Andrew Bartlett [Thu, 31 Jul 2008 00:51:59 +0000 (10:51 +1000)]
Use the cldap reply to avoid segfaulting in RPC-DSSYNC
Also don't fail the test if the server does not implement the NT4
changelog.
Andrew Bartlett
Andrew Bartlett [Wed, 30 Jul 2008 23:07:57 +0000 (09:07 +1000)]
Don't fail if the domain has a trust already.
Andrew Bartlett
Andrew Bartlett [Wed, 30 Jul 2008 21:48:16 +0000 (07:48 +1000)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-local
Andrew Bartlett [Wed, 30 Jul 2008 21:47:01 +0000 (07:47 +1000)]
Start implementing domain trusts in our KDC.
Andrew Bartlett
Andrew Bartlett [Wed, 30 Jul 2008 21:45:30 +0000 (07:45 +1000)]
Update trustAuthInOutBlob in line with MS-ADTS 7.1.6.8.1
Stefan Metzmacher [Mon, 28 Jul 2008 15:59:17 +0000 (17:59 +0200)]
Revert "gensec_gssapi: use gsskrb5_get_subkey() to make smb2 signing with aes keys work"
This reverts commit
73964f069056f46f2f27fc690e42e5c91ae1fe19.
This breaks more than it gains:-( It seems to break the ncacn_np session key
metze
Stefan Metzmacher [Mon, 28 Jul 2008 14:40:21 +0000 (16:40 +0200)]
rpc_server: remove unused variable
metze
Stefan Metzmacher [Mon, 28 Jul 2008 14:11:30 +0000 (16:11 +0200)]
gensec_gssapi: use gsskrb5_get_subkey() to make smb2 signing with aes keys work
SMB signing with aes doesn't work, but still works with
arcfour-hmac-md5, des-cbc-md5 and des-cbc-crc.
metze
Stefan Metzmacher [Mon, 28 Jul 2008 13:49:46 +0000 (15:49 +0200)]
libcli/smb2: the session key for SMB2 signing is truncated to 16 bytes
To make that work (as a client) with aes128 and aes256 krb5 keys
we need to use gsskrb5_get_subkey().
metze
Stefan Metzmacher [Mon, 9 Jun 2008 19:57:05 +0000 (21:57 +0200)]
smb2srv: sign SMB2 Logoff replies
metze
Stefan Metzmacher [Mon, 9 Jun 2008 19:45:19 +0000 (21:45 +0200)]
smb2srv: correctly hold the signing state per session
metze
Stefan Metzmacher [Mon, 9 Jun 2008 19:57:41 +0000 (21:57 +0200)]
libcli/smb2: fix per session signing state
metze
Stefan Metzmacher [Mon, 9 Jun 2008 19:41:55 +0000 (21:41 +0200)]
SMB2-CONNECT: remove reference to req->session before calling smb2_logoff_recv() on the invalid session
metze
Stefan Metzmacher [Mon, 9 Jun 2008 19:41:06 +0000 (21:41 +0200)]
libcli/smb2: sign SMB2 Logoff requests
metze
Andrew Bartlett [Mon, 28 Jul 2008 10:51:02 +0000 (20:51 +1000)]
We don't use EXTENSIBLEOBJECT any more.
Andrew Bartlett [Mon, 28 Jul 2008 10:26:14 +0000 (20:26 +1000)]
Make it even clearer what to do next in the LDAP backend setup
Andrew Bartlett [Mon, 28 Jul 2008 10:18:17 +0000 (20:18 +1000)]
Always print the slapd startup command
Andrew Bartlett [Mon, 28 Jul 2008 08:39:37 +0000 (18:39 +1000)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-abartlet
Stefan Metzmacher [Mon, 28 Jul 2008 07:29:42 +0000 (09:29 +0200)]
auth/credentials: explain why we need to the enctypes for the gssapi layer
metze
Andrew Bartlett [Sun, 27 Jul 2008 22:04:43 +0000 (08:04 +1000)]
Remove unused variable
Andrew Bartlett [Sun, 27 Jul 2008 22:04:15 +0000 (08:04 +1000)]
Remove unused function and make sensitive directories private.
Andrew Bartlett [Sun, 27 Jul 2008 22:02:18 +0000 (08:02 +1000)]
Fix warnings in new prefixMap code
Jelmer Vernooij [Sun, 27 Jul 2008 17:57:27 +0000 (19:57 +0200)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into manpage
Jelmer Vernooij [Sun, 27 Jul 2008 17:56:20 +0000 (19:56 +0200)]
Fix location of manpages.
