This fixes Win2003 domain logons against Samba4, which need a
canonicalised reply, and helpfully do set that flag.
Specifically, they need that realm in krbtgt/realm@realm that these
both match exactly in the reply.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Feb 17 06:40:53 CET 2011 on sn-devel-104
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
This means that no reply packet should be generated, but that instead
the user of the libkdc API should forward the packet to a real KDC,
that has a full database.
Andrew Bartlett
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
This should allow master key rollover.
(but the real reason is to allow multiple krbtgt accounts, as used by
Active Directory to implement RODC support)
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Pick the replykey to be the same as the preauth key, this allows
us to delay the picking of client key to when its needed, this
means that we can have a reply keys for PKINIT that is independant
of what keys the client have.
From RFC 4120, page 35
In preparing the authentication header, the client can select a sub-
session key under which the response from the Kerberos server will be
encrypted. If the client selects a sub-session key, care must be
taken to ensure the randomness of the selected sub-session key.
The client library alread handle this case.
Thanks to Sam Hartman to report this though Debian
Sign the client and auth time (like its done in the PAC) and let that
be ehough for now. Add a Typed hole so that we don't break wireprotocol
next time.
This extends the PKINIT code in Heimdal to ask the HDB layer if the
User Principal Name name in the certificate is an alias (perhaps just
by case change) of the name given in the AS-REQ. (This was a TODO in
the Heimdal KDC)
The testsuite is extended to test this behaviour, and the other PKINIT
certficate (using the standard method to specify a principal name in a
certificate) is updated to use a Administrator (not administrator).
(This fixes the kinit test).
kdc Allow a password change when the password is expired
This requires a rework on Heimdal's windc plugin layer, as we want
full control over what tickets Heimdal will issue. (In particular, in
case our requirements become more complex in future).
The original problem was that Heimdal's check would permit the ticket,
but Samba would then deny it, not knowing it was for kadmin/changepw
Andrew Bartlett
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25294 ec53bebd-3082-4978-b11e-865c3cabbd6b
s4:heimdal Allow KRB5_NT_ENTERPRISE names in all DB lookups
The previous code only allowed an KRB5_NT_ENTERPRISE name (an e-mail
list user principal name) in an AS-REQ. Evidence from the wild
(Win2k8 reportadely) indicates that this is instead valid for all
types of requests.
While this is now handled in heimdal/kdc/misc.c, a flag is now defined
in Heimdal's hdb so that we can take over this handling in future (once we start
using a system Heimdal, and if we find out there is more to be done
here).
Andrew
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25293 ec53bebd-3082-4978-b11e-865c3cabbd6b
This change utilizes the addition of the e_data parameter to the
windc_plugin in the heimdal code to pass extended information back
to the client. The extended information is provided in an e-data
block as part of the kerberos error message, and allows the client
to determine which specific error condition occurred.
From Andrew Kroeger and Andrew Bartlet
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@22693 ec53bebd-3082-4978-b11e-865c3cabbd6b
(get_pa_etype_info2): return the enctypes as sorted in the database
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21496 ec53bebd-3082-4978-b11e-865c3cabbd6b
salting to java that doesn't look at the returning padata for salting.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21411 ec53bebd-3082-4978-b11e-865c3cabbd6b
