Age | Commit message (Collapse) | Author | Files | Lines |
|
problems with order of socket closing in krb5
(This used to be commit 46a7d83c2b49798c6c5389c13ec2b9785c47b85b)
|
|
irpc_servers_byname()
metze
(This used to be commit b54584dfabee77ec7743cab431bda9765057a295)
|
|
with krb5:set_dns_canonicalize=yes
needed for the drsuapi replication, but we should fix this with
a kdc locator plugin ...
metze
(This used to be commit f0a12355bcfab47663e62f3d8ae820815210cdc5)
|
|
and we don't need an extra allocated string anyway
metze
(This used to be commit 44c27b2fe6f130332d9f7c6bdd901eb025aa3eff)
|
|
metze
(This used to be commit 255acbb1132891e0316a38f1d4721863bb7a7226)
|
|
(This used to be commit 5ff665b6531fdb4c7e56c49b7f923546d93b384c)
|
|
it any more.
Andrew Bartlett
(This used to be commit 367231ea2103b6442ecf8333cb7150dfd98c79f4)
|
|
way to go, as this has bitrotted over the past months.
This change in particular catches winbind up with the next
composite_create() function.
We also needed to remove an unused flags field, and fill in the lm
response.
Andrew Bartlett
(This used to be commit bd26e4ffaf1c060fdc3aae28fd4393e83c5a83ea)
|
|
I'll allow this to be configured from the secrets.ldb, but it should
fix some user issues.
Andrew Bartlett
(This used to be commit 0fd74ada220fb07d4ebe8c2d9b8ae50a387c2695)
|
|
metze
(This used to be commit e0e35965d1eaab182941d17da744b70c4234ca52)
|
|
we need to make sure -Iheimdal/lib/gssapi comes before -I/usr/local/include
metze
(This used to be commit a6ba465fa8b0a4a0835593526d3f2670736c2c8e)
|
|
metze
(This used to be commit fbf1b1bfa015e2126102d8eaf8861d779c21d969)
|
|
metze
(This used to be commit c8a210bc6fa2529944bb1303ba06fe0734bdd23e)
|
|
have the data for anything else.
Andrew Bartlett
(This used to be commit 9e0c0cd0ff678388436430bb1ba4eb7595cbefbd)
|
|
Andrew Bartlett
(This used to be commit 144ab7294d76397a5e6662d344105a0d59c9f423)
|
|
Andrew Bartlett
(This used to be commit bbde5b6a2f85f22110d6840857eaceb6b923c1b4)
|
|
metze
(This used to be commit 4e8f844be939a6e11a3bece4e7e66534fce00cc0)
|
|
machine account.
Andrew Bartlett
(This used to be commit 16a2bb87a80ffb921f267492f453eb3457666315)
|
|
match for what we are using it for here.
Andrew Bartlett
(This used to be commit 305d1421efff3f01db1dce499568874965058e79)
|
|
few authentication tests. Now that the tests correctly 'fail', I was
able to fix the credentials subsystem to honour USER and PASSWD.
To get --machine-pass working, I needed ldb to always load it's static
modules, so I put this in ldb_connect().
Andrew Bartlett
(This used to be commit 3430d8c072407a1c33c32229095fc9db2142b6fa)
|
|
convenience API to create an anonymous credential. Don't clobber
cmdline_credentials in the UNIX-WHOAMI test.
(This used to be commit 73cea4e0c66f57057ed12b07bbb94b4e783ba6bf)
|
|
connections
metze
(This used to be commit 426238eb45f0cc41d99961ac554c2528fd8e96f5)
|
|
- use "sambaPassword" only as virtual attribute for passing
the cleartext password (in unix charset) into the ldb layer
- store des-cbc-crc, des-cbc-md5 keys in the Primary:Kerberos
blob to match w2k and w2k3
- aes key support is disabled by default, as we don't know
exacly how longhorn stores them. use password_hash:create_aes_key=yes
to force creation of them.
- store the cleartext password in the Primary:CLEARTEXT blob
if configured
TODO:
- find out how longhorn stores aes keys
- find out how the Primary:WDigest blob needs to be constructed
(not supported by w2k)
metze
(This used to be commit e20b53f6feaaca2cc81ee7d296ca3ff757ee3953)
|
|
"ntPwdHash" => "unicodePwd"
"lmPwdHash" => "dBCSPwd"
"sambaLMPwdHistory" => "lmPwdHistory"
"sambaNTPwdHistory" => "ntPwdHistory"
Note: you need to reprovision after this change!
metze
(This used to be commit dc4242c09c0402cbfdba912f82892df3153456ad)
|
|
metze
(This used to be commit a246e4bbaaab6f98f50a3c28b47d2c541af7b44a)
|
|
Fix the join code to know that the ldb layer handles the keytab update.
Andrew Bartlett
(This used to be commit d3fbc089f4161ae71b21077d50130fdabd8b2d77)
|
|
metze
(This used to be commit 1f8a037ac4f592d29f7d66e1f924efe1c5d8c2b0)
|
|
them as a hook on ldb modify, via a module.
This should allow the secrets.ldb to be edited by the admin, and to
have things update in the on-disk keytab just as an in-memory keytab
would.
This isn't really a dsdb plugin, but I don't have any other good ideas
about where to put it.
Andrew Bartlett
(This used to be commit 6ce557a1aff4754d2622be8f1c6695d9ee788d54)
|
|
Andrew Bartlett
(This used to be commit 76812a0337fbfcb19939c6ee7a57975b6d690a4d)
|
|
of KDC behaviour. This should allow PKINIT to be turned on and
managed with reasonable sanity.
