Age | Commit message (Collapse) | Author | Files | Lines |
|
Guenther
|
|
- Correctly use samdb_search_string to do a 'base' search
(this needs a NULL, not a "" argument for the format string)
- There is no need (and it caused a security hole) to use
talloc_asprintf() with the only argument being the string to
duplicate.
Andrew Bartlett
|
|
This addresses bug #4888 and #6596 in SAMBA 4 Bugzilla
- It implements the call in the complete form as specified in the MSPP/WSPP docs
and on the discussion on the "cifs-protocol" list
- Therefore client informations (OS name, OS version, "servicePrincipalName"...)
are now saved in the AD each time the client invokes the call
|
|
|
|
In the SAMBA 4 DCE/RPC NETLOGON server the SAM context references have generally
the type "void *". But we know that those context objects are based on the "struct
ldb_context" type. We've always to cast for using a SAM/LDB call.
This I didn't find very appealing and so I assigned the right (detailed) type to each "sam_ctx".
Therefore, the casts could disappear.
Also this change is only cosmetic.
|
|
Guenther
|
|
Patch for bug #4939
This refactors the NETLOGON code related to this bug:
- Introduces a new "SYNCSTATE" enum required by the "DatabaseSync2" call (acc.
to WSPP)
- Make "DatabaseSync" dependant from "DatabaseSync2" (acc. to WSPP)
- Let "DatabaseSync2" return NT_STATUS_NOT_IMPLEMENTED (I'm not sure if this is
also true when a domain is running in mixed mode)
- Make "LogonControl" and "LogonControl2" dependant form "LogonControl2Ex"
(acc. to WSPP)
- Let "LogonControl2Ex" return WERR_NOT_SUPPORTED for now
|
|
A single AD server can only host a single domain, so don't stuff about
with looking up our crossRef record in the cn=Partitions container.
We instead trust that lp_realm() and lp_workgroup() works correctly.
Andrew Bartlett
|
|
|
|
In particular, this is the rename from creds_ to netlogon_creds_, as
well as other links to use the new common crypto.
Andrew Bartlett
|
|
Thanks to Andrew Kroeger <andrew@id10ts.net> for reporting this. This
fix just for the release. A better fix will make it into the master
branch soon.
Andrew Bartlett
|
|
|
|
dcesrv_netr_ServerAuthenticate()
metze
|
|
This hopefully fixes bug #6109.
metze
|
|
metze
|
|
Win7-beta.
The first problem is that we removed the dnsDomain attribute a while
back, so we were returning NULL for two fields. We now return the
realm.
The second problem is that Win7-beta sends the domain in the form the
user typed it, so it may be in either the short or long form. We check
for the short form and convert if needed.
|
|
metze
|
|
list=""
list="$list event_context:tevent_context"
list="$list fd_event:tevent_fd"
list="$list timed_event:tevent_timer"
for s in $list; do
o=`echo $s | cut -d ':' -f1`
n=`echo $s | cut -d ':' -f2`
r=`git grep "struct $o" |cut -d ':' -f1 |sort -u`
files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4`
for f in $files; do
cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp
mv $f.tmp $f
done
done
metze
|
|
Guenther
|
|
netr_GetDcName()
metze
|
|
metze
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
This uses a virtual attribute 'clearTextPassword' (name chosen to
match references in MS-SAMR) that contains the length-limited blob
containing an allegidly UTF16 password. This ensures we do no
validation or filtering of the password before we get a chance to MD4
it. We can then do the required munging into UTF8, and in future
implement the rules Microsoft has provided us with for invalid inputs.
All layers in the process now deal with the strings as length-limited
inputs, incluing the krb5 string2key calls.
This commit also includes a small change to samdb_result_passwords()
to ensure that LM passwords are not returned to the application logic
if LM authentication is disabled.
The objectClass module has been modified to allow the
clearTextPassword attribute to pass down the stack.
Andrew Bartlett
|
|
|
|
|
|
(in other words, don't do commits in airports)
|
|
|
|
plugfest in Redmond
|
|
UTF-16 input
The input checking is important, as otherwise we could set the wrong
password.
Andrew Bartlett
|
|
(This used to be commit 842ab594124198453fc88f46ab83b712a7d34dc1)
|
|
This is implemented by means of a message to the KDC, to avoid having
to link most of the KDC into netlogon.
Andrew Bartlett
(This used to be commit 82fcd7941f5c54da2d994c8bd99dd8d86299a296)
|
|
(This used to be commit 8741e8fee619cccd84f2f10e00426df1d4f34074)
|
|
Andrew Bartlett
(This used to be commit ea58b650a81b48b0477edbcda1e4e26a3b2a9b9e)
|
|
(This used to be commit b4e1ae07a284c044704322446c94351c2decff91)
|
|
More correctly handle expired passwords, and do not expire machine accounts.
Test that the behaviour is consistant with windows, using the RPC-SAMR test.
Change NETLOGON to directly query the userAccountControl, just because
we don't want to do the extra expiry processing here.
Andrew Bartlett
(This used to be commit acda1f69bc9b9c43e157e254d0bae54d11363661)
|
|
Guenther
(This used to be commit 7a10be2ac77124a78fcc4ddda5e05c036ed920fa)
|
|
Guenther
(This used to be commit 31980e03faedaa44317f64d940c458d38a103627)
|
|
torture test, as I see little reason to implement these RPCs).
Add information regarding the importance of the LogonGetDomainInfo calls
Andrew Bartlett
(This used to be commit 9cd3a76c25019f4d8d7b41d75e1f7efb4475e86a)
|
|
Guenther
(This used to be commit 7aa34b48795d303ba600f34a4b1bc916007aee44)
|
|
(This used to be commit 2d61e7c96e249d7031b709e9f727626a78e435f1)
|
|
(This used to be commit 6fd0d9d3b75546d08c24c513e05b1843d5777608)
|
|
(This used to be commit 9d806da113b5f0688b6193dfdee9b8765e18b38f)
|
|
samdb before we start writing entries into it.
In doing so, I realised we still used 'dnsDomain', which is not part
of the standard schema (now removed).
We also set the 'wrong' side of the linked attributes for the
masteredBy on each partition - this is now set in provision_self_join
and backlinks via the linked attributes code.
When we have the schema loaded, we must also have a valid domain SID
loaded, so that the objectclass module works. This required some ejs
glue.
Andrew Bartlett
(This used to be commit b0de08916e8cb59ce6a2ea94bbc9ac0679830ac1)
|