08:00
Jeremy Allison
365925eea3 Start fixing Solaris build failures.
Jeremy.
2009-02-24 11:37:57 -08:00
Stefan Metzmacher
6028e8f346 heimdal: void functions should not return a value
metze
2009-01-31 08:54:01 +01:00
Stefan Metzmacher
2fe137e7bc heimdal:hdb: always include "config.h" first
metze
2009-01-30 19:44:20 +01:00
Stefan Metzmacher
55f663a04b heimdal:camellia: include roken.h
metze
2009-01-30 19:37:06 +01:00
Stefan Metzmacher
e592718c43 heimdal:roken: arg_match_long() should return a value
This should fix a build problem on IRIX.

metze
2009-01-30 18:02:21 +01:00
Stefan Metzmacher
3f09dd0d82 heimdal:roken: arg_printusage() should not try to return a value.
This should fix problems with the IRIX build.

metze
2009-01-30 17:58:57 +01:00
Stefan Metzmacher
9cf1175d33 heimdal:camellia-ntt.c: include config.h as first header
metze
2009-01-30 17:52:37 +01:00
Stefan Metzmacher
cdca75dee6 heimdal: don't include <sys/cdefs.h> without knowing it's there
metze
2009-01-30 17:38:41 +01:00
Stefan Metzmacher
73dbbe0d54 heimdal: don't include <ifaddrs.h> without knowing it's there
metze
2009-01-30 17:38:40 +01:00
Andrew Bartlett
2fc5ca8409 Re-add support for supporting the PAC over domain trusts.
(This was not entered in lorikeet-heimdal.diff, so missed by metze's import).

Andrew Bartlett
2008-11-04 16:06:57 +11:00
Jelmer Vernooij
e7810b1bc2 Use standard heimdal function for finding interfaces - libreplace provides support for the underlying functions now. 2008-11-02 18:14:53 +01:00
Stefan Metzmacher
2b29b71864 s4: import lorikeet-heimdal-200810271034
metze
2008-10-28 08:53:09 +01:00
Jelmer Vernooij
87ec1d2532 Make sure prototypes are always included, make some functions static and
remove some unused functions.
2008-10-20 18:59:51 +02:00
Andrew Bartlett
71022daac2 Add samba4kpasswd and rkpty binaries
smaba4kpasswd will be used to test the kpasswdd componet of the KDC
(which is up until now untested), and rkpty is an expect-like wrapper
we can use to blackbox that utility.

Andrew Bartlett
2008-10-20 20:07:08 +11:00
Andrew Bartlett
6a5547742f Allow the PAC to be passed along during cross-realm authentication 2008-10-06 14:28:27 -07:00
Andrew Bartlett
6ad78f01a5 Rename hdb_ldb to hdb_samba4 and load as a plugin into the kdc.
This avoids one more custom patch to the Heimdal code, and provides a
more standard way to produce hdb plugins in future.

I've renamed from hdb_ldb to hdb_samba4 as it really is not generic
ldb.

Andrew Bartlett
2008-09-29 22:34:35 -07:00
Andrew Bartlett
baf0b36081 Merge krb5_cksumtype_to_enctype from Heimdal svn -r 23719
(This used to be commit cc1df3c002)
2008-09-03 14:20:30 +10:00
Andrew Bartlett
0b16d70f39 Don't wipe the PAC checksums, the caller may actually need them.
(This used to be commit 9db5a966fc)
2008-08-28 16:19:16 +10:00
Stefan Metzmacher
9430420ba2 heimdal: add missing heimdal/lib/hcrypto/{evp-aes-cts.c,evp-hcrypto.c}, sorry...
metze
(This used to be commit 0c4227e45d)
2008-08-26 21:38:34 +02:00
Stefan Metzmacher
243321b4bb heimdal: import heimdal's trunk svn rev 23697 + lorikeet-heimdal patches
This is based on f56a3b1846c7d462542f2e9527f4d0ed8a34748d in my heimdal-wip repo.

metze
(This used to be commit 467a1f2163)
2008-08-26 19:46:38 +02:00
Stefan Metzmacher
9080b5d979 heimdal_build: autogenerate the heimdal private/proto headers
Now it's possible to just use a plain heimdal tree in source/heimdal/
without any pregenerated files.

metze
(This used to be commit da333ca711)
2008-08-26 18:49:17 +02:00
Stefan Metzmacher
a1bbd66b0f heimdal_build: autogenerate table files in heimdal/lib/wind/
metze
(This used to be commit f4cfba26ae)
2008-08-26 18:48:50 +02:00
Stefan Metzmacher
57d4e11023 heimdal_build: add fallback for AC_WARNING_ENABLE()
metze
(This used to be commit 8d6d96898d)
2008-08-26 18:47:49 +02:00
Stefan Metzmacher
f09f67d24d heimdal: remove unused old files
metze
(This used to be commit 94cef56212)
2008-08-26 18:47:48 +02:00
Stefan Metzmacher
1c4b84ee4f heimdal_build: add a fake sqlite keytab implementation
This remove a difference against lorikeet-heimdal.

metze
(This used to be commit 4314df3561)
2008-08-26 14:25:44 +02:00
Stefan Metzmacher
cec74e9b00 Revert "gsskrb5: add support for DCE_STYLE and des and des3 keys"
This reverts commit 86848dd0f2.

This should come back via a merge from heimdal's trunk later.

metze
(This used to be commit 585e5360e2)
2008-08-26 12:30:02 +02:00
Stefan Metzmacher
64826077bf Revert "gsskrb5: always return an acceptor subkey"
This reverts commit 6a8b07c395.

