A careful code review was undertaken, and it was determined
that the best way to store the extended attributes was in a
native ASN1 encoded field. LDAP does not understand the
SEQUENCE of SEQUENCE structures used extensively throughout
the extended attributes structure, and there was already a
precedent set for storing the krb5Key data in a native ASN1
encoded field.
A backend can return this if asked with HDB_F_GET_CLIENT|HDB_F_FOR_AS_REQ
for a KRB5_NT_ENTERPRISE_PRINCIPAL record or for HDB_F_GET_SERVER | HDB_F_FOR_TGS_REQ.
entry_ex->entry.principal->realm needs to return the real realm of the principal
(or at least a the realm of the next cross-realm trust hop).
This is needed to route enterprise principals between AD domain trusts.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Modify the NTMakefile rules for tests so that a failed test does
not prevent subsequent tests from being executed.
Change-Id: I9595ad4a1527feae7c402241bf06ab21a0b76d4a
Prior to this change hdb_unseal_keys_kvno() could return successfully (0)
if the choice_HDB_extension_data_hist_keys extension was found but the
hist_keys list was empty. As a side effect callers would believe that the
provide hdb_entry keys were unsealed when they weren't. This could cause
the KDC or kadmin to report invalid key size errors.
If the extension is present and the history list is empty attempt to
unseal the provided hdb_entry using hdb_unseal_keys_mkey().
Change-Id: I9218b02bccdbcf22133a9464a677374db53ade85
The hdb_ldap_create and hdb_ldapi_create prototypes use the "static"
keyword, but the functions themselves are not implemented as static.
Heimdal's buildsystem dynamically adds function declarations to
hdb-protos.h based on the actual function implementations. Those
declarations in hdb-protos.h are not declared as static.
Since the build system generates the declarations dynamically, just
remove them from hdb-ldap.c.
The use of the wrong value for the length of ":mkey=" was identified
by Brian May and reported via github:
https://github.com/heimdal/heimdal/issues/40
Change-Id: I0aed86a5bb0359b7a266369076fde5e62f23b5fe
This uses a seperate hdb-ldap-secret-file configuration value, which
specifies an external file that may be used to supply the LDAP bind dn
and password. This allows that specific file to be configured with more
restrictive permissions than the global krb5.conf.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
Commit 9f696b11c2 changed the
behaviour of key expiry for principals that have an sambaPwdLastSet
attribute in LDAP. The change was twofold:
* if "password_lifetime" is not set in kdc.conf a default lifetime
of 1 year is enforced
* krb5PasswordEnd is not honoured.
This patch causes pw_end to be modified only if sambaPwdLastSet
*and* "password_lifetime" is defined in kdc.conf.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
To stop the errors when building concurrently, we make a number of
changes:
1. stop including generated files in *_SOURCES,
2. make *-protos.h and *-private.h depend on the *_SOURCES,
3. make all objects depend on *-{protos,private}.h,
4. in a few places change dir/header.h to $(srcdir)/dir/header.h,
This appears to work for me with make -j16 on a 4-way box.
synchronize the export lists on Windows and UNIX.
When new functions are exported on UNIX or Windows,
the "test" build target on Windows will verify if
the export lists are in sync.
Change-Id: I9df3607983b03ee8dc6fa7cd22f85b07a6cee784
heim_abort and heim_assert are not exported from heimdal.dll.
must link against heimbase to use them.
Change-Id: I57a29b90360f9036723c114f03a95684a4802529