| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
We never expose creds to the caller in schannel_update().
metze
|
| |
|
|
|
| |
If we don't include Python.h first then we get a pile of warnings due
to broken redefines of XOPEN_SOURCE in the Python includes.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
This allows us to reuse a ldb context if it is open twice, instead
of going through the expensive process of a full ldb open. We can
reuse it if all of the parameters are the same.
The change relies on callers using talloc_unlink() or free of a parent
to close a ldb context.
|
| |
|
|
|
|
| |
This patch adds a system_session cache, preventing us from having to
recreate it on every ldb open, and allowing us to detect when the same
session is being used in ldb_wrap
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
a memory leak
|
| | |
|
| |
|
|
| |
This should fix bug #6755.
|
| |
|
|
|
|
| |
For KERBEROS applications the realm should be upcase (function "lp_realm") but
for DNS ones it should be used lowcase (function "lp_dnsdomain"). This patch
implements the use of both in the right way.
|
| |
|
|
|
| |
I'll need help from Andrew on how to get gensec to initialise it's ops
element
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
If we only do signing we can pass down a const data buffer.
metze
|
| | |
|
| | |
|
| |
|
|
| |
Signed-off-by: Günther Deschner <gd@samba.org>
|
| |
|
|
| |
Guenther
|
| |
|
|
|
|
| |
This prepares support for HMAC-SHA256/AES.
metze
|
| |
|
|
| |
Guenther
|
| |
|
|
| |
Guenther
|
| |
|
|
| |
Guenther
|
| |
|
|
| |
Guenther
|
| |
|
|
| |
Guenther
|
| |
|
|
| |
Guenther
|
| |
|
|
|
|
| |
The purpose of admin_session is to be able to execute parts of provisioning
as the user Administrator in order to have the correct group and owner in the
security descriptors. To be used for provisioning and tests only.
|
| |
|
|
|
|
|
| |
We have not only to expand the additional groups but *also* the primary group to
gain all rights of a user account.
Also, remove an unneeded context (tmp_ctx) and "talloc_steal".
|
| |
|
|
| |
Guenther
|
| |
|
|
| |
Guenther
|
| |
|
|
| |
Guenther
|
| |
|
|
| |
Guenther
|
| |
|
|
|
|
|
|
|
| |
This is a small start on (ie, the only trivial part of) the work shown in:
http://k5wiki.kerberos.org/wiki/Projects/Samba4_Port#Samba.27s_use_of_Heimdal_symbols.2C_with_MIT_differences
(a table of all Kerberos symbols used in Samba4, and notes on where
they differ from those provided with MIT Kerberos)
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This library intercepts seteuid and related calls, and simulates them
in a manner similar to the nss_wrapper and socket_wrapper
libraries. This allows us to enable the vfs_unixuid NTVFS module in
the build farm, which means we are more likely to catch errors in the
token manipulation.
The simulation is not complete, but it is enough for Samba4 for
now. The major areas of incompleteness are:
- no emulation of setreuid, setresuid or saved uids. These would be
needed for use in Samba3
- no emulation of ruid changing. That would also be needed for Samba3
- no attempt to emulate file ownership changing, so code that (for
example) tests whether st.st_uid matches geteuid() needs special
handling
|
| |
|
|
| |
"groupSID"s structure
|
| | |
|
| |
|
|
|
|
| |
authsam_expand_nested_groups()
metze
|
| |
|
|
|
|
|
|
|
| |
This patch adds a function "authsam_expand_nested_groups" (calculation of rights
through expanding groups of a certain SID) which basically collects all
memberships through "memberOf" attributes. It works with either user or group SIDs.
For avoiding loops it tests on each call if the SID hasn't been added yet (through
the helper function "sids_contains_sid").
The function itself is called by "authsam_make_server_info".
|
| |
|
|
|
|
| |
This fixes the ntvfs.cifs tests.
metze
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This extends the PKINIT code in Heimdal to ask the HDB layer if the
User Principal Name name in the certificate is an alias (perhaps just
by case change) of the name given in the AS-REQ. (This was a TODO in
the Heimdal KDC)
The testsuite is extended to test this behaviour, and the other PKINIT
certficate (using the standard method to specify a principal name in a
certificate) is updated to use a Administrator (not administrator).
(This fixes the kinit test).
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
|
|
| |
It is much easier to do decryption with wireshark when the keytab is
available for every host in the domain. Running 'net export keytab
<keytab name>' will export the current (as pointed to by the supplied
smb.conf) local Samba4 doamin.
(This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4,
and so has a good chance of keeping working in the long term).
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
| |
This reverts commit a40ce5d0d9d06f592a8885162bbaf644006b9f0f.
This breaks the build...
Andrew, please repush it, when it's fixed:-)
metze
|
| |
|
|
|
|
|
|
|
|
|
|
| |
It is much easier to do decryption with wireshark when the keytab is
available for every host in the domain. Running 'net export keytab
<keytab name>' will export the current (as pointed to by the supplied
smb.conf) local Samba4 doamin.
(This uses Heimdal's 'hdb' keytab and then the existing hdb-samba4,
and so has a good chance of keeping working in the long term).
Andrew Bartlett
|
| |
|
|
| |
metze
|
| |
|
|
|
|
|
|
| |
to the peer
We should even do this if the submech has no more data to send.
metze
|
| |
|
|
|
|
|
|
|
| |
Each attribute we request from LDB comes with a small cost, so don't
lookup any more than we must for the (very) frequent krbtgt lookup
case. Similarly, we don't need to build a PAC for a server (as a
target), so don't ask for the PAC attributes here either.
Andrew Bartlett
|
| |
|
|
|
|
|
|
| |
When emulating Samba3 (which we do to ensure we don't break
compatability), don't do mutual authentication by default, as it
breaks the session key with AES and isn't what Samba3 does anyway.
Andrew Bartlett
|