This isn't strictly needed and will come back in the next merge
from heimdal's trunk.

metze
(This used to be commit 8ed040c8c4)
2008-08-26 12:30:02 +02:00
Stefan Metzmacher
e75f1072b6 Revert "krb5: always generate the acceptor subkey as the same enctype as the used service key"
This reverts commit dbb94133e0.

As we fixed gensec_gssapi to only return a session key when it's
have the correct session key, this hack isn't needed anymore.

metze
(This used to be commit 697cd1896b)
2008-08-14 13:13:52 +02:00
Stefan Metzmacher
69d074af81 gsskrb5: always return an acceptor subkey
For non cfx keys it's the same as the intiator subkey.
This matches windows behavior.

metze
(This used to be commit 6a8b07c395)
2008-08-14 13:13:52 +02:00
Stefan Metzmacher
5569132f45 gsskrb5: try to be compatible with windows for gss_wrap* and cfx
The good thing is that windows and heimdal both use EC=0
in the non DCE_STYLE case, so we need the windows compat hack
only in DCE_STYLE mode.

metze
(This used to be commit 0fa41a94e4)
2008-08-08 15:29:17 +02:00
Stefan Metzmacher
610b1ada15 krb5: always generate the acceptor subkey as the same enctype as the used service key
With this patch samba4 can use gsskrb5_get_subkey() to get the session key.

metze
(This used to be commit dbb94133e0)
2008-08-08 15:29:16 +02:00
Stefan Metzmacher
4ad02f5185 gsskrb5: add support for DCE_STYLE and des and des3 keys
Only the des keys are tested as windows doesn't support des3

metze
(This used to be commit 86848dd0f2)
2008-08-08 12:52:14 +02:00
Stefan Metzmacher
86c9db8d4a heimdal: add missing files
metze
(This used to be commit b395cd7acd)
2008-08-01 17:49:45 +02:00
Stefan Metzmacher
9f5325ce39 heimdal: add missing file heimdal/lib/gssapi/mech/gss_pseudo_random.c
metze
(This used to be commit 3bd7e68a5c)
2008-08-01 17:27:18 +02:00
Stefan Metzmacher
a925f039ee heimdal: update to lorikeet-heimdal rev 801
metze
(This used to be commit d6c54a66fb)
2008-08-01 16:11:00 +02:00
Stefan Metzmacher
3678411037 gsskrb5: just don't force, but allow the flags when GSS_CF_NO_CI_FLAGS is given
metze
(This used to be commit f10c9ca361)
2008-06-27 12:43:04 +02:00
Stefan Metzmacher
eb192abd3a gsskrb5: fix gss_krb5_cred_no_ci_flags_x_oid_desc variable name
metze
(This used to be commit d88be1a1cb)
2008-06-27 12:43:04 +02:00
Stefan Metzmacher
b3ec55b984 krb5_init_sec_context: skip the token header when GSS_C_DCE_STYLE is specified
Windows (and heimdal) accepts packets with token header
in the server, but it doesn't match the windows client.
We now match the windows client and that fixes
also the display in wireshark.

metze
(This used to be commit 58f66184f0)
2008-06-02 16:58:04 +02:00
Andrew Bartlett
aaf62085dd Merge branch 'v4-0-logon' of git://git.id10ts.net/samba into 4-0-local
(This used to be commit 8252b51850)
2008-03-19 11:04:42 +11:00
Andrew Bartlett
9e6b0c2871 Merge lorikeet-heimdal -r 787 into Samba4 tree.
Andrew Bartlett
(This used to be commit d88b530522)
2008-03-19 10:17:42 +11:00
Andrew Kroeger
a550317253 heimdal: Add parameter to windc_plugin to allow extended return codes.
These changes add a krb5_data parameter named e_data to the windc_plugin to
allow the samba KDC to return extended error information in addition to the
standard KRB5KDC_ERR_* codes.  Windows uses the extended information to provide
detailed information in user dialogs (e.g. account disabled, logon hours
restriction, must change password, etc.).

This particular commit modifies only heimdal code.  Hopefully this can be
submitted and accepted into the upstream heimdal codebase.
(This used to be commit f542362be2)
2008-03-13 01:16:49 -05:00
Jelmer Vernooij
236a780baa idl: Use typedef rather than declare.
(This used to be commit 3fd750bd54)
2008-01-12 01:18:53 +01:00
Jelmer Vernooij
0500b87092 r26540: Revert my previous commit after concerns raised by Andrew.
(This used to be commit 6ac86f8be7)
2007-12-21 05:52:06 +01:00
Jelmer Vernooij
3e75f222bc r26539: Remove unnecessary statics.
(This used to be commit e53e79eebe)
2007-12-21 05:52:05 +01:00
Jelmer Vernooij
d378cf4c15 r26310: Remove more uses of global_loadparm.
(This used to be commit 9d806da113)
2007-12-21 05:48:22 +01:00
Stefan Metzmacher
9fe133ffc6 r25738: always include config.h first.
this needs merging to heimdal and lorikeet-heimdal

metze
(This used to be commit c2c2c991c7)
2007-12-21 05:43:36 +01:00
Stefan Metzmacher
5d482b634d r25734: regenerate yacc output (parse.[ch] files)
metze
(This used to be commit cb3aec0d22)
2007-12-21 05:43:34 +01:00
Stefan Metzmacher
12215fadf8 r25732: import updated parse.y files from lorikeet-heimdal
I wonder why they're not updated as the parse.[ch]
are generated from the new versions already...

metze
(This used to be commit 9735715a0f)
2007-12-21 05:43:32 +01:00
Stefan Metzmacher
733591c079 r25298: regenerate lex.c files with config.h as first include
this should help on aix 5.3.

metze
(This used to be commit bfd8c275bb)
2007-10-10 15:07:08 -05:00
Andrew Bartlett
b39330c487 r24614: Merge with current lorikeet-heimdal. This brings us one step closer
to an alpha release.

