1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

1039 Commits

Author SHA1 Message Date
Günther Deschner
b0ea179734 s3-kerberos: use KRB5_KT_KEY compat macro.
Guenther
2009-02-03 15:32:47 +01:00
Günther Deschner
3367812df6 s3-kerberos: fix ads_dedicated_keytab_verify_ticket with heimdal.
Guenther
2009-02-03 15:32:47 +01:00
Günther Deschner
1318fe8c60 Revert "fix for commit d96248a9b4 which broke Heimdal builds"
This does not build.

This reverts commit af736923a5.
2009-02-03 15:32:47 +01:00
Björn Jacke
af736923a5 fix for commit d96248a9b4 which broke Heimdal builds 2009-02-02 09:41:01 -08:00
Dan Sledz
d96248a9b4 Add two new parameters to control how we verify kerberos tickets. Removes lp_use_kerberos_keytab parameter.
The first is "kerberos method" and replaces the "use kerberos keytab"
with an enum.  Valid options are:
secrets only - use only the secrets for ticket verification (default)
system keytab - use only the system keytab for ticket verification
dedicated keytab - use a dedicated keytab for ticket verification.
secrets and keytab - use the secrets.tdb first, then the system keytab

For existing installs:
"use kerberos keytab = yes" corresponds to secrets and keytab
"use kerberos keytab = no" corresponds to secrets only

The major difference between "system keytab" and "dedicated keytab" is
that the latter method relies on kerberos to find the correct keytab
entry instead of filtering based on expected principals.

The second parameter is "dedicated keytab file", which is the keytab
to use when in "dedicated keytab" mode.  This keytab is only used in
ads_verify_ticket.
2009-02-01 20:23:31 -08:00
Michael Adam
27408de533 s3: fix bug #6073: prevent ads_connect() from using SSL unless explicitly requested
This fixes "net ads join".
It copes with the changed default "ldap ssl = start tls".
A new boolean option "ldap ssl : ads" is added to allow for
explicitly requesting ssl with  ads.

Michael
2009-01-29 13:23:06 +01:00
Gerald (Jerry) Carter
073e9f42f0 ads_connect: Return immediately on a failed GC connection.
ads_connect_gc() feeds an explicit server to ads_connect().  However, if the
resulting connection fails, the latter function was attempting to find a DC
on its own and continuing the connection.  This resulting in GC searches being
sent over a connection using port 389 which would fail when using the base
search suffix outside of the domain naming context.

The fix is to fail immediately in ads_connect() since the GC lookup ordering
is handled already in ads_connect_gc().
2009-01-16 12:15:33 -06:00
Michael Adam
0b87f210f1 s3:libads: use lock_path for creating paths to local krb5.conf files
instead of manually doing an asprintf with lp_lockdir()

Michael

squash
2009-01-16 01:02:22 +01:00
Michael Adam
37c77643f9 s3:libads: give create_local_private_krb5_conf_for_domain() a common exit point
Michael
2009-01-16 01:02:22 +01:00
Volker Lendecke
19b783cce9 Async wrapper for open_socket_out_send/recv 2009-01-04 16:42:40 +01:00
Volker Lendecke
fafb9ecc61 open_socket_out is always used with SOCK_STREAM, remove argument "type" 2009-01-03 19:22:06 +01:00
Volker Lendecke
d99aeed50f Replace a static variable and alarm() calls by using sys_select()
Günther, please check!
2008-12-31 19:33:26 +01:00
Volker Lendecke
608910d40b Fix some nonempty blank lines 2008-12-31 19:33:26 +01:00
Jeremy Allison
9eab2bfaf1 Fix more "ignore return value" warnings from gcc 4.3.
Jeremy
2008-12-30 18:24:39 -08:00
Jeremy Allison
d0eeb9aa8d Fix more asprintf warnings and some error path errors.
Jeremy.
2008-12-23 12:11:12 -08:00
Jeremy Allison
1966a947d3 More asprintf warning fixes.
Jeremy.
2008-12-23 11:56:48 -08:00
Jeremy Allison
94df767f21 More asprintf warning fixes.
Jeremy.
2008-12-23 11:45:26 -08:00
Jeremy Allison
b143938b8a Fix more asprintf errors and error code paths.
Jeremy.
2008-12-23 11:27:19 -08:00
Stefan Metzmacher
17efebde11 s3:libads/ldap.c: store the dc name in the saf cache as in all other places
metze

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 543fa85a71)
2008-12-13 11:42:36 +01:00
Stefan Metzmacher
a8040d5965 s3:libads/ldap.c: if the client belongs to no site at all any dc is the closest
metze

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
(cherry picked from commit f86ef9b53a)
2008-12-13 11:42:36 +01:00
Stefan Metzmacher
2f27ffc4a2 s3:libads/ldap.c: pass the real workgroup name to get_dc_name()
metze

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
(cherry picked from commit c2d4a84abe)
2008-12-13 11:42:36 +01:00
Stefan Metzmacher
7f779450cb s3: libads: use get_dc_name() instead of get_sorted_dc_list() in the LDAP case
We use get_dc_name() for LDAP because it generates the selfwritten
krb5.conf with the correct kdc addresses and sets KRB5_CONFIG.

For CLDAP we need to use get_sorted_dc_list() to avoid recursion.

metze

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
(cherry picked from commit d2f7f81f4d)
2008-12-13 11:42:34 +01:00
Stefan Metzmacher
588f5aae66 s3: correctly detect if the current dc is the closest one
ads->config.tried_closest_dc was never set.

metze

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
(cherry picked from commit dfe5b00db3)
2008-12-13 11:42:22 +01:00
Tim Prouty
1eb743ab8e s3: Change sockaddr util function names for consistency
Also eliminates name conflicts with OneFS system libraries
2008-12-03 10:40:20 -08:00
Günther Deschner
c554080dd9 s3-net: allow to list a keytab generated using net rpc vampire.
Guenther
2008-12-02 12:59:22 +01:00
Stefan Metzmacher
26461a72da s3:libads/ldap.c: return an error instead of crashing when no realm is given
The bug was triggered by "net ads info -S 127.8.7.6" (where 127.8.7.6 doesn't ex
and "disable netbios = yes".

metze

Signed-off-by: Michael Adam <obnox@samba.org>
2008-11-24 15:23:50 +01:00
Steven Danneman
6d59be1e6d Fix extended DN parse error when AD object does not have a SID.
Some AD objects, like Exchange Public Folders, can be members of Security
Groups but do not have a SID attribute.  This patch adds more granular return
errors to ads_get_sid_from_extended_dn().  Callers can now determine if a parse
error occured because of bad input, or the DN was valid but contained no SID.

I updated all callers to ignore SIDless objects when appropriate.

