In order to support batch jobs systems that run many users' jobs and
which jobs need credentials, we add a /get-tgts end-point that is a
batched version of the /get-tgt end-point. This end-point returns JSON.
Also, we make GETs optional, default to not-allowed in preference of
POSTs.
We also correct handling of POST (before POSTs with non-zero-length bodies
would cause the server to close the connection), and add additional CSRF
protection features, including the ability to disable all GET requests
for /get-keys and /get-config.
Add support for configuring the attributes of new principals created via
httpkadmind. This can be done via virtual host-based service
namespaces, which will provide default attributes even if disabled (but
the created principals will not be disabled, naturally), or via
krb5.conf.
Test that we can still do other things after `kadmin list` to make sure
we're not leaving -after listing- the connection in a state where other
operations can't work.
Also, no more sleeps at all in the test.
Any callback of kadm5_iter_principals() that wants to call other kadm5
functions (such as kadm5_get_principal()) needs to do so on a different
kadm5 handle than the one used for kadm5_iter_principals().
This is an attempt to make sure we test realm migration aliases by doing
kinit w/ a hard alias name in a different realm, and that we can get
service tickets for services in the same and other realms some of which
are hard aliases in one direction, and some in the other.
Implement a variation on the op for listing principals where if the
client indicates support for the new variation then we stream the list
instead of collecting it into one reply. This is the server-side
version of the associated, preceding commit:
kadm5: Add online kadm5_iter_principals()
Not sure why we ever needed the run-kadmind-for-one-operation approach
to testing. Anyways, we probably don't. Ditching that and using the
--detach mechanism of daemonization means we don't need to sleep in the
test (except when we need to restart kadmind with different options).
We introduced a notion of soft vs. hard aliases in the previous commit
(hdb: Distinguish soft and hard principal aliases).
This commit corrects existing test cases and adds new test cases.
Soft aliases allow for the configuration of referrals using HDB entries.
Hard aliases are like copies of the aliased HDB entries. These are
useful for renaming principals (and realms).
See the preceding commit.
We will use the kdc_ rather than krb5_kdc_ prefix for new public APIs exported
from libkdc. Amend the recently introduced
request_{get,set,copy,delete}_attribute APIs to conform.
Remove hdb_entry_ex and revert to the original design of hdb_entry (except with
an additional context member in hdb_entry which is managed by the free_entry
method in HDB).
Add some notes about the KDC plugin API contract, and require plugins to
explicitly indicate which version of the API they support (remove the macro
alias for the current version).
Rename the "windc" plugin API to the more general "kdc" plugin API, for two
reasons: the Heimdal KDC uses the Windows PAC even when not emulating a domain
controller, and the plugin API has accreted methods that are not specific to
emulating a domain controller (such as referral_policy and finalize_reply).
Allow the windc plugin to also implement an audit callback. As part of this
change, both the HDB and windc audit function signatures are changed to return
void.
Add a referral policy hook to the TGS as a more elegant way of resolving
referral detection for Samba). The hook can either rewrite the server_princ in
the request, or it can return an error to disable built-in referral processing.
Add a new method for issuing referrals for entire namespaces of hostnames.
An alias of the form WELLKNOWN/HOSTBASED-NAMESPACE/service/namespace-fqdn@REALM
will cause all requests for host-based principals in the given namespace to be
referred to the given realm.
Make client_access plugin API take a single argument, astgs_request_t. Note: in
order to avoid making r->outpadata public (it's an internal buffer), but allow
Samba to modify the reply pa data, some pointer magic is required.
PACs are included when issuing TGTs, if there is no PAC_ATTRIBUTES buffer
(legacy behavior) or if the attributes buffer indicates the AS client requested
one.
Add PAC_ATTRIBUTES_INFO to the PAC. This info buffer indicates whether the user
explicitly requested a PAC be present or absent.
Note: this changes the windc plugin ABI.
If the UPN_DNS_INFO buffer in the Windows PAC contains a canonical principal
name, use it in lieu of the ticket client name to determine the GSS-API
initiator name.
Samba includes the user's long-term credentials (encrypted in the AS reply key)
to allow legacy authentication protocols such as NTLM to work even if the
pre-authentication mechanism replaced the reply key (as PKINIT does).
Samba also needs to know whether the client explicitly requested a PAC be
included (or excluded), in order to defer PAC exclusion until a service ticket
is issued (thereby avoiding a name binding attack if the user is renamed
between TGT and service ticket issuance).
References:
https://bugzilla.samba.org/show_bug.cgi?id=11441https://bugzilla.samba.org/show_bug.cgi?id=14561Closes: #864
Original authors:
- Joseph Sutton <josephsutton@catalyst.net.nz>
- Andrew Bartlett <abartlet@samba.org>
- Stefan Metzmacher <metze@samba.org>
