summaryrefslogtreecommitdiff
path: root/source3/libads
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r23650: Fix remaining callers of krb5_kt_default().Günther Deschner1-3/+4
Guenther (This used to be commit b9d7a2962a472afb0c6b8e3ac5c2c819d4af2b39)
2007-10-10r23649: Fix the build (by moving smb_krb5_open_keytab() to clikrb5.c).Günther Deschner1-137/+1
Guenther (This used to be commit 19020d19dca7f34be92c8c2ec49ae7dbde60f8c1)
2007-10-10r23648: Allow to list a custom krb5 keytab file with:Günther Deschner1-2/+2
net ads keytab list /path/to/krb5.keytab Guenther (This used to be commit a2befee3f240543ea02ea99cebad886b54ae64eb)
2007-10-10r23647: Use smb_krb5_open_keytab() in smbd as well.Günther Deschner1-2/+2
Guenther (This used to be commit d22c0d291e1b4a1412164d257310bbbb99de6500)
2007-10-10r23646: Generalize our internal keytab handling to support a broader range ↵Günther Deschner1-47/+140
of default keytabnames (like "ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab"). This also fixes keytab support with Heimdal (which supports the WRFILE pragma as well now). Guenther (This used to be commit 7ca002f4cc9ec4139c0c48952ebf05f89b5795ef)
2007-10-10r23607: Add legacy support for Services for Unix (SFU) 2.0.Günther Deschner1-17/+55
Guenther (This used to be commit 11b390309b9677805e5b68f3a1b780658ae85137)
2007-10-10r23514: Remove unused function ads_get_dn_from_extended_dn().Jeremy Allison1-29/+0
Jeremy. (This used to be commit 03763bc5287fef5f100c911041668e23d4305f8d)
2007-10-10r23477: Build farm fix: Use int rather than MIT's krb5_int32 when setting ↵Gerald Carter1-1/+1
context flags. (This used to be commit 903145e957cd05b219fdf7d5fc1e35430938a24e)
2007-10-10r23474: Here's a small patch that disables the libkrb5.so replay cacheGerald Carter1-39/+63
when verifying a ticket from winbindd_pam.c. I've found during multiple, fast, automated SSH logins (such as from a cron script) that the replay cache in MIT's krb5 lib will occasionally fail the krb5_rd_req() as a replay attack. There seems to be a small window during which the MIT krb5 libs could reproduce identical time stamps for ctime and cusec in the authenticator since Unix systems only give back milli-seconds rather than the micro-seconds needed by the authenticator. Checked against MIT 1.5.1. Have not researched how Heimdal does it. My thinking is that if someone can spoof the KDC and TDS services we are pretty hopeless anyways. (This used to be commit cbd33da9f78373e29729325bbab1ae9040712b11)
2007-10-10r23251: whoops! Fix compile errorGerald Carter1-2/+6
(This used to be commit 22a3ea40ac69fa3722abf28db845ab284a65ad97)
2007-10-10r23147: Patch #4566 from jacob berkman <jberkman@novell.com>. Pass password ↵Jeremy Allison1-1/+2
data to krb5_prompter. Jeremy. (This used to be commit 232fc5d69d44404df13f6516864352f9a5721552)
2007-10-10r23080: Fix bug #4637 - we hads missed some cases whereJeremy Allison1-12/+24
we were calling PRS_ALLOC_MEM with zero count. Jeremy. (This used to be commit 9a10736e6fa276ca4b0726fbb7baf0daafbdc46d)
2007-10-10r22893: Use ldap_rename_s instead of deprecated ldap_rename2_s.Michael Adam1-1/+2
This fixes the build on solaris (host sun9). And hopefully doesn't break any other builds... :-) If it does, we need some configure magic. Thanks to Björn Jacke <bj@sernet.de>. (This used to be commit a43775ab36aa3d36108e1b5860bbee6c47e9b1b4)
2007-10-10r22844: Introduce const DATA_BLOB data_blob_null = { NULL, 0, NULL }; andVolker Lendecke4-16/+16
replace all data_blob(NULL, 0) calls. (This used to be commit 3d3d61687ef00181f4f04e001d42181d93ac931e)
2007-10-10r22800: Add GPO_SID_TOKEN and an LDAP function to get tokensids from the ↵Günther Deschner1-0/+104
tokenGroup attribute. Guenther (This used to be commit e4e8f840605dfdf92ca60cc8fc6a4c85336565fb)
2007-10-10r22799: Fix the build.Günther Deschner1-1/+1
Guenther (This used to be commit 6e911c442bf9b076f43f99576f9b588df2c39233)
2007-10-10r22798: Add the "apply group policy" access bit (as seen in type 0x05 ↵Günther Deschner1-1/+4
ALLOWED OBJECT ACEs). Guenther (This used to be commit e138cbc876e50ae25cb15c5109a42bc8b800c1ba)
