summaryrefslogtreecommitdiff
path: root/source4/kdc
Commit message (Collapse)AuthorAgeFilesLines
* CVE-2018-16853: fix crash in expired passowrd caseIsaac Boukris2018-12-041-3/+4
| | | | | | | | | | | | | | When calling encode_krb5_padata_sequence() make sure to pass a null terminated array as required. Fixes expired passowrd case in samba4.blackbox.kinit test. Signed-off-by: Isaac Boukris <iboukris@gmail.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(v4-8-test): Karolin Seeger <kseeger@samba.org> Autobuild-Date(v4-8-test): Tue Dec 4 18:36:56 CET 2018 on sn-devel-144
* CVE-2018-16853: Do not segfault if client is not setAndreas Schneider2018-12-041-0/+16
| | | | | | | | | This can be triggered with FAST but we don't support this yet. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2018-16853: The ticket in check_policy_as can actually be a TGSIsaac Boukris2018-12-041-2/+6
| | | | | | | | | | | This happens when we are called from S4U2Self flow, and in that case kdcreq->client is NULL. Use the name from client entry instead. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 Signed-off-by: Isaac Boukris <iboukris@gmail.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2018-16841 heimdal: Fix segfault on PKINIT with mis-matching principalAndrew Bartlett2018-11-261-3/+3
| | | | | | | | | | | | | In Heimdal KRB5_KDC_ERR_CLIENT_NAME_MISMATCH is an enum, so we tried to double-free mem_ctx. This was introduced in 9a0263a7c316112caf0265237bfb2cfb3a3d370d for the MIT KDC effort. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* s4:kdc: disable support for CROSS_ORGANIZATION domainsStefan Metzmacher2018-03-011-0/+9
| | | | | | | | | | | | | | | | | | | We don't support selective authentication yet, so we shouldn't silently allow domain wide authentication for such a trust. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Wed Feb 28 19:45:13 CET 2018 on sn-devel-144 (cherry picked from commit 31b5328c46c5f510ba234f75688886987276ee9e) Autobuild-User(v4-8-test): Stefan Metzmacher <metze@samba.org> Autobuild-Date(v4-8-test): Thu Mar 1 06:08:56 CET 2018 on sn-devel-144
* s4:kdc: only support LSA_TRUST_TYPE_UPLEVEL domains in ↵Stefan Metzmacher2018-03-011-0/+10
| | | | | | | | | | samba_kdc_trust_message2entry() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit d0a813a173be630c2def93cc55e4514204d265a2)
* s4:kdc: make use of dsdb_trust_parse_tdo_info() in ↵Stefan Metzmacher2018-03-011-10/+19
| | | | | | | | | | samba_kdc_trust_message2entry() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 274209f5cd4eec2ffe4ffe12bfbb41eb8ed0c9df)
* mit-kdb: support MIT Kerberos 1.16 KDB API changesAlexander Bokovoy2018-02-273-15/+42
| | | | | | | | | | | | | | | | | | | | | | | | MIT Kerberos 1.16 adds ability to audit local and remote addresses during AS_REQ processing. As result, audit_as_req callback signature was changed to include the addresses and KDB API version was increased. Change mit-kdb code to properly expose audit_as_req signature KDC expects in 1.16 version. Also update #ifdefs to account for the new KDB API version. This commit does not add actual audit of the local and remote IP addresses, it only makes it possible to compile against MIT Kerberos 1.16. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13304 Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Fri Jan 19 01:36:22 CET 2018 on sn-devel-144 (cherry picked from commit 7c1c8c68174ed484fe86a0d9e429daad3a47a57d)
* s4:kdc: only map SDB_ERR_NOT_FOUND_HERE to HDB_ERR_NOT_FOUND_HEREStefan Metzmacher2017-12-061-6/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | HDB_ERR_NOT_FOUND_HERE indicated a very specific error on an RODC. We should not map any error to HDB_ERR_NOT_FOUND_HERE, we should just pass errors along unmapped. Otherwise we'll hit the logic bug in: if (ret == KDC_PROXY_REQUEST) { uint16_t port; if (!sock->kdc_socket->kdc->am_rodc) { DEBUG(0,("kdc_udp_call_loop: proxying requested when not RODC")); talloc_free(call); goto done; } And just don't send an error message to the client. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13132 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Wed Dec 6 23:16:54 CET 2017 on sn-devel-144
* gpo: Apply kerberos settingsDavid Mulder2017-11-201-1/+2
| | | | | | | | | Add kdc kerberos settings to gpo.tdb, then retrieve those settings in lpcfg_default_kdc_policy. Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: David Mulder <dmulder@suse.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Pass down the task to get access to model_ops for kpasswd serverAndreas Schneider2017-10-271-3/+2
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
* source4/smbd: Do not overstamp the process model with "single"Gary Lockyer2017-10-192-19/+6
| | | | | | | | | Instead, except in RPC which is a special SNOWFLAKE, we rely on the struct service_details in the init function. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* source4/smbd: refactor the process model for preforkGary Lockyer2017-10-193-3/+35
