path: root/source4
Age | Commit message | Author | Files | Lines
2012-01-30 | s3: check that a user in a bogus domain name is mapped to the local netbios name of a domain member | Matthieu Patou | 1 | -0/+1
This means that if we authenticate for BOGUS\administrator in AD domain FOREST with samba being domain member with the netbiosname MEMBER then BOGUS\administrator will be mapped to MEMBER\administrator if the password matches.
2012-01-30 | gensec: inline gensec_generate_session_info() into only caller | Andrew Bartlett | 2 | -9/+27
This avoids casting to and from the struct auth_user_info_dc *user_info_dc. To do this, the if (user_info_dc->info->authenticated) is moved into auth_generate_session_info_wrapper(), which is the function that gensec_security->auth_context->generate_session_info points to. Andrew Bartlett
2012-01-30 | s4-auth: Return NT_STATUS_NOT_IMPLEMENTED if the challenge cannot be obtained | Andrew Bartlett | 1 | -1/+1
2012-01-30 | auth: Make check_password and generate_session_info hook generic | Andrew Bartlett | 3 | -21/+51
gensec_ntlmssp does not need to know the internal form of the struct user_info_dc or auth_serversupplied_info. This will allow the calling logic to be put in common. Andrew Bartlett
2012-01-30 | samdb: use compat wrappers for tdb_fetch(). | Rusty Russell | 1 | -6/+6
TDB2's tdb_fetch() returns an error code; use tdb_fetch_compat() for now. Similarly, tdb_errorstr() -> tdb_errorstr_compat(). Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-01-29 | auth: provide private pointer and do not return original PAC signatures | Andrew Bartlett | 1 | -34/+40
There is no need to return the PAC signatures via the special-purpose torture element. Instead, use a private pointer on the auth_context in conjunction with the private PAC processing method. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Sun Jan 29 23:52:50 CET 2012 on sn-devel-104
2012-01-26 | s4-rpc_server: Fix search for existing trust to actually look for the dns name | Andrew Bartlett | 1 | -1/+1
Found by an eagle-eyed user. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Jan 26 08:39:47 CET 2012 on sn-devel-104
2012-01-25 | s3:build: require gss_krb5_export_lucid_sec_context() for ads support | Stefan Metzmacher | 1 | -0/+1
This is needed to detect krb5 with aes for GENSEC_FEATURE_NEW_SPNEGO at runtime. metze
2012-01-25 | s4-torture: For authenticated users, add AUTHENTICATED USERS sid | Amitay Isaacs | 1 | -0/+4
Autobuild-User: Amitay Isaacs <amitay@samba.org> Autobuild-Date: Wed Jan 25 01:36:02 CET 2012 on sn-devel-104
2012-01-25 | dlz_bind9: for authenticated user, set the AUTHENTICATED USERS sid in token | Amitay Isaacs | 1 | -0/+5
2012-01-24 | dsdb: Allow DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID to be specified as a flag | Andrew Bartlett | 2 | -0/+8
2012-01-24 | python: Change except: statement to except Exception: | Amitay Isaacs | 9 | -15/+15
This way we only catch true exceptions and keyboard interrupts are not caught here. Autobuild-User: Amitay Isaacs <amitay@samba.org> Autobuild-Date: Tue Jan 24 03:32:40 CET 2012 on sn-devel-104
2012-01-23 | WERROR type variable being incorrectly checked with a NT_STATUS_IS_X | David Disseldorp | 1 | -1/+1
type macro.
