path: root/source4/auth/kerberos
Commit message | Author | Age | Files | Lines
* s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs | Stefan Metzmacher | 2011-06-22 | 1 | -1/+48
  If the KDC does not support S4U2Proxy, it might return a ticket for the TGT client principal.
  metze
* s4:auth/kerberos: add S4U2Proxy support to kerberos_kinit_password_cc() | Stefan Metzmacher | 2011-06-22 | 3 | -5/+134
  For S4U2Proxy we need to use the ticket from the S4U2Self stage and ask the kdc for the delegated ticket for the target service.
  metze
* s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs | Stefan Metzmacher | 2011-06-22 | 1 | -1/+47
  Old KDCs may not support S4U2Self (or S4U2Proxy) and return tickets which belong to the client principal of the TGT.
  metze
  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Wed Jun 22 09:10:55 CEST 2011 on sn-devel-104
* s4:auth/kerberos: remove one indentation level in kerberos_kinit_password_cc() | Stefan Metzmacher | 2011-06-22 | 1 | -94/+99
  This will make the following changes easier to review.
  metze
* s4:auth/kerberos: reformat kerberos_kinit_password_cc() | Stefan Metzmacher | 2011-06-22 | 1 | -32/+41
  In order to make the following changes easier to review.
  metze
* s4:auth/kerberos: don't mix s4u2self creds with machine account creds | Stefan Metzmacher | 2011-06-22 | 1 | -24/+76
  It's important that we don't store the tgt for the machine account in the same krb5_ccache as the ticket for the impersonated principal. We may pass it to some krb5/gssapi functions and they may use them in the wrong way, which would grant machine account privileges to the client.
  metze
* s4:auth/kerberos: use better variable names in kerberos_kinit_password_cc() | Stefan Metzmacher | 2011-06-22 | 1 | -27/+41
  This will make the following changes easier to review.
  metze
* s4:auth/kerberos: don't ignore return code in kerberos_kinit_password_cc() | Stefan Metzmacher | 2011-06-22 | 1 | -0/+2
  metze
* s4/auth: Trivial spelling fixes. | Brad Hards | 2011-06-21 | 1 | -3/+3
  Signed-off-by: Andrew Tridgell <tridge@samba.org>
* libcli/util Rename common map_nt_error_from_unix to avoid duplicate symbol | Andrew Bartlett | 2011-06-20 | 1 | -2/+2
  The two error tables need to be combined, but for now separate the names.
  (As the common parts of the tree now use the _common function, errmap_unix.c must be included in the s3 autoconf build).
  Andrew Bartlett
  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Mon Jun 20 08:12:03 CEST 2011 on sn-devel-104
* libcli/util Bring samba4 unix -> nt_status code in common. | Andrew Bartlett | 2011-06-20 | 1 | -1/+1
  Due to library link orders, this is already the function that is being used. However we still need to sort out the duplicate symbol issues, probably by renaming things.
  Andrew Bartlett
* s4:auth/credentials: pass 'self_service' to cli_credentials_set_impersonate_principal() | Stefan Metzmacher | 2011-05-18 | 1 | -2/+6
  This also adds a cli_credentials_get_self_service() helper function.
  In order to support S4U2Proxy we need to be able to set the service principal for the S4U2Self step independent of the target principal.
  metze
* s4-param Remove config_path() -> lpcfg_config_path() | Andrew Bartlett | 2011-04-29 | 1 | -1/+1
  This is consistent with lock_path()
  Andrew Bartlett
* libcli/auth Move PAC parsing and verification in common. | Andrew Bartlett | 2011-04-20 | 2 | -334/+17
  This uses the source3 PAC code (originally from Samba4) with some small changes to restore functionality needed by the torture tests, and to have a common API.
  Andrew Bartlett
* s3-auth Rename smb_krb5_open_keytab to avoid a conflict with s3 | Andrew Bartlett | 2011-04-14 | 1 | -7/+7
  The s3 function doesn't use the keytab_container concept.
