| Commit message | Author | Age | Files | Lines |
| |
to restructure libsmb/smb_signing.c so it isn't in
the base libs path but lives in libsmb instead (like
smb_seal.c does).
Jeremy.
| |
Jeremy.
| |
doesn't
make sense as long as it doesn't work as an lp_unload().
Guenther
| |
the MIT gss libraries *SUCK*, move the frees to the end
of the function so MIT doesn't segfault.....
Add a comment so that another engineer knows why I did
this.
Jeremy.
| |
in sasl bind. Wonder why coverity didn't find these?
Jeremy.
| |
to return a NT_STATUS_TIME_DIFFERENCE_AT_DC error to
a client when there's clock skew. Will help people
debug this. Prepare us for being able to return the
correct sessionsetupX "NT_STATUS_MORE_PROCESSING_REQUIRED"
error with associated krb5 clock skew error to allow
clients to re-sync time with us when we're eventually
able to be a KDC.
Jeremy.
| |
Volker
| |
Not used
yet, the next step will be a secrets_fetch_machine_account() function that
also pulls the account name to be used in the appropriate places.
Volker
| |
This is a starting point and may get changed. Basically we need to follow the
exact same path to detect (K)DCs like other Samba tools/winbind do. In
particular with regard to the server affinity cache and the site-awareness for
DNS SRV lookups.
To compile just call "make bin/smb_krb5_locator.so", copy to
/usr/lib/plugin/krb5/ (Heimdal HEAD) or /usr/lib/krb5/plugins/libkrb5/ (MIT)
and you should immediately be able to kinit to your AD domain without having
your REALM with kdc or kpasswd directives defined in /etc/krb5.conf at all.
Tested with today's Heimdal HEAD and MIT krb5 1.5.
Guenther
| |
calling convention in the latest MIT changes. Apparently Heimdal
is also changing to this calling convention.
| |
Jeremy.
| |
Coverity finds them :-)
Jeremy.
| |
Fix escaping of DN components and filters around the code
Add some notes to commandline help messages about how to pass DNs
revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was
incorrect.
The 2 functions use DNs in different ways.
- lookup_usergroups_member() uses the DN in a search filter,
and must use the filter escaping function to escape it
Escaping filters that include escaped DNs ("\," becomes "\5c,") is the
correct way to do it (tested against W2k3).
- lookup_usergroups_memberof() instead uses the DN ultimately as a base dn.
Both functions do NOT need any DN escaping function as DNs can't be reliably
escaped when in a string form, instead each single RDN value must be escaped
separately.
DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as
they come already escaped on the wire and passed as is by the ldap libraries.
DN filtering has been tested.
For example now it is possible to do something like:
'net ads add user joe#5' as now the '#' character is correctly escaped when
building the DN, previously such a call failed with Invalid DN Syntax.
Simo.
| |
directly after another.
Guenther
| |
Guenther
| |
Guenther
| |
Guenther
| |
Guenther
| |
Guenther
| |
in the SPNEGO negTokenInit
| |
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".
Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).
Guenther
| |
Guenther
| |
Guenther
| |
as this is causing the WRONG_PASSWORD error in the SetUserInfo()
call during net ads join).
We are now back to always list RC4-HMAC first if supported by
the krb5 libraries.
| |
Guenther
| |
Guenther
| |
This allows a provider to supply the homedirectory, etc...
attributes for a user without requiring support in core
winbindd code. The idmap_ad.c module has been modified
to provide the idmap 'ad' library as well as the rfc2307 and sfu
"winbind nss info" support.
The SID/id mapping is working in idmap_ad but the nss_info
still has a few quirks that I'm in the process of resolving.
| |
close Guenther, then you forgot to use "key" :-) :-).
Jeremy.
| |
the stored client sitename with the sitename from each successful CLDAP
connection.
Guenther
| |
less DNS query. This speeds up offline detection slightly.
Guenther
| |
ask for the list of DCs twice.
Guenther
| |
site support in a network where many DCs are down.
I heard via Volker there is still a bug w.r.t the
wrong site being chosen with trusted domains but
we'll have to layer that fix on top of this.
Gd - complain if this doesn't work for you.
Jeremy.
| |
non-existing krb5 credential cache should not generate an error.
Guenther
| |
so apps will know which one to look for,
| |
As discussed with jerry at the CIFS conf: overriding the
administrator's wishes from the krb5.conf has only ever given me
segfaults. We suggest leaving this up to the defaults from the
libraries anyway.
Andrew Bartlett
| |
This gives much nicer error messages when failing to join due to clock
skew.
Guenther
| |
* Fix DNS updates for multi-homed hosts
* Child domains often don't have an NS record in
DNS so we have to fall back to looking up the NS
records for the forest root.
* Fix compile warning caused by mismatched 'struct in_addr'
and 'in_addr_t' parameters called to DoDNSUpdate()
| |
inside the #ifdef HAVE_KRB5
| |
Volker
| |
Directory:
When having DC-less sites, AD assigns DCs from other sites to that site
that does not have its own DC. The most reliable way for us to identify
the nearest DC - in that and all other cases - is the closest_dc flag in
the CLDAP reply.
Guenther
| |
<david.hu@hp.com>. Fixes #4212.
Guenther
| |
along with some memleaks.
Guenther
| |
Guenther
| |
statement.
Guenther
| |
does not exist.
Guenther
| |
Guenther
| |
Guenther
| |
Guenther