1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

221 Commits

Author SHA1 Message Date
Jeremy Allison
bfd099e148 r20857: Silence gives assent :-). Checking in the fix for
site support in a network where many DC's are down.
I heard via Volker there is still a bug w.r.t the
wrong site being chosen with trusted domains but
we'll have to layer that fix on top of this.
Gd - complain if this doesn't work for you.
Jeremy.
(This used to be commit 97e248f89a)
2007-10-10 12:17:14 -05:00
Günther Deschner
2ad8c705b2 r18512: Add krb5conf file environment to debug statement.
Guenther
(This used to be commit 398f368c8a)
2007-10-10 11:51:45 -05:00
Jeremy Allison
6cfe7be80e r18241: If replacing the krb5.conf, ensure it's readable.
Jeremy.
(This used to be commit dfd93a3031)
2007-10-10 11:51:18 -05:00
Jeremy Allison
34a25efad2 r18226: Ensure we only do this evil thing if it's our realm.
Jeremy.
(This used to be commit 0a89b37b1a)
2007-10-10 11:51:16 -05:00
Jeremy Allison
80052bcf13 r18225: If we're going to overwrite krb5.conf, at least
be polite enough to make a backup.
Jeremy.
(This used to be commit c82aac594f)
2007-10-10 11:51:16 -05:00
Jeremy Allison
253c01f29e r18201: Make explicit what's going on here.
Jeremy.
(This used to be commit 38b8a2b527)
2007-10-10 11:51:16 -05:00
Jeremy Allison
6d4c7b1345 r18200: Experimental code to allow system /etc/krb5.conf to be
overwritten by winbindd. Don't enable this :-).
Jeremy.
(This used to be commit 88e11ee91a)
2007-10-10 11:51:16 -05:00
Jeremy Allison
fea5d59b84 r18010: Ensure we don't timeout twice to the same
server in winbindd when it's down and listed
in the -ve connection cache. Fix memory leak,
reduce timeout for cldap calls - minimum 3 secs.
Jeremy.
(This used to be commit 10b32cb6de)
2007-10-10 11:39:48 -05:00
Jeremy Allison
0f1bc28744 r18006: Actually a smaller change than it looks. Leverage
the get_dc_list code to get the _kerberos. names
for site support. This way we don't depend on one
KDC to do ticket refresh. Even though we know it's
up when we add it, it may go down when we're trying
to refresh.
Jeremy.
(This used to be commit 77fe2a3d74)
2007-10-10 11:39:47 -05:00
Jeremy Allison
d0bbe3751a r18004: If you're writing out a krb5.conf, at least
get the syntax right... :-).
Jeremy.
(This used to be commit ecca467e46)
2007-10-10 11:39:46 -05:00
Jeremy Allison
b05c81a184 r18003: Creating a directory and getting EEXIST isn't an error.
Jeremy.
(This used to be commit 515f86167b)
2007-10-10 11:39:46 -05:00
Jeremy Allison
0a847b4111 r18002: Improved debug.
Jeremy.
(This used to be commit 5f84c8c815)
2007-10-10 11:39:46 -05:00
Jeremy Allison
d31ee84d88 r18001: Proper error reporting on write/close fail.
Jeremy.
