Age | Commit message (Collapse) | Author | Files | Lines |
|
Windows does not use a KVNO when it checks it's passwords, and MIT
doesn't check the KVNO when no acceptor identity is specified (looping
over all keys in the keytab).
Andrew Bartlett
|
|
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Mon Mar 14 23:53:46 CET 2011 on sn-devel-104
|
|
This should definitely fix bug #7858.
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Fri Feb 25 12:39:21 CET 2011 on sn-devel-104
|
|
This reverts commit 80e23c68d83a7c9989f87d5a88a78bb76d222afc.
A better patch has been provided by Milan Crha in the following commit.
|
|
The lex/yacc files were generated on Fedora 14, and have empty
filenames in #line declarations. I don't know why this is, but it
seems best just to omit the #line statements.
This is what was causing Valgrind on Fedora not to run on Samba
binaries and programs linked to Samba libraries.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Feb 25 11:46:56 CET 2011 on sn-devel-104
|
|
aa88eb1a05c4985cc23fb65fc1bad75bdce01c1f)
|
|
Convert hbase and hcrypto to libraries.
|
|
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Fri Dec 17 21:09:25 CET 2010 on sn-devel-104
|
|
|
|
|
|
|
|
|
|
|
|
still needs to be made a proper library).
|
|
|
|
|
|
This is needed because otherwise on some OS like netbsd,openbsd,MacOSX.
The preprossessing of ./heimdal/lib/gssapi/mech/cred.h on this plateform
is broken because mechqueue.h's definition won't be used as SLIST_HEAD
is already defined.
The definition occurs when net/if.h is included as it includes
sys/queue.h
Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Sat Dec 11 00:34:51 CET 2010 on sn-devel-104
|
|
81fe27bcc0148d410ca4617f8759b9df1a5e935c)
|
|
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Dec 1 00:59:59 CET 2010 on sn-devel-104
|
|
this e_data field in a kerberos error packet tells windows to do clock
skew recovery.
See [MS-KILE] 2.2.1 KERB-ERROR-DATA
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
|
|
Heimdal uses HEIMDAL_NORETURN_ATTRIBUTE and HEIMDAL_PRINTF_ATTRIBUTE,
and we need to provide a link between these and Samba's function
attribute handling.
Andrew Bartlett
|
|
5734d03c20e104c8f45533d07f2a2cbbd3224f29)
|
|
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Nov 11 10:37:03 UTC 2010 on sn-devel-104
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
The clock skew handling was previously only on properly wrapped
GSSAPI, and was skipped for DCE-style. This allows the ASN.1 errors
from the krb5_rd_req to suggest parsing as a kerberos error packet.
Andrew Bartlett
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Mon Nov 8 07:58:09 UTC 2010 on sn-devel-104
|
|
There are exceptions from the expected behaviour of 'checksum type
matches key type' that we must deal with here, or else we can't serve
DES-only servers.
Andrew Bartlett
|
|
|
|
the lex code in heimdal had a function error_message() which conflicts
with a function from the com_err library. This replaces it with
lex_err_message()
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
1bea031b9404b14114b0272ecbe56e60c567af5c)
|
|
42cabfb5b683dbcb97d583c397b897507689e382)
I based this on Matthieu's import of lorikeet-heimdal, and then
updated it to this commit.
Andrew Bartlett
|
|
|
|
This was a wonderful bug!
On some Fedora systems, but not on Ubuntu, there is a difference
between UTC and GMT. Heimdal replaced timegm() with _der_timegm()
which did not account for that difference (which is 24 seconds at the
moment). This led to a mutual authentication failure.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
If we re-use this context, we overwrite the timestamp while talking
to the KDC and fail the mutual authentiation with the target server.
Andrew Bartlett
|
|
If the host running this code used IPv6 forms for IPv4 addreses
then the check for '.' would not be sufficient to determine that this
isn't a name we should mangle. Instead, check if it can be parsed
as a numeric address first, and only then mangle.
Andrew Bartlett
|
|
In this case, the whole request packet should be forwarded to
a real KDC, with full secrets, as we don't have the password.
This could also be used to implement 'play dead when the LDAP
server is down'.
Andrew Bartlett
|
|
This should allow master key rollover.
(but the real reason is to allow multiple krbtgt accounts, as used by
Active Directory to implement RODC support)
Andrew Bartlett
|
|
When you have a domain search list in resolv.conf, and one of the DNS
servers for a searched domain is uncontactable then we would timeout
resolving DNS names.
Avoid this by adding a '.' to the hostname if the hostname already has
a '.' in it, which we assume to mean it is fully qualified.
|
|
Karolin
|
|
metze
|
|
Karolin
|
|
This allows us to resolve multiple forms of a name, allowing for
example machine$@REALM to get an S4U2Self ticket for
host/machine@REALM.
Andrew Bartlett
|
|
Karolin
|
|
|
|
f4e0dc17709829235f057e0e100d34802d3929ff)
|
|
|
|
a5e675fed7c5db8a7370b77ed0bfa724196aa84d)
|
|
security issues
|