1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

375 Commits

Author SHA1 Message Date
Jelmer Vernooij
9ffb6d2d9e Add allow_badcharcnv argument to all conversion function, for
consistency with Samba 3.
2009-03-01 06:33:40 +01:00
Andrew Bartlett
71632a1697 Remove auth/ntlm as a dependency of GENSEC by means of function pointers.
When starting GENSEC on the server, the auth subsystem context must be
passed in, which now includes function pointers to the key elements.

This should (when the other dependencies are fixed up) allow GENSEC to
exist as a client or server library without bundling in too much of
our server code.

Andrew Bartlett
2009-02-13 10:24:16 +11:00
Stefan Metzmacher
d9c30894a1 s4:service_stream: s/private/private_data
metze
2009-02-02 13:09:00 +01:00
Stefan Metzmacher
5f13710ced s4:irpc: avoid c++ reserved word 'private'
metze
2009-02-01 00:17:20 +01:00
Stefan Metzmacher
15239f742c s4:kdc: avoid c++ reserved word 'private'
metze
2009-02-01 00:17:19 +01:00
Stefan Metzmacher
183c379fe5 s4:lib/tevent: rename structs
list=""
list="$list event_context:tevent_context"
list="$list fd_event:tevent_fd"
list="$list timed_event:tevent_timer"

for s in $list; do
	o=`echo $s | cut -d ':' -f1`
	n=`echo $s | cut -d ':' -f2`
	r=`git grep "struct $o" |cut -d ':' -f1 |sort -u`
	files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4`
	for f in $files; do
		cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp
		mv $f.tmp $f
	done
done

metze
2008-12-29 20:46:40 +01:00
Stefan Metzmacher
f271469931 s4:kdc: pass down event_context explicit
metze
2008-12-29 09:46:38 +01:00
Jelmer Vernooij
928fd47c3d s4: Fix subsystem for various services in samba daemon. 2008-12-22 19:04:55 +01:00
Stefan Metzmacher
180245fce0 s4:kdc: allow a trusted domain to get kerberos tickets
metze
2008-12-04 15:45:16 +01:00
Jelmer Vernooij
b034c519f5 Add gensec_settings structure. This wraps loadparm_context for now, but
should in the future only contain some settings required for gensec.
2008-11-02 02:05:48 +01:00
Jelmer Vernooij
23302413b3 Remove unused include param/param.h. 2008-10-24 16:37:56 +02:00
Jelmer Vernooij
37d885c51a Remove iconv_convenience argument from convert_string{,talloc}() but
make them wrappers around convert_string{,talloc}_convenience().
2008-10-24 14:26:46 +02:00
Jelmer Vernooij
922a29992e Remove iconv_convenience parameter from simple string push/pull
functions.
2008-10-24 03:40:09 +02:00
Andrew Bartlett
c41cc67722 Ensure the hdb_method structure is not on the stack.
We supply this to krb5 as a plugin, so we must keep it around as long
as the krb5_context.

Andrew Bartlett
2008-10-20 20:07:09 +11:00
Jelmer Vernooij
6a89b59ca6 Add TALLOC_CTX pointer to strhex_to_data_blob for consistency with Samba
3.
2008-10-18 18:09:04 +02:00
Andrew Bartlett
7c88ea8aad Create a 'straight paper path' for UTF16 passwords.
This uses a virtual attribute 'clearTextPassword' (name chosen to
match references in MS-SAMR) that contains the length-limited blob
containing an allegidly UTF16 password.  This ensures we do no
validation or filtering of the password before we get a chance to MD4
it.  We can then do the required munging into UTF8, and in future
implement the rules Microsoft has provided us with for invalid inputs.

All layers in the process now deal with the strings as length-limited
inputs, incluing the krb5 string2key calls.

This commit also includes a small change to samdb_result_passwords()
to ensure that LM passwords are not returned to the application logic
if LM authentication is disabled.

The objectClass module has been modified to allow the
clearTextPassword attribute to pass down the stack.

Andrew Bartlett
2008-10-16 12:48:16 +11:00
Jelmer Vernooij
9565999755 Fix include paths to new location of libutil. 2008-10-11 21:31:42 +02:00
Andrew Bartlett
e0a4d7f467 Set default trust kvno to -1 2008-10-06 14:28:27 -07:00
Andrew Bartlett
c3b28c7a81 Fix cross-realm authentication in Samba4's KDC. 2008-10-06 14:28:27 -07:00
Andrew Bartlett
912209ac84 Use the trust password version as kvno for trusts in Kerberos. 2008-10-06 14:28:26 -07:00
Andrew Bartlett
6ad78f01a5 Rename hdb_ldb to hdb_samba4 and load as a plugin into the kdc.
This avoids one more custom patch to the Heimdal code, and provides a
more standard way to produce hdb plugins in future.

I've renamed from hdb_ldb to hdb_samba4 as it really is not generic
ldb.

