Age | Commit message | Author | Files | Lines | |
---|---|---|---|---|---|
2012-07-17 | s4-auth: Make sure we use the correct credential state. | Andreas Schneider | 1 | -1/+6 | |
If we create a copy of the credential state we miss updates to the credentials. To establish a netlogon schannel connection we create client credentials and authenticate with them using dcerpc_netr_ServerAuthenticate2(). For this we call netlogon_creds_client_authenticator() which increases the sequence number and steps the credentials. Let's assume the sequence number is 1002. After a successful authentication we get the server credentials and we send a bind auth request with the received creds. This sets up gensec and the gensec schannel module created a copy of the client creds and stores it in the schannel auth state. So the creds stored in gensec have the sequence number 1002. After that we continue and need the client credentials to call dcerpc_netr_LogonGetCapabilities() to verify the connection. So we need to increase the sequence number of the credentials to 1004 and step the credentials to the next state. The server always does the same and everything is just fine here. The connection is established and we want to do another netlogon call. So we get the creds from gensec and want to do a netlogon call e.g. dcerpc_netr_SamLogonWithFlags. We get the needed creds from gensec. The sequence number is 1002 and we talk to the server. The server is already ahead cause we are already at sequence number 1004 and the server expects it to be 1006. So the server gives us ACCESS_DENIED cause we use a copy in gensec. Signed-off-by: Günther Deschner <gd@samba.org> | |||||
2012-07-17 | s4-librpc: Add capabilities check for AES encrypted connections. | Andreas Schneider | 1 | -1/+110 | |
Signed-off-by: Günther Deschner <gd@samba.org> | |||||
2012-07-17 | s4-torture: Improve samlogon test. | Andreas Schneider | 1 | -0/+8 | |
2012-07-17 | s4-torture: Add DCERPC_SCHANNEL_AES tests. | Andreas Schneider | 1 | -1/+5 | |
Signed-off-by: Günther Deschner <gd@samba.org> | |||||
2012-07-17 | s4:rpc_server/netlogon: add support for AES based netlogon schannel | Stefan Metzmacher | 1 | -0/+4 | |
metze Signed-off-by: Günther Deschner <gd@samba.org> | |||||
2012-07-17 | s4:librpc/rpc: add DCERPC_SCHANNEL_AES support | Stefan Metzmacher | 1 | -2/+15 | |
metze Signed-off-by: Günther Deschner <gd@samba.org> | |||||
2012-07-17 | s4:rpc_server/netlogon: only return STRONG_KEYS if the client asked for it | Stefan Metzmacher | 1 | -26/+31 | |
metze Signed-off-by: Günther Deschner <gd@samba.org> | |||||
2012-07-17 | s4:rpc_server/netlogon: implement netr_LogonGetCapabilities | Stefan Metzmacher | 1 | -2/+20 | |
This is also needed to support AES. metze Signed-off-by: Günther Deschner <gd@samba.org> | |||||
2012-07-17 | s4:librpc/rpc/dcerpc_schannel: just append NETLOGON_NEG_RODC_PASSTHROUGH as rodc | Stefan Metzmacher | 1 | -4/+5 | |
The RODC stuff doesn't depend on the schannel algorithm. metze Signed-off-by: Günther Deschner <gd@samba.org> | |||||
2012-07-17 | s4:librpc/rpc/dcerpc_schannel: rework downgrade logic | Stefan Metzmacher | 1 | -5/+38 | |
metze Signed-off-by: Günther Deschner <gd@samba.org> | |||||
2012-07-15 | s4-param: Use a unique header name | Andrew Bartlett | 1 | -3/+3 | |
2012-07-13 | s4-provision: Provide YP/NIS subtree to allow ADUC to see and set rfc2307 attrs | Geza Gemes | 3 | -2/+536 | |
When provisioning with --use_rfc2307=yes populate the subtree: CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN} This makes it possible to manipulate the posix attributes via ADUC (commit message adjusted by abartlet) Signed-off-by: Andrew Bartlett <abartlet@samba.org> | |||||
2012-07-13 | s4:registry:regdiff: use existing talloc context for the event context | Michael Adam | 1 | -1/+1 | |
Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Fri Jul 13 02:51:44 CEST 2012 on sn-devel-104 | |||||
2012-07-13 | s4:registry:regdiff: add TALLOC_CTX * argument to open_backend() | Michael Adam | 1 | -6/+7 | |
2012-07-13 | s4:registry: add a TALLOC_CTX argument to reg_open_remote() | Michael Adam | 4 | -5/+7 | |
2012-07-06 | s4-torture: add ntprinting ndr operations testsuite. | Günther Deschner | 3 | -1/+442 | |
Guenther Autobuild-User(master): Günther Deschner <gd@samba.org> Autobuild-Date(master): Fri Jul 6 20:55:26 CEST 2012 on sn-devel-104 | |||||
2012-07-06 | s4-selftest: do a dbcheck on our two vampire DCs | Andrew Bartlett | 1 | -1/+1 | |
However, due to using --domain-critical-only we have to knownfail the vampire DC here, as we do not fill in the backlinks on non-critical objects correctly. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri Jul 6 16:54:10 CEST 2012 on sn-devel-104 | |||||