Also did some cleanup to the out paths of lookup_usergroups_memberof()
2008-11-18 13:02:21 -08:00
Steven Danneman
9a7900fb38 Whitespace and >80 column cleanups. 2008-11-18 13:02:20 -08:00
Jelmer Vernooij
ddcab787c4 Rename dos_errstr() to win_errstr() for consistency with Samba 4. 2008-11-01 17:19:26 +01:00
Jelmer Vernooij
d6a5476ee7 Use sockaddr_storage only where we rely on the size, use sockaddr
otherwise (to clarify we can also pass in structs smaller than
sockaddr_storage, such as sockaddr_in).
2008-10-23 19:53:15 +02:00
Günther Deschner
c0cf457c85 s3-asn1: make all of s3 asn1 code do a proper asn1_init() first.
Guenther
2008-10-22 21:37:36 +02:00
Günther Deschner
d9f1fff5b3 s3: use shared asn1 code.
Guenther
2008-10-22 21:37:36 +02:00
Günther Deschner
4b59ecb903 s3-build: no need to duplicate generated ndr_ prototypes.
Guenther
2008-10-20 19:47:00 +02:00
Jelmer Vernooij
7275952568 Add TALLOC_CTX pointer to generate_random_str(), for consistency with
Samba 4.
2008-10-19 10:05:48 +02:00
Günther Deschner
e9e1246021 kerberos: fix some heimdal build warnings.
Guenther
2008-10-15 21:43:50 +02:00
Jelmer Vernooij
1f3e4f39c5 Use GUID_string rather than smb_uuid_string(). 2008-10-14 02:26:18 +02:00
Günther Deschner
d5a11f9679 fix build warnings.
Guenther
2008-10-13 00:40:57 +02:00
Jelmer Vernooij
218f482fbf Use common strlist implementation in Samba 3 and Samba 4. 2008-10-12 00:56:56 +02:00
Jelmer Vernooij
cb78d4593b Cope with changed signature of http_timestring(). 2008-10-11 23:57:44 +02:00
Volker Lendecke
80665a0b5a Fix an unlikely memleak found by the IBM checker 2008-10-04 22:19:11 +02:00
Volker Lendecke
9eea6929e3 Fix an uninitialized variable found by the IBM Checker 2008-10-04 22:15:03 +02:00
Volker Lendecke
af1c802791 The IRIX compiler does not like embedded unnamed unions 2008-10-02 08:09:25 +02:00
Günther Deschner
f07431f5ba s3-nbt: use the new generated nbt.
Guenther
2008-09-24 03:34:23 +02:00
Günther Deschner
de54bac54c s3: fix NETLOGON_NT_VERSION version flags.
Guenther
2008-09-23 23:20:10 +02:00
Günther Deschner
c48186f507 s3: use samba4 prototype for ndr_push/pull_struct_blob.
Guenther
2008-09-23 09:37:23 +02:00
Gerald (Jerry) Carter
28d2683903 * Allow an admin to define the "uid" attribute for a RFC2307
user object in AD to be the username alias.

For example:

  $ net ads search "(uid=coffeedude)"
  distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
  sAMAccountName: gcarter
  memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
  memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
  memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
  memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
  uid: coffeedude
  uidNumber: 10000
  gidNumber: 10000
  unixHomeDirectory: /home/gcarter
  loginShell: /bin/bash

  $ ssh coffeedude@192.168.56.91
  Password:

  coffeedude@orville:~$ id
  uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)

  $ getent passwd PINK\\gcarter
  coffeedude:*:10000:10000::/home/gcarter:/bin/bash

  $ getent passwd coffeedude
  coffeedude:*:10000:10000::/home/gcarter:/bin/bash

  $ getent group PINK\\Unixusers
  PINK\unixusers10000:coffeedude
2008-09-16 10:35:21 -07:00
Günther Deschner
862ff66da9 kerberos: fix indent of enc type lines in generated krb5.conf files.
Guenther
(This used to be commit 18a26f08b6)
2008-09-04 15:17:57 +02:00
Günther Deschner
bff20e14c3 kerberos: use KRB5_KT_KEY macro where appropriate.
Guenther
(This used to be commit a042dffd71)
2008-08-29 11:01:34 +02:00
Günther Deschner
825f06c3f9 libads: remove unused vars.
Guenther
(This used to be commit ea9fc3bea3)
2008-08-20 22:07:40 +02:00
Jeremy Allison
d701d23b60 Fix uninitialized variables.
Jeremy.
(This used to be commit 1db7e00a54)
2008-07-30 16:06:30 -07:00
Günther Deschner
c11fb13864 kerberos: make smb_krb5_kt_add_entry() static.
Guenther
(This used to be commit 04b1847f87)
2008-07-18 16:42:55 +02:00
Volker Lendecke
d3def9a18c Revert "Pass NULL to gencache_get when we are not interested in the timeout value"
This reverts commit 16062dfc3d.
(This used to be commit 114ca85775)
2008-07-11 17:53:25 +02:00
Volker Lendecke
962beb2872 Pass NULL to gencache_get when we are not interested in the timeout value
(This used to be commit 16062dfc3d)
2008-07-03 15:17:58 +02:00
Günther Deschner
16e44ee112 kerberos: allow to keep entries with old kvno's while creating keytab.
Guenther
(This used to be commit 6194244bd9)
2008-06-30 12:38:40 +02:00
Günther Deschner
52635c6f58 kerberos: rename smb_krb5_kt_add_entry to smb_krb5_kt_add_entry_ext.
Guenther
(This used to be commit 48600a0019)
2008-06-30 12:38:32 +02:00
Gerald W. Carter
893e3522fc Return NULL in sitename_fetch() if gencache_init() fails. Not false
(This used to be commit 8704c2ab37)
2008-06-28 09:36:30 -04:00
Gerald W. Carter
9ff1ffcbee libads: Add API call to connect to a global catalog server.
Extends ads_connect() to a new call ads_connect_gc() which connects on port
3268 rather than port 389.  Also makes ads_try_connect() static and
only used internally to ldap.c
(This used to be commit f4c37dbe2c)
2008-06-27 10:26:11 -04:00
Günther Deschner
7b1f015675 libads: add ads_connect_user_creds() that won't overwrite given user creds.
Guenther
(This used to be commit 026018c9f1)
2008-06-24 23:37:49 +02:00
Günther Deschner
6b4b76c40e libads: add ADS_AUTH_USER_CREDS to avoid magic overwriting of usernames.
Guenther
(This used to be commit b5aaf5aa0f)
2008-06-24 23:37:40 +02:00
Günther Deschner
0ac8c5d49a kerberos: make smb_krb5_kt_add_entry public, allow to pass keys without salting them.
Guenther
(This used to be commit 7c4da23be1)
2008-06-24 23:34:05 +02:00
Günther Deschner
0447e6a0a7 libads: add ads_get_machine_kvno() to make ads_get_kvno() a bit more generic.
Guenther
(This used to be commit cb7ace209c)
2008-06-17 19:54:09 +02:00
Günther Deschner
3688eeafa3 libads: fix logic error in ads_get_kvno().
Guenther
(This used to be commit 132b038581)
2008-06-17 19:51:14 +02:00
Volker Lendecke
aaa2a4f447 Revert "Fix a memleak in ads_find_dc() in case get_sorted_dc_list() fails"
This reverts commit df8d089bc6.
(This used to be commit 342f885820)
2008-06-17 12:20:54 +02:00
Günther Deschner
21e759ef64 mailslot: always pull a command 25 type reply.
Guenther
(This used to be commit 1ce726b951)
2008-06-05 19:09:30 +02:00
Volker Lendecke
d261e16cfd Fix a memleak in ads_find_dc() in case get_sorted_dc_list() fails
This is really not a proper place to fix this, but as get_gc_list() and friends
are about to be replaced anyway, just work around the broken existing API
(This used to be commit df8d089bc6)
2008-06-05 10:56:18 +02:00
Marc VanHeyningen
ad00ecd358 Tiny memory leak
(This used to be commit e7f76a0c65)
2008-05-29 14:26:50 -07:00
Jeremy Allison
d5d4a9511d Memory leak fixes from Chere Zhou <czhou@isilon.com>.
Jeremy.
(This used to be commit 201bcc8ed2)
2008-05-27 12:27:57 -07:00
Tim Prouty
fb37f15600 Cleanup size_t return values in callers of convert_string_allocate
This patch is the second iteration of an inside-out conversion to cleanup
functions in charcnv.c returning size_t == -1 to indicate failure.
(This used to be commit 6b189dabc5)
2008-05-20 22:40:13 +02:00
root
fc3e6851d3 Fix some comments to match get_kdc_ip_string()'s behaviour
(This used to be commit 30956c784f)
2008-05-19 12:08:52 +02:00
Günther Deschner
eeb126a379 libads/cldap: store client sitename also keyed by dns domain name.
Guenther
(This used to be commit 0388b2f0cc)
2008-05-15 16:38:32 +02:00
Günther Deschner
847d385f7b Fix Bug #5465 (joining with createcomputer=ou1/ou2/ou3).
Guenther
(This used to be commit f3251ba03a)
2008-05-14 23:53:23 +02:00
Günther Deschner
d59cf703ba dsgetdcname: make use of nbt_cldap_netlogon_15.
Guenther
(This used to be commit 5b0eda98f3)
2008-05-09 17:41:50 +02:00
Günther Deschner
4bd94c8338 cldap: move out cldap object to fix the build.
Guenther
(This used to be commit 56be9c98d2)
2008-05-09 14:59:19 +02:00
Günther Deschner
cdd9913c4a cldap: let ads_cldap_netlogon() return all possible cldap replies.
Guenther
(This used to be commit 6f9d5e1cc9)
2008-05-09 14:59:18 +02:00
Günther Deschner
1f6065765c mailslot/cldap: use nt_version bits in queries.
Guenther
(This used to be commit b261f06312)
2008-05-06 09:41:41 +02:00
Gerald W. Carter
43c079ef26 BUG 5107: Fix handling of large DNS replies on AIX and Solaris.
On AIX, Solaris, and possibly some older glibc systems (e.g. SLES8)
truncated replies never give back a resp_len > buflen
which ends up causing DNS resolve failures on large tcp DNS replies.

