Stefan Metzmacher [Mon, 13 Dec 2010 10:42:48 +0000 (11:42 +0100)]
test password_hash bypass
Stefan Metzmacher [Fri, 10 Dec 2010 09:36:37 +0000 (10:36 +0100)]
Revert "buildtools: only use the ABI based version script for non private libraries"
This reverts commit 4d3126555ae05bc991d06cf08535a6e815479709.
Stefan Metzmacher [Fri, 10 Dec 2010 09:36:31 +0000 (10:36 +0100)]
Revert "buildtools: prefix the private symbol namespaces with PRIVATE_"
This reverts commit ed1285502614c69d16b79a26070b211eba11d258.
Stefan Metzmacher [Thu, 9 Dec 2010 15:39:13 +0000 (16:39 +0100)]
buildtools: prefix the private symbol namespaces with PRIVATE_
metze
Stefan Metzmacher [Thu, 9 Dec 2010 15:34:28 +0000 (16:34 +0100)]
buildtools: only use the ABI based version script for non private libraries
Private libraries should not expose the symbols from the public namespace,
as then we may conflict with external libraries.
E.g. if we build tdb as private library, we want to be sure we're using the
private library and symbols, even if we also have the system libtdb.so loaded
via some external modules.
metze
Stefan Metzmacher [Wed, 1 Dec 2010 06:02:15 +0000 (07:02 +0100)]
s4:gensec/spnego: only look at the optimistic token if we support the first mech
As a server only try the mechs the client proposed
and only call gensec_update() with the optimistic token
for the first mech in the list.
If the server doesn't support the first mech we pick the
first one in the client's list we also support.
That's how w2k8r2 works.
metze
Jeremy Allison [Tue, 14 Dec 2010 03:17:57 +0000 (19:17 -0800)]
Ensure we use vfs_fsp_stat(), not VFS_STAT directly, and store into fsp->fsp_name->st
instead of a SMB_STRUCT_STAT on the stack.
Jeremy.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Tue Dec 14 05:05:50 CET 2010 on sn-devel-104
Andrew Bartlett [Mon, 13 Dec 2010 23:53:34 +0000 (10:53 +1100)]
wintest Add testing of kerberos connections to Windows members of an AD domain
This improves the Samba3 wintest script to test against Windows7 and
WinXP domain members, and Windows7 standalone servers. To do this,
more of the samba4 script is put in common, and we split up the
starting of the VMs from the preparation of the VM.
This also improves the nmblookup command parsing to cope with both the
samba3 and samba4 nmblookup commands.
A krb5.conf is now provided for both s3 and s4 tests.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Dec 14 01:54:46 CET 2010 on sn-devel-104
Andrew Bartlett [Mon, 13 Dec 2010 01:40:25 +0000 (12:40 +1100)]
s3-libsmb Improve error message when denying LM encryption
Now that 'client ntlmv2 auth = yes' is the default, make it more clear
what options a user may need to enable to get this to work.
Andrew Bartlett
Jeremy Allison [Mon, 13 Dec 2010 23:22:47 +0000 (15:22 -0800)]
Change crediting so that the credits are returned on the interim async response.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Tue Dec 14 01:09:05 CET 2010 on sn-devel-104
Jeremy Allison [Mon, 13 Dec 2010 22:00:34 +0000 (14:00 -0800)]
As we handle missing sendfile() inside lib/sendfile.c, remove the WITH_SENDFILE ifdefs.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Mon Dec 13 23:47:07 CET 2010 on sn-devel-104
Jeremy Allison [Mon, 13 Dec 2010 21:34:50 +0000 (13:34 -0800)]
We need to start off with smb2.credits_granted == 0. That way
when processing the faked up SMB2 NegProt from the SMB1 packet we
always allocate one credit on reply.
Jeremy.
