summaryrefslogtreecommitdiff
path: root/source4/kdc/kdc-heimdal.c
Commit message (Collapse)AuthorAgeFilesLines
* CVE-2022-37966 s4:kdc: use the strongest possible keysStefan Metzmacher2022-12-131-15/+8
| | | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Set Kerberos debug class for all KDC filesAndreas Schneider2022-09-121-0/+3
| | | | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Sep 12 03:27:55 UTC 2022 on sn-devel-184
* CVE-2022-32744 s4:kdc: Rename keytab_name -> kpasswd_keytab_nameJoseph Sutton2022-07-271-2/+2
| | | | | | | | | This makes explicitly clear the purpose of this keytab. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-32744 s4:kdc: Don't allow HDB keytab iterationJoseph Sutton2022-07-271-2/+2
| | | | | | | | | | | | | | A fallback in krb5_rd_req_ctx() means that Samba's kpasswd service will try many inappropriate keys to decrypt the ticket supplied to it. For example, it will accept a ticket encrypted with the Administrator's key, when it should rather accept only tickets encrypted with the krbtgt's key (and not an RODC krbtgt). To fix this, declare the HDB keytab using the HDBGET ops, which do not support iteration. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
* s4:kdc: make use of the 'kdc enable fast' optionStefan Metzmacher2022-03-111-0/+7
| | | | | | | | | | | This will useful to test against a KDC without FAST support and find/prevent regressions. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
* s4:kdc: Adapt to hdb_entry_ex removalJoseph Sutton2022-03-011-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Rather than having a 'free_entry' member that can be called to free an hdb_entry, we now implement the free function in HDB. We perform the free only if the context pointer is non-NULL. We also remove the ZERO_STRUCTP() in sdb_entry_to_hdb_entry(), as the context pointer is now part of the 'hdb_entry' structure itself, and this would undesirably zero it out. This is an adaptation to Heimdal commits: commit c5551775e204d00c7ee8055ab6ddbba7e0590584 Author: Luke Howard <lukeh@padl.com> Date: Fri Jan 7 12:15:55 2022 +1100 hdb: decorate HDB_entry with context member Decorate HDB_entry with context and move free_entry callback into HDB structure itself. Requires updating hdb_free_entry() signature to include HDB parameter. A follow-up commit will consolidate hdb_entry_ex (which has a single hdb_entry member) into hdb_entry. commit 0e8c4ccc6ee0123ea39e53e8917fc3f6bb74e8c8 Author: Luke Howard <lukeh@padl.com> Date: Fri Jan 7 12:54:40 2022 +1100 hdb: eliminate hdb_entry_ex Remove hdb_entry_ex and revert to the original design of hdb_entry (except with an additional context member in hdb_entry which is managed by the free_entry method in HDB). NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN! BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Rename windc to kdc pluginJoseph Sutton2022-03-011-7/+7
| | | | | | | | | | | | | | | | | | | | | | | This is an adaptation to Heimdal: commit fcff5933ade652343d7c169659da92fac0e6e0d4 Author: Luke Howard <lukeh@padl.com> Date: Mon Jan 3 11:10:18 2022 +1100 kdc: rename windc to kdc plugin Rename the "windc" plugin API to the more general "kdc" plugin API, for two reasons: the Heimdal KDC uses the Windows PAC even when not emulating a domain controller, and the plugin API has accreted methods that are not specific to emulating a domain controller (such as referral_policy and finalize_reply). NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN! BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Add referral policy callbackJoseph Sutton2022-03-011-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | This is now used instead of a configuration option. This is an adaption to Heimdal: commit 3fa47f5a1a422e178d968a8ec0d59889eaa71548 Author: Luke Howard <lukeh@padl.com> Date: Sun Jan 2 21:51:43 2022 +1100 kdc: add referral_policy callback to windc plugin Add a referral policy hook to the TGS as a more elegant way of resolving referral detection for Samba). The hook can either rewrite the server_princ in the request, or it can return an error to disable built-in referral processing. NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN! BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Set require_pac and no-ENC_TS in FAST for new Heimdal importAndrew Bartlett2022-01-191-0/+18
| | | | | | | | | | | This allows us to continue to avoid CVE-2020-25719 in particular and pass our tests for expected FAST behaviour as the patches we requested by upstream to be conditional, not hard-coded. NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN! Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:kdc/heimdal: Always include the salt in the PA-ETYPE-INFO[2]Andrew Bartlett2022-01-191-0/+2
