IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Major points of interest:
* Figure the DES salt based on the domain functional level
and UPN (if present and applicable)
* Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC
keys
* Remove all the case permutations in the keytab entry
generation (to be partially re-added only if necessary).
* Generate keytab entries based on the existing SPN values
in AD
The resulting keytab looks like:
ktutil: list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
2 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
3 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
4 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
5 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
6 6 host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
7 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
8 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
9 6 suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName)
and the sAMAccountName value. The UPN will be added as well if the machine has
one. This fixes 'kinit -k'.
Tested keytab using mod_auth_krb and MIT's telnet. ads_verify_ticket()
continues to work with RC4-HMAC and DES keys.
(This used to be commit 6261dd3c67)
what svn is for.
The idea is that we fall back to a pure unix user with S-1-22 SIDs in the
token in case anything weird is going on with the 'force user'.
Volker
(This used to be commit 9ec5ccfe85)
closer at the wins server code. Firstly, it needs
to do the searches on the SELF_NAMES correctly,
secondly it needs to flush the in-memory cache
out before returning the 1b names - else it might
get duplicates returned if many 1b queries are
done in quick succession. Jerry, I hate to say
this but you might want to consider this for 3.0.23....
Jeremy.
(This used to be commit b36b9befbb)
think this can happen in real life but the code is
too complicated to be sure....
Jerry please merge this for 3.0.23.
Jeremy.
(This used to be commit 1e5042d4c0)
are set in a winbindd request it might overwrite existing
state->response.extra_data.data values without freeing.
Jeremy.
(This used to be commit 4e7262c81a)
get duplicate OID's returned in the oids_out list it is
still good programming practice to clear out a malloc'ed
string before re-writing it (especially in a loop).
Jeremy
(This used to be commit ae02c05bfc)
you're passing a BOOL parameter, don't use "clever"
code in while statement - make things easier and
clearer to understand when triggering something
with an if.
Jeremy.
(This used to be commit b1fc2d8b99)
Added a next_token_no_ltrim() function which does not strip leading separator
characters. The new function is used only where really necessary, even though
it could reasonably be used in many more places, to avoid superfluous code
changes.
Derrell
(This used to be commit d90061aa93)
Although I've never met a computer or compiler that produced pointers to
functions which are a different size than pointers to data, I suppose they
probably exist. Assigning a pointer to a function is technically illegal in C
anyway.
Change casts of the option_value based on the option_name to use of variable
argument lists.
For binary compatibility, I've maintained but deprecated the old behavior of
debug_stderr (which expected to be passed a NULL or non-NULL pointer) and
added a new option debug_to_stderr which properly expects a boolean (int)
parameter.
Derrell
(This used to be commit c1b4c51053)
being deleted when hide unreadable set to true.
Here's the scoop.
This one is really interesting. The pattern of deleting a directory is to do a
findfirst to get the first part of the list, then for each name returned it
does a open/set delete on close/close -> thus deleting the file. Then it does a
findnext with the last file name THAT IT JUST DELETED ! Now we can handle this
in the findnext in the case where hide unreadable is set to false as we look
back in our cache of names and just seek to the right point. The bug is
actually fixed in the first hunk of this patch - the one that removes the
is_visible_file() check after SearchDir returns false. We don't actually need
it and in this case it's causing the delete to be aborted because it can't find
the name (doh ! it was just deleted). We don't need it as SearchDir is only
ever called from findnext, and findnext should only ever be returning names we
gave it.
The rest of the patch are the debugs I used to find
the problem but they're generically useful.
Phew - that one took a while to track down.....
Jerry, please merge for 3.0.23 final.
Jeremy.
(This used to be commit cd048cb775)
When trying to login using krb5 with a trusted domain account, we
need to make sure that our and the remote domain are AD.
Guenther
(This used to be commit 5853525f11)
cannot put saf_name in the failed conn cache as it's uninitialized.
Store saf_servername (the ip) in that case.
Volker, please check.
Guenther
(This used to be commit 098a87f492)
