Logs showed that every SAM authentication was causing a non-indexed
ldb search for member=XXX. This was previously indexed in Samba4, but
since we switched to using the indexes from the full AD schema it now
isn't.
The fix is to use the extended DN operations to allow us to ask the
server for the memberOf attribute instead, with the SIDs attached
to the result. This also means one less search on every
authentication.
The patch is made more complex by the fact that some common routines
use the result of these user searches, so we had to update all
searches that use user_attrs and those common routines to make sure
they all returned an ldb_message with a memberOf filled in and the SIDs
attached.
It turns out (seen in MS-SAMR 3.1.1.7.1 for example) that the primary
way the krbtgt account is recognised as special is that RID. This
should fix issues such as 'password expired' on the kpasswd service.
Andrew Bartlett
A single AD server can only host a single domain, so don't stuff about
with looking up our crossRef record in the cn=Partitions container.
We instead trust that lp_realm() and lp_workgroup() work correctly.
Andrew Bartlett
metze
consistency with Samba 3.
When starting GENSEC on the server, the auth subsystem context must be
passed in, which now includes function pointers to the key elements.
This should (when the other dependencies are fixed up) allow GENSEC to
exist as a client or server library without bundling in too much of
our server code.
Andrew Bartlett
metze
metze
metze
list=""
list="$list event_context:tevent_context"
list="$list fd_event:tevent_fd"
list="$list timed_event:tevent_timer"
for s in $list; do
    # each entry is old_struct_name:new_struct_name
    o=`echo $s | cut -d ':' -f1`
    n=`echo $s | cut -d ':' -f2`
    # every file that mentions the old struct, excluding source3, nsswitch and packaging4
    r=`git grep "struct $o" | cut -d ':' -f1 | sort -u`
    files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4`
    for f in $files; do
        # rewrite the struct name in place via a temporary file
        sed -e "s/struct $o/struct $n/g" "$f" > "$f.tmp"
        mv "$f.tmp" "$f"
    done
done
metze
metze
metze
should in the future only contain some settings required for gensec.
make them wrappers around convert_string{,talloc}_convenience().
functions.
We supply this to krb5 as a plugin, so we must keep it around as long
as the krb5_context.
Andrew Bartlett
3.
This uses a virtual attribute 'clearTextPassword' (name chosen to
match references in MS-SAMR) that contains the length-limited blob
containing an allegedly UTF16 password. This ensures we do no
validation or filtering of the password before we get a chance to MD4
it. We can then do the required munging into UTF8, and in future
implement the rules Microsoft has provided us with for invalid inputs.
All layers in the process now deal with the strings as length-limited
inputs, including the krb5 string2key calls.
This commit also includes a small change to samdb_result_passwords()
to ensure that LM passwords are not returned to the application logic
if LM authentication is disabled.
The objectClass module has been modified to allow the
clearTextPassword attribute to pass down the stack.
Andrew Bartlett
This avoids one more custom patch to the Heimdal code, and provides a
more standard way to produce hdb plugins in future.
I've renamed from hdb_ldb to hdb_samba4 as it really is not generic
ldb.
Andrew Bartlett
This commit applies some cosmetic corrections for the KERBEROS library.
This reverts commit 05ea5e23cf4e70de0bd658b1c5c0ead133967091.
Conflicts:
source4/smbd/server.c
The previous ldb_search() interface made it way too easy to leak results,
and being able to use a printf-like expression turns to be really useful.
The IDL is declared to force the MessageType to 3 on output, so we
instead checked the same thing 255 times...
Andrew Bartlett
metze
This reverts commit 0e9008be35a5b334bd65e6417193d4b8f27bdc36.
(This used to be commit edea162a0e11f03b4b6069388abbca099f097386)
This is implemented by means of a message to the KDC, to avoid having
to link most of the KDC into netlogon.
Andrew Bartlett
(This used to be commit 82fcd7941f5c54da2d994c8bd99dd8d86299a296)
This uses Heimdal's PAC parsing code in the:
- LOCAL-PAC test
- gensec_gssapi server
- KDC (where it was already used, the support code refactored from here)
In addition, the service and KDC checksums are recorded in the struct
auth_serversupplied_info, allowing them to be extracted for validation
across NETLOGON.
Andrew Bartlett
(This used to be commit 418b440a7b8cdb53035045f3981d47b078be6c1e)
metze
(This used to be commit 65057f17b0d9e83f1b775afdeb7ea91ce0e52cd1)
(This used to be commit 2c7195429411d68bc66f4100659c622df4f5a20a)
(This used to be commit a555334db67527b57bc6172e3d08f65caf1e6760)
This prepares the next commit...
metze
(This used to be commit 7d297f7fb7a3ac388390429db7cb16fa60d3f8c0)
At this stage, only arcfour-hmac-md5 trusts are used, and all trusts
are presumed bi-directional. Much more work still to be done.
Andrew Bartlett
(This used to be commit 3e9f5c28165e66d78c020d10b97b9dc4a0038cd8)
(This used to be commit c87d732b23ad7de8dc2f824bf11c9310fb4184e1)
Andrew Bartlett
(This used to be commit 8aba7c36231e58a91fbc6b4fc24c5693353aeef9)
metze
(This used to be commit cffed8e19e22a1fa7b7a322b153df5d54e4c3be2)
We should avoid using the private heimdal function
_krb5_principalname2krb5_principal()
metze
(This used to be commit 10db07c69addce6e90851fb55738d5f9e142946b)
This reverts commit 736ce50afd9da9b5fbc3db777fd5341dfa4b721a.
This breaks the build...
metze
(This used to be commit afd07073b9caa4b5f7d2ad747e79afaec4203506)
Andrew Bartlett
(This used to be commit 736ce50afd9da9b5fbc3db777fd5341dfa4b721a)
metze
(This used to be commit 1223cd17c79d130b46b0e0ccb0f6011c92441173)