IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This uses a virtual attribute 'clearTextPassword' (name chosen to
match references in MS-SAMR) that contains the length-limited blob
containing an allegidly UTF16 password. This ensures we do no
validation or filtering of the password before we get a chance to MD4
it. We can then do the required munging into UTF8, and in future
implement the rules Microsoft has provided us with for invalid inputs.
All layers in the process now deal with the strings as length-limited
inputs, incluing the krb5 string2key calls.
This commit also includes a small change to samdb_result_passwords()
to ensure that LM passwords are not returned to the application logic
if LM authentication is disabled.
The objectClass module has been modified to allow the
clearTextPassword attribute to pass down the stack.
Andrew Bartlett
where the password change came from, to determine if policy should be
applied. We discriminate on if the account is a trust account.
Andrew Bartlett
(This used to be commit 48fd288957)
This merges Samba4 with lorikeet-heimdal, which itself has been
tracking Heimdal CVS for the past couple of weeks.
This is such a big change because Heimdal reorganised it's internal
structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases.
In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO
PAC. This matches windows behavour. We also have an option to
require the PAC to be present (which allows us to automate the testing
of this code).
This also includes a restructure of how the kerberos dependencies are
handled, due to the fallout of the merge.
Andrew Bartlett
(This used to be commit 4826f17351)
Break up auth/auth.h not to include the world.
Add credentials_krb5.h with the kerberos dependent prototypes.
Andrew Bartlett
(This used to be commit 2b569c42e0)
reject reason code while password changing: SAMR_REJECT_IN_HISTORY which
is different from SAMR_REJECT_COMPLEXITY.
torture test to follow as well.
Guenther
(This used to be commit 7513748208)
* Move dlinklist.h, smb.h to subsystem-specific directories
* Clean up ads.h and move what is left of it to dsdb/
(only place where it's used)
(This used to be commit f7afa1cb77)
and gensec_server_start().
calling them with NULL for event context or messaging context
is no longer allowed!
metze
(This used to be commit 679ac74e71)
Remove some autogenerated headers (which had prototypes now autogenerated by pidl)
Remove ndr_security.h from a few places - it's no longer necessary
(This used to be commit c19c2b51d3)
case) as the keytab.
This avoids issues in replicated setups, as we will replicate the
kpasswd key correctly (including from windows, which is why I care at
the moment).
Andrew Bartlett
(This used to be commit 849500d1aa)
structure that is more generic than just 'IP/port'.
It now passes make test, and has been reviewed and updated by
metze. (Thankyou *very* much).
This passes 'make test' as well as kerberos use (not currently in the
testsuite).
The original purpose of this patch was to have Samba able to pass a
socket address stucture from the BSD layer into the kerberos routines
and back again. It also removes nbt_peer_addr, which was being used
for a similar purpose.
It is a large change, but worthwhile I feel.
Andrew Bartlett
(This used to be commit 88198c4881)
with clients compiled against the MIT Kerberos implementation. (Which
checks for address in KRB-PRIV packets, hence my comments on socket
functions earlier today).
It also fixes the 'set password' operation to behave correctly (it was
previously a no-op).
This allows Samba3 to join Samba4. Some winbindd operations even work,
which I think is a good step forward. There is naturally a lot of work
to do, but I wanted at least the very basics of Samba3 domain membership
to be available for the tech preview.
Andrew Bartlett
(This used to be commit 4e80a557f9)
Add the kpasswd server to our KDC, implementing the 'original' and
Microsoft versions of the protocol.
This works with the Heimdal kpasswd client, but not with MIT, I think
due to ordering issues. It may not be worth the pain to have this
code go via GENSEC, as it is very, very tied to krb5.
This gets us one step closer to joins from Apple, Samba3 and other
similar implementations.
Andrew Bartlett
(This used to be commit ab5dbbe10a)
