path: root/auth/credentials/credentials_krb5.c
Commit message | Author | Age | Files | Lines
* dsdb: Allow special chars like "@" in samAccountName when generating the salt | Andrew Bartlett | 2021-10-20 | 1 | -6/+6
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Wed Oct 20 12:54:54 UTC 2021 on sn-devel-184
* auth:creds: Add obtained arg to cli_credentials_set_kerberos_state() | Andreas Schneider | 2021-04-28 | 1 | -1/+3
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth:creds: Rename CRED_USE_KERBEROS values | Andreas Schneider | 2020-11-03 | 1 | -2/+2
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
* lib/util: remove extra safe_string.h file | Matthew DeVore | 2020-08-28 | 1 | -0/+2
  lib/util/safe_string.h is similar to source3/include/safe_string.h, but the former has fewer checks. It is missing bcopy, strcasecmp, and strncasecmp.
  Add the missing elements to lib/util/safe_string.h remove the other safe_string.h which is in the source3-specific path. To accommodate existing uses of str(n?)casecmp, add #undef lines to source files where they are used.
  Signed-off-by: Matthew DeVore <matvore@google.com>
  Reviewed-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Fri Aug 28 02:18:40 UTC 2020 on sn-devel-184
* auth:creds: Remove unused credentials autoproto header | Andreas Schneider | 2020-08-19 | 1 | -1/+0
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* credentials: Workaround krb5_cc_remove_cred not implemented in MIT kerberos | Samuel Cabrero | 2019-04-29 | 1 | -0/+149
  Signed-off-by: Samuel Cabrero <scabrero@suse.de>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Mon Apr 29 19:15:48 UTC 2019 on sn-devel-184
* credentials: Initialize krb5 client to retrieve creds from ccache | Samuel Cabrero | 2019-04-29 | 1 | -0/+15
  MIT kerberos requires krb5_creds.client to be initialized to match krb5_creds.server with the cached credentials.
  Signed-off-by: Samuel Cabrero <scabrero@suse.de>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* krb5_wrap: Add a talloc_ctx to smb_krb5_principal_get_realm() | Volker Lendecke | 2018-11-28 | 1 | -3/+3
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* credentials: Remove an unnecessary talloc_steal() | Volker Lendecke | 2018-11-28 | 1 | -1/+0
  ccc was already allocated off cred, this talloc_steal was a no-op.
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* credentials: Fix set_ccache with empty creds cache | Volker Lendecke | 2018-11-28 | 1 | -6/+7
  This is an extension of bb2f7e3aee7e9b8: Without this fix in the "empty ccache" case we never set cred->ccache, so the whole call to cli_credentials_set_ccache became pointless
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* credentials: Fix an error path memleak | Volker Lendecke | 2018-11-28 | 1 | -0/+1
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* credentials: Only do shallow copies of valid ccaches | Volker Lendecke | 2018-11-28 | 1 | -0/+14
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* krb5-samba: interdomain trust uses different salt principal | Alexander Bokovoy | 2018-09-05 | 1 | -4/+12
  Salt principal for the interdomain trust is krbtgt/DOMAIN@REALM where DOMAIN is the sAMAccountName without the dollar sign ($)

  The salt principal for the BLA$ user object was generated wrong.

  dn: CN=bla.base,CN=System,DC=w4edom-l4,DC=base
  securityIdentifier: S-1-5-21-4053568372-2049667917-3384589010
  trustDirection: 3
  trustPartner: bla.base
  trustPosixOffset: -2147483648
  trustType: 2
  trustAttributes: 8
  flatName: BLA

  dn: CN=BLA$,CN=Users,DC=w4edom-l4,DC=base
  userAccountControl: 2080
  primaryGroupID: 513
  objectSid: S-1-5-21-278041429-3399921908-1452754838-1597
  accountExpires: 9223372036854775807
  sAMAccountName: BLA$
  sAMAccountType: 805306370
  pwdLastSet: 131485652467995000

  The salt stored by Windows in the package_PrimaryKerberosBlob (within supplementalCredentials) seems to be 'W4EDOM-L4.BASEkrbtgtBLA' for the above trust and Samba stores 'W4EDOM-L4.BASEBLA$'.