Andrew Bartlett
2008-09-29 22:34:35 -07:00
Matthias Dieter Wallnöfer
57edd24ca0 Cosmetic corrections for the KERBEROS library
This commit applies some cosmetic corrections for the KERBEROS library.
2008-09-24 19:40:03 +02:00
Jelmer Vernooij
6925202bde Move source4/lib/crypto to lib/crypto. 2008-09-24 15:30:23 +02:00
Jelmer Vernooij
6a689c23e8 Rename smbd -> samba.
This reverts commit 05ea5e23cf.

Conflicts:

	source4/smbd/server.c
2008-09-24 03:16:15 +02:00
Simo Sorce
508527890a Merge ldb_search() and ldb_search_exp_fmt() into a simgle function.
The previous ldb_search() interface made it way too easy to leak results,
and being able to use a printf-like expression turns to be really useful.
2008-09-23 18:17:46 -04:00
Andrew Bartlett
cebd9a9013 This torture test and skipping of the server-side check was bogus.
The IDL is declared to force the MessageType to 3 on output, so we
instead checked the same thing 255 times...

Andrew Bartlett
2008-09-22 14:23:22 -07:00
Stefan Metzmacher
1d92b2211c s4: allways initialize the process model before it's used
metze
2008-09-22 18:16:09 +02:00
Jelmer Vernooij
05ea5e23cf Revert "Rename smbd -> samba."
This reverts commit 0e9008be35.
2008-09-21 21:32:40 +02:00
Jelmer Vernooij
0e9008be35 Rename smbd -> samba. 2008-09-21 21:26:40 +02:00
Andrew Bartlett
2c2fde57fa Update copyright
(This used to be commit edea162a0e)
2008-09-05 16:45:58 +10:00
Andrew Bartlett
a35263e1ab Implement NETLOGON PAC verfication on the server-side
This is implemented by means of a message to the KDC, to avoid having
to link most of the KDC into netlogon.

Andrew Bartlett
(This used to be commit 82fcd7941f)
2008-09-03 15:30:17 +10:00
Andrew Bartlett
c79dff2e9b Heimdal provides Kerberos PAC parsing routines. Use them.
This uses Heimdal's PAC parsing code in the:
 - LOCAL-PAC test
 - gensec_gssapi server
 - KDC (where is was already used, the support code refactored from here)

In addition, the service and KDC checksums are recorded in the struct
auth_serversupplied_info, allowing them to be extracted for validation
across NETLOGON.

Andrew Bartlett
(This used to be commit 418b440a7b)
2008-08-28 16:28:47 +10:00
Stefan Metzmacher
d3265b01e5 kdc: move references to heimdal internals into heimdal_build/kpasswd-glue.h
metze
(This used to be commit 65057f17b0)
2008-08-26 12:30:03 +02:00
Andrew Bartlett
7f86b26a35 Only allow the trust in the correct direction (per the flags).
(This used to be commit 2c71954294)
2008-08-26 10:27:00 +10:00
Andrew Bartlett
9eacc3a8f3 Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-local
(This used to be commit a555334db6)
2008-08-25 08:27:06 +10:00
Stefan Metzmacher
d0a8c05cb2 kdc/pac-glue: pull/push the logon_info via the PAC_INFO union
This prepares the next commit...

metze
(This used to be commit 7d297f7fb7)
2008-08-20 15:23:02 +02:00
Andrew Bartlett
fe95409de7 Trusted domains implementation for the KDC.
At this stage, only arcfour-hmac-md5 trusts are used, and all trusts
are presumed bi-directional.  Much more work still to be done.

Andrew Bartlett
(This used to be commit 3e9f5c2816)
2008-08-15 21:16:20 +10:00
Andrew Bartlett
5f873a4d8f More work towards trusted domain support in the KDC.
(This used to be commit c87d732b23)
2008-08-08 10:35:57 +10:00
Andrew Bartlett
8930a2159d Start implementind domain trusts in our KDC.
Andrew Bartlett
(This used to be commit 8aba7c3623)
2008-08-05 12:46:57 +10:00
Stefan Metzmacher
5fd1c5445b libreplace: include <krb5.h> and <com_err.h> and no heimdal specific headers
metze
(This used to be commit cffed8e19e)
2008-08-01 21:10:40 +02:00
Stefan Metzmacher
f2ac351d6e kdc: use mostly only public kerberos headers
We shoule avoid using the private heimdal function
_krb5_principalname2krb5_principal()

metze
(This used to be commit 10db07c69a)
2008-08-01 17:54:34 +02:00
Stefan Metzmacher
7b4081da8f Revert "Start implementind domain trusts in our KDC."
This reverts commit 736ce50afd.