Also add more debug lines about processing the DNS reply.
(This used to be commit 5ed9b92097)
2008-04-30 09:57:15 -05:00
Steven Danneman
778a5414b1 Fix bug 5419: memory leak in ads_do_search_all_args() when enumerating 1000s of entries
The ads_do_search_all_args() function attempts to string together several
LDAPMessage structures, returned across several paged ldap requests, into a
single LDAPMessage structure.  It does this by pulling entries off the second
LDAPMessage structure and appending them to the first via the OpenLDAP specific
ldap_add_result_entry() call.

The problem with this approach is it skips non-entry messages such as the
result, and controls.  These messages are leaked.

The short term solution as suggested by Volker is to replace the ads_*_entry()
calls with ads_*_message() calls so we don't leak any messages.

This fixes the leak but doesn't remove the dependence on the OpenLDAP specific
implementation of ldap_add_result_entry().
(This used to be commit f1a5405409)
2008-04-26 08:11:20 -07:00
Volker Lendecke
862d7e32b9 Move user/domain from rpc_pipe_client to cli_pipe_auth_data
(This used to be commit 42de50d2cd)
2008-04-25 11:12:50 +02:00
Günther Deschner
bcbac69d1a cldap: avoid duplicate definitions so remove ads_cldap.h.
Guenther
(This used to be commit 538eefe22a)
2008-04-21 20:21:40 +02:00
Günther Deschner
1dd7ab38e7 cldap: add talloc context to ads_cldap_netlogon().
Guenther
(This used to be commit 4cee7b1bd5)
2008-04-21 20:21:40 +02:00
Günther Deschner
ba98dd4989 libads: Use libnbt for CLDAP reply parsing.
Guenther
(This used to be commit 751f3064a5)
2008-04-21 20:21:39 +02:00
Volker Lendecke
cf2442bdcb Use rpc_pipe_client->user_name instead of rpc_pipe_client->cli->user_name
Also make sure that rpc_pipe_client->user_name is always talloced.
(This used to be commit 3f6c5b9966)
2008-04-20 00:14:40 +02:00
Volker Lendecke
4c857010e7 Fix two "ignoring asprintf result" warnings
(This used to be commit 1d261e78b3)
2008-04-20 00:13:39 +02:00
Volker Lendecke
2a2188591b Add "desthost" to rpc_pipe_client
This reduces the dependency on cli_state
(This used to be commit 783afab9c8)
2008-04-20 00:13:09 +02:00
Karolin Seeger
8d7c7c674a Fix typo.
Karolin
(This used to be commit 42fbbeb1ca)
2008-04-10 08:38:54 +02:00
Karolin Seeger
a8124367b4 Fix typos.
Karolin
(This used to be commit 6cee347035)
2008-04-09 16:14:04 +02:00
Günther Deschner
33a3766f03 Add ads_check_ou_dn().
Guenther
(This used to be commit 380e9d26db)
2008-03-28 16:43:59 +01:00
Volker Lendecke
1b26a7ea6d Fix Coverity ID 488
"status" was used uninitialized on success -- metze, please check
(This used to be commit a0859529c8)
2008-03-23 19:44:55 +01:00
Volker Lendecke
561fb9daa4 Fix Coverity ID 487
(This used to be commit 22cee9c1af)
2008-03-23 19:44:55 +01:00
Marc VanHeyningen
e06aa46b9f Coverity fixes
(This used to be commit 3fc85d2259)
2008-03-17 20:52:25 +01:00
Volker Lendecke
1ebfc66b2c Use a separate tdb for mutexes
Another preparation to convert secrets.c to dbwrap: The dbwrap API does not
provide a sane tdb_lock_with_timeout abstraction. In the clustered case the DC
mutex is needed per-node anyway, so it is perfectly fine to use a local mutex
only.
(This used to be commit f94a63cd8f)
2008-03-10 21:08:45 +01:00
Volker Lendecke
87805819f1 Fix Coverity ID 551
Correctly return if we can't create the temporary krb5.conf

Jeremy, please check!
(This used to be commit c2401811aa)
2008-03-08 23:48:12 +01:00
Günther Deschner
7269a504fd Add my copyright.
Guenther
(This used to be commit d078a87571)
2008-02-27 19:38:48 +01:00
Volker Lendecke
3176392878 Fix some warnings
warning: ignoring return value of 'asprintf', declared with attribute warn_unused_result
(This used to be commit ad37b7b0ae)
2008-02-25 16:09:26 +01:00
Günther Deschner
965774fa8f Fix some more callers of PAC_DATA.
Guenther
(This used to be commit ea609d1b0e)
2008-02-17 02:12:00 +01:00
Günther Deschner
3ea40eda94 Some more cleanup in authdata.c.
Guenther
(This used to be commit 5483f5fb44)
2008-02-17 02:11:59 +01:00
Günther Deschner
86843631a2 Align our krb5 PAC decoding routines to the samba4 ones.
(while keeping all the trans krb5 lib support)

