summaryrefslogtreecommitdiff
path: root/source4
AgeCommit message (Collapse)AuthorFilesLines
2012-01-12Revert "make paranoia check less paranoid" - check that key types strictly matchAndrew Bartlett1-1/+1
This reverts commit c25af51232616061bb08eea86aae595b4f029490 because otherwise we could attempt to check a CKSUMTYPE_HMAC_SHA1_96_AES_256 key with a KRB5_ENCTYPE_ARCFOUR_HMAC_MD5 key. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Thu Jan 12 09:43:07 CET 2012 on sn-devel-104
2012-01-12make hmac-md5 the keyed checksum type for arcfour-hmac-md5Andrew Bartlett1-1/+1
2012-01-12use ETYPE_DES3_CBC_SHA1 for the verify step in verify_mic_des3Andrew Bartlett1-0/+8
This allows a strict link between checksum types and key types to be enforced. Andrew Bartlett
2012-01-12heimdal: remove checking of KDC PAC signature, delegate to wdc pluginAndrew Bartlett1-12/+2
The checking of the KDC signature is more complex than it looks, it may be of a different enc type to that which the ticket is encrypted with, and may even be prefixed with the RODC number. This is better handled in the plugin which can easily look up the DB for the correct key to verify this with, and can also quickly determine if this is an interdomain trust, which we cannot verify the PAC for. Andrew Bartlett
2012-01-12auth/kerberos: Remove unused TALLOC_CTX argument to check_pac_checksumAndrew Bartlett1-1/+1
2012-01-12s4-kdc Do the KDC PAC checksum validation in the Samba pluginAndrew Bartlett6-44/+152
Here we can fetch the right key, and check if the PAC is likely to be signed by a key that we know. We cannot check the KDC signature on incoming trusts. Andrew Bartlett
2012-01-12s4-kdc: use IDL constant NETLOGON_GENERIC_KRB5_PAC_VALIDATEAndrew Bartlett1-1/+1
2012-01-12samba-tool:dns: DNS names are case insensitiveAmitay Isaacs1-3/+3
Autobuild-User: Amitay Isaacs <amitay@samba.org> Autobuild-Date: Thu Jan 12 06:43:01 CET 2012 on sn-devel-104
2012-01-12s4-rpc:dnsserver: DNS names are case insensitiveAmitay Isaacs3-17/+17
2012-01-11s4:auth: Make sure to check the optional auth_context hooks before using themAndrew Bartlett1-18/+26
These are optional to supply - some callers only provide an auth_context for the other plugin functions, and so we need to deal with this cleanly. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Wed Jan 11 10:49:13 CET 2012 on sn-devel-104
2012-01-11gensec: Rename want_flags and got_flags in gensec_gssapiAndrew Bartlett1-26/+26
This make it clearer what type of flags these are. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11gensec: make gensec_gssapi.h commonAndrew Bartlett1-67/+0
This will make it easier to share elements of the GSSAPI gensec mechs, in much the same way elements of the NTLMSSP mech are shared. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11gensec: move gensec_util.c to the top levelAndrew Bartlett3-104/+1
To do this some defines need to move to common_auth.h Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11auth: make auth4_context common to provide access to generate_session_info_pac()Andrew Bartlett1-52/+0
By providing this context, a function pointer for generate_session_info_pac() can be inserted into gensec, allowing the s3 PAC processing in an otherwise more generic gensec module. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-10krb5: Require krb5_set_real_time is available to build with krb5Andrew Bartlett1-4/+0
