path: root/source4/librpc/idl/krb5pac.idl
Age | Commit message | Author | Files | Lines
2008-08-28 | Further rework the RPC-PAC test. | Andrew Bartlett | 1 | -1/+1
This would seem to match the documentation requirements for the PAC verification over NETLOGON, but I can't get Win2k3 to accept it so far. Andrew Bartlett (This used to be commit acfa87f3411a61bdd9066fbbba2bcfbe2a60cbbe)
2008-08-27 | Add a test to explore Netlogon PAC validation | Andrew Bartlett | 1 | -0/+14
However, I have still not figured out this protocol yet, and the docs are rather unclear... :-( Andrew Bartlett (This used to be commit d878643071a1477435a267e2944461d367cdfa79)
2008-08-20 | krb5pac.idl: make use of subcontext(0xFFFFFC01) to handle the type | Stefan Metzmacher | 1 | -5/+1
Serialization header Now we should be able to handle bigendian PAC_LOGON_INFO buffers. metze (This used to be commit adbff0b0f92aa0742a8293071776b388879cbd8e)
2008-08-14 | cope with arbitrary unknown pac buffer types, so when MS adds | Andrew Tridgell | 1 | -1/+5
a new one we don't break our server (This used to be commit 5e08b285319e35afd3a9a6e6f5f59145350f2d80)
2008-03-06 | Ignore Kerberos PAC type 12. | Günther Deschner | 1 | -5/+6
Until we worked out the PAC_TYPE_UNKNOWN_12 format (or received documentation) ignore it so that the PAC parsing can proceed. Guenther (cherry picked from commit 3630ec26c99fdea46c47117d026f9bffb2c4590a) (This used to be commit 0c1ccbc183c1d2967da2d9a17033f3b116ff7387)
2008-03-06 | Slowly making progress on PAC_UNKNOWN_12. | Günther Deschner | 1 | -3/+3
unknown1 and unknown2 are offset headers for the strings. Guenther (cherry picked from commit 7af70e75b9abf92921f33ec4207ad486ee2493d6) (This used to be commit ad19da7f83761948f379921560da34bb6a01e625)
2008-03-06 | Add new Windows 2008 Kerberos PAC Type 12 (apparently again undocumented). | Günther Deschner | 1 | -1/+16
We need at least to parse this in order to correctly support kerberized session setup from w2k8 as well as local pam_winbind logons using kerberos. Guenther (cherry picked from commit 4ba62d49d740c43cf17ceef1534cf1c8a7e4a130) (This used to be commit ef0971206cda598e6bfad2ff06a3d2e9e8131682)
2008-02-15 | krb5pac.idl: use charset() instead of string type with flags | Stefan Metzmacher | 1 | -1/+2
metze (This used to be commit 30657ae0ebdb85ae995a3dfe3ce123851fd92e0f)
2007-10-10 | r21805: Add PAC_TYPE_CONSTRAINED_DELEGATION to the PAC_TYPE enum. | Andrew Bartlett | 1 | -1/+2
(This used to be commit 6fb3b4be10d204bec61a1fddd1c50c1c24d52ebf)
2007-10-10 | r20639: Commit part 1 of 2. | Andrew Bartlett | 1 | -1/+1
This patch updates our build system and glue to support a new snapshot of lorikeet-heimdal. We now produce a [SUBSYSTEM] in the ans1_deps.pl script, and can depend on that in the heimdal_build/config.mk. This is much easier than listing every generated .o file individually. This required some small changes to the build system, due to the way the parent directory was handled for the output of scripts. I've also cleaned up et_deps.pl to handle cleaning up its generated files on clean. The PAC glue in Heimdal has changed significantly: we no longer have a custom hack in the KDC, instead we have the windc plugin interface. As such, pac-glue.c is much smaller. In the future, when I'm confident of the new code, we will also be able to 'downsize' auth/kerberos/kerberos_pac.c. (I'll include the updated copy of heimdal in the next checkin, to make it clearer what's changed in Samba4 itself). Andrew Bartlett (This used to be commit 75fddbbc0811010a28ca5bb597b573b3f10ef6d6)
2007-10-10 | r20566: Prepending with r-> is no longer necessary. | Jelmer Vernooij | 1 | -1/+1
(This used to be commit 1df96af3103795f609165e7a7344e1bf6046be79)
