summaryrefslogtreecommitdiff
path: root/source4
AgeCommit message (Collapse)AuthorFilesLines
2012-07-17s4-auth: Make sure we use the correct credential state.Andreas Schneider1-1/+6
If we create a copy of the credential state we miss updates to the credentials. To establish a netlogon schannel connection we create client credentials and authenticate with them using dcerpc_netr_ServerAuthenticate2() For this we call netlogon_creds_client_authenticator() which increases the sequence number and steps the credentials. Lets assume the sequence number is 1002. After a successful authentication we get the server credentials and we send bind a auth request with the received creds. This sets up gensec and the gensec schannel module created a copy of the client creds and stores it in the schannel auth state. So the creds stored in gensec have the sequence number 1002. After that we continue and need the client credentials to call dcerpc_netr_LogonGetCapabilities() to verify the connection. So we need to increase the sequence number of the credentials to 1004 and step the credentials to the next state. The server always does the same and everything is just fine here. The connection is established and we want to do another netlogon call. So we get the creds from gensec and want to do a netlogon call e.g. dcerpc_netr_SamLogonWithFlags. We get the needed creds from gensec. The sequence number is 1002 and we talk to the server. The server is already ahead cause we are already at sequence number 1004 and the server expects it to be 1006. So the server gives us ACCESS_DENIED cause we use a copy in gensec. Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17s4-librpc: Add capabilities check for AES encrypted connections.Andreas Schneider1-1/+110
Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17s4-torture: Improve samlogon test.Andreas Schneider1-0/+8
2012-07-17s4-torture: Add DCERPC_SCHANNEL_AES tests.Andreas Schneider1-1/+5
Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17s4:rpc_server/netlogon: add support for AES based netlogon schannelStefan Metzmacher1-0/+4
metze Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17s4:librpc/rpc: add DCERPC_SCHANNEL_AES supportStefan Metzmacher1-2/+15
metze Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17s4:rpc_server/netlogon: only return STRONG_KEYS if the client asked for itStefan Metzmacher1-26/+31
metze Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17s4:rpc_server/netlogon: implement netr_LogonGetCapabilitiesStefan Metzmacher1-2/+20
This is also needed to support AES. metze Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17s4:librpc/rpc/dcerpc_schannel: just append NETLOGON_NEG_RODC_PASSTHROUGH as rodcStefan Metzmacher1-4/+5
The RODC stuff doesn't depend on the schannel algorithm. metze Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17s4:librpc/rpc/dcerpc_schannel: rework downgrade logicStefan Metzmacher1-5/+38
metze Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-15s4-param: Use a unique header nameAndrew Bartlett1-3/+3
2012-07-13s4-provision: Provide YP/NIS subtree to allow ADUC to see and set rfc2307 attrsGeza Gemes3-2/+536
When provisioning with --use_rfc2307=yes populate the subtree: CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN} This makes it possible to manipulate the posix attributes via ADUC (commit message adjusted by abartlet) Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-07-13s4:registry:regdiff: use existing talloc context for the event contextMichael Adam1-1/+1
Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Fri Jul 13 02:51:44 CEST 2012 on sn-devel-104
2012-07-13s4:registry:regdiff: add TALLOC_CTX * argument to open_backend()Michael Adam1-6/+7
2012-07-13s4:registry: add a TALLOC_CTX argument to reg_open_remote()Michael Adam4-5/+7
2012-07-06s4-torture: add ntprinting ndr operations testsuite.Günther Deschner3-1/+442
Guenther Autobuild-User(master): Günther Deschner <gd@samba.org> Autobuild-Date(master): Fri Jul 6 20:55:26 CEST 2012 on sn-devel-104
2012-07-06s4-selftest: do a dbcheck on our two vampire DCsAndrew Bartlett1-1/+1
However, due to using --domain-critical-only we have to knownfail the vampire DC here, as we do not fill in the backlinks on non-critical objects correctly. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri Jul 6 16:54:10 CEST 2012 on sn-devel-104
