| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
we now check wheter the sec_channel_type matches the trust account type.
Guenther
(This used to be commit c35eb449375d53ffa0815897e7723c203be1f732)
|
|
* Fix a couple of related parsing issues.
* in the info3 reply in a samlogon, return the ACB-flags (instead of
returning zero)
Guenther
(This used to be commit 5b89e8bc24f0fdc8b52d5c9e849aba723df34ea7)
|
|
* replace all pdb_{init,fill}_sam_pw() calls with samu_set_unix()
(This used to be commit 6f1afa4acc93a07d0ee9940822d7715acaae634f)
|
|
to make full use of the new talloc() interface. Discussed with Volker
and Jeremy.
* remove the internal mem_ctx and simply use the talloc()
structure as the context.
* replace the internal free_fn() with a talloc_destructor() function
* remove the unnecessary private nested structure
* rename SAM_ACCOUNT to 'struct samu' to indicate the current an
upcoming changes. Groups will most likely be replaced with a
'struct samg' in the future.
Note that there are now passbd API changes. And for the most
part, the wrapper functions remain the same.
While this code has been tested on tdb and ldap based Samba PDC's
as well as Samba member servers, there are probably still
some bugs. The code also needs more testing under valgrind to
ensure it's not leaking memory.
But it's a start......
(This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
|
|
macro which sets the freed pointer to NULL.
(This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
|
|
the correct part of the netlogon and schannel packets.
Jeremy.
(This used to be commit 4877f336b257e6f59833a6e0679959a2ec879974)
|
|
by schannel if "server schannel = true" was set.
Jeremy.
(This used to be commit fd84d9703ed01feb010df4ebb7e9ceb0d063780b)
|
|
Jeremy.
(This used to be commit ea82958349a57ef4b7ce9638eec5f1388b0fba2a)
|
|
for the creds store. This should fix the problems
Jerry reported (but I have still to run tests :-).
Jeremy.
(This used to be commit 43f095a38d66caa774d80fe32e1b96ec25dd1f07)
|
|
(This used to be commit a95d7d722273863efa820674672393fe6e5a33b7)
|
|
Bartlett's
Samba4 code.
Jeremy.
(This used to be commit a2fb436fc5dd536cfe860be93f55f9cb58139a0e)
|
|
I mean it this time :-).
Jeremy.
(This used to be commit 80f4868944d349015d2b64c2414b06466a8194aa)
|
|
Jeremy.
(This used to be commit a9e1d0f3b4fd7a0732a5023d0b4dcc2c4b1b03f8)
|
|
Jeremy.
(This used to be commit a164cfab420a2439dad8fd85f8b4d652087fa6b9)
|
|
Jeremy.
(This used to be commit 9437ffc84f4d924ab67f3e16ef507d2aeeeb5f34)
|
|
Jeremy
(This used to be commit f58d0ebf749ad6dab562e74e9fd2c16606183d6c)
|
|
Jeremy.
(This used to be commit 58544eb3c848e1dddd774270fbaae7d704a37b53)
|
|
makes fixes much easier to port. Fix the size of dc->sess_key to
be 16 bytes, not 8 bytes - only store 8 bytes in the inter-smbd
store in secrets.tdb though. Should fix some uses of the dc->sess_key
where we where assuming we could read 16 bytes.
Jeremy.
(This used to be commit 5b3c2e63c73fee8949108abe19ac7a448a033a7f)
|
|
Jeremy.
(This used to be commit 8ae70122b79fbe682c227ec2c4e5a72bf58d76de)
|
|
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
|
|
These can happen in normal operation (I think - not 100%
sure) and don't want to alarm admins. Jerry please add this
to 3.0.21b.
Jeremy.
(This used to be commit 47178b1b5ad06905f345a0f6b6267701d8aefddb)
|
|
Volker
(This used to be commit ae4ffc1cfb745a756d047c35f947f80acf4b0e55)
|
|
(This used to be commit 37d2bf02f37f6d1b5bac9523f085c00625722761)
|
|
logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes
the auth module interface to 2 (from 1). The effect of this is
that clients can access resources as a machine account if they
set these flags. This is the same as Windows (think of a VPN
where the vpn client authenticates itself to a VPN server
using machine account credentials - the vpn server checks
that the machine password was valid by performing a machine
account check with the PDC in the same was as it would a
user account check. I may add in a restriction (parameter)
to allow this behaviour to be turned off (as it was previously).
That may be on by default.
Andrew Bartlett please review this change carefully.
Jeremy.
(This used to be commit d1caef866326346fb191f8129d13d98379f18cd8)
|
|
x86_64 box.
Jeremy.
(This used to be commit d720867a788c735e56d53d63265255830ec21208)
|
|
Based on the Samba4 solution - stores data in
$samba/private/schannel_store.tdb.
This tdb is not left open but open and closed on demand.
Jeremy.
(This used to be commit a6d8a4b1ff31c5552075455dbd98cb58795958a9)
|
|
Jeremy.