Jeremy Allison [Mon, 13 Dec 2010 21:17:49 +0000 (13:17 -0800)]
Remove extra unused credit arg. to smbd_smb2_request_setup_out()
Stefan Metzmacher [Tue, 7 Dec 2010 15:10:49 +0000 (16:10 +0100)]
s4:dsdb:password_hash: verify content if the BYPASS_PASSWORD_HASH control is used
Make it much harder to import bad data into the password attributes.
This isn't 100% safe, but much better than no checks.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Dec 13 16:17:36 CET 2010 on sn-devel-104
Stefan Metzmacher [Wed, 1 Dec 2010 19:36:43 +0000 (20:36 +0100)]
s4:ldap_controls: allow DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID over sockets.
The DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID control has no data attached to it.
So we can allow it to be sent over LDAP.
We'll accept this control over the privileged ldapi socket only.
metze
Stefan Metzmacher [Wed, 1 Dec 2010 11:18:21 +0000 (12:18 +0100)]
s4:ldap_server: don't call ldb_req_mark_untrusted() on the privileged ldapi socket
metze
Stefan Metzmacher [Wed, 1 Dec 2010 11:14:22 +0000 (12:14 +0100)]
s4:ldap_server: rename helper functions to ldapsrv_ prefix and pass ldapsrv_call
metze
Stefan Metzmacher [Mon, 13 Dec 2010 10:28:59 +0000 (11:28 +0100)]
s4:dsdb:util: dsdb_get_single_valued_attr() only needs a const ldb_messages
metze
Günther Deschner [Mon, 13 Dec 2010 11:56:38 +0000 (12:56 +0100)]
s3-waf: try to fix the build with snow leopard.
Guenther
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Mon Dec 13 15:03:08 CET 2010 on sn-devel-104
Stefan Metzmacher [Mon, 13 Dec 2010 11:04:28 +0000 (12:04 +0100)]
s3:selftest: fix knownfail for samba3.posix_s3.rpc.spoolss.*printserver.enum_printers_old
The name is in lowercase since commit
35fbc7bbda5851f7172538f79fc79be201f1d521
(s4-smbtorture: Make test names lowercase and dot-separated.)
This should avoid intermittent failures in make test.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Dec 13 13:52:18 CET 2010 on sn-devel-104
Stefan Metzmacher [Mon, 13 Dec 2010 10:53:03 +0000 (11:53 +0100)]
s4:heimdal_build: replace '+' by '_' for vscripts in HEIMDAL_LIBRARY()
metze
Günther Deschner [Fri, 10 Dec 2010 16:15:18 +0000 (17:15 +0100)]
s3-selftest: support differing VFSLIBDIR in autoconf and waf build.
With this change make test in the s3 waf build (w/o s4 smbtorture yet) works!
Guenther
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Mon Dec 13 13:06:05 CET 2010 on sn-devel-104
Günther Deschner [Thu, 9 Dec 2010 14:44:30 +0000 (15:44 +0100)]
s3-waf: add -Wl,--export-dynamic to LDFLAGS.
Our binaries did not export symbols so e.g. smbd could not load vfs modules.
Patch from tridge.
We might remove this later on, once we decide to resolve all symbols and fix all
dependencies in s3 modules.
Guenther
Günther Deschner [Thu, 9 Dec 2010 14:33:25 +0000 (15:33 +0100)]
nss_wrapper: make nss_wrapper.pl executable.
Guenther
Matthieu Patou [Sun, 12 Dec 2010 21:55:08 +0000 (00:55 +0300)]
build: remove -no-undefined and -as-needed on openbsd
This is causing problems with the linker
Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Mon Dec 13 00:25:38 CET 2010 on sn-devel-104
Matthias Dieter Wallnöfer [Sun, 12 Dec 2010 20:42:30 +0000 (21:42 +0100)]
s4:dsdb/pydsdb.c - don't throw another exception on "PyObject_AsDn"
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Dec 12 23:40:17 CET 2010 on sn-devel-104
Matthias Dieter Wallnöfer [Sun, 12 Dec 2010 20:40:03 +0000 (21:40 +0100)]
ldb:pyldb.h - revert to the previous header behaviour
"ldb_private.h" is private and therefore might not always be available.
