path: root/source4
Age | Commit message | Author | Files | Lines
2011-06-28 | s4:kdc/mit_samba: disable mit_samba_check_s4u2proxy() | Stefan Metzmacher | 1 | -0/+9
As mit_samba_update_pac_data() doesn't support adding S4U_DELEGATION_INFO to the pac (and I have no clue how to add that) we should disable S4U2Proxy until this is implemented. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Tue Jun 28 20:35:19 CEST 2011 on sn-devel-104
2011-06-28 | s4:kdc: generate the S4U_DELEGATION_INFO in the regenerated pac | Stefan Metzmacher | 5 | -11/+157
metze
2011-06-28 | s4:kdc: use KRB5_WINDC_PLUGIN_MINOR define instead of KRB5_WINDC_PLUGING_MINOR | Stefan Metzmacher | 1 | -1/+1
metze
2011-06-28 | HEIMDAL:kdc: pass down the delegated_proxy_principal to the verify_pac() function | Stefan Metzmacher | 3 | -20/+41
This is needed in order to add the S4U_DELEGATION_INFO to the pac. metze
2011-06-28 | HEIMDAL:kdc/windc_plugin.h: KRB5_WINDC_PLUGIN_MINOR 4 => 5 | Stefan Metzmacher | 1 | -2/+2
commit "heimdal Add support for extracting a particular KVNO from the database" (f469fc6d4922d796f5c61bf43e3efc018e37b680 in heimdal/master and 9b5e304ccedc8f0f7ce2342e4d9c621417dd1c1e in samba/master) changed the windc_plugin interface, so we need to change the version number. metze
2011-06-24 | s4:selftest: test ntvfs.cifs with s4u2proxy | Stefan Metzmacher | 1 | -1/+7
Pair-Programmed-With: Björn Baumbach <bb@sernet.de> metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Fri Jun 24 20:35:30 CEST 2011 on sn-devel-104
2011-06-24 | s4:selftest: use wildcards for ntvfs.cifs tests in knownfail and skip files | Stefan Metzmacher | 2 | -36/+20
metze
2011-06-24 | s4:kdc: implement samba_kdc_check_s4u2proxy() | Stefan Metzmacher | 2 | -0/+106
metze
2011-06-24 | s4:samba-tool: add "delegation" subcommands for S4U2Proxy and related stuff | Stefan Metzmacher | 2 | -0/+269
For now this only works on the local sam.ldb, but it shouldn't be hard to improve it to talk to remote servers. Pair-Programmed-With: Björn Baumbach <bb@sernet.de> metze
2011-06-24 | s4:python/samba/samdb: add toggle_userAccountFlags() helper function | Stefan Metzmacher | 1 | -10/+35
And let enable_account() use it. Pair-Programmed-With: Björn Baumbach <bb@sernet.de> metze
2011-06-24 | HEIMDAL:kdc: don't allow self delegation if a backend check_constrained_delegation() hook is given | Stefan Metzmacher | 1 | -4/+4
A service should use S4U2Self instead of S4U2Proxy. Windows servers allow S4U2Proxy only to explicitly configured target principals. metze
2011-06-24 | HEIMDAL:kdc: pass down the server hdb_entry_ex to check_constrained_delegation() | Stefan Metzmacher | 1 | -5/+19
This way we can compare the already canonicalized principals, while still passing the client specified target principal down to the backend specific constrained_delegation() hook. metze
2011-06-24 | HEIMDAL:kdc: use the correct client realm in the EncTicketPart | Stefan Metzmacher | 1 | -1/+1
With S4U2Proxy tgt->crealm might be different from tgt_name->realm. metze
2011-06-24 | s4-lsa: Fix typo | Sumit Bose | 1 | -1/+1
Signed-off-by: Günther Deschner <gd@samba.org> Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Fri Jun 24 16:19:36 CEST 2011 on sn-devel-104
2011-06-24 | param: Remove remaining references to announce as and announce version | Andrew Bartlett | 2 | -7/+0
2011-06-23 | param: Remove "announce as" parameter | Andrew Bartlett | 3 | -34/+2
2011-06-23 | lib/util/charset: Remove 'display charset' | Andrew Bartlett | 2 | -3/+0
As discussed in 'CH_DISPLAY and gettext' on the samba-technical list: http://lists.samba.org/archive/samba-technical/2011-June/078190.html Setting this to a value other than 'unix charset' does not make sense, as any system where the filesystem charset does not equal the terminal charset will already have problems with programs as simple as 'ls'. It also means that our output could not be pasted as our input in interactive programs or onto our command line, as we never did translate in the DISPLAY -> UNIX direction. The d_printf() calls are retained in case we need to revisit this, and to support display_set_stderr(). Andrew Bartlett
2011-06-23 | dfsreferral: search client's site and use it | Matthieu Patou | 1 | -2/+2
Autobuild-User: Matthieu Patou <mat@samba.org> Autobuild-Date: Thu Jun 23 01:50:39 CEST 2011 on sn-devel-104
2011-06-22 | s4-dbcheck: fix uninitialized errstr in err_dn_target_mismatch | Matthieu Patou | 1 | -2/+3
Autobuild-User: Matthieu Patou <mat@samba.org> Autobuild-Date: Wed Jun 22 21:22:27 CEST 2011 on sn-devel-104
2011-06-22 | s4-dbcheck: remove unused include | Matthieu Patou | 1 | -1/+1
2011-06-22 | s4-schema: avoid segfaulting if id3.guid is NULL | Matthieu Patou | 1 | -2/+1
2011-06-22 | s4-samba_dnsupdate: set environment via the env parameter | Matthieu Patou | 1 | -1/+1
I faced a situation where the os.environ("KRB5CCNAME") = ... didn't seem to be effective
2011-06-22 | s4-upgradeprovision: Don't forget to populate the non replicated objects, and don't touch rIDPreviousAllocationPool | Matthieu Patou | 1 | -2/+4
2011-06-22 | dbchecker: cope with a broken link to Deleted Objects | Andrew Tridgell | 1 | -2/+9
if a DN link to Deleted Objects has a bad GUID, we need to use show_deleted
