| Commit message | Author | Age | Files | Lines |

"status" was used uninitialized on success -- metze, please check

metze

bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.

The translate_name() used by cli_session_setup_spnego() cann rely
Winbindd since it is needed by the join process (and hence before
Winbind can be run).

and client fixes. Patch from Todd Stetcher <todd.stetcher@isilon.com>.

warnings
for clock-skew errors.
Guenther

The gss_import_name() broke as we switched from the internal MIT OID
"gss_nt_krb5_principal" to "GSS_KRB5_NT_PRINCIPAL_NAME" and didn't switch from
passing the krb5_principal (or better: a pointer to that, see MIT's "*HORRIBLE*
bug") to pass the string principal directly.
Jerry, Jeremy, neither I could figure out the need of passing in a
krb5_principal at all nor could I reproduce the crash you were seeing.
I successfully tested the code (now importing a string) with MIT 1.2.7, 1.3.6,
1.4.3, 1.5.1, 1.6.1 and Heimdal 0.7.2, 1.0, 1.0.1.
Guenther

Guenther

Guenther

in the
"not_defined_in_RFC4178@please_ignore" case to make at least LDAP SASL binds
succeed with windows server 2008.
Guenther

Heimdal doesn't accept all OIDs and gss_import_name() fails with
GSS_S_BAD_NAMETYPE using this one. Use the GSS_KRB5_NT_PRINCIPAL_NAME OID
instead (which works with at least MIT 1.6.1 and Heimdal 1.0.1).
Guenther

- with the "GSSAPI" sasl mech the plain, sign or seal negotiation
is independent from the req_flags and ret_flags
- verify the server supports the wrapping type we want
- better handling on negotiated buffer sizes
metze

metze

metze

libraries support wrapping hooks...
metze

also for the "GSSAPI" sasl mech.
- also use the ads_kinit_password() fallback logic
from the "GSS-SPNEGO" sasl mech.
metze

construct the principal
metze

metze

sign and seal...
metze

metze

metze

NOTE: only for the "GSSAPI" SASL mech yet
metze

NOTE: windows servers are broken with sign only...
metze

metze

substructure.
metze

Jeremy.

replace all data_blob(NULL, 0) calls.

because we try "GSS-SPNEGO" first and all windows version support
that.
metze

not specific for NTLMSSP
- it's possible that the server sends a mechOID and authdata
if negResult != SPNEGO_NEG_RESULT_INCOMPLETE, but we still
force the mechOID to be present if negResult == SPNEGO_NEG_RESULT_INCOMPLETE
metze

Merge the memory leak fix (with fix :-) to 3.0.25.
Jeremy.

doesn't support GSS-SPNEGO in SASL
can someone please review this, maybe it's also for 3.0.25
metze

the MIT gss libraries *SUCK*, move the frees to the end
of the function so MIT doesn't segfault.....
Add a comment so that another engineer knows why I did
this.
Jeremy.

in sasl bind. Wonder why coverity didn't find these ?
Jeremy.

in the SPNEGO negTokenInit

For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".
Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).
Guenther

as this is causing the WRONG_PASSWORD error in the SetUserInfo()
call during net ads join).
We are now back to always list RC4-HMAC first if supported by
the krb5 libraries.

As discussed with jerry at the CIFS conf: overriding the
administrator's wishes from the krb5.conf has only ever given me
segfaults. We suggest leaving this up to the defaults from the
libraries anyway.
Andrew Bartlett

inside the #ifdef HAVE_KRB5

Compiled it on systems with and without LDAP, I hope it does not break the
build farm too badly. If it does, I'll fix it tomorrow.
Volker

Jeremy.

to do the upper layer directories but this is what
everyone is waiting for....
Jeremy.

smb_krb5_parse_name_norealm_conv that pull/push from unix charset
to utf8 (which krb5 uses on the wire). This should fix issues when
the unix charset is not compatible with or set to utf8.
Jeremy.

Sync with trunk as of r13315

patch.
Jeremy.

* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)