IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
thi ensures we are using the header corresponding to the version of
ldb we're linking against. Otherwise we could use the system ldb for
link and the in-tree one for include
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This changes the structure being used to convey the current user state
from the netlogon-derived 'netr_SamInfo3' structure to a purpose-built
structure that matches the internals of the Samba auth subsystem and
contains the final group list, as well as the final privilege set and
session key.
These previously had to be re-created on the server side of the pipe
each time.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
These functions provide conversions between some netlogon.idl and
auth.idl structures
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This changes auth_serversupplied_info into the IDL-defined struct
auth_user_info_dc. This then in turn contains a struct
auth_user_info, which is the only part of the structure that is
mainted into the struct session_info.
The idea here is to avoid keeping the incomplete results of the
authentication (such as session keys, lists of SID memberships etc) in
a namespace where it may be confused for the finalised results.
Andrew Barltett
This is not only a useful way to encode stuff, it also allows python
to handle the structures, and natrually allows them to be NDR encoded.
Andrew Bartlett
This patch has been commited by request of Jelmer.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Jan 30 19:07:57 CET 2011 on sn-devel-104
This makes everything reference a server_info->sids list, which is now
a struct dom_sid *, not a struct dom_sid **. This is in keeping with
the other sid lists in the security_token etc.
In the process, I also tidy up the talloc tree (move more structures
under their logical parents) and check for some possible overflows in
situations with a pathological number of sids.
Andrew Bartlett
I've examined the code paths involved, and it appears an alternative
fix has been made in the ldap_server/ldap_bind.c code, and there is no
code path that uses this behaviour.
Andrew Bartlett
This now tests a real GENSEC exchange, including wrap and unwrap,
using GSSAPI. Therefore, it now needs to access a KDC.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Jan 18 11:41:26 CET 2011 on sn-devel-104
This should obviously point to the wrapper not the call itself.
Found out by Tru64 host build warning.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat Jan 15 18:05:59 CET 2011 on sn-devel-104
This allows the session key, security_token and credentials to be
manipulated from python.
Andrew Bartlett
Pair-Programmed-With: Andrew Tridgell <tridge@samba.org>
This will be a building block for a tokenGroups test, which can
compare against a remote server (in particular the rootDSE) against
what we would calculate the tokenGroups to be.
(this meant moving some parts out of the auth_sam code into the
containing library)
Andrew Bartlett
This isn't quite as good as using tokenGroups, but that is only
available for BASE searches, and this isn't how the all the callers
work at the moment.
Andrew Bartlett
And remove the now obsolete one for "struct tevent_context"
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Tue Dec 21 11:17:34 CET 2010 on sn-devel-104
Even if we can't calculate the local groups (because we don't have a
local SAM to do it with) we still need to include the domain groups in
the session_info token.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Dec 21 05:56:22 CET 2010 on sn-devel-104
We now just do or do not call into LDB based on some flags.
This means there may be some more link time dependencies, but we seem
to deal with those better now.
Andrew Bartlett
As a server only try the mechs the client proposed
and only call gensec_update() with the optimistic token
for the first mech in the list.
If the server doesn't support the first mech we pick the
first one in the clients list we also support.
That's how w2k8r2 works.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Dec 14 16:50:50 CET 2010 on sn-devel-104
This is consistent with the test names used by selftest, should
make the names less confusing and easier to integrate with other tools.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Dec 11 04:16:13 CET 2010 on sn-devel-104
this is only set when rpath is used on install. It ensures that
applications that link against Samba libraries get the rpath right
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Wed Dec 8 12:46:00 CET 2010 on sn-devel-104
The precision (maximum numbers of characters) should be enough.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Fri Dec 3 10:26:39 CET 2010 on sn-devel-104
This can be expected (think at a membership of a "groupOfNames" group) and we
shouldn't blame about it.
