IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This avoids having the same check in 3 different parts of the code
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Aug 3 12:45:04 CEST 2011 on sn-devel-104
Since TDB2 functions return the error directly, tdb_errorstr() taken an
error code, not the tdb as it does in TDB1.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
We change all the headers and wscript files to use tdb_compat; this
means we have one place to decide whether to use TDB1 or TDB2.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
The two error tables need to be combined, but for now seperate the names.
(As the common parts of the tree now use the _common function,
errmap_unix.c must be included in the s3 autoconf build).
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Mon Jun 20 08:12:03 CEST 2011 on sn-devel-104
Due to library link orders, this is already the function that is being
used. However we still need to sort out the duplicate symbol issues,
probably by renaming things.
Andrew Bartlett
talloc_stackframe() is used in other shared components already,
and if the stack is a talloc_pool, then in most cases, it should
also not be more expensive than directly using talloc_tos().
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Thu May 12 12:52:02 CEST 2011 on sn-devel-104
This #if _SAMBA_BUILD == 3 is very unfortunate, as it means that in
the top level build, these options are not available for these
databases. However, having two different tdb_wrap lists is a worse
fate, so this will do for now.
Andrew Bartlett
This only works for Heimdal and MIT Krb5 1.8, other versions will get
an ACCESS_DEINED error.
We no longer manually verify any details of the PAC in Samba for
GSSAPI logins, as we never had the information to do it properly, and
it is better to have the GSSAPI library handle it.
Andrew Bartlett
By making the verification parameters optional, we can parse a PAC
that is already verified.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Apr 26 10:06:59 CEST 2011 on sn-devel-104
This uses the source3 PAC code (originally from Samba4) with some
small changes to restore functionality needed by the torture tests,
and to have a common API.
Andrew Bartlett
This requires a small rework of the build system to ensure that the
correct #define statements are made in both the s3 and top level
builds. We now define the various HAVE_ macros in config.h at all
times, using heimdal_build/wscript_configure when that is in use.
Andrew Bartlett
This allows us to know if the LM hash was built correctly or not.
NOTE: talloc_tos() is not available in the common code at this time.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
we shouldn't accept bad multi-byte strings, it just hides problems
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Thu Mar 24 01:47:26 CET 2011 on sn-devel-104
(waf-)god knows why, without this (fake) dependency, ./configure && make fails
while including replace.h while ./configure.developer && make succeeds...
Guenther
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Fri Feb 11 23:50:40 CET 2011 on sn-devel-104
The new waf-based build system now has all the same functionality, and
the old build system has been broken for quite some time.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sun Oct 31 02:01:44 UTC 2010 on sn-devel-104
The previous API was not clear as to who owned the returned session key.
This fixes a valgrind-found use-after-free in the NTLMSSP key derivation code,
and avoids making allocations - we steal and zero instead.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
When we are using SEC_CHAN_RODC we need to set the
NETLOGON_NEG_RODC_PASSTHROUGH bit in the negotiated flags in
ServerAuthenticate2
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This happens all the time, particularly now that we don't keep the
db around after a reboot. Don't scare the admins with the level 0.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Initially, the schannel creds were talloc memduped, then, during the netlogon
creds client merge (baf7274fed) they were first
talloc_referenced and then later (53765c81f7)
talloc_moved.
The issue with using talloc_move here is that users of that function in winbind
will only be able to have two schanneled connections, as the cached schannel
credentials pointer from the netlogon pipe will be set to NULL. Do a deep copy
of the struct instead.
Guenther
This means that the core logic (but not the initialisation) of the
NTLMSSP server is in common, but uses different authentication backends.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
By making this DB TDB_NOSYNC, and by making that safe with
TDB_CLEAR_IF_FIRST, we greatly reduce the fsync() load on the server.
This particularly helps the source4/ 'make test', which otherwise tries
to disable fsync() in ldb.
Andrew Bartlett
Signed-off-by: Jeremy Allison <jra@samba.org>
The common code does not have a mem_ctx on ntlmssp_check_packet() and
ntlmssp_unseal_packet().
We do however need some internal working of the code exposed, so some
structures are moved to ntlmssp_sign.h
Andrew Bartlett
This needs a small re-arrangement of the supporting code.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
The code is not yet in common, but I hope to fix that soon.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
We should never be calling asn1_push_XXX functions inside an asn1
reading function. Change asn1_push_tag() -> asn1_start_tag() and
asn1_pop_tag() -> asn1_end_tag(). This allows us to connect to a
NetApp filer at the Microsoft plugfest.
Andrew PLEASE CHECK !
Jeremy.
After looking at the s4 side of the (s)channel :) I found out that it makes
more sense to simply make it use the tdb based code than redo the same changes
done to s3 to simplify the interface.
Ldb is slow, to the point it needs haks to pre-open the db to speed it up, yet
that does not solve the lookup speed, with ldb it is always going to be slower.
Looking through the history it is evident that the schannel database doesn't
really need greate expanadability. And lookups are always done with a single
Key. This seem a perfet fit for tdb while ldb looks unnecessarily complicated.
The schannel database is not really a persistent one. It can be discared during
an upgrade without causing any real issue. all it contains is temproary session
data.
passing mem_ctx was causing creds->sid to be allocated on mem_ctx and not be
child of creds as expected. When later in schannel_check_creds_state() we
stole the creds on a different memory context the sid was left behind and the
memory it points to freed when the temporary context was freed.
Make the initial schannel check logic more understandable.
Make it easy to define different policies depending on the caller's
security requirements (Integrity/Privacy/Both/None)
This is the same change applied to s3
Make the initial schannel check logic more understandable.
Make it easy to define different policies depending on ther caller's security
requirements (Integrity/Privacy/Both/None)
This corrects the issues reaised in bug #6129, and some others that were not
originally identified. It also accounts for some code that was in the original
bug report but appears to have since been made common between S3 and S4.
Thanks to Erik Hovland <erik@hovland.org> for the original bug report.
This makes constructor functions that return the allocated structure,
rather than having the caller pass them in, and makes the server init
function also check the first credential.
The rename of creds_ to netlogon_creds should make it more clear what
this code works with.
Andrew Bartlett
This commit is mostly to cope with the removal of SamOemHash (replaced
by arcfour_crypt()) and other collisions (such as changed function
arguments compared to Samba3).
We still provide creds_hash3 until Samba3 uses the credentials code in
netlogon server
Andrew Bartlett
Also avoid still string conversions when trying to match NTLMSSP in
the header of the NTLMSSP packet.
This also changes a few things to avoid const warnings.
Andrew Bartlett
