| Commit message (Collapse) | Author | Age | Files | Lines |
The translate_name() used by cli_session_setup_spnego() cannot rely on
Winbindd since it is needed by the join process (and hence before
Winbind can be run).

3.2.0pre1

in the
"not_defined_in_RFC4178@please_ignore" case to make at least LDAP SASL binds
succeed with windows server 2008.
Guenther

Heimdal doesn't accept all OIDs and gss_import_name() fails with
GSS_S_BAD_NAMETYPE using this one. Use the GSS_KRB5_NT_PRINCIPAL_NAME OID
instead (which works with at least MIT 1.6.1 and Heimdal 1.0.1).
Guenther

- make it more clear what the different min and max fields mean
- with the "GSSAPI" sasl mech the plain, sign or seal negotiation
is independent from the req_flags and ret_flags
- verify the server supports the wrapping type we want
- better handling on negotiated buffer sizes
metze

fix double free in error path
metze

add some useful debug messages, as not all LDAP
libraries support wrapping hooks...
metze

- make use of the ads_service_principal abstraction
also for the "GSSAPI" sasl mech.
- also use the ads_kinit_password() fallback logic
from the "GSS-SPNEGO" sasl mech.
metze

add one more fallback alternative to
construct the principal
metze

move gssapi/krb5 principal handling into a function
metze

fix logic for broken krb5 libs which always force
sign and seal...
metze

add support for krb5 sign and seal in LDAP via "GSS-SPNEGO"
metze

- make spnego_parse_auth_response() more generic and
not specific for NTLMSSP
- it's possible that the server sends a mechOID and authdata
if negResult != SPNEGO_NEG_RESULT_INCOMPLETE, but we still
force the mechOID to be present if negResult == SPNEGO_NEG_RESULT_INCOMPLETE
- send also the correct OID_KERBEROS5 not only the broken
OID_KERBEROS_OLD one.
metze

only setup sasl wrapping after a successful bind
metze

add gsskrb5 sign and seal support for LDAP connections
NOTE: only for the "GSSAPI" SASL mech yet
metze

add support for NTLMSSP sign and seal
NOTE: windows servers are broken with sign only...
metze

- always provide ads_setup_sasl_wrapping() function
- read/write returning 0 means EOF and we need to return directly
metze

move elements belonging to the current ldap connection to a
substructure.
metze

Jeremy.

* A little const
* Metze's fix for GSS-SPNEGO against Win2k3

replace all data_blob(NULL, 0) calls.

Merge the memory leak fix (with fix :-) to 3.0.25.
Jeremy.

the MIT gss libraries *SUCK*, move the frees to the end
of the function so MIT doesn't segfault.....
Add a comment so that another engineer knows why I did
this.
Jeremy.

in sasl bind. Wonder why coverity didn't find these?
Jeremy.

in the SPNEGO negTokenInit

Fix longstanding Bug #4009.
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".
Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).
Guenther

inside the #ifdef HAVE_KRB5

Compiled it on systems with and without LDAP, I hope it does not break the
build farm too badly. If it does, I'll fix it tomorrow.
Volker

Jeremy.

to do the upper layer directories but this is what
everyone is waiting for....
Jeremy.

smb_krb5_parse_name_norealm_conv that pull/push from unix charset
to utf8 (which krb5 uses on the wire). This should fix issues when
the unix charset is not compatible with or set to utf8.
Jeremy.

Sync with trunk as of r13315

patch.
Jeremy.

* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)

version to 3.0.20pre1

1. using smbc_getxattr() et al, one may now request all access control
entities in the ACL without getting all other NT attributes.
2. added the ability to exclude specified attributes from the result set
provided by smbc_getxattr() et al, when requesting all attributes,
all NT attributes, or all DOS attributes.
3. eliminated all compiler warnings, including when --enable-developer
compiler flags are in use. removed -Wcast-qual flag from list, as that
is specifically to force warnings in the case of casting away qualifiers.
Note: In the process of eliminating compiler warnings, a few nasties were
discovered. In the file libads/sasl.c, PRIVATE kerberos interfaces
are being used; and in libsmb/clikrb5.c, both PRIVATE and DEPRECATED
kerberos interfaces are being used. Someone who knows kerberos
should look at these and determine if there is an alternate method
of accomplishing the task.

using krb5

allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.

Jeremy.

heimdal; also initialize some pointers

valgrind winbindd with these in....
Jeremy.

metze