path: root/source4/kdc

Commit log. Each entry lists the commit message, then the author, date, number of files changed and lines removed/added.
* s4-kdc: Improve grammar and clarity of password change failure messages.
  Andrew Bartlett, 2012-09-01, 1 file, -4/+3

  This can still be improved further, but avoid mentioning reasons that clearly do not apply in this case.

  Andrew Bartlett
* s4-kdc: Give information on how long the password history is
  Andrew Bartlett, 2012-08-31, 1 file, -1/+2

  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Fri Aug 31 08:06:17 CEST 2012 on sn-devel-104

* lib/krb5_wrap: Move kerberos_enctype_to_bitmap() into krb5_wrap
  Andrew Bartlett, 2012-08-28, 1 file, -20/+0
* s4:kdc/wdc-samba4.c - fix user logins on specific workstations
  Matthias Dieter Wallnöfer, 2012-08-14, 1 file, -4/+5

  The decrement operation was missing.

  Problem found by Mohammad Ebrahim Abravi <lamp.mia@gmail.com>

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* lib/param: Create a separate server role for "active directory domain controller"
  Andrew Bartlett, 2012-06-15, 1 file, -1/+5

  This will allow us to detect from the smb.conf if this is a Samba4 AD DC, which will allow smarter handling of (for example) accidentally starting smbd rather than samba.

  To cope with upgrades from existing Samba4 installs, 'domain controller' is a synonym of 'active directory domain controller' and new parameters 'classic primary domain controller' and 'classic backup domain controller' are added.

  Andrew Bartlett
* heimdal: Cope with newer Heimdal versions accepting a keyset argument to hdb_enctype2key.
  Jelmer Vernooij, 2012-05-07, 1 file, -0/+4

  Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
  Autobuild-Date: Mon May 7 18:33:10 CEST 2012 on sn-devel-104
* Make krb5 context initialization not heimdal specific
  Simo Sorce, 2012-04-23, 1 file, -1/+1

  Turn the logging data into an opaque pointer.
  Ifdef the code and use the MIT logging function when built against system MIT.
* Move kdc_get_policy helper in the lsa server where it belongs.
  Simo Sorce, 2012-04-20, 5 files, -94/+18

  This was used in only 2 places, db-glue.c and the lsa server. In db-glue.c it is awkward though, as it forces us to use an inconvenient lsa structure and conversions from time_t to nt_time only to have nt_times converted back to time_t for actual use. This is silly.

  Also the kdc-policy file was a single function library, that's just ridiculous. The loadparm helper is all we need to keep the values consistent, and if we ever end up doing something with group policies we will care about it when it's time; the code would have to change quite a lot anyway.

  Autobuild-User: Simo Sorce <idra@samba.org>
  Autobuild-Date: Fri Apr 20 01:53:37 CEST 2012 on sn-devel-104
* Use loadparm helper to find lifetime defaults
  Simo Sorce, 2012-04-19, 1 file, -6/+10

  Implicitly fixes buggy use of int for time_t.
* auth-krb: Move pac related util functions in a single place.
  Simo Sorce, 2012-04-12, 1 file, -0/+1

  Signed-off-by: Andreas Schneider <asn@samba.org>

* s4-auth-krb: Move function to db-glue.c and make it static.
  Simo Sorce, 2012-04-12, 1 file, -0/+21

  kerberos_enctype_to_bitmap is not used anywhere else, so just move it there and make it static; one less dependency to worry about.

  Signed-off-by: Andreas Schneider <asn@samba.org>
* Log short_princ instead of uninitialised filter.
  Michael Wood, 2012-01-21, 1 file, -5/+6

  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Sat Jan 21 13:06:35 CET 2012 on sn-devel-104

* auth/kerberos: Remove unused TALLOC_CTX argument to check_pac_checksum
  Andrew Bartlett, 2012-01-12, 1 file, -1/+1
* s4-kdc Do the KDC PAC checksum validation in the Samba plugin
  Andrew Bartlett, 2012-01-12, 6 files, -44/+152

  Here we can fetch the right key, and check if the PAC is likely to be signed by a key that we know.

  We cannot check the KDC signature on incoming trusts.

  Andrew Bartlett

* s4-kdc: use IDL constant NETLOGON_GENERIC_KRB5_PAC_VALIDATE
  Andrew Bartlett, 2012-01-12, 1 file, -1/+1

* s4-kdc: only build hdb plugin if we build against system Heimdal
  Andrew Bartlett, 2011-12-07, 1 file, -0/+1

  It is not safe to have a system kadmin use our plugin if we do not share the same libkrb5.

  Andrew Bartlett
* s4-kdc: Add hdb plugin for samba4, to allow kadmin to work
  Andrew Bartlett, 2011-11-30, 5 files, -40/+103

  This will help users who are used to the kadmin interface, and could be extended to import existing MIT or Heimdal keys into a Samba4 AD domain.

