path: root/source4/kdc/db-glue.c

Commit log. Each entry gives the commit message, then (author, date; files changed, lines -removed/+added), then the commit body and trailers.
* lib/krb5_wrap: Move kerberos_enctype_to_bitmap() into krb5_wrap
  (Andrew Bartlett, 2012-08-28; 1 file, -20/+0)
* Move kdc_get_policy helper in the lsa server where it belongs.
  (Simo Sorce, 2012-04-20; 1 file, -7/+10)

  This was used in only 2 places, db-glue.c and the lsa server. In db-glue.c it is awkward though, as it forces the use of an inconvenient lsa structure and conversions from time_t to nt_time only to have nt_times converted back to time_t for actual use. This is silly. Also the kdc-policy file was a single function library, that's just ridiculous. The loadparm helper is all we need to keep the values consistent, and if we ever end up doing something with group policies we will care about it when the time comes. The code would have to change quite a lot anyway.

  Autobuild-User: Simo Sorce <idra@samba.org>
  Autobuild-Date: Fri Apr 20 01:53:37 CEST 2012 on sn-devel-104
* s4-auth-krb: Move function to db-glue.c and make it static.
  (Simo Sorce, 2012-04-12; 1 file, -0/+21)

  kerberos_enctype_to_bitmap is not used anywhere else, so just move it there and make it static, one less dependency to worry about.

  Signed-off-by: Andreas Schneider <asn@samba.org>
* Log short_princ instead of uninitialised filter.
  (Michael Wood, 2012-01-21; 1 file, -5/+6)

  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Sat Jan 21 13:06:35 CET 2012 on sn-devel-104
* s4-kdc: fixed handling of previous vs current trust password
  (Andrew Tridgell, 2011-10-04; 1 file, -36/+77)

  This sorts out the correct handling for the 'kvno=255' problem. Windows will use the previous trust password for 1 hour after a password set, and indicates that the previous password is being used by sending current_kvno-1. That maps to 255 if the trust password has not actually been changed, so the initial trust password is being used.

  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-kdc: don't look at global catalog NCs in the kdc
  (Andrew Tridgell, 2011-10-04; 1 file, -10/+13)

  The kdc should not be looking for users in GC partial replicas, as these users do not have all of the attributes needed for the KDC to operate.

  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-kdc: treat a kvno of 255 as unspecified
  (Andrew Tridgell, 2011-10-04; 1 file, -1/+4)

  Windows sometimes sends us a kvno of 255 for inter-domain trusts. We don't yet know why it does this, but it seems that we need to treat this as an unspecified kvno.

  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-kdc: set NO_GLOBAL_CATALOG control in kdc
  (Andrew Tridgell, 2011-09-22; 1 file, -3/+5)

  The kdc doesn't want to find users who are in partialReplica partitions, as they won't have the needed secret info for the kdc to operate. We need to generate referrals instead.

  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-kdc: default kvno for inter-domain trusts to zero
  (Andrew Tridgell, 2011-09-19; 1 file, -1/+9)

  The exact value doesn't matter, as both Samba and Windows check against the latest password, but the old default of -1 caused ASN.1 parsing errors on Windows, which prevented it answering TGS requests. Thanks to Hongwei Sun for finding this from a ttt trace.

  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-kdc: fixed subtree search in KDC
  (Andrew Tridgell, 2011-08-25; 1 file, -1/+3)

  Use ldb_get_default_basedn() with a subtree search.

  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: fix compiler warning
  (Stefan Metzmacher, 2011-08-02; 1 file, -1/+1)

  metze

  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Tue Aug 2 06:06:15 CEST 2011 on sn-devel-104
* s4:kdc: canonicalize the principal if HDB_F_FOR_TGS_REQ is given
  (Stefan Metzmacher, 2011-07-26; 1 file, -2/+7)

  Windows seems to always canonicalize the principal in TGS replies.

  metze

  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Tue Jul 26 03:25:06 CEST 2011 on sn-devel-104
* s4:kdc: implement samba_kdc_check_s4u2proxy()
  (Stefan Metzmacher, 2011-06-24; 1 file, -0/+105)

  metze
* s4:kdc: split s4u2self and s4u2proxy checks
  (Stefan Metzmacher, 2011-05-18; 1 file, -9/+20)

  metze
* s4:kdc: UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION => flags.trusted_for_delegation
  (Stefan Metzmacher, 2011-05-18; 1 file, -0/+14)

  metze
* kdc: always ldb escape the realm
  (Andrew Bartlett, 2011-04-05; 1 file, -1/+11)
* source4/kdc: Fix prototypes for all functions.
  (Jelmer Vernooij, 2011-03-19; 1 file, -0/+2)
* s4:kdc: fix calculation of the rodc kvno
  (Stefan Metzmacher, 2011-03-04; 1 file, -4/+12)