This breaks the build...

metze
(This used to be commit afd07073b9)
2008-08-01 15:22:25 +02:00
Andrew Bartlett
2a0677e514 Start implementind domain trusts in our KDC.
Andrew Bartlett
(This used to be commit 736ce50afd)
2008-07-31 07:47:01 +10:00
Stefan Metzmacher
79657f78e8 hdb-ldb: fix the callers after drsblobs.idl changes
metze
(This used to be commit 1223cd17c7)
2008-07-24 08:24:10 +02:00
Stefan Metzmacher
0842eb25a1 hdb-ldb: try to find Primary:Kerberos-Newer-Keys and fallback to Primary:Kerberos
Now provide AES tickets if we find the keys in the supplementalCredentials attribute

metze
(This used to be commit 8300259f10)
2008-07-23 14:46:11 +02:00
Stefan Metzmacher
fa40b0709a hdb-ldb: check the SUPPLEMENTAL_CREDENTIALS_SIGNATURE
metze
(This used to be commit 7219740ef4)
2008-07-23 14:46:08 +02:00
Stefan Metzmacher
b4e9e8954a hdb-ldb: fix comment about padding
metze
(This used to be commit ca28d05b11)
2008-07-23 14:46:06 +02:00
Stefan Metzmacher
75cdaa4c84 hdb-ldb: fix crash bug in the error path
metze
(This used to be commit ac02d6a0f7)
2008-07-23 14:46:06 +02:00
Stefan Metzmacher
71ce9975fa kdc: we don't need any *_locl.h header from heimdal in the kdc
metze
(This used to be commit feca16dd6d)
2008-06-04 15:39:17 +02:00
Andrew Bartlett
be14efbdf9 Revert Jelmer's CFLAGS commit e2b71a0ecb
This commit broke the build, because not all files (libreplace, popt)
were updated.

Andrew Bartlett
(This used to be commit 3faacf4351)
2008-05-31 08:35:55 +10:00
Jelmer Vernooij
39f50afc57 Move CFLAGS handling out of smb_build.
(This used to be commit e2b71a0ecb)
2008-05-30 02:07:28 +02:00
Jelmer Vernooij
4c70cda986 Fix a couple (well, little more than that..) of typos.
(This used to be commit a6b5211994)
2008-05-18 23:02:47 +02:00
Jelmer Vernooij
4c8756f147 Create prototype headers from Makefile directory, without smb_build in the middle.
(This used to be commit f4a77b96f9)
2008-05-18 22:30:08 +02:00
Jelmer Vernooij
4f0db42958 Use variables for source directory in a couple more places.
(This used to be commit 56bb2907c6)
2008-05-18 19:41:33 +02:00
Jelmer Vernooij
cc9c4aaa8d Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into v4-0-gmake3
Conflicts:

	source/Makefile
	source/auth/config.mk
	source/auth/gensec/config.mk
	source/build/m4/public.m4
	source/build/make/python.mk
	source/build/make/rules.mk
	source/build/smb_build/header.pm
	source/build/smb_build/main.pl
	source/build/smb_build/makefile.pm
	source/dsdb/config.mk
	source/dsdb/samdb/ldb_modules/config.mk
	source/kdc/config.mk
	source/lib/events/config.mk
	source/lib/events/events.c
	source/lib/ldb/config.mk
	source/lib/nss_wrapper/config.mk
	source/lib/policy/config.mk
	source/lib/util/config.mk
	source/libcli/smb2/config.mk
	source/libnet/config.mk
	source/librpc/config.mk
	source/nbt_server/config.mk
	source/ntptr/ntptr_base.c
	source/ntvfs/posix/config.mk
	source/ntvfs/sysdep/config.mk
	source/param/config.mk
	source/rpc_server/config.mk
	source/rpc_server/service_rpc.c
	source/scripting/ejs/config.mk
	source/scripting/python/config.mk
	source/smb_server/config.mk
	source/smbd/server.c
	source/torture/config.mk
	source/torture/smb2/config.mk
	source/wrepl_server/config.mk
(This used to be commit 13bbd42068)
2008-04-25 10:04:20 +01:00
Jelmer Vernooij
21fc767378 Specify event_context to ldb_wrap_connect explicitly.
(This used to be commit b4e1ae07a2)
2008-04-17 12:23:44 +02:00
Jelmer Vernooij
1efbd5fbf6 Remove event context tracking from the credentials struct.
(This used to be commit 4d7fc946b2)
2008-04-17 01:03:18 +02:00
Jelmer Vernooij
ffc5cbfe80 Move object files lists to makefile rather than smb_build.
(This used to be commit 5628d58990)
2008-04-14 16:53:00 +02:00
Jelmer Vernooij
18d80bdf1f Merge v4.0-test
(This used to be commit 977dbdeaf3)
2008-03-28 00:44:14 +01:00
Andrew Bartlett
dc49ae599e Remove useless extra argument to samdb_result_account_expires().
Andrew Bartlett
(This used to be commit bc607c334f)
2008-03-25 15:25:13 +11:00
Andrew Bartlett
a08e951eb8 Remove unused variable.
(This used to be commit 1de21f5fdd)
2008-03-19 11:15:04 +11:00
Andrew Bartlett
aaf62085dd Merge branch 'v4-0-logon' of git://git.id10ts.net/samba into 4-0-local
(This used to be commit 8252b51850)
2008-03-19 11:04:42 +11:00
Andrew Bartlett
9e6b0c2871 Merge lorikeet-heimdal -r 787 into Samba4 tree.
Andrew Bartlett
(This used to be commit d88b530522)
2008-03-19 10:17:42 +11:00
Andrew Kroeger
131111f166 kdc: Provide extended error information in AS-REP error replies.
This change utilizes the addition of the e_data parameter to the windc_plugin in
the heimdal code to pass extended information back to the client.  The extended
information is provided in an e-data block as part of the kerberos error
message, and allows the client to determine which specific error condition
occurred.
(This used to be commit 502466ba95)
2008-03-13 01:17:48 -05:00
Jelmer Vernooij
fb6fdfce37 Fix the build.
(This used to be commit f2e4974471)
2008-03-08 17:02:40 +01:00
Jelmer Vernooij
fc2cd5ed63 Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into v4-0-gmake3
(This used to be commit e4da851bd7)
2008-03-07 18:03:54 +01:00
Andrew Kroeger
e9171397ec Enhance mappings of NTSTATUS to KRB5KDC errors.
The enhanced mappings allow the Windows client to determine whether a user's
password needs to be changed (and allows them to change it), or if they cannot
logon at all.

