The story so far goes like this:
Without the line
idmap backend = ad:ldap://PDC's FQDN/ in smb.conf,
I can successfully do all of:
# wbinfo -S $(wbinfo -n some_user | awk '{print
$1}')
# getent passwd | grep some_user
# net ads search '(objectCategory=user)' \
sAMAccountName
It's probably worth noting that for users who are
adding idmap_ad over an existing winbind setup, the
old mapping has to be deleted as above.
Thanks, I'll put this in the README for the next version.
regards,
-- Luke
--
--
To unsubscribe from this list go to the following URL and read the
(struct auth_context *auth_context, const char *param, auth_methods
**auth_method);
int auth_paula_init(void)
{
return smb_register_auth(paula, auth_init, AUTH_INTERFACE_VERSION);
}
cheers,
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
that complicated. It is not difficult to enumerate the
supported encryption types. Moreover, there's no requirement that SAMBA use
the same keytab as other applications, or that keytab support completely
replace the secret store.
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
it is.
In that case, perhaps it *is* better just to provide a get/set command line
tool for the secret store rather than trying to hook the keytab into SAMBA
per se.
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
would this be a problem? (I mean, I can understand it would be
a problem if it happened while SAMBA was running, but keytabs tend to be
fairly static...)
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
Will this break compatability with auth plugins?
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
Will the migration to the new format be difficult and/or documented?
-- Luke
From: Jelmer Vernooij [EMAIL PROTECTED]
Subject: Re: The new modules system
To: Luke Howard [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Date: Thu, 20 Mar 2003 13:12:39 +0100
On Thu, Mar 20, 2003 at 10:45:04PM +1100, Luke
Ah, and another point: This is certainly not race-free. But
that is difficult to do with LDAP.
This is true.
In our code we ended up implementing lazy set accessors that
took both a snapshot of the entry and a set of changes as
inputs.
-- Luke
--
Luke Howard | PADL Software Pty Ltd
platform, and is thus unlikely to disappear overnight. Many large
organisations have deployed this schema (they are our customers).
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
aggressively.
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
I hadn't realized that an SID is actually 256 bits and we at
best only have 32 bits to work with I I was only thinking
about the RIDs).
A SID is variable length, really.
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
in release
branches.
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
What is it that limit samba to root ? When I use samba with afs beeing root
will certenly not help samba access files, what else do samba need.
SAMBA does need to bind to privileged ports.
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
you the revised patch. :-)
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
)
+ ENCTYPE_ARCFOUR_HMAC_MD5,
#endif
ENCTYPE_DES_CBC_MD5,
ENCTYPE_NULL};
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
patch later today...
cheers,
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
--- libads/kerberos_verify.c19 Feb 2003 01:16:40 - 1.6
+++ libads/kerberos_verify.c24 Feb 2003 06:04:26 -
@@ -3,7 +3,7 @@
kerberos utility library
Copyright (C) Andrew Tridgell 2001
Copyright (C) Remus Koos 2001
-
+ Copyright (C) Luke Howard 2003
kerberos utility library
Copyright (C) Andrew Tridgell 2001
Copyright (C) Remus Koos 2001
-
+ Copyright (C) Luke Howard 2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
-29,14
,w3svc,iisadmin
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
like this should work:
Interesting. According to Microsoft documentation, the servicePrincipalName
can never be modified over LDAP, only over RPC.
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
On Tue, 4 Feb 2003, Luke Howard wrote:
I created it with OpenLDAP's ldapmodify after I joined the machine to the
domain. An LDIF like this should work:
Interesting. According to Microsoft documentation, the servicePrincipalName
can never be modified over LDAP, only over RPC.
Well, what can
Also, if you are going to support specific enctypes, note that Heimdal
defines ENCTYPE_ARCFOUR_HMAC_MD5 rather than ENCTYPE_ARCFOUR_HMAC.
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
-
@@ -3,7 +3,7 @@
kerberos utility library
Copyright (C) Andrew Tridgell 2001
Copyright (C) Remus Koos 2001
-
+ Copyright (C) Luke Howard 2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License
) Remus Koos 2001
-
+ Copyright (C) Luke Howard 2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -29,15 +29,14 @@
authorization_data if available
*/
NTSTATUS ads_verify_ticket
and with the Linux server set up to understand Kerberos
credentials. The question here would be if the smbfs client side would
understand the kerberos credentials of the user?
I think you could do this using delegation.
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
and delegation.
-- Luke
From: Steve Langasek [EMAIL PROTECTED]
Subject: Re: More Kerberos-related questions
To: Andrew Bartlett [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], Luke Howard [EMAIL PROTECTED],
[EMAIL PROTECTED]
Date: Wed, 8 Jan 2003 16:08:06 -0600
On Thu, Jan 09, 2003 at 09:03:03AM +1100, Andrew
By default, Kerberos is used for SMB authentication only.
I thought I had seen some of the new Windows 2000 DCERPC pipes (FRS
for example) use Kerberos encryption.
