Age | Commit message (Collapse) | Author | Files | Lines |
|
As mit_samba_update_pac_data() doesn't support adding
S4U_DELEGATION_INFO to the pac (and I have no clue how to add that)
we should disable S4U2Proxy until this is implemented.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Jun 28 20:35:19 CEST 2011 on sn-devel-104
|
|
metze
|
|
metze
|
|
function
This is needed in order to add the S4U_DELEGATION_INFO to the pac.
metze
|
|
commit "heimdal Add support for extracting a particular KVNO from the database"
(f469fc6d4922d796f5c61bf43e3efc018e37b680 in heimdal/master
and 9b5e304ccedc8f0f7ce2342e4d9c621417dd1c1e in samba/master)
changed the windc_plugin interface, so we need to change the
version number.
metze
|
|
Pair-Programmed-With: Björn Baumbach <bb@sernet.de>
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Jun 24 20:35:30 CEST 2011 on sn-devel-104
|
|
metze
|
|
metze
|
|
For now this only works on the local sam.ldb, but it shouldn't be hard
to improve it to talk to remove servers.
Pair-Programmed-With: Björn Baumbach <bb@sernet.de>
metze
|
|
And let enable_account() use it.
Pair-Programmed-With: Björn Baumbach <bb@sernet.de>
metze
|
|
check_constrained_delegation() hook is given
A service should use S4U2Self instead of S4U2Proxy.
Windows servers allow S4U2Proxy only to explicitly configured
target principals.
metze
|
|
This way we can compare the already canonicalized principals,
while still passing the client specified target principal down
to the backend specific constrained_delegation() hook.
metze
|
|
With S4U2Proxy tgt->crealm might be different from tgt_name->realm.
metze
|
|
Signed-off-by: Günther Deschner <gd@samba.org>
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Fri Jun 24 16:19:36 CEST 2011 on sn-devel-104
|
|
|
|
|
|
As discussed in 'CH_DISPLAY and gettext' on the samba-technical list:
http://lists.samba.org/archive/samba-technical/2011-June/078190.html
Setting this to a value other than 'unix charset' does not make sense,
as any system where the filesytem charset does not equal the terminal
charset will already have problems with programs as simple as 'ls'.
It also means that our output could not be pasted as our input in
interactive programs or onto our command line, as we never did
translate in the DISPLAY -> UNIX direction.
The d_printf() calls are retained in case we need to revisit this, and
to support display_set_stderr().
Andrew Bartlett
|
|
Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Thu Jun 23 01:50:39 CEST 2011 on sn-devel-104
|
|
Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Wed Jun 22 21:22:27 CEST 2011 on sn-devel-104
|
|
|
|
|
|
I faced a situation where the os.environ("KRB5CCNAME") = ... didn't
seems to be effective
|
|
and don't touch rIDPreviousAllocationPool
|
|
if a DN link to Deleted Objects has a bad GUID, we need to use
show_deleted
|
|
|
|
|
|
this allows checking of a specific list of attributes
|
|
this will be used in provision, and probably in upgradeprovision as
well
|
|
this will be used to allow for other tools (such as provision) to call
into dbcheck without generating a lot of noise
|
|
w2k8r2
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jun 22 19:40:47 CEST 2011 on sn-devel-104
|
|
Note: this doesn't work against a Samba4 KDC yet.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jun 22 18:17:43 CEST 2011 on sn-devel-104
|
|
If the KDC does not support S4U2Proxy, it might return a ticket
for the TGT client principal.
metze
|
|
For S4U2Proxy we need to use the ticket from the S4U2Self stage
and ask the kdc for the delegated ticket for the target service.
metze
|
|
this allows dbcheck to fix bad attributes
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Wed Jun 22 12:27:06 CEST 2011 on sn-devel-104
|
|
this is useful for running it against a Windows server
|
|
this now checks for bad GUID elements in DN links, and offers to fix
them when possible
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
if we search with a base DN that has both a GUID and a SID, then use
the GUID first. This matters for the S-1-5-17 SID.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
When searching using extended DNs, if there are multiple matches then
return an object not found error. This is needed for the case of a
duplicate objectSid, which happens for S-1-5-17
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Old KDCs may not support S4U2Self (or S4U2Proxy) and return tickets
which belongs to the client principal of the TGT.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jun 22 09:10:55 CEST 2011 on sn-devel-104
|
|
This will make the following changes easier to review.
metze
|
|
In order to make the following changes easier to review.
metze
|
|
It's important that we don't store the tgt for the machine account
in the same krb5_ccache as the ticket for the impersonated principal.
We may pass it to some krb5/gssapi functions and they may use them
in the wrong way, which would grant machine account privileges to
the client.
metze
|
|
This will make the following changes easier to review.
metze
|
|
metze
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Wed Jun 22 07:59:30 CEST 2011 on sn-devel-104
|
|
this will be used by the dbcheck code
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
this gives you access to the syntax oid of an attribute
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
this gives access to ldb_dn_get_extended_linearized() from python
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
keep individual error handlers together and separate from driver code
|