2011-06-22 | dbchecker: fixed argument error for -H and DN | Andrew Tridgell | 1 | -1/+1
2011-06-22 | dbchecker: when fixing a bad GUID in a DN, search by the string DN | Andrew Tridgell | 1 | -1/+1
2011-06-22 | samba-tool: added --attrs option to dbcheck | Andrew Tridgell | 2 | -8/+15
this allows checking of a specific list of attributes
2011-06-22 | samba-tool: make the dbcheck class available outside of samba-tool | Andrew Tridgell | 2 | -285/+324
this will be used in provision, and probably in upgradeprovision as well
2011-06-22 | samba-tool: added --quiet option to dbcheck | Andrew Tridgell | 1 | -35/+43
this will be used to allow for other tools (such as provision) to call into dbcheck without generating a lot of noise
2011-06-22 | s4:winbind/wb_init_domain: use DCERPC_SCHANNEL_128 in order to work against w2k8r2 | Stefan Metzmacher | 1 | -1/+1
metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Wed Jun 22 19:40:47 CEST 2011 on sn-devel-104
2011-06-22 | s4:ntvfs/cifs: add option to use S4U2Proxy | Stefan Metzmacher | 1 | -0/+49
Note: this doesn't work against a Samba4 KDC yet. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Wed Jun 22 18:17:43 CEST 2011 on sn-devel-104
2011-06-22 | s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs | Stefan Metzmacher | 1 | -1/+48
If the KDC does not support S4U2Proxy, it might return a ticket for the TGT client principal. metze
2011-06-22 | s4:auth/kerberos: add S4U2Proxy support to kerberos_kinit_password_cc() | Stefan Metzmacher | 3 | -5/+134
For S4U2Proxy we need to use the ticket from the S4U2Self stage and ask the kdc for the delegated ticket for the target service. metze
2011-06-22 | s4-dsdb: bypass validation when relax set | Andrew Tridgell | 1 | -1/+2
this allows dbcheck to fix bad attributes Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Wed Jun 22 12:27:06 CEST 2011 on sn-devel-104
2011-06-22 | samba-tool: allow for running dbcheck against a remote ldap server | Andrew Tridgell | 1 | -5/+14
this is useful for running it against a Windows server
2011-06-22 | samba-tool: expanded dbcheck DN checking | Andrew Tridgell | 1 | -21/+104
this now checks for bad GUID elements in DN links, and offers to fix them when possible Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-06-22 | s4-dsdb: prioritise GUID in extended_dn_in | Andrew Tridgell | 1 | -8/+11
if we search with a base DN that has both a GUID and a SID, then use the GUID first. This matters for the S-1-5-17 SID. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-06-22 | s4-dsdb: catch duplicate matches in extended_dn_in | Andrew Tridgell | 1 | -0/+12
When searching using extended DNs, if there are multiple matches then return an object not found error. This is needed for the case of a duplicate objectSid, which happens for S-1-5-17 Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-06-22 | s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs | Stefan Metzmacher | 1 | -1/+47
Old KDCs may not support S4U2Self (or S4U2Proxy) and return tickets which belong to the client principal of the TGT. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Wed Jun 22 09:10:55 CEST 2011 on sn-devel-104
2011-06-22 | s4:auth/kerberos: remove one indentation level in kerberos_kinit_password_cc() | Stefan Metzmacher | 1 | -94/+99
This will make the following changes easier to review. metze
2011-06-22 | s4:auth/kerberos: reformat kerberos_kinit_password_cc() | Stefan Metzmacher | 1 | -32/+41
In order to make the following changes easier to review. metze
2011-06-22 | s4:auth/kerberos: don't mix s4u2self creds with machine account creds | Stefan Metzmacher | 1 | -24/+76
It's important that we don't store the tgt for the machine account in the same krb5_ccache as the ticket for the impersonated principal. We may pass it to some krb5/gssapi functions and they may use them in the wrong way, which would grant machine account privileges to the client. metze
2011-06-22 | s4:auth/kerberos: use better variable names in kerberos_kinit_password_cc() | Stefan Metzmacher | 1 | -27/+41
This will make the following changes easier to review. metze
2011-06-22 | s4:auth/kerberos: don't ignore return code in kerberos_kinit_password_cc() | Stefan Metzmacher | 1 | -0/+2
metze
2011-06-22 | samba-tool: added missing GUID component checks to dbcheck | Andrew Tridgell | 1 | -4/+93
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Wed Jun 22 07:59:30 CEST 2011 on sn-devel-104
2011-06-22 | pyldb: added methods to get/set extended components on DNs | Andrew Tridgell | 1 | -0/+51
this will be used by the dbcheck code Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-06-22 | pydsdb: added get_syntax_oid_from_lDAPDisplayName() | Andrew Tridgell | 2 | -0/+45
this gives you access to the syntax oid of an attribute Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-06-22 | ldb: added extended_str() method to pyldb | Andrew Tridgell | 1 | -0/+16
this gives access to ldb_dn_get_extended_linearized() from python Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-06-22 | ldb: expose syntax oids to python | Andrew Tridgell | 1 | -0/+10
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-06-22 | samba-tool: try to keep dbcheck.py in a logical ordering | Andrew Tridgell | 1 | -29/+38
keep individual error handlers together and separate from driver code