Age | Commit message (Collapse) | Author | Files | Lines |
|
We have winbindd write a custom krb5.conf or use a kdc locator plugin
to do this properly now.
Andrew Bartlett
|
|
By reworking the 'fake DNS' file to use struct dns_rr_srv it should be
possible to emulate that resolver layer as well as the Samba4
sockaddr_storage* based layer. This will then give us a common DNS
emulation for 'make test'.
Andrew Bartlett
|
|
|
|
This uses the source3 PAC code (originally from Samba4) with some
small changes to restore functionality needed by the torture tests,
and to have a common API.
Andrew Bartlett
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Thu Mar 24 00:52:01 CET 2011 on sn-devel-104
|
|
We dereference "res" in various places, no point in checking. All current
callers send "res!=NULL".
|
|
Guenther
|
|
Instead use new header smb_ldap.h where all LDAP API related things are handled,
while smbldap.h only deals with our smbldap_X() API.
Guenther
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Wed Mar 16 10:54:51 CET 2011 on sn-devel-104
|
|
|
|
|
|
Guenther
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Fri Feb 25 01:55:26 CET 2011 on sn-devel-104
|
|
When compiled against heimdal, we need to use a more elegant API.
Andrew Bartlett
|
|
Guenther
|
|
Guenther
|
|
metze
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Wed Jan 12 19:04:25 CET 2011 on sn-devel-104
|
|
Guenther
|
|
This principal is not supplied by later versions of windows, and using
it opens up some oportunities for man in the middle attacks. (Becuase
it isn't the name being contacted that is verified with the KDC).
This adds the option 'client use spnego principal' to the smb.conf (as
used in Samba4) to control this behaivour. As in Samba4, this
defaults to false.
Against 2008 servers, this will not change behaviour. Against earlier
servers, it may cause a downgrade to NTLMSSP more often, in
environments where server names are not registered with the KDC as
servicePrincipalName values.
Andrew Bartlett
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This will reduce the noise from merges of the rest of the
libcli/security code, without this commit changing what code
is actually used.
This includes (along with other security headers) dom_sid.h and
security_token.h
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
|
|
Found by the CodeNomicon test suites at the SNIA plugfest.
http://www.codenomicon.com/
If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server
as we indirect the first returned value OIDs[0], which is returned as NULL.
Jeremy.
|
|
This does a length-limited check, and so avoids reading beyond the
allocated memory if the server sends less than 16 bytes.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
This reduces the manual marshalling of these structures by removing
the duplication here.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Guenther
|
|
messages.
Jeremy.
|
|
<andreas.moroder@gmx.net>".
Jeremy.
|
|
|
|
|
|
Heimdal's krb5_kt_start_seq_get() will leave a non 0 fd in the krb5_kt_cursor
struct when it cannot find a given keytab.
Guenther
|
|
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
|
|
|
|
|
|
|
|
|
|
add helper function for both smb_krb5_kt_add_entry_ext() and
ads_keytab_flush()
|
|
|
|
Modern Kerberos implementations have either defines or enums for these
key types, which makes doing #ifdef difficult. This shows up in files
such as libnet_samsync_keytab.c, the bulk of which is not compiled on
current Fedora 12, for example.
The downside is that this makes Samba unconditionally depend on the
arcfour-hmac-md5 encryption type at build time. We will no longer
support libraries that only support the DES based encryption types.
However, the single-DES types that are supported in common with AD are
already painfully weak - so much so that they are disabled by default
in modern Kerberos libraries.
If not found, ADS support will not be compiled in.
This means that our 'net ads join' will no longer set the
ACB_USE_DES_KEY_ONLY flag, and we will always try to use
arcfour-hmac-md5.
A future improvement would be to remove the use of the DES encryption
types totally, but this would require that any ACB_USE_DES_KEY_ONLY
flag be removed from existing joins.
Andrew Bartlett
Signed-off-by: Simo Sorce <idra@samba.org>
|
|
Guenther
|
|
Guenther
|