Stefan Metzmacher [Fri, 1 Aug 2008 16:15:11 +0000 (18:15 +0200)]
heimdal: add experimental --enable-external-heimdal
This should only be used for testing and when you're
absolutly sure the installed heimdal libraries
support the features we need.
(E.g. heimdal-1.2 or lower should NOT work)
metze
Stefan Metzmacher [Fri, 1 Aug 2008 17:30:16 +0000 (19:30 +0200)]
libreplace: include <krb5.h> and <com_err.h> and no heimdal specific headers
metze
Stefan Metzmacher [Fri, 1 Aug 2008 17:29:08 +0000 (19:29 +0200)]
auth/kerberos: remove dependencies to internal heimdal
metze
Stefan Metzmacher [Fri, 1 Aug 2008 17:24:09 +0000 (19:24 +0200)]
heimdal_build/internal: add some useful defines
metze
Stefan Metzmacher [Fri, 1 Aug 2008 18:27:38 +0000 (20:27 +0200)]
heimdal: fix dependency
metze
Stefan Metzmacher [Fri, 1 Aug 2008 17:23:29 +0000 (19:23 +0200)]
lib/crypto: remove dependency to internal heimdal
metze
Stefan Metzmacher [Fri, 1 Aug 2008 18:15:52 +0000 (20:15 +0200)]
build: remove warning about missing generated include file
metze
Jelmer Vernooij [Fri, 1 Aug 2008 18:47:22 +0000 (20:47 +0200)]
Move domain DN determination out of newuser function.
Jelmer Vernooij [Fri, 1 Aug 2008 18:47:03 +0000 (20:47 +0200)]
Actually fix missing substitution variables.
Jelmer Vernooij [Fri, 1 Aug 2008 18:17:56 +0000 (20:17 +0200)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into manpage
Jelmer Vernooij [Fri, 1 Aug 2008 18:17:29 +0000 (20:17 +0200)]
Fix some forgotten substitute variables in provision, add check to prevent this sort of regression in the future.
Stefan Metzmacher [Fri, 1 Aug 2008 15:24:24 +0000 (17:24 +0200)]
kdc: use mostly only public kerberos headers
We shoule avoid using the private heimdal function
_krb5_principalname2krb5_principal()
metze
Stefan Metzmacher [Fri, 1 Aug 2008 14:59:40 +0000 (16:59 +0200)]
auth/kerberos: we don't need to include heimdal private headers
metze
Stefan Metzmacher [Fri, 1 Aug 2008 14:58:01 +0000 (16:58 +0200)]
gensec_gssapi: include <gssapi/gssapi.h>
metze
Stefan Metzmacher [Fri, 1 Aug 2008 14:57:00 +0000 (16:57 +0200)]
heimdal_build: we should only use PRIVATE_DEPENDENCIES
metze
Stefan Metzmacher [Fri, 1 Aug 2008 14:53:52 +0000 (16:53 +0200)]
build: autogenerate heimdal basics
metze
Stefan Metzmacher [Fri, 1 Aug 2008 14:52:12 +0000 (16:52 +0200)]
build: autogenarate VPATH by configure
metze
Stefan Metzmacher [Fri, 1 Aug 2008 15:49:07 +0000 (17:49 +0200)]
heimdal: add missing files
metze
Stefan Metzmacher [Fri, 1 Aug 2008 15:22:54 +0000 (17:22 +0200)]
auth_server: set the workstation name
metze
Stefan Metzmacher [Fri, 1 Aug 2008 15:21:57 +0000 (17:21 +0200)]
heimdal: add missing file heimdal/lib/gssapi/mech/gss_pseudo_random.c
metze
Stefan Metzmacher [Fri, 1 Aug 2008 09:17:48 +0000 (11:17 +0200)]
build with the new heimdal version
Stefan Metzmacher [Fri, 1 Aug 2008 05:08:51 +0000 (07:08 +0200)]
heimdal: update to lorikeet-heimdal rev 801
metze
Stefan Metzmacher [Fri, 1 Aug 2008 09:16:14 +0000 (11:16 +0200)]
build: allow flex-2.34 together with bison-2.3
metze
Stefan Metzmacher [Fri, 1 Aug 2008 14:10:06 +0000 (16:10 +0200)]
auth/ntlmssp: don't crash when the backend give no challenge
metze
Stefan Metzmacher [Fri, 1 Aug 2008 13:53:01 +0000 (15:53 +0200)]
auth_server: fix the logic of server_get_challenge()
metze
Stefan Metzmacher [Fri, 1 Aug 2008 13:19:27 +0000 (15:19 +0200)]
auth_server: fix segfault reported by Julien Kerihuel <j.kerihuel@openchange.org>
metze
Stefan Metzmacher [Fri, 1 Aug 2008 07:20:46 +0000 (09:20 +0200)]
Revert "Start implementind domain trusts in our KDC."
