Guenther
(This used to be commit 7c93190843e77764be4d0f6d4f0b93061c192c98)
|
|
Win2008 domain (merged from v3-0-test).
commit 8dc4e979776aae0ecaa74b51dc1eac78a7631405
Author: Steven Danneman <sdanneman@isilon.com>
Date: Wed May 7 13:34:26 2008 -0700

spnego SPN fix when contacting trusted domains

cli_session_setup_spnego() was not taking into consideration the situation
where we're connecting to a trusted domain, specifically one (like W2K8)
which doesn't return a SPN in the NegTokenInit.

This caused two problems:

1) When guessing the SPN using kerberos_get_default_realm_from_ccache() we
were always using our default realm, not the realm of the domain we're
connecting to.

2) When falling back on NTLMSSP for authentication we were passing the name
of the domain we're connecting to for use in our credentials when we should be
passing our own workgroup name.

The fix for both was to split the single "domain" parameter into
"user_domain" and "dest_realm" parameters. We use the "user_domain"
parameter to pass into the NTLM call, and we use "dest_realm" to create an SPN
if none was returned in the NegTokenInit2 packet. If no "dest_realm" is
provided we assume we're connecting to our own domain and use the credentials
cache to build the SPN.

Since we have a reasonable guess at the SPN, I removed the check that defaults
us directly to NTLM when negHint is empty.
(This used to be commit b78b14c88e8354aadf9ba7644bdb1c29245fe419)
|
|
Slim the interface...
Michael
(This used to be commit 9971118c23900d81e885a013e738a67df790c90c)
|
|
Michael
(This used to be commit f7db445c828c0eef2c08b538bd07d485dc248689)
|
|
(This used to be commit fe8f9e427af3eb42d63fde96c4fe20a255facb95)
|
|
(This used to be commit 24ac40518f79fd480baaedc1d42f3b6fe8ea1c94)
|
|
(This used to be commit be5d54a363a57113e494202a2d22dd9bbcf13b41)
|
|
(This used to be commit 2ff908a902ec857856518eaddb5246dd5067063d)
|
|
This patch is the second iteration of an inside-out conversion to clean up
functions in charcnv.c returning size_t == -1 to indicate failure.
(This used to be commit 6b189dabc562d86dcaa685419d0cb6ea276f100d)
|
|
the msdfs.c code.
Jeremy
(This used to be commit 54556df561d03d30b2fc21b9eaabe56b8c758301)
|
|
Michael
(This used to be commit ff7f0cad2eb108daa61a910cd9171ab0811a5f60)
|
|
(This used to be commit 93111ea0a1191e8547ad6cf112e2699d3bb3799b)
|
|
(This used to be commit 368454a27cb53a408ec416cbf37235b304592fb5)
|
|
(This used to be commit 35438a940734340d5d6389ae0551fe3c25902f93)
|
|
(This used to be commit 2834dacc8d49f77fe55fb5d7e3eb2dda431d1d3d)
|
|
(This used to be commit a3738aef59e97d4533010b048534d937d36c0950)
|
|
Jeremy, please check!
(This used to be commit a34f73521712e3820d417f0d9ed811723b7681d6)
|
|
This will replace all the user identity stuff in connection_struct, for now it
is just a source where the other fields in connection_struct are filled from.
(This used to be commit 0f53f9e7db9f99f239c4d0950452d0e2cde2ae8b)
|
|
(This used to be commit 03944f8d8934cff74e19fc036f7611c1491e0d57)
|
|
(This used to be commit 1e9319cf88b65a2a8d4f5099a1fe5297e405ed2e)
|
|
this can only be done via fset_nt_acl() using an open
file/directory handle. I'd like to do the same with
get_nt_acl() but am concerned about efficiency
problems with "hide unreadable/hide unwritable" when
doing a directory listing (this would mean opening
every file in the dir on list).
Moving closer to rationalizing the ACL model and
maybe moving the POSIX calls into a posix_acl VFS
module rather than having them as first class citizens
of the VFS.
Jeremy.
(This used to be commit f487f742cb903a06fbf2be006ddc9ce9063339ed)
|
|
"nss_token" from my point of view much better reflects what this flag actually
represents
(This used to be commit b121a5acb2ef0bb3067d953b028696175432f10d)
|
|
v3-3-test
(This used to be commit bb8f098cdfd902bbb36426df2c4f8532881b3fcd)
|
|
Should map the created sd to printer jobs, not printer.
Jerry please test and I'll add to 3.2 if it passes. Thanks,
Jeremy.
(This used to be commit 0a1fe8d6013d925ab6695f6b7f189b731ec42ccc)
|
|
(This used to be commit 425ca59cce886daed0d6c63fe4382aee140c9518)
|
|
(This used to be commit 420de035237bb08bc470c9eb820f3da2edaa6805)
|
|
This one took a bit -- I hope I covered all data paths
(This used to be commit 74c88a44422f88d6e2f2cdbfdfa0bafe0dbe06c4)
|
|
(This used to be commit 570a6b80feb5b0dc23213ba936c721e766cd4818)
|
|
(This used to be commit aa2299d42adf4d27e707ac755e07be70d0af1bb4)
|
|
(This used to be commit 51d5d512f28eadc74eced43e5e7f4e5bdff3ff69)
|
|
(This used to be commit b36fd84186a656f86e4cfb9166fc0ecbffb422cb)
|
|
This makes pdb_get_unix_homedir unused. I wonder if that was ever really used...
(This used to be commit 36bfd32f1ff878e827db91e9bf233719ecca5b01)
|
|
(This used to be commit 41f9afd62d8cc6067582d452f3d53a5c67253b69)
|
|
(This used to be commit 32cd4bf34b614f7bb0b05a7ae5d7eb51d208a7c7)
|
|
Guenther
(This used to be commit d077ef64cd1d9bbaeb936566c2c70da508de829f)
|
|
(This used to be commit 559180f7d30606d1999399d954ceedc798c669a4)
|
|
being (correctly) used in the can_read/can_write checks for hide unreadable/unwritable
and this is more properly done using the functions in smbd/file_access.c.
Preparing to do NT access checks on all file access.
Jeremy.
(This used to be commit 6bfb06ad95963ae2acb67c4694a98282d3b29faa)
|
|
Guenther
(This used to be commit 2c41d69bcf6f0897ef9d444a8f167aff1772d562)
|
|
Guenther
(This used to be commit b9ac03bdfa5763c713674acd966ab5d4371992a5)
|
|
of entries
The ads_do_search_all_args() function attempts to string together several
LDAPMessage structures, returned across several paged ldap requests, into a
single LDAPMessage structure. It does this by pulling entries off the second
LDAPMessage structure and appending them to the first via the OpenLDAP-specific
ldap_add_result_entry() call.

