IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This changes pycredentials to use talloc.BaseObject() just like the PIDL output
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
We can call pytalloc_reference() and avoid having this in the header file
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This type should not be used directly, it should have been made private
to pytalloc
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This is necessary because it has public headers.
Signed-off-by: Jelmer Vernooij <jelmer@jelmer.uk>
Reviewed-By: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Wed Jan 13 07:47:04 CET 2016 on sn-devel-144
We don't need the full power of NTSTATUS here. This was the only
NTSTATUS in asn1.h, so I think it's worth removing it.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Aug 25 21:45:18 CEST 2015 on sn-devel-104
We should always pass down the saltPrincipal to smb_krb5_update_keytab()
function.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
When dealing with Kerberos, we cannot consider credentials anonymous
if credentials were obtained properly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11265
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan (metze) Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Jul 15 16:32:55 CEST 2015 on sn-devel-104
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jun 24 13:37:02 CEST 2015 on sn-devel-104
These make use of gss_[un]wrap_iov[_length]() where required and support
header signing.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We want to set GENSEC_FEATURE_SIGN and GENSEC_FEATURE_SEAL based on the given
auth_level and should not have GENSEC_FEATURE_SEAL if
DCERPC_AUTH_LEVEL_INTEGRITY is desired.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
gensec_sig_size() also requires GENSEC_FEATURE_DCE_STYLE if
GENSEC_FEATURE_SEAL is negotiated.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/rpc_server/dcerpc_server.c:dcesrv_request() calls gensec_have_feature().
Codenomicon found a code path that allows the client to send a
request that calls into this function without ever having set
up security. So call->conn->auth_state.gensec_security exists
(gensec has been initialized when the RPC pipe is set up)
but call->conn->auth_state.gensec_security->ops has not been
initialized. We dereference the NULL pointer and crash.
An alternate way to fix this would be to create a new
public bool gensec_initialized(() function and call that
inside dcesrv_request() instead of doing a null
check on call->conn->auth_state.gensec_security,
but that's a more invasive fix we can add later.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11341
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Simo Sorce <idra@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue May 19 13:42:32 CEST 2015 on sn-devel-104
On a host without a talloc.h, this caused the build to fail
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Mar 19 18:01:09 CET 2015 on sn-devel-104
Packet traces showing such servers are found in the bug this fixes:
https://bugzilla.samba.org/show_bug.cgi?id=10016
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
This is required to set the previous trust account password.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
The machine and trust accounts it's important to retry
netr_Authenticate3() with the previous (old) nt_hash.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
This ensures that if an enterprise principal is used, we do the
comparison properly
This matters as in the enterprise case, which can be triggered by MIT
kinit -E, does not use canonicalization, and so the enterprise name,
with the @ in it, is in the logon name.
Otherwise, we get errors like:
Name in PAC [TESTALLOWED@WIN2012R2] does not match principal name in ticket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Different gcc versions complain at different places
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Mar 3 13:14:53 CET 2015 on sn-devel-104
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jan 26 19:56:57 CET 2015 on sn-devel-104
We need a way to initialize the cli_credentials from the raw utf16 blob,
which might not be completely valid utf16, which means the conversion
from CH_UTF16MUNGED to CH_UTF8 might loose information.
This would result in an invalid nt_hash, when we convert back
from CH_UTF8 to CH_UTF16LE.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11016
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Even with CRED_MUST_USE_KERBEROS we should keep the DCERPC_AUTH_TYPE_SCHANNEL
backend arround, this can only be specified explicitely by the caller
and cli_credentials_get_netlogon_creds() != NULL is the strong indication
that the caller is using DCERPC_AUTH_TYPE_SCHANNEL *now*.
With trusts against AD domain we can reliable use kerberos and netlogon
secure channel for authentication.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Otherwise, we try and kinit as host$@DOMAIN and that will not work.
Andrew Bartlett
Change-Id: Id2fde673423e74dfa1e6ac48f47f49c61ee59779
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This adds a new wrapper, cli_credentials_set_machine_account_db_ctx()
Andrew Bartlett
Change-Id: Ia2cceefede4ba9cf7f8de41986daf9372c19d997
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Change-Id: I4136067d6d0e5cfe92770a2e7efa39f4ebcb2aca
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This should ensure more parts of the source4 code can work with a
password set in secrets.tdb.
Andrew Bartlett
Change-Id: I4a890a719246b073898333d2e04841904c6e1a5d
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
