path: root/source4/heimdal/kdc/krb5tgs.c
Commit message | Author | Age | Files | Lines
* CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum | Isaac Boukris | 2019-05-07 | 1 | -0/+7
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13685
  Signed-off-by: Isaac Boukris <iboukris@gmail.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* HEIMDAL:kdc: make it possible to disable the principal based referral detection | Stefan Metzmacher | 2017-03-10 | 1 | -1/+3
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* HEIMDAL:kdc: add krb5plugin_windc_pac_pk_generate() hook | Stefan Metzmacher | 2016-07-22 | 1 | -1/+1
  This allows PAC_CRENDENTIAL_INFO to be added to the PAC when using PKINIT. In that case PAC_CRENDENTIAL_INFO contains an encrypted PAC_CRENDENTIAL_DATA.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* heimdal make kvno unsigned internally | Uri Simchoni | 2016-05-24 | 1 | -2/+15
  The folks at heimdal didn't like the patch in commit 6379737b7ddc6ccb752238c5820cc62e76a8da17 and insisted that kvno should remain unsigned internally, even though it is encoded as signed in packets. This patch reverts some of the unsigned->signed changes in that commit, and resolves conversion issues - in order to be aligned with upstream Heimdal.
  Signed-off-by: Uri Simchoni <uri@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Tue May 24 03:00:39 CEST 2016 on sn-devel-144
* heimdal:kdc: add support for HDB_ERR_WRONG_REALM | Stefan Metzmacher | 2015-07-08 | 1 | -0/+26
  A backend can return this if asked with HDB_F_GET_CLIENT|HDB_F_FOR_AS_REQ for a KRB5_NT_ENTERPRISE_PRINCIPAL record or for HDB_F_GET_SERVER | HDB_F_FOR_TGS_REQ. entry_ex->entry.principal->realm needs to return the real realm of the principal (or at least the realm of the next cross-realm trust hop).
  This is needed to route enterprise principals between AD domain trusts.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* heimdal:kdc: generic support for 3part servicePrincipalNames | Stefan Metzmacher | 2015-07-08 | 1 | -3/+2
  This is not DRSUAPI specific, it works for all 3 part principals.
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* heimdal: remove checking of KDC PAC signature, delegate to wdc plugin | Andrew Bartlett | 2012-01-12 | 1 | -12/+2
  The checking of the KDC signature is more complex than it looks, it may be of a different enc type to that which the ticket is encrypted with, and may even be prefixed with the RODC number.
  This is better handled in the plugin which can easily look up the DB for the correct key to verify this with, and can also quickly determine if this is an interdomain trust, which we cannot verify the PAC for.
  Andrew Bartlett
* heimdal: handle referrals for 3 part DRSUAPI SPNs | Andrew Tridgell | 2011-10-04 | 1 | -1/+18
  This handles referrals for SPNs of the form E3514235-4B06-11D1-AB04-00C04FC2DCD2/NTDSGUID/REALM, which are used during DRS replication when we don't know the dnsHostName of the target DC (which we don't know until the first replication from that DC completes).
  We use the 3rd part of the SPN directly as the realm name in the referral.
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* heimdal: Try to handle the PAC checking when we are in a cross-realm environment | Andrew Bartlett | 2011-09-05 | 1 | -1/+10
* s4:heimdal: import lorikeet-heimdal-201107241840 (commit 0fdf11fa3cdb47df9f5393ebf36d9f5742243036) | Stefan Metzmacher | 2011-07-26 | 1 | -4/+8
* s4:heimdal: import lorikeet-heimdal-201107150856 (commit 48936803fae4a2fb362c79365d31f420c917b85b) | Stefan Metzmacher | 2011-07-15 | 1 | -46/+58
* s4:kdc: generate the S4U_DELEGATION_INFO in the regenerated pac | Stefan Metzmacher | 2011-06-28 | 1 | -4/+2
  metze
* HEIMDAL:kdc: pass down the delegated_proxy_principal to the verify_pac() function | Stefan Metzmacher | 2011-06-28 | 1 | -14/+31
  This is needed in order to add the S4U_DELEGATION_INFO to the pac.
  metze
* HEIMDAL:kdc: don't allow self delegation if a backend check_constrained_delegation() hook is given | Stefan Metzmacher | 2011-06-24 | 1 | -4/+4
  A service should use S4U2Self instead of S4U2Proxy. Windows servers allow S4U2Proxy only to explicitly configured target principals.
  metze
* HEIMDAL:kdc: pass down the server hdb_entry_ex to check_constrained_delegation() | Stefan Metzmacher | 2011-06-24 | 1 | -5/+19
  This way we can compare the already canonicalized principals, while still passing the client specified target principal down to the backend specific constrained_delegation() hook.
  metze
* HEIMDAL:kdc: use the correct client realm in the EncTicketPart | Stefan Metzmacher | 2011-06-24 | 1 | -1/+1
  With S4U2Proxy tgt->crealm might be different from tgt_name->realm.
