| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
cli_credentials code shortly.
Andrew Bartlett
(This used to be commit 13d09c8e9a50ae265059e4a0d92a07c651018a6c)
|
|
(from librpc) will be moved into schannel.c soon.
Andrew Bartlett
(This used to be commit d6c80ff74b0550641c253316b37f1050c207791c)
|
|
secrets system, and not the old system from Samba3.
This allowed the code from auth_domain to be shared - we now only
lookup the secrets.ldb in lib/credentials.c.
In order to link the resultant binary, samdb_search() has been moved
from deep inside rpc_server into lib/gendb.c, along with the existing
gendb_search_v(). The vast majority of this patch is the simple
rename that followed,
(Depending on the whole SAMDB for just this function seemed pointless,
and brought in futher dependencies, such as smbencrypt.c).
Andrew Bartlett
(This used to be commit e13c671619bd290a8b3cae8555cb281a9a185ee0)
|
|
(24 bytes) for singed packets
but it accepts 32 bytes from the client.
(w2k3 accept it the otherway arround too)
metze
(This used to be commit 08d4c3b9f8558ee40c73a22b3ec110b052f28110)
|
|
- gtk+ (returned by GtkHostBindingDialog as well now)
- torture/
- librpc/
- lib/com/dcom/
(This used to be commit ccefd782335e01e8e6ecb2bcd28a4f999c53b1a6)
|
|
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
|
|
Andrew Bartlett
(This used to be commit b484776cc4d48690d45c668f9253015eb0d6207d)
|
|
need a NULL domain (or a "" domain, except this breaks NTLMv2, and I
need to look into it a bit more).
Add support to the Samba4 server for these logins. This will need
extension when we handle trusted domains as a DC, as it is a principal
name, not just another format for the username.
Andrew Bartlett
(This used to be commit de02c7c222a32d2b3fb8ee8b715749b96cb647f9)
|
|
which will move in with the rest of GENSEC shortly).
Add the RID as another element in the schannel state.
Andrew Bartlett
(This used to be commit 69114b4a8e1c937ab5ff12ca91dd22bd83fd9a3b)
|
|
GSS_C_DCE_STYLE support, it's just a start and does work correctly yet
metze
(This used to be commit 87ff661703f467db3dfcb33084041c3e2951e0ee)
|
|
when linking though.
(This used to be commit 2e1e8db6dc877eb32b51cfc3d9c8f463d14530ec)
|
|
Add #include "system/time.h" back (it was removed in some of these
places because the definitions were provided by <sys/time.h> on tridge's
platform.)
Andrew Bartlett
(This used to be commit 34b1da730304bed7fee5bae7cbde7fbccecb6af5)
|
|
thinks are not needed. Now to see how this fares on the build farm :)
(This used to be commit 80ffcc650c9c86141507edd8338b97814a85f868)
|
|
(This used to be commit 196c45b834c39f293b9533cec5cfe5a77382d4e2)
|
|
enabled
(This used to be commit 93931b1a741a3722c311ada80c4c9d3d670f91b2)
|
|
less likely that anyone will use pstring for new code
- got rid of winbind_client.h from includes.h. This one triggered a
huge change, as winbind_client.h was including system/filesys.h and
defining the old uint32 and uint16 types, as well as its own
pstring and fstring.
(This used to be commit 9db6c79e902ec538108d6b7d3324039aabe1704f)
|
|
metze
(This used to be commit 274ef2a206aa00b3155adc27f5b7e35d3fa52bf6)
|
|
metze
(This used to be commit 344367cc4cdb232c394ce45ab64cc357cce4259f)
|
|
Andrew Bartlett
(This used to be commit ffad9b22be595279b247fa72d51145830fecbb06)
|
|
need to pull in the whole dcerpc subsystem
- moved smbencrypt.c code into libcli/auth/
(This used to be commit 3351c636af23ad88649e84f4cb88fc1167d5c654)
|
|
large commit. I thought this was worthwhile to get done for
consistency.
(This used to be commit ec32b22ed5ec224f6324f5e069d15e92e38e15c0)
|
|
metze
(This used to be commit 522af7ecc0020b7c56182ca628f6d1623abe303e)
|
|
secrets.tdb from Samba3.
Andrew Bartlett
(This used to be commit 21bfda2a0d1c8373f8800269ed9b982e1b9a19e5)
|
|
of the SPNEGO state-machine. (Such as on LDAP and HTTP)
Andrew Bartlett
(This used to be commit c1cae6b3b1efe109a09e449ed2e09983431eac7e)
|
|
Andrew Bartlett
(This used to be commit a062ac122c402fb2cf31eb8e76f4077b1f33b8eb)
|
|
This uses LDB (a local secrets.ldb and the global samdb) to fill out
the secrets from an LSA perspective.
Some small changes to come, but the bulk of the work is now done.
A re-provision is required after this change.
Andrew Bartlett
(This used to be commit ded33033521a6a1c7ea80758c5c5aeeebb182a51)
|
|
- move some structs out of misc.idl
metze
(This used to be commit b6543a6e3057b5588ec50a2ebf6c7c932209efe6)
|
|
credentials struct it maintains.
Clearly much of this will be replaced with some system to pass and
store the session_info, as that is the 'right way' to handle this.
Andrew Bartlett
(This used to be commit c6fcb33a887fbf0c0b42c3bc331df942a985128c)
|
|
token in the client (the final token in the negotiation).
Consequential fixes in the SPNEGO code, which now uses the out.length
as the indicator of 'I need to send something to the other side'.