2007-10-10r22797: We are only interested in the DACL of the security descriptor, so ↵Günther Deschner2-19/+51
search with the SD_FLAGS control. Guenther (This used to be commit 648df57e53ddabe74052e816b8eba95180736208)
2007-10-10r22728: Patch from Danilo Almeida <dalmeida@centeris.com>:Gerald Carter1-0/+70
When asked to create a machine account in an OU as part of "net ads join" and the account already exists in another OU, simply move the machine object to the requested OU. (This used to be commit 3004cc6e593e6659a618de66f659f579e71c07f7)
2007-10-10r22714: Prevent DNS lookup storms when the DNS servers are unreachable.Gerald Carter1-9/+40
Helps when transitioning from offline to online mode. Note that this is a quick hack and a better solution would be to start the DNS server's state between processes (similar to the namecache entries). (This used to be commit 4f05c6fe26f4abd7ca71eac339fee2ef5e254369)
2007-10-10r22701: Fix the krb5_nt_status error table and add the "no DCs found" mappingGerald Carter1-2/+4
(This used to be commit 2ab617fbbffbd6bf98ee02150f62b87a2610531f)
2007-10-10r22666: Expand kerberos_kinit_password_ext() to return NTSTATUS codes and makeGünther Deschner1-3/+29
winbindd's kerberized pam_auth use that. Guenther (This used to be commit 0f436eab5b2e5891c341c27cb22db52a72bf1af7)
2007-10-10r22664: When we have krb5_get_init_creds_opt_get_error() then try to get the ↵Günther Deschner1-0/+121
NTSTATUS codes directly out of the krb5_error edata. Guenther (This used to be commit dcd902f24a59288bbb7400d59c0afc0c8303ed69)
2007-10-10r22663: Restructure kerberos_kinit_password_ext() error path.Günther Deschner1-53/+33
Guenther (This used to be commit 997ded4e3f0dc2199b9a66a9485c919c16fbabc6)
2007-10-10r22590: Make TALLOC_ARRAY consistent across all uses.Jeremy Allison1-4/+8
That should be it.... Jeremy. (This used to be commit 603233a98bbf65467c8b4f04719d771c70b3b4c9)
2007-10-10r22589: Make TALLOC_ARRAY consistent across all uses.Jeremy Allison2-11/+23
Jeremy. (This used to be commit 8968808c3b5b0208cbad9ac92eaf948f2c546dd9)
2007-10-10r22479: Add "net ads keytab list".Günther Deschner1-0/+112
Guenther (This used to be commit 9ec76c542775ae58ff03f42ebfa1acc1a63a1bb1)
2007-10-10r22460: Adding a generic ads_ranged_search() function.Günther Deschner1-1/+173
Guenther (This used to be commit b8828ea2516876fe5dd76083864418db2f042be0)
2007-10-10r22459: Adding ads_get_dn_from_extended_dn(), in preparation of making ↵Günther Deschner1-3/+37
ranged LDAP queries more generic. Michael, feel free to overwrite these and the following. Guenther (This used to be commit 0475b8eea99ebb467e52225ad54f4302a77376b9)
2007-10-10r22153: fix LDAP SASL "GSSAPI" bind against w2k3, this isn't criticalStefan Metzmacher1-5/+10
because we try "GSS-SPNEGO" first and all windows version support that. metze (This used to be commit 34a5badbded0b2537ee854287931e2a7dc3aeb37)
2007-10-10r22112: Fix memleak pointed out by Steven Danneman <steven.danneman@isilon.com>.Jeremy Allison1-1/+2
Jeremy. (This used to be commit 7c45bd3a47fc2b24c5f1351a241ace2201c857d2)
2007-10-10r22092: - make spnego_parse_auth_response() more generic andStefan Metzmacher1-1/+1
not specific for NTLMSSP - it's possible that the server sends a mechOID and authdata if negResult != SPNEGO_NEG_RESULT_INCOMPLETE, but we still force the mechOID to be present if negResult == SPNEGO_NEG_RESULT_INCOMPLETE metze (This used to be commit e9f2aa22f90208a5e530ef3b68664151960a0a22)
2007-10-10r22079: Tsk, tsk, Metze didn't compile before check-in :-).Jeremy Allison1-1/+1
Merge the memory leak fix (with fix :-) to 3.0.25. Jeremy. (This used to be commit ab3150fe4ed2a629eb371db5f43ae09b9c583a64)
2007-10-10r22078: fix memory leak in not often used code, we only use it if the serverStefan Metzmacher1-3/+3
doesn't support GSS-SPNEGO in SASL can someone please review this, maybe it's also for 3.0.25 metze (This used to be commit 8c6930b7013b185af0530b04a7d5a49bc2ce7831)
2007-10-10r21968: Don't use gss-types in proto headers.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 829580414d89ff4aa0f45906e455849c55f508b1)
