| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
the spec.
GSSAPI differs from GSS-SPNEGO in an additional 3 packets, negotiating
a buffer size and what integrity protection/privacy should be used.
I worked off draft-ietf-sasl-gssapi-03, and this works against Win2k3.
I'm doing this in the hope that Apple clients as well as SASL-based
LDAP tools may get a bit further.
I still can't get ldapsearch to work, it fails with the ever-helpful
'Local error'.
Andrew Bartlett
(This used to be commit 3e462897754b30306c1983af2d137329dd937ad6)
|
|
In particular, I've used the --leak-report-full option to smbd to
track down memory that shouldn't be on a long-term context. This is
now talloc_free()ed much earlier.
Andrew Bartlett
(This used to be commit c6eb74f42989d62c82d2a219251837b09df8491c)
|
|
Andrew Bartlett
(This used to be commit 3570a62876dcd656b328bf8c2c1be617ae9a8fd7)
|
|
We don't want temporary memory hanging around on the long-term
contexts.
Andrew Bartlett
(This used to be commit 85b3f6ebddfb655fdd08d1799752e562a6ff9cb1)
|
|
context.
Andrew Bartlett
(This used to be commit 1e840aa43679ceccb2a3afc694a5de0828147e8c)
|
|
From here we can add tests to Samba for kerberos, forcing it on and
off. In the process, I also remove the dependency of credentials on
GENSEC.
This also picks up on the idea of bringing 'set_boolean' into general
code from jpeach's cifsdd patch.
Andrew Bartlett
(This used to be commit 1ac7976ea6e3ad6184c911de5df624c44e7c5228)
|
|
(This used to be commit f7c28d31481f6479f258cd878d173cbc42ed9de0)
|
|
case) as the keytab.
This avoids issues in replicated setups, as we will replicate the
kpasswd key correctly (including from windows, which is why I care at
the moment).
Andrew Bartlett
(This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)
|
|
(This used to be commit e9ec3a379c45ea210a810b1cb5d65b966b7319cc)
|
|
(This used to be commit 01e98966ca955e86ec46f8bce3892899e2717df9)
|
|
length of the (possibly null) pointer.
In reality this should come to us either 16 or 0 bytes in length, but
this is the safest test.
This is bug 3401 in Samba3, thanks to Yau Lam Yiu <yiuext at cs.ust.hk>
Andrew Bartlett
(This used to be commit f3aa702944ed7086d93bf05075f910e7e4617d9c)
|
|
- fix compilation of auth/kerberos/krb5_init_context.c on AIX
metze
(This used to be commit 0e1ad08a8515056f4ed0923889bef04d85b84964)
|
|
gsskrb5_get_initiator_subkey() routine is bougs. We can indeed use
gss_krb5_get_subkey().
This is fortunate, as there was a segfault bug in 'initiator' version.
Andrew Bartlett
(This used to be commit ec11870ca1f9231dd3eeae792fc3268b31477e11)
|
|
Andrew Bartlett
(This used to be commit 08f8b2aadbc815f91fbe50a5ebcbf33504bcd7cc)
|
|
Andrew Bartlett
(This used to be commit f4386f7af17add82e88373adb1d585261d13355c)
|
|
we are going to try and have a 'real' NT token for these users, it is
going to get messy fast. I want to go down the idmap road, but we
don't have the infrustucure for that yet.
Andrew Bartlett
(This used to be commit c90d5e82ff4836765f328b2acf20fd09ec91189b)
|
|
Andrew Bartlett
(This used to be commit 37f342b01095787d4a63a419c6ab3657680c2637)
|
|
Andrew Bartlett
(This used to be commit 8f70d6270a788494dd07430f778ee90a51551e66)
|
|
structure that is more generic than just 'IP/port'.
It now passes make test, and has been reviewed and updated by
metze. (Thankyou *very* much).
This passes 'make test' as well as kerberos use (not currently in the
testsuite).
The original purpose of this patch was to have Samba able to pass a
socket address stucture from the BSD layer into the kerberos routines
and back again. It also removes nbt_peer_addr, which was being used
for a similar purpose.
It is a large change, but worthwhile I feel.
Andrew Bartlett
(This used to be commit 88198c4881d8620a37086f80e4da5a5b71c5bbb2)
|
|
metze
(This used to be commit ec1a7b5cefc32172ea97338a7101fe8416071b69)
|
|
Andrew Bartlett
(This used to be commit c10491fb9be1eb8a13f03ed16fd3ed799315287e)
|
|
(This used to be commit c722f665c90103f3ed57621c460e32ad33e7a8a3)
|
|
with clients compiled against the MIT Kerberos implementation. (Which
checks for address in KRB-PRIV packets, hence my comments on socket
functions earlier today).
It also fixes the 'set password' operation to behave correctly (it was
previously a no-op).
This allows Samba3 to join Samba4. Some winbindd operations even work,
which I think is a good step forward. There is naturally a lot of work
to do, but I wanted at least the very basics of Samba3 domain membership
to be available for the tech preview.
Andrew Bartlett
(This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
|
|
Re-introduce and use the OUTPUT_TYPE property for MODULEs to force
specific modules to always be included
(This used to be commit f9eede3d40098eddc3618ee48f9253cdddb94a6f)
|
|
(This used to be commit 98ec52beeed47c71861c284c7aae66269c074e66)
|
|
removal of this header.
