Age | Commit message | Author | Files | Lines | |
---|---|---|---|---|---|
2010-08-09 | s3-winbind: Fix Bug #7568: Make sure cm_connect_lsa_tcp does not reset the secure channel. | Günther Deschner | 1 | -7/+13 | |
This is an important fix as the following could and is happening: * winbind authenticates a user via schannel secured netlogon samlogonex call, current secure channel cred state is stored in winbind state, winbind successfully decrypts session key from the info3 * winbind sets up a new schannel ncacn_ip_tcp lsa pipe (and thereby resets the secure channel on the dc) * subsequent samlogonex calls use the new secure channel creds on the dc to encrypt info3 session key, while winbind tries to use old schannel creds for decryption Guenther | |||||
2010-08-05 | s3-secrets: only include secrets.h when needed. | Günther Deschner | 1 | -0/+1 | |
Guenther | |||||
2010-08-05 | s3: avoid global include of ads.h. | Günther Deschner | 1 | -0/+1 | |
Guenther | |||||
2010-07-07 | s3-winbindd: route samr chgpwd ops for own domain over internal samr pipe as well. | Günther Deschner | 1 | -0/+8 | |
Guenther | |||||
2010-07-06 | s3-winbind: Make sure that the policy handles are closed. | Andreas Schneider | 1 | -0/+12 | |
2010-05-31 | s3: only use netlogon/nbt header when needed. | Günther Deschner | 1 | -0/+1 | |
Guenther | |||||
2010-05-18 | s3-rpc_client: move protos to cli_lsarpc.h | Günther Deschner | 1 | -0/+1 | |
Guenther | |||||
2010-05-18 | s3-rpc_client: move protos to cli_netlogon.h | Günther Deschner | 1 | -0/+1 | |
Guenther | |||||
2010-05-17 | s3-kerberos: pass down kdc_name to create_local_private_krb5_conf_for_domain(). | Günther Deschner | 1 | -2/+4 | |
Guenther | |||||
2010-05-17 | s3-winbind: make the getpeername() checks in cm_prepare_connection IPv6 aware. | Günther Deschner | 1 | -5/+25 | |
Note that this failure was hard to track, as winbind did only log a super helpful "cm_prepare_connection: Success" debug message. IPv6 gurus, please check Successfully tested in two independent IPv6 networks now. Guenther | |||||
2010-05-06 | s3: only include gen_ndr headers where needed. | Günther Deschner | 1 | -0/+1 | |
This shrinks include/includes.h.gch by the size of 7 MB and reduces build time as follows: ccache build w/o patch real 4m21.529s ccache build with patch real 3m6.402s pch build w/o patch real 4m26.318s pch build with patch real 3m6.932s Guenther | |||||
2010-04-23 | s3: init_dc_connection() can't init for internal domains | Volker Lendecke | 1 | -0/+4 | |
This fixes a crash in winbindd_dual_pam_chng_pswd_auth_crap when given global_sam_name() in the domain field | |||||
2010-04-01 | s3:winbindd: fix problems with SIGCHLD handling (bug #7317) | Stefan Metzmacher | 1 | -3/+0 | |
The main problem is that we call CatchChild() within the parent winbindd, which overwrites the signal handler that was registered by winbindd_setup_sig_chld_handler(). That means winbindd_sig_chld_handler() and winbind_child_died() are never triggered when a winbindd domain child dies. As a result will get "broken pipe" for all requests to that domain. To reduce the risk of similar bugs in future we call CatchChild() in winbindd_reinit_after_fork() now. We also use a full winbindd_reinit_after_fork() in the cache validation child now instead of just resetting the SIGCHLD handler by hand. This will also fix possible tdb problems on systems without pread/pwrite and disabled mmap as we now correctly reopen the tdb handle for the child. metze | |||||
