1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

4374 Commits

Author SHA1 Message Date
Andrew Bartlett
1d0e2b9569 r6803: Try to bring in the correct GSSAPI headers for the krb5 mech. This
should allow us to ditch the local static storage for OIDs, as well as
fix the build on non-heimdal platforms.

Andrew Bartlett
(This used to be commit a7e2ecfac9)
2007-10-10 13:16:45 -05:00
Andrew Tridgell
03435f5de1 r6802: - fixed CFLAGS
- don't fail if we don't have xsltproc
(This used to be commit 235f5c510b)
2007-10-10 13:16:45 -05:00
Andrew Bartlett
c71a11c7ad r6801: It appears that krb5_make_principal, while convenient, is not portable.
Andrew Bartlett
(This used to be commit c8e8fa129e)
2007-10-10 13:16:45 -05:00
Andrew Bartlett
5c6dd5e800 r6800: A big GENSEC update:
Finally remove the distinction between 'krb5' and 'ms_krb5'.  We now
don't do kerberos stuff twice on failure.  The solution to this is
slightly more general than perhaps was really required (as this is a
special case), but it works, and I'm happy with the cleanup I achived
in the process.  All modules have been updated to supply a
NULL-terminated list of OIDs.

In that process, SPNEGO code has been generalised, as I realised that
two of the functions should have been identical in behaviour.

Over in the actual modules, I have worked to remove the 'kinit' code
from gensec_krb5, and placed it in kerberos/kerberos_util.c.

The GSSAPI module has been extended to use this, so no longer requires
a manual kinit at the command line.  It will soon loose the
requirement for a on-disk keytab too.

The general kerberos code has also been updated to move from
error_message() to our routine which gets the Heimdal error string
(which may be much more useful) when available.

Andrew Bartlett
(This used to be commit 0101728d8e)
2007-10-10 13:16:45 -05:00
Andrew Bartlett
8f96c42027 r6799: Remove a rudundent variable from the context structure - we can figure
this out by asking GENSEC, just like everybody else.

Andrew Bartlett
(This used to be commit 0268d6c46b)
2007-10-10 13:16:45 -05:00
Andrew Bartlett
ffb8ba8cd3 r6798: Valgrind pain is not something I look forward to - if we ever fall
back to the 'not /dev/urandom' method of random number generation, I
don't want to be chasing down 'use of uninitialised value' though all
the crypto code.

Andrew Bartlett
(This used to be commit 31ff2cd8e1)
2007-10-10 13:16:44 -05:00
Rafal Szczesniak
2c08639e02 r6797: Typo fix.
rafal
(This used to be commit 0f9a2aef6c)
2007-10-10 13:16:44 -05:00
Andrew Bartlett
50da9ed856 r6796: Remove the gensec_gsskrb5 module, which had had all of it's special
features merged back into gensec_gssapi.

(Removed because I've made some API changes, and it isn't worth
'fixing' the rudundent code to cope with changes)

Andrew Bartlett
(This used to be commit e8cf3d58ec)
2007-10-10 13:16:44 -05:00
Jelmer Vernooij
5b18cf2268 r6795: Make some functions static and remove some unused ones.
(This used to be commit 46509eb899)
2007-10-10 13:16:44 -05:00
Simo Sorce
51b0f62b8f r6794: spellfix
(This used to be commit f5956d1501)
2007-10-10 13:16:44 -05:00
Andrew Bartlett
ae0cf9c240 r6793: Move auth_sam to use the dnsDomain rather than the
soon-to-be-depricated 'realm'.

Add torture test for this behaviour.

Andrew Bartlet
(This used to be commit 6b9020661a)
2007-10-10 13:16:44 -05:00
Andrew Bartlett
c0c1b26a76 r6792: Allow a mech to fail on the first pass at the packet, and still fall
back to the other options.

Andrew Bartlett
(This used to be commit 9153d73061)
2007-10-10 13:16:43 -05:00
Andrew Bartlett
4f9fa5a81d r6791: My early notes on the particular things I have discovered as I learn
kerberos, and how Microsoft constructs their kerberos implementation.