The problem with this approach is it skips non-entry messages such as the
result and controls. These messages are leaked.

The short term solution as suggested by Volker is to replace the ads_*_entry()
calls with ads_*_message() calls so we don't leak any messages.

This fixes the leak but doesn't remove the dependence on the OpenLDAP-specific
implementation of ldap_add_result_entry().
(This used to be commit f1a5405409c396df394611e2a234522572d2860a)
|
|
Guenther
(This used to be commit b11a5e70d38239fb50ba4606656e2168cc398a12)
|
|
Should be no functional change, just a change in the data structure
(This used to be commit 3433f430b0c1f7d350a40eac783385a2d30d905c)
|
|
(This used to be commit f9bc336affd2ce21a3c62880ecea2622f35653d1)
|
|
(This used to be commit 42de50d2cd43e760d776694f7b5f003ba51d7f84)
|
|
(This used to be commit f665afaaa3eff9ef54112e08ed034a6e1bb30edc)
|
|
The only user of this was decrypt_trustdom_secret, and this only needs the NT
hash anyway.
(This used to be commit 3d8c2a47e677a4c4aacf4abf148b1bd8163c3351)
|
|
Guenther
(This used to be commit 538eefe22ad69540b9f73ffaa613d6be045de199)
|
|
Now all those redundant fd's have vanished from the VFS API.
Michael
(This used to be commit 14294535512a7f191c5008e622b6708e417854ae)
|
|
(This used to be commit 45be749ed69f8c1ad3ebe8ea1f35c806db2ed5d0)
|
|
(This used to be commit 4840febcd481563c3d9b2fabc1fe1b2ae5a76cf6)
|