Age | Commit message | Author | Files | Lines
2012-01-16 | s4:dsdb/password_hash: require a "Primary:Kerberos" blob in supplementalCredentials | Stefan Metzmacher | 1 | -0/+16
If this is missing a w2k8r2 server will reboot, when someone tries to change a password. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Mon Jan 16 17:10:07 CET 2012 on sn-devel-104
2012-01-16 | s3:selftest: rpcclient doesn't support smb2 | Stefan Metzmacher | 1 | -29/+27
metze
2012-01-14 | s3: ADS support is needed for dns updates | Volker Lendecke | 1 | -1/+1
Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Sat Jan 14 15:32:15 CET 2012 on sn-devel-104
2012-01-14 | KCC importldif/exportldif and intersite topology | Dave Craft | 2 | -376/+2429
Add options for extracting an LDIF file from a database and reimporting the LDIF into a schema-less database for subsequent topology test/debug. Add intersite topology generation with computation of ISTG and bridgehead servers Signed-off-by: Andrew Tridgell <tridge@samba.org> Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Sat Jan 14 07:45:11 CET 2012 on sn-devel-104
2012-01-14 | Intersite KCC flags for python | Dave Craft | 1 | -0/+5
Add NTDSSITELINK options to dsdb class for use in python samba_kcc Signed-off-by: Andrew Tridgell <tridge@samba.org>
2012-01-14 | Intersite KCC flags | Dave Craft | 1 | -0/+5
NTDSSITELINK option flags added Signed-off-by: Andrew Tridgell <tridge@samba.org>
2012-01-14 | idl: add to_null property | David Disseldorp | 1 | -1/+8
to_null specifies that character conversion should only occur until the null pointer in an array based string. Signed-off-by: Jeremy Allison <jra@samba.org> Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Sat Jan 14 00:51:54 CET 2012 on sn-devel-104
2012-01-13 | idl: add to_null attribute to the spoolss devicename array | David Disseldorp | 1 | -1/+1
OpenPrinterEx requests have also been observed in the wild carrying non-utf16 garbage after the device mode devicename field null terminator. Signed-off-by: Jeremy Allison <jra@samba.org>
2012-01-13 | idl: add to_null attribute to the spoolss formname array | David Disseldorp | 1 | -1/+1
OpenPrinterEx requests have been observed in the wild carrying a device mode formname "A4" followed by non-utf16 garbage after the null terminator. Such requests currently fail during unmarshalling in the ndr_pull_charset() codepath, causing intermittent print job failures. This change ensures that garbage after the device mode formname null terminator is not processed in unmarshalling. https://bugzilla.samba.org/show_bug.cgi?id=8606 Signed-off-by: Jeremy Allison <jra@samba.org>
2012-01-13 | ndr: add ndr_pull_charset_to_null() | David Disseldorp | 2 | -0/+32
The same as ndr_pull_charset(), however only perform character conversion on bytes prior to and including the null terminator. Signed-off-by: Jeremy Allison <jra@samba.org>
2012-01-13 | idl: add parser for the to_null property | David Disseldorp | 1 | -1/+5
Compile into a ndr_pull_charset_to_null call. Signed-off-by: Jeremy Allison <jra@samba.org>
2012-01-13 | s4-smbtorture: tweak spoolss_OpenPrinterEx devmode | David Disseldorp | 1 | -2/+2
Flip some bits after the null terminator in the spoolss device mode character arrays to trigger bug 8606. Signed-off-by: Jeremy Allison <jra@samba.org>
2012-01-13 | s3: Fix the talloc hierarchy in fetch_share_mode_unlocked | Volker Lendecke | 1 | -1/+1
Thanks, metze for noticing! Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Fri Jan 13 13:16:44 CET 2012 on sn-devel-104
