samba.git/source4/kdc, branch master Unnamed repository; edit this file 'description' to name the repository. s4:kdc:db-glue:tests free principal 2026-02-23T20:16:34+00:00 Gary Lockyer gary@catalyst.net.nz 2026-02-18T23:19:35+00:00 fb16086ba44ad1943ec6796c8d607ed4c37eb064 Call krb5_free_principal to quiet valgrind leak reports Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> 
Call krb5_free_principal to quiet valgrind leak reports

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
s4:kdc:db-glue altSecurityIdentities DN and serial reversed 2026-02-23T20:16:34+00:00 Gary Lockyer gary@catalyst.net.nz 2026-02-18T23:18:38+00:00 580051e5686d9a26d2502eb969f7a80e13519afb When altSecurityIdentities is set by RSAT / ADUC they store the Issuer and Subject DN in last to first order i.e. CN=Common Name, O=Organization, C=Country Need to reverse that to first to last order, i.e. C=Country, O=Organization, CN=Common name Which is how they're stored on the X509 certificates. Also the serial number is stored in reverse order. BUG: https://bugzilla.samba.org/show_bug.cgi?id=16001 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> 
When altSecurityIdentities is set by RSAT / ADUC they store the
Issuer and Subject DN in last to first order i.e.
       CN=Common Name, O=Organization, C=Country
Need to reverse that to first to last order, i.e.
       C=Country, O=Organization, CN=Common name
Which is how they're stored on the X509 certificates.

Also the serial number is stored in reverse order.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16001

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
CVE-2026-20833: s4:kdc: Make default domain supported enctypes AES by default 2026-02-18T00:49:34+00:00 Jennifer Sutton jennifersutton@catalyst.net.nz 2026-01-30T02:03:42+00:00 802649fa35ed37de69f6ca0593a39399575ac6e4 If AES keys are available in the domain, assume that service accounts support AES by default. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15998 Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 
If AES keys are available in the domain, assume that service accounts support
AES by default.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15998

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
s4:kdc: Return SDB_ERR_NOENTRY if canonicalization is required 2026-01-21T03:43:35+00:00 Jennifer Sutton jennifersutton@catalyst.net.nz 2026-01-20T03:42:38+00:00 8cfe34739c7b75a687685e722540c2ac88b90d63 MIT Kerberos maps this error code to KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, avoiding problems from the KDC returning KRB5KRB_ERR_GENERIC. Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 
MIT Kerberos maps this error code to KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, avoiding
problems from the KDC returning KRB5KRB_ERR_GENERIC.

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
lib: Remove &data_blob_null refs 2026-01-20T11:53:34+00:00 Volker Lendecke vl@samba.org 2025-12-30T09:34:49+00:00 74858220d9fdcb26244d9fb5a0252c98e3a46e2d The next patch will remove the data_blob_null global constant. The APIs here are a bit weird in that they don't work fine with a NULL pointer but require a reference to a NULL blob. But that's few enough to add the special case in the callers. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org> 
The next patch will remove the data_blob_null global constant. The
APIs here are a bit weird in that they don't work fine with a NULL
pointer but require a reference to a NULL blob. But that's few enough
to add the special case in the callers.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
s4:kdc: honour "kdc require canonicalization = yes" 2026-01-15T01:48:37+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2025-11-26T20:29:00+00:00 2cfb2041deaccb38d144f59527a11673d7a0fd6d Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
kdc: match implicit dollar without canon affects AS_REQ client only 2026-01-15T01:48:37+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2025-11-26T22:12:21+00:00 e904e8b229bd0fb84803adbb60b6a4b0a62addfc The smb.conf option kdc name match implicit dollar without canonicalization = no is supposed to avoid the dollar ticket attack by refusing to consider "foo$" as a match for "foo" unless canonicalization is requested. This was rather blunt however, as the only time we care about this is for the client name in an AS_REQ, and we can easily check whether that is the case. This makes the option less intrusive, allowing the use of "SERVER" for a server name rather than "SERVER$". A number of tests no longer fail. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
The smb.conf option

  kdc name match implicit dollar without canonicalization = no

is supposed to avoid the dollar ticket attack by refusing to consider
"foo$" as a match for "foo" unless canonicalization is requested.

This was rather blunt however, as the only time we care about this is for
the client name in an AS_REQ, and we can easily check whether that is the
case.

This makes the option less intrusive, allowing the use of "SERVER" for a
server name rather than "SERVER$". A number of tests no longer fail.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
auth: Use new data_blob_..._s() functions and remove talloc_keep_secret() 2025-12-08T17:18:29+00:00 Pavel Filipenský pfilipensky@samba.org 2025-11-26T09:34:02+00:00 562c2a9b258288cbf3a5b07a9da56b69d0a5d7a2 Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 s4:kdc: avoid reusing a variable name 2025-11-20T21:25:39+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2025-11-12T03:56:17+00:00 b3d88b24c88e8d79bf958da576759ea7391237ad fallback_principal was used for two different uses: a copy of the original principal from which to derive values, and a new principal which has the '$' appended on the account name. We might as well be clear and an optimising compiler won't see the difference. Whether we actually need a temporary principal as opposed to using the one that was passed in is a separate question. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> 
fallback_principal was used for two different uses: a copy of the
original principal from which to derive values, and a new principal
which has the '$' appended on the account name. We might as well be
clear and an optimising compiler won't see the difference.

Whether we actually need a temporary principal as opposed to using the
one that was passed in is a separate question.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
s4:kdc: do not match principal + '$' if smb.conf says not to 2025-11-20T21:25:39+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2025-11-12T03:22:05+00:00 7b9e22e696861100fe154394a006c9eba6bf397d With this patch we honour kdc name match implicit dollar without canonicalization = no Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> 
With this patch we honour

 kdc name match implicit dollar without canonicalization = no

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>