summaryrefslogtreecommitdiffstats
path: root/src/providers/krb5/krb5_child.c
Commit message (Collapse)AuthorAgeFilesLines
* Fixing critical format string issues.Lukas Slebodnik2013-05-201-1/+3
| | | | | | --missing arguments. --format '%s', but argument is integer. --wrong format string, examle: '%\n'
* Allow usage of enterprise principalsSumit Bose2013-04-221-3/+11
| | | | | | | | | | | | | | | | | | | | | | | | Enterprise principals are currently most useful for the AD provider and hence enabled here by default while for the other Kerberos based authentication providers they are disabled by default. If additional UPN suffixes are configured for the AD domain the user principal stored in the AD LDAP server might not contain the real Kerberos realm of the AD domain but one of the additional suffixes which might be completely randomly chooses, e.g. are not related to any existing DNS domain. This make it hard for a client to figure out the right KDC to send requests to. To get around this enterprise principals (see http://tools.ietf.org/html/rfc6806 for details) were introduced. Basically a default realm is added to the principal so that the Kerberos client libraries at least know where to send the request to. It is not in the responsibility of the KDC to either handle the request itself, return a client referral if he thinks a different KDC can handle the request or return and error. This feature is also use to allow authentication in AD environments with cross forest trusts. Fixes https://fedorahosted.org/sssd/ticket/1842
* Check for correct variable nameJakub Hrozek2013-04-031-4/+0
| | | | https://fedorahosted.org/sssd/ticket/1864
* krb5 child: Use the correct type when processing OTPJakub Hrozek2013-04-031-1/+1
|
* Making the authtok structure really opaque.Lukas Slebodnik2013-04-021-14/+14
| | | | | | | | | | | | | | | | | | | | Definition of structure sss_auth_token was removed from header file authtok.h and there left only declaration of this structure. Therefore only way how to use this structure is to use accessory function from same header file. To creating new empty authotok can only be used newly created function sss_authtok_new(). TALLOC context was removed from copy and setter functions, because pointer to stuct sss_auth_token is used as a memory context. All declaration of struct sss_auth_token variables was replaced with pointer to this structure and related changes was made in source code. Function copy_pam_data can copy from argument src which was dynamically allocated with function create_pam_data() or zero initialized struct pam_data allocated on stack. https://fedorahosted.org/sssd/ticket/1830
* Reusing create_pam_data() on the other places.Lukas Slebodnik2013-04-021-1/+1
| | | | | | Function create_pam_data() should be only one way how to create new struct pam_data, because it also initialize destructor to created object.
* Add support for krb5 1.11's responder callback.Nathaniel McCallum2013-03-081-0/+223
| | | | | | | | | | | krb5 1.11 adds support for a new method for responding to structured data queries. This method, called the responder, provides an alternative to the prompter interface. This patch adds support for this method. It takes the password and provides it via a responder instead of the prompter. In the case of OTP authentication, it also disables the caching of credentials (since the credentials are one-time only).
* Cleanup error message handling for krb5 childSimo Sorce2013-03-041-229/+160
| | | | | | | | | | | | | | | | | | | | Use the new internal SSSD errors, to simplify error handling. Instead of using up to 3 different error types (system, krb5 and pam_status), collapse all error reporting into one error type mapped on errno_t. The returned error can contain either SSSD internal errors, kerberos errors or system errors, they all use different number spaces so there is no overlap and they can be safely merged. This means that errors being sent from the child to the parent are not pam status error messages anymore. The callers have been changed to properly deal with that. Also note that this patch removes returning SSS_PAM_SYSTEM_INFO from the krb5_child for kerberos errors as all it was doing was simply to make the parent emit the same debug log already emitted by the child, and the code is simpler if we do not do that.
* krb5_child: fix value type and initializationOndrej Kos2013-03-041-1/+2
| | | | ret was defined as integer, instead of errno_t, and was uninitialized
* Refactor krb5 childSimo Sorce2013-02-281-288/+210
| | | | | | | | | | | | | | | | | | | | | | | | | | The aim of this refactoring is to make the code readable and understandable. This code has grown organically over time and has becomed confused and baroque enough that understanding it's very simple flow had become very complex for the uninitiated. Complex flows easily hide nasty bugs. Improvements: - Remove dead/unused data storage - Fix and simplify talloc hierarchy, use a memory context (kr) for the whole code and allocate kr->pd where it is filled up. - Rename some functions to create a better name space (easier for searching fucntions across the tree) - Streamline setup function, by spliting out fast setup in a subroutine. - Avoid confusing indirection in executng actual functions by not using the krb5_req child_req member. - Make main() flow s now simmetric, send abck data from the main function instead of delegating a reply to every inner function that implements a command. Now the flow is evident from the main function: 1. read request 2. setup data 3. execute command 4. send reply back
* krb5_child style fixSimo Sorce2013-02-281-11/+11
| | | | Use the standard 'done' label for exceptions.
