IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Windows 2000 does strictly request header signing on some requests also if the
server doesn't provide it. But there is a small trick (don't reset the actual
session info) to make these special RPC operations work without a full header
signing implementation.
This fixes for example the list of domain groups in local groups when displayed
sing the local user/group management tool.
And this should finally fix bug #7113.
The patch was inspired by another one by tridge and abartlet: http://gitweb.samba.org/samba.git/?p=tridge/samba.git;a=commitdiff;h=2dc19e2878371264606575d3fc09176776be7729
The recent dcerpc padding changes made our padding relative to the
packet header, instead of the start of the stub. Surprisingly, this
broke w2k8r2 doing a dcpromo join to a s4 server. It seems that w2k8r2
is very fussy about the padding it gets in some circumstances.
Cope with a wider range of auth padding in dcerpc bind_ack and
alter_context packets. We now use a helper function that calculates
the right auth padding.
When starting GENSEC on the server, the auth subsystem context must be
passed in, which now includes function pointers to the key elements.
This should (when the other dependencies are fixed up) allow GENSEC to
exist as a client or server library without bundling in too much of
our server code.
Andrew Bartlett
Also ignore auth trailers in level connect on receive.
This fixes [krb5,connect] against windows.
TODO: maybe the gensec mech need to decide if signatures
are needed in level connect.
metze
(This used to be commit 2e3629719790e7631d9de383b565dc8a0997bcfb)
Note that the correct return for a failed alter_context is a fault,
not a bind_nak.
Andrew Bartlett
(This used to be commit 52cce94532edf1dd7f26e39bf3377f0077ea6792)
There are still a few tidyups of old FSF addresses to come (in both s3
and s4). More commits soon.
(This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
Break up auth/auth.h not to include the world.
Add credentials_krb5.h with the kerberos dependent prototypes.
Andrew Bartlett
(This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
as well?
The server side change is needed to fix a valgrind error, which was
possibly exploitable if the client sent deliberately bad data
(This used to be commit e3c04cf165fe15739197b2713e78046399aa7653)
length, use the amount the wapped message expanded by.
This works, because GSSAPI doesn't do AEAD (signing of headers), and
so changing the signature length after the fact is valid.
Andrew Bartlett
(This used to be commit bd1e0f679c8f2b9755051b8d34114fa127a7cf26)
and gensec_server_start().
calling them with NULL for event context or messaging context
is no longer allowed!
metze
(This used to be commit 679ac74e71b111344f1097ab389c0b83a9247710)
authentication. This pulls the creating of the keytab back to the
credentials code, and removes the special case of 'use keberos keytab
= yes' for now.
This allows (and requires) the callers to specify the credentials for
the server credentails to GENSEC. This allows kpasswdd (soon to be
added) to use a different set of kerberos credentials.
The 'use kerberos keytab' code will be moved into the credentials
layer, as the layers below now expect a keytab.
We also now allow for the old secret to be stored into the
credentials, allowing service password changes.
Andrew Bartlett
(This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
data to be signed/sealed. We can use this to split the data from the
signature portion of the resultant wrapped packet.
This required merging the gsskrb5_wrap_size patch from
lorikeet-heimdal, and fixes AES encrption issues on DCE/RPC (we no
longer use a static 45 byte value).
This fixes one of the krb5 issues in my list.
Andrew Bartlett
(This used to be commit e4f2afc34362953f56a026b66ae1aea81e9db104)
event_context for the socket_connect() call, so that when things that
use dcerpc are running alongside anything else it doesn't block the
whole process during a connect.
Then of course I needed to change any code that created a dcerpc
connection (such as the auth code) to also take an event context, and
anything that called that and so on .... thus the size of the patch.
There were 3 places where I punted:
- abartlet wanted me to add a gensec_set_event_context() call
instead of adding it to the gensec init calls. Andrew, my
apologies for not doing this. I didn't do it as adding a new
parameter allowed me to catch all the callers with the
compiler. Now that its done, we could go back and use
gensec_set_event_context()
- the ejs code calls auth initialisation, which means it should pass
in the event context from the web server. I punted on that. Needs fixing.
- I used a NULL event context in dcom_get_pipe(). This is equivalent
to what we did already, but should be fixed to use a callers event
context. Jelmer, can you think of a clean way to do that?
I also cleaned up a couple of things:
- libnet_context_destroy() makes no sense. I removed it.
- removed some unused vars in various places
(This used to be commit 3a3025485bdb8f600ab528c0b4b4eef0c65e3fc9)
