1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

54 Commits

Author SHA1 Message Date
Volker Lendecke
f5033a1e62 r23953: Some C++ warnings
(This used to be commit 8716edf157)
2007-10-10 12:28:49 -05:00
Stefan Metzmacher
14e81b3009 r23948: add gsskrb5 sign and seal support for LDAP connections
NOTE: only for the "GSSAPI" SASL mech yet

metze
(This used to be commit a079b66384)
2007-10-10 12:28:48 -05:00
Stefan Metzmacher
ea3c3b9272 r23946: add support for NTLMSSP sign and seal
NOTE: windows servers are broken with sign only...

metze
(This used to be commit 408bb2e6e2)
2007-10-10 12:28:48 -05:00
Stefan Metzmacher
07c034f7c4 r23945: add infrastructure to select plain, sign or seal LDAP connection
metze
(This used to be commit 2075c05b3d)
2007-10-10 12:28:48 -05:00
Stefan Metzmacher
809c9d4d31 r23888: move elements belonging to the current ldap connection to a
substructure.

metze
(This used to be commit 00909194a6)
2007-10-10 12:28:38 -05:00
Andrew Tridgell
5e54558c6d r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text
(This used to be commit b0132e94fc)
2007-10-10 12:28:22 -05:00
Jeremy Allison
d824b98f80 r23779: Change from v2 or later to v3 or later.
Jeremy.
(This used to be commit 407e6e695b)
2007-10-10 12:28:20 -05:00
Volker Lendecke
b4a7b7a888 r22844: Introduce const DATA_BLOB data_blob_null = { NULL, 0, NULL }; and
replace all data_blob(NULL, 0) calls.
(This used to be commit 3d3d61687e)
2007-10-10 12:22:01 -05:00
Stefan Metzmacher
78c57f59ac r22153: fix LDAP SASL "GSSAPI" bind against w2k3, this isn't critical
because we try "GSS-SPNEGO" first and all windows version support
that.

metze
(This used to be commit 34a5badbde)
2007-10-10 12:19:17 -05:00
Stefan Metzmacher
eceb926df9 r22092: - make spnego_parse_auth_response() more generic and
not specific for NTLMSSP
- it's possible that the server sends a mechOID and authdata
  if negResult != SPNEGO_NEG_RESULT_INCOMPLETE, but we still
  force the mechOID to be present if negResult == SPNEGO_NEG_RESULT_INCOMPLETE

metze
(This used to be commit e9f2aa22f9)
2007-10-10 12:19:10 -05:00
Jeremy Allison
4899c6b806 r22079: Tsk, tsk, Metze didn't compile before check-in :-).
Merge the memory leak fix (with fix :-) to 3.0.25.
Jeremy.
(This used to be commit ab3150fe4e)
2007-10-10 12:19:09 -05:00
Stefan Metzmacher
98c300ab90 r22078: fix memory leak in not often used code, we only use it if the server
doesn't support GSS-SPNEGO in SASL

can someone please review this, maybe it's also for 3.0.25

metze
(This used to be commit 8c6930b701)
2007-10-10 12:19:09 -05:00
Jeremy Allison
b74cb6740f r21850: After Jerry explained to me the HORRIBLE way in which
the MIT gss libraries *SUCK*, move the frees to the end
of the function so MIT doesn't segfault.....
Add a comment so that another engineer knows why I did
this.
Jeremy.
(This used to be commit 1a2be06d4a)
2007-10-10 12:18:38 -05:00
Jeremy Allison
7d77dd9db6 r21847: Fix memory leaks in error paths (and in main code path in one case...)
in sasl bind. Wonder why coverity didn't find these ?
Jeremy.
(This used to be commit 89bdd30e4b)
2007-10-10 12:18:37 -05:00
Gerald Carter
763a553046 r21273: * Protect the sasl bind against a NULL principal string
in the SPNEGO negTokenInit
(This used to be commit fe70c22496)
2007-10-10 12:17:53 -05:00
Günther Deschner
69cee2a3ec r21240: Fix longstanding Bug #4009.
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".

Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).

Guenther
(This used to be commit 7e1a84b722)
2007-10-10 12:17:50 -05:00
Gerald Carter
594ab518a5 r21046: Backing out svn r20403 (Andrew's krb5 ticket cleanup
as this is causing the WRONG_PASSWORD error in the SetUserInfo()
call during net ads join).

We are now back to always list RC4-HMAC first if supported by
the krb5 libraries.
(This used to be commit 4fb57bce87)
2007-10-10 12:17:29 -05:00
Andrew Bartlett
76cdf68ee9 r20403: Cleaning out my Samba 3.0 tree:
As discussed with jerry at the CIFS conf: overriding the
administrator's wishes from the krb5.conf has only every given me
segfaults.  We suggest leaving this up to the defaults from the
libraries anyway.

