Stefan Metzmacher [Mon, 4 Aug 2008 08:59:00 +0000 (10:59 +0200)]
HACK clock skew when getting tickets...
Stefan Metzmacher [Fri, 18 Jul 2008 10:57:21 +0000 (12:57 +0200)]
hacks drsuapi exop and samr_client stuff...
Stefan Metzmacher [Fri, 8 Aug 2008 14:36:59 +0000 (16:36 +0200)]
gsskrb5: add [un]wrap_ex with des keys
metze
Stefan Metzmacher [Fri, 8 Aug 2008 14:37:25 +0000 (16:37 +0200)]
gsskrb5: add support [un]wrap_ex with cfx
metze
Stefan Metzmacher [Fri, 8 Aug 2008 14:25:56 +0000 (16:25 +0200)]
gsskrb5: add [un]wrap_ex for arcfour-hmac-md5
metze
Stefan Metzmacher [Mon, 11 Aug 2008 12:53:38 +0000 (14:53 +0200)]
krb5: add krb5_[create|verify]_integrity_checksum()
This is needed to do use the correct usage for the checksum
when used together with the kdc_[en|de]crypt_inplace_ivec()
functions.
metze
Stefan Metzmacher [Fri, 8 Aug 2008 14:31:15 +0000 (16:31 +0200)]
krb5: add krb5_[en|de]crypt_inplace_ivec
This functions just do the encryption without
adding confounders or checksums.
metze
Stefan Metzmacher [Fri, 8 Aug 2008 14:00:51 +0000 (16:00 +0200)]
gsskrb5: implement [un]wrap_ex as stubs, still fallback to [un]wrap
metze
Stefan Metzmacher [Fri, 25 Jul 2008 07:30:17 +0000 (09:30 +0200)]
gensec_gssapi: make use of the new gss_wrap_ex() and gss_unwrap_ex() calls
metze
Stefan Metzmacher [Fri, 25 Jul 2008 07:03:36 +0000 (09:03 +0200)]
heimdal: add gss_wrap_ex() infrastructure
The start was from Andrew Bartlett,
but I added missing stuff and made it work
correctly.
It also changed the prototypes to do inplace
decryption of the message_buffer.
metze
Andrew Bartlett [Mon, 18 Aug 2008 00:16:45 +0000 (10:16 +1000)]
Merge the two attribute syntax tables.
This merges the table once found in the oLschema2ldif tool (and moved
many times) with the table used for DRSUAPI.
The OpenLDAP schema map has been updated, to ensure that despite a
number of attributes being declared as OIDs, they are actually used as
strings (as they are actually LDAP class/attribute names).
Andrew Bartlett
Michael Adam [Fri, 15 Aug 2008 22:37:26 +0000 (00:37 +0200)]
configure: use AS_HELP_STRING for --with-disable-ext-lib
Michael
Michael Adam [Fri, 15 Aug 2008 22:35:52 +0000 (00:35 +0200)]
configure: use AS_HELP_STRING for --enable-developer
Michael
Michael Adam [Fri, 15 Aug 2008 22:34:43 +0000 (00:34 +0200)]
configure: use AS_HELP_STRING for --enable-debug.
Michael
Michael Adam [Fri, 15 Aug 2008 22:33:04 +0000 (00:33 +0200)]
configure: use AS_HELP_STRING for --with-selftest-prefix.
Michael
Michael Adam [Fri, 15 Aug 2008 22:31:23 +0000 (00:31 +0200)]
configure: use AS_HELP_STRING for --with-logfilebase.
Michael
Michael Adam [Fri, 15 Aug 2008 22:30:02 +0000 (00:30 +0200)]
configure: use AS_HELP_STRING for --with-piddir
Michael
Michael Adam [Fri, 15 Aug 2008 22:28:36 +0000 (00:28 +0200)]
configure: use AS_HELP_STRING for --with-lockdir.
Michael
Michael Adam [Fri, 15 Aug 2008 22:27:15 +0000 (00:27 +0200)]
configure: use AS_HELP_STRING for --ntp-signd-socket-dir.
