Age | Commit message (Collapse) | Author | Files | Lines |
|
Andrew Bartlett
(This used to be commit 7e3c22f57be215b483ae15de4f754ed4188b5379)
|
|
authentication for user@realm logins and machine account logins.
This should avoid various protocol downgrade attacks.
Andrew Bartlett
(This used to be commit 76c2d204d0a1ec66d1ef3c935688c7571b051f46)
|
|
metze
(This used to be commit a29a107d95b67248ccd6036084829b080c892e40)
|
|
Andrew Bartlett
(This used to be commit e82fbb58ddaa3d38615d9a2d5e804f614edb2ff3)
|
|
Andrew Bartlett
(This used to be commit da24074860cb7029ef0ff45105170642174f45c1)
|
|
passwords.
Andrew Bartlett
(This used to be commit cb0b3c00572958f5ac8413cc651f627ca1871295)
|
|
Make MODULE handling a bit more like BINARY, LIBRARY and SUBSYSTEM
Add some more PUBLIC_HEADERS
(This used to be commit 875eb8f4cc658e6aebab070029fd499a726ad520)
|
|
- Adds -rpath bin/ so you don't have to install Samba in order to use compiled binaries.
- Writes out pkg-config files when building shared libs
- Supports automatic fallback to MERGEDOBJ (which is the default) or
OBJ_LIST (if ld -r is not supported)
Building with shared libs reduces the size of the Samba binaries from
197 Mb to 60 Mb (including libraries) on my system (GCC4, with debugging).
To build with shared libraries support enabled, run:
LIBRARY_OUTPUT_TYPE=SHARED_LIBRARY ./config.status
init functions don't get called correctly yet when using shared libs, so
you won't be able to actually run anything with success :-)
Once init functions are done, I'll look at support for loading shared
modules once again.
Based on a patch by Peter Novodvorsky (nidd on IRC).
(This used to be commit 0b54405685674a2b19a28d77aae5b1136b5a4728)
|
|
This avoids the nasty user@DOMAIN test for now, as it has very odd
semantics with NTLMv2.
Allow only user accounts to do an interactive login.
Andrew Bartlett
(This used to be commit 690cad8083e176b2e58fc243a11a003a78ce4074)
|
|
logins and NTLM machine account logins.
Andrew Bartlett
(This used to be commit 421e64c2b4192bb13d2857d6c8648ff687ed653e)
|
|
Andrew Bartlett
(This used to be commit 82527491b2212d34b676be1e26cc875ae2828e42)
|
|
(Make it easy to see what was put into the keytab, so we can tell when
gssapi screams that it can't pull it out).
Andrew Bartlett
(This used to be commit c56142c4ac7541fc30bdf4c77e34f5a50d80da76)
|
|
Andrew Bartlett
(This used to be commit eed8f4a03168a72910c829e490937c696c00b697)
|
|
Andrew Bartlett
(This used to be commit 89623af30f25150da42a17f825e202b2ae9f7898)
|
|
(We now ask the kerberos libraries to handle getting and unwapping the PAC).
Andrew Bartlett
(This used to be commit 6a0beb29da2aaa4d432cf9643924db3c2e77a858)
|
|
than doing ASN.1 parsing in Samba.
Also use the API function for getting a client from a ticket, rather
than just digging in the structure.
Andrew Bartlett
(This used to be commit 25d5ea6d724bd2b64a6086ae6e2e1c5148b8ca4a)
|
|
(This used to be commit 204185576c6a4df5e43e5a97cb13227407c09e6e)
|
|
itself in the auth_sam module.
Andrew Bartlett
(This used to be commit 0800942dbb1511586a896c6376c436a4552c54be)
|
|
Support installing libraries.
Get rid of pkg-config file (will be autogenerated later on).
(This used to be commit b4745032a2c55752c527026feb221ccc3dce10c8)
|
|
Andrew Bartlett
(This used to be commit ecacef213b28adb84d3ffb5b76bf1b079e25426c)
|
|
metze
(This used to be commit 716e6b0c883836e50400413cccbeb6fab5cb5744)
|
|
Andrew Bartlett
(This used to be commit bc6f6f9381b1038273f87feb35484dc61dd8bd8e)
|
|
we can round-trip all the way back to a server_info structure, not
just a filled in PAC_DATA. (I was worried about generated fields being
incorrect, or some other logical flaw).
Andrew Bartlett
(This used to be commit 11b1d78cc550c60201d12f8778ca8533712a5b1e)
|
|
I'm sure this will not be the final resting place, but it will do for
now.
Use the cracknames code in auth/ for creating a server_info given a
principal name only (should avoid assumtions about spliting a
user@realm principal).
Andrew Bartlett
(This used to be commit c9d5d8e45dd7b7c99b6cf35b087bc18012f31222)
|
|
(This used to be commit 24e10300906c380919d2d631bfb3b8fd6b3f54ba)
|
|
Add the kpasswd server to our KDC, implementing the 'original' and
Microsoft versions of the protocol.
This works with the Heimdal kpasswd client, but not with MIT, I think
due to ordering issues. It may not be worth the pain to have this
code go via GENSEC, as it is very, very tied to krb5.
This gets us one step closer to joins from Apple, Samba3 and other
similar implementations.