2010-04-01 | s3:winbindd: correctly invalidate the cached connection | Stefan Metzmacher | 1 | -6/+11 | |
There may be additional TCP connections for ncacn_ip_tcp. metze | |||||
2010-04-01 | s3:winbindd: make sure we don't try rpc requests against inaccessible domains | Stefan Metzmacher | 1 | -5/+28 | |
This makes sure we don't crash while trying to dereference domain->conn.cli->foo while trying to establish a rpc connection to the server. metze | |||||
2010-03-29 | s3:winbindd_cm: invalidate connection if cm_connect_netlogon() fails | Stefan Metzmacher | 1 | -2/+2 | |
metze | |||||
2010-03-29 | s3:winbindd: consistently use TALLOC_FREE(conn->foo_pipe) if we create a new connection | Stefan Metzmacher | 1 | -0/+5 | |
metze | |||||
2010-03-29 | s3:winbindd_cm: use rpccli_is_connected() helper function | Stefan Metzmacher | 1 | -4/+4 | |
metze | |||||
2010-03-29 | s3:winbindd_cm: use cli_state_is_connected() helper function | Stefan Metzmacher | 1 | -14/+4 | |
metze | |||||
2010-02-23 | s3 move the sitename cache in its own file | Simo Sorce | 1 | -0/+1 | |
2010-02-23 | s3:winbindd: never mark external domains as internal! | Stefan Metzmacher | 1 | -4/+1 | |
This way we can end up with silently using builtin_passdb_methods for an ad domain without an inbound trust. This fixes bug #7170. metze | |||||
2010-01-06 | s3: Fix infinite loop in NCACN_IP_TCP as there is no timeout. Assume lsa_pipe_tcp is ok but network is down, then send request is ok, but select() on writeable fds loops forever since there is no response. | Bo Yang | 1 | -1/+2 | |
Signed-off-by: Bo Yang <boyang@samba.org> | |||||
2009-11-26 | s3-rpc: Avoid including every pipe's client and server stubs everywhere in samba. | Günther Deschner | 1 | -0/+4 | |
Guenther | |||||
2009-11-24 | s3: Always try SamLogonEx | Volker Lendecke | 1 | -2/+6 | |
Required for cluster systems working in a Samba domain. With NT4 this won't work, but real NT4 DCs should not be around in environments that pay big bucks for a cluster... And if they are, they can always install a Samba DC trusting that NT4 domain. | |||||
2009-10-13 | s3: use enum netr_SchannelType all over the place. | Günther Deschner | 1 | -1/+1 | |
Guenther | |||||
2009-10-05 | Revert "s3: Attempt to fix machine password change" | Volker Lendecke | 1 | -2/+0 | |
This reverts commit 20a8ea91e10af167067cc794a251265aaf489e75. Ooops, this should not have been committed. | |||||
2009-10-05 | s3: Attempt to fix machine password change | Volker Lendecke | 1 | -0/+2 | |
2009-09-25 | s3:winbindd_cm: don't invalidate the whole connection when just samr gave ACCCESS_DENIED | Stefan Metzmacher | 1 | -1/+12 | |
metze | |||||
2009-09-24 | Revert "s3:winbindd: use a tcp connection for lsa in case lookup_names/lookup_sids doesn't work over ncacn_np" | Stefan Metzmacher | 1 | -9/+0 | |
This reverts commit f23691cffd39e5df81b7b075e61ed1def6cce9f6. This should not have been committed... metze | |||||
2009-09-24 | s3:winbindd: use a tcp connection for lsa in case lookup_names/lookup_sids doesn't work over ncacn_np | Günther Deschner | 1 | -0/+9 | |
metze | |||||
2009-09-23 | s3:winbind: Fix an uninitialized variable | Volker Lendecke | 1 | -1/+1 | |