  While the salt used when building the keys from trustAuthOutgoing/trustAuthIncoming is 'W4EDOM-L4.BASEkrbtgtBLA.BASE', which we handle correctly.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539
  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Alexander Bokovoy <ab@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Sep 5 03:57:22 CEST 2018 on sn-devel-144
* define DBGC_AUTH class | kkplein | 2018-01-08 | 1 | -0/+3
  Signed-off-by: Mourik Jan C Heupink <heupink@merit.unu.edu>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* credentials: Simplify cli_credentials_get_server_gss_creds() | Andreas Schneider | 2018-01-03 | 1 | -9/+10
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Wed Jan 3 14:37:12 CET 2018 on sn-devel-144
* auth/credentials: remove unused smb_krb5_create_salt_principal() | Stefan Metzmacher | 2017-06-27 | 1 | -79/+0
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/credentials: make use of smb_krb5_salt_principal() in cli_credentials_get_keytab() | Stefan Metzmacher | 2017-06-27 | 1 | -12/+26
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* credentials_krb5: convert to use smb_gss_krb5_import_cred | Alexander Bokovoy | 2017-03-08 | 1 | -9/+13
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
  Signed-off-by: Alexander Bokovoy <ab@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth: fix mem leak & use appropriate free function | Aurelien Aptel | 2017-02-01 | 1 | -1/+1
  coverity fix.
  cli_credentials_set_principal does a strdup, we want to free 'name' regardless of the result in 'ok'.
  Signed-off-by: Aurelien Aptel <aaptel@suse.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* credentials: Create a smb_gss_krb5_copy_ccache() function | Andreas Schneider | 2017-01-12 | 1 | -4/+129
  This sets the default principal on the copied ccache if it hasn't been set yet.
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/credentials: Always set the realm if we set the principal from the ccache | Andreas Schneider | 2017-01-10 | 1 | -3/+17
  This fixes a bug in gensec_gssapi_client_start() where an invalid realm is used to get a Kerberos ticket.
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/credentials: Add missing error code check for MIT Kerberos | Andreas Schneider | 2016-12-24 | 1 | -1/+5
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/credentials: Add NULL check to free_dccache() | Andreas Schneider | 2016-12-20 | 1 | -2/+7
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/credentials: Add NULL check in free_mccache() | Andreas Schneider | 2016-12-20 | 1 | -1/+5
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth/credentials: Move function to free ccaches to the top | Andreas Schneider | 2016-12-20 | 1 | -15/+15
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* mit: make it possible to build with MIT kerberos and --picky-developer | Günther Deschner | 2016-09-29 | 1 | -1/+2
  Guenther
  Signed-off-by: Guenther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* krb5_wrap: Rename get_kerberos_allowed_etypes() | Andreas Schneider | 2016-08-31 | 1 | -1/+1
  Use consistent naming.
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* Wrap krb5_cc_copy_creds and krb5_cc_copy_cache | Alexander Bokovoy | 2016-07-25 | 1 | -2/+2
  Heimdal and MIT Kerberos have different API to copy credentials from a ccache. Wrap it via lib/krb5_wrap/.
  Signed-off-by: Alexander Bokovoy <ab@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
  Autobuild-User(master): Günther Deschner <gd@samba.org>
  Autobuild-Date(master): Mon Jul 25 21:27:58 CEST 2016 on sn-devel-144
* auth/credentials: also do a shallow copy of the krb5_ccache. | Stefan Metzmacher | 2016-07-22 | 1 | -0/+67
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4-auth: Always pass down the salt principal | Andreas Schneider | 2015-07-17 | 1 | -6/+104
  We should always pass down the saltPrincipal to smb_krb5_update_keytab() function.
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* auth: Explain why GSS_KRB5_CRED_NO_CI_FLAGS_X is needed | Andreas Schneider | 2015-06-24 | 1 | -1/+9
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Wed Jun 24 13:37:02 CEST 2015 on sn-devel-104
* auth/credentials: use HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X instead of SAMBA4_USES_HEIMDAL | Stefan Metzmacher | 2015-06-23 | 1 | -3/+2
  Newer MIT versions also have this.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Günther Deschner <gd@samba.org>
* auth/credentials_krb5: fix memory leak in cli_credentials_failed_kerberos_login(). | Günther Deschner | 2015-01-26 | 1 | -0/+2
