| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
The previous API was not clear as to who owned the returned session key.
This fixes a valgrind-found use-after-free in the NTLMSSP key derivation code,
and avoids making allocations - we steal and zero instead.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
with the latest bind9 nsupdate, we need to be able to control if the
ticket we use is forwardable
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
when we are an RODC we need to be able to allow multiple auth backends
to process a single auth request. First the sam backend will try to
authenticate, using locally stored passwords. If this backend can't
find local passwords then it will try the winbind backend and
authenticate via a writeable DC
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
when an RODC tries to authenticate against an account and the account
has no password information it needs to send a message to the drepl
server to tell it to try and replicate the secret information from
a writeable DC
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
|
|
This ensures we get whenChanged, which is needed by the s3 winbind
code to ensure we don't repeatedly try to change the password
|
|
metze
|
|
This uses the winbind protocol directly, which needs to be avoided!
metze
|
|
We should only look at err if WBC_ERR_AUTH_ERROR is returned.
metze
|
|
metze
|
|
raise the debug level
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
|
|
struct dom_sid
This makes the structure much more like NT_USER_TOKEN in the source3/
code. (The remaining changes are that privilages still need to be merged)
Andrew Bartlett
|
|
This also changes the primary group for anonymous to be the anonymous
SID, and adds code to detect and ignore this when constructing the token.
Andrew Bartlett
|
|
|
|
|
|
This isn't needed any more, and just introduces complexity.
|
|
There isn't a good reason why this code is duplicated.
Andrew Bartlett
|
|
This makes the structure more like Samba3's NT_USER_TOKEN
|
|
This also changes the calling convention slightly - we should always
allocate this with talloc_zero() to allow some elements to be
optional. Some elements may only make sense in Samba3, which I hope
will use this common structure.
Andrew Bartlett
|
|
This means that the core logic (but not the initialisation) of the
NTLMSSP server is in common, but uses different authentication backends.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
libcli/auth Use true and false rather than True and False in common code
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
this gets replaced by vnum from the build rule
|
|
This changes the talloc treatment of the session keys to avoid
memory duplication - the session key has always been allocated
onto the ntlmssp_context by the auth subsystem callback.
The remainder of the changes are cosmetics, such as avoiding
using lm_session_key as a pointer (and avoiding then doing an
if statement on something that is always true).
Andrew Bartlett
|
|
By re-adding this wrapper, the actual guts of these functions are now very
similar to that found in source3/libsmb/ntlmssp.c
This should make it easier to merge the implementations.
Andrew Bartlett
|
|
While it would save some CPU to only setup the session key when
requested (like windows does), this instead matches the
implementation in source3/libsmb/ntlmssp.c
We could re-add this later after the codebase is merged.
Andrew Bartlett
|
|
This does not change behaviour, and some of the whitespace isn't ideal, but
at the moment making this code more similar, even in cosmetics, will assist
later merge efforts.
Andrew Bartlett
|
|
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
It seems that because the flag is false, this always used the supplied credentials
rhather than establish anonymous connection.
|
|
|
|
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
|
|
not available in the DN."
This reverts commit fa9557fee3ca546878d99b77f1ff37f724c37024.
See post "Endi's Bug 7530 patches (LDAP backend)" on samba-technical.
|
|
The KDC needs this to determine what encryption types an entry supports
Andrew Bartlett
|
|
This will allow us to interpret this attibute broadly in Samba.
Andrew Bartlett
|
|
This ensures that our DC will use all the available encyption types.
(The KDC reads this entry to determine what the server supports)
Andrew Bartlett
|
|
We can save one search operation if "only_childs" is false and when we had no
SID passed as extended DN component.
|
|
|
|
possible
And always catch LDB errors
|
|
available in the DN.
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
|
|
To have the same order as in the structure definition.
|
|
Using "#!/usr/bin/env python" is more portable. It still isn't ideal
though, as we should really use the python path found at configure
time. We do that in many places already, but some don't.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
This reverts commit 94e3b4a0d8b714c101803886d60ae6c484740d2f.
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
|
|
Andrew, please review!
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
|
|
setUp methods are called, fix formatting.
|
|
|
