path: root/source4/kdc
Commit log (each entry: subject; then author, date, files changed, lines removed/added; then the commit message):
* kdc: Fix S4U2Self handling with KRB5_NT_ENTERPRISE_PRINCIPAL containing a UPN
  [Andrew Bartlett, 2015-03-09, 1 file changed, -21/+0]
  This is now handled properly by samba_kdc_lookup_server() and this wrapper actually breaks things.
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* kdc: make Samba KDC pass new TGS-REQ and AS-REQ (to self) testing
  [Andrew Bartlett, 2015-02-08, 1 file changed, -58/+148]
  This also reverts 51b94ab3fd4d13ee38813eb7d20db11edaa667a8 as our testing shows Windows 2012R2 does not have this behaviour.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* kdc: fixup KDC to use functions portable to MIT krb5
  [Andrew Bartlett, 2015-02-08, 1 file changed, -1/+1]
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* kdc: Correctly return the krbtgt/realm@REALM principal from our KDC
  [Andrew Bartlett, 2015-01-23, 1 file changed, -25/+31]
  This needs to vary depending on whether the client requested the canonicalize flag.
  This was found by our new krb5.kdc test.
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* kdc: Add TODO to remind us where we need to hook for RODC to get secrets
  [Andrew Bartlett, 2015-01-23, 1 file changed, -0/+1]
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* kdc: Fix Samba's KDC to only change the principal in the right cases
  [Andrew Bartlett, 2015-01-23, 1 file changed, -9/+23]
  If we are set to canonicalize, we get back the fixed UPPER case realm, and the real username (ie matching LDAP samAccountName).
  Otherwise, if we are set to enterprise, we get back the whole principal as-sent.
  Finally, if we are not set to canonicalize, we get back the fixed UPPER case realm, but the as-sent username.
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* kdc: Fix enterprise principal name handling
  [Andrew Bartlett, 2015-01-23, 2 files changed, -11/+24]
  Based on a patch by Samuel Cabrero <scabrero@zentyal.com>
  This ensures we write the correct (implicit, samAccountName) based UPN into the ticket, rather than the userPrincipalName, which will have a different realm.
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
* s4:kdc/db-glue: fix supported_enctypes samba_kdc_trust_message2entry()
  [Stefan Metzmacher, 2015-01-21, 1 file changed, -5/+5]
  This avoids writing invalid memory, because num_keys was calculated in a wrong way...
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* s4:kdc: add aes key support for trusted domains
  [Stefan Metzmacher, 2014-12-19, 1 file changed, -37/+148]
  We have a look at "msDS-SupportedEncryptionTypes" and >= DS_DOMAIN_FUNCTION_2008
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Günther Deschner <gd@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Fri Dec 19 15:39:40 CET 2014 on sn-devel-104
* s4:kdc: remove unused allow_warnings=True for 'MIT_SAMBA'
  [Stefan Metzmacher, 2014-11-25, 1 file changed, -1/+0]
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s4:kdc: comment out unused code in db-glue.c
  [Stefan Metzmacher, 2014-11-25, 1 file changed, -2/+2]
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* Fix commented out code in kpasswd server to use correct function
  [Andrew Bartlett, 2014-09-27, 1 file changed, -1/+1]
  The fix in ac2d31e24cfa24f6674b645b3661a1a2ce9ab060 picked the wrong function name.
  This is meant to be the remote address, not the local one, if we ever have to re-instate this code.
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth: Split out fetching trusted domain into sam_get_results_trust()
  [Andrew Bartlett, 2014-09-01, 1 file changed, -37/+15]
  This new helper function will also be used by pdb_samba_dsdb.
  Change-Id: I008af94a0822012c211cfcc6108a8b1285f4d7c7
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s3/s4: smbd, rpc, ldap, cldap, kdc services.
  [Jeremy Allison, 2014-06-07, 1 file changed, -2/+10]
  Allow us to start if we bind to *either* :: or 0.0.0.0.
  Allows us to cope with systems configured as only IPv4 or only IPv6.
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-By: Amitay Isaacs <amitay@gmail.com>
  Reviewed-By: Alexander Bokovoy <ab@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Sat Jun 7 01:01:44 CEST 2014 on sn-devel-104
* kerberos: Remove un-used event context argument from smb_krb5_init_context()
  [Andrew Bartlett, 2014-04-28, 1 file changed, -1/+1]
  The event context here was only specified in the server or admin-tool context, which does not do network communication, so this only caused a talloc_reference() and never any useful result.
  The actual network communication code sets an event context directly before making the network call.
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Mon Apr 28 02:24:57 CEST 2014 on sn-devel-104
* kdc: call authsam_zero_bad_pwd_count on successful AS-REQ
  [Andrew Bartlett, 2014-04-02, 1 file changed, -0/+2]
  Change-Id: I91bb663dcf1b1033cf756a860404c677e4ac4ade
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* kdc: Include values from msDS-User-Account-Control-Computed when checking user flags
  [Andrew Bartlett, 2014-04-02, 1 file changed, -0/+20]
  Change-Id: I27280d7dd139c6c65dddac611dbdcd7e518ee536
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* kdc: Set flags.locked_out on a locked-out user.
