Love Hornquist Astrand
c6a9bdb140
spelling
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
5edb5d0275
move out generic fast packet building into fast.c
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
6a74bba8f9
move out generic fast packet building into fast.c
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
e372cc6b8a
re-shuffle to make c90 compatible
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
1af9487bff
got fetch armor key
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
a1feab396e
more ticket bits
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
d04289855e
more bits
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
96299ac2bb
no warnings
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
3b034b231d
more bits
2011-07-24 20:24:35 -07:00
Love Hornquist Astrand
7802e24170
first drop of the AS-REQ FAST + krb-error FAST codepath
2011-07-24 20:24:34 -07:00
Love Hornquist Astrand
f2c7370609
announce fx-fast
2011-07-24 20:24:34 -07:00
Love Hörnquist Åstrand
f102ee7831
compiler warning
2011-07-24 19:56:09 -07:00
Love Hörnquist Åstrand
1124c4872d
KVNOs are krb5uint32 in RFC4120, make it so
2011-07-24 14:23:45 -07:00
Love Hörnquist Åstrand
af4aea85ae
cast to avoid size_t vs int issue
2011-07-24 13:07:07 -07:00
Love Hörnquist Åstrand
c5db78a3c2
switch to use use_strongest_server_key
...
use the same behavior as 1.4 release.
2011-07-24 10:33:28 -07:00
Stefan Metzmacher
296548d34a
kdc: pass down the delegated_proxy_principal to the verify_pac() function
...
This is needed in order to add the S4U_DELEGATION_INFO to the pac.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-07-23 11:48:11 -07:00
Stefan Metzmacher
626d2607d5
kdc/windc_plugin.h: KRB5_WINDC_PLUGIN_MINOR 4 => 5
...
commit "heimdal Add support for extracting a particular KVNO from the database"
(f469fc6d49 in heimdal/master and 9b5e304ccedc8f0f7ce2342e4d9c621417dd1c1e in samba/master)
changed the windc_plugin interface, so we need to change the
version number.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-07-23 11:48:11 -07:00
Stefan Metzmacher
aabb937b46
kdc: don't allow self delegation if a backend check_constrained_delegation() hook is given
...
A service should use S4U2Self instead of S4U2Proxy.
Windows servers allow S4U2Proxy only to explicitly configured
target principals.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-07-23 11:48:11 -07:00
Stefan Metzmacher
6cb0e81760
kdc: pass down the server hdb_entry_ex to check_constrained_delegation()
...
This way we can compare the already canonicalized principals,
while still passing the client specified target principal down
to the backend specific constrained_delegation() hook.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-07-23 11:48:11 -07:00
Stefan Metzmacher
d6a56b847b
kdc: use the correct client realm in the EncTicketPart
...
With S4U2Proxy tgt->crealm might be different from tgt_name->realm.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-07-23 11:48:11 -07:00
Love Hörnquist Åstrand
12403a31ce
sprinkle more windows files
2011-07-23 11:18:21 -07:00
Love Hörnquist Åstrand
7aaba443bc
add NTMakefile and windows directories
2011-07-17 12:16:59 -07:00
Love Hörnquist Åstrand
d756ad019a
make tests pass again
2011-06-19 11:49:33 -07:00
Stefan Metzmacher
e54d07a9b6
kdc: check and regenerate the PAC in the s4u2proxy case
...
TODO: we need to add a S4U_DELEGATION_INFO to the PAC later.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-06-19 10:26:11 -07:00
Stefan Metzmacher
9ab4070800
kdc: pass the correct principal name for the resulting service ticket
...
Depending on S4U2Proxy the principal name for the resulting
ticket is not the principal of the client ticket.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-06-19 10:26:11 -07:00
Stefan Metzmacher
2c031ca78c
kdc: let check_PAC() verify the incoming server and krbtgt checksums
...
For a normal TGS-REQ they're both signed with krbtgt key.
But for S4U2Proxy requests which ask for constrained delegation,
the keys differ.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-06-19 10:26:11 -07:00
Love Hörnquist Åstrand
e9e4f99f01
add missing space in log message
2011-06-14 22:00:25 -07:00
Nicolas Williams
f93a56f931
Set improved enctypes parameter defaults to better match the RFC.
...
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-06-14 20:35:19 -07:00
Nicolas Williams
c06d5ebfda
Fixes to patches that add *use-strong* parameters.
...
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-06-14 20:35:19 -07:00
Nicolas Williams
8ada355954
Forgot to default use_strongest_server_key...
...
