Günther Deschner
b0ea179734
s3-kerberos: use KRB5_KT_KEY compat macro.
...
Guenther
2009-02-03 15:32:47 +01:00
Günther Deschner
3367812df6
s3-kerberos: fix ads_dedicated_keytab_verify_ticket with heimdal.
...
Guenther
2009-02-03 15:32:47 +01:00
Günther Deschner
1318fe8c60
Revert "fix for commit d96248a9b4 which broke Heimdal builds"
...
This does not build.
This reverts commit af736923a5.
2009-02-03 15:32:47 +01:00
Björn Jacke
af736923a5
fix for commit d96248a9b4 which broke Heimdal builds
2009-02-02 09:41:01 -08:00
Dan Sledz
d96248a9b4
Add two new parameters to control how we verify kerberos tickets. Removes lp_use_kerberos_keytab parameter.
...
The first is "kerberos method" and replaces the "use kerberos keytab"
with an enum. Valid options are:
secrets only - use only the secrets for ticket verification (default)
system keytab - use only the system keytab for ticket verification
dedicated keytab - use a dedicated keytab for ticket verification.
secrets and keytab - use the secrets.tdb first, then the system keytab
For existing installs:
"use kerberos keytab = yes" corresponds to secrets and keytab
"use kerberos keytab = no" corresponds to secrets only
The major difference between "system keytab" and "dedicated keytab" is
that the latter method relies on kerberos to find the correct keytab
entry instead of filtering based on expected principals.
The second parameter is "dedicated keytab file", which is the keytab
to use when in "dedicated keytab" mode. This keytab is only used in
ads_verify_ticket.
2009-02-01 20:23:31 -08:00
Michael Adam
27408de533
s3: fix bug #6073: prevent ads_connect() from using SSL unless explicitly requested
...
This fixes "net ads join".
It copes with the changed default "ldap ssl = start tls".
A new boolean option "ldap ssl : ads" is added to allow for
explicitly requesting ssl with ads.
Michael
2009-01-29 13:23:06 +01:00
Gerald (Jerry) Carter
073e9f42f0
ads_connect: Return immediately on a failed GC connection.
...
ads_connect_gc() feeds an explicit server to ads_connect(). However, if the
resulting connection fails, the latter function was attempting to find a DC
on its own and continuing the connection. This resulted in GC searches being
sent over a connection using port 389 which would fail when using the base
search suffix outside of the domain naming context.
The fix is to fail immediately in ads_connect() since the GC lookup ordering
is handled already in ads_connect_gc().
2009-01-16 12:15:33 -06:00
Michael Adam
0b87f210f1
s3:libads: use lock_path for creating paths to local krb5.conf files
...
instead of manually doing an asprintf with lp_lockdir()
Michael
squash
2009-01-16 01:02:22 +01:00
Michael Adam
37c77643f9
s3:libads: give create_local_private_krb5_conf_for_domain() a common exit point
...
Michael
2009-01-16 01:02:22 +01:00
Volker Lendecke
19b783cce9
Async wrapper for open_socket_out_send/recv
2009-01-04 16:42:40 +01:00
Volker Lendecke
fafb9ecc61
open_socket_out is always used with SOCK_STREAM, remove argument "type"
2009-01-03 19:22:06 +01:00
Volker Lendecke
d99aeed50f
Replace a static variable and alarm() calls by using sys_select()
...
Günther, please check!
2008-12-31 19:33:26 +01:00
Volker Lendecke
608910d40b
Fix some nonempty blank lines
2008-12-31 19:33:26 +01:00
Jeremy Allison
9eab2bfaf1
Fix more "ignore return value" warnings from gcc 4.3.
...
Jeremy
2008-12-30 18:24:39 -08:00
Jeremy Allison
d0eeb9aa8d
Fix more asprintf warnings and some error path errors.
...
Jeremy.
2008-12-23 12:11:12 -08:00
Jeremy Allison
1966a947d3
More asprintf warning fixes.
...
Jeremy.
2008-12-23 11:56:48 -08:00
Jeremy Allison
94df767f21
More asprintf warning fixes.
...
Jeremy.
2008-12-23 11:45:26 -08:00
Jeremy Allison
b143938b8a
Fix more asprintf errors and error code paths.
...
Jeremy.
2008-12-23 11:27:19 -08:00
Stefan Metzmacher
17efebde11
s3:libads/ldap.c: store the dc name in the saf cache as in all other places
...
metze
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 543fa85a71)
2008-12-13 11:42:36 +01:00
Stefan Metzmacher
a8040d5965
s3:libads/ldap.c: if the client belongs to no site at all any dc is the closest
...
metze
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
(cherry picked from commit f86ef9b53a)
2008-12-13 11:42:36 +01:00
Stefan Metzmacher
2f27ffc4a2
s3:libads/ldap.c: pass the real workgroup name to get_dc_name()
...
metze
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
(cherry picked from commit c2d4a84abe)
2008-12-13 11:42:36 +01:00
Stefan Metzmacher
7f779450cb
s3: libads: use get_dc_name() instead of get_sorted_dc_list() in the LDAP case
...
We use get_dc_name() for LDAP because it generates the selfwritten
krb5.conf with the correct kdc addresses and sets KRB5_CONFIG.
For CLDAP we need to use get_sorted_dc_list() to avoid recursion.
metze
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
(cherry picked from commit d2f7f81f4d)
2008-12-13 11:42:34 +01:00
Stefan Metzmacher
588f5aae66
s3: correctly detect if the current dc is the closest one
...
ads->config.tried_closest_dc was never set.
metze
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
(cherry picked from commit dfe5b00db3)
2008-12-13 11:42:22 +01:00
Tim Prouty
1eb743ab8e
s3: Change sockaddr util function names for consistency
...
Also eliminates name conflicts with OneFS system libraries
2008-12-03 10:40:20 -08:00
Günther Deschner
c554080dd9
s3-net: allow to list a keytab generated using net rpc vampire.
...
Guenther
2008-12-02 12:59:22 +01:00
Stefan Metzmacher
26461a72da
s3:libads/ldap.c: return an error instead of crashing when no realm is given
...
The bug was triggered by "net ads info -S 127.8.7.6" (where 127.8.7.6 doesn't ex
and "disable netbios = yes".
metze
Signed-off-by: Michael Adam <obnox@samba.org>
2008-11-24 15:23:50 +01:00
Steven Danneman
6d59be1e6d
Fix extended DN parse error when AD object does not have a SID.
...
Some AD objects, like Exchange Public Folders, can be members of Security
Groups but do not have a SID attribute. This patch adds more granular return
errors to ads_get_sid_from_extended_dn(). Callers can now determine if a parse
error occurred because of bad input, or the DN was valid but contained no SID.
I updated all callers to ignore SIDless objects when appropriate.
Also did some cleanup to the out paths of lookup_usergroups_memberof()
2008-11-18 13:02:21 -08:00
Steven Danneman
9a7900fb38
Whitespace and >80 column cleanups.
2008-11-18 13:02:20 -08:00
Jelmer Vernooij
ddcab787c4
Rename dos_errstr() to win_errstr() for consistency with Samba 4.
2008-11-01 17:19:26 +01:00
Jelmer Vernooij
d6a5476ee7
Use sockaddr_storage only where we rely on the size, use sockaddr
...
otherwise (to clarify we can also pass in structs smaller than
sockaddr_storage, such as sockaddr_in).
