path: root/source4/kdc
Commit message | Author | Age | Files | Lines
* kdc hdb: Generate and pass logon ID | Gary Lockyer | 2019-02-20 | 1 | -2/+4
  Generate and pass the logon_id in SamLogon calls

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* librpc idl: netlogon netr_identity_info logon_id to 64 bit | Gary Lockyer | 2019-02-20 | 1 | -2/+1
  Fold the two 32 bit values logon_id_high and logon_id_low into a single 64 bit logon_id in netr_identity_info.

  This will be used to tie together winbind and SamLogon requests in audit logging.

  Summary of the Query and Response from Microsoft on its usage.

  [REG:119013019612095] [MS-NRPC]: NETLOGON_LOGON_IDENTITY_INFO: Does the Reserved field have LogonId meaning?

  Questions:
  In NetrLogonSamLogonEx does the Reserved field (of NETLOGON_LOGON_IDENTITY_INFO) have LogonId meaning?
  What is a valid LogonID, and does it have any audit usage?
  Samba is sending a constant "deadbeef" in hex and would like to understand any usage of this field.

  Response:
  The NRPC spec is accurate in defining the field as Reserved, and without protocol significance. In the header file in our source code, it is defined as LogonId and commented as such, but it's effectively not used. This is probably why the API structure has that field name. It may have been intended as such but it's not used.

  Samba will send a random value in this field.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Fix size type for num_bind in kdc-heimdal | Andreas Schneider | 2019-01-19 | 1 | -1/+1
  This fixes a compile error on sn-devel184.

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Sat Jan 19 15:36:51 CET 2019 on sn-devel-144
* s4: Add kerberos tracing | Swen Schillig | 2018-12-20 | 2 | -4/+6
  Replace kerberos context initialization from raw krb5_init_context() to smb_krb5_init_context_basic() which is adding common tracing as well.

  Signed-off-by: Swen Schillig <swen@linux.ibm.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Christof Schmitt <cs@samba.org>
  Autobuild-User(master): Christof Schmitt <cs@samba.org>
  Autobuild-Date(master): Thu Dec 20 01:31:17 CET 2018 on sn-devel-144
* krb5_wrap: Add a talloc_ctx to smb_krb5_principal_get_realm() | Volker Lendecke | 2018-11-28 | 3 | -43/+27
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* CVE-2018-16853: fix crash in expired password case | Isaac Boukris | 2018-11-28 | 1 | -3/+4
  When calling encode_krb5_padata_sequence() make sure to pass a null terminated array as required.

  Fixes expired password case in samba4.blackbox.kinit test.

  Signed-off-by: Isaac Boukris <iboukris@gmail.com>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2018-16853: Do not segfault if client is not set | Andreas Schneider | 2018-11-28 | 1 | -0/+16
  This can be triggered with FAST but we don't support this yet.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2018-16853: The ticket in check_policy_as can actually be a TGS | Isaac Boukris | 2018-11-28 | 1 | -2/+6
  This happens when we are called from S4U2Self flow, and in that case kdcreq->client is NULL. Use the name from client entry instead.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571

  Signed-off-by: Isaac Boukris <iboukris@gmail.com>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2018-16841 heimdal: Fix segfault on PKINIT with mis-matching principal | Andrew Bartlett | 2018-11-28 | 1 | -3/+3
  In Heimdal KRB5_KDC_ERR_CLIENT_NAME_MISMATCH is an enum, so we tried to double-free mem_ctx.

  This was introduced in 9a0263a7c316112caf0265237bfb2cfb3a3d370d for the MIT KDC effort.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* source4 smbd prefork: restart on non-zero exit code | Gary Lockyer | 2018-11-23 | 1 | -1/+2
  Restart any pre-fork master or worker process that exits with a non-zero exit code.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4-kdc: restore MIT KDC backend | Philipp Gesang | 2018-11-09 | 2 | -17/+20
  Fix fallout from the KDC prefork patchset (99aea42520fc..). GCC warns when Samba is being built with --with-system-mitkrb5.

  Fix this by adapting the signature of mitkdc_task_init() to match task_init which has been extended to return a status code. Status codes try to mimic those of kdc-heimdal.c:kdc_task_init() as closely as possible.

  Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
* source4 smbd: pass instance number to post_fork | Gary Lockyer | 2018-11-07 | 1 | -1/+1
  Pass the instance number to the post_fork hook. This is required to allow the rpc_server to support the prefork process model.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* kdc: Update debug calls | Gary Lockyer | 2018-11-01 | 1 | -7/+8
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* source4 smbd kdc: allow the kdc to run in prefork | Gary Lockyer | 2018-11-01 | 1 | -40/+49
  Modify the kdc to allow it to run in the prefork process model. The task_init function has been split up and code moved into the post_fork function.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* source4 smbd: Add a post fork hook to the service API | Gary Lockyer | 2018-11-01 | 2 | -26/+31
  Add a post fork hook to the service API; this will be called:
  - standard process model: immediately after the task_init.
  - single process model: immediately after the task_init.
  - prefork process model, inhibit_pre_fork = true: immediately after the task_init.
  - prefork process model, inhibit_pre_fork = false: after each service worker has forked. It is not run on the service master process.

  The post fork hook is not called in the standard model if a new process is forked on a new connection. It is instead called immediately after the task_init.

  The task_init hook has been changed to return an error code. This ensures the post_fork code is only run if the task_init code completed successfully.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* source4 smbd: Make the service_details structure constant. | Gary Lockyer | 2018-11-01 | 2 | -2/+2
  Make the service_details structure a static const.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* kdc: Improve code clarity with extra brackets | Andrew Bartlett | 2018-09-05 | 1 | -1/+1
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Sep 5 16:17:59 CEST 2018 on sn-devel-144
* auth: For NTLM and KDC authentication, log the authentication duration | Andrew Bartlett | 2018-06-25 | 1 | -0/+3
  This is not a general purpose profiling solution, but these JSON logs are already being generated and stored, so this is worth adding.

  Some administrators are very keen to know how long authentication takes, particularly due to long replication transactions in other processes.

  This complements a similar patch set to log the transaction duration.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* kdc: Fix CID 1435720 Unchecked return value | Volker Lendecke | 2018-05-24 | 1 | -2/+10
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* Fix spelling s/fowarding/forwarding/ | Mathieu Parent | 2018-05-12 | 1 | -1/+1
  Signed-off-by: Mathieu Parent <math.parent@gmail.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* samdb: Add remote address to connect | Gary Lockyer | 2018-05-10 | 5 | -6/+20
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: make sure we expand group memberships of the local domain | Stefan Metzmacher | 2018-03-19 | 1 | -0/+11
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s4:kdc: pass krbtgt and server to samba_kdc_update_pac_blob() | Stefan Metzmacher | 2018-03-19 | 4 | -1/+16
  This will be used for SID expanding and filtering.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s4:kdc: remember is_krbtgt, is_rodc and is_trust samba_kdc_entry | Stefan Metzmacher | 2018-03-19 | 2 | -1/+8
  This can later be used for sid filtering and similar things.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s4:kdc: disable support for CROSS_ORGANIZATION domains | Stefan Metzmacher | 2018-02-28 | 1 | -0/+9
  We don't support selective authentication yet, so we shouldn't silently allow domain wide authentication for such a trust.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Wed Feb 28 19:45:13 CET 2018 on sn-devel-144
* s4:kdc: only support LSA_TRUST_TYPE_UPLEVEL domains in samba_kdc_trust_message2entry() | Stefan Metzmacher | 2018-02-28 | 1 | -0/+10
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* s4:kdc: make use of dsdb_trust_parse_tdo_info() in samba_kdc_trust_message2entry() | Stefan Metzmacher | 2018-02-28 | 1 | -10/+19
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* mit-kdb: support MIT Kerberos 1.16 KDB API changes | Alexander Bokovoy | 2018-01-19 | 3 | -15/+42
  MIT Kerberos 1.16 adds the ability to audit local and remote addresses during AS_REQ processing. As a result, the audit_as_req callback signature was changed to include the addresses and the KDB API version was increased.

  Change mit-kdb code to properly expose the audit_as_req signature the KDC expects in version 1.16. Also update #ifdefs to account for the new KDB API version.

  This commit does not add actual audit of the local and remote IP addresses, it only makes it possible to compile against MIT Kerberos 1.16.

  Signed-off-by: Alexander Bokovoy <ab@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Fri Jan 19 01:36:22 CET 2018 on sn-devel-144
* s4:kdc: only map SDB_ERR_NOT_FOUND_HERE to HDB_ERR_NOT_FOUND_HERE | Stefan Metzmacher | 2017-12-06 | 1 | -6/+18
  HDB_ERR_NOT_FOUND_HERE indicated a very specific error on an RODC. We should not map any error to HDB_ERR_NOT_FOUND_HERE, we should just pass errors along unmapped.

