Age | Commit message (Collapse) | Author | Files | Lines |
|
Fix escaping of DN components and filters around the code
Add some notes to commandline help messages about how to pass DNs
revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was
incorrect.
The 2 functions use DNs in different ways.
- lookup_usergroups_member() uses the DN in a search filter,
and must use the filter escaping function to escape it
Escaping filters that include escaped DNs ("\," becomes "\5c,") is the
correct way to do it (tested against W2k3).
- lookup_usergroups_memberof() instead uses the DN ultimately as a base dn.
Both functions do NOT need any DN escaping function as DNs can't be reliably
escaped when in a string form, intead each single RDN value must be escaped
separately.
DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as
they come already escaped on the wire and passed as is by the ldap libraries
DN filtering has been tested.
For example now it is possible to do something like:
'net ads add user joe#5' as now the '#' character is correctly escaped when
building the DN, previously such a call failed with Invalid DN Syntax.
Simo.
(This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
|
|
Jeremy.
(This used to be commit 5ed61d5af6fe56e22135406256f5d1f7ccd6a376)
|
|
Jeremy.
(This used to be commit 4a04555e23b5fa53fbeb5b65a7c83cff1b0f9640)
|
|
allowed a CIFS client bug to remain unnoticed :-(.
I suck.
Jeremy.
(This used to be commit 29761173ee26b4713c9a12166a935c066fc3321b)
|
|
(This used to be commit 5ef0286b56b368abd4da2cbe3d826a3438f3acc3)
|
|
removed).
Jeremy.
(This used to be commit 645b0438dde0dad26e950b3184cc412d3d87560a)
|
|
to allow client to fragment large SPNEGO blobs (large krb5
tickets). Tested against W2K3R2. Should fix bug #4400.
Jeremy.
(This used to be commit b81c5c6adce51cec06df0e993534064b20666a8e)
|
|
where return value was incorrectly initialized.
Jeremy.
(This used to be commit 8d45f1f3b524031a34cfba21b677be8a09fc192c)
|
|
broken :-). This will do until Simo fixes the escape
calls properly.
Jeremy.
(This used to be commit b7d91ec1b20f8d58903a3283f7789a30041461be)
|
|
(This used to be commit 9a9b9421673ed1c455658d8ae79d7a1522a1baa7)
|
|
builtin
domain. Without this patch we leaked a DISPINFO for the (NULL) domain per
samr_connect*() call.
Volker
(This used to be commit 4423880ff47a94074c625a4f4f81c3b516faa644)
|
|
(This used to be commit 952f648d8132a0652bb03b9e7671239e57614ee9)
|
|
directly after another.
Guenther
(This used to be commit 76ba11d7770bac7c6db2eb1640139bbe270d82c3)
|
|
Guenther
(This used to be commit 28ce79629bc36929f508c1ccb1d27d48e8898045)
|
|
Guenther
(This used to be commit 7b18a4730d61c04867fc11df8980943d422589d8)
|
|
Guenther
(This used to be commit 8ff0903a17cfd8c09b73ef637484a72719e82071)
|
|
Guenther
(This used to be commit 020601ea0abeb15f2aef9da354fcf6d7d5459710)
|
|
proto should be required before creating any binary from now on.
Remove proto_exists from the all, pam_smbpass, and pam_bindind rule.
(This used to be commit 95d22979743c94565d9d0bbb64eb1e9adeba10d3)
|
|
(This used to be commit f63189907efe857ef51ff91470ddb8d21b9a41fa)
|
|
comment :-)
(This used to be commit fad2ee8aa3e99c31a0632a80b4a64dedb6e01495)
|
|
them. It just does not make sense to do a querydispinfo on an alias handle...
This fixes a memleak: Every samr_connect*() call leaked a DISP_INFO for the
(NULL) sid.
More cleanup pending: Essentially, we only need the DISP_INFO cache for the
get_global_sam_sid() domain. BUILTIN is fixed and small enough, and there are
no other domains around where enumerations could happen.
This also removes the explicit builtin_domain flags. I don't think this is
worth it. If this makes a significant difference, then we have a *VERY* tuned
RPC layer...
Jeremy, please check this. If it's ok, we might want to merge it across.
Volker
(This used to be commit 0aceda68a825788895759e79de55b080ad3f971d)
|
|
(This used to be commit b5fd72282da85f50a040fd949752bc71023ff055)
|
|
path.