2012-01-13 | s3-waf: check for KRB5_PDU_NONE as in the autoconf build. | Günther Deschner | 1 | -0/+1
Guenther Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Fri Jan 13 11:15:35 CET 2012 on sn-devel-104
2012-01-13 | s3-autoconf: fix the build of the pdb_ldap shared module in autoconf build as well. | Günther Deschner | 2 | -5/+4
Guenther
2012-01-13 | s3-waf: fix compile of pdb_ldap as shared module by moving ldap schema helpers to libpdb.so | Günther Deschner | 2 | -2/+3
These helpers are used in other parts of Samba as well (like in idmap and in the net provision code). Guenther
2012-01-13 | s3-waf: also check for gsskrb5_extract_authz_data_from_sec_context() during | Günther Deschner | 1 | -1/+2
configure. Guenther
2012-01-13 | s3:build: add auth/gensec/spnego.o | Stefan Metzmacher | 3 | -5/+11
metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Fri Jan 13 06:32:30 CET 2012 on sn-devel-104
2012-01-13 | auth/gensec: move spnego.c to the toplevel | Stefan Metzmacher | 3 | -11/+7
metze
2012-01-13 | auth/gensec: common helper functions should be in gensec_util.c | Stefan Metzmacher | 2 | -107/+116
This makes the dependencies easier to handle. metze
2012-01-13 | s4:auth/gensec: inline packet_full_request_u32() | Stefan Metzmacher | 1 | -1/+9
This removes the dependency to s4 specific code. metze
2012-01-13 | auth/gensec: add some more functions from gensec_start.c to gensec.h | Stefan Metzmacher | 2 | -16/+37
metze
2012-01-13 | auth/gensec: make sure functions from gensec.c are in gensec.h | Stefan Metzmacher | 2 | -5/+7
metze
2012-01-13 | s4:auth/gensec: fix compiler warnings in spnego.c | Stefan Metzmacher | 1 | -3/+0
metze
2012-01-13 | s3-selftest The krb5 encrypted CIFS test was wrong | Andrew Bartlett | 2 | -1/+4
Sadly this fails in the test environment for now. It needs a /etc/krb5.keytab which we do not provide. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Fri Jan 13 04:57:22 CET 2012 on sn-devel-104
2012-01-13 | selftest: Do not run symbol check if setting up testenv | Amitay Isaacs | 1 | -1/+1
Autobuild-User: Amitay Isaacs <amitay@samba.org> Autobuild-Date: Fri Jan 13 03:11:20 CET 2012 on sn-devel-104
2012-01-13 | Add comments to all functions (to help me understand it better). | Jeremy Allison | 2 | -0/+32
Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Fri Jan 13 01:35:03 CET 2012 on sn-devel-104
2012-01-12 | s3: Fix nested get_share_mode_lock calls | Volker Lendecke | 1 | -5/+57
This forces us to only do one real get_share_mode_lock call and share the data between the nested get_share_mode_lock calls. Signed-off-by: Jeremy Allison <jra@samba.org>
2012-01-12 | s3: Move the share_mode_lock handling to its own file | Volker Lendecke | 4 | -417/+465
Signed-off-by: Jeremy Allison <jra@samba.org>
2012-01-12 | s3: Put an indirection layer into share_mode_lock | Volker Lendecke | 9 | -173/+193
Signed-off-by: Jeremy Allison <jra@samba.org>
2012-01-12 | s3: Introduce get_share_mode_lock_fresh() | Volker Lendecke | 7 | -41/+40
This slightly simplifies the code path for all callers which assume that a share mode exists already. Only the callers in open_file_ntcreate and open_directory will ever create new share modes. Signed-off-by: Jeremy Allison <jra@samba.org>
2012-01-12 | s3: Replace fill_share_mode_lock() | Volker Lendecke | 1 | -84/+67
This replaces fill_share_mode_lock() with the two routines fresh_share_mode_lock() and parse_share_modes(). This lifts the decision whether a share mode already existed one level up. Signed-off-by: Jeremy Allison <jra@samba.org>
