| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
The clients that do only lanman auth are on their way out, the
passwords are case insensitive, it does not support unicode and we
should not store such a poor hash of the password if we can avoid it.
Andrew Bartlett
|
|
|
|
consistency with Samba 3.
|
|
The Win7-beta domain process has changed. It no longer uses SAMR for
setting the password, and instead uses a ldap modify on a SASL
encrypted ldap connection. We didn't handle that as the unicodePwd
attribute has a dual use, holding the nt style MD4 hases for DRS
replication, but holding a UTF-16 plaintext password for a LDAP
modify.
This patch copes with the ldap unicodePwd modify by recognising the
format and creating the correct attributes on the fly. Note that this
assumes we will never get a unicodePwd attribute set in NT MD4 format
with the first 2 and last 2 bytes set to 0x22 0x00.
Andrew Bartlett is looking at a more robust solution, possibly using a
flag to say that this modify came via ldap, and not internal ldb
calls.
|
|
The only 2 modules escaping the rule so far are rootdse and partitions
|
|
This fixes the creation of the user object for incoming trusts
in dcesrv_lsa_CreateTrustedDomain_base().
And now w2k3 trust samba4 just fine:-)
metze
|
|
now to work out how to test this ...
|
|
make them wrappers around convert_string{,talloc}_convenience().
|
|
3.
|
|
This uses a virtual attribute 'clearTextPassword' (name chosen to
match references in MS-SAMR) that contains the length-limited blob
containing an allegidly UTF16 password. This ensures we do no
validation or filtering of the password before we get a chance to MD4
it. We can then do the required munging into UTF8, and in future
implement the rules Microsoft has provided us with for invalid inputs.
All layers in the process now deal with the strings as length-limited
inputs, incluing the krb5 string2key calls.
This commit also includes a small change to samdb_result_passwords()
to ensure that LM passwords are not returned to the application logic
if LM authentication is disabled.
The objectClass module has been modified to allow the
clearTextPassword attribute to pass down the stack.
Andrew Bartlett
|
|
|
|
|
|
metze
(This used to be commit fac7c79afae05a88ecc2a63c8eb9f2fd53ab7ce6)
|
|
But it's still of by default until we now what triggers this generation.
It could be that the value is always generated but the KDC only
uses it when in a specific funtional level, but it could also
be that it's only generated in a specific functional level.
metze
(This used to be commit 08618bbd508ede0bb9e1922fae562cffdca41cbd)
|
|
like windows
metze
(This used to be commit ca9cd81a1798fb15195566422b3cad7c282fce89)
|
|
metze
(This used to be commit 4ad73a0bf8952783d3d9a7339c0c4fd8ca28981a)
|
|
the hashes
metze
(This used to be commit 5edff84429ef0d03b47a438e18861d26c97e17b6)
|
|
metze
(This used to be commit 1bf552856f3a930c4716ceb73d9ba9adf7502d3d)
|
|
metze
(This used to be commit 19b8c8e37bafab050ab61266c35006efada2947c)
|
|
metze
(This used to be commit 5b860572686167d0291161f6597f143e538e2f3a)
|
|
metze
(This used to be commit 26e9169d454349795ad0bc64d7f65059541ab89e)
|
|
This attribute is used in a very similar way (virtual attribute
updating the password) in AD on Win2003, so eliminate the difference.
This should not cause a problem for on-disk passwords, as by default
we do not store the plaintext at all.
Andrew Bartlett
(This used to be commit 1cf0d751493b709ef6b2234ec8847a7499f48ab3)
|
|
Andrew Bartlett
(This used to be commit d2b5f40d80008ca3269118915409333755b6eac3)
|
|
This reworks quite a few parts of our provision system to use
CN=NETBIOSNAME as the domain for member servers.
This makes it clear that these domains are not in the DNS structure,
while complying with our own schema (found by OpenLDAP's schema
validation).
Andrew Bartlett
(This used to be commit bda6a38b055fed2394e65cdc0b308a1442116402)
|
|
(This used to be commit ce332130ea77159832da23bab760fa26921719e2)
|
|
everywhere.
(This used to be commit 85c96a325867f7bcdb412ebc53f8a47dbf7cd89b)
|
|
(This used to be commit c863f4ebde8efa1a695b4469142d6719e30bc419)
|
|
library, so it can be overridden by OpenChange.
