summaryrefslogtreecommitdiffstats
path: root/source4
Commit message (Collapse)AuthorAgeFilesLines
...
* s4-auth: Make sure we use the correct credential state.Andreas Schneider2012-07-171-1/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If we create a copy of the credential state we miss updates to the credentials. To establish a netlogon schannel connection we create client credentials and authenticate with them using dcerpc_netr_ServerAuthenticate2() For this we call netlogon_creds_client_authenticator() which increases the sequence number and steps the credentials. Lets assume the sequence number is 1002. After a successful authentication we get the server credentials and we send bind a auth request with the received creds. This sets up gensec and the gensec schannel module created a copy of the client creds and stores it in the schannel auth state. So the creds stored in gensec have the sequence number 1002. After that we continue and need the client credentials to call dcerpc_netr_LogonGetCapabilities() to verify the connection. So we need to increase the sequence number of the credentials to 1004 and step the credentials to the next state. The server always does the same and everything is just fine here. The connection is established and we want to do another netlogon call. So we get the creds from gensec and want to do a netlogon call e.g. dcerpc_netr_SamLogonWithFlags. We get the needed creds from gensec. The sequence number is 1002 and we talk to the server. The server is already ahead cause we are already at sequence number 1004 and the server expects it to be 1006. So the server gives us ACCESS_DENIED cause we use a copy in gensec. Signed-off-by: Günther Deschner <gd@samba.org>
* s4-librpc: Add capabilities check for AES encrypted connections.Andreas Schneider2012-07-171-1/+110
| | | | Signed-off-by: Günther Deschner <gd@samba.org>
* s4-torture: Improve samlogon test.Andreas Schneider2012-07-171-0/+8
|
* s4-torture: Add DCERPC_SCHANNEL_AES tests.Andreas Schneider2012-07-171-1/+5
| | | | Signed-off-by: Günther Deschner <gd@samba.org>
* s4:rpc_server/netlogon: add support for AES based netlogon schannelStefan Metzmacher2012-07-171-0/+4
| | | | | | metze Signed-off-by: Günther Deschner <gd@samba.org>
* s4:librpc/rpc: add DCERPC_SCHANNEL_AES supportStefan Metzmacher2012-07-171-2/+15
| | | | | | metze Signed-off-by: Günther Deschner <gd@samba.org>
* s4:rpc_server/netlogon: only return STRONG_KEYS if the client asked for itStefan Metzmacher2012-07-171-26/+31
| | | | | | metze Signed-off-by: Günther Deschner <gd@samba.org>
* s4:rpc_server/netlogon: implement netr_LogonGetCapabilitiesStefan Metzmacher2012-07-171-2/+20
| | | | | | | | This is also needed to support AES. metze Signed-off-by: Günther Deschner <gd@samba.org>
* s4:librpc/rpc/dcerpc_schannel: just append NETLOGON_NEG_RODC_PASSTHROUGH as rodcStefan Metzmacher2012-07-171-4/+5
| | | | | | | | The RODC stuff doesn't depend on the schannel algorithm. metze Signed-off-by: Günther Deschner <gd@samba.org>
* s4:librpc/rpc/dcerpc_schannel: rework downgrade logicStefan Metzmacher2012-07-171-5/+38
| | | | | | metze Signed-off-by: Günther Deschner <gd@samba.org>
* s4-param: Use a unique header nameAndrew Bartlett2012-07-151-3/+3
|
* s4-provision: Provide YP/NIS subtree to allow ADUC to see and set rfc2307 attrsGeza Gemes2012-07-133-2/+536
| | | | | | | | | | When provisioning with --use_rfc2307=yes populate the subtree: CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN} This makes it possible to manipulate the posix attributes via ADUC (commit message adjusted by abartlet) Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s4:registry:regdiff: use existing talloc context for the event contextMichael Adam2012-07-131-1/+1
| | | | | Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Fri Jul 13 02:51:44 CEST 2012 on sn-devel-104
* s4:registry:regdiff: add TALLOC_CTX * argument to open_backend()Michael Adam2012-07-131-6/+7
|
* s4:registry: add a TALLOC_CTX argument to reg_open_remote()Michael Adam2012-07-134-5/+7
|
* s4-torture: add ntprinting ndr operations testsuite.Günther Deschner2012-07-063-1/+442
| | | | | | | Guenther Autobuild-User(master): Günther Deschner <gd@samba.org> Autobuild-Date(master): Fri Jul 6 20:55:26 CEST 2012 on sn-devel-104
* s4-selftest: do a dbcheck on our two vampire DCsAndrew Bartlett2012-07-061-1/+1
| | | | | | | | | | | However, due to using --domain-critical-only we have to knownfail the vampire DC here, as we do not fill in the backlinks on non-critical objects correctly. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri Jul 6 16:54:10 CEST 2012 on sn-devel-104
