mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

7185 Commits

Author SHA1 Message Date
Andrew Bartlett
cc99c7bbeb r11537: Make the authsam_account_ok routine callable by external users (the KDC).
Andrew Bartlett
(This used to be commit 1643ad169c)
2007-10-10 13:45:51 -05:00
Andrew Bartlett
fb2394d309 r11536: Add a hook for client-principal access control to hdb-ldb, re-using
the code in auth/auth_sam.c for consistency.  This will also allow us
to have one place for a backend directory hook.

I will use a very similar hook to add the PAC.

Andrew Bartlett
(This used to be commit 4315836cd8)
2007-10-10 13:45:50 -05:00
Jelmer Vernooij
df5b70db2c r11535: Support void functions when generating templates.
(This used to be commit e8926a4e17)
2007-10-10 13:45:50 -05:00
Jelmer Vernooij
72c28b3c1e r11534: Consider ntvfs as a library
(This used to be commit f9bbc83f53)
2007-10-10 13:45:50 -05:00
Volker Lendecke
0ed6a35f00 r11533: Be a bit less intrusive
(This used to be commit f341c8b4c8)
2007-10-10 13:45:50 -05:00
Volker Lendecke
08964b9de8 r11532: Enable kerberos session setup for winbind smb connections
(This used to be commit f0e4075db5)
2007-10-10 13:45:50 -05:00
Andrew Bartlett
512f5ae881 r11529: Disable DNS lookups for forwarded credentials, unless really, really
wanted.  There is nothing that suggests that the host we forward
credentials to will not have other interfaces, unassociated with their
service name.  Likewise, the name may be a netbios, not DNS name.

This should avoid some nasty DNS lookups.

Andrew Bartlett
(This used to be commit da0ff19856)
2007-10-10 13:45:49 -05:00
Volker Lendecke
69307693dc r11528: Separate finding dcs from initializing a domain. Makes it easier to possibly
support cldap and other stuff in the future.

This temporarily disables wbinfo -t, but that will come back soon.

Try an ldap bind using gss-spnego. This got me krb5 binds against "our" w2k3
and a trusted w2k, although with some memleaks from krb5 and a BAD_OPTION
tgs-rep error.

Volker
(This used to be commit d14948fdf6)
2007-10-10 13:45:49 -05:00
Volker Lendecke
f792c4f8f2 r11527: Has this ever been run?
(This used to be commit 419b28d02d)
2007-10-10 13:45:49 -05:00
Volker Lendecke
51597d8780 r11526: And another warning...
(This used to be commit 16467008c6)
2007-10-10 13:45:48 -05:00
Andrew Bartlett
2dcb73aed8 r11525: Move lookups (including the attribute search) for users from
kdc/hdb-ldb.c to share the routines used for auth/

This will require keeping the attribute list in sync, but I think it
is worth it for the next steps (sharing the server_info generation).

Andrew Bartlett
(This used to be commit da38bcefa7)
2007-10-10 13:45:48 -05:00
Andrew Bartlett
b5ae5ac69c r11524: More work on our hdb backend in the KDC.
The aim here is to restructure the queries to match the queries we do
in auth, then to share the code that does the actual query (at least
for user logins).

Then we can generate the PAC from that shared query, rather than a
separate query.

Andrew Bartlett
(This used to be commit 4395d087e1)
2007-10-10 13:45:48 -05:00
Andrew Bartlett
75ec65597c r11523: Working towards having Samba3 join Samba4, this allows the SASL
credentials to be NULL, where the client is requesting a CIFS style
server-first negTokenInit.

Andrew Bartlett
(This used to be commit eba652ecc8)
2007-10-10 13:45:48 -05:00
Andrew Bartlett
df9af34876 r11522: Add support for delegated credentials and machine account credentials
to ldb, based on the sessionInfo we now pass around.

Andrew Bartlett
(This used to be commit 84e16e4ea7)
2007-10-10 13:45:48 -05:00
Andrew Bartlett
72820aaf92 r11521: Add in client support for checking supportedSASLmechanisms, and then
determining a mechanism to use.

Currently it doesn't do fallbacks like SPNEGO does, but this could be
added (to GENSEC, not to here).

This also adds a new function to GENSEC, which returns a list of SASL
names in our preference order (currently determined by the build
system of all things...).

