summaryrefslogtreecommitdiffstats
path: root/source4/heimdal/kdc
Commit message (Collapse)AuthorAgeFilesLines
* heimdal: Ensure that HDB_ERR_NOT_FOUND_HERE, critical for the RODC, is not ↵Andrew Bartlett2015-01-231-4/+19
| | | | | | | | | | | overwritten This change ensures that our RODC will correctly proxy when asked to provide a ticket for a service or user where the keys are not on this RODC. Signed-off-by: Garming Sam <garming@catalyst.net.nz> Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* heimdal: Really bug in KDC handling of enterprise princsNicolas Williams2015-01-231-3/+2
| | | | | | | | | | | | | | | The value of this commit to Samba is to continue to match Heimdal's upstream code in this area. Because we set HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL there is no runtime difference. (commit message by Andrew Bartlett) Cherry-pick of Heimdal commit 9aa7883ff2efb3e0a60016c9090c577acfd0779f Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* heimdal: Fix bug in KDC handling of enterprise principalsNicolas Williams2015-01-231-35/+38
| | | | | | | | | | | | | | The useful change in Samba from this commit is that we gain validation of the enterprise principal name. (commit message by Andrew Bartlett) Cherry-pick of Heimdal commit c76ec8ec6a507a6f34ca80c11e5297146acff83f Reviewed-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* heimdal: Only indicate successful authentication after successful authzAndrew Bartlett2014-04-021-4/+4
| | | | | | | | | | This is needed to match Windows behaviour for NTLM logins. Andrew Bartlett Change-Id: I142de19b480cd6499d6f7f025f655e220558d54c Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* heimdal: Match windows and return KRB5KDC_ERR_CLIENT_REVOKED when the ↵Andrew Bartlett2014-04-021-1/+1
| | | | | | | | account is locked out Change-Id: I3c306d1516aa569549f5f024fe1fff2d4f2abefc Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* heimdal: Do not attempt password authentication for locked out accountsAndrew Bartlett2014-04-021-0/+8
| | | | | | Change-Id: I49695cc4ae0dd0b02034e5411b277882ec5f5f44 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* heimdal: remove checking of KDC PAC signature, delegate to wdc pluginAndrew Bartlett2012-01-121-12/+2
| | | | | | | | | | | | The checking of the KDC signature is more complex than it looks, it may be of a different enc type to that which the ticket is encrypted with, and may even be prefixed with the RODC number. This is better handled in the plugin which can easily look up the DB for the correct key to verify this with, and can also quickly determine if this is an interdomain trust, which we cannot verify the PAC for. Andrew Bartlett
* heimdal: handle referrals for 3 part DRSUAPI SPNsAndrew Tridgell2011-10-041-1/+18
| | | | | | | | | | | | | This handles referrals for SPNs of the form E3514235-4B06-11D1-AB04-00C04FC2DCD2/NTDSGUID/REALM, which are used during DRS replication when we don't know the dnsHostName of the target DC (which we don't know until the first replication from that DC completes). We use the 3rd part of the SPN directly as the realm name in the referral. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* heimdal: Try to handle the PAC checking when we are in a cross-realm environmentAndrew Bartlett2011-09-051-1/+10
|
* s4:heimdal: import lorikeet-heimdal-201107241840 (commit ↵Stefan Metzmacher2011-07-265-8/+12
| | | | 0fdf11fa3cdb47df9f5393ebf36d9f5742243036)
* s4:heimdal: import lorikeet-heimdal-201107150856 (commit ↵Stefan Metzmacher2011-07-1512-360/+414
| | | | 48936803fae4a2fb362c79365d31f420c917b85b)
* s4:kdc: generate the S4U_DELEGATION_INFO in the regenerated pacStefan Metzmacher2011-06-281-4/+2
| | | | metze
* HEIMDAL:kdc: pass down the delegated_proxy_principal to the verify_pac()Stefan Metzmacher2011-06-283-20/+41
| | | | | | | | function This is needed in order to add the S4U_DELEGATION_INFO to the pac. metze
* HEIMDAL:kdc/windc_plugin.h: KRB5_WINDC_PLUGIN_MINOR 4 => 5Stefan Metzmacher2011-06-281-2/+2
| | | | | | | | | | commit "heimdal Add support for extracting a particular KVNO from the database" (f469fc6d4922d796f5c61bf43e3efc018e37b680 in heimdal/master and 9b5e304ccedc8f0f7ce2342e4d9c621417dd1c1e in samba/master) changed the windc_plugin interface, so we need to change the version number. metze
* HEIMDAL:kdc: don't allow self delegation if a backend ↵Stefan Metzmacher2011-06-241-4/+4
| | | | | | | | | | | check_constrained_delegation() hook is given A service should use S4U2Self instead of S4U2Proxy. Windows servers allow S4U2Proxy only to explicitly configured target principals. metze
