path: root/source4/heimdal
Commit log, newest first. Each entry lists: commit message, author, age (commit date), files changed, and lines removed/added.
* CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum
  Author: Isaac Boukris  Age: 2019-05-07  Files: 1  Lines: -0/+7

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13685
  Signed-off-by: Isaac Boukris <iboukris@gmail.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* heimdal: lib/krb5: do not fail set_config_files due to parse error
  Author: Jeffrey Altman  Age: 2018-06-25  Files: 2  Lines: -3/+4

  Follow Apple's lead and do not fail krb5_set_config_files() simply because one of the files in the profile list fails to parse correctly. Doing so can lead to hard-to-find failures and could lead to an end user shooting themselves in the foot and no longer being able to login to their system to fix it.

  Parse as many of the files as we can. Only fail krb5_set_config_files() if init_context_from_config_file() fails.

  Change-Id: I122664c6d707a5f926643808ba414bf4f681f8b8
  Cherry-pick of Heimdal commit b7cf5e7caf9b270f4d4151d2690177b11a7a1bdf

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11573
  Signed-off-by: Björn Baumbach <bb@sernet.de>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  (cherry picked from commit f05a1554b770c6a2c905170347bfb41157f4aa78)
  Autobuild-User(v4-8-test): Karolin Seeger <kseeger@samba.org>
  Autobuild-Date(v4-8-test): Mon Jun 25 17:30:14 CEST 2018 on sn-devel-144
* s4-heimdal: Fix the format-truncation errors.
  Author: Günther Deschner  Age: 2018-06-20  Files: 1  Lines: -3/+3

  ../source4/heimdal/lib/com_err/compile_et.c: In function ‘generate_h’:
  ../source4/heimdal/lib/com_err/compile_et.c:138:33: error: ‘%s’ directive output may be truncated writing up to 127 bytes into a region of size 126 [-Werror=format-truncation=]
       snprintf(fn, sizeof(fn), "__%s__", hfn);
                                   ^~     ~~~
  ../source4/heimdal/lib/com_err/compile_et.c:138:5: note: ‘snprintf’ output between 5 and 132 bytes into a destination of size 128
       snprintf(fn, sizeof(fn), "__%s__", hfn);
       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ../source4/heimdal/lib/com_err/compile_et.c: In function ‘main’:
  ../source4/heimdal/lib/com_err/compile_et.c:234:35: error: ‘.h’ directive output may be truncated writing 2 bytes into a region of size between 1 and 128 [-Werror=format-truncation=]
       snprintf(hfn, sizeof(hfn), "%s.h", Basename);
                                     ^~
  ../source4/heimdal/lib/com_err/compile_et.c:234:5: note: ‘snprintf’ output between 3 and 130 bytes into a destination of size 128
       snprintf(hfn, sizeof(hfn), "%s.h", Basename);
       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ../source4/heimdal/lib/com_err/compile_et.c:235:35: error: ‘.c’ directive output may be truncated writing 2 bytes into a region of size between 1 and 128 [-Werror=format-truncation=]
       snprintf(cfn, sizeof(cfn), "%s.c", Basename);
                                     ^~
  ../source4/heimdal/lib/com_err/compile_et.c:235:5: note: ‘snprintf’ output between 3 and 130 bytes into a destination of size 128
       snprintf(cfn, sizeof(cfn), "%s.c", Basename);
       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  cc1: some warnings being treated as errors

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13437

  Guenther

  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Fri Jun 8 13:23:51 CEST 2018 on sn-devel-144
* HEIMDAL:kdc: fix dh->q allocation check in get_dh_param()
  Author: Stefan Metzmacher  Age: 2017-12-06  Files: 1  Lines: -1/+1

  Thanks to Doug Nazar <nazard@nazar.ca> for spotting this!

