Age | Commit message (Collapse) | Author | Files | Lines |
|
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
|
|
files; will watch the build farm on this to make sure things don't blow up
(This used to be commit e92583cecd79adea25caedd1599ac8f36733a923)
|
|
(This used to be commit fb69597629bad305f227b5bab62e0f170d3c164c)
|
|
undefining the HAVE_MMAP symbol.
(This used to be commit c420195231457d3202157490f4bec335a788d8b4)
|
|
different (but by implicit conversion hopefully compatible... ;-)
prototype. Fix the build for that.
(This used to be commit 497b190edc42cec40fc80e9d9eb6aa4e1a466ac5)
|
|
(This used to be commit 589e94f4ffa325acfd6562a84906639e19fd5d33)
|
|
Jeremy.
(This used to be commit 455ed2d51d86f39ce0fa6e6abca31a5425d2ea17)
|
|
from Jim McDonough. It is to enable cyrus sasl to provide the
gss-spnego support. For a preliminary patch to cyrus sasl see
http://samba.sernet.de/cyrus-gss-spnego.diff
Volker
(This used to be commit 45cef8f66e46abe4a25fd2b803a7d1051c1c6602)
|
|
Server code *should* also work (I'll check shortly). May be the odd memory
leak. Problem was we (a) weren't setting signing on in the client krb5 sessionsetup
code (b) we need to ask for a subkey... (c). The client and server need to
ask for local and remote subkeys respectively.
Thanks to Paul Nelson @ Thursby for some sage advice on this :-).
Jeremy.
(This used to be commit 3f9e3b60709df5ab755045a093e642510d4cde00)
|
|
the build farm machines that I don't have direct access to (hpntc9I).
(This used to be commit b01965823341bbabb74dcbc09d379b43db2ec680)
|
|
- changed --enable-developer debug to use -gstabs as it makes the
samba binaries about 10x smaller and is still quite functional for
samba debugging
(This used to be commit 53bfcd478a193d4def8da872e92d7ed8f46aa4b9)
|
|
There are lots of things wrong with this patch, including:
1) it overrides a user chosen configuration option
2) it adds lots of complexity inside a loop when a tiny piece of code
outside the loop would do the same thing
3) it does no error checking, and is sure to crash on some systems
If you want this functionality then try something like this at the end
of charset_name():
#ifdef HAVE_NL_LANGINFO
if (strcasecmp(ret, "LOCALE") == 0) {
const char *ln = nl_langinfo(CODESET);
if (ln) {
DEBUG(5,("Substituting charset '%s' for LOCALE\n", ln));
return ln;
}
}
#endif
then users can set 'display charset = LOCALE' to get the locale based
charset. You could even make that the default for systems that have
nl_langinfo().
(This used to be commit 382b9b806b1ecd227b1ea247e3825d6848090462)
|
|
Samba should preferentially use the locale information from the native system,
and only fall back on 'display charset' if this is unavailable or unsupported.
(This used to be commit 1e445fb4220cdf4700dd9d1850a42746a1065c5a)
|
|
keep putting bzero BSD'ism's into our source code. Make this an error like
bcopy and others to prevent it in future.
Jeremy.
(This used to be commit 80d043231626192db85f08ccea062b91fcf999cc)
|
|
Jeremy.
(This used to be commit 48853140749b74053f1a7857a983397b6e9a0234)
|
|
Includes sambaUnixIdPool objectclass
Still needs cleaning up wrt to name space.
More changes to come, but at least we now have a
a working distributed winbindd solution.
(This used to be commit 824175854421f7c27d31ad673a8790dd018ae350)
|
|
(This used to be commit 10f1da3f4a9680a039a2aa26301b97e31c06c38d)
|
|
(This used to be commit 1f98ced3163e26818c12829801729bc28f858de7)
|
|
We really need idmap_ldap to have a good solution with ldapsam, porting
it from the prvious code is beeing made, the code is really simple to do
so I am confident it is not a problem to commit this code in.
Not committing it would have been worst.
I really would have been able to finish also the group code, maybe we can
put it into a followin release after 3.0.0 even if it may be an upgrade
problem.
The code has been tested and seem to work right, more testing is needed for
corner cases.
Currently winbind pdc (working only for users and not for groups) is
disabled as I was not able to make a complete group code replacement that
works somewhat in a week (I have a complete patch, but there are bugs)
Simo.