Guenther
(This used to be commit c06e507737)
2008-02-17 02:11:59 +01:00
Volker Lendecke
b361956942 str_list_free is not needed anymore
(This used to be commit feddc1447d)
2008-02-04 21:05:41 +01:00
Volker Lendecke
2762b9a975 Always pass a TALLOC_CTX to str_list_make and str_list_copy
(This used to be commit e2c9fc4cf5)
2008-02-04 20:57:49 +01:00
Günther Deschner
6c764172e5 When running with debug level > 10, dump ads_struct in ads_connect().
Guenther
(This used to be commit 2dd7c64fa8)
2008-01-31 11:05:25 +01:00
Günther Deschner
7cab0f5c0c Fix the build. Avoid unrequired ndr_print_ads_struct dependencies.
Guenther
(This used to be commit c832882e49)
2008-01-29 15:17:02 +01:00
Gerald W. Carter
c0c93dc2ba Restrict the enctypes in the generated krb5.conf files to Win2003 types.
This fixes the failure observed on FC8 when joining a Windows 2008 RC1
domain.  We currently do not handle user session keys correctly
when the KDC uses AES in the ticket replies.
(This used to be commit 8039a2518c)
2008-01-28 11:32:09 -06:00
Volker Lendecke
587cf54c61 strtok -> strtok_r
(This used to be commit fd34ce4370)
2008-01-23 15:08:04 +01:00
Günther Deschner
a92eb76688 Finally enable pidl generated SAMR & NETLOGON headers and clients.
Guenther
(This used to be commit f7100156a7)
2008-01-17 16:54:46 +01:00
Jeremy Allison
70426bdd30 Tidy up code and debug for non-default krb5 IPv6 port.
Jeremy.
(This used to be commit 79b7972de4)
2008-01-16 13:28:24 -08:00
Jeremy Allison
bd8abea49f Fix IPv6 bug #5204, which caused krb5 DNS lookups
for a name '[<ipv6 addr>'.
Jeremy.
(This used to be commit f2aa921505)
2008-01-16 13:21:46 -08:00
Günther Deschner
fbcc7820c6 Fix memleak in ads_build_path().
Guenther
(This used to be commit b7a06b54e0)
2008-01-16 16:06:15 +01:00
Günther Deschner
a32cca7f37 Print principal in debug statement in kerberos_kinit_password() as well.
Guenther
(This used to be commit 44d67e8462)
2008-01-14 18:39:08 +01:00
Jeremy Allison
43717a16e2 Fix CID 476. Ensure a valid pac_data pointer is always passed to
ads_verify_ticket as it's always derefed.
Jeremy.
(This used to be commit 0599d57eff)
2008-01-11 23:53:27 -08:00
Jeremy Allison
866af9a800 Coverity 512, uninitialized var.
Jeremy.
(This used to be commit 1b7cc80c61)
2008-01-11 23:43:33 -08:00
Günther Deschner
f89fa0a6f8 Do not ignore provided machine_name in ads_get_upn().
Guenther
(This used to be commit ddc1307844)
2008-01-08 14:07:01 +01:00
Michael Adam
4aba7475ef Re-Indent function ldap_open_with_timeout().
This reverts commit #cafda34783f0961c9b463803c19cfcb69f836e3f .

I just learned (the hard way) that these indeted functions
are not indented by accident but that the intention of this
is to not include the prototype into proto.h.

Michael
(This used to be commit 2e5d01b214)
2008-01-04 22:56:10 +01:00
Michael Adam
b54310cbaa Add a debug message (when the LDAP server has really been connected).
Michael
(This used to be commit 7d9d2de390)
2008-01-04 22:09:36 +01:00
Michael Adam
2cb68e3898 Untangle assignment and result check.
Michael
(This used to be commit 465a3b356c)
2008-01-04 22:09:36 +01:00
Michael Adam
34e579fce5 Enhance DEBUG-verbosity of ldap_open_with_timeout().
Michael
(This used to be commit 9e70d1f24d)
2008-01-04 22:09:36 +01:00
Michael Adam
4ad3464fb9 Unindent function header.
Michael
(This used to be commit cafda34783)
2008-01-04 22:09:35 +01:00
Michael Adam
3f42428f9b Fix a misleading DEBUG message.
At this stage, the (tcp) connection to the LDAP server has not
been established, this is what is about to be attempted. What
has been succesfully done, is a CLDAP netlogon query.

