Age | Commit message (Collapse) | Author | Files | Lines |
|
The only user of this was decrypt_trustdom_secret, and this only needs the NT
hash anyway.
(This used to be commit 3d8c2a47e677a4c4aacf4abf148b1bd8163c3351)
|
|
(This used to be commit f8fb9b7e3759bec7fbcf93b27438ca6b03202ddb)
|
|
This abstracts away all references to rpc_pipe_client->cli, the only reference
is now in cli_pipe.c.
(This used to be commit c56e1c08cef107ff33a34346ceeca3475a102b19)
|
|
(This used to be commit 99fc3283c4ecc791f5a242bd1983b4352ce3e6cf)
|
|
(This used to be commit 45be749ed69f8c1ad3ebe8ea1f35c806db2ed5d0)
|
|
(This used to be commit 4840febcd481563c3d9b2fabc1fe1b2ae5a76cf6)
|
|
(This used to be commit d8a04b798c44c26a91a37fa7090dd071a1909166)
|
|
Also make sure that rpc_pipe_client->user_name is always talloced.
(This used to be commit 3f6c5b99664a75a6f490ee3b6980b89cacf7f579)
|
|
Reduce dependency on "cli" member of rpc_pipe_client struct
(This used to be commit 2e4c1ba38963cffe4c3f25ab24bc28975f2fc291)
|
|
(This used to be commit a9061e52e1ff8e31aa480f4a30cda64c9d93214e)
|
|
This reduces the dependency on cli_state
(This used to be commit 783afab9c891dd7bcb78895b2a639b6f3a0edf5b)
|
|
(This used to be commit a6d74a5a562b54f0b36934965f545fdeb1e8b34a)
|
|
This probably does not matter in current code, but without this it's not
possible to do the bind as a different user than the underlying smb user.
Jeremy, please check!
Thanks,
Volker
(This used to be commit b90062e33cbde7de4961414fd35a3a588760d002)
|
|
duplication.
(This used to be commit 428654b473ba44b2f5340eefef0d4fcd51aff558)
|
|
(This used to be commit 7bea00dca1ee08ef731dfa73110ef9c190a29919)
|
|
In order to avoid receiving NT_STATUS_DOWNGRADE_DETECTED from a w2k8
netr_ServerAuthenticate2 reply, we need to start with the AD netlogon negotiate
flags everywhere (not only when running in security=ads). Only for NT4 we need
to do a downgrade to the returned negotiate flags.
Tested with w2k8, w2ksp4, w2k3r2 and nt4sp6.
Guenther
(This used to be commit 0970369ca0cb9ae465cff40e5c75739824daf1d0)
|
|
(This used to be commit 3fc85d22590550f0539215d020e4411bf5b14363)
|
|
(This used to be commit 376de8a0e4194e186b460911e3319b0f4448203e)
|
|
hand-written ones.
Guenther
(This used to be commit d5ebfccebb1f1b56b45673a506fcdb414103c43b)
|
|
Interop fixes for AD specific flags. Original patch from Todd Stetcher.
(This used to be commit 5aadfcdaacd6f136eab9e107a88b8544e6d2105f)
|
|
Michael
(This used to be commit 6a7f2a59fc370e226ddacb195059155f28c6c157)
|
|
This removes one forgotten call of cli_rpc_pipe_close(netlogon_pipe).
Correction of e77c4022cfbb868e608edcb06b676658b0e201ad.
Michael
(This used to be commit 7f6593cddef048dd05140b05d306c708d8134f0e)
|
|
Refactor the actual retrieval of the session key through the
established netlogon pipe out of get_schannel_session_key()
and get_schannel_session_key_auth_ntlmssp() into a new
function get_schannel_session_key_common().
(To avoid code duplication.)
Michael
(This used to be commit e77c4022cfbb868e608edcb06b676658b0e201ad)
|
|
Michael
(This used to be commit 0cde7ac9cb39a0026a38ccf66dbecefc12931074)
|
|
Up to now each caller used its own logic.
This eliminates code paths where there was a special treatment
of the following situation: the domain given is not our workgroup
(i.e. our own domain) and we are not a DC (i.e. it is not a typical
trusted domain situation). In situation the given domain name was
previously used as the machine account name, resulting in an account
name of DOMAIN\\DOMAIN$, which does not seem very reasonable to me.
get_trust_pw would not have obtained a password in this situation
anyways.
I hope I have not missed an important point here!
