[SCM] Samba Shared Repository - branch master updated

Joseph Sutton jsutton at samba.org
Tue Mar 1 23:29:01 UTC 2022


The branch, master has been updated
       via  791be84c3ee s4:kdc: hdb_samba4_audit() is only called once per request
       via  c9b0b4bfc4e s4-kdc: Adapt to move from HDB auditing to KDC auditing constants
       via  9399a15fabb s4:kdc: Adapt to removal of publicly accessible request structure members
       via  94d387abd50 s4:kdc: Adapt to hdb_entry_ex removal
       via  068f2bf117a s4:kdc: Increment plugin minor version
       via  7cb68fdba75 third_party/heimdal_build: Don't generate .x source files
       via  675f913e54d s4:kdc: Explicitly set plugin minor version
       via  b9f4ea8bdb7 third_party/heimdal_build: Add SFU source file
       via  f234361abea s4:kdc: Adapt to removal of auth audit event types
       via  83586e8f584 s4:kdc: Rename windc to kdc plugin
       via  a5799cea037 s4:kdc: Add referral policy callback
       via  0d37a192810 s4:kdc: Add 'not authorised' auth events
       via  7989ef0aa7b s4:kdc: Adapt to removal of auth event details
       via  a2f7987d583 s4:kdc: Refactor HDB API
       via  f2ca9c5db7e third_party/heimdal_build: Add source files to build
       via  51569b3152a third_party/heimdal: import lorikeet-heimdal-202203010107 (commit 0e7a12404c388e831fe6933fcc3c86e7eb334825)
       via  fccf9859786 third_party/heimdal_build: Define fallthrough macro for switch statements
      from  8c97743511e smbd: Fix a use-after-free

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 791be84c3eecb95e03611458e2305bae272ba267
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 2 10:10:08 2022 +1300

    s4:kdc: hdb_samba4_audit() is only called once per request
    
    So we need to restructure the logic a bit.
    
    NOTE: This commit finally works again!
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Joseph Sutton <jsutton at samba.org>
    Autobuild-Date(master): Tue Mar  1 23:28:22 UTC 2022 on sn-devel-184

commit c9b0b4bfc4e2e0b08b21f39bf56fd5395d66d66f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Mar 2 10:00:17 2022 +1300

    s4-kdc: Adapt to move from HDB auditing to KDC auditing constants
    
    This is to adapt to:
    
        commit 6530021f09a5cab631be19a1b5898a0ba6b32f16
        Author: Luke Howard <lukeh at padl.com>
        Date:   Thu Jan 13 14:37:29 2022 +1100
    
            kdc: move auth event definitions into KDC header
    
            Move KDC auth event macro definitions out of hdb.h and into a new KDC header,
            kdc-audit.h.
    
    NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit 9399a15fabb5a1b8470b1069a098132e2fdb7f0f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Feb 23 09:53:27 2022 +1300

    s4:kdc: Adapt to removal of publicly accessible request structure members
    
    We now have to use the accessor functions instead.
    
    This is an adaptation to Heimdal:
    
    commit ec24edf7005c340018450a202d27ca75fcf322d4
    Author: Luke Howard <lukeh at padl.com>
    Date:   Thu Jan 20 09:15:24 2022 +1100
    
        kdc: add accessor functions for KDC request structure
    
        Add accessor functions for use by Samba and other plugin developers.
        Documentation is in kdc/kdc-accessors.h.
    
    NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 94d387abd5031c12989f925ee5eb733432402d1d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Feb 22 19:41:14 2022 +1300

    s4:kdc: Adapt to hdb_entry_ex removal
    
    Rather than having a 'free_entry' member that can be called to free an
    hdb_entry, we now implement the free function in HDB. We perform the
    free only if the context pointer is non-NULL.
    
    We also remove the ZERO_STRUCTP() in sdb_entry_to_hdb_entry(), as the
    context pointer is now part of the 'hdb_entry' structure itself, and
    this would undesirably zero it out.
    
    This is an adaptation to Heimdal commits:
    
    commit c5551775e204d00c7ee8055ab6ddbba7e0590584
    Author: Luke Howard <lukeh at padl.com>
    Date:   Fri Jan 7 12:15:55 2022 +1100
    
        hdb: decorate HDB_entry with context member
    
        Decorate HDB_entry with context and move free_entry callback into HDB structure
        itself. Requires updating hdb_free_entry() signature to include HDB parameter.
        A follow-up commit will consolidate hdb_entry_ex (which has a single hdb_entry
        member) into hdb_entry.
    
    commit 0e8c4ccc6ee0123ea39e53e8917fc3f6bb74e8c8
    Author: Luke Howard <lukeh at padl.com>
    Date:   Fri Jan 7 12:54:40 2022 +1100
    
        hdb: eliminate hdb_entry_ex
    
        Remove hdb_entry_ex and revert to the original design of hdb_entry (except with
        an additional context member in hdb_entry which is managed by the free_entry
        method in HDB).
    
    NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 068f2bf117ab9968011fdb8d60b98bb37d529658
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Feb 22 16:30:27 2022 +1300

    s4:kdc: Increment plugin minor version
    
    This is an adaptation to Heimdal:
    
    commit 40e4a4df09c2d6c3ba7bf14df1dee74a0bc18110
    Author: Luke Howard <lukeh at padl.com>
    Date:   Mon Jan 10 12:50:37 2022 +1100
    
        kdc: use astgs_request_t for client/server name (TGS)
    
        Store the client and server principal name from the TGT and request
        (respectively) in the astgs_request_t rather than using local variables.
    
    NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7cb68fdba75c362cdfd8f3bf08bcd9c22bbe4556
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Feb 21 19:12:28 2022 +1300

    third_party/heimdal_build: Don't generate .x source files
    
    This is an adaptation to Heimdal:
    
    commit 9427796f1a65906f12768b28abdb5a928222f3c6
    Author: Jeffrey Altman <jaltman at secure-endpoints.com>
    Date:   Wed Jan 5 15:45:23 2022 -0500
    
        Generate .x source files as .c source files
    
        The generated .x source and .hx header files are plain C source files.
        Generate them as .c source files and avoid unnecessary file copying
        and special makefile rules.
    
        Change-Id: Ifc4bbe3c46dd357fdd642040ad964c7cfe1d395c
    
    NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 675f913e54d8fddb9173c1e67b9d14885cc1d878
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Feb 22 15:56:32 2022 +1300

    s4:kdc: Explicitly set plugin minor version
    
    This is an adaptation to Heimdal:
    
    commit 7cc4b7a9e624f5eecfbb38607d4cc0870a895671
    Author: Luke Howard <lukeh at padl.com>
    Date:   Wed Jan 5 13:08:11 2022 +1100
    
        kdc: KDC plugin API contract notes
    
        Add some notes about the KDC plugin API contract, and require plugins to
        explicitly indicate which version of the API they support (remove the macro
        alias for the current version).
    
    NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b9f4ea8bdb70476d6cc6df962bf6b28805588ed5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Feb 22 15:53:34 2022 +1300

    third_party/heimdal_build: Add SFU source file
    
    This is an adaptation to Heimdal:
    
    commit 0287558838de79313e38026d2f0905ffc987d0b8
    Author: Luke Howard <lukeh at padl.com>
    Date:   Fri Dec 24 13:49:55 2021 +1100
    
        kdc: move Services for User implementation out of krb5tgs.c
    
        Move the Services for User (SFU/S4U) implementation -- protocol transition and
        constrained delegation -- into its own compilation unit, with an interface that
        only takes an astgs_request_t, so it can be easily factored out into a plugin
        module in the future.
    
        This refactoring is also careful to update all client names in the request
        structure after the SFU/S4U validation has successfully completed.
    
    NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f234361abea4166ce4e10cfa4e7f4096b83480a9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Feb 22 15:48:12 2022 +1300

    s4:kdc: Adapt to removal of auth audit event types
    
    This is an adaptation to Heimdal:
    
    commit 06f8985c55fcd23e3efe0017ed2480c5b3c4524f
    Author: Luke Howard <lukeh at padl.com>
    Date:   Wed Jan 5 09:42:03 2022 +1100
    
        hdb: consolidate preauth audit event types
    
        Instead of having distinct preauth success/failure events for different
        mechanisms, have a single event; the mechanism can be disambiguated by querying
        the HDB_REQUEST_KV_PA_NAME key.
    
        Note: there is still an explicit event for long-term key-based success/failure
        in order to help the backend implement lockout.
    
        Audit failure (HDB_AUTH_EVENT_PREAUTH_FAILED) in the main preauth loop, rather
        than in each mechanism. Success is still audited in the mechanism to allow
        client pre-authentication success to be noted even if something subsequent
        (e.g. encoding a reply, memory allocation) fails. The generic catch-all for
        success remains.
    
    NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 83586e8f5846fff7a8bbe47e743e03166b559584
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Feb 22 14:39:13 2022 +1300

    s4:kdc: Rename windc to kdc plugin
    
    This is an adaptation to Heimdal:
    
    commit fcff5933ade652343d7c169659da92fac0e6e0d4
    Author: Luke Howard <lukeh at padl.com>
    Date:   Mon Jan 3 11:10:18 2022 +1100
    
        kdc: rename windc to kdc plugin
    
        Rename the "windc" plugin API to the more general "kdc" plugin API, for two
        reasons: the Heimdal KDC uses the Windows PAC even when not emulating a domain
        controller, and the plugin API has accreted methods that are not specific to
        emulating a domain controller (such as referral_policy and finalize_reply).
    
    NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a5799cea037a4613ba4d1073fff6e6151ed06c76
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Feb 21 19:25:06 2022 +1300

    s4:kdc: Add referral policy callback
    
    This is now used instead of a configuration option.
    
    This is an adaptation to Heimdal:
    
    commit 3fa47f5a1a422e178d968a8ec0d59889eaa71548
    Author: Luke Howard <lukeh at padl.com>
    Date:   Sun Jan 2 21:51:43 2022 +1100
    
        kdc: add referral_policy callback to windc plugin
    
        Add a referral policy hook to the TGS as a more elegant way of resolving
        referral detection for Samba. The hook can either rewrite the server_princ in
        the request, or it can return an error to disable built-in referral processing.
    
    NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0d37a1928100e229bea46701b41d4efa72e10266
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Feb 22 12:16:49 2022 +1300

    s4:kdc: Add 'not authorised' auth events
    
    This is an adaptation to Heimdal:
    
    commit d683780b1d728bf8c5b794a1f66842e5a25bd360
    Author: Luke Howard <lukeh at padl.com>
    Date:   Sat Jan 1 23:44:05 2022 +1100
    
        kdc: separate PKINIT/GSS authorization failure
    
        Create a new audit event for PKINIT/GSS authorization (impersonation) failure
    
    NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7989ef0aa7b75b2e5af7be445fc64cbf49b2985c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Feb 21 20:45:45 2022 +1300

    s4:kdc: Adapt to removal of auth event details
    
    This is an adaptation to Heimdal:
    
    commit e15e711b13e2fb33f4480a054cba60b6c4c0183b
    Author: Luke Howard <lukeh at padl.com>
    Date:   Sat Jan 1 18:05:51 2022 +1100
    
        kdc: remove auth_event_details audit key
    
        The auth event details audit key (formerly, parameter to auth_status)
        contained, variously, an encryption type name; a PKINIT client certificate
        name; or, a GSS initiator name. Audit these instead using individual keys that
        reflect the values' contents.
    
    NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a2f7987d58372cfc52bc5f9786c0719439956fee
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Feb 21 20:28:42 2022 +1300

    s4:kdc: Refactor HDB API
    
    This is an adaptation to Heimdal:
    
    commit b1dcc1a47485165ada778ef3c3463cfc0779d183
    Author: Luke Howard <lukeh at padl.com>
    Date:   Fri Dec 31 17:24:58 2021 +1100
    
        kdc: refactor Samba-specific auditing API in terms of existing API
    
        Make Samba-specific HDB auth status API a wrapper on the existing auditing API,
        with a view towards unifying the two APIs in a future commit.
    
        The term "auth status" is replaced with "auth event", and the HDB auth_status
        method is replaced with a more general purpose audit method which has access to
        the entire request structure.
    
    NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f2ca9c5db7e1bb20cfc6705633b48c32b1496334
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Feb 22 14:09:52 2022 +1300

    third_party/heimdal_build: Add source files to build
    
    This is an adaptation to Heimdal:
    
    commit be708ca3cf98900c61919f8ff7ced4428b5d1f32
    Author: Nicolas Williams <nico at twosigma.com>
    Date:   Wed Dec 22 17:01:12 2021 -0600
    
        gsskrb5: Add simple name attributes support
    
        This adds Kerberos mechanism support for:
    
         - composite principal name export/import
         - getting rudimentary name attributes from GSS names using
           gss_get_name_attribute():
            - all (raw) authorization data from the Ticket
            - all (raw) authorization data from the Authenticator
            - transit path
            - realm
            - component count
            - each component
         - gss_inquire_name()
         - gss_display_name_ext() (just for the hostbased service name type
                                   though)
    
        The test exercises almost all of the functionality, except for:
    
         - getting the PAC
         - getting authz-data from the Authenticator
         - getting the transit path
    
        TBD (much) later:
    
         - amend test_context to do minimal name attribute checks as well
         - gss_set_name_attribute() (to request authz-data)
         - gss_delete_name_attribute()
         - getting specific authorization data elements via URN fragments (as
           opposed to all of them)
         - parsing the PAC, extracting SIDs (each one as a separate value)
         - some configurable local policy (?)
         - plugin interface for additional local policy
    
    NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 51569b3152a952d07fddaa3a70d60c920618c704
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Mar 1 14:17:54 2022 +1300

    third_party/heimdal: import lorikeet-heimdal-202203010107 (commit 0e7a12404c388e831fe6933fcc3c86e7eb334825)
    
    NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit fccf9859786dfb50b317ea2296c2494997f0ae09
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Feb 22 16:41:52 2022 +1300

    third_party/heimdal_build: Define fallthrough macro for switch statements
    
    This is an adaptation to Heimdal:
    
    commit ddc61136100b32346c4c4efa2bb6ddb5baedfb3e
    Author: Nicolas Williams <nico at twosigma.com>
    Date:   Fri Jan 14 16:32:04 2022 -0600
    
        Use fallthrough statement attribute
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source4/kdc/hdb-samba4.c                           |  181 ++-
 source4/kdc/kdc-glue.c                             |    4 +-
 source4/kdc/kdc-glue.h                             |    4 +-
 source4/kdc/kdc-heimdal.c                          |   22 +-
 source4/kdc/sdb_to_hdb.c                           |   26 +-
 source4/kdc/wdc-samba4.c                           |   98 +-
 source4/kdc/wscript_build                          |    2 +-
 third_party/heimdal/.github/workflows/build.yml    |   67 -
 third_party/heimdal/.gitignore                     |  236 +++-
 third_party/heimdal/Makefile.am                    |    1 -
 third_party/heimdal/README.md                      |    9 +-
 third_party/heimdal/admin/change.c                 |    1 -
 third_party/heimdal/appl/afsutil/afslog.c          |    2 +-
 third_party/heimdal/appl/gssmask/gssmask.c         |    2 +
 third_party/heimdal/appl/kf/kf.c                   |    4 +-
 third_party/heimdal/appl/otp/otp.c                 |   12 +-
 third_party/heimdal/appl/test/gssapi_server.c      |   23 +-
 third_party/heimdal/appl/test/uu_server.c          |    7 +
 third_party/heimdal/appveyor.yml                   |   72 +-
 third_party/heimdal/cf/Makefile.am.common          |   19 +-
 third_party/heimdal/cf/ax_check_sign.m4            |   54 +
 third_party/heimdal/cf/check-compile-flag.m4       |   53 +
 third_party/heimdal/cf/db.m4                       |    6 +-
 third_party/heimdal/cf/krb-prog-yacc.m4            |   12 +-
 third_party/heimdal/cf/roken-frag.m4               |    6 -
 third_party/heimdal/configure.ac                   |   38 +-
 third_party/heimdal/import-lorikeet.sh             |   22 +-
 third_party/heimdal/include/Makefile.am            |   33 +-
 third_party/heimdal/include/bits.c                 |   51 +-
 third_party/heimdal/include/config.h.w32           |   37 +-
 third_party/heimdal/kadmin/add-random-users.c      |    2 +-
 third_party/heimdal/kadmin/add_enctype.c           |    4 +-
 third_party/heimdal/kadmin/ank.c                   |   40 +-
 third_party/heimdal/kadmin/cpw.c                   |   16 +-
 third_party/heimdal/kadmin/del.c                   |   12 +-
 third_party/heimdal/kadmin/ext.c                   |    2 +-
 third_party/heimdal/kadmin/get.c                   |    2 +
 third_party/heimdal/kadmin/init.c                  |  202 ++-
 third_party/heimdal/kadmin/kadm_conn.c             |    9 +-
 third_party/heimdal/kadmin/kadmin.1                |   33 +-
 third_party/heimdal/kadmin/kadmind.c               |    2 +
 third_party/heimdal/kadmin/load.c                  |   54 +-
 third_party/heimdal/kadmin/mod.c                   |   15 +-
 third_party/heimdal/kadmin/rpc.c                   |    4 +-
 third_party/heimdal/kadmin/server.c                |  315 ++---
 third_party/heimdal/kadmin/stash.c                 |    5 +-
 third_party/heimdal/kcm/cache.c                    |   10 +-
 third_party/heimdal/kcm/client.c                   |   37 +
 third_party/heimdal/kcm/glue.c                     |    2 +-
 third_party/heimdal/kcm/protocol.c                 |   24 +-
 third_party/heimdal/kdc/Makefile.am                |   14 +-
 third_party/heimdal/kdc/NTMakefile                 |   18 +-
 .../heimdal/kdc/altsecid_gss_preauth_authorizer.c  |   85 +-
 third_party/heimdal/kdc/bx509d.c                   |  170 ++-
 third_party/heimdal/kdc/ca.c                       |    4 +-
 third_party/heimdal/kdc/cjwt_token_validator.c     |    9 +-
 third_party/heimdal/kdc/config.c                   |    2 +-
 third_party/heimdal/kdc/connect.c                  |   19 +-
 third_party/heimdal/kdc/csr_authorizer.c           |    2 +-
 third_party/heimdal/kdc/default_config.c           |    5 +-
 third_party/heimdal/kdc/digest-service.c           |    9 +-
 third_party/heimdal/kdc/digest.c                   |   46 +-
 third_party/heimdal/kdc/fast.c                     |   35 +-
 third_party/heimdal/kdc/gss_preauth.c              |   78 +-
 .../heimdal/kdc/gss_preauth_authorizer_plugin.h    |    6 +-
 third_party/heimdal/kdc/headers.h                  |    3 +-
 third_party/heimdal/kdc/hprop.8                    |    1 -
 third_party/heimdal/kdc/hprop.c                    |   23 +-
 third_party/heimdal/kdc/hprop.h                    |   18 +-
 third_party/heimdal/kdc/hpropd.8                   |    3 -
 third_party/heimdal/kdc/hpropd.c                   |   11 +-
 third_party/heimdal/kdc/httpkadmind.c              |   73 +-
 third_party/heimdal/kdc/ipc_csr_authorizer.c       |   20 +-
 third_party/heimdal/kdc/kdc-accessors.h            |  349 ++++++
 .../gssapi/mech/mech_locl.h => kdc/kdc-audit.h}    |   71 +-
 third_party/heimdal/kdc/kdc-plugin.c               |  658 ++++++++++
 third_party/heimdal/kdc/kdc-plugin.h               |  136 +++
 third_party/heimdal/kdc/kdc-replay.c               |    2 +
 third_party/heimdal/kdc/kdc.h                      |  168 +--
 third_party/heimdal/kdc/kdc_locl.h                 |  109 +-
 third_party/heimdal/kdc/kerberos5.c                |  691 +++++------
 third_party/heimdal/kdc/krb5tgs.c                  |  946 ++++----------
 third_party/heimdal/kdc/kstash.c                   |    2 +
 third_party/heimdal/kdc/kx509.c                    |  130 +-
 third_party/heimdal/kdc/libkdc-exports.def         |   83 +-
 third_party/heimdal/kdc/log.c                      |   10 +-
 third_party/heimdal/kdc/misc.c                     |  103 +-
 third_party/heimdal/kdc/mit_dump.c                 |    6 +-
 third_party/heimdal/kdc/mssfu.c                    |  568 +++++++++
 .../heimdal/kdc/negotiate_token_validator.c        |    2 -
 third_party/heimdal/kdc/pkinit.c                   |   30 +-
 third_party/heimdal/kdc/process.c                  |  204 +++-
 third_party/heimdal/kdc/rx.h                       |   79 --
 third_party/heimdal/kdc/set_dbinfo.c               |    2 +-
 third_party/heimdal/kdc/simple_csr_authorizer.c    |   24 +-
 third_party/heimdal/kdc/string2key.c               |    6 +-
 third_party/heimdal/kdc/test_kdc_ca.c              |    5 +-
 third_party/heimdal/kdc/token_validator.c          |    2 +-
 third_party/heimdal/kdc/version-script.map         |   78 +-
 third_party/heimdal/kdc/windc.c                    |  252 ----
 third_party/heimdal/kdc/windc_plugin.h             |   92 --
 third_party/heimdal/kpasswd/kpasswdd.c             |    2 +
 third_party/heimdal/kuser/generate-requests.c      |    2 +-
 third_party/heimdal/kuser/kgetcred.c               |    3 +
 third_party/heimdal/kuser/kimpersonate.c           |   27 +-
 third_party/heimdal/kuser/kinit.c                  |   34 +-
 third_party/heimdal/kuser/klist.c                  |   15 +-
 third_party/heimdal/kuser/kswitch.c                |    5 +-
 third_party/heimdal/kuser/kuser_locl.h             |    4 +
 third_party/heimdal/lib/asn1/MANUAL.md             | 1287 ++++++++++++++++++++
 third_party/heimdal/lib/asn1/Makefile.am           |  361 +++---
 third_party/heimdal/lib/asn1/NTMakefile            |  281 +++--
 third_party/heimdal/lib/asn1/README.md             |  326 +++--
 third_party/heimdal/lib/asn1/asn1-template.h       |   75 +-
 third_party/heimdal/lib/asn1/asn1_compile.1        |  263 +++-
 third_party/heimdal/lib/asn1/asn1_print.c          |   32 +-
 third_party/heimdal/lib/asn1/asn1parse.y           |  141 ++-
 third_party/heimdal/lib/asn1/check-common.h        |    3 +-
 third_party/heimdal/lib/asn1/check-der.c           |    2 +
 third_party/heimdal/lib/asn1/check-gen.c           |  144 ++-
 third_party/heimdal/lib/asn1/check-gen.h           |    9 +
 third_party/heimdal/lib/asn1/check-template.c      |   13 +
 third_party/heimdal/lib/asn1/der_copy.c            |  103 +-
 third_party/heimdal/lib/asn1/der_get.c             |   92 +-
 third_party/heimdal/lib/asn1/der_put.c             |   68 +-
 third_party/heimdal/lib/asn1/extra.c               |    8 +-
 third_party/heimdal/lib/asn1/gen.c                 |  186 ++-
 third_party/heimdal/lib/asn1/gen_copy.c            |   47 +-
 third_party/heimdal/lib/asn1/gen_decode.c          |    6 +-
 third_party/heimdal/lib/asn1/gen_encode.c          |   29 +-
 third_party/heimdal/lib/asn1/gen_free.c            |   55 +-
 third_party/heimdal/lib/asn1/gen_glue.c            |   11 +-
 third_party/heimdal/lib/asn1/gen_locl.h            |   17 +-
 third_party/heimdal/lib/asn1/gen_template.c        |  172 ++-
 third_party/heimdal/lib/asn1/krb5.asn1             |   46 +-
 third_party/heimdal/lib/asn1/krb5.opt              |    2 +
 third_party/heimdal/lib/asn1/libasn1-exports.def   |    6 +
 third_party/heimdal/lib/asn1/main.c                |  240 +++-
 third_party/heimdal/lib/asn1/oid_resolution.c      |   75 +-
 third_party/heimdal/lib/asn1/symbol.h              |    5 +-
 third_party/heimdal/lib/asn1/template.c            |   56 +-
 third_party/heimdal/lib/asn1/test.asn1             |   12 +-
 third_party/heimdal/lib/asn1/test.opt              |    6 +
 third_party/heimdal/lib/base/array.c               |    4 +-
 third_party/heimdal/lib/base/bsearch.c             |   24 +-
 third_party/heimdal/lib/base/data.c                |    9 +-
 third_party/heimdal/lib/base/db.c                  |   24 +-
 third_party/heimdal/lib/base/dict.c                |    8 +-
 third_party/heimdal/lib/base/dll.c                 |    3 +-
 third_party/heimdal/lib/base/error.c               |    4 +-
 third_party/heimdal/lib/base/error_string.c        |    7 +-
 third_party/heimdal/lib/base/expand_path.c         |   58 +-
 third_party/heimdal/lib/base/heimbase-svc.h        |    8 +-
 third_party/heimdal/lib/base/heimbase.c            |   35 +-
 third_party/heimdal/lib/base/heimbase.h            |    9 +-
 third_party/heimdal/lib/base/heimbasepriv.h        |    3 +-
 third_party/heimdal/lib/base/log.c                 |  363 ++++--
 third_party/heimdal/lib/base/number.c              |   22 +-
 third_party/heimdal/lib/base/plugin.c              |   16 +-
 third_party/heimdal/lib/base/string.c              |    6 +-
 third_party/heimdal/lib/base/test_base.c           |    6 +-
 third_party/heimdal/lib/base/version-script.map    |    7 +
 third_party/heimdal/lib/com_err/Makefile.am        |    2 +-
 third_party/heimdal/lib/gss_preauth/pa_client.c    |    3 +-
 third_party/heimdal/lib/gss_preauth/pa_common.c    |    5 -
 third_party/heimdal/lib/gssapi/Makefile.am         |   55 +-
 third_party/heimdal/lib/gssapi/NTMakefile          |   38 +-
 third_party/heimdal/lib/gssapi/gss-token.c         |   11 +-
 third_party/heimdal/lib/gssapi/gssapi/gssapi.h     |   16 +-
 .../heimdal/lib/gssapi/gssapi/gssapi_krb5.h        |    2 +
 .../heimdal/lib/gssapi/krb5/accept_sec_context.c   |  140 +--
 third_party/heimdal/lib/gssapi/krb5/acquire_cred.c |   52 +-
 third_party/heimdal/lib/gssapi/krb5/arcfour.c      |   13 +-
 third_party/heimdal/lib/gssapi/krb5/copy_ccache.c  |    5 +-
 .../heimdal/lib/gssapi/krb5/export_sec_context.c   |    2 +-
 third_party/heimdal/lib/gssapi/krb5/external.c     |   19 +-
 third_party/heimdal/lib/gssapi/krb5/import_name.c  |   35 +-
 .../heimdal/lib/gssapi/krb5/init_sec_context.c     |   41 +-
 third_party/heimdal/lib/gssapi/krb5/name_attrs.c   | 1171 ++++++++++++++++++
 third_party/heimdal/lib/gssapi/krb5/store_cred.c   |    5 +-
 third_party/heimdal/lib/gssapi/krb5/test_kcred.c   |    6 +-
 .../heimdal/lib/gssapi/libgssapi-exports.def       |    2 +-
 .../heimdal/lib/gssapi/mech/gss_compare_name.c     |   10 +-
 third_party/heimdal/lib/gssapi/mech/gss_cred.c     |    6 +-
 .../lib/gssapi/mech/gss_export_sec_context.c       |    4 +
 .../heimdal/lib/gssapi/mech/gss_import_name.c      |   82 +-
 .../lib/gssapi/mech/gss_import_sec_context.c       |    6 +-
 third_party/heimdal/lib/gssapi/mech/gss_krb5.c     |    7 +-
 .../heimdal/lib/gssapi/mech/gss_mech_switch.c      |   47 +-
 .../heimdal/lib/gssapi/mech/gss_pname_to_uid.c     |    4 +
 third_party/heimdal/lib/gssapi/mech/mech_locl.h    |   11 +-
 .../heimdal/lib/gssapi/ntlm/accept_sec_context.c   |    2 +
 third_party/heimdal/lib/gssapi/ntlm/creds.c        |    4 -
 third_party/heimdal/lib/gssapi/ntlm/crypto.c       |    5 +-
 .../heimdal/lib/gssapi/ntlm/delete_sec_context.c   |    6 +
 .../heimdal/lib/gssapi/ntlm/init_sec_context.c     |   22 +-
 third_party/heimdal/lib/gssapi/ntlm/kdc.c          |    1 +
 third_party/heimdal/lib/gssapi/sanon/import_name.c |   25 +-
 .../heimdal/lib/gssapi/spnego/accept_sec_context.c |    1 +
 third_party/heimdal/lib/gssapi/spnego/negoex_ctx.c |   28 +-
 third_party/heimdal/lib/gssapi/test_context.c      |  168 ++-
 third_party/heimdal/lib/gssapi/test_kcred.c        |   18 +-
 third_party/heimdal/lib/gssapi/test_names.c        |  464 ++++++-
 third_party/heimdal/lib/gssapi/version-script.map  |    2 +-
 third_party/heimdal/lib/hcrypto/Makefile.am        |   27 +-
 third_party/heimdal/lib/hcrypto/bn.c               |    8 +-
 third_party/heimdal/lib/hcrypto/des.c              |    1 +
 third_party/heimdal/lib/hcrypto/dh-ltm.c           |   57 +-
 third_party/heimdal/lib/hcrypto/dh.c               |    2 +-
 third_party/heimdal/lib/hcrypto/engine.c           |   35 +-
 third_party/heimdal/lib/hcrypto/evp.c              |    9 +-
 third_party/heimdal/lib/hcrypto/hmac.c             |   28 +-
 third_party/heimdal/lib/hcrypto/hmac.h             |    2 +-
 .../lib/hcrypto/libtommath/bn_mp_set_double.c      |    2 +-
 .../lib/hcrypto/libtommath/bn_s_mp_rand_platform.c |    2 +-
 .../heimdal/lib/hcrypto/libtommath/demo/test.c     |    2 +-
 .../heimdal/lib/hcrypto/libtommath/etc/tune.c      |    2 +-
 third_party/heimdal/lib/hcrypto/rsa-ltm.c          |    7 +-
 third_party/heimdal/lib/hcrypto/rsa.c              |    7 +-
 third_party/heimdal/lib/hcrypto/test_hmac.c        |    6 +-
 third_party/heimdal/lib/hcrypto/validate.c         |    3 +-
 third_party/heimdal/lib/hdb/Makefile.am            |   67 +-
 third_party/heimdal/lib/hdb/NTMakefile             |   12 +-
 third_party/heimdal/lib/hdb/common.c               |  375 ++++--
 third_party/heimdal/lib/hdb/db.c                   |   22 +-
 third_party/heimdal/lib/hdb/db3.c                  |   22 +-
 third_party/heimdal/lib/hdb/ext.c                  |    4 +-
 third_party/heimdal/lib/hdb/hdb-keytab.c           |   22 +-
 third_party/heimdal/lib/hdb/hdb-ldap.c             |  363 +++---
 third_party/heimdal/lib/hdb/hdb-mdb.c              |   22 +-
 third_party/heimdal/lib/hdb/hdb-mitdb.c            |   89 +-
 third_party/heimdal/lib/hdb/hdb-sqlite.c           |   39 +-
 third_party/heimdal/lib/hdb/hdb.asn1               |    2 +-
 third_party/heimdal/lib/hdb/hdb.c                  |   98 +-
 third_party/heimdal/lib/hdb/hdb.h                  |  175 +--
 third_party/heimdal/lib/hdb/hdb.opt                |    5 +
 third_party/heimdal/lib/hdb/keys.c                 |    2 +-
 third_party/heimdal/lib/hdb/keytab.c               |   50 +-
 third_party/heimdal/lib/hdb/libhdb-exports.def     |    1 -
 third_party/heimdal/lib/hdb/ndbm.c                 |   53 +-
 third_party/heimdal/lib/hdb/print.c                |   20 +-
 third_party/heimdal/lib/hdb/test_concurrency.c     |   58 +-
 third_party/heimdal/lib/hdb/test_namespace.c       |  162 ++-
 third_party/heimdal/lib/hdb/version-script.map     |    1 -
 third_party/heimdal/lib/hx509/Makefile.am          |    3 +-
 third_party/heimdal/lib/hx509/ca.c                 |   21 +-
 third_party/heimdal/lib/hx509/cert.c               |   42 +-
 third_party/heimdal/lib/hx509/cms.c                |    6 +-
 third_party/heimdal/lib/hx509/collector.c          |    3 +-
 third_party/heimdal/lib/hx509/crypto.c             |    4 +
 third_party/heimdal/lib/hx509/error.c              |   66 +-
 third_party/heimdal/lib/hx509/file.c               |   12 +-
 third_party/heimdal/lib/hx509/hxtool.c             |   28 +-
 third_party/heimdal/lib/hx509/keyset.c             |    5 +-
 third_party/heimdal/lib/hx509/ks_file.c            |   29 +-
 third_party/heimdal/lib/hx509/name.c               |   71 +-
 third_party/heimdal/lib/hx509/print.c              |    5 +
 third_party/heimdal/lib/hx509/req.c                |   22 +-
 third_party/heimdal/lib/hx509/revoke.c             |    4 +
 third_party/heimdal/lib/hx509/sel-gram.y           |    4 +
 third_party/heimdal/lib/hx509/softp11.c            |    8 +-
 third_party/heimdal/lib/ipc/Makefile.am            |    4 +
 third_party/heimdal/lib/ipc/server.c               |   15 +-
 third_party/heimdal/lib/kadm5/ad.c                 |    2 +
 third_party/heimdal/lib/kadm5/chpass_s.c           |   56 +-
 third_party/heimdal/lib/kadm5/context_s.c          |   16 +-
 third_party/heimdal/lib/kadm5/create_s.c           |   32 +-
 third_party/heimdal/lib/kadm5/delete_s.c           |    8 +-
 third_party/heimdal/lib/kadm5/ent_setup.c          |   78 +-
 third_party/heimdal/lib/kadm5/get_princs_s.c       |    8 +-
 third_party/heimdal/lib/kadm5/get_s.c              |  143 +--
 third_party/heimdal/lib/kadm5/init_c.c             |   12 +-
 third_party/heimdal/lib/kadm5/init_s.c             |    6 +-
 third_party/heimdal/lib/kadm5/iprop-log.c          |   67 +-
 third_party/heimdal/lib/kadm5/ipropd_common.c      |    1 +
 third_party/heimdal/lib/kadm5/ipropd_master.c      |   31 +-
 third_party/heimdal/lib/kadm5/ipropd_slave.c       |    8 +-
 third_party/heimdal/lib/kadm5/log.c                |  172 ++-
 third_party/heimdal/lib/kadm5/marshall.c           |  254 ++--
 third_party/heimdal/lib/kadm5/modify_s.c           |   12 +-
 third_party/heimdal/lib/kadm5/prune_s.c            |   10 +-
 third_party/heimdal/lib/kadm5/randkey_c.c          |    2 +-
 third_party/heimdal/lib/kadm5/randkey_s.c          |   26 +-
 third_party/heimdal/lib/kadm5/rename_s.c           |   32 +-
 third_party/heimdal/lib/kadm5/set_keys.c           |    2 +
 third_party/heimdal/lib/kadm5/setkey3_s.c          |   28 +-
 third_party/heimdal/lib/kafs/Makefile.am           |    2 +
 third_party/heimdal/lib/kafs/afskrb5.c             |    2 -
 third_party/heimdal/lib/kafs/afssys.c              |    2 +
 third_party/heimdal/lib/kafs/rxkad_kdf.c           |    8 +-
 third_party/heimdal/lib/krb5/Makefile.am           |    4 +-
 third_party/heimdal/lib/krb5/NTMakefile            |    2 +
 third_party/heimdal/lib/krb5/acache.c              |   27 +-
 third_party/heimdal/lib/krb5/acl.c                 |    2 +-
 third_party/heimdal/lib/krb5/addr_families.c       |   19 +-
 third_party/heimdal/lib/krb5/aes-test.c            |   22 +-
 third_party/heimdal/lib/krb5/asn1_glue.c           |   94 +-
 third_party/heimdal/lib/krb5/auth_context.c        |    5 +-
 third_party/heimdal/lib/krb5/cache.c               |   25 +-
 third_party/heimdal/lib/krb5/context.c             |   15 +-
 third_party/heimdal/lib/krb5/crypto-evp.c          |    7 +-
 third_party/heimdal/lib/krb5/crypto.c              |    7 +-
 third_party/heimdal/lib/krb5/data.c                |    7 +-
 third_party/heimdal/lib/krb5/dcache.c              |   14 +-
 third_party/heimdal/lib/krb5/deprecated.c          |   10 +-
 third_party/heimdal/lib/krb5/enomem.c              |    2 +-
 third_party/heimdal/lib/krb5/error_string.c        |   19 +-
 third_party/heimdal/lib/krb5/expand_path.c         |    4 +-
 third_party/heimdal/lib/krb5/fast.c                |   13 +-
 third_party/heimdal/lib/krb5/fcache.c              |   15 +-
 third_party/heimdal/lib/krb5/generate_subkey.c     |    2 +-
 third_party/heimdal/lib/krb5/get_cred.c            |   54 +-
 third_party/heimdal/lib/krb5/get_in_tkt.c          |    2 +-
 third_party/heimdal/lib/krb5/init_creds_pw.c       |  147 +--
 third_party/heimdal/lib/krb5/kcm.c                 |  267 +++-
 third_party/heimdal/lib/krb5/keytab.c              |   68 +-
 third_party/heimdal/lib/krb5/keytab_file.c         |    3 +-
 third_party/heimdal/lib/krb5/keytab_keyfile.c      |    2 +-
 third_party/heimdal/lib/krb5/krb5.conf.5           |    6 -
 third_party/heimdal/lib/krb5/krb5.h                |  116 +-
 third_party/heimdal/lib/krb5/krb5_locl.h           |    2 +
 third_party/heimdal/lib/krb5/krbhst-test.c         |   17 +-
 third_party/heimdal/lib/krb5/krbhst.c              |   24 +-
 third_party/heimdal/lib/krb5/krcache.c             |   31 +-
 third_party/heimdal/lib/krb5/kx509.c               |   62 +-
 .../heimdal/lib/krb5/libkrb5-exports.def.in        |    7 +
 third_party/heimdal/lib/krb5/mcache.c              |    4 +-
 third_party/heimdal/lib/krb5/mk_cred.c             |   15 +-
 third_party/heimdal/lib/krb5/pac.c                 |  137 ++-
 third_party/heimdal/lib/krb5/pkinit.c              |   21 +-
 third_party/heimdal/lib/krb5/principal.c           |   33 +-
 third_party/heimdal/lib/krb5/rd_cred.c             |    2 +-
 third_party/heimdal/lib/krb5/rd_req.c              |   66 +-
 third_party/heimdal/lib/krb5/replay.c              |    4 +-
 third_party/heimdal/lib/krb5/salt-arcfour.c        |    6 +-
 third_party/heimdal/lib/krb5/scache.c              |   91 +-
 third_party/heimdal/lib/krb5/send_to_kdc.c         |   14 +-
 third_party/heimdal/lib/krb5/sp800-108-kdf.c       |    5 +-
 third_party/heimdal/lib/krb5/store.c               |   24 +-
 third_party/heimdal/lib/krb5/store_emem.c          |   25 +-
 third_party/heimdal/lib/krb5/store_stdio.c         |    2 +
 third_party/heimdal/lib/krb5/test_alname.c         |    2 +-
 third_party/heimdal/lib/krb5/test_ap-req.c         |    1 +
 third_party/heimdal/lib/krb5/test_cc.c             |   10 +-
 third_party/heimdal/lib/krb5/test_hostname.c       |    4 +-
 third_party/heimdal/lib/krb5/test_rfc3961.c        |    1 +
 third_party/heimdal/lib/krb5/test_set_kvno0.c      |    5 +-
 third_party/heimdal/lib/krb5/ticket.c              |   91 +-
 third_party/heimdal/lib/krb5/transited.c           |   19 +-
 third_party/heimdal/lib/krb5/verify_user.c         |   13 +-
 third_party/heimdal/lib/krb5/version-script.map    |    7 +
 third_party/heimdal/lib/ntlm/digest.c              |    2 +-
 third_party/heimdal/lib/ntlm/ntlm.c                |   75 +-
 third_party/heimdal/lib/otp/otp_md.c               |    4 +-
 third_party/heimdal/lib/roken/Makefile.am          |    6 +-
 third_party/heimdal/lib/roken/base32-test.c        |    3 +-
 third_party/heimdal/lib/roken/base32.c             |   12 +-
 third_party/heimdal/lib/roken/base64-test.c        |    3 +-
 third_party/heimdal/lib/roken/base64.c             |    4 +-
 third_party/heimdal/lib/roken/copyhostent.c        |    3 +-
 third_party/heimdal/lib/roken/detach.c             |    3 +-
 third_party/heimdal/lib/roken/dirent-test.c        |    6 +-
 third_party/heimdal/lib/roken/environment.c        |   15 +-
 third_party/heimdal/lib/roken/fnmatch.c            |    2 +-
 third_party/heimdal/lib/roken/freeaddrinfo.c       |    2 +-
 third_party/heimdal/lib/roken/freehostent.c        |    2 +-
 third_party/heimdal/lib/roken/getaddrinfo.c        |   10 +-
 third_party/heimdal/lib/roken/getcap.c             |  996 ---------------
 third_party/heimdal/lib/roken/getipnodebyaddr.c    |    2 +-
 third_party/heimdal/lib/roken/getipnodebyname.c    |    2 +-
 third_party/heimdal/lib/roken/getnameinfo.c        |    8 +-
 third_party/heimdal/lib/roken/getuserinfo.c        |   30 +-
 third_party/heimdal/lib/roken/hex-test.c           |   35 +-
 third_party/heimdal/lib/roken/hex.c                |   28 +-
 third_party/heimdal/lib/roken/mergesort_r.c        |    4 +-
 third_party/heimdal/lib/roken/ndbm_wrap.c          |    2 +
 third_party/heimdal/lib/roken/net_write.c          |    7 +-
 third_party/heimdal/lib/roken/resolve-test.c       |    2 +-
 third_party/heimdal/lib/roken/roken-common.h       |    6 +
 third_party/heimdal/lib/roken/roken.h.in           |   60 +-
 third_party/heimdal/lib/roken/snprintf.c           |    2 +-
 third_party/heimdal/lib/roken/socket.c             |   29 +-
 third_party/heimdal/lib/roken/strftime.c           |    7 +-
 third_party/heimdal/lib/roken/strptime.c           |    2 +-
 third_party/heimdal/lib/roken/strtoll.c            |    3 +
 third_party/heimdal/lib/roken/strtoull.c           |    3 +
 third_party/heimdal/lib/roken/test-getuserinfo.c   |    3 +-
 third_party/heimdal/lib/roken/test-mini_inetd.c    |    2 +-
 third_party/heimdal/lib/roken/timeval.c            |  215 +++-
 third_party/heimdal/lib/roken/version-script.map   |    5 +-
 third_party/heimdal/lib/roken/vis.c                |   17 +-
 third_party/heimdal/lib/sl/Makefile.am             |    2 +-
 third_party/heimdal/lib/sl/sl.c                    |    2 +
 third_party/heimdal/lib/sl/slc-gram.y              |    1 +
 third_party/heimdal/lib/wind/idn-lookup.c          |    6 +-
 third_party/heimdal/lib/wind/utf8.c                |   18 +-
 .../heimdal/packages/windows/installer/NTMakefile  |   33 +-
 .../windows/installer/heimdal-installer.wxs        |   20 +-
 third_party/heimdal/tests/bin/setup-env.in         |    1 +
 third_party/heimdal/tests/gss/Makefile.am          |    2 +
 third_party/heimdal/tests/gss/check-basic.in       |    4 +-
 third_party/heimdal/tests/gss/check-context.in     |   12 +-
 third_party/heimdal/tests/gss/check-gssmask.in     |    4 +-
 third_party/heimdal/tests/gss/check-ntlm.in        |    4 +-
 third_party/heimdal/tests/gss/check-spnego.in      |    4 +-
 third_party/heimdal/tests/gss/krb5.conf.in         |   15 +
 third_party/heimdal/tests/java/check-kinit.in      |    2 +-
 third_party/heimdal/tests/kdc/Makefile.am          |   32 +-
 third_party/heimdal/tests/kdc/check-bx509.in       |    5 +-
 third_party/heimdal/tests/kdc/check-canon.in       |    2 +-
 third_party/heimdal/tests/kdc/check-cc.in          |   47 +-
 third_party/heimdal/tests/kdc/check-delegation.in  |    2 +-
 third_party/heimdal/tests/kdc/check-des.in         |    2 +-
 third_party/heimdal/tests/kdc/check-digest.in      |    2 +-
 third_party/heimdal/tests/kdc/check-fast.in        |    2 +-
 third_party/heimdal/tests/kdc/check-hdb-mitdb.in   |    2 +-
 third_party/heimdal/tests/kdc/check-httpkadmind.in |    2 +-
 third_party/heimdal/tests/kdc/check-iprop.in       |    2 +-
 third_party/heimdal/tests/kdc/check-kadmin.in      |    2 +-
 third_party/heimdal/tests/kdc/check-kdc.in         |    9 +-
 third_party/heimdal/tests/kdc/check-kinit.in       |    2 +-
 third_party/heimdal/tests/kdc/check-kpasswdd.in    |    2 +-
 third_party/heimdal/tests/kdc/check-pkinit.in      |    4 +-
 third_party/heimdal/tests/kdc/check-referral.in    |    2 +-
 third_party/heimdal/tests/kdc/check-tester.in      |    3 +
 third_party/heimdal/tests/kdc/check-uu.in          |    2 +-
 .../tests/kdc/{krb5.conf.in => krb5-kcm.conf.in}   |   18 +-
 third_party/heimdal/tests/kdc/krb5.conf.in         |    3 +
 third_party/heimdal/tests/ldap/check-ldap.in       |    2 +-
 third_party/heimdal/tests/plugin/Makefile.am       |    6 +-
 third_party/heimdal/tests/plugin/check-pac.in      |    6 +-
 third_party/heimdal/tests/plugin/kdc_test_plugin.c |  207 ++++
 third_party/heimdal/tests/plugin/krb5.conf.in      |   15 +
 third_party/heimdal/tests/plugin/windc.c           |  161 ---
 third_party/heimdal/windows/NTMakefile.sdk         |  130 ++
 third_party/heimdal/windows/NTMakefile.w32         |    7 +-
 third_party/heimdal_build/config.h                 |    2 +
 third_party/heimdal_build/krb5/kdc-plugin.h        |    1 +
 third_party/heimdal_build/krb5/windc_plugin.h      |    1 -
 third_party/heimdal_build/wscript_build            |   57 +-
 440 files changed, 14573 insertions(+), 7671 deletions(-)
 delete mode 100644 third_party/heimdal/.github/workflows/build.yml
 create mode 100644 third_party/heimdal/cf/ax_check_sign.m4
 create mode 100644 third_party/heimdal/cf/check-compile-flag.m4
 create mode 100644 third_party/heimdal/kdc/kdc-accessors.h
 copy third_party/heimdal/{lib/gssapi/mech/mech_locl.h => kdc/kdc-audit.h} (51%)
 create mode 100644 third_party/heimdal/kdc/kdc-plugin.c
 create mode 100644 third_party/heimdal/kdc/kdc-plugin.h
 create mode 100644 third_party/heimdal/kdc/mssfu.c
 delete mode 100644 third_party/heimdal/kdc/rx.h
 delete mode 100644 third_party/heimdal/kdc/windc.c
 delete mode 100644 third_party/heimdal/kdc/windc_plugin.h
 create mode 100644 third_party/heimdal/lib/asn1/MANUAL.md
 create mode 100644 third_party/heimdal/lib/asn1/check-gen.h
 create mode 100644 third_party/heimdal/lib/gssapi/krb5/name_attrs.c
 create mode 100644 third_party/heimdal/lib/hdb/hdb.opt
 delete mode 100644 third_party/heimdal/lib/roken/getcap.c
 copy third_party/heimdal/tests/kdc/{krb5.conf.in => krb5-kcm.conf.in} (91%)
 create mode 100644 third_party/heimdal/tests/plugin/kdc_test_plugin.c
 delete mode 100644 third_party/heimdal/tests/plugin/windc.c
 create mode 100644 third_party/heimdal/windows/NTMakefile.sdk
 create mode 100644 third_party/heimdal_build/krb5/kdc-plugin.h
 delete mode 100644 third_party/heimdal_build/krb5/windc_plugin.h


Changeset truncated at 500 lines:

diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 71260d3ed0a..6e87345e2c3 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -45,6 +45,8 @@
 #include "../lib/tsocket/tsocket.h"
 #include "librpc/gen_ndr/ndr_winbind_c.h"
 #include "lib/messaging/irpc.h"
+#include "hdb.h"
+#include <kdc-audit.h>
 
 static krb5_error_code hdb_samba4_open(krb5_context context, HDB *db, int flags, mode_t mode)
 {
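Review bot: the two new includes use different forms, `"hdb.h"` in quotes and `<kdc-audit.h>` in angle brackets, while kdc-glue.h in this same patch pulls in the Heimdal headers uniformly with angle brackets (`#include <hdb.h>`); using `#include <hdb.h>` here keeps the search-path semantics for third_party headers consistent across the KDC sources.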
@@ -78,7 +80,7 @@ static krb5_error_code hdb_samba4_rename(krb5_context context, HDB *db, const ch
 	return HDB_ERR_DB_INUSE;
 }
 
-static krb5_error_code hdb_samba4_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
+static krb5_error_code hdb_samba4_store(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
 {
 	return HDB_ERR_DB_INUSE;
 }
@@ -92,6 +94,24 @@ static krb5_error_code hdb_samba4_set_sync(krb5_context context, struct HDB *db,
 	return 0;
 }
 
+static void hdb_samba4_free_entry_context(krb5_context context, struct HDB *db, hdb_entry *entry)
+{
+	/*
+	 * This function is now called for every HDB entry, not just those with
+	 * 'context' set, so we have to check that the context is not NULL.
+	*/
+	if (entry->context != NULL) {
+		/* this function is called only from hdb_free_entry().
+		 * Make sure we neutralize the destructor or we will
+		 * get a double free later when hdb_free_entry() will
+		 * try to call free_hdb_entry() */
+		talloc_set_destructor(entry->context, NULL);
+
+		/* now proceed to free the talloc part */
+		talloc_free(entry->context);
+	}
+}
+
 static int hdb_samba4_fill_fast_cookie(krb5_context context,
 				       struct samba_kdc_db_context *kdc_db_ctx)
 {
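Review bot: hdb_samba4_free_entry_context() frees entry->context but leaves the pointer dangling; adding `entry->context = NULL;` after `talloc_free(entry->context);` makes a repeated call, or any later look at the field by hdb_free_entry(), harmless instead of a use-after-free, which matters given the comment already warns about double-free hazards on this path. Minor style point in the same hunk: the closing `*/` of the first comment block is indented one column short of the surrounding `\t */` convention.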
@@ -130,7 +150,7 @@ static int hdb_samba4_fill_fast_cookie(krb5_context context,
 
 static krb5_error_code hdb_samba4_fetch_fast_cookie(krb5_context context,
 						    struct samba_kdc_db_context *kdc_db_ctx,
-						    hdb_entry_ex *entry_ex)
+						    hdb_entry *entry_ex)
 {
 	krb5_error_code ret = SDB_ERR_NOENTRY;
 	TALLOC_CTX *mem_ctx;
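Review bot: the parameter keeps the name `entry_ex` although its type is now plain `hdb_entry *`; renaming it to `entry` here, and in hdb_samba4_fetch_kvno() in the following hunk which has the same leftover, would stop readers from expecting the removed hdb_entry_ex wrapper and its `->entry` indirection.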
@@ -218,7 +238,7 @@ static krb5_error_code hdb_samba4_fetch_kvno(krb5_context context, HDB *db,
 					     krb5_const_principal principal,
 					     unsigned flags,
 					     krb5_kvno kvno,
-					     hdb_entry_ex *entry_ex)
+					     hdb_entry *entry_ex)
 {
 	struct samba_kdc_db_context *kdc_db_ctx;
 	struct sdb_entry_ex sdb_entry_ex = {};
@@ -272,7 +292,7 @@ static krb5_error_code hdb_samba4_fetch_kvno(krb5_context context, HDB *db,
 }
 
 static krb5_error_code hdb_samba4_firstkey(krb5_context context, HDB *db, unsigned flags,
-					hdb_entry_ex *entry)
+					hdb_entry *entry)
 {
 	struct samba_kdc_db_context *kdc_db_ctx;
 	struct sdb_entry_ex sdb_entry_ex = {};
@@ -301,7 +321,7 @@ static krb5_error_code hdb_samba4_firstkey(krb5_context context, HDB *db, unsign
 }
 
 static krb5_error_code hdb_samba4_nextkey(krb5_context context, HDB *db, unsigned flags,
-				   hdb_entry_ex *entry)
+				   hdb_entry *entry)
 {
 	struct samba_kdc_db_context *kdc_db_ctx;
 	struct sdb_entry_ex sdb_entry_ex = {};
@@ -337,7 +357,7 @@ static krb5_error_code hdb_samba4_destroy(krb5_context context, HDB *db)
 
 static krb5_error_code
 hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db,
-					hdb_entry_ex *entry,
+					hdb_entry *entry,
 					krb5_const_principal target_principal)
 {
 	struct samba_kdc_db_context *kdc_db_ctx;
@@ -346,7 +366,7 @@ hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db,
 
 	kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
 					   struct samba_kdc_db_context);
-	skdc_entry = talloc_get_type_abort(entry->ctx,
+	skdc_entry = talloc_get_type_abort(entry->context,
 					   struct samba_kdc_entry);
 
 	ret = samba_kdc_check_s4u2proxy(context, kdc_db_ctx,
@@ -373,7 +393,7 @@ hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db,
 
 static krb5_error_code
 hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *db,
-				     hdb_entry_ex *entry,
+				     hdb_entry *entry,
 				     krb5_const_principal certificate_principal)
 {
 	struct samba_kdc_db_context *kdc_db_ctx;
@@ -382,7 +402,7 @@ hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *db,
 
 	kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
 					   struct samba_kdc_db_context);
-	skdc_entry = talloc_get_type_abort(entry->ctx,
+	skdc_entry = talloc_get_type_abort(entry->context,
 					   struct samba_kdc_entry);
 
 	ret = samba_kdc_check_pkinit_ms_upn_match(context, kdc_db_ctx,
@@ -409,14 +429,14 @@ hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *db,
 
 static krb5_error_code
 hdb_samba4_check_client_matches_target_service(krb5_context context, HDB *db,
-			  hdb_entry_ex *client_entry,
-			  hdb_entry_ex *server_target_entry)
+			  hdb_entry *client_entry,
+			  hdb_entry *server_target_entry)
 {
 	struct samba_kdc_entry *skdc_client_entry
-		= talloc_get_type_abort(client_entry->ctx,
+		= talloc_get_type_abort(client_entry->context,
 					struct samba_kdc_entry);
 	struct samba_kdc_entry *skdc_server_target_entry
-		= talloc_get_type_abort(server_target_entry->ctx,
+		= talloc_get_type_abort(server_target_entry->context,
 					struct samba_kdc_entry);
 
 	return samba_kdc_check_client_matches_target_service(context,
@@ -500,15 +520,10 @@ static void send_bad_password_netlogon(TALLOC_CTX *mem_ctx,
 				       irpc_handle, &req);
 }
 
-static krb5_error_code hdb_samba4_auth_status(krb5_context context,
-					      HDB *db,
-					      hdb_entry_ex *entry,
-					      const struct timeval *start_time,
-					      const struct sockaddr *from_addr,
-					      const char *original_client_name,
-					      int hdb_auth_status,
-					      const char *auth_details,
-					      const char *pa_type)
+static krb5_error_code hdb_samba4_audit(krb5_context context,
+					HDB *db,
+					hdb_entry *entry,
+					hdb_request_t r)
 {
 	struct samba_kdc_db_context *kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
 									struct samba_kdc_db_context);
@@ -516,16 +531,66 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context,
 	struct ldb_dn *domain_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
 	uint64_t logon_id = generate_random_u64();
 
+	heim_object_t auth_details_obj = NULL;
+	const char *auth_details = NULL;
+
+	char *etype_str = NULL;
+
+	heim_object_t hdb_auth_status_obj = NULL;
+	int hdb_auth_status;
+
+	heim_object_t pa_type_obj = NULL;
+	const char *pa_type = NULL;
+
+	struct auth_usersupplied_info ui;
+
+	size_t sa_socklen = 0;
+
+	hdb_auth_status_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_AUTH_EVENT);
+	if (hdb_auth_status_obj == NULL) {
+		/* No status code found, so just return. */
+		return 0;
+	}
+
+	hdb_auth_status = heim_number_get_int(hdb_auth_status_obj);
+
+	pa_type_obj = heim_audit_getkv((heim_svc_req_desc)r, "pa");
+	if (pa_type_obj != NULL) {
+		pa_type = heim_string_get_utf8(pa_type_obj);
+	}
+
+	auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_PKINIT_CLIENT_CERT);
+	if (auth_details_obj != NULL) {
+		auth_details = heim_string_get_utf8(auth_details_obj);
+	} else {
+		auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_GSS_INITIATOR);
+		if (auth_details_obj != NULL) {
+			auth_details = heim_string_get_utf8(auth_details_obj);
+		} else {
+			heim_object_t etype_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_PA_ETYPE);
+			if (etype_obj != NULL) {
+				int etype = heim_number_get_int(etype_obj);
+
+				krb5_error_code ret = krb5_enctype_to_string(r->context, etype, &etype_str);
+				if (ret == 0) {
+					auth_details = etype_str;
+				} else {
+					auth_details = "unknown enctype";
+				}
+			}
+		}
+	}
+
 	/*
 	 * Forcing this via the NTLM auth structure is not ideal, but
 	 * it is the most practical option right now, and ensures the
 	 * logs are consistent, even if some elements are always NULL.
 	 */
-	struct auth_usersupplied_info ui = {
+	ui = (struct auth_usersupplied_info) {
 		.mapped_state = true,
 		.was_mapped = true,
 		.client = {
-			.account_name = original_client_name,
+			.account_name = r->cname,
 			.domain_name = NULL,
 		},
 		.service_description = "Kerberos KDC",
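Review bot: the pre-authentication type lookup passes the bare string literal `"pa"` as its key while the neighbouring heim_audit_getkv() calls use the KDC_REQUEST_KV_* constants from <kdc-audit.h>; if the header defines a name for that key it should be used, otherwise a comment should explain why this one is spelled out, since a typo here silently yields `pa_type == NULL` and the PK-INIT specific status mapping further down would never fire.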
@@ -534,9 +599,7 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context,
 		.logon_id = logon_id
 	};
 
-	size_t sa_socklen = 0;
-
-	switch (from_addr->sa_family) {
+	switch (r->addr->sa_family) {
 	case AF_INET:
 		sa_socklen = sizeof(struct sockaddr_in);
 		break;
@@ -548,10 +611,10 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context,
 	}
 
 	switch (hdb_auth_status) {
-	case HDB_AUTHSTATUS_AUTHORIZATION_SUCCESS:
+	case KDC_AUTH_EVENT_CLIENT_AUTHORIZED:
 	{
 		TALLOC_CTX *frame = talloc_stackframe();
-		struct samba_kdc_entry *p = talloc_get_type(entry->ctx,
+		struct samba_kdc_entry *p = talloc_get_type(entry->context,
 							    struct samba_kdc_entry);
 		struct netr_SendToSamBase *send_to_sam = NULL;
 
@@ -566,18 +629,12 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context,
 			reset_bad_password_netlogon(frame, kdc_db_ctx, send_to_sam);
 		}
 		talloc_free(frame);
-		break;
 	}
-	case HDB_AUTHSTATUS_CLIENT_LOCKED_OUT:
-	case HDB_AUTHSTATUS_CORRECT_PASSWORD:
-	case HDB_AUTHSTATUS_WRONG_PASSWORD:
-	case HDB_AUTHSTATUS_GENERIC_SUCCESS:
-	case HDB_AUTHSTATUS_GENERIC_FAILURE:
-	case HDB_AUTHSTATUS_PKINIT_SUCCESS:
-	case HDB_AUTHSTATUS_PKINIT_FAILURE:
+	FALL_THROUGH;
+	default:
 	{
 		TALLOC_CTX *frame = talloc_stackframe();
-		struct samba_kdc_entry *p = talloc_get_type(entry->ctx,
+		struct samba_kdc_entry *p = talloc_get_type(entry->context,
 							    struct samba_kdc_entry);
 		struct dom_sid *sid
 			= samdb_result_dom_sid(frame, p->msg, "objectSid");
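Review bot: removing the `break;` and adding `FALL_THROUGH;` makes KDC_AUTH_EVENT_CLIENT_AUTHORIZED run the `default:` block too, so the successful path also reaches log_authentication_event(); that is the point of the restructuring but it is not obvious from the code, and a one-line comment above `FALL_THROUGH;` saying that authorised requests must still produce an audit log entry would stop a later reader from "fixing" it. Note also that `default:` now absorbs every other KDC_AUTH_EVENT_* value, so a new event type added upstream lands in the DBG_ERR()/NT_STATUS_INTERNAL_ERROR branch rather than failing to compile; that is acceptable, but worth stating in the comment as well.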
@@ -589,7 +646,7 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context,
 		NTSTATUS status;
 		int ret;
 
-		ret = tsocket_address_bsd_from_sockaddr(frame, from_addr,
+		ret = tsocket_address_bsd_from_sockaddr(frame, r->addr,
 							sa_socklen,
 							&remote_host);
 		if (ret != 0) {
@@ -613,7 +670,11 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context,
 		}
 		ui.auth_description = auth_description;
 
-		if (hdb_auth_status == HDB_AUTHSTATUS_WRONG_PASSWORD) {
+		if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_AUTHORIZED) {
+			status = NT_STATUS_OK;
+		} else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_TIME_SKEW) {
+			status = NT_STATUS_TIME_DIFFERENCE_AT_DC;
+		} else if (hdb_auth_status == KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY) {
 			authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
 			status = NT_STATUS_WRONG_PASSWORD;
 			/*
@@ -624,25 +685,29 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context,
 			if (kdc_db_ctx->rodc) {
 				send_bad_password_netlogon(frame, kdc_db_ctx, &ui);
 			}
-		} else if (hdb_auth_status == HDB_AUTHSTATUS_CLIENT_LOCKED_OUT) {
+		} else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_LOCKED_OUT) {
 			status = NT_STATUS_ACCOUNT_LOCKED_OUT;
-		} else if (hdb_auth_status == HDB_AUTHSTATUS_CORRECT_PASSWORD) {
-			status = NT_STATUS_OK;
-		} else if (hdb_auth_status == HDB_AUTHSTATUS_GENERIC_SUCCESS) {
-			status = NT_STATUS_OK;
-		} else if (hdb_auth_status == HDB_AUTHSTATUS_GENERIC_FAILURE) {
-			status = NT_STATUS_GENERIC_COMMAND_FAILED;
-		} else if (hdb_auth_status == HDB_AUTHSTATUS_PKINIT_SUCCESS) {
-			status = NT_STATUS_OK;
-		} else if (hdb_auth_status == HDB_AUTHSTATUS_PKINIT_FAILURE) {
-			status = NT_STATUS_PKINIT_FAILURE;
+		} else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED) {
+			if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) {
+				status = NT_STATUS_PKINIT_NAME_MISMATCH;
+			} else {
+				status = NT_STATUS_ACCOUNT_RESTRICTION;
+			}
+		} else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_FAILED) {
+			if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) {
+				status = NT_STATUS_PKINIT_FAILURE;
+			} else {
+				status = NT_STATUS_GENERIC_COMMAND_FAILED;
+			}
 		} else {
+			DBG_ERR("Unhandled hdb_auth_status=%d => INTERNAL_ERROR\n",
+				hdb_auth_status);
 			status = NT_STATUS_INTERNAL_ERROR;
 		}
 
 		log_authentication_event(kdc_db_ctx->msg_ctx,
 					 kdc_db_ctx->lp_ctx,
-					 start_time,
+					 &r->tv_start,
 					 &ui,
 					 status,
 					 domain_name,
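Review bot: the test `pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0` is duplicated in the CLIENT_NAME_UNAUTHORIZED and PREAUTH_FAILED branches; computing a `bool is_pkinit` once, right after pa_type is fetched from the request, keeps the two branches from drifting apart when the prefix or the comparison changes.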
@@ -651,12 +716,12 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context,
 		TALLOC_FREE(frame);
 		break;
 	}
-	case HDB_AUTHSTATUS_CLIENT_UNKNOWN:
+	case KDC_AUTH_EVENT_CLIENT_UNKNOWN:
 	{
 		struct tsocket_address *remote_host;
 		int ret;
 		TALLOC_CTX *frame = talloc_stackframe();
-		ret = tsocket_address_bsd_from_sockaddr(frame, from_addr,
+		ret = tsocket_address_bsd_from_sockaddr(frame, r->addr,
 							sa_socklen,
 							&remote_host);
 		if (ret != 0) {
@@ -673,7 +738,7 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context,
 
 		log_authentication_event(kdc_db_ctx->msg_ctx,
 					 kdc_db_ctx->lp_ctx,
-					 start_time,
+					 &r->tv_start,
 					 &ui,
 					 NT_STATUS_NO_SUCH_USER,
 					 NULL, NULL,
@@ -682,6 +747,9 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context,
 		break;
 	}
 	}
+
+	free(etype_str);
+
 	return 0;
 }
 
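Review bot: `free(etype_str);` releases a string obtained from krb5_enctype_to_string(); Heimdal documents krb5_xfree() as the release function for strings it hands back, so using it here (it also accepts NULL, which covers the paths that never set etype_str) keeps the allocator pairing explicit instead of relying on the current implementation using malloc(). The early `return 0;` before any assignment is fine because etype_str is initialised to NULL.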
@@ -721,6 +789,7 @@ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
 	(*db)->hdb_dbc = NULL;
 	(*db)->hdb_open = hdb_samba4_open;
 	(*db)->hdb_close = hdb_samba4_close;
+	(*db)->hdb_free_entry_context = hdb_samba4_free_entry_context;
 	(*db)->hdb_fetch_kvno = hdb_samba4_fetch_kvno;
 	(*db)->hdb_store = hdb_samba4_store;
 	(*db)->hdb_firstkey = hdb_samba4_firstkey;
@@ -736,7 +805,7 @@ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
 	(*db)->hdb__del = NULL;
 	(*db)->hdb_destroy = hdb_samba4_destroy;
 
-	(*db)->hdb_auth_status = hdb_samba4_auth_status;
+	(*db)->hdb_audit = hdb_samba4_audit;
 	(*db)->hdb_check_constrained_delegation = hdb_samba4_check_constrained_delegation;
 	(*db)->hdb_check_pkinit_ms_upn_match = hdb_samba4_check_pkinit_ms_upn_match;
 	(*db)->hdb_check_client_matches_target_service = hdb_samba4_check_client_matches_target_service;
diff --git a/source4/kdc/kdc-glue.c b/source4/kdc/kdc-glue.c
index c6cc61ad02d..671e506b8cc 100644
--- a/source4/kdc/kdc-glue.c
+++ b/source4/kdc/kdc-glue.c
@@ -34,7 +34,7 @@
 int kdc_check_pac(krb5_context context,
 		  DATA_BLOB srv_sig,
 		  struct PAC_SIGNATURE_DATA *kdc_sig,
-		  struct hdb_entry_ex *ent)
+		  hdb_entry *ent)
 {
 	krb5_enctype etype;
 	int ret;
@@ -52,7 +52,7 @@ int kdc_check_pac(krb5_context context,
 		}
 	}
 
-	ret = hdb_enctype2key(context, &ent->entry, NULL, etype, &key);
+	ret = hdb_enctype2key(context, ent, NULL, etype, &key);
 
 	if (ret != 0) {
 		return ret;
diff --git a/source4/kdc/kdc-glue.h b/source4/kdc/kdc-glue.h
index 3b85468c499..47642e12432 100644
--- a/source4/kdc/kdc-glue.h
+++ b/source4/kdc/kdc-glue.h
@@ -28,7 +28,7 @@
 #include <hdb.h>
 #include <heimbase.h>
 #include <kdc.h>
-#include <krb5/windc_plugin.h>
+#include <krb5/kdc-plugin.h>
 #include "kdc/samba_kdc.h"
 #include "kdc/kdc-server.h"
 
@@ -50,5 +50,5 @@ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
 int kdc_check_pac(krb5_context krb5_context,
 		  DATA_BLOB server_sig,
 		  struct PAC_SIGNATURE_DATA *kdc_sig,
-		  hdb_entry_ex *ent);
+		  hdb_entry *ent);
 #endif
diff --git a/source4/kdc/kdc-heimdal.c b/source4/kdc/kdc-heimdal.c
index 2abb5eab925..ddf3b649da2 100644
--- a/source4/kdc/kdc-heimdal.c
+++ b/source4/kdc/kdc-heimdal.c
@@ -42,7 +42,7 @@
 
 NTSTATUS server_service_kdc_init(TALLOC_CTX *);
 
-extern struct krb5plugin_windc_ftable windc_plugin_table;
+extern struct krb5plugin_kdc_ftable kdc_plugin_table;
 
 /**
    Wrapper for krb5_kdc_process_krb5_request, converting to/from Samba
@@ -191,7 +191,7 @@ static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg,
 		(krb5_kdc_configuration *)kdc->private_data;
 	enum ndr_err_code ndr_err;
 	int ret;
-	hdb_entry_ex ent;
+	hdb_entry ent;
 	krb5_principal principal;
 
 
@@ -235,7 +235,7 @@ static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg,
 						 &ent);
 
 	if (ret != 0) {
-		hdb_free_entry(kdc->smb_krb5_context->krb5_context, &ent);
+		hdb_free_entry(kdc->smb_krb5_context->krb5_context, kdc_config->db[0], &ent);
 		krb5_free_principal(kdc->smb_krb5_context->krb5_context, principal);
 
 		return NT_STATUS_LOGON_FAILURE;
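Review bot: on the `ret != 0` path hdb_free_entry() is called on `ent` even though the preceding fetch (ending at `&ent);`) failed; confirm that the fetch leaves `ent` zero-initialised on failure, or zero it before the call, otherwise the new db-aware hdb_free_entry() may run the free-entry-context callback on garbage.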
@@ -247,7 +247,7 @@ static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg,
 
 	ret = kdc_check_pac(kdc->smb_krb5_context->krb5_context, srv_sig, &kdc_sig, &ent);
 
-	hdb_free_entry(kdc->smb_krb5_context->krb5_context, &ent);
+	hdb_free_entry(kdc->smb_krb5_context->krb5_context, kdc_config->db[0], &ent);
 	krb5_free_principal(kdc->smb_krb5_context->krb5_context, principal);
 
 	if (ret != 0) {
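Review bot: `kdc_config->db[0]` is hard-coded as the database for hdb_free_entry() both here and in the error path above; it must be the same db the entry was fetched from, since the new hdb_free_entry() dispatches to that db's `hdb_free_entry_context` callback. Consider capturing the db in a local (e.g. `struct HDB *db = kdc_config->db[0];`) so both calls and the fetch stay in sync.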
@@ -408,8 +408,6 @@ static void kdc_post_fork(struct task_server *task, struct process_details *pd)
 	kdc_config->svc_use_strongest_session_key = false;
 	kdc_config->use_strongest_server_key = true;
 
-	kdc_config->autodetect_referrals = false;
-
 	kdc_config->force_include_pa_etype_salt = true;
 
 	/*
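Review bot: dropping `kdc_config->autodetect_referrals = false;` silently changes behaviour unless the new Heimdal no longer has this field; since referral handling now goes through the referral policy callback added earlier in this series, please state in the commit message that the callback preserves the previous no-autodetect behaviour.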
@@ -472,19 +470,19 @@ static void kdc_post_fork(struct task_server *task, struct process_details *pd)
 		return;
 	}
 
-	/* Register WinDC hooks */
+	/* Register KDC hooks */
 	ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context,
-				   PLUGIN_TYPE_DATA, "windc",
-				   &windc_plugin_table);
+				   PLUGIN_TYPE_DATA, "kdc",
+				   &kdc_plugin_table);
 	if(ret) {
-		task_server_terminate(task, "kdc: failed to register windc plugin", true);
+		task_server_terminate(task, "kdc: failed to register kdc plugin", true);
 		return;
 	}
 
-	ret = krb5_kdc_windc_init(kdc->smb_krb5_context->krb5_context);
+	ret = krb5_kdc_plugin_init(kdc->smb_krb5_context->krb5_context);
 
 	if(ret) {

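Review bot: the plugin name passed to krb5_plugin_register() changes from "windc" to "kdc"; this string must match what krb5_kdc_plugin_init() looks up in the imported Heimdal, otherwise registration succeeds but the Samba hooks are never invoked. The "Register KDC hooks" comment and the termination message are updated consistently; as a style nit, `if(ret)` lacks a space after `if` in both spots (pre-existing, but worth fixing while the lines are touched).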