2008-10-23 19:53:15 +02:00
Günther Deschner
c0cf457c85
s3-asn1: make all of s3 asn1 code do a proper asn1_init() first.
...
Guenther
2008-10-22 21:37:36 +02:00
Günther Deschner
d9f1fff5b3
s3: use shared asn1 code.
...
Guenther
2008-10-22 21:37:36 +02:00
Günther Deschner
4b59ecb903
s3-build: no need to duplicate generated ndr_ prototypes.
...
Guenther
2008-10-20 19:47:00 +02:00
Jelmer Vernooij
7275952568
Add TALLOC_CTX pointer to generate_random_str(), for consistency with
...
Samba 4.
2008-10-19 10:05:48 +02:00
Günther Deschner
e9e1246021
kerberos: fix some heimdal build warnings.
...
Guenther
2008-10-15 21:43:50 +02:00
Jelmer Vernooij
1f3e4f39c5
Use GUID_string rather than smb_uuid_string().
2008-10-14 02:26:18 +02:00
Günther Deschner
d5a11f9679
fix build warnings.
...
Guenther
2008-10-13 00:40:57 +02:00
Jelmer Vernooij
218f482fbf
Use common strlist implementation in Samba 3 and Samba 4.
2008-10-12 00:56:56 +02:00
Jelmer Vernooij
cb78d4593b
Cope with changed signature of http_timestring().
2008-10-11 23:57:44 +02:00
Volker Lendecke
80665a0b5a
Fix an unlikely memleak found by the IBM checker
2008-10-04 22:19:11 +02:00
Volker Lendecke
9eea6929e3
Fix an uninitialized variable found by the IBM Checker
2008-10-04 22:15:03 +02:00
Volker Lendecke
af1c802791
The IRIX compiler does not like embedded unnamed unions
2008-10-02 08:09:25 +02:00
Günther Deschner
f07431f5ba
s3-nbt: use the new generated nbt.
...
Guenther
2008-09-24 03:34:23 +02:00
Günther Deschner
de54bac54c
s3: fix NETLOGON_NT_VERSION version flags.
...
Guenther
2008-09-23 23:20:10 +02:00
Günther Deschner
c48186f507
s3: use samba4 prototype for ndr_push/pull_struct_blob.
...
Guenther
2008-09-23 09:37:23 +02:00
Gerald (Jerry) Carter
28d2683903
* Allow an admin to define the "uid" attribute for a RFC2307
...
user object in AD to be the username alias.
For example:
$ net ads search "(uid=coffeedude)"
distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
sAMAccountName: gcarter
memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
uid: coffeedude
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/gcarter
loginShell: /bin/bash
$ ssh coffeedude@192.168.56.91
Password:
coffeedude@orville:~$ id
uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)
$ getent passwd PINK\\gcarter
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent passwd coffeedude
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent group PINK\\Unixusers
PINK\unixusers:x:10000:coffeedude
2008-09-16 10:35:21 -07:00
Günther Deschner
862ff66da9
kerberos: fix indent of enc type lines in generated krb5.conf files.
...
Guenther
(This used to be commit 18a26f08b6)
2008-09-04 15:17:57 +02:00
Günther Deschner
bff20e14c3
kerberos: use KRB5_KT_KEY macro where appropriate.
...
Guenther
(This used to be commit a042dffd71)
2008-08-29 11:01:34 +02:00
Günther Deschner
825f06c3f9
libads: remove unused vars.
...
Guenther
(This used to be commit ea9fc3bea3)
2008-08-20 22:07:40 +02:00
Jeremy Allison
d701d23b60
Fix uninitialized variables.
...
Jeremy.
(This used to be commit 1db7e00a54)
2008-07-30 16:06:30 -07:00
Günther Deschner
c11fb13864
kerberos: make smb_krb5_kt_add_entry() static.
...
Guenther
(This used to be commit 04b1847f87)
2008-07-18 16:42:55 +02:00
Volker Lendecke
d3def9a18c
Revert "Pass NULL to gencache_get when we are not interested in the timeout value"
...
This reverts commit 16062dfc3d.
(This used to be commit 114ca85775)
2008-07-11 17:53:25 +02:00
Volker Lendecke
962beb2872
Pass NULL to gencache_get when we are not interested in the timeout value
...
(This used to be commit 16062dfc3d)
2008-07-03 15:17:58 +02:00
Günther Deschner
16e44ee112
kerberos: allow to keep entries with old kvno's while creating keytab.
...
Guenther
(This used to be commit 6194244bd9)
2008-06-30 12:38:40 +02:00
Günther Deschner
52635c6f58
kerberos: rename smb_krb5_kt_add_entry to smb_krb5_kt_add_entry_ext.
...
Guenther
(This used to be commit 48600a0019)
2008-06-30 12:38:32 +02:00
Gerald W. Carter
893e3522fc
Return NULL in sitename_fetch() if gencache_init() fails. Not false
...
(This used to be commit 8704c2ab37)
2008-06-28 09:36:30 -04:00
Gerald W. Carter
9ff1ffcbee
libads: Add API call to connect to a global catalog server.
...
Extends ads_connect() to a new call ads_connect_gc() which connects on port
3268 rather than port 389. Also makes ads_try_connect() static and
only used internally to ldap.c
(This used to be commit f4c37dbe2c)
2008-06-27 10:26:11 -04:00
Günther Deschner
7b1f015675
libads: add ads_connect_user_creds() that won't overwrite given user creds.
...
Guenther
(This used to be commit 026018c9f1)
2008-06-24 23:37:49 +02:00
Günther Deschner
6b4b76c40e
libads: add ADS_AUTH_USER_CREDS to avoid magic overwriting of usernames.
...
Guenther
(This used to be commit b5aaf5aa0f)
2008-06-24 23:37:40 +02:00
Günther Deschner
0ac8c5d49a
kerberos: make smb_krb5_kt_add_entry public, allow to pass keys without salting them.
...
Guenther
(This used to be commit 7c4da23be1)
2008-06-24 23:34:05 +02:00
Günther Deschner
0447e6a0a7
libads: add ads_get_machine_kvno() to make ads_get_kvno() a bit more generic.
...
Guenther
(This used to be commit cb7ace209c)
2008-06-17 19:54:09 +02:00
Günther Deschner
3688eeafa3
libads: fix logic error in ads_get_kvno().
...
Guenther
(This used to be commit 132b038581)
2008-06-17 19:51:14 +02:00
Volker Lendecke
aaa2a4f447
Revert "Fix a memleak in ads_find_dc() in case get_sorted_dc_list() fails"
...
This reverts commit df8d089bc6.
(This used to be commit 342f885820)
2008-06-17 12:20:54 +02:00
Günther Deschner
21e759ef64
mailslot: always pull a command 25 type reply.
...
Guenther
(This used to be commit 1ce726b951)
2008-06-05 19:09:30 +02:00
Volker Lendecke
d261e16cfd
Fix a memleak in ads_find_dc() in case get_sorted_dc_list() fails
...
This is really not a proper place to fix this, but as get_gc_list() and friends
are about to be replaced anyway, just work around the broken existing API
(This used to be commit df8d089bc6)
2008-06-05 10:56:18 +02:00
Marc VanHeyningen
ad00ecd358
Tiny memory leak
...
(This used to be commit e7f76a0c65)
2008-05-29 14:26:50 -07:00
Jeremy Allison
d5d4a9511d
Memory leak fixes from Chere Zhou <czhou@isilon.com>.
