IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Samba continues to query a broken DC while the DC did not finish to
rebuild Sysvol (after a Windows crash, for example). It causes end users
to received strange codes while trying to authenticate, even if there is
a secondary DC available.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Nov 12 18:57:18 CET 2012 on sn-devel-104
With this new interface, external applications that have authenticated
to an ADS can pass the PAC from the Kerberos ticket to
wbcAuthenticateUserEx. winbindd decodes and extracts the info3
information for the external application. If winbindd can verify the PAC
signature, the info3 from the PACis also added to the netsamlogon_cache.
The info3 data can be used by the external application to get the uid
and primary gid. The data in netsamlogon_cache allows to retrieve the
complete group list through the NSS function getgrouplist.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Based on work from Ian Gordon <ian.gordon@strath.ac.uk>.
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Aug 21 22:01:15 CEST 2012 on sn-devel-104
We don't resolve our own "Domain Local" groups since bug #7843 has been
fixed. So we need to add the add resource groups to the sid list too.
Before bug #7843 the "Domain Local" groups were added with a
lookupuseraliases call, but this isn't done anymore for our domain
so we need to resolve resource groups here.
When to use Resource Groups:
http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
Signed-off-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Jul 23 22:12:30 CEST 2012 on sn-devel-104
This ensures that we have some check on the session keys being returned
as the RC4 cipher is not checksumed.
The check comes from the fact that the credentials chain is tied to
the session key, and so if the credentials check passes then the
netlogon session key will be correct, and so the user session key
will be correctly decrypted.
Andrew Bartlett
Signed-off-by: Jeremy Allison <jra@samba.org>
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Mon Mar 19 21:31:46 CET 2012 on sn-devel-104
If not the child process would hang for quite a long time up to the
moment when the connection is cleaned by the kernel (took ~ 20 minutes)
in my tests.
Signed-off-by: Jeremy Allison <jra@samba.org>
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Mon Feb 27 23:10:03 CET 2012 on sn-devel-104
This could cause that we authenticate a user with a bogus domain to
winbind's domain if the password supplied for the PAM_AUTH match.
The problem was reported by Jeff Venable (jvenable@juniper.net).
Patch from Andrew Bartlett (abartlett@samba.org).
Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Mon Jan 30 18:58:12 CET 2012 on sn-devel-104
Change some misleading variable names to reflect the actual function.
Add missing field name/types previously marked as unkown.
Signed-off-by: Günther Deschner <gd@samba.org>
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Mon Oct 24 19:19:28 CEST 2011 on sn-devel-104
There is no reason this can't be a normal constant string in the
loadparm system, now that we have lp_set_cmdline() to handle overrides
correctly.
Andrew Bartlett
Windows does not track bad password attempts when offline. We were locking users out but not honoring the lockout duration.
Autobuild-User: Jim McDonough <jmcd@samba.org>
Autobuild-Date: Wed May 25 18:11:10 CEST 2011 on sn-devel-104
Most fault codes have a NTSTATUS representation, so use that.
This brings the fault handling in common with the source4/librpc/rpc code,
which make it possible to share more highlevel code, between source3 and
source4 as the error checking can be the same now.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Sun Apr 24 10:44:53 CEST 2011 on sn-devel-104
The benefit of this that it makes us more robust to secure channel resets
triggered from tools outside the winbind process. Long term we need to have a
shared tdb secure channel store though as well.
Guenther
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Feb 4 18:11:04 CET 2011 on sn-devel-104
After failing the netr_LogonSamLogonEx, we failed to retry with
netr_LogonSamLogon.
Guenther
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Mon Jan 24 12:35:42 CET 2011 on sn-devel-104
This is for the case where we have the plaintext password locally, and
can construct the challenge-response values here.
We should never ever use the LM password in domain authentication.
The last domain controller to only have LM passwords stored was NT
3.5.
Andrew Bartlett
This prints the security token including the privileges as strings
instead of just a bitmap.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This will reduce the noise from merges of the rest of the
libcli/security code, without this commit changing what code
is actually used.
This includes (along with other security headers) dom_sid.h and
security_token.h
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
size_t is overkill here, and in struct security_token in the num_sids
is uint32_t.
This includes a change to the prototype of add_sid_to_array()
and add_sid_to_array_unique(), which has had a number of
consequnetial changes as I try to sort out all the callers using
a pointer to the number of sids.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This removes conversions to and from the source3 varient of the
server_info structure when replaced in s3compat, and presents a tidier
interface to winbindd in any case.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This common structure will make it much easier to produce an auth
module for s3compat that calls Samba4's auth subsystem.
In order the make the link work properly (and not map twice), we mark
both that we did try and map the user, as well as if we changed the
user during the mapping.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This matches the structure that new code is being written to,
and removes one more of the old-style named structures, and
the need to know that is is just an alias for struct dom_sid.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
All the callers just want the PAC_LOGON_INFO, so search for that in
ads_verify_ticket(), and don't bother the callers with the rest of the
PAC.
This change makes sense on it's own (removing boilerplate wrappers
that just confuse the code), but it also makes it much easier to
implement a matching ads_verify_ticket() function in Samba4 for the
s3compat proposal.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
This shrinks include/includes.h.gch by the size of 7 MB and reduces build time
as follows:
ccache build w/o patch
real 4m21.529s
ccache build with patch
real 3m6.402s
pch build w/o patch
real 4m26.318s
pch build with patch
real 3m6.932s
Guenther
We're in a child, the parent already has chosen the domain by
picking the right child to connect to.
Metze, you've done work on winbind lately, so it goes to you:
Please check :-)