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12986
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from heimdal commit a79b59ba27070a015479e8d981b7e685dbe34310)
  Reviewed-by: Andreas Schneider <asn@samba.org>
* HEIMDAL: don't bother seeing q if not sent
  Author: Love Hornquist Astrand  Age: 2017-08-28  Files: 1  Lines: -3/+6

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12986
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from heimdal commit 19f9fdbcea11013cf13ac72c416f161ee55dee2b)
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Mon Aug 28 15:10:54 CEST 2017 on sn-devel-144
* HEIMDAL: allow optional q in DH DomainParameters
  Author: Love Hornquist Astrand  Age: 2017-08-28  Files: 3  Lines: -3/+8

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12986
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from heimdal commit e8317b955f5a390c4f296871ba6987ad05478c95)
* heimdal: Fix printing a short int into a string
  Author: Andreas Schneider  Age: 2017-08-11  Files: 1  Lines: -2/+2

  The size of portstr is too small to print an integer and we should print a short anyway.

  This fixes building with GCC 7.1

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12930
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Fri Aug 11 18:08:04 CEST 2017 on sn-devel-144
* CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
  Author: Jeffrey Altman  Age: 2017-07-12  Files: 1  Lines: -2/+2

  In _krb5_extract_ticket() the KDC-REP service name must be obtained from the encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks.

  Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.

  Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12894
  (based on heimdal commit 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea)
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Wed Jul 12 17:44:50 CEST 2017 on sn-devel-144
* strerror_r: provide XSI-compliant strerror_r
  Author: Gary Lockyer  Age: 2017-06-13  Files: 1  Lines: -84/+0

  Provide an XSI-compliant strerror_r on GNU based systems. The default GNU strerror_r is not XSI-compliant; this patch wraps the GNU-specific call in an XSI-compliant wrapper.

  This reverts 18ed32ce0821d11c0c06d82c07ba1c27b0c2b886 which tried to make Heimdal use roken, rather than libreplace for strerror_r.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* heimdal: Pass extra information to hdb_auth_status() to log success and failures
  Author: Andrew Bartlett  Age: 2017-03-29  Files: 2  Lines: -6/+44

  We now pass on the original client name and the client address to allow consistent audit logging in Samba across multiple protocols.

  We use config->db[0] to find the first database to record incorrect users.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* heimdal: Add initializer for stack pointers
  Author: Andrew Bartlett  Age: 2017-03-27  Files: 1  Lines: -2/+2

  This helps ensure we know these are NULL until set

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* HEIMDAL:kdc: make it possible to disable the principal based referral detection
  Author: Stefan Metzmacher  Age: 2017-03-10  Files: 3  Lines: -1/+6

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* Correct "updateing" typos.
  Author: Chris Lamb  Age: 2017-02-22  Files: 1  Lines: -1/+1

  Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>

* Correct "unavaible" typos.
  Author: Chris Lamb  Age: 2017-02-22  Files: 1  Lines: -1/+1

  Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>

* Correct "allignment" typos.
  Author: Chris Lamb  Age: 2017-02-22  Files: 1  Lines: -1/+1

  Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>

* Correct "paramaters" typos.
  Author: Chris Lamb  Age: 2017-02-22  Files: 1  Lines: -1/+1

  Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>

* Correct "explicity" typos.
  Author: Chris Lamb  Age: 2017-02-22  Files: 1  Lines: -2/+2

  Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>

* Correct "encyption" typos.
  Author: Chris Lamb  Age: 2017-02-22  Files: 1  Lines: -2/+2

  Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>

* Correct "relase" typos.
  Author: Chris Lamb  Age: 2017-02-22  Files: 1  Lines: -1/+1

  Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>

* Correct "existence" typos.
  Author: Chris Lamb  Age: 2017-02-22  Files: 2  Lines: -2/+2

  Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>

* Correct "extention" typos.
  Author: Chris Lamb  Age: 2017-02-22  Files: 2  Lines: -3/+3

  Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>

* Correct "doesnt" typos.
  Author: Chris Lamb  Age: 2017-02-22  Files: 1  Lines: -1/+1

  Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* HEIMDAL:lib/krb5: Harden _krb5_derive_key()
  Author: Volker Lendecke  Age: 2016-12-20  Files: 1  Lines: -3/+12

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* HEIMDAL:lib/krb5: Harden ARCFOUR_sub{en,de}crypt()
  Author: Volker Lendecke  Age: 2016-12-20  Files: 1  Lines: -0/+8

