Age | Commit message | Author | Files | Lines
Win2008 domain (merged from v3-0-test).
commit 8dc4e979776aae0ecaa74b51dc1eac78a7631405
Author: Steven Danneman <sdanneman@isilon.com>
Date: Wed May 7 13:34:26 2008 -0700
spnego SPN fix when contacting trusted domains
cli_session_setup_spnego() was not taking into consideration the situation
where we're connecting to a trusted domain, specifically one (like W2K8)
which doesn't return a SPN in the NegTokenInit.
This caused two problems:
1) When guessing the SPN using kerberos_get_default_realm_from_ccache() we
were always using our default realm, not the realm of the domain we're
connecting to.
2) When falling back on NTLMSSP for authentication we were passing the name
of the domain we're connecting to for use in our credentials when we should be
passing our own workgroup name.
The fix for both was to split the single "domain" parameter into
"user_domain" and "dest_realm" parameters. We use the "user_domain"
parameter to pass into the NTLM call, and we use "dest_realm" to create an SPN
if none was returned in the NegTokenInit2 packet. If no "dest_realm" is
provided we assume we're connecting to our own domain and use the credentials
cache to build the SPN.
Since we have a reasonable guess at the SPN, I removed the check that defaults
us directly to NTLM when negHint is empty.
(This used to be commit b78b14c88e8354aadf9ba7644bdb1c29245fe419)
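The SPN guessing and NTLMSSP fallback this commit describes, modelled as an added Python example. This is not Samba code: the NegTokenInit stand-in, the cifs/<server>@<REALM> SPN shape, the realm and user names, and the helper names are assumptions made for illustration; only cli_session_setup_spnego() and kerberos_get_default_realm_from_ccache() are names from the commit message.

```python
"""Added example modelling the SPN / NTLM choice in cli_session_setup_spnego().

Not Samba code: NegTokenInit, the 'cifs/<server>@<REALM>' SPN shape and the
helper names are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class NegTokenInit:
    """Constructed stand-in for the server's SPNEGO NegTokenInit.

    mech_types: mechanisms the server offers.
    neg_hint:   the server principal (SPN) some servers advertise; a W2K8
                trusted DC leaves it empty, which is the case the fix handles.
    """
    mech_types: Tuple[str, ...]
    neg_hint: Optional[str] = None


def spn_before_fix(server: str, token: NegTokenInit, ccache_realm: str) -> str:
    """Problem 1 in the commit: with no negHint the guessed SPN always used the
    realm of our own credential cache (kerberos_get_default_realm_from_ccache),
    even when the target is a trusted domain."""
    return token.neg_hint or f"cifs/{server}@{ccache_realm.upper()}"


def spn_after_fix(server: str, token: NegTokenInit,
                  dest_realm: Optional[str], ccache_realm: str) -> str:
    """Fixed behaviour: prefer the advertised SPN, then dest_realm, and only
    fall back to the credential-cache realm when no dest_realm was given
    (i.e. we assume we are connecting to our own domain)."""
    if token.neg_hint:
        return token.neg_hint
    return f"cifs/{server}@{(dest_realm or ccache_realm).upper()}"


def session_setup_spnego(server: str, token: NegTokenInit, user: str,
                         user_domain: str, dest_realm: Optional[str],
                         ccache_realm: str, krb5_usable: bool = True,
                         fixed: bool = True):
    """Return ('krb5', spn) or ('ntlmssp', (domain, user)).

    fixed=False reproduces the pre-fix code paths: an empty negHint sends us
    straight to NTLMSSP (the check the commit removed), and the NTLMSSP
    credentials carry the domain being contacted instead of the user's own
    workgroup (problem 2 in the commit).
    """
    if krb5_usable and "KRB5" in token.mech_types:
        if fixed:
            return ("krb5", spn_after_fix(server, token, dest_realm, ccache_realm))
        if token.neg_hint:
            # old code only went to Kerberos with an advertised SPN
            return ("krb5", token.neg_hint)
        # old code: empty negHint meant "default straight to NTLMSSP"
    ntlm_domain = user_domain if fixed else (dest_realm or user_domain)
    return ("ntlmssp", (ntlm_domain, user))


if __name__ == "__main__":
    # Constructed scenario: user alice from HOME contacts a W2K8 DC of the
    # trusted realm TRUSTED.EXAMPLE, which sends no negHint.
    w2k8 = NegTokenInit(("KRB5", "NTLMSSP"))
    args = ("dc1.trusted.example", w2k8, "alice", "HOME",
            "TRUSTED.EXAMPLE", "HOME.EXAMPLE")
    print("before:", session_setup_spnego(*args, fixed=False))
    print("after: ", session_setup_spnego(*args))
```

With the fix, the W2K8 case yields a Kerberos attempt against cifs/dc1.trusted.example@TRUSTED.EXAMPLE; without it the same token drops to NTLMSSP with the wrong domain in the credentials.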
looking up trust credentials in our tdb.
commit fd0ae47046d37ec8297396a2733209c4d999ea91
Author: Steven Danneman <sdanneman@isilon.com>
Date: Thu May 8 13:34:49 2008 -0700
Use machine account and machine password from our domain when
contacting trusted domains.
(This used to be commit 69b37ae60757075a0712149c5f97f17ee22c2e41)
Guenther
(This used to be commit 82cbb3269b2e764c9c2a2fbcbe9c29feae07fb62)
everywhere.
Guenther
(This used to be commit fe904ee77a7fec1674e9db660978c40c17897f77)
Guenther
(This used to be commit b261f063125f8454d8f4e8f6b6f8aa5bc393ea34)
Guenther
(This used to be commit 2b178dcae608ecc05f62593a7a0c2a127b8b7ca2)
Guenther
(This used to be commit ce3728191b23badfd5eb92701e4cebf84273b61e)
We now open messages.tdb even before we do the become_daemon. become_daemon()
involves a fork and an immediate exit of the parent, so the
parent_is_longlived argument must be set to false in this case. The parent is
not really long lived :-)
(This used to be commit 4f4781c6d17fe2db34dd5945fec52a7685448aec)
Guenther
(This used to be commit 538eefe22ad69540b9f73ffaa613d6be045de199)
Guenther
(This used to be commit 675bf42cfff89b05f21d77ca74eba20c4a24d44c)
Guenther
(This used to be commit 2d6a1c5da64195784b0b102edb268356a24d84b5)
(This used to be commit 99fc3283c4ecc791f5a242bd1983b4352ce3e6cf)
Reduce dependency on "cli" member of rpc_pipe_client struct
(This used to be commit 2e4c1ba38963cffe4c3f25ab24bc28975f2fc291)
This reduces the dependency on cli_state
(This used to be commit 783afab9c891dd7bcb78895b2a639b6f3a0edf5b)
metze
(This used to be commit 8e9fdef792e612e414444e7714a2fd4513892248)
Guenther
(This used to be commit b003ba65e34bb92bf71a7943957715cd7acbcce0)
My NT4SP6, which my DC here trusts, sends 0x15 instead of 0x13; from looking at
the sniff, at least the DC name is at the same place.
(This used to be commit 79bc6796b81395d591fc6ef389f153dd981fe68b)
... if there's no trust password
Attempt to fix bug 5350
(This used to be commit 99f6b63f3c637457fdda7ed930c6666171b25b61)
In order to avoid receiving NT_STATUS_DOWNGRADE_DETECTED from a w2k8
netr_ServerAuthenticate2 reply, we need to start with the AD netlogon negotiate
flags everywhere (not only when running in security=ads). Only for NT4 do we need
to downgrade to the returned negotiate flags.
Tested with w2k8, w2ksp4, w2k3r2 and nt4sp6.
Guenther
(This used to be commit 0970369ca0cb9ae465cff40e5c75739824daf1d0)
Do not overwrite the domain->domain_flags when setting information
in set_dc_type_and_flags_connect().
(This used to be commit 3414eac439b731ad7204b821ddc4fec54fe4435d)
Guenther
(This used to be commit 2586dc34e0f72204749f5bf10c8135cd3a753a42)
NetSamLogonEx has the advantage that it does not use the credential chain
(This used to be commit cfceb063f559f8549b8f24ce347be213c89303b0)
Another preparation to convert secrets.c to dbwrap: The dbwrap API does not
provide a sane tdb_lock_with_timeout abstraction. In the clustered case the DC
mutex is needed per-node anyway, so it is perfectly fine to use a local mutex
only.
(This used to be commit f94a63cd8f94490780ad9331da229c0bcb2ca5d6)
Guenther
(This used to be commit 4f3e97cbae3df8e12db37b8a8a0eaee947fa723a)
Guenther
(This used to be commit ce22abcea3446e4ad42e8e04654b9855b173c5a1)
Guenther
(This used to be commit ccf79cfa88c7f3a10d191f8f0eedb9d421c65f6c)
Guenther
(This used to be commit 8abeea9922ac09e7307730ee7695453718356873)
Guenther
(This used to be commit bdf8d562621e1a09bf83e2009dec24966e7fdf22)
Guenther
(This used to be commit e4e9d72724d547e1405b2ed4cec509d50ec88c8d)
Jerry, please have a look if you're fine with that.
Guenther
(This used to be commit beae25c808a3a03d645f247e9befcd05e3ecca2c)
Guenther
(This used to be commit 3a3c1aed9bfc681457aa06f706fc6fe2d9b2e903)
On a DC, we always use the domain name given. On a domain member,
we use lp_workgroup(). This fixes a bug supporting trusted domains.
(This used to be commit 8b063a414149bdf401a8f854d55ed7dc6f94cb60)
hand-written ones.
Guenther
(This used to be commit d5ebfccebb1f1b56b45673a506fcdb414103c43b)
Interop fixes for AD specific flags. Original patch from Todd Stetcher.
(This used to be commit 5aadfcdaacd6f136eab9e107a88b8544e6d2105f)
fixes winbind krb5 session at least with heimdal).
Guenther
(This used to be commit 9cf3a98eacea2dd07f89245f147e002b3f49482e)
Pointed out by Steven Danneman on irc, thanks!
Jerry, Günther, please check!
(This used to be commit 9e71c89ac648040739ef2161a2e6c4299be1e35b)
rpccli_lsa_query_info_policy2().
Guenther
(This used to be commit 7a3fe68bef7acde9d9f8a7a44ce7e9432f3c5a95)
Guenther
(This used to be commit 73233a06d6f0f1346c48b465750af4b532cd7306)
This allows us to deal with child domains in transitive forest trusts.
It also allows us to fill in the forest name of the target domain in the
struct winbindd_domain *.
(This used to be commit ed30516bb0f55f9ba466debf91b6e33d1c28a484)
Jeremy.
(This used to be commit a5df44f5b7887d10c1e1a0b7a3dd05bcf31015e1)
sid_size did the same as ndr_size_dom_sid
(This used to be commit 8aec5d09ba023413bd8ecbdfbc7d23904df94389)
Guenther
(This used to be commit b7383818168863a7ba43c2456f8c44e96e76707a)
Don't fall back to schannel when trust creds could be obtained.
This is still not complete, but I am getting closer.
Michael
(This used to be commit 7c9fa597d684a25822b4db6615f28336f2d64ef3)
Make a copy of the machine_password and machine_account strings
in all conditional paths so that SAFE_FREE() will always be valid.
(This used to be commit 194c4640b158457a6d0d5ea91e28d41d619c77de)
Even if the session setup was anonymous, try and collect
trust creds with get_trust_creds() and use these before
falling back to schannel.
This is the first attempt to fix interdomain trusts.
(get password policy and stuff)
Michael
(This used to be commit e180bbd45452435e981192028a0ad90078c04236)
Michael
(This used to be commit 481f18b20d6d5ee12c62120a3559bb16cc98e465)
Do not attempt to do a session setup when in a trusted domain
situation (this gives STATUS_NOLOGON_TRUSTED_DOMAIN_ACCOUNT).
Use get_trust_pw_clear to get machine trust account.
Only call this when the result is really used.
Use the proper domain and account name for session setup.
Michael
(This used to be commit 18c66a364e0ddc4960769871ca190944f7fe5c44)
Michael
(This used to be commit 0cde7ac9cb39a0026a38ccf66dbecefc12931074)
Up to now each caller used its own logic.
This eliminates code paths where there was a special treatment
of the following situation: the domain given is not our workgroup
(i.e. our own domain) and we are not a DC (i.e. it is not a typical
trusted domain situation). In this situation the given domain name was
previously used as the machine account name, resulting in an account
name of DOMAIN\\DOMAIN$, which does not seem very reasonable to me.
get_trust_pw would not have obtained a password in this situation
anyways.
I hope I have not missed an important point here!
Michael
(This used to be commit 6ced4a7f88798dc449a667d63bc29bf6c569291f)
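The credential selection described in this commit, in the earlier "On a DC, we always use the domain name given. On a domain member, we use lp_workgroup()" commit, and in the "Use the proper domain and account name for session setup" commit, modelled as an added Python example. This is not Samba code: the SecretsStore stand-in for secrets.tdb, the host and domain names and the passwords are constructed, and the rule that a DC presents an interdomain trust account named after its own domain (HOME$) is an assumption about Samba's convention that the log itself does not state.

```python
"""Added example modelling get_trust_creds()/get_trust_pw_clear() selection.

Not Samba code. SecretsStore is a constructed stand-in for secrets.tdb; the
'our own domain name + $' naming of the interdomain trust account is an
assumption, not something stated in the commit log.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class TrustCreds:
    lookup_domain: str        # domain whose password was (or would be) looked up
    account_name: str         # machine or trust account, with trailing '$'
    password: Optional[str]   # None when not fetched (lazy) or unavailable


class SecretsStore:
    """Constructed stand-in for secrets.tdb (not Samba's API): our own machine
    password plus the interdomain trust passwords a DC holds."""

    def __init__(self, machine_password: str, trustdom_passwords: Dict[str, str]):
        self._machine_password = machine_password
        self._trustdom = {k.upper(): v for k, v in trustdom_passwords.items()}
        self.fetches = 0  # counts store reads, to show lazy retrieval

    def fetch_machine_password(self) -> str:
        self.fetches += 1
        return self._machine_password

    def fetch_trustdom_password(self, domain: str) -> Optional[str]:
        self.fetches += 1
        return self._trustdom.get(domain.upper())


def get_trust_creds(domain: str, our_workgroup: str, our_netbios_name: str,
                    is_dc: bool, store: SecretsStore,
                    need_password: bool = True) -> Optional[TrustCreds]:
    """Select the account used when contacting `domain`.

    DC asked about some other domain: look up that domain's trust password
    and (assumption) present our own domain name plus '$' as the account.
    Every other case: our own machine account in our own workgroup, never an
    account built from the *given* domain (the eliminated DOMAIN\\DOMAIN$ path).
    The password is only read from the store when need_password is True.
    Returns None when no trust password exists, so callers cannot proceed
    with guessed credentials.
    """
    if is_dc and domain.upper() != our_workgroup.upper():
        lookup_domain = domain.upper()
        account = f"{our_workgroup.upper()}$"
        password = store.fetch_trustdom_password(domain) if need_password else None
        if need_password and password is None:
            return None
        return TrustCreds(lookup_domain, account, password)

    # Domain member, or a DC talking to its own domain.
    lookup_domain = our_workgroup.upper()
    account = f"{our_netbios_name.upper()}$"
    password = store.fetch_machine_password() if need_password else None
    return TrustCreds(lookup_domain, account, password)


if __name__ == "__main__":
    store = SecretsStore("machine-pw", {"TRUSTED": "trust-pw"})
    print("DC -> TRUSTED:    ", get_trust_creds("TRUSTED", "HOME", "srv1", True, store))
    print("member -> TRUSTED:", get_trust_creds("TRUSTED", "HOME", "srv1", False, store))
    print("DC -> OTHER:      ", get_trust_creds("OTHER", "HOME", "srv1", True, store))
```

The member case is the one the commit singles out: the result is HOME\SRV1$ with our own machine password, not TRUSTED\TRUSTED$, for which no password could have been obtained anyway.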
by retrieving the trust password only when it will be used.
Michael
(This used to be commit cdc60d8ae8c0ef804206b20b451e9557f97d4439)