path: root/source4/heimdal/kdc
Columns: Commit message, Author, Age, Files, Lines
* HEIMDAL:kdc: fix dh->q allocation check in get_dh_param()
  Author: Stefan Metzmacher  Age: 2017-12-06  Files: 1  Lines: -1/+1

  Thanks to Doug Nazar <nazard@nazar.ca> for spotting this!

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12986

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from heimdal commit a79b59ba27070a015479e8d981b7e685dbe34310)
  Reviewed-by: Andreas Schneider <asn@samba.org>
* HEIMDAL: don't bother seeing q if not sent
  Author: Love Hornquist Astrand  Age: 2017-08-28  Files: 1  Lines: -3/+6

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12986

  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from heimdal commit 19f9fdbcea11013cf13ac72c416f161ee55dee2b)

  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Mon Aug 28 15:10:54 CEST 2017 on sn-devel-144
* HEIMDAL: allow optional q in DH DomainParameters
  Author: Love Hornquist Astrand  Age: 2017-08-28  Files: 1  Lines: -1/+1

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12986

  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from heimdal commit e8317b955f5a390c4f296871ba6987ad05478c95)
* heimdal: Pass extra information to hdb_auth_status() to log success and failures
  Author: Andrew Bartlett  Age: 2017-03-29  Files: 1  Lines: -4/+35

  We now pass on the original client name and the client address to allow
  consistent audit logging in Samba across multiple protocols.

  We use config->db[0] to find the first database to record incorrect users.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* heimdal: Add initializer for stack pointers
  Author: Andrew Bartlett  Age: 2017-03-27  Files: 1  Lines: -2/+2

  This helps ensure we know these are NULL until set

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* HEIMDAL:kdc: make it possible to disable the principal based referral detection
  Author: Stefan Metzmacher  Age: 2017-03-10  Files: 3  Lines: -1/+6

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* HEIMDAL:kdc: add krb5plugin_windc_pac_pk_generate() hook
  Author: Stefan Metzmacher  Age: 2016-07-22  Files: 4  Lines: -4/+22

  This allows PAC_CRENDENTIAL_INFO to be added to the PAC when using PKINIT.
  In that case PAC_CRENDENTIAL_INFO contains an encrypted PAC_CRENDENTIAL_DATA.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* HEIMDAL:kdc: reset e_text after successful pre-auth verification
  Author: Stefan Metzmacher  Age: 2016-07-22  Files: 1  Lines: -0/+2

  This is already fixed in upstream heimdal.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* kerberos: Return enc data on PREAUTH_FAILED
  Author: Garming Sam  Age: 2016-07-05  Files: 1  Lines: -79/+99

  Without the enc data, Windows clients will perform two AS-REQ causing the
  password lockout count to increase by two instead of one.

  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11539

  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Tue Jul 5 10:52:32 CEST 2016 on sn-devel-144
* heimdal make kvno unsigned internally
  Author: Uri Simchoni  Age: 2016-05-24  Files: 2  Lines: -3/+16

  The folks at heimdal didn't like the patch in commit
  6379737b7ddc6ccb752238c5820cc62e76a8da17 and insisted that kvno should
  remain unsigned internally, even though it is encoded as signed in packets.

  This patch reverts some of the unsigned->signed changes in that commit, and
  resolves conversion issues - in order to be aligned with upstream Heimdal.

  Signed-off-by: Uri Simchoni <uri@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>

  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Tue May 24 03:00:39 CEST 2016 on sn-devel-144
* heimdal: encode/decode kvno as signed integer
  Author: Uri Simchoni  Age: 2016-05-07  Files: 1  Lines: -1/+1

  This patch changes the encoding/decoding of kvno (key version number) in
  blobs and packets to signed integer, for compatibility with Windows.
  Reportedly, MIT Kerberos does the same.

  This patch effectively reverts commit 1124c4872dfb81bec9c4b527b8927ca35e39a599
  in the heimdal tree.

  According to the Kerberos spec (RFC 4120 5.2.9), the kvno field in encrypted
  data object is an unsigned integer that fits in 32 bits. The Heimdal Kerberos
  component bundled with Samba conforms to this. However, Windows deviates from
  the standard and encodes kvno as a signed integer, and this creates
  interoperability issues.

  ASN.1 DER has no special encoding for unsigned integer. A 32-bit unsigned
  integer is encoded as a signed integer, so while a signed 32-bit integer
  (covering the range of -0x80000000..0x7fffffff) is encoded using up to 4
  bytes, an unsigned integer (covering 0..0xffffffff) could require 5 bytes.

  Normally, kvno for a given account starts at 1 and increments on password
  changes. Kerberos defined this as unsigned because there's no meaning for
  negative version numbers, so the standard writers figured 4 billion versions
  is better than 2 billion. It was not expected for a kvno to really go past
  0x7fffffff and the distinction usually does not matter.

