<feed xmlns='http://www.w3.org/2005/Atom'>
<title>samba.git/source4/heimdal/kdc, branch talloc-2.1.10</title>
<subtitle>Unnamed repository; edit this file 'description' to name the repository.</subtitle>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/'/>
<entry>
<title>heimdal: Pass extra information to hdb_auth_status() to log success and failures</title>
<updated>2017-03-29T00:37:28+00:00</updated>
<author>
<name>Andrew Bartlett</name>
<email>abartlet@samba.org</email>
</author>
<published>2017-02-21T01:07:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=f498ba77df2313e78863e5f2706840c43e232a96'/>
<id>f498ba77df2313e78863e5f2706840c43e232a96</id>
<content type='text'>
We now pass on the original client name and the client address to allow
consistent audit logging in Samba across multiple protocols.

We use config-&gt;db[0] to find the first database to record incorrect
users.

Signed-off-by: Andrew Bartlett &lt;abartlet@samba.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We now pass on the original client name and the client address to allow
consistent audit logging in Samba across multiple protocols.

We use config-&gt;db[0] to find the first database to record incorrect
users.

Signed-off-by: Andrew Bartlett &lt;abartlet@samba.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>heimdal: Add initializer for stack pointers</title>
<updated>2017-03-27T18:08:18+00:00</updated>
<author>
<name>Andrew Bartlett</name>
<email>abartlet@samba.org</email>
</author>
<published>2017-03-20T02:15:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=a998c0073f508437714f462661165309049c1b10'/>
<id>a998c0073f508437714f462661165309049c1b10</id>
<content type='text'>
This helps ensure we know these are NULL until set

Signed-off-by: Andrew Bartlett &lt;abartlet@samba.org&gt;
Reviewed-by: Garming Sam &lt;garming@catalyst.net.nz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This helps ensure we know these are NULL until set

Signed-off-by: Andrew Bartlett &lt;abartlet@samba.org&gt;
Reviewed-by: Garming Sam &lt;garming@catalyst.net.nz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>HEIMDAL:kdc: make it possible to disable the principal based referral detection</title>
<updated>2017-03-10T10:37:22+00:00</updated>
<author>
<name>Stefan Metzmacher</name>
<email>metze@samba.org</email>
</author>
<published>2017-01-29T16:19:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=209886e95c3afe1e4e50bacc30b40a543856a7a0'/>
<id>209886e95c3afe1e4e50bacc30b40a543856a7a0</id>
<content type='text'>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554

Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Reviewed-by: Andreas Schneider &lt;asn@samba.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554

Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Reviewed-by: Andreas Schneider &lt;asn@samba.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>HEIMDAL:kdc: add krb5plugin_windc_pac_pk_generate() hook</title>
<updated>2016-07-22T21:34:21+00:00</updated>
<author>
<name>Stefan Metzmacher</name>
<email>metze@samba.org</email>
</author>
<published>2016-05-20T06:29:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=0022ea9efb0e7809fa2d060b294320eb0479cdd2'/>
<id>0022ea9efb0e7809fa2d060b294320eb0479cdd2</id>
<content type='text'>
This allows PAC_CRENDENTIAL_INFO to be added to the PAC
when using PKINIT. In that case PAC_CRENDENTIAL_INFO contains
an encrypted PAC_CRENDENTIAL_DATA.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Reviewed-by: Andrew Bartlett &lt;abartlet@samba.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This allows PAC_CRENDENTIAL_INFO to be added to the PAC
when using PKINIT. In that case PAC_CRENDENTIAL_INFO contains
an encrypted PAC_CRENDENTIAL_DATA.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Reviewed-by: Andrew Bartlett &lt;abartlet@samba.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>HEIMDAL:kdc: reset e_text after successful pre-auth verification</title>
<updated>2016-07-22T21:34:20+00:00</updated>
<author>
<name>Stefan Metzmacher</name>
<email>metze@samba.org</email>
</author>
<published>2016-05-20T12:57:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=f61833082ad5370bf67d316ec2f0a37e55d4eb60'/>
<id>f61833082ad5370bf67d316ec2f0a37e55d4eb60</id>
<content type='text'>
This is already fixed in upstream heimdal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Reviewed-by: Andrew Bartlett &lt;abartlet@samba.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This is already fixed in upstream heimdal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Reviewed-by: Andrew Bartlett &lt;abartlet@samba.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>kerberos: Return enc data on PREAUTH_FAILED</title>
<updated>2016-07-05T08:52:32+00:00</updated>
<author>
<name>Garming Sam</name>
<email>garming@catalyst.net.nz</email>
</author>
<published>2016-05-09T04:14:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=978bc8681e74ffa17f96fd5d4355094c4a26691c'/>
<id>978bc8681e74ffa17f96fd5d4355094c4a26691c</id>
<content type='text'>
Without the enc data, Windows clients will perform two AS-REQ causing the password
lockout count to increase by two instead of one.

