IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Add the kpasswd server to our KDC, implementing the 'original' and
Microsoft versions of the protocol.
This works with the Heimdal kpasswd client, but not with MIT, I think
due to ordering issues. It may not be worth the pain to have this
code go via GENSEC, as it is very, very tied to krb5.
This gets us one step closer to joins from Apple, Samba3 and other
similar implementations.
Andrew Bartlett
(This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
credentials. This works with the setup/secrets.ldif change from the
previous patch, and pretty much just re-invents the keytab.
Needed for kpasswdd work.
Andrew Bartlett
(This used to be commit cc9d167bab280eaeb793a5e7dfdf1f31be47fbf5)
to make some this the kerberos library's problem, we may as well use
the best code that is around.
Andrew Bartlett
(This used to be commit a7fe3078a65f958499779f381731b408f3e6fb1f)
I'm also worried this might cause loops, if we get a 'force password
change', and the prompter tries to 'deal with it'.
Andrew Bartlett
(This used to be commit 5bc10c4e472b45c5b5b0ea0c3dd100be6f4dabca)
authentication. This pulls the creating of the keytab back to the
credentials code, and removes the special case of 'use keberos keytab
= yes' for now.
This allows (and requires) the callers to specify the credentials for
the server credentails to GENSEC. This allows kpasswdd (soon to be
added) to use a different set of kerberos credentials.
The 'use kerberos keytab' code will be moved into the credentials
layer, as the layers below now expect a keytab.
We also now allow for the old secret to be stored into the
credentials, allowing service password changes.
Andrew Bartlett
(This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
the client doesn't guess correctly on the mech to use. It must back
off and try the mech the server selected from the list.
I'm not particularly attached to our SPNEGO parser, so while I can't
easily use the SPNEGO application logic in Heimdal, I'm going to look
closely at using the asn1 routines to avoid some pain here.
Andrew Bartlett
(This used to be commit 929217387449270b60c3f825dca3b3cae5a4f9d1)
initial NTLMSSP negotiate blob of only 16 bytes - no strings
added ! (So don't try parsing them).
Jeremy.
(This used to be commit 42d93a317ab424a0720620b83c285b5118bcc06f)
NTLMSSP client and domain strings as Unicode, even when setting
flags as OEM. Cope with this.
Jeremy.
(This used to be commit 77399e1cecc44674c3398143d8a5bb59c600abcd)
authentication out of the various callers and into the kitchen
sink.. err, credentials subsystem.
This should ensure consistant logic, as well as get us one step closer
to security=server operation in future.
Andrew Bartlett
(This used to be commit 09c95763301c0f7770d56462e8af4169b8c171fb)
most of the changes are fixes to make all the ldb code compile without
warnings on gcc4. Unfortunately That required a lot of casts :-(
I have also added the start of an 'operational' module, which will
replace the timestamp module, plus add support for some other
operational attributes
In ldb_msg_*() I added some new utility functions to make the
operational module sane, and remove the 'ldb' argument from the
ldb_msg_add_*() functions. That argument was only needed back in the
early days of ldb when we didn't use the hierarchical talloc and thus
needed a place to get the allocation function from. Now its just a
pain to pass around everywhere.
Also added a ldb_debug_set() function that calls ldb_debug() plus sets
the result using ldb_set_errstring(). That saves on some awkward
coding in a few places.
(This used to be commit f6818daecca95760c12f79fd307770cbe3346f57)
ldap. Also ensure we put a objectclass on our private ldb's, so they
have some chance of being stored in ldap if you want to
(This used to be commit 1af2cc067f70f6654d08387fc28def67229bb06a)
authenticated session down into LDB. This associates a session info
structure with the open LDB, allowing a future ldb_ntacl module to
allow/deny operations on that basis.
Along the way, I cleaned up a few things, and added new helper functions
to assist. In particular the LSA pipe uses simpler queries for some of
the setup.
In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't
been worked on (other than making it continue to compile) since January,
and I think the features of this module are being put into ldb anyway.
I have also changed the partitions in ldap_server to be initialised
after the connection, with the private pointer used to associate the ldb
with the incoming session.
Andrew Bartlett
(This used to be commit fd7203789a2c0929eecea8125b57b833a67fed71)
I also think the method of getting rid of pstring isn't the right
one. I certainly do want to get rid of pstring/fstring, but the reason
for removing them is the use of arbitrary sized fixed length strings
on the stack and in structures. Changing to another fixed length stack
string format isn't really a win, and moving to use strncpy() is
actually worse than pstrcpy() as strncpy() has the absolutely awful
semantics of always zeroing all remaining bytes, so it ends up taking
a lot of cpu doing pointless memory writes.
I'd rather move to more use of asprintf()/talloc_asprintf() and
similar functions for dynamic string allocation.
You also have to be very careful about some of these system defined
string limits. One some systems PATH_MAX could be 64k or even larger,
which can quickly blow the stack out when you allocate a few of them.
(This used to be commit 194efd26e42d621b239052ed1fec8da916bd2144)
This disables it for 'localhost' as well as for any host our KDC does
not recognise.
Andrew Bartlett
(This used to be commit 49c6c36763aae23880a20a8ee50c00e8935d8548)
at the Samba4 socket layer.
The intention here is to ensure that other events may be processed while
heimdal is waiting on the KDC. The interface is designed to be
sufficiently flexible, so that the plugin may choose how to time
communication with the KDC (ie multiple outstanding requests, looking
for a functional KDC).
I've hacked the socket layer out of cldap.c to handle this very
specific case of one udp packet and reply. Likewise I also handle
TCP, stolen from the winbind code.
This same plugin system might also be useful for a self-contained
testing mode in Heimdal, in conjunction with libkdc. I would suggest
using socket-wrapper instead however.
Andrew Bartlett
(This used to be commit 3b09f9e8f9f6f645cd03073ef833c8d0fb0d84e2)
I still have issues with Win2k3 SP1, and Samba4 doesn't pass it's own
test for the moment, but I'm working on these issues :-)
This required a change to the credentials API, so that the special
case for NTLM logins using a principal was indeed handled as a
special, not general case.
Also don't set the realm from a ccache, as then it overrides --option=realm=.
Andrew Bartlett
(This used to be commit 194e8f07c0cb4685797c5a7a074577c62dfdebe3)
use raw krb5, not GSSAPI. I still keep the 'fake GSSAPI' code, but
under the module name 'fake_gssapi_krb5'.
Andrew Bartlett
(This used to be commit 99efec2758ad6c996db65dd42cb72a81077c9b2b)