Andrew Bartlett
(This used to be commit 17d4d49fe13831a4b9092b57a6279c128e10d36b)
|
|
(This used to be commit 7ff1ecdc6fa9e360dedf9737da6ce1941ad5033e)
|
|
subsystems.
This allows Samba libraries to be used by other projects (and parts of
Samba to be built as shared libraries).
(This used to be commit 44f0aba715bfedc7e1ee3d07e9a101a91dbd84b3)
|
|
metze
(This used to be commit fd7812beb21ccd14a0e7fd9db0a6eba22ebab0b2)
|
|
(This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981)
|
|
using pre-calculated passwords for all kerberos key types.
(Previously we could only use these for the NT# type).
The module handles all of the hash/string2key tasks for all parts of
Samba, which was previously in the rpc_server/samr/samr_password.c
code. We also update the msDS-KeyVersionNumber, and the password
history. This new module can be called at provision time, which
ensures we start with a database that is consistent in this respect.
By ensuring that the krb5key attribute is the only one we need to
retrieve, this also simplifies the run-time KDC logic. (Each value of
the multi-valued attribute is encoded as a 'Key' in ASN.1, using the
definition from Heimdal's HDB. This simplfies the KDC code.).
It is hoped that this will speed up the KDC enough that it can again
operate under valgrind.
(This used to be commit e9022743210b59f19f370d772e532e0f08bfebd9)
|
|
commits some of these that I know to be correct in the kerberos area.
Andrew Bartlett
(This used to be commit 6787b3737c27f5136152b007b0ee2ae314efac3c)
|
|
(This used to be commit ca8db1a0cd77682ac2c6dc4718f5d753a4fcc4db)
|
|
(This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2)
|
|
(This used to be commit c92ace494f92084ddf178626cdf392d151043bc7)
|
|
the difference between these at all, and in the future the
fact that INIT_OBJ_FILES include smb_build.h will be sufficient to
have recompiles at the right time.
(This used to be commit b24f2583edee38abafa58578d8b5c4b43e517def)
|
|
We now use a different system for initializing the modules for a subsystem.
Most subsystems now have an init function that looks something like this:
init_module_fn static_init[] = STATIC_AUTH_MODULES;
init_module_fn *shared_init = load_samba_modules(NULL, "auth");
run_init_functions(static_init);
run_init_functions(shared_init);
talloc_free(shared_init);
I hope to eliminate the other init functions later on (the
init_programname_subsystems; defines).
(This used to be commit b6d2ad4ce0a91c4be790dd258820c492ff1787ea)
|
|
Andrew Bartlett
(This used to be commit cf1883c3cc1feecf3ddd7f36dbbca3bdf068bee2)
|
|
We still have Win2000 issues, but now we correctly handle the case
where NTLMSSP is chosen as an authentication mech, but the OID list
still contains Kerberos as a later option.
Andrew Bartlett
(This used to be commit dc2b2c33f89b84bd221c9009750a22ff42fc462d)
|
|
Andrew Bartlett
(This used to be commit 31046cd22b45de6c62c9f122a81cfc898e818308)
|
|
This extracts a remote windows domain into a keytab, suitable for use
in ethereal for kerberos decryption.
For the moment, like net samdump and net samsync, the 'password
server' smb.conf option must be set to the binding string for the
server. eg:
password server = ncacn_np:mypdc
Andrew Bartlett
(This used to be commit 272013438f53bb168f74e09eb70fc96112b84772)
|
|
- the objectClass needs to be added to the list of attributes to make
the check for objectClass=computer work
- the short version of the name needs to be used for the 'cn' in
cracknames
(This used to be commit 53f0fb77c3c1bd15620f1dbb12e0d8f9fededf4b)
|
|
This is for use on user-supplied arguments to printf style format
strings which will become ldb filters. I have used it on LSA, SAMR
and the auth/ code so far.
Also add comments to cracknames code.
Andrew Bartlett
(This used to be commit 8308cf6e0472790c1c9d521d19322557907f4418)
|
|
Needs changes to our client code for automated testing.
Andrew Bartlett
(This used to be commit e751d814149d847ff1699542a4fa81eb8ca129ec)
|
|
command line processing system.
This is a little ugly at the moment, but works. What I cannot manage
to get to work is the extraction and propogation of command line
credentials into the js interface to ldb.
Andrew Bartlett
(This used to be commit f34ede763e7f80507d06224d114cf6b5ac7c8f7d)
|
|
Andrew Bartlett
(This used to be commit 949137e3122a3163a9fc923a418633a791364afe)
|
|
installed.
Install pkg-config files.
(This used to be commit a86abe84e2cae7c6188c094a92c6b62aace02fdf)
|
|
backend.
The idea is that every time we open an LDB, we can provide a
session_info and/or credentials. This would allow any ldb to be remote
to LDAP. We should also support provisioning to a authenticated ldap
server.
(They are separate so we can say authenticate as foo for remote, but
here we just want a token of SYSTEM).
Andrew Bartlett
(This used to be commit ae2f3a64ee0b07575624120db45299c65204210b)
|
|
To avoid a circular depenency, it is not allowed to use Krb5 as an
authentication mechanism, so this must be removed from the list. An
extension to the credentials system allows this function.
Also remove proto.h use for any of the KDC, and use NTSTATUS returns
in more places.
Andrew Bartlett
(This used to be commit 5f9dddd02c9c821675d2ccd07561a55edcd7f5b4)
|
|
metze
(This used to be commit c60bac5baa572a597ce6e1c2e3639be4c7daeefc)
|