Andrew Bartlett
(This used to be commit 5fa9be75d9)
2007-10-10 13:16:43 -05:00
Jelmer Vernooij
e5a3ec0e5b r6790: Use config.h file for ldb and add test for stdint.h
(This used to be commit c1f1b5a945)
2007-10-10 13:16:43 -05:00
Jelmer Vernooij
770b47415d r6787: Use debhelper for the debian packages
(This used to be commit 9f1b15832d)
2007-10-10 13:16:43 -05:00
Stefan Metzmacher
6f76065690 r6781: -add some comments on how attributes and objectClasses are identified in DRSUAPI
-and some comments on what the attribute syntaxes matches what internal datatypes

metze
(This used to be commit 58c6887da4)
2007-10-10 13:16:43 -05:00
Andrew Tridgell
0b8b29f070 r6776: make the cldap torture test not dependent on the realm being set
correctly - it gets the realm from an initial no-attribute search
(This used to be commit 52d10c8d99)
2007-10-10 13:16:43 -05:00
Simo Sorce
9d81592be3 r6768: Fix wrong comment
(This used to be commit 2f80b2070f)
2007-10-10 13:16:42 -05:00
Tim Potter
8aa0aec431 r6767: Fix compiler warning.
(This used to be commit 45a0692be1)
2007-10-10 13:16:42 -05:00
Andrew Tridgell
6f36f7cd25 r6766: some more cldap tests ...
my best guess now is that w2k3 converts the & in the cldap query to an |
for the ldap search. at least it behaves roughly like that.
(This used to be commit 1d6ab9aaef)
2007-10-10 13:16:42 -05:00
Andrew Tridgell
a90c731ec5 r6765: expanded the cldap test suite to test the usage of the DomainGuid,
AAC, and User attributes in cldap netlogon queries

interestingly, while WinXP generated cldap filters with these set, the
w2k3 cldap server seems to completely ignore them, so I didn't need to
alter our cldap server at all to pass the test :-)
(This used to be commit 177c8becd2)
2007-10-10 13:16:42 -05:00
Andrew Tridgell
06869ce014 r6764: added support for DomainGuid, DomainSid, AAC, and User attributes in
cldap netlogon queries
(This used to be commit 7c1d0f449d)
2007-10-10 13:16:42 -05:00
Andrew Tridgell
4029df5e60 r6763: added functions in libcli/ldap/ to binary encode some NDR structures into
ldap friendly filter strings
(This used to be commit 8890dd3ac3)
2007-10-10 13:16:42 -05:00
Andrew Tridgell
2f315e94f8 r6762: with the zone right we don't need a fully qualified site name at all
(This used to be commit 6f4ad382d4)
2007-10-10 13:16:42 -05:00
Andrew Tridgell
04ecea3b1c r6761: - not everyone is in my domain :-)
- started adding support for the other cldap attributes that XP uses
(This used to be commit 1537558039)
2007-10-10 13:16:41 -05:00
Jelmer Vernooij
f8a955f7ce r6760: Update debian packages
(This used to be commit 39c8acdaa5)
2007-10-10 13:16:41 -05:00
Simo Sorce
62ccaf2d86 r6759: let us have a wildcard attribute so that we can set a default for all attributes
example:

*: CASE_INSENSITIVE

by placing it in the @ATTRIBUTES object you make all the matching be case insensitive
to make an excepion to the general rule now you just need to create an entry like:

name: CASE_SENSITIVE

the key CASE_SENSITIVE currently does not exist but has the effect of making the code
ignore the wildcard default flag and being ldb case sensitive by default it let the
"name" attribute be case sensitive again

Tridge, can you look at this commit?
Should we introduce a CASE_SENSITVE/BINARY flag and handle it in the code ?

