Age | Commit message (Collapse) | Author | Files | Lines |
|
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Wed Oct 5 09:45:15 CEST 2011 on sn-devel-104
|
|
to properly support multi-domain forests we need to determine if an
incoming username is part of a known forest domain or not. To do this
for all possible SPN forms, we need to use CrackNames.
This changes map_user_info() to use CrackNames if a SAM context is
available, and asks the CrackNames services to parse the incoming
username and domain into a NT4 form, which can then be used in the
SAM.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
We need to exclude GC partial replica naming contexts from SAM lookups
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Reviewed-by: Jelmer
|
|
This assists with avoiding duplicate symbols.
Andrew Bartlett
|
|
metze
|
|
|
|
|
|
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Thu Aug 18 22:16:38 CEST 2011 on sn-devel-104
|
|
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sun Aug 14 17:18:46 CEST 2011 on sn-devel-104
|
|
Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Sun Aug 14 00:38:13 CEST 2011 on sn-devel-104
|
|
|
|
If we pass variable references we don't get implicit casting!
metze
|
|
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Aug 8 14:53:53 CEST 2011 on sn-devel-104
|
|
This is needed so that OpenChange can get at _tevent_req_nterr(), which is referenced
by generated PIDL output.
Andrew Bartlett
|
|
|
|
This avoids having the same check in 3 different parts of the code
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Aug 3 12:45:04 CEST 2011 on sn-devel-104
|
|
The auth4_context is already in the gensec_security structure, which is
available by de-reference here anyway.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This allows the current behaviour of the NTLMSSP code to be unchanged
while adding a way to hook in an alternate implementation via an auth
module.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
gensec_session_key()
This is slightly less efficient, because we no longer keep a cache on
the gensec structures, but much clearer in terms of memory ownership.
Both gensec_session_info() and gensec_session_key() now take a mem_ctx
and put the result only on that context.
Some duplication of memory in the callers (who were rightly uncertain
about who was the rightful owner of the returned memory) has been
removed to compensate for the internal copy.
Andrew Bartlett
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
The startup and runtime functions that have no dependencies are moved
into the top level.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Jul 29 05:33:03 CEST 2011 on sn-devel-104
|
|
This allows us to honour the AUTH_SESSION_INFO_UNIX_TOKEN flag.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Use the object names as <modulename>.<objectname> to correctly generate the
object hierarchy in pydoc.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Use the object names as <modulename>.<objectname> to correctly generate the
object hierarchy in pydoc.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Jul 25 09:45:01 CEST 2011 on sn-devel-104
|
|
This will allow the source3 auth code to call this without needing to
double-parse the SIDs
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
metze
|
|
metze
|
|
If the KDC does not support S4U2Proxy, it might return a ticket
for the TGT client principal.
metze
|
|
For S4U2Proxy we need to use the ticket from the S4U2Self stage
and ask the kdc for the delegated ticket for the target service.
metze
|
|
Old KDCs may not support S4U2Self (or S4U2Proxy) and return tickets
which belongs to the client principal of the TGT.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jun 22 09:10:55 CEST 2011 on sn-devel-104
|
|
This will make the following changes easier to review.
metze
|
|
In order to make the following changes easier to review.
metze
|
|
It's important that we don't store the tgt for the machine account
in the same krb5_ccache as the ticket for the impersonated principal.
We may pass it to some krb5/gssapi functions and they may use them
in the wrong way, which would grant machine account privileges to
the client.
metze
|
|
This will make the following changes easier to review.
metze
|
|
metze
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
The two error tables need to be combined, but for now seperate the names.
(As the common parts of the tree now use the _common function,
errmap_unix.c must be included in the s3 autoconf build).
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Jun 20 08:12:03 CEST 2011 on sn-devel-104
|
|
Due to library link orders, this is already the function that is being
used. However we still need to sort out the duplicate symbol issues,
probably by renaming things.
Andrew Bartlett
|
|
PRIMARY_GROUP_SID_INDEX
The system account was instanciated with wrong user an group SIDs, group
sid resulted being just the domain SID.
Bug seems to date from fbe6d155bf177c610ee549cc534650b0f0700e8a.
Andrew (B.) please check.
|
|
this prevents spurious error messages on client commands when when we
will fallback to NTLM authentication
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Relicts from commit 323c7445713d17989452b99bbb541248bb2388eb
Reviewed-by: Jelmer
|
|
Reviewed-by: Tridge
|
|
This allows us to print much more debugging in this critical situation.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Jun 8 04:19:58 CEST 2011 on sn-devel-104
|
|
In a long-lived credentials cache situation, we may need to refetch
the ticket after (say) 10 hours. This code should help that happen,
by checking the lifetime before returning any credentials cache or
GSSAPI credentials.
Andrew Bartlett
|
|
This means that we will leave a slew of file based credentials caches
in /tmp, which should give some clues to the administrator or
developer via klist as to what has gone wrong.
Andrew Bartlett
|