Matthieu Patou [Sun, 12 Dec 2010 20:57:37 +0000 (23:57 +0300)]
build: move the import near the place where we need it, so that we can build on hosts with python's zlib
Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Sun Dec 12 22:54:19 CET 2010 on sn-devel-104
Matthias Dieter Wallnöfer [Sun, 12 Dec 2010 18:23:53 +0000 (19:23 +0100)]
s4:scripting/python/pyglue.c - add a OOM handling
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Dec 12 20:50:55 CET 2010 on sn-devel-104
Matthias Dieter Wallnöfer [Sun, 12 Dec 2010 18:23:34 +0000 (19:23 +0100)]
s4:scripting/python/pyglue.c - optimise includes
Matthias Dieter Wallnöfer [Sun, 12 Dec 2010 18:19:43 +0000 (19:19 +0100)]
s4:param/provision.c - optimise includes
Matthias Dieter Wallnöfer [Sun, 12 Dec 2010 18:13:51 +0000 (19:13 +0100)]
s4:libcli/finddc.h - fix header dependencies
And optimise includes
Matthias Dieter Wallnöfer [Sun, 12 Dec 2010 18:01:23 +0000 (19:01 +0100)]
s4:libcli/finddcs_nbt.c - optimise headers
Matthias Dieter Wallnöfer [Sun, 12 Dec 2010 17:54:56 +0000 (18:54 +0100)]
s4:libnet/py_net.c - add checks for OOM conditions
Matthias Dieter Wallnöfer [Sun, 12 Dec 2010 17:45:07 +0000 (18:45 +0100)]
s4:dsdb/pydsdb.c and web_server/wsgi.c - remove accidentally introduced Py_RETURN_NONE
This was only thought for Python 2.3 which we generally no longer support (only
pyldb in the LDB library is an exception).
Matthias Dieter Wallnöfer [Sun, 12 Dec 2010 17:42:58 +0000 (18:42 +0100)]
s4:lib/ldb-samba/pyldb.c - optimise includes
Matthias Dieter Wallnöfer [Sun, 12 Dec 2010 17:31:37 +0000 (18:31 +0100)]
s4:dsdb/pydsdb.c - clean up memory handling
- Remove memory contexts when not really useful (if only one allocation)
- Try to find out OOM conditions and return correct error codes
- Move the parameter parsing always to the beginning (to prevent
unneeded allocations in case of errors)
Matthias Dieter Wallnöfer [Sun, 12 Dec 2010 16:44:04 +0000 (17:44 +0100)]
ldb:pyldb - optimise includes
Matthieu Patou [Sun, 12 Dec 2010 18:14:28 +0000 (21:14 +0300)]
change searched name from _ss_family to __ss_family
Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Sun Dec 12 20:05:23 CET 2010 on sn-devel-104
Matthias Dieter Wallnöfer [Sun, 12 Dec 2010 16:36:16 +0000 (17:36 +0100)]
s4:web_server/*.c - optimise includes
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Dec 12 18:23:05 CET 2010 on sn-devel-104
Matthias Dieter Wallnöfer [Sun, 12 Dec 2010 16:27:36 +0000 (17:27 +0100)]
s4:web_server/wsgi.c - fix a counter type
Matthias Dieter Wallnöfer [Sun, 12 Dec 2010 16:27:09 +0000 (17:27 +0100)]
s4:web_server/wsgi.c - add missing Python compatibility code
Matthias Dieter Wallnöfer [Sun, 12 Dec 2010 13:34:14 +0000 (14:34 +0100)]
s4:kdc/*.c - minimise includes
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Dec 12 15:20:46 CET 2010 on sn-devel-104
Matthias Dieter Wallnöfer [Sun, 12 Dec 2010 11:33:08 +0000 (12:33 +0100)]
s4:smbd/process*.c - fix PID warnings on Solaris
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Dec 12 13:21:13 CET 2010 on sn-devel-104
