Age | Commit message (Collapse) | Author | Files | Lines |
|
This uses a virtual attribute 'clearTextPassword' (name chosen to
match references in MS-SAMR) that contains the length-limited blob
containing an allegidly UTF16 password. This ensures we do no
validation or filtering of the password before we get a chance to MD4
it. We can then do the required munging into UTF8, and in future
implement the rules Microsoft has provided us with for invalid inputs.
All layers in the process now deal with the strings as length-limited
inputs, incluing the krb5 string2key calls.
This commit also includes a small change to samdb_result_passwords()
to ensure that LM passwords are not returned to the application logic
if LM authentication is disabled.
The objectClass module has been modified to allow the
clearTextPassword attribute to pass down the stack.
Andrew Bartlett
|
|
|
|
|
|
(in other words, don't do commits in airports)
|
|
|
|
plugfest in Redmond
|
|
UTF-16 input
The input checking is important, as otherwise we could set the wrong
password.
Andrew Bartlett
|
|
(This used to be commit 842ab594124198453fc88f46ab83b712a7d34dc1)
|
|
This is implemented by means of a message to the KDC, to avoid having
to link most of the KDC into netlogon.
Andrew Bartlett
(This used to be commit 82fcd7941f5c54da2d994c8bd99dd8d86299a296)
|
|
(This used to be commit 8741e8fee619cccd84f2f10e00426df1d4f34074)
|
|
Andrew Bartlett
(This used to be commit ea58b650a81b48b0477edbcda1e4e26a3b2a9b9e)
|
|
(This used to be commit b4e1ae07a284c044704322446c94351c2decff91)
|
|
More correctly handle expired passwords, and do not expire machine accounts.
Test that the behaviour is consistant with windows, using the RPC-SAMR test.
Change NETLOGON to directly query the userAccountControl, just because
we don't want to do the extra expiry processing here.
Andrew Bartlett
(This used to be commit acda1f69bc9b9c43e157e254d0bae54d11363661)
|
|
Guenther
(This used to be commit 7a10be2ac77124a78fcc4ddda5e05c036ed920fa)
|
|
Guenther
(This used to be commit 31980e03faedaa44317f64d940c458d38a103627)
|
|
torture test, as I see little reason to implement these RPCs).
Add information regarding the importance of the LogonGetDomainInfo calls
Andrew Bartlett
(This used to be commit 9cd3a76c25019f4d8d7b41d75e1f7efb4475e86a)
|
|
Guenther
(This used to be commit 7aa34b48795d303ba600f34a4b1bc916007aee44)
|
|
(This used to be commit 2d61e7c96e249d7031b709e9f727626a78e435f1)
|
|
(This used to be commit 6fd0d9d3b75546d08c24c513e05b1843d5777608)
|
|
(This used to be commit 9d806da113b5f0688b6193dfdee9b8765e18b38f)
|
|
samdb before we start writing entries into it.
In doing so, I realised we still used 'dnsDomain', which is not part
of the standard schema (now removed).
We also set the 'wrong' side of the linked attributes for the
masteredBy on each partition - this is now set in provision_self_join
and backlinks via the linked attributes code.
When we have the schema loaded, we must also have a valid domain SID
loaded, so that the objectclass module works. This required some ejs
glue.
Andrew Bartlett
(This used to be commit b0de08916e8cb59ce6a2ea94bbc9ac0679830ac1)
|
|
(This used to be commit fc1f4d2d65d4c983cba5421e7ffb64dd75482860)
|
|
Guenther
(This used to be commit 231fe8826b7d8b0f4307ffbb3cd71b4c7723a290)
|
|
Guenther
(This used to be commit d64244cfe871cd549a991ac2a708263fc77d2fef)
|
|
netr_NetrEnumerateTurstedDomainsEx().
Guenther
(This used to be commit 32a189e85026f5b54f82df88306005d9a9f50beb)
|
|
(This used to be commit 7280c1e9415daabb2712db1372e23f9846272ede)
|
|
(This used to be commit 84892d030de6266fc0f3a699cade960dd5dc37bc)
|
|
up the call stack.
(This used to be commit ba75f1613a9aac69dd5df94dd8a2b37820acd166)
|
|
further up the call stack.