| | | | | | | | | | This matches Windows and is detected by our samba.tests.krb5.as_canonicalization_tests test as this always expects the salt, which Windows always provides. NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN! Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:kdc: cope with upstream rename of configuration parameters.Gary Lockyer2022-01-191-2/+2
| | | | | | | | | | | | | | | | | | | | | This copes with the upstream commit: commit c757eb7fb04a9b0ca883ddb72c1bc75bf5d814f3 Author: Nicolas Williams <nico@cryptonector.com> Date: Fri Nov 25 17:21:04 2011 -0600 Rename and fix as/tgs-use-strongest-key config parameters Different ticket session key enctype selection options should distinguish between target principal type (krbtgt vs. not), not between KDC request types. NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN! Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> [abartlet@samba.org Researched and updated the commit message] Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:kdc: Move calls using the samba4 name to be right after each otherAndrew Bartlett2022-01-191-6/+6
| | | | | | | | | These all need to be in sync NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN! Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:kdc: Adapt KDC to new Heimdal to load samba4 HDB plugin for keytabAndrew Bartlett2022-01-191-2/+2
| | | | | | | NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN! Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2020-25717: Add FreeIPA domain controller roleAlexander Bokovoy2021-11-091-0/+1
| | | | | | | | | | | | | | | | | As we want to reduce use of 'classic domain controller' role but FreeIPA relies on it internally, add a separate role to mark FreeIPA domain controller role. It means that role won't result in ROLE_STANDALONE. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Alexander Bokovoy <ab@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: prefer newer enctypes for preauth responsesStefan Metzmacher2021-07-011-1/+1
| | | | | | | | | | | This matches Windows KDCs, which was demonstrated by the krb5.as_req_tests tests. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Thu Jul 1 18:37:14 UTC 2021 on sn-devel-184
* s4: rename source4/smbd/ to source4/samba/Ralph Boehme2020-11-271-1/+1
| | | | | | | | Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Ralph Böhme <slow@samba.org> Autobuild-Date(master): Fri Nov 27 10:07:18 UTC 2020 on sn-devel-184
* s4:kdc: Fix size type for num_bind in kdc-heimdalAndreas Schneider2019-01-191-1/+1
| | | | | | | | | This fixes a compile error on sn-devel184. Signed-off-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Sat Jan 19 15:36:51 CET 2019 on sn-devel-144
* source4 smbd prefork: restart on non zero exit codeGary Lockyer2018-11-231-1/+2
| | | | | | | | Restart any pre-fork master or worker process that exits with a non zero exit code. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* source4 smbd: pass instance number to post_forkGary Lockyer2018-11-071-1/+1
| | | | | | | | Pass the instance number to the post_fork hook. This is required to allow the rpc_server to support the prefork process model. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* kdc: Update debug callsGary Lockyer2018-11-011-7/+8
| | | | Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* source4 smbd kdc: allow the kdc to run in preforkGary Lockyer2018-11-011-40/+49
| | | | | | | | Modify the kdc to allow it to run in the prefork process model. The task_init function has been split up and code moved into the post_fork function. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* source4 smdb: Add a post fork hook to the service APIGary Lockyer2018-11-011-23/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | Add a post fork hook to the service API this will be called: - standard process model immediately after the task_init. - single process model immediately after the task_init - prefork process model, inhibit_pre_fork = true immediately after the task_init - prefork process model, inhibit_pre_fork = false after each service worker has forked. It is not run on the service master process. The post fork hook is not called in the standard model if a new process is forked on a new connection. It is instead called immediately after the task_init. The task_init hook has been changed to return an error code. This ensures the post_fork code is only run if the task_init code completed successfully. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* source4 smbd: Make the service_details structure constant.Gary Lockyer2018-11-011-1/+1