* Change pam data auth tokens.Simo Sorce2013-01-101-71/+77
| | | | Use the new authtok abstraction and interfaces throught the code.
* Disable canonicalization during password changesSumit Bose2012-11-191-2/+43
| | | | | | | | | | | | | | | If canonicalization is enabled Active Directory KDCs return 'krbtgt/AD.DOMAIN' as service name instead of the expected 'kadmin/changepw' which causes a 'KDC reply did not match expectations' error. Additionally the forwardable and proxiable flags are disabled, the renewable lifetime is set to 0 and the lifetime of the ticket is set to 5 minutes as recommended in https://fedorahosted.org/sssd/ticket/1405 and also done by the kpasswd utility. Fixes: https://fedorahosted.org/sssd/ticket/1405 https://fedorahosted.org/sssd/ticket/1615
* Just use the service name with krb5_get_init_creds_password()Sumit Bose2012-11-191-24/+2
| | | | | | | | | Currently we add the realm name to change password principal but according to the MIT Kerberos docs and the upstream usage the realm name is just ignored. Dropping the realm name also does not lead to confusion if the change password request was received for a user of a trusted domain.
* Only build extract_and_send_pac on platforms that support itJakub Hrozek2012-11-121-104/+18
|
* Include talloc log in our debug facilityMichal Zidek2012-10-291-1/+1
| | | | https://fedorahosted.org/sssd/ticket/1495
* krb5_child: send back the client principalSumit Bose2012-10-261-5/+24
| | | | | | | | | | | | | In general Kerberos is case sensitive but the KDC of Active Directory typically handles request case in-sensitive. In the case where we guess a user principal by combining the user name and the realm and are not sure about the cases of the letters used in the user name we might get a valid ticket from the AD KDC but are not able to access it with the Kerberos client library because we assume a wrong case. The client principal in the returned credentials will always have the right cases. To be able to update the cache user principal name the krb5_child will return the principal for further processing.
* krb5_child: send PAC to PAC responderSumit Bose2012-10-261-1/+139
| | | | | | If the authenticated user comes from a different realm the service ticket which was returned during the validation of the TGT is used to extract the PAC which is send to the pac responder for evaluation.
* krb5_auth: send different_realm flag to krb5_childSumit Bose2012-10-261-0/+4
| | | | | | | The different_realm flag which was set by the responder is send to the krb5_child so that it can act differently on users from other realms. To avoid code duplication and inconsistent behaviour the krb5_child will not set the flag on its own but use the one from the provider.
* Only call krb5_set_trace_callback on platforms that support itJakub Hrozek2012-10-121-1/+1
|
* Collect krb5 trace on high debug levelsJakub Hrozek2012-10-121-1/+24
| | | | | | | If the debug level contains SSSDBG_TRACE_ALL, then the logs would also include tracing information from libkrb5. https://fedorahosted.org/sssd/ticket/1539
* Two fixes to child processesJakub Hrozek2012-10-121-2/+0
| | | | | | | | There was an unused structure member in the krb5_child. Declaration of __krb5_error_msg was shadowing the same variable from sss_krb5.h which is not nice. Also we might actually use the error context directly instead of passing it as parameter.
* Add more info about ticket validationOndrej Kos2012-10-101-0/+8
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1499 Adds log message about not finding appropriate entry in keytab and using the last keytab entry when validation is enabled. Adds more information about validation into manpage.
* Log possibly non-randomizable ccache file templateOndrej Kos2012-10-041-1/+1
| | | | | | | fixes https://fedorahosted.org/sssd/ticket/1533 ccache file template is now checked for appended XXXXXX for use with mkstemp. When those characters are not present, warning is written to log.
* KRB5 child: handle more error codes gracefullyJakub Hrozek2012-09-201-31/+26
| | | | | This patch changes handling of krb5 child error codes so that it's on par with the 1.8 branch after Joschi Brauchle reviewed the 1.8 backport.
