path: root/source4/auth/kerberos
Age | Commit message | Author | Files | Lines

2026-01-15 | s4:auth: Implement ‘krb5 acceptor report canonical client name’ option for Heimdal | Jennifer Sutton | 1 | -0/+4
    Adjust tests to match the new behaviour. The implementation is simply to set a flag that is already present in upstream Heimdal.
    Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

2026-01-07 | lib: Don't call a function to initialize an empty DATA_BLOB | Volker Lendecke | 1 | -2/+2
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Anoop C S <anoopcs@samba.org>

2025-11-13 | s4:kdc always include the PAC | Gary Lockyer | 1 | -0/+13
    Set the heimdal always_include_pac configuration flag, based on the samba kdc always include pac option.
    Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
    Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
    Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
    Autobuild-Date(master): Thu Nov 13 23:12:55 UTC 2025 on atb-devel-224

2024-07-02 | s4:auth: Correct order of parameters in documentation | Jo Sutton | 1 | -1/+1
    Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
    Reviewed-by: Martin Schwenke <martin@meltin.net>

2024-05-22 | s4:libnet_export_keytab: add only_current_keys option | Stefan Metzmacher | 1 | -1/+2
    By default we also export on the old and older passwords... In order to do a kinit with a keytab it might be useful to include only the current keys.
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2024-04-24 | s4:auth: Export AES128 gMSA keys along with AES256 keys by default | Jo Sutton | 1 | -1/+1
    This is what an existing test expects.
    Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2024-03-21 | s4:auth: Update error messages | Jo Sutton | 1 | -2/+2
    Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2024-03-21 | s4:auth: Allocate strings on shorter‐lived memory context | Jo Sutton | 1 | -4/+4
    Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2024-03-21 | s4:auth: Fix grammar in error message | Jo Sutton | 1 | -1/+1
    Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2024-03-14 | s4-auth/kerberos: Report errors observed during smb_krb5_remove_obsolete_keytab_entries() | Andrew Bartlett | 1 | -0/+1
    Previously any errors noticed during the main loop would be ignored.
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
    Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date(master): Thu Mar 14 23:16:16 UTC 2024 on atb-devel-224

2024-03-14 | s4-auth/kerberos: Do not add true duplicates to exported keytab | Andrew Bartlett | 2 | -3/+130
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

2024-03-14 | s4-auth/kerberos: Note the good possibility that the msDS-KeyVersionNumber is wrong | Andrew Bartlett | 1 | -0/+4
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

2024-03-14 | auth/credentials: Cope with GMSA 5min password preview in cli_credentials_set_gmsa_passwords() | Andrew Bartlett | 1 | -0/+1
    This is unused in Samba currently, but is a subtle race that will be difficult to debug if this is ever used, so this makes things easier for some future developer.
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

2024-03-14 | s4-libnet: Add export of gMSA keys to "samba-tool domain exportkeytab" | Andrew Bartlett | 1 | -0/+191
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

2024-03-14 | s4-auth/kerberos: Rename create_keytab() to smb_krb5_fill_keytab() | Andrew Bartlett | 1 | -13/+17
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

2024-03-14 | s4-auth/kerberos: Add define ENC_STRONG_SALTED_TYPES | Andrew Bartlett | 1 | -0/+2
    This allows us to mask out RC4 and insist on the modern AES types where that makes sense.
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

2024-03-14 | s4-auth/kerberos: Remove unused parameters to create_keytab() | Andrew Bartlett | 1 | -3/+1
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

2024-03-12 | auth: Simplify smb_krb5_send_to_kdc_state_destructor() | Volker Lendecke | 1 | -7/+3
    Replace a call to dbwrap_fetch_locked() with the higher-level dbwrap_delete().
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2023-12-21 | s4:auth: Clarify comment about requiring FAST armor | Joseph Sutton | 1 | -3/+3
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2023-12-08 | s4:auth: Fix code spelling | Joseph Sutton | 1 | -1/+1
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2023-11-29 | s4-auth/kerberos: Use FAST credentials for armor if specified in cli_credentials | Andrew Bartlett | 2 | -0/+48
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

