path: root/source/libads
Commit message | Author | Age | Files | Lines
* Fix bug #7669. | Jeremy Allison | 2010-09-15 | 1 | -1/+3
  Fix bug #7669 (buffer overflow in sid_parse() in Samba3 and dom_sid_parse in Samba4).

  CVE-2010-3069:

  ===========
  Description
  ===========

  All current released versions of Samba are vulnerable to a buffer overrun vulnerability. The sid_parse() function (and related dom_sid_parse() function in the source4 code) do not correctly check their input lengths when reading a binary representation of a Windows SID (Security ID). This allows a malicious client to send a sid that can overflow the stack variable that is being used to store the SID in the Samba smbd server.

  A connection to a file share is needed to exploit this vulnerability, either authenticated or unauthenticated (guest connection).

  (cherry picked from commit df1c76e2275068d1006e82a4a21d42b58175268b)
* s3-kerberos: do not include authdata headers before including krb5 headers. | Günther Deschner | 2009-12-02 | 1 | -0/+1
  Guenther
* s3-kerberos: only use krb5 headers where required. | Günther Deschner | 2009-12-02 | 7 | -0/+8
  This seems to be the only way to deal with mixed heimdal/MIT setups during merged build.
  Guenther
* s3-kerberos: fix some build warnings when building against heimdal. | Günther Deschner | 2009-12-02 | 1 | -2/+2
  Guenther
* kerberos: fix some heimdal build warnings. | Günther Deschner | 2009-12-02 | 1 | -4/+4
  Guenther
* Add comment explaining the previous fix. | Jeremy Allison | 2009-04-22 | 1 | -0/+6
  Jeremy.
* Fix bug #6279 - winbindd crash. Cope with LDAP libraries returning LDAP_SUCCESS but not returning a result. | Jeremy Allison | 2009-04-22 | 1 | -0/+4
  Jeremy
* s3-krb5: Fix Coverity #762 (REVERSE_INULL). | Günther Deschner | 2009-03-20 | 1 | -6/+6
  Guenther
  (cherry picked from commit 97190ae184dff6450b1390c854f7426e2ee3f980)
* fix build on old Heimdal based systems | Björn Jacke | 2009-03-19 | 1 | -5/+3
  Signed-off-by: Günther Deschner <gd@samba.org>
  (cherry picked from commit 011ad7245d53a716c4c766f5ef8d317bb3a53d0f)
* Fix bug #6098 - When the DNS server is invalid, the ads_find_dc() does not work correctly with "security = domain" | Yasuma Takeda | 2009-02-11 | 1 | -2/+2
  1. If DNS server is invalid, the get_sorted_dc_list() is called with realm(FQDN) and it fails.
  2. On the next step, the get_sorted_dc_list() is called with realm(FQDN) again.

  I think "again" is wrong place. On the 2nd step, get_sorted_dc_list() should be called with realm(WORKGROUP).
* s3-spoolss: fix memleak in get_remote_printer_publishing_data(). | Günther Deschner | 2009-02-10 | 1 | -2/+8
  Guenther
* s3/libads: Change "ldap ssl:ads" parameter to "ldap ssl ads". | Karolin Seeger | 2009-02-05 | 1 | -1/+1
  This used to be commit 3f9daf43.
  Karolin
* fix bug #6073: prevent ads_connect() from using SSL unless explicitly requested | Michael Adam | 2009-01-29 | 1 | -3/+5
  This fixes "net ads join". It copes with the changed default "ldap ssl = start tls". A new boolean option "ldap ssl : ads" is added to allow for explicitly requesting ssl with ads.
  Michael
* ads_connect: Return immediately on a failed GC connection. | Gerald (Jerry) Carter | 2009-01-16 | 1 | -3/+14
  ads_connect_gc() feeds an explicit server to ads_connect(). However, if the resulting connection fails, the latter function was attempting to find a DC on its own and continuing the connection. This resulted in GC searches being sent over a connection using port 389 which would fail when using the base search suffix outside of the domain naming context.

  The fix is to fail immediately in ads_connect() since the GC lookup ordering is handled already in ads_connect_gc().