  [Andrew Bartlett, 2014-04-02, 1 file changed, -1/+1]
  This only changes the log output; the same error is still returned.
  Change-Id: Id3c13e9373140c276783e5bd288f29de2bf4a45d
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:auth: Add password lockout support to the AD DC
  [Andrew Bartlett, 2014-04-02, 1 file changed, -1/+17]
  Including a fix by Arvid Requate <requate@univention.de>
  Change-Id: I25d10da50dd6119801cd37349cce970599531c6b
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Put password lockout support in samdb_result_passwords()
  [Andrew Bartlett, 2014-04-02, 1 file changed, -2/+7]
  This seems to be the best choke point to check for locked out accounts, as aside from the KDC, all the password authentication and change callers use it.
  Andrew Bartlett
  Change-Id: I0f21a79697cb8b08ef639445bd05a896a2c9ee1b
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:kdc: explicitly use allow_warnings=True for MIT_SAMBA
  [Stefan Metzmacher, 2014-04-02, 1 file changed, -0/+1]
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: make use of gensec_update_ev()
  [Stefan Metzmacher, 2014-03-27, 1 file changed, -1/+1]
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* kdc: Use correct KDC include path when building against the system heimdal
  [Andrew Bartlett, 2014-03-14, 1 file changed, -5/+11]
  This ensures we notice any API changes at compile time.
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
* s4:lib/socket: simplify iface_list_wildcard() and its callers
  [Stefan Metzmacher, 2014-03-07, 1 file changed, -1/+1]
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10464
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Change-Id: Ib317d71dea01fc8ef6b6a26455f15a8a175d59f6
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Fri Mar 7 02:18:17 CET 2014 on sn-devel-104
* kdc: Free the resource which is not used anymore
  [Santosh Kumar Pradhan, 2014-02-21, 1 file changed, -0/+1]
  In the samba_kdc_firstkey() routine, krb5_get_default_realm() allocates memory for "realm" but it is never used afterwards. Free() the leaked memory.
  CID: 1107223
  Signed-off-by: Santosh Kumar Pradhan <spradhan@redhat.com>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* kdc: Add belts-and-braces check that we fail if the hdb version changes
  [Andrew Bartlett, 2014-01-20, 2 files changed, -0/+11]
  This checks both if the host system's run-time Heimdal has changed version, and that the build-time version is supported.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Mon Jan 20 22:26:49 CET 2014 on sn-devel-104
* Support for Heimdal's unified krb5 and hdb plugin system.
  [Jeffrey Clark, 2014-01-21, 1 file changed, -0/+16]
  Fixes exportkeytab and a kdc crash when building against heimdal master.
  Bug-Debian: http://bugs.debian.org/732342
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
* s4:kdc fix compiler warnings
  [Christian Ambach, 2013-12-12, 1 file changed, -2/+1]
  about set but unused variables
  Signed-off-by: Christian Ambach <ambi@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* Cope with first element in hdb_method having a different name in different heimdal versions.
  [Jelmer Vernooij, 2013-11-28, 1 file changed, -1/+1]
  It's called `interface_version` in older Heimdal versions and `version` in newer versions.
  Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Thu Nov 28 04:17:55 CET 2013 on sn-devel-104
* s4-kdc: Improve grammar and clarity of password change failure messages.
  [Andrew Bartlett, 2012-09-01, 1 file changed, -4/+3]
  This can still be improved further, but avoid mentioning reasons that clearly do not apply in this case.
  Andrew Bartlett
* s4-kdc: Give information on how long the password history is
  [Andrew Bartlett, 2012-08-31, 1 file changed, -1/+2]
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Fri Aug 31 08:06:17 CEST 2012 on sn-devel-104
* lib/krb5_wrap: Move kerberos_enctype_to_bitmap() into krb5_wrap
  [Andrew Bartlett, 2012-08-28, 1 file changed, -20/+0]
* s4:kdc/wdc-samba4.c - fix user logins on specific workstations
  [Matthias Dieter Wallnöfer, 2012-08-14, 1 file changed, -4/+5]
  The decrement operation has been missing.
  Problem found by Mohammad Ebrahim Abravi <lamp.mia@gmail.com>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* lib/param: Create a separate server role for "active directory domain controller"
  [Andrew Bartlett, 2012-06-15, 1 file changed, -1/+5]
  This will allow us to detect from the smb.conf if this is a Samba4 AD DC, which will allow smarter handling of (for example) accidentally starting smbd rather than samba.
  To cope with upgrades from existing Samba4 installs, 'domain controller' is a synonym of 'active directory domain controller' and new parameters 'classic primary domain controller' and 'classic backup domain controller' are added.
  Andrew Bartlett
* heimdal: Cope with newer Heimdal versions accepting a keyset argument to hdb_enctype2key.
