Age | Commit message (Collapse) | Author | Files | Lines |
|
(This used to be commit 09007b0907662a0d147e8eb21d5bdfc90dbffefc)
|
|
to do
(This used to be commit ad75cf869550af66119d0293503024d41d834e02)
|
|
Implement the 'DES only' flag.
Andrew Bartlett
(This used to be commit 9d42bb4b3d2a45da02f0525386468161494852cd)
|
|
correct partition.
Andrew Bartlett
(This used to be commit f661dafe4edcd017a8d3bda1a40ff8b0d7a1348e)
|
|
client.
Andrew Bartlett
(This used to be commit ae2913898c983dcba69b5d0b89c428e450e9bf5f)
|
|
replace it)
(This used to be commit eef117e4454ed5faeddfc0b18bd4f0128c922f36)
|
|
talloc_set_destructor() is type safe. The end result will be lots less
use of void*, and less calls to talloc_get_type()
(This used to be commit 6b4c085b862c0932b80b93e316396a53b993544c)
|
|
(This used to be commit cc290ece92196d2bdf39eaa9d3bb4a0af6ec782c)
|
|
Split of system/locale.h header from system/iconv.h
Previously, iconv wasn't being used on these systems
(This used to be commit aa6d66fda69779d1c2948a1aca85dbd5208f1cba)
|
|
responding to
krbtgt/MY.REALM@MY.REALM
TGS ticket requests, but for the moment, these are still marked as
'server' requests by the kerberos5.c caller.
Andrew Bartlett
(This used to be commit afaee0a6b7aba3db118e6529c341c9377bc26546)
|
|
This includes many useful upstream changes, many of which should
reduce warnings in our compile.
It also includes a change to the HDB interface, which removes the need
for Samba4/lorikeet-heimdal to deviate from upstream for hdb_fetch().
The new flags replace the old entry type enum.
(This required the rework in hdb-ldb.c included in this commit)
Andrew Bartlett
(This used to be commit ef5604b87744c89e66e4d845f45b23563754ec05)
|
|
principal on strdup failure.
Andrew Bartlett
(This used to be commit d72fafc1f0089212634fc1a77352b47970e82410)
|
|
(This used to be commit 8ca4681861e24ddf7c4abcc97a4cf0e001d13e24)
|
|
file dependencies
(This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781)
|
|
if the 'password does not expire' flag has been set, filling in the
PAC and netlogon reply correctly if so.
Andrew Bartlett
(This used to be commit c530ab5dc6865c422382bc0afa7a86f7ec1acdf2)
|
|
In particular, I've used the --leak-report-full option to smbd to
track down memory that shouldn't be on a long-term context. This is
now talloc_free()ed much earlier.
Andrew Bartlett
(This used to be commit c6eb74f42989d62c82d2a219251837b09df8491c)
|
|
Update the rootdse module to use the new schema.
Andrew Bartlett
(This used to be commit b0b150d08ac39ed486071487826da2e306db6a0b)
|
|
case) as the keytab.
This avoids issues in replicated setups, as we will replicate the
kpasswd key correctly (including from windows, which is why I care at
the moment).
Andrew Bartlett
(This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)
|
|
(This used to be commit 65cf522b5e079de2cfd5fc989350cc127f6c5baa)
|
|
is new, and has no password. It may also occour in the future if we
allow PKINIT. In any case, it shouldn't segfault :-)
Andrew Bartlett
(This used to be commit 686fea241b7a8ca286099eadfa2ed177367dafdc)
|
|
it here.
Andrew Bartlett
(This used to be commit f282fab6113cbd6a431139cbe7f021864f31c3d1)
|
|
using pre-calculated passwords for all kerberos key types.
(Previously we could only use these for the NT# type).
The module handles all of the hash/string2key tasks for all parts of
Samba, which was previously in the rpc_server/samr/samr_password.c
code. We also update the msDS-KeyVersionNumber, and the password
history. This new module can be called at provision time, which
ensures we start with a database that is consistent in this respect.
By ensuring that the krb5key attribute is the only one we need to
retrieve, this also simplifies the run-time KDC logic. (Each value of
the multi-valued attribute is encoded as a 'Key' in ASN.1, using the
definition from Heimdal's HDB. This simplfies the KDC code.).
It is hoped that this will speed up the KDC enough that it can again
operate under valgrind.
(This used to be commit e9022743210b59f19f370d772e532e0f08bfebd9)
|
|
(This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2)
|
|
allow Win2000 machines to again use kerberos with Samba4.
Andrew Bartlett
(This used to be commit 5770409dcd0151a7303b16c565b1f68845b8622d)
|
|
hdb-ldb.
Andrew Bartlett
(This used to be commit 96e124b7bb9a916bbdfbfa36d24a1dafa262c552)
|
|
interface worked, so hdb-ldb.c and the glue have been updated.
Andrew Bartlett
(This used to be commit 8fd5224c6b5c17c3a2c04c7366b7e367012db77e)
|
|
To avoid a circular depenency, it is not allowed to use Krb5 as an
authentication mechanism, so this must be removed from the list. An
extension to the credentials system allows this function.
Also remove proto.h use for any of the KDC, and use NTSTATUS returns
in more places.
