| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
|
|
This was just TALLOC_ZERO_P
|
|
|
|
Remove "mem_ctx" from "struct auth_context"
|
|
|
|
|
|
metze
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
metze
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Inspired by the NTLMSSP merge work by Andrew Bartlett.
metze
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Inspired by the NTLMSSP merge work by Andrew Bartlett.
metze
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
is a data blob with a data pointer pointing to an allocation of length zero.
Jeremy.
|
|
|
|
|
|
By an oversight, the patchset for #4347 made the unlocking of a locked
account after the lockout duration ineffective.
Thanks to Björn for finding this!
Michael
|
|
Adding this comment makes me think, I could also
have changed make_server_info_sam() talloc_move
instead of talloc_steal, but that would have
changed the signature... Well the comment is a
first step. :-)
Michael
|
|
|
|
|
|
|
|
This conforms to the behaviour of Windows 2003:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
This is supposed to fixes Bug #4347 .
Michael
|
|
incrementation
This is a preparatory patch for the last part in fixing bug #4347 .
Michael
|
|
pdb_update_sam_account
Log what went wrongl, and also call pdb_update_sam_account inside
become_root/unbecome_root: do the logging outside.
Michael
|
|
Michael
|
|
for use after sam_password_ok() has been called.
Michael
|
|
So that a later talloc_free would not harm. I could have used
talloc_move instead of talloc steal in make_server_info_sam(),
but this would have required a change of the signature.
Michael
|
|
This is in preparation to extending check_sam_security to also check
against the password history before updating the bad password count.
This way, sam_password_ok can more easily be reused for that purpose.
Michael
|
|
This way it is more explicit that there is no allocated data here
that may leak.
Michael
|
|
data_blob(mem_ctx, 16) does not use mem_ctx as a talloc ctx but
copies 16 bytes from mem_ctx into the newly allocated data blob.
This can not have been intentional. A blank uint8_t array of
length 16 is allocated by passing NULL instead of mem_ctx.
And using data_blob_talloc(mem_ctx, NULL, 16) adds the allocated
blank 16 byte array to mem_ctx - so this is what must have been
intended.
Michael
|
|
and removing bool variables and several checks.
Michael
|
|
Michael
|
|
metze
|
|
Andrew Bartlett
|
|
Karolin
|
|
Michael
|
|
A domain can't have a trust with itself.
This saves some roundtrips to the ldap server for ldapsam.
Michael
|
|
This saves some roundtrips to LDAP in an ldapsm setup.
Michael
|
|
This fixes a unused variable 'addr' warning on some platforms
|
|
initialize return variables.
Jeremy.
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Jeremy.
|
|
of getpwuid(0) if DEVELOPER is defined. I'm hoping the
build farm defines DEVELOPER...
Jeremy.
|
|
Authentication of domain users on the member server fails when winbindd
is not running. This is because the is_trusted_domain() check behaves
differently when winbindd is running and when it isn't:
Since wb_is_trusted_domain() calls wbcDomainInfo(), and this will also
give a result for our own domain, this succeeds for the member
server's own domain when winbindd is running. When winbindd is not
running, is_trusted_domain() checks (and possibly updates) the trustdom
cache, and this does the lsa_EnumTrustDom() rpc call to the DC which
does not return its own domain.
In case of winbindd not running, before 3.4, the domain part was _silently_
mapped to the workgroup in auth_util.c:make_user_info_map(),
which effectively did nothing in the member case.
But then the parameter "map untrusted to domain" was introduced
and the mapping was made to the workstation name instead of
the workgroup name by default unless "map untrusted to domain = yes".
(Commits
d8c54fddda2dba3cbc5fc13e93431b152813892e,
5cd4b7b7c03df6e896186d985b6858a06aa40b3f, and
fbca26923915a70031f561b198cfe2cc0d9c3aa6)
This was ok as long as winbindd was running, but with winbindd not running,
these changes actually uncovered the above logic bug in the check.
So the correct check is to treat the workgroup as trusted / or known
in the member case. This is most easily achieved by not comparing the
domain name against get_global_sam_name() which is the host name unless
for a DC but against my_sam_name() which is the workgroup for a DC and for
a member, too. (These names are not very intuitive...)
I admit that this is a very long commit message for a one-liner, but this has
needed some tracking down, and I think the change deserves some justification.
Michael
|
|
Not all systems may have a "root" user, but all must have a passwd
entry for a uid of zero.
Jeremy.
|
|
W2K3 DC's can have IPv6 addresses but won't serve
krb5/ldap or cldap on those addresses. Make sure when
we're asking for DC's we prefer IPv4.
If you have an IPv6-only network this prioritizing code
will be a no-op. And if you have a mixed network then you
need to prioritize IPv4 due to W2K3 DC's.
Jeremy.
|
|
Jeremy.
|