...
Jeremy.
(This used to be commit 201bcc8ed2)
2008-05-27 12:27:57 -07:00
Tim Prouty
fb37f15600
Cleanup size_t return values in callers of convert_string_allocate
...
This patch is the second iteration of an inside-out conversion to cleanup
functions in charcnv.c returning size_t == -1 to indicate failure.
(This used to be commit 6b189dabc5)
2008-05-20 22:40:13 +02:00
root
fc3e6851d3
Fix some comments to match get_kdc_ip_string()'s behaviour
...
(This used to be commit 30956c784f)
2008-05-19 12:08:52 +02:00
Günther Deschner
eeb126a379
libads/cldap: store client sitename also keyed by dns domain name.
...
Guenther
(This used to be commit 0388b2f0cc)
2008-05-15 16:38:32 +02:00
Günther Deschner
847d385f7b
Fix Bug #5465 (joining with createcomputer=ou1/ou2/ou3).
...
Guenther
(This used to be commit f3251ba03a)
2008-05-14 23:53:23 +02:00
Günther Deschner
d59cf703ba
dsgetdcname: make use of nbt_cldap_netlogon_15.
...
Guenther
(This used to be commit 5b0eda98f3)
2008-05-09 17:41:50 +02:00
Günther Deschner
4bd94c8338
cldap: move out cldap object to fix the build.
...
Guenther
(This used to be commit 56be9c98d2)
2008-05-09 14:59:19 +02:00
Günther Deschner
cdd9913c4a
cldap: let ads_cldap_netlogon() return all possible cldap replies.
...
Guenther
(This used to be commit 6f9d5e1cc9)
2008-05-09 14:59:18 +02:00
Günther Deschner
1f6065765c
mailslot/cldap: use nt_version bits in queries.
...
Guenther
(This used to be commit b261f06312)
2008-05-06 09:41:41 +02:00
Gerald W. Carter
43c079ef26
BUG 5107: Fix handling of large DNS replies on AIX and Solaris.
...
On AIX, Solaris, and possibly some older glibc systems (e.g. SLES8)
truncated replies never give back a resp_len > buflen
which ends up causing DNS resolve failures on large tcp DNS replies.
Also add more debug lines about processing the DNS reply.
(This used to be commit 5ed9b92097)
2008-04-30 09:57:15 -05:00
Steven Danneman
778a5414b1
Fix bug 5419: memory leak in ads_do_search_all_args() when enumerating 1000s of entries
...
The ads_do_search_all_args() function attempts to string together several
LDAPMessage structures, returned across several paged ldap requests, into a
single LDAPMessage structure. It does this by pulling entries off the second
LDAPMessage structure and appending them to the first via the OpenLDAP specific
ldap_add_result_entry() call.
The problem with this approach is it skips non-entry messages such as the
result, and controls. These messages are leaked.
The short term solution as suggested by Volker is to replace the ads_*_entry()
calls with ads_*_message() calls so we don't leak any messages.
This fixes the leak but doesn't remove the dependence on the OpenLDAP specific
implementation of ldap_add_result_entry().
(This used to be commit f1a5405409)
2008-04-26 08:11:20 -07:00
Volker Lendecke
862d7e32b9
Move user/domain from rpc_pipe_client to cli_pipe_auth_data
...
(This used to be commit 42de50d2cd)
2008-04-25 11:12:50 +02:00
Günther Deschner
bcbac69d1a
cldap: avoid duplicate definitions so remove ads_cldap.h.
...
Guenther
(This used to be commit 538eefe22a)
2008-04-21 20:21:40 +02:00
Günther Deschner
1dd7ab38e7
cldap: add talloc context to ads_cldap_netlogon().
...
Guenther
(This used to be commit 4cee7b1bd5)
2008-04-21 20:21:40 +02:00
Günther Deschner
ba98dd4989
libads: Use libnbt for CLDAP reply parsing.
...
Guenther
(This used to be commit 751f3064a5)
2008-04-21 20:21:39 +02:00
Volker Lendecke
cf2442bdcb
Use rpc_pipe_client->user_name instead of rpc_pipe_client->cli->user_name
...
Also make sure that rpc_pipe_client->user_name is always talloced.
(This used to be commit 3f6c5b9966)
2008-04-20 00:14:40 +02:00
Volker Lendecke
4c857010e7
Fix two "ignoring asprintf result" warnings
...
(This used to be commit 1d261e78b3)
2008-04-20 00:13:39 +02:00
Volker Lendecke
2a2188591b
Add "desthost" to rpc_pipe_client
...
This reduces the dependency on cli_state
(This used to be commit 783afab9c8)
2008-04-20 00:13:09 +02:00
Karolin Seeger
8d7c7c674a
Fix typo.
...
Karolin
(This used to be commit 42fbbeb1ca)
2008-04-10 08:38:54 +02:00
Karolin Seeger
a8124367b4
Fix typos.
...
Karolin
(This used to be commit 6cee347035)
2008-04-09 16:14:04 +02:00
Günther Deschner
33a3766f03
Add ads_check_ou_dn().
...
Guenther
(This used to be commit 380e9d26db)
2008-03-28 16:43:59 +01:00
Volker Lendecke
1b26a7ea6d
Fix Coverity ID 488
...
"status" was used uninitialized on success -- metze, please check
(This used to be commit a0859529c8)
2008-03-23 19:44:55 +01:00
Volker Lendecke
561fb9daa4
Fix Coverity ID 487
...
(This used to be commit 22cee9c1af)
2008-03-23 19:44:55 +01:00
Marc VanHeyningen
e06aa46b9f
Coverity fixes
...
(This used to be commit 3fc85d2259)
2008-03-17 20:52:25 +01:00
Volker Lendecke
1ebfc66b2c
Use a separate tdb for mutexes
...
Another preparation to convert secrets.c to dbwrap: The dbwrap API does not
provide a sane tdb_lock_with_timeout abstraction. In the clustered case the DC
mutex is needed per-node anyway, so it is perfectly fine to use a local mutex
only.
(This used to be commit f94a63cd8f)
2008-03-10 21:08:45 +01:00
Volker Lendecke
87805819f1
Fix Coverity ID 551
...
Correctly return if we can't create the temporary krb5.conf
Jeremy, please check!
(This used to be commit c2401811aa)
2008-03-08 23:48:12 +01:00
Günther Deschner
7269a504fd
Add my copyright.
...
Guenther
(This used to be commit d078a87571)
2008-02-27 19:38:48 +01:00
Volker Lendecke
3176392878
Fix some warnings
...
warning: ignoring return value of 'asprintf', declared with attribute warn_unused_result
(This used to be commit ad37b7b0ae)
2008-02-25 16:09:26 +01:00
Günther Deschner
965774fa8f
Fix some more callers of PAC_DATA.
...
Guenther
(This used to be commit ea609d1b0e)
2008-02-17 02:12:00 +01:00
Günther Deschner
3ea40eda94
Some more cleanup in authdata.c.
...
Guenther
(This used to be commit 5483f5fb44)
2008-02-17 02:11:59 +01:00
Günther Deschner
86843631a2
Align our krb5 PAC decoding routines to the samba4 ones.
...
(while keeping all the trans krb5 lib support)
Guenther
(This used to be commit c06e507737)
2008-02-17 02:11:59 +01:00
Volker Lendecke
b361956942
str_list_free is not needed anymore
...
