summaryrefslogtreecommitdiff
path: root/source3/libads
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r1789: compiler warnings from SuSEGerald Carter1-0/+4
(This used to be commit 7e44193be103fad273796218c8f5e5f9a1657c3c)
2007-10-10r1381: fixing behavior found by gd@sernet.de; we must use the ↵Gerald Carter1-4/+4
userPrincipalName value (host/hostname@REALM) and not the servicePrincipalName (host/fqdn@REALM) in the SASL binds (This used to be commit 959da6e176da9f6a687265e50489b7db3d6712c0)
2007-10-10r1378: Better debugging so I don't get confused what principal we mean.Jeremy Allison1-2/+2
Jeremy. (This used to be commit de80e8b1698d34637cf9c105a8fe02f435d83b02)
2007-10-10r1373: Fix from Guenther Deschner <gd@sernet.de> to ensure last error return ↵Jeremy Allison1-1/+2
is not invalid. Jeremy. (This used to be commit 4bdf914cba2a63d186138d1341a7260ad79da1f5)
2007-10-10r1330: Fix the build for systems without ldap headersVolker Lendecke1-1/+1
(This used to be commit b7267121af45d7173c310299bb52ae031ae1d501)
2007-10-10r1317: Patch from Joe Meadows "Joe Meadows" <jameadows@webopolis.com> toJeremy Allison1-1/+30
add a timeout to the ldap open calls. New parameter, ldap timeout added. Jeremy. (This used to be commit e5b3094c4cc75eb07f667dd1aeb73921ed7366ac)
2007-10-10r1285: Put variable definitions into a block before the statements...Volker Lendecke1-1/+1
Volker (This used to be commit e8786506b86f129ba6401c09b89a26bfb335440e)
2007-10-10r1282: gcc 3.2 on SuSE 8.2 does not like #ifdefs inside a macro argument ↵Volker Lendecke1-3/+5
(DEBUG). Volker (This used to be commit b491e76625f0d20fa9db2a3dbb22adc34ca7d414)
2007-10-10r1247: Final fix to make this compile on Heimdal.Jeremy Allison1-0/+4
Jeremy. (This used to be commit b462b8fa2f264bef62ed4cd2aaacb2f21e135068)
2007-10-10r1245: I think the parameter for "password" and "data" was reversed.Jeremy Allison1-2/+2
CHECK THIS ! Jeremy. (This used to be commit d4abeefe3e307ff226fba481ca2c743cde153e4b)
2007-10-10r1244: More Heimdal compile fixes.Jeremy Allison1-3/+9
Jeremy. (This used to be commit 92a5dc1880a4fe0f3c3b56fc0958dbac77506b4f)
2007-10-10r1243: Fix so this compiles with Heimdal (in Heimdal krb5_kt_cursor is a ↵Jeremy Allison1-16/+34
struct not a pointer). Jeremy. (This used to be commit 940f893d485a01e73afe714a70d724c2d41c7ad4)
2007-10-10r1236: Heimdal fixes from Guenther Deschner <gd@sernet.de>, more to come beforeJeremy Allison2-9/+20
it compiles with Heimdal. Jeremy. (This used to be commit dd07278b892770ac51750b87a4ab902d4de3a960)
2007-10-10r1223: Fix valgrind error with realm manipulation.... Damn macros :-(.Jeremy Allison1-2/+8
Jeremy. (This used to be commit 5a1d8c3c9b8daa435f6eb5bc1652bab138e05dbf)
2007-10-10r1222: Valgrind memory leak fixes. Still tracking down a strange one...Jeremy Allison3-16/+57
Can't fix the krb5 memory leaks inside that library :-(. Jeremy. (This used to be commit ad440213aaae58fb5bff6e8a6fcf811c5ba83669)
2007-10-10r1221: Added the last of the system keytab patch from "Dan Perry" ↵Jeremy Allison1-1/+1
<dperry@pppl.gov>, fixed valgrind detected mem corruption in libads/kerberos_keytab.c. Jeremy. (This used to be commit 286f4c809cb1532b3f8ae7ddf92349c68cc8ce31)
2007-10-10r1215: Intermediate checkin of the new keytab code. I need to make sure IJeremy Allison3-182/+498
haven't broken krb5 ticket verification in the mainline code path, also need to check with valgrind. Everything now compiles (MIT, need to also check Heimdal) and the "net keytab" utility code will follow. Jeremy. (This used to be commit f0f2e28958cb9abfed216c71f291f19ea346d630)
