Age | Commit message (Collapse) | Author | Files | Lines |
|
Volker
(This used to be commit 94860687c535ace0c962ca3fe7da59df05325c62)
|
|
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
|
|
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at
all and I really want to discourage that.
Jeremy.
(This used to be commit d7e35dfb9283d560d0ed2ab231f36ed92767dace)
|
|
(This used to be commit 3daefe9d17fb2c7b1c4d21593465e6788555b0fb)
|
|
down; bug 437
(This used to be commit 1cfbd92404270e0c67a3b295fc9cf461b29d3503)
|
|
to/from utf8 for some calls. The libads code gets this right. Wonder why
the passdb code doesn't use it ?
Jeremy.
(This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
|
|
already have ads_search_retry() for this. However, neither
domain_sid() nor sequence_nunber() used this function. So modify
them to us ads_do_search_retry() so we can specify the base search
DN and scope.
(This used to be commit 89f6adf830187d020bf4b35d1a4b2b48c7a075d0)
|
|
keytab support code, but it won't be enabled until we add that to smb.conf.
Adapted from the work of Guenther Deschner (gd@suse.com).
Please hammer on this...
(This used to be commit a26fa5bee24c73cd835f59bb18162ab07760d76a)
|
|
(This used to be commit 97e4778103744419ecaeb0058460041ef01b2e2a)
|
|
(This used to be commit ae452e51b02672a56adf18aa7a7e365eeaba9272)
|
|
- Make winbindd try to use kerberos for connections to DCs, so that it can
access RA=2 servers, particularly for netlogon.
- Make rpcclient follow the new flags for the NETLOGON pipe
- Make all the code that uses schannel use the centralised functions for doing so.
Andrew Bartlett
(This used to be commit 96b4187963cedcfe158ff02868929b8cf81c6ebf)
|
|
(This used to be commit 617feab4223f5ba3cc5e090de5e63da72fce49df)
|
|
(This used to be commit f8a092e7b42cd157cf86240984be40badd0afd87)
|
|
(This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669)
|
|
Currently I'm compiling against MIT Kerberos 1.2.8.
Anthony, you said you have a heimdal installation available. Could you
please compile this stuff with krb and check it with valgrind?
Thanks,
Volker
(This used to be commit d8ab44685994b302bb46eed9001c72c194d13dc8)
|
|
auth.realm. So directly pass that instead of setting up and tearing
down the ADS_STRUCT.
Volker
(This used to be commit ce5b8d2ec20fe1f4d3d1956020d88272fb84124a)
|
|
(This used to be commit c9b209be2b17c2e4677cc30b46b1074f48878f43)
|
|
* use DsEnumerateDomainTrusts() instead of LDAP search.
wbinfo -m now lists all trusted downlevel domains and
all domains in the forest.
Thnigs to do:
o Look at Krb5 connection trusted domains
o make sure to initial the trusted domain cache as soon
as possible
(This used to be commit 0ab00ccaedf204b39c86a9e1c2fcac5f15d0e033)
|
|
Jeremy.
(This used to be commit d57d9b99dfc2a83d91b952a11eb1ae4cf37e6467)
|
|
Jeremy
(This used to be commit 382d1732ca8e4d0909eb5a95f7327213913da37b)
|
|
is not multi-process safe.
Jeremy.
(This used to be commit 9e0534a1b69bbd4f21b4925337cbab127d060fc6)
|
|
KRB5_BAD_ENCTYPE.
Heimdal has the latter, not the former.
Jeremy.
(This used to be commit e8425df77c2e917c819592d93833a164ee3b5338)
|
|
it's a different rc than KRB5_BAD_ENCTYPE (which exists on both MIT and
Heimdal). This will just make the debug show up at level 3 always.
Jeremy, you may want to revisit this, but it's probably not worth the hassle.
(This used to be commit 4ff322ccf9c8485bcfe67e658d48f190f03547b0)
|
|
Jeremy.
(This used to be commit 29dd71ddea480f6163ebbc9d8860a7930ae84066)
|
|
Server code *should* also work (I'll check shortly). May be the odd memory
leak. Problem was we (a) weren't setting signing on in the client krb5 sessionsetup
code (b) we need to ask for a subkey... (c). The client and server need to
ask for local and remote subkeys respectively.
Thanks to Paul Nelson @ Thursby for some sage advice on this :-).
Jeremy.
(This used to be commit 3f9e3b60709df5ab755045a093e642510d4cde00)
|
|
(This used to be commit 6edc7e0a744a5d8c6332758b800a2646ef16dd77)
|
|
(This used to be commit 83376671c511be4bb10d3fca8e49e5f6ef792b9c)
|
|
the incoming addresses....
Jeremy.