(This used to be commit feddc1447d)
2008-02-04 21:05:41 +01:00
Volker Lendecke
2762b9a975
Always pass a TALLOC_CTX to str_list_make and str_list_copy
...
(This used to be commit e2c9fc4cf5)
2008-02-04 20:57:49 +01:00
Günther Deschner
6c764172e5
When running with debug level > 10, dump ads_struct in ads_connect().
...
Guenther
(This used to be commit 2dd7c64fa8)
2008-01-31 11:05:25 +01:00
Günther Deschner
7cab0f5c0c
Fix the build. Avoid unrequired ndr_print_ads_struct dependencies.
...
Guenther
(This used to be commit c832882e49)
2008-01-29 15:17:02 +01:00
Gerald W. Carter
c0c93dc2ba
Restrict the enctypes in the generated krb5.conf files to Win2003 types.
...
This fixes the failure observed on FC8 when joining a Windows 2008 RC1
domain. We currently do not handle user session keys correctly
when the KDC uses AES in the ticket replies.
(This used to be commit 8039a2518c)
2008-01-28 11:32:09 -06:00
Volker Lendecke
587cf54c61
strtok -> strtok_r
...
(This used to be commit fd34ce4370)
2008-01-23 15:08:04 +01:00
Günther Deschner
a92eb76688
Finally enable pidl generated SAMR & NETLOGON headers and clients.
...
Guenther
(This used to be commit f7100156a7)
2008-01-17 16:54:46 +01:00
Jeremy Allison
70426bdd30
Tidy up code and debug for non-default krb5 IPv6 port.
...
Jeremy.
(This used to be commit 79b7972de4)
2008-01-16 13:28:24 -08:00
Jeremy Allison
bd8abea49f
Fix IPv6 bug #5204, which caused krb5 DNS lookups
...
for a name '[<ipv6 addr>'.
Jeremy.
(This used to be commit f2aa921505)
2008-01-16 13:21:46 -08:00
Günther Deschner
fbcc7820c6
Fix memleak in ads_build_path().
...
Guenther
(This used to be commit b7a06b54e0)
2008-01-16 16:06:15 +01:00
Günther Deschner
a32cca7f37
Print principal in debug statement in kerberos_kinit_password() as well.
...
Guenther
(This used to be commit 44d67e8462)
2008-01-14 18:39:08 +01:00
Jeremy Allison
43717a16e2
Fix CID 476. Ensure a valid pac_data pointer is always passed to
...
ads_verify_ticket as it's always derefed.
Jeremy.
(This used to be commit 0599d57eff)
2008-01-11 23:53:27 -08:00
Jeremy Allison
866af9a800
Coverity 512, uninitialized var.
...
Jeremy.
(This used to be commit 1b7cc80c61)
2008-01-11 23:43:33 -08:00
Günther Deschner
f89fa0a6f8
Do not ignore provided machine_name in ads_get_upn().
...
Guenther
(This used to be commit ddc1307844)
2008-01-08 14:07:01 +01:00
Michael Adam
4aba7475ef
Re-Indent function ldap_open_with_timeout().
...
This reverts commit #cafda34783f0961c9b463803c19cfcb69f836e3f.
I just learned (the hard way) that these indented functions
are not indented by accident but that the intention of this
is to not include the prototype into proto.h.
Michael
(This used to be commit 2e5d01b214)
2008-01-04 22:56:10 +01:00
Michael Adam
b54310cbaa
Add a debug message (when the LDAP server has really been connected).
...
Michael
(This used to be commit 7d9d2de390)
2008-01-04 22:09:36 +01:00
Michael Adam
2cb68e3898
Untangle assignment and result check.
...
Michael
(This used to be commit 465a3b356c)
2008-01-04 22:09:36 +01:00
Michael Adam
34e579fce5
Enhance DEBUG-verbosity of ldap_open_with_timeout().
...
Michael
(This used to be commit 9e70d1f24d)
2008-01-04 22:09:36 +01:00
Michael Adam
4ad3464fb9
Unindent function header.
...
Michael
(This used to be commit cafda34783)
2008-01-04 22:09:35 +01:00
Michael Adam
3f42428f9b
Fix a misleading DEBUG message.
...
At this stage, the (tcp) connection to the LDAP server has not
been established, this is what is about to be attempted. What
has been successfully done, is a CLDAP netlogon query.
Michael
(This used to be commit 71c3c8ad4c)
2008-01-04 22:09:35 +01:00
Günther Deschner
b076a7e802
Add ads_get_joinable_ous().
...
Guenther
(This used to be commit 5bbceac881)
2008-01-03 18:15:59 +01:00
Volker Lendecke
240391be53
Make use of [un]marshall_sec_desc
...
(This used to be commit 54576733d6)
2007-12-29 23:13:03 +01:00
Jeremy Allison
afc93255d1
Add SMB encryption. Still fixing client decrypt but
...
negotiation works.
Jeremy.
(This used to be commit d78045601a)
2007-12-26 17:12:36 -08:00
Simo Sorce
4869ccfed6
While 'data' is usually 0 terminated, nothing in the spec requires that. The correct way is to copy only 'length' bytes.
...
Simo.
(This used to be commit 814c1b0e00)
2007-12-17 15:26:08 -05:00
Volker Lendecke
d365a43785
make use of unmarshall_sec_desc
...
(This used to be commit ced0c42f05)
2007-12-16 14:15:16 +01:00
Jeremy Allison
8e86b7bb65
Doh, fix typo in error exit.
...
Jeremy.
(This used to be commit 44918f39c0)
2007-12-15 23:32:28 -08:00
Jeremy Allison
5dbc4a23bc
Added patch originally by Andreas Schneider <anschneider@suse.de>
...
to cause us to behave like Vista when looking for remote
machine principal. Modified by me.
Jeremy.
(This used to be commit d0e33840fb)
2007-12-15 23:22:25 -08:00
Volker Lendecke
2e07c2ade8
s/sid_to_string/sid_to_fstring/
...
least surprise for callers
(This used to be commit eb523ba776)
2007-12-15 22:47:30 +01:00
Volker Lendecke
14ef4cdec1
Replace sid_string_static with sid_to_string
...
This adds 28 fstrings on the stack, but I think an fstring on the stack is
still far better than a static one.
(This used to be commit c7c885078b)
2007-12-15 22:09:37 +01:00
Volker Lendecke
54ae9dfcbc
Use sid_string_talloc where we have a tmp talloc ctx
...
(This used to be commit 0a911d38b8)
2007-12-15 22:09:36 +01:00
Volker Lendecke
900288a2b8
Replace sid_string_static by sid_string_dbg in DEBUGs
...
(This used to be commit bb35e794ec)
2007-12-15 22:09:36 +01:00
Michael Adam
d8ac0cecae
Remove an incredible amount of whitespace.
...
Sorry - could not resist. Michael
(This used to be commit 1000c98eae)
2007-12-06 14:08:54 +01:00
Stefan Metzmacher
8fd3a7c43e
libads: fix typo
...
metze
(This used to be commit b55b19190d)
2007-12-06 09:54:19 +01:00
Volker Lendecke
78c6ee0090
Remove some globals
...
(This used to be commit 31d0a846db)
2007-12-05 14:39:07 +01:00
Jeremy Allison
6f46f75dfc
Make strhex_to_str clear on string limits. Remove pstring from web/*.c
...
Jeremy.