| | | | | | | | | | | | | | | | | | Refactor the process model code to allow the addition of a prefork process model. - Add a process context to contain process model specific state - Add a service details structure to allow service to indicate which process model options they can support. In the new code the services advertise the features they support to the process model. The process model context is plumbed through to allow the process model to keep track of the supported options, and any state the process model may require. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* mit-kdb: Fix NULL pointer check after mallocAndreas Schneider2017-07-241-1/+1
| | | | | | | | | | | | This fixes building with GCC 7.1. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12930 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Mon Jul 24 18:45:34 CEST 2017 on sn-devel-144
* mit_samba: Fix the MIT KDC build with the latest changesAndreas Schneider2017-06-011-1/+4
| | | | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Autobuild-User(master): Garming Sam <garming@samba.org> Autobuild-Date(master): Thu Jun 1 07:12:47 CEST 2017 on sn-devel-144
* netlogon: Implement SendToSam along with its winbind forwardingGarming Sam2017-05-301-1/+29
| | | | | | | | | | | This allows you to forward bad password count resets to 0. Currently, there is a missing access check for the RODC to ensure it only applies to cached users (msDS-Allowed-Password-Replication-Group). (further patches still need to address forcing a RWDC contact) Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* kdc: Send bad password via NETLOGON in RODCGarming Sam2017-05-302-8/+73
| | | | | | | | | | This means that a RWDC will be collecting the badPwdCount to ensure domain wide lockout. TODO The parameters should be better constructed. Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* hdb: Dupe a copy of repl secrets into the KDCGarming Sam2017-05-302-2/+52
| | | | | | | When you have an RODC, this will force the fetch of secrets if not found here Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* python: Create the kdc.conf in the Samba private directoryAndreas Schneider2017-05-261-5/+11
| | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: make use of gensec_update() in kpasswd_process()Stefan Metzmacher2017-05-211-6/+14
| | | | | | | This avoids using gensec_update_ev() with a nested event loop. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4: Add TALLOC_CTX * to register_server_service().Jeremy Allison2017-05-112-2/+2
| | | | | | | | Use the passed in context from callers. Remove one talloc_autofree_context(). Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* mit_samba: Fix principal lookup for cross domain referralAndreas Schneider2017-04-301-6/+70
| | | | | | | | | | | | Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlet <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Sun Apr 30 03:29:35 CEST 2017 on sn-devel-144
* mit-samba: Remove obsolete mit_samba_update_pac_data()Andreas Schneider2017-04-292-79/+0
| | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlet <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-kdc: Use mit_samba_reget_pac() in ks_verify_pac()Andreas Schneider2017-04-291-23/+27
| | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlet <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-kdc: Implement mit_samba_reget_pac()Andreas Schneider2017-04-292-0/+393
| | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlet <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-pac-glue: Do not add an empty PAC_TYPE_LOGON_NAME with MITAndreas Schneider2017-04-291-3/+10
| | | | | | | | | MIT Kerberos will insert an empty PAC_TYPE_LOGON_NAME during krb5_pac_sign(). Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlet <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* mit-samba: Remove unused mit_samba_get_pac_data()Andreas Schneider2017-04-292-39/+0
| | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlet <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-kdc: Use mit_samba_get_pac() in ks_get_pac()Andreas Schneider2017-04-291-22/+8
| | | | | | | | This adds UPN_DNS_INFO to the PAC. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlet <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-kdc: Implement mit_samba_get_pac()Andreas Schneider2017-04-292-0/+74
| | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlet <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-kdc: Fix logging with the KDB driverAndreas Schneider2017-04-291-1/+1
| | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlet <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-kdc: Start the kpasswd service with MIT KDCAndreas Schneider2017-04-292-1/+225
| | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlet <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-kdc: Add MIT Kerberos specific kpasswd codeAndreas Schneider2017-04-292-2/+305
| | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlet <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* param: Add 'mit kdc config' option to smb.confAndreas Schneider2017-04-291-0/+7
