Age | Commit message (Collapse) | Author | Files | Lines |
|
Finally remove the distinction between 'krb5' and 'ms_krb5'. We now
don't do kerberos stuff twice on failure. The solution to this is
slightly more general than perhaps was really required (as this is a
special case), but it works, and I'm happy with the cleanup I achived
in the process. All modules have been updated to supply a
NULL-terminated list of OIDs.
In that process, SPNEGO code has been generalised, as I realised that
two of the functions should have been identical in behaviour.
Over in the actual modules, I have worked to remove the 'kinit' code
from gensec_krb5, and placed it in kerberos/kerberos_util.c.
The GSSAPI module has been extended to use this, so no longer requires
a manual kinit at the command line. It will soon loose the
requirement for a on-disk keytab too.
The general kerberos code has also been updated to move from
error_message() to our routine which gets the Heimdal error string
(which may be much more useful) when available.
Andrew Bartlett
(This used to be commit 0101728d8e2ed9419eb31fe95047944a718ba135)
|
|
this out by asking GENSEC, just like everybody else.
Andrew Bartlett
(This used to be commit 0268d6c46b73bf2097247639df2532b5e8591531)
|
|
back to the 'not /dev/urandom' method of random number generation, I
don't want to be chasing down 'use of uninitialised value' though all
the crypto code.
Andrew Bartlett
(This used to be commit 31ff2cd8e11dee36c42f82dcfd85338d3ff704d3)
|
|
rafal
(This used to be commit 0f9a2aef6c87bd53c962b33bf78bf773d2319b97)
|
|
features merged back into gensec_gssapi.
(Removed because I've made some API changes, and it isn't worth
'fixing' the rudundent code to cope with changes)
Andrew Bartlett
(This used to be commit e8cf3d58ec956e41fc8d3e38363db3d5d838fe1d)
|
|
(This used to be commit 46509eb89980bfe6dabd71264d570ea356ee5a22)
|
|
(This used to be commit f5956d150154cb4393dc323ae8ae1f936adee355)
|
|
soon-to-be-depricated 'realm'.
Add torture test for this behaviour.
Andrew Bartlet
(This used to be commit 6b9020661a13fd5ec6c5d1e21344d9f654978987)
|
|
back to the other options.
Andrew Bartlett
(This used to be commit 9153d7306124d5e4ffc0467728210e2e2235059f)
|
|
kerberos, and how Microsoft constructs their kerberos implementation.
Andrew Bartlett
(This used to be commit 5fa9be75d987af106fd798f6d5379b637a170b00)
|
|
(This used to be commit c1f1b5a9455c827f7baf382d919ab8a0eab49bb3)
|
|
(This used to be commit 9f1b15832d4a8bc9914751811fd10f6a35265b8d)
|
|
in DRSUAPI
-and some comments on what the attribute syntaxes matches what internal datatypes
metze
(This used to be commit 58c6887da48c2ebdec14529cb81e7589101f7aae)
|
|
correctly - it gets the realm from an initial no-attribute search
(This used to be commit 52d10c8d99521f9dd02891a30688472d96860aef)
|
|
(This used to be commit 2f80b2070f1fc99151f0a583271cd9047d53bab6)
|
|
(This used to be commit 45a0692be10a03032f9a4e26da3de08696c03464)
|
|
my best guess now is that w2k3 converts the & in the cldap query to an |
for the ldap search. at least it behaves roughly like that.
(This used to be commit 1d6ab9aaefee71e3d0f87c1afae8ccdbae1f0e04)
|
|
AAC, and User attributes in cldap netlogon queries
interestingly, while WinXP generated cldap filters with these set, the
w2k3 cldap server seems to completely ignore them, so I didn't need to
alter our cldap server at all to pass the test :-)
(This used to be commit 177c8becd2051c9d1f261358baf4b85ca89700d8)
|
|
cldap netlogon queries
(This used to be commit 7c1d0f449d3922a309fc86e5d9cb1e962a39805d)
|
|
ldap friendly filter strings
(This used to be commit 8890dd3ac331cffe83226a356c52df89c917c2b0)
|
|
(This used to be commit 6f4ad382d445c3cdb8e50727f09d79334076e02d)
|
|
- started adding support for the other cldap attributes that XP uses
(This used to be commit 1537558039b012a4124e6167ad7ebfd7486f05ff)
|
|
(This used to be commit 39c8acdaa5746bec9171a4624e24e4eea553bcb1)
|
|
attributes
example:
*: CASE_INSENSITIVE
by placing it in the @ATTRIBUTES object you make all the matching be case insensitive
to make an excepion to the general rule now you just need to create an entry like:
name: CASE_SENSITIVE
the key CASE_SENSITIVE currently does not exist but has the effect of making the code
ignore the wildcard default flag and being ldb case sensitive by default it let the
"name" attribute be case sensitive again
Tridge, can you look at this commit?