(This used to be commit ba311ac4ea)
2007-10-10 11:39:46 -05:00
Jeremy Allison
e05728b669 r18000: Get nelem/size args right for x_fwrite.
Jeremy.
(This used to be commit f1c5409b9f)
2007-10-10 11:39:46 -05:00
Jeremy Allison
1bd715d915 r17999: No need to prevent others from reading. Use 755 instead
of 700, and 644 instead of 600. Reading might help
debugging.
Jeremy.
(This used to be commit 99f100cfec)
2007-10-10 11:39:46 -05:00
Jeremy Allison
d62c3cff51 r17997: Ensure lockdir exists for winbindd. Store tmp
krb5.conf files under lockdir, not privatedir.
Jeremy.
(This used to be commit c59eff3e53)
2007-10-10 11:39:46 -05:00
Jeremy Allison
ef92f91cd7 r17996: Don't talloc free the memory then reference it. Doh !
Jeremy.
(This used to be commit 188eb9794d)
2007-10-10 11:39:45 -05:00
Jeremy Allison
fc6bce6d9c r17995: Ensure we create the domain-specific krb5 files in a
separate directory.
Jeremy.
(This used to be commit 541594153b)
2007-10-10 11:39:45 -05:00
Jeremy Allison
0c9ca3fe19 r17994: Add debugs that showed me why my site code wasn't
working right. Don't update the server site when we
have a client one...
Jeremy.
(This used to be commit 7acbcf9a6c)
2007-10-10 11:39:45 -05:00
Jeremy Allison
a78c61b9cd r17946: Fix couple of typos...
Jeremy.
(This used to be commit 638d53e2ad)
2007-10-10 11:39:01 -05:00
Jeremy Allison
2fcd113f55 r17945: Store the server and client sitenames in the ADS
struct so we can see when they match - only create
the ugly krb5 hack when they do.
Jeremy.
(This used to be commit 9be4ecf24b)
2007-10-10 11:39:01 -05:00
Jeremy Allison
cceb492250 r17944: Handle locking madness.
Jeremy.
(This used to be commit 408267a2d7)
2007-10-10 11:39:01 -05:00
Jeremy Allison
6fada7a82a r17943: The horror, the horror. Add KDC site support by
writing out a custom krb5.conf file containing
the KDC I need. This may suck.... Needs some
testing :-).
Jeremy.
(This used to be commit d500e1f96d)
2007-10-10 11:39:01 -05:00
Volker Lendecke
fd8bae8b16 r17345: Some C++ warnings
(This used to be commit 21c8fa2fc8)
2007-10-10 11:38:26 -05:00
Jeremy Allison
de5d967505 r17003: Fix coverity #303 - possible null deref. Jerry please
check this is your new code.
Jeremy.
(This used to be commit 144067783d)
2007-10-10 11:19:17 -05:00
Gerald Carter
69f0c8aef1 r16957: fix cut-n-paste error. The check for 'if (\!salt)' make no sense when fetching the DES salting principal
(This used to be commit baf554c793)
2007-10-10 11:19:15 -05:00
Volker Lendecke
361fef49c5 r16955: Fix an uninitialized var -- Jerry, please check.
(This used to be commit bf701f5129)
2007-10-10 11:19:15 -05:00
Gerald Carter
060b155cd2 r16952: New derive DES salt code and Krb5 keytab generation
Major points of interest:

* Figure the DES salt based on the domain functional level
  and UPN (if present and applicable)
* Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC
  keys
* Remove all the case permutations in the keytab entry
  generation (to be partially re-added only if necessary).
* Generate keytab entries based on the existing SPN values
  in AD

The resulting keytab looks like:

ktutil:  list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   2    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   3    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
   4    6           host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   5    6           host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   6    6           host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
   7    6               suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   8    6               suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   9    6               suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)

The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName)
and the sAMAccountName value.  The UPN will be added as well if the machine has
one. This fixes 'kinit -k'.

Tested keytab using mod_auth_krb and MIT's telnet.  ads_verify_ticket()
continues to work with RC4-HMAC and DES keys.
(This used to be commit 6261dd3c67)
2007-10-10 11:19:15 -05:00
Günther Deschner
d4ad11ccd8 r16272: Fix memleak.
Guenther
(This used to be commit afdb118902)
2007-10-10 11:17:30 -05:00
Günther Deschner
351e749246 r15240: Correctly disallow unauthorized access when logging on with the
kerberized pam_winbind and workstation restrictions are in effect.

The krb5 AS-REQ needs to add the host netbios-name in the address-list.

We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from
the edata of the KRB_ERROR but the login at least fails when the local
machine is not in the workstation list on the DC.

Guenther
(This used to be commit 8b2ba11508)
2007-10-10 11:16:29 -05:00
Jeremy Allison
b68b05854f r15210: Add wrapper functions smb_krb5_parse_name, smb_krb5_unparse_name,
smb_krb5_parse_name_norealm_conv that pull/push from unix charset
to utf8 (which krb5 uses on the wire). This should fix issues when
the unix charset is not compatible with or set to utf8.
Jeremy.
(This used to be commit 37ab42afbc)
2007-10-10 11:16:28 -05:00
Günther Deschner
e4dc745434 r14611: Fix init_creds_opts issue jerry discovered when using MIT krb5 1.3:
We were using a far too short renewable_time in the request; newer MIT
releases take care interally that the renewable time is never shorter
then the default ticket lifetime.

Guenther
(This used to be commit bde4a4018e)
2007-10-10 11:15:39 -05:00
Günther Deschner
485a286a65 r14585: Tighten argument list of kerberos_kinit_password again,
kerberos_kinit_password_ext provides access to more options.

Guenther
(This used to be commit afc519530f)
2007-10-10 11:15:38 -05:00
Gerald Carter
0342db7e87 r14512: Guenther, This code breaks winbind with MIT krb1.3.
I'm disabling it for now until we have en effective
means of dealing with the ticket request flags for users
and computers.
(This used to be commit 635f0c9c01)
2007-10-10 11:15:35 -05:00
Günther Deschner
9fb55b5cb8 r14503: Fix principal in debug statement.
Guenther
(This used to be commit 7b1fcb75da)
2007-10-10 11:15:34 -05:00
Gerald Carter
0af1500fc0 r13316: Let the carnage begin....
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed)
2007-10-10 11:06:23 -05:00
Gerald Carter
438d0ad451 r11651: After talking to Jeremy, commit my winbindd "Do the Right Thing" patch.
Still needs some more testing ni domains with multiple DCs. Coming next....
(This used to be commit aaed605206)
2007-10-10 11:05:22 -05:00
Volker Lendecke
f99b429446 r11551: Add a few more initialize_krb5_error_table
(This used to be commit d92c83aa42)
2007-10-10 11:05:20 -05:00
Jeremy Allison
8d7c886671 r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4
x86_64 box.
Jeremy.
(This used to be commit d720867a78)
2007-10-10 11:05:02 -05:00
Gerald Carter
fed660877c r7415: * big change -- volker's new async winbindd from trunk
(This used to be commit a0ac9a8ffd)
2007-10-10 10:57:08 -05:00
Herb Lewis
1c4bbe0654 r6586: get rid of a few more compiler warnings
(This used to be commit 173375f8d8)
2007-10-10 10:56:46 -05:00
Derrell Lipman
9840db418b r6149: Fixes bugs #2498 and 2484.
1. using smbc_getxattr() et al, one may now request all access control
   entities in the ACL without getting all other NT attributes.
2. added the ability to exclude specified attributes from the result set
   provided by smbc_getxattr() et al, when requesting all attributes,
   all NT attributes, or all DOS attributes.
3. eliminated all compiler warnings, including when --enable-developer
   compiler flags are in use.  removed -Wcast-qual flag from list, as that
   is specifically to force warnings in the case of casting away qualifiers.

Note: In the process of eliminating compiler warnings, a few nasties were
      discovered.  In the file libads/sasl.c, PRIVATE kerberos interfaces
      are being used; and in libsmb/clikrb5.c, both PRIAVE and DEPRECATED
      kerberos interfaces are being used.  Someone who knows kerberos
      should look at these and determine if there is an alternate method
      of accomplishing the task.
(This used to be commit 994694f7f2)
2007-10-10 10:56:24 -05:00
Derrell Lipman
934d41d239 r6127: Eliminated all compiler warnings pertaining to mismatched "qualifiers". The
whole of samba comiles warning-free with the default compiler flags.