Andrew Bartlett
(This used to be commit 30e02747d5)
2007-10-10 15:02:25 -05:00
Stefan Metzmacher
c1010f666c r23895: reapply rev 23493:
regenerate lex.c files with flex 2.5.33
this makes sure we include config.h as first header

hopefully fixes the build on SerNet-aix

abartlet: please don't revert that again with your next
          heimdal merge...:-)

metze
(This used to be commit 8da4e9a9ac)
2007-10-10 15:01:08 -05:00
Andrew Tridgell
e1c15c74af r23799: updated old Franklin Street FSF addresses to new URL
(This used to be commit db92b76a00)
2007-10-10 14:59:16 -05:00
Andrew Bartlett
ec0035c9b8 r23678: Update to current lorikeet-heimdal (-r 767), which should fix the
panics on hosts without /dev/random.

Andrew Bartlett
(This used to be commit 14a4ddb131)
2007-10-10 14:58:59 -05:00
Stefan Metzmacher
f5c2f26e84 r23493: regenerate lex.c files with flex 2.5.33
this makes sure we include config.h as first header

hopefully fixes the build on SerNet-aix

metze
(This used to be commit 0149226ece)
2007-10-10 14:53:22 -05:00
Andrew Bartlett
91adebe749 r23456: Update Samba4 to current lorikeet-heimdal.
Andrew Bartlett
(This used to be commit ae0f81ab23)
2007-10-10 14:53:18 -05:00
Stefan Metzmacher
4690d5c553 r23209: import getnameinfo.c, inet_ntop.c and inet_pton.c from
loikeet-heimdal

metze
(This used to be commit 48eb20199e)
2007-10-10 14:53:04 -05:00
Andrew Tridgell
1a55a36401 r23060: use #include <roken.h> consistently. Using "roken.h" in this directory
breaks Samba builds on some systems as they find the wrong roken.h
(This used to be commit 59cd26b664)
2007-10-10 14:52:46 -05:00
Andrew Bartlett
cc275f011e r22191: Add a samba4kinit binary to the build, so I can test using an existing
ccache, as well as PKINIT.

Andrew Bartlett
(This used to be commit 440b8d9e4b)
2007-10-10 14:50:02 -05:00
Andrew Bartlett
548ffe7cf6 r21746: We don't link in this file any more.
(This used to be commit 123ae858c7)
2007-10-10 14:49:23 -05:00
Andrew Tridgell
3bdf3aa144 r21620: commit updated versions (with correct paths)
(This used to be commit 2694bfb143)
2007-10-10 14:49:03 -05:00
Stefan Metzmacher
3db368ad76 r21448: return the same error codes as a windows KDC
metze
(This used to be commit e4d69b83dc)
2007-10-10 14:48:37 -05:00
Stefan Metzmacher
544e17896e r21447: make handling of replying e_data more generic
love: please merge this

metze
(This used to be commit 3e4ff2de9c)
2007-10-10 14:48:37 -05:00
Stefan Metzmacher
f280849a6f r21439: fix compiler warnings
metze
(This used to be commit ac347d7aa5)
2007-10-10 14:48:35 -05:00
Stefan Metzmacher
837f283f81 r21438: create the PAC element in the same order as w2k3,
maybe there's some broken code in windows which relies
on this...

love: can you merge this to heimdal?

metze
(This used to be commit b64abf9113)
2007-10-10 14:48:35 -05:00
Stefan Metzmacher
5cd79db03e r21436: Choose the TGT session key enctype also by checking what enctypes
the krbtgt hdb entry provides.

We need to make sure other KDC's with the same hdb backend data
can accept the TGT. (w2k and w2k3 don't support aes256-cts-hmac-sha1-96 (18)
session keys.)

Love: I'm not sure if this is the correct way of doing it...

metze
(This used to be commit 5840f50d89)
2007-10-10 14:48:34 -05:00
Andrew Bartlett
d5bbd817fe r20988: Call out to Heimdal's krb5.conf processing to configure many aspects
of KDC behaviour.  This should allow PKINIT to be turned on and
managed with reasonable sanity.

This also means that the krb5.conf in the same directory as the
smb.conf will always have priority in Samba4, which I think will be
useful.

Andrew Bartlett
(This used to be commit a50bbde81b)
2007-10-10 14:44:18 -05:00
Jelmer Vernooij
c448896c7e r20786: Fix the build.
(This used to be commit 42bb335bd5)
2007-10-10 14:40:55 -05:00
Andrew Tridgell
1c211a2e43 r20650: revert a bunch of code I didn't mean to commit yet
(This used to be commit b3e2d49087)
2007-10-10 14:37:26 -05:00
Andrew Bartlett
2ffd009a74 r20648: Closer to a build... Add missing header file.
(This used to be commit a4051a2d65)
2007-10-10 14:37:24 -05:00
Andrew Tridgell
f6274959ba r20647: add cluster code
(This used to be commit 5870830b99)
2007-10-10 14:37:24 -05:00
Andrew Bartlett
2309c52444 r20643: Remove generated files accidentilly committed.
Andrew Bartlett
(This used to be commit 12953ee765)
2007-10-10 14:37:23 -05:00
Andrew Bartlett
126b48e5ab r20642: This bit of autoconf causes us pain. Revert back to how we had things
before the last merge.

Andrew Bartlett
(This used to be commit 9e7124cc85)
2007-10-10 14:37:22 -05:00
Andrew Bartlett
f7242f6437 r20640: Commit part 2/2
Update Heimdal to match current lorikeet-heimdal.  This includes
integrated PAC hooks, so Samba doesn't have to handle this any more.

