Love Hornquist Astrand
013fb45a7f
Make the send e_text on time skew error default to make it work with windows clients.
2009-08-04 20:19:44 +02:00
Andrew Bartlett
f8c121b282
Add support for user principal names in certificates [HEIMDAL-602]
...
This extends the PKINIT code in Heimdal to ask the HDB layer if the
User Principal Name name in the certificate is an alias (perhaps just
by case change) of the name given in the AS-REQ. (This was a TODO in
the Heimdal KDC)
The testsuite is extended to test this behaviour, and the other PKINIT
certificate (using the standard method to specify a principal name in a
certificate) is updated to use an Administrator (not administrator).
(This fixes the kinit test).
2009-08-04 09:34:58 +02:00
Love Hörnquist Åstrand
97b8122bc6
Report HDB_AUTH_SUCCESS for PK-INIT too.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25308 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-07-03 04:34:18 +00:00
Love Hörnquist Åstrand
7829e74641
Provide auth_status to backend.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25307 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-07-03 04:33:06 +00:00
Love Hörnquist Åstrand
d3de015b79
Check locked-out flag for client and server.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25306 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-07-03 04:32:56 +00:00
Love Hörnquist Åstrand
506b98d110
Patch from Andrew Bartlett via heimdal-bugs@h5l.org
...
kdc Allow a password change when the password is expired
This requires a rework on Heimdal's windc plugin layer, as we want
full control over what tickets Heimdal will issue. (In particular, in
case our requirements become more complex in future).
The original problem was that Heimdal's check would permit the ticket,
but Samba would then deny it, not knowing it was for kadmin/changepw
Andrew Bartlett
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25294 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-07-03 03:16:46 +00:00
Love Hörnquist Åstrand
ba04bad361
From Andrew Bartlett via heimdal-bugs@h5l.org
...
s4:heimdal Allow KRB5_NT_ENTERPRISE names in all DB lookups
The previous code only allowed a KRB5_NT_ENTERPRISE name (an e-mail
list user principal name) in an AS-REQ. Evidence from the wild
(Win2k8 reportedly) indicates that this is instead valid for all
types of requests.
While this is now handled in heimdal/kdc/misc.c, a flag is now defined
in Heimdal's hdb so that we can take over this handling in future (once we start
using a system Heimdal, and if we find out there is more to be done
here).
Andrew
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25293 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-07-03 03:16:35 +00:00
Love Hörnquist Åstrand
c0d30cc7d3
handle out of memory
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25206 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-05-09 14:22:05 +00:00
Love Hörnquist Åstrand
4aa92f9db1
Less empty if statements.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25120 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-04-16 08:17:26 +00:00
Love Hörnquist Åstrand
542528a7ce
try to clean up ckey handling, esp when there is no ckey
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25098 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-04-06 02:50:39 +00:00
Love Hörnquist Åstrand
b8071a368c
spelling
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25097 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-04-06 02:50:08 +00:00
Love Hörnquist Åstrand
6b95eec5c9
new signature for _kdc_pk_rd_padata
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25000 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-03-29 09:05:00 +00:00
Love Hörnquist Åstrand
4205308775
Always generate session key
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24975 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-03-28 17:08:31 +00:00
Love Hörnquist Åstrand
033c14110f
simplify
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24941 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-03-25 15:36:47 +00:00
Love Hörnquist Åstrand
3aa4a14ef3
move generation of session key to preauth hook.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24940 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-03-25 15:36:36 +00:00
Love Hörnquist Åstrand
3bea35ccc5
Disable anonymous code.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24598 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-02-04 22:07:32 +00:00
Love Hörnquist Åstrand
c8dfcede53
intern export is_anonymous()
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24592 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-02-04 22:06:32 +00:00
Love Hörnquist Åstrand
64748478da
Move the check client/anonymous logic to pkinit.c
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24578 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-02-04 22:04:08 +00:00
Love Hörnquist Åstrand
c1bfc5bd1d
Only send etype-info{,2} for the enctype we selected.
...
Process pkinit anon requests.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24569 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-02-04 22:02:34 +00:00
Love Hörnquist Åstrand
b744467bb7
Check windc access after check_flags.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24566 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-02-04 22:01:55 +00:00
Love Hörnquist Åstrand
6561b13ccb
Verify flags after the user has been required to prove its identity * with
...
in a preauth mech, matches windows AD behavior.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24563 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-01-31 22:10:37 +00:00
Love Hörnquist Åstrand
065ff8fae9
collect enctype printing into one statement
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24560 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-01-31 21:07:13 +00:00
Love Hörnquist Åstrand
f4aeb0d5cf
better error message
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24194 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-12-15 04:31:12 +00:00
Love Hörnquist Åstrand
6937d41a02
remove trailing whitespace
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23815 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-09-13 09:21:03 +00:00
Love Hörnquist Åstrand
e172367898
switch to utf8 encoding of all files
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23814 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-09-13 08:53:55 +00:00
Love Hörnquist Åstrand
80e3051b41
make exception for known weak types
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23599 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-08-17 14:11:29 +00:00
Love Hörnquist Åstrand
7fcd266fdd
use krb5_set_error_message
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23316 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-06-23 04:32:32 +00:00
Love Hörnquist Åstrand
4ac470d33e
Match name in ClientCanonicalizedNames with -10
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@22753 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-03-24 12:08:24 +00:00
Love Hörnquist Åstrand
8888b88979
kdc: Provide extended error information in AS-REP error replies.