2012-01-10krb5: Require krb5_get_renewed_creds be available to build with krb5Andrew Bartlett1-1/+0
2012-01-10krb5: Remove now unused checks for krb5_verify_checksumAndrew Bartlett1-2/+0
2012-01-10krb5: Require krb5_c_enctype_compare is available to build with krb5Andrew Bartlett1-1/+0
2012-01-10s4:provision: add "+dns" to server services if the dns backend is SAMBA_INTERNALMichael Adam1-2/+7
Signed-off-by: Kai Blin <kai@samba.org> Autobuild-User: Kai Blin <kai@samba.org> Autobuild-Date: Tue Jan 10 21:17:45 CET 2012 on sn-devel-104
2012-01-10s4:provision: add a server services line to the smb.conf template for the dcMichael Adam1-0/+2
Signed-off-by: Kai Blin <kai@samba.org>
2012-01-10s4:provision: add the possibility to provision "server services" in smb.confMichael Adam1-2/+9
Signed-off-by: Kai Blin <kai@samba.org>
2012-01-10s4:provision: improve a messageMichael Adam1-1/+1
Signed-off-by: Kai Blin <kai@samba.org>
2012-01-10samba: check for AES encryption type defines.Günther Deschner1-0/+2
Guenther Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Tue Jan 10 15:05:38 CET 2012 on sn-devel-104
2012-01-10s4:python tests __init__.py - do not depend on "subprocess.check_call()"Matthias Dieter Wallnöfer1-1/+4
Method not present in Python 2.4 Reviewed-by: Jelmer Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Tue Jan 10 00:41:59 CET 2012 on sn-devel-104
2012-01-09s4:python tests __init__.py - do not depend on "subprocess.CalledProcessError"Matthias Dieter Wallnöfer1-6/+11
The class is not present in Python 2.4 Reviewed-by: Jelmer
2012-01-09s4:scripting/devel: add repl_cleartext_pwd.py scriptStefan Metzmacher1-0/+377
This is useful to sync passwords from an AD domain. $ $ source4/scripting/devel/repl_cleartext_pwd.py \ -Uadministrator%A1b2C3d4 \ 172.31.9.219 DC=bla,DC=base /tmp/cookie cleartext_utf8 131085 displayName # starting at usn[0] dn: CN=Test User1,CN=Users,DC=bla,DC=base cleartext_utf8: A1b2C3d4 displayName:: VABlAHMAdAAgAFUAcwBlAHIAMQA= # up to usn[16449] $ $ source4/scripting/devel/repl_cleartext_pwd.py \ -Uadministrator%A1b2C3d4 172.31.9.219 DC=bla,DC=base /tmp/cookie cleartext_utf8 131085 displayName # starting at usn[16449] # up to usn[16449] $ metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Mon Jan 9 19:06:06 CET 2012 on sn-devel-104
2012-01-09s4-kerberos: remove some unused prototypes.Günther Deschner1-22/+0
These are defined in the krb5 abstraction headers elsewhere. Guenther Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Mon Jan 9 14:32:08 CET 2012 on sn-devel-104
2012-01-09s4:python/samba/ndr.py: add an optional 'allow_remaining' to ndr_unpack()Stefan Metzmacher1-2/+3
metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Mon Jan 9 10:28:30 CET 2012 on sn-devel-104
2012-01-06ntlmssp: merge initial packet implementationsAndrew Bartlett1-6/+25
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-06samba-tool:dns: Check through all the DNS records for a matchAmitay Isaacs1-16/+16
There can be multiple dns records for a specified record type. Autobuild-User: Amitay Isaacs <amitay@samba.org> Autobuild-Date: Fri Jan 6 02:41:22 CET 2012 on sn-devel-104
2012-01-06s4-rpc:dnsserver: Do not replace @ with zone_name in update operationAmitay Isaacs1-1/+6
This fixes the problem when updating DNS record for '@' or domain name.