  However, RODCs use kvnos which have the most-significant bit set. In Active
  Directory, RODCs have a private secret for the krbtgt, because the assumption
  is that the RODC is less secure, and recovering the domain krbtgt secret from
  the RODC would compromise the security of the entire domain. The kvno field
  is being used to identify the private krbtgt account that owns the key - the
  upper 16 bits are the RODC id, and the lower 16 bits identify the key version
  number for this specific RODC.

  It's common to have an RODC id greater than 0x8000, and therefore to have a
  kvno larger than 0x7fffffff, which would be DER-encoded using 5 bytes.
  Windows encodes kvno as signed integer - basically taking the 32 bits and
  treating them as a signed integer rather than an unsigned integer. This means
  that in Windows a kvno can always be encoded using 4 bytes, and Windows DCs
  reject a kvno encoded using more than 4 bytes without even generating an
  error response (the DC assumes it's an attack).

  Heimdal re-encodes the TGT when it creates a TGS request. Obviously it cannot
  decode and encode the encrypted parts but it does re-encode the plain parts,
  which include the kvno. That leads to a 5-byte kvno in the TGS request, which
  is rejected without an error response.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11900

  Signed-off-by: Uri Simchoni <uri@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>

  Autobuild-User(master): Ralph Böhme <slow@samba.org>
  Autobuild-Date(master): Sat May 7 21:14:21 CEST 2016 on sn-devel-144
* s4/heimdal: allow SPNs in AS-REQ
  Author: Ralph Boehme  Age: 2016-04-25  Files: 1  Lines: -3/+3

  This allows testing keytabs with service tickets. Windows KDCs allow this
  as well.

  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* heimdal:kdc: add support for HDB_ERR_WRONG_REALM
  Author: Stefan Metzmacher  Age: 2015-07-08  Files: 3  Lines: -1/+58

  A backend can return this if asked with HDB_F_GET_CLIENT|HDB_F_FOR_AS_REQ
  for a KRB5_NT_ENTERPRISE_PRINCIPAL record or for
  HDB_F_GET_SERVER | HDB_F_FOR_TGS_REQ.

  entry_ex->entry.principal->realm needs to return the real realm of the
  principal (or at least the realm of the next cross-realm trust hop).

  This is needed to route enterprise principals between AD domain trusts.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* heimdal:kdc: generic support for 3part servicePrincipalNames
  Author: Stefan Metzmacher  Age: 2015-07-08  Files: 1  Lines: -3/+2

  This is not DRSUAPI specific, it works for all 3 part principals.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* heimdal:kdc: remove KRB5_PADATA_CLIENT_CANONICALIZED handling
  Author: Stefan Metzmacher  Age: 2015-03-12  Files: 1  Lines: -52/+0

  This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt and
  the final rfc6806.txt.

  The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* heimdal: Ensure that HDB_ERR_NOT_FOUND_HERE, critical for the RODC, is not overwritten
  Author: Andrew Bartlett  Age: 2015-01-23  Files: 1  Lines: -4/+19

  This change ensures that our RODC will correctly proxy when asked to provide
  a ticket for a service or user where the keys are not on this RODC.

  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* heimdal: Really bug in KDC handling of enterprise princs
  Author: Nicolas Williams  Age: 2015-01-23  Files: 1  Lines: -3/+2

  The value of this commit to Samba is to continue to match Heimdal's upstream
  code in this area. Because we set HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL there
  is no runtime difference.

  (commit message by Andrew Bartlett)

  Cherry-pick of Heimdal commit 9aa7883ff2efb3e0a60016c9090c577acfd0779f

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* heimdal: Fix bug in KDC handling of enterprise principals
  Author: Nicolas Williams  Age: 2015-01-23  Files: 1  Lines: -35/+38

  The useful change in Samba from this commit is that we gain validation of
  the enterprise principal name.

  (commit message by Andrew Bartlett)

  Cherry-pick of Heimdal commit c76ec8ec6a507a6f34ca80c11e5297146acff83f

  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* heimdal: Only indicate successful authentication after successful authz
  Author: Andrew Bartlett  Age: 2014-04-02  Files: 1  Lines: -4/+4

  This is needed to match Windows behaviour for NTLM logins.

  Andrew Bartlett

  Change-Id: I142de19b480cd6499d6f7f025f655e220558d54c
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* heimdal: Match windows and return KRB5KDC_ERR_CLIENT_REVOKED when the account is locked out
  Author: Andrew Bartlett  Age: 2014-04-02  Files: 1  Lines: -1/+1

  Change-Id: I3c306d1516aa569549f5f024fe1fff2d4f2abefc
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* heimdal: Do not attempt password authentication for locked out accounts
  Author: Andrew Bartlett  Age: 2014-04-02  Files: 1  Lines: -0/+8

  Change-Id: I49695cc4ae0dd0b02034e5411b277882ec5f5f44
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* heimdal: remove checking of KDC PAC signature, delegate to wdc plugin
  Author: Andrew Bartlett  Age: 2012-01-12  Files: 1  Lines: -12/+2

  The checking of the KDC signature is more complex than it looks, it may be
  of a different enc type to that which the ticket is encrypted with, and may
  even be prefixed with the RODC number.

