path: root/source4/kdc
Commit message | Author | Age | Files | Lines
...
* s4-auth: rename 'auth' subsystem to 'auth4' | Andrew Tridgell | 2011-02-18 | 1 | -5/+5
  this prevents conflicts with the s3 auth modules. The auth modules in samba3 may appear in production smb.conf files, so it is preferable to rename the s4 modules for minimal disruption.
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* ldb: use #include <ldb.h> for ldb | Andrew Tridgell | 2011-02-10 | 1 | -1/+1
  this ensures we are using the header corresponding to the version of ldb we're linking against. Otherwise we could use the system ldb for link and the in-tree one for include
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-auth Rework auth subsystem to remove struct auth_serversupplied_info | Andrew Bartlett | 2011-02-09 | 2 | -15/+16
  This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is maintained into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results.
  Andrew Bartlett
* mit-samba: Allow nesting on the event context | Simo Sorce | 2011-02-07 | 1 | -0/+3
  This context is used in ldb, and ldb modules apparently abort if nesting is not allowed.
  Autobuild-User: Simo Sorce <idra@samba.org>
  Autobuild-Date: Mon Feb 7 20:58:02 CET 2011 on sn-devel-104
* s4-kdc: don't ask for an extended DN for krbtgt_dn | Andrew Tridgell | 2011-01-14 | 1 | -1/+1
  otherwise msg->dn would be non-minimal and would fail in searches
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* Typo fix in KDC parameters. | Brad Hards | 2010-12-24 | 1 | -3/+3
  Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
  Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
  Autobuild-Date: Fri Dec 24 12:09:00 CET 2010 on sn-devel-104
* s4:kdc/*.c - minimise includes | Matthias Dieter Wallnöfer | 2010-12-12 | 8 | -44/+2
  Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
  Autobuild-Date: Sun Dec 12 15:20:46 CET 2010 on sn-devel-104
* s4:kdc/proxy.c - optimise includes in order to fix a build warning on Tru64 | Matthias Dieter Wallnöfer | 2010-12-12 | 1 | -6/+1
* s4:kdc/kpasswdd.c - don't return an uninitialised NT_STATUS | Matthias Dieter Wallnöfer | 2010-12-12 | 1 | -2/+1
  Discovered by Tru64 build
* s4-lsa Implement kerberos ticket life policy | Andrew Bartlett | 2010-12-09 | 5 | -3/+108
  We now no longer print tickets with a potentially infinite life, and we report the same life over LSA as we use in the KDC. We should get this from group policy, but for now it's parametric smb.conf options.
  Andrew Bartlett
* s4:kdc/kpasswdd.c - fix memory leaks | Matthias Dieter Wallnöfer | 2010-12-04 | 1 | -2/+15
* s4/kdc - fix a warning regarding a changed parameter type (kvno) | Matthias Dieter Wallnöfer | 2010-12-03 | 3 | -3/+3
  Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
  Autobuild-Date: Fri Dec 3 23:56:15 CET 2010 on sn-devel-104
* s4:heimdal: import lorikeet-heimdal-201012010201 (commit 81fe27bcc0148d410ca4617f8759b9df1a5e935c) | Andrew Bartlett | 2010-12-01 | 2 | -21/+6
* s4-loadparm: use loadparm_init_global() instead of loadparm_init() | Andrew Tridgell | 2010-11-29 | 1 | -1/+1
  this prevents us having two lp_ctx contexts in these tools which leads to bizarre behaviour
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-kdc Rework supported encryption type logic to match Microsoft | Andrew Bartlett | 2010-11-16 | 1 | -37/+16
  Thanks to Hongwei Sun for the clear description of the algorithm involved. Importantly, it isn't possible to remove encryption types from the list, only to add them over the defaults (DES and arcfour-hmac-md5, and additional AES for DCs and RODCs). This changes the behaviour for entries with msDS-supportedEncryptionTypes: 0, which Angelos Oikonomopoulos reported finding set by ADUC when attempting to store cleartext passwords.
