| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
human-readable format.
Volker
(This used to be commit 4e3a2eb8e04c3a669d94e38d81e994606fa6ef9d)
|
|
Volker
(This used to be commit 94860687c535ace0c962ca3fe7da59df05325c62)
|
|
This means that we now support 'net rpc join' with KRB5 (des based)
logins. Now, you need to hack 'net' to do that, but the principal is
important...
When we add kerberos to 'net rpc', it should be possible to still do
user management and the like over RPC.
(server-side support to follow shortly)
Andrew Bartlett
(This used to be commit 9ecf9408d98639186b283f1acf0fac46417547d0)
|
|
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
|
|
(This used to be commit d72d77c42741714f2e32d0e24e706929242f1c62)
|
|
(This used to be commit 0519a7022b4979c0e8ddd4907f4b858a59299c06)
|
|
winreg pipe if it doesn't work. Fixes bug #534.
I will go back and add the same logic for the shutdown itself, even though
that works so far against win2k (haven't tested all win clients).
(This used to be commit e660b04e8f2446bb8a6590e9afcb5ab49f90a701)
|
|
Based on work by Ken Cross (kcross@nssolutions.com).
(This used to be commit 8ef7ac22ef1a60dca0a2d01dc6ff4ba14bc1549a)
|
|
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at
all and I really want to discourage that.
Jeremy.
(This used to be commit d7e35dfb9283d560d0ed2ab231f36ed92767dace)
|
|
goes to stdout.
Note: This change permits use of testparm processing of smb.conf to be
redirected into a file that can be used as an smb.conf file. ie: All
information that should not be in smb.conf will be on stderr, all pertinent
smb.conf info will go to stdout.
Example of use:
A fully documented smb.conf.master file can be maintained.
To create smb.conf do:
testparm -s > smb.conf
(This used to be commit 0450dc97731d95c7cd3b2c8a54721991fd6165df)
|
|
(This used to be commit f8994483484cab47f0d6a6934979f69402dba894)
|
|
From Joachim Schmitz <schmitz@hp.com>
(This used to be commit 22655a65ab73576557487e73c550b45296e534ec)
|
|
Jeremy.
(This used to be commit 93669f329eccec34d4a1da6239ae9759f067fb8b)
|
|
- Also check global 'hosts allow'/'hosts deny' when checking access to share
- Warn when user specifies 2 arguments instead of 1 or 3.
Patch from Jay Fenlason <fenlason@redhat.com>
(This used to be commit 2690c185f01b8fb4307dc803fb90c00400f2da69)
|
|
Jeremy.
(This used to be commit e4c955c98e90901b047c475f204af93a57578248)
|
|
afs share -- this is an AFS share, do AFS magic things
afs username map -- We need a way to specify the cell and possibly
weird username codings for several windows domains
in the afs cell
Volker
(This used to be commit 4a3f7a9356cd5068d9ed4fd6e2336d9bf7923fbd)
|
|
(This used to be commit e1fac713e25692a5790c3261ba323732930f5249)
|
|
(This used to be commit 37db75fc95aec2510a0ead0c97f44e80b00696d9)
|
|
me to expose a type arguement to make_sec_desc(). We weren't copying
the SE_DESC_DACL_AUTO_INHERITED flag which could cause errors on
auto inherited checks.
Jeremy.
(This used to be commit 28b315a7501f42928d73efaa75f74146ba95cf2d)
|
|
exists.
Jeremy.
(This used to be commit c8bfde5be9f0a3603f7333ff4266ad19c20cb9f9)
|
|
The RAP NetShareEnum() call has a length limit of 12 characters (not 8, as
previously tested). Took DaveCB's suggested and added a note listing some
of the client systems that might be affected.
(This used to be commit be06e52ce05e88f3872563a61ae29f62afd614fc)
|
|
-w option need the password on the command line
(This used to be commit fa7dea1710bac38f5f68be2e56a24ef5cca09ff5)
|
|
entry. Bug #431.
(This used to be commit bc8a181477866d0d97324bf45431bcdff895ad18)
|
|
Display an error if we can't create a posix account for the user
(e.g no add user/machine script was specified; bug #323).
(This used to be commit 0c35ba2cd65ff64c5db2b20d5528a0d486cba51e)
|
|
we can override the value in smb.conf with the -w option.
Migrating accounts from another domain can now be done like:
# bin/net join bdc -w nt4dom -Uadministrator%password
# bin/net rpc vampire -w nt4dom -U administrator%password
(This used to be commit d7bd3c1efbd02a7ca01ad9a4b242ea4cc4a63c1f)
|
|
(This used to be commit c030d1401950b6efcbdf30ad899c25a61efb1814)
|
|
Jeremy.