Andrew Bartlett
(This used to be commit 0b72c04906)
2007-10-10 12:16:47 -05:00
Herb Lewis
dc06fda6c7 r20132: get rid of defined but not used warning - static function only used
inside the #ifdef HAVE_KRB5
(This used to be commit c6cdf76c58)
2007-10-10 12:16:26 -05:00
Volker Lendecke
f8a17bd8bd r18047: More C++ stuff
(This used to be commit 86f4ca84f2)
2007-10-10 11:43:24 -05:00
Volker Lendecke
ee0e397d6f r18019: Fix a C++ warnings: Don't use void * in libads/ for LDAPMessage anymore.
Compiled it on systems with and without LDAP, I hope it does not break the
build farm too badly. If it does, I'll fix it tomorrow.

Volker
(This used to be commit b2ff9680eb)
2007-10-10 11:39:49 -05:00
Jeremy Allison
0362fde476 r17899: Fix Stanford checker bug - possible null deref.
Jeremy.
(This used to be commit e779491751)
2007-10-10 11:38:57 -05:00
Jeremy Allison
fbdcf2663b r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need
to do the upper layer directories but this is what
everyone is waiting for....

Jeremy.
(This used to be commit 9dafb7f48c)
2007-10-10 11:19:14 -05:00
Jeremy Allison
b68b05854f r15210: Add wrapper functions smb_krb5_parse_name, smb_krb5_unparse_name,
smb_krb5_parse_name_norealm_conv that pull/push from unix charset
to utf8 (which krb5 uses on the wire). This should fix issues when
the unix charset is not compatible with or set to utf8.
Jeremy.
(This used to be commit 37ab42afbc)
2007-10-10 11:16:28 -05:00
Gerald Carter
0af1500fc0 r13316: Let the carnage begin....
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed)
2007-10-10 11:06:23 -05:00
Simo Sorce
14b16baf69 r13137: make cleare where long ifdefs ends
(This used to be commit 58e48fef45)
2007-10-10 11:06:15 -05:00
Jeremy Allison
97ecce03de r11504: Added Andrew Bartletts removal of another NTLMSSP implementation
patch.
Jeremy.
(This used to be commit 4591984176)
2007-10-10 11:05:18 -05:00
Gerald Carter
54abd2aa66 r10656: BIG merge from trunk. Features not copied over
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d7)
2007-10-10 11:04:48 -05:00
Volker Lendecke
4dec112b8a r8989: Fix a warning
(This used to be commit 3d491ebf9c)
2007-10-10 11:00:23 -05:00
Gerald Carter
f24d88cf9d r7139: trying to reduce the number of diffs between trunk and 3.0; changing version to 3.0.20pre1
(This used to be commit 9727d05241)
2007-10-10 10:57:02 -05:00
Derrell Lipman
9840db418b r6149: Fixes bugs #2498 and 2484.
1. using smbc_getxattr() et al, one may now request all access control
   entities in the ACL without getting all other NT attributes.
2. added the ability to exclude specified attributes from the result set
   provided by smbc_getxattr() et al, when requesting all attributes,
   all NT attributes, or all DOS attributes.
3. eliminated all compiler warnings, including when --enable-developer
   compiler flags are in use.  removed -Wcast-qual flag from list, as that
   is specifically to force warnings in the case of casting away qualifiers.

Note: In the process of eliminating compiler warnings, a few nasties were
      discovered.  In the file libads/sasl.c, PRIVATE kerberos interfaces
      are being used; and in libsmb/clikrb5.c, both PRIAVE and DEPRECATED
      kerberos interfaces are being used.  Someone who knows kerberos
      should look at these and determine if there is an alternate method
      of accomplishing the task.
(This used to be commit 994694f7f2)
2007-10-10 10:56:24 -05:00
Gerald Carter
4b831f8e16 r5952: BUG 2469: patch from Jason Mader to cleanup compiler warning when not using krb5
(This used to be commit 19a639ac46)
2007-10-10 10:56:11 -05:00
Jeremy Allison
acf9d61421 r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f)
2007-10-10 10:53:32 -05:00
Jeremy Allison
bd1fbdbd8a r1378: Better debugging so I don't get confused what principal we mean.
Jeremy.
(This used to be commit de80e8b169)
2007-10-10 10:52:08 -05:00
Gerald Carter
63378d6f0e r541: fixing segfault in winbindd caused -r527 -- looks like a bug in heimdal; also initialize some pointers
(This used to be commit be74e88d9a)
2007-10-10 10:51:28 -05:00
Jeremy Allison
13aa693f35 r533: More memory leak fixes from kawasa_r@itg.hitachi.co.jp. I need to
valgrind winbindd with these in....
Jeremy.
(This used to be commit fa4774b73d)
2007-10-10 10:51:27 -05:00
Andrew Bartlett
7d068355aa This merges in my 'always use ADS' patch. Tested on a mix of NT and ADS
domains, this patch ensures that we always use the ADS backend when
security=ADS, and the remote server is capable.