Changes still need to be made to allow additional data to be returned.  Windows
uses that additional data to display more detailed dialogs to the user.  The
additional information is returned in an e-data struct of type PA-PW-SALT that
contains the more-detailed NTSTATUS error code.
(This used to be commit 6a98e5a7aa)
2008-03-07 05:59:56 -06:00
Andrew Kroeger
20c7014009 Update account expiration to use new samdb_result_account_expires() function.
(This used to be commit 2b6b4e5a16)
2008-03-07 05:59:56 -06:00
Jelmer Vernooij
6cf92e604d Fix the build.
(This used to be commit 49ef8d0c19)
2008-03-04 13:06:08 +01:00
Jelmer Vernooij
b29d47edcf Move object file lists to the Makefile.
(This used to be commit a7e6d2a183)
2008-03-03 18:25:28 +01:00
Jelmer Vernooij
c38c2765d1 Remove yet more uses of global_loadparm.
(This used to be commit e01c1e87c0)
2008-02-21 17:17:37 +01:00
Jelmer Vernooij
263a77c561 Remove more uses of global_loadparm.
(This used to be commit a1715b1f48)
2008-02-21 15:45:32 +01:00
Jelmer Vernooij
d9f8232c34 Remove more uses of global_loadparm.
(This used to be commit 230355d2e6)
2008-02-21 15:21:45 +01:00
Jelmer Vernooij
921b176484 Remove more uses of global_loadparm.
(This used to be commit 47d05ecf6f)
2008-02-21 14:50:57 +01:00
Jelmer Vernooij
37deca2d41 Avoid use of global_loadparm.
(This used to be commit c5a95bbe0c)
2008-02-21 14:16:02 +01:00
Jelmer Vernooij
3f63d2fe4d Fix unresolved symbols.
(This used to be commit dbcecb6d8f)
2008-02-18 17:24:29 +01:00
Andrew Bartlett
0f8eeb81ec Remove useless layer of indirection, where every service called
task_service_init() manually.  Now this is called from service.c for
all services.

Andrew Bartlett
(This used to be commit 9c9a4731ca)
2008-02-04 21:58:29 +11:00
Andrew Bartlett
23d681caf9 Rework service init functions to pass down service name. This is
needed to change prefork behaviour based on what service is being
started.