2023-11-01 | s4:auth: Check that the PAC is not NULL before dereferencing it | Joseph Sutton | 1 | -0/+5
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2023-10-25 | s4:auth: Fix code spelling | Joseph Sutton | 1 | -1/+1
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2023-10-13 | s4:auth: Remove event context on failure | Joseph Sutton | 1 | -0/+3
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2023-10-13 | s4:auth: Fix resource leak (CID 1107222) | Joseph Sutton | 1 | -0/+2
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2023-09-27 | s4:auth: Fix ‘user_info_dc_out’ leak | Joseph Sutton | 1 | -2/+2
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2023-09-27 | s4:auth: Return a talloc‐allocated resource groups structure | Joseph Sutton | 1 | -7/+19
    Future callers will rely on resource_groups_out being talloc‐allocated.
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2023-09-27 | s4:auth: Introduce helper variable ‘resource_groups_in’ | Joseph Sutton | 1 | -4/+4
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2023-09-27 | s4:auth: Make returning resource groups the last thing we do | Joseph Sutton | 1 | -10/+10
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2023-09-14 | lib:krb5_wrap: Remove Heimdal‐only krb5_princ_component() implementation | Joseph Sutton | 1 | -4/+0
    This implementation is no longer called: using a variable of static storage duration as a conduit for return values is only asking for trouble.
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2023-09-14 | lib:krb5_wrap: Add Heimdal‐specific smb_krb5_princ_component() implementation | Joseph Sutton | 1 | -1/+1
    This implementation doesn’t rely on a variable of static storage duration being used as a conduit for the return value.
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2023-09-14 | lib:krb5_wrap: Add smb_krb5_princ_component() | Joseph Sutton | 1 | -0/+5
    For now this function is a mere wrapper round krb5_princ_component(), but one whose interface allows for a more sensible implementation.
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2023-08-14 | s4:auth: Add missing space to error message | Joseph Sutton | 1 | -1/+1
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2023-08-14 | s4:auth: Fix code spelling | Joseph Sutton | 1 | -1/+1
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2023-08-08 | s4:auth: Add missing newlines to logging messages | Joseph Sutton | 1 | -2/+2
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2023-08-03 | s4:auth: Fix code spelling | Andreas Schneider | 3 | -16/+16
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

2023-07-31 | auth:kerberos: Fix resource leak in smb_krb5_update_keytab() | Pavel Filipenský | 1 | -5/+6
    Reported by Red Hat internal covscan leaked_storage: Variable "keytab" going out of scope leaks the storage it points to.
    Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>

2023-07-31 | auth:kerberos: Fix resource leak in smb_krb5_get_keytab_container() | Pavel Filipenský | 1 | -6/+16
    Reported by Red Hat internal covscan leaked_storage: Variable "keytab" going out of scope leaks the storage it points to.
    Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>

2023-07-31 | auth:kerberos: Fix resource leak in parse_principal() | Pavel Filipenský | 1 | -8/+19
    Reported by Red Hat internal covscan leaked_storage: Variable "princ" going out of scope leaks the storage it points to.
    Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>

2023-07-31 | s4:auth: Fix trailing whitespaces in kerberos_util.c | Pavel Filipenský | 1 | -9/+9
    Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>

2023-02-08 | s4:kdc: Add resource SID compression | Joseph Sutton | 2 | -4/+29
    The domain-local groups that are added to the PAC of a service ticket are now, if the service doesn't disclaim support for SID compression, placed into the resource groups structure in PAC_LOGON_INFO. In a TGS exchange directed to a KDC, rather than to a service, the resource groups structure is simply copied into the updated PAC without any processing being done.
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2023-02-08 | auth: Exclude resource groups from a TGT | Joseph Sutton | 1 | -1/+3
    Resource group SIDs should only be placed into a service ticket, but we were including them in all tickets. Now that we have access to the group attributes, we'll filter out any groups with SE_GROUP_RESOURCE set if we're creating a TGT.
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2022-11-08 | s4-auth: Make PAC parameters const | Joseph Sutton | 1 | -2/+2
    These functions have no need to modify the PACs passed in, and this change permits us to operate on const PACs in the KDC.
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2022-11-08 | build: Remove unused dependencies | Joseph Sutton | 1 | -1/+1
    We don't need to include these any more, and removing them allows us to simplify the build system for system Heimdal builds.
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2022-10-21 | s4-auth: Mention correct PAC buffer in error msg | Joseph Sutton | 1 | -1/+1
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

2022-10-21 | s4-auth: Fix typo in kerberos_pac_to_user_info_dc() | Joseph Sutton | 1 | -1/+1
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

2022-07-27 | CVE-2022-2031 s4:auth: Use PAC to determine whether ticket is a TGT | Joseph Sutton | 1 | -0/+44
    We use the presence or absence of a REQUESTER_SID PAC buffer to determine whether the ticket is a TGT. We will later use this to reject TGTs where a service ticket is expected.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn@samba.org>

2022-03-04 | krb5-mit: Enable S4U client support for MIT build | Isaac Boukris | 1 | -11/+0
    Pair-Programmed-With: Andreas Schneider <asn@samba.org>
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Signed-off-by: Isaac Boukris <iboukris@gmail.com>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>

2022-01-19 | s4:kerberos: adapt the heimdal send_to_kdc hooks to the send_to_kdc/realm plugin interface | Stefan Metzmacher | 3 | -33/+284
    With the recent heimdal upgrade we better try to use the send_to_realm() hooks as it allows us to handle the KDC lookup as well as only getting each logical request just once in the testing code, which makes it less dependent on the heimdal internal kdc lookup logic.
    NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

2022-01-19 | s4:kerberos: adjust smb_krb5_debug_wrapper() to embedded heimdal | Andrew Bartlett | 1 | -1/+5
    In future we need a real configure check for Heimdal 8.
    NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>