Age | Commit message | Author | Files | Lines
2010-12-10 | s3-winbind Improve memory handling in NTLMv2-backend plaintext authentication | Andrew Bartlett | 1 | -17/+6
Andrew Bartlett
2010-12-10 | s3-winbind Don't send the LM password to the server, ever | Andrew Bartlett | 1 | -11/+1
This is for the case where we have the plaintext password locally, and can construct the challenge-response values here. We should never ever use the LM password in domain authentication. The last domain controller to only have LM passwords stored was NT 3.5. Andrew Bartlett
2010-12-10 | s3-libsmb Don't ever ask for machine$ principals as a target. | Andrew Bartlett | 1 | -30/+6
It is never correct to ask for a machine$ principal as the target of a kerberos connection. You should always connect via the servicePrincipalName. This current code appears to have built up from a series of minimal changes, as the codebase adapted to the lack of a SPNEGO principal from Windows 2008. Andrew Bartlett
2010-12-10 | s3-docs Add docs for 'client use spnego principal' and 'send spnego principal' | Andrew Bartlett | 2 | -0/+56
Andrew Bartlett
2010-12-10 | s3-docs Explain change to NTLMv2 by default in the client | Andrew Bartlett | 1 | -6/+7
2010-12-10 | s3-client Use NTLMv2 by default in the Samba client | Andrew Bartlett | 1 | -2/+2
This matches the improved security measures of Windows Vista. Andrew Bartlett
2010-12-10 | s3-smbd Don't send SPNEGO principal (rfc4178 hint) by default | Andrew Bartlett | 3 | -0/+15
This patch, based on the suggestion by Goldberg, Neil R. <ngoldber@mitre.org> turns off the sending of the principal in the negprot by default, matching Windows 2008 behaviour. This slowly works us back from this hack, which from an RFC perspective was never the right thing to do in the first place, but we traditionally follow windows behaviour. It also discourages client implementations from relying on it, as if they do they are more open to man-in-the-middle attacks. Andrew Bartlett
2010-12-10 | s3-libads Default to NOT using the server-supplied principal from SPNEGO | Andrew Bartlett | 4 | -6/+19
This principal is not supplied by later versions of windows, and using it opens up some opportunities for man in the middle attacks. (Because it isn't the name being contacted that is verified with the KDC). This adds the option 'client use spnego principal' to the smb.conf (as used in Samba4) to control this behaviour. As in Samba4, this defaults to false. Against 2008 servers, this will not change behaviour. Against earlier servers, it may cause a downgrade to NTLMSSP more often, in environments where server names are not registered with the KDC as servicePrincipalName values. Andrew Bartlett
2010-12-10 | subunitrun: Use unittest.TestProgram if subunit.TestProgram is not | Jelmer Vernooij | 2 | -27/+12
available. Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Fri Dec 10 03:49:03 CET 2010 on sn-devel-104
2010-12-10 | s4-python: Add convenience function for forcibly importing bundled | Jelmer Vernooij | 2 | -4/+17
package.
2010-12-10 | subunitrun: Extend hack to cope with older system subunit run installs. | Jelmer Vernooij | 1 | -0/+2
2010-12-10 | subunitrun: Remove global subunit module when reimporting from a | Jelmer Vernooij | 1 | -1/+6
different location.
2010-12-10 | s4-dist: Remove no longer existing files from blacklist (fixes 'make | Jelmer Vernooij | 1 | -2/+1
dist' inclusion of configure)
2010-12-10 | s4-python: Fix use of bundled modules. | Jelmer Vernooij | 1 | -1/+1
2010-12-10 | s4-python: Split up ensure_external_module. | Jelmer Vernooij | 2 | -10/+23
2010-12-10 | selftest: Make sure system subunit.run has TestProgram. | Jelmer Vernooij | 1 | -1/+1
2010-12-10 | smbtorture: Rename --list to --list-suites, add stub --list. | Jelmer Vernooij | 4 | -13/+14
2010-12-10 | selftest: Check exit code when listing tests. | Jelmer Vernooij | 1 | -0/+11
2010-12-10 | s4-selftest: Add convenience function for running testsuites using | Jelmer Vernooij | 1 | -9/+17
subunitrun.
2010-12-10 | selftest: Allow discovering tests in pure python testsuites. | Jelmer Vernooij | 1 | -2/+2
2010-12-10 | subunitrun: Support --list. | Jelmer Vernooij | 1 | -3/+8
2010-12-10 | selftest: Rename $LIST to $LISTOPT for consistency with testrepository. | Jelmer Vernooij | 1 | -2/+2
2010-12-10 | dnspython: Update to newer upstream snapshot. | Jelmer Vernooij | 22 | -95/+1175
2010-12-10 | subunit: Update to newer upstream snapshot. | Jelmer Vernooij | 8 | -16/+47
2010-12-10 | testtools: Import new upstream snapshot. | Jelmer Vernooij | 36 | -367/+3694
2010-12-10 | selftest: add --list option. | Jelmer Vernooij | 2 | -1/+25
2010-12-10 | selftest: Document --testenv in --help output, remove documentation for | Jelmer Vernooij | 1 | -1/+1
now obsolete --analyse-cmd.
