[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 9e766f0 samba-tool: added missing GUID component checks to dbcheck via 505dce2 pyldb: added methods to get/set extended components on DNs via 202f0a4 pydsdb: added get_syntax_oid_from_lDAPDisplayName() via 341884c ldb: added extended_str() method to pyldb via dd5350b ldb: expose syntax oids to python via c4a7908 samba-tool: try to keep dbcheck.py in a logical ordering via c46f808 s4-dsdb: don't add zero GUID to BINARY_DN from c173e6e s3-spoolss: Fix some valgrind warnings. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 9e766f019bff74ec9c1d5df326cdea2c7fe05e2a Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 14:44:36 2011 +1000 samba-tool: added missing GUID component checks to dbcheck Pair-Programmed-With: Andrew Bartlett abart...@samba.org Autobuild-User: Andrew Tridgell tri...@samba.org Autobuild-Date: Wed Jun 22 07:59:30 CEST 2011 on sn-devel-104 commit 505dce2d3aa95d475e12c4e5e4e2b3f1907bdd84 Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 14:44:12 2011 +1000 pyldb: added methods to get/set extended components on DNs this will be used by the dbcheck code Pair-Programmed-With: Andrew Bartlett abart...@samba.org commit 202f0a4b576d78928a403b68f3e057d3a425bddf Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 14:41:50 2011 +1000 pydsdb: added get_syntax_oid_from_lDAPDisplayName() this gives you access to the syntax oid of an attribute Pair-Programmed-With: Andrew Bartlett abart...@samba.org commit 341884c835b9c5785794cba562c2a21939eb4bce Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 13:49:37 2011 +1000 ldb: added extended_str() method to pyldb this gives access to ldb_dn_get_extended_linearized() from python Pair-Programmed-With: Andrew Bartlett abart...@samba.org commit dd5350b0a87c82be7d0b0d124885ecfd73bb1b5b Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 12:34:32 2011 +1000 ldb: expose syntax oids to python Pair-Programmed-With: Andrew Bartlett 
abart...@samba.org commit c4a7908f46e7005f323eeca5fd38ec9e88a54aa9 Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 12:23:05 2011 +1000 samba-tool: try to keep dbcheck.py in a logical ordering keep individual error handlers together and separate from driver code commit c46f80824b649647b5a61364a1b8fe26267bbdd9 Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 11:56:40 2011 +1000 s4-dsdb: don't add zero GUID to BINARY_DN When converting from DRS to ldb format for a BINARY_DN, don't add the GUID extended DN element if the GUID is all zeros. Pair-Programmed-With: Andrew Bartlett abart...@samba.org --- Summary of changes: source4/dsdb/pydsdb.c| 40 ++ source4/dsdb/schema/schema_syntax.c | 20 ++-- source4/lib/ldb/pyldb.c | 77 +++ source4/scripting/python/samba/netcmd/dbcheck.py | 160 + source4/scripting/python/samba/samdb.py |5 + 5 files changed, 262 insertions(+), 40 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/pydsdb.c b/source4/dsdb/pydsdb.c index 62f33bb..5ca6b02 100644 --- a/source4/dsdb/pydsdb.c +++ b/source4/dsdb/pydsdb.c 
@@ -331,6 +331,38 @@ static PyObject *py_dsdb_get_attid_from_lDAPDisplayName(PyObject *self, PyObject } /* + return the attribute syntax oid as a string from the attribute name + */ +static PyObject *py_dsdb_get_syntax_oid_from_lDAPDisplayName(PyObject *self, PyObject *args) +{ + PyObject *py_ldb; + struct ldb_context *ldb; + struct dsdb_schema *schema; + const char *ldap_display_name; + const struct dsdb_attribute *attribute; + + if (!PyArg_ParseTuple(args, Os, py_ldb, ldap_display_name)) + return NULL; + + PyErr_LDB_OR_RAISE(py_ldb, ldb); + + schema = dsdb_get_schema(ldb, NULL); + + if (!schema) { + PyErr_SetString(PyExc_RuntimeError, Failed to find a schema from ldb); + return NULL; + } + + attribute = dsdb_attribute_by_lDAPDisplayName(schema, ldap_display_name); + if (attribute == NULL) { + PyErr_Format(PyExc_RuntimeError, Failed to find attribute '%s', ldap_display_name); + return NULL; + } + + return PyString_FromString(attribute-syntax-ldap_oid); +} + +/* convert a python string to a DRSUAPI drsuapi_DsReplicaAttribute attribute */ static PyObject *py_dsdb_DsReplicaAttribute(PyObject *self, PyObject *args) @@ -802,6 +834,8 @@ static PyMethodDef py_dsdb_methods[] = { METH_VARARGS, NULL }, {
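Review bot: in the @@ -331 hunk both failure paths of py_dsdb_get_syntax_oid_from_lDAPDisplayName raise RuntimeError, so a caller such as dbcheck cannot tell a missing schema (an environment problem) from an unknown lDAPDisplayName (a caller error); consider a more specific exception such as KeyError for the `attribute == NULL` branch. The leading comment 'return the attribute syntax oid as a string' should also say which of the attribute's OIDs comes back (the LDAP syntax OID held in `attribute->syntax->ldap_oid`, not the attributeSyntax or attributeID values), since the method name alone leaves that open.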
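Review bot: the @@ -802 hunk that registers the new method in py_dsdb_methods is cut off by the 500-line truncation, so the Python-visible name cannot be checked here; the visible neighbouring entry ends in `METH_VARARGS, NULL }`, so please give the new entry a docstring instead of NULL. The pyldb additions in the same push (extended_str(), the extended-component getters and setters) would benefit from the same treatment.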
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ede3046 s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs via e5378e6 s4:auth/kerberos: remove one indentation level in kerberos_kinit_password_cc() via b98428e s4:auth/kerberos: reformat kerberos_kinit_password_cc() via 9c56303 s4:auth/kerberos: don't mix s4u2self creds with machine account creds via b3d4962 s4:auth/kerberos: use better variable names in kerberos_kinit_password_cc() via 7cf3842 s4:auth/kerberos: don't ignore return code in kerberos_kinit_password_cc() from 9e766f0 samba-tool: added missing GUID component checks to dbcheck http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit ede3046b8b9b0576a35626026cb28c31b42da46d Author: Stefan Metzmacher me...@samba.org Date: Tue Jun 21 01:39:58 2011 +0200 s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs Old KDCs may not support S4U2Self (or S4U2Proxy) and return tickets which belong to the client principal of the TGT. metze Autobuild-User: Stefan Metzmacher me...@samba.org Autobuild-Date: Wed Jun 22 09:10:55 CEST 2011 on sn-devel-104 commit e5378e600e507241dd64c1ea7345676076dc8755 Author: Stefan Metzmacher me...@samba.org Date: Mon Jun 20 21:23:45 2011 +0200 s4:auth/kerberos: remove one indentation level in kerberos_kinit_password_cc() This will make the following changes easier to review. metze commit b98428e630cc5a1bbc18bf4260030a24322fdf9e Author: Stefan Metzmacher me...@samba.org Date: Mon Jun 20 21:09:13 2011 +0200 s4:auth/kerberos: reformat kerberos_kinit_password_cc() In order to make the following changes easier to review. metze commit 9c56303f5a56697470ea9f2ee1a428aed2367d75 Author: Stefan Metzmacher me...@samba.org Date: Mon Jun 20 15:27:58 2011 +0200 s4:auth/kerberos: don't mix s4u2self creds with machine account creds It's important that we don't store the tgt for the machine account in the same krb5_ccache as the ticket for the impersonated principal. 
We may pass it to some krb5/gssapi functions and they may use them in the wrong way, which would grant machine account privileges to the client. metze commit b3d49620875d878e2ad39896a6fe9fddb039253e Author: Stefan Metzmacher me...@samba.org Date: Mon Jun 20 18:01:49 2011 +0200 s4:auth/kerberos: use better variable names in kerberos_kinit_password_cc() This will make the following changes easier to review. metze commit 7cf38425b274c43144a2216accf5330d8ef1fe36 Author: Stefan Metzmacher me...@samba.org Date: Mon Jun 20 17:41:52 2011 +0200 s4:auth/kerberos: don't ignore return code in kerberos_kinit_password_cc() metze --- Summary of changes: source4/auth/kerberos/kerberos.c | 228 + 1 files changed, 178 insertions(+), 50 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c index 0db0dd3..fa8c64b 100644 --- a/source4/auth/kerberos/kerberos.c +++ b/source4/auth/kerberos/kerberos.c 
@@ -84,82 +84,210 @@ The target_service defaults to the krbtgt if NULL, but could be kpasswd/realm or the local service (if we are doing s4u2self) */ - krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache cc, - krb5_principal principal, const char *password, - krb5_principal impersonate_principal, const char *target_service, + krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache store_cc, + krb5_principal init_principal, + const char *init_password, + krb5_principal impersonate_principal, + const char *target_service, krb5_get_init_creds_opt *krb_options, time_t *expire_time, time_t *kdc_time) { krb5_error_code code = 0; - krb5_creds my_creds; - krb5_creds *impersonate_creds; krb5_get_creds_opt options; + krb5_principal store_principal; + krb5_creds store_creds; + const char *self_service = target_service; + krb5_creds *s4u2self_creds; + krb5_principal self_princ; + krb5_ccache tmp_cc; + const char *self_realm; + krb5_principal blacklist_principal = NULL; - /* If we are not impersonating, then get this ticket for the + /* +* If we are not impersonating, then get this ticket for the * target service, otherwise a krbtgt, and get the next
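Review bot: this hunk renames the parameters and introduces `tmp_cc` next to `store_cc`, which is the point of commit 9c56303 (the machine-account TGT must not sit in the ccache callers get back), but the header comment just above the signature still only explains `target_service`; please extend it to state that `store_cc` receives only the ticket for `impersonate_principal` and that the TGT is confined to the temporary cache. The body is truncated here, so also confirm that `tmp_cc` is destroyed with krb5_cc_destroy() on every return path after it is created; with a file-based cache type a plain krb5_cc_close() would leave the machine TGT on disk, which is exactly what the split is meant to prevent.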
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 21af0af s3: Added missing includes to .clang_complete. from ede3046 s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 21af0af4e4a498bc676125507fdb96fa5b0e5cd5 Author: Andreas Schneider a...@samba.org Date: Tue Jun 21 15:09:28 2011 +0200 s3: Added missing includes to .clang_complete. Autobuild-User: Andreas Schneider a...@cryptomilk.org Autobuild-Date: Wed Jun 22 11:15:56 CEST 2011 on sn-devel-104 --- Summary of changes: source3/.clang_complete |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/.clang_complete b/source3/.clang_complete index 52de1ac..46925f9 100644 --- a/source3/.clang_complete +++ b/source3/.clang_complete @@ -1,5 +1,6 @@ -I. -I./.. +-I./../lib -I./../lib/replace -I./../lib/talloc -I./../lib/tevent @@ -7,6 +8,7 @@ -I./../lib/iniparser/src -I./../lib/popt -I./../lib/tdb/include +-I./../lib/tdb_compat -I./include/autoconf -I./include -I./librpc -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via a353b49 s4-dsdb: bypass validation when relax set via 6d1fe05 samba-tool: allow for running dbcheck against a remote ldap server via ff8cdee samba-tool: expanded dbcheck DN checking via c42aeb7 s4-dsdb: prioritise GUID in extended_dn_in via d9ee7ae s4-dsdb: catch duplicate matches in extended_dn_in from 21af0af s3: Added missing includes to .clang_complete. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a353b49047a54461a1b4fd3c5f232adcea5fbeaf Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 18:14:14 2011 +1000 s4-dsdb: bypass validation when relax set this allows dbcheck to fix bad attributes Autobuild-User: Andrew Tridgell tri...@samba.org Autobuild-Date: Wed Jun 22 12:27:06 CEST 2011 on sn-devel-104 commit 6d1fe054dd93b8d282fcf515fc62f5d5ab72e6a8 Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 17:38:19 2011 +1000 samba-tool: allow for running dbcheck against a remote ldap server this is useful for running it against a Windows server commit ff8cdeecfc28be396dcbdc4af6b7e60ab9de45f1 Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 17:08:28 2011 +1000 samba-tool: expanded dbcheck DN checking this now checks for bad GUID elements in DN links, and offers to fix them when possible Pair-Programmed-With: Andrew Bartlett abart...@samba.org commit c42aeb7872c89983ea274d72b7ef8d9c7a59bc08 Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 17:07:39 2011 +1000 s4-dsdb: prioritise GUID in extended_dn_in if we search with a base DN that has both a GUID and a SID, then use the GUID first. This matters for the S-1-5-17 SID. Pair-Programmed-With: Andrew Bartlett abart...@samba.org commit d9ee7aebcb26c6115e0caeacb90f3f916a5af600 Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 17:05:08 2011 +1000 s4-dsdb: catch duplicate matches in extended_dn_in When searching using extended DNs, if there are multiple matches then return an object not found error. 
This is needed for the case of a duplicate objectSid, which happens for S-1-5-17 Pair-Programmed-With: Andrew Bartlett abart...@samba.org --- Summary of changes: source4/dsdb/samdb/ldb_modules/extended_dn_in.c| 31 +++- source4/dsdb/samdb/ldb_modules/objectclass_attrs.c |3 +- source4/scripting/python/samba/netcmd/dbcheck.py | 144 3 files changed, 143 insertions(+), 35 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c index 3e2004d..9a70d9a 100644 --- a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c +++ b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c @@ -103,6 +103,18 @@ static int extended_base_callback(struct ldb_request *req, struct ldb_reply *are switch (ares-type) { case LDB_REPLY_ENTRY: + if (ac-basedn) { + /* we have more than one match! This can + happen as S-1-5-17 appears twice in a + normal provision. We need to return + NO_SUCH_OBJECT */ + const char *str = talloc_asprintf(req, Duplicate base-DN matches found for '%s', + ldb_dn_get_extended_linearized(req, ac-req-op.search.base, 1)); + ldb_set_errstring(ldb_module_get_ctx(ac-module), str); + return ldb_module_done(ac-req, NULL, NULL, + LDB_ERR_NO_SUCH_OBJECT); + } + if (!ac-wellknown_object) { ac-basedn = talloc_steal(ac, ares-message-dn); break; @@ -303,30 +315,33 @@ static int extended_dn_in_fix(struct ldb_module *module, struct ldb_request *req guid_val = ldb_dn_get_extended_component(dn, GUID); wkguid_val = ldb_dn_get_extended_component(dn, WKGUID); - if (sid_val) { + /* + prioritise the GUID - we have had instances of + duplicate SIDs in the database in the + ForeignSecurityPrinciples due to provision errors +*/ + if (guid_val) { all_partitions = true; base_dn = ldb_get_default_basedn(ldb_module_get_ctx(module)); - base_dn_filter = talloc_asprintf(req, (objectSid=%s), -ldb_binary_encode(req, *sid_val)); + base_dn_filter = talloc_asprintf(req, (objectGUID=%s), +
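Review bot: in the @@ -103 hunk the duplicate-match branch returns through ldb_module_done() without freeing `ares`; the callback owns `ares`, and the surviving `break` path presumably frees it after the switch, so either talloc_free(ares) before the early return or confirm the existing cleanup still covers it. Mapping two matches to LDB_ERR_NO_SUCH_OBJECT is deliberate per the commit message, but it hides an integrity problem behind 'not found', so a DEBUG line carrying the extended DN next to the ldb_set_errstring() call would help whoever has to debug the S-1-5-17 case later.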
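Review bot: the @@ -303 hunk switches the base-DN lookup to GUID first, but the truncation cuts it right at the `(objectGUID=%s)` format; make sure the GUID value goes through ldb_binary_encode() the way the removed `(objectSid=%s)` line did, because a raw 16-byte GUID can contain bytes that are special in an LDAP filter. Nit: 'ForeignSecurityPrinciples' in the new comment should read 'ForeignSecurityPrincipals'.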
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d4c30a5 Update eDirectory schema from a353b49 s4-dsdb: bypass validation when relax set http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d4c30a5ffbeab75506bf1ad5d8d5da48e3f4d41c Author: Jim McDonough j...@samba.org Date: Wed Jun 22 07:36:20 2011 -0400 Update eDirectory schema Autobuild-User: Jim McDonough j...@samba.org Autobuild-Date: Wed Jun 22 14:48:09 CEST 2011 on sn-devel-104 --- Summary of changes: examples/LDAP/samba-nds.schema | 69 +++ 1 files changed, 20 insertions(+), 49 deletions(-) Changeset truncated at 500 lines: diff --git a/examples/LDAP/samba-nds.schema b/examples/LDAP/samba-nds.schema index 0b3cf66..369670b 100644 --- a/examples/LDAP/samba-nds.schema +++ b/examples/LDAP/samba-nds.schema @@ -35,7 +35,7 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'MD4 hash dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE ) ## ## Password timestamps policies @@ -128,7 +128,7 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC 'Base64 en dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Concatenated MD4 hashes of the unicode passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1024} ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1024} ) ## ## SID, of any type 
@@ -137,7 +137,7 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' DESC 'Conc dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) ## ## Primary group SID, compatible with ntSid 
@@ -287,47 +287,13 @@ attributeTypes: ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange' DES dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.70 NAME 'sambaTrustType' DESC 'Type of trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPassword' DESC 'Clear text password (used for trusted domain passwords)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) dn: cn=schema changetype: modify add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.71 NAME 'sambaTrustAttributes' DESC 'Trust attributes for a trusted domain' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) - -dn: cn=schema -changetype: modify -add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.72 NAME 'sambaTrustDirection' DESC 'Direction of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) - -dn: cn=schema -changetype: modify -add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.73 NAME 'sambaTrustPartner' DESC 'Fully qualified name of the domain with which a trust exists' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) - -dn: cn=schema -changetype: modify -add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.74 NAME 'sambaFlatName' DESC 'NetBIOS name of a domain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) - -dn: cn=schema -changetype: modify -add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.75 NAME 'sambaTrustAuthOutgoing' DESC 'Authentication information for the outgoing portion of a trust' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) - -dn: cn=schema -changetype: modify -add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.76 NAME 'sambaTrustAuthIncoming' DESC 'Authentication information for the incoming portion of a trust' EQUALITY caseExactMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15{1050} ) - -dn: cn=schema -changetype: modify -add: attributetypes -attributeTypes: ( 1.3.6.1.4.1.7165.2.1.77 NAME 'sambaSecurityIdentifier' DESC 'SID of a trusted
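Review bot: in the @@ -35 hunk sambaAcctFlags loses its SUBSTR rule altogether; if substring matching is still wanted, the rule that pairs with the IA5 syntax 1.3.6.1.4.1.1466.115.121.1.26 is caseIgnoreIA5SubstringsMatch, whereas the removed line combined an IA5 EQUALITY rule with the non-IA5 caseIgnoreSubstringsMatch. Dropping it is fine, but a short comment saying why (eDirectory compatibility, presumably) would explain the change to the next reader.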
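Review bot: after the @@ -137 hunk sambaSID has EQUALITY caseIgnoreIA5Match but SUBSTR caseExactIA5SubstringsMatch, so an equality search on a SID string is case-insensitive while a substring search on the same attribute is case-sensitive; use caseIgnoreIA5SubstringsMatch to match the EQUALITY rule, or add a comment if eDirectory lacks that rule and the mismatch is intentional.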
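Review bot: the @@ -287 hunk replaces the sambaTrustType definition with sambaClearTextPassword and deletes the rest of the trust attributes (sambaTrustAttributes, sambaTrustDirection, sambaTrustPartner, sambaFlatName, sambaTrustAuthOutgoing, sambaTrustAuthIncoming and, where the truncation cuts off, sambaSecurityIdentifier), but the commit message 'Update eDirectory schema' gives no rationale; please say whether trust support is intentionally being removed from the eDirectory schema. Since sambaClearTextPassword stores a plaintext trust password (octetString syntax, no SINGLE-VALUE), the schema should also carry a comment reminding administrators to restrict read access to it, as they must for sambaNTPassword.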
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5a8ac84 s4:ntvfs/cifs: add option to use S4U2Proxy via 033f337 s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs via b9e095f s4:auth/kerberos: add S4U2Proxy support to kerberos_kinit_password_cc() from d4c30a5 Update eDirectory schema http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5a8ac842701b65c0abd9731545792c2a0fd2aa79 Author: Stefan Metzmacher me...@samba.org Date: Fri Mar 11 08:32:22 2011 +0100 s4:ntvfs/cifs: add option to use S4U2Proxy Note: this doesn't work against a Samba4 KDC yet. metze Autobuild-User: Stefan Metzmacher me...@samba.org Autobuild-Date: Wed Jun 22 18:17:43 CEST 2011 on sn-devel-104 commit 033f3376a834c1078b377647069b7e30aef59667 Author: Stefan Metzmacher me...@samba.org Date: Tue Jun 21 11:05:15 2011 +0200 s4:auth/kerberos: protect kerberos_kinit_password_cc() against old KDCs If the KDC does not support S4U2Proxy, it might return a ticket for the TGT client principal. metze commit b9e095fdfb684005f9bb5c1d943b2a0705308500 Author: Stefan Metzmacher me...@samba.org Date: Mon Jun 20 20:28:44 2011 +0200 s4:auth/kerberos: add S4U2Proxy support to kerberos_kinit_password_cc() For S4U2Proxy we need to use the ticket from the S4U2Self stage and ask the kdc for the delegated ticket for the target service. metze --- Summary of changes: source4/auth/kerberos/kerberos.c | 181 - source4/auth/kerberos/kerberos.h |4 +- source4/auth/kerberos/kerberos_util.c |1 + source4/ntvfs/cifs/vfs_cifs.c | 49 + 4 files changed, 230 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/auth/kerberos/kerberos.c b/source4/auth/kerberos/kerberos.c index fa8c64b..0fc9d14 100644 --- a/source4/auth/kerberos/kerberos.c +++ b/source4/auth/kerberos/kerberos.c 
@@ -81,13 +81,16 @@ The impersonate_principal is the principal if NULL, or the principal to impersonate - The target_service defaults to the krbtgt if NULL, but could be kpasswd/realm or the local service (if we are doing s4u2self) + The self_service, should be the local service (for S4U2Self if impersonate_principal is given). + + The target_service defaults to the krbtgt if NULL, but could be kpasswd/realm or a remote service (for S4U2Proxy) */ krb5_error_code kerberos_kinit_password_cc(krb5_context ctx, krb5_ccache store_cc, krb5_principal init_principal, const char *init_password, krb5_principal impersonate_principal, + const char *self_service, const char *target_service, krb5_get_init_creds_opt *krb_options, time_t *expire_time, time_t *kdc_time) @@ -96,12 +99,21 @@ krb5_get_creds_opt options; krb5_principal store_principal; krb5_creds store_creds; - const char *self_service = target_service; krb5_creds *s4u2self_creds; + Ticket s4u2self_ticket; + size_t s4u2self_ticketlen; + krb5_creds *s4u2proxy_creds; krb5_principal self_princ; + bool s4u2proxy; + krb5_principal target_princ; krb5_ccache tmp_cc; const char *self_realm; krb5_principal blacklist_principal = NULL; + krb5_principal whitelist_principal = NULL; + + if (impersonate_principal self_service == NULL) { + return EINVAL; + } /* * If we are not impersonating, then get this ticket for the @@ -168,6 +180,18 @@ krb5_free_cred_contents(ctx, store_creds); /* +* Check if we also need S4U2Proxy or if S4U2Self is +* enough in order to get a ticket for the target. +*/ + if (target_service == NULL) { + s4u2proxy = false; + } else if (strcmp(target_service, self_service) == 0) { + s4u2proxy = false; + } else { + s4u2proxy = true; + } + + /* * For S4U2Self we need our own service principal, * which belongs to our own realm (available on * our client principal). 
@@ -197,6 +221,14 @@ return code; } + if (s4u2proxy) { + /* +* If we want S4U2Proxy, we need the forwardable flag +* on the S4U2Self ticket. +*/ + krb5_get_creds_opt_set_options(ctx, options, KRB5_GC_FORWARDABLE); + } + code = krb5_get_creds_opt_set_impersonate(ctx,
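Review bot: the @@ -81 hunk inserts `self_service` between `impersonate_principal` and `target_service`, so every caller of kerberos_kinit_password_cc() has to change; the summary lists only kerberos_util.c (+1) and vfs_cifs.c, please confirm there are no other callers. The new comment should also say that `self_service` is ignored when `impersonate_principal` is NULL, and 'The self_service, should be' has a stray comma.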
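Review bot: the @@ -96 hunk rejects `impersonate_principal` without `self_service` with EINVAL before anything is allocated, good. `whitelist_principal` is initialised to NULL like `blacklist_principal`, but the other new locals (`s4u2self_ticket`, `s4u2self_ticketlen`, `s4u2proxy_creds`, `target_princ`) are not, so the shared cleanup at the end of the function must free only what was actually set.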
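Review bot: in the @@ -168 hunk `s4u2proxy` comes from strcmp(target_service, self_service), and `self_service` is only guaranteed non-NULL when `impersonate_principal` is set; confirm that the non-impersonating path ('If we are not impersonating, then get this ticket for the target service') has already returned by this point, otherwise a NULL `self_service` reaches strcmp().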
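Review bot: in the @@ -197 hunk KRB5_GC_FORWARDABLE is requested only when `s4u2proxy` is true, so a plain S4U2Self result is not made forwardable needlessly; good. The old-KDC protection from commit 033f337 lies in the truncated part, so a reminder: the client principal of both the S4U2Self and the S4U2Proxy result must be checked against `whitelist_principal`/`blacklist_principal`, because a KDC that ignores the impersonation request hands back a ticket for the TGT client (the machine account), the privilege mix-up commit 9c56303 warns about.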
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ae6a7f9 s4:winbind/wb_init_domain: use DCERPC_SCHANNEL_128 in order to work against w2k8r2 from 5a8ac84 s4:ntvfs/cifs: add option to use S4U2Proxy http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit ae6a7f945f8a48a2b4b2c6cc43a0efee4f134a8b Author: Stefan Metzmacher me...@samba.org Date: Wed Jun 22 18:25:30 2011 +0200 s4:winbind/wb_init_domain: use DCERPC_SCHANNEL_128 in order to work against w2k8r2 metze Autobuild-User: Stefan Metzmacher me...@samba.org Autobuild-Date: Wed Jun 22 19:40:47 CEST 2011 on sn-devel-104 --- Summary of changes: source4/winbind/wb_init_domain.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/winbind/wb_init_domain.c b/source4/winbind/wb_init_domain.c index 50a6af0..9847afb 100644 --- a/source4/winbind/wb_init_domain.c +++ b/source4/winbind/wb_init_domain.c @@ -154,7 +154,7 @@ struct composite_context *wb_init_domain_send(TALLOC_CTX *mem_ctx, (lpcfg_server_role(service-task-lp_ctx) == ROLE_DOMAIN_CONTROLLER)) (dom_sid_equal(state-domain-info-sid, state-service-primary_sid))) { - state-domain-netlogon_binding-flags |= DCERPC_SCHANNEL; + state-domain-netlogon_binding-flags |= DCERPC_SCHANNEL | DCERPC_SCHANNEL_128; /* For debugging, it can be a real pain if all the traffic is encrypted */ if (lpcfg_winbind_sealed_pipes(service-task-lp_ctx)) { -- Samba Shared Repository
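Review bot: OR-ing DCERPC_SCHANNEL_128 into the netlogon binding flags is now unconditional for the DC-talking-to-its-own-domain case; a 128-bit session key is the right default against w2k8r2, but unlike the sealing decision a few lines below (guarded by lpcfg_winbind_sealed_pipes()) it cannot be turned off for a DC that does not negotiate strong keys. Either drive it from configuration like the sealing flag or state in the commit message that such DCs are intentionally unsupported.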
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via a9e4592 s4-dbcheck: fix uninitialized errstr in err_dn_target_mismatch via ef7940f s4-dbcheck: remove unused include via 4d51ddb s4-schema: avoid segfaulting if id3.guid is NULL via 249fbd8 s4-samba_dnsupdate: set environment via the env parameter via c2dfaa2 s4-upgradeprovision: Don't forget to populate the non replicated objects, and don't touch rIDPreviousAllocationPool via 2f4251c dbchecker: cope with a broken link to Deleted Objects via 4fe9ebc dbchecker: fixed argument error for -H and DN via 6b939f4 dbchecker: when fixing a bad GUID in a DN, search by the string DN via 9676c26 samba-tool: added --attrs option to dbcheck via 7fff636 samba-tool: make the dbcheck class available outside of samba-tool via 9be9f0e samba-tool: added --quiet option to dbcheck from ae6a7f9 s4:winbind/wb_init_domain: use DCERPC_SCHANNEL_128 in order to work against w2k8r2 http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a9e45923369e3171cb7f42284f52ce3c4c8b0a4b Author: Matthieu Patou m...@matws.net Date: Wed Jun 22 21:28:25 2011 +0400 s4-dbcheck: fix uninitialized errstr in err_dn_target_mismatch Autobuild-User: Matthieu Patou m...@samba.org Autobuild-Date: Wed Jun 22 21:22:27 CEST 2011 on sn-devel-104 commit ef7940f7be7de238a693cfba649faf8b67b7da3a Author: Matthieu Patou m...@matws.net Date: Wed Jun 22 21:28:00 2011 +0400 s4-dbcheck: remove unused include commit 4d51ddbb5c9e4465887d9fcd2c10de3f46c6a12a Author: Matthieu Patou m...@matws.net Date: Wed Jun 22 20:54:37 2011 +0400 s4-schema: avoid segfaulting if id3.guid is NULL commit 249fbd8a334b4d19f9148e07449fec3f26b8267d Author: Matthieu Patou m...@matws.net Date: Tue Jun 21 13:39:28 2011 +0400 s4-samba_dnsupdate: set environment via the env parameter I faced a situation where the os.environ(KRB5CCNAME) = ... 
didn't seem to be effective commit c2dfaa2580918cf31069c1063ff07a819ca0554a Author: Matthieu Patou m...@matws.net Date: Tue Jun 21 13:37:26 2011 +0400 s4-upgradeprovision: Don't forget to populate the non replicated objects, and don't touch rIDPreviousAllocationPool commit 2f4251c389f5fa92bfba10739677a760f0bdf198 Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 22:06:18 2011 +1000 dbchecker: cope with a broken link to Deleted Objects if a DN link to Deleted Objects has a bad GUID, we need to use show_deleted commit 4fe9ebc2e3e09befe8d7a2ce577336eefd9b9694 Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 21:22:39 2011 +1000 dbchecker: fixed argument error for -H and DN commit 6b939f4a9c19cd868ac1b6d77cc26662e2726e8c Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 20:53:44 2011 +1000 dbchecker: when fixing a bad GUID in a DN, search by the string DN commit 9676c26fdd7ca53405abd06f58ae40d39d818e4d Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 20:44:35 2011 +1000 samba-tool: added --attrs option to dbcheck this allows checking of a specific list of attributes commit 7fff636bce2576a63170bf3cc555eb85b8fefd67 Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 20:01:58 2011 +1000 samba-tool: make the dbcheck class available outside of samba-tool this will be used in provision, and probably in upgradeprovision as well commit 9be9f0e43c9312094a42efa236791dfcd95dc9f9 Author: Andrew Tridgell tri...@samba.org Date: Wed Jun 22 19:32:45 2011 +1000 samba-tool: added --quiet option to dbcheck this will be used to allow for other tools (such as provision) to call into dbcheck without generating a lot of noise --- Summary of changes: source4/dsdb/schema/schema_syntax.c|3 +- source4/scripting/bin/samba_dnsupdate |2 +- source4/scripting/bin/upgradeprovision |6 +- .../samba/{netcmd/dbcheck.py = dbchecker.py} | 182 +--- source4/scripting/python/samba/netcmd/dbcheck.py | 307 ++-- 5 files changed, 102 insertions(+), 398 deletions(-) copy 
source4/scripting/python/samba/{netcmd/dbcheck.py = dbchecker.py} (61%) Changeset truncated at 500 lines: diff --git a/source4/dsdb/schema/schema_syntax.c b/source4/dsdb/schema/schema_syntax.c index f542f67..a93cdfa 100644 --- a/source4/dsdb/schema/schema_syntax.c +++ b/source4/dsdb/schema/schema_syntax.c @@ -1995,10 +1995,9 @@ static WERROR dsdb_syntax_DN_BINARY_drsuapi_to_ldb(const struct dsdb_syntax_ctx talloc_free(tmp_ctx); return WERR_FOOBAR; } + talloc_free(guid_blob.data); } - talloc_free(guid_blob.data); -
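Review bot: moving talloc_free(guid_blob.data) inside the block where the GUID blob is filled in is the right fix for the segfault described in 4d51ddb (guid_blob is only valid inside that block), but the error branch just above it, `talloc_free(tmp_ctx); return WERR_FOOBAR;`, still returns without freeing guid_blob.data unless it was allocated on tmp_ctx; either allocate it there or free it on that path as well. The other four files in this push, including the netcmd/dbcheck.py to dbchecker.py split, fall beyond the 500-line truncation and are not reviewed here.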
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 4f7f143 dfsreferral: search client's site and use it from a9e4592 s4-dbcheck: fix uninitialized errstr in err_dn_target_mismatch http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4f7f1430268f0ab5447fe189da6435bdd8e0614e Author: Matthieu Patou m...@matws.net Date: Thu Jun 23 02:35:50 2011 +0400 dfsreferral: search client's site and use it Autobuild-User: Matthieu Patou m...@samba.org Autobuild-Date: Thu Jun 23 01:50:39 CEST 2011 on sn-devel-104 --- Summary of changes: source4/smb_server/smb/trans2.c |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/smb_server/smb/trans2.c b/source4/smb_server/smb/trans2.c index b3aa690..72babd5 100644 --- a/source4/smb_server/smb/trans2.c +++ b/source4/smb_server/smb/trans2.c @@ -1107,7 +1107,7 @@ static NTSTATUS get_dcs(TALLOC_CTX *ctx, struct ldb_context *ldb, } talloc_free(r); - if (searched_site != NULL) { + if (searched_site != NULL searched_site[0] != '\0') { ret = ldb_search(ldb, subctx, r, configdn, LDB_SCOPE_SUBTREE, attrs_none, ((name=%s)(objectClass=site)), searched_site); if (ret != LDB_SUCCESS) { @@ -1461,7 +1461,7 @@ static NTSTATUS dodc_or_sysvol_referral(TALLOC_CTX *ctx, client_addr = tsocket_address_inet_addr_string(remote_address, context); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(client_addr, context); } - + site_name = samdb_client_site_name(ldb, context, client_addr, NULL); status = get_dcs(context, ldb, site_name, need_fqdn, set, 0); if (!NT_STATUS_IS_OK(status)) { DEBUG(3,(Unable to get list of DCs\n)); -- Samba Shared Repository
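Review bot: the @@ -1107 hunk now skips the site lookup when `searched_site` is the empty string, which avoids an ldb_search for a site named ''; the filter on the next line, however, still interpolates `searched_site` with %s and no escaping. The value comes from the directory through samdb_client_site_name(), so it is not attacker-controlled today, but passing it through ldb_binary_encode_string() costs nothing and keeps a site name containing '(', ')' or '*' from altering the filter.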
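Review bot: the @@ -1461 hunk is whitespace-only (a blank line with trailing spaces becomes a clean blank line); harmless, but it is unrelated to the site lookup fix and will show up in `git blame` for dodc_or_sysvol_referral(), so it is better dropped or mentioned in the commit message.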