IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
For non-testing callers of auth_generate_session_info(), passing
lp_ctx will allow us to correctly set a flag indicating if claims
should be evaluated.
For testing applications, the default will allow safe operation
inspecting the SID list.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
If we pass an empty string as the ‘whoami’ parameter, MIT’s logging
facilities will prepend a mysterious colon to the message. Printing
“mitkdc: ” ought at least to be more sensible, and perhaps more closely
to match our behaviour prior to commit
dd8138236b.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
winsdb_message() stores this element as hexadecimal, which format
ldb_msg_find_attr_as_uint() cannot cope with. Permit this element to be
in either decimal or hexadecimal format.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This function is a near‐duplicate of smb_krb5_principal_is_tgs().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This implementation is no longer called: using a variable of static
storage duration as a conduit for return values is only asking for
trouble.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This function has the handy feature of being able to be called twice in
succession without mysteriously breaking your code. Now, doesn’t that
sound useful?
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This implementation doesn’t rely on a variable of static storage
duration being used as a conduit for the return value.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
For now this function is a mere wrapper round krb5_princ_component(),
but one whose interface allows for a more sensible implementation.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Create a temporary memory context on which to allocate things.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
To do so is to invoke undefined behaviour.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This makes it clearer what these variables are used for, and avoids
confusion with the similarly‐named ‘nt_status’ variables — also used in
these functions.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Having pac_blobs::type_blobs be managed both by talloc and by the
‘pac_blobs’ structure itself (with pac_blobs_destroy()) is very prone to
error. So is the current situation of having the other ‘pac_blobs’
functions each take in a memory context.
Improve these circumstances by requiring ‘pac_blobs’ to be managed by
talloc. Now the other functions can dispense with their ‘mem_ctx’
parameters, being instead able to allocate on to the ‘pac_blobs’
structure itself. pac_blobs_init() no longer must be a separate
function; inline it into pac_blobs_from_krb5_pac(). pac_blobs_destroy(),
being no longer of use, can go too.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This helps to make error‐checking and cleanup more systematic.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This avoids allocating working structures on to a potentially long‐lived
context.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Introduce a temporary memory context and allocate working structures on
to it.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Introduce a temporary variable instead of assigning the result of
talloc_realloc() directly to samr_RidWithAttributeArray::rids. In this
way we avoid having a structure with a non‐zero ‘count’ but with ‘rids’
set to the NULL pointer.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We must allocate the domain groups on to the correct memory context,
lest they get freed prematurely.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This makes it less likely that we forget to clean up resources.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Allocate variables on to a temporary context rather than on to the
potentially long‐lived context passed in by the caller.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
I’m not sure exactly how this check was supposed to work. But in any
case, within fast_unwrap_request() the Heimdal KDC replaces the outer
padata with the padata from the inner FAST request. Hence, this check
does not accomplish anything useful: at no point should the KDC plugin
see the outer padata.
A couple of unwanted consequences resulted from this check. One was that
a client who sent empty FX‐FAST padata within the inner FAST request
would receive the *Authentication Authority* Asserted Identity SID
instead of the *Service* Asserted Identity SID. Another consequence was
that a client could in the same manner bypass the restriction on
performing S4U2Self with an RODC‐issued TGT.
Overall, samba_wdc_is_s4u2self_req() is somewhat of a hack. But the
Heimdal plugin API gives us nothing better to work with.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
A wrapper doesn’t add much utility to a function this small. We might as
well join these two into a single function.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is more consistent with the other PAC blob functions, and easier to
reason about.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The lifetime of a blob’s contents should be tied to the lifetime of the
blob itself.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>