2007-10-10r21967: Add conversion from gss errors to nt status.Jeremy Allison1-1/+10
Jeremy (This used to be commit 8ba138efd097b08dcfe98f99b67c77579babf250)
2007-10-10r21922: Fixed the build by rather horrid means. I really needJeremy Allison1-2/+4
to restructure libsmb/smb_signing.c so it isn't in the base libs path but lives in libsmb instead (like smb_seal.c does). Jeremy. (This used to be commit 1b828f051d0782201f697de15ff973bd6b097d5b)
2007-10-10r21863: Fix debug messages with incorrect function name.Jeremy Allison1-15/+15
Jeremy. (This used to be commit d432d81c8321a4444b970169a5c7c3c5709de8e5)
2007-10-10r21855: Fix a memleak in the krb5 locator and comment out gfree_all() which ↵Günther Deschner1-2/+4
doesn't make sense as long as it doesn't work as an lp_unload(). Guenther (This used to be commit 128ea9bebbb215e41d2f0576e1a73c6a362b7467)
2007-10-10r21850: After Jerry explained to me the HORRIBLE way in whichJeremy Allison1-5/+15
the MIT gss libraries *SUCK*, move the frees to the end of the function so MIT doesn't segfault..... Add a comment so that another engineer knows why I did this. Jeremy. (This used to be commit 1a2be06d4a1131952a97f94b05ae69b1dce4c300)
2007-10-10r21847: Fix memory leaks in error paths (and in main code path in one case...)Jeremy Allison1-5/+13
in sasl bind. Wonder why coverity didn't find these ? Jeremy. (This used to be commit 89bdd30e4b2bb9dbc2ab57c54be8c6d01cae5a26)
2007-10-10r21845: Refactor the sessionsetupX code a little to allow usJeremy Allison2-31/+74
to return a NT_STATUS_TIME_DIFFERENCE_AT_DC error to a client when there's clock skew. Will help people debug this. Prepare us for being able to return the correct sessionsetupX "NT_STATUS_MORE_PROCESSING_REQUIRED" error with associated krb5 clock skew error to allow clients to re-sync time with us when we're eventually able to be a KDC. Jeremy. (This used to be commit c426340fc79a6b446033433b8de599130adffe28)
2007-10-10r21831: Back out r21823 for a while, this is going into a bzr tree first.Volker Lendecke1-3/+1
Volker (This used to be commit fd0ee6722ddfcb64b5cc9c699375524ae3d8709b)
2007-10-10r21823: Let secrets_store_machine_password() also store the account name. ↵Volker Lendecke1-1/+3
Not used yet, the next step will be a secrets_fetch_machine_account() function that also pulls the account name to be used in the appropriate places. Volker (This used to be commit f94e5af72e282f70ca5454cdf3aed510b747eb93)
2007-10-10r21822: Adding experimental krb5 lib locator plugin.Günther Deschner1-0/+384
This is a starting point and may get changed. Basically we need follow the exact same path to detect (K)DCs like other Samba tools/winbind do. In particular with regard to the server affinity cache and the site-awarness for DNS SRV lookups. To compile just call "make bin/smb_krb5_locator.so", copy to /usr/lib/plugin/krb5/ (Heimdal HEAD) or /usr/lib/krb5/plugins/libkrb5/ (MIT) and you should immediately be able to kinit to your AD domain without having your REALM with kdc or kpasswd directives defined in /etc/krb5.conf at all. Tested with todays Heimdal HEAD and MIT krb5 1.5. Guenther (This used to be commit 34ae610bd5b9fd1210f16beac07a1c5984144ca7)
2007-10-10r21779: I missd a call to krb5_get_init_creds_opt_alloc in r21778.James Peach1-1/+1
(This used to be commit 4f6c2826aa1ac240b02122a40fe9a1ccabaaaf27)
2007-10-10r21778: Wrap calls to krb5_get_init_creds_opt_free to handle the differentJames Peach1-2/+2
calling convention in the latest MIT changes. Apparantly Heimdal is also changing to this calling convention. (This used to be commit c29c69d2df377fabb88a78e6f5237de106d5c2c5)
2007-10-10r21755: Memory leak fixes from Zack Kirsch <zack.kirsch@isilon.com>.Jeremy Allison1-2/+7
Jeremy. (This used to be commit 02d08ca0be8c374e30c3c0e665853fa9e57f043a)
2007-10-10r21608: Fix a couple of memleaks in error code paths beforeJeremy Allison1-1/+2
Coverity finds them :-) Jeremy. (This used to be commit cbe725f1b09f3d0edbdf823e0862edf21e16d336)
2007-10-10r21606: Implement escaping function for ldap RDN valuesSimo Sorce2-4/+18
Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)