  (was commit 073e9f42f0c5f5de5d736ec7843d80a274c891ce in master)
* Fix more "ignore return value" warnings from gcc 4.3. | Jeremy Allison | 2008-12-30 | 1 | -9/+22
  Jeremy
* Fix more asprintf warnings and some error path errors. | Jeremy Allison | 2008-12-23 | 1 | -2/+10
  Jeremy.
* More asprintf warning fixes. | Jeremy Allison | 2008-12-23 | 3 | -8/+28
  Jeremy.
* More asprintf warning fixes. | Jeremy Allison | 2008-12-23 | 1 | -9/+18
  Jeremy.
* Fix more asprintf errors and error code paths. | Jeremy Allison | 2008-12-23 | 2 | -9/+31
  Jeremy.
* s3:libads/ldap.c: store the dc name in the saf cache as in all other places | Stefan Metzmacher | 2008-12-13 | 1 | -3/+2
  metze
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Günther Deschner <gd@samba.org>
  (cherry picked from commit 543fa85a711337e979c7b631bda5db95d109ef59)
  (cherry picked from commit 17efebde11eafd065c2cac39cdbe55b8d40d40be)
* s3:libads/ldap.c: if the client belongs to no site at all any dc is the closest | Stefan Metzmacher | 2008-12-13 | 1 | -0/+5
  metze
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Günther Deschner <gd@samba.org>
  (cherry picked from commit f86ef9b53a903485deba94febf90dd4e657cc02b)
  (cherry picked from commit a8040d59659e58c5cb92c1107a7ff012eff12729)
* s3:libads/ldap.c: pass the real workgroup name to get_dc_name() | Stefan Metzmacher | 2008-12-13 | 1 | -1/+10
  metze
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Günther Deschner <gd@samba.org>
  (cherry picked from commit c2d4a84abe1b6cbf68d6e9f1bb1f8974d0b628fc)
  (cherry picked from commit 2f27ffc4a2ba745341a5961b8f04e62da3fb089a)
* s3: libads: use get_dc_name() instead of get_sorted_dc_list() in the LDAP case | Stefan Metzmacher | 2008-12-13 | 1 | -1/+25
  We use get_dc_name() for LDAP because it generates the selfwritten krb5.conf with the correct kdc addresses and sets KRB5_CONFIG.

  For CLDAP we need to use get_sorted_dc_list() to avoid recursion.

  metze
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Günther Deschner <gd@samba.org>
  (cherry picked from commit d2f7f81f4d61bae9c4be65cbc1bf962b6c24a31f)
  (cherry picked from commit 7f779450cb0b0d9f36665c56c4acd0950daaeab2)
* s3: correctly detect if the current dc is the closest one | Stefan Metzmacher | 2008-12-13 | 1 | -1/+0
  ads->config.tried_closest_dc was never set.

  metze
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Günther Deschner <gd@samba.org>
  (cherry picked from commit dfe5b00db35e1e7c7bb3ba36729fc3f97eb48db3)
  (cherry picked from commit 588f5aae669910fee6da7f807f330163496b4170)
* Change sockaddr util function names for consistency and to eliminate name conflicts | Tim Prouty | 2008-12-03 | 1 | -3/+3
* s3-net: allow to list a keytab generated using net rpc vampire. | Günther Deschner | 2008-12-02 | 1 | -2/+5
  Guenther
  (cherry picked from commit c554080dd988791ec2db37c96ff7cc709b0ee6ab)
* libads/ldap.c: return an error instead of crashing when no realm is given | Stefan Metzmacher | 2008-11-24 | 1 | -4/+4
  The bug was triggered by "net ads info -S 127.8.7.6" (where 127.8.7.6 doesn't exist) and "disable netbios = yes".

  metze
  Signed-off-by: Michael Adam <obnox@samba.org>
* The IRIX compiler does not like embedded unnamed unions. | Günther Deschner | 2008-11-20 | 1 | -1/+1
* s3: fix all mailslot/nbt/cldap callers. | Günther Deschner | 2008-11-20 | 2 | -100/+21
  Guenther
* Fix extended DN parse error when AD object does not have a SID. | Steven Danneman | 2008-11-18 | 1 | -24/+38
  Some AD objects, like Exchange Public Folders, can be members of Security Groups but do not have a SID attribute. This patch adds more granular return errors to ads_get_sid_from_extended_dn(). Callers can now determine if a parse error occurred because of bad input, or the DN was valid but contained no SID.

  I updated all callers to ignore SIDless objects when appropriate.

