summaryrefslogtreecommitdiff
path: root/source3/libads
AgeCommit message (Collapse)AuthorFilesLines
2012-12-21s3-libads: Fix copy&paste error in ads_keytab_add_entry().Andreas Schneider1-1/+1
Found by Coverity. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
2012-11-05libads: Always free the talloc_stackframe() on error pathAndrew Bartlett1-0/+1
Reviewed-by: Michael Adam <obnox@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Nov 5 03:33:32 CET 2012 on sn-devel-104
2012-10-02s3-kerberos: add aes enctypes to generated krb5.conf.Günther Deschner1-5/+24
Guenther
2012-10-02s3-krb5: use and request AES keys in kerberos operations.Günther Deschner2-1/+8
Guenther
2012-09-12Avoid overriding default ccache for ads operations.Simo Sorce3-7/+94
Avoid overriding default ccache for ads operations. Nowadays various samba components may need to use GSSAPI and a default cred cache to perform their tasks. This code was completely overriding the whole process default ccache name, thus altering the current credentials and sometimes hijacking them (or getting preemptively hijaked). By using gss_krb5_import_cred we can instead use a private ccache (necessary sometimes to use a different set of credentials fromt he default cifs/fqdn@realm one, for example when contacting foreign DCs using trust credentials) that does not affect the rest of the process. For the kerberos versions which don't have gss_krb5_import_cred we fallback to temp override of KRB5CCNAME and gss_acquire_cred. Signed-off-by: Alexander Bokovoy <ab@samba.org> Signed-off-by: Günther Deschner <gd@samba.org> Autobuild-User(master): Alexander Bokovoy <ab@samba.org> Autobuild-Date(master): Wed Sep 12 21:18:09 CEST 2012 on sn-devel-104
2012-09-07s3-smbldap: use smbldap_ prefixed functionsAlexander Bokovoy1-1/+1
2012-08-09Correctly check for errors in strlower_m() returns.Jeremy Allison4-7/+30
2012-08-09Check error returns from strupper_m() (in all reasonable places).Jeremy Allison4-7/+33
2012-07-24lib/param: Move all enum declarations to lib/paramAndrew Bartlett5-0/+5
This is in preperation for the parameter table being made common. Andrew Bartlett Pair-Programmed-With: Andrew Tridgell <tridge@samba.org>
2012-07-06auth: Common function for retrieving PAC_LOGIN_INFO from PACChristof Schmitt1-26/+3
Several functions use the same logic as kerberos_pac_logon_info. Move kerberos_pac_logon_info to common code and reuse it to remove the code duplication. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-06-27s3-param: Rename loadparm_s3_context -> loadparm_s3_helpersAndrew Bartlett1-1/+1
This helps clarify the role of this structure and wrapper function. The purpose here is to provide helper functions to the lib/param loadparm_context that point back at the s3 lp_ functions. This allows a struct loadparm_context to be passed to any point in the code, and always refer to the correct loadparm system. If this has not been set, the variables loaded in the lib/param code will be returned. As requested by Michael Adam. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Jun 27 17:11:16 CEST 2012 on sn-devel-104
2012-05-26s3-libads: Use a reducing page size to try and cope with a slow LDAP serverAndrew Bartlett3-2/+13
If we cannot get 1000 users downloaded in 15seconds, try with 500, 250 and then 125 users at a time. Andrew Bartlett Signed-off-by: Jeremy Allison <jra@samba.org>
2012-05-26s3-libads: Map LDAP_TIMELIMIT_EXCEEDED as NT_STATUS_IO_TIMEOUTAndrew Bartlett1-0/+3
This allows Samba to then handle this error in the same way it would for RPC connections Andrew Bartlett Signed-off-by: Jeremy Allison <jra@samba.org>
2012-05-23Move source3/libads/dns.c to lib/addnsSimo Sorce3-970/+1
2012-05-23s3-ads-dns: Avoid unnecessary dependenciesSimo Sorce2-11/+3
2012-05-23s3-ads-dns: Break dependency on lp_parmSimo Sorce3-18/+34
In preparation of making this code common to s3 and s4
2012-05-23s3-ad-dns: Use more standard uint and booleans defsSimo Sorce1-35/+35
In preparation of making this code common to s3 and s4
2012-04-25s3:registry: remove usage of reg_objects from libads/ldap_printer.cGregor Beck1-89/+56
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-25lib/replace: split out GSSAPI from lib/replace/system/kerberos.h into ↵Alexander Bokovoy2-0/+2
lib/replace/system/gssapi.h With waf build include directories are defined by dependencies specified to subsystems. Without proper dependency <gssapi/gssapi.h> cannot be found for embedded Heimdal builds when there are no system-wide gssapi/gssapi.h available. Split out GSSAPI header includes in a separate replacement header and use that explicitly where needed. Autobuild-User: Alexander Bokovoy <ab@samba.org> Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
2012-04-24s3: Attempt to fix the build without kerberosVolker Lendecke1-1/+2
Autobuild-User: Volker Lendecke <vl@samba.org> Autobuild-Date: Tue Apr 24 15:04:14 CEST 2012 on sn-devel-104
2012-04-23Make krb5 wrapper library common so they can be used all overSimo Sorce3-4/+48
2012-04-12clikrb5: Move pure krb wrapper functions from libads to clikrb5.Simo Sorce2-143/+0
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-03s3-libads: Remove ads_verify_ticket() as it is now unusedAndrew Bartlett2-788/+0
