path: root/src/providers/krb5/krb5_common.h
Commit message (Author, Age, Files, Lines)
* krb5: add copy_keytab_into_memory() (Sumit Bose, 2014-11-28, 1 file, -0/+4)
* KRB5: Move ccache-related functions to krb5_ccache.c (Jakub Hrozek, 2014-11-18, 1 file, -7/+0)
  Add a new module krb5_ccache.c that contains all ccache-related operations. The only user of this module shall be krb5_child.c as the other modules will run unprivileged and accessing the ccache requires either privileges of root or the ccache owner.
  Related: https://fedorahosted.org/sssd/ticket/2370
  Reviewed-by: Sumit Bose <sbose@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* krb5: Remove unused ccache backend infrastructure (Simo Sorce, 2013-09-09, 1 file, -2/+0)
  Remove struct sss_krb5_cc_be and the remaining functions that reference it as they are all unused now.
  Resolves: https://fedorahosted.org/sssd/ticket/2061
* KRB5: Do not send PAC in server mode (Jakub Hrozek, 2013-07-23, 1 file, -1/+7)
  The krb5 child contacts the PAC responder for any user except for the IPA native users if the PAC is configured. This works fine for the general case but the ipa_server_mode is a special one. The PAC responder is there, but since in the server mode we should be operating as AD provider default, the PAC shouldn't be analyzed either in this case.
* AD: Write out domain-realm mappings (Jakub Hrozek, 2013-06-27, 1 file, -1/+0)
  This patch reuses the code from IPA provider to make sure that domain-realm mappings are written even for AD sub domains.
* KRB5: guess UPN for subdomain users (Jakub Hrozek, 2013-06-27, 1 file, -1/+1)
* krb5: do not send pac for IPA users from the local domain (Sumit Bose, 2013-06-25, 1 file, -0/+2)
  So far we didn't send the PAC of IPA users to the PAC responder during password authentication because group memberships for IPA users can be retrieved efficiently with LDAP calls. Recently patches added PAC support for the AD provider as well and removed the restriction for the IPA users. This patch restores the original behaviour by introducing a new flag in struct krb5_ctx which is only set for the IPA provider. Additionally a different flag is renamed to make its purpose more clear.
  Fixes https://fedorahosted.org/sssd/ticket/1995
* A new option krb5_use_kdcinfo (Jakub Hrozek, 2013-06-10, 1 file, -1/+5)
  https://fedorahosted.org/sssd/ticket/1883
  The patch introduces a new Kerberos provider option called krb5_use_kdcinfo. The option is true by default in all providers. When set to false, the SSSD will not create krb5 info files that the locator plugin consumes and the user would have to set up the Kerberos options manually in krb5.conf.
* Allow usage of enterprise principals (Sumit Bose, 2013-04-22, 1 file, -0/+1)
  Enterprise principals are currently most useful for the AD provider and hence enabled here by default while for the other Kerberos based authentication providers they are disabled by default.
  If additional UPN suffixes are configured for the AD domain the user principal stored in the AD LDAP server might not contain the real Kerberos realm of the AD domain but one of the additional suffixes which might be completely randomly chosen, e.g. are not related to any existing DNS domain. This makes it hard for a client to figure out the right KDC to send requests to. To get around this enterprise principals (see http://tools.ietf.org/html/rfc6806 for details) were introduced. Basically a default realm is added to the principal so that the Kerberos client libraries at least know where to send the request to. It is now in the responsibility of the KDC to either handle the request itself, return a client referral if it thinks a different KDC can handle the request or return an error.
  This feature is also used to allow authentication in AD environments with cross forest trusts.
  Fixes https://fedorahosted.org/sssd/ticket/1842
* Add new call find_or_guess_upn() (Sumit Bose, 2012-10-26, 1 file, -1/+2)
  With the current approach the upn was either a pointer to a const string in a ldb_message or a string created with the help of talloc. This new function always makes it a talloc'ed value. Additionally krb5_get_simple_upn() is enhanced to handle sub-domains as well.
* krb5_auth: check if principal belongs to a different realm (Sumit Bose, 2012-10-26, 1 file, -0/+4)
  Add a flag if the principal used for authentication does not belong to our realm. This can be used to act differently for users from other realms.
* Primary server support: new options in krb5 provider (Jan Zeleny, 2012-08-01, 1 file, -0/+2)
  This patch adds support for new config options krb5_backup_server and krb5_backup_kpasswd. The description of this option's functionality is included in man page in one of previous patches.
* Primary server support: krb5 adaptation (Jan Zeleny, 2012-08-01, 1 file, -1/+3)
  This patch adds support for the primary server functionality into krb5 provider. No backup servers are added at the moment, just the basic support is in place.