Thanks,
Volker
(This used to be commit e795865d58472498097edc3fb68438ed08c38d8d)
|
|
(This used to be commit 934163782bf5444ee6535b628ef80dad4b5685e6)
|
|
Guenther
(This used to be commit bc04004c182b114749d8e33edcf835efb252d35d)
|
|
called with the -v option).
Patch from William Jojo <jojowil@hvcc.edu>.
Guenther
(This used to be commit 5889f588ee9bee6ceb6e6d517f6e69e42d55a574)
|
|
there is just no cache around for a user.
Guenther
(This used to be commit a6c249b59228c6891cde624f72fff23879dbd19f)
|
|
Guenther
(This used to be commit 7edbb636f7caf43135f0320cc08ff18a34a80594)
|
|
shoulder.... Correct fix for warning :-)
Jeremy.
(This used to be commit 773001870d22ef4ff7ec00f73661b59a63cade42)
|
|
Jeremy.
(This used to be commit 34675624e2be886188337a883a6c4a57ef7e3fe3)
|
|
is the case where we don't have memalign() or posix_memalign().
(This used to be commit 1635bac80011d15e3ed30b6d43b6e22b2ce2a000)
|
|
others don't get stuck with the winbindd hang.
Still waiting on additional confirmation from Guenther
that this fixes thes issues he was observing as well.
But it's been running in my local tree for a day without
problems.
(This used to be commit 0d2b80c6c4a744b05a0efdec352cddccc430e0c4)
|
|
Guenther
(This used to be commit 82f1da8117434c52c383b33a905b3765f0240d4a)
|
|
Slightly change the DEBUG 0 message as suggested by Volker on
samba-technical.
(This used to be commit c02921e95d41fe93c5913d79dfb690fcc1d73de4)
|
|
Jerry please check.
Simo.
(This used to be commit a5354aa9a0bd860500356f45d09fce3d01649c60)
|
|
The two culprits were
* pdb_get_account_policy()
* pdb_get_group_sid()
(This used to be commit 6a69caf6907fad01b13aa4358ce5c62506f98495)
|
|
post 3.0.23.
This implementation considers spaces in ldapsam configs. Such configs
are trunkated after the closing quote.
(This used to be commit 5cd9a2e25872db1881f2f67026bfcd52d060fc4b)
|
|
(This used to be commit 52e6a2ceab794875781575ed17ec86808f6e26da)
|
|
changed a password via pam_chauthtok. Only do this if
a) a user logs on using an expired password (or a password that needs to
be changed immediately) or
b) the user itself changes his password.
Also make sure to delete the in-memory krb5 credential cache (when a
user did not request a FILE based cred cache).
Finally honor the krb5 settings in the first pam authentication in the
chauthtok block (PAM_PRELIM_CHECK). This circumvents confusion when
NTLM samlogon authentication is still possible with the old password after
the password has been already changed (on w2k3 sp1 dcs).
Guenther
(This used to be commit c3005c48cd86bc1dd17fab80da05c2d34071b872)
|
|
Jeremy.
(This used to be commit 4a74d042c9108ed68cc92f27b390c261c0bc8885)
|
|
Jeremy.
(This used to be commit 42a846b3dfa50eea6592c6bb425f7bdb672c25f9)
|
|
but explicit shares in "default service" :-).
Jeremy.
(This used to be commit 90bdcce765998cc0f5768d24926d52b8a4a44f90)
|
|
errno into an NTSTATUS immediately.
Jeremy.
(This used to be commit 71dd02cc164197152e76d8141f906390c4bd1526)
|
|
Jeremy
(This used to be commit 6be078da267677e3e558033c28099e3932a17712)
|
|
on terminate. Pointed out by Herb.
Jeremy.
(This used to be commit 08998b74a51acd55eb6cbe095e682e2a79334736)
|
|
(This used to be commit 5876bedda51fce0c932ca0cdab074629b31a9c94)
|
|
(This used to be commit e73a418b5b0100936efb4c1133da3cfe3fcb61cd)
|
|
But I'd
see this as a design flaw in data_blob() and it made me look in that routine.
Jeremy, revert or merge please :-)
Volker
(This used to be commit e7e6b8b5e0b00cc0746db4e9baa2e860074f903a)
|
|
fragmented into "max xmit" size security blob
chunks. Bug #4400. Needs limits adding, and also
a client-side version.
Jeremy.
(This used to be commit aa69f2481aafee5dccc3783b8a6e23ca4eb0dbfa)
|
|
Guenther
(This used to be commit 5c4a58ff3ab261e32789f39f2cf478367b727318)
|