  This is better handled in the plugin which can easily look up the DB for the
  correct key to verify this with, and can also quickly determine if this is
  an interdomain trust, which we cannot verify the PAC for.

  Andrew Bartlett
* heimdal: handle referrals for 3 part DRSUAPI SPNs
  Author: Andrew Tridgell  Age: 2011-10-04  Files: 1  Lines: -1/+18

  This handles referrals for SPNs of the form
  E3514235-4B06-11D1-AB04-00C04FC2DCD2/NTDSGUID/REALM, which are used during
  DRS replication when we don't know the dnsHostName of the target DC (which
  we don't know until the first replication from that DC completes).

  We use the 3rd part of the SPN directly as the realm name in the referral.

  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
* heimdal: Try to handle the PAC checking when we are in a cross-realm environment
  Author: Andrew Bartlett  Age: 2011-09-05  Files: 1  Lines: -1/+10
* s4:heimdal: import lorikeet-heimdal-201107241840 (commit 0fdf11fa3cdb47df9f5393ebf36d9f5742243036)
  Author: Stefan Metzmacher  Age: 2011-07-26  Files: 5  Lines: -8/+12
* s4:heimdal: import lorikeet-heimdal-201107150856 (commit 48936803fae4a2fb362c79365d31f420c917b85b)
  Author: Stefan Metzmacher  Age: 2011-07-15  Files: 12  Lines: -360/+414
* s4:kdc: generate the S4U_DELEGATION_INFO in the regenerated pac
  Author: Stefan Metzmacher  Age: 2011-06-28  Files: 1  Lines: -4/+2

  metze
* HEIMDAL:kdc: pass down the delegated_proxy_principal to the verify_pac() function
  Author: Stefan Metzmacher  Age: 2011-06-28  Files: 3  Lines: -20/+41

  This is needed in order to add the S4U_DELEGATION_INFO to the pac.

  metze
* HEIMDAL:kdc/windc_plugin.h: KRB5_WINDC_PLUGIN_MINOR 4 => 5
  Author: Stefan Metzmacher  Age: 2011-06-28  Files: 1  Lines: -2/+2

  commit "heimdal Add support for extracting a particular KVNO from the
  database" (f469fc6d4922d796f5c61bf43e3efc018e37b680 in heimdal/master and
  9b5e304ccedc8f0f7ce2342e4d9c621417dd1c1e in samba/master) changed the
  windc_plugin interface, so we need to change the version number.

  metze
* HEIMDAL:kdc: don't allow self delegation if a backend check_constrained_delegation() hook is given
  Author: Stefan Metzmacher  Age: 2011-06-24  Files: 1  Lines: -4/+4

  A service should use S4U2Self instead of S4U2Proxy.

  Windows servers allow S4U2Proxy only to explicitly configured target
  principals.

  metze
* HEIMDAL:kdc: pass down the server hdb_entry_ex to check_constrained_delegation()
  Author: Stefan Metzmacher  Age: 2011-06-24  Files: 1  Lines: -5/+19

  This way we can compare the already canonicalized principals, while still
  passing the client specified target principal down to the backend specific
  constrained_delegation() hook.

  metze
* HEIMDAL:kdc: use the correct client realm in the EncTicketPart
  Author: Stefan Metzmacher  Age: 2011-06-24  Files: 1  Lines: -1/+1

  With S4U2Proxy tgt->crealm might be different from tgt_name->realm.

  metze
* HEIMDAL:kdc: check and regenerate the PAC in the s4u2proxy case
  Author: Stefan Metzmacher  Age: 2011-05-18  Files: 1  Lines: -13/+38

  TODO: we need to add a S4U_DELEGATION_INFO to the PAC later.

  metze
* HEIMDAL:kdc: pass the correct principal name for the resulting service ticket
  Author: Stefan Metzmacher  Age: 2011-05-18  Files: 1  Lines: -38/+36

  Depending on S4U2Proxy the principal name for the resulting ticket is not
  the principal of the client ticket.

  metze
* HEIMDAL:kdc: let check_PAC() verify the incoming server and krbtgt checksums
  Author: Stefan Metzmacher  Age: 2011-05-18  Files: 1  Lines: -4/+7

  For a normal TGS-REQ they're both signed with krbtgt key. But for S4U2Proxy
  requests which ask for constrained delegation, the keys differ.