| | | | | | | | This points to the kdc config file created by Samba by default. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlet <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-kdc: Register the MIT irpc PAC validation serviceAndreas Schneider2017-04-292-0/+13
| | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlet <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-kdc: Add MIT KRB5 based irpc service for PAC validationAndreas Schneider2017-04-293-0/+234
| | | | | | | | | | Pair-Programmed-With: Guenther Deschner <gd@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Andrew Bartlet <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-kdc: Add a MIT Kerberos KDC serviceAndreas Schneider2017-04-293-18/+179
| | | | | | | | This starts the krb5kdc binary shipped with MIT Kerberos. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlet <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* mit-kdb: Update KDB vtable for DAL version 6Andreas Schneider2017-04-295-132/+63
| | | | | | | | | | This changed between 1.14 and 1.15. Also the 1.15 change removed the ability that the KDB module can free memory. This caused issues of serveral projects. It got fixed with 1.15.1. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlet <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* mit-kdb: Zero the db principal when we allocate itAndreas Schneider2017-04-291-1/+1
| | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlet <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* lib: modules: Change XXX_init interface from XXX_init(void) to ↵Jeremy Allison2017-04-221-2/+2
| | | | | | | | | | | | | | | | | | | | XXX_init(TALLOC_CTX *) Not currently used - no logic changes inside. This will make it possible to pass down a long-lived talloc context from the loading function for modules to use instead of having them internally all use talloc_autofree_context() which is a hidden global. Updated all known module interface numbers, and added a WHATSNEW. Signed-off-by: Jeremy Allison <jra@samba.org> Signed-off-by: Ralph Böhme <slow@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Sat Apr 22 01:17:00 CEST 2017 on sn-devel-144
* heimdal: Pass extra information to hdb_auth_status() to log success and failuresAndrew Bartlett2017-03-294-4/+124
| | | | | | | | | | We now pass on the original client name and the client address to allow consistent audit logging in Samba across multiple protocols. We use config->db[0] to find the first database to record incorrect users. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* auth: Generate a human readable Authentication log message.Gary Lockyer2017-03-291-5/+5
| | | | | | | | | Add a human readable authentication log line, to allow verification that all required details are being passed. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz> Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* s4:kdc: disable principal based autodetected referral detectionStefan Metzmacher2017-03-101-0/+2
| | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* mit-kdb: Remove unneeded memset()Andreas Schneider2017-01-121-2/+0
| | | | | | | The memory has been allocated with calloc() already. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* mit-kdb: Use calloc() to allocate memoryAndreas Schneider2017-01-121-3/+1
| | | | | | | This avoids a memset(). Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* wscript: remove executable bits for all wscript* filesStefan Metzmacher2017-01-111-0/+0
| | | | | | | | | | These files should not be executable. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Wed Jan 11 20:21:01 CET 2017 on sn-devel-144
* kdc: Use "all_zero" where appropriateVolker Lendecke2017-01-031-6/+4
| | | | | | | ... Saves a few bytes of footprint Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
* s4-kdc: Fix Coverity ID #1373385 (OVERRUN)Günther Deschner2016-09-291-5/+3
| | | | | | | | | | | | | | Guenther Pair-Programmed-With: Volker Lendecke <vl@samba.org> Pair-Programmed-With: Andreas Schneider <asn@samba.org> Signed-off-by: Guenther Deschner <gd@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Volker Lendecke <vl@samba.org> Autobuild-User(master): Günther Deschner <gd@samba.org> Autobuild-Date(master): Thu Sep 29 22:16:52 CEST 2016 on sn-devel-144
* s4-kdc: Fix Coverity ID #1373386 (Resource Leak)Günther Deschner2016-09-291-0/+2
| | | | | | | Guenther Pair-Programmed-With: Volker Lendecke <vl@samba.org> Signed-off-by: Guenther Deschner <gd@samba.org>
* s4-kdc: Remove unused etypes from sdb structureAndreas Schneider2016-09-263-46/+0
| | | | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> eviewed-by: Guenther Deschner <gd@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Mon Sep 26 06:08:09 CEST 2016 on sn-devel-144
* s4-sdb: Generate etypes list out of keys listAndreas Schneider2016-09-261-5/+10
| | | | | | | | This etypes list is Heimdal specific. It doesn't make sense to allocate and fill it in db-glue. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
View Lorry Controller Status