Signed-off-by: Garming Sam &lt;garming@catalyst.net.nz&gt;
Reviewed-by: Andrew Bartlett &lt;abartlet@samba.org&gt;
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11539

Autobuild-User(master): Andrew Bartlett &lt;abartlet@samba.org&gt;
Autobuild-Date(master): Tue Jul  5 10:52:32 CEST 2016 on sn-devel-144
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Without the enc data, Windows clients will perform two AS-REQ causing the password
lockout count to increase by two instead of one.

Signed-off-by: Garming Sam &lt;garming@catalyst.net.nz&gt;
Reviewed-by: Andrew Bartlett &lt;abartlet@samba.org&gt;
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11539

Autobuild-User(master): Andrew Bartlett &lt;abartlet@samba.org&gt;
Autobuild-Date(master): Tue Jul  5 10:52:32 CEST 2016 on sn-devel-144
</pre>
</div>
</content>
</entry>
<entry>
<title>heimdal make kvno unsigned internally</title>
<updated>2016-05-24T01:00:39+00:00</updated>
<author>
<name>Uri Simchoni</name>
<email>uri@samba.org</email>
</author>
<published>2016-05-17T10:45:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=b2b951d14fa9464cf2333e611e5b651e1d57cf01'/>
<id>b2b951d14fa9464cf2333e611e5b651e1d57cf01</id>
<content type='text'>
The folks at heimdal didn't like the patch in
commit 6379737b7ddc6ccb752238c5820cc62e76a8da17 and insisted
that kvno should remain unsigned internally, even though it is
encoded as signed in packets. This patch reverts some of the
unsigned-&gt;signed changes in that commit, and resolves conversion
issues - in order to be aligned with upstream Heimdal.

Signed-off-by: Uri Simchoni &lt;uri@samba.org&gt;
Reviewed-by: Jeremy Allison &lt;jra@samba.org&gt;

Autobuild-User(master): Jeremy Allison &lt;jra@samba.org&gt;
Autobuild-Date(master): Tue May 24 03:00:39 CEST 2016 on sn-devel-144
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The folks at heimdal didn't like the patch in
commit 6379737b7ddc6ccb752238c5820cc62e76a8da17 and insisted
that kvno should remain unsigned internally, even though it is
encoded as signed in packets. This patch reverts some of the
unsigned-&gt;signed changes in that commit, and resolves conversion
issues - in order to be aligned with upstream Heimdal.

Signed-off-by: Uri Simchoni &lt;uri@samba.org&gt;
Reviewed-by: Jeremy Allison &lt;jra@samba.org&gt;

Autobuild-User(master): Jeremy Allison &lt;jra@samba.org&gt;
Autobuild-Date(master): Tue May 24 03:00:39 CEST 2016 on sn-devel-144
</pre>
</div>
</content>
</entry>
<entry>
<title>heimdal: encode/decode kvno as signed integer</title>
<updated>2016-05-07T19:14:21+00:00</updated>
<author>
<name>Uri Simchoni</name>
<email>uri@samba.org</email>
</author>
<published>2016-05-05T20:40:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=6379737b7ddc6ccb752238c5820cc62e76a8da17'/>
<id>6379737b7ddc6ccb752238c5820cc62e76a8da17</id>
<content type='text'>
This patch changes the encoding/decoding of kvno (key version number)
in blobs and packets to signed integer, for compatibility with Windows.
Reportedly, MIT Kerberos does the same.

