mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
s4:auth: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
parent
01c31c8f6d
commit
795e464cfa
@ -343,7 +343,7 @@ static NTSTATUS gensec_gssapi_client_creds(struct gensec_security *gensec_securi
|
||||
DEBUG(2, ("Error obtaining ticket we require to contact %s: (possibly due to clock skew between us and the KDC) %s\n", gensec_gssapi_state->target_principal, error_string));
|
||||
return NT_STATUS_TIME_DIFFERENCE_AT_DC;
|
||||
default:
|
||||
DEBUG(1, ("Aquiring initiator credentials failed: %s\n", error_string));
|
||||
DEBUG(1, ("Acquiring initiator credentials failed: %s\n", error_string));
|
||||
return NT_STATUS_UNSUCCESSFUL;
|
||||
}
|
||||
|
||||
@ -1511,7 +1511,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
|
||||
&pac_blob);
|
||||
|
||||
/* IF we have the PAC - otherwise we need to get this
|
||||
* data from elsewere - local ldb, or (TODO) lookup of some
|
||||
* data from elsewhere - local ldb, or (TODO) lookup of some
|
||||
* kind...
|
||||
*/
|
||||
if (NT_STATUS_IS_OK(nt_status)) {
|
||||
|
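Review bot: The `default:` branch of `gensec_gssapi_client_creds` changes a runtime log string, not a comment, so the level-1 message emitted when credential acquisition fails now reads `Acquiring initiator credentials failed: %s` instead of `Aquiring ...`. The same applies to the `gensec_krb5_start: Acquiring initiator credentials failed: %s` message in the `gensec_krb5_common_client_creds` hunk. Any log filter, alert rule or test expectation keyed on the old misspelled text would silently stop matching, so it is worth searching the tree and deployment documentation for the old spelling. I would also add a line to the commit description such as `Note: two DEBUG(1) messages change text ("Aquiring" -> "Acquiring").` The enclosing `switch` and function body start outside the hunk, so the other cases were not reviewed.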
@ -296,7 +296,7 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s
|
||||
DEBUG(3, ("Error preparing credentials we require to contact %s : %s\n", principal, error_string));
|
||||
return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
|
||||
default:
|
||||
DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentials failed: %s\n", error_string));
|
||||
DEBUG(1, ("gensec_krb5_start: Acquiring initiator credentials failed: %s\n", error_string));
|
||||
return NT_STATUS_UNSUCCESSFUL;
|
||||
}
|
||||
|
||||
@ -612,7 +612,7 @@ static NTSTATUS gensec_krb5_update_internal(struct gensec_security *gensec_secur
|
||||
server_in_keytab = NULL;
|
||||
}
|
||||
|
||||
/* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
|
||||
/* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omitted) */
|
||||
if (gensec_krb5_state->gssapi
|
||||
&& gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
|
||||
inbuf.data = (char *)unwrapped_in.data;
|
||||
|
@ -13,7 +13,7 @@ hbd-samba4.c is the biggest piece of samba-to-krb glue layer, so the main
|
||||
part of the port to MIT is to replace hdb-samba4 with a similar glue layer
|
||||
that's designed for MIT's code.
|
||||
|
||||
PAC requirements are implemeneted in source4/kdc/pac-glue.c
|
||||
PAC requirements are implemented in source4/kdc/pac-glue.c
|
||||
|
||||
The plugins (both of the above are Heimdal plugins) for the above are loaded
|
||||
in source4/kdc/kdc.c
|
||||
@ -142,9 +142,9 @@ just gssapi.
|
||||
there's two kinds of name-canonicalization that can occur:
|
||||
* lower-to-upper case conversion, because Windows domain names are
|
||||
usually in upper case;
|
||||
* an unrecognizable subsitution of names, such as might happen when
|
||||
* an unrecognizable substitution of names, such as might happen when
|
||||
a user requests a ticket for a NetBIOS domain name, but gets back
|
||||
a ticket for the corresponging FQDN.
|
||||
a ticket for the corresponding FQDN.
|
||||
|
||||
As developers, we should test if the AD KDC's name-canonicalisation
|
||||
can be turned off with the KDCOption flags in the AS-REQ or TGS-REQ;
|
||||
@ -410,7 +410,7 @@ IO handling, and run other events in the meantime. This uses a
|
||||
library might be called again, while still in the send_to_kdc hook).
|
||||
|
||||
Heimdal has this 'state machine safety' in parts, and we have modified
|
||||
the lorikeet branch to improve this behviour, when using a new,
|
||||
the lorikeet branch to improve this behaviour, when using a new,
|
||||
non-standard API to tunnelling a ccache (containing a set of tickets)
|
||||
through the gssapi, by temporarily casting the ccache pointer to a
|
||||
gss credential pointer.
|
||||
@ -434,7 +434,7 @@ allows the caller to specify a keytab and ccache, for use by the
|
||||
GSSAPI code. Therefore there is no need to use global variables to
|
||||
communicate this information about keytab & ccache.
|
||||
|
||||
At a more theoritical level (simply counting static and global
|
||||
At a more theoretical level (simply counting static and global
|
||||
variables) Heimdal is not state machine safe for the GSSAPI layer.
|
||||
(Heimdal is now (6/09) much more nearly free of globals.)
|
||||
The Krb5 layer alone is much closer, as far as I can tell, blocking
|
||||
@ -479,7 +479,7 @@ the kerberos libraries
|
||||
- gsskrb5_get_initiator_subkey() (return the exact key that Samba3
|
||||
has always asked for. gsskrb5_get_subkey() might do what we need
|
||||
anyway). This is necessary, because in some spots, Microsoft uses
|
||||
raw Kerberos keys, outside the Kerberos protocls, and not using Kerberos
|
||||
raw Kerberos keys, outside the Kerberos protocols, and not using Kerberos
|
||||
wrappings etc. Ie, as a direct input to MD5 and ARCFOUR, without using
|
||||
the make_priv() or make_safe() calls.
|
||||
|
||||
@ -626,13 +626,13 @@ We currently define 3 classes:
|
||||
- server (tgt)
|
||||
- krbtgt (kinit, tgt) the kdc's own ldap record
|
||||
|
||||
I also now specify the kerberos principal as an explict parameter to LDB_fetch(),
|
||||
I also now specify the kerberos principal as an explicit parameter to LDB_fetch(),
|
||||
not an in/out value on the struct hdb_entry parameter itself.
|
||||
|
||||
Private Data pointer (and windc hooks) (see above):
|
||||
In addition, I have added a new interface hdb_fetch_ex(), which
|
||||
returns a structure including a private data-pointer, which may be used
|
||||
by the windc plugin inferface functions. The windc plugin provides
|
||||
by the windc plugin interface functions. The windc plugin provides
|
||||
the hook for the PAC, as well as a function for the main access control routines.
|
||||
|
||||
A new windc plugin function should be added to increment the bad password counter
|
||||
@ -659,7 +659,7 @@ See also the discussion about state machine safety above)
|
||||
An important detail in the use of libkdc is that we use samba4's own socket
|
||||
lib. This allows the KDC code to be as portable as the rest of samba
|
||||
(this cuts both ways), but far more importantly it ensures a
|
||||
consistancy in the handling of requests, binding to sockets etc.
|
||||
consistency in the handling of requests, binding to sockets etc.
|
||||
|
||||
To handle TCP, we use of our socket layer in much the same way as
|
||||
we deal with TCP for CIFS. Tridge created a generic packet handling
|
||||
|
@ -77,7 +77,7 @@ source code, as follows:
|
||||
glue layer, so the main part of the port to MIT is
|
||||
to replace hdb-samba4 with a similar glue layer
|
||||
that's designed for MIT's code.
|
||||
* Samba4's PAC requirements are implemeneted in
|
||||
* Samba4's PAC requirements are implemented in
|
||||
source4/kdc/pac-glue.c
|
||||
* Both of the above two layers are Heimdal plugins, and
|
||||
both get loaded in source4/kdc/kdc.c
|
||||
@ -115,9 +115,9 @@ source code, as follows:
|
||||
occur on Windows:
|
||||
* Lower-to-upper case conversion, because Windows domain
|
||||
names are usually in upper case;
|
||||
* An unrecognizable subsitution of names, such as might
|
||||
* An unrecognizable substitution of names, such as might
|
||||
happen when a user requests a ticket for a NetBIOS domain
|
||||
name, but gets back a ticket for the corresponging FQDN.
|
||||
name, but gets back a ticket for the corresponding FQDN.
|
||||
As developers, we should test if the AD KDC's name-canonical-
|
||||
isation can be turned off with the KDCOption flags in the
|
||||
AS-REQ or TGS-REQ; Windows clients always send the
|
||||
@ -280,11 +280,11 @@ source code, as follows:
|
||||
c. Turn on MIT-krb 1.7'sPAC handling.
|
||||
In addition, I have added a new interface hdb_fetch_ex(),
|
||||
which returns a structure including a private data-pointer,
|
||||
which may be used by the windc plugin inferface functions.
|
||||
which may be used by the windc plugin interface functions.
|
||||
The windc plugin provides the hook for the PAC.
|
||||
d. Samba4 needsaccess control hooks in the Heimdal& MIT
|
||||
KDCs. We need to lockout accounts (eg, after 10 failed PW-
|
||||
attemps), and perform other controls. This is standard
|
||||
attempts), and perform other controls. This is standard
|
||||
AD behavior, that Samba4 needs to get right, whether
|
||||
Heimdal or MIT-krb is doing the ticket work.
|
||||
- If PADL doesn't publish their patch for this,
|
||||
@ -413,7 +413,7 @@ when using Kerberos and GSSAPI libraries
|
||||
c. Make sure Samba4'sportable socket API works:
|
||||
* An important detail in the use of libkdc is that we use samba4's
|
||||
own socket lib. This allows the KDC code to be as portable as
|
||||
the rest of samba, but more importantly it ensures consistancy
|
||||
the rest of samba, but more importantly it ensures consistency
|
||||
in the handling of requests, binding to sockets etc.
|
||||
* To handle TCP, we use of our socket layer in much the same way as
|
||||
we deal with TCP for CIFS. Tridge created a generic packet handling
|
||||
|
@ -305,7 +305,7 @@ static krb5_error_code smb_krb5_send_and_recv_func_int(struct smb_krb5_context *
|
||||
* from the start (otherwise we may miss a socket
|
||||
* drop) and mark as AUTOCLOSE along with the fde */
|
||||
|
||||
/* Ths is equivilant to EVENT_FD_READABLE(smb_krb5->fde) */
|
||||
/* This is equivalent to EVENT_FD_READABLE(smb_krb5->fde) */
|
||||
smb_krb5->fde = tevent_add_fd(ev, smb_krb5->sock,
|
||||
socket_get_fd(smb_krb5->sock),
|
||||
TEVENT_FD_READ,
|
||||
|
@ -99,7 +99,7 @@ _PUBLIC_ NTSTATUS auth_get_challenge(struct auth4_context *auth_ctx, uint8_t cha
|
||||
*
|
||||
* @param auth_ctx Supplies the challenges and some other data.
|
||||
* Must be created with auth_context_create(), and the challenges should be
|
||||
* filled in, either at creation or by calling the challenge geneation
|
||||
* filled in, either at creation or by calling the challenge generation
|
||||
* function auth_get_challenge().
|
||||
*
|
||||
* @param user_info Contains the user supplied components, including the passwords.
|
||||
@ -542,7 +542,7 @@ static NTSTATUS auth_check_password_wrapper_recv(struct tevent_req *req,
|
||||
|
||||
/* Wrapper because we don't want to expose all callers to needing to
|
||||
* know that session_info is generated from the main ldb, and because
|
||||
* we need to break a depenency loop between the DCE/RPC layer and the
|
||||
* we need to break a dependency loop between the DCE/RPC layer and the
|
||||
* generation of unix tokens via IRPC */
|
||||
static NTSTATUS auth_generate_session_info_wrapper(struct auth4_context *auth_context,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
|
@ -1,7 +1,7 @@
|
||||
/*
|
||||
Unix SMB/CIFS implementation.
|
||||
|
||||
Anonymous Authentification
|
||||
Anonymous Authentication
|
||||
|
||||
Copyright (C) Stefan Metzmacher 2004-2005
|
||||
|
||||
|
@ -43,7 +43,7 @@ static NTSTATUS name_to_ntstatus_want_check(struct auth_method_context *ctx,
|
||||
/**
|
||||
* Return an error based on username
|
||||
*
|
||||
* This function allows the testing of obsure errors, as well as the generation
|
||||
* This function allows the testing of obscure errors, as well as the generation
|
||||
* of NT_STATUS -> DOS error mapping tables.
|
||||
*
|
||||
* This module is of no value to end-users.
|
||||
|
@ -494,7 +494,7 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
|
||||
* samdb_result_passwords_from_history() currently
|
||||
* does not fail for missing attributes, it only sets
|
||||
* nt_history_pwd = NULL, so "break" and fall down to
|
||||
* the bad password count upate if this happens
|
||||
* the bad password count update if this happens
|
||||
*/
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
break;
|
||||
|
@ -1,7 +1,7 @@
|
||||
/*
|
||||
Unix SMB/CIFS implementation.
|
||||
|
||||
Winbind authentication mechnism
|
||||
Winbind authentication mechanism
|
||||
|
||||
Copyright (C) Tim Potter 2000
|
||||
Copyright (C) Andrew Bartlett 2001 - 2002
|
||||
|
@ -88,7 +88,7 @@ const char *user_attrs[] = {
|
||||
* This ordering (having msDS-ResultantPSO first) is
|
||||
* important. By processing this attribute first it is
|
||||
* available in the operational module for the other PSO
|
||||
* attribute calcuations to use.
|
||||
* attribute calculations to use.
|
||||
*/
|
||||
"msDS-ResultantPSO",
|
||||
|
||||
@ -1387,7 +1387,7 @@ error:
|
||||
* level is raised to DS_BEHAVIOR_WIN2003 or higher, is calculated as
|
||||
* 14 days minus a random percentage of 5 days", but we aren't doing
|
||||
* that. The blogosphere seems to think that this randomised update
|
||||
* happens everytime, but [MS-ADA1] doesn't agree.
|
||||
* happens every time, but [MS-ADA1] doesn't agree.
|
||||
*
|
||||
* Dochelp referred us to the following blog post:
|
||||
* http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx
|
||||
|
@ -20,7 +20,7 @@
|
||||
*/
|
||||
|
||||
/* This code sets up GENSEC in the way that all Samba servers want
|
||||
* (becaue they have presumed access to the sam.ldb etc */
|
||||
* (because they have presumed access to the sam.ldb etc */
|
||||
|
||||
#include "includes.h"
|
||||
#include "auth/auth.h"
|
||||
|
@ -270,7 +270,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
|
||||
/* Fill out the auth_session_info with a cli_credentials based on the
|
||||
* auth_session_info we were forwarded over named pipe forwarding.
|
||||
*
|
||||
* NOTE: The stucture members of session_info_transport are stolen
|
||||
* NOTE: The structure members of session_info_transport are stolen
|
||||
* with talloc_move() into auth_session_info for long term use
|
||||
*/
|
||||
struct auth_session_info *auth_session_info_from_transport(TALLOC_CTX *mem_ctx,
|
||||
@ -409,7 +409,7 @@ NTSTATUS auth_session_info_transport_from_session(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
|
||||
/* Produce a session_info for an arbitary DN or principal in the local
|
||||
/* Produce a session_info for an arbitrary DN or principal in the local
|
||||
* DB, assuming the local DB holds all the groups
|
||||
*
|
||||
* Supply either a principal or a DN
|
||||
|
@ -61,7 +61,7 @@ NTSTATUS auth_session_info_transport_from_session(TALLOC_CTX *mem_ctx,
|
||||
struct loadparm_context *lp_ctx,
|
||||
struct auth_session_info_transport **transport_out);
|
||||
|
||||
/* Produce a session_info for an arbitary DN or principal in the local
|
||||
/* Produce a session_info for an arbitrary DN or principal in the local
|
||||
* DB, assuming the local DB holds all the groups
|
||||
*
|
||||
* Supply either a principal or a DN
|
||||
|