Age | Commit message | Author | Files | Lines |
|
- if you want kerberos now, you need to unpack a lorikeet heimdal
tree in source/heimdal/. If source/heimdal/ does not exist at
configure time then all kerberos features are disabled. You cannot
use an external kerberos library for now. That may change later.
- moved lib/replace/ config stuff to lib/replace/ and create a
lib/replace/replace.h. That allows the heimdal build to use our
portability layer, and prevents duplicate definitions of functions
like strlcat()
- if you do enable heimdal, then you will need to do 'make
HEIMDAL_EXTERNAL' before you build Samba. That should be fixed once
I explain the problem to jelmer (the problem is the inability to
set a depend without also dragging in the object list of the
dependency. We need this for building the heimdal asn1 compiler and
et compiler).
- disabled all of the m4 checks for external kerberos libraries. I
left them in place in auth/kerberos/, but disabled it in
configure.in
some of the heimdal_build/ code is still very rough, for example I
don't correctly detect the correct awk, flex, bison replacements for
heimdal_build/build_external.sh. I expect to fix that stuff up over
the next few days.
(This used to be commit d4648249b2c7fc8b5e7c0fc8d8f92ae043b5691f)
|
|
metze
(This used to be commit 73d597bacf83492ed3da2307dd6785548b903b39)
|
|
management system I proposed on samba-technical a couple of days
ago. Essentially it is a very lightweight way for any code in Samba to
make IDL based rpc calls to anywhere else in the code, without the
client or server having to go to the trouble of setting up a full rpc
service.
It can be used with any of our existing IDL, but I expect it will
mostly be used for a new set of Samba specific management calls.
The LOCAL-IRPC torture test demonstrates how it can be used by calling
the echo_AddOne() call over this transport.
(This used to be commit 3d589a09954eb8b318f567e1150b0c27412fb942)
|
|
called from multiple backends. (ldb_sqlite3 needs it too.) Added parameter
for a callback function that determines whether an attribute needs case
folding.
- begin to prepare for sqlite3 in build process
- work-in-progress updates, on ldb_sqlite3
(This used to be commit a80bced0b96ffb655559a43cf7f4d7a34deb5a7d)
|
|
(This used to be commit 54ff16b9a198237999cedd973cced70a62f03418)
|
|
rafal
(This used to be commit be3b283b20af0b17d8c9711f362b63b881ffbc1c)
|
|
(This used to be commit 512536c9165eb4a630c8bf4e43e71def26006047)
|
|
included Heimdal) to Samba4.
Andrew Bartlett
(This used to be commit 51ba3ea60c265b837821b6c3e031dfe229c10d6a)
|
|
metze
(This used to be commit e9f30ad69800a9858676c467f7f12aceff693358)
|
|
in esp scripts
lpGet takes 4 forms
v = lpGet("type:parm"); gets a parametric variable
v = lpGet("share", "type:parm"); gets a parametric variable on a share
v = lpGet("parm"); gets a global variable
v = lpGet("share", "parm"); gets a share variable
In all cases an ejs object of the appropriate type for the variable is returned.
This commit also adds the function typeof() which returns the type of an object
(This used to be commit 5537a0d38d4805cbc2dad0d6f76db15173b1fd60)
|
|
(This used to be commit 31543e1eae03d22343ea8c970494af36eb07b41f)
|
|
This includes an embedded server side scripting system called 'esp'
(see http://www.appwebserver.org/products/esp/esp.html) and a javascript
based scripting language called 'ejs' (see
http://www.appwebserver.org/products/ejs/ejs.html)
The justification for including this scripting language is that it
should make it much easier to write a high quality web interface for
Samba4. The scripting language can call into any Samba4 library code
(so for example it will be able to make ldb and loadparm calls), plus
it provides easy support for forms, cookies, sessions etc.
There is still quite a bit more work to do on the web server, but
there is enough here now for people to look at and comment. I will be
committing some sample web pages that test esp functionality shortly.
(This used to be commit 26f0ba92c0c565ac9e4cb5a079d795d4262497dd)
|
|
Original patch provided by Gregory Leocadie <gleocadie@idealx.com>
rafal
(This used to be commit eb83a8210a939a0512f505a283148898ba6eceb1)
|
|
dual-install systems.
Andrew Bartlett
(This used to be commit efc24f1a4592270634dca253689c1b54e154d8b8)
|
|
Andrew Bartlett
(This used to be commit f4b7484516b956baabb3eba3f233da29fc101100)
|
|
Andrew Bartlett
(This used to be commit 5749b63f171acb99c63bfe24312050b316644082)
|
|
should allow us to ditch the local static storage for OIDs, as well as
fix the build on non-heimdal platforms.
Andrew Bartlett
(This used to be commit a7e2ecfac9aaacd673e3583b62139e4f4e114429)
|
|
Finally remove the distinction between 'krb5' and 'ms_krb5'. We now
don't do kerberos stuff twice on failure. The solution to this is
slightly more general than perhaps was really required (as this is a
special case), but it works, and I'm happy with the cleanup I achieved
in the process. All modules have been updated to supply a
NULL-terminated list of OIDs.
