path: root/source4/kdc

Commit log for source4/kdc, newest first. Each entry lists the commit subject, author, date, number of files changed and lines removed/added, followed by the commit message.
* lib/util: remove extra safe_string.h file
  Matthew DeVore, 2020-08-28, 1 file changed, -0/+2

  lib/util/safe_string.h is similar to source3/include/safe_string.h, but the former has fewer checks. It is missing bcopy, strcasecmp, and strncasecmp. Add the missing elements to lib/util/safe_string.h and remove the other safe_string.h which is in the source3-specific path.

  To accommodate existing uses of str(n?)casecmp, add #undef lines to source files where they are used.

  Signed-off-by: Matthew DeVore <matvore@google.com>
  Reviewed-by: David Mulder <dmulder@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Fri Aug 28 02:18:40 UTC 2020 on sn-devel-184
* kdc: Remind us that these values need to match other values
  Andrew Bartlett, 2020-08-07, 1 file changed, -0/+2

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* kdc:db-glue: ignore KRB5_PROG_ETYPE_NOSUPP also for Primary:Kerberos
  Stefan Metzmacher, 2020-07-28, 1 file changed, -6/+12

  Currently we only ignore KRB5_PROG_ETYPE_NOSUPP for Primary:Kerberos-Newer-Keys, but not for Primary:Kerberos.

  If a service account has msDS-SupportedEncryptionTypes: 31 and DES keys stored in Primary:Kerberos, we'll pass the DES key to smb_krb5_keyblock_init_contents(), but may get KRB5_PROG_ETYPE_NOSUPP.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14354

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Isaac Boukris <iboukris@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Tue Jul 28 14:04:26 UTC 2020 on sn-devel-184
* db-glue.c: set forwardable flag on cross-realm tgt tickets
  Isaac Boukris, 2020-06-12, 2 files changed, -5/+3

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233

  Match Windows behavior and allow the forwardable flag to be set in cross-realm tickets. We used to allow forwardable to any server, but now that we apply disallow-forwardable policy in heimdal we need to explicitly allow it in the cross-realm case (and remove the workaround we have for it in the MIT plugin).

  Signed-off-by: Isaac Boukris <iboukris@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Fri Jun 12 22:10:34 UTC 2020 on sn-devel-184
* mit-kdc: Explicitly reject S4U requests
  Isaac Boukris, 2020-03-10, 1 file changed, -0/+5

  Signed-off-by: Isaac Boukris <iboukris@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
  Autobuild-Date(master): Tue Mar 10 14:46:04 UTC 2020 on sn-devel-184
* Sign and verify PAC with ticket principal instead of canon principal
  Isaac Boukris, 2020-03-10, 1 file changed, -10/+2

  With MIT library 1.18 the KDC no longer sets KRB5_KDB_FLAG_CANONICALIZE for enterprise principals, which allows us to not canonicalize them (like in Windows / Heimdal). However, it now breaks the PAC signature verification as it was wrongly done using the canonical client rather than the ticket client name.

  Signed-off-by: Isaac Boukris <iboukris@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* Adapt sign_authdata in our KDB module for krb5 v1.18
  Isaac Boukris, 2020-03-10, 3 files changed, -1/+49

  Signed-off-by: Isaac Boukris <iboukris@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* mit-kdb: Fix license on header file
  Simo Sorce, 2019-12-17, 1 file changed, -26/+19

  Signed-off-by: Simo Sorce <idra@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Signed-off-by: Alexander Bokovoy <ab@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Tue Dec 17 09:24:56 UTC 2019 on sn-devel-184
* CVE-2019-14870: mit-kdc: enforce delegation_not_allowed flag
  Isaac Boukris, 2019-12-10, 2 files changed, -11/+11

  Signed-off-by: Isaac Boukris <iboukris@samba.org>
  Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
  Autobuild-Date(master): Tue Dec 10 10:44:01 UTC 2019 on sn-devel-184
* kdc/db-glue: do not fetch single DES keys from db
  Isaac Boukris, 2019-11-19, 1 file changed, -2/+2

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202

  Signed-off-by: Isaac Boukris <iboukris@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: fix the principal names in samba_kdc_update_delegation_info_blob
  Stefan Metzmacher, 2019-10-21, 1 file changed, -3/+3

  We need the target service without realm, but the proxy services with realm.