(This used to be commit f9c8d62389)
2007-12-03 17:17:05 -08:00
Volker Lendecke
1011b32678
Remove some statics
...
(This used to be commit 1fab16ffb8)
2007-11-27 14:18:47 +01:00
Volker Lendecke
d5b2325fcd
Remove a global
...
(This used to be commit 3088bc76f1)
2007-11-26 17:48:40 +01:00
Jeremy Allison
de51d3dd5f
More pstring removal....
...
Jeremy.
(This used to be commit 809f5ab4c5)
2007-11-20 18:55:36 -08:00
Jeremy Allison
acb829ecc3
Add MAX_DNS_NAME_LENGTH, remove more pstrings.
...
Jeremy.
(This used to be commit a1725f4ff7)
2007-11-15 18:27:26 -08:00
Jeremy Allison
32dd016353
Fix the setup_kaddr() call to cope with IPv6.
...
This is the last obvious change I can see. At
this point we can start claiming IPv6 support
(Hurrah !:-).
Jeremy.
(This used to be commit bda8c0bf57)
2007-10-29 15:03:36 -07:00
Jeremy Allison
e2d0526c97
Change our DNS code to cope with AAAA records. A6 records
...
look like a nightmare to use, so ignore them for now.
Jeremy.
(This used to be commit 814daded90)
2007-10-29 13:34:00 -07:00
Jeremy Allison
f88b7a076b
This is a large patch (sorry). Migrate from struct in_addr
...
to struct sockaddr_storage in most places that matter (ie.
not the nmbd and NetBIOS lookups). This passes make test
on an IPv4 box, but I'll have to do more work/testing on
IPv6 enabled boxes. This should now give us a framework
for testing and finishing the IPv6 migration. It's at
the state where someone with a working IPv6 setup should
(theoretically) be able to type :
smbclient //ipv6-address/share
and have it work.
Jeremy.
(This used to be commit 98e154c312)
2007-10-24 14:16:54 -07:00
Jeremy Allison
30191d1a57
RIP BOOL. Convert BOOL -> bool. I found a few interesting
...
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
(This used to be commit f35a266b3c)
2007-10-18 17:40:25 -07:00
Gerald (Jerry) Carter
e5a951325a
[GLUE] Rsync SAMBA_3_2_0 SVN r25598 in order to create the v3-2-test branch.
...
(This used to be commit 5c6c8e1fe9)
2007-10-10 15:34:30 -05:00
Michael Adam
b12e11f29f
r25422: Get rid of some cast warnings.
...
(This used to be commit 3e155b249e)
2007-10-10 12:31:04 -05:00
Gerald Carter
5221ebb299
r25407: Revert Longhorn join patch as it is not correct for the 3.2 tree.
...
The translate_name() used by cli_session_setup_spnego() cann rely
Winbindd since it is needed by the join process (and hence before
Winbind can be run).
(This used to be commit 00a93ed336)
2007-10-10 12:31:03 -05:00
Gerald Carter
3529156971
r25400: Windows 2008 (Longhorn) Interop fixes for AD specific auth2 flags,
...
and client fixes. Patch from Todd Stetcher <todd.stetcher@isilon.com>.
(This used to be commit 8304ccba73)
2007-10-10 12:31:02 -05:00
Günther Deschner
3309aacc99
r25328: When using ldap sasl wrapping with gssapi it's important to receive warnings
...
for clock-skew errors.
Guenther
(This used to be commit 53c99d415d)
2007-10-10 12:31:00 -05:00
Jeremy Allison
ab9d7bf4f9
r25165: Use talloc_asprintf_append_buffer with an unmodified
...
string.
Jeremy.
(This used to be commit fe30a523df)
2007-10-10 12:30:47 -05:00
Günther Deschner
1874c564db
r25133: Fix sasl wrapping (for ldap sign&seal).
...
The gss_import_name() broke as we switched from the internal MIT OID
"gss_nt_krb5_principal" to "GSS_KRB5_NT_PRINCIPAL_NAME" and didn't switch from
passing the krb5_principal (or better: a pointer to that, see MIT's "*HORRIBLE*
bug") to pass the string principal directly.
Jerry, Jeremy, neither I could figure out the need of passing in a
krb5_principal at all nor could I reproduce the crash you were seeing.
I successfully tested the code (now importing a string) with MIT 1.2.7, 1.3.6,
1.4.3, 1.5.1, 1.6.1 and Heimdal 0.7.2, 1.0, 1.0.1.
Guenther
(This used to be commit cb2dc715e3)
2007-10-10 12:30:43 -05:00
Günther Deschner
1ef2464451
r25109: Remove obsolete argument from ads_guess_service_principal().
...
Guenther
(This used to be commit 2dea9464bb)
2007-10-10 12:30:41 -05:00
Günther Deschner
dc58b03517
r25108: Make ifdef labyrinth in sasl code a bit more readable.
...
Guenther
(This used to be commit f31949ec34)
2007-10-10 12:30:40 -05:00
Günther Deschner
cd45a258a7
r25080: Once we decrypted the packet but have timing problems (clockskew, tkt not yet or
...
no longer valid) there is no point to bother the keytab routines.
Guenther
(This used to be commit 7e4dcf8e7e)
2007-10-10 12:30:38 -05:00
Lars Müller
9fa56b9ae9
r25030: ip_srv_nonsite and count_nonsite are initialized in get_kdc_list() in any
...
case.
(This used to be commit 287604a1c7)
2007-10-10 12:30:36 -05:00
Michael Adam
b202692875
r24836: Initialize some uninitialized variables.
...
This prevents a segfault when get_kdc_ip_string() is called
with sitename == NULL.
Michael
(This used to be commit 58d31e057b)
2007-10-10 12:30:26 -05:00
Günther Deschner
55b59eb80b
r24833: Move locator to nsswitch (does not belong to libads anymore).
...
Guenther
(This used to be commit af90c6949c)
2007-10-10 12:30:26 -05:00
Günther Deschner
dbdc0fecb6
r24832: In the winbind-locator recursion case, try to pick up the kdc from the
...
environment.
Guenther
(This used to be commit 7f42fe4e08)
2007-10-10 12:30:26 -05:00
Günther Deschner
647abf0a7b
r24804: As a temporary workaround, also try to guess the server's principal in the
...
"not_defined_in_RFC4178@please_ignore" case to make at least LDAP SASL binds
succeed with windows server 2008.
Guenther
(This used to be commit f5b3de4d30)
2007-10-10 12:30:23 -05:00
Günther Deschner
60fb367fd9
r24769: Merge error handling for locator plugin.
...
Guenther
(This used to be commit b83626676c)
2007-10-10 12:30:19 -05:00
Günther Deschner
6227abc043
r24752: Make sure to return properly when the locator is called from within winbindd.
...
Guenther
(This used to be commit 6cf7187e88)
2007-10-10 12:30:18 -05:00
Günther Deschner
49e92d0d56
r24748: Remove all dependencies to samba internals and convert the krb5 locator plugin
...
into a tiny winbindd DsGetDcName client. This still does not solve the case of
using the locator from within winbindd itself but at least gencache.tdb and
others are no longer corrupted.
Guenther
(This used to be commit 908e7963b8)
2007-10-10 12:30:17 -05:00
Günther Deschner
22cf5a3f80
r24739: With resolve_ads() allow to query for PDCs as well.
...
Also add dns query functions to find GCs and DCs by GUID.
