Also: add support for ignoring null enctype / zero-length keys,
which *can* be found in MIT DB entries created in pre-historic
times.
Also: make the mitdb HDB backend more elegant (e.g., use the ASN.1
compiler's generated sequence/array utility functions.
Also: add a utility function needed for kadm5 kvno change
improvements and make kadmin's mod --kvno work correctly and
naturally.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Heimdal can be executed in environments in which the user
account profile is not loaded. In such environments it is
not possible to use PROV_RSA_FULL as it stores required
data within the profile. Instead, fallback to PROV_RNG which
does not store data within the profile and can be used to access
secure random number generator routines.
Change-Id: If600246f39645ed6bf5af0dd237f5adfddcf6c0c
on a big endian machine, usage of this file in the kernel
is somewhat troublesome since the linux kernel already has
a well known global/#define called current.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
This will be used to indicate to the backend if a fetch is for
an AS REQ or TGS REQ. Samba needs to take some action in the
HDB_F_FOR_TGS_REQ case and always canonicalize the principal
names, even without HDB_F_CANON.
metze
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
The 'min_args' and 'max_args' values were ignored whenever
an 'argument' value was not present as a child of the 'command'.
'argument' values are often specified as children of the 'option'
value when more than one 'option' is an argument.
This patchset counts the number of 'argument' values specified
under a 'command' regardless of the level at which it appears.
If there are any 'argument' values, the 'min_args' and 'max_args'
are used to generate validation code for the 'command'.
Change-Id: Idc6129b4ff29914ac990f693b4dba51a30bdc971
Krb5 admin patches 2nd
This has all the patches needed for krb5_admind to build and pass most tests, that includes:
- more kadm5 API compatibility (including very basic profile functionality)
- multi-kvno support (useful for key rollovers) (a test for this is included in tests/db/check-kdc)
Unfinished:
- password history (currently uses key history, needs to be separated and use digests)
- policies (only default policy allowed)
- mit kdb changes not tested yet
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
Added to 11 out of 14 directories with map files. Not lib/ntlm,
lib/hcrypto and kdc which have the map file as an explicit dependency
to _OBBJECTS.
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
Windows does not use a KVNO when it checks it's passwords, and MIT
doesn't check the KVNO when no acceptor identity is specified (looping
over all keys in the keytab).
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
The libkadm5 functions hdb_open() and close around all HDB ops. This
meant the previous implementation of kadm5_lock() and unlock would
always result in a core dump. Now we hdb_open() for write in
kadm5_lock() and hdb_close() in kadm5_unlock(), with all kadm5_s_*()
functions now not opening nor closing the HDB when the server context
keep_open flag is set.
Also, there's now kadmin(8) lock and unlock commands. These are there
primarily as a way to test the kadm5_lock()/unlock() operations, but
MIT's kadmin.local also has lock/unlock commands, and these can be
useful for scripting (though they require much care).