This also brings in the PKINIT code, hence so many new files.

Andrew Bartlett
(This used to be commit 351f7040f7)
2007-10-10 14:37:20 -05:00
Stefan Metzmacher
f2784a8bb0 r20139: only add GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG if the caller requested it!
this is needed to create plain, singed or sealed LDAP connections.

this should go into lorikeet and main heimdal...

metze
(This used to be commit 75c037cae2)
2007-10-10 14:29:13 -05:00
Andrew Bartlett
5a6288f458 r19681: Update to current lorikeet-heimdal. I'm looking at using the realm
lookup plugin, the new PAC validation code as well as Heimdal's SPNEGO
implementation.

Andrew Bartlett
(This used to be commit 05421f45ed)
2007-10-10 14:25:31 -05:00
Stefan Metzmacher
d822b963f9 r19663: merge changes from lorikeet heimdal:
support for netbios domain based realms

metze
(This used to be commit dcec6eebf1)
2007-10-10 14:25:26 -05:00
Andrew Bartlett
e5974a1b5f r19650: Allow Samba to use Heimdal's SPNEGO code. Currently this can only
negotiate krb5, but if this works, I'll add NTLM as a GSSAPI backend
by some means or other.

Andrew Bartlett
(This used to be commit 476452e143)
2007-10-10 14:25:25 -05:00
Andrew Bartlett
ed77e4e57b r19644: Merge up to current lorikeet-heimdal, incling adding
gsskrb5_set_default_realm(), which should fix mimir's issues.

Andrew Bartlett
(This used to be commit 8117e76d2a)
2007-10-10 14:25:24 -05:00
Andrew Bartlett
f722b07438 r19633: Merge to lorikeet-heimdal, removing krb5_rd_req_return_keyblock in favour of a more tasteful replacement.
Remove kerberos_verify.c, as we don't need that code any more.
Replace with code for using the new krb5_rd_req_ctx() borrowed from
Heimdal's accecpt_sec_context.c

Andrew Bartlett
(This used to be commit 13c9df1d4f)
2007-10-10 14:25:21 -05:00
Andrew Bartlett
e10791a364 r19632: This got missed in the heimdal merge. Without this, we don't keep the
full database name.  The existing code (needed for when we use the HDB
as a keytab, such as for the kpasswd service) only works for HDB
keytabs not prefixed with a type.

Andrew Bartlett
(This used to be commit 12dc157dae)
2007-10-10 14:25:21 -05:00
Stefan Metzmacher
14b00f10d9 r19616: the heimdal spnego mech doesn't seem to use roken.h and isn't portable
(it doesn't compile on suse 10.1 because gethostname() isn't found,
 unistd.h isn't included...)

as we don't need the spnego mech, disable it till it gets fixed in heimdal

metze
(This used to be commit 0a52e11a9c)
2007-10-10 14:25:06 -05:00
Stefan Metzmacher
6f9bed3d3e r19615: include roken.h.in as this still includes the ifdef's we need in samba4
this should fix the portability of samba4

metze
(This used to be commit 497543a17e)
2007-10-10 14:25:06 -05:00
Stefan Metzmacher
7b1551c4c6 r19613: remove diff between samba4 and lorikeet
metze
(This used to be commit bec1783c4c)
2007-10-10 14:25:05 -05:00
Stefan Metzmacher
b14dafc3e2 r19612: fix the build with auto dependencies
the samba4 heimdal copy should do not need to use socket_wrapper

metze
(This used to be commit 704fe73940)
2007-10-10 14:25:05 -05:00
Andrew Bartlett
601f0e6316 r19606: Remove generated files
Andrew Bartlett
(This used to be commit 7b7e1fe153)
2007-10-10 14:25:03 -05:00
Andrew Bartlett
3c1e780ec7 r19604: This is a massive commit, and I appologise in advance for it's size.
This merges Samba4 with lorikeet-heimdal, which itself has been
tracking Heimdal CVS for the past couple of weeks.

This is such a big change because Heimdal reorganised it's internal
structures, with the mechglue merge, and because many of our 'wishes' have been granted:  we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code.  We have adapted to upstream's choice of API in these cases.

In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO
PAC.  This matches windows behavour.  We also have an option to
require the PAC to be present (which allows us to automate the testing
of this code).

This also includes a restructure of how the kerberos dependencies are
handled, due to the fallout of the merge.

Andrew Bartlett
(This used to be commit 4826f17351)
2007-10-10 14:25:03 -05:00
Andrew Tridgell
69e755892a r19325: leak fix from lha
(This used to be commit 248f3265e6)
2007-10-10 14:21:09 -05:00
Andrew Bartlett
83558e822b r18826: Allow 'enterprise' principal names to log in.
These principals do not need to be in the same realm as the rest of
the ticket, the full principal name is in the first componet of the
ASN.1.

Samba4's backend will handle getting this to the 'right' place.

Andrew Bartlett
(This used to be commit 90b01b8af2)
2007-10-10 14:19:14 -05:00
Andrew Tridgell
f7b29f23ad r18528: work around what appears to be a compiler bug in gcc on irix. It
caused the RPC-SECRETS test to crash smbd in an inlined version of
this memcmp() call. This patch should have absolutely no effect at
all, but in fact it prevents the crash.