This reverts commit
736ce50afd9da9b5fbc3db777fd5341dfa4b721a.
This breaks the build...
metze
Andrew Bartlett [Thu, 31 Jul 2008 13:17:20 +0000 (23:17 +1000)]
Update to a working trustAuthIncoming and trustAuthOutgoing parser.
This is based on the docs, as well as testing against a domain trust
in windows.
Clearly it needs to be more general - perhaps a non IDL parser?
Andrew Bartlett
Andrew Bartlett [Thu, 31 Jul 2008 11:23:48 +0000 (21:23 +1000)]
Print trustAuthOutgoing and trustAuthIncoming in RPC-DSSYNC
Andrew Bartlett [Thu, 31 Jul 2008 00:51:59 +0000 (10:51 +1000)]
Use the cldap reply to avoid segfaulting in RPC-DSSYNC
Also don't fail the test if the server does not implement the NT4
changelog.
Andrew Bartlett
Andrew Bartlett [Wed, 30 Jul 2008 23:07:57 +0000 (09:07 +1000)]
Don't fail if the domain has a trust already.
Andrew Bartlett
Andrew Bartlett [Wed, 30 Jul 2008 21:48:16 +0000 (07:48 +1000)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-local
Andrew Bartlett [Wed, 30 Jul 2008 21:47:01 +0000 (07:47 +1000)]
Start implementind domain trusts in our KDC.
Andrew Bartlett
Andrew Bartlett [Wed, 30 Jul 2008 21:45:30 +0000 (07:45 +1000)]
Update trustAuthInOutBlob in line with MS-ADTS 7.1.6.8.1
Jelmer Vernooij [Wed, 30 Jul 2008 11:29:29 +0000 (13:29 +0200)]
Be more pythonic.
Stefan Metzmacher [Mon, 28 Jul 2008 15:59:17 +0000 (17:59 +0200)]
Revert "gensec_gssapi: use gsskrb5_get_subkey() to make smb2 signing with aes keys work"
This reverts commit
73964f069056f46f2f27fc690e42e5c91ae1fe19.
This breaks more than it gains:-( It seems to break the ncacn_np session key
metze
Stefan Metzmacher [Mon, 28 Jul 2008 14:40:21 +0000 (16:40 +0200)]
rpc_server: remove unused variable
metze
Stefan Metzmacher [Mon, 28 Jul 2008 14:11:30 +0000 (16:11 +0200)]
gensec_gssapi: use gsskrb5_get_subkey() to make smb2 signing with aes keys work
SMB signing with aes doesn't work, but still works with
arcfour-hmac-md5, des-cbc-md5 and des-cbc-crc.
metze
Stefan Metzmacher [Mon, 28 Jul 2008 13:49:46 +0000 (15:49 +0200)]
libcli/smb2: the session key for SMB2 signing is truncated to 16 bytes
To make that work (as a client) with aes128 and aes256 krb5 keys
we need to use gsskrb5_get_subkey().