Temporarily defined -Wall to locate other potential problems.  Found an
unused static function (#ifdefed out rather than deleted, in case it's
needed for something in progress).

There are also a number of uses of undeclared functions, mostly krb5_*.
Files with these problems need to have appropriate header files included,
but they are not fixed in this update.

oplock_linux.c.c has undefined functions capget() and capset(), which need
to have "#undef _POSIX_SOURCE" specified before including <sys/capability.h>,
but that could potentially have other side effects, so that remains uncorrected
as well.

The flag -Wall should be added permanently to CFLAGS, and all warnings then
generated should be eliminated.
(This used to be commit 5b19ede88e)
2007-10-10 10:56:24 -05:00
Gerald Carter
c3ba8b9a53 r4736: small set of merges from rtunk to minimize the diffs
(This used to be commit 4b351f2fcc)
2007-10-10 10:53:52 -05:00
Jeremy Allison
44bac2bf7b r4334: Fix for bugid #2186 - from Buck Huppmann <buckh@pobox.com>
to prevent uninitialized creds being freed.
Jeremy.
(This used to be commit c3f9c81a8f)
2007-10-10 10:53:44 -05:00
Günther Deschner
c0e31dd4f5 r3495: Fix the build (recent kerberos-changes).
Guenther
(This used to be commit c7eab285d9)
2007-10-10 10:53:07 -05:00
Jeremy Allison
917a53cc58 r3492: Fixes from testing kerberos salted principal fix.
Jeremy.
(This used to be commit b356a8fdc5)
2007-10-10 10:53:07 -05:00
Günther Deschner
3688bb079e r3439: Finally fix build for platforms without kerberos.
Guenther
(This used to be commit 05619cfdbf)
2007-10-10 10:53:07 -05:00
Jeremy Allison
cf47845b1c r3379: More merging of kerberos keytab and salting fixes from Nalin Dahyabhai <nalin@redhat.com>
(bugid #1717).
Jeremy.
(This used to be commit 30b8807cf6)
2007-10-10 10:53:05 -05:00
Jeremy Allison
0772ddbae1 r3377: Merge in first part of modified patch from Nalin Dahyabhai <nalin@redhat.com>
for bug #1717.The rest of the code needed to call this patch has not yet been
checked in (that's my next task). This has not yet been tested - I'll do this
once the rest of the patch is integrated.
Jeremy.
(This used to be commit 7565019286)
2007-10-10 10:53:05 -05:00
Günther Deschner
f1fd211e80 r1967: Fix a couple of krb5-DEBUG-messages.
Guenther
(This used to be commit 86a61c86a4)
2007-10-10 10:52:25 -05:00
Jeremy Allison
41416f3876 r1245: I think the parameter for "password" and "data" was reversed.
CHECK THIS !
Jeremy.
(This used to be commit d4abeefe3e)
2007-10-10 10:52:02 -05:00
Gerald Carter
63378d6f0e r541: fixing segfault in winbindd caused -r527 -- looks like a bug in heimdal; also initialize some pointers
(This used to be commit be74e88d9a)
2007-10-10 10:51:28 -05:00
Jim McDonough
9a8e30d04b Fix bugzilla # 1208
Winbind tickets expired.  We now check the expiration time, and acquire
new tickets.  We couln't rely on renewing them, because if we didn't get
a request before they expired, we wouldn't have renewed them.  Also, there
is a one-week limit in MS on renewal life, so new tickets would have been
needed after a week anyway.   Default is 10 hours, so we should only be
acquiring them that often, unless the configuration on the DC is changed (and
the minimum is 1 hour).
(This used to be commit c2436c433a)
2004-03-24 17:32:55 +00:00
Jeremy Allison
515e6a268e Merge tridge's blank password fix from HEAD.
Jeremy.
(This used to be commit eadfd312ba)
2002-10-24 01:05:30 +00:00
Andrew Bartlett
ad8a22e570 Updates from Samba HEAD:
- Fix segfaults in the 'net ads' commands when no password is provided
 - Readd --with-ldapsam for 2.2 compatability.  This conditionally compiles the
   old options, but the actual code is available on all ldap systems.
 - Fix shadow passwords (as per work with vl)
 - Fix sending plaintext passwords to unicode servers (again vl)
 - Add a bit of const to secrets.c functions
 - Fix some spelling and grammer by vance.
 - Document the -r option in smbgroupedit.