2007-10-10 | r19588: Use include and import statements rather than depends() and helper(). | Jelmer Vernooij | 1 | -2/+3
(This used to be commit 347ae9628202ca4de4318ef8156999239aad9192)
2007-10-10 | r15328: Move some functions around, remove dependencies. | Jelmer Vernooij | 1 | -2/+1
Remove some autogenerated headers (which had prototypes now autogenerated by pidl) Remove ndr_security.h from a few places - it's no longer necessary (This used to be commit c19c2b51d3e1ad347120b06a22bda5ec586c22e8)
2007-10-10 | r15222: Use more standard UUIDs. Should help AIX build. | Andrew Bartlett | 1 | -1/+1
Andrew Bartlett (This used to be commit cde98e9ad1990ae9da89d6449b3f0e15f00f4e54)
2007-10-10 | r14721: Fix a couple of warnings. | Jelmer Vernooij | 1 | -1/+1
(This used to be commit 426ac78108b35adc8412d12d2d888c3d5ddf4171)
2007-10-10 | r14708: Add a (bogus) UUID and a comment to the PAC definition. | Andrew Bartlett | 1 | -0/+2
Andrew Bartlett (This used to be commit 0ce6513e342abf9e35a76dd080ab99d1762cb3c1)
2007-10-10 | r14464: Don't include ndr_BASENAME.h files unless strictly required, instead | Jelmer Vernooij | 1 | -1/+1
try to include just the BASENAME.h files (containing only structs) (This used to be commit 3dd477ca5147f28a962b8437e2611a8222d706bd)
2007-10-10 | r14361: Support 'helper' attribute in pidl and use it. | Jelmer Vernooij | 1 | -1/+2
Remove some headers from include/includes.h (they're now only included in the file they are used) (This used to be commit 7213b7498eacac2c2cd03cf6aace376ce153cc7c)
2007-10-10 | r12512: Use GUID structs in API functions everywhere rather than converting | Jelmer Vernooij | 1 | -1/+0
back and forth between GUID structs and strings in several places. (This used to be commit 3564e2f967ef72d6301b4f7e9a311cebcded4d75)
2007-10-10 | r11096: Eliminate pointer_default_top() | Jelmer Vernooij | 1 | -1/+0
(This used to be commit b773d848e854394f36351f97130a20a245367b2c)
2007-10-10 | r10181: Fix the build | Jelmer Vernooij | 1 | -1/+1
(This used to be commit 231d01a3e79b26884409d24d8e25fc4ab8567d89)
2007-10-10 | r10171: This seems to work for encoding/decoding a PAC at the buffers only | Andrew Bartlett | 1 | -0/+21
level (required for signature verification). Andrew Bartlett (This used to be commit 76c224f28885759daae45e02a7637f2451dc84d3)
2007-10-10 | r10145: Allow a variable length signature, so we can support signing with | Andrew Bartlett | 1 | -1/+1
other than arcfour-hmac-md5. Currently we still fail to verify other signatures however. Andrew Bartlett (This used to be commit 2e5884fc2472c6bcc7e6e083c28a4da6b2f72af1)
2007-10-10 | r8250: More PAC work. We now successfully verify the KDC signature from my DC | Andrew Bartlett | 1 | -1/+1
(I have included the krbtgt key from my test network). It turns out the krbtgt signature is over the 16 (or whatever, enc-type dependent) bytes of the signature, not the entire structure. Also do not even try to use Kerberos or GSSAPI on an IP address, it will only fail. Andrew Bartlett (This used to be commit 3b9558e82fdebb58f240d43f6a594d676eb04daf)
2007-10-10 | r8156: I found out that the unknown[2] field of the unknown[4] array is a | Stefan Metzmacher | 1 | -3/+6
length too, it's always 16 bytes smaller than the size in the PAC_BUFFER we now dump the blobs on LOCAL-PAC with -d 10 metze (This used to be commit 4ef721ce53539ac56ca8ac4d601f512149ca7283)
2007-10-10 | r8148: - make the PAC generation code a bit more readable and add some out of | Stefan Metzmacher | 1 | -13/+19