(This used to be commit 28631ef23f855ce91740fd144e3dc235a3ae7af6)
|
|
This implements some kind of improved AFS support for Samba on Linux with
OpenAFS 1.2.10. ./configure --with-fake-kaserver assumes that you have
OpenAFS on your machine. To use this, you have to put the AFS server's KeyFile
into secrets.tdb with 'net afskey'. If this is done, on each tree connect
smbd creates a Kerberos V4 ticket suitable for use by the AFS client and
gives it to the kernel via the AFS syscall. This is meant to be very
light-weight, so I did not link in a whole lot of libraries to be more
platform-independent using the ka_SetToken function call.
Volker
(This used to be commit 5775690ee8e17d3e98355b5147e4aed47e8dc213)
|
|
smb.conf
Fixes to ensure we work with disable netbios = yes
(This used to be commit 3913e43724870c62a0d77ec3e73cbe9480cb6247)
|
|
Also added shortcut so that 'net lookup foo#1b' works.
(This used to be commit f38679201e301d66473e74506f07812590d19fa4)
|
|
Also make sure thet ads_startup uses lp_realm instead of
just relying on the workgroup name. Fixes bug in net ads join
when the workgroup defaults to "WORKGROUP" and we ignore the
realm name.
(This used to be commit b1763ace4e85f41574894e3807cabb5196fec661)
|
|
(This used to be commit 233568dd6b08d3dfb48a712b763dfc31c03b229d)
|
|
string.h anyways.
(This used to be commit 71034cede83b5605b25a4d3b640086294244c239)
|
|
(This used to be commit f566de0541373fab97caa6b0f574f79e68ae74dc)
|
|
Jeremy.
(This used to be commit 86ebf990431903b12ec24a4d9af00d665e828145)
|
|
Include patch to manually set the machine trust account
password (on request from jht) to mimic 2.2. behavior.
last changes before RC2 (not counting syncing the docs).
(This used to be commit ce090371449097d4e5010e1219d449db8b0ccac5)
|
|
a printable name on node status.
Jeremy.
(This used to be commit 6585446afd29768fde8c3f882bfb57554cf4e4da)
|
|
(This used to be commit ae452e51b02672a56adf18aa7a7e365eeaba9272)
|
|
- Make winbindd try to use kerberos for connections to DCs, so that it can
access RA=2 servers, particularly for netlogon.
- Make rpcclient follow the new flags for the NETLOGON pipe
- Make all the code that uses schannel use the centralised functions for doing so.
Andrew Bartlett
(This used to be commit 96b4187963cedcfe158ff02868929b8cf81c6ebf)
|
|
asking for password without a piece of error message or explanation.
rafal
(This used to be commit d46793b33577f7e77b7632b016918e3ce175c238)
|
|
rafal
(This used to be commit 836746beabda583f7d86bb7e6faa855f172a888d)
|
|
(This used to be commit 28f1d7b201932eb3864af3d71ec862670898822c)
|
|
IP and TCP checksums are not calculated, but that should not matter.
(This used to be commit aa96f780015c031e0c5a0e8773f192502c10c919)
|
|
(This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669)
|
|
same ads_verify_ticket routine that smbd uses, so in the current state
we have to be have the host password in secrets.tdb instead of the
keytab. This means we have to be an ADS member, but it's a start.
Volker
(This used to be commit dc2d2ad467927affbd1461df75f77f07ddfbc3b1)
|
|
from a samba log file and view it in ethereal, including the DCE/RPC, RAP, etc
calls that are contained in a packet, just like you would with a real
network sniff!
(This used to be commit 6a76750dc4d8b539b7571ac4939c003b6ffa86a9)
|
|
(This used to be commit 6ec683e24e220a40b02b203b918a0008d90264f0)
|
|
Actually let the user explicitly specify a rid...
Volker
(This used to be commit 3aed9c8a4ac97ef55772ddae1e1cb0a5a1a15767)
|
|
(This used to be commit b4499c8aab44e25cb4406498018bde0bc4ed4ca9)
|
|
10 for data contents as well) and creates a packet trace readable by
ethereal.
What does not work yet:
- SMB data contents (log level 5)
- SMB data contents beyond the 512 byte range (log level 99 or something?)
(This used to be commit 95b1d4933b0de63613fe041c273d413d86909b4b)
|