Guenther
(This used to be commit cc469157f6
)
2007-10-10 12:30:16 -05:00
Günther Deschner
d61c180e49
r24654: Adapt to coding conventions.
...
Guenther
(This used to be commit a669ac2bc4
)
2007-10-10 12:30:13 -05:00
Günther Deschner
201f0e1ce4
r24432: Expand kerberos_return_pac() so that it can be used in winbindd.
...
Guenther
(This used to be commit e70bf0ecc3
)
2007-10-10 12:29:46 -05:00
Günther Deschner
3e00e2e9ce
r24424: Fix the build.
...
Guenther
(This used to be commit 029bf26f8a
)
2007-10-10 12:29:45 -05:00
Günther Deschner
6ba2d944a0
r24252: Dump guid of msExchMailboxGuid when returned.
...
Guenther
(This used to be commit 1142f3df54
)
2007-10-10 12:29:21 -05:00
Günther Deschner
bed0ea0693
r24251: Neverending fun:
...
Heimdal doesn't accept all OIDs and gss_import_name() fails with
GSS_S_BAD_NAMETYPE using this one. Use the GSS_KRB5_NT_PRINCIPAL_NAME OID
instead (which works with at least MIT 1.6.1 and Heimdal 1.0.1).
Guenther
(This used to be commit f783b32b65
)
2007-10-10 12:29:21 -05:00
Volker Lendecke
8476d072d3
r24166: Fix Coverity ID 391
...
(This used to be commit 461974d2cc
)
2007-10-10 12:29:17 -05:00
Gerald Carter
cdd140fe27
r24158: SE_GROUP_RESOURCE in the other_sids list apparently means a
...
domain local group.
Fix a typo in the PAC debugging routine
(This used to be commit b0b66b2e7a
)
2007-10-10 12:29:15 -05:00
Stefan Metzmacher
cc8d700364
r24131: - make it more clear what the different min and max fields mean
...
- with the "GSSAPI" sasl mech the plain, sign or seal negotiation
is independent from the req_flags and ret_flags
- verify the server supports the wrapping type we want
- better handling on negotiated buffer sizes
metze
(This used to be commit d0ec732387
)
2007-10-10 12:29:09 -05:00
Stefan Metzmacher
d2900ddf11
r24128: fix double free in error path
...
metze
(This used to be commit 29e2d8e044
)
2007-10-10 12:29:09 -05:00
Stefan Metzmacher
e1b1177196
r24104: fix the build, sorry...
...
metze
(This used to be commit a5e1f9fd29
)
2007-10-10 12:29:07 -05:00
Stefan Metzmacher
56766b1f3e
r24103: add some useful debug messages, as not all LDAP
...
libraries support wrapping hooks...
metze
(This used to be commit 581a1d3a20
)
2007-10-10 12:29:07 -05:00
Stefan Metzmacher
3edc6088aa
r24098: - make use of the ads_service_principal abstraction
...
also for the "GSSAPI" sasl mech.
- also use the ads_kinit_password() fallback logic
from the "GSS-SPNEGO" sasl mech.
metze
(This used to be commit cbaf44de1e
)
2007-10-10 12:29:06 -05:00
Stefan Metzmacher
db718085fd
r24095: add one more fallback alternative to
...
construct the principal
metze
(This used to be commit b545667d2a
)
2007-10-10 12:29:05 -05:00
Stefan Metzmacher
062bca6675
r24093: move gssapi/krb5 principal handling into a function
...
metze
(This used to be commit 83de27968d
)
2007-10-10 12:29:05 -05:00
Stefan Metzmacher
31dc9126c1
r24072: Add "client ldap sasl wrapping" parameter.
...
Possible values are "plain" (default), "sign" or "seal".
metze
(This used to be commit 26ccbad721
)
2007-10-10 12:29:02 -05:00
Günther Deschner
3ec8b1702c
r24066: Fix memleak found by Volker. We don't leak keys now with MIT and Heimdal.
...
Guenther
(This used to be commit 7755ad750f
)
2007-10-10 12:29:01 -05:00
Volker Lendecke
bf27a77c05
r24065: According to gd, this breaks heimdal. Thanks for checking!
...
(This used to be commit ea5f53eac8
)
2007-10-10 12:29:01 -05:00
Stefan Metzmacher
b4f6db40ab
r24062: fix logic for broken krb5 libs which always force
...
sign and seal...
metze
(This used to be commit 4a4fc8cccb
)
2007-10-10 12:29:00 -05:00
Volker Lendecke
d44063715a
r24058: Fix some memory leaks in ads_secrets_verify_ticket.
...
Jeremy, Günther, please review!
Thanks,
Volker
(This used to be commit 000e096c27
)
2007-10-10 12:29:00 -05:00
Stefan Metzmacher
75ae998b99
r24042: add support for krb5 sign and seal in LDAP via "GSS-SPNEGO"
...
metze
(This used to be commit 34ab84aceb
)
2007-10-10 12:28:59 -05:00
Stefan Metzmacher
6b5c55b0f0
r24037: only setup sasl wrapping after a successful bind
...
metze
(This used to be commit 85d6cd3dfb
)
2007-10-10 12:28:58 -05:00
Günther Deschner
2349acdd43
r23973: For debugging, add (undocumented) net ads kerberos commands (kinit, renew,
...
pac).
Guenther
(This used to be commit 4cada7c148
)
2007-10-10 12:28:51 -05:00
Günther Deschner
f659ffc0ee
r23970: Allow to set the debuglevel at which to dump the PAC logon info.
...
Guenther
(This used to be commit 7d321aad83
)
2007-10-10 12:28:50 -05:00
Günther Deschner
fce64f6833
r23969: Some helper routines to retrieve a PAC and PAC elements.
...
Guenther
(This used to be commit d4c87c792a
)
2007-10-10 12:28:50 -05:00
Volker Lendecke
f5033a1e62
r23953: Some C++ warnings
...
(This used to be commit 8716edf157
)
2007-10-10 12:28:49 -05:00
Günther Deschner
e6875b1b45
r23951: Fix segfault.
...
Guenther
(This used to be commit 1a5c8780ae
)
2007-10-10 12:28:48 -05:00
Stefan Metzmacher
14e81b3009
r23948: add gsskrb5 sign and seal support for LDAP connections
...
NOTE: only for the "GSSAPI" SASL mech yet
metze
(This used to be commit a079b66384
)
2007-10-10 12:28:48 -05:00
Stefan Metzmacher
ea3c3b9272
r23946: add support for NTLMSSP sign and seal
...
NOTE: windows servers are broken with sign only...
metze
(This used to be commit 408bb2e6e2
)
2007-10-10 12:28:48 -05:00
Stefan Metzmacher
07c034f7c4
r23945: add infrastructure to select plain, sign or seal LDAP connection
...
metze
(This used to be commit 2075c05b3d
)
2007-10-10 12:28:48 -05:00
Stefan Metzmacher
e0c4034393
r23943: - always provide ads_setup_sasl_wrapping() function
...
- read/write returning 0 means EOF and we need to return direct
metze
(This used to be commit 885d557ae7
)
2007-10-10 12:28:48 -05:00
Günther Deschner
9e0c550922
r23937: Use ads_config_path() when we need to know the configuration context.
...
Guenther
(This used to be commit 1a62c731c6
)
2007-10-10 12:28:46 -05:00
Stefan Metzmacher
00b27d2d69
r23933: - implement ctrl SASL wrapping hook
...
