IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
All gensec backends support GENSEC_FEATURE_SIGN_PKT_HEADER, so there's
no point in negotiating header signing based on the
auth context used during the DCERPC Bind.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
It's not per auth_context_id, currently there's no difference
but that will change in future...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
That was a long way, but now we're cli_credentials/gensec only :-)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This reconnect is only useful for long running connections (e.g. in winbindd)
and there we'll make use of it...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
There's no reason to pass the LDAP servers time to the kerberos
libraries, as we may talk to a KDC different than the LDAP server!
Also Heimdal handles AS-REQ with KRB5KRB_AP_ERR_SKEW fine and
retries with the time from the krb-error.
MIT records the time from the KDC_ERR_PREAUTH_REQUIRED response
in order to use the KDCs time.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
The lifetime of a service ticket is never longer than
the lifetime of the TGT...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
That's better then using !ADS_AUTH_NO_BIND. And it allows callers
to be more flexible in future.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This means we may call kinit multiple times for now,
but we'll remove the kinit from the callers soon.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Currently we rely on a valid default credential cache being available
and don't make use of the password.
In future we'll do a kinit on demand, but that's for another day.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
In order to use SASL authentitation within a TLS connection
we now provide "client ldap sasl wrapping = starttls" or
"client ldap sasl wrapping = ldaps".
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
There's no point in trying to support --with-ads, but only use
plaintext ldap without sign/seal.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Using 'Sockbuf_IO_Desc' in idl implicitly means pidl will use
'struct Sockbuf_IO_Desc', which doesn't exist!
Using 'struct sockbuf_io_desc' which is used in OpenLDAP to
typedef Sockbuf_IO_Desc, we won't need to cast the assign the
'sbiod' pointer.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
ads_find_dc() uses c_domain = ads->server.workgroup and
don't expect it to get out of scope deep in resolve_and_ping_dns().
The result are corrupted domain values in the debug output.
Valgrind shows this:
Invalid read of size 1
at 0x483EF46: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x608BE94: __vfprintf_internal (vfprintf-internal.c:1688)
by 0x609ED49: __vasprintf_internal (vasprintf.c:57)
by 0x5D2EC0F: __dbgtext_va (debug.c:1860)
by 0x5D2ED3F: dbgtext (debug.c:1881)
by 0x4BFFB50: ads_find_dc (ldap.c:570)
by 0x4C001F4: ads_connect (ldap.c:704)
by 0x4C1DC12: ads_dc_name (namequery_dc.c:84)
Address 0xb69f6f0 is 0 bytes inside a block of size 11 free'd
at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x4BFF0AF: ads_try_connect (ldap.c:299)
by 0x4BFF40E: cldap_ping_list (ldap.c:367)
by 0x4BFF75F: resolve_and_ping_dns (ldap.c:468)
by 0x4BFFA91: ads_find_dc (ldap.c:556)
by 0x4C001F4: ads_connect (ldap.c:704)
by 0x4C1DC12: ads_dc_name (namequery_dc.c:84)
Block was alloc'd at
at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x60B250E: strdup (strdup.c:42)
by 0x4FF1492: smb_xstrdup (util.c:743)
by 0x4C10E62: ads_init (ads_struct.c:148)
by 0x4C1DB68: ads_dc_name (namequery_dc.c:73)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This will be used for rpcd_witness_registration_updateB messages
in 'net witness [client-move,...]' commands later.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
A rpcd_witness_registration.tdb will be added shortly in order to
implement useful 'net witness [list,client-move,...]' commands
in the end.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
This is useful for some scripting examples and debugging...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This is very useful for debugging...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Instead of ‘int’ or ‘uint32_t’, neither of which convey much meaning,
consistently use a newly added type to hold NDR_ flags.
Update the NDR 4.0.0 ABI.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The important factor to distribute connection to workers
should be the number of used association group slots instead
of the raw number of connections. If one worker has a lot of
association groups with just one connection each, but another
with few association groups, but multiple connections per
association group. The one with less association groups should
get the connection. Note each worker is only able to allocate
UINT16_MAX allocation groups, but the number of connections
is only limited by RAM.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We already limit the per worker portion of the association
group id to UINT16_MAX, so we can also use 16-bit instead
of just 8-bit to encode the worker index.
While there we should actually ensure that the max worker
index is UINT16_MAX.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This reflects what we're using in the C code already...
Note this is an incompatible change, but we also changed
from named_pipe_auth_req_info7 to named_pipe_auth_req_info8
in master...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is because commit f893cf85cc387b66c496661e11073b1215270022
changed the security token in secuirty.idl, and bumping the version
was missed.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
