Age | Commit message | Author | Files | Lines |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Otherwise, really simple clients (such as the current ntlm_auth gss-spnego client)
will not select krb5.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This imports the gensec handling code from the source4 ntlm_auth, which
will eventually be used for all the NTLMSSP and SPNEGO clients and servers
but which is only used for gss-spnego for now.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
|
usleep moving to libreplace.
|
|
We already confirm that we have this functionality before we set HAVE_KRB5 at
configure time.
Andrew Bartlett
|
|
Autobuild-User: Björn Jacke <bj@sernet.de>
Autobuild-Date: Sat Mar 10 19:07:20 CET 2012 on sn-devel-104
|
|
This patch removes security=share, which Samba implemented by matching
the per-share password provided by the client in the Tree Connect with
a selection of usernames supplied by the client, the smb.conf or
guessed from the environment.
The rationale for the removal is that for the bulk of security=share
users, we just need a very simple way to run a 'trust the network'
Samba server, where users mark shares as guest ok. This is still
supported, and the smb.conf options are documented at
https://wiki.samba.org/index.php/Public_Samba_Server
At the same time, this closes the door on one of the most arcane areas
of Samba authentication.
Naturally, full user-name/password authentication remains available in
security=user and above.
This includes documentation updates for username and only user, which
now only do a small amount of what they used to do.
Andrew Bartlett
                    --------------
                   /              \
                  /      REST      \
                 /        IN        \
                /       PEACE        \
               /                      \
               | SEC_SHARE            |
               | security=share       |
               |                      |
               |                      |
               |       5 March        |
               |                      |
               |        2012          |
              *|     *  *  *          | *
     _________)/\\_//(\/(/\)/\//\/\///|_)_______
|
|
do net rpc keytab vampire
|
|
The SPNEGO code changed since this was last tested.
Andrew Bartlett
|
|
While Windows will accept this ticket without the wrapping, it is
nicer to follow the standard and wrap it up in GSSAPI.
This should allow the ntlm_auth gss-spnego-client to talk to
the ntlm_auth gss-spnego server.
Reported by Christof Schmitt <christof.schmitt@us.ibm.com>
Andrew Bartlett
|
|
This will allow the gss-spnego-client protocol to work with modern
SPNEGO servers that do not send the principal in the mechListMIC.
Andrew Bartlett
|
|
|
|
This uses the common gensec_ntlmssp server code for ntlm_auth, removing
the last non-gensec use of the NTLMSSP server.
Andrew Bartlett
|
|
Found by callcatcher.
Andrew Bartlett
|
|
This still requires that the server permit LM passwords, but our s3dc test
environment has this enabled.
Andrew Bartlett
|
|
Replaced the undescriptive SMB_PORT1 and SMB_PORT2 defined constants
with the slightly more descriptive names NBT_SMB_PORT and TCP_SMB_PORT.
Also replaced several hard-coded references to the well-known port
numbers (139 and 445, respectively) as appropriate.
Small changes to clarify some comments regarding the two transport
types.
Signed-off-by: Simo Sorce <idra@samba.org>
Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Thu Feb 16 08:29:41 CET 2012 on sn-devel-104
|
|
This replaces the use of the internal krb5_locate_kdc() function with
our own get_kdc_list() function.
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Fri Feb 3 03:07:33 CET 2012 on sn-devel-104
|
|
Autobuild-User: Michael Adam <obnox@samba.org>
Autobuild-Date: Tue Jan 31 18:37:45 CET 2012 on sn-devel-104
|
|
|
|
|
|
_net_ads_join_dns_updates()
|
|
|
|
untangle assignment from check and log error code in message if failed.
|
|
block
If failed, print according error message and skip the attempt to do dns update.
|
|
update block
|
|
update block
log and cleanup accordingly if failed
|
|
error logging
only the dns update failed, not the join.
Also do proper memory cleanup
|
|
code block
by doing an early goto done upon error condition
|
|
|
|
|
|
We have it in README.Coding to avoid typedef for structs, but I
think it also applies to enums.
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Tue Jan 24 22:45:50 CET 2012 on sn-devel-104
|
|
|
|
cli_pipe_open_generic/spnego()
This allows the target service (as determined from the IDL) to be
passed to GSSAPI (rather than the current, incorrect, "cifs").
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This will allow the target service (as determined from the IDL) to be
passed to GSSAPI (rather than the current, incorrect, "cifs").
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This also allows the spnego_parse_krb5_wrap() function to be shared.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This will be used to enforce a lock hierarchy between the databases. We have
seen deadlocks between locking.tdb, brlock.tdb, serverid.tdb and notify*.tdb.
These should be fixed by refusing a dbwrap_fetch_locked that does not follow a
defined lock hierarchy.
|
|
metze
|
|
metze
|
|
metze
|
|
Signed-off-by: Jeremy Allison <jra@samba.org>
|
|
This also includes renaming the helper function
rpccli_ntlmssp_bind_data, and allows this function to operate on any
gensec-supplied auth type.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Typo in usage.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Fri Jan 6 00:30:20 CET 2012 on sn-devel-104
|