* KRB5 child: Don't return System Error on empty passwordJakub Hrozek2012-09-201-0/+4
| | | | https://fedorahosted.org/sssd/ticket/1310
* KRB5: Return PAM_AUTH_ERR on incorrect passwordJakub Hrozek2012-09-101-19/+32
| | | | https://fedorahosted.org/sssd/ticket/1515
* Use new debug levels in validate_tgt()Sumit Bose2012-08-241-13/+16
|
* Fix fallback in validate_tgt()Sumit Bose2012-08-241-8/+20
| | | | | | | | | | To validate a TGT a keytab entry from the client realm is preferred but if none ca be found the last entry should be used. But the entry was freed and zeroed before it could be used. This should also fix the trusted domain use case mentioned in https://fedorahosted.org/sssd/ticket/1396 although a different approach then suggested in the ticket is used.
* Cast uid_t to unsigned long long in DEBUG messagesJakub Hrozek2012-07-101-3/+3
|
* Print based on pointer contents not addressJakub Hrozek2012-07-101-1/+3
|
* heimdal: use sss_krb5_princ_realm to access realmRambaldi2012-07-091-4/+11
|
* Revert commit 4c157ecedd52602f75574605ef48d0c48e9bfbe8Stef Walter2012-07-061-21/+0
| | | | | | | | * This broke corner cases when used with default_tkt_types = des-cbc-crc and DES enabled on an AD domain. * This is fixed in kerberos instead, in a more correct way and in a way which we cannot replicate.
* KRB5: Some logging enhancements for krb5_childStephen Gallagher2012-07-061-6/+13
|
* KRB5: Auto-detect DIR cache support in configureStephen Gallagher2012-06-151-0/+8
| | | | | | We can't support the DIR cache features in systems with kerberos libraries older than 1.10. Make sure we don't build it on those systems.
* Use Kerberos context in KRB5_DEBUGJakub Hrozek2012-06-141-45/+40
| | | | | Passing Kerberos context to sss_krb5_get_error_message will allow us to get better error messages.
* Add support for storing credential caches in the DIR: back endJakub Hrozek2012-06-141-30/+198
| | | | https://fedorahosted.org/sssd/ticket/974
* Provide more debugging in krb5_child and ldap_childJakub Hrozek2012-06-141-13/+65
| | | | https://fedorahosted.org/sssd/ticket/1225
* Two small krb5_child fixesJakub Hrozek2012-06-141-3/+10
| | | | | * Allocation check was missing * a DEBUG statement overwrote errno
* added DEBUG messages to krb5_child and ldap_childNick Guay2012-05-311-3/+12
|
* Limit krb5_get_init_creds_keytab() to etypes in keytabStef Walter2012-05-071-0/+21
| | | | | | | | | * Load the enctypes for the keys in the keytab and pass them to krb5_get_init_creds_keytab(). * This fixes the problem where the server offers a enctype that krb5 supports, but we don't have a key for in the keytab. https://bugzilla.redhat.com/show_bug.cgi?id=811375
* Remove erroneous failure message in find_principal_in_keytabStef Walter2012-05-071-1/+3
| | | | | * When it's actually a failure, then the callers will print a message. Fine tune this.
* If canon'ing principals, write ccache with updated default principalStef Walter2012-05-041-2/+6
| | | | | | | | | | | * When calling krb5_get_init_creds_keytab() with krb5_get_init_creds_opt_set_canonicalize() the credential principal can get updated. * Create the cache file with the correct default credential. * LDAP GSSAPI SASL would fail due to the mismatched credentials before this patch. https://bugzilla.redhat.com/show_bug.cgi?id=811518
* Convert read and write operations to sss_atomic_readJakub Hrozek2012-04-201-30/+21
| | | | https://fedorahosted.org/sssd/ticket/1209
* Clean up log messages about keytab_nameStephen Gallagher2012-04-051-2/+4
| | | | | | | | | There were many places where we were printing (null) to the logs because a NULL keytab name tells libkrb5 to use its configured default instead of a particular path. This patch should clean up all uses of this to print "default" in the logs. https://fedorahosted.org/sssd/ticket/1288
* krb5_child: set debugging soonerJakub Hrozek2012-03-061-12/+18
|
* KRB5: Add syslog messages for Kerberos failuresStephen Gallagher2012-01-311-0/+1
| | | | https://fedorahosted.org/sssd/ticket/1137
* Add compatibility layer for Heimdal Kerberos implementationStephen Gallagher2011-12-221-4/+6
|
* Securely set umask when using mkstempStephen Gallagher2011-12-191-0/+3
| | | | Coverity 12394, 12395, 12396, 12397 and 12398
* Move child_common routines to utilStephen Gallagher2011-12-191-1/+1
|
generated by cgit (git 2.34.1) at 2024-05-12 03:00:30 +0000