Age | Commit message (Collapse) | Author | Files | Lines |
|
domain when krb5 auth is enabled
Signed-off-by: Bo Yang <boyang@samba.org>
|
|
|
|
This is particuarly in the netlogon client (but not server at this
stage)
|
|
This commit is mostly to cope with the removal of SamOemHash (replaced
by arcfour_crypt()) and other collisions (such as changed function
arguments compared to Samba3).
We still provide creds_hash3 until Samba3 uses the credentials code in
netlogon server
Andrew Bartlett
|
|
|
|
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
|
|
This was marked as a resource leak. This change makes the code a bit clearer
that we always free error_string.
|
|
|
|
|
|
|
|
This fixes bug #5865
|
|
|
|
(This used to be commit 18bf2b2028e64403a79b7cc06d3185a3e526d97d)
|
|
This fixes bug #4235.
Patch from Pawel Worach <pawel.worach@gmail.com> with some linebreaks
added by me.
Also fix one BH message that the original patch didn't fix.
(This used to be commit 098380760d20bad2a45c3b12ab2a5e4d2b856175)
|
|
To not conflict with WBFLAG_PAM_INFO3_TEXT.
This should fix pam_winbind.
metze
(This used to be commit 1b8ed6c0ffb2548442bb7e9d848117ce9b1c65c0)
|
|
Guenther
(This used to be commit ea609d1b0e82d7c366dd73013228003136264b64)
|
|
(This used to be commit cf671ca35bff09af56c67e789a86a3b86093b5fb)
|
|
(This used to be commit 97768628f5ec533818b7f5165e92c156d668b79b)
|
|
(This used to be commit af438426222f4990f3e4103babbbb5de03ade93d)
|
|
Now rewriting the helpers one after the other can start.
(This used to be commit 2479a0c3adf46b2d0a9b109ce689c93296f16a62)
|
|
(This used to be commit f8243d1913cd19401ce6a13f53c6b84a36fc9dd6)
|
|
This ports over my changes from Samba4
(This used to be commit 4a475baf26ba9f99bc05f13dd2745494174a00c1)
|
|
(This used to be commit ab0ee6e9a6a9eee317228f0c2bde254ad9a59b85)
|
|
ads_verify_ticket as it's always derefed.
Jeremy.
(This used to be commit 0599d57efff0f417f75510e8b08c3cb7b4bcfcd8)
|
|
them with malloc'ing accessor functions. Should save a
lot of static space :-).
Jeremy.
(This used to be commit 52dc5eaef2106015b3a8b659e818bdb15ad94b05)
|
|
Jeremy.
(This used to be commit 041163551194102ca67fef52c57d87020a1d09bc)
|
|
Jeremy.
(This used to be commit 6f9c2910bdda605f90967e0aa6a84b8094f3a197)
|
|
(This used to be commit 5f205ab48d8ac3b7af573ea0be1ce095ab835448)
|
|
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
(This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
|
|
init_request => winbindd_init_request
free_response => winbindd_free_response
read_reply => winbindd_read_reply
write_sock => winbind_write_sock
read_sock => winbind_read_sock
close_sock => winbind_close_sock(void)
metze
(This used to be commit 8a95d7a7edcfa5e45bccc6eda5c45d9c308cb95d)
|
|
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
|
|
Jeremy.
(This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
|
|
when verifying a ticket from winbindd_pam.c.
I've found during multiple, fast, automated SSH logins (such
as from a cron script) that the replay cache in MIT's krb5
lib will occasionally fail the krb5_rd_req() as a replay attack.
There seems to be a small window during which the MIT krb5
libs could reproduce identical time stamps for ctime and cusec
in the authenticator since Unix systems only give back
milli-seconds rather than the micro-seconds needed by the
authenticator. Checked against MIT 1.5.1. Have not
researched how Heimdal does it.
My thinking is that if someone can spoof the KDC and TDS
services we are pretty hopeless anyways.