Andrew Bartlett
(This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
|
|
Andrew Bartlett
(This used to be commit 4d9667f5a037eb15f6f0e4329314a37f148e9db7)
|
|
credentials. This works with the setup/secrets.ldif change from the
previous patch, and pretty much just re-invents the keytab.
Needed for kpasswdd work.
Andrew Bartlett
(This used to be commit cc9d167bab280eaeb793a5e7dfdf1f31be47fbf5)
|
|
reasonable value to fill in for the mechListMIC.
Andrew Bartlett
(This used to be commit 51d78de2b79f4ab75c86c3255c23a478c6822a0e)
|
|
and remove now duplicated unwrap_pac().
Andrew Bartlett
(This used to be commit 90642d54e02e09edc96b9498e66befda20dbb68d)
|
|
to make some this the kerberos library's problem, we may as well use
the best code that is around.
Andrew Bartlett
(This used to be commit a7fe3078a65f958499779f381731b408f3e6fb1f)
|
|
I'm also worried this might cause loops, if we get a 'force password
change', and the prompter tries to 'deal with it'.
Andrew Bartlett
(This used to be commit 5bc10c4e472b45c5b5b0ea0c3dd100be6f4dabca)
|
|
http://lists.samba.org/archive/samba-technical/2005-October/043443.html)
(This used to be commit 7fffc5c9178158249be632ac0ca179c13bd1f98f)
|
|
main gensec_krb5_start and always ask for sequence numbers.
Andrew Bartlett
(This used to be commit 801cd6c6ffa96ac79eb425adf7c97eb2cfcbed4a)
|
|
Andrew Bartlett
(This used to be commit ee9a93688d31d8da91b81e9b0f6fac3fa4894c13)
|
|
secureChannelType (non machine join records).
Andrew Bartlett
(This used to be commit 3dddf497ccf246af435e6e2802d8f3745f2e4fd3)
|
|
authentication. This pulls the creating of the keytab back to the
credentials code, and removes the special case of 'use keberos keytab
= yes' for now.
This allows (and requires) the callers to specify the credentials for
the server credentails to GENSEC. This allows kpasswdd (soon to be
added) to use a different set of kerberos credentials.
The 'use kerberos keytab' code will be moved into the credentials
layer, as the layers below now expect a keytab.
We also now allow for the old secret to be stored into the
credentials, allowing service password changes.
Andrew Bartlett
(This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
|
|
header.
Andrew Bartlett
(This used to be commit a665b56085cbf89c6deaeef0deaed31fcbc07458)
|
|
the client doesn't guess correctly on the mech to use. It must back
off and try the mech the server selected from the list.
I'm not particularly attached to our SPNEGO parser, so while I can't
easily use the SPNEGO application logic in Heimdal, I'm going to look
closely at using the asn1 routines to avoid some pain here.
Andrew Bartlett
(This used to be commit 929217387449270b60c3f825dca3b3cae5a4f9d1)
|
|
Jeremy.
(This used to be commit bfa41398a65037c6017b0af0ea1f0423011df150)
|
|
initial NTLMSSP negotiate blob of only 16 bytes - no strings
added ! (So don't try parsing them).
Jeremy.
(This used to be commit 42d93a317ab424a0720620b83c285b5118bcc06f)
|
|
NTLMSSP client and domain strings as Unicode, even when setting
flags as OEM. Cope with this.
Jeremy.
(This used to be commit 77399e1cecc44674c3398143d8a5bb59c600abcd)
|
|
metze
(This used to be commit d9d3fe1b8aa34f5d87b73b94253b4230303cba76)
|
|
before the bad merge
metze
(This used to be commit 471c0ca4abb17fb5f73c0efed195c67628c1c06e)
|
|
(This used to be commit 6913e338405a5aca5c70cf6e022532c596ed0a36)
|
|
UDP or TCP.
Andrew Bartlett
(This used to be commit ae0b4028ff7033dab70687376c2090baa692cf58)
|
|
previous patch.
Andrew Bartlett
(This used to be commit 2c537d47ba99885c6462016342b1cc29df4c54c5)
|
|
authentication out of the various callers and into the kitchen
sink.. err, credentials subsystem.
This should ensure consistant logic, as well as get us one step closer
to security=server operation in future.
Andrew Bartlett
(This used to be commit 09c95763301c0f7770d56462e8af4169b8c171fb)
|
|
code in Samba3.
Andrew Bartlett
(This used to be commit 36e302bac87d0a07c86cc4c841d376c778630dab)
|
|
most of the changes are fixes to make all the ldb code compile without
warnings on gcc4. Unfortunately That required a lot of casts :-(
I have also added the start of an 'operational' module, which will
replace the timestamp module, plus add support for some other
operational attributes
In ldb_msg_*() I added some new utility functions to make the
operational module sane, and remove the 'ldb' argument from the
ldb_msg_add_*() functions. That argument was only needed back in the
early days of ldb when we didn't use the hierarchical talloc and thus
needed a place to get the allocation function from. Now its just a
pain to pass around everywhere.
Also added a ldb_debug_set() function that calls ldb_debug() plus sets
the result using ldb_set_errstring(). That saves on some awkward
coding in a few places.
(This used to be commit f6818daecca95760c12f79fd307770cbe3346f57)
|