This patch effectively reverts commit 1124c4872dfb81bec9c4b527b8927ca35e39a599
in the heimdal tree.

According to the Kerberos spec (RFC 4120 5.2.9), the kvno field
in encrypted data object is an unsigned integer that fits in
32 bits. The Heimdal Kerberos component bundled with Samba
conforms to this. However, Windows deviates from the standard
and encodes kvno as a signed integer, and this creates
interoperability issues.

ASN.1 DER has no special encoding for unsigned integer. A 32-bit
unsigned integer is encoded as a signed integer, so while a signed
32-bit integer (covering the range of -0x80000000..0x7fffffff) is
encoded using up to 4 bytes, an unsigned integer (covering
0..0xffffffff) could require 5 bytes.

Normally, kvno for a given account starts at 1 and increments on
password changes. Kerberos defined this as unsigned because there's
no meaning for negative version numbers, so the standard writers figured
4 billion versions is better than 2 billion. It was not
expected for a kvno to really go past 0x7fffffff and the distinction
usually does not matter. However, RODCs use kvnos which
have the most-significant bit set.

In Active Directory, RODCs have a private secret for the krbtgt,
because the assumption is that the RODC is less secure, and
recovering the domain krbtgt secret from the RODC would compromise
the security of the entire domain. The kvno field is being used
to identify the private krbtgt account that owns the key - the
upper 16 bits are the RODC id, and the lower 16 bits identify
the key version number for this specific RODC. It's common to
have an RODC id greater than 0x8000, and therefore to have a
kvno larger than 0x7fffffff, which would be DER-encoded using
5 bytes.

Windows encodes kvno as signed integer - basically taking the
32 bits and treating them as a signed integer rather than an
unsigned integer. This means that in Windows a kvno can
always be encoded using 4 bytes, and Windows DCs reject a kvno
encoded using more than 4 bytes without even generating an error
response (the DC assumes it's an attack).

Heimdal re-encodes the TGT when it creates a TGS request. Obviously
it cannot decode and encode the encrypted parts but it does re-encode
the plain parts, which include the kvno. That leads to a 5-byte
kvno in the TGS request, which is rejected without an error
response.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11900

Signed-off-by: Uri Simchoni &lt;uri@samba.org&gt;
Reviewed-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Reviewed-by: Ralph Boehme &lt;slow@samba.org&gt;

Autobuild-User(master): Ralph Böhme &lt;slow@samba.org&gt;
Autobuild-Date(master): Sat May  7 21:14:21 CEST 2016 on sn-devel-144
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch changes the encoding/decoding of kvno (key version number)
in blobs and packets to signed integer, for compatibility with Windows.
Reportedly, MIT Kerberos does the same.

This patch effectively reverts commit 1124c4872dfb81bec9c4b527b8927ca35e39a599
in the heimdal tree.

According to the Kerberos spec (RFC 4120 5.2.9), the kvno field
in encrypted data object is an unsigned integer that fits in
32 bits. The Heimdal Kerberos component bundled with Samba
conforms to this. However, Windows deviates from the standard
and encodes kvno as a signed integer, and this creates
interoperability issues.

ASN.1 DER has no special encoding for unsigned integer. A 32-bit
unsigned integer is encoded as a signed integer, so while a signed
32-bit integer (covering the range of -0x80000000..0x7fffffff) is
encoded using up to 4 bytes, an unsigned integer (covering
0..0xffffffff) could require 5 bytes.

Normally, kvno for a given account starts at 1 and increments on
password changes. Kerberos defined this as unsigned because there's
no meaning for negative version numbers, so the standard writers figured
4 billion versions is better than 2 billion. It was not
expected for a kvno to really go past 0x7fffffff and the distinction
usually does not matter. However, RODCs use kvnos which
have the most-significant bit set.