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-04-03s3-libads: Rework kerberos_return_pac() to use GENSEC for the server-sideAndrew Bartlett1-22/+167
This removes the last user of ads_verify_ticket(), and means that we only have one code path to verify an incoming krb5 (GSSAPI) ticket. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-03-30More strlcat/strlcpy truncate checks.Jeremy Allison1-2/+9
2012-02-23s3-libads: Remove unused ads_set_machine_password()Andrew Bartlett2-33/+0
Found by callcatcher. Andrew Bartlett
2012-02-23s3-libads: Remove unused ads_pull_sids_from_extendeddn()Andrew Bartlett2-62/+0
Found by callcatcher. Andrew Bartlett
2012-02-13s3-libads: Move to using only the HAVE_KRB5 defineAndrew Bartlett2-13/+11
HAVE_KRB5 already implies that GSSAPI is present as well. Andrew Bartlett
2012-01-20s3:kerberos_verify: ads_dedicated_keytab_verify_ticket() only needs read accessStefan Metzmacher1-1/+1
metze
2012-01-10krb5: Require krb5_get_host_realm and krb5_free_host_realm be available to ↵Andrew Bartlett1-4/+0
build with krb5
2012-01-09s3-libads: pretty print a keytab list.Günther Deschner1-2/+2
Guenther
2012-01-09s3-libads: fix malloc/talloc mismatch in ads_keytab_verify_ticket().Günther Deschner1-1/+1
Guenther
2012-01-06s3-libads Use NTLMSSP via auth_generic/gensecAndrew Bartlett1-90/+79
This allows us to use the shared gensec_wrap() implementation already used by the smb sealing code, as well as making this code more generic. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05s3-libads Factor out a new routine ↵Andrew Bartlett2-9/+48
kerberos_get_principal_from_service_hostname() This is now used in the GSE GSSAPI client, so that when we connect to a target server at the CIFS level, we use the same name to connect at the DCE/RPC level. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-21s3-dns: prevent from potentially doing wrong SRV DNS lookups.Günther Deschner1-1/+1
With an empty sitename we asked for e.g. _ldap._tcp.._sites.dc._msdcs.AD.EXAMPLE.COM Guenther Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Wed Dec 21 17:23:25 CET 2011 on sn-devel-104
2011-12-20s3: Fix some False/NULL hickupsVolker Lendecke1-1/+1
Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Tue Dec 20 13:13:17 CET 2011 on sn-devel-104
2011-11-17s3-smbldap: move ldap_open_with_timeout out of smb_ldap.h to ads where it lives.Günther Deschner1-0/+7
Guenther Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Thu Nov 17 03:47:53 CET 2011 on sn-devel-104
2011-10-18ntlmssp: Move ntlmssp code to auth/ntlmsspAndrew Bartlett1-1/+1
This brings in the code from both libcli/auth and source4/auth/ntlmssp. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-17s3: Before adding KDC's to the krb5.conf, cldap ping themVolker Lendecke1-47/+101
Some Kerberos libraries don't do proper failover. This fixes the situation where a KDC exists in DNS but is not reachable for some reason. Ported to master by Stefan Metzmacher <metze@samba.org> Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Mon Oct 17 11:25:37 CEST 2011 on sn-devel-104
2011-10-17Add cldap_multi_netlogon_send/recvVolker Lendecke2-42/+314
Make ads_cldap_netlogon use it. It does not need the fancy multi stuff, but excercising that code more often is better. And because we have to ask over the network, the additional load should be neglectable. Ported to master by Stefan Metzmacher <metze@samba.org>
2011-10-10libcli/cldap: don't pass tevent_context to cldap_socket_init()Stefan Metzmacher1-1/+1
metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Mon Oct 10 23:23:07 CEST 2011 on sn-devel-104
2011-09-26s3: Slightly simplify print_kdc_line()Volker Lendecke1-10/+8
No code change except for an early "return talloc_asprintf(..)" making an else branch obsolete. Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Mon Sep 26 18:24:25 CEST 2011 on sn-devel-104
2011-09-26s3: Slightly simplify print_kdc_line()Volker Lendecke1-20/+19
No code change except for an early "return talloc_asprintf(..)" making an else branch obsolete.
2011-09-26s3: Slightly simplify print_kdc_line()Volker Lendecke1-49/+52
No code change except for an early "return talloc_asprintf(..)" making an else branch obsolete.
2011-09-18s3: Add some const to create_local_private_krb5_conf_for_domainVolker Lendecke2-2/+2
Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Sun Sep 18 23:31:28 CEST 2011 on sn-devel-104
2011-09-18s3: Add some const to print_kdc_lineVolker Lendecke1-1/+1
2011-08-19If "ldap timeout" is non-zero, set the local search timeout toJeremy Allison1-19/+36
be one second longer than the remote search timeout (which is set to the "ldap timeout" value). This allows the remote search timeout to fire in preference. Allow lp_ldap_timeout() to be zero. Don't set the any local alarm if so.
2011-08-17s3: Increase a debug level in ads_find_dcVolker Lendecke1-1/+2
This message can happen with AD trusts that winbind can not cope with. The message is not really clear and not worth spamming syslog always.
2011-08-03s3-ntlmssp Remove auth_ntlmssp_and_flags()Andrew Bartlett1-1/+0
There is no need to mask out these flags as they simply are not set yet. The correct abstraction is to ask for NTLMSSP features. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-06-10source3/libads/ldap_schema.h: fix licence/copyrightGünther Deschner1-0/+25
Guenther