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* HEIMDAL:lib/krb5: use krb5_verify_checksum() in krb5_c_verify_checksum()
  Author: Stefan Metzmacher  Age: 2016-12-20  Files: 1  Lines: -8/+9

  This allows the optimized checksum->verify() function to be used.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* HEIMDAL:lib/krb5: move checksum vs. enctype checks into get_checksum_key()
  Author: Stefan Metzmacher  Age: 2016-12-20  Files: 1  Lines: -31/+20

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* HEIMDAL:lib/krb5: destroy a memory ccache on reinit
  Author: Stefan Metzmacher  Age: 2016-10-12  Files: 1  Lines: -17/+35

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Uri Simchoni <uri@samba.org>
* heimdal: revert 1f90983324b9f5804dc57f87c5f7695b0e53db8d
  Author: Uri Simchoni  Age: 2016-10-03  Files: 1  Lines: -4/+7

  A different version has gone upstream, fixing the problem elsewhere.

  Signed-off-by: Uri Simchoni <uri@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Uri Simchoni <uri@samba.org>
  Autobuild-Date(master): Mon Oct 3 11:12:29 CEST 2016 on sn-devel-144
* heimdal-lib/krb5: keep a copy of config etypes in the context
  Author: Uri Simchoni  Age: 2016-10-03  Files: 2  Lines: -0/+30

  When reading the configuration file, keep an extra copy of the encryption types, and use this when resetting the encryption types to default. GSSAPI always resets the enctypes to default before obtaining a TGS, because the enctypes might have previously been altered, so this prevents changing the etypes from the configured ones to the full set of supported etypes.

  The same patch has gone into upstream heimdal as commit a3bece1. It is a different solution to the problem fixed here by commit 1f90983, so this commit will be reverted next to keep compatibility with upstream.

  Signed-off-by: Uri Simchoni <uri@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* heimdal: Fix reauthentication after password change
  Author: Andreas Schneider  Age: 2016-09-11  Files: 1  Lines: -3/+4

  If the KDC requires a password change, kinit will ask after the initial authentication for a new password. After the password has been changed it does reauthentication and for that it needs to use the new password we just set.

  It is needed for a new kpasswd service test.

  This is already fixed upstream with: 911c99375741281adae305f6ec3a3317023eba3e

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-heimdal: Export krb5_init_creds_* functions
  Author: Andreas Schneider  Age: 2016-08-31  Files: 1  Lines: -0/+3

  The function krb5_get_init_creds_opt_get_error() is deprecated and krb5_init_creds_init() and krb5_init_creds_get_error() should be used now.

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* heimdal: honor conf enctypes when obtaining a service ticket
  Author: Uri Simchoni  Age: 2016-08-09  Files: 1  Lines: -7/+4

  This patch removes part of what's categorized in the code as "hideous glue", which causes Heimdal to ignore krb5.conf encryption types, and instead use either the application-supplied values or the default compile-time values.

  Signed-off-by: Uri Simchoni <uri@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* HEIMDAL:kdc: add krb5plugin_windc_pac_pk_generate() hook
  Author: Stefan Metzmacher  Age: 2016-07-22  Files: 4  Lines: -4/+22

  This allows PAC_CRENDENTIAL_INFO to be added to the PAC when using PKINIT. In that case PAC_CRENDENTIAL_INFO contains an encrypted PAC_CRENDENTIAL_DATA.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* HEIMDAL:kdc: reset e_text after successful pre-auth verification
  Author: Stefan Metzmacher  Age: 2016-07-22  Files: 1  Lines: -0/+2

  This is already fixed in upstream heimdal.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* HEIMDAL:lib/krb5: allow predefined PAC_{LOGON_NAME,PRIVSVR_CHECKSUM,SERVER_CHECKSUM} elements in _krb5_pac_sign()
  Author: Stefan Metzmacher  Age: 2016-07-22  Files: 1  Lines: -0/+34

  A caller may want to specify an explicit order of PAC elements, e.g. the PAC_UPN_DNS_INFO element should be placed after the PAC_LOGON_NAME element.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

  This is commit 7cd40a610569d5e54ebe323672794fb6415b5dac in heimdal master.
* kerberos: Return enc data on PREAUTH_FAILED
  Author: Garming Sam  Age: 2016-07-05  Files: 1  Lines: -79/+99

  Without the enc data, Windows clients will perform two AS-REQ causing the password lockout count to increase by two instead of one.