memory checks - move to handmodified pull/push code for PAC_BUFFER to get the _ndr_size field and the subcontext size right - after looking closely at the sample w2k3 PAC in our torture test (and some more in my archive) I found out that the first uint32 before the netr_SamInfo3 was also a pointer, (and we passed a NULL pointer there before, so I think that was the reason why the windows clients don't want our PAC) w2k3 uses this for unique pointers: ptr = ndr->ptr_count * 4; ptr |= 0x00020000; ndr->ptr_count; - do one more pull/push round with the sample PAC metze (This used to be commit 0eee17941595e9842a264bf89ac73ca66cea7ed5)
2007-10-10 | r8110: More PAC work. I still can't get WinXP to accept the PAC, but we are | Andrew Bartlett | 1 | -7/+5
much closer. This changes PIDL to allow a subcontext to have a pad8 flag, saying to pad behind to an 8 byte boundary. This is the only way I can explain the 4 trailing zeros in the signature struct. Far more importantly, the PAC code is now under self-test, both in creating/parsing our own PAC, but also a PAC from my win2k3 server. This required changing auth_anonymous, because I wanted to reuse the anonymous 'server_info' generation code. I'm still having trouble with PIDL, particularly as surrounds value(), but I'll follow up on the list. Andrew Bartlett (This used to be commit 50a54bf4e9bf04d2a8e0aebb3482a2ff655c8bbb)
2007-10-10 | r8001: Also fill in the krbtgt checksum, and make sure to put the right | Andrew Bartlett | 1 | -1/+1
checksum in the right place... Andrew Bartlett (This used to be commit 90d0f502da20add6784c883b2085cde519604933)
2007-10-10 | r7993: Further work on the Krb5 PAC. | Andrew Bartlett | 1 | -7/+9
We now generate the PAC, and can verify both our own PAC and the PAC from Win2k3. This commit adds the PAC generation code, spits out the code to get the information we need from the NETLOGON server back into an auth/ helper function, and adds a number of glue functions. In the process of building the PAC generation code, some hints in the Microsoft PAC specification shed light on other parts of the code, and the updates to samr.idl and netlogon.idl come from those hints. Also in this commit: The Heimdal build package has been split up, so as to only link the KDC with smbd, not the client utils. To enable the PAC to be verified with gensec_krb5 (which isn't quite dead yet), the keyblock has been passed back to the calling layer. Andrew Bartlett (This used to be commit e2015671c2f7501f832ff402873ffe6e53b89466)
2007-10-10 | r6973: Merge new version of pidl into the main SAMBA_4_0 branch. | Jelmer Vernooij | 1 | -0/+1
The main difference in this new version is the extra data structure generated between the IDL data structure and the NDR parser: IDL -> NDR -> { ndr_parser, ndr_header, eparser, etc } This makes the ndr_parser.pm internals much more sane. Other changes include: - Remove unnecessary calls with NDR_BUFFERS (for example, GUID doesn't have any buffers, just scalars) as well as some (unnecessary) nested setting of flags. - Parse array loops in the C code rather than calling ndr_pull_array(). This allows us to have, for example, arrays of pointers or arrays of pointers to arrays, etc.. - Use if() {} rather than if () goto foo; everywhere - NDR_IN no longer implies LIBNDR_FLAG_REF_ALLOC - By default, top level pointers are now "ref" (as is the default in most other IDL compilers). This can be overridden using the default_pointer_top() property. - initial work on new ethereal parser generators by Alan DeKok and me - pidl now writes errors in the standard format used by compilers, which is parsable by most editors - ability to warn about the fact that pidl extension(s) have been used, useful for making sure IDL files work with other IDL compilers. oh, and there's probably some other things I can't think of right now.. (This used to be commit 13cf227615f6b9e0e5fa62e59197024410254f01)
