Age | Commit message (Collapse) | Author | Files | Lines |
|
for referencing an existing in-MEMORY keytab (required for the new way
we push that to GSSAPI).
Andrew Bartlett
(This used to be commit 2426581dfb9f5f0f9367f846c01dfd3c30fea954)
|
|
uint32 [num_level2][num_level1][num_level0]
fix the order they're pushed and pulled, it should be like this
for (l2=0; l2 < num_level2; l2++) {
for (l1=0; l1 < num_level1; l1++) {
for (l0=0; l0 < num_level0; l0++) {
ndr_pull_uint32(...);
}
}
}
metze
(This used to be commit c10195f31383f51911edd8a32f8b5d5857d5bf2d)
|
|
metze
(This used to be commit fee5b6f40784e75a469320a584423c5030b69400)
|
|
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
|
|
Andrew Bartlett
(This used to be commit 88a7b7805c11cb3a1be3222d3e4b0b3ad8aff2aa)
|
|
be updated.
This allows a new password to be written in, and old entries removed
(we keep kvno and kvno-1).
Clean up the code a lot, and add comments on what it is doing...
Andrew Bartlett
(This used to be commit 0a911baabad60a43741269d29a96fdd74e54331a)
|
|
standalone), and use only NTLMSSP.
(But doing so would break Samba3's client).
Andrew Bartlett
(This used to be commit e74ca624e74ed82788817e302a516208dc1421bd)
|
|
list).
Andrew Bartlett
(This used to be commit fc4202dea88a72de061cb2e1caa7847fae37018f)
|
|
Andrew Bartlett
(This used to be commit b3929230b210bd6f0b12f90f48767aa861fd08fa)
|
|
them 'later'. We will need to handle the errors when we call the
get_* methods.
Andrew Bartlett
(This used to be commit c6e572f87022b57cdfd8178eb5c23df67a92c453)
|
|
when we havn't finished popt.
Andrew Bartlett
(This used to be commit e5c5eb97a0ab841442b2c3fb5ea67f0d21b42932)
|
|
Andrew Bartlett
(This used to be commit 05334e98fb1658965a822517365a86bc3906378b)
|
|
(This used to be commit ed90975bf50644f00da681eb7cc41123abc60f81)
|
|
talloc, and ldb is now LGPL
(This used to be commit 5bdd50fa38b1be28cf7bcddc561c743437e70cae)
|
|
we get a error from epoll about disabling events for a file descriptor
that is closed
(This used to be commit f32739307464a1f0c835cff886b8c4b960778900)
|
|
request strucutre. It will take a while for this to happen everywhere.
(This used to be commit b1d38153b8c1d2d5be2d41005eadb0e0aa46bd72)
|
|
it only appeared to be like a SMBtrans request as it was being called
with function 0x11c017 which is "named pipe read write"
I wonder if this means we could do DCE/RPC over SMB using ntioctl
calls as well?
(This used to be commit f2b8857797328be64b0b85e875ae6d108e2aeaaa)
|
|
metze
(This used to be commit 271d0af16d50bc89a384b56db70d569914273f6c)
|
|
metze
(This used to be commit 247f90c28d845fd2224cb07ed30d3e8122ba5644)
|
|
metze
(This used to be commit e5fef8519b28f66ce8a401fc866c8b9bf08c584d)
|
|
metze
(This used to be commit b8c5978df18b98db89069e02597d483f893e39ae)
|
|
being freed before being given to gensec_update()
(This used to be commit cf2cb4279e2b31989eee2fec848982b10fcc2136)
|
|
messages. As discussed with Andrew, this will soon be replaced with a
system that marks the credentials to use the machine accout from the
database rather than pre-loading the machine account details here.
The reason we got the annoying messages is this was being called
before smb.conf is loaded, so the code doesn't yet know the location
of the private directory
(This used to be commit 6aeb4bf3fe224a6f81962237bdda329ba828b493)
|
|
the number of warnings generated now.