Matthias Dieter Wallnöfer [Sun, 12 Dec 2010 11:15:51 +0000 (12:15 +0100)]
s4:kdc/proxy.c - optimise includes in order to fix a build warning on Tru64
Matthias Dieter Wallnöfer [Sun, 12 Dec 2010 11:07:24 +0000 (12:07 +0100)]
s4:param/loadparm.c - fix a warning by introducing a "const" cast
Matthias Dieter Wallnöfer [Sun, 12 Dec 2010 10:58:59 +0000 (11:58 +0100)]
s4:kdc/kpasswdd.c - don't return an uninitialised NT_STATUS
Discovered by Tru64 build
Matthieu Patou [Sun, 12 Dec 2010 09:06:31 +0000 (12:06 +0300)]
build: change lib order to fix build on netbsd
Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Sun Dec 12 10:54:02 CET 2010 on sn-devel-104
Matthieu Patou [Sun, 12 Dec 2010 09:05:43 +0000 (12:05 +0300)]
build: add a check for _ss_family as it is used on aix to replace ss_family
Matthieu Patou [Sun, 12 Dec 2010 09:04:51 +0000 (12:04 +0300)]
replace: add comments to make the #ifdef/#else/endif more readable
Jelmer Vernooij [Sat, 11 Dec 2010 17:47:11 +0000 (18:47 +0100)]
selftest-s4: Support listing smbtorture4 tests.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Dec 11 19:32:07 CET 2010 on sn-devel-104
Jelmer Vernooij [Sat, 11 Dec 2010 17:21:58 +0000 (18:21 +0100)]
selftest: Support multiple instances of $LISTOPT.
Jelmer Vernooij [Sat, 11 Dec 2010 17:21:27 +0000 (18:21 +0100)]
filter-subunit: Add --list argument.
Jelmer Vernooij [Sat, 11 Dec 2010 17:00:24 +0000 (18:00 +0100)]
smbtorture: Default to listing all tests if no prefix was specified.
Jelmer Vernooij [Sat, 11 Dec 2010 16:56:37 +0000 (17:56 +0100)]
smbtorture: Implement --list argument.
Matthieu Patou [Sat, 11 Dec 2010 16:20:51 +0000 (19:20 +0300)]
build: add more CFLAGS for aix
Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Sat Dec 11 18:09:23 CET 2010 on sn-devel-104
Matthieu Patou [Sat, 11 Dec 2010 15:50:51 +0000 (18:50 +0300)]
build: add a dependency on lib iconv for lib intl if we are not able to find it
This is because on some platforms lib intl depends on lib iconv; failing
to provide this library causes waf to be unable to link with lib intl and
makes it think that the library doesn't exist!
Matthieu Patou [Sat, 11 Dec 2010 10:13:42 +0000 (13:13 +0300)]
build: On AIX we need _XOPEN_SOURCE >= 500 for CLOCK_REALTIME
Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Sat Dec 11 14:48:21 CET 2010 on sn-devel-104
Stefan Metzmacher [Sat, 11 Dec 2010 10:17:17 +0000 (11:17 +0100)]
libcli/echo: fix off by 1 crash bug
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Sat Dec 11 13:48:54 CET 2010 on sn-devel-104
Stefan Metzmacher [Sat, 11 Dec 2010 10:04:29 +0000 (11:04 +0100)]
s4:selftest: use correct name for the test "ECHO-UDP" => "echo.udp"
I wonder how commit
35fbc7bbda5851f7172538f79fc79be201f1d521
(s4-smbtorture: Make test names lowercase and dot-separated)
ever passed make test.
metze
Stefan Metzmacher [Sat, 11 Dec 2010 10:03:52 +0000 (11:03 +0100)]
libcli/echo: lowercase testsuite names
metze
Jelmer Vernooij [Sat, 11 Dec 2010 02:26:31 +0000 (03:26 +0100)]
s4-smbtorture: Make test names lowercase and dot-separated.