Michael
(This used to be commit 71c3c8ad4c)
2008-01-04 22:09:35 +01:00
Günther Deschner
b076a7e802 Add ads_get_joinable_ous().
Guenther
(This used to be commit 5bbceac881)
2008-01-03 18:15:59 +01:00
Volker Lendecke
240391be53 Make use of [un]marshall_sec_desc
(This used to be commit 54576733d6)
2007-12-29 23:13:03 +01:00
Jeremy Allison
afc93255d1 Add SMB encryption. Still fixing client decrypt but
negotiation works.
Jeremy.
(This used to be commit d78045601a)
2007-12-26 17:12:36 -08:00
Simo Sorce
4869ccfed6 While 'data' is usually 0 terminated, nothing in the spec requires that. The correct way is to copy only 'length' bytes.
Simo.
(This used to be commit 814c1b0e00)
2007-12-17 15:26:08 -05:00
Volker Lendecke
d365a43785 make use of unmarshall_sec_desc
(This used to be commit ced0c42f05)
2007-12-16 14:15:16 +01:00
Jeremy Allison
8e86b7bb65 Doh, fix typo in error exit.
Jeremy.
(This used to be commit 44918f39c0)
2007-12-15 23:32:28 -08:00
Jeremy Allison
5dbc4a23bc Added patch originally by Andreas Schneider <anschneider@suse.de>
to cause us to behave like Vista when looking for remote
machine principal. Modified by me.
Jeremy.
(This used to be commit d0e33840fb)
2007-12-15 23:22:25 -08:00
Volker Lendecke
2e07c2ade8 s/sid_to_string/sid_to_fstring/
least surprise for callers
(This used to be commit eb523ba776)
2007-12-15 22:47:30 +01:00
Volker Lendecke
14ef4cdec1 Replace sid_string_static with sid_to_string
This adds 28 fstrings on the stack, but I think an fstring on the stack is
still far better than a static one.
(This used to be commit c7c885078b)
2007-12-15 22:09:37 +01:00
Volker Lendecke
54ae9dfcbc Use sid_string_talloc where we have a tmp talloc ctx
(This used to be commit 0a911d38b8)
2007-12-15 22:09:36 +01:00
Volker Lendecke
900288a2b8 Replace sid_string_static by sid_string_dbg in DEBUGs
(This used to be commit bb35e794ec)
2007-12-15 22:09:36 +01:00
Michael Adam
d8ac0cecae Remove an incredible amount of whitespace.
Sorry - could not resist. Michael
(This used to be commit 1000c98eae)
2007-12-06 14:08:54 +01:00
Stefan Metzmacher
8fd3a7c43e libads: fix typo
metze
(This used to be commit b55b19190d)
2007-12-06 09:54:19 +01:00
Volker Lendecke
78c6ee0090 Remove some globals
(This used to be commit 31d0a846db)
2007-12-05 14:39:07 +01:00
Jeremy Allison
6f46f75dfc Make strhex_to_str clear on string limits. Remove pstring from web/*.c
Jeremy.
(This used to be commit f9c8d62389)
2007-12-03 17:17:05 -08:00
Volker Lendecke
1011b32678 Remove some statics
(This used to be commit 1fab16ffb8)
2007-11-27 14:18:47 +01:00
Volker Lendecke
d5b2325fcd Remove a global
(This used to be commit 3088bc76f1)
2007-11-26 17:48:40 +01:00
Jeremy Allison
de51d3dd5f More pstring removal....
Jeremy.
(This used to be commit 809f5ab4c5)
2007-11-20 18:55:36 -08:00
Jeremy Allison
acb829ecc3 Add MAX_DNS_NAME_LENGTH, remove more pstrings.
Jeremy.
(This used to be commit a1725f4ff7)
2007-11-15 18:27:26 -08:00
Jeremy Allison
32dd016353 Fix the setup_kaddr() call to cope with IPv6.
This is the last obvious change I can see. At
this point we can start claiming IPv6 support
(Hurrah !:-).
Jeremy.
(This used to be commit bda8c0bf57)
2007-10-29 15:03:36 -07:00
Jeremy Allison
e2d0526c97 Change our DNS code to cope with AAAA records. A6 records
look like a nightmare to use, so ignore them for now.
Jeremy.
(This used to be commit 814daded90)
2007-10-29 13:34:00 -07:00
Jeremy Allison
f88b7a076b This is a large patch (sorry). Migrate from struct in_addr
to struct sockaddr_storage in most places that matter (ie.
not the nmbd and NetBIOS lookups). This passes make test
on an IPv4 box, but I'll have to do more work/testing on
IPv6 enabled boxes. This should now give us a framework
for testing and finishing the IPv6 migration. It's at
the state where someone with a working IPv6 setup should
(theorecically) be able to type :
smbclient //ipv6-address/share
and have it work.
Jeremy.
(This used to be commit 98e154c312)
2007-10-24 14:16:54 -07:00
Jeremy Allison
30191d1a57 RIP BOOL. Convert BOOL -> bool. I found a few interesting
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
(This used to be commit f35a266b3c)
2007-10-18 17:40:25 -07:00
Gerald (Jerry) Carter
e5a951325a [GLUE] Rsync SAMBA_3_2_0 SVN r25598 in order to create the v3-2-test branch.
(This used to be commit 5c6c8e1fe9)
2007-10-10 15:34:30 -05:00
Michael Adam
b12e11f29f r25422: Get rid of some cast warnings.
(This used to be commit 3e155b249e)
2007-10-10 12:31:04 -05:00
Gerald Carter
5221ebb299 r25407: Revert Longhorn join patch as it is not correct for the 3.2 tree.
The translate_name() used by cli_session_setup_spnego() cann rely
Winbindd since it is needed by the join process (and hence before
Winbind can be run).
(This used to be commit 00a93ed336)
2007-10-10 12:31:03 -05:00
Gerald Carter
3529156971 r25400: Windows 2008 (Longhorn) Interop fixes for AD specific auth2 flags,
and client fixes.  Patch from Todd Stetcher <todd.stetcher@isilon.com>.
(This used to be commit 8304ccba73)
2007-10-10 12:31:02 -05:00
Günther Deschner
3309aacc99 r25328: When using ldap sasl wrapping with gssapi it's important to receive warnings
for clock-skew errors.

Guenther
(This used to be commit 53c99d415d)
2007-10-10 12:31:00 -05:00
Jeremy Allison
ab9d7bf4f9 r25165: Use talloc_asprintf_append_buffer with an unmodified
string.
Jeremy.
(This used to be commit fe30a523df)
2007-10-10 12:30:47 -05:00
Günther Deschner
1874c564db r25133: Fix sasl wrapping (for ldap sign&seal).
The gss_import_name() broke as we switched from the internal MIT OID
"gss_nt_krb5_principal" to "GSS_KRB5_NT_PRINCIPAL_NAME" and didn't switch from
passing the krb5_principal (or better: a pointer to that, see MIT's "*HORRIBLE*
bug") to pass the string principal directly.

Jerry, Jeremy, neither I could figure out the need of passing in a
krb5_principal at all nor could I reproduce the crash you were seeing.

I sucessfully tested the code (now importing a string) with MIT 1.2.7, 1.3.6,
1.4.3, 1.5.1, 1.6.1 and Heimdal 0.7.2, 1.0, 1.0.1.

Guenther
(This used to be commit cb2dc715e3)
2007-10-10 12:30:43 -05:00
Günther Deschner
1ef2464451 r25109: Remove obsolete argument from ads_guess_service_principal().
Guenther
(This used to be commit 2dea9464bb)
2007-10-10 12:30:41 -05:00
Günther Deschner
dc58b03517 r25108: Make ifdef labyrinth in sasl code a bit more readable.
Guenther
(This used to be commit f31949ec34)
2007-10-10 12:30:40 -05:00
Günther Deschner
cd45a258a7 r25080: Once we decrypted the packet but have timing problems (closkew, tkt not yet or
no longer valid) there is no point to bother the keytab routines.

Guenther
(This used to be commit 7e4dcf8e7e)
2007-10-10 12:30:38 -05:00
Lars Müller
9fa56b9ae9 r25030: ip_srv_nonsite and count_nonsite are initialized in get_kdc_list() in any
case.
(This used to be commit 287604a1c7)
2007-10-10 12:30:36 -05:00
Michael Adam
b202692875 r24836: Initialize some uninitialized variables.
This prevents a segfault when get_kdc_ip_string() is called
with sitename == NULL.

Michael
(This used to be commit 58d31e057b)
2007-10-10 12:30:26 -05:00
Günther Deschner
55b59eb80b r24833: Move locator to nsswitch (does not belong to libads anymore).
Guenther
(This used to be commit af90c6949c)
2007-10-10 12:30:26 -05:00
Günther Deschner
dbdc0fecb6 r24832: In the winbind-locator recursion case, try to pick up the kdc from the
environment.

Guenther
(This used to be commit 7f42fe4e08)
2007-10-10 12:30:26 -05:00
Günther Deschner
647abf0a7b r24804: As a temporary workaround, also try to guess the server's principal in the
"not_defined_in_RFC4178@please_ignore" case to make at least LDAP SASL binds
succeed with windows server 2008.

Guenther
(This used to be commit f5b3de4d30)
2007-10-10 12:30:23 -05:00
Günther Deschner
60fb367fd9 r24769: Merge error handling for locator plugin.
Guenther
(This used to be commit b83626676c)
2007-10-10 12:30:19 -05:00
Günther Deschner
6227abc043 r24752: Make sure to return properly when the locator is called from within winbindd.
Guenther
(This used to be commit 6cf7187e88)
2007-10-10 12:30:18 -05:00
Günther Deschner
49e92d0d56 r24748: Remove all dependencies to samba internals and convert the krb5 locator plugin
into a tiny winbindd DsGetDcName client. This still does not solve the case of
using the locator from within winbindd itself but at least gencache.tdb and
others are no longer corrupted.

