IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
where the password change came from, to determine if policy should be
applied. We discriminate on if the account is a trust account.
Andrew Bartlett
(This used to be commit 48fd288957)
context. We now have an event context on the torture_context, and we
can also get one from the cli_credentials structure
(This used to be commit c0f65eb656)
* Change license to LGPL, so it can be used by non-Samba users of
LDB (cleared with Martin as well).
* Include ldb_map in standalone build.
* Move ldb_map to its own directory
(This used to be commit a90202abca)
- use "sambaPassword" only as virtual attribute for passing
the cleartext password (in unix charset) into the ldb layer
- store des-cbc-crc, des-cbc-md5 keys in the Primary:Kerberos
blob to match w2k and w2k3
- aes key support is disabled by default, as we don't know
exacly how longhorn stores them. use password_hash:create_aes_key=yes
to force creation of them.
- store the cleartext password in the Primary:CLEARTEXT blob
if configured
TODO:
- find out how longhorn stores aes keys
- find out how the Primary:WDigest blob needs to be constructed
(not supported by w2k)
metze
(This used to be commit e20b53f6fe)
which contrusts the keys...
later we need to get the key version number from the
"replPropertyMetaData" attribute entry to the (I assume)
the "unicodePwd" attribute.
msDs-KeyVersionNumber is a constructed attribute,
and is "1" when no "supplementalCredentials" is present.
we need to make some tests with a password change function
which don't give a cleartext to the server...
metze
(This used to be commit 9e43242217)
of KDC behaviour. This should allow PKINIT to be turned on and
managed with reasonable sanity.
This also means that the krb5.conf in the same directory as the
smb.conf will always have priority in Samba4, which I think will be
useful.
Andrew Bartlett
(This used to be commit a50bbde81b)
This patch updates our build system and glue to support a new snapshot
of lorikeet-heimdal.
We now procude a [SUBSYTEM] in the ans1_deps.pl script, and can depend
on that in the heimdal_build/config.mk. This is much easier than
listing every generated .o file individually.
This required some small changes to the build system, due to the way
the parent directory was handled for the output of scripts. I've also
cleaned up et_deps.pl to handle cleaning up it's generated files on
clean.
The PAC glue in Heimdal has changed significantly: we no longer have a
custom hack in the KDC, instead we have the windc plugin interface.
As such, pac-glue.c is much smaller. In the future, when I'm
confident of the new code, we will also be able to 'downsize'
auth/kerberos/kerberos_pac.c.
(I'll include the updated copy of heimdal in the next chekin, to make
it clearer what's changed in Samba4 itself).
Andrew Bartlett
(This used to be commit 75fddbbc08)
The reason is long and complex, but is due to forwardable tickets:
We would extract the forwardable ticket from the GSSAPI payload, and
look for the expiry time of the ticket for krbtgt/REALM@REALM.
However, with -r 19662 the ticket is given to the client as being for
krbtgt/realm@REALM, as it asked for a lower case realm. Heimdal is
case sensitive for realms, and bails out. (It should just not store
the forwarded ticket).
We need to co-ordinate changes in the KDC with relaxation of checks in
Heimdal, and a better kerberos behaviour testsuite.
Andrew Bartlett
(This used to be commit be4c1a36b0)
This patch changes a lot of the code in ldb_dn.c, and also
removes and add a number of manipulation functions around.
The aim is to avoid validating a dn if not necessary as the
validation code is necessarily slow. This is mainly to speed up
internal operations where input is not user generated and so we
can assume the DNs need no validation. The code is designed to
keep the data as a string if possible.
The code is not yet 100% perfect, but pass all the tests so far.
A memleak is certainly present, I'll work on that next.
Simo.
(This used to be commit a580c871d3)
