| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ronnie Sahlberg <ronniesahlberg@gmail.com>
|
| |
|
|
|
|
|
|
| |
Not the correct fix for the specific issue, but a general fix to
make sure this can never happen again.
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Sep 26 04:07:57 CEST 2012 on sn-devel-104
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Avoid overriding default ccache for ads operations.
Nowadays various samba components may need to use GSSAPI and a default cred
cache to perform their tasks.
This code was completely overriding the whole process default ccache name, thus
altering the current credentials and sometimes hijacking them (or getting
preemptively hijaked).
By using gss_krb5_import_cred we can instead use a private ccache (necessary
sometimes to use a different set of credentials fromt he default
cifs/fqdn@realm one, for example when contacting foreign DCs using trust
credentials) that does not affect the rest of the process.
For the kerberos versions which don't have gss_krb5_import_cred
we fallback to temp override of KRB5CCNAME and gss_acquire_cred.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Sep 12 21:18:09 CEST 2012 on sn-devel-104
|
| |
|
|
| |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The free is however a talloc_free(), which has additional protection against
freeing the wrong thing.
Andrew Bartlett
Signed-off-by: Jeremy Allison <jra@samba.org>
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Fri Mar 2 01:45:19 CET 2012 on sn-devel-104
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Found by Codenomicon at the SNIA plugfest. Don't keep going
in the loop when reading the OIDs fail.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Wed Sep 21 05:24:59 CEST 2011 on sn-devel-104
|
| |
|
|
| |
Guenther
|
| |
|
|
| |
This is needed in order to suppress warnings.
|
| |
|
|
|
|
| |
squashed: add michlistMIC signature checks
Signed-off-by: Günther Deschner <gd@samba.org>
|
| | |
|
| |
|
|
|
|
| |
contexts.
Jeremy.
|
| |
|
|
|
|
| |
context tallocs.
Jeremy.
|
| |
|
|
|
|
| |
use of malloc, and data_blob().
Jeremy.
|
| |
|
|
|
|
| |
as this correctly describes what this function does.
Jeremy.
|
| |
|
|
|
|
|
|
| |
but a TokenInit one.
Move to using spnego_gen_negTokenInit() instead.
Jeremy
|
| |
|
|
|
|
| |
returned to caller. Remove unneeded asn1_tag_remaining() calls.
Jeremy.
|
| |
|
|
|
|
|
| |
We now have one function to do this in all calling code. More rationalization
to follow.
Jeremy.
|
| |
|
|
|
|
|
|
| |
into negprot_spnego() where it belongs (it's not an SPNEGO operation).
Add a TALLOC_CTX for callers of negprot_spnego(). Closer to unifying all
the gen_negTokenXXX calls.
Jeremy.
|
| |
|
|
|
|
| |
negTokenInit's here. Use common code in spnego_parse_negTokenInit().
Jeremy.
|
| |
|
|
|
|
|
| |
Live Sign-in Assistant
Based on code from <david.kondrad@legrand.us>. Cope with every NegTokenInit ::= SEQUENCE value.
Jeremy.
|
| |
|
|
|
|
|
| |
This seems to be the only way to deal with mixed heimdal/MIT setups during
merged build.
Guenther
|
| |
|
|
| |
Guenther
|
| |
|
|
| |
Guenther
|
| |
|
|
|
|
|
|
|
|
| |
When parsing a SPNEGO session setup retry (falling back from KRB5 to NTLMSSP),
we failed to parse the ASN1_ENUMERATED negResult in the negTokenTarg, thus
failing spnego_parse_auth() completely.
By just using the shared spnego/asn1 code, we get the parsing the correct way.
Guenther
|
| |
|
|
| |
Guenther
|
| |
|
|
| |
X.690 uses "BIT STRING" not "BIT FIELD".
|
| |
|
|
|
| |
so we at least know when we're using a long-lived context.
Jeremy.
|
| |
|
|
| |
Guenther
|
| |
|
|
| |
Guenther
|
| |
|
|
| |
Guenther
|
| |
|
|
|
|
| |
Ignore optional req_flags. Use the Kerberos mechanism OID negotiated
with the client rather than hardcoding OID_KERBEROS5_OLD.
(This used to be commit 59a2bcf30fef14ecc826271862b645dd3a61cb48)
|
| |
|
|
|
| |
Jeremy.
(This used to be commit e3e08c6e7d270e1be7a9d3042b1f36f5a291f90a)
|
| |
|
|
|
|
|
|
| |
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
(This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
|
| |
|
|
|
|
|
| |
The translate_name() used by cli_session_setup_spnego() cann rely
Winbindd since it is needed by the join process (and hence before
Winbind can be run).
(This used to be commit 00a93ed336c5f36643e6e33bd277608eaf05677c)
|
| |
|
|
|
| |
and client fixes. Patch from Todd Stetcher <todd.stetcher@isilon.com>.
(This used to be commit 8304ccba7346597425307e260e88647e49081f68)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
-
We ran across a bug joining our Samba server to a Win2K domain with LDAP
signing turned on. Upon investigation I discovered that there is a bug
in Win2K server which returns a duplicated responseToken in the LDAP
bindResponse packet. This blob is placed in the optional mechListMIC
field which is unsupported in both Win2K and Win2K3. You can see RFC
2478 for the proper packet construction. I've worked with metze on this
to confirm all these finding.
This patch properly parses then discards the mechListMIC field if it
exists in the packet, so we don't produce a malformed packet error,
causing LDAP signed joins to fail. Also attached is a sniff of the
domain join, exposing Win2Ks bad behavior (packet 21).
-
(I've just changed the scope of the DATA_BLOB mechList)
metze
(This used to be commit 200b5bfb8180af09446762e915eac63d14c6c7b0)
|
| |
|
|
| |
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
|
| |
|
|
|
| |
Jeremy.
(This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
|
| |
|
|
|
| |
replace all data_blob(NULL, 0) calls.
(This used to be commit 3d3d61687ef00181f4f04e001d42181d93ac931e)
|
| |
|
|
|
|
|
| |
OID_KERBEROS_OLD one.
metze
(This used to be commit 294c69334fce1cbb74ae9eb5a06e17b397f994df)
|
| |
|
|
|
|
|
|
|
|
| |
not specific for NTLMSSP
- it's possible that the server sends a mechOID and authdata
if negResult != SPNEGO_NEG_RESULT_INCOMPLETE, but we still
force the mechOID to be present if negResult == SPNEGO_NEG_RESULT_INCOMPLETE
metze
(This used to be commit e9f2aa22f90208a5e530ef3b68664151960a0a22)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".
Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).
Guenther
(This used to be commit 7e1a84b7226fb8dcd5d34c64a3478a6d886a9a91)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
patch some
weeks ago.
We have some work before us, when in AD mode Vista sends
"not_defined_in_RFC4178@please_ignore" as the principal.....
Volker
(This used to be commit af85d8ec02b36b765ceadf0a342c7eda2410034b)
|
| |
|
|
| |
(This used to be commit 1c18ebe67500a59d4bf08c7e2e2c2af416bfa084)
|
| |
|
|
|
|
|
|
| |
class of memory leak bugs on error found by Klocwork (#123).
Many of these functions didn't free allocated memory on
error exit.
Jeremy.
(This used to be commit 8ef11a7c6de74024b7d535d959db2d462662a86f)
|
| |
|
|
|
| |
Volker
(This used to be commit 7674a4f8361d3f3b649245118b82d8a074a2760e)
|
| |
|
|
|
| |
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
|
| |
|
|
| |
(This used to be commit a3f102f6c3ada10e74d72944e767b9b263fe83dd)
|