This fixes a bug reported on the technical mailing list.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Thu Dec 2 17:17:56 CET 2010 on sn-devel-104
connect_samdb() functino will correctly handle things like:
- session_info param - it will create system_session() using supplied
LoadParm parameter and thus avoiding creation of multiple LoadParm
instances (LoadParm() will mask certain command line supplied options)
- host url will be prefixed with ldap:// automatically
Autobuild-User: Kamen Mazdrashki <kamenim@samba.org>
Autobuild-Date: Sun Nov 28 03:00:41 CET 2010 on sn-devel-104
we were continually trying the first address returned, instead of
moving to the next address
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Sun Nov 14 04:11:28 UTC 2010 on sn-devel-104
The test now binds with user@realm, domain\user, user dn, computer dn
Autobuild-User: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
Autobuild-Date: Thu Nov 11 16:15:30 UTC 2010 on sn-devel-104
The practice of returning only NT_STATUS_INVALID_PARAMETER hasn't
helped our users to debug problems effectivly, and so we now return
more errors and try and give a more useful debug message when then
happen.
Andrew Bartlett
We need to be able to set the logon parameters in the same way as in the
ntlm server so we can handle openldap simple authentication call correctly.
Autobuild-User: Anatoliy Atanasov <anatoliy@samba.org>
Autobuild-Date: Fri Nov 5 06:32:43 UTC 2010 on sn-devel-104
this helps with the gentoo build. The problem is that without the
depenency, we don't add the cflags from the pkgconfig for com_err to
the build of auth/gensec. That really reflects a more general problem
with propogation of include dependencies, but this simple fix should
be enough for now.
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Sun Oct 31 13:13:33 UTC 2010 on sn-devel-104
The new waf-based build system now has all the same functionality, and
the old build system has been broken for quite some time.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sun Oct 31 02:01:44 UTC 2010 on sn-devel-104
this fixes some double linking. The name 'KERBEROS' was also a bit
confusing, as it sounded like a base kerberos library, when it is in
fact part of auth
This extra code isn't used at the moment, but I noticed the old API
was rather supprising in it's behaviour, and might catch someone out
at some later time.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Oct 27 05:24:22 UTC 2010 on sn-devel-104
Only link to nss_wrapper when it is enabled.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Oct 23 23:05:44 UTC 2010 on sn-devel-104
We need to ask the library how much data to pass in at any time.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 19 08:37:45 UTC 2010 on sn-devel-104
The issue here is that when props.max_ssf = UINT_MAX was always set,
as was the maxbufsize, and the connection would always be upgraded,
regardless of the callers wishes.
Andrew Bartlett
This reverts commit 8a2ce5c47c.
Jelmer pointed out that these are also in use by other LDB databases - not only
SAMDB ones.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Oct 17 13:37:16 UTC 2010 on sn-devel-104
They're only in use by SAMDB code.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Oct 17 09:40:13 UTC 2010 on sn-devel-104
We have ldb_msg_find_attr_as_* calls which do exactly the same. Therefore this
reduces only code redundancies.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
This includes dom_sid.h and security_token.h and will be moved
to the top level shortly.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 03:35:36 UTC 2010 on sn-devel-104
By setting the event context to use for this operation (only) onto
the krb5_context just before we call that operation, we can try
and emulate the specification of an event context to the actual send_to_kdc()
This eliminates the specification of an event context to many other
cli_credentials calls, and the last use of event_context_find()
Special care is taken to restore the event context in the event of
nesting in the send_to_kdc function.
Andrew Bartlett
A new event context is constructed by LDB when required for secrets.ldb
This will be essentially unused, as LDB on TDB will only trigger 'fake'
events, and blocks on transactions and lock operations anyway.
Andrew Bartlett
The spengo code won't set this unless it is allowed to by this
same option, but other callers may need it.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sat Oct 2 02:27:39 UTC 2010 on sn-devel-104
Instead, store the same key value under the multiple alias names.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sat Oct 2 00:16:52 UTC 2010 on sn-devel-104
Previously, our PAC code didn't include these groups into the
server_info from which we would eventually calculate the full
list of tokenGroups.
Andrew Bartlett
the S-1-5-9 SID is added in the PAC by the KDC, not on the server that
receives the PAC
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Sun Sep 26 07:09:08 UTC 2010 on sn-devel-104
This code never really belonged in the credentials layer, and
is easier done with direct access to the ldb_message that is
in secrets.ldb.
Andrew Bartlett
Fixed a bug that affected mismatched negotiation between the GSSAPI
layer and the SASL SSF subsequent negotiation. This caused some ldap
clients to hang when trying to authentication with a Samba LDAP
server. The client thought the connection should be signed, the server
thought it should be in plain text
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