Disassembling at the point of the crash, it shows that gcc is inlining
the memcmp(). I don't know enough MIPS assembler to actually spot the
bug. In case anyone reading this does know MIPS assembler, here is the
gcc generated code that crashes:

0x105e0218 <gssapi_krb5_verify_header+168>:     lw      $t1,52($sp)
0x105e021c <gssapi_krb5_verify_header+172>:     lw      $t1,0($t1)
0x105e0220 <gssapi_krb5_verify_header+176>:     lhu     $t1,0($t1)
0x105e0224 <gssapi_krb5_verify_header+180>:     lw      $t2,68($sp)
0x105e0228 <gssapi_krb5_verify_header+184>:     lhu     $t2,0($t2)
0x105e022c <gssapi_krb5_verify_header+188>:     subu    $t1,$t1,$t2

it gets a segv at 0x105e0220.

lha, what do you think of this? The change should be innocuous on all
other platforms, apart from making the code harder to read :(
(This used to be commit 95455b5789)
2007-10-10 14:18:42 -05:00
Andrew Tridgell
d2e72c46c1 r18322: fixed a compilation problem on AIX caused by lex not putting config.h
first. That leads to a conflicting define for lseek() due to
_LARGE_FILES being defined after standards headers are included
(This used to be commit 9034238e27)
2007-10-10 14:18:08 -05:00
Andrew Tridgell
66c16b5143 r18308: get this right ....
(This used to be commit 3697cd6597)
2007-10-10 14:18:06 -05:00
Andrew Tridgell
85e24e54d2 r18300: fixed a type bug in heimdal - lha, you happy with this upstream? It
showed up on ia_64 systems
(This used to be commit 1f38a7ea56)
2007-10-10 14:18:04 -05:00
Andrew Tridgell
aca4eeac43 r18204: darn, compilers always look in the directory the source is in for
headers with "" even with a -I override. That means our heimdal_build/
roken override doesn't work.

Switching to <> style includes in roken fixes this. lha, would be be
acceptable upstream? I notice that half your includes of roken.h are
with <> now anyway, so should be harmless (and even more consistent!)
(This used to be commit 92742b8999)
2007-10-10 14:17:49 -05:00
Jelmer Vernooij
38fdde5d9b r18031: Merge my replace fixes:
* libreplace can now build stand-alone
 * add stub testsuite for libreplace
 * make talloc/tdb/ldb use libreplace
(This used to be commit fe7ca4b145)
2007-10-10 14:17:05 -05:00
Andrew Bartlett
49e15ba555 r17986: Add a copy of the Heimdal licence to our source tree, to make it very
clear what the conditions on this code are, and that the terms are GPL
compatible.

Andrew Bartlett
(This used to be commit 99ce2ecf39)
2007-10-10 14:17:01 -05:00
Jelmer Vernooij
0329d755a7 r17930: Merge noinclude branch:
* Move dlinklist.h, smb.h to subsystem-specific directories
 * Clean up ads.h and move what is left of it to dsdb/
   (only place where it's used)
(This used to be commit f7afa1cb77)
2007-10-10 14:16:54 -05:00
Andrew Bartlett
b3076a39b9 r16235: Don't update minor_status when cleaning up on error. This restores
sensible log messages to gensec_gssapi.

Andrew Bartlett
(This used to be commit df2e4f061f)
2007-10-10 14:09:07 -05:00
Gerald Carter
e3a6c6be79 r16100: Patch from Michael Wood <mwood@icts.uct.ac.za>: s/then/than/ for correct grammar
(This used to be commit 26a2fa97e4)
2007-10-10 14:08:59 -05:00
Andrew Bartlett
e0bb0e9f95 r16056: Fix errors found by trying to use our kpasswd server and the Apple client.
Andrew Bartlett
(This used to be commit ae2913898c)
2007-10-10 14:08:54 -05:00
Stefan Metzmacher
72ce1f31e9 r16000: - use uint16_t instead of u_int16_t
- use int32_t for seq_number

both changes let us use the types which the main heimdal code uses

metze
(This used to be commit ecff7b70aa)
2007-10-10 14:08:48 -05:00
Stefan Metzmacher
ee1c2b79ed r15993: don't use u_int32_t, as the main heimdal code also don't use
it anymore

metze
(This used to be commit e1842c9b55)
2007-10-10 14:08:47 -05:00
Andrew Tridgell
0a1a19d9d9 r15953: our timegm() replacement still doesn't work, so grab the one from
Heimdal which does work. This should fix most of the rest of the
failures on solaris
(This used to be commit acfaa98b5e)
2007-10-10 14:08:44 -05:00
Andrew Bartlett
bfff6b0e64 r15515: Syncronsise with current lorikeet-heimdal.
Andrew Bartlett
(This used to be commit 0132312124)
2007-10-10 14:05:45 -05:00
Andrew Bartlett
e9237f96ef r15491: Always initialise is_cfx (found by Valgrind)
Always remember to free the crypto context (found by Luke Howard)
(This used to be commit 4b44355d42)
2007-10-10 14:05:41 -05:00
Andrew Bartlett
1ec7132b30 r15484: Make accept_security_context() more compatible with how Samba3 (and
similarly built clients) behave.

This is better than just ignoring the checksum, if it isn't the GSSAPI
checksum.  (Samba4 clients in Samba3 mode use more than just the MD5
checksum, and will use a signed AES checksum if available.  Actual
samba3 may well do the same in future, against a suitable KDC).

Also a change for easier debugging of checksum issues.

Andrew Bartlett
(This used to be commit 120374f5f9)
2007-10-10 14:05:39 -05:00
Andrew Bartlett
835926c879 r15481: Update heimdal/ to match current lorikeet-heimdal.
This includes many useful upstream changes, many of which should
reduce warnings in our compile.

It also includes a change to the HDB interface, which removes the need
for Samba4/lorikeet-heimdal to deviate from upstream for hdb_fetch().
The new flags replace the old entry type enum.