2010-12-10 | pidl: use $CC -E if $CPP is not defined, if both undefined use cpp | Matthieu Patou | 1 | -2/+8
Autobuild-User: Matthieu Patou <mat@samba.org> Autobuild-Date: Fri Dec 10 01:26:44 CET 2010 on sn-devel-104
2010-12-10 | build: use CPP and CC values when calling pidl | Matthieu Patou | 2 | -1/+19
2010-12-10 | build: introduce SAMBA_CHECK_PYTHON_HEADERS | Matthieu Patou | 5 | -4/+13
This function is a wrapper around waf's check_python_header. It avoids searching more than once for the headers bringing a small speed improvement and a better readability of the logs. But it's mainly to avoid a nasty bug when python libraries are in path pointed by python_LIBPL (ie. /usr/local/lib/python2.6/config/) instead of python_LIBDIR (ie. /usr/local/lib). On the first call waf will correctly find that in order to link with python libs it needs to add -L$python_LIBPL. But on the next calls of check_python_headers, waf will use both the current library path value (ie. -L/usr/local/lib/python2.6/config) and -L$python_LIBDIR (ie. /usr/local/lib/) which will make him believe that python libraries are in $python_LIBDIR which at the end will make the final link test fail in check_python_headers as it will not use the good directory. So by avoiding calling check_python_headers more than once we avoid making waf fool itself.
2010-12-10 | build: finishing fixing broken libiconv on hpux | Matthieu Patou | 1 | -0/+2
2010-12-09 | s4 libcli: Add libcli_echo lib and torture test | Kai Blin | 8 | -0/+372
Autobuild-User: Kai Blin <kai@samba.org> Autobuild-Date: Thu Dec 9 23:57:03 CET 2010 on sn-devel-104
2010-12-09 | s4: Implement UDP echo server example | Kai Blin | 4 | -0/+388
This is a simple UDP-based echo server. It is mainly intended as an example on how to do server service tasks in s4.
2010-12-09 | s4:pyrpc_util: s/typename/type_name to avoid c++ warnings | Stefan Metzmacher | 2 | -6/+6
metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Thu Dec 9 17:55:57 CET 2010 on sn-devel-104
2010-12-09 | talloc: pytalloc-util should not have an ABI-file yet | Stefan Metzmacher | 1 | -2/+0
Somehow I forgot to remove this after discussion with Jelmer. metze
2010-12-09 | wintest Remove the password expiry as the first step | Andrew Bartlett | 2 | -4/+13
This is particularly important before dcpromo, as the password will otherwise be expired in the new domain. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Dec 9 13:33:00 CET 2010 on sn-devel-104
2010-12-09 | waf: remove the restriction that private libraries must not have a vnum | Andrew Tridgell | 5 | -19/+6
we need the vnum for ABI checking for public libraries built as private libraries when bundled Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Thu Dec 9 12:47:41 CET 2010 on sn-devel-104
2010-12-09 | waf: fixed path to abi_directory | Andrew Tridgell | 1 | -1/+1
this broke in a recent patch
2010-12-09 | s4-spnego Match Windows 2008, and no longer supply a name in the CIFS Negprot | Andrew Bartlett | 1 | -10/+1
Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Dec 9 08:50:28 CET 2010 on sn-devel-104
2010-12-09 | s4-lsa Implement kerberos ticket life policy | Andrew Bartlett | 8 | -11/+117
We now no longer print tickets with a potentially infinite life, and we report the same life over LSA as we use in the KDC. We should get this from group policy, but for now it's parametric smb.conf options. Andrew Bartlett
2010-12-09 | s4-tests Workaround new default of 'client ntlmv2 auth = yes' in tests | Andrew Bartlett | 2 | -3/+3
The new default breaks some tests that were assuming LM or NTLM auth Andrew Bartlett
2010-12-09 | s4-client Use NTLMv2 by default in the Samba4 client. | Andrew Bartlett | 1 | -0/+1
2010-12-09 | waf: add a dependency between the library and its vscript | Andrew Tridgell | 2 | -1/+3
Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Thu Dec 9 04:32:18 CET 2010 on sn-devel-104
2010-12-09 | waf: don't use symbol versioning on our modules | Andrew Tridgell | 1 | -3/+6
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-12-09 | waf: use vscripts for our private libraries too | Andrew Tridgell | 2 | -15/+14
if the library has a vnum, then use it. If it doesn't have a vnum then use the application version for symbol versions
2010-12-09 | waf: make mkdir_p on an empty string not recurse forever | Andrew Tridgell | 1 | -1/+1
2010-12-09 | waf-abi: auto-generate per-symbol versions from ABI files | Andrew Tridgell | 7 | -23/+92
This changes our version-script generation to use the ABI files that are saved in git with each version number change of our public libraries. We use these ABI files to generate a linker version script that gives the exact version number that each symbol was introduced. This provides us with automatic fine grained symbol versioning. Pair-Programmed-With: Jelmer Vernooij <jelmer@samba.org> Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-12-09 | build: do not duplicate the checks for python in samba4 | Matthieu Patou | 2 | -14/+3
Autobuild-User: Matthieu Patou <mat@samba.org> Autobuild-Date: Thu Dec 9 00:47:23 CET 2010 on sn-devel-104
2010-12-08 | build: Cope with broken libiconv | Matthieu Patou | 1 | -1/+5
library iconv needs mbrtowc but some systems didn't provide it (ie. HP-UX 11.0) Autobuild-User: Matthieu Patou <mat@samba.org> Autobuild-Date: Wed Dec 8 23:19:19 CET 2010 on sn-devel-104
2010-12-08 | dcerpc.idl: fix typo 0x800000000 => 0x80000000 | Stefan Metzmacher | 1 | -1/+1
metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Wed Dec 8 20:13:03 CET 2010 on sn-devel-104