IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
It is much easier to do decryption with wireshark when the keytab is
available for every host in the domain. Running 'net export keytab
<keytab name>' will export the current (as pointed to by the supplied
smb.conf) local Samba4 doamin.
(This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4,
and so has a good chance of keeping working in the long term).
Andrew Bartlett
It is much easier to do decryption with wireshark when the keytab is
available for every host in the domain. Running 'net export keytab
<keytab name>' will export the current (as pointed to by the supplied
smb.conf) local Samba4 doamin.
(This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4,
and so has a good chance of keeping working in the long term).
Andrew Bartlett
This removes a level of indirection via external binaries in the
provision-backend code, and also makes better use of our internal code
for loading schema from an LDIF file.
Remaining to do: Sort the output again, as the load from LDIF is
unsorted (also needed because the normal LDB load from sorted input is too slow
anyway, and is only needed here).
Andrew Bartlett
When starting GENSEC on the server, the auth subsystem context must be
passed in, which now includes function pointers to the key elements.
This should (when the other dependencies are fixed up) allow GENSEC to
exist as a client or server library without bundling in too much of
our server code.
Andrew Bartlett
Separate again the public from the private headers.
Add a new header specific for modules.
Also add service function for modules as now ldb_context and ldb_module are
opaque structures for them.
The DC is now using smb signing, so testing for the old SMB versions
won't work.
Add a new test script to check 'net join' independent of
blackbox.smbclient.
Andrew Bartlett
(This used to be commit 44ff392ffe)
This merges the table once found in the oLschema2ldif tool (and moved
many times) with the table used for DRSUAPI.
The OpenLDAP schema map has been updated, to ensure that despite a
number of attributes being declared as OIDs, they are actually used as
strings (as they are actually LDAP class/attribute names).
Andrew Bartlett
(This used to be commit 61f2958c84)
This reads the schema from the in-memory structure, when the magic
attributes are requested. The code is a modified version of that used
in the ad2oLschema tool (now shared).
The schema_fsmo module handles the insertion of the generated result.
As such, this commit also removes these entries from the setup/schema.ldif
Metze's previous stub of this functionality is also removed.
Andrew Bartlett
(This used to be commit c7c32ec7b4)
Now that these are subroutines, we can factor them out into a file the
CN=Aggregate schema code can also use.
Andrew Bartlett
(This used to be commit e3591a6a35)
This will allow the kludge_acl and schema code to leverage the same
work. (We might even get schema validation soon! :-)
Andrew Bartlett
(This used to be commit cecd04ce1f)
LDB does not know about nor process the AD schema, so it makes no
sense to have this tool there. I've been changing it anyway, to use a
common schema manipulation library, and will enhance these links in
the future.
Andrew Bartlett
(This used to be commit c7704805b9)
specific debug function.
By default do not debug, this is the most appropriate action for a library
as we cannot assume what stderr is use for in the main app.
The main app is responsible to set ev_debug_stderr if they so desire.
(This used to be commit e566a2f308)
Make sure we pass around the event_context where we need it instead.
All test but a few python ones fail. Jelmer promised to fix them.
(This used to be commit 3045d39162)
This adds in the newly attached secrets handling, as well as an
interface to the command line 'net' tool.
Andrew Bartlett
(This used to be commit 1282e3c394)
2007-09-29 More higher-level passing around of lp_ctx.
2007-09-29 Fix warning.
2007-09-29 Pass loadparm contexts on a higher level.
2007-09-29 Avoid using global loadparm context.
(This used to be commit 3468952e77)
Break up auth/auth.h not to include the world.
Add credentials_krb5.h with the kerberos dependent prototypes.
Andrew Bartlett
(This used to be commit 2b569c42e0)
This is the Samba4 version of the ntlm_auth patch that was committed
to Samba3 in revision 17216.
The purpose of this patch is to return session key information, as
well as NTLMSSP negotiated flags to ntlm_auth's caller. This allows
the bulk data signing and sealing to be handled in a library, supplied
by the caller.
This also allows the caller to ask for features, so that the right
flags get negotiated.
(This used to be commit eb28aff4e0)
and gensec_server_start().
calling them with NULL for event context or messaging context
is no longer allowed!
metze
(This used to be commit 679ac74e71)
Remove some autogenerated headers (which had prototypes now autogenerated by pidl)
Remove ndr_security.h from a few places - it's no longer necessary
(This used to be commit c19c2b51d3)
Recursive dependencies are now forbidden (the build system
will bail out if there are any).
I've split up auth_sam.c into auth_sam.c and sam.c. Andrew,
please rename sam.c / move its contents to whatever/wherever you think suits
best.
(This used to be commit 6646384aaf)
but modules don't work yet..
(Run LIBRARY_OUTPUT_TYPE=SHARED_LIBRARY MODULE_OUTPUT_TYPE=SHARED_LIBRARY ./config.status)
(This used to be commit ba74f24e42)
specifically ask for iface_n_bcast() and have to check if it returns
NULL, in which case it is a non-broadcast interface
(This used to be commit d004e250b6)
Previously, we had to know (or guess) the host and domain guid at the
provision stage. Now we query the database post-provision, to extract
the values and fill in the zone file.
