| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
hardcoded into it.
This didn't matter, as we only use it for 'member' so far...
Andrew Bartlett
|
|
|
|
|
|
| |
memory keytab code which has no effect. Driven by bug report from
"Rob J. Caskey" <rcaskey@uga.edu>.
Jeremy.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
domains, this patch ensures that we always use the ADS backend when
security=ADS, and the remote server is capable.
The routines used for this behaviour have been upgraded to modern Samba
codeing standards.
This is a change in behaviour for mixed mode domains, and if the trusted
domain cannot be reached with our current krb5.conf file, we will show
that domain as disconnected.
This is in line with existing behaviour for native mode domains, and for
our primary domain.
As a consequence of testing this patch, I found that our kerberos error
handling was well below par - we would often throw away useful error
values. These changes move more routines to ADS_STATUS to return
kerberos errors.
Also found when valgrinding the setup, fix a few memory leaks.
While sniffing the resultant connections, I noticed we would query our
list of trusted domains twice - so I have reworked some of the code to
avoid that.
Andrew Bartlett
|
|
|
|
|
|
|
|
|
|
| |
but security=ADS, we would attempt to free the principal name that krb5
never allocated.
Also fix the dump_data() of the session key, now that we use a data_blob to
store that.
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
| |
could reproduce it, I would fix it, but for now just make sure we always
SAFE_FREE() and set our starting pointers to NULL.
Andrew Bartlett
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
rpc_parse/parse_lsa.c:
nsswitch/winbindd_rpc.c:
nsswitch/winbindd.h:
- Add const
libads/ads_ldap.c:
- Cleanup function for use
nsswitch/winbindd_ads.c:
- Use new utility function ads_sid_to_dn
- Don't search for 'dn=', rather call the ads_search_retry_dn()
nsswitch/winbindd_ads.c:
include/rpc_ds.h:
rpc_client/cli_ds.c:
- Fixup braindamage in cli_ds_enum_domain_trusts():
- This function was returning a UNISTR2 up to the caller, and
was doing nasty (invalid, per valgrind) things with memcpy()
- Create a new structure that represents this informaiton in a useful way
and use talloc.
Andrew Bartlett
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This introduces range retrieval of ADS attributes.
VL rewrote most of Günther's patch, partly to remove code duplication and
partly to get the retrieval of members in one rush, not interrupted by the
lookups for the DN.
I rewrote that patch, to ensure that we can keep an eye on the USN
(sequence number) of the entry - this allows us to ensure the read was
atomic.
In particular, the range retrieval is now generic, for strings. It
could easily be made generic for any attribute type, if need be.
Andrew Bartlett
|
|
|
|
|
|
| |
function with one that compiles.
Andrew Bartlett
|
|
|
|
| |
Andrew Bartlett
|
|
|
|
| |
Volker
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This introduces range retrieval of ADS attributes.
I've rewritten most of Günther's patch, partly to remove code duplication and
partly to get the retrieval of members in one rush, not interrupted by the
lookups for the DN.
Andrew, you told me that you would like to see a check whether the AD sequence
number is the same before and after the retrieval to achieve atomicity. This
would be trivial to add, but I'm not sure that we want this, as this adds two
roundtrips to every membership query. We can not know before the first query
whether we get additional range values, and at that point it's too late to ask
for the USN.
Tested with a group of 4000 members along with lots of small groups.
Volker
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Fill in the 'backup' idea of a domain, if the DC didn't supply one. This
doesn't seem to occour in reality, hence why we missed the typo.
lib/charcnv.c:
lib/smbldap.c:
libads/ldap.c:
libsmb/libsmbclient.c:
printing/nt_printing.c:
- all the callers to pull_utf8_allocate() pass a char ** as the first
parammeter, so don't make them all cast it to a void **
nsswitch/winbind_util.c:
- Allow for a more 'correct' view of when usernames should be qualified
in winbindd. If we are a PDC, or have 'winbind trusted domains only',
then for the authentication returns stip the domain portion.
- Fix valgrind warning about use of free()ed name when looking up our
local domain. lp_workgroup() is maniplated inside a procedure that
uses it's former value. Instead, use the fact that our local domain is
always the first in the list.
Andrew Bartlett
|
|
|
|
|
| |
re-used, rather than created from scratch.
Jeremy.
|
|
|
|
| |
Volker
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures...
|
|
|
|
|
|
| |
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at
all and I really want to discourage that.
Jeremy.
|
| |
|
|
|
|
| |
down; bug 437
|
|
|
|
|
|
| |
to/from utf8 for some calls. The libads code gets this right. Wonder why
the passdb code doesn't use it ?
Jeremy.
|
|
|
|
|
|
|
| |
already have ads_search_retry() for this. However, neither
domain_sid() nor sequence_nunber() used this function. So modify
them to us ads_do_search_retry() so we can specify the base search
DN and scope.
|
|
|
|
|
|
|
| |
keytab support code, but it won't be enabled until we add that to smb.conf.
Adapted from the work of Guenther Deschner (gd@suse.com).
Please hammer on this...
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
- Make winbindd try to use kerberos for connections to DCs, so that it can
access RA=2 servers, particularly for netlogon.
- Make rpcclient follow the new flags for the NETLOGON pipe
- Make all the code that uses schannel use the centralised functions for doing so.
Andrew Bartlett
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Currently I'm compiling against MIT Kerberos 1.2.8.
Anthony, you said you have a heimdal installation available. Could you
please compile this stuff with krb and check it with valgrind?
Thanks,
Volker
|
|
|
|
|
|
|
| |
auth.realm. So directly pass that instead of setting up and tearing
down the ADS_STRUCT.
Volker
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* use DsEnumerateDomainTrusts() instead of LDAP search.
wbinfo -m now lists all trusted downlevel domains and
all domains in the forest.
Thnigs to do:
o Look at Krb5 connection trusted domains
o make sure to initial the trusted domain cache as soon
as possible
|
|
|
|
| |
Jeremy.
|
|
|
|
| |
Jeremy
|
|
|
|
|
| |
is not multi-process safe.
Jeremy.
|
|
|
|
|
|
|
| |
KRB5_BAD_ENCTYPE.
Heimdal has the latter, not the former.
Jeremy.
|
|
|
|
|
|
|
| |
it's a different rc than KRB5_BAD_ENCTYPE (which exists on both MIT and
Heimdal). This will just make the debug show up at level 3 always.
Jeremy, you may want to revisit this, but it's probably not worth the hassle.
|
|
|
|
| |
Jeremy.
|
|
|
|
|
|
|
|
|
| |
Server code *should* also work (I'll check shortly). May be the odd memory
leak. Problem was we (a) weren't setting signing on in the client krb5 sessionsetup
code (b) we need to ask for a subkey... (c). The client and server need to
ask for local and remote subkeys respectively.
Thanks to Paul Nelson @ Thursby for some sage advice on this :-).
Jeremy.
|
| |
|
| |
|
|
|
|
|
| |
the incoming addresses....
Jeremy.
|
| |
|
|
|
|
| |
treating the returned message id as an error code.
|
|
|
|
|
|
|
| |
strupper_m/strlower_m.
I really want people to think about when they're using multibyte strings.
Jeremy.
|
|
|
|
|
|
|
|
|
| |
published printers.
At the moment we don't search using any parameters but this can be
fixed by changing the LDAP search string. Also we should contact
the global catalog at SRV _gc._tcp instead of the ldap server we
get back from ads_startup().
|
| |
|
| |
|
|
|
|
|
| |
* check negative connection cache before ads_try_connect()
in ads_find_dc()
|