Simo.
(This used to be commit 5f10707e8a)
2007-10-10 13:16:41 -05:00
Jelmer Vernooij
15a8f0ff0a r6752: Patch by Steven Edwards to improve portability to mingw32
(This used to be commit 8d63cd33a2)
2007-10-10 13:16:41 -05:00
Andrew Tridgell
51a3cfe35e r6751: dnsDomain should be CASE_INSENSITIVE (winxp will sometimes do a cldap query with this
in uppercase)
(This used to be commit f0c37555ff)
2007-10-10 13:16:41 -05:00
Andrew Tridgell
0b5fe8f7e1 r6750: some minor tweaks to the cldapd server
I can now join winxp -> samba4 DC using long name, and login. The nice
thing is there are no delays now, as the client likes the replies it gets
(This used to be commit 5aff7d36f3)
2007-10-10 13:16:41 -05:00
Andrew Tridgell
2279d1ebfb r6747: first working version of cldapd server. It is missing 'sites' support, and
filling in some of the returned parameters is quite rough, but it seems to work OK
(This used to be commit e564e3e596)
2007-10-10 13:16:41 -05:00
Andrew Tridgell
59f415c0ed r6746: added ndr_push_union_blob() for pushing IDL unions into a DATA_BLOB
(This used to be commit dc25be9d69)
2007-10-10 13:16:40 -05:00
Andrew Tridgell
c956f4f982 r6745: - escape spaces in binary ldap blobs
- expose the ldap filter string parsing outside of ldap.c
(This used to be commit b644ff6fe1)
2007-10-10 13:16:40 -05:00
Andrew Tridgell
ea6943ec79 r6744: added support for reply packets in libcli/cldap/
(This used to be commit 992858e1b9)
2007-10-10 13:16:40 -05:00
Andrew Tridgell
9add53863f r6741: prevent talloc_strndup() from reading one byte past the end of a buffer,
giving valgrind errors
(This used to be commit 7af0c547e0)
2007-10-10 13:16:40 -05:00
Andrew Tridgell
3da16200e9 r6740: make gensec_gssapi.c compile again
(This used to be commit 6d15e95111)
2007-10-10 13:16:40 -05:00
Andrew Bartlett
c64ac2fc5a r6738: My version of the patch by metze that I just reverted (-r 6734).
This also includes other changes to reduce memory use by GENSEC when
not being used for sign/seal operations.  This should lower tridge's K
'per connection' benchmark further.

Andrew Bartlett
(This used to be commit 4a5829401b)
2007-10-10 13:16:40 -05:00
Andrew Bartlett
0aef77698e r6737: Explain these error returns a bit better.
Andrew Bartlett
(This used to be commit 77d054c65a)
2007-10-10 13:16:40 -05:00
Andrew Bartlett
d4d4d66828 r6736: Revert metze's -r 6734, as metze and I made the same changes at the
same time, but with different names.  This just helps me avoid
conflicts when I merge up my other changes.

Andrew Bartlett
(This used to be commit 27e6a853a5)
2007-10-10 13:16:39 -05:00
Stefan Metzmacher
3bdd579f55 r6734: most compiler don't like struct elements without a name...
metze
(This used to be commit 0c1cd40bce)
2007-10-10 13:16:39 -05:00
Stefan Metzmacher
470f14ece2 r6733: GSS_C_DCE_STYLE is not available for most builds
metze
(This used to be commit 3536029e8f)
2007-10-10 13:16:39 -05:00
Stefan Metzmacher
2542d54e93 r6732: - move sasl send recv code to the ldap lib
- support 'modrdn' ldif

metze
(This used to be commit b6a1734699)
2007-10-10 13:16:39 -05:00
Stefan Metzmacher
dd02669187 r6731: add a useful function for getting a guid with all bits to 0
metze
(This used to be commit 161ecce744)
2007-10-10 13:16:39 -05:00
Stefan Metzmacher
15e84f47c5 r6730: register gensec_krb5 also with the drcrpc auth type
metze
(This used to be commit 491d7804f5)
2007-10-10 13:16:39 -05:00
Andrew Bartlett
976fc6f76a r6729: Fix silly copy-paste bug spotted by metze.
Andrew Bartlett
(This used to be commit 400899995b)
2007-10-10 13:16:39 -05:00
Andrew Bartlett
dc3cb69a09 r6728: Microsoft relies very strongly on getting the OIDs it expects, so we
must register the 'MS' OID for the domain join to progress.

Andrew Bartlett
(This used to be commit c8fbda6bfd)
2007-10-10 13:16:38 -05:00
Andrew Bartlett
8b2eb02d15 r6727: One more step down the long march to the 'Kerberos domain join'.
This patch allows a suitably patched Heimdal GSSAPI library (detected
in configure) to supply to us the session keys, and further compleats
the gensec_gssapi module.  This is tested for CIFS, but fails for LDAP
at this point (that is what I'll work on next).

We currently fill out the 'session info' from the SAM, like
gensec_krb5 does, but both will need to use the PAC extraction
functions in the near future.

Andrew Bartlett
(This used to be commit 937ee36161)
2007-10-10 13:16:38 -05:00
Andrew Tridgell
49304e965f r6726: support binary search elements in ldap_decode()
(This used to be commit 2b36f1dfdd)
2007-10-10 13:16:38 -05:00
Andrew Tridgell
7b18fcd847 r6725: the beginnings of a cldap server
(This used to be commit e51e0dffa8)
2007-10-10 13:16:38 -05:00
Andrew Tridgell
a8c26fa4ac r6724: added "cldap port" smb.conf parameter
(This used to be commit 04af0e7c5d)
2007-10-10 13:16:37 -05:00