The routines used for this behaviour have been upgraded to modern Samba
codeing standards.

This is a change in behaviour for mixed mode domains, and if the trusted
domain cannot be reached with our current krb5.conf file, we will show
that domain as disconnected.

This is in line with existing behaviour for native mode domains, and for
our primary domain.

As a consequence of testing this patch, I found that our kerberos error
handling was well below par - we would often throw away useful error
values.  These changes move more routines to ADS_STATUS to return
kerberos errors.

Also found when valgrinding the setup, fix a few memory leaks.

While sniffing the resultant connections, I noticed we would query our
list of trusted domains twice - so I have reworked some of the code to
avoid that.

Andrew Bartlett
(This used to be commit 7c34de8096)
2004-01-08 08:19:18 +00:00
Gerald Carter
c904740e95 s/OM_uint32//uint32/g
(This used to be commit f8a092e7b4)
2003-08-15 21:19:34 +00:00
Herb Lewis
aa39cc37da get rid of more compiler warnings
(This used to be commit 398bd14fc6)
2003-08-15 04:42:05 +00:00
Jeremy Allison
4632786cfb W00t! Client smb signing is now working correctly with krb5 and w2k server.
Server code *should* also work (I'll check shortly). May be the odd memory
leak. Problem was we (a) weren't setting signing on in the client krb5 sessionsetup
code (b) we need to ask for a subkey... (c). The client and server need to
ask for local and remote subkeys respectively.
Thanks to Paul Nelson @ Thursby for some sage advice on this :-).
Jeremy.
(This used to be commit 3f9e3b6070)
2003-07-25 23:15:30 +00:00
Andrew Tridgell
2cfc19f899 added an auth flag that indicates if we should be allowed to fallback
to NTLMSSP for SASL if krb5 fails. This is important as otherwise the
admin may think that a join has succeeeded when kerberos is actually
broken.
(This used to be commit 23a6ea385c)
2003-06-10 03:47:42 +00:00
Andrew Bartlett
7041e295eb Revert patch - we need to try the NTLMSSP code below...
Andrew Bartlett
(This used to be commit 317158972e)
2003-04-24 14:07:13 +00:00
Andrew Bartlett
77ced5915d Use the kerberos error from ads_kinit_password() in the return value from
our SASL code - help in printing a useful error message.

Andrew Bartlett
(This used to be commit 984321bfab)
2003-04-24 14:02:02 +00:00
Andrew Bartlett
d1221c9b6c Merge from HEAD client-side authentication changes:
- new kerberos code, allowing the account to change it's own password
   without special SD settings required
 - NTLMSSP client code, now seperated from cliconnect.c
 - NTLMv2 client code
 - SMB signing fixes

Andrew Bartlett
(This used to be commit 837680ca51)
2003-02-24 02:55:00 +00:00
Jeremy Allison
2f194322d4 Removed global_myworkgroup, global_myname, global_myscope. Added liberal
dashes of const. This is a rather large check-in, some things may break.
It does compile though :-).
Jeremy.
(This used to be commit f755711df8)
2002-11-12 23:20:50 +00:00
Jeremy Allison
f48a8615d6 After the lord mayors parade......
Janitor for tridge :-).
Jeremy.
(This used to be commit 76cdfbd510)
2002-11-10 03:07:19 +00:00
Gerald Carter
f2d1f19a66 syncing up with HEAD. Seems to be a lot of differences creeping in
(i ignored the new SAMBA stuff, but the rest of this looks like it should
have been merged already).
(This used to be commit 3de09e5cf1)
2002-10-01 18:26:00 +00:00
Gerald Carter
a834a73e34 sync'ing up for 3.0alpha20 release
(This used to be commit 65e7b5273b)
2002-09-25 15:19:00 +00:00
Jelmer Vernooij
b2edf254ed sync 3.0 branch with head
(This used to be commit 3928578b52)
2002-08-17 17:00:51 +00:00
Andrew Tridgell
e90b652848 updated the 3.0 branch from the head branch - ready for alpha18
(This used to be commit 03ac082dcb)
2002-07-15 10:35:28 +00:00