  Andrew Bartlett
* libcli/auth Move krb5 wrapper functions from s3 into common | Andrew Bartlett | 2011-04-14 | 3 | -113/+4
  This requires a small rework of the build system to ensure that the correct #define statements are made in both the s3 and top level builds. We now define the various HAVE_ macros in config.h at all times, using heimdal_build/wscript_configure when that is in use.
  Andrew Bartlett
* lib: make asn1_util a private library | Andrew Tridgell | 2011-04-06 | 1 | -1/+1
  this prevents symbol duplication of the asn1 symbols in the service and ntvfs subsystems
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-krb5: be a bit less verbose about krb5 packets | Andrew Tridgell | 2011-04-04 | 1 | -1/+1
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* source4/auth: Fix prototypes for all functions. | Jelmer Vernooij | 2011-03-19 | 2 | -0/+10
* librpc: make NDR_KRB5PAC a shared library (libndr-krb5pac.so). | Günther Deschner | 2011-02-14 | 1 | -1/+1
  Simo, please check.
  Guenther
  Autobuild-User: Günther Deschner <gd@samba.org>
  Autobuild-Date: Mon Feb 14 18:54:38 CET 2011 on sn-devel-104
* ldb: use #include <ldb.h> for ldb | Andrew Tridgell | 2011-02-10 | 1 | -1/+1
  this ensures we are using the header corresponding to the version of ldb we're linking against. Otherwise we could use the system ldb for link and the in-tree one for include
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-krb5: authkrb5 should depend on ldb | Andrew Tridgell | 2011-02-10 | 1 | -1/+1
  this fixes the include path to add ldb
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-auth Rework auth subsystem to remove struct auth_serversupplied_info | Andrew Bartlett | 2011-02-09 | 2 | -50/+57
  This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is maintained into the struct session_info.
  The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results.
  Andrew Bartlett
* heimdal_build: Add missing dependencies when building with system heimdal. | Jelmer Vernooij | 2011-01-01 | 1 | -1/+1
  Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
  Autobuild-Date: Sat Jan 1 04:46:35 CET 2011 on sn-devel-104
* s4:auth/kerberos/kerberos_pac.c - fix another memory leak regarding the KRB principal | Matthias Dieter Wallnöfer | 2010-12-04 | 1 | -1/+4
  In addition fix a counter type
  Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
  Autobuild-Date: Sat Dec 4 15:14:46 CET 2010 on sn-devel-104
* s4-auth: fixed infinite loop in krb5 auth | Andrew Tridgell | 2010-11-14 | 1 | -1/+1
  we were continually trying the first address returned, instead of moving to the next address
  Autobuild-User: Andrew Tridgell <tridge@samba.org>
  Autobuild-Date: Sun Nov 14 04:11:28 UTC 2010 on sn-devel-104
* s4-auth: fixed crash in krb5 auth | Andrew Tridgell | 2010-11-14 | 1 | -2/+1
  remote_addr was used after free
* s4-kerberos Mention the remote address we fail to contact the KDC on | Andrew Bartlett | 2010-11-05 | 1 | -1/+10
* s4-auth: unconditionally set previous_ev | Andrew Tridgell | 2010-11-04 | 1 | -3/+1
  we need the caller to know when the previous_ev was NULL
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4: Remove the old perl/m4/make/mk-based build system. | Jelmer Vernooij | 2010-10-31 | 2 | -561/+0
  The new waf-based build system now has all the same functionality, and the old build system has been broken for quite some time.
  Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
  Autobuild-Date: Sun Oct 31 02:01:44 UTC 2010 on sn-devel-104
* s4-auth: make KERBEROS subsystem into authkrb5 private library | Andrew Tridgell | 2010-10-30 | 1 | -7/+8
  this fixes some double linking. The name 'KERBEROS' was also a bit confusing, as it sounded like a base kerberos library, when it is in fact part of auth
* waf: Remove lib prefix from libraries manually. | Jelmer Vernooij | 2010-10-26 | 1 | -1/+1
* s4-credentials Add explicit event context handling to Kerberos calls (only) | Andrew Bartlett | 2010-10-11 | 4 | -23/+127
  By setting the event context to use for this operation (only) onto the krb5_context just before we call that operation, we can try and emulate the specification of an event context to the actual send_to_kdc()
  This eliminates the specification of an event context to many other cli_credentials calls, and the last use of event_context_find()
  Special care is taken to restore the event context in the event of nesting in the send_to_kdc function.
  Andrew Bartlett
* s4-kerberos Remove unused parameter | Andrew Bartlett | 2010-10-11 | 2 | -3/+1
* s4-kerberos Remove unused variable | Andrew Bartlett | 2010-10-11 | 1 | -1/+0
* credentials: Split up into several subsystems. | Jelmer Vernooij | 2010-10-11 | 1 | -1/+1
* kerberos_util: Put into separate subsystem. | Jelmer Vernooij | 2010-10-11 | 2 | -1/+8
  Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
  Autobuild-Date: Mon Oct 11 00:34:56 UTC 2010 on sn-devel-104
* Add missing dependencies for com_err. | Jelmer Vernooij | 2010-10-05 | 1 | -1/+1
* heimdal: Fix name of hx509 library. | Jelmer Vernooij | 2010-10-05 | 1 | -1/+1
* s4-kerberos Don't regenerate key values for each alias in keytab | Andrew Bartlett | 2010-10-02 | 1 | -43/+35
  Instead, store the same key value under the multiple alias names.
  Andrew Bartlett
  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Sat Oct 2 00:16:52 UTC 2010 on sn-devel-104
* s4-auth Add make_server_info_pac() to include 'resource domain' groups | Andrew Bartlett | 2010-10-02 | 1 | -5/+3
  Previously, our PAC code didn't include these groups into the server_info from which we would eventually calculate the full list of tokenGroups.
  Andrew Bartlett
* s4-auth: fixed a valgrind error when creating keytabs | Andrew Tridgell | 2010-10-01 | 1 | -0/+3
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-kerberos Don't segfault if the password isn't specified in keytab generation | Andrew Bartlett | 2010-09-26 | 1 | -0/+7
  Andrew Bartlett
  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Sun Sep 26 03:29:34 UTC 2010 on sn-devel-104
* s4-kerberos Rework keytab handling to export servicePrincipalName entries | Andrew Bartlett | 2010-09-24 | 2 | -126/+164
  This creates keytab entries with all the servicePrincipalNames listed in the secrets.ldb entry.
  Andrew Bartlett
* s4-kerberos Move 'set key into keytab' code out of credentials. | Andrew Bartlett | 2010-09-24 | 2 | -139/+229
  This code never really belonged in the credentials layer, and is easier done with direct access to the ldb_message that is in secrets.ldb.
  Andrew Bartlett
* s4-kerberos Fix kerberos_enctype_bitmap_to_enctypes() | Andrew Bartlett | 2010-09-24 | 1 | -2/+3
  The previous code never worked
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s4-kerberos: obey the credentials setting for forwardable tickets | Andrew Tridgell | 2010-09-16 | 3 | -27/+40
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-loadparm: 2nd half of lp_ to lpcfg_ conversion | Andrew Tridgell | 2010-07-16 | 1 | -2/+2
  this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s4:kerberos Add functions to convert msDS-SupportedEncryptionTypes | Andrew Bartlett | 2010-06-29 | 2 | -0/+60
  This will allow us to interpret this attribute broadly in Samba.
  Andrew Bartlett
* s4:provision Add an msDS-SupportedEncryptionTypes entry to our DC | Andrew Bartlett | 2010-06-29 | 1 | -0/+3
  This ensures that our DC will use all the available encryption types.
  (The KDC reads this entry to determine what the server supports)
  Andrew Bartlett