| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
| |
cache the printer_info_2 with the open printer handle.
cache is invalidated on a mod_a_printer() call **on that smbd**.
Yes, this means that the window for admins to step on each other
from different clients just got larger, but since handles a generally
short lived this is probably ok.
|
| |
|
|
| |
Andrew Bartlett
|
| |
|
|
|
|
| |
keys for kerberos authentication.
Andrew Bartlett
|
| | |
|
| |
|
|
|
|
| |
make x_fwrite() match fwrite() in returning a size_t.
Andrew Bartlett
|
| |
|
|
| |
modules/developer.c: init_module() should return an int
|
| | |
|
| |
|
|
| |
what I use in Midgard for past few years, modified for Samba needs.
|
| |
|
|
|
|
|
|
| |
(According to the manpages, you cannot put a stack variable into putenv()).
Yes, this leaks memory.
Andrew Bartlett
|
| |
|
|
| |
sucked into proto.h?
|
| |
|
|
|
|
|
|
|
|
|
| |
- Provide generic functions for
- get valid encryption types
- free encryption types
- Add encryption type parm to generic function create_kerberos_key_from_string()
- Try to merge the two versions (between HEAD and SAMBA_3_0) of kerberos_verify.c
I think this should work for both MIT and heimdal, in HEAD. If all goes smooth,
I'll move it over to 3.0 soon...
|
| |
|
|
|
|
|
|
|
| |
it can be used for 'net rpc join'.
Also fix a bug in our server-side NTLMSSP code - a client without any domain
trust links to us may calculate the NTLMv2 response with "" as the domain.
Andrew Bartlett
|
| |
|
|
|
|
|
| |
* never save a pointer to an automatic variable (they go away)
implement a deep copy for SPOOLSS_NOTIFY_MSG to correct
messages being sent that have junk for strings;
fix in response to changes for CR 1504
|
| |
|
|
|
|
|
|
|
|
| |
relitivly useful external lib from this code, and to remove the dupicate
NTLMSSP code elsewhere in samba (RPC pipes, LDAP client).
The code I've replaced this with in cliconnect.c is relitivly ugly, and
I hope to replace it with a more general SPENGO layer at some later date.
Andrew Bartlett
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
users w/o full administrative access on computer accounts to join a
computer into AD domain.
The patch and detailed changelog is available at:
http://www.itcollege.ee/~aandreim/samba
This is a list of changes in general:
1. When creating machine account do not fail if SD cannot be changed.
setting SD is not mandatory and join will work perfectly without it.
2. Implement KPASSWD CHANGEPW protocol for changing trust password so
machine account does not need to have reset password right for itself.
3. Command line utilities no longer interfere with user's existing
kerberos ticket cache.
4. Command line utilities can do kerberos authentication even if
username is specified (-U). Initial TGT will be requested in this case.
I've modified the patch to share the kinit code, rather than copying it,
and updated it to current CVS. The other change included in the original patch
(local realms) has been left out for now.
Andrew Bartlett
|
| | |
|
| |
|
|
| |
Rafal
|
| |
|
|
|
| |
to lookup what SIDs have a particular privilege (that is how
privileges are stored).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Don't use pstrcpy into an allocated string - use safe_strcpy() directly
instead.
- Keep a copy of the 'server_info' attached to the vuid. In future use this
for things like the session key, homedir and full name instead of current
copies.
- Try to avoid memory leak/segfault on Realloc failure
- clear up #endif comments
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add NTLMv2 support to our client, used when so configured ('client use NTLMv2 =
yes') and only when 'client use spengo = no'. (A new option to allow the
client and server ends to chose spnego seperatly).
NTLMv2 signing doesn't yet work, and NTLMv2 is not done for NTLMSSP yet.
Also some parinoia checks in our input parsing.
Andrew Bartlett
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
configure and config.h.in is now regenerated by the 'autogen.sh' script.
However, samba.org will run autoconf and autoheader to keep the anonyomous
rsync 'unpacked' areas intact (helping the build farm), and released will ship
with the genereated files.
Andrew Bartlett
|
| |
|
|
| |
what was requested.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This checking allows us to connect to Microsoft servers the use SMB signing,
within a few restrictions:
- I've not get the NTLMSSP stuff going - it appears to work, but if you break
the sig - say by writing a zero in it - it still passes...
