path: root/source3/utils
Age | Commit message | Author | Files | Lines
2012-04-03 | s3-ntlm_auth: use manage_gensec_request for squid-2.5-ntlmssp | Andrew Bartlett | 1 | -178/+9
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-04-03 | s3-auth: Order GENSEC mechs by priority, krb5 before NTLMSSP | Andrew Bartlett | 1 | -2/+3
Otherwise, really simple clients (such as the current ntlm_auth gss-spnego client) will not select krb5. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-04-03 | s3-ntlm_auth: add ntlm_auth_generate_session_info_pac() | Andrew Bartlett | 1 | -0/+144
Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-04-03 | s3-ntlm_auth Use GENSEC for gss-spnego server | Andrew Bartlett | 1 | -404/+390
This imports the gensec handling code from the source4 ntlm_auth, which will eventually be used for all the NTLMSSP and SPNEGO clients and servers but which is only used for gss-spnego for now. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-03-30 | More strlcat/strlcpy truncate checks. | Jeremy Allison | 1 | -3/+9
2012-03-24 | use usleep rather than sys_usleep in various places, in anticipation of usleep moving to libreplace. | Jelmer Vernooij | 2 | -2/+2
2012-03-15 | s3-krb5: Remove GSS_WRAP_IOV conditional | Andrew Bartlett | 1 | -1/+1
We already confirm that we have this functionality before we set HAVE_KRB5 at configure time. Andrew Bartlett
2012-03-10 | s3: fix build on AIX | Björn Jacke | 1 | -1/+2
Autobuild-User: Björn Jacke <bj@sernet.de> Autobuild-Date: Sat Mar 10 19:07:20 CET 2012 on sn-devel-104
2012-03-04 | s3-auth: Remove security=share (deprecated since 3.6). | Andrew Bartlett | 1 | -4/+0
This patch removes security=share, which Samba implemented by matching the per-share password provided by the client in the Tree Connect with a selection of usernames supplied by the client, the smb.conf or guessed from the environment.

The rationale for the removal is that for the bulk of security=share users, we just need a very simple way to run a 'trust the network' Samba server, where users mark shares as guest ok. This is still supported, and the smb.conf options are documented at https://wiki.samba.org/index.php/Public_Samba_Server

At the same time, this closes the door on one of the most arcane areas of Samba authentication.

Naturally, full user-name/password authentication remains available in security=user and above.

This includes documentation updates for username and only user, which now only do a small amount of what they used to do.

