Age | Commit message (Collapse) | Author | Files | Lines |
|
metze
(This used to be commit af63ed9eb3a5af3e4eeb84c66397255ea90ea764)
|
|
it's ugly, but they're used in torture tests
I hope to find a better solution for this later...
metze
(This used to be commit be8874e9d3f1a022a42ccd1262dc5ce7bd5d1a91)
|
|
metze
(This used to be commit 91a3a0b795ebe73d29b69bb40ae9e67b40f90212)
|
|
- build gensec_ntlmssp always static for now, because torture/auth/ntlmssp.c
needs to access functions from it
metze
(This used to be commit 43733c9556c1c92336780206e3f71bdee6e43eee)
|
|
buildsystem)
(This used to be commit 04c49e211fc4f80e03d9322b983bbde15baba640)
|
|
(This used to be commit 2c746980328431ab04852dc668899e3eb042da99)
|
|
(This used to be commit 2d655f05285a86bb1bbb882e4dd843def15c9dfa)
|
|
(This used to be commit 930daa9f416ecba1d75b8ad46bb42e336545672f)
|
|
file dependencies
(This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781)
|
|
if the 'password does not expire' flag has been set, filling in the
PAC and netlogon reply correctly if so.
Andrew Bartlett
(This used to be commit c530ab5dc6865c422382bc0afa7a86f7ec1acdf2)
|
|
default.
(This used to be commit c80a8f1102caf744b66c13bebde38fba74983dc4)
|
|
(This used to be commit 936d26ae64b93ef8f8b2fbc632b1c2fd60840405)
|
|
assumptions
about the data type being known.
(This used to be commit 991bec80e4f20c9fac9ab5c45b0fdf6d048cda66)
|
|
(This used to be commit aac1b99b362993352d80692afa55c38fc851c016)
|
|
(This used to be commit 9a188eb1f48a50d92a67a4fc2b3899b90074059a)
|
|
(This used to be commit bca0e8054f6d9c7adc9d92e0c30d4323f994c9e9)
|
|
metze
(This used to be commit 7b284174aa36fdd5d6841dab4934f1f6ecfba4ce)
|
|
this.
This tries to ensure that when we are a client, we cope with mechs
(like GSSAPI) that only abort (unknown server) at first runtime.
Andrew Bartlett
(This used to be commit cb5d18c6190fa1809478aeb60e352cb93c4214f6)
|
|
credentials.
Consistantly rename these elements in the IDL to computer_name.
Fix the server-side code to always lookup by this name.
Add new, even nastier tests to RPC-SCHANNEL to prove this.
Andrew Bartlett
(This used to be commit 341a0abeb4a9f88d64ffd4681249cb1f643a7a5a)
|
|
We do need the gsskrb5_get_initiator_subkey() routine. But we should
ensure that we do always get a valid key, to prevent any segfaults.
Without this code, we get a different session key compared with
Win2k3, and so kerberised smb signing fails.
Andrew Bartlett
(This used to be commit cfd0df16b74b0432670b33c7bf26316b741b1bde)
|
|
isn't every parameter on NTLMSSP, but it is most of the important
ones.
This showed up that we had the '128bit && LM_KEY' case messed up.
This isn't supported, so we must look instead at the 56 bit flag.
Andrew Bartlett
(This used to be commit 990da31b5f63f1e707651af8bf1a3241a8309811)
|
|
NTLM2 signing code.
Andrew Bartlett
(This used to be commit 16e5c968756c40b8595503da47a1adb9cb09c447)
|
|
We were causing mayhem by weakening the keys at the wrong point in time.
I think this is the correct place to do it. The session key for SMB
signing, and the 'smb session key' (used for encrypting password sets)
is never weakened.
The session key used for bulk data encryption/signing is weakened.
This also makes more sense, when we look at the NTLM2 code.
Andrew Bartlett
(This used to be commit 3fd32a12094ff2b6df52f5ab2af7c0ffceb5a4a0)
|
|
encryption behaviour.
Andrew Bartlett
(This used to be commit 2b3b2f33a4c531f2b0f65521cc352e6d762e95bd)
|
|
The new RPC-SCHANNEL test shows that the full credentials state must
be kept in some shared memory, for some length of time. In
particular, clients will reconnect with SCHANNEL (after loosing all
connections) and expect that the credentials chain will remain in the
same place.
To achive this, we do the server-side crypto in a transaction,
including the fetch/store of the shared state.
Andrew Bartlett
(This used to be commit 982a6aa871c9fce17410a9712cd9fa726025ff90)
|
|
responses...
Also trust OpenLDAP to be pedantic about it, breaking connections to AD.
In any case, we now get this 'right' (by nasty overloading hacks, but
hey), and we can now use system-supplied OpenLDAP libs and SASL/GSSAPI
to talk to Samba4.
Andrew Bartlett
(This used to be commit 0cbe18211a95f811b51865bc0e8729e9a302ad25)
|
|
the spec.
GSSAPI differs from GSS-SPNEGO in an additional 3 packets, negotiating
a buffer size and what integrity protection/privacy should be used.