Andrew Bartlett and David Disseldorp
(This used to be commit 0d830580e3)
2008-02-04 17:48:51 +11:00
Jelmer Vernooij
df408d056e r26672: Janitorial: Remove uses of global_loadparm.
(This used to be commit 18cd08623e)
2008-01-05 13:06:03 -06:00
Jelmer Vernooij
7d5f0e0893 r26639: librpc: Pass iconv convenience on from RPC connection to NDR library, so it can be overridden by OpenChange.
(This used to be commit 2f29f80e07)
2008-01-01 16:12:15 -06:00
Jelmer Vernooij
86dc05e99f r26638: libndr: Require explicitly specifying iconv_convenience for ndr_struct_push_blob().
(This used to be commit 61ad78ac98)
2008-01-01 16:12:11 -06:00
Jelmer Vernooij
c260454229 r26504: Don't rely on system-provided kerberos headers.
(This used to be commit c4b1df0476)
2007-12-21 05:51:07 +01:00
Jelmer Vernooij
a2cea02584 r26430: require explicit specification of loadparm context.
(This used to be commit 1b947fe0e6)
2007-12-21 05:49:58 +01:00
Jelmer Vernooij
a5b8999f23 r26427: Avoid global_smb_iconv_convenience.
(This used to be commit bf072c6fb3)
2007-12-21 05:49:53 +01:00
Jelmer Vernooij
70f1f33af8 r26402: Require a talloc context in libnetif.
(This used to be commit a35e51871b)
2007-12-21 05:49:33 +01:00
Jelmer Vernooij
6f2252dace r26401: Don't cache interfaces context in libnetif.
(This used to be commit 9f975417cc)
2007-12-21 05:49:32 +01:00
Jelmer Vernooij
038c75c0cb r26357: Add separate subsystem for auth_sam_reply parsing.
(This used to be commit 2d61e7c96e)
2007-12-21 05:49:02 +01:00
Jelmer Vernooij
c5bf20c5fe r26325: Remove use of global_loadparm in netif.
(This used to be commit e452cb2859)
2007-12-21 05:48:37 +01:00
Jelmer Vernooij
39ee38d9c1 r26316: Use contexts for conversion functions.
(This used to be commit f6420d933b)
2007-12-21 05:48:30 +01:00
Jelmer Vernooij
548c3e5357 r26314: Eliminate use of global_loadparm.
(This used to be commit aa98a1781c)
2007-12-21 05:48:26 +01:00
Jelmer Vernooij
2f5ca872a8 r26313: Fix more uses of static loadparm.
(This used to be commit 6fd0d9d3b7)
2007-12-21 05:48:25 +01:00
Jelmer Vernooij
9ebcd7a0df r26277: Move loadparm context higher up the stack.
(This used to be commit 38fa08310c)
2007-12-21 05:48:03 +01:00
Jelmer Vernooij
fc2f06d31b r26274: Some syntax fixes, remove more global_loadparm instances.
(This used to be commit 3809113d86)
2007-12-21 05:47:58 +01:00
Jelmer Vernooij
ecea5ce245 r26260: Store loadparm context in gensec context.
(This used to be commit b9e3a4862e)
2007-12-21 05:47:34 +01:00
Jelmer Vernooij
43696d2752 r26252: Specify loadparm_context explicitly when creating sessions.
(This used to be commit 7280c1e941)
2007-12-21 05:47:29 +01:00
Jelmer Vernooij
291ddf4336 r26237: Add loadparm context to the server service interface.
(This used to be commit 1386c5c925)
2007-12-21 05:47:15 +01:00
Jelmer Vernooij
120ecdb5cb r26233: Pass loadparm context when creating krb5 contexts.
(This used to be commit 7780bf285f)
2007-12-21 05:47:11 +01:00
Jelmer Vernooij
cc04f143dc r26229: Set loadparm context as opaque pointer in ldb, remove more uses of global_loadparm.
(This used to be commit 37d05fdc7b)
2007-12-21 05:47:06 +01:00
Jelmer Vernooij
f4a1083cf9 r26227: Make loadparm_context part of a server task, move loadparm_contexts further up the call stack.
(This used to be commit 0721a07aad)
2007-12-21 05:47:04 +01:00
Jelmer Vernooij
ca0b72a1fd r26003: Split up DB_WRAP, as first step in an attempt to sanitize dependencies.
(This used to be commit 56dfcb4f2f)
2007-12-21 05:45:40 +01:00
Stefan Metzmacher
529763a9aa r25920: ndr: change NTSTAUS into enum ndr_err_code (samba4 callers)
lib/messaging/
lib/registry/
lib/ldb-samba/
librpc/rpc/
auth/auth_winbind.c
auth/gensec/
auth/kerberos/
dsdb/repl/
dsdb/samdb/
dsdb/schema/
torture/
cluster/ctdb/
kdc/
ntvfs/ipc/
torture/rap/
ntvfs/
utils/getntacl.c
ntptr/
smb_server/
libcli/wrepl/
wrepl_server/
libcli/cldap/
libcli/dgram/
libcli/ldap/
libcli/raw/
libcli/nbt/
libnet/
winbind/
rpc_server/

metze
(This used to be commit 6223c7fddc)
2007-12-21 05:45:02 +01:00
Stefan Metzmacher
8fc7df10fb r25789: print out what error happened...
metze
(This used to be commit cca080f530)
2007-12-21 05:44:00 +01:00
Jelmer Vernooij
2f1c0eca13 r25548: Convert to standard bool type.
(This used to be commit 190d73b44b)
2007-10-10 15:07:53 -05:00
Jelmer Vernooij
60a1046c5c r25430: Add the loadparm context to all parametric options.
(This used to be commit fd697d77c9)
2007-10-10 15:07:31 -05:00
Jelmer Vernooij
37d53832a4 r25398: Parse loadparm context to all lp_*() functions.
(This used to be commit 3fcc960839)
2007-10-10 15:07:25 -05:00
Jelmer Vernooij
98b57d5eb6 r25035: Fix some more warnings, use service pointer rather than service number in more places.
(This used to be commit df9cebcb97)
2007-10-10 15:05:43 -05:00
Jelmer Vernooij
ffeee68e4b r25026: Move param/param.h out of includes.h
(This used to be commit abe8349f9b)
2007-10-10 15:05:38 -05:00
Jelmer Vernooij
959915a8cb r25001: Fix more C++ and other warnings, fix some of the indentation with ts=4 lines that I accidently added earlier.
(This used to be commit 0bcb21ed74)
2007-10-10 15:05:28 -05:00
Jelmer Vernooij
cd962355ab r25000: Fix some more C++ compatibility warnings.
(This used to be commit 08bb1ef643)
2007-10-10 15:05:27 -05:00
Jelmer Vernooij
61ffa08f4c r24712: No longer expose the 'BOOL' data type in any interfaces.
(This used to be commit 1ce32673d9)
2007-10-10 15:02:54 -05:00
Andrew Bartlett
db24e606f1 r24613: Missed this in my recent commit -r 24611. We don't discriminate on
where the password change came from, to determine if policy should be
applied.  We discriminate on if the account is a trust account.