  [Jelmer Vernooij, 2012-05-07, 1 file changed, -0/+4]
  Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
  Autobuild-Date: Mon May 7 18:33:10 CEST 2012 on sn-devel-104
* Make krb5 context initialization not heimdal specific
  [Simo Sorce, 2012-04-23, 1 file changed, -1/+1]
  Turn the logging data to an opaque pointer.
  Ifdef code and use MIT logging function when built against system MIT.
* Move kdc_get_policy helper in the lsa server where it belongs.
  [Simo Sorce, 2012-04-20, 5 files changed, -94/+18]
  This was used in only 2 places, db-glue.c and the lsa server.
  In db-glue.c it is awkward though, as it forces us to use an inconvenient lsa structure and conversions from time_t to nt_time only to have nt_times converted back to time_t for actual use. This is silly.
  Also the kdc-policy file was a single function library, that's just ridiculous.
  The loadparm helper is all we need to keep the values consistent, and if we ever end up doing something with group policies we will care about it when it's the time. The code would have to change quite a lot anyway.
  Autobuild-User: Simo Sorce <idra@samba.org>
  Autobuild-Date: Fri Apr 20 01:53:37 CEST 2012 on sn-devel-104
* Use loadparm helper to find lifetime defaults
  [Simo Sorce, 2012-04-19, 1 file changed, -6/+10]
  Implicitly fixes buggy use of int for time_t
* auth-krb: Move pac related util functions in a single place.
  [Simo Sorce, 2012-04-12, 1 file changed, -0/+1]
  Signed-off-by: Andreas Schneider <asn@samba.org>
* s4-auth-krb: Move function to db-glue.c and make it static.
  [Simo Sorce, 2012-04-12, 1 file changed, -0/+21]
  kerberos_enctype_to_bitmap is not used anywhere else, so just move it there and make it static, one less dependency to worry about.
  Signed-off-by: Andreas Schneider <asn@samba.org>
* Log short_princ instead of uninitialised filter.
  [Michael Wood, 2012-01-21, 1 file changed, -5/+6]
  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Sat Jan 21 13:06:35 CET 2012 on sn-devel-104
* auth/kerberos: Remove unused TALLOC_CTX argument to check_pac_checksum
  [Andrew Bartlett, 2012-01-12, 1 file changed, -1/+1]
* s4-kdc Do the KDC PAC checksum validation in the Samba plugin
  [Andrew Bartlett, 2012-01-12, 6 files changed, -44/+152]
  Here we can fetch the right key, and check if the PAC is likely to be signed by a key that we know.
  We cannot check the KDC signature on incoming trusts.
  Andrew Bartlett
* s4-kdc: use IDL constant NETLOGON_GENERIC_KRB5_PAC_VALIDATE
  [Andrew Bartlett, 2012-01-12, 1 file changed, -1/+1]
* s4-kdc: only build hdb plugin if we build against system Heimdal
  [Andrew Bartlett, 2011-12-07, 1 file changed, -0/+1]
  It is not safe to have a system kadmin use our plugin if we do not share the same libkrb5.
  Andrew Bartlett
* s4-kdc: Add hdb plugin for samba4, to allow kadmin to work
  [Andrew Bartlett, 2011-11-30, 5 files changed, -40/+103]
  This will help users who are used to the kadmin interface, and could be extended to import existing MIT or Heimdal keys into a Samba4 AD domain.
  To use, add to your krb5.conf
      [kdc]
          database = {
              dbname = samba4:
          }
  or
      [kdc]
          database = {
              dbname = samba4:/usr/local/samba/etc/smb.conf
          }
  And copy hdb_samba4.so from PREFIX/modules/hdb to your Heimdal lib directory
  Andrew Bartlett
  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Wed Nov 30 03:22:11 CET 2011 on sn-devel-104
* gensec: move event context from gensec_*_init() to gensec_update()
  [Andrew Bartlett, 2011-10-18, 1 file changed, -1/+1]
  This avoids keeping the event context around on the gensec_security context structure long term.
  In the Samba3 server, the event context we either supply is a NULL pointer as no server-side modules currently use the event context.
  Andrew Bartlett
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* pac: Fix wrong memory allocation check
  [Simo Sorce, 2011-10-11, 1 file changed, -1/+1]
  Autobuild-User: Simo Sorce <idra@samba.org>
  Autobuild-Date: Tue Oct 11 01:18:22 CEST 2011 on sn-devel-104
* s4-kdc: fixed handling of previous vs current trust password
  [Andrew Tridgell, 2011-10-04, 1 file changed, -36/+77]
  This sorts out the correct handling for the 'kvno=255' problem.
  Windows will use the previous trust password for 1 hour after a password set, and indicates that the previous password is being used by sending current_kvno-1. That maps to 255 if the trust password has not actually been changed, so the initial trust password is being used.
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-kdc: don't look at global catalog NCs in the kdc
  [Andrew Tridgell, 2011-10-04, 2 files changed, -16/+23]
  The kdc should not be looking for users in GC partial replicas, as these users do not have all of the attributes needed for the KDC to operate.
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>