  Bit shifting is non-trivial in C:-)

  This

      int32_t a = 0x12340000;
      uint32_t b = (a >> 16);

  results in 0x00001234, but this

      int32_t a = 0xEDCB0000;
      uint32_t b = (a >> 16);

  results in 0xFFFFEDCB, while we expected 0x0000EDCB.

  metze
* s4-kdc: don't ask for an extended DN for krbtgt_dn
  (Andrew Tridgell, 2011-01-14; 1 file, -1/+1)

  Otherwise msg->dn would be non-minimal and would fail in searches.

  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4:kdc/*.c - minimise includes
  (Matthias Dieter Wallnöfer, 2010-12-12; 1 file, -9/+0)

  Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
  Autobuild-Date: Sun Dec 12 15:20:46 CET 2010 on sn-devel-104
* s4-lsa Implement kerberos ticket life policy
  (Andrew Bartlett, 2010-12-09; 1 file, -2/+24)

  We now no longer print tickets with a potentially infinite life, and we report the same life over LSA as we use in the KDC. We should get this from group policy, but for now it's parametric smb.conf options.

  Andrew Bartlett
* s4/kdc - fix a warning regarding a changed parameter type (kvno)
  (Matthias Dieter Wallnöfer, 2010-12-03; 1 file, -1/+1)

  Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
  Autobuild-Date: Fri Dec 3 23:56:15 CET 2010 on sn-devel-104
* s4-kdc Rework supported encryption type logic to match Microsoft
  (Andrew Bartlett, 2010-11-16; 1 file, -37/+16)

  Thanks to Hongwei Sun for the clear description of the algorithm involved. Importantly, it isn't possible to remove encryption types from the list, only to add them over the defaults (DES and arcfour-hmac-md5, and additional AES for DCs and RODCs). This changes the behaviour for entries with msDS-supportedEncryptionTypes: 0, which Angelos Oikonomopoulos reported finding set by ADUC when attempting to store cleartext passwords.

  Andrew Bartlett

  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Tue Nov 16 21:24:43 UTC 2010 on sn-devel-104
* s4-kdc Fix the realm handling again, this time pay attention to the flags
  (Andrew Bartlett, 2010-11-16; 1 file, -20/+20)

  The KDC sets different flags for the AS-REQ (this is client-dependent) and the TGS-REQ to determine if the realm should be forced to the canonical value. If we do this always, or do this never, we get into trouble, so it's much better to honour the flags we are given.

  Andrew Bartlett
* s4-kdc use 'flags' to only create the 'admin data' elements when requested
  (Andrew Bartlett, 2010-11-16; 1 file, -15/+19)

  This avoids setting these values when the caller simply does not care.

  Andrew Bartlett
* s4-kdc Add 'flags' parameter to db fetch calls
  (Andrew Bartlett, 2010-11-16; 1 file, -8/+35)

  This will allow these calls to honour the flags passed in from the KDC.

  Andrew Bartlett
* s4-kdc Fix realm handling in our KDC
  (Andrew Bartlett, 2010-11-15; 1 file, -38/+6)

  We should reset the realm part of the principal, but not the lowercase realm embedded in the 'krbtgt/realm@REALM'.

  Andrew Bartlett
* s4-kdc Return HDB_ERR_NOT_FOUND_HERE on un-revealed accounts on an RODC
  (Andrew Bartlett, 2010-11-12; 1 file, -1/+7)

  This means that when we are an RODC, and an account does not have the password attributes, we can now indicate to the kdc code that it should forward the request to a real DC. (The proxy code itself is not in this commit).

  Andrew Bartlett
* s4:"util_ldb" - remove some really unused dependencies
  (Matthias Dieter Wallnöfer, 2010-10-18; 1 file, -1/+0)
* Revert "s4:remove "util_ldb" submodule and integrate the three gendb_* calls in "dsdb/common/util.c""
  (Matthias Dieter Wallnöfer, 2010-10-17; 1 file, -0/+1)

  This reverts commit 8a2ce5c47cee499f90b125ebde83de5f9f1a9aa0.

  Jelmer pointed out that these are also in use by other LDB databases - not only SAMDB ones.

  Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
  Autobuild-Date: Sun Oct 17 13:37:16 UTC 2010 on sn-devel-104
* s4:remove "util_ldb" submodule and integrate the three gendb_* calls in "dsdb/common/util.c"
  (Matthias Dieter Wallnöfer, 2010-10-17; 1 file, -1/+0)

  They're only in use by SAMDB code.

  Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
  Autobuild-Date: Sun Oct 17 09:40:13 UTC 2010 on sn-devel-104
* samdb: Add flags argument to samdb_connect().
  (Jelmer Vernooij, 2010-10-10; 1 file, -1/+1)
* s4:kdc - use "userAccountControl" always unsigned
  (Matthias Dieter Wallnöfer, 2010-10-05; 1 file, -3/+3)

  It doesn't change much but it's nicer to have it consistent.
* s4:kdc/db-glue.c - remove unused variable
  (Matthias Dieter Wallnöfer, 2010-10-03; 1 file, -1/+0)

  Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
  Autobuild-Date: Sun Oct 3 17:30:34 UTC 2010 on sn-devel-104
* s4-kdc Remove special case kerberos restriction in the KDC
  (Andrew Bartlett, 2010-10-03; 1 file, -16/+0)

  We should avoid using Kerberos or any other recursive auth mechanism in ldb backends, but denying Kerberos here won't be enough, so remove the special case. (Typically we bind using a different password space and DIGEST-MD5 or NTLM).

  Andrew Bartlett
* s4-kdc Rework 'allowed encryption types' handling in the KDC
  (Andrew Bartlett, 2010-10-02; 1 file, -28/+44)

  All DCs and all krbtgt servers are forced to use AES, regardless of the msDS-SecondaryKrbTgtNumber value.

  Andrew Bartlett
* s4-kdc: RODC DCs should be able to produce forwardable tickets
  (Andrew Tridgell, 2010-09-28; 1 file, -1/+1)

  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-kdc Ensure that an RODC may act as a server (needed to fill the krbtgt role).
  (Andrew Bartlett, 2010-09-28; 1 file, -5/+24)

  Andrew Bartlett
* s4-kdc Handle the case where we may be given a ticket from an RODC in db layer
  (Andrew Bartlett, 2010-09-29; 1 file, -17/+48)

  This includes rewriting the PAC if the original krbtgt isn't to be trusted, and reading different entries from the DB for the krbtgt depending on the krbtgt number.

  Andrew Bartlett
* s4-kdc Add common setup, handle RODC setup case
  (Andrew Bartlett, 2010-09-29; 1 file, -0/+135)

  This means we just set up the system_session etc in one place and don't diverge between the MIT and Heimdal plugins. We also now determine if we are an RODC and store some details that we will need later.

  Andrew Bartlett
* s4-kdc Use msDS-SecondaryKrbTgtNumber to fill in the full KVNO
  (Andrew Bartlett, 2010-09-29; 1 file, -1/+18)

  Andrew Bartlett
* s4-kdc: prevent segfault on bad trust strings
  (Andrew Tridgell, 2010-09-16; 1 file, -4/+8)

  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-trusts: fix trustDomainPasswords drsblobs IDL and server side support.
  (Günther Deschner, 2010-08-25; 1 file, -7/+7)

  Also remove bogus trustCurrentPasswords struct which we just had because our IDL was incorrect.

  Guenther
* s4-loadparm: 2nd half of lp_ to lpcfg_ conversion
  (Andrew Tridgell, 2010-07-16; 1 file, -9/+9)

  This converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc Rework the 'allowed enc types' calculation
  (Andrew Bartlett, 2010-06-29; 1 file, -41/+35)

  This changes the calculation to apply the allowed enc types to all uses of the key (no point allowing a weak kinit to a key the server wanted strongly protected). It also ensures that all the non-DES keys are available on the krbtgt in particular, even as it does not have a msds-SupportedEncryptionTypes attributes.

  Andrew Bartlett
* s4:kdc Use msDS-SupportedEncTypes in our KDC
  (Andrew Bartlett, 2010-06-23; 1 file, -30/+54)

  We need to honour this, otherwise we will send AES-encrypted tickets to unprepared Kerberos targets.

  Andrew Bartlett
* s4:kdc/db-glue.c - remove unreachable code
  (Matthias Dieter Wallnöfer, 2010-06-20; 1 file, -4/+0)

  Would be nice if someone could check if this fits.
* Finish removal of iconv_convenience in public API's.
  (Jelmer Vernooij, 2010-05-18; 1 file, -6/+5)
* s4:kdc/db-glue.c - use "TALLOC_FREE" instead of "talloc_free" for the "priv" context
  (Matthias Dieter Wallnöfer, 2010-04-17; 1 file, -5/+5)

  Also after a free "priv" could be != NULL and may be freed again.

  This should fix bug #7365.
* s4:kdc/db-glue.c - fix integer counter types
  (Matthias Dieter Wallnöfer, 2010-04-12; 1 file, -6/+7)