A service should use S4U2Self instead of S4U2Proxy.
Windows servers allow S4U2Proxy only to explicitly configured
target principals.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
This way we can compare the already canonicalized principals,
while still passing the client specified target principal down
to the backend specific constrained_delegation() hook.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
Depending on S4U2Proxy the principal name for the resulting
ticket is not the principal of the client ticket.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
For a normal TGS-REQ they're both signed with krbtgt key.
But for S4U2Proxy requests which ask for contrained delegation,
the keys differ.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
most of these warnings are not problems because of ample
use of abort() calls. However, the large number of warnings
makes it difficult to identify real problems. Initialize
the variables to shut up the compilers.
Change-Id: I8477c11b17c7b6a7d9074c721fdd2d7303b186a8
By checking the client principal here, we compare the realm based on
the normalised realm, but do so early enough to validate the PAC (and
regenerate it if required).
Andrew Bartlett
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Samba4 may modify the case of the realm in a returned entry, but will no longer modify the case of the prinicipal components.
The easy way to keep this test passing is to consider also what we
need to do to get the krbtgt account for the PAC signing - and to use
krbtgt/<this>/@REALM component to fetch the real krbtgt, and to use
that resutl for realm comparion.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Nov 15 08:47:44 UTC 2010 on sn-devel-104
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
This means that no reply packet should be generated, but that instead
the user of the libkdc API should forward the packet to a real KDC,
that has a full database.
Andrew Bartlett
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
This should allow master key rollover.
(but the real reason is to allow multiple krbtgt accounts, as used by
Active Directory to implement RODC support)
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Some hdb modules (samba4) may change the case of the realm in
a returned result. Use that to determine if it matches the krbtgt
realm also returned from the DB (the DB will return it in the 'right' case)
Andrew Bartlett
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
If we don't do this, the PAC is given for the machine accout, not the
account being impersonated.
Andrew Bartlett
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
This allows us to resolve multiple forms of a name, allowing for
example machine$@REALM to get an S4U2Self ticket for
host/machine@REALM.
Andrew Bartlett
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Pick the replykey to be the same as the preauth key, this allows
us to delay the picking of client key to when its needed, this
means that we can have a reply keys for PKINIT that is independant
of what keys the client have.
From RFC 4120, page 35
In preparing the authentication header, the client can select a sub-
session key under which the response from the Kerberos server will be
encrypted. If the client selects a sub-session key, care must be
taken to ensure the randomness of the selected sub-session key.
The client library alread handle this case.
Thanks to Sam Hartman to report this though Debian
Sign the client and auth time (like its done in the PAC) and let that
be ehough for now. Add a Typed hole so that we don't break wireprotocol
next time.
The problem was found by Matthieu Patou, whom also created the first
patch which I changed to look what the current code looks like.
History is tracked in [HEIMDAL-582].
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25338 ec53bebd-3082-4978-b11e-865c3cabbd6b
kdc Allow a password change when the password is expired
This requires a rework on Heimdal's windc plugin layer, as we want
full control over what tickets Heimdal will issue. (In particular, in
case our requirements become more complex in future).
The original problem was that Heimdal's check would permit the ticket,
but Samba would then deny it, not knowing it was for kadmin/changepw
Andrew Bartlett
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25294 ec53bebd-3082-4978-b11e-865c3cabbd6b
