summaryrefslogtreecommitdiffstats
path: root/src/providers/krb5
Commit message (Collapse)AuthorAgeFilesLines
* KRB5: Work around const warning for krb5 releases older than 1.11Sumit Bose2012-11-201-1/+1
|
* Disable canonicalization during password changesSumit Bose2012-11-201-2/+43
| | | | | | | | | | | | | | | If canonicalization is enabled Active Directory KDCs return 'krbtgt/AD.DOMAIN' as service name instead of the expected 'kadmin/changepw' which causes a 'KDC reply did not match expectations' error. Additionally the forwardable and proxiable flags are disabled, the renewable lifetime is set to 0 and the lifetime of the ticket is set to 5 minutes as recommended in https://fedorahosted.org/sssd/ticket/1405 and also done by the kpasswd utility. Fixes: https://fedorahosted.org/sssd/ticket/1405 https://fedorahosted.org/sssd/ticket/1615
* Fix compare_principal_realm() checkSumit Bose2012-11-201-9/+3
| | | | | In case of a short UPN compare_principal_realm() erroneously returns an error.
* Just use the service name with krb5_get_init_creds_password()Sumit Bose2012-11-201-24/+2
| | | | | | | | | Currently we add the realm name to change password principal but according to the MIT Kerberos docs and the upstream usage the realm name is just ignored. Dropping the realm name also does not lead to confusion if the change password request was received for a user of a trusted domain.
* Do not always return PAM_SYSTEM_ERR when offline krb5 authentication failsJakub Hrozek2012-11-151-1/+2
|
* Only build extract_and_send_pac on platforms that support itJakub Hrozek2012-11-151-104/+18
|
* KRB5: Rename variable to avoid shadowing a global declarationJakub Hrozek2012-11-141-4/+4
| | | | | | | src/providers/krb5/krb5_utils.c: In function ‘cc_dir_create’: src/providers/krb5/krb5_utils.c:824: warning: declaration of ‘dirname’ shadows a global declaration /usr/include/libgen.h:27: warning: shadowed declaration is here
* krb5_auth: update with correct UPN if neededSumit Bose2012-11-053-0/+133
| | | | | | | | | The Active Directory KDC handles request case in-sensitive and it might not always to possible to guess the UPN with the correct case. We check if the returned principal has a different case then the one used in the request and updates the principal if needed. This will help using calls from the Kerberos client libraries later on which would otherwise fail because the principal is handled case sensitive by those libraries.
* Use find_or_guess_upn() where neededSumit Bose2012-11-054-34/+49
|
* Add new call find_or_guess_upn()Sumit Bose2012-11-054-8/+54
| | | | | | | | | With the current approach the upn was either a pointer to a const string in a ldb_message or a string created with the help of talloc. This new function always makes it a talloc'ed value. Additionally krb5_get_simple_upn() is enhanced to handle sub-domains as well.
* krb5_child: send back the client principalSumit Bose2012-11-053-5/+41
| | | | | | | | | | | | | In general Kerberos is case sensitive but the KDC of Active Directory typically handles request case in-sensitive. In the case where we guess a user principal by combining the user name and the realm and are not sure about the cases of the letters used in the user name we might get a valid ticket from the AD KDC but are not able to access it with the Kerberos client library because we assume a wrong case. The client principal in the returned credentials will always have the right cases. To be able to update the cache user principal name the krb5_child will return the principal for further processing.
* krb5_mod_ccname: replace wrong memory contextSumit Bose2012-11-051-1/+1
|
* krb5_child: send PAC to PAC responderSumit Bose2012-11-051-1/+139
| | | | | | If the authenticated user comes from a different realm the service ticket which was returned during the validation of the TGT is used to extract the PAC which is send to the pac responder for evaluation.
* krb5_auth: send different_realm flag to krb5_childSumit Bose2012-11-052-1/+8
| | | | | | | The different_realm flag which was set by the responder is send to the krb5_child so that it can act differently on users from other realms. To avoid code duplication and inconsistent behaviour the krb5_child will not set the flag on its own but use the one from the provider.
