samba.git/source4/kdc, branch master Unnamed repository; edit this file 'description' to name the repository. kdc: Fix S4U2Self handling with KRB5_NT_ENTERPRISE_PRINCIPAL containing a UPN 2015-03-09T08:35:05+00:00 Andrew Bartlett abartlet@samba.org 2015-03-09T03:00:56+00:00 a1ddee8d2f9e58e04f3203db9afa576354dd2079 This is now handled properly by samba_kdc_lookup_server() and this wrapper actually breaks things. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
This is now handled properly by samba_kdc_lookup_server() and this wrapper actually
breaks things.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
kdc: make Samba KDC pass new TGS-REQ and AS-REQ (to self) testing 2015-02-08T07:07:07+00:00 Andrew Bartlett abartlet@samba.org 2015-01-29T23:31:29+00:00 f32564d643a76b2618395096d26d99654b33dd98 This also reverts 51b94ab3fd4d13ee38813eb7d20db11edaa667a8 as our testing shows Windows 2012R2 does not have this behaviour. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> 
This also reverts 51b94ab3fd4d13ee38813eb7d20db11edaa667a8 as our
testing shows Windows 2012R2 does not have this behaviour.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
kdc: fixup KDC to use functions portable to MIT krb5 2015-02-08T07:07:07+00:00 Andrew Bartlett abartlet@samba.org 2015-02-01T23:38:07+00:00 01c6991d362d26c71604649ad7a2dd4e6b695918 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> 
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
kdc: Correctly return the krbtgt/realm@REALM principal from our KDC 2015-01-23T04:42:08+00:00 Andrew Bartlett abartlet@samba.org 2015-01-23T03:41:50+00:00 c1819f5fd1eb690326a1fc547422544f5c834558 This needs to vary depending on if the client requested the canonicalize flag This was found by our new krb5.kdc test Signed-off-by: Garming Sam <garming@catalyst.net.nz> Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> 
This needs to vary depending on if the client requested the canonicalize flag

This was found by our new krb5.kdc test

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
kdc: Add TODO to remind us where we need to hook for RODC to get secrets 2015-01-23T04:42:08+00:00 Andrew Bartlett abartlet@samba.org 2015-01-23T04:39:45+00:00 69fb2a7616fe3b67312904075fdb691b7fa510bb Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> 
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
kdc: Fix Samba's KDC to only change the principal in the right cases 2015-01-23T04:42:08+00:00 Andrew Bartlett abartlet@samba.org 2015-01-22T01:11:52+00:00 9fc3f1e3d6854f399e2b2322b8ab1a714353ba12 If we are set to canonicalize, we get back the fixed UPPER case realm, and the real username (ie matching LDAP samAccountName) Otherwise, if we are set to enterprise, we get back the whole principal as-sent Finally, if we are not set to canonicalize, we get back the fixed UPPER case realm, but the as-sent username Signed-off-by: Garming Sam <garming@catalyst.net.nz> Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> 
If we are set to canonicalize, we get back the fixed UPPER
case realm, and the real username (ie matching LDAP
samAccountName)

Otherwise, if we are set to enterprise, we
get back the whole principal as-sent

Finally, if we are not set to canonicalize, we get back the
fixed UPPER case realm, but the as-sent username

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
kdc: Fix enterpise principal name handling 2015-01-23T04:42:08+00:00 Andrew Bartlett abartlet@samba.org 2014-12-17T04:02:53+00:00 86021a081fa7973d00ac3665296ffcfc9e834fb0 Based on a patch by Samuel Cabrero <scabrero@zentyal.com> This ensures we write the correct (implict, samAccountName) based UPN into the ticket, rather than the userPrincipalName, which will have a different realm. Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Garming Sam <garming@catalyst.net.nz> 
Based on a patch by Samuel Cabrero <scabrero@zentyal.com>

This ensures we write the correct (implict, samAccountName) based UPN into
the ticket, rather than the userPrincipalName, which will have a different
realm.

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
s4:kdc/db-glue: fix supported_enctypes samba_kdc_trust_message2entry() 2015-01-21T13:56:07+00:00 Stefan Metzmacher metze@samba.org 2015-01-20T10:52:22+00:00 01c02340c1700aeb16d167be45f6de8d96a91802 This avoids writing invalid memory, because num_keys was calculated in a wrong way... Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org> 
This avoids writing invalid memory, because num_keys was calculated
in a wrong way...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
s4:kdc: add aes key support for trusted domains 2014-12-19T14:39:40+00:00 Stefan Metzmacher metze@samba.org 2014-12-15T15:48:27+00:00 8dd37327b02eaea33915a9cd206667981b8df872 We have a look at "msDS-SupportedEncryptionTypes" and >= DS_DOMAIN_FUNCTION_2008 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Fri Dec 19 15:39:40 CET 2014 on sn-devel-104 
We have a look at "msDS-SupportedEncryptionTypes" and >= DS_DOMAIN_FUNCTION_2008

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Dec 19 15:39:40 CET 2014 on sn-devel-104
s4:kdc: remove unused allow_warnings=True for 'MIT_SAMBA' 2014-11-25T06:25:45+00:00 Stefan Metzmacher metze@samba.org 2014-10-29T11:21:07+00:00 4bb9aca9001747f6781c5a495d52f3dce62e47e2 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>