There are more changes in HEAD, I'm only merging the changes I've been involved
with.

Andrew Bartlett
(This used to be commit 83973c3893)
2002-10-01 13:10:57 +00:00
Gerald Carter
a834a73e34 sync'ing up for 3.0alpha20 release
(This used to be commit 65e7b5273b)
2002-09-25 15:19:00 +00:00
Jelmer Vernooij
b2edf254ed sync 3.0 branch with head
(This used to be commit 3928578b52)
2002-08-17 17:00:51 +00:00
Andrew Tridgell
e90b652848 updated the 3.0 branch from the head branch - ready for alpha18
(This used to be commit 03ac082dcb)
2002-07-15 10:35:28 +00:00
Tim Potter
cd68afe312 Removed version number from file header.
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
(This used to be commit 6a58c9bd06)
2002-01-30 06:08:46 +00:00
Andrew Tridgell
6c7e9dfb29 net ads password and net ads chostpass commands from Remus Koos
(This used to be commit 412e79c448)
2001-12-20 03:54:52 +00:00
Andrew Tridgell
d58b1b5981 better error handling
(This used to be commit ed6279481b)
2001-12-13 11:30:13 +00:00
Andrew Tridgell
66d964c9fc allow overriding the local time in kerberos_kinit_password()
(This used to be commit cb9dbcef7c)
2001-12-11 05:15:52 +00:00
Andrew Tridgell
3d27d7b9f7 moved ccache location change into winbindd code
(This used to be commit be254eb13c)
2001-12-10 22:10:31 +00:00
Andrew Tridgell
bc26ea1e5c fixed used of string after free
(This used to be commit f7ead035eb)
2001-12-09 00:45:51 +00:00
Andrew Tridgell
5d378a280f added internal sasl/gssapi code. This means we are no longer dependent on cyrus-sasl which makes the code much less fragile. Also added code to auto-determine the server name or realm
(This used to be commit 435fdf276a)
2001-12-08 11:18:56 +00:00
Andrew Tridgell
44384354d8 put the winbindd krb5 credentials cache in the lock directory
this prevents it clobbering the users cache
(This used to be commit 3de552f365)
2001-12-06 07:33:35 +00:00
Andrew Tridgell
d412f66cd8 added a propoer kerberos_kinit_password call
contribution from remus@snapserver.com

thanks!
(This used to be commit 3ace8f1fcc)
2001-12-06 05:41:53 +00:00
Andrew Tridgell
9421ad4a7a added a REALLY gross hack into kerberos_kinit_password so that
winbindd can do a kinit
this will be removed once we have code that gets a tgt
and puts it in a place where cyrus-sasl can see it
(This used to be commit 7d94f1b736)
2001-12-05 09:46:53 +00:00
Andrew Bartlett
fe64484824 Make better use of the ads_init() function to get the kerberos relam etc.
This allows us to use automagically obtained values in future, and the value
from krb5.conf now.

Also fix mem leaks etc.

Andrew Bartlett
(This used to be commit 8f9ce71781)
2001-11-29 06:21:56 +00:00
Andrew Tridgell
ad2974cd05 added "net join" command
this completes the first stage of the smbd ADS support
(This used to be commit 058a5aee90)
2001-11-24 14:16:41 +00:00