  metze
* HEIMDAL:kdc: check and regenerate the PAC in the s4u2proxy case | Stefan Metzmacher | 2011-05-18 | 1 | -13/+38
  TODO: we need to add a S4U_DELEGATION_INFO to the PAC later.
  metze
* HEIMDAL:kdc: pass the correct principal name for the resulting service ticket | Stefan Metzmacher | 2011-05-18 | 1 | -38/+36
  Depending on S4U2Proxy the principal name for the resulting ticket is not the principal of the client ticket.
  metze
* HEIMDAL:kdc: let check_PAC() verify the incoming server and krbtgt checksums | Stefan Metzmacher | 2011-05-18 | 1 | -4/+7
  For a normal TGS-REQ they're both signed with krbtgt key. But for S4U2Proxy requests which ask for constrained delegation, the keys differ.
  metze
* HEIMDAL:kdc: correctly propagate HDB_ERR_NOT_FOUND_HERE via tgs_parse_request() and _kdc_tgs_rep() | Stefan Metzmacher | 2011-03-04 | 1 | -0/+5
  metze
* heimdal Build ticket with the canonical server name | Andrew Bartlett | 2010-11-16 | 1 | -1/+1
  We need to use the name that the HDB entry returned, otherwise we will not canonicalise the reply as requested.
  Andrew Bartlett
* heimdal Fetch the client before the PAC check, but after obtaining krbtgt_out | Andrew Bartlett | 2010-11-15 | 1 | -31/+30
  By checking the client principal here, we compare the realm based on the normalised realm, but do so early enough to validate the PAC (and regenerate it if required).
  Andrew Bartlett
* heimdal Fix handling of backwards cross-realm detection for Samba4 | Andrew Bartlett | 2010-11-15 | 1 | -18/+48
  Samba4 may modify the case of the realm in a returned entry, but will no longer modify the case of the principal components.
  The easy way to keep this test passing is to consider also what we need to do to get the krbtgt account for the PAC signing - and to use krbtgt/<this>/@REALM component to fetch the real krbtgt, and to use that result for realm comparison.
  Andrew Bartlett
  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Mon Nov 15 08:47:44 UTC 2010 on sn-devel-104
* heimdal Return HDB_ERR_NOT_FOUND_HERE to the caller | Andrew Bartlett | 2010-11-12 | 1 | -5/+22
  This means that no reply packet should be generated, but that instead the user of the libkdc API should forward the packet to a real KDC, that has a full database.
  Andrew Bartlett
* s4:heimdal: import lorikeet-heimdal-201010022046 (commit 1bea031b9404b14114b0272ecbe56e60c567af5c) | Andrew Bartlett | 2010-10-03 | 1 | -4/+4
* s4:heimdal: import lorikeet-heimdal-201009250123 (commit 42cabfb5b683dbcb97d583c397b897507689e382) | Matthieu Patou | 2010-10-03 | 1 | -9/+19
  I based this on Matthieu's import of lorikeet-heimdal, and then updated it to this commit.
  Andrew Bartlett
* heimdal use returned server entry from HDB to compare realms | Andrew Bartlett | 2010-10-02 | 1 | -1/+1
  Some hdb modules (samba4) may change the case of the realm in a returned result. Use that to determine if it matches the krbtgt realm also returned from the DB (the DB will return it in the 'right' case)
  Andrew Bartlett
* heimdal Add support for extracting a particular KVNO from the database | Andrew Bartlett | 2010-09-29 | 1 | -14/+37
  This should allow master key rollover.
  (but the real reason is to allow multiple krbtgt accounts, as used by Active Directory to implement RODC support)
  Andrew Bartlett
* s4:heimdal Create a new PAC when impersonating a user with S4U2Self | Andrew Bartlett | 2010-04-10 | 1 | -4/+46
  If we don't do this, the PAC is given for the machine account, not the account being impersonated.
  Andrew Bartlett
* s4:heimdal Add hooks to check with the DB before we allow s4u2self | Andrew Bartlett | 2010-04-10 | 1 | -4/+36
  This allows us to resolve multiple forms of a name, allowing for example machine$@REALM to get an S4U2Self ticket for host/machine@REALM.
