path: root/source4/kdc
Age | Commit message | Author | Files | Lines
2026-02-23 | s4:kdc:db-glue:tests free principal | Gary Lockyer | 1 | -2/+3
Call krb5_free_principal to quiet valgrind leak reports Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2026-02-23 | s4:kdc:db-glue altSecurityIdentities DN and serial reversed | Gary Lockyer | 2 | -17/+454
When altSecurityIdentities is set by RSAT / ADUC they store the Issuer and Subject DN in last to first order, i.e. CN=Common Name, O=Organization, C=Country. Need to reverse that to first to last order, i.e. C=Country, O=Organization, CN=Common name, which is how they're stored on the X509 certificates. Also the serial number is stored in reverse order. BUG: https://bugzilla.samba.org/show_bug.cgi?id=16001 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2026-02-18 | CVE-2026-20833: s4:kdc: Make default domain supported enctypes AES by default | Jennifer Sutton | 1 | -4/+9
If AES keys are available in the domain, assume that service accounts support AES by default. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15998 Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2026-01-21 | s4:kdc: Return SDB_ERR_NOENTRY if canonicalization is required | Jennifer Sutton | 1 | -1/+1
MIT Kerberos maps this error code to KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, avoiding problems from the KDC returning KRB5KRB_ERR_GENERIC. Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2026-01-20 | lib: Remove &data_blob_null refs | Volker Lendecke | 2 | -4/+8
The next patch will remove the data_blob_null global constant. The APIs here are a bit weird in that they don't work fine with a NULL pointer but require a reference to a NULL blob. But that's few enough to add the special case in the callers. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
2026-01-15 | s4:kdc: honour "kdc require canonicalization = yes" | Douglas Bagnall | 1 | -1/+22
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2026-01-15 | kdc: match implicit dollar without canon affects AS_REQ client only | Douglas Bagnall | 1 | -1/+3
The smb.conf option "kdc name match implicit dollar without canonicalization = no" is supposed to avoid the dollar ticket attack by refusing to consider "foo$" as a match for "foo" unless canonicalization is requested. This was rather blunt however, as the only time we care about this is for the client name in an AS_REQ, and we can easily check whether that is the case. This makes the option less intrusive, allowing the use of "SERVER" for a server name rather than "SERVER$". A number of tests no longer fail. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-12-08 | auth: Use new data_blob_..._s() functions and remove talloc_keep_secret() | Pavel Filipenský | 1 | -4/+4
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2025-11-20 | s4:kdc: avoid reusing a variable name | Douglas Bagnall | 1 | -11/+12
fallback_principal was used for two different uses: a copy of the original principal from which to derive values, and a new principal which has the '$' appended on the account name. We might as well be clear and an optimising compiler won't see the difference. Whether we actually need a temporary principal as opposed to using the one that was passed in is a separate question. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-11-20 | s4:kdc: do not match principal + '$' if smb.conf says not to | Douglas Bagnall | 1 | -4/+52
With this patch we honour "kdc name match implicit dollar without canonicalization = no". Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-11-20 | s4:kdc: allocate fallback realm later, closer to use | Douglas Bagnall | 1 | -9/+7
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-11-20 | s4:kdc: do not fallback to "$$" if user is "$" | Douglas Bagnall | 1 | -1/+1
or from "" to "$", though I am not sure it is easy to get this far with an empty account name. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-11-20 | s4:kdc: flatten samba_kdc_lookup_client dollar fallback | Douglas Bagnall | 1 | -52/+56
There is a single linear successful path through the 'num_comp == 1' and various NULL checks, but it is written in a branchy fashion as if you could skip some portion. git diff -b is probably useful. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-11-20 | s4:kdc: avoid a leak on error | Douglas Bagnall | 1 | -1/+1
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-11-20 | s4:kdc: improve a comment | Douglas Bagnall | 1 | -1/+1
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-10-22 | s4:kdc: Implement Object SID certificate security extension | Jennifer Sutton | 3 | -3/+44
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-10-22 | s4:kdc: Don’t leak pub_keys.keys | Jennifer Sutton | 1 | -4/+6
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-10-22 | s4:kdc: Move talloc_steal() back to function end | Jennifer Sutton | 1 | -6/+6
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-10-22 | s4:kdc: Correct debug messages | Jennifer Sutton | 1 | -3/+3
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-10-22 | s4:kdc: Correct comments | Jennifer Sutton | 1 | -5/+5
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-10-22 | s4:kdc: Correct spelling | Jennifer Sutton | 1 | -1/+1
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-10-17 | s4:kdc: Fix cmocka.h include | Andreas Schneider | 2 | -2/+2
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
2025-10-17 | Add missing include needed for cmocka.h | Andreas Schneider | 2 | -0/+2
This will be required in future. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org>
2025-10-13 | s4:kdc:db-glue-tests Fix CID 1666664 | Gary Lockyer | 1 | -0/+1
Fix Coverity issue CID 1666664
    115     char* ts = ldb_timestring(msg, created);
    >>> CID 1666664: Null pointer dereferences (NULL_RETURNS)
    >>> Dereferencing a pointer that might be "NULL" "ts" when calling
    >>> "ldb_msg_add_string".
