Age | Commit message (Collapse) | Author | Files | Lines |
|
Guenther
(This used to be commit 5e75ea7f2b568d76c8ced5f43171741532cc97c2)
|
|
were using
netr_GetDcAnyName all the time (which is the correct thing to do).
Fix the naming and opcode mixup in all branches.
Guenther
(This used to be commit def6464c872a5939f0028837254f2c019d2d71c8)
|
|
netr_DsRGetDCNameEx2) and add new ds request and reply flags, also add some
more WERROR codes.
Guenther
(This used to be commit 37ae7f419702c563bcd0d9c27c02bde7efd34dd7)
|
|
use the credential chain and only works over netlogon, but it would
allow multiple outstanding auth requests for a single workstation
account.
(This used to be commit 123290d0947191abca4a3b3d81718c823c1bc4a0)
|
|
we were calling PRS_ALLOC_MEM with zero count.
Jeremy.
(This used to be commit 9a10736e6fa276ca4b0726fbb7baf0daafbdc46d)
|
|
Jeremy.
(This used to be commit c622fb8536d955952a0fbf2441a4cb45a9feb9b0)
|
|
marshalling bugs.
Jeremy.
(This used to be commit 3df99006f8a52af7cff0fbca1bf16157a8648254)
|
|
calls. No functional changes. Looks bigger than it is :-).
Jeremy.
(This used to be commit f6fa3080fee1b20df9f1968500840a88cf0ee592)
|
|
which matches what samba4 has.
also fix all the callers to prevent compiler warnings
metze
(This used to be commit fa322f0cc9c26a9537ba3f0a7d4e4a25941317e7)
|
|
Guenther
(This used to be commit 7bbb3409a530a6ac9712992c87c63e056511517b)
|
|
more no previous prototype warnings
(This used to be commit 41be182f78762372ae13759ede5d2bd40a71d7f5)
|
|
gives just any DC), also make sure to set timeouts in rpcclient
accordingly so that we actually get the DC's reply.
Guenther
(This used to be commit 6091c8152a3998d2503cb0911a217ee904509633)
|
|
Guenther
(This used to be commit 44e228ac796fca2db8509915067511ed705032bf)
|
|
(This used to be commit 5de76767e857e9d159ea46e2ded612ccd6d6bf19)
|
|
(This used to be commit 1115745caed3093c25d6be01ffee21819fb0a675)
|
|
Jeremy.
Fix a parsing error that became apparent in 'make test': If we have no
group
rids in the info3 we set the array buffer pointer to "1" but fail to
actually
ship the array.
Volker.
(This used to be commit ee1b9207d3119c2b3e7c1c4e59250dbd323eae6a)
|
|
Guenther
(This used to be commit 7616317f9f45dfbc453a7687e8b8b6ff57ddb0a3)
|
|
pidl...
Fix Coverity # 15.
Volker
(This used to be commit 29b4b986cc225a98d263c883fd52e8b210099b9e)
|
|
* Fix a couple of related parsing issues.
* in the info3 reply in a samlogon, return the ACB-flags (instead of
returning zero)
Guenther
(This used to be commit 5b89e8bc24f0fdc8b52d5c9e849aba723df34ea7)
|
|
Jeremy.
(This used to be commit 9437ffc84f4d924ab67f3e16ef507d2aeeeb5f34)
|
|
Jeremy.
(This used to be commit 666b03b4a92800ed704b7f7e4b39f4e01ca47aee)
|
|
Jeremy.
(This used to be commit 8ae70122b79fbe682c227ec2c4e5a72bf58d76de)
|
|
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
|
|
box with gcc4 and -O6...
Fix a bunch of C99 dereferencing type-punned pointer will break
strict-aliasing rules errors. Also added prs_int32 (not uint32...)
as it's needed in one place. Find places where prs_uint32 was being
used to marshall/unmarshall a time_t (a big no no on 64-bits).
More warning fixes to come.
Thanks to Volker for nudging me to compile like this.
Jeremy.
(This used to be commit c65b752604f8f58abc4e7ae8514dc2c7f086271c)
|
|
Guenther
(This used to be commit c54430a7b5e40d3bdf8afdc813eb722c0a3b861e)
|
|
you the IP
address but also the fqdn of the remote dc and site info.