Andrew Bartlett

              --------------
             /              \
            /      REST      \
           /        IN        \
          /       PEACE        \
         /                      \
         | SEC_SHARE            |
         | security=share       |
         |                      |
         |                      |
         |       5 March        |
         |                      |
         |        2012          |
        *|     *  *  *          | *
_________)/\\_//(\/(/\)/\//\/\///|_)_______
2012-03-04 | s3: print a nice warning when HAVE_ADS is not enabled but you still try to do net rpc keytab vampire | Matthieu Patou | 1 | -0/+5
2012-03-01 | s3-ntlm_auth fix up gss-spnego-client so as to work with gss-spnego | Andrew Bartlett | 1 | -16/+5
The SPNEGO code changed since this was last tested. Andrew Bartlett
2012-03-01 | s3-ntlm_auth: Wrap kerberos token in GSSAPI | Andrew Bartlett | 1 | -2/+6
While windows will accept this ticket without the wrapping, it is nicer to follow the standard and wrap it up in GSSAPI. This should allow the ntlm_auth gss-spnego-client to talk to the ntlm_auth gss-spnego server. Reported by Christof Schmitt <christof.schmitt@us.ibm.com> Andrew Bartlett
2012-03-01 | s3-ntlm_auth: Add --target-service and --target-hostname options | Andrew Bartlett | 1 | -9/+40
This will allow the gss-spnego-client protocol to work with modern SPNEGO servers that do not send the principal in the mechListMIC. Andrew Bartlett
2012-02-24 | Remove unused function. | Jeremy Allison | 1 | -21/+0
2012-02-24 | s3-ntlm_auth: Convert ntlm_auth to use gensec_ntlmssp server-side | Andrew Bartlett | 1 | -99/+327
This uses the common gensec_ntlmssp server code for ntlm_auth, removing the last non-gensec use of the NTLMSSP server. Andrew Bartlett
2012-02-23 | s3-utils: Remove unused connect_to_ipc_krb5() | Andrew Bartlett | 2 | -57/+0
Found by callcatcher. Andrew Bartlett
2012-02-20 | s3-ntlm_auth: allow ntlm_auth --diagnostics to pass again | Andrew Bartlett | 3 | -8/+12
This still requires that the server permit LM passwords, but our s3dc test environment has this enabled. Andrew Bartlett
2012-02-16 | Rename obscure defined constants. | Christopher R. Hertel (crh) | 1 | -2/+2
Replaced the undescriptive SMB_PORT1 and SMB_PORT2 defined constants with the slightly more descriptive names NBT_SMB_PORT and TCP_SMB_PORT. Also replaced several hard-coded references to the well-known port numbers (139 and 445, respectively) as appropriate. Small changes to clarify some comments regarding the two transport types. Signed-off-by: Simo Sorce <idra@samba.org> Autobuild-User: Simo Sorce <idra@samba.org> Autobuild-Date: Thu Feb 16 08:29:41 CET 2012 on sn-devel-104
2012-02-09 | s3-net: Don't use an internal krb5 for kdc lookup. | Andreas Schneider | 1 | -19/+23
This replaces the use of the internal krb5_locate_kdc() function with our own get_kdc_list() function. Signed-off-by: Günther Deschner <gd@samba.org>
2012-02-03 | Only ask for specific permissions required when setting an ACL. | Jeremy Allison | 1 | -3/+12
Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Fri Feb 3 03:07:33 CET 2012 on sn-devel-104
2012-01-31 | s3:net ads join: remove a useless empty comment block | Michael Adam | 1 | -2/+1
Autobuild-User: Michael Adam <obnox@samba.org> Autobuild-Date: Tue Jan 31 18:37:45 CET 2012 on sn-devel-104
2012-01-31 | s3:net ads join: add a comment for the call to _net_ads_join_dns_update() | Michael Adam | 1 | -0/+5
2012-01-31 | s3:net ads join: reduce indentation in _net_ads_join_dns_updates() | Michael Adam | 1 | -46/+47
2012-01-31 | s3:net ads join: move dns update code out to new function _net_ads_join_dns_updates() | Michael Adam | 1 | -77/+84
2012-01-31 | s3:net ads join: improve comment for dns update block | Michael Adam | 1 | -4/+4
2012-01-31 | s3:net ads join: improve status evaluation for call to net_update_dns() | Michael Adam | 1 | -2/+5
untangle assignment from check and log error code in message if failed.
2012-01-31 | s3:net ads join: interpret return code of ads_kinit_password() in dns update block | Michael Adam | 1 | -1/+8
If failed, print according error message and skip the attempt to do dns update.