(This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
|
|
1. Finally work with cascaded modules with private data storage per module
2. Convert VFS API to macro calls to simplify cascading
3. Add quota support to VFS layer (prepare to NT quota support)
Patch by Stefan (metze) Metzemacher, with review of Jelmer and me
Tested in past few weeks. Documentation to new VFS API for third-party developers to follow
(This used to be commit 91984ef5caa2d13c5d52e1f535bd3bbbae1ec978)
|
|
(This used to be commit 3033a63cefb5f28d4460885f7f4e4ecaed95443c)
|
|
(This used to be commit f277cd54ea6be5cad6ea765d992bc4133765ef92)
|
|
(This used to be commit 5c978e39f2879d900a1bcad535b489f4cd440906)
|
|
(This used to be commit 66fcf6b4938a87e5ded7c7e5830a6a54e4439544)
|
|
(This used to be commit 2a962393017e65cb67944740e4faaad9902764e8)
|
|
(This used to be commit a4b5f2c01bae049edc4f385cb0441bbde4fb443b)
|
|
fixed getsmbpass replacement test
(This used to be commit 2aa2767ed5dc5290d6f71174bbf1be7d75a97d8b)
|
|
(This used to be commit 03a5e62300f3cfb96d14570b73a758e6fa64c449)
|
|
This patch catches up on the rest of the work - as much string checking
as is possible is done at compile time, and the rest at runtime.
Lots of code converted to pstrcpy() etc, and other code reworked to correctly
call sizeof().
Andrew Bartlett
(This used to be commit c5b604e2ee67d74241ae2fa07ae904647d35a2be)
|
|
session key and auth verifier patches.
Andrew Bartlett
(This used to be commit 3f9616a68a855acbae3f405c27ee2358fbe7ba2c)
|
|
(This used to be commit 935c66f6a02c7ba764fbcc643a91833deb588bc0)
|
|
(This used to be commit 77e1178a888f0d380a5ef94911a8f07bf04a7ba3)
|
|
- setenv() replacement
- mimir's ASN1/SPNEGO typo fixes
- (size_t)-1 fixes for push_* returns
- function argument signed/unsigned correction
- ASN1 error handling (ensure we don't use initiailsed data)
- extra net ads join error checking
- allow 'set security discriptor' to fail
- escape ldap strings in libads.
- getgrouplist() correctness fixes (include primary gid)
Andrew Bartlett
(This used to be commit e9d6e2ea9a3dc01d3849b925c50702cda6ddf225)
|
|
Jeremy.
(This used to be commit e79dc0dade1ab1c9f8b3af5c01248bda70cfd582)
|
|
the dog again.
(This used to be commit 6f89ee2c9dc7f03e3dbe7aa734bf67c6a434d135)
|
|
Jeremy.
(This used to be commit 1b71786c161cd8ec4c3c0c6b178370ed50feeef4)
|
|
Jeremy.
(This used to be commit 85dda434763bbcea260c800599e4b6b73afcf174)
|
|
kerberos_verify...
Jeremy.
(This used to be commit e8c4098da619a1429cc4c8251761333a7c0f3458)
|
|
if no kerberos selected. Noticed by Metze.
Jeremy.
(This used to be commit 0c98f779f05431ac4d298c9f021fca85d16aebae)
|
|
to add a function without an explicit #ifdef HEIMDAL which I'm trying
to avoid.
Jeremy.
(This used to be commit 92ecd0bf0fe2cc4f6c86ca48e6e458e726470a50)
|
|
Jeremy.
(This used to be commit 4333be5732de07786254382a4aa41333783d81b5)
|
|
detect for now, I still have vague hopes of hiding the differences
between MIT and Heimdal with a compatibility layer....
Jeremy.
(This used to be commit 54d83de8a23937f1d8179a7e2596df3c50785618)
|
|
*sync up configure.in
*don't build torture tools in make all
*make sure to remove torture tools as part of make clean
(This used to be commit 0fb724b3216eeeb97e61ff12755ca3a31bcad6ef)
|
|
warnings. (Adds a lot of const).
Andrew Bartlett
(This used to be commit 3a7458f9472432ef12c43008414925fd1ce8ea0c)
|
|
(This used to be commit 9e5297131cc53d7161aa74566f147b98e1c27aaa)
|
|
Check return in ldap.
Jeremy.
(This used to be commit 66eff26fc930e37035bba8672f5fd3aeae71078d)
|
|
Jeremy.
(This used to be commit ec4ed45563f9d8e25fcfd88840944a90b3139c3e)
|
|
Jeremy.
(This used to be commit 8dcbfa4e770d74d4ce6faaf1a0597d07d0a5cc81)
|
|
0x80000000 -> 0xFFFFFFFF would fail as they were being cast
from IVAL (uint32) to SMB_OFF_T (off_t or off64_t, both *signed* types).
The sign extension would cause the offset to be treated as negative.
Thanks to Herb for helping me track this one down (IRIX is good for large
file tests :-).
Jeremy.
PS. That horrid EXEXIST thing has broken configure.....
(This used to be commit 2d14c442bc601a277458b69f05a763aa2a1ab3b7)
|
|
(This used to be commit 1a25dc776ddc36de9a214e023becff1ceb10290c)
|