| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
This library intercepts seteuid and related calls, and simulates them
in a manner similar to the nss_wrapper and socket_wrapper
libraries. This allows us to enable the vfs_unixuid NTVFS module in
the build farm, which means we are more likely to catch errors in the
token manipulation.
The simulation is not complete, but it is enough for Samba4 for
now. The major areas of incompleteness are:
- no emulation of setreuid, setresuid or saved uids. These would be
needed for use in Samba3
- no emulation of ruid changing. That would also be needed for Samba3
- no attempt to emulate file ownership changing, so code that (for
example) tests whether st.st_uid matches geteuid() needs special
handling
|
|
This extends the PKINIT code in Heimdal to ask the HDB layer if the
User Principal Name name in the certificate is an alias (perhaps just
by case change) of the name given in the AS-REQ. (This was a TODO in
the Heimdal KDC)
The testsuite is extended to test this behaviour, and the other PKINIT
certficate (using the standard method to specify a principal name in a
certificate) is updated to use a Administrator (not administrator).
(This fixes the kinit test).
Andrew Bartlett
|
|
Thanks to gd for the catch.
|
|
|
|
|
|
This requires a rework on Heimdal's windc plugin layer, as we want
full control over what tickets Heimdal will issue. (In particular, in
case our requirements become more complex in future).
The original problem was that Heimdal's check would permit the ticket,
but Samba would then deny it, not knowing it was for kadmin/changepw
Also (in hdb-samba4) be a bit more careful on what entries we will
make the 'change_pw' service mark that this depends on.
Andrew Bartlett
|
|
Logs showed that every SAM authentication was causing a non-indexed
ldb search for member=XXX. This was previously indexed in Samba4, but
since we switched to using the indexes from the full AD schema it now
isn't.
The fix is to use the extended DN operations to allow us to ask the
server for the memberOf attribute instead, with with the SIDs attached
to the result. This also means one less search on every
authentication.
The patch is made more complex by the fact that some common routines
use the result of these user searches, so we had to update all
searches that uses user_attrs and those common routines to make sure
they all returned a ldb_message with a memberOf filled in and the SIDs
attached.
|
|
A single AD server can only host a single domain, so don't stuff about
with looking up our crossRef record in the cn=Partitions container.
We instead trust that lp_realm() and lp_workgroup() works correctly.
Andrew Bartlett
|
|
This bit actually means that we should ignore the minimum password
length field for this user. It doesn't mean that the password should
be seen as empty
|
|
For example, some of the new shared functionality was previously in the wkssvc
torture test.
Andrew Bartlett
|
|
|
|
|
|
|
|
consistency with Samba 3.
|
|
This means it must be accessed via the supplied auth_context in the
GENSEC server, and should remove the hard depenceny of GENSEC on the
auth subsystem and ldb (allowing LDB not to rely on LDB is considered
a good thing, apparently)
Andrew Bartlett
|
|
When starting GENSEC on the server, the auth subsystem context must be
passed in, which now includes function pointers to the key elements.
This should (when the other dependencies are fixed up) allow GENSEC to
exist as a client or server library without bundling in too much of
our server code.
Andrew Bartlett
|
|
metze
|
|
metze
|
|
list=""
list="$list event_context:tevent_context"
list="$list fd_event:tevent_fd"
list="$list timed_event:tevent_timer"
for s in $list; do
o=`echo $s | cut -d ':' -f1`
n=`echo $s | cut -d ':' -f2`
r=`git grep "struct $o" |cut -d ':' -f1 |sort -u`
files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4`
for f in $files; do
cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp
mv $f.tmp $f
done
done
metze
|
|
|
|
metze
|
|
Eventually, we should move some of these parameters into a separate
struct (perhaps into smb_transport_options?), to avoid the long lists of
parameters.
|
|
should in the future only contain some settings required for gensec.
|
|
|
|
|
|
make them wrappers around convert_string{,talloc}_convenience().
|
|
|
|
functions.
|
|
remove some unused functions.
|
|
This uses a virtual attribute 'clearTextPassword' (name chosen to
match references in MS-SAMR) that contains the length-limited blob
containing an allegidly UTF16 password. This ensures we do no
validation or filtering of the password before we get a chance to MD4
it. We can then do the required munging into UTF8, and in future
implement the rules Microsoft has provided us with for invalid inputs.
All layers in the process now deal with the strings as length-limited
inputs, incluing the krb5 string2key calls.
This commit also includes a small change to samdb_result_passwords()
to ensure that LM passwords are not returned to the application logic
if LM authentication is disabled.
The objectClass module has been modified to allow the
clearTextPassword attribute to pass down the stack.
Andrew Bartlett
|
|
|
|
|
|
|
|
|
|
This is for bug 5664 reported by Tom <hto@arcor.de>.
Andrew Bartlett
(This used to be commit a106a4ccc435d149072fb884caf95e5517cd4204)
|
|
metze
(This used to be commit 6d640ee4b84c72f6c2da0ee047c9bac916bf3e57)
|
|
metze
(This used to be commit 699e3cdb52acdf2524347d8c053730306c579dd9)
|
|
<j.kerihuel@openchange.org>
metze
(This used to be commit c2cc8ef943e8c2e02edb1eb20214de245cc6914c)
|
|
metze
(This used to be commit b5187dd58ccae03e22ba8857c344a2d7d94f13b3)
|
|
Due to the new rules on prototypes, it must be a static header file.
Andrew Bartlett
(This used to be commit cf60a9b34ec2419b2bc03a37190cb17ad4cf3d5f)
|
|
Fix config.mk due to changing syntax.
Conflicts:
source/libcli/config.mk
source/nbt_server/config.mk
(This used to be commit 6a1c76f29f78183f44dfac6f468c5e728d2cb2cf)
|
|
(This used to be commit a63f458462d207d215a6e4ef8e480b0c8daedf6a)
|
|
(This used to be commit a6b52119940a900fb0de3864b8bca94e2965cc24)
|
|
middle.
(This used to be commit f4a77b96f9c17d853348b70794026e5b9e384942)
|
|
(This used to be commit 2860a7db5968c7007522cdb300eba390da929ab8)
|
|
(This used to be commit 42eb6b33462228467e65a51bbf624c481802b090)
|
|
Conflicts:
source/auth/config.mk
source/auth/gensec/config.mk
source/torture/smbtorture.c
(This used to be commit edfd02e59bba86b977bd60848f57a614691fff7a)
|
|
Trying to compile the latest git tree, I got some errors
"auth/pam_error.h not found" errors, it looks like it moved to
auth/ntlm/pam_errors.h.
Andrew Bartlett
(This used to be commit 95831a015ae076b52256961f771f50dd9b278e33)
|
|
I need to fix up the header inclusion, but this fixes things for now.
Andrew Bartlett
(This used to be commit 7c07edb24b31e7dc3e9b836ec4a6680ee2b04276)
|
|
This should help clarify the role of the various files around here
(done on Jelmer's request).
Andrew Bartlett
(This used to be commit efa399037511ced8978f2e7661a71aac7a384883)
|