Michael
Michael Adam [Fri, 15 Aug 2008 22:25:42 +0000 (00:25 +0200)]
configure: use AS_HELP_STRING for --with-winbindd-privileged-socket-dir.
Michael
Michael Adam [Fri, 15 Aug 2008 22:25:09 +0000 (00:25 +0200)]
configure: use AS_HELP_STRING for --with-winbindd-socket-dir .
Michael
Michael Adam [Fri, 15 Aug 2008 22:13:34 +0000 (00:13 +0200)]
configure: use AS_HELP_STRING for --with-privatedir
Michael
Michael Adam [Fri, 15 Aug 2008 22:07:54 +0000 (00:07 +0200)]
configure: format help string for --with-fhs with AS_HELP_STRING().
Michael
Michael Adam [Fri, 15 Aug 2008 22:23:47 +0000 (00:23 +0200)]
configure: remove duplicate definition of --with-winbindd-socket-dir.
I think this should have gone with
fa361354433fb9a5c09c84997a7c51f3052c294e.
Michael
Andrew Bartlett [Fri, 15 Aug 2008 11:20:05 +0000 (21:20 +1000)]
Fix the build, after the ad2oLschema changes.
Andrew Bartlett [Fri, 15 Aug 2008 11:16:40 +0000 (21:16 +1000)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-abartlet
Andrew Bartlett [Fri, 15 Aug 2008 10:41:50 +0000 (20:41 +1000)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-abartlet
Andrew Bartlett [Fri, 15 Aug 2008 10:40:57 +0000 (20:40 +1000)]
Generate the subSchema in cn=Aggregate
This reads the schema from the in-memory structure, when the magic
attributes are requested. The code is a modified version of that used
in the ad2oLschema tool (now shared).
The schema_fsmo module handles the insertion of the generated result.
As such, this commit also removes these entries from the setup/schema.ldif
Metze's previous stub of this functionality is also removed.
Andrew Bartlett
Andrew Bartlett [Fri, 15 Aug 2008 03:18:48 +0000 (13:18 +1000)]
Rework generation of the objectClass and attributeType lines.
Now that these are subroutines, we can factor them out into a file the
CN=Aggregate schema code can also use.
Andrew Bartlett
Andrew Bartlett [Fri, 15 Aug 2008 02:08:10 +0000 (12:08 +1000)]
Paramaterise the seperator in ad2OLschema
This will allow me to add a new mode, with the CN=Aggregate schema
format automatically generated.
Andrew Bartlett
Andrew Bartlett [Thu, 14 Aug 2008 23:46:51 +0000 (09:46 +1000)]
Don't segfault in RPC-ATSVC.
Stefan Metzmacher [Thu, 14 Aug 2008 13:14:53 +0000 (15:14 +0200)]
RAW-OPEN: be more strict in create_option checking
metze
Stefan Metzmacher [Wed, 13 Aug 2008 05:22:36 +0000 (07:22 +0200)]
Revert "krb5: always generate the acceptor subkey as the same enctype as the used service key"
This reverts commit
dbb94133e0313cae933d261af0bf1210807a6d11.
As we fixed gensec_gssapi to only return a session key when it's
have the correct session key, this hack isn't needed anymore.
metze
Stefan Metzmacher [Wed, 13 Aug 2008 07:52:20 +0000 (09:52 +0200)]
gsskrb5: always return an acceptor subkey
For non cfx keys it's the same as the intiator subkey.
This matches windows behavior.
metze
Stefan Metzmacher [Wed, 13 Aug 2008 05:18:35 +0000 (07:18 +0200)]
gensec_gssapi: only cache the session key in STAGE_DONE
The key may change because we switch from initiator to acceptor
subkey.
metze
Stefan Metzmacher [Thu, 14 Aug 2008 11:12:07 +0000 (13:12 +0200)]
SMB2-CREATE: add a special test for FILE_ATTRIBUTE_ENCRYPTED
Some standalone server (and samba4) doesn't support this.
