Age | Commit message | Author | Files | Lines |
|
we now require the full domain name, for the DNS/CLDAP lookup
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
The DC is now found via DNS/CLDAP
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
this gives access to the CLDAP/DNS finddc code from python
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
this prevents conflicts with old generated files and we can only ever
return one DC with this interface.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
finddcs_nbt is currently unused, but will later be a fallback if a
cldap DC find fails.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
this may later be changed to do fallback to NBT as well, but for now
cldap is sufficient
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
when we are a RODC, don't respond with the writable bit in the server
type response of netlogon requests
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
this finds DCs with a specified set of server_type bit using SRV
lookups and CLDAP
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
we already have a 'v' in scope
|
|
If we use "ip" we end up with a PF_INET6 socket which breaks sendto()
for v4 addresses.
|
|
this allows for multiple replies to a SRV lookup
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
The secure channel type is needed to work out what DC to connect to
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
As a RODC we need to forward some auth requests to a writable DC
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
When we are using SEC_CHAN_RODC we need to set the
NETLOGON_NEG_RODC_PASSTHROUGH bit in the negotiated flags in
ServerAuthenticate2
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
when we are an RODC we need to be able to allow multiple auth backends
to process a single auth request. First the sam backend will try to
authenticate, using locally stored passwords. If this backend can't
find local passwords then it will try the winbind backend and
authenticate via a writeable DC
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
the mixture of async and sync code in gensec makes an EOF on a socket
during a session setup cause a crash. The simplest solution is to
stop processing events on the socket until the session setup is
complete.
|
|
when an RODC tries to authenticate against an account and the account
has no password information it needs to send a message to the drepl
server to tell it to try and replicate the secret information from
a writeable DC
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
It can be useful for an irpc message to be one-way, where the client
sends a message and the server does not reply. This will be used for
things like a trigger message from an auth context to the drepl server
to tell it to try a REPL_SECRET on a user in a RODC.
Previously we've used raw messaging for messages that have no reply,
but that doesn't allow us to use messages described by IDL
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
el has already been checked for NULL
|
|
need to use ssize_t, not size_t for error handling
|
|
down_req is not initialised yet
|
|
through an smb.conf option.
Signed-off-by: Jeremy Allison <jra@samba.org>
|
|
Jeremy.
|
|
string_to_sid() to be used in formatted strings like FOO/S-1-5-XXXX-YYYY/BAR.
Jeremy.
|
|
Andrew Bartlett
|
|
The manual parser failed to constrain the maximum number of
sub-authorities to 15, allowing an overflow of the array.
Andrew Bartlett
|
|
This ensures that the maximum number of sub-authorities is respected,
otherwise we may run off the end of the array.
Andrew Bartlett
|
|
The source3 code respects the limit of a maximum of 15 subauths,
while the source4 code does not, creating a security issue as
we parse string-form SIDs from clients.
Andrew Bartlett
|
|
This ensures that this, unlike the MAXSUBAUTHS macro, can't get
out of sync with the structure.
Andrew Bartlett
|
|
Andrew Bartlett
|
|
there's no point in not profiling times if no monotonic clock is found -
monotonic and realtime clock are equally fast. Just use clock_gettime_mono
instead.
|
|
that clock is a CPU burnometer but we need a chronometer for profiling.
|
|
in Solaris 8 CLOCK_HIGHRES was the (only) name for CLOCK_MONOTONIC
|
|
Guenther
|
|
system will take care of that.
|
|
of gensec on dcerpc.
|
|
fails.
|