In that process, SPNEGO code has been generalised, as I realised that
two of the functions should have been identical in behaviour.
Over in the actual modules, I have worked to remove the 'kinit' code
from gensec_krb5, and placed it in kerberos/kerberos_util.c.
The GSSAPI module has been extended to use this, so no longer requires
a manual kinit at the command line. It will soon lose the
requirement for an on-disk keytab too.
The general kerberos code has also been updated to move from
error_message() to our routine which gets the Heimdal error string
(which may be much more useful) when available.
Andrew Bartlett
(This used to be commit 0101728d8e2ed9419eb31fe95047944a718ba135)
|
|
(This used to be commit 8d63cd33a223cccb21d808747e9c97da53629fbc)
|
|
support, and
filling in some of the returned parameters is quite rough, but it seems to work OK
(This used to be commit e564e3e596915414fad07c94f7ea8a0d9c3a1140)
|
|
(This used to be commit e51e0dffa8f8bff9bd1535751e805b548b6c6d7f)
|
|
rafal
(This used to be commit 3389cfb1354532aad4245b281a5637b58802a276)
|
|
This brings in a compatibility layer for Samba3 in Samba4 - where we
will start to define file formats and similar details.
The 'net samdump' command uses 'password server = ' for now, and
performs a similar task to Samba3's 'net rpc samsync'.
Andrew Bartlett
(This used to be commit 550f17f9924fe783917318753de7d1a388423908)
|
|
We need to pass the 'secure channel type' to the NETLOGON layer, which
must match the account type.
(Yes, jelmer objects to this inclusion of the kitchen sink ;-)
Andrew Bartlett
(This used to be commit 8ee208a926d2b15fdc42753b1f9ee586564c6248)
|
|
Andrew Bartlett
(This used to be commit 106047032fe269f02c8ef71937e9d2e4ae0a4eb7)
|
|
with talloc() for the NTLMSSP system.
Andrew Bartlett
(This used to be commit 7a93ac49c28d433ccf0f077294f473fe728b9995)
|
|
want it to hang around not committed.
rafal
(This used to be commit 98d98b9bc7437e744e1e730fa8005b43fb1b672b)
|
|
rafal
(This used to be commit 3752122550dcdd1d954c602a28f4b6ad26fe3a0e)
|
|
- qfsinfo (query file system information)
- appendacl (append an ACL to existing file's security descriptor and get new
full ACL)
The second one also includes an improvement to security descriptor handling
which allows copying a security descriptor. Written by Peter Novodvorsky
<peter.novodvorsky@ru.ibm.com>
Both functions have corresponding torture tests added. Tested under valgrind and
work against Samba 4 and Windows XP.
ToDo: document composite call creation process in prog_guide.txt
(This used to be commit 441cff62ac75ed16851ce7b8daf9d03eb4c3ec79)
|
|
Thanks to lars and agruen for finding this
(This used to be commit 2acc06918574b1178eecf3d61026f84f85bb40e1)
|
|
track the use of un-initialised values.
This change will require a recompile from clean, as the enum
describing the status of each element now has a default of
CRED_UNINITIALISED.
Andrew Bartlett
(This used to be commit 83c2eb806d43f588bd06336aa7e2dbdc00dc2c67)
|
|
parsing incoming netlogon requests. No replies are sent yet.
(This used to be commit 3b34df6a674cd2aeddc354cdadae3f0e1c000d45)
|
|
(This used to be commit 47e1452da08d06b0b9f15545b3b2b0631f15bac2)
|
|
a handle as parameter,
EnumPorts
EnumPrinterDrivers
EnumMonitors
EnumPrintProcessors
EnumPrinters
we now do cross checks between the different info levels
and store the results in a global context,
so that we later can add cross checks between the different object types
- add idl for EnumMonitors and EnumPrintProcessors
metze
(This used to be commit 92a3721bc7a28d521090b10eb3b1eed089036432)
|
|
can be enabled on the buildfarm without requiring --enable-developer
- Support tcp and udp being used on the same port
- Fix some portability issues (should fix the build on
some hosts on the buildfarm)
- Ignore setting TCP_NODELAY on (semi-)TCP sockets rather than complain about
it not being supported (saves us from a couple of error messages for each
connection that is opened)
(This used to be commit 443fb7853b8d3cb516c442fdc595038544b75738)
|
|
(This used to be commit a2ef9225f15e369af7b884262b997ab321fd24d6)
|
|
dom_sid in it
metze
(This used to be commit 460d1b089e494efaeb0c8c7fd4601a9ef57123c5)
|
|
redirects traffic (currently just IP traffic) over unix domain sockets
if the SOCKET_WRAPPER_DIR environment variable has been set.
Aim is to use this for the Samba4 torture suite on the buildfarm.