    116     ldb_msg_add_string(msg, "whenCreated", ts);
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Martin Schwenke <martin@meltin.net>
2025-10-10 | s4:kdc:sdb_to_hdb strong/flexible certificate mappings | Gary Lockyer | 2 | -0/+596
Map the content of sdb_certificate_mappings to the hdb extension HDB_Ext_CertificateMapping Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Autobuild-User(master): Jennifer Sutton <jsutton@samba.org> Autobuild-Date(master): Fri Oct 10 02:30:06 UTC 2025 on atb-devel-224
2025-10-10 | s4:kdc:sdb Support Windows flexible cert mappings | Gary Lockyer | 4 | -30/+1451
Extract certificate mappings from the altSecurityIdentities attribute and populate the new sdb_certificate_mappings element of sdb Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-09-25 | s4:kdc:sdb_to_hdb: Fix CID 1665466 | Gary Lockyer | 1 | -5/+5
Fix:
    *** CID 1665466: Resource leaks (RESOURCE_LEAK)
    /source4/kdc/sdb_to_hdb.c: 482 in sdb_entry_to_hdb_entry()
    476     }
    477
    478     h->context = ske;
    479     if (ske != NULL) {
    480         ske->kdc_entry = h;
    481     }
    >>> CID 1665466: Resource leaks (RESOURCE_LEAK)
    >>> Variable "kt" going out of scope leaks the storage "kt.val" points to.
    482     return 0;
    483 error:
    484     free_hdb_entry(h);
    485     return rc;
This is almost certainly a false positive as when kt.len == 0, kt.val will be NULL. But changing the condition to kt.val != NULL, will not do any harm. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org> Autobuild-User(master): Anoop C S <anoopcs@samba.org> Autobuild-Date(master): Thu Sep 25 07:13:28 UTC 2025 on atb-devel-224
2025-09-17 | s4:kdc/db-glue: Use realloc_p macro | Mike L | 1 | -4/+4
Signed-off-by: Mike L. <cl.jeremy@gmail.com> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Wed Sep 17 13:19:25 UTC 2025 on atb-devel-224
2025-09-16 | s4:kdc:sdb_to_hdb key trust support | Gary Lockyer | 3 | -0/+314
Convert key trust public keys contained in the client's sdb records, and add to the HDB_Ext_KeyTrust extension on the client's HDB record Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org> Autobuild-Date(master): Tue Sep 16 23:23:42 UTC 2025 on atb-devel-224
2025-09-16 | s4:kdc:db-glue binary dn changes | Gary Lockyer | 2 | -33/+144
msDS-KeyCredentialLink will be stored as a BinaryDN and not a binary blob. This commit updates db-glue and its tests accordingly. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-08-06 | s4:kdc:db-glue talloc steal pub_key data | Gary Lockyer | 1 | -0/+5
talloc_steal the data pointers of pub_key, modulus and exponent onto pub_key. To allow fuzz testing of ndr_pull_KeyMaterialInternal the KeyMaterialInternal struct may not be a talloc_context. So the data portions will be allocated on the ndr context. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-07-29 | s4:kdc Support for key trust authentication | Gary Lockyer | 3 | -0/+1309
Extract the public keys from msDS-KeyCredentialLink and populate the sdb structure. These values can then be passed to Kerberos to allow key trust authentication. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org> Autobuild-Date(master): Tue Jul 29 05:31:10 UTC 2025 on atb-devel-224
2025-07-29 | s4:kdc:sdb: Add support for key trust public keys | Gary Lockyer | 2 | -1/+54
Add public keys to the sdb entry to allow them to be passed to Kerberos for key trust authentication. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-07-29 | s4:kdc: Fix clang-tidy error in db-glue.c | Gary Lockyer | 1 | -0/+5
../../source4/kdc/db-glue.c:968:14: warning: Access to field 'kvno' results in a dereference of a null pointer (loaded from variable 'entry') [clang-analyzer-core.NullDereference]
  968 |         entry->kvno = returned_kvno;
      |         ~~~~~  ^