(This used to be commit d479f2d7607adc698d71c5ba26932c72a26dcaab)
|
|
(This used to be commit 9c4436a124f874ae240feaf590141d48c33a635f)
|
|
(This used to be commit e98c28941a6002042e0e429f99f14e7dd4920aa6)
|
|
(This used to be commit 0830ed0d60cdbd00e6f42dae2c7e295363bca17d)
|
|
- removed an unnecessary level of pointer in ldb_search structure
(This used to be commit b8d4afb14a18dfd8bac79882a035e74d3ed312bd)
|
|
(This used to be commit 8ca85842579a8a1d8f60259812d04eb7ee27d7aa)
|
|
(This used to be commit 4b56c129c6f1654f9dbe37bc950a836f15c48b3d)
|
|
The partitioning logic is still there, but we only have one
partition. If we need partitioning in the future it might be better to
remove this partitioning code and use a partitioning module instead
(This used to be commit f4685e7dc9bdc3b9e240c9f5891b9da9251f82e5)
|
|
module in @MODULES
(This used to be commit cfab88fcc2c740a6d3fd456a009fbb60061b3a53)
|
|
(This used to be commit 7d8b11174c97a3797673254c351c94436aa716b7)
|
|
the ldap server. The reason for the change is that ldb modules need
some way to get at the static info stored in the rootDSE (such as the
location of the schema) but they can't do that right now
(This used to be commit 7e226383f2cd2ce9bb3983ab6a3de454649f8a15)
|
|
andrew, this answers your question on irc about whether the same
session key mechanisms are used in smb2. They are - the RPC-LSA secret
tests pass fine over ncacn_np on SMB2, which means the session key
must be working
(This used to be commit 91327885a2b6432ba20a8dd1370b632240d3263d)
|
|
metze
(This used to be commit fd77cfa49016d403c3f4c60c2422d41498438c17)
|
|
Andrew Bartlett
(This used to be commit 9b3dedbc0bb12897a8f9bd4ec864de26b3835981)
|
|
Andrew Bartlett
(This used to be commit eaf8777e449f70f5694f29199c18f26b9647d558)
|
|
Allow ticket requests with only a netbios name to be considered 'null'
addresses, and therefore allowed by default.
Use the netbios address as the workstation name for the allowed
workstations check with krb5.
Andrew Bartlett
(This used to be commit 328fa186f2df5cdd42be679d92b5f07f7ed22d87)
|
|
Andrew Bartlett
(This used to be commit 41f09ef9342d0c9f09475a189d2bbdb50e611528)
|
|
Andrew Bartlett
(This used to be commit 571f9c9c51b93946d23f2b35ef76ac881994b8cc)
|
|
it becomes implicit an MHOMED record
metze
(This used to be commit a5bced92a91f462ac6c41c04012aaeb3f77455de)
|
|
e.g. to return the first address of the 0x1B address as first
address in the 0x1C reply, and handle sgroup merge overflow
of 25 addresses
metze
(This used to be commit a80280e061c03f9d07f7d6df20228de7923bb000)
|
|
test
metze
(This used to be commit d34580ec70dca145ea7911be718ad1fc13297a20)
|
|
owned_released vs. replica
winsrepl torture test
metze
(This used to be commit c8c53593fc7831968499b5028417f0de0a7f421b)
|
|
(but only without socket_wrapper, I need to look at that later
and then add the different_owner test to NBT-WINSREPLICATION-QUICK
so that it'll be runned by make test)
metze
(This used to be commit 9ef33580345f12fafbab0a09644451c8b7600f7f)
|
|
(This used to be commit 6096d23fe0e58b6c3e4174a70a0faebd88fd5f79)
|
|
(This used to be commit afe2323dc10748b97e6b30dc0c783dbe04446d8c)
|
|
brainstorming this one.
(This used to be commit a969ad592ae4cd8f7c66b1df4763fdc70328c967)
|
|
(This used to be commit e2ed615a44d825f8c46755408a1a1657222a508b)
|