* HEIMDAL:kdc: pass down the server hdb_entry_ex to check_constrained_delegation()Stefan Metzmacher2011-06-241-5/+19
| | | | | | | | This way we can compare the already canonicalized principals, while still passing the client specified target principal down to the backend specific constrained_delegation() hook. metze
* HEIMDAL:kdc: use the correct client realm in the EncTicketPartStefan Metzmacher2011-06-241-1/+1
| | | | | | With S4U2Proxy tgt->crealm might be different from tgt_name->realm. metze
* HEIMDAL:kdc: check and regenerate the PAC in the s4u2proxy caseStefan Metzmacher2011-05-181-13/+38
| | | | | | TODO: we need to add a S4U_DELEGATION_INFO to the PAC later. metze
* HEIMDAL:kdc: pass the correct principal name for the resulting service ticketStefan Metzmacher2011-05-181-38/+36
| | | | | | | Depending on S4U2Proxy the principal name for the resulting ticket is not the principal of the client ticket. metze
* HEIMDAL:kdc: let check_PAC() to verify the incoming server and krbtgt cheksumsStefan Metzmacher2011-05-181-4/+7
| | | | | | | | For a normal TGS-REQ they're both signed with krbtgt key. But for S4U2Proxy requests which ask for contrained delegation, the keys differ. metze
* Merge new lorikeet heimdal, revision 85ed7247f515770c73b1f1ced1739f6ce19d75d2Jelmer Vernooij2011-03-142-3/+4
| | | | | Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Mon Mar 14 23:53:46 CET 2011 on sn-devel-104
* HEIMDAL:kdc: correctly propagate HDB_ERR_NOT_FOUND_HERE to via ↵Stefan Metzmacher2011-03-041-0/+5
| | | | | | tgs_parse_request() and _kdc_tgs_rep() metze
* heimdal Pass F_CANON down to the hdb layer for servers in AS-REP as wellAndrew Bartlett2011-02-171-2/+1
| | | | | | | | | | | | | This fixes Win2003 domain logons against Samba4, which need a canonicalised reply, and helpfully do set that flag. Specifically, they need that realm in krbtgt/realm@realm that these both match exactly in the reply. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Feb 17 06:40:53 CET 2011 on sn-devel-104
* s4:heimdal: import lorikeet-heimdal-201101310455 (commit ↵Andrew Bartlett2011-02-021-0/+4
| | | | aa88eb1a05c4985cc23fb65fc1bad75bdce01c1f)
* heimdal_build: Add version-script for kdc.Jelmer Vernooij2010-12-171-0/+21
|
* s4:heimdal: import lorikeet-heimdal-201012010201 (commit ↵Andrew Bartlett2010-12-014-1049/+7
| | | | 81fe27bcc0148d410ca4617f8759b9df1a5e935c)
* heimdal Build ticket with the canonical server nameAndrew Bartlett2010-11-161-1/+1
| | | | | | | We need to use the name that the HDB entry returned, otherwise we will not canonicalise the reply as requested. Andrew Bartlett
* heimdal Fetch the client before the PAC check, but after obtaining krbtgt_outAndrew Bartlett2010-11-151-31/+30
| | | | | | | | By checking the client principal here, we compare the realm based on the normalised realm, but do so early enough to validate the PAC (and regenerate it if required). Andrew Bartlett
* s4:heimdal - fix the return code of a non-void functionMatthias Dieter Wallnöfer2010-11-151-0/+2
| | | | | Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Mon Nov 15 23:14:57 UTC 2010 on sn-devel-104
* heimdal Fix handling of backwards cross-realm detection for Samba4Andrew Bartlett2010-11-151-18/+48
| | | | | | | | | | | | | | Samba4 may modify the case of the realm in a returned entry, but will no longer modify the case of the prinicipal components. The easy way to keep this test passing is to consider also what we need to do to get the krbtgt account for the PAC signing - and to use krbtgt/<this>/@REALM component to fetch the real krbtgt, and to use that resutl for realm comparion. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Mon Nov 15 08:47:44 UTC 2010 on sn-devel-104
* s4:heimdal: import lorikeet-heimdal-201011102149 (commit ↵Andrew Bartlett2010-11-151-19/+25
| | | | 5734d03c20e104c8f45533d07f2a2cbbd3224f29)
* heimdal Return HDB_ERR_NOT_FOUND_HERE to the callerAndrew Bartlett2010-11-123-11/+34
| | | | | | | | This means that no reply packet should be generated, but that instead the user of the libkdc API should forward the packet to a real KDC, that has a full database. Andrew Bartlett
* s4:heimdal: import lorikeet-heimdal-201010022046 (commit ↵Andrew Bartlett2010-10-034-18/+28
| | | | 1bea031b9404b14114b0272ecbe56e60c567af5c)
* s4:heimdal: import lorikeet-heimdal-201009250123 (commit ↵Matthieu Patou2010-10-035-28/+43
| | | | | | | | | 42cabfb5b683dbcb97d583c397b897507689e382) I based this on Matthieu's import of lorikeet-heimdal, and then updated it to this commit. Andrew Bartlett