  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11539
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Tue Jul 5 10:52:32 CEST 2016 on sn-devel-144
* heimdal make kvno unsigned internally
  Author: Uri Simchoni  Age: 2016-05-24  Files: 2  Lines: -3/+16

  The folks at heimdal didn't like the patch in commit 6379737b7ddc6ccb752238c5820cc62e76a8da17 and insisted that kvno should remain unsigned internally, even though it is encoded as signed in packets.

  This patch reverts some of the unsigned->signed changes in that commit, and resolves conversion issues - in order to be aligned with upstream Heimdal.

  Signed-off-by: Uri Simchoni <uri@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Tue May 24 03:00:39 CEST 2016 on sn-devel-144
* heimdal: encode/decode kvno as signed integer
  Author: Uri Simchoni  Age: 2016-05-07  Files: 2  Lines: -2/+2

  This patch changes the encoding/decoding of kvno (key version number) in blobs and packets to signed integer, for compatibility with Windows. Reportedly, MIT Kerberos does the same.

  This patch effectively reverts commit 1124c4872dfb81bec9c4b527b8927ca35e39a599 in the heimdal tree.

  According to the Kerberos spec (RFC 4120 5.2.9), the kvno field in encrypted data object is an unsigned integer that fits in 32 bits. The Heimdal Kerberos component bundled with Samba conforms to this. However, Windows deviates from the standard and encodes kvno as a signed integer, and this creates interoperability issues.

  ASN.1 DER has no special encoding for unsigned integer. A 32-bit unsigned integer is encoded as a signed integer, so while a signed 32-bit integer (covering the range of -0x80000000..0x7fffffff) is encoded using up to 4 bytes, an unsigned integer (covering 0..0xffffffff) could require 5 bytes.

  Normally, kvno for a given account starts at 1 and increments on password changes. Kerberos defined this as unsigned because there's no meaning for negative version numbers, so the standard writers figured 4 billion versions is better than 2 billion. It was not expected for a kvno to really go past 0x7fffffff and the distinction usually does not matter.

  However, RODCs use kvnos which have the most-significant bit set. In Active Directory, RODCs have a private secret for the krbtgt, because the assumption is that the RODC is less secure, and recovering the domain krbtgt secret from the RODC would compromise the security of the entire domain. The kvno field is being used to identify the private krbtgt account that owns the key - the upper 16 bits are the RODC id, and the lower 16 bits identify the key version number for this specific RODC.

  It's common to have an RODC id greater than 0x8000, and therefore to have a kvno larger than 0x7fffffff, which would be DER-encoded using 5 bytes. Windows encodes kvno as signed integer - basically taking the 32 bits and treating them as a signed integer rather than an unsigned integer. This means that in Windows a kvno can always be encoded using 4 bytes, and Windows DCs reject a kvno encoded using more than 4 bytes without even generating an error response (the DC assumes it's an attack).

  Heimdal re-encodes the TGT when it creates a TGS request. Obviously it cannot decode and encode the encrypted parts but it does re-encode the plain parts, which include the kvno. That leads to a 5-byte kvno in the TGS request, which is rejected without an error response.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11900
  Signed-off-by: Uri Simchoni <uri@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Autobuild-User(master): Ralph Böhme <slow@samba.org>
  Autobuild-Date(master): Sat May 7 21:14:21 CEST 2016 on sn-devel-144
* s4/heimdal: allow SPNs in AS-REQ
  Author: Ralph Boehme  Age: 2016-04-25  Files: 1  Lines: -3/+3

  This allows testing keytabs with service tickets. Windows KDCs allow this as well.