(This used to be commit 4e9359a1f67a44b2981579383327ba774e1c31f9)
|
|
(This used to be commit 8d8d85ecd62dba075d90e54ec75da9b1328784fb)
|
|
treating the returned message id as an error code.
(This used to be commit 42fdcef324d7a04e69c0078482e1a6b8a67ade94)
|
|
strupper_m/strlower_m.
I really want people to think about when they're using multibyte strings.
Jeremy.
(This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
|
|
published printers.
At the moment we don't search using any parameters but this can be
fixed by changing the LDAP search string. Also we should contact
the global catalog at SRV _gc._tcp instead of the ldap server we
get back from ads_startup().
(This used to be commit 814519c5de7f962623163b732c8589abd355d845)
|
|
(This used to be commit ae6c05ea726da13fc1a18398d1ffe56f34e1edb9)
|
|
(This used to be commit 5ffb8e0920be2da19ac3f442b9bf56c159011822)
|
|
* check negative connection cache before ads_try_connect()
in ads_find_dc()
(This used to be commit 2a76101a3a31f5fca2f444b25e3f0486f7ef406f)
|
|
*) consolidates the dc location routines again (dns
and netbios) get_dc_list() or get_sorted_dc_list()
is the authoritative means of locating DC's again.
(also inludes a flag to get_dc_list() to define
if this should be a DNS only lookup or not)
(however, if you set "name resolve order = hosts wins"
you could still get DNS queries for domain name IFF
ldap_domain2hostlist() fails. The answer? Fix your DNS
setup)
*) enabled DOMAIN<0x1c> lookups to be funneled through
resolve_hosts resulting in a call to ldap_domain2hostlist()
if lp_security() == SEC_ADS
*) enables name cache for winbind ADS backend
*) enable the negative connection cache for winbind
ADS backend
*) removes some old dead code
*) consolidates some duplicate code
*) moves the internal_name_resolve() to use an IP/port pair
to deal with SRV RR dns replies. The namecache code
also supports the IP:port syntax now as well.
*) removes 'ads server' and moves the functionality back
into 'password server' (which can support "hostname:port"
syntax now but works fine with defaults depending on
the value of lp_security())
(This used to be commit d7f7fcda425bef380441509734eca33da943c091)
|
|
* move back to qsort() for sorting IP address in get_dc_list()
* remove dc_name_cache in cm_get_dc_name() since it slowed
things down more than it helped. I've made a note of where
to add in the negative connection cache in the ads code.
Will come back to that.
* fix rpcclient to use PRINTER_ALL_ACCESS for set printer (instead
of MAX_ALLOWED)
* only enumerate domain local groups in our domain
* simplify ldap search for seqnum in winbindd's rpc backend
(This used to be commit f8cab8635b02b205b4031279cedd804c1fb22c5b)
|
|
otherwise we can segv or return garbage
(This used to be commit d1316656b03e2bc85263b65d24977923ee6f39b7)
|
|
versions. Fixes bug #154.
(This used to be commit 986eae40f7669d15dc75aed340e628aa7efafddc)
|
|
(This used to be commit c22a4074bd2b998339826ba629fe48153639ec18)
|
|
to NTLMSSP for SASL if krb5 fails. This is important as otherwise the
admin may think that a join has succeeeded when kerberos is actually
broken.
(This used to be commit 23a6ea385c4aea208adf36f039244bee14f56a33)
|
|
Hide it behind a level 10, with #ifdef DEBUG_PASSWORD instead.
Andrew Bartlett
(This used to be commit 9d4e327850fb00083241f3e68f866590c44e1823)
|
|
(This used to be commit 10f1da3f4a9680a039a2aa26301b97e31c06c38d)
|
|
(This used to be commit 4169de6d8fb1b13de3892ec787886cc1543736a1)
|
|
we wouldn't build.
(This used to be commit 0e9836c4e9e71494b10d71a5f3d5f7da2888c5ef)
|
|
Jeremy.
(This used to be commit d7a23afe14b0d3ad8ecb7d994768705a32055d9a)
|
|
user@realm, where realm might not be the realm we are joining.
Andrew Bartlett
(This used to be commit 00e08efb5cd21bf42be9125d3188efbf9d13b8b7)
|
|
Andrew Bartlett
(This used to be commit 317158972ec944742ba47b213999def9abbf7452)
|
|
our SASL code - help in printing a useful error message.
Andrew Bartlett
(This used to be commit 984321bfab79a1ff20b504e115e94bd6270f0196)
|
|
This allows us to join as a BDC, without appearing on the network as one
until we have the database replicated, and the admin changes the configuration.
This also change the SID retreval order from secrets.tdb, so we no longer
require a 'net rpc getsid' - the sid fetch during the domain join is sufficient.
Also minor fixes to 'net'.
Andrew Bartlett
(This used to be commit 876e00fd112e4aaf7519eec27f382eb99ec7562a)
|