...
This change utilizes the addition of the e_data parameter to the
windc_plugin in the heimdal code to pass extended information back
to the client. The extended information is provided in an e-data
block as part of the kerberos error message, and allows the client
to determine which specific error condition occurred.
From Andrew Kroeger and Andrew Bartlett
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@22693 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-03-19 08:57:49 +00:00
Love Hörnquist Åstrand
5fed824f37
its vs it's etc. From Bjorn Sandell
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@22071 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-11-14 20:04:50 +00:00
Love Hörnquist Åstrand
6f7200b830
Adding same enctype is enough one time. From Andy Polyakov and Bjorn Sandell.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@22016 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-10-24 20:41:20 +00:00
Love Hörnquist Åstrand
8b335a5c13
(get_pa_etype_info2): more paranoia, avoid sending warning about pruned etypes.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21974 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-10-18 19:45:03 +00:00
Love Hörnquist Åstrand
6a5e6b676a
(older_enctype): old windows enctypes (arcfour based) "old", this to support windows 2000 clients (unjoined to a domain). From Andy Polyakov.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21964 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-10-18 18:23:22 +00:00
Love Hörnquist Åstrand
8d40c2994b
check return value of alloc functions, from Charles Longeau
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21745 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-07-31 16:11:25 +00:00
Love Hörnquist Åstrand
525a60ea59
Java 1.6 expects the name to be the same type, let's allow that
...
uncomplicated name-types.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21529 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-07-13 12:37:14 +00:00
Love Hörnquist Åstrand
45637f2bcc
Don't send newer enctypes in ETYPE-INFO.
...
(get_pa_etype_info2): return the enctypes as sorted in the database
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21496 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-07-11 09:20:21 +00:00
Love Hörnquist Åstrand
59f03abf38
Improve the default salt detection to avoid returning v4 password
...
salting to java that doesn't look at the returning padata for salting.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21411 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-07-04 20:13:29 +00:00
Love Hörnquist Åstrand
6b687aaa00
Constify.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21040 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-06-10 06:20:59 +00:00
Love Hörnquist Åstrand
1c488f05de
If _kdc_pk_check_client fails, bail out directly and hand the error back to the client.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20742 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-05-31 17:15:15 +00:00
Love Hörnquist Åstrand
4d85d882e1
Also add a KRB5_PADATA_PK_AS_REQ_WIN for windows pk-init (-9) to make MIT clients happy.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20734 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-05-31 16:00:37 +00:00
Love Hörnquist Åstrand
26c0e3189d
catch failures from _krb5_principalname2krb5_principal
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20697 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-05-30 14:32:26 +00:00
Love Hörnquist Åstrand
9fe7e832c7
Return the same error codes as a windows KDC.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20279 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-02-22 02:05:53 +00:00
Love Hörnquist Åstrand
81a108b1d0
Make handling of replying e_data more generic, from metze.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20277 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-02-22 02:01:12 +00:00
Love Hörnquist Åstrand
21ddb4aee9
Fix (string const and shadow) warnings, from metze.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20276 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-02-22 01:50:37 +00:00
Love Hörnquist Åstrand
937df31de8
Select a session enctype from the list of the crypto systems supported
...
enctype, is supported by the client and is one of the enctype of the
enctype of the krbtgt.
The latter is used as a hint what enctype all KDC are supporting to
make sure a newer version of KDC won't generate a session enctype that
an older version of a KDC in the same realm can't decrypt.
But if the KDC admin is paranoid and doesn't want to have "not the
best" enctypes on the krbtgt, let's save the best pick from the client
list and hope that that will work for any other KDCs.
Reported by metze.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20271 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-02-22 01:21:46 +00:00
Love Hörnquist Åstrand
b0e9eb4583
switch some "return ret" to "goto out".
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20243 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-02-17 00:06:03 +00:00
Love Hörnquist Åstrand
6e6d429311
Pass down canonicalize request to hdb layer, sign client referrals.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20242 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-02-17 00:04:54 +00:00
Love Hörnquist Åstrand
99d0e79fb4
(_kdc_find_padata): if there is no padata, there is nothing to find.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@19906 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-01-14 22:39:41 +00:00
Love Hörnquist Åstrand
d7bdb6f04c
Use other keys to sign with.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@19805 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-01-10 18:16:42 +00:00
Love Hörnquist Åstrand
e8638c2c7a
Check for KRB5_PADATA_PA_PAC_REQUEST to check if we should include the
...
PAC in the krbtgt.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@19689 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-01-04 13:27:27 +00:00