This is consistent with the test names used by selftest, should
make the names less confusing and easier to integrate with other tools.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Dec 11 04:16:13 CET 2010 on sn-devel-104
Jelmer Vernooij [Sat, 11 Dec 2010 00:05:13 +0000 (01:05 +0100)]
talloc: Add ability to generate Python docs using pydoctor.
James Peach [Mon, 6 Dec 2010 19:27:31 +0000 (11:27 -0800)]
smbtorture: correct error handling in BASE-OPEN.
There are a number of cases in BASE-OPEN where an initial failure cascades
into multiple failures due to lack of cleanup between test phases. Fix
all these so that they close open file handles correctly. Replace
torture_comment with torture_result where appropriate so that the results
output contains a useful diagnostic.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat Dec 11 03:19:39 CET 2010 on sn-devel-104
Jeremy Allison [Fri, 10 Dec 2010 22:40:17 +0000 (14:40 -0800)]
Add documentation for "smb2 max credits".
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat Dec 11 02:14:07 CET 2010 on sn-devel-104
Jeremy Allison [Fri, 10 Dec 2010 23:46:41 +0000 (15:46 -0800)]
Add a SMB2 crediting algorithm, by default the same as Windows. Defaults to 128 credits.
Jeremy.
Matthieu Patou [Fri, 10 Dec 2010 22:39:34 +0000 (01:39 +0300)]
heimdal: unset SLIST_ENTRY only if we are with windows
This is needed because otherwise on some OS like netbsd, openbsd, MacOSX.
The preprocessing of ./heimdal/lib/gssapi/mech/cred.h on this platform
is broken because mechqueue.h's definition won't be used as SLIST_HEAD
is already defined.
The definition occurs when net/if.h is included as it includes
sys/queue.h
Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Sat Dec 11 00:34:51 CET 2010 on sn-devel-104
Matthieu Patou [Fri, 10 Dec 2010 20:47:54 +0000 (23:47 +0300)]
build: cpp is prefixed by CPP=
Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Fri Dec 10 22:34:45 CET 2010 on sn-devel-104
Matthieu Patou [Fri, 10 Dec 2010 20:16:28 +0000 (23:16 +0300)]
build: add a function to test if -lc is needed
This is needed on openbsd as some linking flags make it mandatory to
specify the libc for the linking
Stefan Metzmacher [Wed, 1 Dec 2010 14:12:58 +0000 (15:12 +0100)]
drsblobs.idl: remove nopython from package_PrimaryKerberosBlob related stuff
This allows parsing and construction of the supplementalCredentials
attribute in python.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Dec 10 19:08:33 CET 2010 on sn-devel-104
Stefan Metzmacher [Wed, 8 Dec 2010 14:11:48 +0000 (15:11 +0100)]
pidl:Samba4/Python.pm: ignore "SUBCONTEXT" levels
These are only important for the NDR marshalling
and not for the python bindings.
metze
Stefan Metzmacher [Fri, 10 Dec 2010 15:32:35 +0000 (16:32 +0100)]
pidl:Samba4/Python.pm: don't handle scalar reference types special
The only special thing is that we don't need get_value_of(),
all other checks are needed.
metze
Matthieu Patou [Fri, 10 Dec 2010 16:08:18 +0000 (19:08 +0300)]
build: compiler on aix is xlc_r not xlr_c
Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Fri Dec 10 17:54:49 CET 2010 on sn-devel-104
Matthieu Patou [Fri, 10 Dec 2010 11:37:00 +0000 (14:37 +0300)]
build: reset cpp on host with xlr_c and let pidl use $CC -E
Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Fri Dec 10 13:27:22 CET 2010 on sn-devel-104
Nadezhda Ivanova [Fri, 10 Dec 2010 08:31:58 +0000 (10:31 +0200)]
s4-tests: Modified sec_descriptor.py to use the sd_utils helpers.