(This required the rework in hdb-ldb.c included in this commit)

Andrew Bartlett
(This used to be commit ef5604b877)
2007-10-10 14:05:39 -05:00
Andrew Bartlett
c33f6b2c37 r15192: Update Samba4 to use current lorikeet-heimdal.
Andrew Bartlett
(This used to be commit f0e538126c)
2007-10-10 14:04:15 -05:00
James Peach
7970a755ea r15155: Add strsep replacement from heimdal 0.7.2 for systems that don't
have strsep in libc.
(This used to be commit 76dea9f68c)
2007-10-10 14:04:12 -05:00
Andrew Tridgell
0291c48389 r14949: re-add the two lex.c files for heimdal, these are needed for systems
that don't have bison/flex. If we auto-generate these on samba.org we
can delete these again.
(This used to be commit dca9003ec2)
2007-10-10 14:00:22 -05:00
Stefan Metzmacher
c7ee532e46 r14711: let windows clients retry after getting ERR_SKEW
metze
(This used to be commit 02703f4e8f)
2007-10-10 13:59:11 -05:00
Andrew Bartlett
fc52ddf176 r14707: Initialise default value (the rest of this function sets it to 1 if
this is CFX).

Caught by Valgrind.

Andrew Bartlett
(This used to be commit bdb55ce2b5)
2007-10-10 13:59:11 -05:00
Andrew Bartlett
864d9b531d r14635: - Remove lex.c from SVN (it is built anyway, and having it in SVN
confuses things)

- Update Samba4 from lorikeet-heimdal

- Remove generated symlink on make clean

Andrew Bartlett
(This used to be commit a5c2b4cc92)
2007-10-10 13:59:02 -05:00
Jelmer Vernooij
59c427963f r14605: Create heimdal/lib/des/hcrypto symlink if it doesn't exist
(This used to be commit 303832bdc9)
2007-10-10 13:59:00 -05:00
Jelmer Vernooij
3cad0b87dc r14281: Pull apart LIBDIR and MODULESDIR
Move architecture-independent data to DATADIR (was LIBDIR)
(This used to be commit 2c7b62a861)
2007-10-10 13:57:07 -05:00
Andrew Bartlett
b7afac2b83 r14198: Update Samba4 to current lorikeet-heimdal.
Andrew Bartlett
(This used to be commit 97a0a0e2fa)
2007-10-10 13:56:58 -05:00
Andrew Bartlett
26421fb2dc r13481: As far as I can tell, my changes in -r 12863 were dangerously untested.
We do need the gsskrb5_get_initiator_subkey() routine.  But we should
ensure that we do always get a valid key, to prevent any segfaults.

Without this code, we get a different session key compared with
Win2k3, and so kerberised smb signing fails.

Andrew Bartlett
(This used to be commit cfd0df16b7)
2007-10-10 13:51:55 -05:00
Andrew Bartlett
20d9dc9796 r13144: This seems to be required for Samba4 to talk to Samba4, and to get the
same session key.  I need to understand this more, but it works
samba/samba, and I don't have access to windows doing AES (longhorn)
yet.

Andrew Bartlett
(This used to be commit 38809b43a5)
2007-10-10 13:51:28 -05:00
Andrew Bartlett
28d78c40ad r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in our
case) as the keytab.

This avoids issues in replicated setups, as we will replicate the
kpasswd key correctly (including from windows, which is why I care at
the moment).

Andrew Bartlett
(This used to be commit 849500d1aa)
2007-10-10 13:51:26 -05:00
Andrew Bartlett
adab8d3968 r12863: As lha suggested to me a while back, it appears that the
gsskrb5_get_initiator_subkey() routine is bougs.  We can indeed use
gss_krb5_get_subkey().

This is fortunate, as there was a segfault bug in 'initiator' version.

Andrew Bartlett
(This used to be commit ec11870ca1)
2007-10-10 13:50:55 -05:00
Jelmer Vernooij
63d718e243 r12696: Reduce the size of include/structs.h
(This used to be commit 6391761601)
2007-10-10 13:49:40 -05:00
Andrew Bartlett
fbf106f670 r12269: Update to current lorikeet-heimdal. This changed the way the hdb
interface worked, so hdb-ldb.c and the glue have been updated.

Andrew Bartlett
(This used to be commit 8fd5224c6b)
2007-10-10 13:47:26 -05:00
Andrew Bartlett
9afdb938cd r12037: Fix malloc corruption caused by double-free(), where realloc(ptr, 0)
is equivilant to free().

This is the issue tridge was seeing in the MEMORY: keytab code.

Andrew Bartlett
(This used to be commit d5a2de8ef0)
2007-10-10 13:47:01 -05:00
Andrew Bartlett
6913dddf64 r12000: Update to current lorikeet-heimdal, including in particular support
for referencing an existing in-MEMORY keytab (required for the new way
we push that to GSSAPI).

Andrew Bartlett
(This used to be commit 2426581dfb)
2007-10-10 13:46:57 -05:00
Andrew Bartlett
9c6b7f2d62 r11995: A big kerberos-related update.
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.

In particular, the credentials system now supplies GSS client and
server credentials.  These are imported into GSS with
gss_krb5_import_creds().  Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.

Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls.  Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.

To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass.  The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.

This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().