2012-01-31 | s3:net ads join: check for malloc success and react accordingly in dns update block | Michael Adam | 1 | -0/+5
2012-01-31 | s3:net ads join: check for success of fetching machine password in dns update block | Michael Adam | 1 | -0/+5
log and cleanup accordingly if failed
2012-01-31 | s3:net ads join: untangle assignment from check, fix return code and improve error logging | Michael Adam | 1 | -2/+8
only the dns update failed, not the join. Also do proper memory cleanup
2012-01-31 | s3:net ads join: reduce indentation and improve logging in the dns update code block | Michael Adam | 1 | -13/+17
by doing an early goto done upon error condition
2012-01-31 | s3:net ads join: untangle assignment from check. | Michael Adam | 1 | -1/+2
2012-01-31 | s3:net registry: fix a copy and paste error in a help text | Michael Adam | 1 | -2/+2
2012-01-24 | s3: Remove a typedef | Volker Lendecke | 1 | -3/+3
We have it in README.Coding to avoid typedef for structs, but I think it also applies to enums. Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Tue Jan 24 22:45:50 CET 2012 on sn-devel-104
2012-01-24 | s3: Remove a typedef | Volker Lendecke | 1 | -3/+3
2012-01-18 | s3-librpc: pass struct ndr_interface_table down to cli_pipe_open_generic/spnego() | Andrew Bartlett | 1 | -1/+1
This allows the target service (as determined from the IDL) to be passed to GSSAPI (rather than the current, incorrect, "cifs"). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 | s3-utils/net: pass struct ndr_interface_table down | Andrew Bartlett | 13 | -138/+137
This will allow the target service (as determined from the IDL) to be passed to GSSAPI (rather than the current, incorrect, "cifs"). Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 | s3-build: Rework object lists to allow gse gensec module | Andrew Bartlett | 1 | -39/+0
This also allows the spnego_parse_krb5_wrap() function to be shared. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 | s3: Add a "lock_order" argument to db_open | Volker Lendecke | 6 | -10/+20
This will be used to enforce a lock hierarchy between the databases. We have seen deadlocks between locking.tdb, brlock.tdb, serverid.tdb and notify*.tdb. These should be fixed by refusing a dbwrap_fetch_locked that does not follow a defined lock hierarchy.
2012-01-17 | s3:smbcontrol: avoid using messaging_event_context() | Stefan Metzmacher | 1 | -10/+7
metze
2012-01-17 | s3:smbcontrol: pass tevent_context down to wait_replies() | Stefan Metzmacher | 1 | -10/+11
metze
2012-01-17 | s3:smbcontrol: pass tevent_context down to subcommands | Stefan Metzmacher | 1 | -38/+69
metze
2012-01-12 | s3: Put an indirection layer into share_mode_lock | Volker Lendecke | 1 | -3/+5
Signed-off-by: Jeremy Allison <jra@samba.org>
2012-01-11 | s3-librpc Rename and rework cli_rpc_pipe_open_ntlmssp() to be generic | Andrew Bartlett | 1 | -1/+3
This also includes renaming the helper function rpccli_ntlmssp_bind_data, and allows this function to operate on any gensec-supplied auth type. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-06 | Fix bug #8687 - net memberships usage info is wrong | Jeremy Allison | 1 | -1/+1
Typo in usage. Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Fri Jan 6 00:30:20 CET 2012 on sn-devel-104
2011-12-19 | s3-net: Fix the return codes. 0 on success, -1 on failure | Amitay Isaacs | 1 | -2/+2
Autobuild-User: Amitay Isaacs <amitay@samba.org> Autobuild-Date: Mon Dec 19 01:57:24 CET 2011 on sn-devel-104
2011-12-13 | s3:smbcontrol: remove unused "samsync" and "samrepl" commands | Stefan Metzmacher | 1 | -30/+0
metze
2011-12-12 | s3: Remove a bunch of calls to procid_self() | Volker Lendecke | 7 | -10/+8
All callers to messaging_[re]init only used procid_self()
2011-12-06 | s3:net registry check: replace rawmemchr by functionally equivalent portable strchr | Michael Adam | 1 | -2/+2
rawmemchr is glibc only - not portable. Remarked by Ira Cooper. Autobuild-User: Michael Adam <obnox@samba.org> Autobuild-Date: Tue Dec 6 12:20:48 CET 2011 on sn-devel-104
2011-12-06 | Revert "Remove rawmemchr calls - found by Ira Cooper. These are glibc-specific calls, makes us completely non-portable." | Michael Adam | 1 | -4/+3
This reverts commit 82b1702284ba2bb61b23e1f14ce9145d896c36c0. This is not functionally equivalent, needs to be done differently.