2012-01-12 | s4:repl_cleartext_pwd.py: add optional 'clear_utf16_name' parameter | Stefan Metzmacher | 1 | -7/+17
Not all cleartext password (machine passwords) can be converted to utf8, let's export the raw uint16_t array. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Thu Jan 12 23:58:12 CET 2012 on sn-devel-104
2012-01-12 | s4:repl_cleartext_pwd.py: add 'attmode' parameter to convert the attname to utf8 | Stefan Metzmacher | 1 | -5/+22
metze
2012-01-12 | s4:repl_cleartext_pwd.py: correctly compare attids as uint32_t values | Stefan Metzmacher | 1 | -5/+10
metze
2012-01-12 | s3-waf: auth_netlogond depends on tldap. | Andreas Schneider | 1 | -0/+1
Autobuild-User: Andreas Schneider <asn@cryptomilk.org> Autobuild-Date: Thu Jan 12 17:33:10 CET 2012 on sn-devel-104
2012-01-12 | s3-waf: link SECRETS3 only against samba3util. | Andreas Schneider | 1 | -1/+1
2012-01-12 | s3-waf: Create a smaller samba3util subsystem. | Andreas Schneider | 1 | -7/+18
2012-01-12 | s4:pygensec/tests: add test for gensec_set_max_update_size() | Stefan Metzmacher | 1 | -0/+54
metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Thu Jan 12 14:47:05 CET 2012 on sn-devel-104
2012-01-12 | s4:auth/gensec/spnego: add support for fragmented spnego messages | Stefan Metzmacher | 2 | -4/+206
metze
2012-01-12 | s4:pygensec: add set_max_update_size() and max_update_size() functions | Stefan Metzmacher | 1 | -0/+25
metze
2012-01-12 | auth/gensec: add gensec_*max_update_size() | Stefan Metzmacher | 3 | -0/+22
This is only a hint for the backend, which may want to fragment update tokens. metze
2012-01-12 | s3: Split a line with 1 statements | Volker Lendecke | 1 | -1/+2
Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Thu Jan 12 13:10:19 CET 2012 on sn-devel-104
2012-01-12 | s3:smbd: explicitly ask for GENSEC_FEATURE_UNIX_TOKEN | Stefan Metzmacher | 2 | -0/+6
metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Thu Jan 12 11:22:53 CET 2012 on sn-devel-104
2012-01-12 | Revert "make paranoia check less paranoid" - check that key types strictly match | Andrew Bartlett | 1 | -1/+1
This reverts commit c25af51232616061bb08eea86aae595b4f029490 because otherwise we could attempt to check a CKSUMTYPE_HMAC_SHA1_96_AES_256 key with a KRB5_ENCTYPE_ARCFOUR_HMAC_MD5 key. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Jan 12 09:43:07 CET 2012 on sn-devel-104
2012-01-12 | make hmac-md5 the keyed checksum type for arcfour-hmac-md5 | Andrew Bartlett | 1 | -1/+1
2012-01-12 | use ETYPE_DES3_CBC_SHA1 for the verify step in verify_mic_des3 | Andrew Bartlett | 1 | -0/+8
This allows a strict link between checksum types and key types to be enforced. Andrew Bartlett
2012-01-12 | heimdal: remove checking of KDC PAC signature, delegate to wdc plugin | Andrew Bartlett | 1 | -12/+2
The checking of the KDC signature is more complex than it looks, it may be of a different enc type to that which the ticket is encrypted with, and may even be prefixed with the RODC number. This is better handled in the plugin which can easily look up the DB for the correct key to verify this with, and can also quickly determine if this is an interdomain trust, which we cannot verify the PAC for. Andrew Bartlett
2012-01-12 | auth/kerberos: Remove unused TALLOC_CTX argument to check_pac_checksum | Andrew Bartlett | 3 | -9/+5
2012-01-12 | s4-kdc Do the KDC PAC checksum validation in the Samba plugin | Andrew Bartlett | 6 | -44/+152
Here we can fetch the right key, and check if the PAC is likely to be signed by a key that we know. We cannot check the KDC signature on incoming trusts. Andrew Bartlett