  Also did some cleanup to the out paths of lookup_usergroups_memberof()
* Whitespace and >80 column cleanups. | Steven Danneman | 2008-11-18 | 1 | -12/+12
* Fix an unlikely memleak found by the IBM checker | Volker Lendecke | 2008-10-04 | 1 | -0/+2
* Fix an uninitialized variable found by the IBM Checker | Volker Lendecke | 2008-10-04 | 1 | -0/+1
* * Allow an admin to define the "uid" attribute for a RFC2307 | Gerald (Jerry) Carter | 2008-09-16 | 1 | -3/+12
  user object in AD to be the username alias.

  For example:

      $ net ads search "(uid=coffeedude)"
      distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
      sAMAccountName: gcarter
      memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
      memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
      memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
      memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
      uid: coffeedude
      uidNumber: 10000
      gidNumber: 10000
      unixHomeDirectory: /home/gcarter
      loginShell: /bin/bash

      $ ssh coffeedude@192.168.56.91
      Password:

      coffeedude@orville:~$ id
      uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)

      $ getent passwd PINK\\gcarter
      coffeedude:*:10000:10000::/home/gcarter:/bin/bash

      $ getent passwd coffeedude
      coffeedude:*:10000:10000::/home/gcarter:/bin/bash

      $ getent group PINK\\Unixusers
      PINK\unixusers:x:10000:coffeedude
* kerberos: fix indent of enc type lines in generated krb5.conf files. | Günther Deschner | 2008-09-04 | 1 | -3/+3
  Guenther
  (cherry picked from commit 18a26f08b6fab4119a1421a7ca59c32dde8bb8cb)
* kerberos: use KRB5_KT_KEY macro where appropriate. | Günther Deschner | 2008-08-29 | 1 | -9/+2
  Guenther
  (cherry picked from commit a042dffd7121bda3dbc9509f69fcfae06ed4cc22)
* libads: remove unused vars. | Günther Deschner | 2008-08-20 | 1 | -3/+0
  Guenther
  (cherry picked from commit ea9fc3bea31b11e715d9524defc18b75e5943842)
* Fix uninitialized variables. | Jeremy Allison | 2008-07-30 | 1 | -0/+1
  Jeremy.
* kerberos: make smb_krb5_kt_add_entry() static. | Günther Deschner | 2008-07-18 | 1 | -6/+6
  Guenther
* Revert "Pass NULL to gencache_get when we are not interested in the timeout value" | Volker Lendecke | 2008-07-11 | 1 | -1/+2
  This reverts commit 16062dfc3dcc8f1ca0024a3ae21effb889c7ffc0.
* Pass NULL to gencache_get when we are not interested in the timeout value | Volker Lendecke | 2008-07-03 | 1 | -2/+1
* kerberos: allow to keep entries with old kvno's while creating keytab. | Günther Deschner | 2008-06-30 | 1 | -2/+4
  Guenther
* kerberos: rename smb_krb5_kt_add_entry to smb_krb5_kt_add_entry_ext. | Günther Deschner | 2008-06-30 | 1 | -25/+39
  Guenther
* Return NULL in sitename_fetch() if gencache_init() fails. Not false | Gerald W. Carter | 2008-06-28 | 1 | -1/+1
* libads: Add API call to connect to a global catalog server. | Gerald W. Carter | 2008-06-27 | 1 | -5/+140
  Extends ads_connect() to a new call ads_connect_gc() which connects on port 3268 rather than port 389. Also makes ads_try_connect() static and only used internally to ldap.c
* libads: add ads_connect_user_creds() that won't overwrite given user creds. | Günther Deschner | 2008-06-24 | 1 | -0/+12
  Guenther
* libads: add ADS_AUTH_USER_CREDS to avoid magic overwriting of usernames. | Günther Deschner | 2008-06-24 | 1 | -0/+6
  Guenther
* kerberos: make smb_krb5_kt_add_entry public, allow to pass keys without salting them. | Günther Deschner | 2008-06-24 | 2 | -7/+11
  Guenther
* libads: add ads_get_machine_kvno() to make ads_get_kvno() a bit more generic. | Günther Deschner | 2008-06-17 | 2 | -12/+34
  Guenther
* libads: fix logic error in ads_get_kvno(). | Günther Deschner | 2008-06-17 | 1 | -1/+1
  Guenther