IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Modern Kerberos implementations have either defines or enums for these
key types, which makes doing #ifdef difficult. This shows up in files
such as libnet_samsync_keytab.c, the bulk of which is not compiled on
current Fedora 12, for example.
The downside is that this makes Samba unconditionally depend on the
arcfour-hmac-md5 encryption type at build time. We will no longer
support libraries that only support the DES based encryption types.
However, the single-DES types that are supported in common with AD are
already painfully weak - so much so that they are disabled by default
in modern Kerberos libraries.
If not found, ADS support will not be compiled in.
This means that our 'net ads join' will no longer set the
ACB_USE_DES_KEY_ONLY flag, and we will always try to use
arcfour-hmac-md5.
A future improvement would be to remove the use of the DES encryption
types totally, but this would require that any ACB_USE_DES_KEY_ONLY
flag be removed from existing joins.
Andrew Bartlett
Signed-off-by: Simo Sorce <idra@samba.org>
Due to missing defines in modern kerberos libraries, this code was
not compiled and so this wasn't noticed.
Andrew Bartlett
Signed-off-by: Simo Sorce <idra@samba.org>
In the file rpc_server.c, function _winreg_QueryValue()
uint8_t *outbuf
Should be :
uint8_t *outbuf = NULL;
As it is later freed by
if (free_buf) SAFE_FREE(outbuf);
in some cases, this frees the unintialized outbuf, which causes a coredump.
some OpenBSD systems have underlinked cups libraries. If linking against cups
alone fails, try to link against all the cups-config --libs cruft, which we
usually don't want. (bugzila #7244)
If the parent is fast enough, the echo handler should not step in. When the
socket becomes readable, the echo handler goes to sleep for a second. If within
that second, the parent has picked up the SMB request from the net, the echo
handler will just go back to select().
This means that the core logic (but not the initialisation) of the
NTLMSSP server is in common, but uses different authentication backends.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
This allows for a future where the auth subsystem is async, and the
session key generation needs to happen in a callback.
This code is originally reworked into this style by metze for the
source4/ implementation.
The other change here is to introduce an 'out_mem_ctx', which makes
the API match that used in source4.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
This code will, I hope, soon be merged in common, and the Samba4
use case does not currently support talloc_tos() properly. Use another
context for now.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
This is another 'belts and braces' check to avoid the use of the
weak 'LM_KEY' encryption when the client has chosen NTLMv2.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
This ensures the client isn't confused and we don't enter this
weaker authentication scheme when we don't really, really need to.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
This may help to avoid a number of possible MITM attacks where LM_KEY is
spoofed into the session. If the login wasn't with lanman
(and so the user chose to disclose their lanman response),
don't disclose back anything based on their lanman password.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
We need to call setup_ntlmssp_server_info() if status==NT_STATUS_OK,
or if status is anything except NT_STATUS_MORE_PROCESSING_REQUIRED,
as this can trigger map to guest.
Jeremy.
This is an important fix as the following could and is happening:
* winbind authenticates a user via schannel secured netlogon samlogonex call,
current secure channel cred state is stored in winbind state, winbind
sucessfully decrypts session key from the info3
* winbind sets up a new schannel ncacn_ip_tcp lsa pipe (and thereby resets the
secure channel on the dc)
* subsequent samlogonex calls use the new secure channel creds on the dc to
encrypt info3 session key, while winbind tries to use old schannel creds for
decryption
Guenther
