Age | Commit message (Collapse) | Author | Files | Lines |
|
- added support for guids in cldap netlogon searches.
the cldap server now passes the LDAP-CLDAP torture test
(This used to be commit eb7979d9def389942fa1c54693d2dfcb8828f544)
|
|
my best guess now is that w2k3 converts the & in the cldap query to an |
for the ldap search. at least it behaves roughly like that.
(This used to be commit 1d6ab9aaefee71e3d0f87c1afae8ccdbae1f0e04)
|
|
cldap netlogon queries
(This used to be commit 7c1d0f449d3922a309fc86e5d9cb1e962a39805d)
|
|
ldap friendly filter strings
(This used to be commit 8890dd3ac331cffe83226a356c52df89c917c2b0)
|
|
- expose the ldap filter string parsing outside of ldap.c
(This used to be commit b644ff6fe164fbe359c47e4d34f5ad490ff61d5b)
|
|
(This used to be commit 992858e1b91c3ff05077afa8a7abe155198597d4)
|
|
- support 'modrdn' ldif
metze
(This used to be commit b6a1734699953964fcde6fe6ea7048496492eb33)
|
|
(This used to be commit 2b36f1dfdd6cf3ab89f63b541ae4cd905fb03c8d)
|
|
(This used to be commit 04af0e7c5de467a24b965ce1de2fb07621133164)
|
|
response.
To work around the fact that the type of the returned data is not
encoded in the packet, this required adding ndr_pull_union_blob()
which allows us to pull a blob into a union with a specified switch
value, in this case the switch value comes from the calling NtVer field.
(This used to be commit bd27e626c27be72913d1a1569ee6e2e2711df84e)
|
|
rafal
(This used to be commit f7aaa0bfcae7fd4518256a703ad237693ff0c295)
|
|
Andrew Bartlett
(This used to be commit 77b67da5b8187951ba8c25af85bbf716cf5b3561)
|
|
Andrew Bartlett
(This used to be commit 6d7f1daaf2a521864994e06b013c36287f27a129)
|
|
(This used to be commit cbeffe830b2d3aee2ba346034548fa273a08f409)
|
|
(This used to be commit a3f64357af75587a855cfedb58ce2583658c7d04)
|
|
(This used to be commit a0fa871c3fda9fce7da0b110ed313c930a677a80)
|
|
- added support for binary encoded search filters
- fixed some const handling
- changed the message type to an enum, to help debugging
(This used to be commit d5353b63428698d1ce95c50e2626f1841fa637e3)
|
|
rafal
(This used to be commit 47a7a6c3fcfd1ab159a6baa71cd5c7984334fddb)
|
|
with talloc() for the NTLMSSP system.
Andrew Bartlett
(This used to be commit 7a93ac49c28d433ccf0f077294f473fe728b9995)
|
|
user@REALM for the first time.
Fix the build for smbencrypt.c
Andrew Bartlett
(This used to be commit 5a6a57cd93e22e612bfbb8a8f7bc29269a9a3ac6)
|
|
- qfsinfo (query file system information)
- appendacl (append an ACL to existing file's security descriptor and get new
full ACL)
The second one also includes an improvement to security descriptor handling
which allows to copy security descriptor. Written by Peter Novodvorsky
<peter.novodvorsky@ru.ibm.com>
Both functions have corresponding torture tests added. Tested under valgrind and
work against Samba 4 and Windows XP.
ToDo: document composite call creation process in prog_guide.txt
(This used to be commit 441cff62ac75ed16851ce7b8daf9d03eb4c3ec79)
|
|
Thanks to lars and agruen for finding this
(This used to be commit 2acc06918574b1178eecf3d61026f84f85bb40e1)
|
|
Samba4 without Samba3 nmbd
(This used to be commit f4d07d7d3b6973b503d8c98f177471dd6cebfa92)
|
|
(This used to be commit c29279355c679e821665d028f207ee9ed6f857ef)
|
|
(This used to be commit 61d65d100d38529966f3f1803f66ed47540dc852)
|
|
netlogon query.
Note that this response is almost identical to the CLDAP netlogon
response, so adding that will now be quite easy.
(This used to be commit 1ea4ed4ad1d9336f8288283688fa2d7bebfa533c)
|
|
workstations can now login
to a Samba4 domain.
(This used to be commit df146d64ebce6b462c08a1f30919390fcf8196cb)
|
|
clients when a user tries to login)
(This used to be commit 08ded62156b387457bc56b5910e1ddc813b375bd)
|
|
without
Samba3 nmbd
(This used to be commit 4507bdc339505e91118d403948946f4a98a4f562)
|
|
test suite, but doesn't yet seem to satisfy a nt4 client. I'm
investigating.
(This used to be commit 406217262dff5adb5d0cb0028198e08f66cc85f4)
|
|
ndr code for handling sids and security descriptors now that we have a
sid in the nbt IDL
(This used to be commit f8e77fcdeac704aed5e501aa9108f3ed0ab26ca4)
|
|
(This used to be commit d7e6e395cedef47dc182094c91f764e248b9b149)
|
|
parsing incoming netlogon requests. No replies are sent yet.
(This used to be commit 3b34df6a674cd2aeddc354cdadae3f0e1c000d45)
|
|
now tries to bind to port 138 if possible, so if you run it as root
and smbd/nmbd is not running then it works against windows servers
(This used to be commit 52ccdb79bc922be52c24dd393323dbbee83a2aea)
|
|
suite. The NBT-DGRAM test does a UDP/138 netlogon request, to which a
windows server sends a reply, but the windows server sends the reply
to the wrong port (it always sends to 138), so the test suite doesn't
see it.