Guenther
(This used to be commit 908e7963b8)
2007-10-10 12:30:17 -05:00
Günther Deschner
22cf5a3f80 r24739: With resolve_ads() allow to query for PDCs as well.
Also add dns query functions to find GCs and DCs by GUID.

Guenther
(This used to be commit cc469157f6)
2007-10-10 12:30:16 -05:00
Günther Deschner
d61c180e49 r24654: Adapt to coding conventions.
Guenther
(This used to be commit a669ac2bc4)
2007-10-10 12:30:13 -05:00
Günther Deschner
201f0e1ce4 r24432: Expand kerberos_return_pac() so that it can be used in winbindd.
Guenther
(This used to be commit e70bf0ecc3)
2007-10-10 12:29:46 -05:00
Günther Deschner
3e00e2e9ce r24424: Fix the build.
Guenther
(This used to be commit 029bf26f8a)
2007-10-10 12:29:45 -05:00
Günther Deschner
6ba2d944a0 r24252: Dump guid of msExchMailboxGuid when returned.
Guenther
(This used to be commit 1142f3df54)
2007-10-10 12:29:21 -05:00
Günther Deschner
bed0ea0693 r24251: Neverending fun:
Heimdal doesn't accept all OIDs and gss_import_name() fails with
GSS_S_BAD_NAMETYPE using this one. Use the GSS_KRB5_NT_PRINCIPAL_NAME OID
instead (which works with at least MIT 1.6.1 and Heimdal 1.0.1).

Guenther
(This used to be commit f783b32b65)
2007-10-10 12:29:21 -05:00
Volker Lendecke
8476d072d3 r24166: Fix Coverity ID 391
(This used to be commit 461974d2cc)
2007-10-10 12:29:17 -05:00
Gerald Carter
cdd140fe27 r24158: SE_GROUP_RESOURCE in the other_sids list apparently means a
domain local group.

Fix a typo in the PAC debugging routine
(This used to be commit b0b66b2e7a)
2007-10-10 12:29:15 -05:00
Stefan Metzmacher
cc8d700364 r24131: - make it more clear what the different min and max fields mean
- with the "GSSAPI" sasl mech the plain, sign or seal negotiation
  is independed from the req_flags and ret_flags
- verify the server supports the wrapping type we want
- better handling on negotiated buffer sizes

metze
(This used to be commit d0ec732387)
2007-10-10 12:29:09 -05:00
Stefan Metzmacher
d2900ddf11 r24128: fix double free in error path
metze
(This used to be commit 29e2d8e044)
2007-10-10 12:29:09 -05:00
Stefan Metzmacher
e1b1177196 r24104: fix the build, sorry...
metze
(This used to be commit a5e1f9fd29)
2007-10-10 12:29:07 -05:00
Stefan Metzmacher
56766b1f3e r24103: add some useful debug messages, as not all LDAP
libraries support wrapping hooks...

metze
(This used to be commit 581a1d3a20)
2007-10-10 12:29:07 -05:00
Stefan Metzmacher
3edc6088aa r24098: - make use of the ads_service_principal abstraction
also for the "GSSAPI" sasl mech.
- also use the ads_kinit_password() fallback logic
  from the "GSS-SPNEGO" sasl mech.

metze
(This used to be commit cbaf44de1e)
2007-10-10 12:29:06 -05:00
Stefan Metzmacher
db718085fd r24095: add one more fallback alternative to
construct the principal

metze
(This used to be commit b545667d2a)
2007-10-10 12:29:05 -05:00
Stefan Metzmacher
062bca6675 r24093: move gssapi/krb5 principal handling into a function
metze
(This used to be commit 83de27968d)
2007-10-10 12:29:05 -05:00
Stefan Metzmacher
31dc9126c1 r24072: Add "client ldap sasl wrapping" parameter.
Possible values are "plain" (default), "sign" or "seal".

metze
(This used to be commit 26ccbad721)
2007-10-10 12:29:02 -05:00
Günther Deschner
3ec8b1702c r24066: Fix memleak found by Volker. We don't leak keys now with MIT and Heimdal.
Guenther
(This used to be commit 7755ad750f)
2007-10-10 12:29:01 -05:00
Volker Lendecke
bf27a77c05 r24065: According to gd, this breaks heimdal. Thanks for checking!
(This used to be commit ea5f53eac8)
2007-10-10 12:29:01 -05:00
Stefan Metzmacher
b4f6db40ab r24062: fix logic for broken krb5 libs which always force
sign and seal...

metze
(This used to be commit 4a4fc8cccb)
2007-10-10 12:29:00 -05:00
Volker Lendecke
d44063715a r24058: Fix some memory leaks in ads_secrets_verify_ticket.
Jeremy, Günther, please review!

Thanks,

Volker
(This used to be commit 000e096c27)
2007-10-10 12:29:00 -05:00
Stefan Metzmacher
75ae998b99 r24042: add support for krb5 sign and seal in LDAP via "GSS-SPNEGO"
metze
(This used to be commit 34ab84aceb)
2007-10-10 12:28:59 -05:00
Stefan Metzmacher
6b5c55b0f0 r24037: only setup sasl wrapping after a successful bind
metze
(This used to be commit 85d6cd3dfb)
2007-10-10 12:28:58 -05:00
Günther Deschner
2349acdd43 r23973: For debugging, add (undocumented) net ads kerberos commands (kinit, renew,
pac).

Guenther
(This used to be commit 4cada7c148)
2007-10-10 12:28:51 -05:00
Günther Deschner
f659ffc0ee r23970: Allow to set the debuglevel at which to dump the PAC logon info.
Guenther
(This used to be commit 7d321aad83)
2007-10-10 12:28:50 -05:00
Günther Deschner
fce64f6833 r23969: Some helper routines to retrieve a PAC and PAC elements.
Guenther
(This used to be commit d4c87c792a)
2007-10-10 12:28:50 -05:00
Volker Lendecke
f5033a1e62 r23953: Some C++ warnings
(This used to be commit 8716edf157)
2007-10-10 12:28:49 -05:00
Günther Deschner
e6875b1b45 r23951: Fix segfault.
Guenther
(This used to be commit 1a5c8780ae)
2007-10-10 12:28:48 -05:00
Stefan Metzmacher
14e81b3009 r23948: add gsskrb5 sign and seal support for LDAP connections
NOTE: only for the "GSSAPI" SASL mech yet

metze
(This used to be commit a079b66384)
2007-10-10 12:28:48 -05:00
Stefan Metzmacher
ea3c3b9272 r23946: add support for NTLMSSP sign and seal
NOTE: windows servers are broken with sign only...