- pass down sign or seal hooks
- some sasl wrapping fixes
metze
(This used to be commit 8c64ca3394
)
2007-10-10 12:28:46 -05:00
Stefan Metzmacher
307e51ed14
r23926: implement output buffer handling for the SASL write wrapper
...
metze
(This used to be commit 65ce6fa21a
)
2007-10-10 12:28:45 -05:00
Stefan Metzmacher
7bef162aeb
r23922: implement input buffer handling for the SASL read wrapper
...
metze
(This used to be commit 7d8518ebd9
)
2007-10-10 12:28:42 -05:00
Stefan Metzmacher
8cd89a20ce
r23918: not all ldap libraries support debugging
...
metze
(This used to be commit 3f68189c9a
)
2007-10-10 12:28:41 -05:00
Stefan Metzmacher
d48dbc8bad
r23916: use the correct io operations for debugging
...
metze
(This used to be commit d745a1a719
)
2007-10-10 12:28:41 -05:00
Stefan Metzmacher
77619f37a0
r23898: rename HAVE_ADS_SASL_WRAPPING -> HAVE_LDAP_SASL_WRAPPING
...
metze
(This used to be commit 873eaff8fe
)
2007-10-10 12:28:39 -05:00
Stefan Metzmacher
57dd25cccb
r23893: add dummy callbacks for LDAP SASL wrapping,
...
they're not used yet...
metze
(This used to be commit a3b97cdce7
)
2007-10-10 12:28:39 -05:00
Stefan Metzmacher
809c9d4d31
r23888: move elements belonging to the current ldap connection to a
...
substructure.
metze
(This used to be commit 00909194a6
)
2007-10-10 12:28:38 -05:00
Stefan Metzmacher
2fc53c947b
r23886: add ads_disconnect() function
...
metze
(This used to be commit ba70737b70
)
2007-10-10 12:28:38 -05:00
Günther Deschner
28041b6064
r23869: Protect against partial security descriptors.
...
Guenther
(This used to be commit 0a96a11f01
)
2007-10-10 12:28:36 -05:00
Günther Deschner
ed0ffc5cef
r23861: Fix return code in ads_find_samaccount().
...
Guenther
(This used to be commit 684fcf39dc
)
2007-10-10 12:28:35 -05:00
Günther Deschner
8d786a4e2b
r23842: Attempt to fix the build with LDAP.
...
Guenther
(This used to be commit efd817ae11
)
2007-10-10 12:28:33 -05:00
Günther Deschner
34d091f1c6
r23839: Try to get the attribute name from schema GUIDs or the display name from
...
extended rights GUID from ad while dumping the security descriptor's aces.
This would perform much better with a guid cache, but for the rare cases where
it is used
net ads search cn=mymachine ntSecurityDescriptor -U user%pass
it should be ok for now.
Guenther
(This used to be commit b36913433e
)
2007-10-10 12:28:33 -05:00
Günther Deschner
b62ade20d0
r23838: Allow to store schema and config path in ADS_STRUCT config.
...
Guenther
(This used to be commit 1d5b08326f
)
2007-10-10 12:28:33 -05:00
Günther Deschner
9d6f8ed5e7
r23837: Pass ADS_STRUCT and TALLOC_CTX down to ads_disp_sd.
...
Guenther
(This used to be commit ad0a6d5703
)
2007-10-10 12:28:32 -05:00
Günther Deschner
f05dcab9bf
r23836: Add ads_config_path() and ads_get_extended_right_name_by_guid().
...
Guenther
(This used to be commit 4d62f1191b
)
2007-10-10 12:28:32 -05:00
Günther Deschner
fd8dc4b561
r23835: Pass down a struct GUID to ads_get_attrname_by_guid() directly.
...
Guenther
(This used to be commit a4d5206d0b
)
2007-10-10 12:28:32 -05:00
Günther Deschner
c252b04abf
r23834: Allow to pass an ADS_STRUCT pointer down to the dump function callback in
...
libads.
Guenther
(This used to be commit 311bbbafa6
)
2007-10-10 12:28:32 -05:00
Günther Deschner
c8e23e4091
r23833: Document ads_find_samaccount().
...
Guenther
(This used to be commit 3effd1c346
)
2007-10-10 12:28:31 -05:00
Günther Deschner
e7705f9eb9
r23829: Add ads_get_attrname_by_guid().
...
Guenther
(This used to be commit a84fd83006
)
2007-10-10 12:28:31 -05:00
Günther Deschner
1c957f9559
r23826: Fix gpo security filtering by matching the security descriptor aces for the
...
extended apply group policy right.
Guenther
(This used to be commit d832014a6f
)
2007-10-10 12:28:31 -05:00
Günther Deschner
6d0141c17e
r23820: Display security_ace_object in LDAP security descriptors for debugging.
...
Guenther
(This used to be commit 3925e85812
)
2007-10-10 12:28:30 -05:00
Andrew Tridgell
153cfb9c83
r23801: The FSF has moved around a lot. This fixes their Mass Ave address.
...
(This used to be commit 87c91e4362
)
2007-10-10 12:28:27 -05:00
Andrew Tridgell
5e54558c6d
r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text
...
(This used to be commit b0132e94fc
)
2007-10-10 12:28:22 -05:00
Jeremy Allison
d824b98f80
r23779: Change from v2 or later to v3 or later.
...
Jeremy.
(This used to be commit 407e6e695b
)
2007-10-10 12:28:20 -05:00
Günther Deschner
221d06d6f3
r23772: Add ads_find_samaccount() helper function.
...
Guenther
(This used to be commit 6fafa64bea
)
2007-10-10 12:23:55 -05:00
Günther Deschner
8ead92f06d
r23654: Remove misleading inline comment.
...
Guenther
(This used to be commit a3441c22b3
)
2007-10-10 12:23:42 -05:00
Günther Deschner
110e420196
r23651: Always, always, always compile before commit...
...
Guenther
(This used to be commit accb40446a
)
2007-10-10 12:23:41 -05:00
Günther Deschner
3b1956f9d2
r23650: Fix remaining callers of krb5_kt_default().
...
Guenther
(This used to be commit b9d7a2962a
)
2007-10-10 12:23:41 -05:00
Günther Deschner
a248672932
r23649: Fix the build (by moving smb_krb5_open_keytab() to clikrb5.c).
...
Guenther
(This used to be commit 19020d19dc
)
2007-10-10 12:23:41 -05:00
Günther Deschner
a2618aa8d5
r23648: Allow to list a custom krb5 keytab file with:
...
net ads keytab list /path/to/krb5.keytab
Guenther
(This used to be commit a2befee3f2
)
2007-10-10 12:23:41 -05:00
Günther Deschner
6fff735da0
r23647: Use smb_krb5_open_keytab() in smbd as well.
...
Guenther
(This used to be commit d22c0d291e
)
2007-10-10 12:23:41 -05:00
Günther Deschner
df63172ad9
r23646: Generalize our internal keytab handling to support a broader range of default
...
keytabnames (like "ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab"). This also
fixes keytab support with Heimdal (which supports the WRFILE pragma as well
now).
Guenther
(This used to be commit 7ca002f4cc
)
2007-10-10 12:23:40 -05:00
Günther Deschner
47bd42ab1c
r23607: Add legacy support for Services for Unix (SFU) 2.0.
...
