samba-mirror

mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00

Author	SHA1	Message	Date
Günther Deschner	f85b233a3e	s4-kdc: Fix Coverity ID #1373385 (OVERRUN) Guenther Pair-Programmed-With: Volker Lendecke <vl@samba.org> Pair-Programmed-With: Andreas Schneider <asn@samba.org> Signed-off-by: Guenther Deschner <gd@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Volker Lendecke <vl@samba.org> Autobuild-User(master): Günther Deschner <gd@samba.org> Autobuild-Date(master): Thu Sep 29 22:16:52 CEST 2016 on sn-devel-144	2016-09-29 22:16:52 +02:00
Günther Deschner	9ad014ea4f	s4-kdc: Fix Coverity ID #1373386 (Resource Leak) Guenther Pair-Programmed-With: Volker Lendecke <vl@samba.org> Signed-off-by: Guenther Deschner <gd@samba.org>	2016-09-29 18:30:18 +02:00
Andreas Schneider	5ab88ddbb9	s4-kdc: Remove unused etypes from sdb structure Signed-off-by: Andreas Schneider <asn@samba.org> eviewed-by: Guenther Deschner <gd@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Mon Sep 26 06:08:09 CEST 2016 on sn-devel-144	2016-09-26 06:08:09 +02:00
Andreas Schneider	47f10584d7	s4-kdc: Sort encrytion keys in descending order of strength Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>	2016-09-26 02:25:07 +02:00
Andreas Schneider	41172e2755	krb5_wrap: Rename krb5_copy_data_contents() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-31 20:59:13 +02:00
Andreas Schneider	e8632e2af5	krb5_wrap: Rename kerberos_free_data_contents() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-08-31 20:59:13 +02:00
Stefan Metzmacher	1be64cb660	s4:kdc: ignore empty supplementalCredentialsBlob structures BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-07-20 21:27:17 +02:00
Stefan Metzmacher	8ac4218690	s4:kdc: don't allow interactive password logons with UF_SMARTCARD_REQUIRED BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:24 +02:00
Stefan Metzmacher	a5efb21a53	s4:kdc: use "msDS-UserPasswordExpiryTimeComputed" instead of samdb_result_force_password_change() The logic in samdb_result_force_password_change() is incomplete and the correct logic is already available via the constructed "msDS-UserPasswordExpiryTimeComputed" attribute. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-06-30 03:30:23 +02:00
Günther Deschner	d49b4aafa8	s4-kdc: Use sdb in db-glue and hdb-samba4 Guenther Pair-Programmed-With: Andreas Schneider <asn@samba.org> Signed-off-by: Guenther Deschner <gd@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Thu Jul 30 13:29:27 CEST 2015 on sn-devel-104	2015-07-30 13:29:27 +02:00
Andreas Schneider	1c4dc00a5e	s4-kdc: Use smb_krb5_principal_get_(type\|realm) in db-glue Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>	2015-07-30 10:24:26 +02:00
Andreas Schneider	81471560d9	s4-kdc: Fix a casting warning Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>	2015-07-21 19:04:14 +02:00
Andreas Schneider	17c8b1a821	s4-kdc: Fix a typo Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>	2015-07-21 19:04:14 +02:00
Stefan Metzmacher	839645d238	s4:kdc/db-glue: make use of dsdb_trust_search_tdo() dsdb_trust_search_tdo() is almost the same as sam_get_results_trust(), so we can remove sam_get_results_trust() later. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2015-07-08 18:38:21 +02:00
Stefan Metzmacher	143b654ad2	s4:kdc/db-glue: implement cross forest routing by return HDB_ERR_WRONG_REALM We lookup the principal against our trust routing table and return HDB_ERR_WRONG_REALM and the realm of the next trust hoop. Routing within our own forest is not supported yet. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2015-07-08 18:38:21 +02:00
Stefan Metzmacher	3a14835d18	s4:kdc/db-glue: let samba_kdc_trust_message2entry always generate the principal We should always return the principal from the values stored in the database. This also means we need to ignore a missing HDB_F_CANON. This was demonstrated by running some new tests against windows. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2015-07-08 18:38:20 +02:00
Stefan Metzmacher	3943f02691	s4:kdc/db-glue: preferr the previous password for trust accounts If no kvno is specified we should return the keys with the lowest value. For the initial value this means we return the current key with kvno 0 (NULL on the wire). Later we return the previous key with kvno current - 1. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2015-07-08 18:38:20 +02:00
Stefan Metzmacher	f05c0bc639	s4:kdc/db-glue: allow invalid kvno numbers in samba_kdc_trust_message2entry() We should fallback to the current password if the trusted KDC used a wrong kvno. After commit `6f8b868a29`, we always have the previous password filled. With the trust creation we typically don't have a TRUST_AUTH_TYPE_VERSION in the current nor in the previous array. This means current_kvno is 0. And now previous_kvno is 255. A FreeIPA/MIT KDC uses kvno=1 in the referral ticket, which triggered the 'Request for unknown kvno 1 - current kvno is 0' case. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2015-07-08 18:38:20 +02:00
Stefan Metzmacher	61de10240e	s4:kdc/db-glue: allow principals in form of computer@EXAMPLE.COM This should be translated to computer$@EXAMPLE.COM. Note the behavior differs between client and server lookup. In samba_kdc_lookup_client() we need to fallback in case of NO_SUCH_USER. samba_kdc_lookup_server() needs to do a single search and only use the result if it's unique. Bug: https://bugzilla.samba.org/show_bug.cgi?id=11130 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2015-06-24 01:03:16 +02:00
