Age | Commit message (Collapse) | Author | Files | Lines |
|
TODO: check why this is needed.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Jul 15 12:26:25 CEST 2011 on sn-devel-104
|
|
As mit_samba_update_pac_data() doesn't support adding
S4U_DELEGATION_INFO to the pac (and I have no clue how to add that)
we should disable S4U2Proxy until this is implemented.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Jun 28 20:35:19 CEST 2011 on sn-devel-104
|
|
metze
|
|
metze
|
|
metze
|
|
This fixes a few Coverity errors
|
|
The two error tables need to be combined, but for now seperate the names.
(As the common parts of the tree now use the _common function,
errmap_unix.c must be included in the s3 autoconf build).
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Jun 20 08:12:03 CEST 2011 on sn-devel-104
|
|
|
|
when we need to listen on a wildcard address, we now listen on a list
of sockets, usually 0.0.0.0 and ::
|
|
metze
|
|
flags.trusted_for_delegation
metze
|
|
The iface_count, iface_n_bcast, and load_interfaces functions
conflicted with functions of the same name in source3, so the source4
functions were renamed. Hopefully we can actually wrap one around the
other in future.
Andrew Bartlett
|
|
|
|
This better reflects what this structure is
Andrew Bartlett
|
|
convert_string*()
we shouldn't accept bad multi-byte strings, it just hides problems
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Thu Mar 24 01:47:26 CET 2011 on sn-devel-104
|
|
|
|
By having kdc_tcp_proxy_send/recv(), which just asks any writeable
dc for a reponse blob, we simplify the interaction between
client-local and local-writeable sockets.
This allows us to make kdc_socket, kdc_process_fn_t, kdc_tcp_call and kdc_tcp_socket
private to kdc.c again.
metze
|
|
By having kdc_udp_proxy_send/recv(), which just asks any writeable
dc for a reponse blob, we simplify the interaction between
client-local and local-writeable sockets.
This allows us to make kdc_udp_call and kdc_udp_socket private to
kdc.c again.
metze
|
|
metze
|
|
Bit shifting is non-trivial in C:-)
This
int32_t a = 0x12340000;
uint32_t b = (a >> 16);
results in 0x00001234, but this
int32_t a = 0xEDCB0000;
uint32_t b = (a >> 16);
results in 0xFFFFEDCB, while we expected 0x0000EDCB.
metze
|
|
this prevents conflicts with the s3 auth modules. The auth modules in
samba3 may appear in production smb.conf files, so it is preferable to
rename the s4 modules for minimal disruption.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
thi ensures we are using the header corresponding to the version of
ldb we're linking against. Otherwise we could use the system ldb for
link and the in-tree one for include
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This changes auth_serversupplied_info into the IDL-defined struct
auth_user_info_dc. This then in turn contains a struct
auth_user_info, which is the only part of the structure that is
mainted into the struct session_info.
The idea here is to avoid keeping the incomplete results of the
authentication (such as session keys, lists of SID memberships etc) in
a namespace where it may be confused for the finalised results.
Andrew Barltett
|
|
This context is used in ldb, and ldb modules apparently abort if nesting is not
allowed.
Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Mon Feb 7 20:58:02 CET 2011 on sn-devel-104
|
|
otherwise msg->dn would be non-minimal and would fail in searches
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Fri Dec 24 12:09:00 CET 2010 on sn-devel-104
|
|
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Dec 12 15:20:46 CET 2010 on sn-devel-104
|
|
|
|
Discovered by Tru64 build
|
|
We now no longer print tickets with a potentially infinite life, and
we report the same life over LSA as we use in the KDC. We should get
this from group policy, but for now it's parametric smb.conf options.
Andrew Bartlett
|
|
|
|
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Fri Dec 3 23:56:15 CET 2010 on sn-devel-104
|
|
81fe27bcc0148d410ca4617f8759b9df1a5e935c)
|
|
this prevents us having two lp_ctx contexts in these tools which leads
to bizarre behaviour
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Thanks to Hongwei Sun for the clear description of the algorithim
involved. Importantly, it isn't possible to remove encryption types
from the list, only to add them over the defaults (DES and
arcfour-hmac-md5, and additional AES for DCs and RODCs).
This changes the behaviour for entries with
msDS-supportedEncryptionTypes: 0, which Angelos Oikonomopoulos
reported finding set by ADUC when attempting to store cleartext
passwords.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Nov 16 21:24:43 UTC 2010 on sn-devel-104
|
|
The KDC sets different flags for the AS-REQ (this is client-depenent)
and the TGS-REQ to determine if the realm should be forced to the
canonical value. If we do this always, or do this never, we get into
trouble, so it's much better to honour the flags we are given.
Andrew Bartlett
|
|
This avoids setting these values when the caller simply does not care
Andrew Bartlett
|
|
This will allow these calls to honour the flags passed in from the KDC
Andrew Bartlett
|
|
We should never get a cross-realm ticket that was not issued by a full
DC, but if someone claims to have such a thing, reject it rather than
segfaulting on the NULL client pointer.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Nov 15 23:59:34 UTC 2010 on sn-devel-104
|
|
The PAC was being regenerated on all normal DCs, because they don't
have a msDS-SecondaryKrbTgtNumber attribute. Instead we need to check
if it's set and not equal to our RODC number, allowing RODCs to trust
the full DCs and itself, but not other RODCs.
Andrew Bartlett
|
|
we should reset the realm part of the principal, but not the lowercase
realm embedded in the 'krbtgt/realm@REALM'.
Andrew Bartlett
|
|
|
|
We should check the errors from krb5_kdc_windc_init and we now need to
additionally run krb5_kdc_pkinit_config()
Andrew Bartlett
|
|
This remains an abuse, because it relies on setting into the krb5_principal
structure, but at least it causes less trouble for the server.
Andrew Bartlett
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Mon Nov 15 00:13:59 UTC 2010 on sn-devel-104
|
|
|
|
when we are an RODC and we get a request for a principal that we don't
have the right secrets for, we need to proxy the request to a
writeable DC. This happens for both TCP and UDP requests, for both
krb5 and kpasswd
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Fri Nov 12 08:03:20 UTC 2010 on sn-devel-104
|
|
This means that when we are an RODC, and an account does not have the
password attributes, we can now indicate to the kdc code that it
should forward the request to a real DC.
(The proxy code itself is not in this commit).
Andrew Bartlett
|
|
this is in preparation for doing forwarding of packets for RODCs
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
the special handling was to cope with the conflict with the kdc.h
header
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|