2012-07-06 | s4-dbcheck: Check for an object without a parent | Andrew Bartlett | 1 | -0/+44 | |
Such objects are then moved to the appropriate LostAndFound container, just as they would be if replicated. Andrew Bartlett | |||||
2012-07-06 | s4-dsdb: Remove unused variables in py_dsdb_get_partitions_dn | Andrew Bartlett | 1 | -3/+0 | |
2012-07-06 | pydsdb: Add bindings for dsdb_wellknown_dn() | Andrew Bartlett | 2 | -0/+38 | |
2012-07-06 | s4-pydsdb: Add bindings for dsdb_find_nc_root() | Andrew Bartlett | 2 | -0/+26 | |
2012-07-06 | s4-pydsdb: Improve PyErr_LDB_{DN,}_OR_RAISE to use py_check_dcerpc_type | Andrew Bartlett | 1 | -2/+9 | |
This checks the type rather than just dereferencing the pointer. Andrew Bartlett | |||||
2012-07-06 | auth: Common function for retrieving PAC_LOGIN_INFO from PAC | Christof Schmitt | 2 | -45/+0 | |
Several functions use the same logic as kerberos_pac_logon_info. Move kerberos_pac_logon_info to common code and reuse it to remove the code duplication. Signed-off-by: Andrew Bartlett <abartlet@samba.org> | |||||
2012-07-06 | s4-lsarpc: DCERPC_FAULT_ACCESS_DENIED for tcp | Andreas Schneider | 1 | -0/+10 | |
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Fri Jul 6 11:50:40 CEST 2012 on sn-devel-104 | |||||
2012-07-06 | s4-lsarpc: DCERPC_FAULT_ACCESS_DENIED for np | Andreas Schneider | 3 | -0/+45 | |
2012-07-06 | s4-lsarpc: Restrict LookupSids3 to crypto connections only. | Andreas Schneider | 1 | -0/+10 | |
2012-07-06 | s4-lsarpc: Restrict LookupNames4 to crypto connections only. | Andreas Schneider | 1 | -0/+10 | |
2012-07-06 | s4-lsarpc: Don't call lsa_OpenPolicy2 in lsa_LookupSids3. | Andreas Schneider | 1 | -46/+48 | |
2012-07-06 | s4-lsaprc: Don't call lsa_OpenPolicy2 in lsa_LookupNames4. | Andreas Schneider | 1 | -49/+53 | |
2012-07-06 | s4-selftest: Don't run lsarpc requiring a named pipe over tcpip. | Andreas Schneider | 1 | -1/+1 | |
2012-07-06 | s4-selftest: Don't plan lsa.secrets tests over tcpip. | Andreas Schneider | 1 | -4/+4 | |
These will only work over a named pipe or ncalrpc. | |||||
2012-07-06 | s4-libnet: Skip calling lsarpc functions over a wrong pipe. | Andreas Schneider | 1 | -0/+9 | |
2012-07-06 | s4-torture: Call lsarpc tests over the correct pipe. | Andreas Schneider | 1 | -0/+6 | |
2012-07-06 | s4-torture: Don't consider NONE_MAPPED an error in LookupSids3. | Andreas Schneider | 1 | -3/+19 | |
2012-07-06 | s4-torture: Don't consider NONE_MAPPED an error in LookupNames4. | Andreas Schneider | 1 | -3/+15 | |
2012-07-06 | s4-torture: Add a lsarpc test_GetUserName_fail function. | Andreas Schneider | 1 | -0/+59 | |
2012-07-06 | s4-torture: Add a lsarpc test_OpenPolicy2_fail function. | Andreas Schneider | 2 | -21/+74 | |
2012-07-06 | s4-torture: Add a lsarpc test_OpenPolicy_fail function. | Andreas Schneider | 1 | -17/+74 | |
2012-07-06 | s4-torture: Add a lsarpc test_LookupNames4_fail function. | Andreas Schneider | 1 | -23/+74 | |
2012-07-06 | s4-torture: Add a lsarpc test_LookupSids3_fail function. | Andreas Schneider | 1 | -15/+68 | |
2012-07-06 | s4-torture: Test LookupSids3/LookupNames4 over np and tcpip. | Andreas Schneider | 1 | -8/+26 | |
2012-07-06 | s4-torture: Make sure lsa_OpenPolicy2 fails over TCP/IP. | Andreas Schneider | 2 | -8/+16 | |
2012-07-06 | s4-torture: Make sure lsa_OpenPolicy fails over TCP/IP. | Andreas Schneider | 1 | -9/+20 | |
2012-07-06 | s4-torture: Make sure ncacn_np tests are only called over the a pipe. | Andreas Schneider | 2 | -1/+43 | |
2012-07-06 | s4-torture: Test LookupSids3 and LookupNames4 only over tcpip. | Andreas Schneider | 1 | -13/+36 | |
LookupSids3 and LookupNames4 are only available over tcpip and MUST fail over named pipes. | |||||
2012-07-06 | s4-torture: Use test_LookupSids3 function. | Andreas Schneider | 1 | -32/+1 | |
2012-07-06 | s4-torture: Fix build warnings in lsa test. | Andreas Schneider | 1 | -10/+2 | |
2012-07-06 | s4-classicupgrade: Demote any other 'BDC' accounts back to a member server during upgrade | Andrew Bartlett | 1 | -2/+12 | |
This makes it clear that they cannot be a DC until they are upgraded with samba-tool domain dcpromo. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri Jul 6 09:59:13 CEST 2012 on sn-devel-104 | |||||
2012-07-06 | s4-selftest: Test samba-tool domain dcpromo | Andrew Bartlett | 1 | -1/+2 | |
This needs a new environment to test it properly. This requires a raise in the number of socket wrapper interfaces. Andrew Bartlett | |||||
2012-07-06 | s4-samba-tool: Provide a samba-tool domain dcpromo that upgrades a member to a DC | Andrew Bartlett | 2 | -10/+121 | |
This command is like dcpromo in that it upgrades the existing workstation account to be a domain controller. The SID (and therefore any file ownerships) is preserved. Andrew Bartlett |