IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This will reduce the noise from merges of the rest of the
libcli/security code, without this commit changing what code
is actually used.
This includes (along with other security headers) dom_sid.h and
security_token.h
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
Found by the CodeNomicon test suites at the SNIA plugfest.
http://www.codenomicon.com/
If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server
as we indirect the first returned value OIDs[0], which is returned as NULL.
Jeremy.
This does a length-limited check, and so avoids reading beyond the
allocated memory if the server sends less than 16 bytes.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
This reduces the manual marshalling of these structures by removing
the duplication here.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
Modern Kerberos implementations have either defines or enums for these
key types, which makes doing #ifdef difficult. This shows up in files
such as libnet_samsync_keytab.c, the bulk of which is not compiled on
current Fedora 12, for example.
The downside is that this makes Samba unconditionally depend on the
arcfour-hmac-md5 encryption type at build time. We will no longer
support libraries that only support the DES based encryption types.
However, the single-DES types that are supported in common with AD are
already painfully weak - so much so that they are disabled by default
in modern Kerberos libraries.
If not found, ADS support will not be compiled in.
This means that our 'net ads join' will no longer set the
ACB_USE_DES_KEY_ONLY flag, and we will always try to use
arcfour-hmac-md5.
A future improvement would be to remove the use of the DES encryption
types totally, but this would require that any ACB_USE_DES_KEY_ONLY
flag be removed from existing joins.
Andrew Bartlett
Signed-off-by: Simo Sorce <idra@samba.org>
This patch is to fix bug 7099. It stores the current password in the
previous password key when the password is changed. It also check the
user ticket against previous password.
Signed-off-by: Günther Deschner <gd@samba.org>
This ensures the results can't be easily left to leak.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
The code is not yet in common, but I hope to fix that soon.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
This matches the structure that new code is being written to,
and removes one more of the old-style named structures, and
the need to know that is is just an alias for struct dom_sid.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
Currently no krb5 lib supports "kdc = ipv6 address" at all, so for now just fill
in just the kdc_name if we have it and let the krb5 lib figure out the
appropriate ipv6 address
ipv6 gurus, please check.
Guenther
All the callers just want the PAC_LOGON_INFO, so search for that in
ads_verify_ticket(), and don't bother the callers with the rest of the
PAC.
This change makes sense on it's own (removing boilerplate wrappers
that just confuse the code), but it also makes it much easier to
implement a matching ads_verify_ticket() function in Samba4 for the
s3compat proposal.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
This shrinks include/includes.h.gch by the size of 7 MB and reduces build time
as follows:
ccache build w/o patch
real 4m21.529s
ccache build with patch
real 3m6.402s
pch build w/o patch
real 4m26.318s
pch build with patch
real 3m6.932s
Guenther
If server requires LDAP signing we're getting LDAP_STRONG_AUTH_REQUIRED,
if "client ldap sasl wrapping = plain", instead of failing we now
autoupgrade to "client ldap sasl wrapping = sign" for the given connection.
metze
While there also use ldap_exploded_dn instead of ldb_dn_validate()
so we can remove a huge dependency that is hanging there only for one very
minor marginal use.
Signed-off-by: Günther Deschner <gd@samba.org>
Passing NULL as dest_realm for cli_session_setup_spnego() was
always using our own realm (as for a NetBIOS name). Change this
to look for the mapped realm using krb5_get_host_realm() if
the destination machine name is a DNS name (contains a '.').
Could get fancier with DNS name detection (length, etc.) but
this will do for now.
Jeremy.
This is necessary because MIT 1.5 can't deal with certain types (Tree Root) of
transitive AD trusts. The workaround is to add a [capaths] directive to
/etc/krb5.conf, which we don't automatically put into the krb5.conf winbind
creates.
The alternative would have been something like a "krb5 conf include", but I
think if someone has to mess with /etc/krb5.conf at this level, it should be
easy to add the site-local KDCs as well.
Next alternative is to correctly figure out the [capaths] parameter for all
trusted domains, but for that I don't have the time right now. Sorry :-)
W2K3 DC's can have IPv6 addresses but won't serve
krb5/ldap or cldap on those addresses. Make sure when
we're asking for DC's we prefer IPv4.
If you have an IPv6-only network this prioritizing code
will be a no-op. And if you have a mixed network then you
need to prioritize IPv4 due to W2K3 DC's.
Jeremy.
gencache_get/set/del/iterate call gencache_init() internally anyway. And we've
been very lazy calling gencache_shutdown, so this seems not really required.
run over IPv4/IPv6, even though some of the netlogon messages are IPv4 specific.
Fix the new ads_cldap_netlogon() to be IPv6/IPv4 agnostic. This compiles but
I don't have a good test env. for this (although as the previous code was
*completely* broken over IPv6 this will expose previously hidden bugs if it's broken :-).
Jeremy.
* ldb_dn_new() now takes an initial DN string
* ldb_dn_string_compose() -> ldb_dn_new_fmt()
* dummy ldb_dn_validate(), since LDB DNs in the current implementation
are always valid if they could be created.
This argument is ignored (Samba3's LDB is synchronous) but having it
there is useful for API compatibility with the LDB used by Samba 4 and
available on some systems.
This removes calls to push_*_allocate() and pull_*_allocate(), as well
as convert_string_allocate, as they are not in the common API
To allow transition to a common charcnv in future, provide Samba4-like
strupper functions in source3/lib/charcnv.c
(the actual implementation remains distinct, but the API is now shared)
Andrew Bartlett
Also remove ads_memfree(), which was only ever a wrapper around
SAFE_FREE, used only to free the DN from ads_get_ds().
This actually makes libgpo more consistant, as it mixed a talloc and a
malloc based string on the same element.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
The first is "kerberos method" and replaces the "use kerberos keytab"
with an enum. Valid options are:
secrets only - use only the secrets for ticket verification (default)
system keytab - use only the system keytab for ticket verification
dedicated keytab - use a dedicated keytab for ticket verification.
secrets and keytab - use the secrets.tdb first, then the system keytab
For existing installs:
"use kerberos keytab = yes" corresponds to secrets and keytab
"use kerberos keytab = no" corresponds to secrets only
The major difference between "system keytab" and "dedicated keytab" is
that the latter method relies on kerberos to find the correct keytab
entry instead of filtering based on expected principals.
The second parameter is "dedicated keytab file", which is the keytab
to use when in "dedicated keytab" mode. This keytab is only used in
ads_verify_ticket.
This fixes "net ads join".
It copes with the changed default "ldap ssl = start tls".
A new boolean option "ldap ssl : ads" is added to allow for
explicitly requesting ssl with ads.
Michael
ads_connect_gc() feeds an explicit server to ads_connect(). However, if the
resulting connection fails, the latter function was attempting to find a DC
on its own and continuing the connection. This resulting in GC searches being
sent over a connection using port 389 which would fail when using the base
search suffix outside of the domain naming context.
The fix is to fail immediately in ads_connect() since the GC lookup ordering
is handled already in ads_connect_gc().
