Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
the S-1-5-9 SID is added in the PAC by the KDC, not on the server that
receives the PAC
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Sun Sep 26 07:09:08 UTC 2010 on sn-devel-104
|
|
|
|
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
|
|
This reverts commit 94e3b4a0d8b714c101803886d60ae6c484740d2f.
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
|
|
Andrew, please review!
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
|
|
|
|
This allows us to control what groups should be added in what use
cases, and in particular to more carefully control the introduction of
the 'authenticated' group.
In particular, in the 'service_named_pipe' protocol, we do not have
control over the addition of the authenticated users group, so we key
of 'is this user the anonymous SID'.
This also takes more care to allocate the right length ptoken->sids
Andrew Bartlett
|
|
The group list in the PAC does not include 'enterprise DCs' and
BUILTIN groups, so we should generate it on each server, not in the
list we pass around in the PAC or SamLogon reply.
Andrew Bartlett
|
|
The auth context was in the past only for NTLM authentication, but we
need a SAM, an event context and and loadparm context for calculating
the local groups too, so re-use that infrustructure we already have in
place.
However, to avoid problems where we may not have an auth_context (in
torture tests, for example), allow a simpler 'session_info' to be
generated, by passing this via an indirection in gensec and an
generate_session_info() function pointer in the struct auth_context.
In the smb_server (for old-style session setups) we need to change the
async context to a new 'struct sesssetup_context'. This allows us to
use the auth_context in processing the authentication reply .
Andrew Bartlett
|
|
This should always return a simple structure with no need to consult a
DB, so remove the event context, and simplfy to call helper functions
that don't look at privilages.
Andrew Bartlett
|
|
metze
|
|
list=""
list="$list event_context:tevent_context"
list="$list fd_event:tevent_fd"
list="$list timed_event:tevent_timer"
for s in $list; do
o=`echo $s | cut -d ':' -f1`
n=`echo $s | cut -d ':' -f2`
r=`git grep "struct $o" |cut -d ':' -f1 |sort -u`
files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4`
for f in $files; do
cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp
mv $f.tmp $f
done
done
metze
|
|
This uses Heimdal's PAC parsing code in the:
- LOCAL-PAC test
- gensec_gssapi server
- KDC (where is was already used, the support code refactored from here)
In addition, the service and KDC checksums are recorded in the struct
auth_serversupplied_info, allowing them to be extracted for validation
across NETLOGON.
Andrew Bartlett
(This used to be commit 418b440a7b8cdb53035045f3981d47b078be6c1e)
|
|
(This used to be commit 719941e929ddb6fea011fcc0c8c6b91c26e586af)
|
|
(This used to be commit b4e1ae07a284c044704322446c94351c2decff91)
|
|
(This used to be commit 47ffbbf67435904754469544390b67d34c958343)
|
|
in dssync tests.
(This used to be commit c7eae1c7842f9ff8b70cce9e5d6f3ebbbe78e83b)
|
|
(This used to be commit b9e3a4862e267be39d603fed8207a237c3d72081)
|
|
(This used to be commit 2c6b755309fdf685cd0b0564272bf83038574a43)
|
|
global_loadparm.
(This used to be commit 37d05fdc7b0e6b3211ba6ae56b1b5da30a6a392a)
|
|
auth but making it usable independently will be the next step.
(This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
|