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Mon Jan 26 19:56:57 CET 2015 on sn-devel-104
* auth/credentials_krb5: silence a build warning. | Günther Deschner | 2014-08-08 | 1 | -0/+2
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/credentials-krb5: use get_kerberos_allowed_etypes(). | Günther Deschner | 2014-08-08 | 1 | -6/+5
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* kerberos: Remove un-used event context argument from smb_krb5_init_context() | Andrew Bartlett | 2014-04-28 | 1 | -1/+1
  The event context here was only specified in the server or admin-tool context, which does not do network communication, so this only caused a talloc_reference() and never any useful result.
  The actual network communication code sets an event context directly before making the network call.
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Mon Apr 28 02:24:57 CEST 2014 on sn-devel-104
* auth/credentials: keep cli_credentials private | Stefan Metzmacher | 2013-08-05 | 1 | -0/+1
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth: added cli_credentials_failed_kerberos_login() | Andrew Tridgell | 2012-11-01 | 1 | -0/+61
  this is used to support retrying kerberos connections after removing a ccache entry, to cope with a server being re-built while our client still has a valid service ticket
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* auth/credentials: Support match-by-key in cli_credentials_get_server_gss_creds() | Andrew Bartlett | 2012-08-30 | 1 | -3/+8
  This allows a password alone to be used to accept kerberos tickets. Of course, we need to have got the salt right, but we do not need also the correct kvno. This allows gensec_gssapi to accept tickets based on a secrets.tdb entry.
  Andrew Bartlett
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Thu Aug 30 01:26:12 CEST 2012 on sn-devel-104
* auth/credentials: 'workgroup' set via command line will not drop existing ccache | Alexander Bokovoy | 2012-05-24 | 1 | -12/+2
  The root cause for existing ccache being invalidated was use of global loadparm with 'workgroup' value set as if from command line. However, we don't really need to take 'workgroup' parameter value's nature into account when invalidating existing ccache. When -U is used on the command line, one can specify a password to force ccache invalidation.
  The commit also reverts previous fix now that root cause is clear.
* auth-credentials: Support using pre-fetched ccache when obtaining kerberos credentials | Alexander Bokovoy | 2012-05-23 | 1 | -2/+12
  When credentials API is used by a client-side program that already has fetched required tickets into a ccache, we need to skip re-initializing ccache.
  This is used in FreeIPA when Samba 4 Python bindings are run after mod_auth_kerb has obtained user tickets already.
* auth and s4-rpc_server: Do not use features we currently can't implement with MIT Kerberos build | Simo Sorce | 2012-05-23 | 1 | -1/+4
* s4-auth: Use smb_krb5_cc_get_lifetime() wrapper. | Andreas Schneider | 2012-05-04 | 1 | -2/+2
  Signed-off-by: Simo Sorce <idra@samba.org>
* lib/replace: split out GSSAPI from lib/replace/system/kerberos.h into lib/replace/system/gssapi.h | Alexander Bokovoy | 2012-04-25 | 1 | -0/+1
  With waf build include directories are defined by dependencies specified to subsystems. Without proper dependency <gssapi/gssapi.h> cannot be found for embedded Heimdal builds when there are no system-wide gssapi/gssapi.h available.
  Split out GSSAPI header includes in a separate replacement header and use that explicitly where needed.
  Autobuild-User: Alexander Bokovoy <ab@samba.org>
  Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
* Make krb5 wrapper library common so they can be used all over | Simo Sorce | 2012-04-23 | 1 | -0/+1
* srv_keytab: Pass krb5_context directly, it's all we use anyways. | Simo Sorce | 2012-04-12 | 1 | -1/+2
  Signed-off-by: Andreas Schneider <asn@samba.org>
* s4-auth-krb: Remove dependency on credentials too. | Simo Sorce | 2012-04-12 | 1 | -3/+6
  Signed-off-by: Andreas Schneider <asn@samba.org>
* s4-auth-krb: Remove unneeded dependency on kerberos_util. | Simo Sorce | 2012-04-12 | 1 | -3/+13
  Signed-off-by: Andreas Schneider <asn@samba.org>
* s4-auth-krb: Move keytab functions in a separate file. | Simo Sorce | 2012-04-12 | 1 | -0/+1
  Confine ldb dependency.
  Signed-off-by: Andreas Schneider <asn@samba.org>
* s4-auth-krb: Make cli_credentials_invalidate_client_gss_creds static. | Simo Sorce | 2012-04-12 | 1 | -0/+4
  It's not used anywhere else.
  Signed-off-by: Andreas Schneider <asn@samba.org>