Also make the similar function used for OIDs in SPNEGO do the same.

This is all a very long-winded way of moving from a hard-coded NTLM to
GSS-SPNEGO in our SASL client...

Andrew Bartlett
(This used to be commit 130eb9bb9a)
2007-10-10 13:45:48 -05:00
Andrew Bartlett
6ac2585e87 r11520: indent
(This used to be commit ce611eb5f3)
2007-10-10 13:45:47 -05:00
Volker Lendecke
892e1a60a8 r11519: And an uninitialized variable...
(This used to be commit dc0e9f8d1a)
2007-10-10 13:45:47 -05:00
Volker Lendecke
f7d8ba6279 r11518: Fix a warning
(This used to be commit 4a32df49e6)
2007-10-10 13:45:47 -05:00
Volker Lendecke
6b6a739eca r11517: Cleanup time, this looks larger than it is. This mainly gets rid of
wb_domain_request, now that we have queued rpc requests.

Volker
(This used to be commit 848522d1b6)
2007-10-10 13:45:47 -05:00
Volker Lendecke
687dea8de6 r11516: Fix a valgrind bug I introduced with queued requests
(This used to be commit 3e4ab756f4)
2007-10-10 13:45:47 -05:00
Volker Lendecke
baff088fed r11515: Add some talloc_get_type
(This used to be commit 558c29971d)
2007-10-10 13:45:46 -05:00
Andrew Bartlett
694a8e7402 r11514: Fixup debug message
(This used to be commit b2372cad36)
2007-10-10 13:45:46 -05:00
Andrew Bartlett
79cb46c1af r11513: Add the ability to use the local machine account instead of a static
password or delegation.

Add the ability to delegate for RPC pipes on the RPC proxy backend
(the backend itself seems to be having problems however).

Andrew Bartlett
(This used to be commit a7e946bc37)
2007-10-10 13:45:46 -05:00
Andrew Bartlett
d3b91ae169 r11512: fix typo
(This used to be commit 4143c22e30)
2007-10-10 13:45:46 -05:00
Stefan Metzmacher
819744cab2 r11503: be quiet...
metze
(This used to be commit e992119bf3)
2007-10-10 13:45:46 -05:00
Stefan Metzmacher
5f653c1456 r11502: make sure we always use the 7 chars for the unix socket name.
this is to test if that works on irix 6.4 where we can only use 16 chars for the sun_path
of the unix sockets.

the plan is to make multiple interfaces possible with socket wrapper,
and the format will change to ("%c%02X%04X", type, iface, port),
which is also 7 char to the file name

metze
(This used to be commit e60d491864)
2007-10-10 13:45:46 -05:00
Andrew Tridgell
b00252c5b8 r11501: change provision code to use the new display specifiers
(This used to be commit 696fa87a21)
2007-10-10 13:45:45 -05:00
Andrew Tridgell
318ac84440 r11500: fixed a bug in the variable substitution code using the new limit argument to split()
(This used to be commit 25131efea8)
2007-10-10 13:45:45 -05:00
Andrew Tridgell
40b1305996 r11499: added a minimal set of display specifiers for mmc to use to display
the core elements of a Samba4 domain
(This used to be commit bee45531ea)
2007-10-10 13:45:45 -05:00
Andrew Tridgell
218d306ece r11498: added an optional extra argument to split to limit the number of
pieces a string is split into. This allows for a fix in the variable
substitution used in provisioning
(This used to be commit be06785d48)
2007-10-10 13:45:45 -05:00
Andrew Bartlett
794386e5c4 r11497: Don't name parameters 'floor'. Rename fl and floor to epm_floor for
consistency.

Andrew Bartlett
(This used to be commit 8787eb982f)
2007-10-10 13:45:45 -05:00
Andrew Tridgell
4764eb7a93 r11496: add a minimal ads-compatible schema into our sam.ldb setup. This is
needed for mmc management of Samba4.
(This used to be commit cbbce4fe40)
2007-10-10 13:45:45 -05:00
Stefan Metzmacher
4f78115d6d r11489: add the one replication cycle test to NBT-WINSREPLICATION-QUICK
metze
(This used to be commit fc53eab2f1)
2007-10-10 13:45:44 -05:00
Stefan Metzmacher
0a4de40a0b r11488: handle the stupid name release demand a windows there send...
metze
(This used to be commit 1b62959a3d)
2007-10-10 13:45:44 -05:00
Stefan Metzmacher
6dafef0301 r11487: thanks to make test I noticed a deadlock bug, in the last change,
this only happens with socket_wrapper as socket_connect() returns NT_STATUS_OK
instead of NT_STATUS_MORE_PROCESSING_REQUIRED, and we missed to replace the
fde event handler...