2012-01-21 | Log short_princ instead of uninitialised filter. | Michael Wood | 1 | -5/+6
Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Sat Jan 21 13:06:35 CET 2012 on sn-devel-104
2012-01-20 | s4:auth/gensec: make sure GSS_C_CONF_FLAG implies GSS_C_INTEG_FLAG | Stefan Metzmacher | 1 | -0/+1
metze
2012-01-20 | torture: add spoolss overlapping driver deletion tests | David Disseldorp | 1 | -1/+118
Signed-off-by: Andreas Schneider <asn@samba.org> Autobuild-User: David Disseldorp <ddiss@samba.org> Autobuild-Date: Fri Jan 20 18:20:14 CET 2012 on sn-devel-104
2012-01-20 | torture: confirm printer driver file removal | David Disseldorp | 1 | -1/+81
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-01-20 | torture: add spoolss del printer driver test | David Disseldorp | 1 | -0/+63
Test handling of DeletePrinterDriverEx when the DPD_DELETE_ALL_FILES flag is set. Signed-off-by: Andreas Schneider <asn@samba.org>
2012-01-16 | s4:dsdb/password_hash: require a "Primary:Kerberos" blob in supplementalCredentials | Stefan Metzmacher | 1 | -0/+16
If this is missing a w2k8r2 server will reboot, when someone tries to change a password. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Mon Jan 16 17:10:07 CET 2012 on sn-devel-104
2012-01-14 | KCC importldif/exportldif and intersite topology | Dave Craft | 2 | -376/+2429
Add options for extracting an LDIF file from a database and reimporting the LDIF into a schema-less database for subsequent topology test/debug. Add intersite topology generation with computation of ISTG and bridgehead servers Signed-off-by: Andrew Tridgell <tridge@samba.org> Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Sat Jan 14 07:45:11 CET 2012 on sn-devel-104
2012-01-14 | Intersite KCC flags for python | Dave Craft | 1 | -0/+5
Add NTDSSITELINK options to dsdb class for use in python samba_kcc Signed-off-by: Andrew Tridgell <tridge@samba.org>
2012-01-13 | s4-smbtorture: tweak spoolss_OpenPrinterEx devmode | David Disseldorp | 1 | -2/+2
Flip some bits after the null terminator in the spoolss device mode character arrays to trigger bug 8606. Signed-off-by: Jeremy Allison <jra@samba.org>
2012-01-13 | auth/gensec: move spnego.c to the toplevel | Stefan Metzmacher | 2 | -1411/+0
metze
2012-01-13 | auth/gensec: common helper functions should be in gensec_util.c | Stefan Metzmacher | 1 | -107/+0
This makes the dependencies easier to handle. metze
2012-01-13 | s4:auth/gensec: inline packet_full_request_u32() | Stefan Metzmacher | 1 | -1/+9
This removes the dependency to s4 specific code. metze
2012-01-13 | s4:auth/gensec: fix compiler warnings in spnego.c | Stefan Metzmacher | 1 | -3/+0
metze
2012-01-12 | s4:repl_cleartext_pwd.py: add optional 'clear_utf16_name' parameter | Stefan Metzmacher | 1 | -7/+17
Not all cleartext passwords (machine passwords) can be converted to utf8, let's export the raw uint16_t array. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Thu Jan 12 23:58:12 CET 2012 on sn-devel-104
2012-01-12 | s4:repl_cleartext_pwd.py: add 'attmode' parameter to convert the attname to utf8 | Stefan Metzmacher | 1 | -5/+22
metze
2012-01-12 | s4:repl_cleartext_pwd.py: correctly compare attids as uint32_t values | Stefan Metzmacher | 1 | -5/+10
metze
2012-01-12 | s4:pygensec/tests: add test for gensec_set_max_update_size() | Stefan Metzmacher | 1 | -0/+54
metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Thu Jan 12 14:47:05 CET 2012 on sn-devel-104
2012-01-12 | s4:auth/gensec/spnego: add support for fragmented spnego messages | Stefan Metzmacher | 1 | -3/+205
metze
2012-01-12 | s4:pygensec: add set_max_update_size() and max_update_size() functions | Stefan Metzmacher | 1 | -0/+25
metze
2012-01-12 | Revert "make paranoia check less paranoid" - check that key types strictly match | Andrew Bartlett | 1 | -1/+1