We can now (in theory) use a system-provided /etc/krb5.keytab, if

krb5Keytab: FILE:/etc/krb5.keytab

is added to the secrets.ldb record.  By default the attribute

privateKeytab: secrets.keytab

is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df4)
2007-10-10 13:46:56 -05:00
Andrew Bartlett
3a3c53327a r11940: Love has clarified why this code does what it does.
Andrew Bartlett
(This used to be commit 9b3dedbc0b)
2007-10-10 13:46:49 -05:00
Andrew Bartlett
68049cfac3 r11931: Add a short README explaining what this directory is all about.
Andrew Bartlett
(This used to be commit eaf8777e44)
2007-10-10 13:46:49 -05:00
Andrew Bartlett
ef9ec9583d r11930: Add socket/packet handling code for kpasswdd
Allow ticket requests with only a netbios name to be considered 'null'
addresses, and therefore allowed by default.

Use the netbios address as the workstation name for the allowed
workstations check with krb5.

Andrew Bartlett
(This used to be commit 328fa186f2)
2007-10-10 13:46:48 -05:00
Andrew Bartlett
30d164d9f0 r11568: Debuging aids: Let the administrator know when a key/entry expired,
rather than just the fact of the expiry.

Andrew Bartlett
(This used to be commit 31c4ab26d7)
2007-10-10 13:45:54 -05:00
Andrew Bartlett
918c7634c2 r11543: A major upgrade to our KDC and PAC handling.
We now put the PAC in the AS-REP, so that the client has it in the
TGT.  We then validate it (and re-sign it) on a TGS-REQ, ie when the
client wants a ticket.

This should also allow us to interop with windows KDCs.

If we get an invalid PAC at the TGS stage, we just drop it.

I'm slowly trying to move the application logic out of hdb-ldb.c, and
back in with the rest of Samba's auth system, for consistancy.  This
continues that trend.

Andrew Bartlett
(This used to be commit 36973b1eef)
2007-10-10 13:45:52 -05:00
Andrew Bartlett
f7ca730849 r11542: Add the netbios name type. We will need it when we start to handle
allowedWorkstations on Krb5.

Andrew Bartlett
(This used to be commit dbf73a82fc)
2007-10-10 13:45:51 -05:00
Andrew Bartlett
7bfbe8af7e r11541: More logical (I think...) delegation semantics.
Andrew Bartlett
(This used to be commit 6bb1b24428)
2007-10-10 13:45:51 -05:00
Andrew Bartlett
fb2394d309 r11536: Add a hook for client-principal access control to hdb-ldb, re-using
the code in auth/auth_sam.c for consistancy.  This will also allow us
to have one place for a backend directory hook.

I will use a very similar hook to add the PAC.

Andrew Bartlett
(This used to be commit 4315836cd8)
2007-10-10 13:45:50 -05:00
Andrew Bartlett
512f5ae881 r11529: Disable DNS lookups for forwarded credentials, unless really, really
wanted.  There is nothing that suggests that the host we forward
credentials to will not have other interfaces, unassoicated with their
service name.  Likewise, the name may be a netbios, not DNS name.

This should avoid some nasty DNS lookups.

Andrew Bartlett
(This used to be commit da0ff19856)
2007-10-10 13:45:49 -05:00
Andrew Bartlett
1ab27b7fdf r11477: This seems really nasty, but as I understand it an attacker cannot
change this checksum, as it is inside the encrypted packets.

Where the client (such as Samba3) fakes up GSSAPI, allow it to
continue.  We can't rid the world of all Samba3 and similar clients...

Andrew Bartlett
(This used to be commit e60cdb63fb)
2007-10-10 13:45:42 -05:00
Andrew Bartlett
3b213ca9a3 r11469: Fix typo, and use the correct (RFC4120) session key for delegating
credentials.  This means we now delegate to windows correctly.

Andrew Bartlett
(This used to be commit d6928a3bf8)
2007-10-10 13:45:40 -05:00
Andrew Bartlett
cc0f3779b1 r11468: Merge a bit more of init_sec_context from Heimdal CVS into our
DCE_STYLE modified version, and add parametric options to control
delegation.

It turns out the only remaining issue is sending delegated credentials
to a windows server, probably due to the bug lha mentions in his blog
(using the wrong key).

If I turn delgation on in smbclient, but off in smbd, I can proxy a
cifs session.

I can't wait till Heimdal 0.8, so I'll see if I can figure out the fix
myself :-)

Andrew Bartlett
(This used to be commit fd5fd03570)
2007-10-10 13:45:40 -05:00
Andrew Bartlett
84c908d983 r11462: Fix the build: somehow I lost the header for this samba-specific hack.
Andrew Bartlett
(This used to be commit 0a41941189)
2007-10-10 13:45:39 -05:00
Andrew Bartlett
3b2a6997b4 r11452: Update Heimdal to current lorikeet, including removing the ccache side
of the gsskrb5_acquire_cred hack.

Add support for delegated credentials into the auth and credentials
subsystem, and specifically into gensec_gssapi.

Add the CIFS NTVFS handler as a consumer of delegated credentials,
when no user/domain/password is specified.

Andrew Bartlett
(This used to be commit 55b89899ad)
2007-10-10 13:45:38 -05:00
Volker Lendecke
0ea06b97c2 r11392: After confirmation from Love, fix a compiler warning
(This used to be commit a0b4036ba6)
2007-10-10 13:45:30 -05:00
Andrew Bartlett
1244a97dbe r11317: An ugly hack to setup the global gssapi_krb5_context early, when we
have easy access to the event context.

This stops Samba dead-locking against itself when the winbindd client
tries to contact the KDC.

Andrew Bartlett
(This used to be commit 57f811115e)
2007-10-10 13:45:19 -05:00
Andrew Bartlett
14a3abd559 r11314: Use a patch from lha to have the kerberos libs extract the PAC, rather
than doing ASN.1 parsing in Samba.

Also use the API function for getting a client from a ticket, rather
than just digging in the structure.