Stefan Metzmacher [Fri, 25 Jul 2008 16:26:31 +0000 (18:26 +0200)]
gensec_gssapi: add support for signing RPC messages
metze
Stefan Metzmacher [Fri, 25 Jul 2008 14:02:29 +0000 (16:02 +0200)]
lib/ldb/tools: allow -W and --realm when built from samba4
metze
Stefan Metzmacher [Fri, 25 Jul 2008 14:00:50 +0000 (16:00 +0200)]
auth/credentials: use the same enctypes when getting a TGT and a TGS
metze
Stefan Metzmacher [Thu, 24 Jul 2008 08:00:20 +0000 (10:00 +0200)]
dsdb: add a comment about the parameter to DSDB_EXTENDED_SCHEMA_UPDATE_NOW_OID
metze
Stefan Metzmacher [Thu, 24 Jul 2008 07:55:53 +0000 (09:55 +0200)]
dsdb/schema: make more clear where we create the value for the new prefix mapping
metze
Stefan Metzmacher [Thu, 24 Jul 2008 07:53:29 +0000 (09:53 +0200)]
dsdb/schema: dsdb_write_prefixes_to_ldb() should do the reverse of dsdb_read_prefixes_to_ldb()
metze
Stefan Metzmacher [Fri, 25 Jul 2008 19:26:28 +0000 (21:26 +0200)]
dcerpc.idl: add DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag
metze
Stefan Metzmacher [Sat, 26 Jul 2008 18:38:20 +0000 (20:38 +0200)]
mamachinepw: add better error handling
metze
Volker Lendecke [Mon, 19 May 2008 21:06:42 +0000 (23:06 +0200)]
Add "mymachinepw" to fetch our machine password out of secrets.ldb
Stefan Metzmacher [Wed, 14 May 2008 07:47:18 +0000 (09:47 +0200)]
smbtorture: add --extra-user option
This can be used to pass additional credentials to torture tests
(it can be used multiple times).
metze
Brad Hards [Fri, 25 Jul 2008 07:43:21 +0000 (17:43 +1000)]
Define HAVE_ASM_BYTEORDER at all times
Andrew Bartlett [Fri, 25 Jul 2008 04:15:22 +0000 (14:15 +1000)]
Per feedback, remove epoch and ldconfig requires.
See https://bugzilla.redhat.com/show_bug.cgi?id=453083
Andrew Bartlett [Fri, 25 Jul 2008 04:11:18 +0000 (14:11 +1000)]
Make a new define to ensure the accoc_group_id we use is always in common.
Andrew Bartlett [Fri, 25 Jul 2008 01:58:51 +0000 (11:58 +1000)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-local
Andrew Bartlett [Fri, 25 Jul 2008 01:58:24 +0000 (11:58 +1000)]
Try to avoid a memory leak if we re-set the global schema
However, try also not to pull a schema out from under a running ldb
session.
Andrew Bartlett
Andrew Bartlett [Thu, 24 Jul 2008 22:45:16 +0000 (08:45 +1000)]
Complain if we are told to use an ldap backend, without the type
Andrew Bartlett [Thu, 24 Jul 2008 22:44:00 +0000 (08:44 +1000)]
Clarify how we are doing the 'this is a rootdse query' check.
Stefan Metzmacher [Thu, 24 Jul 2008 06:23:15 +0000 (08:23 +0200)]
hdb-ldb: fix the callers after drsblobs.idl changes
metze
Stefan Metzmacher [Thu, 24 Jul 2008 06:22:23 +0000 (08:22 +0200)]
password_hash: fix the callers after drsblobs.idl changes
metze
Stefan Metzmacher [Thu, 24 Jul 2008 06:20:06 +0000 (08:20 +0200)]
drsblobs.idl: unify the Primary:Kerberos and Primary:Kerberos-Newer-Keys structs
metze
Stefan Metzmacher [Thu, 24 Jul 2008 05:53:55 +0000 (07:53 +0200)]
drsblobs.idl: give some unknowns a meaning
metze
Andrew Tridgell [Thu, 24 Jul 2008 04:26:30 +0000 (14:26 +1000)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into v4-0-test
Andrew Tridgell [Thu, 24 Jul 2008 04:21:52 +0000 (14:21 +1000)]
we can't query the ACL on a new file till it exists!
