Age | Commit message (Collapse) | Author | Files | Lines |
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
When we revamp the idmap layer, we will end up just following the s3
options, and this option is not used there either.
Andrew Bartlett
Pair-Programmed-With: Andrew Tridgell <tridge@samba.org>
|
|
This makes it easier to interpret failing output.
Andrew Bartlett
|
|
This compares only the domain SIDs betwen the two servers, rather than
the full token, as well known and other SIDs may be added locally
in both cases.
This also expands the test environments this is run against to verify
this between our AD server and domain members.
Andrew Bartlett
|
|
|
|
|
|
This works around an artificial limitation in socket_wrapper that breaks
some versions of GnuTLS when we return a short write.
Instead, keep pushing until the OS will not take it.
The correct solution will be to use tls_tstream, but the client code
for this is not yet tested and needs the ldap client layer changed
to use it.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jul 18 11:23:55 CEST 2012 on sn-devel-104
|
|
gensec_update()
This avoids a situation where we could destroy pointers on the stack due to
a nested event loop.
This is certainly not a final, generic solution, but it is a minimal change
while we work to make gensec and gensec_gssapi async.
Andrew Bartlett
|
|
|
|
Normally this would be a very bad idea, but the specific case of fixing the instanceType
is the only case where this makes sense.
Andrew Bartlett
|
|
|
|
We should prevent this much further up the stack, but at least add a choke
at this point for now.
Additionally, this avoids administrator-forced replications causing
considerable damange to the directory.
Andrew Bartlett
|
|
We need a stackframe to call lp_load().
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Autobuild-User(master): Rusty Russell <rusty@rustcorp.com.au>
Autobuild-Date(master): Wed Jul 18 09:31:07 CEST 2012 on sn-devel-104
|
|
If we create a copy of the credential state we miss updates to the
credentials.
To establish a netlogon schannel connection we create client credentials
and authenticate with them using
dcerpc_netr_ServerAuthenticate2()
For this we call netlogon_creds_client_authenticator() which increases
the sequence number and steps the credentials. Lets assume the sequence
number is 1002.
After a successful authentication we get the server credentials and we
send bind a auth request with the received creds. This sets up gensec
and the gensec schannel module created a copy of the client creds and
stores it in the schannel auth state. So the creds stored in gensec have
the sequence number 1002.
After that we continue and need the client credentials to call
dcerpc_netr_LogonGetCapabilities()
to verify the connection. So we need to increase the sequence number of
the credentials to 1004 and step the credentials to the next state. The
server always does the same and everything is just fine here.
The connection is established and we want to do another netlogon call.
So we get the creds from gensec and want to do a netlogon call e.g.
dcerpc_netr_SamLogonWithFlags.
We get the needed creds from gensec. The sequence number is 1002 and
we talk to the server. The server is already ahead cause we are already
at sequence number 1004 and the server expects it to be 1006. So the
server gives us ACCESS_DENIED cause we use a copy in gensec.
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
|
|
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
metze
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
metze
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
metze
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
This is also needed to support AES.
metze
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
The RODC stuff doesn't depend on the schannel algorithm.
metze
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
metze
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
|
|
When provisioning with --use_rfc2307=yes populate the subtree:
CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN} This makes it
possible to manipulate the posix attributes via ADUC
(commit message adjusted by abartlet)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Jul 13 02:51:44 CEST 2012 on sn-devel-104
|
|
|
|
|
|
Guenther
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Jul 6 20:55:26 CEST 2012 on sn-devel-104
|
|
However, due to using --domain-critical-only we have to knownfail the
vampire DC here, as we do not fill in the backlinks on non-critical
objects correctly.
Andrew Bartlett
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jul 6 16:54:10 CEST 2012 on sn-devel-104
|
|
Such objects are then moved to the appropriate LostAndFound container,
just as they would be if replicated.
Andrew Bartlett
|
|
|
|
|
|
|
|
This checks the type rather than just dereferencing the pointer.
Andrew Bartlett
|
|
Several functions use the same logic as kerberos_pac_logon_info. Move
kerberos_pac_logon_info to common code and reuse it to remove the code
duplication.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jul 6 11:50:40 CEST 2012 on sn-devel-104
|
|
|
|
|
|
|
|
|
|
|
|
|
|
These will only work over a named pipe or ncalrpc.
|
|
|
|
|
|
|
|
|
|
|