* AD: Add AD auth and chpass providers (Stephen Gallagher, 2012-07-06, 1 file, -0/+4)
  These new providers take advantage of existing code for the KRB5 provider, providing sensible defaults for operating against an Active Directory 2008 R2 or later server.
* KRB5: Drop memctx parameter of krb5_try_kdcip (Stephen Gallagher, 2012-07-06, 1 file, -3/+2)
  This function is not supposed to return any newly-allocated memory directly. It was actually leaking the memory for krb5_servers if krb5_kdcip was being used, though it was undetectable because it was allocated on the provided memctx.
  This patch removes the memctx parameter and allocates krb5_servers temporarily on NULL and ensures that it is freed on all exit conditions. It is not necessary to retain this memory, as dp_opt_set_string() performs a talloc_strdup onto the appropriate context internally.
  It also updates the DEBUG messages for this function to the appropriate new macro levels.
* Add a credential cache back end structure (Jakub Hrozek, 2012-06-14, 1 file, -0/+3)
  To be able to add support for new credential cache types easily, this patch creates a new structure sss_krb5_cc_be that defines common operations with a credential cache, such as create, check if used or remove.
* Add support to request canonicalization on krb AS requests (Jan Zeleny, 2011-11-02, 1 file, -0/+2)
  https://fedorahosted.org/sssd/ticket/957
* Remove unused krb5_service structure member (Jakub Hrozek, 2011-07-13, 1 file, -1/+0)
* Allow new option to specify principal for FAST (Jan Zeleny, 2011-04-25, 1 file, -0/+2)
  https://fedorahosted.org/sssd/ticket/700
* Serialize requests of the same user in the krb5 provider (Sumit Bose, 2010-12-20, 1 file, -0/+2)
* Replace krb5_kdcip by krb5_server in LDAP provider (Sumit Bose, 2010-12-07, 1 file, -1/+2)
* Add support for FAST in krb5 provider (Sumit Bose, 2010-12-07, 1 file, -1/+5)
* Add support for automatic Kerberos ticket renewal (Sumit Bose, 2010-12-03, 1 file, -0/+3)
* krb5_child returns TGT lifetime (Sumit Bose, 2010-12-03, 1 file, -0/+7)
* Add krb5_lifetime option (Sumit Bose, 2010-12-03, 1 file, -0/+2)
* Add krb5_renewable_lifetime option (Sumit Bose, 2010-12-03, 1 file, -0/+2)
* Add krb5_get_simple_upn() (Sumit Bose, 2010-11-04, 1 file, -0/+2)
* Option krb5_server is now used to store a list of KDCs instead of krb5_kdcip. (Jan Zeleny, 2010-10-19, 1 file, -0/+3)
  For the time being, if krb5_server is not found, it still falls back to krb5_kdcip with a warning. If both options are present in config file, krb5_server has a higher priority.
  Fixes: #543
* Initialize kerberos service for GSSAPI (Jakub Hrozek, 2010-10-13, 1 file, -0/+6)
* Remove krb5_changepw_principal option (Jakub Hrozek, 2010-06-14, 1 file, -2/+0)
  Fixes: #531
* Refactor krb5 SIGTERM handler installation (Sumit Bose, 2010-05-27, 1 file, -0/+3)
* Add callback to remove krb5 info files when going offline (Sumit Bose, 2010-05-27, 1 file, -0/+52)
* Revert "Create kdcinfo and kpasswdinfo file at startup" (Sumit Bose, 2010-05-27, 1 file, -1/+0)
  This reverts commit f3c31d11bf365eb6a79c4f698667915a4c81eeb7.
* Add support for delayed kinit if offline (Sumit Bose, 2010-05-26, 1 file, -0/+1)
  If the configuration option krb5_store_password_if_offline is set to true and the backend is offline the plain text user password is stored and used to request a TGT if the backend becomes online. If available the Linux kernel key retention service is used.
* Use service discovery in backends (Jakub Hrozek, 2010-05-07, 1 file, -2/+2)
  Integrate the failover improvements with our back ends. The DNS domain used in the SRV query is always the SSSD domain name.
  Please note that this patch changes the default value of ldap_uri from "ldap://localhost" to "NULL" in order to use service discovery with no server set.
* Create kdcinfo and kpasswdinfo file at startup (Sumit Bose, 2010-05-07, 1 file, -0/+1)
* Clean up kdcinfo and kpasswdinfo files when exiting (Stephen Gallagher, 2010-05-07, 1 file, -0/+7)
* Add krb5_kpasswd option (Sumit Bose, 2010-03-12, 1 file, -1/+7)
* Rename server/ directory to src/ (Stephen Gallagher, 2010-02-18, 1 file, -0/+72)
  Also update BUILD.txt