2012-07-06s4-dbcheck: Check for an object without a parentAndrew Bartlett1-0/+44
Such objects are then moved to the appropriate LostAndFound container, just as they would be if replicated. Andrew Bartlett
2012-07-06s4-dsdb: Remove unused variables in py_dsdb_get_partitions_dnAndrew Bartlett1-3/+0
2012-07-06pydsdb: Add bindings for dsdb_wellknown_dn()Andrew Bartlett2-0/+38
2012-07-06s4-pydsdb: Add bindings for dsdb_find_nc_root()Andrew Bartlett2-0/+26
2012-07-06s4-pydsdb: Improve PyErr_LDB_{DN,}_OR_RAISE to use py_check_dcerpc_typeAndrew Bartlett1-2/+9
This checks the type rather than just dereferencing the pointer. Andrew Bartlett
2012-07-06auth: Common function for retrieving PAC_LOGIN_INFO from PACChristof Schmitt2-45/+0
Several functions use the same logic as kerberos_pac_logon_info. Move kerberos_pac_logon_info to common code and reuse it to remove the code duplication. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-07-06s4-lsarpc: DCERPC_FAULT_ACCESS_DENIED for tcpAndreas Schneider1-0/+10
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Fri Jul 6 11:50:40 CEST 2012 on sn-devel-104
2012-07-06s4-lsarpc: DCERPC_FAULT_ACCESS_DENIED for npAndreas Schneider3-0/+45
2012-07-06s4-lsarpc: Restrict LookupSids3 to crypto connections only.Andreas Schneider1-0/+10
2012-07-06s4-lsarpc: Restrict LookupNames4 to crypto connections only.Andreas Schneider1-0/+10
2012-07-06s4-lsarpc: Don't call lsa_OpenPolicy2 in lsa_LookupSids3.Andreas Schneider1-46/+48
2012-07-06s4-lsaprc: Don't call lsa_OpenPolicy2 in lsa_LookupNames4.Andreas Schneider1-49/+53
2012-07-06s4-selftest: Don't run lsarpc requiring a named pipe over tcpip.Andreas Schneider1-1/+1
2012-07-06s4-selftest: Don't plan lsa.secrets tests over tcpip.Andreas Schneider1-4/+4
These will only work over a named pipe or ncalrpc.
2012-07-06s4-libnet: Skip calling lsarpc functions over a wrong pipe.Andreas Schneider1-0/+9
2012-07-06s4-torture: Call lsarpc tests over the correct pipe.Andreas Schneider1-0/+6
2012-07-06s4-torture: Don't consider NONE_MAPPED an error in LookupSids3.Andreas Schneider1-3/+19
2012-07-06s4-torture: Don't consider NONE_MAPPED an error in LookupNames4.Andreas Schneider1-3/+15
2012-07-06s4-torture: Add a lsarpc test_GetUserName_fail function.Andreas Schneider1-0/+59
2012-07-06s4-torture: Add a lsarpc test_OpenPolicy2_fail function.Andreas Schneider2-21/+74
2012-07-06s4-torture: Add a lsarpc test_OpenPolicy_fail function.Andreas Schneider1-17/+74
2012-07-06s4-torture: Add a lsarpc test_LookupNames4_fail function.Andreas Schneider1-23/+74
2012-07-06s4-torture: Add a lsarpc test_LookupSids3_fail function.Andreas Schneider1-15/+68
2012-07-06s4-torture: Test LookupSids3/LookupNames4 over np and tcpip.Andreas Schneider1-8/+26
2012-07-06s4-torture: Make sure lsa_OpenPolicy2 fails over TCP/IP.Andreas Schneider2-8/+16
2012-07-06s4-torture: Make sure lsa_OpenPolicy fails over TCP/IP.Andreas Schneider1-9/+20
2012-07-06s4-torture: Make sure ncacn_np tests are only called over the a pipe.Andreas Schneider2-1/+43
2012-07-06s4-torture: Test LookupSids3 and LookupNames4 only over tcpip.Andreas Schneider1-13/+36
LookupSids3 and LookupNames4 are only available over tcpip and MUST fail over named pipes.
2012-07-06s4-torture: Use test_LookupSids3 function.Andreas Schneider1-32/+1
2012-07-06s4-torture: Fix build warnings in lsa test.Andreas Schneider1-10/+2
2012-07-06s4-classicupgrade: Demote any other 'BDC' accounts back to a member server ↵Andrew Bartlett1-2/+12
during upgrade This makes it clear that they cannot be a DC until they are upgraded with samba-tool domain dcpromo. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri Jul 6 09:59:13 CEST 2012 on sn-devel-104
2012-07-06s4-selftest: Test samba-tool domain dcpromoAndrew Bartlett1-1/+2
This needs a new environment to test it properly. This requires a raise in the number of socket wrapper interfaces. Andrew Bartlett
2012-07-06s4-samba-tool: Provide a samba-tool domain dcpromo that upgrades a member to ↵Andrew Bartlett2-10/+121
a DC This command is like dcpromo in that it upgrades the existing workstation account to be a domain controller. The SID (and therefore any file ownerships) is preserved. Andrew Bartlett