* krb5_auth: check if principal belongs to a different realmSumit Bose2012-11-054-0/+43
| | | | | | Add a flag if the principal used for authentication does not belong to our realm. This can be used to act differently for users from other realms.
* check_ccache_files: search sub-domains as wellSumit Bose2012-11-051-4/+14
| | | | | If sssd is configured to renew Kerberos tickets automatically ticket of sub-domain uses should be renewed as well.
* krb5_auth_send: check for sub-domainsSumit Bose2012-11-053-5/+37
| | | | | | If there is an authentication request for a user from a sub-domain a temporary sysdb context is generated to allow lookups in the corresponding sub-tree in the cache.
* Only call krb5_set_trace_callback on platforms that support itJakub Hrozek2012-10-121-1/+1
|
* Collect krb5 trace on high debug levelsJakub Hrozek2012-10-122-2/+25
| | | | | | | If the debug level contains SSSDBG_TRACE_ALL, then the logs would also include tracing information from libkrb5. https://fedorahosted.org/sssd/ticket/1539
* Two fixes to child processesJakub Hrozek2012-10-121-2/+0
| | | | | | | | There was an unused structure member in the krb5_child. Declaration of __krb5_error_msg was shadowing the same variable from sss_krb5.h which is not nice. Also we might actually use the error context directly instead of passing it as parameter.
* Add more info about ticket validationOndrej Kos2012-10-101-0/+8
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1499 Adds log message about not finding appropriate entry in keytab and using the last keytab entry when validation is enabled. Adds more information about validation into manpage.
* Log possibly non-randomizable ccache file templateOndrej Kos2012-10-044-6/+26
| | | | | | | fixes https://fedorahosted.org/sssd/ticket/1533 ccache file template is now checked for appended XXXXXX for use with mkstemp. When those characters are not present, warning is written to log.
* KRB5: Recover gracefully if the ccache file could not be reusedJakub Hrozek2012-09-241-4/+6
| | | | https://fedorahosted.org/sssd/ticket/1384
* KRB5 child: handle more error codes gracefullyJakub Hrozek2012-09-201-31/+26
| | | | | This patch changes handling of krb5 child error codes so that it's on par with the 1.8 branch after Joschi Brauchle reviewed the 1.8 backport.
* KRB5 child: Don't return System Error on empty passwordJakub Hrozek2012-09-201-0/+4
| | | | https://fedorahosted.org/sssd/ticket/1310
* Failover: use _srv_ when no primary server is definedPavel Březina2012-09-171-12/+3
| | | | https://fedorahosted.org/sssd/ticket/1521
* FO: Check server validity before setting statusJakub Hrozek2012-09-131-5/+9
| | | | | | | | | | | | | | | | | The list of resolved servers is allocated on the back end context and kept in the fo_service structure. However, a single request often resolves a server and keeps a pointer until the end of a request and only then gives feedback about the server based on the request result. This presents a big race condition in case the SRV resolution is used. When there are requests coming in in parallel, it is possible that an incoming request will invalidate a server until another request that holds a pointer to the original server is able to give a feedback. This patch simply checks if a server is in the list of servers maintained by a service before reading its status. https://fedorahosted.org/sssd/ticket/1364
* KRB5: Add a missing string argumentJakub Hrozek2012-09-101-1/+2
|
* KRB5: Return PAM_AUTH_ERR on incorrect passwordJakub Hrozek2012-09-101-19/+32
| | | | https://fedorahosted.org/sssd/ticket/1515
* KRB5: cancel the sysdb transaction on one place onlyJakub Hrozek2012-09-101-1/+0
| | | | | | | https://fedorahosted.org/sssd/ticket/1516 If sysdb_set_user_attr failed, we would cancel the transaction, then go to the error handler and attempt to close it again.
* Use new debug levels in validate_tgt()Sumit Bose2012-08-241-13/+16
|
* Fix fallback in validate_tgt()Sumit Bose2012-08-241-8/+20
| | | | | | | | | | To validate a TGT a keytab entry from the client realm is preferred but if none ca be found the last entry should be used. But the entry was freed and zeroed before it could be used. This should also fix the trusted domain use case mentioned in https://fedorahosted.org/sssd/ticket/1396 although a different approach then suggested in the ticket is used.