* s4-dbcheck: Check for an object without a parentAndrew Bartlett2012-07-061-0/+44
| | | | | | | Such objects are then moved to the appropriate LostAndFound container, just as they would be if replicated. Andrew Bartlett
* s4-dsdb: Remove unused variables in py_dsdb_get_partitions_dnAndrew Bartlett2012-07-061-3/+0
|
* pydsdb: Add bindings for dsdb_wellknown_dn()Andrew Bartlett2012-07-062-0/+38
|
* s4-pydsdb: Add bindings for dsdb_find_nc_root()Andrew Bartlett2012-07-062-0/+26
|
* s4-pydsdb: Improve PyErr_LDB_{DN,}_OR_RAISE to use py_check_dcerpc_typeAndrew Bartlett2012-07-061-2/+9
| | | | | | This checks the type rather than just dereferencing the pointer. Andrew Bartlett
* auth: Common function for retrieving PAC_LOGIN_INFO from PACChristof Schmitt2012-07-062-45/+0
| | | | | | | | Several functions use the same logic as kerberos_pac_logon_info. Move kerberos_pac_logon_info to common code and reuse it to remove the code duplication. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s4-lsarpc: DCERPC_FAULT_ACCESS_DENIED for tcpAndreas Schneider2012-07-061-0/+10
| | | | | Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Fri Jul 6 11:50:40 CEST 2012 on sn-devel-104
* s4-lsarpc: DCERPC_FAULT_ACCESS_DENIED for npAndreas Schneider2012-07-063-0/+45
|
* s4-lsarpc: Restrict LookupSids3 to crypto connections only.Andreas Schneider2012-07-061-0/+10
|
* s4-lsarpc: Restrict LookupNames4 to crypto connections only.Andreas Schneider2012-07-061-0/+10
|
* s4-lsarpc: Don't call lsa_OpenPolicy2 in lsa_LookupSids3.Andreas Schneider2012-07-061-46/+48
|
* s4-lsaprc: Don't call lsa_OpenPolicy2 in lsa_LookupNames4.Andreas Schneider2012-07-061-49/+53
|
* s4-selftest: Don't run lsarpc requiring a named pipe over tcpip.Andreas Schneider2012-07-061-1/+1
|
* s4-selftest: Don't plan lsa.secrets tests over tcpip.Andreas Schneider2012-07-061-4/+4
| | | | These will only work over a named pipe or ncalrpc.
* s4-libnet: Skip calling lsarpc functions over a wrong pipe.Andreas Schneider2012-07-061-0/+9
|
* s4-torture: Call lsarpc tests over the correct pipe.Andreas Schneider2012-07-061-0/+6
|
* s4-torture: Don't consider NONE_MAPPED an error in LookupSids3.Andreas Schneider2012-07-061-3/+19
|
* s4-torture: Don't consider NONE_MAPPED an error in LookupNames4.Andreas Schneider2012-07-061-3/+15
|
* s4-torture: Add a lsarpc test_GetUserName_fail function.Andreas Schneider2012-07-061-0/+59
|
* s4-torture: Add a lsarpc test_OpenPolicy2_fail function.Andreas Schneider2012-07-062-21/+74
|
* s4-torture: Add a lsarpc test_OpenPolicy_fail function.Andreas Schneider2012-07-061-17/+74
|
* s4-torture: Add a lsarpc test_LookupNames4_fail function.Andreas Schneider2012-07-061-23/+74
|
* s4-torture: Add a lsarpc test_LookupSids3_fail function.Andreas Schneider2012-07-061-15/+68
|
* s4-torture: Test LookupSids3/LookupNames4 over np and tcpip.Andreas Schneider2012-07-061-8/+26
|
* s4-torture: Make sure lsa_OpenPolicy2 fails over TCP/IP.Andreas Schneider2012-07-062-8/+16
|
* s4-torture: Make sure lsa_OpenPolicy fails over TCP/IP.Andreas Schneider2012-07-061-9/+20
|
* s4-torture: Make sure ncacn_np tests are only called over the a pipe.Andreas Schneider2012-07-062-1/+43
|
* s4-torture: Test LookupSids3 and LookupNames4 only over tcpip.Andreas Schneider2012-07-061-13/+36
| | | | | LookupSids3 and LookupNames4 are only available over tcpip and MUST fail over named pipes.
* s4-torture: Use test_LookupSids3 function.Andreas Schneider2012-07-061-32/+1
|
* s4-torture: Fix build warnings in lsa test.Andreas Schneider2012-07-061-10/+2
|
* s4-classicupgrade: Demote any other 'BDC' accounts back to a member server ↵Andrew Bartlett2012-07-061-2/+12
| | | | | | | | | | | | during upgrade This makes it clear that they cannot be a DC until they are upgraded with samba-tool domain dcpromo. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri Jul 6 09:59:13 CEST 2012 on sn-devel-104
* s4-selftest: Test samba-tool domain dcpromoAndrew Bartlett2012-07-061-1/+2
| | | | | | | This needs a new environment to test it properly. This requires a raise in the number of socket wrapper interfaces. Andrew Bartlett
* s4-samba-tool: Provide a samba-tool domain dcpromo that upgrades a member to ↵Andrew Bartlett2012-07-062-10/+121
| | | | | | | | | | | a DC This command is like dcpromo in that it upgrades the existing workstation account to be a domain controller. The SID (and therefore any file ownerships) is preserved. Andrew Bartlett
generated by cgit (git 2.34.1) at 2025-09-27 03:41:08 +0000