Andrew Tridgell [Thu, 24 Jul 2008 04:21:31 +0000 (14:21 +1000)]
initialise query_maximal_access here too
Andrew Tridgell [Thu, 24 Jul 2008 04:20:02 +0000 (14:20 +1000)]
make sure we initialise query_maximal_access
Andrew Tridgell [Thu, 24 Jul 2008 04:19:49 +0000 (14:19 +1000)]
fixed spelling error
Anatoliy Atanasov [Mon, 21 Jul 2008 14:04:49 +0000 (17:04 +0300)]
dsdb_create_prefix_mapping() implementation checks for existing prefix mapping in ldb.
If one is not found it creates a mapping for it and updates the prefixMap schema attribute in ldb.
Anatoliy Atanasov [Wed, 23 Jul 2008 06:59:17 +0000 (09:59 +0300)]
Handle schema reloading request.
The ldif for that operation looks like this:
dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
It uses the rootdse's object functional attribute schemaUpdateNow.
In rootdse_modify() this command is being recognized and it is sent as an extended operation with DSDB_EXTENDED_SCHEMA_UPDATE_NOW_OID.
In the partition module it's dispatched to the schema_fsmo module.
The request is processed in the schema_fsmo module by schema_fsmo_extended().
Andrew Tridgell [Thu, 24 Jul 2008 01:48:27 +0000 (11:48 +1000)]
fixed a bug in the signal handling code - we could get phantom signals
(signum 64)
Michael Adam [Wed, 23 Jul 2008 14:23:31 +0000 (16:23 +0200)]
libnet_become_dc: send msDS_Behavior_Version == 3 (win2k8) in DsAddEntry
instead of version 2 (win2k3).
This makes the NET-API-BECOME-DC test work against windows 2003 and 2008.
Michael
Michael Adam [Wed, 23 Jul 2008 15:54:25 +0000 (17:54 +0200)]
libnet_become_cd: add boolean option "become_dc:force krb5" to control krb5 auth.
This allows controlling whether krb5 auth is forced for the rpc bind in
libnet_become_dc. It defaults to "yes". For Windows 2000, DsGetNCChanges
only krb5 auth works due to a bug in Windows (it returns garbage - a
positive object count is returned along with first object == NULL).
For Windows 2008, on the other hand, krb5 auth does not work currently
due to the lack of support for AES keys. (Metze is working on that.)
Michael
Michael Adam [Wed, 23 Jul 2008 13:34:45 +0000 (15:34 +0200)]
drsuapi: always set the pid field of the outgoing DsBindInfo to 0.
This is for debugging and informational purposes only.
The assignment is implementation specific.
(WSPP docs, sec. 5.35).
Michael
Michael Adam [Wed, 23 Jul 2008 13:21:44 +0000 (15:21 +0200)]
libnet_unbecome_dc: teach unbecomeDC_drsuapi_bind_recv() DsBindInfo48.
..to work against w2k8.
Michael
Michael Adam [Wed, 23 Jul 2008 13:18:57 +0000 (15:18 +0200)]
libnet_become_cd: teach becomeDC_drsuapi_bind_recv() DsBindInfo48.
To work with w2k8.
Michael
Michael Adam [Wed, 23 Jul 2008 12:07:06 +0000 (14:07 +0200)]
dsdb: teach dreplsrv_out_drsuapi_bind_recv() knowledge of DsBindInfo48.
To make it work against w2k8.
Michael
Stefan Metzmacher [Wed, 23 Jul 2008 07:35:19 +0000 (09:35 +0200)]
password_hash: add generation of the Primary:Kerberos-Newer-Keys blob
But it's still off by default until we know what triggers this generation.