(This used to be commit a7634625dbc944dd8256a822be290010f341a571)
|
|
datagrams. This adds the IDL to parse mailslot packets, plus mailslot
dispatch and listener registration code.
mailslots are used for UDP/138 browse and netlogon packets
(This used to be commit f20e7e5200de736b3451d748ed716be638f93502)
|
|
(This used to be commit 47e1452da08d06b0b9f15545b3b2b0631f15bac2)
|
|
server. Currently just listens on port 138 and parses the packets
(using IDL like the rest of NBT). This allows me to develop the
structures and test with real packets
(This used to be commit 10d64a525349ff96695ad961a3cfeb5bc7c8844f)
|
|
auth/gensec and auth/kerberos.
This also pulls the kerberos configure code out of libads (which is
otherwise dead), and into auth/kerberos/kerberos.m4
Andrew Bartlett
(This used to be commit e074d63f3dcf4f84239a10879112ebaf1cfa6c4f)
|
|
up issues I introduced during the merge, that caused a segfault.
I've still not got the keytab code to work for me (using Samba3 to
generate the keytab) so this is still not fully tested, but it's
better than it was.
To add debugging, I now use the krb5_get_error_message() function from
Heimdal when present, to return the custom error string, which
contains far, far more information than the simple error code does.
(This last point may well be worth merging back into 3.0)
Andrew Bartlett
(This used to be commit ed5755d9d1e48df7ae77a9410d30e10cb8b0cbd7)
|
|
client. The issue was actually a cut-and-paste bug, I was filling in
the .old not the .nt1 part of the union.
I've also removed the 'error checks' - I'll shortly document the API
for the credentials code to clarify that it will always return a
pointer here, except in cases of programmer error.
Tridge: I hope this is OK.
Andrew Bartlett
(This used to be commit 6439de9ec8c8d24197ea69dc337473e54c8b36b8)
|
|
(This used to be commit ff6663aac8ed475bf65d9c06d7f2447a9827898c)
|
|
libcli/auth/schannel.c and libcli/auth/schannel_sign.c
Andrew Bartlett
(This used to be commit 1e0e66d7202d3f0e7fb3c90f2ca608fa08a713a6)
|
|
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'.
GENSEC now no longer has it's own handling of 'set username' etc,
instead it uses cli_credentials calls.
In order to link the credentails code right though Samba, a lot of
interfaces have changed to remove 'username, domain, password'
arguments, and these have been replaced with a single 'struct
cli_credentials'.
In the session setup code, a new parameter 'workgroup' contains the
client/server current workgroup, which seems unrelated to the
authentication exchange (it was being filled in from the auth info).
This allows in particular kerberos to only call back for passwords
when it actually needs to perform the kinit.
The kerberos code has been modified not to use the SPNEGO provided
'principal name' (in the mechListMIC), but to instead use the name the
host was connected to as. This better matches Microsoft behaviour,
is more secure and allows better use of standard kerberos functions.
To achieve this, I made changes to our socket code so that the
hostname (before name resolution) is now recorded on the socket.
In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now
in libcli/auth/schannel.c, and it looks much more like a standard
GENSEC module. The actual sign/seal code moved to
libcli/auth/schannel_sign.c in a previous commit.
The schannel credentails structure is now merged with the rest of the
credentails, as many of the values (username, workstation, domain)
where already present there. This makes handling this in a generic
manner much easier, as there is no longer a custom entry-point.
The auth_domain module continues to be developed, but is now just as
functional as auth_winbind. The changes here are consequential to the
schannel changes.
The only removed function at this point is the RPC-LOGIN test
(simulating the load of a WinXP login), which needs much more work to
clean it up (it contains copies of too much code from all over the
torture suite, and I havn't been able to penetrate its 'structure').
Andrew Bartlett
(This used to be commit 2301a4b38a21aa60917973451687063d83d18d66)
|
|
Andrew Bartlett
(This used to be commit b5260cf0d4c4f2e81a310d1c94160c9fbaaa331f)
|
|
(untested at this point).
Andrew Bartlett
(This used to be commit ef7f9a01b4f3fa41fd7981b260fa2fadc7ce10ad)
|
|
cli_credentials code shortly.
Andrew Bartlett
(This used to be commit 13d09c8e9a50ae265059e4a0d92a07c651018a6c)
|
|
(from librpc) will be moved into schannel.c soon.
Andrew Bartlett
(This used to be commit d6c80ff74b0550641c253316b37f1050c207791c)
|
|
secrets system, and not the old system from Samba3.
This allowed the code from auth_domain to be shared - we now only
lookup the secrets.ldb in lib/credentials.c.
In order to link the resultant binary, samdb_search() has been moved
from deep inside rpc_server into lib/gendb.c, along with the existing
gendb_search_v(). The vast majority of this patch is the simple
rename that followed,
(Depending on the whole SAMDB for just this function seemed pointless,
and brought in futher dependencies, such as smbencrypt.c).
Andrew Bartlett
(This used to be commit e13c671619bd290a8b3cae8555cb281a9a185ee0)
|
|
metze needs a working tree...
The main volume of this patch was what I started working on today:
- Cleans up memory handling around DCE/RPC pipes, to have a parent talloc context.
- Uses sepereate inner loops for some of the DCE/RPC tests
The other and more important part of this patch fixes issues
surrounding the new credentials framwork:
This makes the struct cli_credentials always a talloc() structure,
rather than on the stack. Parts of the cli_credentials code already
assumed this.
There were other issues, particularly in the DCERPC over SMB handling,
as well as little things that had to be tidied up before test_w2k3.sh
would start to pass.
Andrew Bartlett
(This used to be commit 0453f9d05d2e336fba1f85dbf2718d01fa2bf778)
|