metze
Stefan Metzmacher [Mon, 9 Jun 2008 19:57:05 +0000 (21:57 +0200)]
smb2srv: sign SMB2 Logoff replies
metze
Stefan Metzmacher [Mon, 9 Jun 2008 19:45:19 +0000 (21:45 +0200)]
smb2srv: correctly hold the signing state per session
metze
Stefan Metzmacher [Mon, 9 Jun 2008 19:57:41 +0000 (21:57 +0200)]
libcli/smb2: fix per session signing state
metze
Stefan Metzmacher [Mon, 9 Jun 2008 19:41:55 +0000 (21:41 +0200)]
SMB2-CONNECT: remove reference to req->session before calling smb2_logoff_recv() on the invalid session
metze
Stefan Metzmacher [Mon, 9 Jun 2008 19:41:06 +0000 (21:41 +0200)]
libcli/smb2: sign SMB2 Logoff requests
metze
Andrew Bartlett [Mon, 28 Jul 2008 10:51:02 +0000 (20:51 +1000)]
We don't use EXTENSIBLEOBJECT any more.
Andrew Bartlett [Mon, 28 Jul 2008 10:26:14 +0000 (20:26 +1000)]
Make it even clearer what to do next in the LDAP backend setup
Andrew Bartlett [Mon, 28 Jul 2008 10:18:17 +0000 (20:18 +1000)]
Always print the slapd startup command
Andrew Bartlett [Mon, 28 Jul 2008 08:39:37 +0000 (18:39 +1000)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-abartlet
Stefan Metzmacher [Mon, 28 Jul 2008 07:29:42 +0000 (09:29 +0200)]
auth/credentials: explain why we need to the enctypes for the gssapi layer
metze
Andrew Bartlett [Sun, 27 Jul 2008 22:04:43 +0000 (08:04 +1000)]
Remove unused variable
Andrew Bartlett [Sun, 27 Jul 2008 22:04:15 +0000 (08:04 +1000)]
Remove unused function and make sensitive directories private.
Andrew Bartlett [Sun, 27 Jul 2008 22:02:18 +0000 (08:02 +1000)]
Fix warnings in new prefixMap code
Jelmer Vernooij [Sun, 27 Jul 2008 17:57:27 +0000 (19:57 +0200)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into manpage
Jelmer Vernooij [Sun, 27 Jul 2008 17:56:20 +0000 (19:56 +0200)]
Fix location of manpages.
Stefan Metzmacher [Fri, 25 Jul 2008 16:26:31 +0000 (18:26 +0200)]
gensec_gssapi: add support for signing RPC messages
metze
Stefan Metzmacher [Fri, 25 Jul 2008 14:02:29 +0000 (16:02 +0200)]
lib/ldb/tools: allow -W and --realm when build from samba4
metze
Stefan Metzmacher [Fri, 25 Jul 2008 14:00:50 +0000 (16:00 +0200)]
auth/credentials: use the same enctypes when getting a TGT and a TGS
metze
Stefan Metzmacher [Thu, 24 Jul 2008 08:00:20 +0000 (10:00 +0200)]
dsdb: add a comment about the parameter to DSDB_EXTENDED_SCHEMA_UPDATE_NOW_OID
metze
Stefan Metzmacher [Thu, 24 Jul 2008 07:55:53 +0000 (09:55 +0200)]
dsdb/schema: make more clear where we create the value for the new prefix mapping
metze
Stefan Metzmacher [Thu, 24 Jul 2008 07:53:29 +0000 (09:53 +0200)]
dsdb/schema: dsdb_write_prefixes_to_ldb() should do the reverse of dsdb_read_prefixes_to_ldb()
metze
Stefan Metzmacher [Fri, 25 Jul 2008 19:26:28 +0000 (21:26 +0200)]
dcerpc.idl: add DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag
metze
Stefan Metzmacher [Sat, 26 Jul 2008 18:38:20 +0000 (20:38 +0200)]
mamachinepw: add better error handling
metze
Volker Lendecke [Mon, 19 May 2008 21:06:42 +0000 (23:06 +0200)]
Add "mymachinepw" to fetch our machine password out of secrets.ldb
Stefan Metzmacher [Wed, 14 May 2008 07:47:18 +0000 (09:47 +0200)]
smbtorture: add --extra-user option
This can we used to pass additional credentials to torture tests
(it can be used multiple times.
metze
Brad Hards [Fri, 25 Jul 2008 07:43:21 +0000 (17:43 +1000)]
Define HAVE_ASM_BYTEORDER at all times
Andrew Bartlett [Fri, 25 Jul 2008 04:15:22 +0000 (14:15 +1000)]
Per feedback, remove epoch and ldconfig requires.