Stefan Metzmacher	ccb6495445	s4:kdc/db-glue: fix memory leak in samba_kdc_lookup_server() We need to free enterprise_principal if generated. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2015-06-24 01:03:16 +02:00
Stefan Metzmacher	14b6e0a599	s4:kdc/db-glue: samba_kdc_trust_message2entry() should use the normalized principal as salt smbclient //w2012r2-183.w2012r2-l4.base/netlogon -c 'ls' -k yes -Uadministrator@S4XDOM.BASE%A1b2C3d4 worked while smbclient //w2012r2-183.w2012r2-l4.base/netlogon -c 'ls' -k yes -Uadministrator@s4xdom.base failed, if aes keys are used across the trust. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org> Autobuild-User(master): Günther Deschner <gd@samba.org> Autobuild-Date(master): Fri Mar 27 04:02:05 CET 2015 on sn-devel-104	2015-03-27 04:02:05 +01:00
Günther Deschner	4b12fcebaf	s4-kdc/db_glue: avoid accessing private struct members when there are accessor funcs. Guenther Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-27 01:26:16 +01:00
Günther Deschner	e2eef86431	s4-kdc/db_glue: use smb_krb5_principal_set_type(). Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-27 01:26:16 +01:00
Günther Deschner	ac23b7dd52	s4-kdc/db-glue: make sure to use smb_krb5_get_pw_salt and smb_krb5_create_key_from_string. Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-27 01:26:16 +01:00
Günther Deschner	cebecffd98	s4-kdc/db-glue: use smb_krb5_principal_get_comp_string in dbglue. Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-27 01:26:16 +01:00
Günther Deschner	2a0e2dd52a	s4-kdc/db-glue: use principal_comp_str{case}cmp. Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-27 01:26:16 +01:00
Günther Deschner	6d6e411fb8	s4-kdc/db-glue: add principal_comp_str{case}cmp Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-27 01:26:16 +01:00
Günther Deschner	ba1838300c	s4-kdc/db_glue: pass down only a samba_kdc_entry to samba_kdc_check_s4u2proxy(). Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-27 01:26:16 +01:00
Günther Deschner	f4b087b483	s4-kdc/db_glue: pass down only a samba_kdc_entry to samba_kdc_check_pkinit_ms_upn_match(). Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-27 01:26:16 +01:00
Günther Deschner	7afd9e6aca	s4-kdc/db_glue: pass down only a samba_kdc_entry to samba_kdc_check_s4u2self(). Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-27 01:26:16 +01:00
Günther Deschner	9a0263a7c3	s4-kdc/db_glue: workaround different CLIENT_NAME_MISMATCH error codes. Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-27 01:26:16 +01:00
Andreas Schneider	a9bcc86504	kdc-db-glue: Remove unused code. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-20 23:25:54 +01:00
Andreas Schneider	b21b2d596e	kdc-db-glue: Do not allocate memory for the principal The function we are calling already allocate memory. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-20 23:25:54 +01:00
Andreas Schneider	aa1431e53f	kdc-db-glue: Fix memory cleanup to avoid crashes. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-20 23:25:54 +01:00
Andreas Schneider	6ada266dcf	kdc-db-glue: Fix function format of samba_kdc_message2entry() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-20 23:25:54 +01:00
Andreas Schneider	b9072d9741	kdc-db-glue: Fix a NULL pointer dereference. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-20 23:25:54 +01:00
Günther Deschner	13cd1d5c58	s4-kdc/db_glue: bad idea to free parent mem_ctx when sub function got a failure. Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-20 23:25:54 +01:00
Günther Deschner	e49802a02d	s4-kdc/db-glue: use krb5_copy_data_contents in samba_kdc_message2entry_keys(). Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-20 23:25:54 +01:00
Günther Deschner	c5eb9b388e	s4-kdc/db_glue: use KRB5_PW_SALT instead of hdb type. Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-20 23:25:54 +01:00
Günther Deschner	683ba8a09d	s4-kdc/db_glue: use smb_krb5_principal_get_type() to access private members Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-20 23:25:54 +01:00
Günther Deschner	3ee26c43b9	s4-kdc/db_glue: use KRB5_KEY_TYPE to access private key members. Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-20 23:25:54 +01:00
Günther Deschner	0163c9403e	s4-kdc/db_glue: use time_t directly instead of KerberosTime. Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-20 23:25:54 +01:00
Günther Deschner	668f1e9ab0	s4-kdc/db_glue: use krb5_principal_get_comp_string() to access members of private structs. Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-20 23:25:53 +01:00
Günther Deschner	75602bf1ae	s4-kdc/db_glue: use krb5_princ_size() instead of inspecting private structs. Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-20 23:25:53 +01:00
Günther Deschner	10a06fcd55	s4-kdc/db_glue: use smb_krb5_principal_get_realm(). Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-20 23:25:53 +01:00
Stefan Metzmacher	8b2cada705	s4:kdc/db-glue: pass a valid principal from samba_kdc_seq() to samba_kdc_message2entry() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2015-03-20 23:25:53 +01:00
Günther Deschner	463be9f676	s4-kdc/db_glue: use smb_krb5_principal_set_realm(). Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-20 23:25:53 +01:00
Günther Deschner	b705ec95d4	s4-kdc/db_glue: use krb5_copy_principal(). Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-20 23:25:53 +01:00
Günther Deschner	7296f1b2f5	s4-kdc/db_glue: use smb_krb5_make_principal(). Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-20 23:25:53 +01:00
Günther Deschner	2b29bfe62a	s4-kdc/db_glue: use smb_krb5_keyblock_init_contents(). Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2015-03-20 23:25:53 +01:00

1 2 3

126 Commits