Guenther
(This used to be commit 11b390309b
)
2007-10-10 12:23:35 -05:00
Jeremy Allison
5a80fa5c0c
r23514: Remove unused function ads_get_dn_from_extended_dn().
...
Jeremy.
(This used to be commit 03763bc528
)
2007-10-10 12:23:24 -05:00
Gerald Carter
b4a39dc10e
r23477: Build farm fix: Use int rather than MIT's krb5_int32 when setting context flags.
...
(This used to be commit 903145e957
)
2007-10-10 12:23:19 -05:00
Gerald Carter
4caefdf348
r23474: Here's a small patch that disables the libkrb5.so replay cache
...
when verifying a ticket from winbindd_pam.c.
I've found during multiple, fast, automated SSH logins (such
as from a cron script) that the replay cache in MIT's krb5
lib will occasionally fail the krb5_rd_req() as a replay attack.
There seems to be a small window during which the MIT krb5
libs could reproduce identical time stamps for ctime and cusec
in the authenticator since Unix systems only give back
milli-seconds rather than the micro-seconds needed by the
authenticator. Checked against MIT 1.5.1. Have not
researched how Heimdal does it.
My thinking is that if someone can spoof the KDC and TDS
services we are pretty hopeless anyways.
(This used to be commit cbd33da9f7
)
2007-10-10 12:23:19 -05:00
Gerald Carter
3272b1dd60
r23251: whoops! Fix compile error
...
(This used to be commit 22a3ea40ac
)
2007-10-10 12:22:59 -05:00
Jeremy Allison
ad5ff1b809
r23147: Patch #4566 from jacob berkman <jberkman@novell.com>. Pass password data to krb5_prompter.
...
Jeremy.
(This used to be commit 232fc5d69d
)
2007-10-10 12:22:48 -05:00
Jeremy Allison
71ee55f98d
r23080: Fix bug #4637 - we had missed some cases where
...
we were calling PRS_ALLOC_MEM with zero count.
Jeremy.
(This used to be commit 9a10736e6f
)
2007-10-10 12:22:43 -05:00
Michael Adam
2753d30cbe
r22893: Use ldap_rename_s instead of deprecated ldap_rename2_s.
...
This fixes the build on solaris (host sun9).
And hopefully doesn't break any other builds... :-)
If it does, we need some configure magic.
Thanks to Björn Jacke <bj@sernet.de>.
(This used to be commit a43775ab36
)
2007-10-10 12:22:05 -05:00
Volker Lendecke
b4a7b7a888
r22844: Introduce const DATA_BLOB data_blob_null = { NULL, 0, NULL }; and
...
replace all data_blob(NULL, 0) calls.
(This used to be commit 3d3d61687e
)
2007-10-10 12:22:01 -05:00
Günther Deschner
83564b43e3
r22800: Add GPO_SID_TOKEN and an LDAP function to get tokensids from the tokenGroup attribute.
...
Guenther
(This used to be commit e4e8f84060
)
2007-10-10 12:21:59 -05:00
Günther Deschner
75a0171857
r22799: Fix the build.
...
Guenther
(This used to be commit 6e911c442b
)
2007-10-10 12:21:59 -05:00
Günther Deschner
46c5da2fd6
r22798: Add the "apply group policy" access bit (as seen in type 0x05 ALLOWED OBJECT
...
ACEs).
Guenther
(This used to be commit e138cbc876
)
2007-10-10 12:21:58 -05:00
Günther Deschner
9c170fce26
r22797: We are only interested in the DACL of the security descriptor, so search with
...
the SD_FLAGS control.
Guenther
(This used to be commit 648df57e53
)
2007-10-10 12:21:57 -05:00
Gerald Carter
3eca3af1bc
r22728: Patch from Danilo Almeida <dalmeida@centeris.com>:
...
When asked to create a machine account in an OU as part
of "net ads join" and the account already exists in another
OU, simply move the machine object to the requested OU.
(This used to be commit 3004cc6e59
)
2007-10-10 12:21:51 -05:00
Gerald Carter
89fd4444af
r22714: Prevent DNS lookup storms when the DNS servers are unreachable.
...
Helps when transitioning from offline to online mode.
Note that this is a quick hack and a better solution
would be to start the DNS server's state between processes
(similar to the namecache entries).
(This used to be commit 4f05c6fe26
)
2007-10-10 12:21:49 -05:00
Gerald Carter
8ff276fcb0
r22701: Fix the krb5_nt_status error table and add the "no DCs found" mapping
...
(This used to be commit 2ab617fbbf
)
2007-10-10 12:21:47 -05:00
Günther Deschner
e468268335
r22666: Expand kerberos_kinit_password_ext() to return NTSTATUS codes and make
...
winbindd's kerberized pam_auth use that.
Guenther
(This used to be commit 0f436eab5b
)
2007-10-10 12:19:54 -05:00
Günther Deschner
116c1532e7
r22664: When we have krb5_get_init_creds_opt_get_error() then try to get the NTSTATUS
...
codes directly out of the krb5_error edata.
Guenther
(This used to be commit dcd902f24a
)
2007-10-10 12:19:53 -05:00
Günther Deschner
6288491e90
r22663: Restructure kerberos_kinit_password_ext() error path.
...
Guenther
(This used to be commit 997ded4e3f
)
2007-10-10 12:19:53 -05:00
Jeremy Allison
56a5d05b8b
r22590: Make TALLOC_ARRAY consistent across all uses.
...
That should be it....
Jeremy.
(This used to be commit 603233a98b
)
2007-10-10 12:19:49 -05:00
Jeremy Allison
be8b0685a5
r22589: Make TALLOC_ARRAY consistent across all uses.
...
Jeremy.
(This used to be commit 8968808c3b
)
2007-10-10 12:19:49 -05:00
Günther Deschner
1ee9650a1d
r22479: Add "net ads keytab list".
...
Guenther
(This used to be commit 9ec76c5427
)
2007-10-10 12:19:37 -05:00
Günther Deschner
56f6336fd4
r22460: Adding a generic ads_ranged_search() function.
...
Guenther
(This used to be commit b8828ea251
)
2007-10-10 12:19:35 -05:00
Günther Deschner
8040fec0ac
r22459: Adding ads_get_dn_from_extended_dn(), in preparation of making ranged LDAP
...
queries more generic. Michael, feel free to overwrite these and the following.
Guenther
(This used to be commit 0475b8eea9
)
2007-10-10 12:19:35 -05:00
Stefan Metzmacher
78c57f59ac
r22153: fix LDAP SASL "GSSAPI" bind against w2k3, this isn't critical
...
because we try "GSS-SPNEGO" first and all windows versions support
that.
metze
(This used to be commit 34a5badbde
)
2007-10-10 12:19:17 -05:00
Jeremy Allison
725fcf3461
r22112: Fix memleak pointed out by Steven Danneman <steven.danneman@isilon.com>.
...
Jeremy.
(This used to be commit 7c45bd3a47
)
2007-10-10 12:19:14 -05:00
Stefan Metzmacher
eceb926df9
r22092: - make spnego_parse_auth_response() more generic and
...
not specific for NTLMSSP
- it's possible that the server sends a mechOID and authdata
if negResult != SPNEGO_NEG_RESULT_INCOMPLETE, but we still
force the mechOID to be present if negResult == SPNEGO_NEG_RESULT_INCOMPLETE
metze
(This used to be commit e9f2aa22f9
)
2007-10-10 12:19:10 -05:00