- We don't currently verfiy the server's reply
- It works against one of my test servers, but not the other...
However, it provides an excellent basis to work from. Enable it with 'client
signing' in your smb.conf.
Doc to come (tomorrow) and this is not for 3.0, till we get it complete.
The CIFS Spec is misleading - the session key (for NTLMv1 at least) is the
standard session key, ie MD4(NT#).
Thanks to jra for the early work on this.
Andrew Bartlett
|
| | |
|
| |
|
|
| |
Jeremy.
|
| |
|
|
| |
Jeremy
|
| |
|
|
|
|
|
|
|
|
| |
level 2 and a request for open with no oplock is received then the
smbd should send *synchronous* break messages, not asynchronous,
otherwise it spins very rapidly, releasing the lock, sending the
'break to none' messages and then re-acquiring the lock before
any other process has a chance to get the lock and remove it's own
oplock (at least on linux).
Jeremy.
|
| |
|
|
|
| |
this now gives us complete remove privileges control in the client
libs, so we are in good shape for starting on the server side.
|
| |
|
|
|
|
| |
lsa_add_acct_rights function.
This allows us to add privileges remotely to accounts using rpcclient.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The idea here is to seperate, as much as possible, the SPNEGO layer from the
NTLMSSP layer. This not only helps us with protocol correctness, but also
should allow further mechinisms to be added with relitive ease. I indend to
make the kerberos code use this shortly.
I've never seen the 'zero length blob' form of the anonymous login, so I've
removed that case.
Andrew Bartlett
|
| | |
|
| |
|
|
|
| |
getdirentries. We would also detect getdents if present. This has some
rudimentary support already.
|
| |
|
|
|
| |
if no kerberos selected. Noticed by Metze.
Jeremy.
|
| |
|
|
| |
Jeremy.
|
| |
|
|
|
|
| |
to add a function without an explicit #ifdef HEIMDAL which I'm trying
to avoid.
Jeremy.
|
| |
|
|
| |
for instructions.
|
| |
|
|
| |
Jeremy.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
of the SWAT code, and adding a base64 encoder.
The main purpose of this patch is to add NTLMSSP support to 'ntlm_auth', for
use with Squid. Unfortunetly the squid side doesn't quite support what we need
yet.
Changes to winbind to get us the info we need, and a couple of consequential
changes/cleanups in the rest of the code.
Andrew Bartlett
|
| |
|
|
| |
Jeremy.
|
| |
|
|
|
|
| |
detect for now, I still have vague hopes of hiding the differences
between MIT and Heimdal with a compatibility layer....
Jeremy.
|
| | |
|
| |
|
|
|
|
|
| |
eliminate the dependency on the auth subsystem. The next step is to add
the required code to 'ntlm_auth', for export to Squid etc.
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
|
| |
principal similar to the existing cli_lsa_enum_privsaccount() call,
except that cli_lsa_enum_account_rights() doesn't require a call to
open_account first. There is also the minor matter that
cli_lsa_enum_account_rights() works whereas
cli_lsa_enum_privsaccount() doesn't!
this call can be used to find what privileges an account or group
has. This is a first step towards proper privileges support in Samba.
|
| | |
|
| |
|
|
|
|
| |
We need to fix some 'overmalloc' cases before it can be enabled by default.
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This tries to extract our server-side code out of sessetup.c, and into a more
general lib. I hope this is only a temporay resting place - I indend to
refactor it again into an auth-subsystem independent lib, using callbacks.
Move some of our our NTLMSSP #defines into a new file, and add two that I found
in the COMsource docs - we seem to have a double-up, but I've verified from
traces that the NTLMSSP_TARGET_TYPE_{DOMAIN,SERVER} is real.
This code also copes with ASCII clients - not that we will ever see any here,
but I hope to use this for HTTP, were we can get them. Win2k authenticates
fine under forced ASCII, btw.
Tested with Win2k, NTLMv2 and Samba's smbclient.
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
| |
becouse that is what it's input (reply_tcon_and_x) uses, and becouse we really
don't want supprises for service names.
Also remove a legacy #define, in favor of the lp_ equiv.
Andrew Bartlett
|
| |
|
|
| |
Jeremy.
|