metze
Stefan Metzmacher [Thu, 14 Aug 2008 07:54:51 +0000 (09:54 +0200)]
SMB2-CREATE: be more strict in checking file attributes
metze
Stefan Metzmacher [Thu, 14 Aug 2008 07:54:22 +0000 (09:54 +0200)]
SMB2-CREATE: be more strict in error checking
metze
Stefan Metzmacher [Thu, 14 Aug 2008 07:52:45 +0000 (09:52 +0200)]
ntvfs_generic: fix handling of create_options for SMB2
metze
Stefan Metzmacher [Thu, 14 Aug 2008 10:48:37 +0000 (12:48 +0200)]
libcli/smb2: add SMB2_CREATE_OPTIONS_NOT_SUPPORTED_MASK
SMB2 returns NOT_SUPPORTED to some more NTCREATE_OPTIONS.
metze
Stefan Metzmacher [Thu, 14 Aug 2008 10:37:31 +0000 (12:37 +0200)]
pvfs: fix handling of create_option flags
metze
Stefan Metzmacher [Thu, 14 Aug 2008 10:44:25 +0000 (12:44 +0200)]
libcli/raw: fix the special NTCREATE_OPTIONS_*_MASK values
We now reuse ignored values for the ntvfs backend private flags.
metze
Stefan Metzmacher [Wed, 13 Aug 2008 07:48:44 +0000 (09:48 +0200)]
smb2srv: async replies with STATUS_PENDING are not signed
..., but the they may have the sign flag set.
metze
Stefan Metzmacher [Wed, 13 Aug 2008 13:20:18 +0000 (15:20 +0200)]
smb2srv: sign replies when the request was also signed
metze
Stefan Metzmacher [Wed, 13 Aug 2008 07:45:44 +0000 (09:45 +0200)]
smb2srv: use defines instead of hex values
metze
Stefan Metzmacher [Wed, 13 Aug 2008 13:19:01 +0000 (15:19 +0200)]
libcli/smb2: use smb2 signing in auto mode if the server supports it
metze
Stefan Metzmacher [Wed, 13 Aug 2008 07:44:06 +0000 (09:44 +0200)]
libcli/smb2: we don't need check the same thing twice...
metze
Stefan Metzmacher [Wed, 13 Aug 2008 07:42:27 +0000 (09:42 +0200)]
libcli/smb2: async replies with STATUS_PENDING are not signed
metze
Stefan Metzmacher [Wed, 13 Aug 2008 14:58:12 +0000 (16:58 +0200)]
pidl: fix samba4.pidl.samba3-cli test
metze
Stefan Metzmacher [Wed, 13 Aug 2008 14:53:13 +0000 (16:53 +0200)]
NBT-WINSREPLICATION: be more robust to timing errors
Also reenable disabled tests.
metze
Andrew Tridgell [Thu, 14 Aug 2008 07:26:30 +0000 (17:26 +1000)]
expanded the SMB2-CREATE and RAW-OPEN tests to explore more of how the
create options fields are supposed to work
Andrew Tridgell [Thu, 14 Aug 2008 05:27:48 +0000 (15:27 +1000)]
cope with arbitrary unknown pac buffer types, so when MS adds
a new one we don't break our server
Andrew Tridgell [Thu, 14 Aug 2008 05:27:22 +0000 (15:27 +1000)]
cope with not knowing the kdc key
Andrew Bartlett [Tue, 12 Aug 2008 23:47:18 +0000 (09:47 +1000)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-abartlet
Stefan Metzmacher [Tue, 12 Aug 2008 13:02:02 +0000 (15:02 +0200)]
gensec_gssapi: add support for GENSEC_FEATURE_NEW_SPNEGO
metze
Stefan Metzmacher [Tue, 12 Aug 2008 12:57:14 +0000 (14:57 +0200)]
gensec_gssapi: fix compiler warnings
metze
Stefan Metzmacher [Tue, 12 Aug 2008 12:56:36 +0000 (14:56 +0200)]
gensec_gssapi: add a function to load the lucid structure once
metze
Stefan Metzmacher [Tue, 12 Aug 2008 12:26:21 +0000 (14:26 +0200)]
gensec: add support for new style spnego and correctly handle mechListMIC
metze
Andrew Bartlett [Tue, 12 Aug 2008 07:46:48 +0000 (17:46 +1000)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-abartlet
Stefan Metzmacher [Mon, 11 Aug 2008 16:14:51 +0000 (18:14 +0200)]
dcerpc.idl: remove used DCERPC_MAX_SIGN_SIZE
metze
Stefan Metzmacher [Mon, 11 Aug 2008 16:12:54 +0000 (18:12 +0200)]
rpc_server: correct the chunk_size depending on the signature size
metze
Stefan Metzmacher [Mon, 11 Aug 2008 16:00:11 +0000 (18:00 +0200)]
librpc/rpc: correct the chunk_size depending on the signature size
metze
Stefan Metzmacher [Mon, 11 Aug 2008 15:59:38 +0000 (17:59 +0200)]
dcerpc.idl: add DCERPC_AUTH_TRAILER_LENGTH
metze
Andrew Bartlett [Mon, 11 Aug 2008 01:45:45 +0000 (11:45 +1000)]
Only allow trust accounts access to the NTP signing service.