  Andrew Bartlett
* s4:heimdal: import lorikeet-heimdal-201003262338 (commit f4e0dc17709829235f057e0e100d34802d3929ff) | Andrew Bartlett | 2010-03-27 | 1 | -2/+0
* s4:heimdal: import lorikeet-heimdal-201001120029 (commit a5e675fed7c5db8a7370b77ed0bfa724196aa84d) | Andrew Bartlett | 2010-03-27 | 1 | -2/+3
* heimdal Fix invalid format string | Andrew Bartlett | 2009-11-24 | 1 | -1/+1
* s4:heimdal: import lorikeet-heimdal-200911122202 (commit 9291fd2d101f3eecec550178634faa94ead3e9a1) | Andrew Bartlett | 2009-11-13 | 1 | -59/+107
* s4:heimdal: import lorikeet-heimdal-200909210500 (commit 290db8d23647a27c39b97c189a0b2ef6ec21ca69) | Andrew Bartlett | 2009-11-13 | 1 | -10/+15
* s4:heimdal: import lorikeet-heimdal-200907162216 (commit d09910d6803aad96b52ee626327ee55b14ea0de8) | Andrew Bartlett | 2009-07-17 | 1 | -17/+22
  This includes in particular changes to the KDC to resolve bug 6272, originally by Matthieu Patou <mat+Informatique.Samba@matws.net>. We need to sort the AuthorizationData elements to put the PAC first, or else WinXP breaks when browsed from Win2k8.
  Andrew Bartlett
* s4:heimdal: import lorikeet-heimdal-200907152325 (commit 2bef9cd5378c01e9c2a74d6221761883bd11a5c5) | Andrew Bartlett | 2009-07-16 | 1 | -15/+29
* s4:kdc Allow a password change when the password is expired | Andrew Bartlett | 2009-06-18 | 1 | -4/+4
  This requires a rework on Heimdal's windc plugin layer, as we want full control over what tickets Heimdal will issue. (In particular, in case our requirements become more complex in future).
  The original problem was that Heimdal's check would permit the ticket, but Samba would then deny it, not knowing it was for kadmin/changepw
  Also (in hdb-samba4) be a bit more careful on what entries we will make the 'change_pw' service mark that this depends on.
  Andrew Bartlett
* s4:heimdal: import lorikeet-heimdal-200906080040 (commit 904d0124b46eed7a8ad6e5b73e892ff34b6865ba) | Andrew Bartlett | 2009-06-12 | 1 | -35/+27
  Also including the supporting changes required to pass make test
  A number of heimdal functions and constants have changed since we last imported a tree (for the better, but inconvenient for us).
  Andrew Bartlett
* Re-add support for supporting the PAC over domain trusts. | Andrew Bartlett | 2008-11-04 | 1 | -19/+17
  (This was not entered in lorikeet-heimdal.diff, so missed by metze's import).
  Andrew Bartlett
* s4: import lorikeet-heimdal-200810271034 | Stefan Metzmacher | 2008-10-28 | 1 | -25/+25
  metze
* Allow the PAC to be passed along during cross-realm authentication | Andrew Bartlett | 2008-10-06 | 1 | -18/+16
* heimdal: import heimdal's trunk svn rev 23697 + lorikeet-heimdal patches | Stefan Metzmacher | 2008-08-26 | 1 | -5/+21
  This is based on f56a3b1846c7d462542f2e9527f4d0ed8a34748d in my heimdal-wip repo.
  metze
  (This used to be commit 467a1f2163a63cdf1a4c83a69473db50e8794f53)
* heimdal: update to lorikeet-heimdal rev 801 | Stefan Metzmacher | 2008-08-01 | 1 | -239/+400
  metze
  (This used to be commit d6c54a66fb23c784ef221a3c1cf766b72bdb5a0b)
* Merge lorikeet-heimdal -r 787 into Samba4 tree. | Andrew Bartlett | 2008-03-19 | 1 | -8/+16
  Andrew Bartlett
  (This used to be commit d88b530522d3cef67c24422bd5182fb875d87ee2)
* r23678: Update to current lorikeet-heimdal (-r 767), which should fix the panics on hosts without /dev/random. | Andrew Bartlett | 2007-10-10 | 1 | -16/+16
  Andrew Bartlett
  (This used to be commit 14a4ddb131993fec72316f7e8e371638749e6f1f)
* r23456: Update Samba4 to current lorikeet-heimdal. | Andrew Bartlett | 2007-10-10 | 1 | -14/+21
  Andrew Bartlett
  (This used to be commit ae0f81ab235c72cceb120bcdeb051a483cf3cc4f)
* r20640: Commit part 2/2 | Andrew Bartlett | 2007-10-10 | 1 | -110/+228
  Update Heimdal to match current lorikeet-heimdal. This includes integrated PAC hooks, so Samba doesn't have to handle this any more.
  This also brings in the PKINIT code, hence so many new files.
  Andrew Bartlett
  (This used to be commit 351f7040f7bb73b9a60b22b564686f7c2f98a729)
* r19604: This is a massive commit, and I apologise in advance for its size. | Andrew Bartlett | 2007-10-10 | 1 | -0/+1781
  This merges Samba4 with lorikeet-heimdal, which itself has been tracking Heimdal CVS for the past couple of weeks.
  This is such a big change because Heimdal reorganised its internal structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases.
  In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO PAC. This matches windows behaviour. We also have an option to require the PAC to be present (which allows us to automate the testing of this code).
  This also includes a restructure of how the kerberos dependencies are handled, due to the fallout of the merge.
  Andrew Bartlett
  (This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471)