It could be that the value is always generated but the KDC only
uses it when in a specific functional level, but it could also
be that it's only generated in a specific functional level.
metze
Stefan Metzmacher [Tue, 22 Jul 2008 16:47:27 +0000 (18:47 +0200)]
hdb-ldb: try to find Primary:Kerberos-Newer-Keys and fallback to Primary:Kerberos
Now provide AES tickets if we find the keys in the supplementalCredentials attribute
metze
Stefan Metzmacher [Tue, 22 Jul 2008 10:28:07 +0000 (12:28 +0200)]
drsblobs.idl: add idl for Primary:Kerberos-Newer-Keys blob in supplementalCredentials
metze
Stefan Metzmacher [Tue, 22 Jul 2008 16:54:21 +0000 (18:54 +0200)]
password_hash: order the supplementalCredentials Packages in the same order like windows
metze
Stefan Metzmacher [Tue, 22 Jul 2008 16:27:36 +0000 (18:27 +0200)]
password_hash: split the generation of krb5 keys into a different function
metze
Stefan Metzmacher [Tue, 22 Jul 2008 16:32:49 +0000 (18:32 +0200)]
password_hash: simplify the logic if we have cleartext we always generate the hashes
metze
Stefan Metzmacher [Wed, 23 Jul 2008 08:05:43 +0000 (10:05 +0200)]
password_hash: fix callers after idl change for package_PrimaryKerberos
metze
Stefan Metzmacher [Wed, 23 Jul 2008 06:53:34 +0000 (08:53 +0200)]
drsblobs.idl: fix unknowns in package_PrimaryKerberos idl
metze
Stefan Metzmacher [Wed, 23 Jul 2008 11:41:51 +0000 (13:41 +0200)]
hdb-ldb: check the SUPPLEMENTAL_CREDENTIALS_SIGNATURE
metze
Stefan Metzmacher [Wed, 23 Jul 2008 11:31:14 +0000 (13:31 +0200)]
password_hash: check the SUPPLEMENTAL_CREDENTIALS_SIGNATURE
metze
Stefan Metzmacher [Wed, 23 Jul 2008 11:06:32 +0000 (13:06 +0200)]
drsblobs.idl: fix idl for supplementalCredentialsSubBlob
metze
Stefan Metzmacher [Wed, 23 Jul 2008 10:00:42 +0000 (12:00 +0200)]
password_hash: ignore reserved value, but still set it like windows does
metze
Stefan Metzmacher [Wed, 23 Jul 2008 11:53:03 +0000 (13:53 +0200)]
drsblobs.idl: rename unknown1 -> reserved
metze
Stefan Metzmacher [Tue, 22 Jul 2008 16:31:45 +0000 (18:31 +0200)]
password_hash: don't add zero padding as w2k8 also doesn't add it
metze
Stefan Metzmacher [Tue, 22 Jul 2008 16:46:24 +0000 (18:46 +0200)]
hdb-ldb: fix comment about padding
metze
Stefan Metzmacher [Tue, 22 Jul 2008 16:34:14 +0000 (18:34 +0200)]
hdb-ldb: fix crash bug in the error path
metze
Stefan Metzmacher [Tue, 22 Jul 2008 12:06:36 +0000 (14:06 +0200)]
RPC-DSSYNC: print 'supplementalCredentials' more verbosely
metze
Stefan Metzmacher [Wed, 23 Jul 2008 12:41:16 +0000 (14:41 +0200)]
rpc_server: be more strict with the incoming assoc_group_id
Allow 0 and 0x12345678 only.
This fixes the RPC-HANDLES test.
metze
Michael Adam [Wed, 23 Jul 2008 09:06:50 +0000 (11:06 +0200)]
smbtorture: add a warning for unknown BindInfo length to the RPC-DSSYNC test
Michael
Michael Adam [Wed, 23 Jul 2008 09:05:24 +0000 (11:05 +0200)]
smbtorture: add support for the DSBindInfo48 to the RPC-DSSYNC test.
Michael
Stefan Metzmacher [Thu, 17 Jul 2008 11:36:59 +0000 (13:36 +0200)]
libnet/become_dc: add a comment and explain why it's important to specify krb5
metze
Andrew Bartlett [Wed, 23 Jul 2008 06:20:07 +0000 (16:20 +1000)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-abartlet
Andrew Bartlett [Wed, 23 Jul 2008 06:19:54 +0000 (16:19 +1000)]
The SMB session key must not be more than 16 bytes in SAMR (and
presumably LSA).
Tests show that Vista requires the session key to be truncated for a
domain join.
Andrew Bartlett
Andrew Bartlett [Wed, 23 Jul 2008 06:15:46 +0000 (16:15 +1000)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-local
Andrew Bartlett [Wed, 23 Jul 2008 06:15:43 +0000 (16:15 +1000)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-abartlet
Andrew Bartlett [Wed, 23 Jul 2008 06:14:20 +0000 (16:14 +1000)]
Remove the 'accoc_group_id' check in the RPC server.