2007-10-10r1214: Now compiles. Changed krb5_kt_free_entry to ↵Jeremy Allison1-12/+12
krb5_free_keytab_entry_contents Jeremy. (This used to be commit be8a2dc00dd876c4b596600ae72d4ac05f9ebe64)
2007-10-10r1193: Ensure we check for and use krb5_free_unparsed_name().Jeremy Allison1-3/+4
Jeremy. (This used to be commit af5a08f5ad895cb33c9134771da19ba5e709e742)
2007-10-10r1192: Fixed all memleaks/error code return path leaks I can find. Not sure ↵Jeremy Allison1-42/+94
if compiles yet, but will soon :-). Jeremy. (This used to be commit 0d982956f6ba2f284ffa4313a9e7581a79dbf397)
2007-10-10r1184: Keep latest changes... not compilable yet.Jeremy Allison1-13/+30
Jeremy. (This used to be commit 57c037c6c92d28b70e36859a639c53979126ff01)
2007-10-10r1183: Updates to the code cleanup so I don't lose my changes...Jeremy Allison1-52/+62
Jeremy. (This used to be commit 786a440c189556d5c122b2c9ddca9fdf6bd65d1d)
2007-10-10r1182: Partial re-write of keytab code to clean up, remove memory leaks etc. ↵Jeremy Allison1-47/+77
Work in progress ! It seems the krb5 interfaces are so horrible it's impossible to write good error checking code :-(. Jeremy. (This used to be commit 03f8c8bc07c9d8a378a34c271dcc088d17adb342)
2007-10-10r1180: New file - basis of new system keytab code.Jeremy Allison1-0/+434
Jeremy. (This used to be commit 858e849af697bba67ebaa970257d93b6cff7d9e0)
2007-10-10r764: More memleak fixes in error code path from kawasa_r@itg.hitachi.co.jp.Jeremy Allison1-1/+6
Jeremy. (This used to be commit 9647394e7c79c81ac4cf276a2c4b9e16eb053ec2)
2007-10-10r562: Memory leak fix in error code path from kawasa_r@itg.hitachi.co.jp.Jeremy Allison1-1/+4
Jeremy. (This used to be commit ac501348f473045a7846ffd9bc6b9eb4682b8987)
2007-10-10r541: fixing segfault in winbindd caused -r527 -- looks like a bug in ↵Gerald Carter3-8/+8
heimdal; also initialize some pointers (This used to be commit be74e88d9a4b74fcaf25b0816e3fa8a487c91ab5)
2007-10-10r533: More memory leak fixes from kawasa_r@itg.hitachi.co.jp. I need toJeremy Allison1-8/+32
valgrind winbindd with these in.... Jeremy. (This used to be commit fa4774b73d338a0c0df09f23cd738279bf4e71a2)
2007-10-10r196: merging struct uuid from trunkGerald Carter1-11/+7
(This used to be commit 911a28361b9d8dd50597627f245ebfb57c6294fb)
2007-10-10r39: * importing .cvsignore filesGerald Carter1-2/+0
* updateing WHATSNEW with vl's change (This used to be commit a7e2730ec4389e0c249886a8bfe1ee14c5abac41)
2004-03-24Fix bugzilla # 1208Jim McDonough2-3/+38
Winbind tickets expired. We now check the expiration time, and acquire new tickets. We couln't rely on renewing them, because if we didn't get a request before they expired, we wouldn't have renewed them. Also, there is a one-week limit in MS on renewal life, so new tickets would have been needed after a week anyway. Default is 10 hours, so we should only be acquiring them that often, unless the configuration on the DC is changed (and the minimum is 1 hour). (This used to be commit c2436c433afaab4006554a86307f76b6689d6929)
2004-03-22bug 1195: add flag to ADS_STRUCT so we know who owns the main structure's ↵Gerald Carter1-8/+11
memory (not the members though) (This used to be commit 4449e0e251190b741f51348819669453f0758f36)
2004-02-08Bug found by gd - the new range-reterival code did still had 'member'Andrew Bartlett1-2/+3
