samba.git/source4/kdc, branch talloc-2.3.3

s4:kdc: prefer newer enctypes for preauth responses

2021-07-01T18:37:14+00:00

This matches Windows KDCs, which was demonstrated by the
krb5.as_req_tests tests.

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Thu Jul  1 18:37:14 UTC 2021 on sn-devel-184

s4:kpasswd: Check return code of cli_credentials_set_conf()

2021-06-29T02:19:35+00:00

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett

s4:kdc:mit: Fix heap-use-after-free

2021-02-03T04:19:36+00:00

We need to duplicate the string as lp_load() will free the s4_conf_file
pointer and set it again.

Found with AddressSanitizer.

Signed-off-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett

s4: rename source4/smbd/ to source4/samba/

2020-11-27T10:07:18+00:00

Signed-off-by: Ralph Boehme 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Ralph Böhme 
Autobuild-Date(master): Fri Nov 27 10:07:18 UTC 2020 on sn-devel-184

lib/util: remove extra safe_string.h file

2020-08-28T02:18:40+00:00

lib/util/safe_string.h is similar to source3/include/safe_string.h, but
the former has fewer checks. It is missing bcopy, strcasecmp, and
strncasecmp.

Add the missing elements to lib/util/safe_string.h remove the other
safe_string.h which is in the source3-specific path. To accomodate
existing uses of str(n?)casecmp, add #undef lines to source files where
they are used.

Signed-off-by: Matthew DeVore 
Reviewed-by: David Mulder 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Jeremy Allison 
Autobuild-Date(master): Fri Aug 28 02:18:40 UTC 2020 on sn-devel-184

kdc: Remind us that these values need to match other values

2020-08-07T03:23:44+00:00

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall

kdc:db-glue: ignore KRB5_PROG_ETYPE_NOSUPP also for Primary:Kerberos

2020-07-28T14:04:26+00:00

Currently we only ignore KRB5_PROG_ETYPE_NOSUPP for
Primary:Kerberos-Newer-Keys, but not for Primary:Kerberos.

If a service account has msDS-SupportedEncryptionTypes: 31
and DES keys stored in Primary:Kerberos, we'll pass the
DES key to smb_krb5_keyblock_init_contents(), but may get
KRB5_PROG_ETYPE_NOSUPP.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14354

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Isaac Boukris 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Tue Jul 28 14:04:26 UTC 2020 on sn-devel-184

db-glue.c: set forwardable flag on cross-realm tgt tickets

2020-06-12T22:10:34+00:00

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233

Match Windows behavior and allow the forwardable flag to be
set in cross-realm tickets. We used to allow forwardable to
any server, but now that we apply disallow-forwardable policy
in heimdal we need to explicitly allow in the corss-realm case
(and remove the workaround we have for it the MIT plugin).

Signed-off-by: Isaac Boukris 
Reviewed-by: Andreas Schneider 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Jun 12 22:10:34 UTC 2020 on sn-devel-184

mit-kdc: Explicitly reject S4U requests

2020-03-10T14:46:04+00:00

Signed-off-by: Isaac Boukris 
Reviewed-by: Andreas Schneider 

Autobuild-User(master): Isaac Boukris 
Autobuild-Date(master): Tue Mar 10 14:46:04 UTC 2020 on sn-devel-184

Sign and verify PAC with ticket principal instead of canon principal

2020-03-10T13:02:27+00:00

With MIT library 1.18 the KDC no longer set
KRB5_KDB_FLAG_CANONICALIZE for enterprise principals which allows
us to not canonicalize them (like in Windows / Heimdal).

However, it now breaks the PAC signature verification as it was
wrongly done using canonical client rather than ticket client name.

Signed-off-by: Isaac Boukris 
Reviewed-by: Andreas Schneider 
Reviewed-by: Guenther Deschner