Age | Commit message (Collapse) | Author | Files | Lines |
|
We now put the PAC in the AS-REP, so that the client has it in the
TGT. We then validate it (and re-sign it) on a TGS-REQ, ie when the
client wants a ticket.
This should also allow us to interop with windows KDCs.
If we get an invalid PAC at the TGS stage, we just drop it.
I'm slowly trying to move the application logic out of hdb-ldb.c, and
back in with the rest of Samba's auth system, for consistancy. This
continues that trend.
Andrew Bartlett
(This used to be commit 36973b1eef7db5983cce76ba241e54d5f925c69c)
|
|
allowedWorkstations on Krb5.
Andrew Bartlett
(This used to be commit dbf73a82fc7d1f82e2ad45e545cefdd9a5b24215)
|
|
Andrew Bartlett
(This used to be commit 6bb1b244284a209ebcb50c17ad59d4528658da0b)
|
|
Andrew Bartlett
(This used to be commit 6d439cae989efff7530d75e5dd21faa8e5230059)
|
|
UUID strings as GUID_from_string seems to have trouble with
uppercased ones.
(This used to be commit 16ea96c81ed88f197007335f442c9e62b4ccd6de)
|
|
Andrew Bartlett
(This used to be commit 890ad0412b9ee285fa25e8bab785a960a201057e)
|
|
KDC).
Andrew Bartlett
(This used to be commit 1643ad169cff56f20ba03644dec12124139ac44a)
|
|
the code in auth/auth_sam.c for consistancy. This will also allow us
to have one place for a backend directory hook.
I will use a very similar hook to add the PAC.
Andrew Bartlett
(This used to be commit 4315836cd8c94eb8340c4050804face4d0066810)
|
|
(This used to be commit e8926a4e171a7bf74c220fa825ef5fa9e297fa47)
|
|
(This used to be commit f9bbc83f5316773520ce06c267ac9c0f1eb189e6)
|
|
(This used to be commit f341c8b4c8e8b8096c604b5842b9b7f7c4c9653c)
|
|
(This used to be commit f0e4075db5e913d2262058bb7234c446160823d9)
|
|
wanted. There is nothing that suggests that the host we forward
credentials to will not have other interfaces, unassoicated with their
service name. Likewise, the name may be a netbios, not DNS name.
This should avoid some nasty DNS lookups.
Andrew Bartlett
(This used to be commit da0ff19856a8f41eb64787990d47d2961824711d)
|
|
possibly
support cldap and other stuff in the future.
This temporarily disables wbinfo -t, but that will come back soon.
Try an ldap bind using gss-spnego. This got me krb5 binds against "our" w2k3
and a trusted w2k, although with some memleaks from krb5 and a BAD_OPTION
tgs-rep error.
Volker
(This used to be commit d14948fdf687c8f70ef9ec35445b7eb04da84253)
|
|
(This used to be commit 419b28d02d6c5a03bd33eaeabf1b42bfab9155dd)
|
|
(This used to be commit 16467008c64d84f29bec0ea45767bb1050726b34)
|
|
kdc/hdb-ldb.c to share the routines used for auth/
This will require keeping the attribute list in sync, but I think it
is worth it for the next steps (sharing the server_info generation).
Andrew Bartlett
(This used to be commit da38bcefa752a508abd28e8ff6277b493d24c2dd)
|
|
The aim here is to restructure the queries to match the queries we do
in auth, then to share the code that does the actual query (at least
for user logins).
Then we can generate the PAC from that shared query, rather than a
seperate query.
Andrew Bartlett
(This used to be commit 4395d087e19286536dbb41fa5758491b302fa437)
|
|
credentials to be NULL, where the client is requesting a CIFS style
server-first negTokenInit.
Andrew Bartlett
(This used to be commit eba652ecc89766304fdad14463072dc311693701)
|
|
to ldb, based on the sessionInfo we now pass around.
Andrew Bartlett
(This used to be commit 84e16e4ea7240409f15efd9f64344f9e0cec8111)
|
|
determining a mechanism to use.
Currently it doesn't to fallbacks like SPNEGO does, but this could be
added (to GENSEC, not to here).
This also adds a new function to GENSEC, which returns a list of SASL
names in our preference order (currently determined by the build
system of all things...).
Also make the similar function used for OIDs in SPNEGO do the same.
This is all a very long-winded way of moving from a hard-coded NTLM to
GSS-SPNEGO in our SASL client...