metze
(This used to be commit 408bb2e6e2)
2007-10-10 12:28:48 -05:00
Stefan Metzmacher
07c034f7c4 r23945: add infrastructure to select plain, sign or seal LDAP connection
metze
(This used to be commit 2075c05b3d)
2007-10-10 12:28:48 -05:00
Stefan Metzmacher
e0c4034393 r23943: - always provide ads_setup_sasl_wrapping() function
- read/write returning 0 means EOF and we need to return direct

metze
(This used to be commit 885d557ae7)
2007-10-10 12:28:48 -05:00
Günther Deschner
9e0c550922 r23937: Use ads_config_path() when we need to know the configration context.
Guenther
(This used to be commit 1a62c731c6)
2007-10-10 12:28:46 -05:00
Stefan Metzmacher
00b27d2d69 r23933: - implement ctrl SASL wrapping hook
- pass down sign or seal hooks
- some sasl wrapping fixes

metze
(This used to be commit 8c64ca3394)
2007-10-10 12:28:46 -05:00
Stefan Metzmacher
307e51ed14 r23926: implement output buffer handling for the SASL write wrapper
metze
(This used to be commit 65ce6fa21a)
2007-10-10 12:28:45 -05:00
Stefan Metzmacher
7bef162aeb r23922: implement input buffer handling for the SASL read wrapper
metze
(This used to be commit 7d8518ebd9)
2007-10-10 12:28:42 -05:00
Stefan Metzmacher
8cd89a20ce r23918: not all ldap libraries support debugging
metze
(This used to be commit 3f68189c9a)
2007-10-10 12:28:41 -05:00
Stefan Metzmacher
d48dbc8bad r23916: use the correct io operations for debugging
metze
(This used to be commit d745a1a719)
2007-10-10 12:28:41 -05:00
Stefan Metzmacher
77619f37a0 r23898: rename HAVE_ADS_SASL_WRAPPING -> HAVE_LDAP_SASL_WRAPPING
metze
(This used to be commit 873eaff8fe)
2007-10-10 12:28:39 -05:00
Stefan Metzmacher
57dd25cccb r23893: add dummy callbacks for LDAP SASL wrapping,
they're not used yet...

metze
(This used to be commit a3b97cdce7)
2007-10-10 12:28:39 -05:00
Stefan Metzmacher
809c9d4d31 r23888: move elements belonging to the current ldap connection to a
substructure.

metze
(This used to be commit 00909194a6)
2007-10-10 12:28:38 -05:00
Stefan Metzmacher
2fc53c947b r23886: add ads_disconnect() function
metze
(This used to be commit ba70737b70)
2007-10-10 12:28:38 -05:00
Günther Deschner
28041b6064 r23869: Protect against partial security descriptors.
Guenther
(This used to be commit 0a96a11f01)
2007-10-10 12:28:36 -05:00
Günther Deschner
ed0ffc5cef r23861: Fix return code in ads_find_samaccount().
Guenther
(This used to be commit 684fcf39dc)
2007-10-10 12:28:35 -05:00
Günther Deschner
8d786a4e2b r23842: Attempt to fix the build with LDAP.
Guenther
(This used to be commit efd817ae11)
2007-10-10 12:28:33 -05:00
Günther Deschner
34d091f1c6 r23839: Try to get the attribute name from schema GUIDs or the display name from
extended rights GUID from ad while dumping the security descriptors's aces.

This would perform much better with a guid cache, but for the rare cases where
it is used

	net ads search cn=mymachine ntSecurityDescriptor -U user%pass

it should be ok for now.

Guenther
(This used to be commit b36913433e)
2007-10-10 12:28:33 -05:00
Günther Deschner
b62ade20d0 r23838: Allow to store schema and config path in ADS_STRUCT config.
Guenther
(This used to be commit 1d5b08326f)
2007-10-10 12:28:33 -05:00
Günther Deschner
9d6f8ed5e7 r23837: Pass ADS_STRUCT and TALLOC_CTX down to ads_disp_sd.
Guenther
(This used to be commit ad0a6d5703)
2007-10-10 12:28:32 -05:00
Günther Deschner
f05dcab9bf r23836: Add ads_config_path() and ads_get_extended_right_name_by_guid().
Guenther
(This used to be commit 4d62f1191b)
2007-10-10 12:28:32 -05:00
Günther Deschner
fd8dc4b561 r23835: Pass down a struct GUID to ads_get_attrname_by_guid() directly.
Guenther
(This used to be commit a4d5206d0b)
2007-10-10 12:28:32 -05:00
Günther Deschner
c252b04abf r23834: Allow to pass an ADS_STRUCT pointer down to the dump function callback in
libads.

Guenther
(This used to be commit 311bbbafa6)
2007-10-10 12:28:32 -05:00
Günther Deschner
c8e23e4091 r23833: Document ads_find_samaccount().
Guenther
(This used to be commit 3effd1c346)
2007-10-10 12:28:31 -05:00
Günther Deschner
e7705f9eb9 r23829: Add ads_get_attrname_by_guid().
Guenther
(This used to be commit a84fd83006)
2007-10-10 12:28:31 -05:00
Günther Deschner
1c957f9559 r23826: Fix gpo security filtering by matching the security descriptor ace's for the
extended apply group policy right.

Guenther
(This used to be commit d832014a6f)
2007-10-10 12:28:31 -05:00
Günther Deschner
6d0141c17e r23820: Display security_ace_object in LDAP security descriptors for debugging.
Guenther
(This used to be commit 3925e85812)
2007-10-10 12:28:30 -05:00
Andrew Tridgell
153cfb9c83 r23801: The FSF has moved around a lot. This fixes their Mass Ave address.
(This used to be commit 87c91e4362)
2007-10-10 12:28:27 -05:00
Andrew Tridgell
5e54558c6d r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text
(This used to be commit b0132e94fc)
2007-10-10 12:28:22 -05:00
Jeremy Allison
d824b98f80 r23779: Change from v2 or later to v3 or later.
Jeremy.
(This used to be commit 407e6e695b)
2007-10-10 12:28:20 -05:00
Günther Deschner
221d06d6f3 r23772: Add ads_find_samaccount() helper function.
Guenther
(This used to be commit 6fafa64bea)
2007-10-10 12:23:55 -05:00
Günther Deschner
8ead92f06d r23654: Remove misleading inline comment.
Guenther
(This used to be commit a3441c22b3)
2007-10-10 12:23:42 -05:00
Günther Deschner
110e420196 r23651: Always, always, always compile before commit...
Guenther
(This used to be commit accb40446a)
2007-10-10 12:23:41 -05:00
Günther Deschner
3b1956f9d2 r23650: Fix remaining callers of krb5_kt_default().
Guenther
(This used to be commit b9d7a2962a)
2007-10-10 12:23:41 -05:00
Günther Deschner
a248672932 r23649: Fix the build (by moving smb_krb5_open_keytab() to clikrb5.c).
Guenther
(This used to be commit 19020d19dc)
2007-10-10 12:23:41 -05:00
Günther Deschner
a2618aa8d5 r23648: Allow to list a custom krb5 keytab file with:
net ads keytab list /path/to/krb5.keytab

Guenther
(This used to be commit a2befee3f2)
2007-10-10 12:23:41 -05:00
Günther Deschner
6fff735da0 r23647: Use smb_krb5_open_keytab() in smbd as well.
Guenther
(This used to be commit d22c0d291e)
2007-10-10 12:23:41 -05:00
Günther Deschner
df63172ad9 r23646: Generalize our internal keytab handling to support a broader range of default
keytabnames (like "ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab"). This also
fixes keytab support with Heimdal (which supports the WRFILE pragma as well
now).

