Age | Commit message (Collapse) | Author | Files | Lines |
|
Inspired by the NTLMSSP merge work by Andrew Bartlett.
metze
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Andrew Bartlett
|
|
Guenther
|
|
Guenther
|
|
"status" was used uninitialized on success -- metze, please check
(This used to be commit a0859529c853ffb756b1deee946923b6fff6136e)
|
|
metze
(This used to be commit b55b19190d9c1199be13727a75a5936d6f5f15a8)
|
|
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
(This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
|
|
(This used to be commit 3e155b249e03cc9f7bd0cbf3a3ab8a57536bf0ce)
|
|
The translate_name() used by cli_session_setup_spnego() cann rely
Winbindd since it is needed by the join process (and hence before
Winbind can be run).
(This used to be commit 00a93ed336c5f36643e6e33bd277608eaf05677c)
|
|
and client fixes. Patch from Todd Stetcher <todd.stetcher@isilon.com>.
(This used to be commit 8304ccba7346597425307e260e88647e49081f68)
|
|
warnings
for clock-skew errors.
Guenther
(This used to be commit 53c99d415d605ab03e3646f6096aff794457dd33)
|
|
The gss_import_name() broke as we switched from the internal MIT OID
"gss_nt_krb5_principal" to "GSS_KRB5_NT_PRINCIPAL_NAME" and didn't switch from
passing the krb5_principal (or better: a pointer to that, see MIT's "*HORRIBLE*
bug") to pass the string principal directly.
Jerry, Jeremy, neither I could figure out the need of passing in a
krb5_principal at all nor could I reproduce the crash you were seeing.
I sucessfully tested the code (now importing a string) with MIT 1.2.7, 1.3.6,
1.4.3, 1.5.1, 1.6.1 and Heimdal 0.7.2, 1.0, 1.0.1.
Guenther
(This used to be commit cb2dc715e33467c8b588161e816e72a948f6860c)
|
|
Guenther
(This used to be commit 2dea9464bba76af4315a8207ccd3e564ec19d146)
|
|
Guenther
(This used to be commit f31949ec3456134de474a0219a8cd5dcd15adea6)
|
|
in the
"not_defined_in_RFC4178@please_ignore" case to make at least LDAP SASL binds
succeed with windows server 2008.
Guenther
(This used to be commit f5b3de4d3069eaa750240e3422bac5cb169b6c0a)
|
|
Heimdal doesn't accept all OIDs and gss_import_name() fails with
GSS_S_BAD_NAMETYPE using this one. Use the GSS_KRB5_NT_PRINCIPAL_NAME OID
instead (which works with at least MIT 1.6.1 and Heimdal 1.0.1).
Guenther
(This used to be commit f783b32b65ee50e3730ae2d039ca04c9fc5a201a)
|
|
- with the "GSSAPI" sasl mech the plain, sign or seal negotiation
is independed from the req_flags and ret_flags
- verify the server supports the wrapping type we want
- better handling on negotiated buffer sizes
metze
(This used to be commit d0ec7323870ca16b28d458ff5f7dacce278b7d54)
|
|
metze
(This used to be commit 29e2d8e044c9213643a2f5f29891ce853a839347)
|
|
metze
(This used to be commit a5e1f9fd293fab26d664a72ee652eb8ca72128b7)
|
|
libraries support wrapping hooks...
metze
(This used to be commit 581a1d3a20ffed42ccc7f35f163fd343ed12ccd3)
|
|
also for the "GSSAPI" sasl mech.
- also use the ads_kinit_password() fallback logic
from the "GSS-SPNEGO" sasl mech.
metze
(This used to be commit cbaf44de1e1f8007dc4ca249791ea30d2902c7c4)
|
|
construct the principal
metze
(This used to be commit b545667d2a45a79bba05c9fe9e93a19951d60af7)
|
|
metze
(This used to be commit 83de27968d434d67d23851b0c285221c870ff75e)
|
|
sign and seal...