Should we introduce a CASE_SENSITVE/BINARY flag and handle it in the code ?
Simo.
(This used to be commit 5f10707e8ac36db03f3aa3e1ee1c40a9d9da2016)
|
|
(This used to be commit 8d63cd33a223cccb21d808747e9c97da53629fbc)
|
|
query with this
in uppercase)
(This used to be commit f0c37555ff30c3e5ff4680d0b33bc105ebd3a0b1)
|
|
I can now join winxp -> samba4 DC using long name, and login. The nice
thing is there are no delays now, as the client likes the replies it gets
(This used to be commit 5aff7d36f3e535e305820ae42b023ae53cc0daf9)
|
|
support, and
filling in some of the returned parameters is quite rough, but it seems to work OK
(This used to be commit e564e3e596915414fad07c94f7ea8a0d9c3a1140)
|
|
(This used to be commit dc25be9d69a65680f7942ed29c2d791d6ce7248a)
|
|
- expose the ldap filter string parsing outside of ldap.c
(This used to be commit b644ff6fe164fbe359c47e4d34f5ad490ff61d5b)
|
|
(This used to be commit 992858e1b91c3ff05077afa8a7abe155198597d4)
|
|
giving valgrind errors
(This used to be commit 7af0c547e0c0da3bc78a1ee6c2ab29114d8625cc)
|
|
(This used to be commit 6d15e9511115cc30ee213ec91320a2dccde15b8f)
|
|
This also includes other changes to reduce memory use by GENSEC when
not being used for sign/seal operations. This should lower tridge's K
'per connection' benchmark further.
Andrew Bartlett
(This used to be commit 4a5829401b20c10091185bbd93236477523459b2)
|
|
Andrew Bartlett
(This used to be commit 77d054c65aeecfc0d1156d750f7b8025cb154d3a)
|
|
same time, but with different names. This just helps me avoid
conflicts when I merge up my other changes.
Andrew Bartlett
(This used to be commit 27e6a853a5160cb1ad595bea25e891eeae439662)
|
|
metze
(This used to be commit 0c1cd40bcea748d65938bb2dc8160ea07e9ec851)
|
|
metze
(This used to be commit 3536029e8fb1da1ca689e0b7aa1f3edfb7967790)
|
|
- support 'modrdn' ldif
metze
(This used to be commit b6a1734699953964fcde6fe6ea7048496492eb33)
|
|
metze
(This used to be commit 161ecce7441649629b97ce1ca903b9704e06f66b)
|
|
metze
(This used to be commit 491d7804f5f5bdfb43ae09b81c2cbc34fab2246d)
|
|
Andrew Bartlett
(This used to be commit 400899995b2c2ed54a114f8f55e5fb36592298b9)
|
|
must register the 'MS' OID for the domain join to progress.
Andrew Bartlett
(This used to be commit c8fbda6bfd96d5d57cd52bc15d8695547effe2e3)
|
|
This patch allows a suitably patched Heimdal GSSAPI library (detected
in configure) to supply to us the session keys, and further compleats
the gensec_gssapi module. This is tested for CIFS, but fails for LDAP
at this point (that is what I'll work on next).
We currently fill out the 'session info' from the SAM, like
gensec_krb5 does, but both will need to use the PAC extraction
functions in the near future.
Andrew Bartlett
(This used to be commit 937ee361615a487af9e0279145e75b6c27720a6b)
|
|
(This used to be commit 2b36f1dfdd6cf3ab89f63b541ae4cd905fb03c8d)
|
|
(This used to be commit e51e0dffa8f8bff9bd1535751e805b548b6c6d7f)
|
|
(This used to be commit 04af0e7c5de467a24b965ce1de2fb07621133164)
|
|
response.
To work around the fact that the type of the returned data is not
encoded in the packet, this required adding ndr_pull_union_blob()
which allows us to pull a blob into a union with a specified switch
value, in this case the switch value comes from the calling NtVer field.
(This used to be commit bd27e626c27be72913d1a1569ee6e2e2711df84e)
|
|
enum, otherwise
it will assume its a struct
(This used to be commit 9a8f3e3c4cc3bad804b4fab3a7248e6fd88f3749)
|
|
rafal
(This used to be commit a784c46dd40ee2ea00fb67caeb358e76cdc0712f)
|