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-06-14 20:35:19 -07:00
Nicolas Williams
76a192b906
Forgot to default preauth_use_strongest_session_key...
...
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-06-14 20:35:19 -07:00
Nicolas Williams
256cf6ea12
This patch adds support for a use-strongest-server-key krb5.conf kdc parameter that controls how the KDC (AS and TGS) selects a long-term key from a service principal's HDB entry. If TRUE the KDC picks the strongest supported key from the service principal's current keyset. If FALSE the KDC picks the first supported key from the service principal's current keyset.
...
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-06-14 20:35:19 -07:00
Nicolas Williams
481fe133b2
Also added preauth-use-strongest-session-key krb5.conf kdc parameter, similar to {as, tgs}-use-strongest-session-key. The latter two control ticket session key enctype selection in the AS and TGS cases, respectively, while the former controls PA-ETYPE-INFO2 enctype selection in the AS case.
...
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-06-14 20:35:19 -07:00
Nicolas Williams
a7a8a7e95c
Initial patch to add as-use-strongest-session-key and same for tgs krb5.conf parameters for the KDC. These control the session key enctype selection algorithm for the AS and TGS respectively: if TRUE then they prefer the strongest enctype supported by the client, the KDC and the target principal, else they prefer the first enctype from the client's list that is also supported by the KDC and the target principal.
...
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
2011-06-14 20:35:19 -07:00
Love Hornquist Astrand
0879b9831a
remove trailing whitespace
2011-05-21 11:57:31 -07:00
Thomas Klausner
db8e287e41
Use "Fl Fl" for long options.
...
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2011-05-21 11:54:14 -07:00
Jeffrey Altman
6850d6a65f
avoid uninit variable and unreachable code warnings
...
most of these warnings are not problems because of ample
use of abort() calls. However, the large number of warnings
makes it difficult to identify real problems. Initialize
the variables to shut up the compilers.
Change-Id: I8477c11b17c7b6a7d9074c721fdd2d7303b186a8
2011-05-17 12:02:16 -04:00
Love Hornquist Astrand
657297a738
clean the last bits of KRB4 support in KDC
2011-05-07 11:44:15 -07:00
Love Hornquist Astrand
b1909b2daa
Fixes from NetBSD via Thomas Klausner and Roland C. Dowdeswell
2011-05-04 21:31:10 -07:00
Love Hornquist Astrand
9a1a5e5da6
Mandoc and spelling fixes from Thomas Klausner
2011-04-29 20:37:33 -07:00
Love Hornquist Astrand
f5f9014c90
Warning fixes from Christos Zoulas
...
- shadowed variables
- signed/unsigned confusion
- const lossage
- incomplete structure initializations
- unused code
2011-04-29 20:25:05 -07:00
Love Hornquist Astrand
c178563bef
use ntlm_service
2011-04-14 12:54:15 -07:00
Love Hornquist Astrand
d9b3c87fc3
use unix sockets too
2011-04-14 12:54:15 -07:00
Love Hornquist Astrand
00b3524892
link with libheimntlm.la
2011-04-14 12:54:15 -07:00
Stefan Metzmacher
a02402bb19
HEIMDAL:kdc: correctly propagate HDB_ERR_NOT_FOUND_HERE to via tgs_parse_request() and _kdc_tgs_rep()
...
metze
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2011-03-12 11:37:13 -08:00
Jelmer Vernooij
e380769729
kdc.h: Include hdb.h first, so kdc.h can be included standalone.
...
This makes it a bit easier to find libhdb in e.g. configure tests and
is consistent with the main header files for the other Heimdal
libraries, none of which has any prerequisite other headers.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2011-02-26 13:06:15 -08:00
Andrew Bartlett
6ee82593ec
heimdal Pass F_CANON down to the hdb layer for servers in AS-REP as well
...
This fixes Win2003 domain logons against Samba4, which need a
canonicalised reply, and helpfully do set that flag.
Specifically, they need that realm in krbtgt/realm@realm that these
both match exactly in the reply.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Feb 17 06:40:53 CET 2011 on sn-devel-104
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2011-02-23 19:46:21 -08:00
Love Hornquist Astrand
b746f1ce34
add _kdc_db_fetch and _kdc_free_ent for digest-service
2011-01-30 12:12:30 -08:00
Asanka C. Herath
6d662f71d7
Windows: Fix export lists
2010-11-29 10:53:49 -05:00
Love Hornquist Astrand
290aed8056
add missing ;
2010-11-28 19:49:27 -08:00