samba.git/source4/kdc/wscript_build, branch master Unnamed repository; edit this file 'description' to name the repository. s4:kdc:sdb_to_hdb key trust support 2025-09-16T23:23:42+00:00 Gary Lockyer gary@catalyst.net.nz 2025-08-11T00:00:03+00:00 f52ea1082bf245f6bfd424b6ba76c74881df97b5 Convert key trust public keys contained in the clients sdb records, and add to the HDB_Ext_KeyTrust extension on the clients HDB record Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org> Autobuild-Date(master): Tue Sep 16 23:23:42 UTC 2025 on atb-devel-224 
Convert key trust public keys contained in the clients sdb records, and add
to the HDB_Ext_KeyTrust extension on the clients HDB record

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Tue Sep 16 23:23:42 UTC 2025 on atb-devel-224
s4:kdc Support for key trust authentication 2025-07-29T05:31:10+00:00 Gary Lockyer gary@catalyst.net.nz 2025-07-25T01:22:27+00:00 33b55227db888acf70db9ff44c385a294e07ce36 Extract the public kes from msDS-KeyCredentialLink and populate the sdb structure. These values can then be passed to Kergeros to allow key trust authentication. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org> Autobuild-Date(master): Tue Jul 29 05:31:10 UTC 2025 on atb-devel-224 
Extract the public kes from msDS-KeyCredentialLink and populate the sdb
structure.  These values can then be passed to Kergeros to allow key
trust authentication.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Tue Jul 29 05:31:10 UTC 2025 on atb-devel-224
kdc: Detect (about to) expire UF_SMARTCARD_REQUIRED accounts and rotate passwords 2024-06-10T04:27:30+00:00 Andrew Bartlett abartlet@samba.org 2024-05-20T23:14:50+00:00 1e1c80656f7d19d1cfde118bdba75a576da978f7 This ensures that before the KDC starts to process the entry we check if it is expired and rotate it. As an account with UF_SMARTCARD_REQUIRED simply can not expire unless msDS-ExpirePasswordsOnSmartCardOnlyAccounts is set and the Domain Functional Level is >= 2016 we do not need to do configuration checks here. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Jo Sutton <josutton@catalyst.net.nz> Pair-programmed-by: Jo Sutton <josutton@catalyst.net.nz> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz> 
This ensures that before the KDC starts to process the entry
we check if it is expired and rotate it.  As an account with
UF_SMARTCARD_REQUIRED simply can not expire unless
msDS-ExpirePasswordsOnSmartCardOnlyAccounts is set and
the Domain Functional Level is >= 2016 we do not need
to do configuration checks here.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Pair-programmed-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
s4:kdc: Fix grammar 2024-04-21T22:10:36+00:00 Jo Sutton josutton@catalyst.net.nz 2024-04-09T03:07:23+00:00 460b1935b966f920cb117da6ca5a6ba9c48e7725 Signed-off-by: Jo Sutton <josutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:kdc: Return NTSTATUS and auditing information from samba_kdc_update_pac() to be logged 2023-06-25T23:29:33+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-06-16T02:49:11+00:00 cf139d14218ab1423949fbc952ae056943858dc8 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:kdc: Add helper function to determine whether authentication to a server is allowed 2023-06-25T23:29:33+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-06-15T23:20:04+00:00 071ad174d925f9114be7873f5dbf569080a4cf39 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth: Move authn_policy code into auth subsystem 2023-06-15T05:29:28+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-06-15T02:59:10+00:00 b3a85655825fb6c6a1d668379c1ab004707dc56d This ensures that this code will still be usable by other libraries and subsystems if Samba is built with ‘--without-ad-dc’. We also drop dependencies on ‘ldb’ and ‘talloc’ that we shouldn’t have needed anyway. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
This ensures that this code will still be usable by other libraries and
subsystems if Samba is built with ‘--without-ad-dc’.

We also drop dependencies on ‘ldb’ and ‘talloc’ that we shouldn’t have
needed anyway.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:kdc: Add support for constructed claims (for authentication silos) 2023-05-18T01:58:24+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-03-28T02:10:50+00:00 6ee5c80ea9610adf4e4624d2e1953e3fc3e91b71 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu May 18 01:58:24 UTC 2023 on atb-devel-224 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 18 01:58:24 UTC 2023 on atb-devel-224
s4:kdc: Look up authentication policies for Kerberos clients and servers 2023-05-18T01:03:37+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-05-04T03:06:40+00:00 1fdff3710511c92bd103473e4c296c98f971dd13 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:kdc: Add helper functions for authentication policies 2023-05-18T01:03:37+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-05-03T22:59:49+00:00 f547cf1db865f93f634e561945da9da44c697f29 These functions are not yet used. They are arranged into two libraries: ‘authn_policy’, containing the core functions, and ‘authn_policy_util’, containing utility functions that can access the database. This separation is so that libraries depended upon by ‘samdb’ or ‘dsdb-module’ can use the core functions without introducing a dependency cycle. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
These functions are not yet used.

They are arranged into two libraries: ‘authn_policy’, containing the
core functions, and ‘authn_policy_util’, containing utility functions
that can access the database. This separation is so that libraries
depended upon by ‘samdb’ or ‘dsdb-module’ can use the core functions
without introducing a dependency cycle.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>