Andrew Bartlett
(This used to be commit 48fd288957)
2007-10-10 15:02:24 -05:00
Andrew Bartlett
06a6194ead r24061: Anther part of bug #4823, which is that until now Samba4 didn't parse
the logon hours, even if set.

This code happily stolen from the great work in Samba3 :-)

Andrew Bartlett
(This used to be commit a4939ab629)
2007-10-10 15:01:21 -05:00
Andrew Tridgell
0479a2f1cb r23792: convert Samba4 to GPLv3
There are still a few tidyups of old FSF addresses to come (in both s3
and s4). More commits soon.
(This used to be commit fcf38a38ac)
2007-10-10 14:59:12 -05:00
Andrew Bartlett
d02d0301be r23503: use hdb_dbc not hdb_openp.
Andrew Bartlett
(This used to be commit 3a21304de0)
2007-10-10 14:53:22 -05:00
Stefan Metzmacher
5f76f986ff r23488: hdb_openp has changed from void * to int...
lha: what is the reason for this? it's really bad to use
     an int for storing a pointer value...

metze
(This used to be commit 625a659856)
2007-10-10 14:53:19 -05:00
Andrew Bartlett
91adebe749 r23456: Update Samba4 to current lorikeet-heimdal.
Andrew Bartlett
(This used to be commit ae0f81ab23)
2007-10-10 14:53:18 -05:00
Andrew Tridgell
c42219d735 r22969: fix some more places where we could end up with more than one event
context. We now have an event context on the torture_context, and we
can also get one from the cli_credentials structure
(This used to be commit c0f65eb656)
2007-10-10 14:52:34 -05:00
Jelmer Vernooij
cc26fe9b74 r22762: Some ldb_map changes:
* Change license to LGPL, so it can be used by non-Samba users of
LDB (cleared with Martin as well).

* Include ldb_map in standalone build.

* Move ldb_map to its own directory
(This used to be commit a90202abca)
2007-10-10 14:52:15 -05:00
Stefan Metzmacher
35ffca8932 r22403: this dependencies should be private
metze
(This used to be commit c3cc03ffb2)
2007-10-10 14:51:14 -05:00
Stefan Metzmacher
ad7e7249b6 r21441: create a union for the PrimaryKerberosBlob content
so that ndr_pull will fail if version isn't 3 and we notice
if the format changes...

metze
(This used to be commit 91f7a094cf)
2007-10-10 14:48:35 -05:00
Stefan Metzmacher
6e2d85e38b r21434: - get rid of "krb5Key"
- use "sambaPassword" only as virtual attribute for passing
  the cleartext password (in unix charset) into the ldb layer
- store des-cbc-crc, des-cbc-md5 keys in the Primary:Kerberos
  blob to match w2k and w2k3
- aes key support is disabled by default, as we don't know
  exacly how longhorn stores them. use password_hash:create_aes_key=yes
  to force creation of them.
- store the cleartext password in the Primary:CLEARTEXT blob
  if configured

TODO:
 - find out how longhorn stores aes keys
 - find out how the Primary:WDigest blob needs to be constructed
   (not supported by w2k)

metze
(This used to be commit e20b53f6fe)
2007-10-10 14:48:34 -05:00
Stefan Metzmacher
ac8669cf5c r21390: move fetching the key version number into the function
which contrusts the keys...

later we need to get the key version number from the
"replPropertyMetaData" attribute entry to the (I assume)
the "unicodePwd" attribute.

msDs-KeyVersionNumber is a constructed attribute,
and is "1" when no "supplementalCredentials" is present.

we need to make some tests with a password change function
which don't give a cleartext to the server...

metze
(This used to be commit 9e43242217)
2007-10-10 14:48:25 -05:00
Stefan Metzmacher
cdafaa15b5 r21363: fallback to fetch the KEYTYPE_ARCFOUR out of the "unicodePwd" attribute
when no krb5key attribute is present or it doesn't contain the KEYTYPE_ARCFOUR
key.

metze
(This used to be commit b4af29da70)
2007-10-10 14:48:20 -05:00
Stefan Metzmacher
bd3d88c69d r21330: move fetching of krb5 keys into its own function
metze
(This used to be commit 0f1eb00b41)
2007-10-10 14:48:13 -05:00
Andrew Bartlett
d5bbd817fe r20988: Call out to Heimdal's krb5.conf processing to configure many aspects
of KDC behaviour.  This should allow PKINIT to be turned on and
managed with reasonable sanity.