In Active Directory, RODCs have a private secret for the krbtgt,
because the assumption is that the RODC is less secure, and
recovering the domain krbtgt secret from the RODC would compromise
the security of the entire domain. The kvno field is being used
to identify the private krbtgt account that owns the key - the
upper 16 bits are the RODC id, and the lower 16 bits identify
the key version number for this specific RODC. It's common to
have an RODC id greater than 0x8000, and therefore to have a
kvno larger than 0x7fffffff, which would be DER-encoded using
5 bytes.

Windows encodes kvno as signed integer - basically taking the
32 bits and treating them as a signed integer rather than an
unsigned integer. This means that in Windows a kvno can
always be encoded using 4 bytes, and Windows DCs reject a kvno
encoded using more than 4 bytes without even generating an error
response (the DC assumes it's an attack).

Heimdal re-encodes the TGT when it creates a TGS request. Obviously
it cannot decode and encode the encrypted parts but it does re-encode
the plain parts, which include the kvno. That leads to a 5-byte
kvno in the TGS request, which is rejected without an error
response.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11900

Signed-off-by: Uri Simchoni &lt;uri@samba.org&gt;
Reviewed-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Reviewed-by: Ralph Boehme &lt;slow@samba.org&gt;

Autobuild-User(master): Ralph Böhme &lt;slow@samba.org&gt;
Autobuild-Date(master): Sat May  7 21:14:21 CEST 2016 on sn-devel-144
</pre>
</div>
</content>
</entry>
<entry>
<title>s4/heimdal: allow SPNs in AS-REQ</title>
<updated>2016-04-25T08:35:14+00:00</updated>
<author>
<name>Ralph Boehme</name>
<email>slow@samba.org</email>
</author>
<published>2016-04-24T05:39:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=20dc68050df7b1b0c9d06f8251183a0a6283fcaf'/>
<id>20dc68050df7b1b0c9d06f8251183a0a6283fcaf</id>
<content type='text'>
This allows testing keytabs with service tickets. Windows KDCs allow
this as well.

Signed-off-by: Ralph Boehme &lt;slow@samba.org&gt;
Reviewed-by: Andreas Schneider &lt;asn@samba.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This allows testing keytabs with service tickets. Windows KDCs allow
this as well.

Signed-off-by: Ralph Boehme &lt;slow@samba.org&gt;
Reviewed-by: Andreas Schneider &lt;asn@samba.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>heimdal:kdc: add support for HDB_ERR_WRONG_REALM</title>
<updated>2015-07-08T16:38:20+00:00</updated>
<author>
<name>Stefan Metzmacher</name>
<email>metze@samba.org</email>
</author>
<published>2015-02-10T13:37:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.exis.tech/samba.git/commit/?id=2d98800219e1bc434cccc09322b4b509879d2a7d'/>
<id>2d98800219e1bc434cccc09322b4b509879d2a7d</id>
<content type='text'>
A backend can return this if asked with HDB_F_GET_CLIENT|HDB_F_FOR_AS_REQ
for a KRB5_NT_ENTERPRISE_PRINCIPAL record or for HDB_F_GET_SERVER | HDB_F_FOR_TGS_REQ.

entry_ex-&gt;entry.principal-&gt;realm needs to return the real realm of the principal
(or at least the realm of the next cross-realm trust hop).

This is needed to route enterprise principals between AD domain trusts.

Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Reviewed-by: Andrew Bartlett &lt;abartlet@samba.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
A backend can return this if asked with HDB_F_GET_CLIENT|HDB_F_FOR_AS_REQ
for a KRB5_NT_ENTERPRISE_PRINCIPAL record or for HDB_F_GET_SERVER | HDB_F_FOR_TGS_REQ.

entry_ex-&gt;entry.principal-&gt;realm needs to return the real realm of the principal
(or at least the realm of the next cross-realm trust hop).

This is needed to route enterprise principals between AD domain trusts.

Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Reviewed-by: Andrew Bartlett &lt;abartlet@samba.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