metze
(This used to be commit 4a4fc8cccbcbe17eebcefcd0107f7de60d751f5c)
|
|
metze
(This used to be commit 34ab84aceb86195743abd26c46a631640409725e)
|
|
metze
(This used to be commit 85d6cd3dfb5cbd9e899957265e352583ff608ed4)
|
|
(This used to be commit 8716edf157bf8866328f82eb6cf25e71af7fea15)
|
|
NOTE: only for the "GSSAPI" SASL mech yet
metze
(This used to be commit a079b66384b15e9d569dded0d9d6bd830e1a6dfa)
|
|
NOTE: windows servers are broken with sign only...
metze
(This used to be commit 408bb2e6e2171196a2bd314db181d9b124e931a1)
|
|
metze
(This used to be commit 2075c05b3d8baa7d6d8510cd962471a5781740a6)
|
|
substructure.
metze
(This used to be commit 00909194a6c1ed193dfdb296f50f58a53450583c)
|
|
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
|
|
Jeremy.
(This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
|
|
replace all data_blob(NULL, 0) calls.
(This used to be commit 3d3d61687ef00181f4f04e001d42181d93ac931e)
|
|
because we try "GSS-SPNEGO" first and all windows version support
that.
metze
(This used to be commit 34a5badbded0b2537ee854287931e2a7dc3aeb37)
|
|
not specific for NTLMSSP
- it's possible that the server sends a mechOID and authdata
if negResult != SPNEGO_NEG_RESULT_INCOMPLETE, but we still
force the mechOID to be present if negResult == SPNEGO_NEG_RESULT_INCOMPLETE
metze
(This used to be commit e9f2aa22f90208a5e530ef3b68664151960a0a22)
|
|
Merge the memory leak fix (with fix :-) to 3.0.25.
Jeremy.
(This used to be commit ab3150fe4ed2a629eb371db5f43ae09b9c583a64)
|
|
doesn't support GSS-SPNEGO in SASL
can someone please review this, maybe it's also for 3.0.25
metze
(This used to be commit 8c6930b7013b185af0530b04a7d5a49bc2ce7831)
|
|
the MIT gss libraries *SUCK*, move the frees to the end
of the function so MIT doesn't segfault.....
Add a comment so that another engineer knows why I did
this.
Jeremy.
(This used to be commit 1a2be06d4a1131952a97f94b05ae69b1dce4c300)
|
|
in sasl bind. Wonder why coverity didn't find these ?
Jeremy.
(This used to be commit 89bdd30e4b2bb9dbc2ab57c54be8c6d01cae5a26)
|
|
in the SPNEGO negTokenInit
(This used to be commit fe70c224964bf15d626bfd4e0cc6d060e45bba87)
|
|
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".
Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).
Guenther
(This used to be commit 7e1a84b7226fb8dcd5d34c64a3478a6d886a9a91)
|
|
as this is causing the WRONG_PASSWORD error in the SetUserInfo()
call during net ads join).
We are now back to always list RC4-HMAC first if supported by
the krb5 libraries.
(This used to be commit 4fb57bce87588ac4898588ea4988eadff3a7f435)
|
|
As discussed with jerry at the CIFS conf: overriding the
administrator's wishes from the krb5.conf has only every given me
segfaults. We suggest leaving this up to the defaults from the
libraries anyway.
Andrew Bartlett
(This used to be commit 0b72c04906b1c25e80b217a8f34fd3a8e756b9ca)
|
|
inside the #ifdef HAVE_KRB5
(This used to be commit c6cdf76c5809b4a4b145acb7dd4a695aaf7fcd28)
|
|
(This used to be commit 86f4ca84f2df2aa8977eb24828e3aa840dda7201)
|
|
Compiled it on systems with and without LDAP, I hope it does not break the
build farm too badly. If it does, I'll fix it tomorrow.
Volker
(This used to be commit b2ff9680ebe0979fbeef7f2dabc2e3f27c959d11)
|
|
Jeremy.
(This used to be commit e77949175144cbe4cfa58788d13acc704eebc251)
|
|
to do the upper layer directories but this is what
everyone is waiting for....
Jeremy.
(This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
|
|
smb_krb5_parse_name_norealm_conv that pull/push from unix charset
to utf8 (which krb5 uses on the wire). This should fix issues when
the unix charset is not compatible with or set to utf8.
Jeremy.
(This used to be commit 37ab42afbc9a79cf5b04ce6a1bf4060e9c961199)
|