Stefan Metzmacher [Fri, 8 Aug 2008 10:39:11 +0000 (12:39 +0200)]
gensec_gssapi: use the correct signature size for cfx/rfc4121 style signatures
metze
Stefan Metzmacher [Fri, 8 Aug 2008 13:01:15 +0000 (15:01 +0200)]
gsskrb5: try to be compatible with windows for gss_wrap* and cfx
The good thing is that windows and heimdal both use EC=0
in the non DCE_STYLE case, so we need the windows compat hack
only in DCE_STYLE mode.
metze
Stefan Metzmacher [Fri, 8 Aug 2008 13:27:40 +0000 (15:27 +0200)]
gensec_gssapi: use gsskrb5_get_subkey() to get the session key
This is needed to get the correct key, when aes keys are used.
metze
Stefan Metzmacher [Fri, 8 Aug 2008 13:22:39 +0000 (15:22 +0200)]
krb5: always generate the acceptor subkey as the same enctype as the used service key
With this patch samba4 can use gsskrb5_get_subkey() to get the session key.
metze
Stefan Metzmacher [Fri, 25 Jul 2008 11:11:46 +0000 (13:11 +0200)]
gsskrb5: add support for DCE_STYLE and des and des3 keys
Only the des keys are tested as windows doesn't support des3
metze
Andrew Bartlett [Fri, 8 Aug 2008 04:05:16 +0000 (14:05 +1000)]
Always set a session key, even for the 'no password' case.
This is for bug 5664 reported by Tom <hto@arcor.de>.
Andrew Bartlett
Andrew Bartlett [Fri, 8 Aug 2008 04:04:08 +0000 (14:04 +1000)]
Clarify comment
Andrew Bartlett [Fri, 8 Aug 2008 00:32:21 +0000 (10:32 +1000)]
We can't use ndr_pull_struct_blob_all in combinatin with relative pointers
Stefan Metzmacher [Tue, 29 Jul 2008 20:06:18 +0000 (20:06 +0000)]
lib: prepare the build of zlib
metze
Stefan Metzmacher [Thu, 7 Aug 2008 16:20:11 +0000 (16:20 +0000)]
zlib: add inflateReset2()...
metze
Stefan Metzmacher [Tue, 29 Jul 2008 20:01:23 +0000 (20:01 +0000)]
import of zlib-1.2.3
We want to use zlib for the mszip ndr (de)compression
later, we'll need to add some new functions to zlib.
metze
Stefan Metzmacher [Thu, 7 Aug 2008 17:15:30 +0000 (19:15 +0200)]
drsuapi: fix callers after idl change
metze
Stefan Metzmacher [Thu, 7 Aug 2008 16:15:26 +0000 (16:15 +0000)]
drsuapi.idl: directly use mszip in level 2
This fixes the push because the switch_level doesn't work
otherwise because the pointer is the same as for
the outer switch_level.
metze
Stefan Metzmacher [Wed, 6 Aug 2008 20:28:04 +0000 (22:28 +0200)]
rpc_server: add support for DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
you need "dcesrv:header signing=yes" to enable it.
