Age | Commit message (Collapse) | Author | Files | Lines |
|
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Nov 5 03:33:32 CET 2012 on sn-devel-104
|
|
Guenther
|
|
Guenther
|
|
Avoid overriding default ccache for ads operations.
Nowadays various samba components may need to use GSSAPI and a default cred
cache to perform their tasks.
This code was completely overriding the whole process default ccache name, thus
altering the current credentials and sometimes hijacking them (or getting
preemptively hijaked).
By using gss_krb5_import_cred we can instead use a private ccache (necessary
sometimes to use a different set of credentials fromt he default
cifs/fqdn@realm one, for example when contacting foreign DCs using trust
credentials) that does not affect the rest of the process.
For the kerberos versions which don't have gss_krb5_import_cred
we fallback to temp override of KRB5CCNAME and gss_acquire_cred.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Sep 12 21:18:09 CEST 2012 on sn-devel-104
|
|
|
|
|
|
|
|
This is in preperation for the parameter table being made common.
Andrew Bartlett
Pair-Programmed-With: Andrew Tridgell <tridge@samba.org>
|
|
Several functions use the same logic as kerberos_pac_logon_info. Move
kerberos_pac_logon_info to common code and reuse it to remove the code
duplication.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
This helps clarify the role of this structure and wrapper function.
The purpose here is to provide helper functions to the lib/param
loadparm_context that point back at the s3 lp_ functions. This allows
a struct loadparm_context to be passed to any point in the code, and
always refer to the correct loadparm system. If this has not been
set, the variables loaded in the lib/param code will be returned.
As requested by Michael Adam.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 27 17:11:16 CEST 2012 on sn-devel-104
|
|
If we cannot get 1000 users downloaded in 15seconds, try with 500, 250
and then 125 users at a time.
Andrew Bartlett
Signed-off-by: Jeremy Allison <jra@samba.org>
|
|
This allows Samba to then handle this error in the same way it would for RPC connections
Andrew Bartlett
Signed-off-by: Jeremy Allison <jra@samba.org>
|
|
|
|
|
|
In preparation of making this code common to s3 and s4
|
|
In preparation of making this code common to s3 and s4
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
lib/replace/system/gssapi.h
With waf build include directories are defined by dependencies specified to subsystems.
Without proper dependency <gssapi/gssapi.h> cannot be found for embedded Heimdal builds
when there are no system-wide gssapi/gssapi.h available.
Split out GSSAPI header includes in a separate replacement header and use that explicitly
where needed.
Autobuild-User: Alexander Bokovoy <ab@samba.org>
Autobuild-Date: Wed Apr 25 00:18:33 CEST 2012 on sn-devel-104
|
|
Autobuild-User: Volker Lendecke <vl@samba.org>
Autobuild-Date: Tue Apr 24 15:04:14 CEST 2012 on sn-devel-104
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This removes the last user of ads_verify_ticket(), and means that we
only have one code path to verify an incoming krb5 (GSSAPI) ticket.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
|
Found by callcatcher.
Andrew Bartlett
|
|
Found by callcatcher.
Andrew Bartlett
|
|
HAVE_KRB5 already implies that GSSAPI is present as well.
Andrew Bartlett
|
|
metze
|
|
build with krb5
|
|
Guenther
|
|
Guenther
|
|
This allows us to use the shared gensec_wrap() implementation already used by the
smb sealing code, as well as making this code more generic.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
kerberos_get_principal_from_service_hostname()
This is now used in the GSE GSSAPI client, so that when we connect to
a target server at the CIFS level, we use the same name to connect
at the DCE/RPC level.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
With an empty sitename we asked for e.g.
_ldap._tcp.._sites.dc._msdcs.AD.EXAMPLE.COM
Guenther
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Wed Dec 21 17:23:25 CET 2011 on sn-devel-104
|
|
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Tue Dec 20 13:13:17 CET 2011 on sn-devel-104
|
|
Guenther
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Thu Nov 17 03:47:53 CET 2011 on sn-devel-104
|
|
This brings in the code from both libcli/auth and
source4/auth/ntlmssp.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Some Kerberos libraries don't do proper failover. This fixes the situation
where a KDC exists in DNS but is not reachable for some reason.
Ported to master by Stefan Metzmacher <metze@samba.org>
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Oct 17 11:25:37 CEST 2011 on sn-devel-104
|
|
Make ads_cldap_netlogon use it. It does not need the fancy multi stuff, but
excercising that code more often is better. And because we have to ask over the
network, the additional load should be neglectable.
Ported to master by Stefan Metzmacher <metze@samba.org>
|
|
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Oct 10 23:23:07 CEST 2011 on sn-devel-104
|
|
No code change except for an early "return talloc_asprintf(..)" making an else
branch obsolete.
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Mon Sep 26 18:24:25 CEST 2011 on sn-devel-104
|
|
No code change except for an early "return talloc_asprintf(..)" making an else
branch obsolete.
|
|
No code change except for an early "return talloc_asprintf(..)" making an else
branch obsolete.
|
|
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Sun Sep 18 23:31:28 CEST 2011 on sn-devel-104
|
|
|
|
be one second longer than the remote search timeout (which is
set to the "ldap timeout" value). This allows the remote search
timeout to fire in preference.
Allow lp_ldap_timeout() to be zero. Don't set the any local alarm
if so.
|
|
This message can happen with AD trusts that winbind can not cope with. The
message is not really clear and not worth spamming syslog always.
|
|
There is no need to mask out these flags as they simply are not set
yet.
The correct abstraction is to ask for NTLMSSP features.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Guenther
|
|
Guenther
|