  Andrew Bartlett
  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Tue Nov 16 21:24:43 UTC 2010 on sn-devel-104
* s4-kdc Fix the realm handling again, this time pay attention to the flags | Andrew Bartlett | 2010-11-16 | 1 | -20/+20
  The KDC sets different flags for the AS-REQ (this is client-dependent) and the TGS-REQ to determine if the realm should be forced to the canonical value. If we do this always, or do this never, we get into trouble, so it's much better to honour the flags we are given.
  Andrew Bartlett
* s4-kdc use 'flags' to only create the 'admin data' elements when requested | Andrew Bartlett | 2010-11-16 | 1 | -15/+19
  This avoids setting these values when the caller simply does not care
  Andrew Bartlett
* s4-kdc Add 'flags' parameter to db fetch calls | Andrew Bartlett | 2010-11-16 | 1 | -8/+35
  This will allow these calls to honour the flags passed in from the KDC
  Andrew Bartlett
* s4-kdc Don't regenerate the PAC for cross-realm tickets | Andrew Bartlett | 2010-11-15 | 1 | -0/+3
  We should never get a cross-realm ticket that was not issued by a full DC, but if someone claims to have such a thing, reject it rather than segfaulting on the NULL client pointer.
  Andrew Bartlett
  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Mon Nov 15 23:59:34 UTC 2010 on sn-devel-104
* s4-kdc Don't always regenerate the PAC | Andrew Bartlett | 2010-11-15 | 1 | -2/+4
  The PAC was being regenerated on all normal DCs, because they don't have a msDS-SecondaryKrbTgtNumber attribute. Instead we need to check if it's set and not equal to our RODC number, allowing RODCs to trust the full DCs and itself, but not other RODCs.
  Andrew Bartlett
* s4-kdc Fix realm handling in our KDC | Andrew Bartlett | 2010-11-15 | 1 | -38/+6
  we should reset the realm part of the principal, but not the lowercase realm embedded in the 'krbtgt/realm@REALM'.
  Andrew Bartlett
* kdc: Build as shared module by default. | Jelmer Vernooij | 2010-11-15 | 1 | -0/+1
* s4-kdc update startup routines after heimdal update | Andrew Bartlett | 2010-11-15 | 1 | -1/+13
  We should check the errors from krb5_kdc_windc_init and we now need to additionally run krb5_kdc_pkinit_config()
  Andrew Bartlett
* s4-kdc Remove use of heimdal private headers in kpasswd server. | Andrew Bartlett | 2010-11-15 | 1 | -16/+3
  This remains an abuse, because it relies on setting into the krb5_principal structure, but at least it causes less trouble for the server.
  Andrew Bartlett
* s4-kdc: if "bind interfaces only" is false, then also listen on wildcard | Andrew Tridgell | 2010-11-15 | 1 | -20/+44
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User: Andrew Tridgell <tridge@samba.org>
  Autobuild-Date: Mon Nov 15 00:13:59 UTC 2010 on sn-devel-104
* Build wrepl server as service by default. | Jelmer Vernooij | 2010-11-14 | 1 | -1/+1
* s4-kdc: added proxying of kdc requests for RODCs | Andrew Tridgell | 2010-11-12 | 5 | -66/+782
  when we are an RODC and we get a request for a principal that we don't have the right secrets for, we need to proxy the request to a writeable DC. This happens for both TCP and UDP requests, for both krb5 and kpasswd
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User: Andrew Tridgell <tridge@samba.org>
  Autobuild-Date: Fri Nov 12 08:03:20 UTC 2010 on sn-devel-104
* s4-kdc Return HDB_ERR_NOT_FOUND_HERE on un-revealed accounts on an RODC | Andrew Bartlett | 2010-11-12 | 1 | -1/+7
  This means that when we are an RODC, and an account does not have the password attributes, we can now indicate to the kdc code that it should forward the request to a real DC. (The proxy code itself is not in this commit).