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-06-03 | s4:kdc: Fix memory leak of padata_value | Ivan Korytov | 1 | -5/+2
md.padata_value is not needed even if no error occurred. kdc_request_add_encrypted_padata copies data from it to newly allocated r->ek.encrypted_pa_data. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15813 Signed-off-by: Ivan Korytov <korytovip@basealt.ru> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-06-03 | s4:kdc: Fix ticket encryption types memory leak | Ivan Korytov | 1 | -0/+4
sdb_entry_free was not releasing memory for s->etypes->val. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15812 Signed-off-by: Ivan Korytov <korytovip@basealt.ru> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-06-03 | s4:kdc: Fix memory leak for unused keys in TGT | Ivan Korytov | 1 | -0/+11
Length of key list was reduced to one but unused keys were not deallocated before changing the length. As such, free_sdb_entry/sdb_keys_free function could not release unused keys indexed from 1 onwards on entry deallocation. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15712 Signed-off-by: Ivan Korytov <korytovip@basealt.ru> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-05-28 | Fix clang 20 unused-function warnings | Gary Lockyer | 1 | -6/+0
Remove unused function: static inline struct ldb_val talloc_steal_ldb_val(TALLOC_CTX *mem_ctx, struct ldb_val val) From source4/kdc/ad_claims.c 1 error generated. Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Anoop C S <anoopcs@samba.org>
2025-04-03 | s4:kdc: samba_kdc_add_compounded_auth() should add Compounded_Authentication again if it's already there | Stefan Metzmacher | 1 | -1/+5
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 | s4:kdc: only use compound authentication with an explicit FAST armor | Stefan Metzmacher | 3 | -0/+9
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 | s4:kdc: samba_kdc_update_pac() doesn't need explicit delegated_proxy_principal | Stefan Metzmacher | 4 | -8/+1
It comes along as delegated_proxy.pac_princ now. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 | s4:kdc: store pac_princ in struct samba_kdc_entry_pac | Stefan Metzmacher | 2 | -6/+38
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 | s4:kdc: pass pac_princ to samba_kdc_entry_pac() | Stefan Metzmacher | 5 | -3/+14
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 | s4:kdc: pass pac_princ to samba_kdc_entry_pac_from_trusted() | Stefan Metzmacher | 3 | -0/+13
For mit_samba_update_pac() we can only pass it optionally. This should be fixed in future, but it requires changes in MIT Kerberos. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 | s4:kdc: let samba_kdc_entry_pac[_from_trusted]() assert krbtgt is valid if pac is valid | Stefan Metzmacher | 1 | -0/+8
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 | s4:kdc: let hdb_samba4_check_rbcd() fill device_pac_entry() without device_entry | Stefan Metzmacher | 1 | -6/+16
If we have a device_pac we also have device_server/krbtgt_entry, while device_entry is optional. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 | s4:kdc: let samba_wdc_get_pac() use samba_kdc_get_device_pac() | Stefan Metzmacher | 1 | -20/+1
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 | s4:kdc: let samba_kdc_get_device_pac() always extract device_krbtgt_skdc_entry | Stefan Metzmacher | 1 | -7/+18
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 | s4:kdc: let samba_wdc_reget_pac() use krbtgt_skdc_entry as delegated_proxy_krbtgt_entry | Stefan Metzmacher | 1 | -6/+14
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 | s4:kdc: let mit_samba_check_allowed_to_delegate_from() fetch krbtgt_entry | Stefan Metzmacher | 1 | -1/+46
samba_kdc_entry_pac_from_trusted() will soon assert that it has a valid krbtgt_entry. In the long run this should be passed from the caller... Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>