  I have a domain with a w2008r2 server and a samba and now both generate the same S4U_DELEGATION_INFO.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13133

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* auth auth_log: csbuild unused parm unix_username
  Gary Lockyer, 2019-06-13, 1 file changed, -2/+1

  Fixes csbuild errors

  Error: COMPILER_WARNING:
  auth/auth_log.c: scope_hint: In function ‘log_authentication_event_json’
  auth/auth_log.c:146:14: warning: unused parameter ‘unix_username’ [-Wunused-parameter]

  Error: COMPILER_WARNING:
  auth/auth_log.c: scope_hint: In function ‘log_authentication_event_human_readable’
  auth/auth_log.c:586:14: warning: unused parameter ‘unix_username’ [-Wunused-parameter]

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* kdc hdb: Generate and pass logon ID
  Gary Lockyer, 2019-02-20, 1 file changed, -2/+4

  Generate and pass the logon_id in SamLogon calls

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* librpc idl: netlogon netr_identity_info logon_id to 64 bit
  Gary Lockyer, 2019-02-20, 1 file changed, -2/+1

  Fold the two 32 bit values logon_id_high and logon_id_low into a single 64 bit logon_id in netr_identity_info. This will be used to tie together winbind and SamLogon requests in audit logging.

  Summary of the Query and Response from Microsoft on its usage.

  [REG:119013019612095] [MS-NRPC]: NETLOGON_LOGON_IDENTITY_INFO: Does the Reserved field have LogonId meaning?

  Questions:
  In NetrLogonSamLogonEx does the Reserved field (of NETLOGON_LOGON_IDENTITY_INFO) have LogonId meaning? What is a valid LogonID, and does it have any audit usage? Samba is sending a constant "deadbeef" in hex and would like to understand any usage of this field.

  Response:
  The NRPC spec is accurate in defining the field as Reserved, and without protocol significance. In the header file in our source code, it is defined as LogonId and commented as such, but it’s effectively not used. This is probably why the API structure has that field name. It may have been intended as such but it’s not used.

  Samba will send a random value in this field.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Fix size type for num_bind in kdc-heimdal
  Andreas Schneider, 2019-01-19, 1 file changed, -1/+1

  This fixes a compile error on sn-devel184.

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Sat Jan 19 15:36:51 CET 2019 on sn-devel-144
* s4: Add kerberos tracing
  Swen Schillig, 2018-12-20, 2 files changed, -4/+6

  Replace kerberos context initialization via raw krb5_init_context() with smb_krb5_init_context_basic(), which adds common tracing as well.

  Signed-off-by: Swen Schillig <swen@linux.ibm.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Christof Schmitt <cs@samba.org>
  Autobuild-User(master): Christof Schmitt <cs@samba.org>
  Autobuild-Date(master): Thu Dec 20 01:31:17 CET 2018 on sn-devel-144
* krb5_wrap: Add a talloc_ctx to smb_krb5_principal_get_realm()
  Volker Lendecke, 2018-11-28, 3 files changed, -43/+27

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* CVE-2018-16853: fix crash in expired password case
  Isaac Boukris, 2018-11-28, 1 file changed, -3/+4

  When calling encode_krb5_padata_sequence() make sure to pass a null terminated array as required.

  Fixes expired password case in samba4.blackbox.kinit test.

  Signed-off-by: Isaac Boukris <iboukris@gmail.com>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2018-16853: Do not segfault if client is not set
  Andreas Schneider, 2018-11-28, 1 file changed, -0/+16

  This can be triggered with FAST but we don't support this yet.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2018-16853: The ticket in check_policy_as can actually be a TGS
  Isaac Boukris, 2018-11-28, 1 file changed, -2/+6

  This happens when we are called from S4U2Self flow, and in that case kdcreq->client is NULL. Use the name from client entry instead.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571

  Signed-off-by: Isaac Boukris <iboukris@gmail.com>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2018-16841 heimdal: Fix segfault on PKINIT with mis-matching principal
  Andrew Bartlett, 2018-11-28, 1 file changed, -3/+3

  In Heimdal KRB5_KDC_ERR_CLIENT_NAME_MISMATCH is an enum, so we tried to double-free mem_ctx.