* heimdal use returned server entry from HDB to compare realmsAndrew Bartlett2010-10-021-1/+1
| | | | | | | | Some hdb modules (samba4) may change the case of the realm in a returned result. Use that to determine if it matches the krbtgt realm also returned from the DB (the DB will return it in the 'right' case) Andrew Bartlett
* heimdal Add support for extracting a particular KVNO from the databaseAndrew Bartlett2010-09-295-17/+51
| | | | | | | | | This should allow master key rollover. (but the real reason is to allow multiple krbtgt accounts, as used by Active Directory to implement RODC support) Andrew Bartlett
* s4:heimdal Create a new PAC when impersonating a user with S4U2SelfAndrew Bartlett2010-04-101-4/+46
| | | | | | | If we don't do this, the PAC is given for the machine accout, not the account being impersonated. Andrew Bartlett
* s4:heimdal Add hooks to check with the DB before we allow s4u2selfAndrew Bartlett2010-04-101-4/+36
| | | | | | | | This allows us to resolve multiple forms of a name, allowing for example machine$@REALM to get an S4U2Self ticket for host/machine@REALM. Andrew Bartlett
* s4:heimdal: import lorikeet-heimdal-201003262338 (commit ↵Andrew Bartlett2010-03-279-16/+11
| | | | f4e0dc17709829235f057e0e100d34802d3929ff)
* s4:heimdal: import lorikeet-heimdal-201001120029 (commit ↵Andrew Bartlett2010-03-279-166/+197
| | | | a5e675fed7c5db8a7370b77ed0bfa724196aa84d)
* heimdal Fix invalid format stringAndrew Bartlett2009-11-241-1/+1
|
* s4:heimdal: import lorikeet-heimdal-200911122202 (commit ↵Andrew Bartlett2009-11-137-149/+207
| | | | 9291fd2d101f3eecec550178634faa94ead3e9a1)
* s4:heimdal: import lorikeet-heimdal-200909210500 (commit ↵Andrew Bartlett2009-11-134-98/+145
| | | | 290db8d23647a27c39b97c189a0b2ef6ec21ca69)
* heimdal kerberos - fix memory leak (free the plugin list always - not only ↵Matthias Dieter Wallnöfer2009-10-031-1/+1
| | | | in error cases)
* s4:heimdal: import lorikeet-heimdal-200908050050 (commit ↵Andrew Bartlett2009-08-054-20/+25
| | | | | | | | | | | 8714779fa7376fd9f7761587639e68b48afc8c9c) This also adds a new hdb-glue.c file, to cope with Heimdal's uncondtional enabling of SQLITE. (Very reasonable, but not required for Samba4's use). Andrew Bartlett
* s4:kerberos Add support for user principal names in certificatesAndrew Bartlett2009-07-282-18/+21
| | | | | | | | | | | | | | This extends the PKINIT code in Heimdal to ask the HDB layer if the User Principal Name name in the certificate is an alias (perhaps just by case change) of the name given in the AS-REQ. (This was a TODO in the Heimdal KDC) The testsuite is extended to test this behaviour, and the other PKINIT certficate (using the standard method to specify a principal name in a certificate) is updated to use a Administrator (not administrator). (This fixes the kinit test). Andrew Bartlett
* s4:heimdal: import lorikeet-heimdal-200907162216 (commit ↵Andrew Bartlett2009-07-171-17/+22
| | | | | | | | | | | d09910d6803aad96b52ee626327ee55b14ea0de8) This includes in particular changes to the KDC to resolve bug 6272, originally by Matthieu Patou <mat+Informatique.Samba@matws.net>. We need to sort the AuthorizationData elements to put the PAC first, or else WinXP breaks when browsed from Win2k8. Andrew Bartlett
* s4:heimdal: import lorikeet-heimdal-200907152325 (commit ↵Andrew Bartlett2009-07-163-25/+59
| | | | 2bef9cd5378c01e9c2a74d6221761883bd11a5c5)
* s4:heimdal Allow KRB5_NT_ENTERPRISE names in all DB lookupsAndrew Bartlett2009-06-302-22/+28
| | | | | | | | | | | | | | The previous code only allowed an KRB5_NT_ENTERPRISE name (an e-mail list user principal name) in an AS-REQ. Evidence from the wild (Win2k8 reportadely) indicates that this is instead valid for all types of requests. While this is now handled in heimdal/kdc/misc.c, a flag is now defined in Heimdal's hdb so that we can take over this handling in future (once we start using a system Heimdal, and if we find out there is more to be done here). Andrew Bartlett
* s4:kdc Allow a password change when the password is expiredAndrew Bartlett2009-06-186-27/+35
| | | | | | | | | | | | | | This requires a rework on Heimdal's windc plugin layer, as we want full control over what tickets Heimdal will issue. (In particular, in case our requirements become more complex in future). The original problem was that Heimdal's check would permit the ticket, but Samba would then deny it, not knowing it was for kadmin/changepw Also (in hdb-samba4) be a bit more careful on what entries we will make the 'change_pw' service mark that this depends on. Andrew Bartlett
generated by cgit (git 2.34.1) at 2025-09-04 10:31:40 +0000