Autobuild-User: Nadezhda Ivanova <nivanova@samba.org>
Autobuild-Date: Fri Dec 10 11:03:28 CET 2010 on sn-devel-104
Nadezhda Ivanova [Fri, 10 Dec 2010 08:31:19 +0000 (10:31 +0200)]
s4-tests: Modified acl.py to use the sd_utils helpers.
Nadezhda Ivanova [Fri, 10 Dec 2010 08:29:14 +0000 (10:29 +0200)]
s4-tests: Moved some commonly redefined security descriptor methods to a utils class
These methods are used in more than one testsuite now so they are now in a utility class instead of being defined everywhere.
Matthieu Patou [Fri, 10 Dec 2010 07:06:44 +0000 (10:06 +0300)]
build: detect if conf.env['CPP'] is an array or not
Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Fri Dec 10 10:18:20 CET 2010 on sn-devel-104
Andrew Tridgell [Fri, 10 Dec 2010 06:59:34 +0000 (17:59 +1100)]
waf: the libXX.inst.so file also depends on the vscript
this fixes a problem with installed libraries not relinking after a
git version change
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Fri Dec 10 09:30:46 CET 2010 on sn-devel-104
Andrew Tridgell [Thu, 9 Dec 2010 11:41:58 +0000 (22:41 +1100)]
s3-vfstest: fixed paths in vfstest
vfstest tries to create /messages.tdb as loadparm has not been
initialised
Andrew Bartlett [Fri, 10 Dec 2010 05:56:57 +0000 (16:56 +1100)]
wintest flush DNS on Windows clients to improve reliability
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Dec 10 08:45:28 CET 2010 on sn-devel-104
Andrew Bartlett [Fri, 10 Dec 2010 04:32:08 +0000 (15:32 +1100)]
s3-dns Don't use DELEG_FLAG in DNS update, Windows 2008R2 does not like it
Andrew Bartlett [Fri, 10 Dec 2010 04:30:22 +0000 (15:30 +1100)]
s3-dns Don't use SEQUENCE_FLAG in DNS update, Windows 2008R2 does not like it
Andrew Bartlett
Andrew Bartlett [Fri, 10 Dec 2010 04:09:54 +0000 (15:09 +1100)]
wintest More work to make test-s3.py work
- Set the password on the newly added 'root' user so we can connect with a user that exists in getpwnam() without further configuration
- bind interfaces only so we don't conflict with other Samba instances
- use the full DNS name for smbclient
- don't connect to localhost (as we will be on ${INTERFACE_IP} only)
- Use the windows domain in the wbinfo command (winbindd won't take bare name here).
- Register our IP address in DNS using 'net ads dns register'
Andrew Bartlett
Andrew Bartlett [Fri, 10 Dec 2010 04:08:53 +0000 (15:08 +1100)]
s3-net Allow 'net ads dns register' to take an optional hostname argument
This allows the administrator to more carefully choose what name to register.
Andrew Bartlett
Andrew Bartlett [Fri, 10 Dec 2010 01:13:58 +0000 (12:13 +1100)]
wintest Share more of the S4 test code with the s3 test
This allows us to run a private BIND in the S3 test, and allows the S3
test to join a freshly provisioned AD instance if the VM isn't already
configured.
Andrew Bartlett
Andrew Bartlett [Fri, 10 Dec 2010 01:12:23 +0000 (12:12 +1100)]
s3-winbind Improve memory handling in NTLMv2-backend plaintext authentication
Andrew Bartlett
Andrew Bartlett [Fri, 10 Dec 2010 01:10:07 +0000 (12:10 +1100)]
s3-winbind Don't send the LM password to the server, ever
This is for the case where we have the plaintext password locally, and
can construct the challenge-response values here.