This also means that the krb5.conf in the same directory as the
smb.conf will always have priority in Samba4, which I think will be
useful.

Andrew Bartlett
(This used to be commit a50bbde81b)
2007-10-10 14:44:18 -05:00
Stefan Metzmacher
e73f1c2f2a r20661: the golden rule: "make things private if possible!"
fix 'make install' because no entry was in the headermap

metze
(This used to be commit 2a9d6d381d)
2007-10-10 14:37:28 -05:00
Andrew Bartlett
08976cb3d2 r20639: Commit part 1 of 2.
This patch updates our build system and glue to support a new snapshot
of lorikeet-heimdal.

We now procude a [SUBSYTEM] in the ans1_deps.pl script, and can depend
on that in the heimdal_build/config.mk.  This is much easier than
listing every generated .o file individually.

This required some small changes to the build system, due to the way
the parent directory was handled for the output of scripts.  I've also
cleaned up et_deps.pl to handle cleaning up it's generated files on
clean.

The PAC glue in Heimdal has changed significantly: we no longer have a
custom hack in the KDC, instead we have the windc plugin interface.
As such, pac-glue.c is much smaller.  In the future, when I'm
confident of the new code, we will also be able to 'downsize'
auth/kerberos/kerberos_pac.c.

(I'll include the updated copy of heimdal in the next chekin, to make
it clearer what's changed in Samba4 itself).

Andrew Bartlett
(This used to be commit 75fddbbc08)
2007-10-10 14:37:20 -05:00
Andrew Bartlett
cb785a891b r20406: Metze's change in -r 19662 broke Kerberos logins from Win2k3.
The reason is long and complex, but is due to forwardable tickets:

We would extract the forwardable ticket from the GSSAPI payload, and
look for the expiry time of the ticket for krbtgt/REALM@REALM.

However, with -r 19662 the ticket is given to the client as being for
krbtgt/realm@REALM, as it asked for a lower case realm.  Heimdal is
case sensitive for realms, and bails out.  (It should just not store
the forwarded ticket).

We need to co-ordinate changes in the KDC with relaxation of checks in
Heimdal, and a better kerberos behaviour testsuite.

Andrew Bartlett
(This used to be commit be4c1a36b0)
2007-10-10 14:30:24 -05:00
Andrew Bartlett
bddd8ed5c4 r20152: Commit missing files from last night's commit. We no longer maintain
a distinction between PDC and BDC in the configuration files, only as
an entry in the ldb.

Andrew Bartlett
(This used to be commit dc9eee7cb3)
2007-10-10 14:29:15 -05:00
Simo Sorce
ea212eb00f r20034: Start using ldb_search_exp_fmt()
(This used to be commit 4f07542143)
2007-10-10 14:28:51 -05:00
Simo Sorce
a9e31b33b5 r19832: better prototypes for the linearization functions:
- ldb_dn_get_linearized
  returns a const string

- ldb_dn_alloc_linearized
  allocs astring with the linearized dn
(This used to be commit 3929c086d5)
2007-10-10 14:28:22 -05:00
Simo Sorce
4889eb9f7a r19831: Big ldb_dn optimization and interfaces enhancement patch
This patch changes a lot of the code in ldb_dn.c, and also
removes and add a number of manipulation functions around.

The aim is to avoid validating a dn if not necessary as the
validation code is necessarily slow. This is mainly to speed up
internal operations where input is not user generated and so we
can assume the DNs need no validation. The code is designed to
keep the data as a string if possible.

The code is not yet 100% perfect, but pass all the tests so far.
A memleak is certainly present, I'll work on that next.

Simo.
(This used to be commit a580c871d3)
2007-10-10 14:28:22 -05:00
Stefan Metzmacher
c779270116 r19664: fix compiler warnings...
should _krb5_find_type_in_ad() also take a const?

metze
(This used to be commit addc31bd93)
2007-10-10 14:25:27 -05:00
Stefan Metzmacher
3ba2a9dfcf r19662: windows 2003 kdc's only rewrite the realm to the full form,
when the client is using the netbios domain name as realm.

we should match this and not rewrite the principal.

This matches what windows give:

metze@SERNOX:~/prefix/lorikeet-heimdal/bin> ./kinit administrator@SERNOXDOM4
administrator@SERNOXDOM4's Password:

metze@SERNOX:~/prefix/lorikeet-heimdal/bin> ./klist
Credentials cache: FILE:/tmp/krb5cc_10000
Principal: administrator@SERNOXDOM4.MX.BASE

Issued           Expires          Principal
Nov 11 13:37:52  Nov 11 23:37:52  krbtgt/SERNOXDOM4@SERNOXDOM4.MX.BASE

Note:
I need to disable the principal checks in heimdal's
_krb5_extract_ticket() for the kinit to work.

Any ideas how to change heimdal to support this.

