Age | Commit message (Collapse) | Author | Files | Lines |
|
installed.
Install pkg-config files.
(This used to be commit a86abe84e2cae7c6188c094a92c6b62aace02fdf)
|
|
backend.
The idea is that every time we open an LDB, we can provide a
session_info and/or credentials. This would allow any ldb to be remote
to LDAP. We should also support provisioning to a authenticated ldap
server.
(They are separate so we can say authenticate as foo for remote, but
here we just want a token of SYSTEM).
Andrew Bartlett
(This used to be commit ae2f3a64ee0b07575624120db45299c65204210b)
|
|
To avoid a circular depenency, it is not allowed to use Krb5 as an
authentication mechanism, so this must be removed from the list. An
extension to the credentials system allows this function.
Also remove proto.h use for any of the KDC, and use NTSTATUS returns
in more places.
Andrew Bartlett
(This used to be commit 5f9dddd02c9c821675d2ccd07561a55edcd7f5b4)
|
|
metze
(This used to be commit c60bac5baa572a597ce6e1c2e3639be4c7daeefc)
|
|
NT_STATUS_CONNECTION_REFUSED when a KDC is not listening)
(This used to be commit 0f85fc204c6018f8403c2e8f75f683aed38ba83b)
|
|
error out immediatelly. This prevents a long timeout
(This used to be commit f6c0fccc06060582ef870a0ac590dabeec2f2e6a)
|
|
attach a restriction on available GENSEC mechanisms.
Andrew Bartlett
(This used to be commit 8154f2421f828be65ee89f21ed7ac0f5e2132ca9)
|
|
GENSEC mechansims. This will allow a machine join to an NT4 domain to
avoid even trying kerberos, or a sensitive operation to require it.
Andrew Bartlett
(This used to be commit 11c7a89e523f85afd728d5e5f03bb084dc620244)
|
|
share the MEMORY: keytab).
Andrew Bartlett
(This used to be commit 6c43de27086d3c463891598eb55a44877194cb0d)
|
|
Andrew Bartlett
(This used to be commit 55cb72f5cfe9a2c520c30e11ab34896588e91730)
|
|
function for enctype to string.
Andrew Bartlett
(This used to be commit ae6c968cb27f451e5f8cea62be7f33b4b4716f82)
|
|
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
|
|
Andrew Bartlett
(This used to be commit 88a7b7805c11cb3a1be3222d3e4b0b3ad8aff2aa)
|
|
be updated.
This allows a new password to be written in, and old entries removed
(we keep kvno and kvno-1).
Clean up the code a lot, and add comments on what it is doing...
Andrew Bartlett
(This used to be commit 0a911baabad60a43741269d29a96fdd74e54331a)
|
|
list).
Andrew Bartlett
(This used to be commit fc4202dea88a72de061cb2e1caa7847fae37018f)
|
|
them 'later'. We will need to handle the errors when we call the
get_* methods.
Andrew Bartlett
(This used to be commit c6e572f87022b57cdfd8178eb5c23df67a92c453)
|
|
messages. As discussed with Andrew, this will soon be replaced with a
system that marks the credentials to use the machine accout from the
database rather than pre-loading the machine account details here.
The reason we got the annoying messages is this was being called
before smb.conf is loaded, so the code doesn't yet know the location
of the private directory
(This used to be commit 6aeb4bf3fe224a6f81962237bdda329ba828b493)
|
|
(This used to be commit 9c4436a124f874ae240feaf590141d48c33a635f)
|
|
Andrew Bartlett
(This used to be commit 9b3dedbc0bb12897a8f9bd4ec864de26b3835981)
|
|
Andrew Bartlett
(This used to be commit 41f09ef9342d0c9f09475a189d2bbdb50e611528)
|
|
Andrew Bartlett
(This used to be commit 571f9c9c51b93946d23f2b35ef76ac881994b8cc)
|
|
abartlet, tridge, lha: is there a better way?
metze
(This used to be commit b2b4969bdcdd85b1093d91184ff10eff9f74e550)
|
|
metze
(This used to be commit 06ccbc3fa99dc6396b2fe46adb51ef42431669eb)
|
|
metze
(This used to be commit 35e17abb8763e4d90725d007fefa76965260c124)
|
|
This patch changes the way lsb_search is called and the meaning of the returned integer.
The last argument of ldb_search is changed from struct ldb_message to struct ldb_result
which contains a pointer to a struct ldb_message list and a count of the number of messages.
The return is not the count of messages anymore but instead it is an ldb error value.
I tryed to keep the patch as tiny as possible bu as you can guess I had to change a good
amount of places. I also tried to double check all my changes being sure that the calling
functions would still behave as before. But this patch is big enough that I fear some bug
may have been introduced anyway even if it passes the test suite. So if you are currently
working on any file being touched please give it a deep look and blame me for any error.
Simo.
(This used to be commit 22c8c97e6fb466b41859e090e959d7f1134be780)
|
|
We now put the PAC in the AS-REP, so that the client has it in the
TGT. We then validate it (and re-sign it) on a TGS-REQ, ie when the
client wants a ticket.
This should also allow us to interop with windows KDCs.
If we get an invalid PAC at the TGS stage, we just drop it.
I'm slowly trying to move the application logic out of hdb-ldb.c, and
back in with the rest of Samba's auth system, for consistancy. This
continues that trend.