| | | | | | Make the service_details structure a static const. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* samdb: Add remote address to connectGary Lockyer2018-05-101-2/+6
| | | | | Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* source4/smbd: Do not overstamp the process model with "single"Gary Lockyer2017-10-191-13/+6
| | | | | | | | | Instead, except in RPC which is a special SNOWFLAKE, we rely on the struct service_details in the init function. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* source4/smbd: refactor the process model for preforkGary Lockyer2017-10-191-1/+16
| | | | | | | | | | | | | | | | | | Refactor the process model code to allow the addition of a prefork process model. - Add a process context to contain process model specific state - Add a service details structure to allow service to indicate which process model options they can support. In the new code the services advertise the features they support to the process model. The process model context is plumbed through to allow the process model to keep track of the supported options, and any state the process model may require. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4: Add TALLOC_CTX * to register_server_service().Jeremy Allison2017-05-111-1/+1
| | | | | | | | Use the passed in context from callers. Remove one talloc_autofree_context(). Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* lib: modules: Change XXX_init interface from XXX_init(void) to ↵Jeremy Allison2017-04-221-2/+2
| | | | | | | | | | | | | | | | | | | | XXX_init(TALLOC_CTX *) Not currently used - no logic changes inside. This will make it possible to pass down a long-lived talloc context from the loading function for modules to use instead of having them internally all use talloc_autofree_context() which is a hidden global. Updated all known module interface numbers, and added a WHATSNEW. Signed-off-by: Jeremy Allison <jra@samba.org> Signed-off-by: Ralph Böhme <slow@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Sat Apr 22 01:17:00 CEST 2017 on sn-devel-144
* heimdal: Pass extra information to hdb_auth_status() to log success and failuresAndrew Bartlett2017-03-291-0/+1
| | | | | | | | | | We now pass on the original client name and the client address to allow consistent audit logging in Samba across multiple protocols. We use config->db[0] to find the first database to record incorrect users. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: disable principal based autodetected referral detectionStefan Metzmacher2017-03-101-0/+2
| | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* s4-kdc: Switch to the new kpasswd service implementationAndreas Schneider2016-09-131-2/+11
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-kdc: Move KDC packet handling functions to kdc-server.cAndreas Schneider2016-06-191-587/+0
| | | | | | | | | | | Create an Kerberos implmentation independent KDC-SERVER subsystem so we can use it to implement a kpasswd server with MIT Kerberos in future. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Sun Jun 19 03:31:32 CEST 2016 on sn-devel-144
* s4-kdc: Create a kdc-proxy.h header fileAndreas Schneider2016-06-181-0/+1
| | | | | | | This makes the it Kerberos implmentation independent. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-kdc: Move KDC socket structs to krb5-server.hAndreas Schneider2016-06-181-14/+0
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-kdc: Move kdc_process_fn_t declaration to kdc-server.hAndreas Schneider2016-06-181-8/+0
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-kdc: Move definitions to kdc-server.hAndreas Schneider2016-06-181-0/+1
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-kdc: Use better and simpler names for the kdc_process_ret enumAndreas Schneider2016-06-181-25/+25
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-kdc: Put the heimdal kdc config into a private data pointerAndreas Schneider2016-06-181-14/+24
| | | | | | | This allows us to make the struct general useable. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-kdc: Use smb_krb5_mk_error() in kdc implemenationAndreas Schneider2016-06-181-4/+7
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-kdc: Rename heimdal KDC filesAndreas Schneider2016-06-181-0/+1054
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
View Lorry Controller Status