(This used to be commit 86ffef8162393be3da81fda13772f0f1d40b0d08)
|
|
Ensure that the mach_acct and remote machine entries are
set correctly in struct dcinfo - we'll need this as a key
for a persistent schannel state later.
Jeremy.
(This used to be commit 47269b5c7161d740c2e86227de3acd9e08c53817)
|
|
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
|
|
Jeremy.
(This used to be commit e1c9813d63a441037bc71622a29acda099d72f71)
|
|
defined locally because if we didn't find them as a DC we were marking
the response as authoritative. Now if it's not a domain we know, we
mark the response non-authoritative.
Fix from jpjanosi@us.ibm.com
(This used to be commit d522277b86ff728f6f2b9feb2f8e3fa38c43d162)
|
|
the user,
causing netlogon to return an invalid response for failed interactive logons.
(This used to be commit 4deb918b682fb51d8712cfdafc6210275dd10fc4)
|
|
NT_STATUS_NO_USER returned. We were moving to the next step in the
chain when the client wasn't. Only update when the user logs on.
(This used to be commit b01a3a4111f544eef5bd678237d07a82d1ce9c22)
|
|
login
scripts to be executed.
We were filling in our name as the server which processed the login, even
when it was done by a trusted DC.
Thanks to John Janosik <jpjanosi@us.ibm.com> for the fix.
(This used to be commit 0446319a3b8096df385978449ffaa231bc5cfd0c)
|
|
before. Things tested: Domain join and subsequent interactive and network
logon to NT4, W2kSP and XPSP2 workstations and a NT4 domain trusting us. Right
now I've got problems with my W2k3 domain trusts. So this needs testing,
although I'm really confident that this does not break.
Volker
(This used to be commit c25b4afda2b657b73a6215d3ff36461a36496ba3)
|
|
version to 3.0.20pre1
(This used to be commit 9727d05241574042dd3aa8844ae5c701d22e2da1)
|
|
(This used to be commit efea76ac71412f8622cd233912309e91b9ea52da)
|
|
allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
|
|
Andrew Bartlett
(This used to be commit 1833d0ab724d88411ebd79ac26f5642e7c8cfee3)
|
|
The purpose of this patch is to avoid changing the machine account
password, when it has 'already been changed'. This occours in
situations where the secure channel between the workstation and the DC
breaks down, such as occoured in the MS04-11 security patch. This
avoids LDAP replication load issues, due to the client changing the
password repeatedly.
We also now set the LM password to NULL explicitly, rather than the NT
password value, as this is what we get out of a vampire, or when a
long password is set (as XP seems to do these days).
Andrew Bartlett
(This used to be commit 1ad1317a815898b52b1803211ab7b502e331e782)
|
|
On systems with /dev/urandom, this avoids a change to secrets.tdb for every fork().
For other systems, we now only re-seed after a fork, and on startup.
No need to do it per-operation. This removes the 'need_reseed'
parameter from generate_random_buffer().
Andrew Bartlett
(This used to be commit 36741d3cf53a7bd17d361251f2bb50851cdb035f)
|
|
for setting up an schannel connection. This solves the problem
of a Samba DC running winbind, trusting a native mode AD domain,
and needing to enumerate AD users via wbinfo -u.
(This used to be commit e9f109d1b38e0b0adec9b7e9a907f90a79d297ea)
|
|
(This used to be commit 911a28361b9d8dd50597627f245ebfb57c6294fb)
|
|
key could
be anything, and may not be based on anything 'NT'. This is also what microsoft
calls it.
(This used to be commit 724e8d3f33719543146280062435c69a835c491e)
|
|
the \\ off the workstation.
Volker
(This used to be commit d01cb00aad76f8be9767fdcfd92c88ea5d8c4f14)
|
|
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
|
|
Andrew Bartlett
(This used to be commit 256b85802e5820847fbad4305fcb0f5da2e51975)
|
|
(This used to be commit 6a9bfcd3b8996a0322f733689fd5e8bf24f224c8)
|
|
- The 'not implmented' checks are now done by all auth modules
- the ntdomain/trustdomain/winbind modules are more presise as to
what domain names they can and cannot handle
- The become_root() calls are now around the winbind pipe opening only,
not the entire auth call
- The unix username is kept seperate from the NT username, removing the
need for 'clean off the domain\' in parse_net.c
- All sid->uid translations are now validated with getpwuid() to put a very
basic stop to logins with 'half deleted' accounts.
Andrew Bartlett
(This used to be commit 85f88191b9927cc434645ef4c1eaf5ec0e8af2ec)
|
|
When winbindd is running on a PDC the SAM_ACCOUNT for a trusted user
has a username of DOMAIN\user. Make sure to trim the domain part
from the username when filling in the net_sam_logon reply.
This fixes the browsing issues i was seen across domain trusts.
(This used to be commit 62e36e6ede067ace23f5473d04917c7eeedf07e2)
|
