| Commit message | Author | Age | Files | Lines |
in any
case.
This prevents a segfault when get_kdc_ip_string() is called
with sitename == NULL.
Michael
Jeremy.
data to krb5_prompter.
Jeremy.
winbindd's kerberized pam_auth use that.
Guenther
NTSTATUS
codes directly out of the krb5_error edata.
Guenther
Guenther
calling convention in the latest MIT changes. Apparently Heimdal
is also changing to this calling convention.
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".
Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).
Guenther
Guenther
Guenther
ask for the list of DCs twice.
Guenther
site support in a network where many DCs are down.
I heard via Volker there is still a bug w.r.t. the
wrong site being chosen with trusted domains but
we'll have to layer that fix on top of this.
Gd - complain if this doesn't work for you.
Jeremy.
Guenther
Jeremy.
Jeremy.
be polite enough to make a backup.
Jeremy.
Jeremy.
overwritten by winbindd. Don't enable this :-).
Jeremy.
server in winbindd when it's down and listed
in the -ve connection cache. Fix memory leak,
reduce timeout for cldap calls - minimum 3 secs.
Jeremy.
the get_dc_list code to get the _kerberos. names
for site support. This way we don't depend on one
KDC to do ticket refresh. Even though we know it's
up when we add it, it may go down when we're trying
to refresh.
Jeremy.
get the syntax right... :-).
Jeremy.
Jeremy.
Jeremy.
Jeremy.
Jeremy.
of 700, and 644 instead of 600. Reading might help
debugging.
Jeremy.
krb5.conf files under lockdir, not privatedir.
Jeremy.
Jeremy.
separate directory.
Jeremy.
working right. Don't update the server site when we
have a client one...
Jeremy.
Jeremy.
struct so we can see when they match - only create
the ugly krb5 hack when they do.
Jeremy.
Jeremy.
writing out a custom krb5.conf file containing
the KDC I need. This may suck.... Needs some
testing :-).
Jeremy.
check this is your new code.
Jeremy.
when fetching the DES salting principal
Major points of interest:
* Figure the DES salt based on the domain functional level
and UPN (if present and applicable)
* Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC
keys
* Remove all the case permutations in the keytab entry
generation (to be partially re-added only if necessary).
* Generate keytab entries based on the existing SPN values
in AD
The resulting keytab looks like:
ktutil: list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
2 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
3 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
4 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
5 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
6 6 host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
7 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
8 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
9 6 suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName)
and the sAMAccountName value. The UPN will be added as well if the machine has
one. This fixes 'kinit -k'.
Tested keytab using mod_auth_krb and MIT's telnet. ads_verify_ticket()
continues to work with RC4-HMAC and DES keys.
Guenther
kerberized pam_winbind and workstation restrictions are in effect.
The krb5 AS-REQ needs to add the host netbios-name in the address-list.
We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from
the edata of the KRB_ERROR but the login at least fails when the local
machine is not in the workstation list on the DC.
Guenther
smb_krb5_parse_name_norealm_conv that pull/push from unix charset
to utf8 (which krb5 uses on the wire). This should fix issues when
the unix charset is not compatible with or set to utf8.
Jeremy.
We were using a far too short renewable_time in the request; newer MIT
releases take care internally that the renewable time is never shorter
than the default ticket lifetime.
Guenther
kerberos_kinit_password_ext provides access to more options.
Guenther
I'm disabling it for now until we have an effective
means of dealing with the ticket request flags for users
and computers.
Guenther
Sync with trunk as of r13315