Michael
(This used to be commit 6ced4a7f88798dc449a667d63bc29bf6c569291f)
|
|
them with malloc'ing accessor functions. Should save a
lot of static space :-).
Jeremy.
(This used to be commit 52dc5eaef2106015b3a8b659e818bdb15ad94b05)
|
|
Make us very explicit about how long a talloc ctx
should last.
Jeremy.
(This used to be commit ba9e2be2b5a59684e854609f9d82ea1633448c62)
|
|
Jeremy.
(This used to be commit 15074de938539e7a9c527d9a6d81792adc2ac3d0)
|
|
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
(This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
|
|
The translate_name() used by cli_session_setup_spnego() cann rely
Winbindd since it is needed by the join process (and hence before
Winbind can be run).
(This used to be commit 00a93ed336c5f36643e6e33bd277608eaf05677c)
|
|
and client fixes. Patch from Todd Stetcher <todd.stetcher@isilon.com>.
(This used to be commit 8304ccba7346597425307e260e88647e49081f68)
|
|
(This used to be commit 918aad0d8b4b0c2caa8830726a17d3ad4d19f72a)
|
|
(This used to be commit 87c91e4362c51819032bfbebbb273c52e203b227)
|
|
Jeremy.
(This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
|
|
replace all data_blob(NULL, 0) calls.
(This used to be commit 3d3d61687ef00181f4f04e001d42181d93ac931e)
|
|
not specific for NTLMSSP
- it's possible that the server sends a mechOID and authdata
if negResult != SPNEGO_NEG_RESULT_INCOMPLETE, but we still
force the mechOID to be present if negResult == SPNEGO_NEG_RESULT_INCOMPLETE
metze
(This used to be commit e9f2aa22f90208a5e530ef3b68664151960a0a22)
|
|
which matches what samba4 has.
also fix all the callers to prevent compiler warnings
metze
(This used to be commit fa322f0cc9c26a9537ba3f0a7d4e4a25941317e7)
|
|
Jeremy, I'm afraid you removed the "domain->initialized" from the
set_dc_types_and_flags() call when the connect to PI_LSARPC_DS failed
(with rev. 19148).
This causes now that init_dc_connection_network is called again and
again which in turn rescans the DC each time (which of course fails each
time with NT_STATUS_BUFFER_TOO_SMALL). Just continue with the
non-PI_LSARPC_DS scan so that the domain is initialized properly.
Guenther
(This used to be commit c6f63a08f55a4121cbe5aac537d2ef983dc25a97)
|
|
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".
Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).
Guenther
(This used to be commit 7e1a84b7226fb8dcd5d34c64a3478a6d886a9a91)
|
|
in smb.conf. This did work before the join rewrite.
Samba will have problems if you try to run any of the daemons
with an incorrect workgroup but it should not fail to join.
The summary is that a member server should always use it's
own machine name when setting up schannel since that is
the only account it has. Thanks to Volker for the discussion.
(This used to be commit 95763b94f709fe1ad9e381dbc6b364c2f3759024)
|
|
cli_rpc_pipe_open_krb5.
Guenther
(This used to be commit fa19099112490daa085bb310f2f4ed877bb22b40)
|
|
With this change (and setting lanman auth = no in smb.conf)
we have *identical* NTLMSSP flags to W2K3 in SPNEGO auth.
Jeremy
(This used to be commit 93ca3eee55297eb7fdd38fca38103ce129987e2a)
|
|
Might need to rework prs_dcerpc_status().
Guenther
(This used to be commit 38b18f428ba941f4d9a14fa2de45cb0cd793a754)
|
|
kerberos_kinit_password_ext provides access to more options.
Guenther
(This used to be commit afc519530f94b420b305fc28f83c16db671d0d7f)
|
|
(This used to be commit e49ca3af8c2522aee670e6b807d7b3df31be47f6)
|
|
* Fix inverted logic check for machine accounts in get_md4pw()
(This used to be commit a36529535dcb5a262e7627b80fb62a31240dc8ad)
|
|
trigger coverity checks by testing for NULL.
Jeremy.
(This used to be commit 6b4484159293d725613249adbfa01472dea1c722)
|
|
from jason@ncac.gwu.edu.
Jeremy.
(This used to be commit 00f8b4e1aa44904c91af8eb6ac4c3f196986c339)
|
|
not to, cope with a server that doesn't offer schannel also.
Jeremy
(This used to be commit 68005f6bdb70883eace0d9067c76c3360a803023)
|
|
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
|