Andrew Bartlett
(This used to be commit 25d5ea6d72)
2007-10-10 13:45:18 -05:00
Andrew Bartlett
4dc5da1335 r11310: Free the 'if_relevent' portion of the PAC when we build it.
Andrew Bartlett
(This used to be commit ede638c00b)
2007-10-10 13:45:17 -05:00
Andrew Bartlett
4019064c5d r11294: Update Heimdal in Samba4 to lorikeet-heimdal (which is in turn updated
to CVS of 2005-10-24).

Andrew Bartlett
(This used to be commit 939d4f340f)
2007-10-10 13:45:15 -05:00
Andrew Bartlett
5a30cd8097 r10983: Another case were we want to avoid DNS for unqualified names.
Andrew Bartlett
(This used to be commit 1d7094b8df)
2007-10-10 13:39:50 -05:00
Andrew Bartlett
8407a1a866 r10561: This patch takes over KDC socket routines in Heimdal, and directs them
at the Samba4 socket layer.

The intention here is to ensure that other events may be processed while
heimdal is waiting on the KDC.  The interface is designed to be
sufficiently flexible, so that the plugin may choose how to time
communication with the KDC (ie multiple outstanding requests, looking
for a functional KDC).

I've hacked the socket layer out of cldap.c to handle this very
specific case of one udp packet and reply.  Likewise I also handle
TCP, stolen from the winbind code.

This same plugin system might also be useful for a self-contained
testing mode in Heimdal, in conjunction with libkdc.  I would suggest
using socket-wrapper instead however.

Andrew Bartlett
(This used to be commit 3b09f9e8f9)
2007-10-10 13:39:04 -05:00
Andrew Bartlett
3b7f8ddd9a r10398: Don't do DNS lookups on short names (no .).
Andrew Bartlett
(This used to be commit 77aca9619d)
2007-10-10 13:38:39 -05:00
Andrew Bartlett
c44efdaa22 r10386: Merge current lorikeet-heimdal into Samba4.
Andrew Bartlett
(This used to be commit 4d2a9a9bc4)
2007-10-10 13:38:38 -05:00
Andrew Bartlett
42f2519b50 r10382: In the absence of client support for the full KDC-side
canonicalisation code, I've hacked Heimdal to use the default realm if
no other realm can be determined for a given host.

Andrew Bartlett
(This used to be commit 0f0b0021b7)
2007-10-10 13:38:34 -05:00
Andrew Bartlett
f9263dd102 r10337: This grubby little hack is the implementation of a concept discussed
on the kerberos mailing lists a couple of weeks ago: Don't use DNS at
all for expanding short names into long names.

Using the 'override krb5_init_context' code already in the tree, this
removes the DNS lag on a kerberos session setup/connection.

Andrew Bartlett
(This used to be commit de3ceab3d0)
2007-10-10 13:38:29 -05:00
Andrew Bartlett
f3bce652c8 r10286: This patch is ugly and disgusting, but for now it works better than the other
ideas I have had.

When I get a full list of things I want to do to a krb5_context I'll
either add gsskrb5_ wrappers, or a way of speicfying the krb5 context
per gssapi context.

(I want to ensure that the only krb5_context variables created while
executing Samba4 are via our wrapper).

Andrew Bartlett
(This used to be commit 8a22d46e70)
2007-10-10 13:38:13 -05:00
Jelmer Vernooij
957d361cd1 r10191: Return the right error code in the case of a time skew. Windows will now
ignore Kerberos and fallback to NTLMSSP when joining. Thanks to Andrew Bartlett
for the assistence.
(This used to be commit 3b6bfbe8cf)
2007-10-10 13:38:07 -05:00
James Peach
0639375119 r10159: Dereference padsize before comparing to an int.
(This used to be commit 5767c05909)
2007-10-10 13:38:04 -05:00
Andrew Bartlett
5edbeca141 r10153: This patch adds a new parameter to gensec_sig_size(), the size of the
data to be signed/sealed.  We can use this to split the data from the
signature portion of the resultant wrapped packet.

This required merging the gsskrb5_wrap_size patch from
lorikeet-heimdal, and fixes AES encrption issues on DCE/RPC (we no
longer use a static 45 byte value).

This fixes one of the krb5 issues in my list.

Andrew Bartlett
(This used to be commit e4f2afc343)
2007-10-10 13:38:04 -05:00
Andrew Bartlett
cfdcc32f84 r10149: Update Samba4 to current lorikeet-heimdal.
Andrew Bartlett
(This used to be commit b9695d5e7c)
2007-10-10 13:38:03 -05:00
Andrew Bartlett
6a74a83151 r10072: Fix mismerge weridness in error handling.
Andrew Bartlett
(This used to be commit c17926b6fe)
2007-10-10 13:36:34 -05:00
Andrew Bartlett
1f2f470889 r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.

Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.

I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal.  It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging.  (metze assures me it still has memory leak problems, but
I've started to address some of that).

This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.

On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC.  Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.

One thing doesn't work with this patch:
 - the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken.  I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.

Andrew Bartlett
(This used to be commit a3aba57c00)
2007-10-10 13:36:33 -05:00
Andrew Bartlett
6b14ffe271 r10035: This patch removes the need for the special case hack
'MEMORY_WILDCARD' keytab type. (part of this checking is in effect a
merge from lorikeet-heimdal, where I removed this)

This is achieved by correctly using the GSSAPI gsskrb5_acquire_cred()
function, as this allows us to specify the target principal, regardless
of which alias the client may use.

This patch also tries to simplify some principal handling and fixes some
error cases.

Posted to samba-technical, reviewed by metze, and looked over by lha on IRC.

Andrew Bartlett
(This used to be commit 506a7b67ae)
2007-10-10 13:36:31 -05:00