summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* s4:kdc: Add support for constructed claims (for authentication silos)HEADmasterJoseph Sutton2023-05-183-2/+184
| | | | | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu May 18 01:58:24 UTC 2023 on atb-devel-224
* s4:kdc: Make use of dsdb_search_one()Joseph Sutton2023-05-181-11/+12
| | | | | | | Ensure we get exactly one object back, or an error. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Don’t perform unnecessary search to get account objectClassJoseph Sutton2023-05-181-17/+1
| | | | | | | We now have this information in the ldb_message. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Have get_claims_for_principal() take the entire principalJoseph Sutton2023-05-183-10/+11
| | | | | | | | The ldb_message contains more information than just the DN, such as which authentication policy or silo is assigned. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Enforce TGT lifetime authentication policyJoseph Sutton2023-05-183-43/+25
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Look up authentication policies for Kerberos clients and serversJoseph Sutton2023-05-184-2/+51
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Make maximum lifetime and renew time signedJoseph Sutton2023-05-182-4/+4
| | | | | | | | | | This is now consistent with Heimdal, and with our usage of time_t elsewhere. NOTE: This commit finally works again! Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Add SDB_F_ARMOR_PRINCIPAL flagJoseph Sutton2023-05-181-1/+3
| | | | | | | | | | | | | This corresponds with the HDB_F_ARMOR_PRINCIPAL flag in Heimdal, and indicates a lookup of an armor ticket client principal, rather than the principal of the main TGT. This helps us to determine whether an authentication policy will apply to a principal acting as a client, and hence whether we have to look up the policy in the database. NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN! Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* third_party/heimdal: Import lorikeet-heimdal-202305160500 (commit ↵Joseph Sutton2023-05-186-18/+29
| | | | | | | | | 8836d64dee78a74aa740e31b7ad406b8a8cfdad0) NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN! Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Add helper functions for authentication policiesJoseph Sutton2023-05-186-0/+1060
| | | | | | | | | | | | | These functions are not yet used. They are arranged into two libraries: ‘authn_policy’, containing the core functions, and ‘authn_policy_util’, containing utility functions that can access the database. This separation is so that libraries depended upon by ‘samdb’ or ‘dsdb-module’ can use the core functions without introducing a dependency cycle. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Make a proper shallow copy of the auth_user_info_dc structureJoseph Sutton2023-05-184-40/+32
| | | | | | | | | | | | Just copying the structure fields is prone to lead to use-after-frees if we access them after the original structure and its fields are freed. Instead, call authsam_shallow_copy_user_info_dc() to make the copy. This properly references the fields in the original structure so that they will not be freed until we are sure we have finished with them. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:auth: Add function to make a shallow copy of an auth_user_info_dc structureJoseph Sutton2023-05-182-0/+71
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Add NTSTATUS strings to log messagesJoseph Sutton2023-05-181-4/+8
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* lib:audit_logging: Fix typo in log messageJoseph Sutton2023-05-181-1/+1
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* lib:audit_logging: Add function to add a formatted time value to a JSON messageJoseph Sutton2023-05-182-17/+44
| | | | | | | | | json_add_timestamp() is limited to adding a ‘timestamp’ field with the current time. The new function can add an arbitrary timestamp with an arbitrary field name. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* lib:audit_logging: Add function to add an optional boolean value to a JSON ↵Joseph Sutton2023-05-182-0/+47
| | | | | | | message Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* lib:audit_logging: Add function to add flags to a JSON messageJoseph Sutton2023-05-183-14/+59
| | | | | | | | | This replaces a couple of calls to snprintf() in log_authentication_event_json() and log_successful_authz_event_json() respectively. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:auth: Remove superfluous semicolonJoseph Sutton2023-05-181-1/+1
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:auth: Fix leakJoseph Sutton2023-05-181-1/+4
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth: Fix leaksJoseph Sutton2023-05-181-13/+64
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth: Correct parameter order in headerJoseph Sutton2023-05-181-1/+1
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Fix diagnostic messagesJoseph Sutton2023-05-181-17/+17
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Fix error messagesJoseph Sutton2023-05-181-2/+2
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Check ldb_dn_new() return valueJoseph Sutton2023-05-181-0/+4
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Remove double-freeJoseph Sutton2023-05-181-1/+0
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Remove double-freeJoseph Sutton2023-05-181-1/+0
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Fix leaksJoseph Sutton2023-05-181-0/+5
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Make use of auth_generate_security_token()Joseph Sutton2023-05-181-9/+9
| | | | | | | | We don’t need the whole session info structure to perform an access check. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:auth: Fix typosJoseph Sutton2023-05-184-5/+5
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:auth: Split out new function to generate a security tokenJoseph Sutton2023-05-182-44/+82
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth: Remove unnecessary return statementsJoseph Sutton2023-05-181-4/+0
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3:utils: Fix typoJoseph Sutton2023-05-181-1/+1
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Fix debugging stringsJoseph Sutton2023-05-181-2/+2
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Fix typosJoseph Sutton2023-05-183-4/+4
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Factor out PAC blob functions into new source fileJoseph Sutton2023-05-184-252/+341
| | | | | | | | pac-glue.c has become rather large, and can do without these PAC blob–handling functions. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Add missing includes and declarationsJoseph Sutton2023-05-181-0/+10
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli: Add missing includeJoseph Sutton2023-05-181-0/+2
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Include missing headersJoseph Sutton2023-05-181-0/+4
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Make use of KDC_REQUEST_KV_PA_NAME constantJoseph Sutton2023-05-181-1/+1
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Add tests for authentication policiesJoseph Sutton2023-05-186-0/+6810
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Allow specifying whether PA-DATA types are to be checkedJoseph Sutton2023-05-182-50/+61
| | | | | | | | | | | Not all tests are intended to test that the correct PA-DATA types are returned. This parameter allows us to skip checking for cases where we don’t care. View with ‘git show -b’. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Allow server and workstation accounts to perform a SamLogonJoseph Sutton2023-05-181-0/+3
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Allow specifying machine credentials to _test_samlogon()Joseph Sutton2023-05-181-9/+11
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Rename ‘server’ to ‘dc_server’Joseph Sutton2023-05-181-3/+3
| | | | | | | This makes it more clear that this is in fact the DC. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* netlogon:schannel: Fix NULL pointer dereferenceJoseph Sutton2023-05-181-0/+3
| | | | | | | We should not pass a NULL pointer into netlogon_creds_client_init(). Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Test that NT_STATUS_ACCOUNT_LOCKED_OUT is returned in KDC reply ↵Joseph Sutton2023-05-183-24/+92
| | | | | | | | | e-data Certain clients rely on this behaviour. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Improve edata checkingJoseph Sutton2023-05-184-24/+73
| | | | | | | | | | | | Instead of guessing based on a heuristic whether we have KERB_ERROR_DATA or METHOD_DATA in the ‘e-data’ field, decode it first as KERB_ERROR_DATA and fall back to METHOD_DATA if that fails. The environment variable EXPECT_NT_STATUS indicates that the KDC supports returning a status code in the e-data field. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/krb5: Remove unused importJoseph Sutton2023-05-181-1/+0
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* samba-tool domain: Clean up codeJoseph Sutton2023-05-182-3/+3
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* samba-tool domain: Remove unused variablesJoseph Sutton2023-05-184-33/+24
| | | | | Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
View Lorry Controller Status