Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
The underlying problem was that with ldapsam:trusted we require the
a group mapping for the primary group of every user, including root.
Autobuild-User: Volker Lendecke <vl@samba.org>
Autobuild-Date: Mon Feb 20 22:36:23 CET 2012 on sn-devel-104
|
|
Autobuild-User: Volker Lendecke <vl@samba.org>
Autobuild-Date: Mon Feb 20 17:01:11 CET 2012 on sn-devel-104
|
|
By testing more things against s3member (which is security=ads against samba4)
we can improve our test coverage.
Andrew Bartlett
|
|
|
|
This still requires that the server permit LM passwords, but our s3dc test
environment has this enabled.
Andrew Bartlett
|
|
This allows ntlm_auth --diagnostics to work against the local DC, just
as it works against a member server.
Andrew Bartlett
|
|
Autobuild-User: Volker Lendecke <vl@samba.org>
Autobuild-Date: Sun Feb 19 23:14:15 CET 2012 on sn-devel-104
|
|
|
|
|
|
get_share_mode_lock_fresh is just a confusing name
Autobuild-User: Volker Lendecke <vl@samba.org>
Autobuild-Date: Sun Feb 19 19:16:41 CET 2012 on sn-devel-104
|
|
|
|
Found by callcatcher.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sat Feb 18 09:01:15 CET 2012 on sn-devel-104
|
|
Found by callcatcher.
Andrew Bartlett
|
|
|
|
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat Feb 18 06:22:40 CET 2012 on sn-devel-104
|
|
This matches check_ntlm_password() and generate_session_info_pac()
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sat Feb 18 02:19:35 CET 2012 on sn-devel-104
|
|
Found by callcatcher.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Feb 17 13:48:05 CET 2012 on sn-devel-104
|
|
Found by callcatcher.
Andrew Bartlett
|
|
|
|
|
|
|
|
|
|
Now that there is only one gensec_ntlmssp server, some of these functions can be static
For the rest, put the implemtnation of the gensec_ntlmssp code into ntlmssp_private.h
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
There is no longer any samba3-specific code left here.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This is now identical code, so there is no need to duplicate it.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Also have a reasonable fallback for when it is not set.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
gensec_ntlmssp_server_start()
|
|
This crypto is incredibly poor, and can technically be enabled on an otherwise more
secure connection that uses NTLM for the actual authentication leg. Therefore
disable it by default.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This will help syncing this rotuine up with gensec_ntlmssp_server_start().
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
gensec_ntlmssp3_server
This is possible because we now supply the auth4_context abstraction that this
code is looking for.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
The ntlmssp_server code will be in common shortly, and aside from a
symbol name or two, moving the client code causes no harm and makes
less mess. We will also get the client code in common very soon.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
auth4_context
This avoids creating a second auth_context, as it is a private pointer
in the auth4_context that has already been passed in, and makes the
gensec_ntlmssp code agnostic to the type of authentication backend
behind it. This will in turn allow the ntlmssp server code to be
further merged.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
gensec_gssapi
Thie ensures that both code bases use the same logic to determine the use
of NEW_SPNEGO.
Andrew Bartlett
|
|
|
|
|
|
All our supported krb5 libs provide this.
Andrew Bartlett
|
|
|
|
We no longer need to call poll() directly inside smbd !
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Fri Feb 17 02:49:13 CET 2012 on sn-devel-104
|
|
sys_poll() is only needed if the signal pipe is set up and used, but as
no signal handler ever writes to the pipe, this can all be removed.
signal based events are now handled via tevent.
Andrew Bartlett
Signed-off-by: Jeremy Allison <jra@samba.org>
|
|
gensec_update() ensures that DCE-style and sign/seal are negotiated correctly
for DCE/RPC pipes. Also, the smb sealing client/server already check for the
gensec_have_feature().
This additional check just keeps causing trouble, and is 'protecting'
an already secure negoitated exchange.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Feb 16 21:19:44 CET 2012 on sn-devel-104
|
|
This is not honoured by the common SPNEGO code.
This matches mondern windows versions which do not send this value, as
it would be insecure for a client to rely on it. (See also the
depricated client use spnego principal directive).
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This was previously needed because SPNEGO was only available in the AD DC.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This ensures that we use the same SPNEGO code on session setup and on
DCE/RPC binds, and simplfies the calling code as spnego is no longer
a special case in cli_pipe.c
A special case wrapper function remains to avoid changing the
application layer callers in this patch.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Using gss_krb5_export_lucid_sec_context() is a problem with MIT krb5, as
it (reasonably, I suppose) invalidates the gssapi context on which it
is called. Instead, we look to the type of session key which is
negotiated, and see if it not AES (or newer).
If we negotiated AES or newer, then we set GENSEC_FEATURE_NEW_SPENGO
so that we know to generate valid mechListMic values in SPNEGO.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|