We should never ever use the LM password in domain authentication.
The last domain controller to only have LM passwords stored was NT
3.5.
Andrew Bartlett
Andrew Bartlett [Thu, 9 Dec 2010 20:57:59 +0000 (07:57 +1100)]
s3-libsmb Don't ever ask for machine$ principals as a target.
It is never correct to ask for a machine$ principal as the target of a
kerberos connection. You should always connect via the
servicePrincipalName.
This current code appears to have built up from a series of minimal
changes, as the codebase adapted to the lack of a SPNEGO principal
from Windows 2008.
Andrew Bartlett
Andrew Bartlett [Thu, 9 Dec 2010 06:37:14 +0000 (17:37 +1100)]
s3-docs Add docs for 'client use spnego principal' and 'send spnego principal'
Andrew Bartlett
Andrew Bartlett [Thu, 9 Dec 2010 05:47:08 +0000 (16:47 +1100)]
s3-docs Explain change to NTLMv2 by default in the client
Andrew Bartlett [Sat, 4 Dec 2010 03:57:46 +0000 (14:57 +1100)]
s3-client Use NTLMv2 by default in the Samba client
This matches the improved security measures of Windows Vista.
Andrew Bartlett
Andrew Bartlett [Sat, 4 Dec 2010 03:11:57 +0000 (14:11 +1100)]
s3-smbd Don't send SPNEGO principal (rfc4178 hint) by default
This patch, based on the suggestion by Goldberg, Neil R. <ngoldber@mitre.org>
turns off the sending of the principal in the negprot by default, matching
Windows 2008 behaviour.
This slowly works us back from this hack, which from an RFC
perspective was never the right thing to do in the first place, but we
traditionally follow windows behaviour. It also discourages client
implmentations from relying on it, as if they do they are more open to
man-in-the-middle attacks.
Andrew Bartlett
Andrew Bartlett [Sat, 4 Dec 2010 02:48:37 +0000 (13:48 +1100)]
s3-libads Default to NOT using the server-supplied principal from SPNEGO
This principal is not supplied by later versions of windows, and using
it opens up some opportunities for man in the middle attacks. (Because
it isn't the name being contacted that is verified with the KDC).
This adds the option 'client use spnego principal' to the smb.conf (as
used in Samba4) to control this behaviour. As in Samba4, this
defaults to false.
Against 2008 servers, this will not change behaviour. Against earlier
servers, it may cause a downgrade to NTLMSSP more often, in
environments where server names are not registered with the KDC as
servicePrincipalName values.
Andrew Bartlett
Jelmer Vernooij [Fri, 10 Dec 2010 02:03:18 +0000 (03:03 +0100)]
subunitrun: Use unittest.TestProgram if subunit.TestProgram is not available.
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Fri Dec 10 03:49:03 CET 2010 on sn-devel-104
Jelmer Vernooij [Thu, 9 Dec 2010 23:47:33 +0000 (00:47 +0100)]
s4-python: Add convenience function for forcibly importing bundled package.
Jelmer Vernooij [Thu, 9 Dec 2010 22:28:25 +0000 (23:28 +0100)]
subunitrun: Extend hack to cope with older system subunit run installs.
Jelmer Vernooij [Thu, 9 Dec 2010 21:48:16 +0000 (22:48 +0100)]
subunitrun: Remove global subunit module when reimporting from a different location.
Jelmer Vernooij [Thu, 9 Dec 2010 21:46:08 +0000 (22:46 +0100)]
s4-dist: Remove no longer existing files from blacklist (fixes 'make dist' inclusion of configure)
Jelmer Vernooij [Thu, 9 Dec 2010 20:38:48 +0000 (21:38 +0100)]
s4-python: Fix use of bundled modules.