  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s4/heimdal/lib/krb5/pac.c: typo
  Author: Aurelien Aptel  Age: 2016-03-10  Files: 1  Lines: -1/+1

  Signed-off-by: Aurelien Aptel <aaptel@suse.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Ralph Boehme <rb@sernet.de>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Thu Mar 10 03:33:46 CET 2016 on sn-devel-144
* s4/heimdal/lib/gssapi/mech/gss_compare_name.c: typo
  Author: Aurelien Aptel  Age: 2016-03-10  Files: 1  Lines: -1/+1

  Make memcmp() compare the name1 and name2 value instead of comparing name1 with itself.

  Signed-off-by: Aurelien Aptel <aaptel@suse.com>
  Reviewed-by: Ira Cooper <ira@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* heimdal asn1: avoid fclose(NULL) caused by missing braces
  Author: Douglas Bagnall  Age: 2016-03-03  Files: 1  Lines: -1/+2

  Thanks to GCC6 -Wmisleading-indentation.

  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Michael Adam <obnox@samba.org>
  Autobuild-User(master): Michael Adam <obnox@samba.org>
  Autobuild-Date(master): Thu Mar 3 16:21:52 CET 2016 on sn-devel-144
* s4:heimdal fix a compile warning
  Author: Christian Ambach  Age: 2016-02-12  Files: 1  Lines: -2/+2

  about a potentially uninitialized variable

  Signed-off-by: Christian Ambach <ambi@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* Fix memory leak in dns resolution during spnego authentication using kerberos.
  Author: Har Gagan Sahai  Age: 2015-09-03  Files: 1  Lines: -0/+1

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11471
  Signed-off-by: Har Gagan Sahai <SHarGagan@novell.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Thu Sep 3 19:11:22 CEST 2015 on sn-devel-104
* heimdal/gssapi: Allow a NULL authenticator
  Author: Andrew Bartlett  Age: 2015-08-05  Files: 1  Lines: -36/+35

  Some non-GSSAPI implementations that instead try to create compatible packets by wrapping krb5_mk_req() can trigger a NULL authenticator here.

  Assume this to be equivalent to specifying an all-zero channel bindings and some reasonable (fixed) flags.

  This was seen in the wild, with a Huawei Unified Storage System S5500 V3 against the AD DC.

  Original patch by Andrew Bartlett, restructured by Douglas Bagnall

  Cherry-picked from upstream GIT 0a5de96d72cdea9e465412d7dba1e5d13e53dc09 which is the merge of https://github.com/heimdal/heimdal/pull/134

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11425
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* heimdal:kdc: add support for HDB_ERR_WRONG_REALM
  Author: Stefan Metzmacher  Age: 2015-07-08  Files: 4  Lines: -1/+59

  A backend can return this if asked with HDB_F_GET_CLIENT|HDB_F_FOR_AS_REQ for a KRB5_NT_ENTERPRISE_PRINCIPAL record or for HDB_F_GET_SERVER | HDB_F_FOR_TGS_REQ.

  entry_ex->entry.principal->realm needs to return the real realm of the principal (or at least the realm of the next cross-realm trust hop).

  This is needed to route enterprise principals between AD domain trusts.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* heimdal:kdc: generic support for 3part servicePrincipalNames
  Author: Stefan Metzmacher  Age: 2015-07-08  Files: 1  Lines: -3/+2

  This is not DRSUAPI specific, it works for all 3 part principals.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* heimdal:lib/krb5: add krb5_mk_error_ext() helper function
  Author: Stefan Metzmacher  Age: 2015-07-08  Files: 2  Lines: -13/+37

  This gives the caller the ability to skip the client_name and only provide client_realm. This is required for KDC_ERR_WRONG_REALM messages.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* heimdal:lib/krb5: correctly follow KRB5_KDC_ERR_WRONG_REALM client referrals
  Author: Stefan Metzmacher  Age: 2015-07-08  Files: 1  Lines: -0/+21

  An AS-REQ with an enterprise principal will always be directed to a kdc of the local (default) realm. The KDC directs the client into the direction of the final realm. See rfc6806.txt.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* heimdal:lib/gssapi/krb5: implement gss_[un]wrap_iov[_length] with arcfour-hmac-md5
  Author: Stefan Metzmacher  Age: 2015-06-24  Files: 2  Lines: -3/+640

  Pair-Programmed-With: Andreas Schneider <asn@samba.org>

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>