(This used to be commit cbd33da9f78373e29729325bbab1ae9040712b11)
|
|
replace all data_blob(NULL, 0) calls.
(This used to be commit 3d3d61687ef00181f4f04e001d42181d93ac931e)
|
|
which matches what samba4 has.
also fix all the callers to prevent compiler warnings
metze
(This used to be commit fa322f0cc9c26a9537ba3f0a7d4e4a25941317e7)
|
|
The background behind this patch is that we're using ntlm_auth with
Wine. Windows allows us to pass in a NULL domain and a username of the
form of "user@domain" and this is converted into an NTLMSSP_AUTH packet
with a NULL domain name and a username of the same form.
Jeremy.
(This used to be commit 32b040fe05707d5ce6322cb41d36cfdd2c3b31fc)
|
|
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".
Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).
Guenther
(This used to be commit 7e1a84b7226fb8dcd5d34c64a3478a6d886a9a91)
|
|
ntlm_auth
(This used to be commit 2d877e41d1fdf71b45074f257930062539e379d8)
|
|
(This used to be commit 089b51e28cc5e3674e4edf5464c7a15673c5ec0f)
|
|
specified.
Jeremy.
(This used to be commit 5d9bb91ab7bb080b56b25849e646143ab3ad8252)
|
|
the username by forcing it to be specified. Still
split out domain \ user for the ones that do use
it.
Jeremy.
(This used to be commit c097e107391cd97dd829c19b672b6a7adece504f)
|
|
domain and user args. if only given a parameter of the
form --username DOMAIN\user. When called by firefox
or other user apps they may not know what the domain
is (and they don't care). They just want to pass the
contents of $USERNAME without having to parse it
or guess a domain.
Jeremy.
(This used to be commit 5f51417916ed8bfc0dd08f44e669cb044fc83d01)
|
|
Jeremy.
(This used to be commit 37c636eb480e3736b143653231d73620152eb470)
|
|
call ntlmssp_end on a null pointer ! (Doh !).
Jeremy.
(This used to be commit 7b53932b5190c78b2b483f36af95174fe38ed45e)
|
|
ntlm_auth module to allow it to use winbindd cached
credentials.The credentials are currently only stored
in a krb5 MIT environment - we need to add an option to
winbindd to allow passwords to be stored even in an NTLM-only
environment.
Patch from Robert O'Callahan, modified with some fixes
by me.
Jeremy.
(This used to be commit ae7cc298a113d8984557684bd6ad216cbb27cff3)
|
|
and 305.
Volker
(This used to be commit 4f6605a4880f54f2c7d1f3c7554408d893bc623c)
|
|
A patch to make ntlm_auth recognize three new commands in
ntlmssp-client-1 and squid-2.5-ntlmssp:
The commands are the following:
Command: SF <hex number>
Reply: OK
Description: Takes feature request flags similar to samba4's
gensec_want_feature() call. So far, only NTLMSSP_FEATURE_SESSION_KEY,
NTLMSSP_FEATURE_SIGN and NTLMSSP_FEATURE_SEAL are implemented, using the same
values as the corresponding GENSEC_FEATURE_* flags in samba4.
Command: GF
Reply: GF <hex number>
Description: Returns the negotiated flags.
Command: GK
Reply: GK <base64 encoded session key>
Description: Returns the negotiated session key.
(These commands assist a wine project to use ntlm_auth for signing and
sealing of bulk data).
Andrew Bartlett
(This used to be commit bd3e06a0e4435f1c48fa3b7862333efe273119ee)
|
|
This mode proxies pre-calculated blobs from a remote (probably VPN)
client into the domain. This allows clients to change their password
over a PPTP connection (where they would not be able to connect to
SAMR directly).
The precalculated blobs do not reveal the plaintext password.
Original patch by Alexey Kobozev <cobedump@gmail.com>
(This used to be commit 967292b7136c5100c0b9a2783c34b1948b16dad4)
|
|
to do the upper layer directories but this is what
everyone is waiting for....
Jeremy.
(This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
|