2007-10-10 | r6544: Use common structures between SAMR, NETLOGON and the Krb5 PAC. | Andrew Bartlett | 1 | -2/+1
Fill out the group list for the SamLogon reply, so clients get the supplementary groups. Andrew Bartlett (This used to be commit d9c31e60a72c345e3a23a7eb742906bcfc18721c)
2007-10-10 | r5661: Be a little stricter on syntax regarding arrays. A pointer to an | Jelmer Vernooij | 1 | -1/+1
array can now only be : type *name[]; rather than : type *name; which was supported in the past. Warnings will be given when the first syntax is used. Reasons for this change in behaviour include improved readability and the fact that the second format makes dealing with multiple levels of pointers harder. (This used to be commit a416de5825c540fd3741731c4be05e9a659a6fdb)
2007-10-10 | r4338: reuse netlogon structs in the krb5 PAC | Stefan Metzmacher | 1 | -63/+5
that simplifies the code a lot... also add a note: we should fail the krb5 auth if there's no PAC present (when heimdal is ready for that:-) metze (This used to be commit 532641a7003d23b034a253d166482f18c2de6191)
2007-10-10 | r3810: create a LIB_SECURITY subsystem | Stefan Metzmacher | 1 | -1/+2
- move dom_sid, security_descriptor, security_* functions to one place and rename some of them metze (This used to be commit b620bdd672cfdf0e009492e648b0709e6b6d8596)
2007-10-10 | r3572: Thanks to tridge for his patience with my build breakage. | Andrew Bartlett | 1 | -1/+1
This concludes the proper fixes. Andrew Bartlett (This used to be commit c1d025793f2994c8f1cab304c3394ab186654071)
2007-10-10 | r3511: the PAC used 8byte alignment | Stefan Metzmacher | 1 | -3/+1
metze (This used to be commit 08b26ed7ec41f0575da79858ccd0bf0f9a27b2b2)
2007-10-10 | r3283: converted to quoted uuid() defines in all our IDL. This should help | Andrew Tridgell | 1 | -1/+1
the build on systems like solaris with the SunPRO compiler (This used to be commit fe913ad11bf1c5e9fe04ed769a93b0ea16aa0a34)
2007-10-10 | r3113: make us able to generate the PAC with the same align as a MS KDC | Stefan Metzmacher | 1 | -1/+3
(we should fix pidl to handle NDR_ALIGN8 correct as a real fix for this problem) metze (This used to be commit ab7a26a95052cfd8bac1d03b534b5b516b409f61)
2007-10-10 | r1849: use LIBNDR_STRING_BYTESIZE here | Stefan Metzmacher | 1 | -2/+1
metze (This used to be commit 6e6bfd6dd290b5e1cd3e90ebf20cd2207f94342e)
2007-10-10 | r1790: a few updates on krb5 PAC... | Stefan Metzmacher | 1 | -4/+4
metze (This used to be commit 5a3a10c004ee2c94c42f08d52b36c75b413bdb79)
2007-10-10 | r1770: here's the krb5 server code, | Stefan Metzmacher | 1 | -9/+9
there're some cleanups needed and we need to verify the PAC correctly and create the auth_session_info correctly... metze (This used to be commit d8fe497097ee49611bb05c4a2fed36912d8e16b4)
2007-10-10 | r1679: fix add the extrasids and resource group array in | Stefan Metzmacher | 1 | -5/+12
the EXTRA_SIDS idl isn't verified to be correct yet metze (This used to be commit 43fd611593af030a3d86d2640be6b1de959939c7)
2007-10-10 | r1673: using the new [relative] pidl handling, the PAC decode is now much closer | Andrew Tridgell | 1 | -54/+17
(This used to be commit c33bf6f935025b5623f21cca50664ba70f886b49)
2007-10-10 | r1558: the unknown_time is the same as the logon_time in the PAC_LOGON_INFO | Stefan Metzmacher | 1 | -3/+3
the account_name is a 'nstring' metze (This used to be commit bb906e5e9e566e7ed931436956ba8323503875f9)
2007-10-10 | r1552: commit the first version of the pidl generated krb5 PAC parser | Stefan Metzmacher | 1 | -0/+153
NOTE: there's a lot of work to do, maybe we need to extend pidl metze (This used to be commit b94a09d461291d9dd47c5859537d6025f02a80ff)