hardcoded into it. This didn't matter, as we only use it for 'member' so far... Andrew Bartlett (This used to be commit 8621899112e720411715ea53558d5146ff04eeb0)
2004-02-03Fix for a bug where the mutex could be left locked. Also remove theJeremy Allison1-146/+8
memory keytab code which has no effect. Driven by bug report from "Rob J. Caskey" <rcaskey@uga.edu>. Jeremy. (This used to be commit 4cb8facbf9fa6fa5233fdb363ceac4b304d263d4)
2004-01-09fix some warnings from the Sun compilerGerald Carter1-14/+14
(This used to be commit ebabf72a78f0165521268b73e0fcabe1ea7834fd)
2004-01-08This merges in my 'always use ADS' patch. Tested on a mix of NT and ADSAndrew Bartlett2-6/+22
domains, this patch ensures that we always use the ADS backend when security=ADS, and the remote server is capable. The routines used for this behaviour have been upgraded to modern Samba codeing standards. This is a change in behaviour for mixed mode domains, and if the trusted domain cannot be reached with our current krb5.conf file, we will show that domain as disconnected. This is in line with existing behaviour for native mode domains, and for our primary domain. As a consequence of testing this patch, I found that our kerberos error handling was well below par - we would often throw away useful error values. These changes move more routines to ADS_STATUS to return kerberos errors. Also found when valgrinding the setup, fix a few memory leaks. While sniffing the resultant connections, I noticed we would query our list of trusted domains twice - so I have reworked some of the code to avoid that. Andrew Bartlett (This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
2004-01-06Fix segfualt caused by incorrect configuration. If lp_realm() was not set,Andrew Bartlett1-5/+9
but security=ADS, we would attempt to free the principal name that krb5 never allocated. Also fix the dump_data() of the session key, now that we use a data_blob to store that. Andrew Bartlett (This used to be commit 4ad67f13404ef0118265ad66d8bdfa256c914ad0)
2004-01-05Try to keep vl happy - shorten some of these lines.Andrew Bartlett1-6/+12
(This used to be commit 3a4c56e4c60854bbd291adc7d321d3869e6dedab)
2004-01-05There is some memory corruption hidden somewhere in our winbind code. If IAndrew Bartlett1-4/+8
could reproduce it, I would fix it, but for now just make sure we always SAFE_FREE() and set our starting pointers to NULL. Andrew Bartlett (This used to be commit c279e178bc122e1e2aa519f7a373a3d93672a3ac)
2004-01-05rpc_client/cli_lsarpc.c:Andrew Bartlett1-17/+22
rpc_parse/parse_lsa.c: nsswitch/winbindd_rpc.c: nsswitch/winbindd.h: - Add const libads/ads_ldap.c: - Cleanup function for use nsswitch/winbindd_ads.c: - Use new utility function ads_sid_to_dn - Don't search for 'dn=', rather call the ads_search_retry_dn() nsswitch/winbindd_ads.c: include/rpc_ds.h: rpc_client/cli_ds.c: - Fixup braindamage in cli_ds_enum_domain_trusts(): - This function was returning a UNISTR2 up to the caller, and was doing nasty (invalid, per valgrind) things with memcpy() - Create a new structure that represents this informaiton in a useful way and use talloc. Andrew Bartlett (This used to be commit 06c3f15aa166bb567d8be0a8bc4b095b167ab371)
2004-01-05Fix for bug 707, getent group for huge ads groups (>1500 members)Andrew Bartlett1-8/+130