2009-09-22 | s3-winbindd: Fix Bug #6711: trusts to windows 2008 (2008 r2) not working. | Günther Deschner | 1 | -0/+2 | |
Winbindd should always try to use LSA via an schannel authenticated ncacn_ip_tcp connection when talking to AD for LSA lookup calls. In Samba <-> W2k8 interdomain trust scenarios, LookupSids3 and LookupNames4 via an schannel ncacn_ip_tcp LSA connection are the *only* options to successfully resolve sids and names. Guenther | |||||
2009-09-22 | s3-winbindd: add cm_connect_lsa_tcp(). | Günther Deschner | 1 | -0/+59 | |
Guenther | |||||
2009-09-15 | s3-dcerpc: use dcerpc_AuthLevel and remove duplicate set of flags. | Günther Deschner | 1 | -5/+5 | |
Guenther | |||||
2009-09-11 | s3-rpc_client: add dcerpc_transport_t to cli_rpc_pipe_open_schannel(). | Günther Deschner | 1 | -3/+4 | |
Guenther | |||||
2009-09-11 | s3-rpc_client: add dcerpc_transport_t to cli_rpc_pipe_open_spnego_ntlmssp and cli_rpc_pipe_open_ntlmssp. | Günther Deschner | 1 | -1/+2 | |
Guenther | |||||
2009-09-09 | s3-winbindd: Fix Bug #6700: Use dns domain name when needing to guess server principal. | Günther Deschner | 1 | -1/+1 | |
Patch from Robert LeBlanc <robert@leblancnet.us>. Thanks! Guenther | |||||
2009-08-23 | s3:winbind: For internal domains it is pointless to connect to a DC | Volker Lendecke | 1 | -0/+6 | |
2009-07-28 | Added prefer_ipv4 bool parameter to resolve_name(). | Jeremy Allison | 1 | -2/+2 | |
W2K3 DC's can have IPv6 addresses but won't serve krb5/ldap or cldap on those addresses. Make sure when we're asking for DC's we prefer IPv4. If you have an IPv6-only network this prioritizing code will be a no-op. And if you have a mixed network then you need to prioritize IPv4 due to W2K3 DC's. Jeremy. | |||||
2009-07-27 | Fix a typo | Volker Lendecke | 1 | -1/+1 | |
2009-05-07 | Fix some type-punned warnings | Volker Lendecke | 1 | -2/+5 | |
2009-04-21 | s3-secdesc: use SEC_FLAG_MAXIMUM_ALLOWED instead of SEC_RIGHTS_MAXIMUM_ALLOWED. | Günther Deschner | 1 | -9/+9 | |
Guenther | |||||
2009-04-20 | Fix to use modified cli_rpc_pipe_open_schannel_with_key API | Andrew Bartlett | 1 | -2/+2 | |
2009-04-20 | Remove use of talloc_reference in cli_rpc_pipe_open_schannel_with_key() | Andrew Bartlett | 1 | -1/+1 | |
2009-04-14 | s3: Fix ntlm_auth and winbindd to use new common libcli/auth APIs | Andrew Bartlett | 1 | -9/+9 | |
2009-04-14 | Rework Samba3 to use new libcli/auth code (partial) | Andrew Bartlett | 1 | -0/+1 | |
This commit is mostly to cope with the removal of SamOemHash (replaced by arcfour_crypt()) and other collisions (such as changed function arguments compared to Samba3). We still provide creds_hash3 until Samba3 uses the credentials code in netlogon server Andrew Bartlett | |||||
2009-03-18 | s3: remove POLICY_HND. | Günther Deschner | 1 | -3/+3 | |
Guenther | |||||
2009-03-17 | Fix a valgrind error | Volker Lendecke | 1 | -1/+1 | |
Found in "make test" -- if we can't connect at all, "cli" is uninitialized | |||||
2009-03-13 | Remove pwd_cache.c, it was doing nothing. Make user_name, domain, and | Jeremy Allison | 1 | -14/+25 | |
password talloc'ed strings within the cli_struct. Jeremy. | |||||
2009-03-06 | s3:winbindd_cm: remove useless cli_setup_signing_state(*cli, Undefined) call | Stefan Metzmacher | 1 | -2/+0 | |
cli_setup_signing_state() with Undefined is a noop. metze |