Andrew Bartlett
(This used to be commit 36973b1eef7db5983cce76ba241e54d5f925c69c)
|
|
Andrew Bartlett
(This used to be commit 890ad0412b9ee285fa25e8bab785a960a201057e)
|
|
KDC).
Andrew Bartlett
(This used to be commit 1643ad169cff56f20ba03644dec12124139ac44a)
|
|
kdc/hdb-ldb.c to share the routines used for auth/
This will require keeping the attribute list in sync, but I think it
is worth it for the next steps (sharing the server_info generation).
Andrew Bartlett
(This used to be commit da38bcefa752a508abd28e8ff6277b493d24c2dd)
|
|
to ldb, based on the sessionInfo we now pass around.
Andrew Bartlett
(This used to be commit 84e16e4ea7240409f15efd9f64344f9e0cec8111)
|
|
determining a mechanism to use.
Currently it doesn't to fallbacks like SPNEGO does, but this could be
added (to GENSEC, not to here).
This also adds a new function to GENSEC, which returns a list of SASL
names in our preference order (currently determined by the build
system of all things...).
Also make the similar function used for OIDs in SPNEGO do the same.
This is all a very long-winded way of moving from a hard-coded NTLM to
GSS-SPNEGO in our SASL client...
Andrew Bartlett
(This used to be commit 130eb9bb9a37957614c87e0e6846a812abb51e00)
|
|
(This used to be commit ce611eb5f31bc63fc23700e7a2c47e68b8f826aa)
|
|
(This used to be commit b2372cad367a29d7dca596dace703a349b381a09)
|
|
delegate by default.
Andrew Bartlett
(This used to be commit 49d489c81d5b5c86e032ed6edfda4590d1d1f2be)
|
|
DCE_STYLE modified version, and add parametric options to control
delegation.
It turns out the only remaining issue is sending delegated credentials
to a windows server, probably due to the bug lha mentions in his blog
(using the wrong key).
If I turn delgation on in smbclient, but off in smbd, I can proxy a
cifs session.
I can't wait till Heimdal 0.8, so I'll see if I can figure out the fix
myself :-)
Andrew Bartlett
(This used to be commit fd5fd03570c13f5644e53ff89ac8eca7c0985740)
|
|
of the gsskrb5_acquire_cred hack.
Add support for delegated credentials into the auth and credentials
subsystem, and specifically into gensec_gssapi.
Add the CIFS NTVFS handler as a consumer of delegated credentials,
when no user/domain/password is specified.
Andrew Bartlett
(This used to be commit 55b89899adb692d90e63873ccdf80b9f94a6b448)
|
|
via winbindd in Samba4.
Andrew Bartlett
(This used to be commit e63be25d0b6edbb17f0747663b0570145a4d55fb)
|
|
(thanks metze).
Andrew Bartlett
(This used to be commit 848831a1559d6569359bd6fb4993ccbef6ad86d8)
|
|
Andrew Bartlett
(This used to be commit 7e3c22f57be215b483ae15de4f754ed4188b5379)
|
|
authentication for user@realm logins and machine account logins.
This should avoid various protocol downgrade attacks.
Andrew Bartlett
(This used to be commit 76c2d204d0a1ec66d1ef3c935688c7571b051f46)
|
|
metze
(This used to be commit a29a107d95b67248ccd6036084829b080c892e40)
|
|
Andrew Bartlett
(This used to be commit e82fbb58ddaa3d38615d9a2d5e804f614edb2ff3)
|
|
Andrew Bartlett
(This used to be commit da24074860cb7029ef0ff45105170642174f45c1)
|
|
passwords.
Andrew Bartlett
(This used to be commit cb0b3c00572958f5ac8413cc651f627ca1871295)
|
|
Make MODULE handling a bit more like BINARY, LIBRARY and SUBSYSTEM
Add some more PUBLIC_HEADERS
(This used to be commit 875eb8f4cc658e6aebab070029fd499a726ad520)
|
|
- Adds -rpath bin/ so you don't have to install Samba in order to use compiled binaries.
- Writes out pkg-config files when building shared libs
- Supports automatic fallback to MERGEDOBJ (which is the default) or
OBJ_LIST (if ld -r is not supported)
Building with shared libs reduces the size of the Samba binaries from
197 Mb to 60 Mb (including libraries) on my system (GCC4, with debugging).
To build with shared libraries support enabled, run:
LIBRARY_OUTPUT_TYPE=SHARED_LIBRARY ./config.status
init functions don't get called correctly yet when using shared libs, so
you won't be able to actually run anything with success :-)
Once init functions are done, I'll look at support for loading shared
modules once again.
Based on a patch by Peter Novodvorsky (nidd on IRC).
(This used to be commit 0b54405685674a2b19a28d77aae5b1136b5a4728)
|
|
This avoids the nasty user@DOMAIN test for now, as it has very odd
semantics with NTLMv2.
Allow only user accounts to do an interactive login.
Andrew Bartlett
(This used to be commit 690cad8083e176b2e58fc243a11a003a78ce4074)
|
|
logins and NTLM machine account logins.
Andrew Bartlett
(This used to be commit 421e64c2b4192bb13d2857d6c8648ff687ed653e)
|
|
Andrew Bartlett
(This used to be commit 82527491b2212d34b676be1e26cc875ae2828e42)
|
|
(Make it easy to see what was put into the keytab, so we can tell when
gssapi screams that it can't pull it out).
Andrew Bartlett
(This used to be commit c56142c4ac7541fc30bdf4c77e34f5a50d80da76)
|