| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Signed-off-by: Simo Sorce <idra@samba.org>
|
|
Guenther
|
|
Guenther
|
|
|
|
Guys, what are you doing here ? ;-)
Guenther
|
|
Guenther
|
|
"warning: assuming signed overflow does not occur when assuming that (X + c) < X is always false"
Guenther
|
|
Modern Kerberos implementations have either defines or enums for these
key types, which makes doing #ifdef difficult. This shows up in files
such as libnet_samsync_keytab.c, the bulk of which is not compiled on
current Fedora 12, for example.
The downside is that this makes Samba unconditionally depend on the
arcfour-hmac-md5 encryption type at build time. We will no longer
support libraries that only support the DES based encryption types.
However, the single-DES types that are supported in common with AD are
already painfully weak - so much so that they are disabled by default
in modern Kerberos libraries.
If not found, ADS support will not be compiled in.
This means that our 'net ads join' will no longer set the
ACB_USE_DES_KEY_ONLY flag, and we will always try to use
arcfour-hmac-md5.
A future improvement would be to remove the use of the DES encryption
types totally, but this would require that any ACB_USE_DES_KEY_ONLY
flag be removed from existing joins.
Andrew Bartlett
Signed-off-by: Simo Sorce <idra@samba.org>
|
|
Due to missing defines in modern kerberos libraries, this code was
not compiled and so this wasn't noticed.
Andrew Bartlett
Signed-off-by: Simo Sorce <idra@samba.org>
|
|
This is required for Solaris, which needs to link in librt to make use of
fdatasync().
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
performance counter code.
In the file rpc_server.c, function _winreg_QueryValue()
uint8_t *outbuf
Should be :
uint8_t *outbuf = NULL;
As it is later freed by
if (free_buf) SAFE_FREE(outbuf);
in some cases, this frees the unintialized outbuf, which causes a coredump.
|
|
|
|
Guenther
|
|
some OpenBSD systems have underlinked cups libraries. If linking against cups
alone fails, try to link against all the cups-config --libs cruft, which we
usually don't want. (bugzila #7244)
|
|
This reverts commit 911db761148. This was introduced in 18f1f5b56b140
intentionally.
|
|
metze
|
|
metze
|
|
metze
|
|
metze
|
|
If the parent is fast enough, the echo handler should not step in. When the
socket becomes readable, the echo handler goes to sleep for a second. If within
that second, the parent has picked up the SMB request from the net, the echo
handler will just go back to select().
|
|
|
|
|
|
|
|
(such as MIT krb5 1.7.1 on fedora 13).
This whole area needs more work and love later, for now it builds at least.
Kai, please check.
Guenther
|
|
This means that the core logic (but not the initialisation) of the
NTLMSSP server is in common, but uses different authentication backends.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
This allows for a future where the auth subsystem is async, and the
session key generation needs to happen in a callback.
This code is originally reworked into this style by metze for the
source4/ implementation.
The other change here is to introduce an 'out_mem_ctx', which makes
the API match that used in source4.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
There is no code path that sets nt_status before this point, without
a return.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
This code will, I hope, soon be merged in common, and the Samba4
use case does not currently support talloc_tos() properly. Use another
context for now.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
This is another 'belts and braces' check to avoid the use of the
weak 'LM_KEY' encryption when the client has chosen NTLMv2.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
This ensures the client isn't confused and we don't enter this
weaker authentication scheme when we don't really, really need to.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
This may help to avoid a number of possible MITM attacks where LM_KEY is
spoofed into the session. If the login wasn't with lanman
(and so the user chose to disclose their lanman response),
don't disclose back anything based on their lanman password.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
This will allow this to be handled via common code in the future
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Guenther
|
|
libcli/auth Use true and false rather than True and False in common code
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
We need to call setup_ntlmssp_server_info() if status==NT_STATUS_OK,
or if status is anything except NT_STATUS_MORE_PROCESSING_REQUIRED,
as this can trigger map to guest.
Jeremy.
|
|
secure channel.
This is an important fix as the following could and is happening:
* winbind authenticates a user via schannel secured netlogon samlogonex call,
current secure channel cred state is stored in winbind state, winbind
sucessfully decrypts session key from the info3
* winbind sets up a new schannel ncacn_ip_tcp lsa pipe (and thereby resets the
secure channel on the dc)
* subsequent samlogonex calls use the new secure channel creds on the dc to
encrypt info3 session key, while winbind tries to use old schannel creds for
decryption
Guenther
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