Guenther
(This used to be commit 7ca002f4cc)
2007-10-10 12:23:40 -05:00
Günther Deschner
47bd42ab1c r23607: Add legacy support for Services for Unix (SFU) 2.0.
Guenther
(This used to be commit 11b390309b)
2007-10-10 12:23:35 -05:00
Jeremy Allison
5a80fa5c0c r23514: Remove unused function ads_get_dn_from_extended_dn().
Jeremy.
(This used to be commit 03763bc528)
2007-10-10 12:23:24 -05:00
Gerald Carter
b4a39dc10e r23477: Build farm fix: Use int rather than MIT's krb5_int32 when setting context flags.
(This used to be commit 903145e957)
2007-10-10 12:23:19 -05:00
Gerald Carter
4caefdf348 r23474: Here's a small patch that disables the libkrb5.so replay cache
when verifying a ticket from winbindd_pam.c.

I've found during multiple, fast, automated SSH logins (such
as from a cron script) that the replay cache in MIT's krb5
lib will occasionally fail the krb5_rd_req() as a replay attack.

There seems to be a small window during which the MIT krb5
libs could reproduce identical time stamps for ctime and cusec
in the authenticator since Unix systems only give back
milli-seconds rather than the micro-seconds needed by the
authenticator.  Checked against MIT 1.5.1.  Have not
researched how Heimdal does it.

My thinking is that if someone can spoof the KDC and TDS
services we are pretty hopeless anyways.
(This used to be commit cbd33da9f7)
2007-10-10 12:23:19 -05:00
Gerald Carter
3272b1dd60 r23251: whoops! Fix compile error
(This used to be commit 22a3ea40ac)
2007-10-10 12:22:59 -05:00
Jeremy Allison
ad5ff1b809 r23147: Patch #4566 from jacob berkman <jberkman@novell.com>. Pass password data to krb5_prompter.
Jeremy.
(This used to be commit 232fc5d69d)
2007-10-10 12:22:48 -05:00
Jeremy Allison
71ee55f98d r23080: Fix bug #4637 - we hads missed some cases where
we were calling PRS_ALLOC_MEM with zero count.
Jeremy.
(This used to be commit 9a10736e6f)
2007-10-10 12:22:43 -05:00
Michael Adam
2753d30cbe r22893: Use ldap_rename_s instead of deprecated ldap_rename2_s.
This fixes the build on solaris (host sun9).
And hopefully doesn't break any other builds... :-)
If it does, we need some configure magic.

Thanks to Björn Jacke <bj@sernet.de>.
(This used to be commit a43775ab36)
2007-10-10 12:22:05 -05:00
Volker Lendecke
b4a7b7a888 r22844: Introduce const DATA_BLOB data_blob_null = { NULL, 0, NULL }; and
replace all data_blob(NULL, 0) calls.
(This used to be commit 3d3d61687e)
2007-10-10 12:22:01 -05:00
Günther Deschner
83564b43e3 r22800: Add GPO_SID_TOKEN and an LDAP function to get tokensids from the tokenGroup attribute.
Guenther
(This used to be commit e4e8f84060)
2007-10-10 12:21:59 -05:00
Günther Deschner
75a0171857 r22799: Fix the build.
Guenther
(This used to be commit 6e911c442b)
2007-10-10 12:21:59 -05:00
Günther Deschner
46c5da2fd6 r22798: Add the "apply group policy" access bit (as seen in type 0x05 ALLOWED OBJECT
ACEs).

Guenther
(This used to be commit e138cbc876)
2007-10-10 12:21:58 -05:00
Günther Deschner
9c170fce26 r22797: We are only interested in the DACL of the security descriptor, so search with
the SD_FLAGS control.

Guenther
(This used to be commit 648df57e53)
2007-10-10 12:21:57 -05:00
Gerald Carter
3eca3af1bc r22728: Patch from Danilo Almeida <dalmeida@centeris.com>:
When asked to create a machine account in an OU as part
of "net ads join" and the account already exists in another
OU, simply move the machine object to the requested OU.
(This used to be commit 3004cc6e59)
2007-10-10 12:21:51 -05:00
Gerald Carter
89fd4444af r22714: Prevent DNS lookup storms when the DNS servers are unreachable.
Helps when transitioning from offline to online mode.

Note that this is a quick hack and a better solution
would be to start the DNS server's state between processes
(similar to the namecache entries).
(This used to be commit 4f05c6fe26)
2007-10-10 12:21:49 -05:00
Gerald Carter
8ff276fcb0 r22701: Fix the krb5_nt_status error table and add the "no DCs found" mapping
(This used to be commit 2ab617fbbf)
2007-10-10 12:21:47 -05:00
Günther Deschner
e468268335 r22666: Expand kerberos_kinit_password_ext() to return NTSTATUS codes and make
winbindd's kerberized pam_auth use that.

Guenther
(This used to be commit 0f436eab5b)
2007-10-10 12:19:54 -05:00
Günther Deschner
116c1532e7 r22664: When we have krb5_get_init_creds_opt_get_error() then try to get the NTSTATUS
codes directly out of the krb5_error edata.

Guenther
(This used to be commit dcd902f24a)
2007-10-10 12:19:53 -05:00
Günther Deschner
6288491e90 r22663: Restructure kerberos_kinit_password_ext() error path.
Guenther
(This used to be commit 997ded4e3f)
2007-10-10 12:19:53 -05:00
Jeremy Allison
56a5d05b8b r22590: Make TALLOC_ARRAY consistent across all uses.
That should be it....
Jeremy.
(This used to be commit 603233a98b)
2007-10-10 12:19:49 -05:00
Jeremy Allison
be8b0685a5 r22589: Make TALLOC_ARRAY consistent across all uses.
Jeremy.
(This used to be commit 8968808c3b)
2007-10-10 12:19:49 -05:00
Günther Deschner
1ee9650a1d r22479: Add "net ads keytab list".
Guenther
(This used to be commit 9ec76c5427)
2007-10-10 12:19:37 -05:00
Günther Deschner
56f6336fd4 r22460: Adding a generic ads_ranged_search() function.
Guenther
(This used to be commit b8828ea251)
2007-10-10 12:19:35 -05:00
Günther Deschner
8040fec0ac r22459: Adding ads_get_dn_from_extended_dn(), in preparation of making ranged LDAP
queries more generic. Michael, feel free to overwrite these and the following.

Guenther
(This used to be commit 0475b8eea9)
2007-10-10 12:19:35 -05:00
Stefan Metzmacher
78c57f59ac r22153: fix LDAP SASL "GSSAPI" bind against w2k3, this isn't critical
because we try "GSS-SPNEGO" first and all windows version support
that.

metze
(This used to be commit 34a5badbde)
2007-10-10 12:19:17 -05:00
Jeremy Allison
725fcf3461 r22112: Fix memleak pointed out by Steven Danneman <steven.danneman@isilon.com>.
Jeremy.
(This used to be commit 7c45bd3a47)
2007-10-10 12:19:14 -05:00
Stefan Metzmacher
eceb926df9 r22092: - make spnego_parse_auth_response() more generic and
not specific for NTLMSSP
- it's possible that the server sends a mechOID and authdata
  if negResult != SPNEGO_NEG_RESULT_INCOMPLETE, but we still
  force the mechOID to be present if negResult == SPNEGO_NEG_RESULT_INCOMPLETE

metze
(This used to be commit e9f2aa22f9)
2007-10-10 12:19:10 -05:00