[SCM] Samba Shared Repository - branch master updated

2011-06-22 Thread Andrew Tridgell
The branch, master has been updated
   via  9e766f0 samba-tool: added missing GUID component checks to dbcheck
   via  505dce2 pyldb: added methods to get/set extended components on DNs
   via  202f0a4 pydsdb: added get_syntax_oid_from_lDAPDisplayName()
   via  341884c ldb: added extended_str() method to pyldb
   via  dd5350b ldb: expose syntax oids to python
   via  c4a7908 samba-tool: try to keep dbcheck.py in a logical ordering
   via  c46f808 s4-dsdb: don't add zero GUID to BINARY_DN
  from  c173e6e s3-spoolss: Fix some valgrind warnings.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 9e766f019bff74ec9c1d5df326cdea2c7fe05e2a
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 14:44:36 2011 +1000

samba-tool: added missing GUID component checks to dbcheck

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

Autobuild-User: Andrew Tridgell tri...@samba.org
Autobuild-Date: Wed Jun 22 07:59:30 CEST 2011 on sn-devel-104

commit 505dce2d3aa95d475e12c4e5e4e2b3f1907bdd84
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 14:44:12 2011 +1000

pyldb: added methods to get/set extended components on DNs

this will be used by the dbcheck code

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit 202f0a4b576d78928a403b68f3e057d3a425bddf
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 14:41:50 2011 +1000

pydsdb: added get_syntax_oid_from_lDAPDisplayName()

this gives you access to the syntax oid of an attribute

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit 341884c835b9c5785794cba562c2a21939eb4bce
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 13:49:37 2011 +1000

ldb: added extended_str() method to pyldb

this gives access to ldb_dn_get_extended_linearized() from python

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit dd5350b0a87c82be7d0b0d124885ecfd73bb1b5b
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 12:34:32 2011 +1000

ldb: expose syntax oids to python

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit c4a7908f46e7005f323eeca5fd38ec9e88a54aa9
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 12:23:05 2011 +1000

samba-tool: try to keep dbcheck.py in a logical ordering

keep individual error handlers together and separate from driver code

commit c46f80824b649647b5a61364a1b8fe26267bbdd9
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 11:56:40 2011 +1000

s4-dsdb: don't add zero GUID to BINARY_DN

When converting from DRS to ldb format for a BINARY_DN, don't add the
GUID extended DN element if the GUID is all zeros.

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

---

Summary of changes:
 source4/dsdb/pydsdb.c|   40 ++
 source4/dsdb/schema/schema_syntax.c  |   20 ++--
 source4/lib/ldb/pyldb.c  |   77 +++
 source4/scripting/python/samba/netcmd/dbcheck.py |  160 +
 source4/scripting/python/samba/samdb.py  |5 +
 5 files changed, 262 insertions(+), 40 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/pydsdb.c b/source4/dsdb/pydsdb.c
index 62f33bb..5ca6b02 100644
--- a/source4/dsdb/pydsdb.c
+++ b/source4/dsdb/pydsdb.c
@@ -331,6 +331,38 @@ static PyObject 
*py_dsdb_get_attid_from_lDAPDisplayName(PyObject *self, PyObject
 }
 
 /*
+  return the attribute syntax oid as a string from the attribute name
+ */
+static PyObject *py_dsdb_get_syntax_oid_from_lDAPDisplayName(PyObject *self, 
PyObject *args)
+{
+   PyObject *py_ldb;
+   struct ldb_context *ldb;
+   struct dsdb_schema *schema;
+   const char *ldap_display_name;
+   const struct dsdb_attribute *attribute;
+
+   if (!PyArg_ParseTuple(args, Os, py_ldb, ldap_display_name))
+   return NULL;
+
+   PyErr_LDB_OR_RAISE(py_ldb, ldb);
+
+   schema = dsdb_get_schema(ldb, NULL);
+
+   if (!schema) {
+   PyErr_SetString(PyExc_RuntimeError, Failed to find a schema 
from ldb);
+   return NULL;
+   }
+
+   attribute = dsdb_attribute_by_lDAPDisplayName(schema, 
ldap_display_name);
+   if (attribute == NULL) {
+   PyErr_Format(PyExc_RuntimeError, Failed to find attribute 
'%s', ldap_display_name);
+   return NULL;
+   }
+
+   return PyString_FromString(attribute-syntax-ldap_oid);
+}
+
+/*
   convert a python string to a DRSUAPI drsuapi_DsReplicaAttribute attribute
  */
 static PyObject *py_dsdb_DsReplicaAttribute(PyObject *self, PyObject *args)
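Review bot: py_dsdb_get_syntax_oid_from_lDAPDisplayName() dereferences attribute->syntax->ldap_oid without checking attribute->syntax; if the schema loader guarantees every dsdb_attribute has a resolved syntax that is fine, but either a NULL check raising RuntimeError (like the schema and attribute lookups just above it) or a comment stating the invariant would make it explicit. PyString_FromString() also keeps the binding Python-2-only, which is consistent with the rest of pydsdb.c.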
@@ -802,6 +834,8 @@ static PyMethodDef py_dsdb_methods[] = {
METH_VARARGS, NULL },
{ 

[SCM] Samba Shared Repository - branch master updated

2011-06-22 Thread Stefan Metzmacher
The branch, master has been updated
   via  ede3046 s4:auth/kerberos: protect kerberos_kinit_password_cc() 
against old KDCs
   via  e5378e6 s4:auth/kerberos: remove one indentation level in 
kerberos_kinit_password_cc()
   via  b98428e s4:auth/kerberos: reformat kerberos_kinit_password_cc()
   via  9c56303 s4:auth/kerberos: don't mix s4u2self creds with machine 
account creds
   via  b3d4962 s4:auth/kerberos: use better variable names in 
kerberos_kinit_password_cc()
   via  7cf3842 s4:auth/kerberos: don't ignore return code in 
kerberos_kinit_password_cc()
  from  9e766f0 samba-tool: added missing GUID component checks to dbcheck

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit ede3046b8b9b0576a35626026cb28c31b42da46d
Author: Stefan Metzmacher me...@samba.org
Date:   Tue Jun 21 01:39:58 2011 +0200

s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs

Old KDCs may not support S4U2Self (or S4U2Proxy) and return tickets
which belong to the client principal of the TGT.

metze

Autobuild-User: Stefan Metzmacher me...@samba.org
Autobuild-Date: Wed Jun 22 09:10:55 CEST 2011 on sn-devel-104

commit e5378e600e507241dd64c1ea7345676076dc8755
Author: Stefan Metzmacher me...@samba.org
Date:   Mon Jun 20 21:23:45 2011 +0200

s4:auth/kerberos: remove one indentation level in 
kerberos_kinit_password_cc()

This will make the following changes easier to review.

metze

commit b98428e630cc5a1bbc18bf4260030a24322fdf9e
Author: Stefan Metzmacher me...@samba.org
Date:   Mon Jun 20 21:09:13 2011 +0200

s4:auth/kerberos: reformat kerberos_kinit_password_cc()

In order to make the following changes easier to review.

metze

commit 9c56303f5a56697470ea9f2ee1a428aed2367d75
Author: Stefan Metzmacher me...@samba.org
Date:   Mon Jun 20 15:27:58 2011 +0200

s4:auth/kerberos: don't mix s4u2self creds with machine account creds

It's important that we don't store the tgt for the machine account
in the same krb5_ccache as the ticket for the impersonated principal.

We may pass it to some krb5/gssapi functions and they may use them
in the wrong way, which would grant machine account privileges to
the client.

metze

commit b3d49620875d878e2ad39896a6fe9fddb039253e
Author: Stefan Metzmacher me...@samba.org
Date:   Mon Jun 20 18:01:49 2011 +0200

s4:auth/kerberos: use better variable names in kerberos_kinit_password_cc()

This will make the following changes easier to review.

metze

commit 7cf38425b274c43144a2216accf5330d8ef1fe36
Author: Stefan Metzmacher me...@samba.org
Date:   Mon Jun 20 17:41:52 2011 +0200

s4:auth/kerberos: don't ignore return code in kerberos_kinit_password_cc()

metze

---

Summary of changes:
 source4/auth/kerberos/kerberos.c |  228 +
 1 files changed, 178 insertions(+), 50 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c
index 0db0dd3..fa8c64b 100644
--- a/source4/auth/kerberos/kerberos.c
+++ b/source4/auth/kerberos/kerberos.c
@@ -84,82 +84,210 @@
   The target_service defaults to the krbtgt if NULL, but could be 
kpasswd/realm or the local service (if we are doing s4u2self)
 
 */
- krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc, 
-   krb5_principal principal, const 
char *password,
-   krb5_principal 
impersonate_principal, const char *target_service,
+ krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache 
store_cc,
+   krb5_principal init_principal,
+   const char *init_password,
+   krb5_principal 
impersonate_principal,
+   const char *target_service,
krb5_get_init_creds_opt 
*krb_options,
time_t *expire_time, time_t 
*kdc_time)
 {
krb5_error_code code = 0;
-   krb5_creds my_creds;
-   krb5_creds *impersonate_creds;
krb5_get_creds_opt options;
+   krb5_principal store_principal;
+   krb5_creds store_creds;
+   const char *self_service = target_service;
+   krb5_creds *s4u2self_creds;
+   krb5_principal self_princ;
+   krb5_ccache tmp_cc;
+   const char *self_realm;
+   krb5_principal blacklist_principal = NULL;
 
-   /* If we are not impersonating, then get this ticket for the
+   /*
+* If we are not impersonating, then get this ticket for the
 * target service, otherwise a krbtgt, and get the next 
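Review bot: the renamed parameters (store_cc, init_principal, init_password) are not reflected in the header comment above the signature, which still describes target_service as possibly "the local service (if we are doing s4u2self)" and says nothing about what ends up in store_cc versus tmp_cc. Of the new locals only blacklist_principal is initialised; since tmp_cc, self_princ and s4u2self_creds presumably need freeing on error paths, initialising them to NULL would keep early returns safe. The hunk is truncated in this mail, so the cleanup path itself cannot be checked here.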

[SCM] Samba Shared Repository - branch master updated

2011-06-22 Thread Andreas Schneider
The branch, master has been updated
   via  21af0af s3: Added missing includes to .clang_complete.
  from  ede3046 s4:auth/kerberos: protect kerberos_kinit_password_cc() 
against old KDCs

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 21af0af4e4a498bc676125507fdb96fa5b0e5cd5
Author: Andreas Schneider a...@samba.org
Date:   Tue Jun 21 15:09:28 2011 +0200

s3: Added missing includes to .clang_complete.

Autobuild-User: Andreas Schneider a...@cryptomilk.org
Autobuild-Date: Wed Jun 22 11:15:56 CEST 2011 on sn-devel-104

---

Summary of changes:
 source3/.clang_complete |2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/.clang_complete b/source3/.clang_complete
index 52de1ac..46925f9 100644
--- a/source3/.clang_complete
+++ b/source3/.clang_complete
@@ -1,5 +1,6 @@
 -I.
 -I./..
+-I./../lib
 -I./../lib/replace
 -I./../lib/talloc
 -I./../lib/tevent
@@ -7,6 +8,7 @@
 -I./../lib/iniparser/src
 -I./../lib/popt
 -I./../lib/tdb/include
+-I./../lib/tdb_compat
 -I./include/autoconf
 -I./include
 -I./librpc


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated

2011-06-22 Thread Andrew Tridgell
The branch, master has been updated
   via  a353b49 s4-dsdb: bypass validation when relax set
   via  6d1fe05 samba-tool: allow for running dbcheck against a remote ldap server
   via  ff8cdee samba-tool: expanded dbcheck DN checking
   via  c42aeb7 s4-dsdb: prioritise GUID in extended_dn_in
   via  d9ee7ae s4-dsdb: catch duplicate matches in extended_dn_in
  from  21af0af s3: Added missing includes to .clang_complete.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit a353b49047a54461a1b4fd3c5f232adcea5fbeaf
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 18:14:14 2011 +1000

s4-dsdb: bypass validation when relax set

this allows dbcheck to fix bad attributes

Autobuild-User: Andrew Tridgell tri...@samba.org
Autobuild-Date: Wed Jun 22 12:27:06 CEST 2011 on sn-devel-104

commit 6d1fe054dd93b8d282fcf515fc62f5d5ab72e6a8
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 17:38:19 2011 +1000

samba-tool: allow for running dbcheck against a remote ldap server

this is useful for running it against a Windows server

commit ff8cdeecfc28be396dcbdc4af6b7e60ab9de45f1
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 17:08:28 2011 +1000

samba-tool: expanded dbcheck DN checking

this now checks for bad GUID elements in DN links, and offers to fix
them when possible

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit c42aeb7872c89983ea274d72b7ef8d9c7a59bc08
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 17:07:39 2011 +1000

s4-dsdb: prioritise GUID in extended_dn_in

if we search with a base DN that has both a GUID and a SID, then use
the GUID first. This matters for the S-1-5-17 SID.

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

commit d9ee7aebcb26c6115e0caeacb90f3f916a5af600
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 17:05:08 2011 +1000

s4-dsdb: catch duplicate matches in extended_dn_in

When searching using extended DNs, if there are multiple matches then
return an object not found error. This is needed for the case of a
duplicate objectSid, which happens for S-1-5-17

Pair-Programmed-With: Andrew Bartlett abart...@samba.org

---

Summary of changes:
 source4/dsdb/samdb/ldb_modules/extended_dn_in.c|   31 +++-
 source4/dsdb/samdb/ldb_modules/objectclass_attrs.c |3 +-
 source4/scripting/python/samba/netcmd/dbcheck.py   |  144 
 3 files changed, 143 insertions(+), 35 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c 
b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
index 3e2004d..9a70d9a 100644
--- a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
+++ b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
@@ -103,6 +103,18 @@ static int extended_base_callback(struct ldb_request *req, 
struct ldb_reply *are
 
switch (ares-type) {
case LDB_REPLY_ENTRY:
+   if (ac-basedn) {
+   /* we have more than one match! This can
+  happen as S-1-5-17 appears twice in a
+  normal provision. We need to return
+  NO_SUCH_OBJECT */
+   const char *str = talloc_asprintf(req, Duplicate 
base-DN matches found for '%s',
+ 
ldb_dn_get_extended_linearized(req, ac-req-op.search.base, 1));
+   ldb_set_errstring(ldb_module_get_ctx(ac-module), str);
+   return ldb_module_done(ac-req, NULL, NULL,
+  LDB_ERR_NO_SUCH_OBJECT);
+   }
+
if (!ac-wellknown_object) {
ac-basedn = talloc_steal(ac, ares-message-dn);
break;
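Review bot: the duplicate-match check at the top of LDB_REPLY_ENTRY relies on ac->basedn having been set by the first entry, and in the visible lines that only happens in the !ac->wellknown_object branch; if the wellknown_object path stores its result elsewhere, a duplicate there will still go unnoticed. The talloc_asprintf() result is also passed to ldb_set_errstring() unchecked, so an allocation failure would yield a "(null)" message. Since mapping a duplicate base DN to LDB_ERR_NO_SUCH_OBJECT hides a database-integrity problem behind a plain "not found", a DEBUG line here would help anyone diagnosing the S-1-5-17 case the comment describes.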
@@ -303,30 +315,33 @@ static int extended_dn_in_fix(struct ldb_module *module, 
struct ldb_request *req
guid_val = ldb_dn_get_extended_component(dn, GUID);
wkguid_val = ldb_dn_get_extended_component(dn, WKGUID);
 
-   if (sid_val) {
+   /*
+ prioritise the GUID - we have had instances of
+ duplicate SIDs in the database in the
+ ForeignSecurityPrinciples due to provision errors
+*/
+   if (guid_val) {
all_partitions = true;
base_dn = 
ldb_get_default_basedn(ldb_module_get_ctx(module));
-   base_dn_filter = talloc_asprintf(req, (objectSid=%s), 
-ldb_binary_encode(req, 
*sid_val));
+   base_dn_filter = talloc_asprintf(req, (objectGUID=%s),
+  
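Review bot: the new comment spells the container "ForeignSecurityPrinciples"; it is "ForeignSecurityPrincipals". On the logic, the branch now tests guid_val before sid_val, which matches the commit message, but the hunk is truncated before the SID branch, so it is not visible whether the SID lookup is still reachable as a fallback when a DN carries only a SID; worth confirming the else-if chain in the full diff.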

[SCM] Samba Shared Repository - branch master updated

2011-06-22 Thread Jim McDonough
The branch, master has been updated
   via  d4c30a5 Update eDirectory schema
  from  a353b49 s4-dsdb: bypass validation when relax set

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit d4c30a5ffbeab75506bf1ad5d8d5da48e3f4d41c
Author: Jim McDonough j...@samba.org
Date:   Wed Jun 22 07:36:20 2011 -0400

Update eDirectory schema

Autobuild-User: Jim McDonough j...@samba.org
Autobuild-Date: Wed Jun 22 14:48:09 CEST 2011 on sn-devel-104

---

Summary of changes:
 examples/LDAP/samba-nds.schema |   69 +++
 1 files changed, 20 insertions(+), 49 deletions(-)


Changeset truncated at 500 lines:

diff --git a/examples/LDAP/samba-nds.schema b/examples/LDAP/samba-nds.schema
index 0b3cf66..369670b 100644
--- a/examples/LDAP/samba-nds.schema
+++ b/examples/LDAP/samba-nds.schema
@@ -35,7 +35,7 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.25 NAME 
'sambaNTPassword' DESC 'MD4 hash
 dn: cn=schema
 changetype: modify
 add: attributetypes
-attributeTypes: ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account 
Flags' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreSubstringsMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account 
Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} 
SINGLE-VALUE )
 
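Review bot: dropping SUBSTR caseIgnoreSubstringsMatch from sambaAcctFlags means substring filters on that attribute are no longer backed by a matching rule on eDirectory; if the rule was removed because eDirectory rejects that SUBSTR rule on an IA5 syntax, a comment in the file would stop the next person from re-adding it. Note that sambaSID in a later hunk keeps a SUBSTR rule, so the two IA5 attributes are now handled differently.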
 ##
 ## Password timestamps  policies
@@ -128,7 +128,7 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.47 NAME 
'sambaMungedDial' DESC 'Base64 en
 dn: cn=schema
 changetype: modify
 add: attributetypes
-attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 
'Concatenated MD4 hashes of the unicode passwords used on this account' 
EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1024} )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 
'Concatenated MD5 hashes of the salted NT passwords used on this account' 
EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1024} )
 
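Review bot: only the DESC changes here; SYNTAX and the {1024} length are unchanged, so stored values are unaffected. The new text documents the stored format as salted MD5 rather than raw MD4, so any tooling that parses sambaPasswordHistory must agree with that description.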
 ##
 ## SID, of any type
@@ -137,7 +137,7 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 
'sambaPasswordHistory' DESC 'Conc
 dn: cn=schema
 changetype: modify
 add: attributetypes
-attributeTypes: ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' 
EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreSubstringsMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' 
EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
 
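Review bot: sambaSID now has EQUALITY caseIgnoreIA5Match but SUBSTR caseExactIA5SubstringsMatch, so an equality filter matches a SID case-insensitively while a substring filter on the same attribute is case-sensitive; SIDs are normally written with an upper-case "S", but mixed rules make results depend on which filter form a client uses. If eDirectory lacks caseIgnoreIA5SubstringsMatch, the consistent fix is caseExactIA5Match for EQUALITY as well.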
 ##
 ## Primary group SID, compatible with ntSid
@@ -287,47 +287,13 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.67 NAME 
'sambaRefuseMachinePwdChange' DES
 dn: cn=schema
 changetype: modify
 add: attributetypes
-attributeTypes: ( 1.3.6.1.4.1.7165.2.1.70 NAME 'sambaTrustType' DESC 'Type of 
trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+attributeTypes: ( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPassword' DESC 
'Clear text password (used for trusted domain passwords)' EQUALITY 
octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
 
 dn: cn=schema
 changetype: modify
 add: attributetypes
-attributeTypes: ( 1.3.6.1.4.1.7165.2.1.71 NAME 'sambaTrustAttributes' DESC 
'Trust attributes for a trusted domain' EQUALITY integerMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
-
-dn: cn=schema
-changetype: modify
-add: attributetypes
-attributeTypes: ( 1.3.6.1.4.1.7165.2.1.72 NAME 'sambaTrustDirection' DESC 
'Direction of a trust' EQUALITY integerMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
-
-dn: cn=schema
-changetype: modify
-add: attributetypes
-attributeTypes: ( 1.3.6.1.4.1.7165.2.1.73 NAME 'sambaTrustPartner' DESC 'Fully 
qualified name of the domain with which a trust exists' EQUALITY 
caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
-
-dn: cn=schema
-changetype: modify
-add: attributetypes
-attributeTypes: ( 1.3.6.1.4.1.7165.2.1.74 NAME 'sambaFlatName' DESC 'NetBIOS 
name of a domain' EQUALITY caseIgnoreMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15{128} )
-
-dn: cn=schema
-changetype: modify
-add: attributetypes
-attributeTypes: ( 1.3.6.1.4.1.7165.2.1.75 NAME 'sambaTrustAuthOutgoing' DESC 
'Authentication information for the outgoing portion of a trust' EQUALITY 
caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
-
-dn: cn=schema
-changetype: modify
-add: attributetypes
-attributeTypes: ( 1.3.6.1.4.1.7165.2.1.76 NAME 'sambaTrustAuthIncoming' DESC 
'Authentication information for the incoming portion of a trust' EQUALITY 
caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
-
-dn: cn=schema
-changetype: modify
-add: attributetypes
-attributeTypes: ( 1.3.6.1.4.1.7165.2.1.77 NAME 'sambaSecurityIdentifier' DESC 
'SID of a trusted 
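Review bot: this hunk replaces the sambaTrustType definition (OID ...2.1.70) with sambaClearTextPassword (OID ...2.1.68) and deletes sambaTrustAttributes through sambaSecurityIdentifier (...2.1.71 to ...2.1.77) in one go, but the commit message only says "Update eDirectory schema"; a sentence on why the trust attributes go, and which objectclass references sambaClearTextPassword (not in the visible lines), would help. Two practical points: because this file is applied via "changetype: modify / add: attributetypes", removing definitions here does nothing to directories that already loaded them, and sambaClearTextPassword by its own DESC holds trusted-domain passwords in the clear, so it needs the same read restrictions as sambaNTPassword in any deployment guidance.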

[SCM] Samba Shared Repository - branch master updated

2011-06-22 Thread Stefan Metzmacher
The branch, master has been updated
   via  5a8ac84 s4:ntvfs/cifs: add option to use S4U2Proxy
   via  033f337 s4:auth/kerberos: protect kerberos_kinit_password_cc() 
against old KDCs
   via  b9e095f s4:auth/kerberos: add S4U2Proxy support to 
kerberos_kinit_password_cc()
  from  d4c30a5 Update eDirectory schema

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 5a8ac842701b65c0abd9731545792c2a0fd2aa79
Author: Stefan Metzmacher me...@samba.org
Date:   Fri Mar 11 08:32:22 2011 +0100

s4:ntvfs/cifs: add option to use S4U2Proxy

Note: this doesn't work against a Samba4 KDC yet.

metze

Autobuild-User: Stefan Metzmacher me...@samba.org
Autobuild-Date: Wed Jun 22 18:17:43 CEST 2011 on sn-devel-104

commit 033f3376a834c1078b377647069b7e30aef59667
Author: Stefan Metzmacher me...@samba.org
Date:   Tue Jun 21 11:05:15 2011 +0200

s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs

If the KDC does not support S4U2Proxy, it might return a ticket
for the TGT client principal.

metze

commit b9e095fdfb684005f9bb5c1d943b2a0705308500
Author: Stefan Metzmacher me...@samba.org
Date:   Mon Jun 20 20:28:44 2011 +0200

s4:auth/kerberos: add S4U2Proxy support to kerberos_kinit_password_cc()

For S4U2Proxy we need to use the ticket from the S4U2Self stage
and ask the kdc for the delegated ticket for the target service.

metze

---

Summary of changes:
 source4/auth/kerberos/kerberos.c  |  181 -
 source4/auth/kerberos/kerberos.h  |4 +-
 source4/auth/kerberos/kerberos_util.c |1 +
 source4/ntvfs/cifs/vfs_cifs.c |   49 +
 4 files changed, 230 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c
index fa8c64b..0fc9d14 100644
--- a/source4/auth/kerberos/kerberos.c
+++ b/source4/auth/kerberos/kerberos.c
@@ -81,13 +81,16 @@
 
   The impersonate_principal is the principal if NULL, or the principal to 
impersonate
 
-  The target_service defaults to the krbtgt if NULL, but could be 
kpasswd/realm or the local service (if we are doing s4u2self)
+  The self_service, should be the local service (for S4U2Self if 
impersonate_principal is given).
+
+  The target_service defaults to the krbtgt if NULL, but could be 
kpasswd/realm or a remote service (for S4U2Proxy)
 
 */
  krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache 
store_cc,
krb5_principal init_principal,
const char *init_password,
krb5_principal 
impersonate_principal,
+   const char *self_service,
const char *target_service,
krb5_get_init_creds_opt 
*krb_options,
time_t *expire_time, time_t 
*kdc_time)
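Review bot: the new comment line "The self_service, should be the local service" has a stray comma, and it should also state that self_service must be non-NULL whenever impersonate_principal is given, which is exactly what the EINVAL check in the next hunk enforces. Adding a parameter to kerberos_kinit_password_cc() changes every caller; the summary shows kerberos_util.c and vfs_cifs.c updated, so anything else linking this symbol would need the same treatment.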
@@ -96,12 +99,21 @@
krb5_get_creds_opt options;
krb5_principal store_principal;
krb5_creds store_creds;
-   const char *self_service = target_service;
krb5_creds *s4u2self_creds;
+   Ticket s4u2self_ticket;
+   size_t s4u2self_ticketlen;
+   krb5_creds *s4u2proxy_creds;
krb5_principal self_princ;
+   bool s4u2proxy;
+   krb5_principal target_princ;
krb5_ccache tmp_cc;
const char *self_realm;
krb5_principal blacklist_principal = NULL;
+   krb5_principal whitelist_principal = NULL;
+
+   if (impersonate_principal  self_service == NULL) {
+   return EINVAL;
+   }
 
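Review bot: the early "if (impersonate_principal && self_service == NULL) return EINVAL;" sits before any allocation, so returning without cleanup is safe here. Two smaller points: "Ticket s4u2self_ticket" is a Heimdal ASN.1 type, which ties this function to the Heimdal build in a file that otherwise sticks to krb5_ types, and the newly declared s4u2proxy_creds, target_princ and tmp_cc have no initialisers, so any shared error label that frees them must be certain they were set.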
/*
 * If we are not impersonating, then get this ticket for the
@@ -168,6 +180,18 @@
krb5_free_cred_contents(ctx, store_creds);
 
/*
+* Check if we also need S4U2Proxy or if S4U2Self is
+* enough in order to get a ticket for the target.
+*/
+   if (target_service == NULL) {
+   s4u2proxy = false;
+   } else if (strcmp(target_service, self_service) == 0) {
+   s4u2proxy = false;
+   } else {
+   s4u2proxy = true;
+   }
+
+   /*
 * For S4U2Self we need our own service principal,
 * which belongs to our own realm (available on
 * our client principal).
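Review bot: the strcmp(target_service, self_service) in the s4u2proxy decision is only safe if self_service is non-NULL, and the EINVAL check above guarantees that only when impersonate_principal is set; if this block can be reached in the non-impersonating case with a non-NULL target_service (the header comment says target_service may be kpasswd/realm there), self_service may be NULL and strcmp() would dereference it. If the non-impersonating path has already returned before this point, a comment saying so would settle it.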
@@ -197,6 +221,14 @@
return code;
}
 
+   if (s4u2proxy) {
+   /*
+* If we want S4U2Proxy, we need the forwardable flag
+* on the S4U2Self ticket.
+*/
+   krb5_get_creds_opt_set_options(ctx, options, 
KRB5_GC_FORWARDABLE);
+   }
+
code = krb5_get_creds_opt_set_impersonate(ctx, 
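Review bot: requesting KRB5_GC_FORWARDABLE is necessary for the later S4U2Proxy step, but a KDC is free to ignore the flag (this series is explicitly about old KDCs), so before s4u2self_creds is used for S4U2Proxy the code should verify that the returned ticket actually carries the forwardable flag and fail cleanly otherwise; that check is not in the visible part of the hunk.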

[SCM] Samba Shared Repository - branch master updated

2011-06-22 Thread Stefan Metzmacher
The branch, master has been updated
   via  ae6a7f9 s4:winbind/wb_init_domain: use DCERPC_SCHANNEL_128 in order 
to work against w2k8r2
  from  5a8ac84 s4:ntvfs/cifs: add option to use S4U2Proxy

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit ae6a7f945f8a48a2b4b2c6cc43a0efee4f134a8b
Author: Stefan Metzmacher me...@samba.org
Date:   Wed Jun 22 18:25:30 2011 +0200

s4:winbind/wb_init_domain: use DCERPC_SCHANNEL_128 in order to work against 
w2k8r2

metze

Autobuild-User: Stefan Metzmacher me...@samba.org
Autobuild-Date: Wed Jun 22 19:40:47 CEST 2011 on sn-devel-104

---

Summary of changes:
 source4/winbind/wb_init_domain.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/winbind/wb_init_domain.c b/source4/winbind/wb_init_domain.c
index 50a6af0..9847afb 100644
--- a/source4/winbind/wb_init_domain.c
+++ b/source4/winbind/wb_init_domain.c
@@ -154,7 +154,7 @@ struct composite_context *wb_init_domain_send(TALLOC_CTX 
*mem_ctx,
 (lpcfg_server_role(service-task-lp_ctx) == 
ROLE_DOMAIN_CONTROLLER)) 
(dom_sid_equal(state-domain-info-sid,
   state-service-primary_sid))) {
-   state-domain-netlogon_binding-flags |= DCERPC_SCHANNEL;
+   state-domain-netlogon_binding-flags |= DCERPC_SCHANNEL | 
DCERPC_SCHANNEL_128;
 
/* For debugging, it can be a real pain if all the traffic is 
encrypted */
if (lpcfg_winbind_sealed_pipes(service-task-lp_ctx)) {
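Review bot: OR-ing in DCERPC_SCHANNEL_128 makes 128-bit netlogon schannel negotiation unconditional for this binding rather than configurable; that is the right default against w2k8r2 per the commit message, but it is worth checking whether other places in source4 that build a netlogon schannel binding still use plain DCERPC_SCHANNEL and would fail the same way against the same servers.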




[SCM] Samba Shared Repository - branch master updated

2011-06-22 Thread Matthieu Patou
The branch, master has been updated
   via  a9e4592 s4-dbcheck: fix uninitialized errstr in 
err_dn_target_mismatch
   via  ef7940f s4-dbcheck: remove unused include
   via  4d51ddb s4-schema: avoid segfaulting if id3.guid is NULL
   via  249fbd8 s4-samba_dnsupdate: set environment via the env parameter
   via  c2dfaa2 s4-upgradeprovision: Don't forget to populate the non 
replicated objects, and don't touch rIDPreviousAllocationPool
   via  2f4251c dbchecker: cope with a broken link to Deleted Objects
   via  4fe9ebc dbchecker: fixed argument error for -H and DN
   via  6b939f4 dbchecker: when fixing a bad GUID in a DN, search by the 
string DN
   via  9676c26 samba-tool: added --attrs option to dbcheck
   via  7fff636 samba-tool: make the dbcheck class available outside of 
samba-tool
   via  9be9f0e samba-tool: added --quiet option to dbcheck
  from  ae6a7f9 s4:winbind/wb_init_domain: use DCERPC_SCHANNEL_128 in order 
to work against w2k8r2

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit a9e45923369e3171cb7f42284f52ce3c4c8b0a4b
Author: Matthieu Patou m...@matws.net
Date:   Wed Jun 22 21:28:25 2011 +0400

s4-dbcheck: fix uninitialized errstr in err_dn_target_mismatch

Autobuild-User: Matthieu Patou m...@samba.org
Autobuild-Date: Wed Jun 22 21:22:27 CEST 2011 on sn-devel-104

commit ef7940f7be7de238a693cfba649faf8b67b7da3a
Author: Matthieu Patou m...@matws.net
Date:   Wed Jun 22 21:28:00 2011 +0400

s4-dbcheck: remove unused include

commit 4d51ddbb5c9e4465887d9fcd2c10de3f46c6a12a
Author: Matthieu Patou m...@matws.net
Date:   Wed Jun 22 20:54:37 2011 +0400

s4-schema: avoid segfaulting if id3.guid is NULL

commit 249fbd8a334b4d19f9148e07449fec3f26b8267d
Author: Matthieu Patou m...@matws.net
Date:   Tue Jun 21 13:39:28 2011 +0400

s4-samba_dnsupdate: set environment via the env parameter

I faced a situation where the os.environ(KRB5CCNAME) = ... didn't
seem to be effective

commit c2dfaa2580918cf31069c1063ff07a819ca0554a
Author: Matthieu Patou m...@matws.net
Date:   Tue Jun 21 13:37:26 2011 +0400

s4-upgradeprovision: Don't forget to populate the non replicated objects, 
and don't touch rIDPreviousAllocationPool

commit 2f4251c389f5fa92bfba10739677a760f0bdf198
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 22:06:18 2011 +1000

dbchecker: cope with a broken link to Deleted Objects

if a DN link to Deleted Objects has a bad GUID, we need to use
show_deleted

commit 4fe9ebc2e3e09befe8d7a2ce577336eefd9b9694
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 21:22:39 2011 +1000

dbchecker: fixed argument error for -H and DN

commit 6b939f4a9c19cd868ac1b6d77cc26662e2726e8c
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 20:53:44 2011 +1000

dbchecker: when fixing a bad GUID in a DN, search by the string DN

commit 9676c26fdd7ca53405abd06f58ae40d39d818e4d
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 20:44:35 2011 +1000

samba-tool: added --attrs option to dbcheck

this allows checking of a specific list of attributes

commit 7fff636bce2576a63170bf3cc555eb85b8fefd67
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 20:01:58 2011 +1000

samba-tool: make the dbcheck class available outside of samba-tool

this will be used in provision, and probably in upgradeprovision as
well

commit 9be9f0e43c9312094a42efa236791dfcd95dc9f9
Author: Andrew Tridgell tri...@samba.org
Date:   Wed Jun 22 19:32:45 2011 +1000

samba-tool: added --quiet option to dbcheck

this will be used to allow for other tools (such as provision) to call
into dbcheck without generating a lot of noise

---

Summary of changes:
 source4/dsdb/schema/schema_syntax.c|3 +-
 source4/scripting/bin/samba_dnsupdate  |2 +-
 source4/scripting/bin/upgradeprovision |6 +-
 .../samba/{netcmd/dbcheck.py = dbchecker.py}  |  182 +---
 source4/scripting/python/samba/netcmd/dbcheck.py   |  307 ++--
 5 files changed, 102 insertions(+), 398 deletions(-)
 copy source4/scripting/python/samba/{netcmd/dbcheck.py = dbchecker.py} (61%)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/schema/schema_syntax.c 
b/source4/dsdb/schema/schema_syntax.c
index f542f67..a93cdfa 100644
--- a/source4/dsdb/schema/schema_syntax.c
+++ b/source4/dsdb/schema/schema_syntax.c
@@ -1995,10 +1995,9 @@ static WERROR dsdb_syntax_DN_BINARY_drsuapi_to_ldb(const 
struct dsdb_syntax_ctx
talloc_free(tmp_ctx);
return WERR_FOOBAR;
}
+   talloc_free(guid_blob.data);
}
 
-   talloc_free(guid_blob.data);
-
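Review bot: moving talloc_free(guid_blob.data) inside the block where guid_blob is actually filled fixes the segfault for the id3.guid == NULL path, but only because guid_blob.data was left uninitialised on that path (talloc_free(NULL) itself is a no-op); initialising guid_blob to data_blob_null at its declaration would make the function robust to future reorderings as well.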
   

[SCM] Samba Shared Repository - branch master updated

2011-06-22 Thread Matthieu Patou
The branch, master has been updated
   via  4f7f143 dfsreferral: search client's site and use it
  from  a9e4592 s4-dbcheck: fix uninitialized errstr in 
err_dn_target_mismatch

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 4f7f1430268f0ab5447fe189da6435bdd8e0614e
Author: Matthieu Patou m...@matws.net
Date:   Thu Jun 23 02:35:50 2011 +0400

dfsreferral: search client's site and use it

Autobuild-User: Matthieu Patou m...@samba.org
Autobuild-Date: Thu Jun 23 01:50:39 CEST 2011 on sn-devel-104

---

Summary of changes:
 source4/smb_server/smb/trans2.c |4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/smb_server/smb/trans2.c b/source4/smb_server/smb/trans2.c
index b3aa690..72babd5 100644
--- a/source4/smb_server/smb/trans2.c
+++ b/source4/smb_server/smb/trans2.c
@@ -1107,7 +1107,7 @@ static NTSTATUS get_dcs(TALLOC_CTX *ctx, struct 
ldb_context *ldb,
}
talloc_free(r);
 
-   if (searched_site != NULL) {
+   if (searched_site != NULL  searched_site[0] != '\0') {
ret = ldb_search(ldb, subctx, r, configdn, LDB_SCOPE_SUBTREE,
 attrs_none, ((name=%s)(objectClass=site)), 
searched_site);
if (ret != LDB_SUCCESS) {
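Review bot: the added searched_site[0] != '\0' guard stops an empty site name from being searched for; since searched_site is interpolated straight into an LDB filter here, it must remain server-derived (the next hunk obtains it from samdb_client_site_name()), and if that ever changes it should be escaped with ldb_binary_encode_string() rather than trusted.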
@@ -1461,7 +1461,7 @@ static NTSTATUS dodc_or_sysvol_referral(TALLOC_CTX *ctx,
client_addr = tsocket_address_inet_addr_string(remote_address, 
context);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(client_addr, context);
}
-
+   site_name = samdb_client_site_name(ldb, context, client_addr, NULL);
status = get_dcs(context, ldb, site_name, need_fqdn, set, 0);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3,(Unable to get list of DCs\n));
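Review bot: the call samdb_client_site_name(ldb, context, client_addr, NULL) replaces a blank line and its return value is not checked; get_dcs() now tolerates a NULL or empty site, so behaviour is fine, but a short comment that a NULL site_name intentionally falls back to the unrestricted DC search would help readers. Also confirm client_addr is non-NULL on every path into this call, since the NT_STATUS_HAVE_NO_MEMORY_AND_FREE above covers only the branch visible here.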