  This was introduced in 9a0263a7c316112caf0265237bfb2cfb3a3d370d for the MIT KDC effort.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* source4 smbd prefork: restart on non-zero exit code
  Gary Lockyer, 2018-11-23, 1 file changed, -1/+2

  Restart any pre-fork master or worker process that exits with a non-zero exit code.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4-kdc: restore MIT KDC backend
  Philipp Gesang, 2018-11-09, 2 files changed, -17/+20

  Fix fallout from the KDC prefork patchset (99aea42520fc..). GCC warns when Samba is being built with --with-system-mitkrb5. Fix this by adapting the signature of mitkdc_task_init() to match task_init which has been extended to return a status code.

  Status codes try to mimic those of kdc-heimdal.c:kdc_task_init() as closely as possible.

  Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
* source4 smbd: pass instance number to post_fork
  Gary Lockyer, 2018-11-07, 1 file changed, -1/+1

  Pass the instance number to the post_fork hook. This is required to allow the rpc_server to support the prefork process model.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* kdc: Update debug calls
  Gary Lockyer, 2018-11-01, 1 file changed, -7/+8

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* source4 smbd kdc: allow the kdc to run in prefork
  Gary Lockyer, 2018-11-01, 1 file changed, -40/+49

  Modify the kdc to allow it to run in the prefork process model. The task_init function has been split up and code moved into the post_fork function.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* source4 smbd: Add a post fork hook to the service API
  Gary Lockyer, 2018-11-01, 2 files changed, -26/+31

  Add a post fork hook to the service API; this will be called:
  - standard process model: immediately after the task_init.
  - single process model: immediately after the task_init
  - prefork process model, inhibit_pre_fork = true: immediately after the task_init
  - prefork process model, inhibit_pre_fork = false: after each service worker has forked. It is not run on the service master process.

  The post fork hook is not called in the standard model if a new process is forked on a new connection. It is instead called immediately after the task_init.

  The task_init hook has been changed to return an error code. This ensures the post_fork code is only run if the task_init code completed successfully.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* source4 smbd: Make the service_details structure constant.
  Gary Lockyer, 2018-11-01, 2 files changed, -2/+2

  Make the service_details structure a static const.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* kdc: Improve code clarity with extra brackets
  Andrew Bartlett, 2018-09-05, 1 file changed, -1/+1

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Sep 5 16:17:59 CEST 2018 on sn-devel-144
* auth: For NTLM and KDC authentication, log the authentication duration
  Andrew Bartlett, 2018-06-25, 1 file changed, -0/+3

  This is not a general purpose profiling solution, but these JSON logs are already being generated and stored, so this is worth adding.

  Some administrators are very keen to know how long authentication takes, particularly due to long replication transactions in other processes.

  This complements a similar patch set to log the transaction duration.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
* kdc: Fix CID 1435720 Unchecked return value
  Volker Lendecke, 2018-05-24, 1 file changed, -2/+10

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* Fix spelling s/fowarding/forwarding/
  Mathieu Parent, 2018-05-12, 1 file changed, -1/+1

  Signed-off-by: Mathieu Parent <math.parent@gmail.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* samdb: Add remote address to connect
  Gary Lockyer, 2018-05-10, 5 files changed, -6/+20

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: make sure we expand group memberships of the local domain
  Stefan Metzmacher, 2018-03-19, 1 file changed, -0/+11

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s4:kdc: pass krbtgt and server to samba_kdc_update_pac_blob()
  Stefan Metzmacher, 2018-03-19, 4 files changed, -1/+16

  This will be used for SID expanding and filtering.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s4:kdc: remember is_krbtgt, is_rodc and is_trust in samba_kdc_entry
  Stefan Metzmacher, 2018-03-19, 2 files changed, -1/+8

  This can later be used for sid filtering and similar things.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s4:kdc: disable support for CROSS_ORGANIZATION domains
  Stefan Metzmacher, 2018-02-28, 1 file changed, -0/+9

  We don't support selective authentication yet, so we shouldn't silently allow domain wide authentication for such a trust.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Wed Feb 28 19:45:13 CET 2018 on sn-devel-144
* s4:kdc: only support LSA_TRUST_TYPE_UPLEVEL domains in samba_kdc_trust_message2entry()
  Stefan Metzmacher, 2018-02-28, 1 file changed, -0/+10

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* s4:kdc: make use of dsdb_trust_parse_tdo_info() in samba_kdc_trust_message2entry()
  Stefan Metzmacher, 2018-02-28, 1 file changed, -10/+19

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* mit-kdb: support MIT Kerberos 1.16 KDB API changes
  Alexander Bokovoy, 2018-01-19, 3 files changed, -15/+42

  MIT Kerberos 1.16 adds ability to audit local and remote addresses during AS_REQ processing. As a result, audit_as_req callback signature was changed to include the addresses and KDB API version was increased.