For the service principal we should use
the realm and principal in req->kdc_rep.enc_part
instead of the unencrypted req->kdc.ticket.sname
and req->kdc.ticket.realm to have a trusted value.

I'm not sure what we can do with the client realm...

metze
(This used to be commit cfee02143f)
2007-10-10 14:25:26 -05:00
Andrew Bartlett
3c1e780ec7 r19604: This is a massive commit, and I appologise in advance for it's size.
This merges Samba4 with lorikeet-heimdal, which itself has been
tracking Heimdal CVS for the past couple of weeks.

This is such a big change because Heimdal reorganised it's internal
structures, with the mechglue merge, and because many of our 'wishes' have been granted:  we now have DCE_STYLE GSSAPI, send_to_kdc hooks and many other features merged into the mainline code.  We have adapted to upstream's choice of API in these cases.

In gensec_gssapi and gensec_krb5, we either expect a valid PAC, or NO
PAC.  This matches windows behavour.  We also have an option to
require the PAC to be present (which allows us to automate the testing
of this code).

This also includes a restructure of how the kerberos dependencies are
handled, due to the fallout of the merge.

Andrew Bartlett
(This used to be commit 4826f17351)
2007-10-10 14:25:03 -05:00
Andrew Bartlett
13dbee3ffe r19598: Ahead of a merge to current lorikeet-heimdal:
Break up auth/auth.h not to include the world.

Add credentials_krb5.h with the kerberos dependent prototypes.

Andrew Bartlett
(This used to be commit 2b569c42e0)
2007-10-10 14:25:00 -05:00
Simo Sorce
59b66744f7 r19299: Fix possible memleaks
(This used to be commit 6fad80bb09)
2007-10-10 14:21:04 -05:00
Andrew Bartlett
390ece7f3d r18827: I forgot to commit this:
Make kpasswdd use the new prototype for
_krb5_principalname2krb5_principal()

Andrew Bartlett
(This used to be commit 989f40ea02)
2007-10-10 14:19:14 -05:00
Günther Deschner
8153859fb4 r18636: Excessive testing with pam_winbind within Samba3 revealed a new samr
reject reason code while password changing: SAMR_REJECT_IN_HISTORY which
is different from SAMR_REJECT_COMPLEXITY.

torture test to follow as well.

Guenther
(This used to be commit 7513748208)
2007-10-10 14:18:59 -05:00
Jelmer Vernooij
0329d755a7 r17930: Merge noinclude branch:
* Move dlinklist.h, smb.h to subsystem-specific directories
 * Clean up ads.h and move what is left of it to dsdb/
   (only place where it's used)
(This used to be commit f7afa1cb77)
2007-10-10 14:16:54 -05:00
Andrew Tridgell
b21b119cbc r17824: add a wrapper for the common partitions_basedn calculation
(This used to be commit 09007b0907)
2007-10-10 14:16:45 -05:00
Stefan Metzmacher
a2eca9174c r17586: merge lib/netif into lib/socket and use -lnsl -lsocket on the
configure check for the interfaces.

should fix the build on some old sun boxes

metze
(This used to be commit f20e251bfd)
2007-10-10 14:15:39 -05:00
Simo Sorce
a23b63a8e5 r17516: Change helper function names to make more clear what they are meant to do
(This used to be commit ad75cf8695)
2007-10-10 14:15:31 -05:00
Stefan Metzmacher
7a845bcb01 r17341: pass a messaging context to auth_context_create()
and gensec_server_start().

calling them with NULL for event context or messaging context
is no longer allowed!

metze
(This used to be commit 679ac74e71)
2007-10-10 14:15:17 -05:00
Andrew Bartlett
795c279462 r16964: Remove extra debugs no longer required in a working KDC
Implement the 'DES only' flag.

Andrew Bartlett
(This used to be commit 9d42bb4b3d)
2007-10-10 14:10:03 -05:00
Andrew Bartlett
da9a31b228 r16237: Use an appropriate basedn for these searches, so they occour into the
correct partition.

Andrew Bartlett
(This used to be commit f661dafe4e)
2007-10-10 14:09:07 -05:00
Andrew Bartlett
e0bb0e9f95 r16056: Fix errors found by trying to use our kpasswd server and the Apple client.
Andrew Bartlett
(This used to be commit ae2913898c)
2007-10-10 14:08:54 -05:00
Jim McDonough
64fe1e92a5 r15883: Make sure timegm() prototype is available (on systems where we've had to
replace it)
(This used to be commit eef117e445)
2007-10-10 14:08:37 -05:00
Andrew Tridgell
cdc64c448d r15853: started the process of removing the warnings now that
talloc_set_destructor() is type safe. The end result will be lots less
use of void*, and less calls to talloc_get_type()
(This used to be commit 6b4c085b86)
2007-10-10 14:08:32 -05:00
Andrew Tridgell
8d130005a1 r15830: fixed two kdc memory leaks
(This used to be commit cc290ece92)
2007-10-10 14:08:30 -05:00