IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Fix escaping of DN components and filters around the code
Add some notes to commandline help messages about how to pass DNs
revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was
incorrect.
The 2 functions use DNs in different ways.
- lookup_usergroups_member() uses the DN in a search filter,
and must use the filter escaping function to escape it
Escaping filters that include escaped DNs ("\," becomes "\5c,") is the
correct way to do it (tested against W2k3).
- lookup_usergroups_memberof() instead uses the DN ultimately as a base dn.
Both functions do NOT need any DN escaping function as DNs can't be reliably
escaped when in a string form, intead each single RDN value must be escaped
separately.
DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as
they come already escaped on the wire and passed as is by the ldap libraries
DN filtering has been tested.
For example now it is possible to do something like:
'net ads add user joe#5' as now the '#' character is correctly escaped when
building the DN, previously such a call failed with Invalid DN Syntax.
Simo.
(This used to be commit 5b4838f62a)
to allow client to fragment large SPNEGO blobs (large krb5
tickets). Tested against W2K3R2. Should fix bug #4400.
Jeremy.
(This used to be commit b81c5c6adc)
proto should be required before creating any binary from now on.
Remove proto_exists from the all, pam_smbpass, and pam_bindind rule.
(This used to be commit 95d2297974)
them. It just does not make sense to do a querydispinfo on an alias handle...
This fixes a memleak: Every samr_connect*() call leaked a DISP_INFO for the
(NULL) sid.
More cleanup pending: Essentially, we only need the DISP_INFO cache for the
get_global_sam_sid() domain. BUILTIN is fixed and small enough, and there are
no other domains around where enumerations could happen.
This also removes the explicit builtin_domain flags. I don't think this is
worth it. If this makes a significant difference, then we have a *VERY* tuned
RPC layer...
Jeremy, please check this. If it's ok, we might want to merge it across.
Volker
(This used to be commit 0aceda68a8)
others don't get stuck with the winbindd hang.
Still waiting on additional confirmation from Guenther
that this fixes thes issues he was observing as well.
But it's been running in my local tree for a day without
problems.
(This used to be commit 0d2b80c6c4)
post 3.0.23.
This implementation considers spaces in ldapsam configs. Such configs
are trunkated after the closing quote.
(This used to be commit 5cd9a2e258)
changed a password via pam_chauthtok. Only do this if
a) a user logs on using an expired password (or a password that needs to
be changed immediately) or
b) the user itself changes his password.
Also make sure to delete the in-memory krb5 credential cache (when a
user did not request a FILE based cred cache).
Finally honor the krb5 settings in the first pam authentication in the
chauthtok block (PAM_PRELIM_CHECK). This circumvents confusion when
NTLM samlogon authentication is still possible with the old password after
the password has been already changed (on w2k3 sp1 dcs).
Guenther
(This used to be commit c3005c48cd)
see this as a design flaw in data_blob() and it made me look in that routine.
Jeremy, revert or merge please :-)
Volker
(This used to be commit e7e6b8b5e0)
fragmented into "max xmit" size security blob
chunks. Bug #4400. Needs limits adding, and also
a client-side version.
Jeremy.
(This used to be commit aa69f2481a)