  To use, add to your krb5.conf:

      [kdc]
          database = {
              dbname = samba4:
          }

  or

      [kdc]
          database = {
              dbname = samba4:/usr/local/samba/etc/smb.conf
          }

  And copy hdb_samba4.so from PREFIX/modules/hdb to your Heimdal lib directory.

  Andrew Bartlett

  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Wed Nov 30 03:22:11 CET 2011 on sn-devel-104
* gensec: move event context from gensec_*_init() to gensec_update()
  Andrew Bartlett, 2011-10-18, 1 file, -1/+1

  This avoids keeping the event context around on the gensec_security context structure long term.

  In the Samba3 server, the event context we supply is a NULL pointer, as no server-side modules currently use the event context.

  Andrew Bartlett

  Signed-off-by: Stefan Metzmacher <metze@samba.org>

* pac: Fix wrong memory allocation check
  Simo Sorce, 2011-10-11, 1 file, -1/+1

  Autobuild-User: Simo Sorce <idra@samba.org>
  Autobuild-Date: Tue Oct 11 01:18:22 CEST 2011 on sn-devel-104
* s4-kdc: fixed handling of previous vs current trust password
  Andrew Tridgell, 2011-10-04, 1 file, -36/+77

  This sorts out the correct handling for the 'kvno=255' problem. Windows will use the previous trust password for 1 hour after a password set, and indicates that the previous password is being used by sending current_kvno-1. That maps to 255 if the trust password has not actually been changed, so the initial trust password is being used.

  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

* s4-kdc: don't look at global catalog NCs in the kdc
  Andrew Tridgell, 2011-10-04, 2 files, -16/+23

  The kdc should not be looking for users in GC partial replicas, as these users do not have all of the attributes needed for the KDC to operate.

  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

* s4-kdc: treat a kvno of 255 as unspecified
  Andrew Tridgell, 2011-10-04, 1 file, -1/+4

  Windows sometimes sends us a kvno of 255 for inter-domain trusts. We don't yet know why it does this, but it seems that we need to treat this as an unspecified kvno.

  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-kdc: set NO_GLOBAL_CATALOG control in kdc
  Andrew Tridgell, 2011-09-22, 1 file, -3/+5

  The kdc doesn't want to find users who are in partialReplica partitions, as they won't have the needed secret info for the kdc to operate. We need to generate referrals instead.

  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

* s4-kdc: default kvno for inter-domain trusts to zero
  Andrew Tridgell, 2011-09-19, 1 file, -1/+9

  The exact value doesn't matter, as both Samba and Windows check against the latest password, but the old default of -1 caused ASN.1 parsing errors on Windows, which prevented it answering TGS requests.

  Thanks to Hongwei Sun for finding this from a ttt trace.

  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

* s4-kdc: fixed subtree search in KDC
  Andrew Tridgell, 2011-08-25, 1 file, -1/+3

  Use ldb_get_default_basedn() with a subtree search.

  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* credentials: Rename library to samba-credentials to avoid name clashes.
  Jelmer Vernooij, 2011-08-18, 1 file, -5/+5

  Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
  Autobuild-Date: Thu Aug 18 22:16:38 CEST 2011 on sn-devel-104

* gensec: clarify memory ownership for gensec_session_info() and gensec_session_key()
  Andrew Bartlett, 2011-08-03, 1 file, -0/+1

  This is slightly less efficient, because we no longer keep a cache on the gensec structures, but much clearer in terms of memory ownership.

  Both gensec_session_info() and gensec_session_key() now take a mem_ctx and put the result only on that context.

  Some duplication of memory in the callers (who were rightly uncertain about who was the rightful owner of the returned memory) has been removed to compensate for the internal copy.

  Andrew Bartlett

* s4:kdc: fix compiler warning
  Stefan Metzmacher, 2011-08-02, 1 file, -1/+1

  metze

  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Tue Aug 2 06:06:15 CEST 2011 on sn-devel-104
* s4:kdc: canonicalize the principal if HDB_F_FOR_TGS_REQ is given
  Stefan Metzmacher, 2011-07-26, 1 file, -2/+7

  Windows seems to always canonicalize the principal in TGS replies.

  metze

  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Tue Jul 26 03:25:06 CEST 2011 on sn-devel-104

* s4:kdc: restore the behavior before the last heimdal import
  Stefan Metzmacher, 2011-07-20, 1 file, -8/+16

  metze

  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Wed Jul 20 12:12:38 CEST 2011 on sn-devel-104

* s4:kdc: set *_strongest_*_key to true to restore the old behavior
  Stefan Metzmacher, 2011-07-15, 1 file, -0/+13

  TODO: check why this is needed.

  metze

  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Fri Jul 15 12:26:25 CEST 2011 on sn-devel-104
* s4:kdc/mit_samba: disable mit_samba_check_s4u2proxy()
  Stefan Metzmacher, 2011-06-28, 1 file, -0/+9