  Otherwise we'll hit the logic bug in:

      if (ret == KDC_PROXY_REQUEST) {
              uint16_t port;

              if (!sock->kdc_socket->kdc->am_rodc) {
                      DEBUG(0,("kdc_udp_call_loop: proxying requested when not RODC"));
                      talloc_free(call);
                      goto done;
              }

  And just don't send an error message to the client.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13132

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Wed Dec 6 23:16:54 CET 2017 on sn-devel-144
* gpo: Apply kerberos settings | David Mulder | 2017-11-20 | 1 | -1/+2
  Add kdc kerberos settings to gpo.tdb, then retrieve those settings in lpcfg_default_kdc_policy.

  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: David Mulder <dmulder@suse.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Pass down the task to get access to model_ops for kpasswd server | Andreas Schneider | 2017-10-27 | 1 | -3/+2
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* source4/smbd: Do not overstamp the process model with "single" | Gary Lockyer | 2017-10-19 | 2 | -19/+6
  Instead, except in RPC which is a special SNOWFLAKE, we rely on the struct service_details in the init function.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* source4/smbd: refactor the process model for prefork | Gary Lockyer | 2017-10-19 | 3 | -3/+35
  Refactor the process model code to allow the addition of a prefork process model.
  - Add a process context to contain process model specific state
  - Add a service details structure to allow service to indicate which process model options they can support.

  In the new code the services advertise the features they support to the process model. The process model context is plumbed through to allow the process model to keep track of the supported options, and any state the process model may require.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* mit-kdb: Fix NULL pointer check after malloc | Andreas Schneider | 2017-07-24 | 1 | -1/+1
  This fixes building with GCC 7.1.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12930

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Mon Jul 24 18:45:34 CEST 2017 on sn-devel-144
* mit_samba: Fix the MIT KDC build with the latest changes | Andreas Schneider | 2017-06-01 | 1 | -1/+4
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Autobuild-User(master): Garming Sam <garming@samba.org>
  Autobuild-Date(master): Thu Jun 1 07:12:47 CEST 2017 on sn-devel-144
* netlogon: Implement SendToSam along with its winbind forwarding | Garming Sam | 2017-05-30 | 1 | -1/+29
  This allows you to forward bad password count resets to 0. Currently, there is a missing access check for the RODC to ensure it only applies to cached users (msDS-Allowed-Password-Replication-Group).

  (further patches still need to address forcing a RWDC contact)

  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* kdc: Send bad password via NETLOGON in RODC | Garming Sam | 2017-05-30 | 2 | -8/+73
  This means that a RWDC will be collecting the badPwdCount to ensure domain wide lockout.

  TODO The parameters should be better constructed.

  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* hdb: Dupe a copy of repl secrets into the KDC | Garming Sam | 2017-05-30 | 2 | -2/+52
  When you have an RODC, this will force the fetch of secrets if not found here.

  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* python: Create the kdc.conf in the Samba private directory | Andreas Schneider | 2017-05-26 | 1 | -5/+11
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: make use of gensec_update() in kpasswd_process() | Stefan Metzmacher | 2017-05-21 | 1 | -6/+14
  This avoids using gensec_update_ev() with a nested event loop.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4: Add TALLOC_CTX * to register_server_service(). | Jeremy Allison | 2017-05-11 | 2 | -2/+2
  Use the passed in context from callers. Remove one talloc_autofree_context().

  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* mit_samba: Fix principal lookup for cross domain referral | Andreas Schneider | 2017-04-30 | 1 | -6/+70
  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Sun Apr 30 03:29:35 CEST 2017 on sn-devel-144
* mit-samba: Remove obsolete mit_samba_update_pac_data() | Andreas Schneider | 2017-04-29 | 2 | -79/+0
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-kdc: Use mit_samba_reget_pac() in ks_verify_pac() | Andreas Schneider | 2017-04-29 | 1 | -23/+27
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-kdc: Implement mit_samba_reget_pac() | Andreas Schneider | 2017-04-29 | 2 | -0/+393
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-pac-glue: Do not add an empty PAC_TYPE_LOGON_NAME with MIT | Andreas Schneider | 2017-04-29 | 1 | -3/+10
  MIT Kerberos will insert an empty PAC_TYPE_LOGON_NAME during krb5_pac_sign().

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* mit-samba: Remove unused mit_samba_get_pac_data() | Andreas Schneider | 2017-04-29 | 2 | -39/+0
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-kdc: Use mit_samba_get_pac() in ks_get_pac() | Andreas Schneider | 2017-04-29 | 1 | -22/+8
  This adds UPN_DNS_INFO to the PAC.

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-kdc: Implement mit_samba_get_pac() | Andreas Schneider | 2017-04-29 | 2 | -0/+74
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-kdc: Fix logging with the KDB driver | Andreas Schneider | 2017-04-29 | 1 | -1/+1
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>