summaryrefslogtreecommitdiffstats
path: root/source4/kdc
Commit message (Collapse)AuthorAgeFilesLines
* libds: share UF_ flags between samba3 and 4.Günther Deschner2009-07-132-2/+2
| | | | Guenther
* s4:heimdal Allow KRB5_NT_ENTERPRISE names in all DB lookupsAndrew Bartlett2009-06-301-0/+1
| | | | | | | | | | | | | | The previous code only allowed an KRB5_NT_ENTERPRISE name (an e-mail list user principal name) in an AS-REQ. Evidence from the wild (Win2k8 reportadely) indicates that this is instead valid for all types of requests. While this is now handled in heimdal/kdc/misc.c, a flag is now defined in Heimdal's hdb so that we can take over this handling in future (once we start using a system Heimdal, and if we find out there is more to be done here). Andrew Bartlett
* s4:kdc Only get the lp_ctx once for a LDB_fetch()Andrew Bartlett2009-06-301-11/+18
|
* Rework hdb-samba4 to remove useless abstractions.Andrew Bartlett2009-06-301-84/+44
| | | | | | | | | | | The function LDB_lookup_principal() has been eliminated, and it's contents spread back to it's callers. Removing the abstraction makes the code clearer. Also ensure we never pass unescaped user input to a LDB search function. Andrew Bartlett
* s4:kdc Allow a password change when the password is expiredAndrew Bartlett2009-06-183-36/+54
| | | | | | | | | | | | | | This requires a rework on Heimdal's windc plugin layer, as we want full control over what tickets Heimdal will issue. (In particular, in case our requirements become more complex in future). The original problem was that Heimdal's check would permit the ticket, but Samba would then deny it, not knowing it was for kadmin/changepw Also (in hdb-samba4) be a bit more careful on what entries we will make the 'change_pw' service mark that this depends on. Andrew Bartlett
* s4:heimdal: import lorikeet-heimdal-200906080040 (commit ↵Andrew Bartlett2009-06-122-61/+56
| | | | | | | | | | | 904d0124b46eed7a8ad6e5b73e892ff34b6865ba) Also including the supporting changes required to pass make test A number of heimdal functions and constants have changed since we last imported a tree (for the better, but inconvenient for us). Andrew Bartlett
* changed the auth path to use extended DN ops to avoid non-indexed searchesAndrew Tridgell2009-06-041-27/+25
| | | | | | | | | | | | | | | | | | Logs showed that every SAM authentication was causing a non-indexed ldb search for member=XXX. This was previously indexed in Samba4, but since we switched to using the indexes from the full AD schema it now isn't. The fix is to use the extended DN operations to allow us to ask the server for the memberOf attribute instead, with with the SIDs attached to the result. This also means one less search on every authentication. The patch is made more complex by the fact that some common routines use the result of these user searches, so we had to update all searches that uses user_attrs and those common routines to make sure they all returned a ldb_message with a memberOf filled in and the SIDs attached.
* Handle the krbtgt special case by looking for RID -514Andrew Bartlett2009-05-271-26/+52
| | | | | | | | It turns out (seen in MS-SAMR 3.1.1.7.1 for example) that the primary way the krbtgt account is recognised as special is that RID. This should fix issues such as 'password expired' on the kpasswd service. Andrew Bartlett
* Don't use crossRef records to find our own domainAndrew Bartlett2009-05-264-146/+79
| | | | | | | | A single AD server can only host a single domain, so don't stuff about with looking up our crossRef record in the cn=Partitions container. We instead trust that lp_realm() and lp_workgroup() works correctly. Andrew Bartlett
* s4:kdc: use krb5_data_free()Stefan Metzmacher2009-03-261-1/+1
| | | | metze
* Use common header file for character set handling in Samba 3 and Samba 4.Jelmer Vernooij2009-03-011-3/+2
|
* s4: Use same function signature for convert_* as s3.Jelmer Vernooij2009-03-011-8/+5
|
* Add allow_badcharcnv argument to all conversion function, forJelmer Vernooij2009-03-011-2/+2
| | | | consistency with Samba 3.
