Age | Commit message | Author | Files | Lines |
|
The challenge here is that we are asked not to add the domain groups
again, but we need to search inside them for any aliases that we need
to add. So, we can't short-circuit the operation just because we found
the domain group.
Andrew Bartlett
|
|
This allows us to control what groups should be added in what use
cases, and in particular to more carefully control the introduction of
the 'authenticated' group.
In particular, in the 'service_named_pipe' protocol, we do not have
control over the addition of the authenticated users group, so we key
off 'is this user the anonymous SID'.
This also takes more care to allocate the right length ptoken->sids.
Andrew Bartlett
|
|
If we don't use the winbind backend, we don't (for now) need a
messaging context- and we don't have one in LDB at the moment.
Andrew Bartlett
|
|
We had to split up the auth module into a module loaded by main daemon
and a subsystem we manually init in the operational module.
Andrew Bartlett
|
|
This creates a new interface to the auth subsystem, to allow an
auth_context to be created from the ldb, and then tokenGroups to be
calculated in the same way that the auth subsystem would.
Andrew Bartlett
|
|
The group list in the PAC does not include 'enterprise DCs' and
BUILTIN groups, so we should generate it on each server, not in the
list we pass around in the PAC or SamLogon reply.
Andrew Bartlett
|
|
We perhaps need a more general API here, but for now extend the
credentials API to return the password last changed time that the
s3compat layer will need.
Andrew Bartlett
|
|
In other times, we might have used talloc_reference here, but this
isn't used as much these days.
Andrew Bartlett
|
|
This allows for the rare case where the caller knows the target
principal. The check for lp_client_use_spnego_principal() is moved to
the spnego code to make this work.
Andrew Bartlett
|
|
This allows us to tell the credentials code where we want the
credentials put.
Andrew Bartlett
|
|
This means that we consider the ccache only as reliable as the least
specified of the inputs we used.
This means that we will regenerate the ccache if any of the inputs change.
Andrew Bartlett
|
|
The idea here is to make it not dependent on the system's default
realm.
Andrew Bartlett
|
|
Andrew Bartlett
|
|
the talloc python interface for tp_alloc and tp_dealloc relies on a
cast to a py_talloc_Object to find the talloc_ctx (see
py_talloc_dealloc). This means we rely on the talloc_ctx for the
object being directly after the PyObject_HEAD
This fixes the talloc free with references bug in samba_dnsupdate
The actual problem was the tp_alloc() call in
PyCredentialCacheContainer_from_ccache_container() which used a cast
from a py_talloc_Object to a PyCredentialCacheContainerObject. That
case effectively changed the parent/child relationship between the
talloc_ctx and the ccc ptr.
This patch changes all the structures that follow this pattern to put
the TALLOC_CTX directly after the PyObject_HEAD, to ensure that if
anyone else decides to do a dangerous cast like this that it won't
cause the same sort of subtle breakage.
Pair-Programmed-With: Rusty Russell <rusty@samba.org>
|
|
use nt_errstr() when no error available
|
|
The auth context was in the past only for NTLM authentication, but we
need a SAM, an event context and a loadparm context for calculating
the local groups too, so re-use that infrastructure we already have in
place.
However, to avoid problems where we may not have an auth_context (in
torture tests, for example), allow a simpler 'session_info' to be
generated, by passing this via an indirection in gensec and a
generate_session_info() function pointer in the struct auth_context.
In the smb_server (for old-style session setups) we need to change the
async context to a new 'struct sesssetup_context'. This allows us to
use the auth_context in processing the authentication reply.
Andrew Bartlett
|
|
This code isn't ideal, but it is better than needing to consult the
main SamDB in things like a torture test.
Andrew Bartlett
|
|
system does
metze
|
|
This should always return a simple structure with no need to consult a
DB, so remove the event context, and simplify to call helper functions
that don't look at privileges.
Andrew Bartlett
|
|
A torture test to demonstrate will be added soon.
Andrew Bartlett
|
|
This isn't used often, but it is generally better not to leak it onto
what may be a longer-term context.
Andrew Bartlett
|
|
assignment of the challenge
This is a string buffer and not a DATA_BLOB.
|
|
This works with both standalone lib builds and bundled builds
|
|
we won't be using the mk -> wscript generator again
|
|
these are needed so we can support a system talloc without using the
bundled talloc.h
|
|
this is preparation for being able to use system versions of these
libraries
|
|
them
|
|
We need to only enable the cyrus_sasl module if we have sasl/sasl.h
|
|
Rewrote wafsamba using a new dependency handling system, and started
adding the waf test code
|
|
available"
This reverts commit 3e091a82167f51b7d9abf00755bede9354932c6b.
This should be fixed through the new build system when it lands in "master".
|
|
This macro assumed that all errors were runtime errors.
|
|
FreeBSD 7.2 needs this.
|
|
When we have a system talloc library, we still need to grab pytalloc.h
from lib/talloc. We don't want to just use -Ilib/talloc, as otherwise
we'll get the in-tree talloc.h which may not be compatible with the
system talloc.h
So we need to give the path to pytalloc.h
|
|
Now all data should be initialised
|
|
These were causing thousands of warnings on solaris8
|
|
metze
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
metze
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
metze
Signed-off-by: Günther Deschner <gd@samba.org>
|