Age | Commit message (Collapse) | Author | Files | Lines |
|
The parameters "lmNewHash" and/or "ntNewHash" could be NULL and when we perform
write operations on them (look below in the code) we could get SIGSEGVs!
|
|
|
|
|
|
This will be used by the linked_attribute module
|
|
This came from the linked_attributes module, but now the
repl_meta_data module needs the same functionality, so move it to a
common routine.
|
|
one-line wrapper)
|
|
|
|
Guenther
|
|
Guenther
|
|
|
|
|
|
This bit actually means that we should ignore the minimum password
length field for this user. It doesn't mean that the password should
be seen as empty
|
|
|
|
consistency with Samba 3.
|
|
client code.
|
|
Guenther
|
|
Guenther
|
|
make them wrappers around convert_string{,talloc}_convenience().
|
|
I'm very glad we have such a comprehensive testsuite for the SAMR
password change process, as it makes this a much easier task to get
right.
Andrew Bartlett
|
|
This uses a virtual attribute 'clearTextPassword' (name chosen to
match references in MS-SAMR) that contains the length-limited blob
containing an allegidly UTF16 password. This ensures we do no
validation or filtering of the password before we get a chance to MD4
it. We can then do the required munging into UTF8, and in future
implement the rules Microsoft has provided us with for invalid inputs.
All layers in the process now deal with the strings as length-limited
inputs, incluing the krb5 string2key calls.
This commit also includes a small change to samdb_result_passwords()
to ensure that LM passwords are not returned to the application logic
if LM authentication is disabled.
The objectClass module has been modified to allow the
clearTextPassword attribute to pass down the stack.
Andrew Bartlett
|
|
|
|
|
|
The previous ldb_search() interface made it way too easy to leak results,
and being able to use a printf-like expression turns to be really useful.
|
|
This attribute is used in a very similar way (virtual attribute
updating the password) in AD on Win2003, so eliminate the difference.
This should not cause a problem for on-disk passwords, as by default
we do not store the plaintext at all.
Andrew Bartlett
(This used to be commit 1cf0d751493b709ef6b2234ec8847a7499f48ab3)
|
|
Michael
(This used to be commit 3b0917dbc5399dc6835b523d762b244bdcf45b79)
|
|
(This used to be commit 3b8eec7ca334528cad3cdcd5e3fc5ee555d8d0e0)
|
|
(This used to be commit 47ffbbf67435904754469544390b67d34c958343)
|
|
(This used to be commit 9a1466abbd4115f4a57d794006aca29aa0184ced)
|
|
Andrew Bartlett
(This used to be commit bc607c334ff86624b891886a6f874da2bcff113e)
|
|
This change removes a dependency on objectclass=domainDNS, and avoids
a subtree search when we really know exactly where this record is.
Andrew Bartlett
(This used to be commit 52947fc0c019e57438a21e54953601b6cc08eb49)
|
|
This reworks quite a few parts of our provision system to use
CN=NETBIOSNAME as the domain for member servers.
This makes it clear that these domains are not in the DNS structure,
while complying with our own schema (found by OpenLDAP's schema
validation).
Andrew Bartlett
(This used to be commit bda6a38b055fed2394e65cdc0b308a1442116402)
|
|
(This used to be commit d28f2cb678b334086f601505c88e56b9c1ee559d)
|
|
Windows uses 2 different values to indicate an account doesn't expire: 0 and
9223372036854775807 (0x7FFFFFFFFFFFFFFFULL).
This function looks up the value of the accountExpires attribute and if the
value is either value indicating the account doesn't expire,
0x7FFFFFFFFFFFFFFFULL is returned.
This simplifies the tests for account expiration. There is no need to check
elsewhere in the code for both values, therefore a simple greater-than
expression can be used.
(This used to be commit 7ce5575a3a40cca4a45ec179a153f7e909065a87)
|
|
(This used to be commit 2b408e9ed4caf14e1ac047fd76127a5c979e5177)
|
|
This takes the previous patches further, so we catch all the cases
(the KDC looked at the time directly).
Andrew Bartlett
(This used to be commit cda4642a937d249399e25eaa6e5e20a0d440bcbf)
|
|
More correctly handle expired passwords, and do not expire machine accounts.
Test that the behaviour is consistant with windows, using the RPC-SAMR test.
Change NETLOGON to directly query the userAccountControl, just because
we don't want to do the extra expiry processing here.
Andrew Bartlett
(This used to be commit acda1f69bc9b9c43e157e254d0bae54d11363661)
|
|
(My bad when copying this code into samdb_is_gc()).
Andrew Bartlett
(This used to be commit b4a95a89853a0ebd75b39f01bbdbf82e05e97bd7)
|
|
this can be shared with the CLDAP server (for the netlogon reply).
Andrew Bartlett
(This used to be commit 592c10ae11c94007e38404a7edea9fd8471f1907)
|
|
library, so it can be overridden by OpenChange.
(This used to be commit 2f29f80e07adef1f020173f2cd6d947d0ef505ce)
|
|
ndr_struct_push_blob().
(This used to be commit 61ad78ac98937ef7a9aa32075a91a1c95b7606b3)
|
|
(This used to be commit 85eeecf997a071ca7e7ad0247e8d34d49b7ffcbb)
|