This introduces range retrieval of ADS attributes. VL rewrote most of Günther's patch, partly to remove code duplication and partly to get the retrieval of members in one rush, not interrupted by the lookups for the DN. I rewrote that patch, to ensure that we can keep an eye on the USN (sequence number) of the entry - this allows us to ensure the read was atomic. In particular, the range retrieval is now generic, for strings. It could easily be made generic for any attribute type, if need be. Andrew Bartlett (This used to be commit 131bb928f19c7b1f582c4ad9ac42e5f3d9dfb622)
2004-01-05I'm not quite sure what happened here - but replace the ads_sid_to_dnAndrew Bartlett1-9/+9
function with one that compiles. Andrew Bartlett (This used to be commit 0d5b0345a60741ae50f6770d9cecf698864cd209)
2004-01-05Add a utilty function for converting a sid to a DN.Andrew Bartlett1-0/+74
Andrew Bartlett (This used to be commit 49a7a3fd17cfeef439e2049a51dbfcbc037f1a93)
2004-01-01After talking with abartlet remove the fix for bug 707 again.Volker Lendecke1-92/+8
Volker (This used to be commit 0c8ee04c78543b1da3b675df4cf85ee5496c3fbf)
2004-01-01Fix for bug 707, getent group for huge ads groups (>1500 members)Volker Lendecke1-8/+92
This introduces range retrieval of ADS attributes. I've rewritten most of Günther's patch, partly to remove code duplication and partly to get the retrieval of members in one rush, not interrupted by the lookups for the DN. Andrew, you told me that you would like to see a check whether the AD sequence number is the same before and after the retrieval to achieve atomicity. This would be trivial to add, but I'm not sure that we want this, as this adds two roundtrips to every membership query. We can not know before the first query whether we get additional range values, and at that point it's too late to ask for the USN. Tested with a group of 4000 members along with lots of small groups. Volker (This used to be commit 9d8235bf413f931e40bca0c27a25ed62b4f3d226)
2003-12-31auth/auth_util.c:Andrew Bartlett1-1/+1
- Fill in the 'backup' idea of a domain, if the DC didn't supply one. This doesn't seem to occour in reality, hence why we missed the typo. lib/charcnv.c: lib/smbldap.c: libads/ldap.c: libsmb/libsmbclient.c: printing/nt_printing.c: - all the callers to pull_utf8_allocate() pass a char ** as the first parammeter, so don't make them all cast it to a void ** nsswitch/winbind_util.c: - Allow for a more 'correct' view of when usernames should be qualified in winbindd. If we are a PDC, or have 'winbind trusted domains only', then for the authentication returns stip the domain portion. - Fix valgrind warning about use of free()ed name when looking up our local domain. lp_workgroup() is maniplated inside a procedure that uses it's former value. Instead, use the fact that our local domain is always the first in the list. Andrew Bartlett (This used to be commit 494781f628683d6e68e8ba21ae54f738727e8c21)
2003-12-13Fix from ndb@theghet.to to allow an existing LDAP machine account to beJeremy Allison1-12/+29
re-used, rather than created from scratch. Jeremy. (This used to be commit 6d46e66ac2048352ca60f92fc384f60406024d4b)
2003-11-26Get rid of a const warningVolker Lendecke1-1/+1
Volker (This used to be commit 94860687c535ace0c962ca3fe7da59df05325c62)
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett1-1/+1
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-10-22Put strcasecmp/strncasecmp on the banned list (except for needed callsJeremy Allison2-5/+5
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at all and I really want to discourage that. Jeremy. (This used to be commit d7e35dfb9283d560d0ed2ab231f36ed92767dace)