This makes it a bit easier to find libhdb in e.g. configure tests and
is consistent with the main header files for the other Heimdal
libraries, none of which has any prerequisite other headers.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
This fixes Win2003 domain logons against Samba4, which need a
canonicalised reply, and helpfully do set that flag.
Specifically, they need that realm in krbtgt/realm@realm that these
both match exactly in the reply.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Feb 17 06:40:53 CET 2011 on sn-devel-104
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
The interaction with Samba4 is subtle - it calls
krb5_kdc_get_config(), but not configure() - but must have PKINIT set
up.
Andrew Bartlett
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
By checking the client principal here, we compare the realm based on
the normalised realm, but do so early enough to validate the PAC (and
regenerate it if required).
Andrew Bartlett
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Samba4 may modify the case of the realm in a returned entry, but will no longer modify the case of the prinicipal components.
The easy way to keep this test passing is to consider also what we
need to do to get the krbtgt account for the PAC signing - and to use
krbtgt/<this>/@REALM component to fetch the real krbtgt, and to use
that resutl for realm comparion.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Nov 15 08:47:44 UTC 2010 on sn-devel-104
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
This means that no reply packet should be generated, but that instead
the user of the libkdc API should forward the packet to a real KDC,
that has a full database.
Andrew Bartlett
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
This should allow master key rollover.
(but the real reason is to allow multiple krbtgt accounts, as used by
Active Directory to implement RODC support)
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
This starts up the pkinit configuration and sets some default values,
and is needed in a seperate function so Samba4 can call it from it's
own KDC wrapper.
Andrew Bartlett
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Some hdb modules (samba4) may change the case of the realm in
a returned result. Use that to determine if it matches the krbtgt
realm also returned from the DB (the DB will return it in the 'right' case)
Andrew Bartlett
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
If we don't do this, the PAC is given for the machine accout, not the
account being impersonated.
Andrew Bartlett
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
This allows us to resolve multiple forms of a name, allowing for
example machine$@REALM to get an S4U2Self ticket for
host/machine@REALM.
Andrew Bartlett
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Once DLLs and EXEs are built, they need to have their manifests
processed and signed. These steps are encapsulated in the EXEPREP and
DLLPREP Makefile macros. Use them instead of invoking each processing
macro individually.
An MIT dump file may contain multiple key sets for one principal, with
different kvnos. The Heimdal database can only represent a single
kvno, and previously the kvno was set to the last key found in the entry
and all keys were added to the entry. Since kvnos are given from high
to low in the database dump, this would result in the principal getting
the kvno of the oldest key and all keys stored without regard for kvno.
Instead, ignore all keys with kvnos lower than the first kvno we see and
only store keys with a kvno matching it. If we see a key with a kvno
higher than the first kvno we see, exit with an error since that case is
not currently handled (and should not happen in a typical MIT database
dump).
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