This also means that the krb5.conf in the same directory as the
smb.conf will always have priority in Samba4, which I think will be
useful.
Andrew Bartlett
(This used to be commit a50bbde81b010bc5d06e3fc3417ade44627eb771)
|
|
Andrew Bartlett
(This used to be commit 9ed9a032c249461e69242afc2e0ccdd47524064e)
|
|
uint32_t server_id
to
struct server_id server_id;
which allows a server ID to have an node number. The node number will
be zero in non-clustered case. This is the most basic hook needed for
clustering, and ctdb.
(This used to be commit 2365abaa991d57d68c6ebe9be608e01c907102eb)
|
|
This patch updates our build system and glue to support a new snapshot
of lorikeet-heimdal.
We now procude a [SUBSYTEM] in the ans1_deps.pl script, and can depend
on that in the heimdal_build/config.mk. This is much easier than
listing every generated .o file individually.
This required some small changes to the build system, due to the way
the parent directory was handled for the output of scripts. I've also
cleaned up et_deps.pl to handle cleaning up it's generated files on
clean.
The PAC glue in Heimdal has changed significantly: we no longer have a
custom hack in the KDC, instead we have the windc plugin interface.
As such, pac-glue.c is much smaller. In the future, when I'm
confident of the new code, we will also be able to 'downsize'
auth/kerberos/kerberos_pac.c.
(I'll include the updated copy of heimdal in the next chekin, to make
it clearer what's changed in Samba4 itself).
Andrew Bartlett
(This used to be commit 75fddbbc0811010a28ca5bb597b573b3f10ef6d6)
|
|
this can be used when we start to support the FAST BIND LDAP Control
metze
(This used to be commit 0a73d3262d5deb5a9d0052751336413fbea370b1)
|
|
Andrew Bartlett
(This used to be commit 929fd1beee5cab647702a9b8d8d5e4c2aab23d11)
|
|
metze
(This used to be commit 4b9e196288f2deb3594db9ba2dd36d774e774574)
|
|
return a NULL DATA_BLOB
metze
(This used to be commit 7256481f08b5e860308e73c2b51926b55b1f4c43)
|
|
leading tag
metze
(This used to be commit 576d4c54cca844164b90e5d6ec71fe44b59607b7)
|
|
way to setup a Samba4 DC is to set 'server role = domain controller'.
We use the fSMORoleOwner attribute in the base DN to determine the PDC.
This patch is quite large, as I have corrected a number of places that
assumed taht we are always the PDC, or that used the smb.conf
lp_server_role() to determine that.
Also included is a warning fix in the SAMR code, where the IDL has
seperated a couple of types for group display enumeration.
We also now use the ldb database to determine if we should run the
global catalog service.
In the near future, I will complete the DRSUAPI
DsGetDomainControllerInfo server-side on the same basis.
Andrew Bartlett
(This used to be commit 67d8365e831adf3eaecd8b34dcc481fc82565893)
|
|
so make it possible to force encryption or signing.
metze
(This used to be commit a91dc4a02a46370c52f59cbd4dea9580fa6efafa)
|
|
to work better against w2k, so we don't get redirected from
1.2.840.113554.1.2.2 to 1.2.840.48018.1.2.2 by a w2k server, causing 2 additional
auth roundtrips.
metze
(This used to be commit fa5c942ee99d3b5779598aa75f71d0317ba3f622)
|
|
negTokenTarg
this happens because we send 1.2.840.113554.1.2.2 before 1.2.840.48018.1.2.2
in the negTokenInit. And w2k's spnego code redirects us to use 1.2.840.48018.1.2.2
and then we start the our spnego engine with 1.2.840.48018.1.2.2 and in the then following
negTokenTarg w2k don't send the supportedMech (which means it aggrees in what we've choosen)
metze
(This used to be commit 5af5488593991ab4a2a8e17d38501ad9ec539020)
|
|
(This used to be commit 4f07542143ddf5066f0360d965f26a8470504047)
|
|
metze
(This used to be commit 9c992a39db32cbe35f0ecb8fe98223bb24a1e973)
|
|
- ldb_dn_get_linearized
returns a const string
- ldb_dn_alloc_linearized
allocs astring with the linearized dn
(This used to be commit 3929c086d5d0b3f08b1c4f2f3f9602c3f4a9a4bd)
|
|
This patch changes a lot of the code in ldb_dn.c, and also
removes and add a number of manipulation functions around.
The aim is to avoid validating a dn if not necessary as the
validation code is necessarily slow. This is mainly to speed up
internal operations where input is not user generated and so we
can assume the DNs need no validation. The code is designed to
keep the data as a string if possible.
The code is not yet 100% perfect, but pass all the tests so far.
A memleak is certainly present, I'll work on that next.
Simo.
(This used to be commit a580c871d3784602a9cce32d33419e63c8236e63)
|
|
NTLMSSP_NEGOTIATE_ALWAYS_SIGN flags into the default set.
Andrew Bartlett
(This used to be commit 04709c75afda0234c7236fba674bf53a265f8dbb)
|
|
(This used to be commit 17c2557834aad8c85fb640054c942f99bbce1d94)
|
|
(This used to be commit 8768bec81f57131a0c9754e8121b345c0be4a5d0)
|
|
metze
(This used to be commit 30963753fcd9d8db17ca5c8476cc85b7084b7e87)
|