This reverts commit c25af51232616061bb08eea86aae595b4f029490 because otherwise we could attempt to check a CKSUMTYPE_HMAC_SHA1_96_AES_256 key with a KRB5_ENCTYPE_ARCFOUR_HMAC_MD5 key. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Jan 12 09:43:07 CET 2012 on sn-devel-104
2012-01-12 | make hmac-md5 the keyed checksum type for arcfour-hmac-md5 | Andrew Bartlett | 1 | -1/+1
2012-01-12 | use ETYPE_DES3_CBC_SHA1 for the verify step in verify_mic_des3 | Andrew Bartlett | 1 | -0/+8
This allows a strict link between checksum types and key types to be enforced. Andrew Bartlett
2012-01-12 | heimdal: remove checking of KDC PAC signature, delegate to wdc plugin | Andrew Bartlett | 1 | -12/+2
The checking of the KDC signature is more complex than it looks, it may be of a different enc type to that which the ticket is encrypted with, and may even be prefixed with the RODC number. This is better handled in the plugin which can easily look up the DB for the correct key to verify this with, and can also quickly determine if this is an interdomain trust, which we cannot verify the PAC for. Andrew Bartlett
2012-01-12 | auth/kerberos: Remove unused TALLOC_CTX argument to check_pac_checksum | Andrew Bartlett | 1 | -1/+1
2012-01-12 | s4-kdc Do the KDC PAC checksum validation in the Samba plugin | Andrew Bartlett | 6 | -44/+152
Here we can fetch the right key, and check if the PAC is likely to be signed by a key that we know. We cannot check the KDC signature on incoming trusts. Andrew Bartlett
2012-01-12 | s4-kdc: use IDL constant NETLOGON_GENERIC_KRB5_PAC_VALIDATE | Andrew Bartlett | 1 | -1/+1
2012-01-12 | samba-tool:dns: DNS names are case insensitive | Amitay Isaacs | 1 | -3/+3
Autobuild-User: Amitay Isaacs <amitay@samba.org> Autobuild-Date: Thu Jan 12 06:43:01 CET 2012 on sn-devel-104
2012-01-12 | s4-rpc:dnsserver: DNS names are case insensitive | Amitay Isaacs | 3 | -17/+17
2012-01-11 | s4:auth: Make sure to check the optional auth_context hooks before using them | Andrew Bartlett | 1 | -18/+26
These are optional to supply - some callers only provide an auth_context for the other plugin functions, and so we need to deal with this cleanly. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Wed Jan 11 10:49:13 CET 2012 on sn-devel-104
2012-01-11 | gensec: Rename want_flags and got_flags in gensec_gssapi | Andrew Bartlett | 1 | -26/+26
This makes it clearer what type of flags these are. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 | gensec: make gensec_gssapi.h common | Andrew Bartlett | 1 | -67/+0
This will make it easier to share elements of the GSSAPI gensec mechs, in much the same way elements of the NTLMSSP mech are shared. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 | gensec: move gensec_util.c to the top level | Andrew Bartlett | 3 | -104/+1
To do this some defines need to move to common_auth.h Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 | auth: make auth4_context common to provide access to generate_session_info_pac() | Andrew Bartlett | 1 | -52/+0
By providing this context, a function pointer for generate_session_info_pac() can be inserted into gensec, allowing the s3 PAC processing in an otherwise more generic gensec module. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-10 | krb5: Require krb5_set_real_time is available to build with krb5 | Andrew Bartlett | 1 | -4/+0
2012-01-10 | krb5: Require krb5_get_renewed_creds be available to build with krb5 | Andrew Bartlett | 1 | -1/+0
2012-01-10 | krb5: Remove now unused checks for krb5_verify_checksum | Andrew Bartlett | 1 | -2/+0
2012-01-10 | krb5: Require krb5_c_enctype_compare is available to build with krb5 | Andrew Bartlett | 1 | -1/+0