(This used to be commit 2f29f80e07adef1f020173f2cd6d947d0ef505ce)
|
|
ndr_struct_push_blob().
(This used to be commit 61ad78ac98937ef7a9aa32075a91a1c95b7606b3)
|
|
(This used to be commit 6ac86f8be7d9a8c5ab396a93e6d1e6819e11f173)
|
|
(This used to be commit e53e79eebef3ece6978f0a2b4a1ee0a0814bb5d2)
|
|
(This used to be commit 95a6ef7fc8757ccfd90dbf0d6c9b5098f10b10b6)
|
|
(This used to be commit 7780bf285fdfc30f89409d0436bad0d4b6de5cd4)
|
|
global_loadparm.
(This used to be commit 37d05fdc7b0e6b3211ba6ae56b1b5da30a6a392a)
|
|
lib/messaging/
lib/registry/
lib/ldb-samba/
librpc/rpc/
auth/auth_winbind.c
auth/gensec/
auth/kerberos/
dsdb/repl/
dsdb/samdb/
dsdb/schema/
torture/
cluster/ctdb/
kdc/
ntvfs/ipc/
torture/rap/
ntvfs/
utils/getntacl.c
ntptr/
smb_server/
libcli/wrepl/
wrepl_server/
libcli/cldap/
libcli/dgram/
libcli/ldap/
libcli/raw/
libcli/nbt/
libnet/
winbind/
rpc_server/
metze
(This used to be commit 6223c7fddc972687eb577e04fc1c8e0604c35435)
|
|
(This used to be commit b7371f1a191fb86834c0d586d094f39f0b04544b)
|
|
(This used to be commit fd697d77c9fe67a00939a1f04b35c451316fff58)
|
|
number in more places.
(This used to be commit df9cebcb97e20564359097148665bd519f31bc6f)
|
|
(This used to be commit abe8349f9b4387961ff3665d8c589d61cd2edf31)
|
|
ts=4 lines that I accidently added earlier.
(This used to be commit 0bcb21ed740fcec0f48ad36bbc2deee2948e8fc7)
|
|
(This used to be commit 31993cf67b816a184a4a4e92ef8ca2532c797190)
|
|
dead anyway, and a segfault would leave us with more infomation.
Andrew Bartlett
(This used to be commit 62320616ff8795ff18c8f49029d81f12558c10ed)
|
|
There are still a few tidyups of old FSF addresses to come (in both s3
and s4). More commits soon.
(This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
|
|
(This used to be commit 1abda90f15bcfb56ac56b01fd2b7343fade3843c)
|
|
context. We now have an event context on the torture_context, and we
can also get one from the cli_credentials structure
(This used to be commit c0f65eb6562e13530337c23e3447a6aa6eb8fc17)
|
|
see http://technet2.microsoft.com/WindowsServer/en/library/717b450c-f4a0-4cc9-86f4-cc0633aae5f91033.mspx?mfr=true
for how the hashes are supposed to be (but w2k3 doesn't to some correctly...)
this is a verify nice tool to test the hash genaration, but
you need to add support for "" realm strings...
http://fresh.t-systems-sfr.com/unix/src/www/httpauth-0.6.tar.gz:a/httpauth-0.6/tools/mkha1.c
metze
(This used to be commit 26d51741b6aa54c47ee039ac14390f1f0ee51e30)
|
|
so that ndr_pull will fail if version isn't 3 and we notice
if the format changes...
metze
(This used to be commit 91f7a094cfd04405c224b9579146d814cba507b3)
|
|
- use "sambaPassword" only as virtual attribute for passing
the cleartext password (in unix charset) into the ldb layer
- store des-cbc-crc, des-cbc-md5 keys in the Primary:Kerberos
blob to match w2k and w2k3
- aes key support is disabled by default, as we don't know
exacly how longhorn stores them. use password_hash:create_aes_key=yes
to force creation of them.
- store the cleartext password in the Primary:CLEARTEXT blob
if configured
TODO:
- find out how longhorn stores aes keys
- find out how the Primary:WDigest blob needs to be constructed
(not supported by w2k)
metze
(This used to be commit e20b53f6feaaca2cc81ee7d296ca3ff757ee3953)
|
|
metze
(This used to be commit 97fc985bd062b6ad5a58dd6ce883a637043283a1)
|
|
for the keytype field...
metze
(This used to be commit e96aa8980097712d7666a85f17c7214486d99618)
|