  As mit_samba_update_pac_data() doesn't support adding S4U_DELEGATION_INFO to the pac (and I have no clue how to add that) we should disable S4U2Proxy until this is implemented.

  metze

  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Tue Jun 28 20:35:19 CEST 2011 on sn-devel-104

* s4:kdc: generate the S4U_DELEGATION_INFO in the regenerated pac
  Stefan Metzmacher, 2011-06-28, 4 files, -7/+155

  metze

* s4:kdc: use KRB5_WINDC_PLUGIN_MINOR define instead of KRB5_WINDC_PLUGING_MINOR
  Stefan Metzmacher, 2011-06-28, 1 file, -1/+1

  metze

* s4:kdc: implement samba_kdc_check_s4u2proxy()
  Stefan Metzmacher, 2011-06-24, 1 file, -0/+105

  metze
* Use tevent_req_oom
  Volker Lendecke, 2011-06-20, 1 file, -1/+1

  This fixes a few Coverity errors.

* libcli/util Rename common map_nt_error_from_unix to avoid duplicate symbol
  Andrew Bartlett, 2011-06-20, 1 file, -2/+2

  The two error tables need to be combined, but for now separate the names.

  (As the common parts of the tree now use the _common function, errmap_unix.c must be included in the s3 autoconf build.)

  Andrew Bartlett

  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Mon Jun 20 08:12:03 CEST 2011 on sn-devel-104

* s4-ipv6: update callers to load_interface_list()
  Andrew Tridgell, 2011-06-06, 1 file, -1/+1

* s4-ipv6: use iface_list_wildcard() to listen on IPv6
  Andrew Tridgell, 2011-06-06, 1 file, -12/+17

  When we need to listen on a wildcard address, we now listen on a list of sockets, usually 0.0.0.0 and ::.
* s4:kdc: split s4u2self and s4u2proxy checks
  Stefan Metzmacher, 2011-05-18, 4 files, -23/+55

  metze

* s4:kdc: UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION => flags.trusted_for_delegation
  Stefan Metzmacher, 2011-05-18, 1 file, -0/+14

  metze

* s4-interfaces Rename interfaces code so not to conflict with source3/
  Andrew Bartlett, 2011-05-08, 1 file, -4/+4

  The iface_count, iface_n_bcast, and load_interfaces functions conflicted with functions of the same name in source3, so the source4 functions were renamed.

  Hopefully we can actually wrap one around the other in future.

  Andrew Bartlett

* kdc: always ldb escape the realm
  Andrew Bartlett, 2011-04-05, 1 file, -1/+11
* lib/util/charset rename iconv_convenience to iconv_handle
  Andrew Bartlett, 2011-03-25, 1 file, -2/+2

  This better reflects what this structure is.

  Andrew Bartlett

* charcnv: removed the allow_badcharcnv and allow_bad_conv options to convert_string*()
  Andrew Tridgell, 2011-03-24, 1 file, -2/+2

  We shouldn't accept bad multi-byte strings; it just hides problems.

  Autobuild-User: Andrew Tridgell <tridge@samba.org>
  Autobuild-Date: Thu Mar 24 01:47:26 CET 2011 on sn-devel-104

* source4/kdc: Fix prototypes for all functions.
  Jelmer Vernooij, 2011-03-19, 6 files, -1/+13
* s4:kdc: split the kdc_tcp_proxy() logic from the main kdc logic
  Stefan Metzmacher, 2011-03-04, 3 files, -252/+303

  By having kdc_tcp_proxy_send/recv(), which just asks any writeable dc for a response blob, we simplify the interaction between client-local and local-writeable sockets.

  This allows us to make kdc_socket, kdc_process_fn_t, kdc_tcp_call and kdc_tcp_socket private to kdc.c again.

  metze

* s4:kdc: split the kdc_udp_proxy() logic from the main kdc logic
  Stefan Metzmacher, 2011-03-04, 3 files, -207/+231

  By having kdc_udp_proxy_send/recv(), which just asks any writeable dc for a response blob, we simplify the interaction between client-local and local-writeable sockets.

  This allows us to make kdc_udp_call and kdc_udp_socket private to kdc.c again.

  metze

* s4:kdc: add a kdc_proxy_unavailable_error() helper function
  Stefan Metzmacher, 2011-03-04, 1 file, -0/+24

  metze
* s4:kdc: fix calculation of the rodc kvno
  Stefan Metzmacher, 2011-03-04, 1 file, -4/+12

  Bit shifting is non-trivial in C :-)

  This

      int32_t a = 0x12340000;
      uint32_t b = (a >> 16);

  results in 0x00001234, but this

      int32_t a = 0xEDCB0000;
      uint32_t b = (a >> 16);

  results in 0xFFFFEDCB, while we expected 0x0000EDCB.

  metze