Stefan Metzmacher [Fri, 15 Jul 2011 06:44:53 +0000 (08:44 +0200)]
kdc: fix comparison between krb5uint32 and (unsigned int)
We don't need a cast in that case.
Before commit
1124c4872dfb81bec9c4b527b8927ca35e39a599
(KVNOs are krb5uint32 in RFC4120, make it so),
we compared krb5int32 cast to size_t with unsigned int,
which resulted in the following problem:
Casting krb5int32 to (size_t) is wrong, as sizeof(int)==4 != sizeof(size_t)==8.
If you cast negative int values to size_t you'll get this:
int ival = -5000; // 0xFFFFEC78
size_t sval = (size_t)ival; // this will be 0xFFFFFFFFFFFFEC78
So we better compare while casting to (unsigned int).
This is important for Active Directory RODC support,
which adds a random number into the higher 16-bits of the
32-bit kvno value.
metze
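The cast problem this commit describes, as an added example (not Heimdal code, and not part of the original log): a signed 32-bit kvno widened to size_t on an LP64 platform sign-extends, while the unsigned int it is compared against zero-extends, so a kvno with its top bit set never matches. Comparing at unsigned int width does not have that problem. The krb5int32/krb5uint32 typedefs, the make_rodc_kvno() helper and its "upper 16 bits" layout are assumptions made for illustration.

```c
/*
 * Added example, not Heimdal code. Shows why `(size_t)signed_kvno == unsigned_kvno`
 * fails for kvnos with the high bit set (e.g. RODC-style kvnos carrying extra
 * bits in the upper 16 bits) and why `(unsigned int)signed_kvno == unsigned_kvno`
 * works.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <inttypes.h>
#include <stdio.h>

/* Stand-ins for Heimdal's krb5int32 / krb5uint32 typedefs (assumption). */
typedef int32_t  krb5int32;
typedef uint32_t krb5uint32;

/* Pre-fix shape of the comparison: signed kvno widened to size_t.
 * On LP64, -5000 becomes 0xFFFFFFFFFFFFEC78 while the unsigned int side
 * becomes 0x00000000FFFFEC78, so the two never compare equal. */
int kvno_matches_buggy(krb5int32 stored, unsigned int requested)
{
    return (size_t)stored == requested;
}

/* Post-fix shape: both operands compared at 32-bit width. */
int kvno_matches_fixed(krb5int32 stored, unsigned int requested)
{
    return (unsigned int)stored == requested;
}

/* Hypothetical helper: a kvno with an arbitrary value in the upper 16 bits
 * and the ordinary kvno in the low 16 bits. The layout is an assumption. */
krb5uint32 make_rodc_kvno(uint16_t high, uint16_t low)
{
    return ((krb5uint32)high << 16) | low;
}

/* Reinterpret the 32-bit kvno as signed without relying on
 * implementation-defined conversion (memcpy keeps the bit pattern). */
krb5int32 kvno_as_signed(krb5uint32 kvno)
{
    krb5int32 s;
    memcpy(&s, &kvno, sizeof s);
    return s;
}

/* Whether the buggy comparison is actually observable on this platform. */
int size_t_is_wider_than_int(void)
{
    return sizeof(size_t) > sizeof(unsigned int);
}

int main(void)
{
    krb5uint32 kvno = make_rodc_kvno(0xFFFF, 0xEC78); /* 0xFFFFEC78 */
    krb5int32 as_signed = kvno_as_signed(kvno);       /* -5000 */

    printf("kvno 0x%08" PRIx32 " as krb5int32: %" PRId32 "\n", kvno, as_signed);
    printf("size_t wider than int: %d\n", size_t_is_wider_than_int());
    printf("buggy match: %d, fixed match: %d\n",
           kvno_matches_buggy(as_signed, kvno),
           kvno_matches_fixed(as_signed, kvno));
    return 0;
}
```

On a 32-bit build size_t and unsigned int have the same width, so the "buggy" form happens to work there; the failure only shows up on LP64 hosts, which is why size_t_is_wider_than_int() is reported alongside the results.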
Stefan Metzmacher [Mon, 25 Jul 2011 06:34:13 +0000 (08:34 +0200)]
kuser/kinit: make it possible to use --windows option on its own
metze
Andrew Bartlett [Tue, 16 Nov 2010 04:05:33 +0000 (15:05 +1100)]
kdc: Build ticket with the canonical server name
We need to use the name that the HDB entry returned, otherwise we
will not canonicalise the reply if requested.
Andrew Bartlett
Stefan Metzmacher [Mon, 25 Jul 2011 07:39:43 +0000 (09:39 +0200)]
kdc: pass down HDB_F_FOR_AS_REQ and HDB_F_FOR_TGS_REQ to the hdb layer
metze
Stefan Metzmacher [Mon, 25 Jul 2011 07:36:41 +0000 (09:36 +0200)]
lib/hdb: add HDB_F_FOR_AS_REQ and HDB_F_FOR_TGS_REQ flags
This will be used to indicate to the backend if a fetch is for
an AS REQ or TGS REQ. Samba needs to take some action in the
HDB_F_FOR_TGS_REQ case and always canonicalize the principal
names, even without HDB_F_CANON.
metze
Stefan Metzmacher [Sun, 24 Jul 2011 18:55:36 +0000 (20:55 +0200)]
kdc: only pass HDB_F_CANON if the client specified b->kdc_options.canonicalize
metze
Stefan Metzmacher [Mon, 25 Jul 2011 07:23:52 +0000 (09:23 +0200)]
lib/krb5: windows KDCs always return the canonicalized server principal
Is there a better way to handle this?
metze
Stefan Metzmacher [Fri, 22 Aug 2008 09:45:26 +0000 (11:45 +0200)]
HACK: Netbios Domain as Realm
This is really an ugly hack, to support using the Netbios Domain Name
as realm against Windows KDCs; they always return the full realm
based on the DNS Name.
metze
Jelmer Vernooij [Tue, 21 Dec 2010 14:17:30 +0000 (15:17 +0100)]
lorikeet-heimdal: remove obsolete script for importing from svn.
Andrew Tridgell [Wed, 1 Dec 2010 02:00:08 +0000 (13:00 +1100)]
lorikeet-heimdal: Add a new script to help merging patches from Samba4 to heimdal
Stefan Metzmacher [Thu, 14 Jul 2011 14:24:37 +0000 (16:24 +0200)]
lorikeet-heimdal: improve import-lorikeet.sh for the toplevel build
metze
Andrew Bartlett [Tue, 30 Nov 2010 23:54:49 +0000 (10:54 +1100)]
lorikeet-heimdal: Improve the heimdal import scripts
Stefan Metzmacher [Fri, 27 Mar 2009 06:31:11 +0000 (07:31 +0100)]
lorikeet-heimdal: add scripts to rebase and import the latest version into samba4
If you use these scripts, read them! :-)
metze
Stefan Metzmacher [Fri, 22 Aug 2008 09:58:18 +0000 (11:58 +0200)]
lorikeet-heimdal: add wrap_ex_ntlm.diff from abartlet
metze
Stefan Metzmacher [Fri, 22 Aug 2008 09:57:36 +0000 (11:57 +0200)]
lorikeet-heimdal: add IMPORT-HEIMDAL.sh
I think this can be removed...
metze
Stefan Metzmacher [Fri, 22 Aug 2008 09:57:06 +0000 (11:57 +0200)]
lorikeet-heimdal: add HEIMDAL-LICENCE.txt
metze
Stefan Metzmacher [Fri, 22 Aug 2008 09:43:50 +0000 (11:43 +0200)]
lorikeet-heimdal: camellia-ntt GPLv2+ license
metze
Stefan Metzmacher [Fri, 22 Aug 2008 09:42:21 +0000 (11:42 +0200)]
lorikeet-heimdal: autogen.sh modifications
metze
Love Hörnquist Åstrand [Mon, 25 Jul 2011 03:23:30 +0000 (20:23 -0700)]
Only free ext on replace
Love Hörnquist Åstrand [Mon, 25 Jul 2011 03:05:05 +0000 (20:05 -0700)]
remove used variables
Love Hörnquist Åstrand [Mon, 25 Jul 2011 03:04:02 +0000 (20:04 -0700)]
update (c)
Love Hörnquist Åstrand [Mon, 25 Jul 2011 03:02:10 +0000 (20:02 -0700)]
start to use KRB5_ENCTYPE_
Love Hörnquist Åstrand [Mon, 25 Jul 2011 02:48:52 +0000 (19:48 -0700)]
compiler warning
Love Hörnquist Åstrand [Mon, 25 Jul 2011 01:14:25 +0000 (18:14 -0700)]
use add_HDB_Ext_KeySet and plug memory leak
Love Hörnquist Åstrand [Mon, 25 Jul 2011 01:08:52 +0000 (18:08 -0700)]
drop dependency
Love Hörnquist Åstrand [Mon, 25 Jul 2011 01:06:33 +0000 (18:06 -0700)]
drop dependency since we need the autoconf to overwrite this
Love Hörnquist Åstrand [Sun, 24 Jul 2011 23:15:06 +0000 (16:15 -0700)]
expore more
Love Hörnquist Åstrand [Sun, 24 Jul 2011 23:02:22 +0000 (16:02 -0700)]
switch to KRB5_ENCTYPE
Love Hörnquist Åstrand [Sun, 24 Jul 2011 22:46:11 +0000 (15:46 -0700)]
fix compile warning
Love Hörnquist Åstrand [Sun, 24 Jul 2011 22:41:36 +0000 (15:41 -0700)]
Merge pull request #12 from nicowilliams/krb5_admin_patches_2nd
Krb5 admin patches 2nd
This has all the patches needed for krb5_admind to build and pass most tests, that includes:
- more kadm5 API compatibility (including very basic profile functionality)
- multi-kvno support (useful for key rollovers) (a test for this is included in tests/db/check-kdc)
Unfinished:
- password history (currently uses key history, needs to be separated and use digests)
- policies (only default policy allowed)
- mit kdb changes not tested yet
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
Love Hörnquist Åstrand [Sun, 24 Jul 2011 21:23:45 +0000 (14:23 -0700)]
KVNOs are krb5uint32 in RFC4120, make it so
Love Hörnquist Åstrand [Sun, 24 Jul 2011 21:09:23 +0000 (14:09 -0700)]
fix warning
Linus Nordberg [Wed, 20 Jul 2011 22:38:36 +0000 (00:38 +0200)]
Add version-script.map to _DEPENDENCIES.
Added to 11 out of 14 directories with map files. Not lib/ntlm,
lib/hcrypto and kdc, which have the map file as an explicit dependency
of _OBJECTS.
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
Love Hörnquist Åstrand [Sun, 24 Jul 2011 21:03:08 +0000 (14:03 -0700)]
partly unify enctype/keytype since there is only enctypes
Love Hörnquist Åstrand [Sun, 24 Jul 2011 21:00:23 +0000 (14:00 -0700)]
add an invalid protection level to the enum
Love Hörnquist Åstrand [Sun, 24 Jul 2011 20:07:07 +0000 (13:07 -0700)]
cast to avoid size_t vs int issue
Love Hörnquist Åstrand [Sun, 24 Jul 2011 20:00:36 +0000 (13:00 -0700)]
switch order of type and GSSAPI_LIB_VARIABLE
Love Hörnquist Åstrand [Sun, 24 Jul 2011 19:47:55 +0000 (12:47 -0700)]
fixup type for GSS_C_ATTR_LOCAL_LOGIN_USER
Love Hörnquist Åstrand [Sun, 24 Jul 2011 19:34:51 +0000 (12:34 -0700)]
make sure keylen is a multiple of 2
Andrew Bartlett [Sat, 16 Apr 2011 05:44:23 +0000 (15:44 +1000)]
lib/krb5: Allow any kvno to match when searching the keytab.
Windows does not use a KVNO when it checks its passwords, and MIT
doesn't check the KVNO when no acceptor identity is specified (looping
over all keys in the keytab).
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
Love Hörnquist Åstrand [Sun, 24 Jul 2011 17:33:28 +0000 (10:33 -0700)]
switch to use use_strongest_server_key
use the same behavior as the 1.4 release.
Marc Balmer [Sun, 24 Jul 2011 17:29:47 +0000 (10:29 -0700)]
Typo
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
Nicolas Williams [Sun, 24 Jul 2011 16:10:37 +0000 (11:10 -0500)]
Use heim_assert() instead of assert()
Nicolas Williams [Sun, 24 Jul 2011 16:08:58 +0000 (11:08 -0500)]
Protect against negative n_ks_tuple values and against randkey returning negative n_keys
Nicolas Williams [Sun, 24 Jul 2011 16:07:27 +0000 (11:07 -0500)]
s/assert/heim_assert/ and remove dead code
Love Hörnquist Åstrand [Sat, 23 Jul 2011 19:08:37 +0000 (12:08 -0700)]
1.5.99
Love Hörnquist Åstrand [Sat, 23 Jul 2011 19:06:01 +0000 (12:06 -0700)]
check for NULL as argument to krb5_{prepend,set}_error_message functions
Love Hörnquist Åstrand [Sat, 23 Jul 2011 18:59:06 +0000 (11:59 -0700)]
update to match plugin abi
Stefan Metzmacher [Tue, 28 Jun 2011 11:24:50 +0000 (13:24 +0200)]
kdc: pass down the delegated_proxy_principal to the verify_pac() function
This is needed in order to add the S4U_DELEGATION_INFO to the pac.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
Stefan Metzmacher [Tue, 28 Jun 2011 11:07:42 +0000 (13:07 +0200)]
kdc/windc_plugin.h: KRB5_WINDC_PLUGIN_MINOR 4 => 5
commit "heimdal Add support for extracting a particular KVNO from the database"
(f469fc6d4922d796f5c61bf43e3efc018e37b680 in heimdal/master and
9b5e304ccedc8f0f7ce2342e4d9c621417dd1c1e in samba/master)
changed the windc_plugin interface, so we need to change the
version number.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
Stefan Metzmacher [Fri, 24 Jun 2011 10:40:33 +0000 (12:40 +0200)]
kdc: don't allow self delegation if a backend check_constrained_delegation() hook is given
A service should use S4U2Self instead of S4U2Proxy.
Windows servers allow S4U2Proxy only to explicitly configured
target principals.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
Stefan Metzmacher [Fri, 24 Jun 2011 09:53:37 +0000 (11:53 +0200)]
kdc: pass down the server hdb_entry_ex to check_constrained_delegation()
This way we can compare the already canonicalized principals,
while still passing the client specified target principal down
to the backend specific constrained_delegation() hook.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
Stefan Metzmacher [Fri, 24 Jun 2011 09:08:33 +0000 (11:08 +0200)]
kdc: use the correct client realm in the EncTicketPart
With S4U2Proxy tgt->crealm might be different from tgt_name->realm.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
Love Hörnquist Åstrand [Sat, 23 Jul 2011 18:44:42 +0000 (11:44 -0700)]
better logging
Love Hörnquist Åstrand [Sat, 23 Jul 2011 18:18:21 +0000 (11:18 -0700)]
sprinkle more windows files
Jelmer Vernooij [Fri, 22 Jul 2011 12:19:34 +0000 (14:19 +0200)]
cf: Also enable pthreads on Linux 3.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Nicolas Williams [Sat, 23 Jul 2011 02:07:48 +0000 (21:07 -0500)]
Make kadm5_lock() and unlock work, and add kadmin commands for them.
The libkadm5 functions call hdb_open() and hdb_close() around all HDB ops. This
meant the previous implementation of kadm5_lock() and unlock would
always result in a core dump. Now we hdb_open() for write in
kadm5_lock() and hdb_close() in kadm5_unlock(), with all kadm5_s_*()
functions now not opening nor closing the HDB when the server context
keep_open flag is set.
Also, there are now kadmin(8) lock and unlock commands. These are there
primarily as a way to test the kadm5_lock()/unlock() operations, but
MIT's kadmin.local also has lock/unlock commands, and these can be
useful for scripting (though they require much care).
Nicolas Williams [Fri, 22 Jul 2011 21:18:44 +0000 (16:18 -0500)]
Fix from Roland Dowdeswell -- kadm5_setkey_principal() has to rev kvno earlier
Nicolas Williams [Thu, 21 Jul 2011 22:39:53 +0000 (17:39 -0500)]
Fixes for updates of KADM5_KVNO but not KEY_DATA and vice-versa.
It turns out that updates of kvno but not key data and vice-versa are
both allowed and actually done (e.g., in kadmin's ank). Doing the right
thing in these cases turns out to be a bit tricky, but this commit ought
to do it.
Nicolas Williams [Thu, 21 Jul 2011 20:39:22 +0000 (15:39 -0500)]
add_enctype needs to set the kvno of the keys it adds!
add_enctype() was not fetching the kvno of the principal it was
modifying, and it was not setting the kvno of the new keys (instead it
set it to 0). This worked fine before multi-kvno, but broke then. The
fix is to fetch the kvno and set the new keys' kvno to that.
I'm thinking of adding a new kadmin command to prune old kvnos by date
or kvno differential...
Nicolas Williams [Thu, 21 Jul 2011 20:38:49 +0000 (15:38 -0500)]
Test multi-kvno support in kadmin and KDC (part 1).
Nicolas Williams [Thu, 21 Jul 2011 20:26:50 +0000 (15:26 -0500)]
Preserve set_time on historic keysets in kadm5_s_modify_principal() path.
Nicolas Williams [Thu, 21 Jul 2011 15:32:29 +0000 (10:32 -0500)]
Two mods from Roland to make kadm5_setkey_principal_3() work.
Nicolas Williams [Wed, 20 Jul 2011 23:54:29 +0000 (18:54 -0500)]
Two patches from Roland Dowdeswell to make n_keys/new_keys args optional.
Nicolas Williams [Wed, 20 Jul 2011 22:45:14 +0000 (17:45 -0500)]
Re-write _kadm5_set_keys2() to handle key history.
Nicolas Williams [Wed, 20 Jul 2011 22:44:27 +0000 (17:44 -0500)]
Introduce Keys ::= SEQUENCE OF Key in hdb.asn1 so we can get convenience utils.
Nicolas Williams [Wed, 20 Jul 2011 19:57:27 +0000 (14:57 -0500)]
Another HDB_F_DECRYPT-isn't-critical fix.
Nicolas Williams [Wed, 20 Jul 2011 05:49:01 +0000 (00:49 -0500)]
Oops, HDB_F_DECRYPT isn't critical; making it so breaks tests.
Nicolas Williams [Wed, 20 Jul 2011 05:01:53 +0000 (00:01 -0500)]
Fix warnings.
Nicolas Williams [Wed, 20 Jul 2011 02:14:15 +0000 (21:14 -0500)]
Fix a double free in ank.c.
Nicolas Williams [Wed, 20 Jul 2011 00:42:09 +0000 (19:42 -0500)]
Make the KDC path work.
Nicolas Williams [Wed, 20 Jul 2011 00:41:02 +0000 (19:41 -0500)]
How on earth did this build breaking thinko get through?
Nicolas Williams [Tue, 19 Jul 2011 19:19:38 +0000 (14:19 -0500)]
Fixed a likely bug in modify_principal() where the memset() of ent happens after early error checking.
Nicolas Williams [Tue, 19 Jul 2011 19:18:54 +0000 (14:18 -0500)]
Remove policy name checking against krb5.conf code.
Nicolas Williams [Tue, 19 Jul 2011 19:01:56 +0000 (14:01 -0500)]
Add missing KADM5_AUTH_GET_KEYS error and use it.
Nicolas Williams [Tue, 19 Jul 2011 18:41:36 +0000 (13:41 -0500)]
Updated kadmind.8 and kadmin.8.
Nicolas Williams [Tue, 19 Jul 2011 17:54:49 +0000 (12:54 -0500)]
Add comment and assert about key history to kadm5_log_replay_modify()
Nicolas Williams [Tue, 19 Jul 2011 17:34:38 +0000 (12:34 -0500)]
Fix incorrect key history check optimization. (NOT TESTED)
Nicolas Williams [Tue, 19 Jul 2011 17:34:06 +0000 (12:34 -0500)]
Avoid useless work related to keepold.
Nicolas Williams [Tue, 19 Jul 2011 15:05:30 +0000 (10:05 -0500)]
Forgot to export the kadm5 policy functions.
Nicolas Williams [Tue, 19 Jul 2011 06:30:42 +0000 (01:30 -0500)]
More s/int/size_t/ for iterators. Also fixed a stupid bug.
Nicolas Williams [Tue, 19 Jul 2011 05:41:23 +0000 (00:41 -0500)]
Add default to policy prompt and fix harmless bug in edit_policy()
Nicolas Williams [Tue, 19 Jul 2011 05:31:39 +0000 (00:31 -0500)]
Re-fix an earlier mistake that fell out in a branch switcheroo.
Nicolas Williams [Tue, 19 Jul 2011 05:21:30 +0000 (00:21 -0500)]
Complete --keepold support and fix crasher in kadmin cpw -r --keepold.
Nicolas Williams [Tue, 19 Jul 2011 04:35:58 +0000 (23:35 -0500)]
Oops, reverse sense of get-keys check...
Nicolas Williams [Tue, 19 Jul 2011 04:15:59 +0000 (23:15 -0500)]
Forgot to save edits to kadmin/server.c to use the new get-keys authorization.
Nicolas Williams [Tue, 19 Jul 2011 04:15:33 +0000 (23:15 -0500)]
Forgot to export kadm5_store_principal_ent_nokeys().
Nicolas Williams [Tue, 19 Jul 2011 03:51:33 +0000 (22:51 -0500)]
Fix policy validation bug (parse_policy() should return success when the policy name is OK!)
Nicolas Williams [Tue, 19 Jul 2011 03:50:59 +0000 (22:50 -0500)]
create_principal() must memset(ent, 0, ...) before ever returning (fixes core dump)
Nicolas Williams [Tue, 19 Jul 2011 03:49:50 +0000 (22:49 -0500)]
Undo a s/size_t/int/. Iterators must be unsigned.
Nicolas Williams [Tue, 19 Jul 2011 03:49:20 +0000 (22:49 -0500)]
Ooops! Mind those tags when re-ordering ASN.1 SEQUENCEs! (hdb_keyset)
Nicolas Williams [Mon, 18 Jul 2011 23:37:51 +0000 (18:37 -0500)]
Export the new kadm5 functions.
Nicolas Williams [Mon, 18 Jul 2011 20:46:04 +0000 (15:46 -0500)]
Add --keepold option to cpw.
Nicolas Williams [Mon, 18 Jul 2011 06:13:43 +0000 (01:13 -0500)]
Duh, act on keepold in randkey!
Nicolas Williams [Mon, 18 Jul 2011 20:40:59 +0000 (15:40 -0500)]
Trivial policy bug fix.
Nicolas Williams [Mon, 18 Jul 2011 20:45:15 +0000 (15:45 -0500)]
Fixed dumb bug that caused keys to not accumulate in history.
Nicolas Williams [Mon, 18 Jul 2011 20:38:16 +0000 (15:38 -0500)]
Make changes to hdb_keyset type be backward-compatible.
Nicolas Williams [Mon, 18 Jul 2011 20:39:41 +0000 (15:39 -0500)]
Forgot a file for the hdb_keyset backwards-compat extension.
Nicolas Williams [Sun, 17 Jul 2011 23:49:34 +0000 (18:49 -0500)]
More kadmin support for kvno diff policy.
Nicolas Williams [Sun, 17 Jul 2011 20:28:06 +0000 (15:28 -0500)]
Changed lib/hdb/Makefile.am to use --sequence=HDB-Ext-KeySet