metze
(This used to be commit f04001f280)
2007-10-10 13:45:44 -05:00
Stefan Metzmacher
536e68dbee r11485: prevent us from calling the request handler recursively when
the handler calls talloc_free(wrepl_socket)

metze
(This used to be commit bf0b96f057)
2007-10-10 13:45:43 -05:00
Stefan Metzmacher
b69e508381 r11484: test some multi homed record merging
metze
(This used to be commit 630f571934)
2007-10-10 13:45:43 -05:00
Jelmer Vernooij
ae57d5cd84 r11481: Disable pre-linking on VMS
(This used to be commit 2b3ad67b5d)
2007-10-10 13:45:43 -05:00
Stefan Metzmacher
36729384f3 r11480: demonstrate that only the positive name query response cares,
not the addresses that are returned in it

metze
(This used to be commit 82e19d6808)
2007-10-10 13:45:43 -05:00
Stefan Metzmacher
045e8ca574 r11479: fix compiler warning
metze
(This used to be commit 5f45d07020)
2007-10-10 13:45:42 -05:00
Stefan Metzmacher
580cfbb23a r11478: add owned,active,multi homed vs. * section
metze
(This used to be commit 0231926e0a)
2007-10-10 13:45:42 -05:00
Andrew Bartlett
1ab27b7fdf r11477: This seems really nasty, but as I understand it an attacker cannot
change this checksum, as it is inside the encrypted packets.

Where the client (such as Samba3) fakes up GSSAPI, allow it to
continue.  We can't rid the world of all Samba3 and similar clients...

Andrew Bartlett
(This used to be commit e60cdb63fb)
2007-10-10 13:45:42 -05:00
Andrew Tridgell
d59807eba4 r11476: finally fixed the intermittent registry server bug! This has been
cropping up occasionally for ages. The problem was the generic reg
code setting up a backend_data value, which it has no business doing
(backend_data is for backends ...)
(This used to be commit 9d6d03fd1d)
2007-10-10 13:45:42 -05:00
Andrew Tridgell
917ca215bb r11475: removed an extraneous ldb_delete() call (I had it there for debugging)
(This used to be commit daa9dcd8f4)
2007-10-10 13:45:42 -05:00
Andrew Tridgell
c845ab1e60 r11474: - enable ldb transactions from ejs
- speed up provisioning a bit using a ldb transaction (also means you
  can't end up with a ldb being half done)
(This used to be commit 91dfe304cf)
2007-10-10 13:45:41 -05:00
Volker Lendecke
66d3ee9ccb r11473: Based on work by Jelmer, implement the [async] flag for rpc requests. If it's
not there (it's not yet on *any* call... :-)), the rpc client strictly
sequences calls to an rpc pipe. Might need some more work on the exact
sequencing semantics when a pipe with both sync and async calls is actually
deployed, but I want it in for winbind simplification.

Volker
(This used to be commit b8f324e4f0)
2007-10-10 13:45:41 -05:00
Andrew Tridgell
66caa3234d r11472: use talloc_get_type() to try to catch an intermittent failure I'm seeing in the ldb winreg backend
(This used to be commit a56a3696cc)
2007-10-10 13:45:41 -05:00
Andrew Bartlett
e3b42c55eb r11471: Describe how kerberos forwarding works with the ntvfs.
Andrew Bartlett
(This used to be commit 66d7a51394)
2007-10-10 13:45:41 -05:00
Andrew Bartlett
20debaa289 r11470: To a server trusted for delegation (checked for in the gss libs),
delegate by default.

Andrew Bartlett
(This used to be commit 49d489c81d)
2007-10-10 13:45:41 -05:00
Andrew Bartlett
3b213ca9a3 r11469: Fix typo, and use the correct (RFC4120) session key for delegating
credentials.  This means we now delegate to windows correctly.

Andrew Bartlett
(This used to be commit d6928a3bf8)
2007-10-10 13:45:40 -05:00