Volker
(This used to be commit 62d01ce7e6c14971084c208ab61f379cb172cb22)
|
|
(This used to be commit 9741818d2c54240ef1f38762396828adceb92b2a)
|
|
x86_64 box.
Jeremy.
(This used to be commit d720867a788c735e56d53d63265255830ec21208)
|
|
> 0.
This fixes the PAC parsing for win2k DCs up to SP3. (Where full SIDs
are stored in the PAC instead of RIDs).
Guenther
(This used to be commit 3d5d5ddce2d0c602d985438af996e7af5ccef329)
|
|
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
|
|
Guenther
(This used to be commit fdba056a2fbcc118e3d0584c280da1ee5f730f22)
|
|
Volker
(This used to be commit dbcc1de3f89de9f0b2fa75287e7640e824b58e20)
|
|
rename REG_CREATE_VALE -> REG_SET_VALUE
(This used to be commit 28d433351cf813c7fb57ebac0e0f4973c85f73e8)
|
|
This copy was length-limited, which broke when the NTLMv2 response was
more than 128 bytes in length.
Andrew Bartlett
(This used to be commit bae18aaaff7f9eff90db566b9a254a11d281aa01)
|
|
...hmmm... completely bogus. This does not affect us as a domain controller,
as we never set other_sids, but I have *no* idea how winbind got away with it.
Please review thoroughly, samba4 idl looks closer to reality here.
Test case: Member of w2k3 domain, authenticate as a user who is member of one
or more domain local groups. Easiest review with 'client schannel = no'.
Thanks,
Volker
(This used to be commit a0a6388830d9457de3e42686c64bddeba42954f8)
|
|
Based on samba4-idl. The decoding of account-lockout-string is somewhat
experimental though.
Guenther
(This used to be commit 721bf50d7446b8ce18bc1d45e17d4214d5a43d26)
|
|
The old #ifdef JRATEST-block was copying 16 bytes and thus overwriting
acct_flags with bizarre values, breaking a lot of things.
This patch is successfully running in a production environment for quite
some time now and is required to finally allow Exchange 5.5 to access
another Exchange Server when both are running on NT4 in a
samba-controlled domain. This also allows Exchange Replication to take
place, Exchange Administrator to access other Servers in the network,
etc. Fixes Bugzilla #1136.
Thanks abartlet for helping me with that one.
Guenther
(This used to be commit bd4c5125d6989cebc90152a23e113b345806c660)
|
|
allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
|
|
To correct “net rpc vampire” core dump.
Jeremy.
(This used to be commit cd910ffc510f2007c2619d7a4d31e5e41de7d1d1)
|
|
for setting up an schannel connection. This solves the problem
of a Samba DC running winbind, trusting a native mode AD domain,
and needing to enumerate AD users via wbinfo -u.
(This used to be commit e9f109d1b38e0b0adec9b7e9a907f90a79d297ea)
|
|
key could
be anything, and may not be based on anything 'NT'. This is also what microsoft
calls it.
(This used to be commit 724e8d3f33719543146280062435c69a835c491e)
|
|
a DC it trusts.
Volker
(This used to be commit ae6840320ff47827c2817549fe3133a57e3fe77f)
|
|
(This used to be commit 344e113368cb46fc4d26107d1cd276e4c76a6a9b)
|
|
to correctly parse plaintext netlogon calls with odd-length passwords
Andrew Bartlett
(This used to be commit de3c3cbeeb8b674ffc0dd8fe16913f15edcf9022)
|
|
info reply
Thanks to a bug report by 'musb'
(This used to be commit 310f90f3689d4acd16368a833f23ea5f9aaa0133)
|
|
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
|
|
but a flags field. We were assuming that 2*strlen(mb_string) == length of ucs2-le string.
This is not the case. Count it after conversion.
Jeremy.
(This used to be commit f82c273a42f930c7152cfab84394781744815e0e)
|
|
info delta correctly and thus crash when doing a net rpc samdump.
The easiest thing at the moment it to comment out these functions as
they seriously don't correspond with reality (netmon/ethereal) and the
data in the containers aren't used anyway.
(This used to be commit 695aa39c5d798b112f0a06281b499fcac8a5bf31)
|
|
(This used to be commit a6a39c61e8228c8b3b7552ab3c61ec3a6a639143)
|
|
strupper_m/strlower_m.
I really want people to think about when they're using multibyte strings.
Jeremy.
(This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
|