Merge the NTLM and SPNEGO DCE-RPC authentication routines in the client.
Fix the RPC-MULTIBIND test consequent to this merge.
Andrew Bartlett
(This used to be commit 43e3516fc03008e97ebb4ad1a0cde464303f43c6)
|
|
doesn't need to
use function pointers anymore
- make the module init much easier
- a lot of cleanups
don't try to read the diff in auth/ better read the new files
it passes test_echo.sh and test_rpc.sh
abartlet: please fix spelling fixes
metze
(This used to be commit 3c0d16b8236451f2cfd38fc3db8ae2906106d847)
|
|
- added #if TALLOC_DEPRECATED around the _p functions
- fixes the code that broke from the above
while doing this I fixed quite a number of places that were
incorrectly using the non type-safe talloc functions to use the type
safe ones. Some were even doing multiplies for array allocation, which
is potentially unsafe.
(This used to be commit 6e7754abd0c225527fb38363996a6e241b87b37e)
|
|
Andrew Bartlett
(This used to be commit 5598cda08b46e61695b753e049288a0b498502c4)
|
|
talloc_size() or talloc_array_p() where appropriate.
also fixed a memory leak in pvfs_copy_file() (failed to free a memory
context)
(This used to be commit 89b74b53546e1570b11b3702f40bee58aed8c503)
|
|
right.
Andrew Bartlett
(This used to be commit a742ea1e1221058ae6a99e317fbf18c80bc49aed)
|
|
GENSEC.
Andrew Bartlett
(This used to be commit c7acea9d5a097b51693f41de93274b857f7be0e3)
|
|
.enabled = True
on modules we know are good (and we want on be default) seems neater.
Andrew Bartlett
(This used to be commit 18850c66b7c8ac5e8caf08151dbb9b72cf93230f)
|
|
definition, not by hardcoded reference in loadparm.c
Andrew Bartlett
(This used to be commit 43558eaf7604d2bb0187e0d1ba0686935a965ad7)
|
|
I just need to fix a couple of NTLMv2 issues before we can fully pass,
and put this in test_rpc.sh, as a 'should pass' test.
Andrew Bartlett
(This used to be commit 4b52409e385366d87724bb79f4fad4803e8ecfec)
|
|
default at this point), and include the GSSAPI OIDs in our source, per
advice by lha that this is easier than getting the includes right.
Andrew Bartlett
(This used to be commit 9ff8b2b4d12d364084df5c95a752ce2a0546053d)
|
|
these tests out a bit, but for now it's an indicator we can use.
Andrew Bartlett
(This used to be commit 2b0605dbaee18da4ebb676fc292b324d21805ef7)
|
|
(disabled by default, set parametric option: gensec:gssapi=yes to enable).
This module backs directly onto GSSAPI, and allows us to sign and seal
GSSAPI/Krb5 connections in particular. This avoids me reinventing the
entire GSSAPI wheel.
Currently a lot of things are left as default - we will soon start
specifiying OIDs as well as passwords (it uses the keytab only at the
moment). Tested with our LDAP-* torture tests against Win2k3.
My hope is to use this module to access the new SPNEGO implementation
in Heimdal, to avoid having to standards-verify our own.
Andrew Bartlett
(This used to be commit 14b650c85db14a9bf97e24682b2643b63c51ff35)
|
|
In developing a GSSAPI plugin for GENSEC, it became clear that the API
needed to change:
- GSSAPI exposes only a wrap() and unwrap() interface, and determines
the location of the signature itself.
- The 'have feature' API did not correctly function in the recursive
SPNEGO environment.
As such, NTLMSSP has been updated to support these methods.
The LDAP client and server have been updated to use the new wrap() and
unwrap() methods, and now pass the LDAP-* tests in our smbtorture.
(Unfortunely I still get valgrind warnings, in the code that was
previously unreachable).
Andrew Bartlett
(This used to be commit 9923c3bc1b5a6e93a5996aadb039bd229e888ac6)
|
|
(This used to be commit 9f0bf657aeee86d859742fb4da3a0f806e7060b6)
|
|
- Use more of the clikrb5.c wrapper calls
- Don't use the session keytab if we kinit for the user.
Andrew Bartlett
(This used to be commit e15dbee00628475d5e1c1f329a7f9b199bc36360)
|
|
during torture tests)
(This used to be commit b9284c16dc37bf14fceeaa694e82f36a38b0dd93)
|
|
favor of talloc_free().
Andrew Bartlett
(This used to be commit 1933cd12fbaed56e13f2386b19de6ade99bf9478)
|
|
"") username is asked for.
Andrew Bartlett
(This used to be commit 9c9055603e1171e204f67b019900339f88414841)
|
|
- Update Samba4's kerberos code to match the 'salting' changes in
Samba3 (and many other cleanups by jra).
- Move GENSEC into the modern era of talloc destructors. This avoids
many of the memory leaks in this code, as we now can't somehow
'forget' to call the end routine.
- This required fixing some of the talloc hierarchies.
- The new krb5 seems more sensitive to getting the service name
right, so start actually setting the service name on the krb5 context.
Andrew Bartlett
(This used to be commit 278bf1a61a6da6ef955a12c13d7b1a0357cebf1f)
|
|
that simplifies the code a lot...
also add a note: we should fail the krb5 auth if there's no
PAC present (when heimdal is ready for that:-)
metze
(This used to be commit 532641a7003d23b034a253d166482f18c2de6191)
|
|
metze
(This used to be commit 1ceeb77fc716729c69f2dba4a84579c366eefa1c)
|