Andrew Bartlett
(This used to be commit 5f9dddd02c9c821675d2ccd07561a55edcd7f5b4)
|
|
Andrew Bartlett
(This used to be commit 0c4ea6f6413e260a15c0afe331a066ea7051fd9f)
|
|
Andrew Bartlett
(This used to be commit b60531b109cf9539a9d58d46436f397346352cee)
|
|
Andrew Bartlett
(This used to be commit 05334e98fb1658965a822517365a86bc3906378b)
|
|
ticket to be reduced in validity).
Andrew Bartlett
(This used to be commit 5575a1443b5225140f401bde7f897f96dfe73b39)
|
|
This patch changes the way lsb_search is called and the meaning of the returned integer.
The last argument of ldb_search is changed from struct ldb_message to struct ldb_result
which contains a pointer to a struct ldb_message list and a count of the number of messages.
The return is not the count of messages anymore but instead it is an ldb error value.
I tryed to keep the patch as tiny as possible bu as you can guess I had to change a good
amount of places. I also tried to double check all my changes being sure that the calling
functions would still behave as before. But this patch is big enough that I fear some bug
may have been introduced anyway even if it passes the test suite. So if you are currently
working on any file being touched please give it a deep look and blame me for any error.
Simo.
(This used to be commit 22c8c97e6fb466b41859e090e959d7f1134be780)
|
|
Andrew Bartlett
(This used to be commit c4a9d025d6485c19bf1f2e98f83ac68b276247e4)
|
|
We now put the PAC in the AS-REP, so that the client has it in the
TGT. We then validate it (and re-sign it) on a TGS-REQ, ie when the
client wants a ticket.
This should also allow us to interop with windows KDCs.
If we get an invalid PAC at the TGS stage, we just drop it.
I'm slowly trying to move the application logic out of hdb-ldb.c, and
back in with the rest of Samba's auth system, for consistancy. This
continues that trend.
Andrew Bartlett
(This used to be commit 36973b1eef7db5983cce76ba241e54d5f925c69c)
|
|
the code in auth/auth_sam.c for consistancy. This will also allow us
to have one place for a backend directory hook.
I will use a very similar hook to add the PAC.
Andrew Bartlett
(This used to be commit 4315836cd8c94eb8340c4050804face4d0066810)
|
|
kdc/hdb-ldb.c to share the routines used for auth/
This will require keeping the attribute list in sync, but I think it
is worth it for the next steps (sharing the server_info generation).
Andrew Bartlett
(This used to be commit da38bcefa752a508abd28e8ff6277b493d24c2dd)
|
|
The aim here is to restructure the queries to match the queries we do
in auth, then to share the code that does the actual query (at least
for user logins).
Then we can generate the PAC from that shared query, rather than a
seperate query.
Andrew Bartlett
(This used to be commit 4395d087e19286536dbb41fa5758491b302fa437)
|
|
in the hdb-ldb code.
Andrew Bartlett
(This used to be commit f71149c88d9648f5b2b1d1480dc8d45c551b0231)
|
|
Andrew Bartlett
(This used to be commit cf67af421686e7a89334e10296a3a07c1f8f6298)
|
|
Andrew Bartlett
(This used to be commit 3b6c9c7cbc1d5c4dd32d3c1db18ddbccbb8cf17a)
|
|
authenticated session down into LDB. This associates a session info
structure with the open LDB, allowing a future ldb_ntacl module to
allow/deny operations on that basis.
Along the way, I cleaned up a few things, and added new helper functions
to assist. In particular the LSA pipe uses simpler queries for some of
the setup.
In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't
been worked on (other than making it continue to compile) since January,
and I think the features of this module are being put into ldb anyway.
I have also changed the partitions in ldap_server to be initialised
after the connection, with the private pointer used to associate the ldb
with the incoming session.
Andrew Bartlett
(This used to be commit fd7203789a2c0929eecea8125b57b833a67fed71)
|
|
Merge these norealm functions from lorikeet-heimdal.
Andrew Bartlett
(This used to be commit 6aef275efd7f434f65824eb3dd129c8e5efd8731)
|
|
StrCaseCmp was sys_strcasecmp, while it is in fact strcasecmp_m!
(This used to be commit 200a8f6652cb2de7a8037a7a4c2a204b50aee2b1)
|
|
Add ldb_dn_string_compose so that you can build a dn starting from a
struct ldb_dn base and a set of parameters to be composed in a format
string with the same syntax of printf
(This used to be commit 31c69d0655752cc8ea3bc5b7ea87792291302091)
|
|
distinguished names
Provide more functions to handle DNs in this form
(This used to be commit 692e35b7797e39533dd2a1c4b63d9da30f1eb5ba)
|
|
potential oops in kdc code.
Found by coverity.
(This used to be commit 3b707b928969c87ac7e9948a567a3ebbc754f28c)
|
|
Andrew Bartlett
(This used to be commit cf8bf1e9f3d771fb3ea14949cd6963c3e9ac6c2d)
|
|
metze
(This used to be commit 232b04bf3e5ff185cf8c6401a19960afd42b5d6c)
|
|
S390. This is an attempt to avoid the panic we're seeing in the
automatic builds.
The main fixes are:
- assumptions that sizeof(size_t) == sizeof(int), mostly in printf formats
- use of NULL format statements to perform dn searches.
- assumption that sizeof() returns an int
(This used to be commit a58ea6b3854973b694d2b1e22323ed7eb00e3a3f)
|
|
Andrew Bartlett
(This used to be commit 40088b9566e8f63897958fc99d99dedb38e0cb69)
|