Yes (and LDAP too). I meant to refer only to SMB, though.
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
form part of the TCB.
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
,
it is important to note that they are logically distinct from raw
DCE RPC over domain sockets (ncalrpc).
Non-named pipe clients must make a DCE RPC BIND or ALTER_CONTEXT in order
to authenticate themselves to the RPC server.
cheers,
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
The RPC server listens on ncacn_ip_tcp, ncacn_ip_udp, ncalrpc and
Should be ncadg_ip_udp. Whoops.
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
attribute to determine the trusted domain name, as
cn is _just_ a naming attribute.
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
I would like to add support for dynamic loading of named pipe
providers in rpc_server/srv_pipe_hnd.c.
- Is anyone else working on this?
- Would such a patch be accepted?
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
pipe client looks exactly
the same as a client that has authenticated using NTLMSSP, SPNEGO or
Kerberos.
Code is at http://www.padl.com/~lukeh/XAD/dce_funnel.tar.gz.
cheers,
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
Copyright (C) Luke Howard 2002
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version
it with #defines but it would be nice not to.
regards,
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
.??) it should work.
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
in Active Directory is patented
by Microsoft. This is only useful in a multi-master
directory, though.
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
for forwarding NTLM credentials via a temporary
file.
Thanks to the SAMBA team for making the named pipe API easy to extend!
Luke Howard [EMAIL PROTECTED]
PADL Software Pty Ltd
August 26, 2002
dce_funnel.tar.gz
Description: Binary data
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
...
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
implementation include this field,
though, except on the NegTokenTarg in which case it includes a
copy of the responseToken.
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
http://www.samba.org
--http://www.plainjoe.org
SAMS Teach Yourself Samba in 24 Hours 2ed. ISBN 0-672-32269-2
--I never saved anything for the swim back. Ethan Hawk in Gattaca--
--
Luke Howard | PADL Software Pty Ltd
, or was it just
tweaking compile-time options?
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
to these,
win2k clients send more variations...it could very easily get out of hand.
Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074
USA
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Phone: (207) 885-5565
IBM tie-line: 776-9984
--
Luke
the
OSF DCE runtime (actually, FreeDCE), which is BSD-licensed.
We are doing a similar thing, except in reverse, so that SAMBA can act as
a named pipe front-end to our proprietary DCE RPC services. More
information is at http://www.padl.com/Research/XAD.html.
-- Luke
--
Luke Howard | PADL Software
string API.
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
it.
Isn't that just analagous to presenting different negotiation flags,
assuming the IDL code on NT ignores the trailing data?
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
0x0007bfff from Win2K.
regards,
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
.spinnakernet.com
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
are ostensibly irrelevant, because the client
sends the authenticator before it receives the flags from the
server.
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
turn SignOrSeal
back on and get some traces myself :-)
cheers,
-- Luke
--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
of view, there are other interoperability
hurdles that we need to resolve before we look at finishing our
implementation of this (which doesn't use SAMBA anyway, so it's probably
off-topic here).
regards,
-- Luke
--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
channel is negotiated over SPNEGO?
I haven't seen that before, I'd like to know what OID they use.
-- Luke
--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
the algo ?
The return code always follows the last top-level [out] value, but there
is an additional [out] ULONG in NetrServerAuthenticate3.
The algorithm for calculating credentials is the same.
-- Luke
--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
header of
0x77 0x00 0x7a 0x00 0xff 0xff 0x00 0x00
-- Luke
--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
What is returned in the bind response?
An array of 8 nonce bytes if memory serves well.
Hmm, maybe that is used to generate a subkey so the credential chain
session key is not over-used.
-- Luke
--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
.
-- Luke
--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
(KRB_AP_REQ, KRB_AP_REP or KRB_ERROR), preceded by a 2-byte TOK_ID
field containing 01 00 for KRB_AP_REQ messages, 02 00 for KRB_AP_REP
messages and 03 00 for KRB_ERROR messages.
--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
.
cheers,
-- Luke
--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
the interoperability of the OSF DCE runtime, it's real
nice to be able to have all the marshalling and unmarshalling taken care of
by an IDL compiler, be able to support RPC directly over IP (as required
by Windos 2000) and yet still have SAMBA funnel over named pipe RPCs. :-)
-- Luke
--
Luke Howard
Oh, and the aforementioned funnel still relies on SAMBA's internal mapping
of pipe names to UUIDs. It's a start, though...
-- Luke
--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
. The next is the real Kerberos OID. Not
sure about the one afther that. The final one is NTLMSSP.
-- Luke
--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
).
But I'm not sure whether anyone has actually seen this RPC. OTOH while we
know the layout of the structures passed to and from 0x1D, the contents are
not yet clear.
Time to get a new trace with signseal disabled.
Yes, please send one if you have it.
cheers,
-- Luke
--
Luke Howard
.
-- Luke
--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
Scarborough, ME 04074
USA
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Phone: (207) 885-5565
IBM tie-line: 776-9984
--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
65 matches
Mail list logo