  Andrew Bartlett
* s4-kdc: split the kdc process return into a tri-state | Andrew Tridgell | 2010-11-12 | 3 | -53/+59
  this is in preparation for doing forwarding of packets for RODCs
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-kdc: we don't need the special include handling now | Andrew Tridgell | 2010-11-12 | 1 | -6/+0
  the special handling was to cope with the conflict with the kdc.h header
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-kdc: rename kdc/kdc.h to kdc/kdc-glue.h | Andrew Tridgell | 2010-11-12 | 6 | -5/+5
  kdc.h conflicts with a heimdal header name
* credentials: Lowercase library name, | Jelmer Vernooij | 2010-11-07 | 1 | -9/+9
  Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
  Autobuild-Date: Sun Nov 7 01:48:44 UTC 2010 on sn-devel-104
* s4: Remove the old perl/m4/make/mk-based build system. | Jelmer Vernooij | 2010-10-31 | 2 | -88/+0
  The new waf-based build system now has all the same functionality, and the old build system has been broken for quite some time.
  Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
  Autobuild-Date: Sun Oct 31 02:01:44 UTC 2010 on sn-devel-104
* s4-smbd: don't initialise process models more than once | Andrew Tridgell | 2010-10-30 | 1 | -1/+1
  this also removes the event_context parameter from process model initialisation. It isn't needed, and is confusing when a process model init can be called from more than one place, possibly with different event contexts.
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* s4-kdc: create a 'pac' private grouping library | Andrew Tridgell | 2010-10-30 | 1 | -0/+6
  this removes the final case where we have an object file linked into two libraries
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* waf: Stop automatically changing dashes to underscores in library names. | Jelmer Vernooij | 2010-10-26 | 1 | -9/+9
* waf: Remove lib prefix from libraries manually. | Jelmer Vernooij | 2010-10-26 | 1 | -6/+6
* s4: Rename DB_GLUE to db_glue. | Jelmer Vernooij | 2010-10-24 | 1 | -4/+4
* s4: Rename LIBSAMBA-* to libsamba-* | Jelmer Vernooij | 2010-10-24 | 1 | -6/+6
* s4-kdc: make DB_GLUE a private library | Andrew Tridgell | 2010-10-21 | 1 | -2/+3
* s4:"util_ldb" - remove some really unused dependencies | Matthias Dieter Wallnöfer | 2010-10-18 | 1 | -1/+0
* Revert "s4:remove "util_ldb" submodule and integrate the three gendb_* calls in "dsdb/common/util.c"" | Matthias Dieter Wallnöfer | 2010-10-17 | 2 | -0/+2
  This reverts commit 8a2ce5c47cee499f90b125ebde83de5f9f1a9aa0. Jelmer pointed out that these are also in use by other LDB databases - not only SAMDB ones.
  Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
  Autobuild-Date: Sun Oct 17 13:37:16 UTC 2010 on sn-devel-104
* s4:remove "util_ldb" submodule and integrate the three gendb_* calls in "dsdb/common/util.c" | Matthias Dieter Wallnöfer | 2010-10-17 | 2 | -2/+0
  They're only in use by SAMDB code.
  Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
  Autobuild-Date: Sun Oct 17 09:40:13 UTC 2010 on sn-devel-104
* s4-credentials Add explicit event context handling to Kerberos calls (only) | Andrew Bartlett | 2010-10-11 | 1 | -1/+1
  By setting the event context to use for this operation (only) onto the krb5_context just before we call that operation, we can try and emulate the specification of an event context to the actual send_to_kdc()
  This eliminates the specification of an event context to many other cli_credentials calls, and the last use of event_context_find()
  Special care is taken to restore the event context in the event of nesting in the send_to_kdc function.
  Andrew Bartlett
* s4-kerberos Remove unused parameter | Andrew Bartlett | 2010-10-11 | 1 | -1/+0
* kdc: Add missing dependency on samba_gensec_server. | Jelmer Vernooij | 2010-10-11 | 1 | -1/+1
* samdb: Add flags argument to samdb_connect(). | Jelmer Vernooij | 2010-10-10 | 2 | -4/+4
* s4:kdc - use "userAccountControl" always unsigned | Matthias Dieter Wallnöfer | 2010-10-05 | 2 | -4/+4
  It doesn't change much but it's nicer to have it consistent.
* Add missing dependencies for com_err. | Jelmer Vernooij | 2010-10-05 | 1 | -9/+9
* heimdal: Fix name of kdc library. | Jelmer Vernooij | 2010-10-05 | 1 | -1/+1