Commit message

in heimdal-dev. Closes: #810990, #812130
are no longer shipped upstream.
update. :-(
Upstream version 1.7~git20150920+dfsg
Change 29f6290fe60cebb4ad08860214e324af0c8b23b1 removed the
PA_ClientCanon* ASN.1 functionality but failed to remove the generated
symbols from the Windows export list.
Change-Id: I9a46532ed7d8612fbc597dec9848505d4b440e09
gssapi: Allow a NULL authenticator
Some non-GSSAPI implementations that instead try to create compatible packets by wrapping krb5_mk_req()
can trigger a NULL authenticator here. Assume this to be equivalent to specifying all-zero
channel bindings and some reasonable (fixed) flags.
Original patch by Andrew Bartlett, restructured by Douglas Bagnall
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Samba Cross-realm support patches from metze
These patches were posted to heimdal-discuss by metze, and there were no objections there.
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Now it matches _gk_unwrap_iov() and _gk_wrap_iov_length().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
A backend can return this if asked with HDB_F_GET_CLIENT|HDB_F_FOR_AS_REQ
for a KRB5_NT_ENTERPRISE_PRINCIPAL record or for HDB_F_GET_SERVER | HDB_F_FOR_TGS_REQ.
entry_ex->entry.principal->realm needs to return the real realm of the principal
(or at least the realm of the next cross-realm trust hop).
This is needed to route enterprise principals between AD domain trusts.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This is not DRSUAPI specific, it works for all 3 part principals.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This gives the caller the ability to skip the client_name
and only provide client_realm. This is required for
KDC_ERR_WRONG_REALM messages.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
An AS-REQ with an enterprise principal will always be directed to a KDC of the local
(default) realm. The KDC directs the client into the direction of the
final realm. See rfc6806.txt.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
FreeIPA can generate tickets with a client principal of
'host/hostname.example.com'.
verify_logonname() should just verify the principal name
in the PAC_LOGON_NAME is the same as the principal of
the client principal (without realm) of the ticket.
Samba commit b7cc8c1187ff967e44587cd0d09185330378f366
breaks this. We try to compare ['host']['hostname.example.com']
with ['host/hostname.example.com'] (as we interpret it as enterprise principal);
this fails if we don't compare them as strings.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Oid regenerate
The GSSAPI oid C files were originally generated by a perl 4 script that no longer runs on a modern system. Subsequently the C has been manually modified.
These patches update the script to perl 5 and alter its output to reflect the manually changed C.
Because modern perl uses hash randomisation, the order of the oids in the C file is sorted -- otherwise
they will be ordered differently every time, making changes hard to review.
This is generated from lib/gssapi/oid.txt using lib/gssapi/gen-oid.pl,
which sorts the entries to ensure minimal diff churn when an oid is
added or changed.
The lack of effective changes can be seen by sorting both versions, a
bit like this:
$ git show HEAD~~:lib/gssapi/mech/gss_oid.c | sort > /tmp/gss_oid.c-OLD
$ cat lib/gssapi/mech/gss_oid.c | sort > /tmp/gss_oid.c-NEW
$ diff -u /tmp/gss_oid.c*
$ #Nothing to see!
This is of course not a reliable check in general, but works for this
simple file in concert with ordinary inspection.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
As seen in commit cc47c8fa7 (Roland C. Dowdeswell <elric@imrryr.org>,
"Turn on -Wextra -Wno-sign-compare -Wno-unused-paramter and fix
issues"), compilers can be persuaded to dislike a single {NULL} and
prefer {NULL, NULL, NULL, NULL}. That patch altered the C code
directly; here we change the generating file to match.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
These missed out on the rk_UNCONST()ification by virtue of being added
in a parallel branch. In the diagram below, they got added in 02cf28e,
while the rk_UNCONSTs were added in f5f9014.
* cc47c8f Turn on -Wextra -Wno-sign-compare -Wno-unused-paramter and fix issues.
* 3069d80 Merge branch 'master' into lukeh/acquire-cred-ex
|\
| * f5f9014 Warning fixes from Christos Zoulas
* | 02cf28e implement gss_acquire_cred_ex with password support
|/
* 2170219 add more oids
rk_UNCONST amounts to a cast to (void *), removing const.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
The invocation `require "getopts.pl"; Getopts(...)` works in Perl 4,
but not in recent Perl 5.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
PK-INIT improvements