IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
ntcancel also needs to have AS_USER
- move the SIGNING_NO_REPLY logic as global option, because this needs to be set
for the error replies too.
- as we currently don't know how to generate signatures for ntcancel replies
we just skip the sending of the reply
- w2k3 first checks the VUID and then the TID, so we do now
- ntcreateX also uses ERRbaduid when getting a wrong VUID
metze
authentication. This pulls the creating of the keytab back to the
credentials code, and removes the special case of 'use keberos keytab
= yes' for now.
This allows (and requires) the callers to specify the credentials for
the server credentails to GENSEC. This allows kpasswdd (soon to be
added) to use a different set of kerberos credentials.
The 'use kerberos keytab' code will be moved into the credentials
layer, as the layers below now expect a keytab.
We also now allow for the old secret to be stored into the
credentials, allowing service password changes.
Andrew Bartlett
user_info strcture in auth/
This moves it to a pattern much like that found in ntvfs, with
functions to migrate between PAIN, HASH and RESPONSE passwords.
Instead of make_user_info*() functions, we simply fill in the control
block in the callers, per recent dicussions on the lists. This
removed a lot of data copies as well as error paths, as we can grab
much of it with talloc.
Andrew Bartlett
setup. Andrew, please check over this.
What happens is this:
- run the BASE-SECLEAK test
- with each failed session setup using spnego a gensec ctx is leaked into the smb_conn structure
- after the client disconnects these are finally cleaned up as they
are all children of the connection structure
- the cleanup of the millions of memory objects takes long enough
that the next operation in test_posix.sh sometimes fails with a timeout
Andrew, can you also look at the talloc_reference() on line 332 of
sesssetup.c ? I suspect it isn't needed (I don't think it does any
actual harm though)
set to the internal ldap server over loopback. The following happened:
- DCERPC_AUTH3 request
- auth requests calls ldb
- ldb calls ldap
- ldap calls our internal ldap server, triggering events
- samrConnect from client
- connect refused
- SMBclose from client
- causes dcerpc_pipe to be destroyed
- AUTH3 continues
- dies on freed pipe
I chose this solution as it provides a guarantee that backends only have to think about
async issues when they mark a request async. When they don't, this code guarantees that
a second request won't happen on the same connection while processing the first one
replay attacks under SMB signing, where the session key is a fixed
derivitive of the user's password.
This removes the VID offset, but I'm not worried about random client
bytes mattering here, given the space (and the fact that it applies to
very, very old clients).
Andrew Bartlett
event_context for the socket_connect() call, so that when things that
use dcerpc are running alongside anything else it doesn't block the
whole process during a connect.
Then of course I needed to change any code that created a dcerpc
connection (such as the auth code) to also take an event context, and
anything that called that and so on .... thus the size of the patch.
There were 3 places where I punted:
- abartlet wanted me to add a gensec_set_event_context() call
instead of adding it to the gensec init calls. Andrew, my
apologies for not doing this. I didn't do it as adding a new
parameter allowed me to catch all the callers with the
compiler. Now that its done, we could go back and use
gensec_set_event_context()
- the ejs code calls auth initialisation, which means it should pass
in the event context from the web server. I punted on that. Needs fixing.
- I used a NULL event context in dcom_get_pipe(). This is equivalent
to what we did already, but should be fixed to use a callers event
context. Jelmer, can you think of a clean way to do that?
I also cleaned up a couple of things:
- libnet_context_destroy() makes no sense. I removed it.
- removed some unused vars in various places
amazingly, I have seen w2k do a session setup followed by an immediate
attempted opening of \netlogon, with no tconx to ipc$ first. So this
error code can matter.
