IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
The gss_import_name() broke as we switched from the internal MIT OID
"gss_nt_krb5_principal" to "GSS_KRB5_NT_PRINCIPAL_NAME" and didn't switch from
passing the krb5_principal (or better: a pointer to that, see MIT's "*HORRIBLE*
bug") to pass the string principal directly.
Jerry, Jeremy, neither I could figure out the need of passing in a
krb5_principal at all nor could I reproduce the crash you were seeing.
I sucessfully tested the code (now importing a string) with MIT 1.2.7, 1.3.6,
1.4.3, 1.5.1, 1.6.1 and Heimdal 0.7.2, 1.0, 1.0.1.
Guenther
(This used to be commit cb2dc715e3)
"not_defined_in_RFC4178@please_ignore" case to make at least LDAP SASL binds
succeed with windows server 2008.
Guenther
(This used to be commit f5b3de4d30)
Heimdal doesn't accept all OIDs and gss_import_name() fails with
GSS_S_BAD_NAMETYPE using this one. Use the GSS_KRB5_NT_PRINCIPAL_NAME OID
instead (which works with at least MIT 1.6.1 and Heimdal 1.0.1).
Guenther
(This used to be commit f783b32b65)
- with the "GSSAPI" sasl mech the plain, sign or seal negotiation
is independed from the req_flags and ret_flags
- verify the server supports the wrapping type we want
- better handling on negotiated buffer sizes
metze
(This used to be commit d0ec732387)
also for the "GSSAPI" sasl mech.
- also use the ads_kinit_password() fallback logic
from the "GSS-SPNEGO" sasl mech.
metze
(This used to be commit cbaf44de1e)
not specific for NTLMSSP
- it's possible that the server sends a mechOID and authdata
if negResult != SPNEGO_NEG_RESULT_INCOMPLETE, but we still
force the mechOID to be present if negResult == SPNEGO_NEG_RESULT_INCOMPLETE
metze
(This used to be commit e9f2aa22f9)
the MIT gss libraries *SUCK*, move the frees to the end
of the function so MIT doesn't segfault.....
Add a comment so that another engineer knows why I did
this.
Jeremy.
(This used to be commit 1a2be06d4a)
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".
Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).
Guenther
(This used to be commit 7e1a84b722)
as this is causing the WRONG_PASSWORD error in the SetUserInfo()
call during net ads join).
We are now back to always list RC4-HMAC first if supported by
the krb5 libraries.
(This used to be commit 4fb57bce87)
As discussed with jerry at the CIFS conf: overriding the
administrator's wishes from the krb5.conf has only every given me
segfaults. We suggest leaving this up to the defaults from the
libraries anyway.
Andrew Bartlett
(This used to be commit 0b72c04906)
Compiled it on systems with and without LDAP, I hope it does not break the
build farm too badly. If it does, I'll fix it tomorrow.
Volker
(This used to be commit b2ff9680eb)
smb_krb5_parse_name_norealm_conv that pull/push from unix charset
to utf8 (which krb5 uses on the wire). This should fix issues when
the unix charset is not compatible with or set to utf8.
Jeremy.
(This used to be commit 37ab42afbc)
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d7)
1. using smbc_getxattr() et al, one may now request all access control
entities in the ACL without getting all other NT attributes.
2. added the ability to exclude specified attributes from the result set
provided by smbc_getxattr() et al, when requesting all attributes,
all NT attributes, or all DOS attributes.
3. eliminated all compiler warnings, including when --enable-developer
compiler flags are in use. removed -Wcast-qual flag from list, as that
is specifically to force warnings in the case of casting away qualifiers.
Note: In the process of eliminating compiler warnings, a few nasties were
discovered. In the file libads/sasl.c, PRIVATE kerberos interfaces
are being used; and in libsmb/clikrb5.c, both PRIAVE and DEPRECATED
kerberos interfaces are being used. Someone who knows kerberos
should look at these and determine if there is an alternate method
of accomplishing the task.
(This used to be commit 994694f7f2)
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f)