This check breaks more than it fixes, and while technically not
correct, is the best solution we have at this time. Otherwise,
SCHANNEL binds from WinXP fail.
Andrew Bartlett
Andrew Bartlett [Wed, 23 Jul 2008 03:49:00 +0000 (13:49 +1000)]
Explain where some other OIDs are allocated.
This is an odd place for an OID registry - we perhaps need a central
wiki page.
Andrew Bartlett
Michael Adam [Tue, 22 Jul 2008 13:35:23 +0000 (15:35 +0200)]
Change occurrences of the u1 member of DsBindInfo* to pid after idl change.
Michael
Michael Adam [Tue, 22 Jul 2008 13:33:26 +0000 (15:33 +0200)]
drsuapi.idl: change the u1 field in DsBindInfo* to "pid".
According to the WSPP docs, section 5.35,
this is the "process identifier" of the client.
It is meant for informational and debugging purposes
only and its assignment is implementation specific.
Michael
Michael Adam [Tue, 22 Jul 2008 11:07:55 +0000 (13:07 +0200)]
drsuapi.idl: add drsuapi_SupportedExtensionsExt bitfield.
This knowledge is obtained from the wspp-docs (section 5.35).
Michael
Michael Adam [Tue, 22 Jul 2008 10:46:04 +0000 (12:46 +0200)]
drsuapi.idl: the last 16 bytes in DsBindInfo48 are the GUID of the config dn.
This bit seems not to be documented in the WSPP docs.
Michael
Michael Adam [Tue, 22 Jul 2008 09:37:32 +0000 (11:37 +0200)]
drsuapi.idl: add drsuapi_DsBindInfo48.
This is necessary to make DsGetNcChanges work with win2008.
Michael
Volker Lendecke [Mon, 21 Jul 2008 11:05:23 +0000 (13:05 +0200)]
s3 cli_do_rpc_ndr does not use PI_* anymore
Andrew Bartlett [Tue, 22 Jul 2008 01:09:18 +0000 (11:09 +1000)]
Install 'named.txt' to private/ as documentation.
This document is much more use when subbed with all the right things.
Andrew Bartlett
Matthias Dieter Wallnöfer [Tue, 22 Jul 2008 01:06:47 +0000 (11:06 +1000)]
Improve DNS and Group policy configurations.
- fixes bug #4813 (simplify DNS setup)
- This reworks the named.conf to be a fully fledged include
- This also moves the documentation into named.txt
- improves bug #4900 (Group policy support in Samba)
- by creating an empty GPT.INI
- fixes bug #5582 (DNS: Enhanced zone file)
- This is now closer to the zone file AD creates
committed by Andrew Bartlett
Jelmer Vernooij [Mon, 21 Jul 2008 10:47:08 +0000 (12:47 +0200)]
Properly cast array length in print functions.
Andrew Bartlett [Mon, 21 Jul 2008 05:00:18 +0000 (15:00 +1000)]
Fix winbindd not to sit in a busy loop...
Clearly winbindd in Samba4 has not ever been run against windows, as
when we fixed the Samba4 server not to cause XP to loop like this,
Samba4's own client starts looping...
Andrew Bartlett
Andrew Bartlett [Mon, 21 Jul 2008 03:42:07 +0000 (13:42 +1000)]
Rename structures to better match the names in the WSPP IDL.
The 'comment' element in a number of domain structures is called
oem_information. This was picked up actually because with OpenLDAP
doing the schema checking, it noticed that 'comment' was not a valid
attribute.
The rename tries to keep this consistent in both the LDB mappings and
IDL, so we don't make the same mistake in future.
This has no real schema impact, as this value isn't actually used for
anything, as 'comment' was not used in the provision.
Andrew Bartlett
Andrew Bartlett [Mon, 21 Jul 2008 02:05:53 +0000 (12:05 +1000)]
Remove bogus test in 'enum trusted domains' LSA server.
The change to the RPC-LSA test proves that when the remote server has
0 trusted domains, it will return NT_STATUS_NO_MORE_ENTRIES, not
NT_STATUS_OK.
Andrew Bartlett
Andrew Bartlett [Mon, 21 Jul 2008 01:27:23 +0000 (11:27 +1000)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-local
Andrew Bartlett [Mon, 21 Jul 2008 01:18:54 +0000 (11:18 +1000)]
Sleep longer in the hope that the OpenLDAP backend might catch up