IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This patch adds a system_session cache, preventing us from having to
recreate it on every ldb open, and allowing us to detect when the same
session is being used in ldb_wrap
This code eventually calls into mk_priv in the Heimdal code, and if
the client is behind NAT, or somehow has an odd idea about it's own
network addresses, it will fail to accept this packet if we set an
address. It seems easiser not to. (Found by testing with NetAPP at
plugfest)
Andrew Bartlett
This overloads the 'name' part of the keytab name to supply a context
pointer, and so avoids 3 global variables!
To do this, we had to stop putting the entry for kpasswd into the
secrets.ldb. (I don't consider this a big loss, and any entry left
there by an upgrade will be harmless).
Andrew Bartlett
When starting GENSEC on the server, the auth subsystem context must be
passed in, which now includes function pointers to the key elements.
This should (when the other dependencies are fixed up) allow GENSEC to
exist as a client or server library without bundling in too much of
our server code.
Andrew Bartlett
This uses a virtual attribute 'clearTextPassword' (name chosen to
match references in MS-SAMR) that contains the length-limited blob
containing an allegidly UTF16 password. This ensures we do no
validation or filtering of the password before we get a chance to MD4
it. We can then do the required munging into UTF8, and in future
implement the rules Microsoft has provided us with for invalid inputs.
All layers in the process now deal with the strings as length-limited
inputs, incluing the krb5 string2key calls.
This commit also includes a small change to samdb_result_passwords()
to ensure that LM passwords are not returned to the application logic
if LM authentication is disabled.
The objectClass module has been modified to allow the
clearTextPassword attribute to pass down the stack.
Andrew Bartlett
We shoule avoid using the private heimdal function
_krb5_principalname2krb5_principal()
metze
(This used to be commit 10db07c69addce6e90851fb55738d5f9e142946b)
where the password change came from, to determine if policy should be
applied. We discriminate on if the account is a trust account.
Andrew Bartlett
(This used to be commit 48fd2889571b10a6057b9e271860e4951fc85c8b)
There are still a few tidyups of old FSF addresses to come (in both s3
and s4). More commits soon.
(This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
- ldb_dn_get_linearized
returns a const string
- ldb_dn_alloc_linearized
allocs astring with the linearized dn
(This used to be commit 3929c086d5d0b3f08b1c4f2f3f9602c3f4a9a4bd)
This merges Samba4 with lorikeet-heimdal, which itself has been
tracking Heimdal CVS for the past couple of weeks.
This is such a big change because Heimdal reorganised it's internal
structures, with the mechglue merge, and because many of our 'wishes' have been granted: we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code. We have adapted to upstream's choice of API in these cases.
In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO
PAC. This matches windows behavour. We also have an option to
require the PAC to be present (which allows us to automate the testing
of this code).
This also includes a restructure of how the kerberos dependencies are
handled, due to the fallout of the merge.
Andrew Bartlett
(This used to be commit 4826f1735197c2a471d771495e6d4c1051b4c471)
Break up auth/auth.h not to include the world.
Add credentials_krb5.h with the kerberos dependent prototypes.
Andrew Bartlett
(This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
Make kpasswdd use the new prototype for
_krb5_principalname2krb5_principal()
Andrew Bartlett
(This used to be commit 989f40ea027328cdaa31dc89ce52b2243b4aad76)
reject reason code while password changing: SAMR_REJECT_IN_HISTORY which
is different from SAMR_REJECT_COMPLEXITY.
torture test to follow as well.
Guenther
(This used to be commit 7513748208214339e764cc990aa1dbbcf864975a)
* Move dlinklist.h, smb.h to subsystem-specific directories
* Clean up ads.h and move what is left of it to dsdb/
(only place where it's used)
(This used to be commit f7afa1cb77f3cfa7020b57de12e6003db7cfcc42)
and gensec_server_start().
calling them with NULL for event context or messaging context
is no longer allowed!
metze
(This used to be commit 679ac74e71b111344f1097ab389c0b83a9247710)
Remove some autogenerated headers (which had prototypes now autogenerated by pidl)
Remove ndr_security.h from a few places - it's no longer necessary
(This used to be commit c19c2b51d3e1ad347120b06a22bda5ec586c22e8)
case) as the keytab.
This avoids issues in replicated setups, as we will replicate the
kpasswd key correctly (including from windows, which is why I care at
the moment).
Andrew Bartlett
(This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)
structure that is more generic than just 'IP/port'.
It now passes make test, and has been reviewed and updated by
metze. (Thankyou *very* much).
This passes 'make test' as well as kerberos use (not currently in the
testsuite).
The original purpose of this patch was to have Samba able to pass a
socket address stucture from the BSD layer into the kerberos routines
and back again. It also removes nbt_peer_addr, which was being used
for a similar purpose.
It is a large change, but worthwhile I feel.
Andrew Bartlett
(This used to be commit 88198c4881d8620a37086f80e4da5a5b71c5bbb2)
with clients compiled against the MIT Kerberos implementation. (Which
checks for address in KRB-PRIV packets, hence my comments on socket
functions earlier today).
It also fixes the 'set password' operation to behave correctly (it was
previously a no-op).
This allows Samba3 to join Samba4. Some winbindd operations even work,
which I think is a good step forward. There is naturally a lot of work
to do, but I wanted at least the very basics of Samba3 domain membership
to be available for the tech preview.
Andrew Bartlett
(This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
