path: root/source/libads/kerberos.c
Commit message | Author | Age | Files | Lines
* r25030: ip_srv_nonsite and count_nonsite are initialized in get_kdc_list() | Lars Müller | 2007-10-10 | 1 | -2/+2
  in any case.
* r24836: Initialize some uninitialized variables. | Michael Adam | 2007-10-10 | 1 | -3/+5
  This prevents a segfault when get_kdc_ip_string() is called with sitename == NULL. Michael
* r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text | Andrew Tridgell | 2007-10-10 | 1 | -2/+1
* r23779: Change from v2 or later to v3 or later. | Jeremy Allison | 2007-10-10 | 1 | -1/+1
  Jeremy.
* r23147: Patch #4566 from jacob berkman <jberkman@novell.com>. Pass password | Jeremy Allison | 2007-10-10 | 1 | -1/+2
  data to krb5_prompter. Jeremy.
* r22666: Expand kerberos_kinit_password_ext() to return NTSTATUS codes and make | Günther Deschner | 2007-10-10 | 1 | -3/+29
  winbindd's kerberized pam_auth use that. Guenther
* r22664: When we have krb5_get_init_creds_opt_get_error() then try to get the | Günther Deschner | 2007-10-10 | 1 | -0/+121
  NTSTATUS codes directly out of the krb5_error edata. Guenther
* r22663: Restructure kerberos_kinit_password_ext() error path. | Günther Deschner | 2007-10-10 | 1 | -53/+33
  Guenther
* r21779: I missed a call to krb5_get_init_creds_opt_alloc in r21778. | James Peach | 2007-10-10 | 1 | -1/+1
* r21778: Wrap calls to krb5_get_init_creds_opt_free to handle the different | James Peach | 2007-10-10 | 1 | -2/+2
  calling convention in the latest MIT changes. Apparently Heimdal is also changing to this calling convention.
* r21240: Fix longstanding Bug #4009. | Günther Deschner | 2007-10-10 | 1 | -1/+5
  For the winbind cached ADS LDAP connection handling (ads_cached_connection()) we were (incorrectly) assuming that the service ticket lifetime equaled the tgt lifetime. For setups where the service ticket just lives 10 minutes, we were leaving hundreds of LDAP connections in CLOSE_WAIT state, until we fail to service entirely with "Too many open files".

  Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP connection after the ads_do_search_retry() has failed to submit the search request (although the bind succeeded (returning an expired service ticket that we cannot delete from the memory cred cache - this will get fixed later)).

  Guenther
* r21238: Fix tab indent in self-written krb5.confs. | Günther Deschner | 2007-10-10 | 1 | -1/+1
  Guenther
* r21110: Fix kinit with Heimdal (Bug #4226). | Günther Deschner | 2007-10-10 | 1 | -13/+26
  Guenther
* r20860: Adding some small tweaks. When we have no sitename, there is no need to | Günther Deschner | 2007-10-10 | 1 | -11/+14
  ask for the list of DCs twice. Guenther
* r20857: Silence gives assent :-). Checking in the fix for | Jeremy Allison | 2007-10-10 | 1 | -14/+51
  site support in a network where many DC's are down. I heard via Volker there is still a bug w.r.t the wrong site being chosen with trusted domains but we'll have to layer that fix on top of this. Gd - complain if this doesn't work for you. Jeremy.
* r18512: Add krb5conf file environment to debug statement. | Günther Deschner | 2007-10-10 | 1 | -2/+3
  Guenther
* r18241: If replacing the krb5.conf, ensure it's readable. | Jeremy Allison | 2007-10-10 | 1 | -0/+10
  Jeremy.
* r18226: Ensure we only do this evil thing if it's our realm. | Jeremy Allison | 2007-10-10 | 1 | -2/+1
  Jeremy.
* r18225: If we're going to overwrite krb5.conf, at least | Jeremy Allison | 2007-10-10 | 1 | -20/+42
  be polite enough to make a backup. Jeremy.
* r18201: Make explicit what's going on here. | Jeremy Allison | 2007-10-10 | 1 | -1/+2
  Jeremy.
* r18200: Experimental code to allow system /etc/krb5.conf to be | Jeremy Allison | 2007-10-10 | 1 | -42/+63
  overwritten by winbindd. Don't enable this :-). Jeremy.
* r18010: Ensure we don't timeout twice to the same | Jeremy Allison | 2007-10-10 | 1 | -0/+3
  server in winbindd when it's down and listed in the -ve connection cache. Fix memory leak, reduce timeout for cldap calls - minimum 3 secs. Jeremy.
* r18006: Actually a smaller change than it looks. Leverage | Jeremy Allison | 2007-10-10 | 1 | -2/+49
  the get_dc_list code to get the _kerberos. names for site support. This way we don't depend on one KDC to do ticket refresh. Even though we know it's up when we add it, it may go down when we're trying to refresh. Jeremy.
* r18004: If you're writing out a krb5.conf, at least | Jeremy Allison | 2007-10-10 | 1 | -2/+2
  get the syntax right... :-). Jeremy.
* r18003: Creating a directory and getting EEXIST isn't an error. | Jeremy Allison | 2007-10-10 | 1 | -1/+1
  Jeremy.
* r18002: Improved debug. | Jeremy Allison | 2007-10-10 | 1 | -1/+2
  Jeremy.
* r18001: Proper error reporting on write/close fail. | Jeremy Allison | 2007-10-10 | 1 | -1/+7
  Jeremy.
* r18000: Get nelem/size args right for x_fwrite. | Jeremy Allison | 2007-10-10 | 1 | -1/+1
  Jeremy.
* r17999: No need to prevent others from reading. Use 755 instead | Jeremy Allison | 2007-10-10 | 1 | -2/+2
  of 700, and 644 instead of 600. Reading might help debugging. Jeremy.
* r17997: Ensure lockdir exists for winbindd. Store tmp | Jeremy Allison | 2007-10-10 | 1 | -1/+1
  krb5.conf files under lockdir, not privatedir. Jeremy.
* r17996: Don't talloc free the memory then reference it. Doh ! | Jeremy Allison | 2007-10-10 | 1 | -3/+4
  Jeremy.
* r17995: Ensure we create the domain-specific krb5 files in a | Jeremy Allison | 2007-10-10 | 1 | -8/+22
  separate directory. Jeremy.
* r17994: Add debugs that showed me why my site code wasn't | Jeremy Allison | 2007-10-10 | 1 | -0/+3
  working right. Don't update the server site when we have a client one... Jeremy.
* r17946: Fix couple of typos... | Jeremy Allison | 2007-10-10 | 1 | -1/+1
  Jeremy.
* r17945: Store the server and client sitenames in the ADS | Jeremy Allison | 2007-10-10 | 1 | -1/+10
  struct so we can see when they match - only create the ugly krb5 hack when they do. Jeremy.
* r17944: Handle locking madness. | Jeremy Allison | 2007-10-10 | 1 | -11/+32
  Jeremy.
* r17943: The horror, the horror. Add KDC site support by | Jeremy Allison | 2007-10-10 | 1 | -0/+58
  writing out a custom krb5.conf file containing the KDC I need. This may suck.... Needs some testing :-). Jeremy.
* r17345: Some C++ warnings | Volker Lendecke | 2007-10-10 | 1 | -1/+2
* r17003: Fix coverity #303 - possible null deref. Jerry please | Jeremy Allison | 2007-10-10 | 1 | -0/+1
  check this is your new code. Jeremy.
* r16957: fix cut-n-paste error. The check for 'if (!salt)' makes no sense | Gerald Carter | 2007-10-10 | 1 | -5/+0
  when fetching the DES salting principal
* r16955: Fix an uninitialized var -- Jerry, please check. | Volker Lendecke | 2007-10-10 | 1 | -2/+2
* r16952: New derive DES salt code and Krb5 keytab generation | Gerald Carter | 2007-10-10 | 1 | -471/+100
  Major points of interest:

    * Figure the DES salt based on the domain functional level and UPN (if present and applicable)
    * Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC keys
    * Remove all the case permutations in the keytab entry generation (to be partially re-added only if necessary).
    * Generate keytab entries based on the existing SPN values in AD

  The resulting keytab looks like:

    ktutil: list -e
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
       2    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
       3    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
       4    6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
       5    6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
       6    6 host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
       7    6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
       8    6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
       9    6 suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)

  The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName) and the sAMAccountName value. The UPN will be added as well if the machine has one. This fixes 'kinit -k'. Tested keytab using mod_auth_krb and MIT's telnet. ads_verify_ticket() continues to work with RC4-HMAC and DES keys.
* r16272: Fix memleak. | Günther Deschner | 2007-10-10 | 1 | -1/+2
  Guenther
* r15240: Correctly disallow unauthorized access when logging on with the | Günther Deschner | 2007-10-10 | 1 | -2/+24
  kerberized pam_winbind and workstation restrictions are in effect. The krb5 AS-REQ needs to add the host netbios-name in the address-list. We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from the edata of the KRB_ERROR but the login at least fails when the local machine is not in the workstation list on the DC. Guenther
* r15210: Add wrapper functions smb_krb5_parse_name, smb_krb5_unparse_name, | Jeremy Allison | 2007-10-10 | 1 | -15/+13
  smb_krb5_parse_name_norealm_conv that pull/push from unix charset to utf8 (which krb5 uses on the wire). This should fix issues when the unix charset is not compatible with or set to utf8. Jeremy.
* r14611: Fix init_creds_opts issue jerry discovered when using MIT krb5 1.3: | Günther Deschner | 2007-10-10 | 1 | -10/+0
  We were using a far too short renewable_time in the request; newer MIT releases take care internally that the renewable time is never shorter than the default ticket lifetime. Guenther
* r14585: Tighten argument list of kerberos_kinit_password again, | Günther Deschner | 2007-10-10 | 1 | -4/+20
  kerberos_kinit_password_ext provides access to more options. Guenther
* r14512: Guenther, This code breaks winbind with MIT krb1.3. | Gerald Carter | 2007-10-10 | 1 | -2/+12
  I'm disabling it for now until we have an effective means of dealing with the ticket request flags for users and computers.
* r14503: Fix principal in debug statement. | Günther Deschner | 2007-10-10 | 1 | -2/+1
  Guenther
* r13316: Let the carnage begin.... | Gerald Carter | 2007-10-10 | 1 | -9/+31
  Sync with trunk as of r13315