I worked off draft-ietf-sasl-gssapi-03, and this works against Win2k3.
I'm doing this in the hope that Apple clients as well as SASL-based
LDAP tools may get a bit further.
I still can't get ldapsearch to work, it fails with the ever-helpful
'Local error'.
Andrew Bartlett
(This used to be commit 3e462897754b30306c1983af2d137329dd937ad6)
|
|
In particular, I've used the --leak-report-full option to smbd to
track down memory that shouldn't be on a long-term context. This is
now talloc_free()ed much earlier.
Andrew Bartlett
(This used to be commit c6eb74f42989d62c82d2a219251837b09df8491c)
|
|
Andrew Bartlett
(This used to be commit 3570a62876dcd656b328bf8c2c1be617ae9a8fd7)
|
|
We don't want temporary memory hanging around on the long-term
contexts.
Andrew Bartlett
(This used to be commit 85b3f6ebddfb655fdd08d1799752e562a6ff9cb1)
|
|
context.
Andrew Bartlett
(This used to be commit 1e840aa43679ceccb2a3afc694a5de0828147e8c)
|
|
From here we can add tests to Samba for kerberos, forcing it on and
off. In the process, I also remove the dependency of credentials on
GENSEC.
This also picks up on the idea of bringing 'set_boolean' into general
code from jpeach's cifsdd patch.
Andrew Bartlett
(This used to be commit 1ac7976ea6e3ad6184c911de5df624c44e7c5228)
|
|
(This used to be commit f7c28d31481f6479f258cd878d173cbc42ed9de0)
|
|
case) as the keytab.
This avoids issues in replicated setups, as we will replicate the
kpasswd key correctly (including from windows, which is why I care at
the moment).
Andrew Bartlett
(This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)
|
|
(This used to be commit e9ec3a379c45ea210a810b1cb5d65b966b7319cc)
|
|
(This used to be commit 01e98966ca955e86ec46f8bce3892899e2717df9)
|
|
length of the (possibly null) pointer.
In reality this should come to us either 16 or 0 bytes in length, but
this is the safest test.
This is bug 3401 in Samba3, thanks to Yau Lam Yiu <yiuext at cs.ust.hk>
Andrew Bartlett
(This used to be commit f3aa702944ed7086d93bf05075f910e7e4617d9c)
|
|
- fix compilation of auth/kerberos/krb5_init_context.c on AIX
metze
(This used to be commit 0e1ad08a8515056f4ed0923889bef04d85b84964)
|
|
gsskrb5_get_initiator_subkey() routine is bougs. We can indeed use
gss_krb5_get_subkey().
This is fortunate, as there was a segfault bug in 'initiator' version.
Andrew Bartlett
(This used to be commit ec11870ca1f9231dd3eeae792fc3268b31477e11)
|
|
Andrew Bartlett
(This used to be commit 08f8b2aadbc815f91fbe50a5ebcbf33504bcd7cc)
|
|
Andrew Bartlett
(This used to be commit f4386f7af17add82e88373adb1d585261d13355c)
|
|
we are going to try and have a 'real' NT token for these users, it is
going to get messy fast. I want to go down the idmap road, but we
don't have the infrustucure for that yet.
Andrew Bartlett
(This used to be commit c90d5e82ff4836765f328b2acf20fd09ec91189b)
|
|
Andrew Bartlett
(This used to be commit 37f342b01095787d4a63a419c6ab3657680c2637)
|
|
Andrew Bartlett
(This used to be commit 8f70d6270a788494dd07430f778ee90a51551e66)
|
|
structure that is more generic than just 'IP/port'.
It now passes make test, and has been reviewed and updated by
metze. (Thankyou *very* much).
This passes 'make test' as well as kerberos use (not currently in the
testsuite).
The original purpose of this patch was to have Samba able to pass a
socket address stucture from the BSD layer into the kerberos routines
and back again. It also removes nbt_peer_addr, which was being used
for a similar purpose.
It is a large change, but worthwhile I feel.
Andrew Bartlett
(This used to be commit 88198c4881d8620a37086f80e4da5a5b71c5bbb2)
|
|
metze
(This used to be commit ec1a7b5cefc32172ea97338a7101fe8416071b69)
|
|
Andrew Bartlett
(This used to be commit c10491fb9be1eb8a13f03ed16fd3ed799315287e)
|
|
(This used to be commit c722f665c90103f3ed57621c460e32ad33e7a8a3)
|
|
with clients compiled against the MIT Kerberos implementation. (Which
checks for address in KRB-PRIV packets, hence my comments on socket
functions earlier today).
It also fixes the 'set password' operation to behave correctly (it was
previously a no-op).
This allows Samba3 to join Samba4. Some winbindd operations even work,
which I think is a good step forward. There is naturally a lot of work
to do, but I wanted at least the very basics of Samba3 domain membership
to be available for the tech preview.
Andrew Bartlett
(This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
|
|
Re-introduce and use the OUTPUT_TYPE property for MODULEs to force
specific modules to always be included
(This used to be commit f9eede3d40098eddc3618ee48f9253cdddb94a6f)
|