Age | Commit message | Author | Files | Lines |
|
Andrew Bartlett
|
|
This is for the case where we have the plaintext password locally, and
can construct the challenge-response values here.
We should never ever use the LM password in domain authentication.
The last domain controller to only have LM passwords stored was NT
3.5.
Andrew Bartlett
|
|
It is never correct to ask for a machine$ principal as the target of a
kerberos connection. You should always connect via the
servicePrincipalName.
This current code appears to have built up from a series of minimal
changes, as the codebase adapted to the lack of a SPNEGO principal
from Windows 2008.
Andrew Bartlett
|
|
This matches the improved security measures of Windows Vista.
Andrew Bartlett
|
|
This patch, based on the suggestion by Goldberg, Neil R. <ngoldber@mitre.org>
turns off the sending of the principal in the negprot by default, matching
Windows 2008 behaviour.
This slowly works us back from this hack, which from an RFC
perspective was never the right thing to do in the first place, but we
traditionally follow Windows behaviour. It also discourages client
implementations from relying on it, as if they do they are more open to
man-in-the-middle attacks.
Andrew Bartlett
|
|
This principal is not supplied by later versions of Windows, and using
it opens up some opportunities for man in the middle attacks. (Because
it isn't the name being contacted that is verified with the KDC).
This adds the option 'client use spnego principal' to the smb.conf (as
used in Samba4) to control this behaviour. As in Samba4, this
defaults to false.
Against 2008 servers, this will not change behaviour. Against earlier
servers, it may cause a downgrade to NTLMSSP more often, in
environments where server names are not registered with the KDC as
servicePrincipalName values.
Andrew Bartlett
|
|
|
|
|
|
Before we rejected the authentication if we don't support the
first spnego mech the client offered.
We now negotiate the first mech we support.
This fix works around problems when a client
sends the NEGOEX (1.3.6.1.4.1.311.2.2.30) oid,
which we don't support.
metze
|
|
metze
|
|
metze
|
|
account.
Autobuild-User: Michael Adam <obnox@samba.org>
Autobuild-Date: Tue Dec 7 17:37:52 CET 2010 on sn-devel-104
|
|
Guenther
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Tue Dec 7 16:50:23 CET 2010 on sn-devel-104
|
|
Guenther
|
|
Autobuild-User: Michael Adam <obnox@samba.org>
Autobuild-Date: Tue Dec 7 15:18:03 CET 2010 on sn-devel-104
|
|
Guenther
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Tue Dec 7 14:01:46 CET 2010 on sn-devel-104
|
|
Guenther
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Tue Dec 7 13:07:51 CET 2010 on sn-devel-104
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
If a child dies, the parent process right away closes the socket.
This is wrong, with tevent we still have events pending. This works
fine for epoll but does not for at least the FreeBSD select variant.
Tevent sticks a closed socket into the select masks. This then
returns an error EBADF. When this happens, the parent winbind dies
instead of forking a new child.
This moves the socket close from the SIGCHLD cleanup function to
the socket receiver. I could not reproduce the parent death anymore
and it did not create an obvious fd leak.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Mon Dec 6 23:21:02 CET 2010 on sn-devel-104
|
|
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Mon Dec 6 21:18:07 CET 2010 on sn-devel-104
|
|
|
|
|
|
Guenther
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Mon Dec 6 17:34:45 CET 2010 on sn-devel-104
|
|
Autobuild-User: Jim McDonough <jmcd@samba.org>
Autobuild-Date: Sat Dec 4 18:23:54 CET 2010 on sn-devel-104
|
|
Guenther
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Fri Dec 3 13:54:25 CET 2010 on sn-devel-104
|
|
Guenther
|
|
Guenther
|
|
inside pwrite under the covers.
Jeremy.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Fri Dec 3 03:39:42 CET 2010 on sn-devel-104
|
|
|
|
vfs_slow_fallocate()
and use that from both the truncate and fill_sparse functions.
Jeremy.
|
|
Jeremy.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Fri Dec 3 02:26:23 CET 2010 on sn-devel-104
|
|
Jeremy.
|
|
allocate is on
Tries posix_fallocate() and then falls back to old code.
Jeremy.
|
|
this needs some rework. Sourced shell code cannot take arguments, at least no
portable shell. This generates errors on the buildfarm since quite a while.
|
|
|
|
Jeremy.
|
|
Autobuild-User: Michael Adam <obnox@samba.org>
Autobuild-Date: Thu Dec 2 01:18:19 CET 2010 on sn-devel-104
|
|
Guenther
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Wed Dec 1 19:35:50 CET 2010 on sn-devel-104
|
|
possible.
Guenther
|
|
Guenther
|
|
Guenther
|
|
This finally allows mixed case module names like the classic build
(./configure --shared_modules=charset_CP850)
Guenther
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Wed Dec 1 18:39:14 CET 2010 on sn-devel-104
|
|
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Wed Dec 1 08:43:37 CET 2010 on sn-devel-104
|
|
|
|
This module is from hell. Please make 100% sure that you did test it
properly when touching it! This module has probably given me more grey
hair than any other piece of Samba, so PLEASE PLEASE PLEASE be careful here!!!
|
|
Guenther
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Wed Dec 1 00:13:58 CET 2010 on sn-devel-104
|
|
Guenther
|
|
Guenther
|