See https://bugzilla.redhat.com/show_bug.cgi?id=453083
Andrew Bartlett [Fri, 25 Jul 2008 04:11:18 +0000 (14:11 +1000)]
Make a new define to ensure the accoc_group_id we use is always in common.
Andrew Bartlett [Fri, 25 Jul 2008 01:58:51 +0000 (11:58 +1000)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-local
Andrew Bartlett [Fri, 25 Jul 2008 01:58:24 +0000 (11:58 +1000)]
Try to avoid a memory leak if we re-set the global schema
However, try also not to pull a schema out from under a running ldb
session.
Andrew Bartlett
Andrew Bartlett [Thu, 24 Jul 2008 22:45:16 +0000 (08:45 +1000)]
Complain if we are told to use an ldap backend, without the type
Andrew Bartlett [Thu, 24 Jul 2008 22:44:00 +0000 (08:44 +1000)]
Clarify how we are doing the 'this is a rootdse query' check.
Stefan Metzmacher [Thu, 24 Jul 2008 06:23:15 +0000 (08:23 +0200)]
hdb-ldb: fix the callers after drsblobs.idl changes
metze
Stefan Metzmacher [Thu, 24 Jul 2008 06:22:23 +0000 (08:22 +0200)]
password_hash: fix the callers after drsblobs.idl changes
metze
Stefan Metzmacher [Thu, 24 Jul 2008 06:20:06 +0000 (08:20 +0200)]
drsblobs.idl: unify the Primary:Kerberos and Primary:Kerberos-Newer-Keys structs
metze
Stefan Metzmacher [Thu, 24 Jul 2008 05:53:55 +0000 (07:53 +0200)]
drsblobs.idl: give some unknowns a meaning
metze
Andrew Tridgell [Thu, 24 Jul 2008 04:26:30 +0000 (14:26 +1000)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into v4-0-test
Andrew Tridgell [Thu, 24 Jul 2008 04:21:52 +0000 (14:21 +1000)]
we can't query the ACL on a new file till it exists!
Andrew Tridgell [Thu, 24 Jul 2008 04:21:31 +0000 (14:21 +1000)]
initialise query_maximal_access here too
Andrew Tridgell [Thu, 24 Jul 2008 04:20:02 +0000 (14:20 +1000)]
make sure we initialise query_maximal_access
Andrew Tridgell [Thu, 24 Jul 2008 04:19:49 +0000 (14:19 +1000)]
fixed spelling error
Anatoliy Atanasov [Mon, 21 Jul 2008 14:04:49 +0000 (17:04 +0300)]
dsdb_create_prefix_mapping() implementation checks for existing prefix maping in ldb.
if one not found it creates a mapping for it and updates the prefixMap schema attribute in ldb.
Anatoliy Atanasov [Wed, 23 Jul 2008 06:59:17 +0000 (09:59 +0300)]
Handle schema reloading request.
The ldif for that operation looks like this:
dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
It uses the rootdse's object functional attribute schemaUpdateNow.
In rootdse_modify() this command is being recognized and it is send as extended operation with DSDB_EXTENDED_SCHEMA_UPDATE_NOW_OID.
In the partition module its dispatched to the schema_fsmo module.
The request is processed in the schema_fsmo module by schema_fsmo_extended().
Andrew Tridgell [Thu, 24 Jul 2008 01:48:27 +0000 (11:48 +1000)]
fixd a bug in the signal handling code - we could get phantom signals
(signum 64)
Michael Adam [Wed, 23 Jul 2008 14:23:31 +0000 (16:23 +0200)]
libnet_become_dc: send msDS_Behavior_Version == 3 (win2k8) in DsAddEntry
instead of version 2 (win2k3).
This makes the NET-API-BECOME-DC test work against windows 2003 and 2008.