* Fix: IPv6 address with square brackets doesn't work.Michal Zidek2012-08-231-1/+14
| | | | https://fedorahosted.org/sssd/ticket/1365
* Unify usage of sysdb transactionsMichal Zidek2012-08-231-2/+14
| | | | | | Removing bad examples of usage of sysdb_transaction_start/commit/end functions and making it more consistent (all files except of src/db/sysdb_*.c).
* KRB5: Only return PAM error for unreachable kpasswd when performing chpassJakub Hrozek2012-08-151-2/+4
| | | | https://fedorahosted.org/sssd/ticket/1452
* Duplicate detection in fail over did not work.Michal Zidek2012-08-151-1/+6
| | | | https://fedorahosted.org/sssd/ticket/1472
* SRV resolution for backup servers should not be permitted.Michal Zidek2012-08-091-2/+9
| | | | https://fedorahosted.org/sssd/ticket/1463
* Allocate on top of a talloc context, not NULLJakub Hrozek2012-08-081-0/+3
|
* Primary server support: new options in krb5 providerJan Zeleny2012-08-013-4/+17
| | | | | | This patch adds support for new config options krb5_backup_server and krb5_backup_kpasswd. The description of this option's functionality is included in man page in one of previous patches.
* Primary server support: krb5 adaptationJan Zeleny2012-08-013-49/+94
| | | | | | This patch adds support for the primary server functionality into krb5 provider. No backup servers are added at the moment, just the basic support is in place.
* Primary server support: basic support in failover codeJan Zeleny2012-08-011-1/+1
| | | | | | | | Now there are two list of servers for each service. If currently selected server is only backup, then an event will be scheduled which tries to get connection to one of primary servers and if it succeeds, it starts using this server instead of the one which is currently connected to.
* Fix uninitialized valuesNick Guay2012-07-182-2/+2
| | | | https://fedorahosted.org/sssd/ticket/1379
* Cast uid_t to unsigned long long in DEBUG messagesJakub Hrozek2012-07-101-3/+3
|
* Print based on pointer contents not addressJakub Hrozek2012-07-101-1/+3
|
* Fix uninitialized memcpy errorStephen Gallagher2012-07-091-0/+2
| | | | Coverity #12784
* heimdal: use sss_krb5_princ_realm to access realmRambaldi2012-07-091-4/+11
|
* Revert commit 4c157ecedd52602f75574605ef48d0c48e9bfbe8Stef Walter2012-07-061-21/+0
| | | | | | | | * This broke corner cases when used with default_tkt_types = des-cbc-crc and DES enabled on an AD domain. * This is fixed in kerberos instead, in a more correct way and in a way which we cannot replicate.
* AD: Add AD auth and chpass providersStephen Gallagher2012-07-061-0/+4
| | | | | | These new providers take advantage of existing code for the KRB5 provider, providing sensible defaults for operating against an Active Directory 2008 R2 or later server.
* KRB5: Create a common init routine for krb5_child optionsStephen Gallagher2012-07-063-53/+129
| | | | | This will reduce code duplication between the krb5, ipa and ad providers
* KRB5: Drop memctx parameter of krb5_try_kdcipStephen Gallagher2012-07-062-13/+15
| | | | | | | | | | | | | | | | This function is not supposed to return any newly-allocated memory directly. It was actually leaking the memory for krb5_servers if krb5_kdcip was being used, though it was undetectable because it was allocated on the provided memctx. This patch removes the memctx parameter and allocates krb5_servers temporarily on NULL and ensures that it is freed on all exit conditions. It is not necessary to retain this memory, as dp_opt_set_string() performs a talloc_strdup onto the appropriate context internally. It also updates the DEBUG messages for this function to the appropriate new macro levels.
generated by cgit (git 2.34.1) at 2024-04-26 03:56:43 +0000