2012-01-05s3-librpc Use gsskrb5_get_subkey() where available to get the session keyAndrew Bartlett1-0/+1
This allows gse_get_session_key() to work against Heimdal. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05s4:repl_meta_data LDB module - set "isRecycled" time correctlyMatthias Dieter Wallnöfer1-9/+8
"unix_to_nt_time()" which is based on "time_t" behaves differently for literals > 32 bit on 32 and 64 bit platforms. Reviewed-by: ekacnet Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Thu Jan 5 11:59:20 CET 2012 on sn-devel-104
2012-01-04s4:pyrpc: add 'user_session_key' getter to the connection objectStefan Metzmacher2-1/+45
This gets the session key from gensec for usage in DRSUAPI. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Wed Jan 4 22:31:52 CET 2012 on sn-devel-104
2012-01-04s4:pygensec/tests: check that the client and server have the same session keyStefan Metzmacher1-1/+4
metze
2012-01-04s4:pygensec: add session_key() methodStefan Metzmacher1-0/+29
metze
2012-01-04LDAP-CLDAP: demonstrate that pdc name is not an unc pathStefan Metzmacher1-0/+9
For LOGON_SAM_LOGON_RESPONSE_EX and LOGON_SAM_LOGON_USER_UNKNOWN_EX, pdc name is not in unc path form. [MS-ADTS] 7.3.1.* uses UnicodeLogonServer, which seems to be in unc form, while NetbiosComputerName is not in unc form. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Wed Jan 4 20:06:14 CET 2012 on sn-devel-104
2012-01-04s4:torture/nbt/dgram.c - NBT samlogon requests don't return the PDC name as ↵Matthias Dieter Wallnöfer1-0/+5
UNC path Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-04s4:cldap_server/netlogon.c: it is wrong to specify "\\" in front of the hostnameStefan Metzmacher1-2/+6
For LOGON_SAM_LOGON_RESPONSE_EX and LOGON_SAM_LOGON_USER_UNKNOWN_EX, pdc name is not in unc path form. [MS-ADTS] 7.3.1.* uses UnicodeLogonServer, which seems to be in unc form, while NetbiosComputerName is not in unc form. Bases on a patch from Matthias Dieter Wallnöfer <mdw@samba.org>. metze
2012-01-04LDAP-CLDAP: demonstrate that pdc name is an unc pathStefan Metzmacher1-0/+6
For LOGON_SAM_LOGON_RESPONSE and LOGON_SAM_LOGON_USER_UNKNOWN, I assume all levels without _EX in the name, pdc name is in unc path form. [MS-ADTS] 7.3.1.* uses UnicodeLogonServer, which seems to be in unc form, while NetbiosComputerName is not in unc form. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Wed Jan 4 13:37:42 CET 2012 on sn-devel-104
2012-01-04s4:torture/nbt/dgram.c: NBT samlogon requests without _EX return the PDC ↵Stefan Metzmacher1-0/+22
name as UNC path metze
2012-01-04dlz_bind9: create session info from PAC using auth contextAmitay Isaacs1-7/+59
This fixes the creation of session info from PAC, after changes in gensec code. Autobuild-User: Amitay Isaacs <amitay@samba.org> Autobuild-Date: Wed Jan 4 01:59:09 CET 2012 on sn-devel-104
2012-01-03upgradeprovision: do not hold references to messageElementsMatthieu Patou1-10/+17
Autobuild-User: Matthieu Patou <mat@samba.org> Autobuild-Date: Tue Jan 3 08:20:02 CET 2012 on sn-devel-104
2012-01-03upgradeprovision: treat provision without oem attribute as quite recent, ↵Matthieu Patou1-1/+1
it's provision that comes from Windows replication
2012-01-03s4-provision: Fix the problem of DnsProperty values not being set correctlyAmitay Isaacs1-0/+7
DnsProperty can have empty 'data' member. To parse Dnsproperty with empty data, dnsp.idl has a hack as follows: [switch_is(wDataLength?id:DSPROPERTY_ZONE_EMPTY)] dnsPropertyData data; This implies, to set 'data' value, wDataLength has to be set to a non-zero value first. Autobuild-User: Amitay Isaacs <amitay@samba.org> Autobuild-Date: Tue Jan 3 05:26:32 CET 2012 on sn-devel-104
2012-01-02s4:torture/rpc/netlogon.c - enhance the "DsRGetDCName*" testsMatthias Dieter Wallnöfer1-0/+96
To check for the expected behaviour (DS_* flags). Always according to MS-NRPC 2.2.1.2.1. Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Mon Jan 2 20:43:05 CET 2012 on sn-devel-104
2012-01-02s4-provision: Fix tdbdump path lookup in make test.Andreas Schneider1-1/+1
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-01s4: Happy New Year 2012Stefan Metzmacher1-1/+1
metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Sun Jan 1 22:23:48 CET 2012 on sn-devel-104
2011-12-29pyregistry: Remove directory support.Jelmer Vernooij1-32/+0
Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Thu Dec 29 19:59:57 CET 2011 on sn-devel-104
2011-12-29Remove the 'dir' registry backend.Jelmer Vernooij4-491/+1
This backend was incomplete, and we already have plenty of other backends.
generated by cgit (git 2.34.1) at 2024-11-09 23:42:19 +0000