* Remove auth/ntlm as a dependency of GENSEC by means of function pointers.Andrew Bartlett2009-02-131-9/+10
| | | | | | | | | | | When starting GENSEC on the server, the auth subsystem context must be passed in, which now includes function pointers to the key elements. This should (when the other dependencies are fixed up) allow GENSEC to exist as a client or server library without bundling in too much of our server code. Andrew Bartlett
* s4:service_stream: s/private/private_dataStefan Metzmacher2009-02-021-4/+4
| | | | metze
* s4:irpc: avoid c++ reserved word 'private'Stefan Metzmacher2009-02-011-1/+1
| | | | metze
* s4:kdc: avoid c++ reserved word 'private'Stefan Metzmacher2009-02-013-49/+50
| | | | metze
* s4:lib/tevent: rename structsStefan Metzmacher2008-12-294-6/+6
| | | | | | | | | | | | | | | | | | | | list="" list="$list event_context:tevent_context" list="$list fd_event:tevent_fd" list="$list timed_event:tevent_timer" for s in $list; do o=`echo $s | cut -d ':' -f1` n=`echo $s | cut -d ':' -f2` r=`git grep "struct $o" |cut -d ':' -f1 |sort -u` files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4` for f in $files; do cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp mv $f.tmp $f done done metze
* s4:kdc: pass down event_context explicitStefan Metzmacher2008-12-293-1/+4
| | | | metze
* s4: Fix subsystem for various services in samba daemon.Jelmer Vernooij2008-12-221-1/+1
|
* s4:kdc: allow a trusted domain to get kerberos ticketsStefan Metzmacher2008-12-041-1/+2
| | | | metze
* Add gensec_settings structure. This wraps loadparm_context for now, butJelmer Vernooij2008-11-021-1/+3
| | | | should in the future only contain some settings required for gensec.
* Remove unused include param/param.h.Jelmer Vernooij2008-10-241-1/+0
|
* Remove iconv_convenience argument from convert_string{,talloc}() butJelmer Vernooij2008-10-241-2/+2
| | | | make them wrappers around convert_string{,talloc}_convenience().
* Remove iconv_convenience parameter from simple string push/pullJelmer Vernooij2008-10-241-1/+1
| | | | functions.
* Ensure the hdb_method structure is not on the stack.Andrew Bartlett2008-10-201-5/+5
| | | | | | | We supply this to krb5 as a plugin, so we must keep it around as long as the krb5_context. Andrew Bartlett
* Add TALLOC_CTX pointer to strhex_to_data_blob for consistency with SambaJelmer Vernooij2008-10-181-2/+1
| | | | 3.
* Create a 'straight paper path' for UTF16 passwords.Andrew Bartlett2008-10-161-11/+26
| | | | | | | | | | | | | | | | | | | | | This uses a virtual attribute 'clearTextPassword' (name chosen to match references in MS-SAMR) that contains the length-limited blob containing an allegidly UTF16 password. This ensures we do no validation or filtering of the password before we get a chance to MD4 it. We can then do the required munging into UTF8, and in future implement the rules Microsoft has provided us with for invalid inputs. All layers in the process now deal with the strings as length-limited inputs, incluing the krb5 string2key calls. This commit also includes a small change to samdb_result_passwords() to ensure that LM passwords are not returned to the application logic if LM authentication is disabled. The objectClass module has been modified to allow the clearTextPassword attribute to pass down the stack. Andrew Bartlett
* Fix include paths to new location of libutil.Jelmer Vernooij2008-10-113-3/+3
|
* Set default trust kvno to -1Andrew Bartlett2008-10-061-1/+1
|
* Fix cross-realm authentication in Samba4's KDC.Andrew Bartlett2008-10-061-3/+5
|
* Use the trust password version as kvno for trusts in Kerberos.Andrew Bartlett2008-10-061-0/+7
|
* Rename hdb_ldb to hdb_samba4 and load as a plugin into the kdc.Andrew Bartlett2008-09-293-29/+44
| | | | | | | | | | This avoids one more custom patch to the Heimdal code, and provides a more standard way to produce hdb plugins in future. I've renamed from hdb_ldb to hdb_samba4 as it really is not generic ldb. Andrew Bartlett
* Cosmetic corrections for the KERBEROS libraryMatthias Dieter Wallnöfer2008-09-241-3/+3
| | | | This commit applies some cosmetic corrections for the KERBEROS library.