metze
Stefan Metzmacher [Wed, 6 Aug 2008 19:35:07 +0000 (21:35 +0200)]
librpc/rpc: add support DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
You can trigger it like this:
ncacn_ip_tcp:172.31.9.234[sign,hdrsign]
or
ncacn_ip_tcp:172.31.9.234[seal,hdrsign]
metze
Stefan Metzmacher [Wed, 6 Aug 2008 19:34:00 +0000 (21:34 +0200)]
librpc/rpc: pass struct dcerpc_pipe to dcerpc_auth3()
metze
Stefan Metzmacher [Wed, 6 Aug 2008 19:30:17 +0000 (21:30 +0200)]
gensec_gssapi: add support for GENSEC_FEATURE_SIGN_PKT_HEADER
This only works for sign/verify_packet() yet,
seal/unseal_packet() doesn't work yet...
metze
Stefan Metzmacher [Wed, 6 Aug 2008 19:26:20 +0000 (21:26 +0200)]
gensec: add GENSEC_FEATURE_SIGN_PKT_HEADER flag
metze
Jelmer Vernooij [Fri, 1 Aug 2008 19:36:49 +0000 (21:36 +0200)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into manpage
Jelmer Vernooij [Fri, 1 Aug 2008 19:12:37 +0000 (21:12 +0200)]
Add helper object Hostconfig to make it easier to get to e.g. the
SAM database.
Stefan Metzmacher [Fri, 1 Aug 2008 16:15:11 +0000 (18:15 +0200)]
heimdal: add experimental --enable-external-heimdal
This should only be used for testing and when you're
absolutly sure the installed heimdal libraries
support the features we need.
(E.g. heimdal-1.2 or lower should NOT work)
metze
Stefan Metzmacher [Fri, 1 Aug 2008 17:30:16 +0000 (19:30 +0200)]
libreplace: include <krb5.h> and <com_err.h> and no heimdal specific headers
metze
Stefan Metzmacher [Fri, 1 Aug 2008 17:29:08 +0000 (19:29 +0200)]
auth/kerberos: remove dependencies to internal heimdal
metze
Stefan Metzmacher [Fri, 1 Aug 2008 17:24:09 +0000 (19:24 +0200)]
heimdal_build/internal: add some useful defines
metze
Stefan Metzmacher [Fri, 1 Aug 2008 18:27:38 +0000 (20:27 +0200)]
heimdal: fix dependency
metze
Stefan Metzmacher [Fri, 1 Aug 2008 17:23:29 +0000 (19:23 +0200)]
lib/crypto: remove dependency to internal heimdal
metze
Stefan Metzmacher [Fri, 1 Aug 2008 18:15:52 +0000 (20:15 +0200)]
build: remove warning about missing generated include file
metze
Jelmer Vernooij [Fri, 1 Aug 2008 19:00:09 +0000 (21:00 +0200)]
Use new style python classes.
Jelmer Vernooij [Fri, 1 Aug 2008 18:47:22 +0000 (20:47 +0200)]
Move domain DN determination out of newuser function.
Jelmer Vernooij [Fri, 1 Aug 2008 18:47:03 +0000 (20:47 +0200)]
Actually fix missing substitution variables.
Jelmer Vernooij [Fri, 1 Aug 2008 18:17:56 +0000 (20:17 +0200)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into manpage
Jelmer Vernooij [Fri, 1 Aug 2008 18:17:29 +0000 (20:17 +0200)]
Fix some forgotten substitute variables in provision, add check to prevent this sort of regression in the future.
Stefan Metzmacher [Fri, 1 Aug 2008 15:24:24 +0000 (17:24 +0200)]
kdc: use mostly only public kerberos headers
We shoule avoid using the private heimdal function
_krb5_principalname2krb5_principal()
metze
Stefan Metzmacher [Fri, 1 Aug 2008 14:59:40 +0000 (16:59 +0200)]
auth/kerberos: we don't need to include heimdal private headers
metze
Stefan Metzmacher [Fri, 1 Aug 2008 14:58:01 +0000 (16:58 +0200)]
gensec_gssapi: include <gssapi/gssapi.h>
metze
Stefan Metzmacher [Fri, 1 Aug 2008 14:57:00 +0000 (16:57 +0200)]
heimdal_build: we should only use PRIVATE_DEPENDENCIES
metze