Andrew Bartlett
(This used to be commit 130eb9bb9a37957614c87e0e6846a812abb51e00)
|
|
(This used to be commit ce611eb5f31bc63fc23700e7a2c47e68b8f826aa)
|
|
(This used to be commit dc0e9f8d1a2285623e99dcccf055b4860ddd1294)
|
|
(This used to be commit 4a32df49e66b49b20b78bf165869b7592bb626fd)
|
|
wb_domain_request, now that we have queued rpc requests.
Volker
(This used to be commit 848522d1b64c1c283ac1ea7ce7f1a7a1b014a2aa)
|
|
(This used to be commit 3e4ab756f421acd747e9ea4c48b0f61d48dfa8fd)
|
|
(This used to be commit 558c29971d5855308a9d8dfd21e8ac7ec24abc01)
|
|
(This used to be commit b2372cad367a29d7dca596dace703a349b381a09)
|
|
password or delegation.
Add the ability to delegate for RPC pipes on the RPC proxy backend
(the backend itself seems be having problems however).
Andrew Bartlett
(This used to be commit a7e946bc37e4acfbe2c483b4f1ead0341f9b3d19)
|
|
(This used to be commit 4143c22e3077bd5aecb3427ff0a8857dab799400)
|
|
metze
(This used to be commit e992119bf3a7004c095214b3279c78e59f2c5e2b)
|
|
this is to test if that works on irix 6.4 where we can only use 16 chars for the sun_path
of the unix sockets.
the plan is to make multiple interfaces possible with socket wrapper,
and the format will change to ("%c%02X%04X", type, iface, port),
which is also 7 char to the file name
metze
(This used to be commit e60d491864ad7ea7f981bc1918ace4ee3fb2d77a)
|
|
(This used to be commit 696fa87a212e65d6337c39a84f682b64b52593a5)
|
|
argument to split()
(This used to be commit 25131efea8c1a2b0bfa7f999766ebcbab8fa8006)
|
|
the core elements of a Samba4 domain
(This used to be commit bee45531eaa1f7b96f123c146af3bc30681ebdec)
|
|
pieces a string is split into. This allows for a fix in the variable
substitution used in provisioning
(This used to be commit be06785d4835abcbc7d75c0176c85a8ecc0cc11d)
|
|
consistancy.
Andrew Bartlett
(This used to be commit 8787eb982f899c68a490fb9c71c21ec1d9ec0308)
|
|
needed for mmc management of Samba4.
(This used to be commit cbbce4fe403efc0b9e63052c2aa1fbb5972f2abe)
|
|
metze
(This used to be commit fc53eab2f1bdae471ee68c4b67f57b1eb0821f61)
|
|
metze
(This used to be commit 1b62959a3dd11fface6642e5843224752e188b4a)
|
|
this only happens with socket_wrapper as socket_connect() returns NT_STATUS_OK
instead of NT_STATUS_MORE_PROCESSING_REQUIRED, and we missed to replace the
fde event handler...
metze
(This used to be commit f04001f28007ad6bbecdcdf0d1d5887e378d2467)
|
|
the handler calls talloc_free(wrepl_socket)
metze
(This used to be commit bf0b96f057c7f4ac39409c8710ec0cfb55d9fb04)
|
|
metze
(This used to be commit 630f571934c1119dc3156a1e4b909fc6d5ae95fc)
|
|
(This used to be commit 2b3ad67b5d53e8c63d81e9fe4ef237c5c927d595)
|
|
not the addresses that are returned in it
metze
(This used to be commit 82e19d68086e795d68cd11eda21448f695aac0a3)
|
|
metze
(This used to be commit 5f45d070208eedaef59bff5f7e05f37719285d84)
|
|
metze
(This used to be commit 0231926e0a017bb65a900867a6dee7ca52d7ffe9)
|
|
change this checksum, as it is inside the encrypted packets.
Where the client (such as Samba3) fakes up GSSAPI, allow it to
continue. We can't rid the world of all Samba3 and similar clients...
Andrew Bartlett
(This used to be commit e60cdb63fb37e44252f83a56a6302f0bd22dec4d)
|
|
cropping up occasionally for ages. The problem was the generic reg
code setting up a backend_data value, which it has no business doing
(backend_data is for backends ...)
(This used to be commit 9d6d03fd1d360e15883bb1b8917ccedcc0d97a5d)
|
|
(This used to be commit daa9dcd8f4b1dde801091ec64faa8158481d171c)
|