(This used to be commit 0721a07aada6a1fae6dcbd610b8783df57d7bbad)
|
|
(This used to be commit a9a9634df8f3137ecb308adb90a755f12af94972)
|
|
(This used to be commit 56dfcb4f2f8e74c9d8b2fe3a0df043781188a555)
|
|
Guenther
(This used to be commit 2f8b8c046010c54d708a8e109b78fbd6e1958f40)
|
|
(This used to be commit b7371f1a191fb86834c0d586d094f39f0b04544b)
|
|
(This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238)
|
|
(This used to be commit abe8349f9b4387961ff3665d8c589d61cd2edf31)
|
|
machine accounts are not subject to password policy in Win2k3 R2 (at
least in terms of password quality).
In testing this, I found that Win2k3 R2 has changed the way the old
ChangePassword RPC call is handled - the 'cross-checks' between new LM
and NT passwords are not required.
Andrew Bartlett
(This used to be commit 417ea885b41cc097a0bb3a10ffbffb31f234f25d)
|
|
There are still a few tidyups of old FSF addresses to come (in both s3
and s4). More commits soon.
(This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
|
|
will now control the auth methods, but an override is still available,
ex:
auth methods:domain controller = <methods>
Andrew Bartlett
(This used to be commit b7e727186ed8eda6a68c873e089f655dc24fe8ae)
|
|
Guenther
(This used to be commit 82477b311e2a7a51906d0c00d8714f545b12b0bd)
|
|
WERROR_DOMAIN_CONTROLLER_NOT_FOUND from
SAMBA_3_0.
Guenther
(This used to be commit 841ad140a34648ff52d5e44a6642f346ef9eee02)
|
|
Guenther
(This used to be commit 9c2b9642336ed954c8f9fc0ccce95547d7c18aa8)
|
|
* netr_DsRGetDCName_flags, netr_DsRGetDCNameInfo_AddressType and netr_DsR_DcFlags
* the mask in netr_DsRGetDCNameEx2 turns out to be samr_AcctFlags
Guenther
(This used to be commit 9cdd6d9782a7a70f01d748228beb80c454d1468b)
|
|
"ntPwdHash" => "unicodePwd"
"lmPwdHash" => "dBCSPwd"
"sambaLMPwdHistory" => "lmPwdHistory"
"sambaNTPwdHistory" => "ntPwdHistory"
Note: you need to reprovision after this change!
metze
(This used to be commit dc4242c09c0402cbfdba912f82892df3153456ad)
|
|
(This used to be commit 76c78b0339cd88c61a13745f7f4e037f400db21b)
|
|
- ldb_dn_get_linearized
returns a const string
- ldb_dn_alloc_linearized
allocs astring with the linearized dn
(This used to be commit 3929c086d5d0b3f08b1c4f2f3f9602c3f4a9a4bd)
|
|
This patch changes a lot of the code in ldb_dn.c, and also
removes and add a number of manipulation functions around.
The aim is to avoid validating a dn if not necessary as the
validation code is necessarily slow. This is mainly to speed up
internal operations where input is not user generated and so we
can assume the DNs need no validation. The code is designed to
keep the data as a string if possible.
The code is not yet 100% perfect, but pass all the tests so far.
A memleak is certainly present, I'll work on that next.
Simo.
(This used to be commit a580c871d3784602a9cce32d33419e63c8236e63)
|
|
Remove references to dnsDomain, replace with references to dnsRoot
Andrew Bartlett
(This used to be commit e09dd33379c79982dffadd69d7a4e9e24be7c248)
|
|
This commit cleans up a number of aspects of the LSA interface.
Firstly, we do 2 simple searches on opening the LSA policy, to obtain
the basic information we need. This also avoids us searching for
dnsDomain (an invented attribute).
While I was at it, I added and tested new LSA calls, including the
enumTrustedDomainsEx call. I have also merged the identical structures
lsa_DomainInformation and lsa_DomainList.
Also in this commit: Fix netlogon use of uninitialised variables.
Andrew Bartlett
(This used to be commit 3f3fa7f466df56612064029143fbae8effb668aa)
|
|
(This used to be commit 09007b0907662a0d147e8eb21d5bdfc90dbffefc)
|
|
needed in searches
(This used to be commit a5ea749f0ac63bf495a55ee8d9d002208ab93572)
|