  metze
* Merge new lorikeet heimdal, revision 85ed7247f515770c73b1f1ced1739f6ce19d75d2
  Author: Jelmer Vernooij  Age: 2011-03-14  Files: 2  Lines: -3/+4

  Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
  Autobuild-Date: Mon Mar 14 23:53:46 CET 2011 on sn-devel-104
* HEIMDAL:kdc: correctly propagate HDB_ERR_NOT_FOUND_HERE via tgs_parse_request() and _kdc_tgs_rep()
  Author: Stefan Metzmacher  Age: 2011-03-04  Files: 1  Lines: -0/+5

  metze
* heimdal Pass F_CANON down to the hdb layer for servers in AS-REP as well
  Author: Andrew Bartlett  Age: 2011-02-17  Files: 1  Lines: -2/+1

  This fixes Win2003 domain logons against Samba4, which need a canonicalised
  reply, and helpfully do set that flag.

  Specifically, they need that realm in krbtgt/realm@realm that these both
  match exactly in the reply.

  Andrew Bartlett

  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Thu Feb 17 06:40:53 CET 2011 on sn-devel-104
* s4:heimdal: import lorikeet-heimdal-201101310455 (commit aa88eb1a05c4985cc23fb65fc1bad75bdce01c1f)
  Author: Andrew Bartlett  Age: 2011-02-02  Files: 1  Lines: -0/+4
* heimdal_build: Add version-script for kdc.
  Author: Jelmer Vernooij  Age: 2010-12-17  Files: 1  Lines: -0/+21
* s4:heimdal: import lorikeet-heimdal-201012010201 (commit 81fe27bcc0148d410ca4617f8759b9df1a5e935c)
  Author: Andrew Bartlett  Age: 2010-12-01  Files: 4  Lines: -1049/+7
* heimdal Build ticket with the canonical server name
  Author: Andrew Bartlett  Age: 2010-11-16  Files: 1  Lines: -1/+1

  We need to use the name that the HDB entry returned, otherwise we will not
  canonicalise the reply as requested.

  Andrew Bartlett
* heimdal Fetch the client before the PAC check, but after obtaining krbtgt_out
  Author: Andrew Bartlett  Age: 2010-11-15  Files: 1  Lines: -31/+30

  By checking the client principal here, we compare the realm based on the
  normalised realm, but do so early enough to validate the PAC (and regenerate
  it if required).

  Andrew Bartlett
* s4:heimdal - fix the return code of a non-void function
  Author: Matthias Dieter Wallnöfer  Age: 2010-11-15  Files: 1  Lines: -0/+2

  Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
  Autobuild-Date: Mon Nov 15 23:14:57 UTC 2010 on sn-devel-104
* heimdal Fix handling of backwards cross-realm detection for Samba4
  Author: Andrew Bartlett  Age: 2010-11-15  Files: 1  Lines: -18/+48

  Samba4 may modify the case of the realm in a returned entry, but will no
  longer modify the case of the principal components.

  The easy way to keep this test passing is to consider also what we need to
  do to get the krbtgt account for the PAC signing - and to use
  krbtgt/<this>/@REALM component to fetch the real krbtgt, and to use that
  result for realm comparison.

  Andrew Bartlett

  Autobuild-User: Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date: Mon Nov 15 08:47:44 UTC 2010 on sn-devel-104
* s4:heimdal: import lorikeet-heimdal-201011102149 (commit 5734d03c20e104c8f45533d07f2a2cbbd3224f29)
  Author: Andrew Bartlett  Age: 2010-11-15  Files: 1  Lines: -19/+25
* heimdal Return HDB_ERR_NOT_FOUND_HERE to the caller
  Author: Andrew Bartlett  Age: 2010-11-12  Files: 3  Lines: -11/+34

  This means that no reply packet should be generated, but that instead the
  user of the libkdc API should forward the packet to a real KDC, that has a
  full database.

  Andrew Bartlett
* s4:heimdal: import lorikeet-heimdal-201010022046 (commit 1bea031b9404b14114b0272ecbe56e60c567af5c)
  Author: Andrew Bartlett  Age: 2010-10-03  Files: 4  Lines: -18/+28
* s4:heimdal: import lorikeet-heimdal-201009250123 (commit 42cabfb5b683dbcb97d583c397b897507689e382)
  Author: Matthieu Patou  Age: 2010-10-03  Files: 5  Lines: -28/+43

  I based this on Matthieu's import of lorikeet-heimdal, and then updated it
  to this commit.

  Andrew Bartlett
* heimdal use returned server entry from HDB to compare realms
  Author: Andrew Bartlett  Age: 2010-10-02  Files: 1  Lines: -1/+1

  Some hdb modules (samba4) may change the case of the realm in a returned
  result. Use that to determine if it matches the krbtgt realm also returned
  from the DB (the DB will return it in the 'right' case)

  Andrew Bartlett