| Commit message | Author | Age | Files | Lines |
|
Guenther
|
Guenther
|
Hi Jason,
Jason Haar wrote:
> Patched 3.0.28, compiled, installed and here's the log file.
>
> Hope it helps. BTW I don't think it matters, but this is on 32bit
> CentOS4.5 systems.
yes, it helps. Thanks for that.
Very interesting, there are two auth data structures where the first one
is a PAC and the second something unknown (yet).
Can you please try the attached fix? It should make it work again.
Guenther
--
Günther Deschner GPG-ID: 8EE11688
Red Hat gdeschner@redhat.com
Samba Team gd@samba.org
|
No more temptations to use static length strings.
Jeremy.
|
This is the last obvious change I can see. At
this point we can start claiming IPv6 support
(Hurrah !:-).
Jeremy.
|
to struct sockaddr_storage in most places that matter (ie.
not the nmbd and NetBIOS lookups). This passes make test
on an IPv4 box, but I'll have to do more work/testing on
IPv6 enabled boxes. This should now give us a framework
for testing and finishing the IPv6 migration. It's at
the state where someone with a working IPv6 setup should
(theoretically) be able to type :
smbclient //ipv6-address/share
and have it work.
Jeremy.
|
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
|
Jeremy.
|
Guenther
|
Guenther
|
Guenther
|
Thanks Volker for the pointer hint :)
Guenther
|
Guenther
|
Guenther
|
the tgt
string ourselves.
Guenther
|
We were incorrectly using the renew_till timestamp instead of the renewed
ticket's endtime to calculate the next refreshing date.
Guenther
|
NTSTATUS
codes directly out of the krb5_error edata.
Guenther
|
Guenther
|
call as smb_krb5_locate_kdc to prevent incorrect linking
and crashes on Solaris.
Jeremy.
|
Jeremy.
|
to return a NT_STATUS_TIME_DIFFERENCE_AT_DC error to
a client when there's clock skew. Will help people
debug this. Prepare us for being able to return the
correct sessionsetupX "NT_STATUS_MORE_PROCESSING_REQUIRED"
error with associated krb5 clock skew error to allow
clients to re-sync time with us when we're eventually
able to be a KDC.
Jeremy.
|
calling convention in the latest MIT changes. Apparently Heimdal
is also changing to this calling convention.
|
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".
Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).
Guenther
|
Guenther
|
as this is causing the WRONG_PASSWORD error in the SetUserInfo()
call during net ads join).
We are now back to always list RC4-HMAC first if supported by
the krb5 libraries.
|
As discussed with jerry at the CIFS conf: overriding the
administrator's wishes from the krb5.conf has only ever given me
segfaults. We suggest leaving this up to the defaults from the
libraries anyway.
Andrew Bartlett
|
Guenther
|
metze
|
metze
|
x, so we can't get at them even if we wanted to.
Kerberos experts, please take a look to make sure I've done the
right thing!
|
metze
|
to do the upper layer directories but this is what
everyone is waiting for....
Jeremy.
|
Guenther
|
This patch is mainly based on the work of Todd Stecher
<tstecher@isilon.com> and has been reviewed by Jeremy.
I successfully tested and valgrinded it with MIT 1.4.3, 1.3.5, Heimdal
0.7.2 and 0.6.1rc3.
Guenther
|
* Fix the build without kerberos headers
* Fix memleak in the krb5_address handling
Guenther
|
kerberized pam_winbind and workstation restrictions are in effect.
The krb5 AS-REQ needs to add the host netbios-name in the address-list.
We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from
the edata of the KRB_ERROR but the login at least fails when the local
machine is not in the workstation list on the DC.
Guenther
|
Jeremy.
|
smb_krb5_parse_name_norealm_conv that pull/push from unix charset
to utf8 (which krb5 uses on the wire). This should fix issues when
the unix charset is not compatible with or set to utf8.
Jeremy.
|
Guenther
|
Sync with trunk as of r13315
|
area of code needs to be reworked later on.
Guenther
|
does an implicit open/read/close and blows away an
open keytab handle - so make sure we use a new
handle.
Wonderful analysis from Luke <ldeller@xplantechnology.com>
helped fix this.
Jeremy.
|
ticket was encrypted using a DES key (and the Windows KDC still puts
CKSUMTYPE_HMAC_MD5_ARCFOUR in the PAC).
In that case, return to old behaviour and ignore the PAC.
Thanks to Chengjie Liu <chengjie.liu@datadomain.com>.
Guenther
|