Michael
Michael Adam [Wed, 23 Jul 2008 15:54:25 +0000 (17:54 +0200)]
libnet_become_cd: add boolean option "become_dc:force krb5" to control krb5 auth.
This allows controlling whether krb5 auth is forced for the rpc bind in
libnet_become_dc. It defaults to "yes". For Windows 2000, DsGetNCChanges
only krb5 auth works due to a bug in Windows (it returns garbage - a
positive object count is returned along with first object == NULL).
For Windows 2008, on the other hand, krb5 auth does not work currently
due to the lack of support for AES keys. (Metze is working on that.)
Michael
Michael Adam [Wed, 23 Jul 2008 13:34:45 +0000 (15:34 +0200)]
drsuapi: always set the pid field of the outgoing DsBindInfo to 0.
This is for debugging and informational purposes only.
The assignment is implementation specific.
(WSPP docs, sec. 5.35).
Michael
Michael Adam [Wed, 23 Jul 2008 13:21:44 +0000 (15:21 +0200)]
libnet_unbecome_dc: teach unbecomeDC_drsuapi_bind_recv() DsBindInfo48.
..to work agains w2k8.
Michael
Michael Adam [Wed, 23 Jul 2008 13:18:57 +0000 (15:18 +0200)]
libnet_become_cd: teach becomeDC_drsuapi_bind_recv() DsBindInfo48.
To work with w2k8.
Michael
Michael Adam [Wed, 23 Jul 2008 12:07:06 +0000 (14:07 +0200)]
dsdb: teach dreplsrv_out_drsuapi_bind_recv() knowledge of DsBindInfo48.
To make it work against w2k8.
Michael
Stefan Metzmacher [Wed, 23 Jul 2008 07:35:19 +0000 (09:35 +0200)]
password_hash: add generation of the Primary:Kerberos-Newer-Keys blob
But it's still of by default until we now what triggers this generation.
It could be that the value is always generated but the KDC only
uses it when in a specific funtional level, but it could also
be that it's only generated in a specific functional level.
metze
Stefan Metzmacher [Tue, 22 Jul 2008 16:47:27 +0000 (18:47 +0200)]
hdb-ldb: try to find Primary:Kerberos-Newer-Keys and fallback to Primary:Kerberos
Now provide AES tickets if we find the keys in the supplementalCredentials attribute
metze
Stefan Metzmacher [Tue, 22 Jul 2008 10:28:07 +0000 (12:28 +0200)]
drsblobs.idl: add idl for Primary:Kerberos-Newer-Keys blob in supplementalCredentials
metze
Stefan Metzmacher [Tue, 22 Jul 2008 16:54:21 +0000 (18:54 +0200)]
password_hash: order the supplementalCredentials Packages in the same order like windows
metze
Stefan Metzmacher [Tue, 22 Jul 2008 16:27:36 +0000 (18:27 +0200)]
password_hash: split the generation of krb5 keys into a different function
metze
Stefan Metzmacher [Tue, 22 Jul 2008 16:32:49 +0000 (18:32 +0200)]
password_hash: simplify the logic if we have cleartext we always generate the hashes
metze
Stefan Metzmacher [Wed, 23 Jul 2008 08:05:43 +0000 (10:05 +0200)]
password_hash: fix callers after idl change for package_PrimaryKerberos
metze
Stefan Metzmacher [Wed, 23 Jul 2008 06:53:34 +0000 (08:53 +0200)]
drsblobs.idl: fix unknowns in package_PrimaryKerberos idl
metze
Stefan Metzmacher [Wed, 23 Jul 2008 11:41:51 +0000 (13:41 +0200)]
hdb-ldb: check the SUPPLEMENTAL_CREDENTIALS_SIGNATURE
metze
Stefan Metzmacher [Wed, 23 Jul 2008 11:31:14 +0000 (13:31 +0200)]
password_hash: check the SUPPLEMENTAL_CREDENTIALS_SIGNATURE
metze
Stefan Metzmacher [Wed, 23 Jul 2008 11:06:32 +0000 (13:06 +0200)]
drsblobs.idl: fix idl for supplementalCredentialsSubBlob
metze