The socket_wrapper library can only be used if Samba was compiled with
--enable-developer.
test_rpc.sh passes against a local smbd with SOCKET_WRAPPER_DIR set.
(and ethereal showed no traffic whatsoever)
Stuff that still needs to be fixed in socketwrapper:
- Give ENETUNREACH if target is not localhost
- A given port number can only be used for UDP /or/ TCP, not both.
- Perhaps allow some calls to circumvent socketwrapper (do we need DNS?)
(This used to be commit f8a63a843ccca092d9756b64e09175d37c08550a)
|
|
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'.
GENSEC now no longer has its own handling of 'set username' etc,
instead it uses cli_credentials calls.
In order to link the credentials code right through Samba, a lot of
interfaces have changed to remove 'username, domain, password'
arguments, and these have been replaced with a single 'struct
cli_credentials'.
In the session setup code, a new parameter 'workgroup' contains the
client/server current workgroup, which seems unrelated to the
authentication exchange (it was being filled in from the auth info).
This allows in particular kerberos to only call back for passwords
when it actually needs to perform the kinit.
The kerberos code has been modified not to use the SPNEGO provided
'principal name' (in the mechListMIC), but to instead use the name the
host was connected to as. This better matches Microsoft behaviour,
is more secure and allows better use of standard kerberos functions.
To achieve this, I made changes to our socket code so that the
hostname (before name resolution) is now recorded on the socket.
In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now
in libcli/auth/schannel.c, and it looks much more like a standard
GENSEC module. The actual sign/seal code moved to
libcli/auth/schannel_sign.c in a previous commit.
The schannel credentials structure is now merged with the rest of the
credentials, as many of the values (username, workstation, domain)
were already present there. This makes handling this in a generic
manner much easier, as there is no longer a custom entry-point.
The auth_domain module continues to be developed, but is now just as
functional as auth_winbind. The changes here are consequential to the
schannel changes.
The only removed function at this point is the RPC-LOGIN test
(simulating the load of a WinXP login), which needs much more work to
clean it up (it contains copies of too much code from all over the
torture suite, and I haven't been able to penetrate its 'structure').
Andrew Bartlett
(This used to be commit 2301a4b38a21aa60917973451687063d83d18d66)
|
|
painful, so don't call lp_*() functions until the post stage (rather
than in the cli_credentails_init(), which is called in the pre stage),
and don't open the secrets.ldb looking for the machine account details
until we actually need them (well after popt is done, and we know we have the other things right).
Set the domain and realm, as well as the account and password for -P
(fetch machine password) operation.
Allow NETLOGON credentials to be stored in this structure - will allow
SCHANNEL to be made more generic.
Clarify why we don't do special checks for NULL pointers, particularly
in the anonymous check (it indicates a programmer error, not a
run-time condition).
Also make lib/credentials.c a little more consistent.
Andrew Bartlett
(This used to be commit 730e6056b730c15008772c30cd6f7c03fb6b7e5f)
|
|
secrets system, and not the old system from Samba3.
This allowed the code from auth_domain to be shared - we now only
lookup the secrets.ldb in lib/credentials.c.
In order to link the resultant binary, samdb_search() has been moved
from deep inside rpc_server into lib/gendb.c, along with the existing
gendb_search_v(). The vast majority of this patch is the simple
rename that followed,
(Depending on the whole SAMDB for just this function seemed pointless,
and brought in further dependencies, such as smbencrypt.c).
Andrew Bartlett
(This used to be commit e13c671619bd290a8b3cae8555cb281a9a185ee0)
|
|
Fix a couple of bugs in the new cli_credentials code
(This used to be commit 4ad481cfe5cde514d2ef9646147239f3faaa6173)
|
|
- gtk+ (returned by GtkHostBindingDialog as well now)
- torture/
- librpc/
- lib/com/dcom/
(This used to be commit ccefd782335e01e8e6ecb2bcd28a4f999c53b1a6)
|
|
puts support for it into popt_common, adds a few utility functions
(in lib/credentials.c) and the callback functions for the command-line
(lib/cmdline/credentials.c). Comments are welcome :-)
(This used to be commit 1d49b57c50fe8c2683ea23e9df41ce8ad774db98)
|
|
Implement push side of NDR_LEN4|NDR_NOTERM strings (pull side was already present)
(This used to be commit ea61ec1122841716ed5d90085ba79e7bf691bd6a)
|
|
metze
(This used to be commit 3e6ec811288d74921bf3e393213e75d928156772)
|
|
metze
(This used to be commit 1084ad4bfce6bc20537f5bfccb5a25b60f503b32)
|
|
metze
(This used to be commit f543eb4ede54ac361017878574b3f4b6ffc9f2d5)
|
|
(This used to be commit 7f6ea98e0f338c3c9f1132c6d64a54266c1b9cfa)
|
|
- Always put IID in vtables (useful for asserts)
- Add table to keep track of DCOM proxy classes
- Bunch of smaller bug fixes
(This used to be commit 26d5a0b92c66bc86d0c26f687f83fa712342ac32)
|