This allows us to generate a correct zone file in the Windows migration case.
In an effort to make SWAT easier to use, I have removed and renamed
some of the provision options.
I have also fixed a nasty issue in my js code. I had implictly
declared a global variable of the name 'join', with disasterious
results for any subsequent user of the string utility function:
esp exception - ASSERT at lib/appweb/ejs/ejsParser.c:2064, 0
Backtrace:
[ 0] substitute_var:20 -> list[i] = join("", list2)
[ 1] setup_file:9 -> data = substitute_var(data, subobj)
Andrew Bartlett
(This used to be commit a38ceefd11)
Doing this required reworking ejsnet, particularly so it could take a
set of credentials, not just a username and password argument.
This required fixing the ejsnet.js test script, which now adds and
deletes a user, and is run from 'make test'. This should prevent it
being broken again.
Deleting a user from ejsnet required that the matching backend be
added to libnet, hooking fortunetly onto already existing code for the
actual deletion.
The js credentials interface now handles the 'set machine account' flag.
New functions have been added to provision.js to wrap the basic
operations (so we can write a command line version, as well as the web
based version).
Andrew Bartlett
(This used to be commit a5e7c17c34)
In librpc, always try SMB level authentication, even if trying
schannel, but allow fallback to anonymous. This should better
function with servers that set restrict anonymous.
There are too many parts of Samba that get, parse and modify the
binding parameters. Avoid the extra work, and add a binding element
to the struct dcerpc_pipe
The libnet vampire code has been refactored, to reduce extra layers
and to better conform with the standard argument pattern. Also, take
advantage of the new libnet_Lookup code, so we don't require the silly
'password server' smb.conf parameter.
To better support forcing traffic to be sealed for the vampire
operation, the dcerpc_bind_auth() function now takes an auth level
parameter.
Andrew Bartlett
(This used to be commit d65b354959)
structure that is more generic than just 'IP/port'.
It now passes make test, and has been reviewed and updated by
metze. (Thankyou *very* much).
This passes 'make test' as well as kerberos use (not currently in the
testsuite).
The original purpose of this patch was to have Samba able to pass a
socket address stucture from the BSD layer into the kerberos routines
and back again. It also removes nbt_peer_addr, which was being used
for a similar purpose.
It is a large change, but worthwhile I feel.
Andrew Bartlett
(This used to be commit 88198c4881)
dcerpc_interface_table struct rather then a tuple of interface
name, UUID and version.
This removes the requirement for having a global list of DCE/RPC interfaces,
except for these parts of the code that use that list explicitly
(ndrdump and the scanner torture test).
This should also allow us to remove the hack that put the authservice parameter
in the dcerpc_binding struct as it can now be read directly from
dcerpc_interface_table.
I will now modify some of these functions to take a dcerpc_syntax_id
structure rather then a full dcerpc_interface_table.
(This used to be commit 8aae0f168e)
This extracts a remote windows domain into a keytab, suitable for use
in ethereal for kerberos decryption.
For the moment, like net samdump and net samsync, the 'password
server' smb.conf option must be set to the binding string for the
server. eg:
password server = ncacn_np:mypdc
Andrew Bartlett
(This used to be commit 272013438f)
authentication. This pulls the creating of the keytab back to the
credentials code, and removes the special case of 'use keberos keytab
= yes' for now.
This allows (and requires) the callers to specify the credentials for
the server credentails to GENSEC. This allows kpasswdd (soon to be
added) to use a different set of kerberos credentials.
The 'use kerberos keytab' code will be moved into the credentials
layer, as the layers below now expect a keytab.
We also now allow for the old secret to be stored into the
credentials, allowing service password changes.
Andrew Bartlett
(This used to be commit 205f77c579)
an ADS join, particularly as a DC. This represents the bulk of his
Google SOC work, and I'm very pleased to intergrate it into the tree.
(Metze will intergrate the DRSUAPI work later).
Both metze and myself have also put a lot of time into this patch, and
in mentoring Brad in general. In return, Brad has been a very good
student, and has taken the comments well.
Since it's last appearance on samba-technical@, I have made
correctness and valgrind fixups, as well as adding a new 'BINDING'
mode to the libnet_rpc routines. This allows the exact binding string
to be passed down from the torture code, including options and exact
target host.
Andrew Bartlett
(This used to be commit d6fa105fda)
I still have issues with Win2k3 SP1, and Samba4 doesn't pass it's own
test for the moment, but I'm working on these issues :-)
This required a change to the credentials API, so that the special
case for NTLM logins using a principal was indeed handled as a
special, not general case.
Also don't set the realm from a ccache, as then it overrides --option=realm=.
Andrew Bartlett
(This used to be commit 194e8f07c0)