  Change mit-kdb code to properly expose audit_as_req signature KDC expects in 1.16 version. Also update #ifdefs to account for the new KDB API version.

  This commit does not add actual audit of the local and remote IP addresses, it only makes it possible to compile against MIT Kerberos 1.16.

  Signed-off-by: Alexander Bokovoy <ab@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Fri Jan 19 01:36:22 CET 2018 on sn-devel-144
* s4:kdc: only map SDB_ERR_NOT_FOUND_HERE to HDB_ERR_NOT_FOUND_HERE
  Stefan Metzmacher, 2017-12-06, 1 file changed, -6/+18

  HDB_ERR_NOT_FOUND_HERE indicated a very specific error on an RODC. We should not map any error to HDB_ERR_NOT_FOUND_HERE, we should just pass errors along unmapped.

  Otherwise we'll hit the logic bug in:

      if (ret == KDC_PROXY_REQUEST) {
              uint16_t port;

              if (!sock->kdc_socket->kdc->am_rodc) {
                      DEBUG(0,("kdc_udp_call_loop: proxying requested when not RODC"));
                      talloc_free(call);
                      goto done;
              }

  And just don't send an error message to the client.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13132

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Wed Dec 6 23:16:54 CET 2017 on sn-devel-144
* gpo: Apply kerberos settings
  David Mulder, 2017-11-20, 1 file changed, -1/+2

  Add kdc kerberos settings to gpo.tdb, then retrieve those settings in lpcfg_default_kdc_policy.

  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: David Mulder <dmulder@suse.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:kdc: Pass down the task to get access to model_ops for kpasswd server
  Andreas Schneider, 2017-10-27, 1 file changed, -3/+2

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* source4/smbd: Do not overstamp the process model with "single"
  Gary Lockyer, 2017-10-19, 2 files changed, -19/+6

  Instead, except in RPC which is a special SNOWFLAKE, we rely on the struct service_details in the init function.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* source4/smbd: refactor the process model for prefork
  Gary Lockyer, 2017-10-19, 3 files changed, -3/+35

  Refactor the process model code to allow the addition of a prefork process model.
  - Add a process context to contain process model specific state
  - Add a service details structure to allow services to indicate which process model options they can support.

  In the new code the services advertise the features they support to the process model. The process model context is plumbed through to allow the process model to keep track of the supported options, and any state the process model may require.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* mit-kdb: Fix NULL pointer check after malloc
  Andreas Schneider, 2017-07-24, 1 file changed, -1/+1

  This fixes building with GCC 7.1.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12930

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Mon Jul 24 18:45:34 CEST 2017 on sn-devel-144
* mit_samba: Fix the MIT KDC build with the latest changes
  Andreas Schneider, 2017-06-01, 1 file changed, -1/+4

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Autobuild-User(master): Garming Sam <garming@samba.org>
  Autobuild-Date(master): Thu Jun 1 07:12:47 CEST 2017 on sn-devel-144
* netlogon: Implement SendToSam along with its winbind forwarding
  Garming Sam, 2017-05-30, 1 file changed, -1/+29

  This allows you to forward bad password count resets to 0. Currently, there is a missing access check for the RODC to ensure it only applies to cached users (msDS-Allowed-Password-Replication-Group).

  (further patches still need to address forcing a RWDC contact)

  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* kdc: Send bad password via NETLOGON in RODC
  Garming Sam, 2017-05-30, 2 files changed, -8/+73

  This means that a RWDC will be collecting the badPwdCount to ensure domain wide lockout.

  TODO The parameters should be better constructed.

  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* hdb: Dupe a copy of repl secrets into the KDC
  Garming Sam, 2017-05-30, 2 files changed, -2/+52

  When you have an RODC, this will force the fetch of secrets if not found here

  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>