| Commit message (Collapse) | Author | Age | Files | Lines |
| |
instead of char *, which matches what samba4 has.
Fix all the callers to prevent compiler warnings.
This essentially ports r22001 from SAMBA_3_0 to SAMBA_3_0_26.
There are a few additional type cast corrections.
| |
replace all data_blob(NULL, 0) calls.
| |
The background behind this patch is that we're using ntlm_auth with
Wine. Windows allows us to pass in a NULL domain and a username of the
form of "user@domain" and this is converted into an NTLMSSP_AUTH packet
with a NULL domain name and a username of the same form.
Jeremy.
| |
Fix longstanding Bug #4009.
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".
Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).
Guenther
| |
stable branch
* Also include pam_winbind changes for multiple groups in the
require-membership-of parameter
| |
the username by forcing it to be specified. Still
split out domain \ user for the ones that do use
it.
Jeremy.
| |
domain and user args. if only given a parameter of the
form --username DOMAIN\user. When called by firefox
or other user apps they may not know what the domain
is (and they don't care). They just want to pass the
contents of $USERNAME without having to parse it
or guess a domain.
Jeremy.
| |
call ntlmssp_end on a null pointer ! (Doh !).
Jeremy.
| |
winbindd server
| |
kerberos_kinit_password_ext provides access to more options.
Guenther
| |
macro which sets the freed pointer to NULL.
| |
Sync with trunk as of r13315
| |
lp_load() could not be called multiple times to modify parameter settings based
on reading from multiple configuration settings. Each time, it initialized all
of the settings back to their defaults before reading the specified
configuration file.
This patch adds a parameter to lp_load() specifying whether the settings should
be initialized. It does, however, still force the settings to be initialized
the first time, even if the request was to not initialize them. (Not doing so
could wreak havoc due to uninitialized values.)
| |
What I'd give for a global constructor...
Jeremy.
| |
logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes
the auth module interface to 2 (from 1). The effect of this is
that clients can access resources as a machine account if they
set these flags. This is the same as Windows (think of a VPN
where the VPN client authenticates itself to a VPN server
using machine account credentials - the VPN server checks
that the machine password was valid by performing a machine
account check with the PDC in the same way as it would a
user account check). I may add in a restriction (parameter)
to allow this behaviour to be turned off (as it was previously).
That may be on by default.
Andrew Bartlett please review this change carefully.
Jeremy.
| |
Jeremy.
| |
x86_64 box.
Jeremy.
| |
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
| |
Volker
| |
safe for using our headers and linking with C++ modules. Stops us
from using C++ reserved keywords in our code.
Jeremy
| |
* add synonym for idmap_rid in better lining with
other idmap backend names
* remove old debug messages when idmap {uid|gid} options
are not defined
| |
allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
| |
<nalin@redhat.com>
for bug #1717. The rest of the code needed to call this patch has not yet been
checked in (that's my next task). This has not yet been tested - I'll do this
once the rest of the patch is integrated.
Jeremy.
| |
Jeremy.
| |
'..' from all #include preprocessor commands. This fixes bugzilla #1880
where OpenVMS gets confused about the '.' characters.
| |
naming of the require_membership_of parameter in pam_winbind and fix
the error code for 'you didn't specify a domain' in ntlm_auth.
Andrew Bartlett
| |
Andrew Bartlett
| |
Andrew Bartlett
| |
On systems with /dev/urandom, this avoids a change to secrets.tdb for every fork().
For other systems, we now only re-seed after a fork, and on startup.
No need to do it per-operation. This removes the 'need_reseed'
parameter from generate_random_buffer().
Andrew Bartlett
| |
DEBUG() about it.
Andrew Bartlett
| |
client now falls back to NTLMSSP, and the server allows the client to
start, without first asking for a mech list.
Andrew Bartlett
| |
jwilk@alumni.cse.ucsc.edu
Andrew Bartlett
| |
there is SYS_utimes syscall defined at compile time in glibc-kernheaders but
it is available on 2.6 kernels only. Therefore, we can't rely on syscall at
compile time but have to check that behaviour during program execution. An easy
workaround is to have replacement for utimes() implemented within our wrapper and
do not rely on syscall at all. Thus, if REPLACE_UTIME is defined already (by packager),
skip these syscall shortcuts.
| |
there is now a public patch that uses it, make it always available.
(It was #ifdef DEVELOPER)
Andrew Bartlett
| |
(allow the use of base64 encoded strings, LM or NT passwords)
Andrew Bartlett
| |
server had said something (such as an error).
Andrew Bartlett
| |
This protocol looks rather like SMTP headers/LDAP:
NT-Domain: TESTWG
Username: abartlet
...
Password: foo
Challenge-response passwords are in hexadecimal, while any 'plain'
string can be base64 encoded when like this:
Password:: Zm9vCg==
(the :: indicates it, just like LDAP - I hope)
The protocol is not final, so it is #ifdef DEVELOPER for now (so
nobody starts to rely on it until I'm happy), but we may as well get
this into subversion.
My intention is to use this to power the next version of my
PPP/ntlm_auth plugin, and hopefully entice a FreeRadius plugin out of
the woods.
Andrew Bartlett
| |
the main ntlm_auth program.
It quite possibly should belong in smbtorture, but relies on the
winbind client for now.
Andrew Bartlett
| |
this variable to 'user_session_key', where possible. The command line
parameter is currently unchanged).
Andrew Bartlett
| |
Andrew Bartlett
| |
*ANYTHING* in
unless you have done a make clean; make.
Jeremy.
| |
all authentication to members of this particular group.
Also implement an option to allow ntlm_auth to get 'squashed' error codes,
which are safer to communicate to remote network clients.
Andrew Bartlett
| |
key could
be anything, and may not be based on anything 'NT'. This is also what Microsoft
calls it.
| |
to checkout try this:
svn co svn+ssh://svn.samba.org/home/svn/samba/branches/SAMBA_3_0 samba-3_0-work
metze
|
metze