* Move source4/lib/crypto to lib/crypto.Jelmer Vernooij2008-09-241-1/+1
|
* Rename smbd -> samba.Jelmer Vernooij2008-09-241-1/+1
| | | | | | | | This reverts commit 05ea5e23cf4e70de0bd658b1c5c0ead133967091. Conflicts: source4/smbd/server.c
* Merge ldb_search() and ldb_search_exp_fmt() into a simgle function.Simo Sorce2008-09-231-8/+9
| | | | | The previous ldb_search() interface made it way too easy to leak results, and being able to use a printf-like expression turns to be really useful.
* This torture test and skipping of the server-side check was bogus.Andrew Bartlett2008-09-221-3/+1
| | | | | | | The IDL is declared to force the MessageType to 3 on output, so we instead checked the same thing 255 times... Andrew Bartlett
* s4: allways initialize the process model before it's usedStefan Metzmacher2008-09-221-1/+1
| | | | metze
* Revert "Rename smbd -> samba."Jelmer Vernooij2008-09-211-1/+1
| | | | This reverts commit 0e9008be35a5b334bd65e6417193d4b8f27bdc36.
* Rename smbd -> samba.Jelmer Vernooij2008-09-211-1/+1
|
* Update copyrightAndrew Bartlett2008-09-051-1/+1
| | | | (This used to be commit edea162a0e11f03b4b6069388abbca099f097386)
* Implement NETLOGON PAC verfication on the server-sideAndrew Bartlett2008-09-031-0/+112
| | | | | | | | This is implemented by means of a message to the KDC, to avoid having to link most of the KDC into netlogon. Andrew Bartlett (This used to be commit 82fcd7941f5c54da2d994c8bd99dd8d86299a296)
* Heimdal provides Kerberos PAC parsing routines. Use them.Andrew Bartlett2008-08-281-37/+7
| | | | | | | | | | | | | | This uses Heimdal's PAC parsing code in the: - LOCAL-PAC test - gensec_gssapi server - KDC (where is was already used, the support code refactored from here) In addition, the service and KDC checksums are recorded in the struct auth_serversupplied_info, allowing them to be extracted for validation across NETLOGON. Andrew Bartlett (This used to be commit 418b440a7b8cdb53035045f3981d47b078be6c1e)
* kdc: move references to heimdal internals into heimdal_build/kpasswd-glue.hStefan Metzmacher2008-08-261-2/+1
| | | | | metze (This used to be commit 65057f17b0d9e83f1b775afdeb7ea91ce0e52cd1)
* Only allow the trust in the correct direction (per the flags).Andrew Bartlett2008-08-261-3/+9
| | | | (This used to be commit 2c7195429411d68bc66f4100659c622df4f5a20a)
* Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-localAndrew Bartlett2008-08-251-11/+13
|\ | | | | | | (This used to be commit a555334db67527b57bc6172e3d08f65caf1e6760)
| * kdc/pac-glue: pull/push the logon_info via the PAC_INFO unionStefan Metzmacher2008-08-201-11/+13
| | | | | | | | | | | | | | This prepares the next commit... metze (This used to be commit 7d297f7fb7a3ac388390429db7cb16fa60d3f8c0)
* | Trusted domains implementation for the KDC.Andrew Bartlett2008-08-151-12/+193
| | | | | | | | | | | | | | | | At this stage, only arcfour-hmac-md5 trusts are used, and all trusts are presumed bi-directional. Much more work still to be done. Andrew Bartlett (This used to be commit 3e9f5c28165e66d78c020d10b97b9dc4a0038cd8)
* | More work towards trusted domain support in the KDC.Andrew Bartlett2008-08-081-25/+93
| | | | | | | | (This used to be commit c87d732b23ad7de8dc2f824bf11c9310fb4184e1)
generated by cgit (git 2.34.1) at 2025-09-27 17:47:06 +0000