svn commit: samba r8901 - in branches/SAMBA_4_0/source/utils: .

2005-08-01 Thread abartlet
Author: abartlet
Date: 2005-08-01 22:04:25 + (Mon, 01 Aug 2005)
New Revision: 8901

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=8901

Log:
Fix ntlm_auth segfault (invalid free()).  We have moved to talloc
here.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/utils/ntlm_auth.c


Changeset:
Modified: branches/SAMBA_4_0/source/utils/ntlm_auth.c
===
--- branches/SAMBA_4_0/source/utils/ntlm_auth.c 2005-08-01 21:04:24 UTC (rev 
8900)
+++ branches/SAMBA_4_0/source/utils/ntlm_auth.c 2005-08-01 22:04:25 UTC (rev 
8901)
@@ -300,6 +300,8 @@
BOOL first = False;
const char *reply_code;
struct cli_credentials *creds;
+
+   TALLOC_CTX *mem_ctx;

if (strlen(buf) < 2) {
DEBUG(1, ("query [%s] invalid", buf));
@@ -413,6 +415,9 @@
return;
}
 
+   /* update */
+   mem_ctx = talloc_named(NULL, 0, "manage_gensec_request internal 
mem_ctx");
+   
if (strncmp(buf, "UG", 2) == 0) {
int i;
char *grouplist = NULL;
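Review bot: The result of `talloc_named()` on the added `mem_ctx = ...` line is never checked, and from this point on every exit has to release the context. This diff adds `talloc_free(mem_ctx)` to the return in the "UG" branch and to the end of the function. Any other `return` between here and the end of manage_gensec_request is not visible in these hunks and would leak the context once per request in a long-running helper. Checking `if (!mem_ctx)` right after the allocation and routing all later exits through one cleanup label would make this easy to audit. The function starts and ends outside the hunk.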
@@ -426,7 +431,7 @@
}

/* get the string onto the context */
-   grouplist = talloc_strdup(session_info, "");
+   grouplist = talloc_strdup(mem_ctx, "");

for (i=0; isecurity_token->num_sids; i++) {
struct security_token *token = 
session_info->security_token; 
@@ -438,21 +443,21 @@
mux_printf(mux_id, "GL %s\n", grouplist);
talloc_free(session_info);
data_blob_free(&in);
+   talloc_free(mem_ctx);
return;
}
 
-   /* update */
-
-   nt_status = gensec_update(*gensec_state, NULL, in, &out);
+   nt_status = gensec_update(*gensec_state, mem_ctx, in, &out);

/* don't leak 'bad password'/'no such user' info to the network client 
*/
nt_status = auth_nt_status_squash(nt_status);
 
if (out.length) {
-   out_base64 = base64_encode_data_blob(NULL, out);
+   out_base64 = base64_encode_data_blob(mem_ctx, out);
} else {
out_base64 = NULL;
}
+
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
reply_arg = "*";
if (first) {
@@ -517,7 +522,7 @@
}
}
 
-   SAFE_FREE(out_base64);
+   talloc_free(mem_ctx);
return;
 }
 



svn commit: samba r8912 - in branches/SAMBA_3_0/source/smbd: .

2005-08-01 Thread abartlet
Author: abartlet
Date: 2005-08-02 06:36:42 + (Tue, 02 Aug 2005)
New Revision: 8912

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=8912

Log:
Samba 3.0 was failing from a Vista client, because it was using 'raw'
NTLMSSP (not wrapped in SPNEGO).  We really should have supported this
anyway, but we got away with it for a while...

Andrew Bartlett

Modified:
   branches/SAMBA_3_0/source/smbd/sesssetup.c


Changeset:
Modified: branches/SAMBA_3_0/source/smbd/sesssetup.c
===
--- branches/SAMBA_3_0/source/smbd/sesssetup.c  2005-08-02 06:24:45 UTC (rev 
8911)
+++ branches/SAMBA_3_0/source/smbd/sesssetup.c  2005-08-02 06:36:42 UTC (rev 
8912)
@@ -353,7 +353,8 @@
 static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *inbuf, char 
*outbuf,
 uint16 vuid,
 AUTH_NTLMSSP_STATE **auth_ntlmssp_state,
-DATA_BLOB *ntlmssp_blob, NTSTATUS nt_status) 
+DATA_BLOB *ntlmssp_blob, NTSTATUS nt_status, 
+BOOL wrap) 
 {
BOOL ret;
DATA_BLOB response;
@@ -406,9 +407,16 @@
}
}
 
-response = spnego_gen_auth_response(ntlmssp_blob, nt_status, 
OID_NTLMSSP);
+   if (wrap) {
+   response = spnego_gen_auth_response(ntlmssp_blob, nt_status, 
OID_NTLMSSP);
+   } else {
+   response = *ntlmssp_blob;
+   }
+
ret = reply_sesssetup_blob(conn, outbuf, response, nt_status);
-   data_blob_free(&response);
+   if (wrap) {
+   data_blob_free(&response);
+   }
 
/* NT_STATUS_MORE_PROCESSING_REQUIRED from our NTLMSSP code tells us,
   and the other end, that we are not finished yet. */
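Review bot: In the `else` branch, `response = *ntlmssp_blob;` makes `response` a shallow copy that shares the caller's buffer, which is why the free below has to be conditional, and a later edit could easily break that ownership rule. A comment on the assignment such as `/* raw NTLMSSP: response aliases the caller's blob, which the caller frees */` would record it. A line in the function header should also say that `wrap` selects SPNEGO wrapping versus sending the raw token. The same hunk is merged into trunk in r8915 below, and the function body continues outside this hunk.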
@@ -504,8 +512,8 @@
data_blob_free(&secblob);
 
reply_spnego_ntlmssp(conn, inbuf, outbuf, vuid, auth_ntlmssp_state,
-&chal, nt_status);
-   
+&chal, nt_status, True);
+
data_blob_free(&chal);
 
/* already replied */
@@ -550,7 +558,7 @@
 
reply_spnego_ntlmssp(conn, inbuf, outbuf, vuid, 
 auth_ntlmssp_state,
-&auth_reply, nt_status);
+&auth_reply, nt_status, True);

data_blob_free(&auth_reply);
 
@@ -652,6 +660,31 @@
return ret;
}
 
+   if (strncmp(blob1.data, "NTLMSSP", 7) == 0) {
+   DATA_BLOB chal;
+   NTSTATUS nt_status;
+   if (!vuser->auth_ntlmssp_state) {
+   nt_status = 
auth_ntlmssp_start(&vuser->auth_ntlmssp_state);
+   if (!NT_STATUS_IS_OK(nt_status)) {
+   /* Kill the intermediate vuid */
+   invalidate_vuid(vuid);
+   
+   return ERROR_NT(nt_status);
+   }
+   }
+
+   nt_status = auth_ntlmssp_update(vuser->auth_ntlmssp_state,
+   blob1, &chal);
+   
+   data_blob_free(&blob1);
+   
+   reply_spnego_ntlmssp(conn, inbuf, outbuf, vuid, 
+  &vuser->auth_ntlmssp_state,
+  &chal, nt_status, False);
+   data_blob_free(&blob1);
+   return -1;
+   }
+
/* what sort of packet is this? */
DEBUG(1,("Unknown packet in reply_sesssetup_and_X_spnego\n"));
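Review bot: The added `strncmp(blob1.data, "NTLMSSP", 7)` reads seven bytes from what is presumably the client-supplied security blob without checking `blob1.length`, so a shorter blob makes the comparison read past the data. Guard it with `if (blob1.length >= 7 && strncmp((const char *)blob1.data, "NTLMSSP", 7) == 0) {`. The failure path after `auth_ntlmssp_start()` returns without `data_blob_free(&blob1)`. `chal` is declared uninitialised and handed to reply_spnego_ntlmssp() whatever `auth_ntlmssp_update()` returned, so it should start as an empty blob. The same lines are merged into trunk in r8915 below, and the enclosing function starts and ends outside the hunk.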
 



svn commit: samba r8913 - in branches/SAMBA_3_0/source/smbd: .

2005-08-02 Thread abartlet
Author: abartlet
Date: 2005-08-02 07:07:43 + (Tue, 02 Aug 2005)
New Revision: 8913

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=8913

Log:
Fix memory leak in -r 8912: Free the right thing, rather than blob1 'twice'.

Andrew Bartlett

Modified:
   branches/SAMBA_3_0/source/smbd/sesssetup.c


Changeset:
Modified: branches/SAMBA_3_0/source/smbd/sesssetup.c
===
--- branches/SAMBA_3_0/source/smbd/sesssetup.c  2005-08-02 06:36:42 UTC (rev 
8912)
+++ branches/SAMBA_3_0/source/smbd/sesssetup.c  2005-08-02 07:07:43 UTC (rev 
8913)
@@ -681,7 +681,7 @@
reply_spnego_ntlmssp(conn, inbuf, outbuf, vuid, 
   &vuser->auth_ntlmssp_state,
   &chal, nt_status, False);
-   data_blob_free(&blob1);
+   data_blob_free(&chal);
return -1;
}
 



svn commit: samba r8915 - in trunk/source/smbd: .

2005-08-02 Thread abartlet
Author: abartlet
Date: 2005-08-02 07:11:41 + (Tue, 02 Aug 2005)
New Revision: 8915

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=8915

Log:
Merge 'raw' NTLMSSP support from 3.0 to trunk.

Andrew Bartlett

Modified:
   trunk/source/smbd/sesssetup.c


Changeset:
Modified: trunk/source/smbd/sesssetup.c
===
--- trunk/source/smbd/sesssetup.c   2005-08-02 07:08:04 UTC (rev 8914)
+++ trunk/source/smbd/sesssetup.c   2005-08-02 07:11:41 UTC (rev 8915)
@@ -353,7 +353,8 @@
 static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *inbuf, char 
*outbuf,
 uint16 vuid,
 AUTH_NTLMSSP_STATE **auth_ntlmssp_state,
-DATA_BLOB *ntlmssp_blob, NTSTATUS nt_status) 
+DATA_BLOB *ntlmssp_blob, NTSTATUS nt_status, 
+BOOL wrap) 
 {
BOOL ret;
DATA_BLOB response;
@@ -406,9 +407,16 @@
}
}
 
-response = spnego_gen_auth_response(ntlmssp_blob, nt_status, 
OID_NTLMSSP);
+   if (wrap) {
+   response = spnego_gen_auth_response(ntlmssp_blob, nt_status, 
OID_NTLMSSP);
+   } else {
+   response = *ntlmssp_blob;
+   }
+
ret = reply_sesssetup_blob(conn, outbuf, response, nt_status);
-   data_blob_free(&response);
+   if (wrap) {
+   data_blob_free(&response);
+   }
 
/* NT_STATUS_MORE_PROCESSING_REQUIRED from our NTLMSSP code tells us,
   and the other end, that we are not finished yet. */
@@ -504,8 +512,8 @@
data_blob_free(&secblob);
 
reply_spnego_ntlmssp(conn, inbuf, outbuf, vuid, auth_ntlmssp_state,
-&chal, nt_status);
-   
+&chal, nt_status, True);
+
data_blob_free(&chal);
 
/* already replied */
@@ -550,7 +558,7 @@
 
reply_spnego_ntlmssp(conn, inbuf, outbuf, vuid, 
 auth_ntlmssp_state,
-&auth_reply, nt_status);
+&auth_reply, nt_status, True);

data_blob_free(&auth_reply);
 
@@ -652,6 +660,31 @@
return ret;
}
 
+   if (strncmp(blob1.data, "NTLMSSP", 7) == 0) {
+   DATA_BLOB chal;
+   NTSTATUS nt_status;
+   if (!vuser->auth_ntlmssp_state) {
+   nt_status = 
auth_ntlmssp_start(&vuser->auth_ntlmssp_state);
+   if (!NT_STATUS_IS_OK(nt_status)) {
+   /* Kill the intermediate vuid */
+   invalidate_vuid(vuid);
+   
+   return ERROR_NT(nt_status);
+   }
+   }
+
+   nt_status = auth_ntlmssp_update(vuser->auth_ntlmssp_state,
+   blob1, &chal);
+   
+   data_blob_free(&blob1);
+   
+   reply_spnego_ntlmssp(conn, inbuf, outbuf, vuid, 
+  &vuser->auth_ntlmssp_state,
+  &chal, nt_status, False);
+   data_blob_free(&chal);
+   return -1;
+   }
+
/* what sort of packet is this? */
DEBUG(1,("Unknown packet in reply_sesssetup_and_X_spnego\n"));
 



svn commit: samba r8939 - in branches/SAMBA_4_0/source/torture/rpc: .

2005-08-02 Thread abartlet
Author: abartlet
Date: 2005-08-02 20:08:23 + (Tue, 02 Aug 2005)
New Revision: 8939

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=8939

Log:
Do an open domain in the schannel SAMR test.  This should test some of
the win2k3 SP1 interactions.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/torture/rpc/schannel.c


Changeset:
Modified: branches/SAMBA_4_0/source/torture/rpc/schannel.c
===
--- branches/SAMBA_4_0/source/torture/rpc/schannel.c2005-08-02 19:48:42 UTC 
(rev 8938)
+++ branches/SAMBA_4_0/source/torture/rpc/schannel.c2005-08-02 20:08:23 UTC 
(rev 8939)
@@ -34,12 +34,39 @@
 {
NTSTATUS status;
struct samr_GetDomPwInfo r;
+   struct samr_Connect connect;
+   struct samr_OpenDomain opendom;
int i;
struct lsa_String name;
+   struct policy_handle handle;
+   struct policy_handle domain_handle;
 
name.string = lp_workgroup();
r.in.domain_name = &name;
 
+   connect.in.system_name = 0;
+   connect.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+   connect.out.connect_handle = &handle;
+   
+   printf("Testing Connect and OpenDomain on BUILTIN\n");
+
+   status = dcerpc_samr_Connect(p, mem_ctx, &connect);
+   if (!NT_STATUS_IS_OK(status)) {
+   printf("Connect failed - %s\n", nt_errstr(status));
+   return False;
+   }
+
+   opendom.in.connect_handle = &handle;
+   opendom.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+   opendom.in.sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32");
+   opendom.out.domain_handle = &domain_handle;
+
+   status = dcerpc_samr_OpenDomain(p, mem_ctx, &opendom);
+   if (!NT_STATUS_IS_OK(status)) {
+   printf("OpenDomain failed - %s\n", nt_errstr(status));
+   return False;
+   }
+
printf("Testing GetDomPwInfo with name %s\n", r.in.domain_name->string);

/* do several ops to test credential chaining */
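Review bot: The result of `dom_sid_parse_talloc(mem_ctx, "S-1-5-32")` is stored in `opendom.in.sid` without a NULL check, so an allocation failure becomes a NULL SID in the request rather than a clean test failure. The local named `connect` also shadows the socket call of the same name and trips `-Wshadow`; a name such as `samr_connect` avoids that. Neither `handle` nor `domain_handle` is closed in the lines shown. The function continues past the end of the hunk, so confirm they are released there.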



svn commit: samba r8952 - in branches/SAMBA_4_0/source/libnet: .

2005-08-02 Thread abartlet
Author: abartlet
Date: 2005-08-02 21:21:43 + (Tue, 02 Aug 2005)
New Revision: 8952

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=8952

Log:
Partial work commit to find the DN of the new machine account - we
will use ldb to add servicePrincipalNames to this.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/libnet/config.mk
   branches/SAMBA_4_0/source/libnet/libnet_join.c


Changeset:
Modified: branches/SAMBA_4_0/source/libnet/config.mk
===
--- branches/SAMBA_4_0/source/libnet/config.mk  2005-08-02 20:59:23 UTC (rev 
8951)
+++ branches/SAMBA_4_0/source/libnet/config.mk  2005-08-02 21:21:43 UTC (rev 
8952)
@@ -18,6 +18,6 @@
libnet/userman.o \
libnet/domain.o 
 
-REQUIRED_SUBSYSTEMS = RPC_NDR_SAMR RPC_NDR_LSA RPC_NDR_SRVSVC LIBCLI_COMPOSITE 
LIBCLI_RESOLVE LIBSAMBA3
+REQUIRED_SUBSYSTEMS = RPC_NDR_SAMR RPC_NDR_LSA RPC_NDR_SRVSVC RPC_NDR_DRSUAPI 
LIBCLI_COMPOSITE LIBCLI_RESOLVE LIBSAMBA3
 # End SUBSYSTEM LIBNET
 #

Modified: branches/SAMBA_4_0/source/libnet/libnet_join.c
===
--- branches/SAMBA_4_0/source/libnet/libnet_join.c  2005-08-02 20:59:23 UTC 
(rev 8951)
+++ branches/SAMBA_4_0/source/libnet/libnet_join.c  2005-08-02 21:21:43 UTC 
(rev 8952)
@@ -23,6 +23,7 @@
 #include "libnet/libnet.h"
 #include "librpc/gen_ndr/ndr_samr.h"
 #include "librpc/gen_ndr/ndr_lsa.h"
+#include "librpc/gen_ndr/ndr_drsuapi.h"
 #include "lib/ldb/include/ldb.h"
 #include "include/secrets.h"
 
@@ -73,6 +74,14 @@
struct samr_GetUserPwInfo pwp;
struct lsa_String samr_account_name;
 
+   struct dcerpc_pipe *drsuapi_pipe;
+   struct dcerpc_binding *drsuapi_binding;
+   struct drsuapi_DsBind r_drsuapi_bind;
+   struct drsuapi_DsCrackNames r_crack_names;
+   struct drsuapi_DsNameString names[1];
+   struct policy_handle drsuapi_bind_handle;
+   struct GUID drsuapi_bind_guid;
+
uint32_t acct_flags;
uint32_t rid, access_granted;
int policy_min_pw_len = 0;
@@ -80,6 +89,7 @@
struct dom_sid *domain_sid;
const char *domain_name;
const char *realm = NULL; /* Also flag for remote being AD */
+   const char *account_dn;
 
tmp_ctx = talloc_named(mem_ctx, 0, "libnet_Join temp context");
if (!tmp_ctx) {
@@ -418,8 +428,105 @@
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
-   
+
+   drsuapi_binding = talloc(tmp_ctx, struct dcerpc_binding);
+   *drsuapi_binding = *samr_binding;
+   drsuapi_binding->transport = NCACN_IP_TCP;
+   drsuapi_binding->endpoint = NULL;
+   drsuapi_binding->flags |= DCERPC_SEAL;

+   status = dcerpc_pipe_connect_b(tmp_ctx, 
+  &drsuapi_pipe,
+  drsuapi_binding,
+  DCERPC_DRSUAPI_UUID,
+  DCERPC_DRSUAPI_VERSION, 
+  ctx->cred, 
+  ctx->event_ctx);
+
+   if (!NT_STATUS_IS_OK(status)) {
+   r->out.error_string = talloc_asprintf(mem_ctx,
+   "Connection to DRSUAPI pipe of 
PDC of domain '%s' failed: %s",
+   r->in.domain_name, 
nt_errstr(status));
+   talloc_free(tmp_ctx);
+   return status;
+   }
+   
+   GUID_from_string(DRSUAPI_DS_BIND_GUID, &drsuapi_bind_guid);
+
+   r_drsuapi_bind.in.bind_guid = &drsuapi_bind_guid;
+   r_drsuapi_bind.in.bind_info = NULL;
+   r_drsuapi_bind.out.bind_handle = &drsuapi_bind_handle;
+
+   status = dcerpc_drsuapi_DsBind(drsuapi_pipe, tmp_ctx, &r_drsuapi_bind);
+   if (!NT_STATUS_IS_OK(status)) {
+   if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
+   r->out.error_string
+   = talloc_asprintf(mem_ctx,
+ "dcerpc_drsuapi_DsBind for 
[%s\\%s] failed - %s\n", 
+ domain_name, 
r->in.account_name, 
+ dcerpc_errstr(tmp_ctx, 
drsuapi_pipe->last_fault_code));
+   talloc_free(tmp_ctx);
+   return status;
+   } else {
+   r->out.error_string
+   = talloc_asprintf(mem_ctx,
+ "dcerpc_drsuapi_DsBind for 
[%s\\%s] failed - %s\n", 
+ domain_nam

svn commit: samba r8970 - in branches/SAMBA_4_0/source/libnet: .

2005-08-02 Thread abartlet
Author: abartlet
Date: 2005-08-03 00:59:35 + (Wed, 03 Aug 2005)
New Revision: 8970

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=8970

Log:
Add 'ADS' join support to Samba4.

We now fill in the servicePrincipalName over LDAP, just like XP does,
and store the kvno in our local db.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/libnet/libnet_join.c
   branches/SAMBA_4_0/source/libnet/libnet_join.h


Changeset:
Modified: branches/SAMBA_4_0/source/libnet/libnet_join.c
===
--- branches/SAMBA_4_0/source/libnet/libnet_join.c  2005-08-03 00:57:48 UTC 
(rev 8969)
+++ branches/SAMBA_4_0/source/libnet/libnet_join.c  2005-08-03 00:59:35 UTC 
(rev 8970)
@@ -82,6 +82,8 @@
struct policy_handle drsuapi_bind_handle;
struct GUID drsuapi_bind_guid;
 
+   struct ldb_context *remote_ldb;
+
uint32_t acct_flags;
uint32_t rid, access_granted;
int policy_min_pw_len = 0;
@@ -91,6 +93,17 @@
const char *realm = NULL; /* Also flag for remote being AD */
const char *account_dn;
 
+   char *remote_ldb_url;
+   struct ldb_message **msgs, *msg;
+   int ldb_ret;
+
+   const char *attrs[] = {
+   "msDS-KeyVersionNumber",
+   "servicePrincipalName",
+   "dNSHostName",
+   NULL,
+   };
+
tmp_ctx = talloc_named(mem_ctx, 0, "libnet_Join temp context");
if (!tmp_ctx) {
r->out.error_string = NULL;
@@ -476,7 +489,7 @@
talloc_free(tmp_ctx);
return status;
}
-   } else if (!W_ERROR_IS_OK(r_crack_names.out.result)) {
+   } else if (!W_ERROR_IS_OK(r_drsuapi_bind.out.result)) {
r->out.error_string
= talloc_asprintf(mem_ctx,
  "DsBind failed - %s\n", 
win_errstr(r_drsuapi_bind.out.result));
@@ -525,8 +538,57 @@
 
account_dn = r_crack_names.out.ctr.ctr1->array[0].result_name;
 
-   printf("Account DN is: %s\n", account_dn);
-   
+   remote_ldb_url = talloc_asprintf(tmp_ctx, "ldap://%s";, 
+drsuapi_binding->host);
+   remote_ldb = ldb_wrap_connect(tmp_ctx, remote_ldb_url, 0, NULL);
+
+   if (!remote_ldb) {
+   return NT_STATUS_UNSUCCESSFUL;
+   }
+
+   /* search for the secret record */
+   ldb_ret = ldb_search(remote_ldb, account_dn, LDB_SCOPE_BASE, 
+NULL, attrs, &msgs);
+
+   if (ldb_ret != 1) {
+   r->out.error_string
+   = talloc_asprintf(mem_ctx,
+ "ldb_search for %s failed - %s\n", 
+ account_dn, 
+ ldb_errstring(remote_ldb));
+   return NT_STATUS_UNSUCCESSFUL;
+   }
+   r->out.kvno = ldb_msg_find_uint(msgs[0], "msDS-KeyVersionNumber", 0);
+
+   msg = ldb_msg_new(tmp_ctx);
+   if (!msg) {
+   return NT_STATUS_NO_MEMORY;
+   }
+
+   msg->dn = msgs[0]->dn;
+
+   {
+   char *service_principal_name[2];
+   char *dns_host_name = strlower_talloc(mem_ctx, 
+ talloc_asprintf(mem_ctx, 
+ "%s.%s", 
lp_netbios_name(), realm));
+   service_principal_name[0] = talloc_asprintf(tmp_ctx, "host/%s", 
dns_host_name);
+   service_principal_name[1] = talloc_asprintf(tmp_ctx, "host/%s", 
strlower_talloc(mem_ctx, lp_netbios_name()));
+
+   samdb_msg_add_string(remote_ldb, tmp_ctx, msg, "dNSHostName", 
dns_host_name);
+   samdb_msg_add_string(remote_ldb, tmp_ctx, msg, 
"servicePrincipalName", service_principal_name[0]);
+   samdb_msg_add_string(remote_ldb, tmp_ctx, msg, 
"servicePrincipalName", service_principal_name[1]);
+   
+   ldb_ret = samdb_replace(remote_ldb, tmp_ctx, msg);
+   if (ldb_ret != 0) {
+   r->out.error_string
+   = talloc_asprintf(mem_ctx, 
+ "Failed to replace entries on 
%s\n", 
+ msg->dn);
+   return NT_STATUS_INTERNAL_DB_CORRUPTION;
+   }
+   }
+
/* close connection */
talloc_free(tmp_ctx);
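Review bot: The four new early returns in this hunk (after `ldb_wrap_connect`, `ldb_search`, `ldb_msg_new` and `samdb_replace`) leave without `talloc_free(tmp_ctx)`, unlike the error paths visible in the other hunks of this function. The first and third also leave `r->out.error_string` unset. The `talloc_asprintf` and `strlower_talloc` results are used unchecked, and the host-name strings are allocated on `mem_ctx` rather than `tmp_ctx`, so they stay on the caller's context. The modify is sent over a plain `ldap://` URL opened with a NULL options argument; how that connection is authenticated and protected is not visible here and deserves a comment, since it rewrites servicePrincipalName on the machine account. The function starts and ends outside the hunk.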
 
@@ -604,8 +666,12 @@
samdb_msg_add_string(ldb, mem_ctx, msg, "samAccountName", 
r2.in.account_name);

samdb_ms

svn commit: samba r8980 - in branches/SAMBA_4_0/source/auth: .

2005-08-02 Thread abartlet
Author: abartlet
Date: 2005-08-03 04:41:10 + (Wed, 03 Aug 2005)
New Revision: 8980

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=8980

Log:
Make Samba4 honour account control flags (we were asking for a
non-existent field).

Also change time(NULL) into an NTTIME for comparison, rather than
experience rounding bugs (size of time_t) when converting an NTTIME
into a time_t.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/auth_sam.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/auth_sam.c
===
--- branches/SAMBA_4_0/source/auth/auth_sam.c   2005-08-03 04:15:16 UTC (rev 
8979)
+++ branches/SAMBA_4_0/source/auth/auth_sam.c   2005-08-03 04:41:10 UTC (rev 
8980)
@@ -117,6 +117,7 @@
   const char *workstation_list,
   const struct auth_usersupplied_info 
*user_info)
 {
+   NTTIME now;
DEBUG(4,("authsam_account_ok: Checking SMB password for user %s\n", 
user_info->mapped.account_name));
 
/* Quit if the account was disabled. */
@@ -132,7 +133,8 @@
}
 
/* Test account expire time */
-   if ((acct_expiry) != -1 && time(NULL) > nt_time_to_unix(acct_expiry)) {
+   unix_to_nt_time(&now, time(NULL));
+   if (now > acct_expiry) {
DEBUG(1,("authsam_account_ok: Account for user '%s' has 
expired.\n", user_info->mapped.account_name));
DEBUG(3,("authsam_account_ok: Account expired at '%s'.\n", 
 nt_time_string(mem_ctx, acct_expiry)));
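Review bot: The new test `if (now > acct_expiry)` drops the old line's `!= -1` guard without a replacement, while the password check in the next hunk keeps its `!= 0` guard. If NTTIME is unsigned, the all-ones "never" value still compares correctly, but an `acct_expiry` of 0 (attribute missing, or the directory's other "never expires" encoding) would make every such account look expired. If it is signed, -1 is always in the past. Naming the sentinels, e.g. `if (acct_expiry != 0 && acct_expiry != (NTTIME)-1 && now > acct_expiry) {`, keeps the decision independent of signedness; confirm this against how the caller derives `acct_expiry`. The function starts and ends outside the hunk.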
@@ -148,7 +150,7 @@
}
 
/* check for expired password */
-   if ((must_change_time) != 0 && 
nt_time_to_unix(must_change_time) < time(NULL)) {
+   if ((must_change_time != 0) && (must_change_time < now)) {
DEBUG(1,("sam_account_ok: Account for user '%s' 
password expired!.\n", 
 user_info->mapped.account_name));
DEBUG(1,("sam_account_ok: Password expired at '%s' unix 
time.\n", 
@@ -356,7 +358,7 @@
NTSTATUS nt_status;
const char *domain_dn = samdb_result_string(msgs_domain[0], "nCName", 
"");
 
-   acct_flags = samdb_result_acct_flags(msgs[0], "sAMAcctFlags");
+   acct_flags = samdb_result_acct_flags(msgs[0], "userAccountControl");

/* Quit if the account was locked out. */
if (acct_flags & ACB_AUTOLOCK) {



svn commit: samba r8981 - in branches/SAMBA_4_0/source/libnet: .

2005-08-02 Thread abartlet
Author: abartlet
Date: 2005-08-03 05:24:13 + (Wed, 03 Aug 2005)
New Revision: 8981

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=8981

Log:
Add comments, fix typos (in attribute names) and check for errors in
SamSync and 'net join'.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/libnet/libnet_join.c
   branches/SAMBA_4_0/source/libnet/libnet_samsync_ldb.c


Changeset:
Modified: branches/SAMBA_4_0/source/libnet/libnet_join.c
===
--- branches/SAMBA_4_0/source/libnet/libnet_join.c  2005-08-03 04:41:10 UTC 
(rev 8980)
+++ branches/SAMBA_4_0/source/libnet/libnet_join.c  2005-08-03 05:24:13 UTC 
(rev 8981)
@@ -158,6 +158,8 @@
return status;
}
 
+   /* Look to see if this is ADS (a fault indicates NT4 or Samba 3.0) */
+
lsa_query_info2.in.handle = &lsa_p_handle;
lsa_query_info2.in.level = LSA_POLICY_INFO_DNS;
 
@@ -175,6 +177,8 @@
realm = lsa_query_info2.out.info->dns.dns_domain.string;
}
 
+   /* Grab the domain SID (regardless of the result of the previous call */
+
lsa_query_info.in.handle = &lsa_p_handle;
lsa_query_info.in.level = LSA_POLICY_INFO_DOMAIN;
 
@@ -196,7 +200,7 @@
r->out.realm = talloc_steal(mem_ctx, realm);
 
/*
- step 1 - establish a SAMR connection, on the same CIFS transport
+ establish a SAMR connection, on the same CIFS transport
*/
 
/* Find the original binding string */
@@ -357,13 +361,15 @@
}
}
 
+   /* Find out what password policy this user has */
pwp.in.user_handle = &u_handle;
 
status = dcerpc_samr_GetUserPwInfo(samr_pipe, tmp_ctx, &pwp);
if (NT_STATUS_IS_OK(status)) {
policy_min_pw_len = pwp.out.info.min_password_length;
}
-
+   
+   /* Grab a password of that minimum length */
r->out.join_password = generate_random_str(mem_ctx, MAX(8, 
policy_min_pw_len));
 
r2.samr_handle.level= LIBNET_SET_PASSWORD_SAMR_HANDLE;
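Review bot: The comment added above `generate_random_str()` documents that the machine password is generated at exactly the policy minimum, with a floor of 8 characters. The code just above it silently treats a failed `dcerpc_samr_GetUserPwInfo` as a minimum of 0. For a machine-account secret that nobody types, a fixed longer length that still satisfies `policy_min_pw_len` would be the safer default. If 8 is kept on purpose, the comment should say why and note the fallback when the policy query fails. The function starts and ends outside the hunk.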
@@ -436,12 +442,21 @@
}
 
/* Now, if it was AD, then we want to start looking changing a
-* few more things */
+* few more things.  Otherwise, we are done. */
if (!realm) {
+   r->out.realm = NULL;
+   r->out.kvno = 0;
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
 
+   /* We need to convert between a samAccountName and domain to a
+* DN in the directory.  The correct way to do this is with
+* DRSUAPI CrackNames */
+
+
+   /* Fiddle with the bindings, so get to DRSUAPI on
+* NCACN_IP_TCP, sealed */
drsuapi_binding = talloc(tmp_ctx, struct dcerpc_binding);
*drsuapi_binding = *samr_binding;
drsuapi_binding->transport = NCACN_IP_TCP;
@@ -464,6 +479,7 @@
return status;
}

+   /* get a DRSUAPI pipe handle */
GUID_from_string(DRSUAPI_DS_BIND_GUID, &drsuapi_bind_guid);
 
r_drsuapi_bind.in.bind_guid = &drsuapi_bind_guid;
@@ -497,6 +513,7 @@
return NT_STATUS_UNSUCCESSFUL;
}
 
+   /* Actually 'crack' the names */
ZERO_STRUCT(r_crack_names);
r_crack_names.in.bind_handle= &drsuapi_bind_handle;
r_crack_names.in.level  = 1;
@@ -534,10 +551,21 @@
  "DsCrackNames failed - %s\n", 
win_errstr(r_crack_names.out.result));
talloc_free(tmp_ctx);
return NT_STATUS_UNSUCCESSFUL;
+   } else if (r_crack_names.out.level != 1 
+  || !r_crack_names.out.ctr.ctr1 
+  || r_crack_names.out.ctr.ctr1->count != 1 
+  || r_crack_names.out.ctr.ctr1->array[0].status != 
DRSUAPI_DS_NAME_STATUS_OK) {
+   
+   r->out.error_string = talloc_asprintf(mem_ctx, "DsCrackNames 
failed\n");
+   talloc_free(tmp_ctx);
+   return NT_STATUS_UNSUCCESSFUL;
}
 
account_dn = r_crack_names.out.ctr.ctr1->array[0].result_name;
 
+
+   /* Now we know the user's DN, open with LDAP, read and modify a few 
things */
+
remote_ldb_url = talloc_asprintf(tmp_ctx, "ldap://%s";, 
 drsuapi_binding->host);
remote_ldb = ldb_wrap_connect(tmp_ctx, remote_ldb_url, 0, NULL);
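Review bot: The new `else if` validates level, container, count and status, but not `array[0].result_name` itself, which is assigned to `account_dn` on the next line and later used as the search base. Adding `|| !r_crack_names.out.ctr.ctr1->array[0].result_name` to the condition covers a server that reports status OK with a NULL name. The message `"DsCrackNames failed\n"` is the same for all four conditions; including the returned count or status would make a failed join diagnosable. The function starts and ends outside the hunk.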
@@ -546,7 +574,7 @@
return NT_STATUS_UNSUCCESSFUL;
}
 
-   /* search for the secret record */
+   /* search for the user's record */
ldb_ret = ldb_search(remote_ldb, account_dn, LDB_SCOPE_BASE, 
 NULL, attrs, &msgs);
 
@@ -558,8 +586,11 @@
  ldb_er

svn commit: samba r8982 - in branches/SAMBA_4_0/source/rpc_server/lsa: .

2005-08-02 Thread abartlet
Author: abartlet
Date: 2005-08-03 05:25:30 + (Wed, 03 Aug 2005)
New Revision: 8982

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=8982

Log:
"name" is not the netbios name, but the RDN.  Return the correct
netbios domain name of the host, as well as the sid from the cache we
fetched earlier.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/rpc_server/lsa/dcesrv_lsa.c


Changeset:
Modified: branches/SAMBA_4_0/source/rpc_server/lsa/dcesrv_lsa.c
===
--- branches/SAMBA_4_0/source/rpc_server/lsa/dcesrv_lsa.c   2005-08-03 
05:24:13 UTC (rev 8981)
+++ branches/SAMBA_4_0/source/rpc_server/lsa/dcesrv_lsa.c   2005-08-03 
05:25:30 UTC (rev 8982)
@@ -360,18 +360,9 @@
 static NTSTATUS lsa_info_AccountDomain(struct lsa_policy_state *state, 
TALLOC_CTX *mem_ctx,
   struct lsa_DomainInfo *info)
 {
-   const char * const attrs[] = { "objectSid", "name", NULL};
-   int ret;
-   struct ldb_message **res;
+   info->name.string = state->domain_name;
+   info->sid = state->domain_sid;
 
-   ret = gendb_search_dn(state->sam_ldb, mem_ctx, state->domain_dn, &res, 
attrs);
-   if (ret != 1) {
-   return NT_STATUS_INTERNAL_DB_CORRUPTION;
-   }
-
-   info->name.string = samdb_result_string(res[0], "name", NULL);
-   info->sid = samdb_result_dom_sid(mem_ctx, res[0], "objectSid");
-
return NT_STATUS_OK;
 }
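Review bot: `info->name.string` and `info->sid` now point directly at members of `state` instead of at memory allocated on `mem_ctx`, so the reply is valid only while the policy state is alive and nothing rewrites those fields. If that lifetime is guaranteed for the call, a comment above the function such as `/* name and sid are borrowed from state, not copied */` would record it; otherwise copy them onto `mem_ctx`. Neither pointer is checked for NULL before being returned, and `mem_ctx` is now unused in lsa_info_AccountDomain. The next hunk applies the same borrowing in the DNS info function.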
 
@@ -390,11 +381,11 @@
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
 
-   info->name.string   = samdb_result_string(res[0],   "name", 
NULL);
+   info->name.string = state->domain_name;
+   info->sid = state->domain_sid;
info->dns_domain.string = samdb_result_string(res[0],   
"dnsDomain", NULL);
info->dns_forest.string = samdb_result_string(res[0],   
"dnsDomain", NULL);
info->domain_guid   = samdb_result_guid(res[0], 
"objectGUID");
-   info->sid   = samdb_result_dom_sid(mem_ctx, res[0], 
"objectSid");
 
return NT_STATUS_OK;
 }



svn commit: samba r8983 - in branches/SAMBA_4_0/source/rpc_server/samr: .

2005-08-02 Thread abartlet
Author: abartlet
Date: 2005-08-03 05:26:17 + (Wed, 03 Aug 2005)
New Revision: 8983

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=8983

Log:
The KVNO (Kerberos key version number) should be incremented with
every password set.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/rpc_server/samr/samr_password.c


Changeset:
Modified: branches/SAMBA_4_0/source/rpc_server/samr/samr_password.c
===
--- branches/SAMBA_4_0/source/rpc_server/samr/samr_password.c   2005-08-03 
05:25:30 UTC (rev 8982)
+++ branches/SAMBA_4_0/source/rpc_server/samr/samr_password.c   2005-08-03 
05:26:17 UTC (rev 8983)
@@ -510,6 +510,7 @@
struct samr_Password *new_lmPwdHistory, *new_ntPwdHistory;
struct samr_Password local_lmNewHash, local_ntNewHash;
int lmPwdHistory_len, ntPwdHistory_len;
+   uint_t kvno;
struct ldb_message **res;
int count;
time_t now = time(NULL);
@@ -534,6 +535,7 @@
lmPwdHash =  samdb_result_hash(res[0],   "lmPwdHash");
ntPwdHash =  samdb_result_hash(res[0],   "ntPwdHash");
pwdLastSet = samdb_result_uint64(res[0], "pwdLastSet", 0);
+   kvno =   samdb_result_uint(res[0],   
"msDS-KeyVersionNumber", 0);
 
/* pull the domain parameters */
count = gendb_search_dn(ctx, mem_ctx, domain_dn, &res, domain_attrs);
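Review bot: `kvno` is read from `res[0]` here, but the diff does not touch the attribute list passed to the search that produced `res`. If that list is explicit and lacks `"msDS-KeyVersionNumber"`, the read always returns the default 0 and every password set writes 1. The `kvno + 1` write in the last hunk is also a read-modify-write with no locking or transaction visible in these lines, so two concurrent password changes could store the same version. Both points depend on code outside the hunks and should be confirmed there.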
@@ -679,6 +681,8 @@
}
 
CHECK_RET(samdb_msg_add_uint64(ctx, mem_ctx, mod, "pwdLastSet", 
now_nt));
+
+   CHECK_RET(samdb_msg_add_uint(ctx, mem_ctx, mod, 
"msDS-KeyVersionNumber", kvno + 1));

if (pwdHistoryLength == 0) {
CHECK_RET(samdb_msg_add_delete(ctx, mem_ctx, mod, 
"lmPwdHistory"));



svn commit: samba r8984 - in branches/SAMBA_4_0/source/rpc_server/drsuapi: .

2005-08-02 Thread abartlet
Author: abartlet
Date: 2005-08-03 05:28:06 + (Wed, 03 Aug 2005)
New Revision: 8984

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=8984

Log:
Use the correct cross-reference search in DRSUAPI, rather than making
assumptions about the behaviour of "name" as a NETBIOS domain name.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/rpc_server/drsuapi/drsuapi_cracknames.c


Changeset:
Modified: branches/SAMBA_4_0/source/rpc_server/drsuapi/drsuapi_cracknames.c
===
--- branches/SAMBA_4_0/source/rpc_server/drsuapi/drsuapi_cracknames.c   
2005-08-03 05:26:17 UTC (rev 8983)
+++ branches/SAMBA_4_0/source/rpc_server/drsuapi/drsuapi_cracknames.c   
2005-08-03 05:28:06 UTC (rev 8984)
@@ -94,8 +94,9 @@
account = &p[1];
}
 
-   domain_filter = talloc_asprintf(mem_ctx, 
"(&(objectClass=domainDNS)(name=%s))",
-   domain);
+   domain_filter = talloc_asprintf(mem_ctx, 
+   
"(&(&(nETBIOSName=%s)(objectclass=crossRef))(ncName=*))", 
+   domain);
WERR_TALLOC_CHECK(domain_filter);
if (account) {
result_filter = talloc_asprintf(mem_ctx, 
"(sAMAccountName=%s)",
@@ -115,7 +116,7 @@
/* here we need to set the attrs lists for domain and result lookups */
switch (format_desired) {
case DRSUAPI_DS_NAME_FORMAT_FQDN_1779: {
-   const char * const _domain_attrs[] = { "dn", 
"dnsDomain", NULL};
+   const char * const _domain_attrs[] = { "ncName", 
"dnsRoot", NULL};
const char * const _result_attrs[] = { "dn", NULL};

domain_attrs = _domain_attrs;
@@ -123,7 +124,7 @@
break;
}
case DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT: {
-   const char * const _domain_attrs[] = { "name", 
"dnsDomain", "dn", NULL};
+   const char * const _domain_attrs[] = { "ncName", 
"dnsRoot", "nETBIOSName", NULL};
const char * const _result_attrs[] = { 
"sAMAccountName", NULL};

domain_attrs = _domain_attrs;
@@ -131,7 +132,7 @@
break;
}
case DRSUAPI_DS_NAME_FORMAT_GUID: {
-   const char * const _domain_attrs[] = { "objectGUID", 
"dnsDomain", "dn", NULL};
+   const char * const _domain_attrs[] = { "ncName", 
"dnsRoot", NULL};
const char * const _result_attrs[] = { "objectGUID", 
NULL};

domain_attrs = _domain_attrs;
@@ -159,12 +160,12 @@
return WERR_OK;
}
 
-   info1->dns_domain_name  = samdb_result_string(domain_res[0], 
"dnsDomain", NULL);
+   info1->dns_domain_name  = samdb_result_string(domain_res[0], "dnsRoot", 
NULL);
WERR_TALLOC_CHECK(info1->dns_domain_name);
info1->status   = DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY;
 
if (result_filter) {
-   result_basedn = samdb_result_string(domain_res[0], "dn", NULL);
+   result_basedn = samdb_result_string(domain_res[0], "ncName", 
NULL);
 
ret = gendb_search(b_state->sam_ctx, mem_ctx, result_basedn, 
&result_res,
result_attrs, "%s", result_filter);
@@ -187,7 +188,7 @@
/* here we can use result_res[0] and domain_res[0] */
switch (format_desired) {
case DRSUAPI_DS_NAME_FORMAT_FQDN_1779: {
-   info1->result_name  = 
samdb_result_string(result_res[0], "dn", NULL);
+   info1->result_name  = result_res[0]->dn;
WERR_TALLOC_CHECK(info1->result_name);
 
info1->status   = DRSUAPI_DS_NAME_STATUS_OK;
@@ -197,7 +198,7 @@
const char *_dom;
const char *_acc = "";
 
-   _dom = samdb_result_string(domain_res[0], "name", NULL);
+   _dom = samdb_result_string(domain_res[0], 
"nETBIOSName", NULL);
WERR_TALLOC_CHECK(_dom);
 
if (result_filter) {



svn commit: samba r8986 - in branches/SAMBA_4_0/source/librpc/idl: .

2005-08-02 Thread abartlet
Author: abartlet
Date: 2005-08-03 05:29:34 + (Wed, 03 Aug 2005)
New Revision: 8986

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=8986

Log:
As far as I can tell, given the ldif I get from behind this, we have a
signed NTTIME here.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/librpc/idl/netlogon.idl


Changeset:
Modified: branches/SAMBA_4_0/source/librpc/idl/netlogon.idl
===
--- branches/SAMBA_4_0/source/librpc/idl/netlogon.idl   2005-08-03 05:28:08 UTC 
(rev 8985)
+++ branches/SAMBA_4_0/source/librpc/idl/netlogon.idl   2005-08-03 05:29:34 UTC 
(rev 8986)
@@ -389,7 +389,7 @@
typedef struct {
lsa_String domain_name;
lsa_String comment;
-   NTTIME force_logoff_time;
+   dlong force_logoff_time;
uint16 min_password_length;
uint16 password_history_length;
/* yes, these are signed. They are in negative 100ns */



svn commit: samba r8998 - in branches/SAMBA_4_0/source/rpc_server: drsuapi netlogon

2005-08-03 Thread abartlet
Author: abartlet
Date: 2005-08-03 07:24:42 + (Wed, 03 Aug 2005)
New Revision: 8998

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=8998

Log:
More work on the RPC server code to avoid abusing the name attribute
as a netbios name.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/rpc_server/drsuapi/drsuapi_cracknames.c
   branches/SAMBA_4_0/source/rpc_server/netlogon/dcerpc_netlogon.c


Changeset:
Modified: branches/SAMBA_4_0/source/rpc_server/drsuapi/drsuapi_cracknames.c
===
--- branches/SAMBA_4_0/source/rpc_server/drsuapi/drsuapi_cracknames.c   
2005-08-03 07:17:14 UTC (rev 8997)
+++ branches/SAMBA_4_0/source/rpc_server/drsuapi/drsuapi_cracknames.c   
2005-08-03 07:24:42 UTC (rev 8998)
@@ -58,18 +58,19 @@
case DRSUAPI_DS_NAME_FORMAT_CANONICAL: {
char *str;
 
-   str = talloc_asprintf(mem_ctx, "%s/", lp_realm());
+   str = talloc_strdup(mem_ctx, name);
WERR_TALLOC_CHECK(str);
-
-   ret = strcasecmp(str, name);
-   talloc_free(str);
-   if (ret != 0) {
-   info1->status = 
DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
+   
+   if (strlen(str) == 0 || str[strlen(str)-1] != '/') {
+   info1->status = 
DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
return WERR_OK;
}
+   
+   str[strlen(str)-1] = '\0';
 
-   domain_filter = talloc_asprintf(mem_ctx, 
"(&(objectClass=domainDNS)(name=%s))",
-   lp_workgroup());
+   domain_filter = talloc_asprintf(mem_ctx, 
+   
"(&(&(&(dnsRoot=%s)(objectclass=crossRef)))(nETBIOSName=*)(ncName=*))", 
+   str);
WERR_TALLOC_CHECK(domain_filter);
 
break;
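Review bot: `str` is a copy of `name` with only the trailing '/' removed, and it is placed into the search filter through `%s` unescaped, so filter metacharacters such as `(`, `)`, `*` or `\` in the name change the structure of the query instead of being matched literally. `name` looks like it originates from the client's CrackNames request (its source is outside this hunk), so it should be encoded as an LDAP filter value before the `talloc_asprintf`, for example with ldb's `ldb_binary_encode_string(mem_ctx, str)` if this tree provides it, with the encoded copy checked for NULL. The enclosing switch starts and ends outside the hunk.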

Modified: branches/SAMBA_4_0/source/rpc_server/netlogon/dcerpc_netlogon.c
===
--- branches/SAMBA_4_0/source/rpc_server/netlogon/dcerpc_netlogon.c 
2005-08-03 07:17:14 UTC (rev 8997)
+++ branches/SAMBA_4_0/source/rpc_server/netlogon/dcerpc_netlogon.c 
2005-08-03 07:24:42 UTC (rev 8998)
@@ -1233,9 +1233,10 @@
 {
struct netr_DomainTrust *trusts;
void *sam_ctx;
-   int ret, i;
-   struct ldb_message **res;
-   const char * const attrs[] = { "name", "dnsDomain", "objectSid", 
"objectGUID", NULL };
+   int ret;
+   struct ldb_message **dom_res, **ref_res;
+   const char * const dom_attrs[] = { "dnsDomain", "objectSid", 
"objectGUID", NULL };
+   const char * const ref_attrs[] = { "nETBIOSName", NULL };
 
ZERO_STRUCT(r->out);
 
@@ -1244,39 +1245,47 @@
return WERR_GENERAL_FAILURE;
}
 
-   ret = gendb_search(sam_ctx, mem_ctx, NULL, &res, attrs, 
"(objectClass=domainDNS)");
+   ret = gendb_search(sam_ctx, mem_ctx, NULL, &dom_res, dom_attrs, 
"(&(objectClass=domainDNS)(dnsDomain=%s))", lp_realm());
if (ret == -1) {
return WERR_GENERAL_FAILURE;
}
 
-   if (ret == 0) {
-   return WERR_OK;
+   if (ret != 1) {
+   return WERR_GENERAL_FAILURE;
}
 
+   ret = gendb_search(sam_ctx, mem_ctx, NULL, &ref_res, ref_attrs, 
"(&(objectClass=crossRef)(ncName=%s))", dom_res[0]->dn);
+   if (ret == -1) {
+   return WERR_GENERAL_FAILURE;
+   }
+
+   if (ret != 1) {
+   return WERR_GENERAL_FAILURE;
+   }
+
+
+
trusts = talloc_array(mem_ctx, struct netr_DomainTrust, ret);
if (trusts == NULL) {
return WERR_NOMEM;
}

-   r->out.count = ret;
+   r->out.count = 1;
r->out.trusts = trusts;
 
/* TODO: add filtering by trust_flags, and correct trust_type
   and attributes */
-   for (i=0;i

svn commit: samba r8999 - in branches/SAMBA_4_0/source/setup: .

2005-08-03 Thread abartlet
Author: abartlet
Date: 2005-08-03 07:25:36 + (Wed, 03 Aug 2005)
New Revision: 8999

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=8999

Log:
Use the timestamps module to ensure we update times.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/setup/secrets.ldif


Changeset:
Modified: branches/SAMBA_4_0/source/setup/secrets.ldif
===
--- branches/SAMBA_4_0/source/setup/secrets.ldif2005-08-03 07:24:42 UTC 
(rev 8998)
+++ branches/SAMBA_4_0/source/setup/secrets.ldif2005-08-03 07:25:36 UTC 
(rev 8999)
@@ -8,6 +8,11 @@
 flatname: CASE_INSENSITIVE
 sAMAccountName: CASE_INSENSITIVE
 
+#Add modules to the list to activate them by default
+#beware often order is important
+dn: @MODULES
[EMAIL PROTECTED]: timestamps
+
 dn: CN=LSA Secrets
 objectClass: top
 objectClass: container



svn commit: samba r9011 - in branches/SAMBA_4_0/source: cldap_server nbt_server/dgram rpc_server/lsa rpc_server/samr

2005-08-03 Thread abartlet
Author: abartlet
Date: 2005-08-03 18:30:21 + (Wed, 03 Aug 2005)
New Revision: 9011

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9011

Log:
Remove more references to "name" as a netbios name, using the
cross-reference instead.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/cldap_server/netlogon.c
   branches/SAMBA_4_0/source/nbt_server/dgram/netlogon.c
   branches/SAMBA_4_0/source/rpc_server/lsa/dcesrv_lsa.c
   branches/SAMBA_4_0/source/rpc_server/samr/dcesrv_samr.c


Changeset:
Sorry, the patch is too large (372 lines) to include; please use WebSVN to see 
it!
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9011


svn commit: samba r9015 - in branches/SAMBA_4_0/source/rpc_server/samr: .

2005-08-03 Thread abartlet
Author: abartlet
Date: 2005-08-03 19:58:58 + (Wed, 03 Aug 2005)
New Revision: 9015

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9015

Log:
Fix access to BUILTIN again.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/rpc_server/samr/dcesrv_samr.c


Changeset:
Modified: branches/SAMBA_4_0/source/rpc_server/samr/dcesrv_samr.c
===
--- branches/SAMBA_4_0/source/rpc_server/samr/dcesrv_samr.c 2005-08-03 
19:18:05 UTC (rev 9014)
+++ branches/SAMBA_4_0/source/rpc_server/samr/dcesrv_samr.c 2005-08-03 
19:58:58 UTC (rev 9015)
@@ -271,14 +271,14 @@
int ret;
array->entries[i].idx = start_i + i;
/* try and find the domain */
-   ret = gendb_search(c_state->sam_ctx, mem_ctx, NULL, &ref_msgs, 
ref_attrs, 
+   ret = gendb_search(c_state->sam_ctx, mem_ctx, NULL, 
+  &ref_msgs, ref_attrs, 
   "(&(objectClass=crossRef)(ncName=%s))", 
-  dom_msgs[0]->dn);
+  dom_msgs[i]->dn);
if (ret == 1) {
array->entries[i].name.string = 
samdb_result_string(ref_msgs[0], "nETBIOSName", NULL);
} else {
-   /* Builtin? If we can't find the reference, punt */
-   array->entries[i].name.string = 
samdb_result_string(dom_msgs[0], "cn", NULL);
+   array->entries[i].name.string = 
samdb_result_string(dom_msgs[i], "cn", NULL);
}
}
 
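Review bot: A failed search (`ret == -1`) takes the same `else` branch as "no crossRef found", so in the loop body shown here a database error silently produces the `cn` as the domain name instead of an error to the caller. The commit also deletes the comment that explained the fallback; I would keep one, e.g. `/* no crossRef (Builtin?): fall back to cn */`. Both `samdb_result_string()` calls pass NULL as the default, so `name.string` can end up NULL if the attribute is missing. The loop itself starts outside the hunk.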
@@ -300,7 +300,7 @@
const char *domain_name;
struct samr_connect_state *c_state;
struct samr_domain_state *d_state;
-   const char * const dom_attrs[] = { NULL};
+   const char * const dom_attrs[] = { "cn", NULL};
const char * const ref_attrs[] = { "nETBIOSName", NULL};
struct ldb_message **dom_msgs;
struct ldb_message **ref_msgs;
@@ -318,25 +318,38 @@
 
ret = gendb_search(c_state->sam_ctx,
   mem_ctx, NULL, &dom_msgs, dom_attrs,
-  "(&(objectSid=%s)(objectclass=domain))", 
+  
"(&(objectSid=%s)(&(objectclass=domain)(!(objectClass=builtinDomain",
   ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid));
-   if (ret != 1) {
-   return NT_STATUS_NO_SUCH_DOMAIN;
-   }
+   if (ret == -1) {
+   return NT_STATUS_INTERNAL_DB_CORRUPTION;
+   } else if (ret == 0) {
+   ret = gendb_search(c_state->sam_ctx,
+  mem_ctx, NULL, &dom_msgs, dom_attrs,
+  
"(&(objectSid=%s)(objectClass=builtinDomain))", 
+  ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid));
+   if (ret != 1) {
+   return NT_STATUS_NO_SUCH_DOMAIN;
+   }
 
-   ret = gendb_search(c_state->sam_ctx,
-  mem_ctx, NULL, &ref_msgs, ref_attrs,
-  
"(&(&(nETBIOSName=*)(objectclass=crossRef))(ncName=%s))", 
-  dom_msgs[0]->dn);
-   if (ret != 1) {
-   return NT_STATUS_NO_SUCH_DOMAIN;
+   domain_name = ldb_msg_find_string(dom_msgs[0], "cn", NULL);
+   if (domain_name == NULL) {
+   return NT_STATUS_NO_SUCH_DOMAIN;
+   }
+   } else {
+   ret = gendb_search(c_state->sam_ctx,
+  mem_ctx, NULL, &ref_msgs, ref_attrs,
+  
"(&(&(nETBIOSName=*)(objectclass=crossRef))(ncName=%s))", 
+  dom_msgs[0]->dn);
+   if (ret != 1) {
+   return NT_STATUS_NO_SUCH_DOMAIN;
+   }
+   
+   domain_name = ldb_msg_find_string(ref_msgs[0], "nETBIOSName", 
NULL);
+   if (domain_name == NULL) {
+   return NT_STATUS_NO_SUCH_DOMAIN;
+   }
}
 
-   domain_name = ldb_msg_find_string(ref_msgs[0], "nETBIOSName", NULL);
-   if (domain_name == NULL) {
-   return NT_STATUS_NO_SUCH_DOMAIN;
-   }
-
d_state = talloc(c_state, struct samr_domain_state);
if (!d_state) {
return NT_STATUS_NO_MEMORY;
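Review bot: The first filter string in this hunk, `"(&(objectSid=%s)(&(objectclass=domain)(!(objectClass=builtinDomain"`, opens four parentheses that are never closed as it is shown here. If that is what was committed rather than an artefact of the mail archive, the search cannot match and, depending on how `gendb_search()` reports a parse failure, every call would end in `NT_STATUS_INTERNAL_DB_CORRUPTION` or fall through to the builtinDomain lookup. The balanced form would be `"(&(objectSid=%s)(&(objectclass=domain)(!(objectClass=builtinDomain))))"`. The function starts and ends outside the hunk.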
@@ -406,10 +419,8 @@
   struct samr_DomInfo2 *info)
 {
const char * const dom_attrs[] = { "comment", NULL };
-   const char * const ref_attrs[] = { "nETBIOSName", NULL };
int ret;
struct l

svn commit: samba r9016 - in branches/SAMBA_4_0/source/rpc_server/netlogon: .

2005-08-03 Thread abartlet
Author: abartlet
Date: 2005-08-03 20:27:33 + (Wed, 03 Aug 2005)
New Revision: 9016

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9016

Log:
More work to avoid abuse of the "name" attribute, this time on
NETLOGON.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/rpc_server/netlogon/dcerpc_netlogon.c


Changeset:
Modified: branches/SAMBA_4_0/source/rpc_server/netlogon/dcerpc_netlogon.c
===
--- branches/SAMBA_4_0/source/rpc_server/netlogon/dcerpc_netlogon.c 
2005-08-03 19:58:58 UTC (rev 9015)
+++ branches/SAMBA_4_0/source/rpc_server/netlogon/dcerpc_netlogon.c 
2005-08-03 20:27:33 UTC (rev 9016)
@@ -870,11 +870,12 @@
   fill in a netr_DomainTrustInfo from a ldb search result
 */
 static NTSTATUS fill_domain_primary_info(TALLOC_CTX *mem_ctx, struct 
ldb_message *res,
-struct netr_DomainTrustInfo *info)
+struct netr_DomainTrustInfo *info, 
+const char *local_domain)
 {
ZERO_STRUCTP(info);
 
-   info->domainname.string = samdb_result_string(res, "name", NULL);
+   info->domainname.string = local_domain;
info->fulldomainname.string = talloc_asprintf(info, "%s.", 
samdb_result_string(res, "dnsDomain", NULL));
/* TODO: we need proper forest support */
info->forest.string = info->fulldomainname.string;
@@ -888,12 +889,13 @@
   fill in a netr_DomainTrustInfo from a ldb search result
 */
 static NTSTATUS fill_domain_trust_info(TALLOC_CTX *mem_ctx, struct ldb_message 
*res,
-  struct netr_DomainTrustInfo *info, BOOL 
is_local)
+  struct netr_DomainTrustInfo *info, 
+  const char *local_domain, BOOL is_local)
 {
ZERO_STRUCTP(info);
 
if (is_local) {
-   info->domainname.string = samdb_result_string(res, "name", 
NULL);
+   info->domainname.string = local_domain;
info->fulldomainname.string = samdb_result_string(res, 
"dnsDomain", NULL);
info->forest.string = NULL;
info->guid = samdb_result_guid(res, "objectGUID");
@@ -917,15 +919,18 @@
struct netr_LogonGetDomainInfo *r)
 {
struct server_pipe_state *pipe_state = dce_call->context->private;
-   const char * const attrs[] = { "name", "dnsDomain", "objectSid", 
+   const char * const attrs[] = { "dnsDomain", "objectSid", 
   "objectGUID", "flatName", 
"securityIdentifier",
   NULL };
-   void *sam_ctx;
-   struct ldb_message **res1, **res2;
+   const char * const ref_attrs[] = { "nETBIOSName", NULL };
+   struct ldb_context *sam_ctx;
+   struct ldb_message **res1, **res2, **ref_res;
struct netr_DomainInfo1 *info1;
-   int ret1, ret2, i;
+   int ret, ret1, ret2, i;
NTSTATUS status;
 
+   const char *local_domain;
+
status = netr_creds_server_step_check(pipe_state, 
  r->in.credential, 
r->out.return_authenticator);
if (!NT_STATUS_IS_OK(status)) {
@@ -947,6 +952,17 @@
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
 
+   /* try and find the domain */
+   ret = gendb_search(sam_ctx, mem_ctx, NULL, 
+  &ref_res, ref_attrs, 
+  "(&(objectClass=crossRef)(ncName=%s))", 
+  res1[0]->dn);
+   if (ret != 1) {
+   return NT_STATUS_INTERNAL_DB_CORRUPTION;
+   }
+
+   local_domain = samdb_result_string(ref_res[0], "nETBIOSName", NULL);
+
ret2 = gendb_search(sam_ctx, mem_ctx, NULL, &res2, attrs, 
"(objectClass=trustedDomain)");
if (ret2 == -1) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
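Review bot: `local_domain` is taken from `samdb_result_string(ref_res[0], "nETBIOSName", NULL)` without a NULL check, and it is then stored in `info->domainname.string` by both fill functions in the earlier hunks. The filter only requires `objectClass=crossRef` and a matching `ncName`, so a crossRef without `nETBIOSName` gets through; the SAMR change in r9015 on this page handles the same lookup with an explicit check. I would add `if (local_domain == NULL) { return NT_STATUS_INTERNAL_DB_CORRUPTION; }` right after the assignment. The function continues outside the hunk.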
@@ -966,19 +982,19 @@
return NT_STATUS_NO_MEMORY;
}
 
-   status = fill_domain_primary_info(mem_ctx, res1[0], &info1->domaininfo);
+   status = fill_domain_primary_info(mem_ctx, res1[0], &info1->domaininfo, 
local_domain);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
 
for (i=0;itrusts[i], False);
+   status = fill_domain_trust_info(mem_ctx, res2[i], 
&info1->trusts[i], NULL, False);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
}
 
-   status = fill_domain_trust_info(mem_ctx, res1[0], &info1->trusts[i], 
True);
+   status = fill_domain_trust_info(mem_ctx, res1[0], &info1->trusts[i], 
local_domain, True);
if (!NT_STATUS_IS_OK(status)) {
return status;
}



svn commit: samba r9022 - in branches/SAMBA_4_0/source/auth: .

2005-08-03 Thread abartlet
Author: abartlet
Date: 2005-08-03 23:14:38 + (Wed, 03 Aug 2005)
New Revision: 9022

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9022

Log:
One more step in the game of whack-a-mole with the PAC.

This makes the PAC we generate match (closely) the PAC generated by my
test win2k3 DC.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/auth_sam_reply.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/auth_sam_reply.c
===
--- branches/SAMBA_4_0/source/auth/auth_sam_reply.c 2005-08-03 22:07:57 UTC 
(rev 9021)
+++ branches/SAMBA_4_0/source/auth/auth_sam_reply.c 2005-08-03 23:14:38 UTC 
(rev 9022)
@@ -117,6 +117,10 @@
 
sam = &sam3->base;
 
+   sam->domain_sid = dom_sid_dup(mem_ctx, server_info->account_sid);
+   NT_STATUS_HAVE_NO_MEMORY(sam->domain_sid);
+   sam->domain_sid->num_auths--;
+
sam->last_logon = server_info->last_logon;
sam->last_logoff = server_info->last_logoff;
sam->acct_expiry = server_info->acct_expiry;
@@ -139,6 +143,26 @@
sam->groups.count = 0;
sam->groups.rids = NULL;
 
+   if (server_info->n_domain_groups > 0) {
+   int i;
+   sam->groups.rids = talloc_array(sam, struct 
samr_RidWithAttribute,
+   server_info->n_domain_groups);
+   NT_STATUS_HAVE_NO_MEMORY(sam->groups.rids);
+
+   for (i=0; in_domain_groups; i++) {
+   struct dom_sid *group_sid = 
server_info->domain_groups[i];
+
+   if (!dom_sid_in_domain(sam->domain_sid, group_sid)) {
+   continue;
+   }
+
+   sam->groups.rids[sam->groups.count].rid = 
group_sid->sub_auths[group_sid->num_auths-1];
+   sam->groups.rids[sam->groups.count].attributes = 
+   SE_GROUP_MANDATORY | 
SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+   sam->groups.count += 1;
+   }
+   }
+
sam->user_flags = 0x20; /* TODO: w2k3 uses 0x120.  We know 0x20
  * as extra sids (PAC doc) but what is
  * 0x100? */
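Review bot: The RID is read as `group_sid->sub_auths[group_sid->num_auths-1]` for every SID that passes `dom_sid_in_domain()`, which is only a RID of this domain if the SID has exactly one more sub-authority than `sam->domain_sid`. Whether `dom_sid_in_domain()` guarantees that is not visible here; if it only compares the prefix, add `if (group_sid->num_auths != sam->domain_sid->num_auths + 1) continue;` before the assignment so a deeper SID is not reported under a wrong RID. The array is sized for `n_domain_groups` while `groups.count` only counts the in-domain entries, which is fine but worth a one-line comment. The function starts and ends outside the hunk.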
@@ -146,10 +170,6 @@
sam->logon_server.string = lp_netbios_name();
sam->domain.string = server_info->domain_name;
 
-   sam->domain_sid = dom_sid_dup(mem_ctx, server_info->account_sid);
-   NT_STATUS_HAVE_NO_MEMORY(sam->domain_sid);
-   sam->domain_sid->num_auths--;
-
ZERO_STRUCT(sam->unknown);
 
ZERO_STRUCT(sam->key);
@@ -165,7 +185,7 @@
 
sam3->sidcount  = 0;
sam3->sids  = NULL;
-
+#if 0
if (server_info->n_domain_groups > 0) {
int i;
sam3->sids = talloc_array(sam, struct netr_SidAttr,
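Review bot: The `#if 0` added here (closed by the `#endif` in the last hunk of this file) compiles out the only code that filled `sam3->sids`, with no comment saying why or when it is meant to come back. With it disabled, groups outside the account's domain are dropped from the reply entirely, which changes the authorization data a consumer sees (a group referenced by a deny entry would no longer be present), while `sam->user_flags` is still set to 0x20, which the comment in the earlier hunk describes as "extra sids". I would add a comment above the `#if 0` stating that out-of-domain groups are currently not conveyed and why (presumably to match the w2k3 PAC, going by the log), and either clear the flag while `sidcount` is 0 or explain why it stays. The condition flip in the next hunk only takes effect once the block is re-enabled.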
@@ -173,7 +193,7 @@
NT_STATUS_HAVE_NO_MEMORY(sam3->sids);
 
for (i=0; in_domain_groups; i++) {
-   if (!dom_sid_in_domain(sam->domain_sid, 
server_info->domain_groups[i])) {
+   if (dom_sid_in_domain(sam->domain_sid, 
server_info->domain_groups[i])) {
continue;
}
sam3->sids[sam3->sidcount].sid = 
talloc_reference(sam3->sids,server_info->domain_groups[i]);
@@ -182,7 +202,7 @@
sam3->sidcount += 1;
}
}
-
+#endif
*_sam3 = sam3;
 
return NT_STATUS_OK;



svn commit: samba r9084 - in branches/SAMBA_4_0/source: auth/gensec auth/kerberos kdc torture/auth

2005-08-04 Thread abartlet
Author: abartlet
Date: 2005-08-05 00:41:53 + (Fri, 05 Aug 2005)
New Revision: 9084

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9084

Log:
'resign' the sample PAC for the validation of the signature algorithms.

If we ever get problems with the kerberos code, it should show up as a
different signature in this PAC.

This involved returning more data from the pac functions, so changed
some callers and split up some functions.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
   branches/SAMBA_4_0/source/auth/gensec/gensec_krb5.c
   branches/SAMBA_4_0/source/auth/kerberos/kerberos.h
   branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c
   branches/SAMBA_4_0/source/kdc/pac-glue.c
   branches/SAMBA_4_0/source/torture/auth/pac.c


Changeset:
Sorry, the patch is too large (581 lines) to include; please use WebSVN to see 
it!
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9084


svn commit: samba r9085 - in branches/SAMBA_4_0/source/include: .

2005-08-04 Thread abartlet
Author: abartlet
Date: 2005-08-05 00:56:21 + (Fri, 05 Aug 2005)
New Revision: 9085

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9085

Log:
Missing structs.h entry.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/include/structs.h


Changeset:
Modified: branches/SAMBA_4_0/source/include/structs.h
===
--- branches/SAMBA_4_0/source/include/structs.h 2005-08-05 00:41:53 UTC (rev 
9084)
+++ branches/SAMBA_4_0/source/include/structs.h 2005-08-05 00:56:21 UTC (rev 
9085)
@@ -90,6 +90,7 @@
 struct drsuapi_DsCrackNames;
 
 struct PAC_BUFFER;
+struct PAC_DATA;
 
 struct samr_ChangePasswordUser;
 struct samr_OemChangePasswordUser2;



svn commit: samba r9165 - in branches/SAMBA_4_0/source/auth/kerberos: .

2005-08-06 Thread abartlet
Author: abartlet
Date: 2005-08-06 22:43:09 + (Sat, 06 Aug 2005)
New Revision: 9165

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9165

Log:
Fix inverted error check in untested code path.  (My untested code...)

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c
===
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c  2005-08-06 
18:02:35 UTC (rev 9164)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c  2005-08-06 
22:43:09 UTC (rev 9165)
@@ -216,7 +216,7 @@
smb_krb5_context,
krbtgt_keyblock,
service_keyblock);
-   if (NT_STATUS_IS_OK(nt_status)) {
+   if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
 



svn commit: samba r9166 - in branches/SAMBA_4_0/source/torture: auth rpc

2005-08-06 Thread abartlet
Author: abartlet
Date: 2005-08-06 23:07:21 + (Sat, 06 Aug 2005)
New Revision: 9166

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9166

Log:
This checks more of auth subsystem in the PAC test.  

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/torture/auth/pac.c
   branches/SAMBA_4_0/source/torture/rpc/samlogon.c
   branches/SAMBA_4_0/source/torture/rpc/xplogin.c


Changeset:
Sorry, the patch is too large (443 lines) to include; please use WebSVN to see 
it!
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9166


svn commit: samba r9167 - in branches/SAMBA_4_0/source/torture/auth: .

2005-08-06 Thread abartlet
Author: abartlet
Date: 2005-08-06 23:25:00 + (Sat, 06 Aug 2005)
New Revision: 9167

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9167

Log:
Further PAC paranoia:  ensure the checksum fails if we modify it.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/torture/auth/pac.c


Changeset:
Modified: branches/SAMBA_4_0/source/torture/auth/pac.c
===
--- branches/SAMBA_4_0/source/torture/auth/pac.c2005-08-06 23:07:21 UTC 
(rev 9166)
+++ branches/SAMBA_4_0/source/torture/auth/pac.c2005-08-06 23:25:00 UTC 
(rev 9167)
@@ -308,7 +308,7 @@
return False;
}
 
-   tmp_blob = data_blob_const(saved_pac, sizeof(saved_pac));
+   tmp_blob = data_blob(saved_pac, sizeof(saved_pac));

/*tmp_blob.data = file_load(lp_parm_string(-1,"torture","pac_file"), 
&tmp_blob.length);*/

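Review bot: `tmp_blob` changes from a const view of `saved_pac` to a copy made by `data_blob()`, but none of the exit paths in the later hunks release it; they only call `talloc_free(mem_ctx)`. If `data_blob()` allocates outside `mem_ctx` (its definition is not on this page), the copy leaks on every return; `tmp_blob = data_blob_talloc(mem_ctx, saved_pac, sizeof(saved_pac));` would tie it to the context that is already freed. The result is also used without checking `tmp_blob.data` for NULL, and the last hunk writes into it.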
@@ -371,6 +371,11 @@
 
if (!dom_sid_equal(dom_sid_parse_talloc(mem_ctx, 
"S-1-5-21-3048156945-3961193616-3706469200-1005"), 
   server_info_out->account_sid)) {
+   krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+   &krbtgt_keyblock);
+   krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+   &server_keyblock);
+
printf("PAC Decode resulted in *different* domain SID: %s != 
%s\n",
   "S-1-5-21-3048156945-3961193616-3706469200-1005", 
   dom_sid_string(mem_ctx, server_info_out->account_sid));
@@ -385,12 +390,12 @@
  &server_keyblock,
  &validate_blob);
 
-   krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
-   &krbtgt_keyblock);
-   krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
-   &server_keyblock);
+   if (ret != 0) {
+   krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+   &krbtgt_keyblock);
+   krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+   &server_keyblock);
 
-   if (ret != 0) {
DEBUG(0, ("PAC push failed\n"));
talloc_free(mem_ctx);
return False;
@@ -403,6 +408,11 @@
 * pointer, padding etc algorithms as win2k3.
 */
if (tmp_blob.length != validate_blob.length) {
+   krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+   &krbtgt_keyblock);
+   krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+   &server_keyblock);
+
DEBUG(0, ("PAC push failed: orignial buffer length[%u] != 
created buffer length[%u]\n",
(unsigned)tmp_blob.length, 
(unsigned)validate_blob.length));
talloc_free(mem_ctx);
@@ -410,12 +420,41 @@
}
 
if (memcmp(tmp_blob.data, validate_blob.data, tmp_blob.length) != 0) {
+   krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+   &krbtgt_keyblock);
+   krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+   &server_keyblock);
+
DEBUG(0, ("PAC push failed: length[%u] matches, but data does 
not\n",
  (unsigned)tmp_blob.length));
talloc_free(mem_ctx);
return False;
}
 
+   /* Finally...  Bugger up the signature, and check we fail the checksum 
*/
+   
+   tmp_blob.data[tmp_blob.length - 2] = 0xff;
+   nt_status = kerberos_decode_pac(mem_ctx, &pac_data,
+   tmp_blob,
+   smb_krb5_context,
+   &krbtgt_keyblock,
+   &server_keyblock);
+   if (NT_STATUS_IS_OK(nt_status)) {
+   DEBUG(1, ("PAC decoding DID NOT fail on broken checksum\n"));
+
+   krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+   &krbtgt_keyblock);
+   krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+   &server_keyblock);
+   talloc_free(mem_ctx);
+   return False;
+   }
+
+   krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+   &krbtgt_keyblock);
+   krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
+   &server_keyblock);
+
talloc_free(mem_ctx);
return True;
 }
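Review bot: The new negative check at the end of the function passes on any non-OK status from `kerberos_decode_pac()`, so a decode that fails for an unrelated reason (parse error, allocation failure) is counted as "checksum rejected". Comparing against the specific status the checksum path returns would make the test prove what the log message claims; that status is not visible in this hunk, so it needs to be looked up. The tampering itself is `tmp_blob.data[tmp_blob.length - 2] = 0xff;`, which changes nothing if that byte is already 0xff and which assumes the second-to-last byte lies inside a signature; `tmp_blob.data[tmp_blob.length - 2] ^= 0xff;` with a comment naming which signature is being corrupted would be more robust. The function starts outside the hunk.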



svn commit: lorikeet r399 - in trunk/heimdal: . admin appl/afsutil appl/ftp appl/ftp/ftp appl/ftp/ftpd appl/kf appl/kx appl/login appl/otp appl/popper appl/push appl/rsh appl/su appl/telnet appl/telne

2005-08-08 Thread abartlet
Author: abartlet
Date: 2005-08-08 20:26:35 + (Mon, 08 Aug 2005)
New Revision: 399

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=399

Log:
Update to Heimdal CVS from 20050803 or so.

This tries to bring us up to date with current Heimdal, which I got
behind on, without including changes which conflict with our
modifications to GSSAPI and the KDC.

This is the easy part, the part of merging this into Samba4 will be
far more difficult.

Andrew Bartlett

Added:
   trunk/heimdal/appl/ftp/ftpd/klist.c
   trunk/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-26.txt
   trunk/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-27.txt
   trunk/heimdal/doc/standardisation/draft-ietf-kitten-gss-naming-02.txt
   trunk/heimdal/doc/standardisation/draft-ietf-kitten-gssapi-naming-exts-00.txt
   trunk/heimdal/doc/standardisation/draft-ietf-kitten-gssapi-prf-04.txt
   trunk/heimdal/doc/standardisation/draft-ietf-kitten-krb5-gssapi-prf-04.txt
   trunk/heimdal/doc/standardisation/draft-ietf-krb-wg-kerberos-referrals-06.txt
   trunk/heimdal/doc/standardisation/draft-ietf-krb-wg-ocsp-for-pkinit-05.txt
   trunk/heimdal/doc/standardisation/draft-ietf-krb-wg-ocsp-for-pkinit-06.txt
   trunk/heimdal/doc/standardisation/draft-swift-win2k-krb-user2user-02.txt
   trunk/heimdal/doc/standardisation/draft-swift-win2k-krb-user2user-03.txt
   trunk/heimdal/doc/standardisation/draft-zhu-kerb-enctype-nego-03.txt
   trunk/heimdal/doc/standardisation/rfc4120.txt
   trunk/heimdal/doc/standardisation/rfc4121.txt
   trunk/heimdal/fix-export
   trunk/heimdal/kcm/kcm_protos.h
   trunk/heimdal/lib/asn1/CMS.asn1
   trunk/heimdal/lib/asn1/ChangeLog
   trunk/heimdal/lib/asn1/asn1_gen.c
   trunk/heimdal/lib/asn1/asn1_queue.h
   trunk/heimdal/lib/asn1/canthandle.asn1
   trunk/heimdal/lib/asn1/der.c
   trunk/heimdal/lib/asn1/extra.c
   trunk/heimdal/lib/asn1/heim_asn1.h
   trunk/heimdal/lib/asn1/libasn1.h
   trunk/heimdal/lib/asn1/pkcs12.asn1
   trunk/heimdal/lib/asn1/pkcs8.asn1
   trunk/heimdal/lib/asn1/pkcs9.asn1
   trunk/heimdal/lib/asn1/test.asn1
   trunk/heimdal/lib/asn1/test.gen
   trunk/heimdal/lib/krb5/test_crypto_wrapping.c
   trunk/heimdal/lib/krb5/test_pkinit_dh2key.c
Removed:
   
trunk/heimdal/doc/standardisation/draft-ietf-krb-wg-kerberos-clarifications-07.txt
   trunk/heimdal/lib/asn1/gen.h
   trunk/heimdal/lib/des/asm/
   trunk/heimdal/lib/des/t/
Modified:
   trunk/heimdal/ChangeLog
   trunk/heimdal/admin/ChangeLog
   trunk/heimdal/admin/change.c
   trunk/heimdal/admin/get.c
   trunk/heimdal/admin/ktutil.c
   trunk/heimdal/admin/ktutil.cat8
   trunk/heimdal/admin/list.c
   trunk/heimdal/appl/afsutil/afslog.cat1
   trunk/heimdal/appl/afsutil/pagsh.cat1
   trunk/heimdal/appl/ftp/ChangeLog
   trunk/heimdal/appl/ftp/ftp/cmds.c
   trunk/heimdal/appl/ftp/ftp/cmdtab.c
   trunk/heimdal/appl/ftp/ftp/ftp.c
   trunk/heimdal/appl/ftp/ftp/ftp.cat1
   trunk/heimdal/appl/ftp/ftp/gssapi.c
   trunk/heimdal/appl/ftp/ftp/kauth.c
   trunk/heimdal/appl/ftp/ftp/ruserpass.c
   trunk/heimdal/appl/ftp/ftp/security.c
   trunk/heimdal/appl/ftp/ftpd/Makefile.am
   trunk/heimdal/appl/ftp/ftpd/extern.h
   trunk/heimdal/appl/ftp/ftpd/ftpcmd.y
   trunk/heimdal/appl/ftp/ftpd/ftpd.c
   trunk/heimdal/appl/ftp/ftpd/ftpd.cat8
   trunk/heimdal/appl/ftp/ftpd/ftpusers.cat5
   trunk/heimdal/appl/ftp/ftpd/gss_userok.c
   trunk/heimdal/appl/ftp/ftpd/kauth.c
   trunk/heimdal/appl/kf/kf.cat1
   trunk/heimdal/appl/kf/kfd.cat8
   trunk/heimdal/appl/kx/ChangeLog
   trunk/heimdal/appl/kx/common.c
   trunk/heimdal/appl/kx/krb4.c
   trunk/heimdal/appl/kx/krb5.c
   trunk/heimdal/appl/kx/kx.c
   trunk/heimdal/appl/kx/kx.cat1
   trunk/heimdal/appl/kx/kx.h
   trunk/heimdal/appl/kx/kxd.c
   trunk/heimdal/appl/kx/kxd.cat8
   trunk/heimdal/appl/kx/rxtelnet.cat1
   trunk/heimdal/appl/kx/rxterm.cat1
   trunk/heimdal/appl/kx/tenletxr.cat1
   trunk/heimdal/appl/login/login.access.cat5
   trunk/heimdal/appl/login/login.cat1
   trunk/heimdal/appl/otp/otp.cat1
   trunk/heimdal/appl/otp/otpprint.cat1
   trunk/heimdal/appl/popper/popper.cat8
   trunk/heimdal/appl/push/pfrom.cat1
   trunk/heimdal/appl/push/push.cat8
   trunk/heimdal/appl/rsh/rsh.cat1
   trunk/heimdal/appl/rsh/rshd.cat8
   trunk/heimdal/appl/su/su.cat1
   trunk/heimdal/appl/telnet/ChangeLog
   trunk/heimdal/appl/telnet/libtelnet/kerberos.c
   trunk/heimdal/appl/telnet/telnet/telnet.cat1
   trunk/heimdal/appl/telnet/telnetd/telnetd.cat8
   trunk/heimdal/appl/xnlock/xnlock.cat1
   trunk/heimdal/cf/ChangeLog
   trunk/heimdal/cf/Makefile.am.common
   trunk/heimdal/cf/check-compile-et.m4
   trunk/heimdal/cf/check-symbols.sh
   trunk/heimdal/cf/crypto.m4
   trunk/heimdal/compile
   trunk/heimdal/config.abartlet
   trunk/heimdal/config.guess
   trunk/heimdal/config.sub
   trunk/heimdal/configure.in
   trunk/heimdal/doc/setup.texi
   trunk/heimdal/doc/win2k.texi
   trunk/heimdal/install-sh
   trunk/heimdal/kadmin/ChangeLog
   trunk/heimdal/kadmin/add-random-users.c
   trunk/heimda

svn commit: samba r9217 - in branches/SAMBA_4_0/source/heimdal_build: .

2005-08-08 Thread abartlet
Author: abartlet
Date: 2005-08-08 22:14:40 + (Mon, 08 Aug 2005)
New Revision: 9217

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9217

Log:
Add 'make clean' hooks to the asn1 dependency generator.

To be used by the impending Heimdal resync, which has files starting
with asn1_ that are not generated.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/heimdal_build/asn1_deps.pl


Changeset:
Modified: branches/SAMBA_4_0/source/heimdal_build/asn1_deps.pl
===
--- branches/SAMBA_4_0/source/heimdal_build/asn1_deps.pl2005-08-08 
22:14:37 UTC (rev 9216)
+++ branches/SAMBA_4_0/source/heimdal_build/asn1_deps.pl2005-08-08 
22:14:40 UTC (rev 9217)
@@ -7,7 +7,8 @@
 
 my $file = shift;
 my $prefix = shift;
-
+my $x_file, @x_files;
+my $c_file, @c_files;
 if (not defined ($prefix)) { $prefix = "asn1"; }
 
 $dirname = dirname($file);
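Review bot: `my $x_file, @x_files;` and `my $c_file, @c_files;` declare only the scalars: without parentheses `my` binds to the first variable, so `@x_files` and `@c_files` are package globals and Perl warns about missing parentheses around the "my" list when warnings are on. It works as long as the script does not `use strict`, which is not visible in this hunk. Writing `my ($x_file, @x_files);` and `my ($c_file, @c_files);` gives the intended lexicals.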
@@ -24,9 +25,23 @@
if (/^([A-Za-z0-9_-]+)[ \t]*::= /) {
my $output = $1;
$output =~ s/-/_/g;
-   print "$dirname/asn1_$output.x: $header\n";
-   print "$dirname/asn1_$output.c: $dirname/asn1_$output.x\n";
-   print "[EMAIL PROTECTED] $dirname/asn1_$output.x 
$dirname/asn1_$output.c\n\n";
+   $c_file = "$dirname/asn1_$output.c";
+   $x_file = "$dirname/asn1_$output.x";
+   print "$x_file: $header\n";
+   print "$c_file: $dirname/asn1_$output.x\n";
+   print "[EMAIL PROTECTED] $x_file $c_file\n\n";
+   push @x_files, $x_file;
+   push @c_files, $c_file;
}
 }
 close(IN);
+print $prefix."_clean: \n";
+print "[EMAIL PROTECTED] \"Deleting ASN1 ouput files generated from $file\"";
+print "[EMAIL PROTECTED] -f $header";
+foreach $c_file (@c_files) {
+print "[EMAIL PROTECTED] -f $c_file";
+}
+foreach $x_file (@x_files) {
+print "[EMAIL PROTECTED] -f $x_file";
+}
+print "\n\n";



svn commit: lorikeet r400 - in trunk/heimdal/kdc: .

2005-08-08 Thread abartlet
Author: abartlet
Date: 2005-08-09 00:22:28 + (Tue, 09 Aug 2005)
New Revision: 400

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=400

Log:
Only spit out one error message per TGS authenticator failure.

Now to figure out why we are getting them...

Andrew Bartlett

Modified:
   trunk/heimdal/kdc/kerberos5.c


Changeset:
Modified: trunk/heimdal/kdc/kerberos5.c
===
--- trunk/heimdal/kdc/kerberos5.c   2005-08-08 20:26:35 UTC (rev 399)
+++ trunk/heimdal/kdc/kerberos5.c   2005-08-09 00:22:28 UTC (rev 400)
@@ -189,22 +189,26 @@
  KerberosTime authtime, KerberosTime *starttime, 
  KerberosTime endtime, KerberosTime *renew_till)
 {
-char atime[100], stime[100], etime[100], rtime[100];
+char authtime_str[100], starttime_str[100], endtime_str[100], 
renewtime_str[100];
 
-krb5_format_time(context, authtime, atime, sizeof(atime), TRUE); 
+krb5_format_time(context, authtime, 
+authtime_str, sizeof(authtime_str), TRUE); 
 if (starttime)
-   krb5_format_time(context, *starttime, stime, sizeof(stime), TRUE); 
+   krb5_format_time(context, *starttime, 
+starttime_str, sizeof(starttime_str), TRUE); 
 else
-   strlcpy(stime, "unset", sizeof(stime));
-krb5_format_time(context, endtime, etime, sizeof(etime), TRUE); 
+   strlcpy(starttime_str, "unset", sizeof(starttime_str));
+krb5_format_time(context, endtime, 
+endtime_str, sizeof(endtime_str), TRUE); 
 if (renew_till)
-   krb5_format_time(context, *renew_till, rtime, sizeof(rtime), TRUE); 
+   krb5_format_time(context, *renew_till, 
+renewtime_str, sizeof(renewtime_str), TRUE); 
 else
-   strlcpy(rtime, "unset", sizeof(rtime));
+   strlcpy(renewtime_str, "unset", sizeof(renewtime_str));
 
 kdc_log(context, config, 5,
"%s authtime: %s starttime: %s endtype: %s renew till: %s",
-   type, atime, stime, etime, rtime);
+   type, authtime_str, starttime_str, endtime_str, renewtime_str);
 }
 
 static krb5_error_code
@@ -928,17 +932,18 @@
  &ts_data);
krb5_crypto_destroy(context, crypto);
if(ret){
-   ret = krb5_enctype_to_string(context, 
+   krb5_error_code ret2;
+   ret2 = krb5_enctype_to_string(context, 
 pa_key->key.keytype, &str);
-   if (ret)
+   if (ret2)
str = NULL;
kdc_log(context, config, 5, 
"Failed to decrypt PA-DATA -- %s "
-   "(enctype %s) error %d",
-   client_name, str ? str : "unknown enctype", ret);
+   "(enctype %s) error %s",
+   client_name, str ? str : "unknown enctype", 
+   krb5_get_err_text(context, ret));
free(str);
 
-
if(hdb_next_enctype2key(context, client, 
enc_data.etype, &pa_key) == 0)
goto try_next_key;
@@ -1901,7 +1906,7 @@
 free(buf);
 krb5_crypto_destroy(context, crypto);
 if(ret){
-   kdc_log(context, config, 0, "Failed to verify checksum: %s", 
+   kdc_log(context, config, 0, "Failed to verify authenticator checksum: 
%s", 
krb5_get_err_text(context, ret));
 }
 out:
@@ -2097,7 +2102,11 @@
 
 ret = tgs_check_authenticator(context, config, 
  ac, b, &e_text, &tgt->key);
-
+if(ret){
+   krb5_auth_con_free(context, ac);
+   goto out2;
+}
+
 if (b->enc_authorization_data) {
krb5_keyblock *subkey;
krb5_data ad;
@@ -2158,14 +2167,6 @@
}
 }
 
-krb5_auth_con_free(context, ac);
-
-if(ret){
-   kdc_log(context, config, 0, "Failed to verify authenticator: %s", 
-   krb5_get_err_text(context, ret));
-   goto out2;
-}
-
 {
PrincipalName *s;
Realm r;



svn commit: lorikeet r401 - in trunk/heimdal: .

2005-08-08 Thread abartlet
Author: abartlet
Date: 2005-08-09 00:49:33 + (Tue, 09 Aug 2005)
New Revision: 401

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=401

Log:
Don't clobber the script at the conclusion of fix-export (I may use
this script in ./autogen.sh in future).

Andrew Bartlett

Modified:
   trunk/heimdal/fix-export


Changeset:
Modified: trunk/heimdal/fix-export
===
--- trunk/heimdal/fix-export2005-08-09 00:22:28 UTC (rev 400)
+++ trunk/heimdal/fix-export2005-08-09 00:49:33 UTC (rev 401)
@@ -76,7 +76,4 @@
 make_proto kcm kcm_protos.h /dev/null '$(kcm_SOURCES)'
 make_proto kdc kdc-protos.h /dev/null '$(libkdc_la_SOURCES)'
 
-rm fix-export make-release make-release.el
-find . -name .cvsignore -print | xargs rm
-find . -name .__afs\* -print | xargs rm
 rm -fr autom4te*.cache



svn commit: lorikeet r402 - in trunk/heimdal: .

2005-08-08 Thread abartlet
Author: abartlet
Date: 2005-08-09 00:50:21 + (Tue, 09 Aug 2005)
New Revision: 402

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=402

Log:
Try to fix the build issue on lorikeet-heimdal, by removing some of
the scripts that autoconf likes to install.

Andrew Bartlett

Removed:
   trunk/heimdal/compile
   trunk/heimdal/missing
   trunk/heimdal/ylwrap


Changeset:
Sorry, the patch is too large (732 lines) to include; please use WebSVN to see 
it!
WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=402


svn commit: lorikeet r403 - in trunk/heimdal: .

2005-08-08 Thread abartlet
Author: abartlet
Date: 2005-08-09 01:37:55 + (Tue, 09 Aug 2005)
New Revision: 403

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=403

Log:
Remove all the auto* 'installed files' from SVN.

Andrew Bartlett

Removed:
   trunk/heimdal/config.guess
   trunk/heimdal/config.sub
   trunk/heimdal/ltmain.sh


Changeset:
Sorry, the patch is too large (9444 lines) to include; please use WebSVN to see 
it!
WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=403


svn commit: samba r9221 - in branches/SAMBA_4_0/source: heimdal heimdal/kdc heimdal/lib/asn1 heimdal/lib/com_err heimdal/lib/des heimdal/lib/gssapi heimdal/lib/hdb heimdal/lib/krb5 heimdal/lib/roken h

2005-08-08 Thread abartlet
Author: abartlet
Date: 2005-08-09 03:04:47 + (Tue, 09 Aug 2005)
New Revision: 9221

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9221

Log:
Try to merge Heimdal across from lorikeet-heimdal to samba4. 

This is my first attempt at this, so there may be a few rough edges.

Andrew Bartlett

Added:
   branches/SAMBA_4_0/source/heimdal/fix-export
   branches/SAMBA_4_0/source/heimdal/lib/asn1/CMS.asn1
   branches/SAMBA_4_0/source/heimdal/lib/asn1/asn1_gen.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/asn1_queue.h
   branches/SAMBA_4_0/source/heimdal/lib/asn1/canthandle.asn1
   branches/SAMBA_4_0/source/heimdal/lib/asn1/der.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/extra.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/heim_asn1.h
   branches/SAMBA_4_0/source/heimdal/lib/asn1/libasn1.h
   branches/SAMBA_4_0/source/heimdal/lib/asn1/pkcs12.asn1
   branches/SAMBA_4_0/source/heimdal/lib/asn1/pkcs8.asn1
   branches/SAMBA_4_0/source/heimdal/lib/asn1/pkcs9.asn1
   branches/SAMBA_4_0/source/heimdal/lib/asn1/test.asn1
   branches/SAMBA_4_0/source/heimdal/lib/asn1/test.gen
   branches/SAMBA_4_0/source/heimdal/lib/krb5/test_crypto_wrapping.c
   branches/SAMBA_4_0/source/heimdal/lib/krb5/test_pkinit_dh2key.c
   branches/SAMBA_4_0/source/heimdal/lib/roken/ecalloc.c
   branches/SAMBA_4_0/source/heimdal/lib/roken/estrdup.c
Modified:
   branches/SAMBA_4_0/source/heimdal/kdc/kerberos5.c
   branches/SAMBA_4_0/source/heimdal/kdc/pkinit.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/asn1-common.h
   branches/SAMBA_4_0/source/heimdal/lib/asn1/der.h
   branches/SAMBA_4_0/source/heimdal/lib/asn1/der_cmp.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/der_copy.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/der_free.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/der_get.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/der_length.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/der_locl.h
   branches/SAMBA_4_0/source/heimdal/lib/asn1/der_put.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/gen.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/gen_copy.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/gen_decode.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/gen_encode.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/gen_free.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/gen_glue.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/gen_length.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/gen_locl.h
   branches/SAMBA_4_0/source/heimdal/lib/asn1/hash.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/k5.asn1
   branches/SAMBA_4_0/source/heimdal/lib/asn1/lex.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/lex.h
   branches/SAMBA_4_0/source/heimdal/lib/asn1/lex.l
   branches/SAMBA_4_0/source/heimdal/lib/asn1/main.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/parse.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/parse.h
   branches/SAMBA_4_0/source/heimdal/lib/asn1/parse.y
   branches/SAMBA_4_0/source/heimdal/lib/asn1/symbol.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/symbol.h
   branches/SAMBA_4_0/source/heimdal/lib/com_err/lex.c
   branches/SAMBA_4_0/source/heimdal/lib/com_err/parse.c
   branches/SAMBA_4_0/source/heimdal/lib/com_err/parse.h
   branches/SAMBA_4_0/source/heimdal/lib/des/des.c
   branches/SAMBA_4_0/source/heimdal/lib/des/des.h
   branches/SAMBA_4_0/source/heimdal/lib/des/rnd_keys.c
   branches/SAMBA_4_0/source/heimdal/lib/gssapi/accept_sec_context.c
   branches/SAMBA_4_0/source/heimdal/lib/gssapi/init_sec_context.c
   branches/SAMBA_4_0/source/heimdal/lib/hdb/hdb-private.h
   branches/SAMBA_4_0/source/heimdal/lib/krb5/crypto.c
   branches/SAMBA_4_0/source/heimdal/lib/krb5/get_cred.c
   branches/SAMBA_4_0/source/heimdal/lib/krb5/keytab.c
   branches/SAMBA_4_0/source/heimdal/lib/krb5/keytab_file.c
   branches/SAMBA_4_0/source/heimdal/lib/krb5/krb5-private.h
   branches/SAMBA_4_0/source/heimdal/lib/krb5/krb5-protos.h
   branches/SAMBA_4_0/source/heimdal/lib/krb5/krb5.h
   branches/SAMBA_4_0/source/heimdal/lib/krb5/pkinit.c
   branches/SAMBA_4_0/source/heimdal/lib/krb5/principal.c
   branches/SAMBA_4_0/source/heimdal/lib/krb5/rd_cred.c
   branches/SAMBA_4_0/source/heimdal/lib/roken/base64.c
   branches/SAMBA_4_0/source/heimdal/lib/roken/gai_strerror.c
   branches/SAMBA_4_0/source/heimdal/lib/roken/roken.h
   branches/SAMBA_4_0/source/heimdal_build/asn1_deps.pl
   branches/SAMBA_4_0/source/heimdal_build/config.mk
   branches/SAMBA_4_0/source/heimdal_build/krb5-types.h


Changeset:
Sorry, the patch is too large (19374 lines) to include; please use WebSVN to 
see it!
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9221


svn commit: samba r9233 - in branches/SAMBA_4_0/source/auth/gensec: .

2005-08-10 Thread abartlet
Author: abartlet
Date: 2005-08-10 22:27:04 + (Wed, 10 Aug 2005)
New Revision: 9233

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9233

Log:
Ensure that the output variable is initialised in this conversion from
error to non-error case.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/gensec/spnego.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/gensec/spnego.c
===
--- branches/SAMBA_4_0/source/auth/gensec/spnego.c  2005-08-10 20:47:03 UTC 
(rev 9232)
+++ branches/SAMBA_4_0/source/auth/gensec/spnego.c  2005-08-10 22:27:04 UTC 
(rev 9233)
@@ -354,6 +354,7 @@
 * for better luck next time */
 
if (NT_STATUS_EQUAL(nt_status, 
NT_STATUS_INVALID_PARAMETER)) {
+   *unwrapped_out = data_blob(NULL, 0);
nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
}
}
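Review bot: `*unwrapped_out` is initialised only inside the `NT_STATUS_INVALID_PARAMETER` branch, so the guarantee that the caller sees a defined blob together with `NT_STATUS_MORE_PROCESSING_REQUIRED` holds only while this is the single place where an error is turned into a non-error status. Setting `*unwrapped_out = data_blob(NULL, 0);` once before the sub-mechanism is tried would also cover any conversion added later. The enclosing function starts and ends outside the hunk, so whether such an initialisation already exists cannot be seen here. A short comment on the new line, for example `/* no token to send on fallback; never return an unset blob */`, would record why it is needed.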



svn commit: samba r9234 - in branches/SAMBA_4_0/source/torture/auth: .

2005-08-10 Thread abartlet
Author: abartlet
Date: 2005-08-10 22:27:55 + (Wed, 10 Aug 2005)
New Revision: 9234

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9234

Log:
Ensure we always change the end of the PAC, no matter what it is.  Fix
typo in comment.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/torture/auth/pac.c


Changeset:
Modified: branches/SAMBA_4_0/source/torture/auth/pac.c
===
--- branches/SAMBA_4_0/source/torture/auth/pac.c2005-08-10 22:27:04 UTC 
(rev 9233)
+++ branches/SAMBA_4_0/source/torture/auth/pac.c2005-08-10 22:27:55 UTC 
(rev 9234)
@@ -413,7 +413,7 @@
krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
&server_keyblock);
 
-   DEBUG(0, ("PAC push failed: orignial buffer length[%u] != 
created buffer length[%u]\n",
+   DEBUG(0, ("PAC push failed: original buffer length[%u] != 
created buffer length[%u]\n",
(unsigned)tmp_blob.length, 
(unsigned)validate_blob.length));
talloc_free(mem_ctx);
return False;
@@ -432,8 +432,8 @@
}
 
/* Finally...  Bugger up the signature, and check we fail the checksum 
*/
-   
-   tmp_blob.data[tmp_blob.length - 2] = 0xff;
+   tmp_blob.data[tmp_blob.length - 2]++;
+
nt_status = kerberos_decode_pac(mem_ctx, &pac_data,
tmp_blob,
smb_krb5_context,



svn commit: samba r9235 - in branches/SAMBA_4_0/source/kdc: .

2005-08-10 Thread abartlet
Author: abartlet
Date: 2005-08-10 22:28:37 + (Wed, 10 Aug 2005)
New Revision: 9235

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9235

Log:
Remove attribute search we no longer reference.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/kdc/hdb-ldb.c


Changeset:
Modified: branches/SAMBA_4_0/source/kdc/hdb-ldb.c
===
--- branches/SAMBA_4_0/source/kdc/hdb-ldb.c 2005-08-10 22:27:55 UTC (rev 
9234)
+++ branches/SAMBA_4_0/source/kdc/hdb-ldb.c 2005-08-10 22:28:37 UTC (rev 
9235)
@@ -46,7 +46,6 @@
 static const char * const krb5_attrs[] = {
"objectClass",
"cn",
-   "name",
"sAMAccountName",
 
"userPrincipalName",



svn commit: lorikeet r407 - in trunk/heimdal: . appl/ftp appl/login appl/telnet appl/telnet/telnetd kadmin kcm kdc lib/asn1 lib/gssapi lib/hdb lib/kadm5 lib/kafs lib/krb5 tests tests/db

2005-08-12 Thread abartlet
Author: abartlet
Date: 2005-08-12 07:57:52 + (Fri, 12 Aug 2005)
New Revision: 407

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=407

Log:
Update Lorikeet-Heimdal to today (20050812)'s Heimdal CVS.

Andrew Bartlett

Added:
   trunk/heimdal/lib/hdb/ext.c
   trunk/heimdal/tests/
   trunk/heimdal/tests/ChangeLog
   trunk/heimdal/tests/Makefile.am
   trunk/heimdal/tests/db/
   trunk/heimdal/tests/db/Makefile.am
   trunk/heimdal/tests/db/krb5.conf.in
   trunk/heimdal/tests/db/loaddump-db.in
   trunk/heimdal/tests/db/text-dump-0.7
   trunk/heimdal/tests/db/text-dump-known-ext
   trunk/heimdal/tests/db/text-dump-no-ext
   trunk/heimdal/tests/db/text-dump-unknown-ext
Modified:
   trunk/heimdal/ChangeLog
   trunk/heimdal/NEWS
   trunk/heimdal/appl/ftp/ChangeLog
   trunk/heimdal/appl/login/ChangeLog
   trunk/heimdal/appl/login/login.c
   trunk/heimdal/appl/telnet/ChangeLog
   trunk/heimdal/appl/telnet/telnetd/ext.h
   trunk/heimdal/appl/telnet/telnetd/state.c
   trunk/heimdal/appl/telnet/telnetd/sys_term.c
   trunk/heimdal/appl/telnet/telnetd/telnetd.c
   trunk/heimdal/appl/telnet/telnetd/utility.c
   trunk/heimdal/configure.in
   trunk/heimdal/fix-export
   trunk/heimdal/kadmin/ChangeLog
   trunk/heimdal/kadmin/get.c
   trunk/heimdal/kadmin/kadmin-commands.in
   trunk/heimdal/kadmin/kadmin_locl.h
   trunk/heimdal/kadmin/load.c
   trunk/heimdal/kadmin/server.c
   trunk/heimdal/kcm/acquire.c
   trunk/heimdal/kdc/kerberos5.c
   trunk/heimdal/lib/asn1/ChangeLog
   trunk/heimdal/lib/asn1/asn1_gen.c
   trunk/heimdal/lib/asn1/canthandle.asn1
   trunk/heimdal/lib/gssapi/ChangeLog
   trunk/heimdal/lib/gssapi/init_sec_context.c
   trunk/heimdal/lib/hdb/Makefile.am
   trunk/heimdal/lib/hdb/common.c
   trunk/heimdal/lib/hdb/db3.c
   trunk/heimdal/lib/hdb/hdb-private.h
   trunk/heimdal/lib/hdb/hdb-protos.h
   trunk/heimdal/lib/hdb/hdb.asn1
   trunk/heimdal/lib/hdb/hdb.h
   trunk/heimdal/lib/hdb/hdb_err.et
   trunk/heimdal/lib/hdb/mkey.c
   trunk/heimdal/lib/hdb/print.c
   trunk/heimdal/lib/kadm5/ChangeLog
   trunk/heimdal/lib/kadm5/admin.h
   trunk/heimdal/lib/kadm5/chpass_s.c
   trunk/heimdal/lib/kadm5/ent_setup.c
   trunk/heimdal/lib/kadm5/get_s.c
   trunk/heimdal/lib/kadm5/kadm5_err.et
   trunk/heimdal/lib/kadm5/log.c
   trunk/heimdal/lib/kadm5/randkey_s.c
   trunk/heimdal/lib/kadm5/set_keys.c
   trunk/heimdal/lib/kafs/ChangeLog
   trunk/heimdal/lib/krb5/krb5_verify_user.3
   trunk/heimdal/lib/krb5/test_pkinit_dh2key.c
   trunk/heimdal/lib/krb5/verify_user.c


Changeset:
Sorry, the patch is too large (2975 lines) to include; please use WebSVN to see 
it!
WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=407


svn commit: lorikeet r408 - in trunk/heimdal/lib/roken: .

2005-08-12 Thread abartlet
Author: abartlet
Date: 2005-08-12 09:25:51 + (Fri, 12 Aug 2005)
New Revision: 408

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=408

Log:
Try to remove references to make-roken

Andrew Bartlett

Modified:
   trunk/heimdal/lib/roken/Makefile.am


Changeset:
Modified: trunk/heimdal/lib/roken/Makefile.am
===
--- trunk/heimdal/lib/roken/Makefile.am 2005-08-12 07:57:52 UTC (rev 407)
+++ trunk/heimdal/lib/roken/Makefile.am 2005-08-12 09:25:51 UTC (rev 408)
@@ -12,8 +12,6 @@
 
 noinst_PROGRAMS = snprintf-test resolve-test
 
-nodist_make_roken_SOURCES = make-roken.c
-
 check_PROGRAMS =   \
base64-test \
getaddrinfo-test\
@@ -28,7 +26,6 @@
 TESTS = $(check_PROGRAMS)
 
 LDADD = libroken.la $(LIB_crypt)
-make_roken_LDADD = 
 
 noinst_LTLIBRARIES = libtest.la
 libtest_la_SOURCES = strftime.c strptime.c snprintf.c
@@ -160,8 +157,6 @@
 
 build_HEADERZ = test-mem.h
 
-nodist_include_HEADERS = roken.h
-
 man_MANS = getarg.3 parse_time.3 rtbl.3
 
 SUFFIXES += .hin



svn commit: lorikeet r409 - in trunk/heimdal: .

2005-08-12 Thread abartlet
Author: abartlet
Date: 2005-08-12 10:19:09 + (Fri, 12 Aug 2005)
New Revision: 409

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=409

Log:
Use the full 'fix-export' script from upstream heimdal.  See if this
runs better...

Andrew Bartlett

Modified:
   trunk/heimdal/autogen.sh


Changeset:
Modified: trunk/heimdal/autogen.sh
===
--- trunk/heimdal/autogen.sh2005-08-12 09:25:51 UTC (rev 408)
+++ trunk/heimdal/autogen.sh2005-08-12 10:19:09 UTC (rev 409)
@@ -1,4 +1,4 @@
 #!/bin/sh
 rm -rf autom4*.cache
-autoreconf -i
-rm -rf autom4*.cache
+./fix-export .
+



svn commit: lorikeet r417 - in trunk/heimdal/cf: .

2005-08-14 Thread abartlet
Author: abartlet
Date: 2005-08-15 01:37:13 + (Mon, 15 Aug 2005)
New Revision: 417

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=417

Log:
I don't think we need this auto-update definition in cf/check-var.cf
any more, and it seems to get in the way of using this file in
Samba4's configure.

Andrew Bartlett

Modified:
   trunk/heimdal/cf/check-var.m4


Changeset:
Modified: trunk/heimdal/cf/check-var.m4
===
--- trunk/heimdal/cf/check-var.m4   2005-08-14 17:31:09 UTC (rev 416)
+++ trunk/heimdal/cf/check-var.m4   2005-08-15 01:37:13 UTC (rev 417)
@@ -23,5 +23,3 @@
 fi
 ])
 
-AC_WARNING_ENABLE([obsolete])
-AU_DEFUN([AC_CHECK_VAR], [rk_CHECK_VAR([$2], [$1])], [foo])



svn commit: samba r9305 - in branches/SAMBA_4_0/source: heimdal heimdal/cf heimdal_build

2005-08-14 Thread abartlet
Author: abartlet
Date: 2005-08-15 01:38:21 + (Mon, 15 Aug 2005)
New Revision: 9305

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9305

Log:
Use the check-var.m4 from roken to really, really detect h_errno correctly.

This fixes the build on Fedora Core 4.

Andrew Bartlett

Added:
   branches/SAMBA_4_0/source/heimdal/cf/
   branches/SAMBA_4_0/source/heimdal/cf/check-var.m4
Modified:
   branches/SAMBA_4_0/source/heimdal_build/config.m4


Changeset:
Added: branches/SAMBA_4_0/source/heimdal/cf/check-var.m4
===
--- branches/SAMBA_4_0/source/heimdal/cf/check-var.m4   2005-08-14 12:13:32 UTC 
(rev 9304)
+++ branches/SAMBA_4_0/source/heimdal/cf/check-var.m4   2005-08-15 01:38:21 UTC 
(rev 9305)
@@ -0,0 +1,25 @@
+dnl $Id: check-var.m4,v 1.12 2005/06/16 18:59:10 lha Exp $
+dnl
+dnl rk_CHECK_VAR(variable, includes)
+AC_DEFUN([rk_CHECK_VAR], [
+AC_MSG_CHECKING(for $1)
+AC_CACHE_VAL(ac_cv_var_$1, [
+m4_ifval([$2],[
+   AC_LINK_IFELSE([AC_LANG_PROGRAM([[$2
+   void * foo(void) { return &$1; }]],[[foo()]])],
+   [ac_cv_var_$1=yes],[ac_cv_var_$1=no])])
+if test "$ac_cv_var_$1" != yes ; then
+AC_LINK_IFELSE([AC_LANG_PROGRAM([[extern int $1;
+int foo(void) { return $1; }]],[[foo()]])],
+   [ac_cv_var_$1=yes],[ac_cv_var_$1=no])
+fi
+])
+ac_foo=`eval echo \\$ac_cv_var_$1`
+AC_MSG_RESULT($ac_foo)
+if test "$ac_foo" = yes; then
+   AC_DEFINE_UNQUOTED(AS_TR_CPP(HAVE_[]$1), 1, 
+   [Define if you have the `]$1[' variable.])
+   m4_ifval([$2], AC_CHECK_DECLS([$1],[],[],[$2]))
+fi
+])
+

Modified: branches/SAMBA_4_0/source/heimdal_build/config.m4
===
--- branches/SAMBA_4_0/source/heimdal_build/config.m4   2005-08-14 12:13:32 UTC 
(rev 9304)
+++ branches/SAMBA_4_0/source/heimdal_build/config.m4   2005-08-15 01:38:21 UTC 
(rev 9305)
@@ -1,4 +1,3 @@
-
 m4_define([upcase],`echo $1 | tr abcdefghijklmnopqrstuvwxyz 
ABCDEFGHIJKLMNOPQRSTUVWXYZ`)dnl
 
 dnl love_FIND_FUNC(func, includes, arguments)
@@ -165,9 +164,11 @@
 fi
 AC_SUBST(VOID_RETSIGTYPE)
 
-AC_CHECK_DECL(h_errno, 
-  [AC_DEFINE(HAVE_DECL_H_ERRNO,1,whether h_errno is declared)], 
[], [
-#ifdef HAVE_SYS_TYPES_H
+
+sinclude(heimdal/cf/check-var.m4)
+
+rk_CHECK_VAR(h_errno, 
+[#ifdef HAVE_SYS_TYPES_H
 #include 
 #endif
 #ifdef HAVE_NETDB_H



svn commit: lorikeet r418 - in trunk/heimdal: .

2005-08-14 Thread abartlet
Author: abartlet
Date: 2005-08-15 02:05:48 + (Mon, 15 Aug 2005)
New Revision: 418

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=418

Log:
Don't modify configure.in in the fix-export script run.

Andrew Bartlett

Modified:
   trunk/heimdal/fix-export


Changeset:
Modified: trunk/heimdal/fix-export
===
--- trunk/heimdal/fix-export2005-08-15 01:37:13 UTC (rev 417)
+++ trunk/heimdal/fix-export2005-08-15 02:05:48 UTC (rev 418)
@@ -27,11 +27,6 @@
 echo "$M"
 echo "$M" | sed -e 's/./*/g'
 
-ed -s configure.in << END
-/test -z/s,^,#,
-w
-q
-END
 autoreconf --force --install
 (cd doc && makeinfo heimdal.texi)
 



svn commit: lorikeet r419 - in trunk/heimdal: . admin appl/afsutil appl/ftp/ftp appl/ftp/ftpd appl/kf appl/kx appl/login appl/otp appl/popper appl/push appl/rsh appl/su appl/telnet/telnet appl/telnet/

2005-08-14 Thread abartlet
Author: abartlet
Date: 2005-08-15 02:14:38 + (Mon, 15 Aug 2005)
New Revision: 419

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=419

Log:
Remove generated files from lorikeet-heimdal SVN.

This should make comparing clean checkouts with heimdal CVS easier.

Andrew Bartlett

Removed:
   trunk/heimdal/admin/ktutil.cat8
   trunk/heimdal/appl/afsutil/afslog.cat1
   trunk/heimdal/appl/afsutil/pagsh.cat1
   trunk/heimdal/appl/ftp/ftp/ftp.cat1
   trunk/heimdal/appl/ftp/ftpd/ftpd.cat8
   trunk/heimdal/appl/ftp/ftpd/ftpusers.cat5
   trunk/heimdal/appl/kf/kf.cat1
   trunk/heimdal/appl/kf/kfd.cat8
   trunk/heimdal/appl/kx/kx.cat1
   trunk/heimdal/appl/kx/kxd.cat8
   trunk/heimdal/appl/kx/rxtelnet.cat1
   trunk/heimdal/appl/kx/rxterm.cat1
   trunk/heimdal/appl/kx/tenletxr.cat1
   trunk/heimdal/appl/login/login.access.cat5
   trunk/heimdal/appl/login/login.cat1
   trunk/heimdal/appl/login/login_protos.h
   trunk/heimdal/appl/otp/otp.cat1
   trunk/heimdal/appl/otp/otpprint.cat1
   trunk/heimdal/appl/popper/popper.cat8
   trunk/heimdal/appl/push/pfrom.cat1
   trunk/heimdal/appl/push/push.cat8
   trunk/heimdal/appl/rsh/rsh.cat1
   trunk/heimdal/appl/rsh/rshd.cat8
   trunk/heimdal/appl/su/su.cat1
   trunk/heimdal/appl/telnet/telnet/telnet.cat1
   trunk/heimdal/appl/telnet/telnetd/telnetd.cat8
   trunk/heimdal/appl/xnlock/xnlock.cat1
   trunk/heimdal/install-sh
   trunk/heimdal/kadmin/kadmin.cat8
   trunk/heimdal/kadmin/kadmind.cat8
   trunk/heimdal/kcm/kcm.cat8
   trunk/heimdal/kcm/kcm_protos.h
   trunk/heimdal/kdc/hprop.cat8
   trunk/heimdal/kdc/hpropd.cat8
   trunk/heimdal/kdc/kdc-protos.h
   trunk/heimdal/kdc/kdc.cat8
   trunk/heimdal/kdc/kstash.cat8
   trunk/heimdal/kdc/string2key.cat8
   trunk/heimdal/kpasswd/kpasswd.cat1
   trunk/heimdal/kpasswd/kpasswdd.cat8
   trunk/heimdal/kuser/kdestroy.cat1
   trunk/heimdal/kuser/kgetcred.cat1
   trunk/heimdal/kuser/kinit.cat1
   trunk/heimdal/kuser/klist.cat1
   trunk/heimdal/lib/editline/editline.cat3
   trunk/heimdal/lib/gssapi/gss_acquire_cred.cat3
   trunk/heimdal/lib/gssapi/gssapi.cat3
   trunk/heimdal/lib/hdb/hdb-private.h
   trunk/heimdal/lib/hdb/hdb-protos.h
   trunk/heimdal/lib/kadm5/iprop.cat8
   trunk/heimdal/lib/kadm5/kadm5-private.h
   trunk/heimdal/lib/kadm5/kadm5-protos.h
   trunk/heimdal/lib/kadm5/kadm5_pwcheck.cat3
   trunk/heimdal/lib/kafs/kafs.cat3
   trunk/heimdal/lib/krb5/kerberos.cat8
   trunk/heimdal/lib/krb5/krb5-private.h
   trunk/heimdal/lib/krb5/krb5-protos.h
   trunk/heimdal/lib/krb5/krb5.cat3
   trunk/heimdal/lib/krb5/krb5.conf.cat5
   trunk/heimdal/lib/krb5/krb524_convert_creds_kdc.cat3
   trunk/heimdal/lib/krb5/krb5_425_conv_principal.cat3
   trunk/heimdal/lib/krb5/krb5_acl_match_file.cat3
   trunk/heimdal/lib/krb5/krb5_address.cat3
   trunk/heimdal/lib/krb5/krb5_aname_to_localname.cat3
   trunk/heimdal/lib/krb5/krb5_appdefault.cat3
   trunk/heimdal/lib/krb5/krb5_auth_context.cat3
   trunk/heimdal/lib/krb5/krb5_c_make_checksum.cat3
   trunk/heimdal/lib/krb5/krb5_ccache.cat3
   trunk/heimdal/lib/krb5/krb5_check_transited.cat3
   trunk/heimdal/lib/krb5/krb5_compare_creds.cat3
   trunk/heimdal/lib/krb5/krb5_config.cat3
   trunk/heimdal/lib/krb5/krb5_context.cat3
   trunk/heimdal/lib/krb5/krb5_create_checksum.cat3
   trunk/heimdal/lib/krb5/krb5_creds.cat3
   trunk/heimdal/lib/krb5/krb5_crypto_init.cat3
   trunk/heimdal/lib/krb5/krb5_data.cat3
   trunk/heimdal/lib/krb5/krb5_eai_to_heim_errno.cat3
   trunk/heimdal/lib/krb5/krb5_encrypt.cat3
   trunk/heimdal/lib/krb5/krb5_expand_hostname.cat3
   trunk/heimdal/lib/krb5/krb5_find_padata.cat3
   trunk/heimdal/lib/krb5/krb5_generate_random_block.cat3
   trunk/heimdal/lib/krb5/krb5_get_all_client_addrs.cat3
   trunk/heimdal/lib/krb5/krb5_get_credentials.cat3
   trunk/heimdal/lib/krb5/krb5_get_forwarded_creds.cat3
   trunk/heimdal/lib/krb5/krb5_get_in_cred.cat3
   trunk/heimdal/lib/krb5/krb5_get_init_creds.cat3
   trunk/heimdal/lib/krb5/krb5_get_krbhst.cat3
   trunk/heimdal/lib/krb5/krb5_getportbyname.cat3
   trunk/heimdal/lib/krb5/krb5_init_context.cat3
   trunk/heimdal/lib/krb5/krb5_is_thread_safe.cat3
   trunk/heimdal/lib/krb5/krb5_keyblock.cat3
   trunk/heimdal/lib/krb5/krb5_keytab.cat3
   trunk/heimdal/lib/krb5/krb5_krbhst_init.cat3
   trunk/heimdal/lib/krb5/krb5_kuserok.cat3
   trunk/heimdal/lib/krb5/krb5_openlog.cat3
   trunk/heimdal/lib/krb5/krb5_parse_name.cat3
   trunk/heimdal/lib/krb5/krb5_principal.cat3
   trunk/heimdal/lib/krb5/krb5_rcache.cat3
   trunk/heimdal/lib/krb5/krb5_rd_error.cat3
   trunk/heimdal/lib/krb5/krb5_set_default_realm.cat3
   trunk/heimdal/lib/krb5/krb5_storage.cat3
   trunk/heimdal/lib/krb5/krb5_string_to_key.cat3
   trunk/heimdal/lib/krb5/krb5_ticket.cat3
   trunk/heimdal/lib/krb5/krb5_timeofday.cat3
   trunk/heimdal/lib/krb5/krb5_unparse_name.cat3
   trunk/heimdal/lib/krb5/krb5_verify_init_creds.cat3
   trunk/heimdal/lib/krb5/krb5_verify_user.cat3
   trunk/heimdal/lib/krb5/krb5_warn.cat3
   trunk/heimdal/lib/krb5/verify_krb5_c

svn commit: lorikeet r422 - in trunk/heimdal: . kdc lib/krb5 lib/roken

2005-08-15 Thread abartlet
Author: abartlet
Date: 2005-08-15 23:39:22 + (Mon, 15 Aug 2005)
New Revision: 422

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=422

Log:
Update to Heimdal CVS at 2005-08-15

Modified:
   trunk/heimdal/ChangeLog
   trunk/heimdal/kdc/kdc_locl.h
   trunk/heimdal/kdc/kerberos5.c
   trunk/heimdal/kdc/pkinit.c
   trunk/heimdal/kdc/process.c
   trunk/heimdal/lib/krb5/fcache.c
   trunk/heimdal/lib/krb5/init_creds_pw.c
   trunk/heimdal/lib/krb5/krb5_create_checksum.3
   trunk/heimdal/lib/krb5/krb5_get_init_creds.3
   trunk/heimdal/lib/krb5/krb5_keytab.3
   trunk/heimdal/lib/krb5/pkinit.c
   trunk/heimdal/lib/krb5/test_mem.c
   trunk/heimdal/lib/roken/ChangeLog
   trunk/heimdal/lib/roken/getaddrinfo-test.c


Changeset:
Sorry, the patch is too large (967 lines) to include; please use WebSVN to see 
it!
WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=422


svn commit: samba r9396 - in branches/SAMBA_4_0/source/utils: .

2005-08-18 Thread abartlet
Author: abartlet
Date: 2005-08-18 22:36:12 + (Thu, 18 Aug 2005)
New Revision: 9396

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9396

Log:
ntlm_auth updates, including again support for the NTLMSSP client
mode, and specification of the workstation.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/utils/ntlm_auth.c


Changeset:
Modified: branches/SAMBA_4_0/source/utils/ntlm_auth.c
===
--- branches/SAMBA_4_0/source/utils/ntlm_auth.c 2005-08-18 20:36:13 UTC (rev 
9395)
+++ branches/SAMBA_4_0/source/utils/ntlm_auth.c 2005-08-18 22:36:12 UTC (rev 
9396)
@@ -349,7 +349,9 @@
cli_credentials_set_conf(creds);
if (opt_username) {
cli_credentials_set_username(creds, 
opt_username, CRED_SPECIFIED);
-   } 
+   } else {
+   cli_credentials_set_username(creds, "", 
CRED_GUESSED);
+   }
if (opt_domain) {
cli_credentials_set_domain(creds, opt_domain, 
CRED_SPECIFIED);
}
@@ -360,6 +362,9 @@
creds->password_cb = get_password;
creds->priv_data = (void*)mux_id;
}
+   if (opt_workstation) {
+   cli_credentials_set_workstation(creds, 
opt_workstation, CRED_SPECIFIED);
+   }
 
gensec_set_credentials(*gensec_state, creds);
 
@@ -498,7 +503,7 @@
}
} else if ((*gensec_state)->gensec_role == GENSEC_CLIENT) {
reply_code = "AF";
-   reply_arg = NULL;
+   reply_arg = out_base64;
} else {
abort();
}
@@ -862,6 +867,7 @@
{ "password", 0, POPT_ARG_STRING, &opt_password, OPT_PASSWORD, 
"User's plaintext password"},
{ "multiplex", 0, POPT_ARG_NONE, &opt_multiplex, OPT_MULTIPLEX, 
"Multiplex Mode"},
POPT_COMMON_SAMBA
+   POPT_COMMON_VERSION
POPT_TABLEEND
};
 



svn commit: samba r9406 - in branches/SAMBA_4_0/source/torture/basic: .

2005-08-19 Thread abartlet
Author: abartlet
Date: 2005-08-20 00:10:03 + (Sat, 20 Aug 2005)
New Revision: 9406

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9406

Log:
Add const.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/torture/basic/denytest.c


Changeset:
Modified: branches/SAMBA_4_0/source/torture/basic/denytest.c
===
--- branches/SAMBA_4_0/source/torture/basic/denytest.c  2005-08-19 20:50:10 UTC 
(rev 9405)
+++ branches/SAMBA_4_0/source/torture/basic/denytest.c  2005-08-20 00:10:03 UTC 
(rev 9406)
@@ -32,7 +32,7 @@
 
 static const char *denystr(int denymode)
 {
-   struct {
+   const struct {
int v;
const char *name; 
} deny_modes[] = {
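Review bot: `const struct { ... } deny_modes[]` is still an automatic array, so the table is rebuilt on the stack on every call to `denystr`. Writing `static const struct {` would initialise it once and let the compiler place it in read-only storage, provided the initialisers are constant expressions (they are outside the hunk). The same applies to `open_modes` in `openstr` and `results` in `resultstr` in the next two hunks. All three function bodies continue outside their hunks.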
@@ -52,7 +52,7 @@
 
 static const char *openstr(int mode)
 {
-   struct {
+   const struct {
int v;
const char *name; 
} open_modes[] = {
@@ -69,7 +69,7 @@
 
 static const char *resultstr(enum deny_result res)
 {
-   struct {
+   const struct {
enum deny_result res;
const char *name; 
} results[] = {



svn commit: samba r9411 - in branches/SAMBA_4_0/source/auth: gensec ntlmssp

2005-08-19 Thread abartlet
Author: abartlet
Date: 2005-08-20 04:42:19 + (Sat, 20 Aug 2005)
New Revision: 9411

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9411

Log:
Ensure we don't send a challenge without first getting a negotiate in
NTLMSSP, unless we are in datagram mode (not fully implemented yet).

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/gensec/gensec.h
   branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/gensec/gensec.h
===
--- branches/SAMBA_4_0/source/auth/gensec/gensec.h  2005-08-20 04:40:08 UTC 
(rev 9410)
+++ branches/SAMBA_4_0/source/auth/gensec/gensec.h  2005-08-20 04:42:19 UTC 
(rev 9411)
@@ -40,6 +40,7 @@
 #define GENSEC_FEATURE_SEAL0x0004
 #define GENSEC_FEATURE_DCE_STYLE   0x0008
 #define GENSEC_FEATURE_ASYNC_REPLIES   0x0010
+#define GENSEC_FEATURE_DATAGRAM_MODE   0x0020
 
 /* GENSEC mode */
 enum gensec_role

Modified: branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp.c
===
--- branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp.c2005-08-20 04:40:08 UTC 
(rev 9410)
+++ branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp.c2005-08-20 04:42:19 UTC 
(rev 9411)
@@ -138,8 +138,14 @@
ntlmssp_command = NTLMSSP_INITIAL;
break;
case NTLMSSP_SERVER:
-   /* 'datagram' mode - no neg packet */
-   ntlmssp_command = NTLMSSP_NEGOTIATE;
+   if (gensec_security->want_features & 
GENSEC_FEATURE_DATAGRAM_MODE) {
+   /* 'datagram' mode - no neg packet */
+   ntlmssp_command = NTLMSSP_NEGOTIATE;
+   } else {
+   /* This is normal in SPNEGO mech negotiation 
fallback */
+   DEBUG(2, ("Failed to parse NTLMSSP packet: zero 
length\n"));
+   return NT_STATUS_INVALID_PARAMETER;
+   }
break;
}
} else {
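Review bot: `GENSEC_FEATURE_DATAGRAM_MODE` is now the only thing between a zero-length first token and the server going straight to `NTLMSSP_NEGOTIATE`, yet neither the `#define` in gensec.h nor this branch says who is expected to set it. Since the commit log describes datagram mode as not fully implemented, I would add a comment at the define, e.g. `/* server accepts an empty first token and skips the negotiate-first check */`, and note here that the flag is read from `want_features`, which the visible code treats as caller-supplied rather than taken from the peer. The `switch` opens outside the hunk, so it is not visible whether a role other than those handled leaves `ntlmssp_command` unset; a `default:` returning `NT_STATUS_INVALID_PARAMETER` would make that explicit.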



svn commit: samba r9412 - in branches/SAMBA_4_0/source/auth: .

2005-08-19 Thread abartlet
Author: abartlet
Date: 2005-08-20 05:59:27 + (Sat, 20 Aug 2005)
New Revision: 9412

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9412

Log:
Simplify this NTLM authentication code by requiring the caller to
supply the user_sess_key and lm_sess_key parameters.  Inspired by
Coverity complaining about inconsistent checking.

Also factor out some of this code, where we deal with just NT and LM
hashes, or embedded plaintext passwords.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/auth_sam.c
   branches/SAMBA_4_0/source/auth/ntlm_check.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/auth_sam.c
===
--- branches/SAMBA_4_0/source/auth/auth_sam.c   2005-08-20 04:42:19 UTC (rev 
9411)
+++ branches/SAMBA_4_0/source/auth/auth_sam.c   2005-08-20 05:59:27 UTC (rev 
9412)
@@ -70,14 +70,13 @@
/* NO break */
}
case AUTH_PASSWORD_HASH:
+   *lm_sess_key = data_blob(NULL, 0);
+   *user_sess_key = data_blob(NULL, 0);
status = hash_password_check(mem_ctx, 
 user_info->password.hash.lanman,
 user_info->password.hash.nt,
 user_info->mapped.account_name,
-user_info->client.account_name, 
-user_info->client.domain_name, 
-lm_pwd, nt_pwd,
-user_sess_key, lm_sess_key);
+lm_pwd, nt_pwd);
NT_STATUS_NOT_OK_RETURN(status);
break;
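Review bot: After this change a successful `AUTH_PASSWORD_HASH` logon always returns zero-length `lm_sess_key` and `user_sess_key`, because both are set to `data_blob(NULL, 0)` here and are no longer passed to `hash_password_check`, whereas the code removed from ntlm_check.c filled `user_sess_key` via `SMBsesskeygen_ntv1` when the NT hash matched. If any caller relies on that key after an interactive logon (callers are not visible here), it now receives an empty key without an error; if the change is intended, a comment on this case saying so would help. Both pointers are also dereferenced unconditionally, in line with the log message, so the function header should state that they must be non-NULL. The case above falls through into this one, and the function continues outside the hunk.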


Modified: branches/SAMBA_4_0/source/auth/ntlm_check.c
===
--- branches/SAMBA_4_0/source/auth/ntlm_check.c 2005-08-20 04:42:19 UTC (rev 
9411)
+++ branches/SAMBA_4_0/source/auth/ntlm_check.c 2005-08-20 05:59:27 UTC (rev 
9412)
@@ -221,31 +221,16 @@
 const struct samr_Password *client_lanman,
 const struct samr_Password *client_nt,
 const char *username, 
-const char *client_username, 
-const char *client_domain,
 const struct samr_Password *stored_lanman, 
-const struct samr_Password *stored_nt, 
-DATA_BLOB *user_sess_key, 
-DATA_BLOB *lm_sess_key)
+const struct samr_Password *stored_nt)
 {
if (stored_nt == NULL) {
DEBUG(3,("ntlm_password_check: NO NT password stored for user 
%s.\n", 
 username));
}
 
-   if (lm_sess_key) {
-   *lm_sess_key = data_blob(NULL, 0);
-   }
-   if (user_sess_key) {
-   *user_sess_key = data_blob(NULL, 0);
-   }
-
if (client_nt && stored_nt) {
if (memcmp(client_nt->hash, stored_nt->hash, 
sizeof(stored_nt->hash)) == 0) {
-   if (user_sess_key) {
-   *user_sess_key = data_blob_talloc(mem_ctx, 
NULL, 16);
-   SMBsesskeygen_ntv1(stored_nt->hash, 
user_sess_key->data);
-   }
return NT_STATUS_OK;
} else {
DEBUG(3,("ntlm_password_check: Interactive logon: NT 
password check failed for user %s\n",
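Review bot: The hash comparison kept by this hunk, `memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash)) == 0`, may stop at the first differing byte, so its running time can depend on how much of the supplied NT hash matches the stored one. For a credential check, a comparison that always processes every byte is the safer default; a small file-local helper, sketched below, would do this without changing any return value. Separately, the `DEBUG` messages are prefixed `ntlm_password_check:` although the parameter list matches the `hash_password_check` call in auth_sam.c, which is misleading when triaging failed logons. The function body continues past the end of the hunk.

```c
/* compare two fixed-length hashes without an early exit */
static BOOL hash_equal(const uint8_t *a, const uint8_t *b, size_t len)
{
	uint8_t diff = 0;
	size_t i;

	for (i = 0; i < len; i++) {
		diff |= a[i] ^ b[i];
	}
	return diff == 0;
}

/* … unchanged: signature and stored_nt == NULL log … */
	if (client_nt && stored_nt) {
		if (hash_equal(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash))) {
/* … unchanged: return NT_STATUS_OK and the failure branch … */
```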
@@ -308,56 +293,30 @@
 username));
}
 
-   if (lm_sess_key) {
-   *lm_sess_key = data_blob(NULL, 0);
-   }
-   if (user_sess_key) {
-   *user_sess_key = data_blob(NULL, 0);
-   }
+   *lm_sess_key = data_blob(NULL, 0);
+   *user_sess_key = data_blob(NULL, 0);
 
/* Check for cleartext netlogon. Used by Exchange 5.5. */
if (challenge->length == sizeof(zeros) && 
(memcmp(challenge->data, zeros, challenge->length) == 0 )) {
+   struct samr_Password client_nt;
+   struct samr_Password client_lm;
+   uint8_t dospwd[14]; 
 
DEBUG(4,("ntlm_password_check: checking plaintext passwords for 
user %s\n",
 username));
-   if (stored_nt && nt_response->length) {
-   uint8_t pwhash[16];
-   mdfour(pwhash, nt_response->data, nt_response->length);
-   if (memcmp(pwhash, stored_nt->hash, sizeof(pwhash)) == 
0) {
-   return NT_STATUS_OK;
-   } else {
-   DEBUG(3,("ntlm_password_

svn commit: samba r9413 - in branches/SAMBA_4_0/source: heimdal/kdc heimdal/lib/asn1 heimdal/lib/gssapi heimdal/lib/hdb heimdal/lib/krb5 heimdal_build

2005-08-19 Thread abartlet
Author: abartlet
Date: 2005-08-20 06:00:50 + (Sat, 20 Aug 2005)
New Revision: 9413

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9413

Log:
Bring Samba4 back up to date with lorikeet-heimdal.

Delete test_crypto_wrapping.c, previously included but unbuilt.

Andrew Bartlett

Added:
   branches/SAMBA_4_0/source/heimdal/lib/hdb/ext.c
   branches/SAMBA_4_0/source/heimdal/lib/hdb/mkey.c
Removed:
   branches/SAMBA_4_0/source/heimdal/lib/krb5/test_crypto_wrapping.c
   branches/SAMBA_4_0/source/heimdal/lib/krb5/test_pkinit_dh2key.c
Modified:
   branches/SAMBA_4_0/source/heimdal/kdc/kdc_locl.h
   branches/SAMBA_4_0/source/heimdal/kdc/kerberos5.c
   branches/SAMBA_4_0/source/heimdal/kdc/pkinit.c
   branches/SAMBA_4_0/source/heimdal/kdc/process.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/asn1_gen.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/canthandle.asn1
   branches/SAMBA_4_0/source/heimdal/lib/asn1/lex.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/parse.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/parse.h
   branches/SAMBA_4_0/source/heimdal/lib/gssapi/init_sec_context.c
   branches/SAMBA_4_0/source/heimdal/lib/hdb/hdb-private.h
   branches/SAMBA_4_0/source/heimdal/lib/hdb/hdb-protos.h
   branches/SAMBA_4_0/source/heimdal/lib/hdb/hdb.asn1
   branches/SAMBA_4_0/source/heimdal/lib/hdb/hdb.h
   branches/SAMBA_4_0/source/heimdal/lib/hdb/hdb_err.et
   branches/SAMBA_4_0/source/heimdal/lib/krb5/crypto.c
   branches/SAMBA_4_0/source/heimdal/lib/krb5/fcache.c
   branches/SAMBA_4_0/source/heimdal/lib/krb5/init_creds_pw.c
   branches/SAMBA_4_0/source/heimdal/lib/krb5/krb5-private.h
   branches/SAMBA_4_0/source/heimdal/lib/krb5/krb5-protos.h
   branches/SAMBA_4_0/source/heimdal/lib/krb5/pkinit.c
   branches/SAMBA_4_0/source/heimdal_build/config.mk


Changeset:
Sorry, the patch is too large (3739 lines) to include; please use WebSVN to see 
it!
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9413


svn commit: samba r9414 - in branches/SAMBA_4_0/source/lib: .

2005-08-19 Thread abartlet
Author: abartlet
Date: 2005-08-20 06:01:49 + (Sat, 20 Aug 2005)
New Revision: 9414

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9414

Log:
Fix failure to find own domain info due to recent ldb_dn upgrade - we
don't use a simple char* here any more.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/lib/credentials.c


Changeset:
Modified: branches/SAMBA_4_0/source/lib/credentials.c
===
--- branches/SAMBA_4_0/source/lib/credentials.c 2005-08-20 06:00:50 UTC (rev 
9413)
+++ branches/SAMBA_4_0/source/lib/credentials.c 2005-08-20 06:01:49 UTC (rev 
9414)
@@ -496,7 +496,6 @@
struct ldb_context *ldb;
int ldb_ret;
struct ldb_message **msgs;
-   const char *base_dn = SECRETS_PRIMARY_DOMAIN_DN;
const char *attrs[] = {
"secret",
"samAccountName",
@@ -527,7 +526,8 @@
 
/* search for the secret record */
ldb_ret = gendb_search(ldb,
-  mem_ctx, base_dn, &msgs, attrs,
+  mem_ctx, ldb_dn_explode(mem_ctx, 
SECRETS_PRIMARY_DOMAIN_DN), 
+  &msgs, attrs,
   SECRETS_PRIMARY_DOMAIN_FILTER, 
   cli_credentials_get_domain(cred));
if (ldb_ret == 0) {
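Review bot: The result of `ldb_dn_explode(mem_ctx, SECRETS_PRIMARY_DOMAIN_DN)` is handed to gendb_search without a NULL check, so an allocation or parse failure reaches the search as a missing base DN. How gendb_search treats a NULL base is not visible here; if it falls back to a default base, the machine secret lookup would quietly run against a different subtree instead of failing. Hold the DN in a local and bail out first: `const struct ldb_dn *base_dn = ldb_dn_explode(mem_ctx, SECRETS_PRIMARY_DOMAIN_DN);` followed by `if (base_dn == NULL) { /* return this function's out-of-memory status */ }`. The enclosing function starts and ends outside the hunk, so its return type is not shown.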



svn commit: samba r9415 - in branches/SAMBA_4_0/source/auth: gensec kerberos

2005-08-19 Thread abartlet
Author: abartlet
Date: 2005-08-20 06:08:52 + (Sat, 20 Aug 2005)
New Revision: 9415

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9415

Log:
Remove old kerberos code (including salt guessing code) that has only
caused me pain (and Coverity warnings).

Simplify gensec_gssapi to assume the properties of lorikeet-heimdal,
rather than having #ifdef around critical features.  This simplifies
the code rather a lot.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
   branches/SAMBA_4_0/source/auth/kerberos/clikrb5.c
   branches/SAMBA_4_0/source/auth/kerberos/kerberos.c


Changeset:
Sorry, the patch is too large (803 lines) to include; please use WebSVN to see 
it!
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9415


svn commit: samba r9416 - in branches/SAMBA_4_0/source/auth: gensec ntlmssp

2005-08-19 Thread abartlet
Author: abartlet
Date: 2005-08-20 06:14:14 + (Sat, 20 Aug 2005)
New Revision: 9416

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9416

Log:
Cleanups inspired by jra's work to migrate Samba4's NTLMSSP code back
into Samba3.

The NTLMSSP sign/seal code now assumes that GENSEC has already checked
to see if SIGN or SEAL should be permitted.  This simplifies the code
and ensures that no matter what the mech, the correct code paths have
been set in place.

Also remove duplication caused by the NTLMv2 code's history, and
document why some of the things are a bit funny.

In SPNEGO, create a new routine to handle the negTokenInit creation.
We no longer send an OID for a mech we can't start (like kerberos on
the server without a valid trust account).

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/gensec/gensec.c
   branches/SAMBA_4_0/source/auth/gensec/schannel.c
   branches/SAMBA_4_0/source/auth/gensec/spnego.c
   branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp.c
   branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp.h
   branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_sign.c


Changeset:
Sorry, the patch is too large (593 lines) to include; please use WebSVN to see 
it!
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9416


svn commit: samba r9417 - in branches/SAMBA_4_0/source/ldap_server: .

2005-08-19 Thread abartlet
Author: abartlet
Date: 2005-08-20 06:14:46 + (Sat, 20 Aug 2005)
New Revision: 9417

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9417

Log:
Ask for the ASYNC_REPLIES feature, as we will want that.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/ldap_server/ldap_bind.c


Changeset:
Modified: branches/SAMBA_4_0/source/ldap_server/ldap_bind.c
===
--- branches/SAMBA_4_0/source/ldap_server/ldap_bind.c   2005-08-20 06:14:14 UTC 
(rev 9416)
+++ branches/SAMBA_4_0/source/ldap_server/ldap_bind.c   2005-08-20 06:14:46 UTC 
(rev 9417)
@@ -74,6 +74,7 @@
 
gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SIGN);
gensec_want_feature(call->conn->gensec, GENSEC_FEATURE_SEAL);
+   gensec_want_feature(call->conn->gensec, 
GENSEC_FEATURE_ASYNC_REPLIES);
 
status = gensec_start_mech_by_sasl_name(call->conn->gensec, 
req->creds.SASL.mechanism);
if (!NT_STATUS_IS_OK(status)) {



svn commit: samba r9418 - in branches/SAMBA_4_0/source/auth/gensec: .

2005-08-19 Thread abartlet
Author: abartlet
Date: 2005-08-20 06:36:35 + (Sat, 20 Aug 2005)
New Revision: 9418

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9418

Log:
SPNEGO fixes:

- Fix mixing of code and data
- send mechListMic again in SPNEGO server
- only send optimistic first packet in the client.


Modified:
   branches/SAMBA_4_0/source/auth/gensec/spnego.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/gensec/spnego.c
===
--- branches/SAMBA_4_0/source/auth/gensec/spnego.c  2005-08-20 06:14:46 UTC 
(rev 9417)
+++ branches/SAMBA_4_0/source/auth/gensec/spnego.c  2005-08-20 06:36:35 UTC 
(rev 9418)
@@ -408,11 +408,11 @@
DATA_BLOB null_data_blob = data_blob(NULL,0);
const char **mechTypes = NULL;
DATA_BLOB unwrapped_out = data_blob(NULL, 0);
+   const struct gensec_security_ops_wrapper *all_sec;
 
mechTypes = gensec_security_oids(out_mem_ctx, GENSEC_OID_SPNEGO);
 
-   const struct gensec_security_ops_wrapper *all_sec
-   = gensec_security_by_oid_list(out_mem_ctx, 
+   all_sec = gensec_security_by_oid_list(out_mem_ctx, 
  mechTypes,
  GENSEC_OID_SPNEGO);
for (i=0; all_sec && all_sec[i].op; i++) {
@@ -432,27 +432,38 @@
continue;
}
 
-   nt_status = gensec_update(spnego_state->sub_sec_security,
- out_mem_ctx, 
- null_data_blob,
- &unwrapped_out);
+   /* In the client, try and produce the first (optimistic) packet 
*/
+   if (spnego_state->state_position = SPNEGO_CLIENT_START) {
+   nt_status = 
gensec_update(spnego_state->sub_sec_security,
+ out_mem_ctx, 
+ null_data_blob,
+ &unwrapped_out);
+   
+   if (!NT_STATUS_EQUAL(nt_status, 
NT_STATUS_MORE_PROCESSING_REQUIRED) 
+   && !NT_STATUS_IS_OK(nt_status)) {
+   DEBUG(1, ("SPNEGO(%s) creating NEG_TOKEN_INIT 
failed: %s\n", 
+ 
spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
+   talloc_free(spnego_state->sub_sec_security);
+   spnego_state->sub_sec_security = NULL;
+   /* Pretend we never started it (lets the first 
run find some incompatible demand) */
+   
+   continue;
+   }
+   }
 
-   if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER)
-   && !NT_STATUS_EQUAL(nt_status, 
NT_STATUS_MORE_PROCESSING_REQUIRED) 
-   && !NT_STATUS_IS_OK(nt_status)) {
-   DEBUG(3, ("SPNEGO(%s) creating NEG_TOKEN_INIT failed: 
%s\n", 
- spnego_state->sub_sec_security->ops->name, 
nt_errstr(nt_status)));
-   talloc_free(spnego_state->sub_sec_security);
-   spnego_state->sub_sec_security = NULL;
-   /* Pretend we never started it (lets the first run find 
some incompatible demand) */
-
-   continue;
-   }
spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
+   
+   /* List the remaining mechs as options */
spnego_out.negTokenInit.mechTypes = 
gensec_security_oids_from_ops_wrapped(out_mem_ctx, 

  &all_sec[i]);
spnego_out.negTokenInit.reqFlags = 0;
-   spnego_out.negTokenInit.mechListMIC = null_data_blob;
+   
+   if (spnego_state->state_position = SPNEGO_SERVER_START) {
+   spnego_out.negTokenInit.mechListMIC
+   = 
data_blob_string_const(talloc_asprintf(out_mem_ctx, "[EMAIL PROTECTED]", 
lp_netbios_name(), lp_realm()));
+   } else {
+   spnego_out.negTokenInit.mechListMIC = null_data_blob;
+   }
spnego_out.negTokenInit.mechToken = unwrapped_out;

if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
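Review bot: Both new state tests use assignment, `if (spnego_state->state_position = SPNEGO_CLIENT_START)` and `if (spnego_state->state_position = SPNEGO_SERVER_START)`, so each one overwrites the negotiation state and then branches on the constant instead of on which side is running. The intended tests are `spnego_state->state_position == SPNEGO_CLIENT_START` and `spnego_state->state_position == SPNEGO_SERVER_START`; r9419 further down this page makes that change. With the assignment in place the client-only optimistic gensec_update and the server-only mechListMIC can no longer be told apart, and the state left behind is whatever was assigned last. Building with the compiler's assignment-in-condition warning treated as an error would catch this class of typo in authentication state machines. The function starts and ends outside the hunk.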



svn commit: samba r9419 - in branches/SAMBA_4_0/source/auth/gensec: .

2005-08-20 Thread abartlet
Author: abartlet
Date: 2005-08-20 07:04:13 + (Sat, 20 Aug 2005)
New Revision: 9419

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9419

Log:
Silly, silly, untested mistake...

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/gensec/spnego.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/gensec/spnego.c
===
--- branches/SAMBA_4_0/source/auth/gensec/spnego.c  2005-08-20 06:36:35 UTC 
(rev 9418)
+++ branches/SAMBA_4_0/source/auth/gensec/spnego.c  2005-08-20 07:04:13 UTC 
(rev 9419)
@@ -433,7 +433,7 @@
}
 
/* In the client, try and produce the first (optimistic) packet 
*/
-   if (spnego_state->state_position = SPNEGO_CLIENT_START) {
+   if (spnego_state->state_position == SPNEGO_CLIENT_START) {
nt_status = 
gensec_update(spnego_state->sub_sec_security,
  out_mem_ctx, 
  null_data_blob,
@@ -458,7 +458,7 @@

  &all_sec[i]);
spnego_out.negTokenInit.reqFlags = 0;

-   if (spnego_state->state_position = SPNEGO_SERVER_START) {
+   if (spnego_state->state_position == SPNEGO_SERVER_START) {
spnego_out.negTokenInit.mechListMIC
= 
data_blob_string_const(talloc_asprintf(out_mem_ctx, "[EMAIL PROTECTED]", 
lp_netbios_name(), lp_realm()));
} else {
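Review bot: The unchanged line under the corrected server test passes the result of `talloc_asprintf(out_mem_ctx, ...)` straight into `data_blob_string_const` with no check for a NULL return. If data_blob_string_const takes the length of its argument, as its name suggests, an allocation failure while building the server's negTokenInit becomes a NULL dereference on a path reached before authentication completes. Build the string into a local first (here called `principal`, a name chosen for this note) and fail when it is NULL: `if (principal == NULL) return NT_STATUS_NO_MEMORY;` before `spnego_out.negTokenInit.mechListMIC = data_blob_string_const(principal);`, assuming this function returns NTSTATUS. The enclosing function starts and ends outside the hunk.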



svn commit: samba r9420 - in branches/SAMBA_4_0/source/auth/gensec: .

2005-08-20 Thread abartlet
Author: abartlet
Date: 2005-08-20 07:31:29 + (Sat, 20 Aug 2005)
New Revision: 9420

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9420

Log:
Fix the SPNEGO system again: Update the state position after
processing the state.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/gensec/spnego.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/gensec/spnego.c
===
--- branches/SAMBA_4_0/source/auth/gensec/spnego.c  2005-08-20 07:04:13 UTC 
(rev 9419)
+++ branches/SAMBA_4_0/source/auth/gensec/spnego.c  2005-08-20 07:31:29 UTC 
(rev 9420)
@@ -596,9 +596,10 @@

return nt_status;
} else {
+   nt_status = 
gensec_spnego_create_negTokenInit(gensec_security, spnego_state, 
+out_mem_ctx, 
in, out);
spnego_state->state_position = SPNEGO_SERVER_TARG;
-   return 
gensec_spnego_create_negTokenInit(gensec_security, spnego_state, 
-out_mem_ctx, 
in, out);
+   return nt_status;
}
}
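Review bot: `spnego_state->state_position = SPNEGO_SERVER_TARG;` now runs after gensec_spnego_create_negTokenInit but regardless of what it returned, so a failed negTokenInit still advances the state machine; the second hunk does the same with `SPNEGO_CLIENT_TARG`. If the caller can invoke the update again after an error, the next call would be handled as a TARG-state token although no mechanism was negotiated. Advance only when the call produced a token, e.g. `if (NT_STATUS_IS_OK(nt_status) || NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) spnego_state->state_position = SPNEGO_SERVER_TARG;`, or add a comment saying why advancing on failure is safe. The enclosing function extends beyond both hunks.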

@@ -611,9 +612,10 @@
 
if (!in.length) {
/* client to produce negTokenInit */
+   nt_status = 
gensec_spnego_create_negTokenInit(gensec_security, spnego_state, 
+out_mem_ctx, 
in, out);
spnego_state->state_position = SPNEGO_CLIENT_TARG;
-   return 
gensec_spnego_create_negTokenInit(gensec_security, spnego_state, 
-out_mem_ctx, 
in, out);
+   return nt_status;
}

len = spnego_read_data(in, &spnego);



svn commit: samba r9421 - in branches/SAMBA_4_0/source: lib lib/crypto libcli/util

2005-08-20 Thread abartlet
Author: abartlet
Date: 2005-08-20 07:59:00 + (Sat, 20 Aug 2005)
New Revision: 9421

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9421

Log:
Move arcfour code into its own file, in lib/crypto.

Andrew Bartlett

Added:
   branches/SAMBA_4_0/source/lib/crypto/arcfour.c
Modified:
   branches/SAMBA_4_0/source/lib/basic.mk
   branches/SAMBA_4_0/source/lib/crypto/crypto.h
   branches/SAMBA_4_0/source/lib/crypto/hmacmd5.h
   branches/SAMBA_4_0/source/libcli/util/smbdes.c


Changeset:
Modified: branches/SAMBA_4_0/source/lib/basic.mk
===
--- branches/SAMBA_4_0/source/lib/basic.mk  2005-08-20 07:31:29 UTC (rev 
9420)
+++ branches/SAMBA_4_0/source/lib/basic.mk  2005-08-20 07:59:00 UTC (rev 
9421)
@@ -22,7 +22,8 @@
 ADD_OBJ_FILES = \
lib/crypto/md5.o \
lib/crypto/hmacmd5.o \
-   lib/crypto/md4.o
+   lib/crypto/md4.o \
+   lib/crypto/arcfour.o
 # End SUBSYSTEM LIBCRYPTO
 ##
 

Added: branches/SAMBA_4_0/source/lib/crypto/arcfour.c
===
--- branches/SAMBA_4_0/source/lib/crypto/arcfour.c  2005-08-20 07:31:29 UTC 
(rev 9420)
+++ branches/SAMBA_4_0/source/lib/crypto/arcfour.c  2005-08-20 07:59:00 UTC 
(rev 9421)
@@ -0,0 +1,92 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   An implementation of the arcfour algorithm
+
+   Copyright (C) Andrew Tridgell 1998
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include "lib/crypto/crypto.h"
+
+/* initialise the arcfour sbox with key */
+void arcfour_init(struct arcfour_state *state, const DATA_BLOB *key) 
+{
+   int ind;
+   uint8_t j = 0;
+   for (ind = 0; ind < sizeof(state->sbox); ind++) {
+   state->sbox[ind] = (uint8_t)ind;
+   }
+   
+   for (ind = 0; ind < sizeof(state->sbox); ind++) {
+   uint8_t tc;
+   
+   j += (state->sbox[ind] + key->data[ind%key->length]);
+   
+   tc = state->sbox[ind];
+   state->sbox[ind] = state->sbox[j];
+   state->sbox[j] = tc;
+   }
+   state->index_i = 0;
+   state->index_j = 0;
+}
+
+/* crypt the data with arcfour */
+void arcfour_crypt_sbox(struct arcfour_state *state, uint8_t *data, int len) 
+{
+   int ind;
+   
+   for (ind = 0; ind < len; ind++) {
+   uint8_t tc;
+   uint8_t t;
+
+   state->index_i++;
+   state->index_j += state->sbox[state->index_i];
+
+   tc = state->sbox[state->index_i];
+   state->sbox[state->index_i] = state->sbox[state->index_j];
+   state->sbox[state->index_j] = tc;
+   
+   t = state->sbox[state->index_i] + state->sbox[state->index_j];
+   data[ind] = data[ind] ^ state->sbox[t];
+   }
+}
+
+/*
+  arcfour encryption with a blob key
+*/
+void arcfour_crypt_blob(uint8_t *data, int len, const DATA_BLOB *key) 
+{
+   struct arcfour_state state;
+   arcfour_init(&state, key);
+   arcfour_crypt_sbox(&state, data, len);
+}
+
+/*
+  a variant that assumes a 16 byte key. This should be removed
+  when the last user is gone
+*/
+void arcfour_crypt(uint8_t *data, const uint8_t keystr[16], int len)
+{
+   DATA_BLOB key = data_blob(keystr, 16);
+   
+   arcfour_crypt_blob(data, len, &key);
+
+   data_blob_free(&key);
+}
+
+
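Review bot: arcfour_init indexes `key->data[ind%key->length]` with no check that the key is non-empty, so a zero-length blob is a division by zero; arcfour_crypt can presumably reach that state when `data_blob(keystr, 16)` fails to allocate. The void return gives no way to report the problem, and silently skipping the cipher would leave the data in cleartext, so fail hard instead, e.g. `SMB_ASSERT(key->data != NULL && key->length != 0);` at the top of arcfour_init. arcfour_crypt also makes a heap copy of the key that is freed without being cleared; a non-owning blob such as `DATA_BLOB key = { discard_const_p(uint8_t, keystr), 16 };` avoids both the allocation and the stray key copy, assuming DATA_BLOB is laid out as data then length and that `discard_const_p` is available in this tree. The `state` in arcfour_crypt_blob likewise stays on the stack after use and could be zeroed before returning.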

Modified: branches/SAMBA_4_0/source/lib/crypto/crypto.h
===
--- branches/SAMBA_4_0/source/lib/crypto/crypto.h   2005-08-20 07:31:29 UTC 
(rev 9420)
+++ branches/SAMBA_4_0/source/lib/crypto/crypto.h   2005-08-20 07:59:00 UTC 
(rev 9421)
@@ -28,3 +28,9 @@
uint8_t index_i;
uint8_t index_j;
 };
+
+void arcfour_init(struct arcfour_state *state, const DATA_BLOB *key);
+void arcfour_crypt_sbox(struct arcfour_state *state, uint8_t *data, int len);
+void arcfour_crypt_blob(uint8_t *data, int len, const DA

svn commit: samba r9422 - in branches/SAMBA_4_0/source/torture/rpc: .

2005-08-20 Thread abartlet
Author: abartlet
Date: 2005-08-20 08:30:41 + (Sat, 20 Aug 2005)
New Revision: 9422

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9422

Log:
Include crypto.h header.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/torture/rpc/testjoin.c


Changeset:
Modified: branches/SAMBA_4_0/source/torture/rpc/testjoin.c
===
--- branches/SAMBA_4_0/source/torture/rpc/testjoin.c2005-08-20 07:59:00 UTC 
(rev 9421)
+++ branches/SAMBA_4_0/source/torture/rpc/testjoin.c2005-08-20 08:30:41 UTC 
(rev 9422)
@@ -28,6 +28,7 @@
 #include "includes.h"
 #include "librpc/gen_ndr/ndr_samr.h"
 #include "system/time.h"
+#include "lib/crypto/crypto.h"
 
 struct test_join {
struct dcerpc_pipe *p;



svn commit: samba r9490 - in branches/SAMBA_4_0/source/rpc_server: .

2005-08-22 Thread abartlet
Author: abartlet
Date: 2005-08-22 22:33:58 + (Mon, 22 Aug 2005)
New Revision: 9490

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9490

Log:
Fix typo

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/rpc_server/dcesrv_auth.c


Changeset:
Modified: branches/SAMBA_4_0/source/rpc_server/dcesrv_auth.c
===
--- branches/SAMBA_4_0/source/rpc_server/dcesrv_auth.c  2005-08-22 22:06:48 UTC 
(rev 9489)
+++ branches/SAMBA_4_0/source/rpc_server/dcesrv_auth.c  2005-08-22 22:33:58 UTC 
(rev 9490)
@@ -151,7 +151,7 @@
DEBUG(1, ("Failed to establish session_info: %s\n", 
nt_errstr(status)));
return False;
}
-   /* Now that we are authenticated, got back to the generic 
session key... */
+   /* Now that we are authenticated, go back to the generic 
session key... */
dce_conn->auth_state.session_key = dcesrv_generic_session_key;
return True;
} else {



svn commit: samba r9505 - in branches/SAMBA_4_0/source: auth/ntlmssp libcli/composite libcli/ldap librpc/rpc

2005-08-22 Thread abartlet
Author: abartlet
Date: 2005-08-23 05:29:37 + (Tue, 23 Aug 2005)
New Revision: 9505

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9505

Log:
Work on GENSEC and the code that calls it, for tighter interface
requirements, and for better error reporting.

In particular, the composite session setup (extended security/SPNEGO)
code now returns errors, rather than NT_STATUS_NO_MEMORY.  This is
seen particularly when GENSEC fails to start.

The tighter interface rules apply to NTLMSSP, which must be called
exactly the right number of times.  This is to match some of our other
less-tested modules, where adding flexibility is harder.  (and this is
security code, so let's just get it right).  As such, the DCE/RPC and
LDAP clients have been updated.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp.c
   branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_client.c
   branches/SAMBA_4_0/source/libcli/composite/connect.c
   branches/SAMBA_4_0/source/libcli/composite/sesssetup.c
   branches/SAMBA_4_0/source/libcli/ldap/ldap_bind.c
   branches/SAMBA_4_0/source/librpc/rpc/dcerpc_auth.c


Changeset:
Sorry, the patch is too large (526 lines) to include; please use WebSVN to see 
it!
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9505


svn commit: samba r9516 - in branches/SAMBA_4_0/source/torture/rpc: .

2005-08-23 Thread abartlet
Author: abartlet
Date: 2005-08-23 11:54:38 + (Tue, 23 Aug 2005)
New Revision: 9516

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9516

Log:
Try a full-on matrix test of all the combinations in DRSUAPI
CrackNames.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/torture/rpc/drsuapi.c


Changeset:
Modified: branches/SAMBA_4_0/source/torture/rpc/drsuapi.c
===
--- branches/SAMBA_4_0/source/torture/rpc/drsuapi.c 2005-08-23 11:46:52 UTC 
(rev 9515)
+++ branches/SAMBA_4_0/source/torture/rpc/drsuapi.c 2005-08-23 11:54:38 UTC 
(rev 9516)
@@ -65,6 +65,127 @@
return ret;
 }
 
+static BOOL test_DsCrackNamesMatrix(struct dcerpc_pipe *p, TALLOC_CTX 
*mem_ctx, 
+   struct DsPrivate *priv, const char *dn)
+{
+   
+
+   NTSTATUS status;
+   BOOL ret = True;
+   struct drsuapi_DsCrackNames r;
+   struct drsuapi_DsNameString names[1];
+   enum drsuapi_DsNameFormat formats[] = {
+   DRSUAPI_DS_NAME_FORMAT_FQDN_1779,
+   DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT,
+   DRSUAPI_DS_NAME_FORMAT_DISPLAY,
+   DRSUAPI_DS_NAME_FORMAT_GUID,
+   DRSUAPI_DS_NAME_FORMAT_CANONICAL,
+   DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL,
+   DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX,
+   DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL,
+   DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY,
+   DRSUAPI_DS_NAME_FORMAT_DNS_DOMAIN
+   };
+   int i, j;
+
+   const char *n_matrix[ARRAY_SIZE(formats)][ARRAY_SIZE(formats)];
+   const char *n_from[ARRAY_SIZE(formats)];
+
+   ZERO_STRUCT(r);
+   r.in.bind_handle= &priv->bind_handle;
+   r.in.level  = 1;
+   r.in.req.req1.unknown1  = 0x04e4;
+   r.in.req.req1.unknown2  = 0x0407;
+   r.in.req.req1.count = 1;
+   r.in.req.req1.names = names;
+   r.in.req.req1.format_flags  = DRSUAPI_DS_NAME_FLAG_NO_FLAGS;
+
+   n_matrix[0][0] = dn;
+
+   for (i = 0; i < ARRAY_SIZE(formats); i++) {
+   r.in.req.req1.format_offered= 
DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
+   r.in.req.req1.format_desired= formats[i];
+   names[0].str = dn;
+   printf("testing DsCrackNames (matrix prep) with name '%s' from 
format: %d desired format:%d ",
+  names[0].str, r.in.req.req1.format_offered, 
r.in.req.req1.format_desired);
+   
+   status = dcerpc_drsuapi_DsCrackNames(p, mem_ctx, &r);
+   if (!NT_STATUS_IS_OK(status)) {
+   const char *errstr = nt_errstr(status);
+   if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) 
{
+   errstr = dcerpc_errstr(mem_ctx, 
p->last_fault_code);
+   }
+   printf("dcerpc_drsuapi_DsCrackNames failed - %s\n", 
errstr);
+   ret = False;
+   } else if (!W_ERROR_IS_OK(r.out.result)) {
+   printf("DsCrackNames failed - %s\n", 
win_errstr(r.out.result));
+   ret = False;
+   }
+   
+   if (!ret) {
+   return ret;
+   }
+   if (r.out.ctr.ctr1->array[0].status == 
DRSUAPI_DS_NAME_STATUS_OK) {
+   n_from[i] = r.out.ctr.ctr1->array[0].result_name;
+   printf("%s\n", n_from[i]);
+   } else {
+   n_from[i] = NULL;
+   printf("Error\n");
+   }
+   }
+
+   for (i = 0; i < ARRAY_SIZE(formats); i++) {
+   for (j = 0; j < ARRAY_SIZE(formats); j++) {
+   r.in.req.req1.format_offered= formats[i];
+   r.in.req.req1.format_desired= formats[j];
+   if (!n_from[i]) {
+   n_matrix[i][j] = NULL;
+   continue;
+   }
+   names[0].str = n_from[i];
+   status = dcerpc_drsuapi_DsCrackNames(p, mem_ctx, &r);
+   if (!NT_STATUS_IS_OK(status)) {
+   const char *errstr = nt_errstr(status);
+   if (NT_STATUS_EQUAL(status, 
NT_STATUS_NET_WRITE_FAULT)) {
+   errstr = dcerpc_errstr(mem_ctx, 
p->last_fault_code);
+   }
+   printf("testing DsCrackNames (matrix) with name 
'%s' from format: %d desired format:%d failed - %s",
+  nam

svn commit: samba r9547 - in branches/SAMBA_4_0/source/torture/rpc: .

2005-08-23 Thread abartlet
Author: abartlet
Date: 2005-08-23 22:02:54 + (Tue, 23 Aug 2005)
New Revision: 9547

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9547

Log:
A pile more completeness testing for DsCrackNames.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/torture/rpc/drsuapi.c


Changeset:
Sorry, the patch is too large (339 lines) to include; please use WebSVN to see 
it!
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9547


svn commit: lorikeet r438 - in trunk/heimdal/lib/krb5: .

2005-08-27 Thread abartlet
Author: abartlet
Date: 2005-08-27 07:22:51 + (Sat, 27 Aug 2005)
New Revision: 438

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=438

Log:
Add const (I don't think this breaks anything).

Andrew Bartlett

Modified:
   trunk/heimdal/lib/krb5/principal.c


Changeset:
Modified: trunk/heimdal/lib/krb5/principal.c
===
--- trunk/heimdal/lib/krb5/principal.c  2005-08-26 14:39:42 UTC (rev 437)
+++ trunk/heimdal/lib/krb5/principal.c  2005-08-27 07:22:51 UTC (rev 438)
@@ -69,21 +69,21 @@
 
 int KRB5_LIB_FUNCTION
 krb5_principal_get_type(krb5_context context,
-   krb5_principal principal)
+   krb5_const_principal principal)
 {
 return princ_type(principal);
 }
 
 const char* KRB5_LIB_FUNCTION
 krb5_principal_get_realm(krb5_context context,
-krb5_principal principal)
+krb5_const_principal principal)
 {
 return princ_realm(principal);
 }   
 
 const char* KRB5_LIB_FUNCTION
 krb5_principal_get_comp_string(krb5_context context,
-  krb5_principal principal,
+  krb5_const_principal principal,
   unsigned int component)
 {
 if(component >= princ_num_comp(principal))



svn commit: lorikeet r439 - in trunk/heimdal: . cf kdc kuser lib/asn1 lib/gssapi lib/hdb lib/kadm5 lib/krb5 lib/roken

2005-08-27 Thread abartlet
Author: abartlet
Date: 2005-08-27 08:33:51 + (Sat, 27 Aug 2005)
New Revision: 439

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=439

Log:
Update to Heimdal CVS as of 2005-08-27

Andrew Bartlett

Added:
   trunk/heimdal/lib/hdb/dbinfo.c
   trunk/heimdal/lib/hdb/test_dbinfo.c
   trunk/heimdal/lib/kadm5/iprop-commands.c
   trunk/heimdal/lib/kadm5/iprop-log.c
   trunk/heimdal/lib/krb5/test_hostname.c
Removed:
   trunk/heimdal/lib/kadm5/dump_log.c
   trunk/heimdal/lib/kadm5/replay_log.c
   trunk/heimdal/lib/kadm5/truncate_log.c
   trunk/heimdal/lib/roken/print_version.c
Modified:
   trunk/heimdal/ChangeLog
   trunk/heimdal/cf/ChangeLog
   trunk/heimdal/cf/roken-frag.m4
   trunk/heimdal/configure.in
   trunk/heimdal/kdc/kdc_locl.h
   trunk/heimdal/kuser/klist.c
   trunk/heimdal/lib/asn1/ChangeLog
   trunk/heimdal/lib/asn1/gen.c
   trunk/heimdal/lib/asn1/gen_decode.c
   trunk/heimdal/lib/asn1/gen_encode.c
   trunk/heimdal/lib/asn1/gen_length.c
   trunk/heimdal/lib/asn1/gen_locl.h
   trunk/heimdal/lib/asn1/k5.asn1
   trunk/heimdal/lib/asn1/main.c
   trunk/heimdal/lib/asn1/parse.y
   trunk/heimdal/lib/gssapi/ChangeLog
   trunk/heimdal/lib/gssapi/display_status.c
   trunk/heimdal/lib/gssapi/external.c
   trunk/heimdal/lib/hdb/hdb-ldap.c
   trunk/heimdal/lib/hdb/hdb.c
   trunk/heimdal/lib/hdb/mkey.c
   trunk/heimdal/lib/kadm5/ChangeLog
   trunk/heimdal/lib/kadm5/Makefile.am
   trunk/heimdal/lib/kadm5/iprop.8
   trunk/heimdal/lib/kadm5/ipropd_master.c
   trunk/heimdal/lib/kadm5/log.c
   trunk/heimdal/lib/krb5/Makefile.am
   trunk/heimdal/lib/krb5/get_host_realm.c
   trunk/heimdal/lib/krb5/krb5_config.3
   trunk/heimdal/lib/krb5/principal.c
   trunk/heimdal/lib/krb5/test_crypto_wrapping.c
   trunk/heimdal/lib/roken/ChangeLog
   trunk/heimdal/lib/roken/resolve.c
   trunk/heimdal/lib/roken/setprogname.c
   trunk/heimdal/lib/roken/strpool.c


Changeset:
Sorry, the patch is too large (3735 lines) to include; please use WebSVN to see 
it!
WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=439


svn commit: lorikeet r440 - in trunk/heimdal/lib/krb5: .

2005-08-27 Thread abartlet
Author: abartlet
Date: 2005-08-27 10:19:15 + (Sat, 27 Aug 2005)
New Revision: 440

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=440

Log:
Add new functions to always unparse me a short (not including a realm)
principal, regardless of target realm.

Add tests to prove it works.

Andrew Bartlett

Added:
   trunk/heimdal/lib/krb5/test_princ.c
Modified:
   trunk/heimdal/lib/krb5/Makefile.am
   trunk/heimdal/lib/krb5/principal.c


Changeset:
Modified: trunk/heimdal/lib/krb5/Makefile.am
===
--- trunk/heimdal/lib/krb5/Makefile.am  2005-08-27 08:33:51 UTC (rev 439)
+++ trunk/heimdal/lib/krb5/Makefile.am  2005-08-27 10:19:15 UTC (rev 440)
@@ -30,7 +30,8 @@
test_keytab \
test_mem\
test_pkinit_dh2key  \
-   test_time
+   test_time   \
+   test_princ
 
 check_PROGRAMS = $(TESTS) test_hostname
 

Modified: trunk/heimdal/lib/krb5/principal.c
===
--- trunk/heimdal/lib/krb5/principal.c  2005-08-27 08:33:51 UTC (rev 439)
+++ trunk/heimdal/lib/krb5/principal.c  2005-08-27 10:19:15 UTC (rev 440)
@@ -268,16 +268,6 @@
return ERANGE;
 } 
 /* add realm if different from default realm */
-if(short_form) {
-   krb5_realm r;
-   krb5_error_code ret;
-   ret = krb5_get_default_realm(context, &r);
-   if(ret)
-   return ret;
-   if(strcmp(princ_realm(principal), r) != 0)
-   short_form = 0;
-   free(r);
-}
 if(!short_form) {
add_char(name, idx, len, '@');
idx = quote_string(princ_realm(principal), name, idx, len);
@@ -302,7 +292,16 @@
  char *name,
  size_t len)
 {
-return unparse_name_fixed(context, principal, name, len, TRUE);
+krb5_realm r;
+krb5_error_code ret;
+krb5_boolean short_form = TRUE;
+ret = krb5_get_default_realm(context, &r);
+if(ret)
+   return ret;
+if(strcmp(princ_realm(principal), r) != 0)
+   short_form = 0;
+free(r);
+return unparse_name_fixed(context, principal, name, len, short_form);
 }
 
 static krb5_error_code
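Review bot: The default-realm comparison added here (`krb5_get_default_realm`, `strcmp(princ_realm(principal), r)`, `free(r)`) is added again, line for line, in the next hunk, so the two copies can drift apart the next time either is touched. It also mixes `TRUE` with a bare `0` for the same `krb5_boolean`. A file-local helper that reports whether the principal is in the default realm would leave both callers with a short body. The function this hunk edits starts outside the hunk, so the signature is not repeated below.

```c
/* Set *short_form to TRUE when principal is in the default realm. */
static krb5_error_code
principal_in_default_realm(krb5_context context,
                           krb5_const_principal principal,
                           krb5_boolean *short_form)
{
    krb5_realm r;
    krb5_error_code ret;

    ret = krb5_get_default_realm(context, &r);
    if(ret)
        return ret;
    *short_form = (strcmp(princ_realm(principal), r) == 0) ? TRUE : FALSE;
    free(r);
    return 0;
}

/* … unchanged: signature of the fixed-buffer short unparse function … */
    krb5_boolean short_form;
    krb5_error_code ret;

    ret = principal_in_default_realm(context, principal, &short_form);
    if(ret)
        return ret;
    return unparse_name_fixed(context, principal, name, len, short_form);
```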
@@ -356,6 +355,23 @@
krb5_const_principal principal,
char **name)
 {
+krb5_realm r;
+krb5_error_code ret;
+krb5_boolean short_form = TRUE;
+ret = krb5_get_default_realm(context, &r);
+if(ret)
+   return ret;
+if(strcmp(princ_realm(principal), r) != 0)
+   short_form = 0;
+free(r);
+return unparse_name(context, principal, name, short_form);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_unparse_name_always_short(krb5_context context,
+  krb5_const_principal principal,
+  char **name)
+{
 return unparse_name(context, principal, name, TRUE);
 }
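Review bot: `krb5_unparse_name_always_short` is added without a comment, and its output drops the realm even for principals outside the default realm, so principals that differ only in realm unparse to the same string. A caller that uses the result for authorization or account mapping would treat a foreign-realm principal as the local one. I would add above the function: `/* Unparse without the realm, even for principals outside the default realm. The result is ambiguous across realms: do not use it for authorization or account mapping. */`. The function whose body gains the default-realm check at the top of this hunk starts outside the hunk.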
 
@@ -372,7 +388,7 @@
 
 #endif
 
-krb5_realm*
+krb5_realm* KRB5_LIB_FUNCTION
 krb5_princ_realm(krb5_context context,
 krb5_principal principal)
 {
@@ -380,6 +396,7 @@
 }
 
 
+
 void KRB5_LIB_FUNCTION
 krb5_princ_set_realm(krb5_context context,
 krb5_principal principal,

Added: trunk/heimdal/lib/krb5/test_princ.c
===
--- trunk/heimdal/lib/krb5/test_princ.c 2005-08-27 08:33:51 UTC (rev 439)
+++ trunk/heimdal/lib/krb5/test_princ.c 2005-08-27 10:19:15 UTC (rev 440)
@@ -0,0 +1,113 @@
+/*
+ * Copyright (c) 2003 Kungliga Tekniska H�gskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *notice, this list of conditions and the following disclaimer in the 
+ *documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ *used to endorse or promote products derived from this software without
+ *specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SER

svn commit: lorikeet r441 - in trunk/heimdal/lib/krb5: .

2005-08-27 Thread abartlet
Author: abartlet
Date: 2005-08-27 10:31:56 + (Sat, 27 Aug 2005)
New Revision: 441

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=441

Log:
Test a few more things while I'm at it.

Andrew Bartlett

Modified:
   trunk/heimdal/lib/krb5/test_princ.c


Changeset:
Modified: trunk/heimdal/lib/krb5/test_princ.c
===
--- trunk/heimdal/lib/krb5/test_princ.c 2005-08-27 10:19:15 UTC (rev 440)
+++ trunk/heimdal/lib/krb5/test_princ.c 2005-08-27 10:31:56 UTC (rev 441)
@@ -89,8 +89,36 @@
krb5_errx(context, 1, "p != p2");
 }
 
+krb5_free_principal(context, p2);
+
+ret = krb5_set_default_realm(context, "SU.SE");
+if (ret)
+   krb5_err(context, 1, ret, "krb5_parse_name");
+
+ret = krb5_unparse_name_short(context, p, &princ_unparsed);
+if (ret)
+   krb5_err(context, 1, ret, "krb5_parse_name");
+
+if (strcmp(princ_short, princ_unparsed)) {
+   krb5_errx(context, 1, "%s != %s", princ_short, princ_unparsed);
+}
+free(princ_unparsed);
+
+ret = krb5_set_default_realm(context, "SAMBA.ORG");
+if (ret)
+   krb5_err(context, 1, ret, "krb5_parse_name");
+
+ret = krb5_unparse_name_short(context, p, &princ_unparsed);
+if (ret)
+   krb5_err(context, 1, ret, "krb5_parse_name");
+
+if (strcmp(princ, princ_unparsed)) {
+   krb5_errx(context, 1, "%s != %s", princ, princ_unparsed);
+}
+free(princ_unparsed);
+
+
 krb5_free_principal(context, p);
-krb5_free_principal(context, p2);
 }
 
 int
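Review bot: Every failure message added in this hunk says `"krb5_parse_name"`, although the calls that can fail are `krb5_set_default_realm` and `krb5_unparse_name_short`, so a failing run points at the wrong function. Naming the actual call makes the output usable, e.g. `krb5_err(context, 1, ret, "krb5_set_default_realm");` and `krb5_err(context, 1, ret, "krb5_unparse_name_short");`. The test also returns with the default realm still set to "SAMBA.ORG" on the context it was given, which any later test sharing that context would inherit; whether one exists is outside this hunk. The enclosing function starts above the hunk.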



svn commit: lorikeet r442 - in trunk/heimdal/lib/krb5: .

2005-08-27 Thread abartlet
Author: abartlet
Date: 2005-08-27 10:42:05 + (Sat, 27 Aug 2005)
New Revision: 442

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=442

Log:
Clean up tests, rename functions per lha's preference.

Andrew Bartlett

Modified:
   trunk/heimdal/lib/krb5/principal.c
   trunk/heimdal/lib/krb5/test_princ.c


Changeset:
Modified: trunk/heimdal/lib/krb5/principal.c
===
--- trunk/heimdal/lib/krb5/principal.c  2005-08-27 10:31:56 UTC (rev 441)
+++ trunk/heimdal/lib/krb5/principal.c  2005-08-27 10:42:05 UTC (rev 442)
@@ -287,6 +287,15 @@
 }
 
 krb5_error_code KRB5_LIB_FUNCTION
+krb5_unparse_name_norealm_fixed(krb5_context context,
+   krb5_const_principal principal,
+   char *name,
+   size_t len)
+{
+return unparse_name_fixed(context, principal, name, len, TRUE);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_unparse_name_fixed_short(krb5_context context,
  krb5_const_principal principal,
  char *name,
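Review bot: `krb5_unparse_name_norealm_fixed` is exported without a comment saying that it drops the realm unconditionally, unlike `krb5_unparse_name_fixed_short` just below it, which since r440 drops the realm only when it equals the default realm. Two principals with the same components in different realms therefore unparse to the same string, so the result is fine for display or a local account lookup but must not be used as the identity in an access-control comparison. I would add a comment above the function along the lines of `/* Unparse without the realm; the output does not identify the principal across realms. */`, and the same on `krb5_unparse_name_norealm` in the `@@ -368,7 +377,7 @@` hunk. The body of `krb5_unparse_name_fixed_short` continues outside this hunk.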
@@ -368,7 +377,7 @@
 }
 
 krb5_error_code KRB5_LIB_FUNCTION
-krb5_unparse_name_always_short(krb5_context context,
+krb5_unparse_name_norealm(krb5_context context,
   krb5_const_principal principal,
   char **name)
 {

Modified: trunk/heimdal/lib/krb5/test_princ.c
===
--- trunk/heimdal/lib/krb5/test_princ.c 2005-08-27 10:31:56 UTC (rev 441)
+++ trunk/heimdal/lib/krb5/test_princ.c 2005-08-27 10:42:05 UTC (rev 442)
@@ -50,9 +50,6 @@
 char *princ_reformed = NULL;
 char *realm;
 
-krb5_ccache id, id2;
-const char *nc, *tc;
-char *n, *t, *c;
 krb5_principal p, p2;
 
 ret = krb5_parse_name(context, princ, &p);
@@ -69,7 +66,7 @@
 
 free(princ_unparsed);
 
-ret = krb5_unparse_name_always_short(context, p, &princ_unparsed);
+ret = krb5_unparse_name_norealm(context, p, &princ_unparsed);
 if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
 



svn commit: samba r9678 - in branches/SAMBA_4_0/source/auth/ntlmssp: .

2005-08-27 Thread abartlet
Author: abartlet
Date: 2005-08-27 11:26:50 + (Sat, 27 Aug 2005)
New Revision: 9678

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9678

Log:
Remove unused variables.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_sign.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_sign.c
===
--- branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_sign.c   2005-08-27 
08:47:35 UTC (rev 9677)
+++ branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_sign.c   2005-08-27 
11:26:50 UTC (rev 9678)
@@ -279,8 +279,6 @@
  const DATA_BLOB *sig)
 {
struct gensec_ntlmssp_state *gensec_ntlmssp_state = 
gensec_security->private_data;
-   DATA_BLOB local_sig;
-   NTSTATUS nt_status;
if (!gensec_ntlmssp_state->session_key.length) {
DEBUG(3, ("NO session key, cannot unseal packet\n"));
return NT_STATUS_NO_USER_SESSION_KEY;
@@ -443,7 +441,6 @@
 const DATA_BLOB *in, 
 DATA_BLOB *out)
 {
-   struct gensec_ntlmssp_state *gensec_ntlmssp_state = 
gensec_security->private_data;
DATA_BLOB sig;
NTSTATUS nt_status;
 
@@ -493,7 +490,6 @@
   const DATA_BLOB *in, 
   DATA_BLOB *out)
 {
-   struct gensec_ntlmssp_state *gensec_ntlmssp_state = 
gensec_security->private_data;
DATA_BLOB sig;
 
if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {



svn commit: lorikeet r443 - in trunk/heimdal/kdc: .

2005-08-27 Thread abartlet
Author: abartlet
Date: 2005-08-27 11:41:12 + (Sat, 27 Aug 2005)
New Revision: 443

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=443

Log:
Backmerge PAC changes from Samba4 to lorikeet-heimdal.  When I rework
this, I'll have a nice plugin interface...

Andrew Bartlett

Modified:
   trunk/heimdal/kdc/kerberos5.c


Changeset:
Modified: trunk/heimdal/kdc/kerberos5.c
===
--- trunk/heimdal/kdc/kerberos5.c   2005-08-27 10:42:05 UTC (rev 442)
+++ trunk/heimdal/kdc/kerberos5.c   2005-08-27 11:41:12 UTC (rev 443)
@@ -1597,6 +1597,7 @@
   EncTicketPart *tgt, 
   EncTicketPart *adtkt, 
   AuthorizationData *auth_data,
+  krb5_ticket *tgs_ticket,
   hdb_entry *server, 
   hdb_entry *client, 
   krb5_principal client_principal, 
@@ -1774,6 +1775,7 @@
client->principal,
tgtkey,
ekey,
+   tgs_ticket->ticket.authtime,
&pac);
if (ret) {
free_AuthorizationData(if_relevant);
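Review bot: `tgs_ticket->ticket.authtime` is dereferenced here without a NULL check, and the only caller shown (the `@@ -2357,6 +2359,7 @@` hunk) passes `ticket`, whose origin is outside the diff. The function already receives `EncTicketPart *tgt`; if that is the decrypted part of the same ticket, which cannot be confirmed from these hunks, `tgt->authtime` is the same value and the extra `krb5_ticket *` parameter is unnecessary. Because the value is handed to the call that fills in `pac`, a one-line comment stating which ticket the authtime must come from would help whoever reworks this into the plugin interface the log mentions. The function being extended and the call being changed both start and end outside the hunks.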
@@ -2357,6 +2359,7 @@
 tgt, 
 b->kdc_options.enc_tkt_in_skey ? &adtkt : NULL, 
 auth_data,
+ticket,
 server, 
 client, 
 cp, 



svn commit: samba r9680 - in branches/SAMBA_4_0/source: heimdal heimdal/kdc heimdal/lib heimdal/lib/asn1 heimdal/lib/gssapi heimdal/lib/hdb heimdal/lib/krb5 heimdal/lib/roken heimdal/lib/vers heimdal_

2005-08-27 Thread abartlet
Author: abartlet
Date: 2005-08-27 11:49:06 + (Sat, 27 Aug 2005)
New Revision: 9680

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9680

Log:
Update Heimdal to current lorikeet-heimdal (which was itself updated
to Heimdal CVS as of 2005-08-27).

Andrew Bartlett

Added:
   branches/SAMBA_4_0/source/heimdal/lib/vers/
   branches/SAMBA_4_0/source/heimdal/lib/vers/print_version.c
Removed:
   branches/SAMBA_4_0/source/heimdal/lib/roken/print_version.c
Modified:
   branches/SAMBA_4_0/source/heimdal/fix-export
   branches/SAMBA_4_0/source/heimdal/kdc/kdc_locl.h
   branches/SAMBA_4_0/source/heimdal/lib/asn1/gen.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/gen_decode.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/gen_encode.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/gen_length.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/gen_locl.h
   branches/SAMBA_4_0/source/heimdal/lib/asn1/k5.asn1
   branches/SAMBA_4_0/source/heimdal/lib/asn1/main.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/parse.c
   branches/SAMBA_4_0/source/heimdal/lib/asn1/parse.y
   branches/SAMBA_4_0/source/heimdal/lib/gssapi/display_status.c
   branches/SAMBA_4_0/source/heimdal/lib/gssapi/external.c
   branches/SAMBA_4_0/source/heimdal/lib/hdb/hdb-protos.h
   branches/SAMBA_4_0/source/heimdal/lib/hdb/hdb.c
   branches/SAMBA_4_0/source/heimdal/lib/hdb/mkey.c
   branches/SAMBA_4_0/source/heimdal/lib/krb5/get_host_realm.c
   branches/SAMBA_4_0/source/heimdal/lib/krb5/krb5-private.h
   branches/SAMBA_4_0/source/heimdal/lib/krb5/krb5-protos.h
   branches/SAMBA_4_0/source/heimdal/lib/krb5/principal.c
   branches/SAMBA_4_0/source/heimdal/lib/roken/resolve.c
   branches/SAMBA_4_0/source/heimdal/lib/roken/setprogname.c
   branches/SAMBA_4_0/source/heimdal/lib/roken/strpool.c
   branches/SAMBA_4_0/source/heimdal_build/config.mk


Changeset:
Sorry, the patch is too large (2153 lines) to include; please use WebSVN to see 
it!
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9680


svn commit: samba r9681 - in branches/SAMBA_4_0/source: auth/gensec auth/kerberos torture/auth

2005-08-27 Thread abartlet
Author: abartlet
Date: 2005-08-27 12:23:37 + (Sat, 27 Aug 2005)
New Revision: 9681

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9681

Log:
We don't need the full smb_krb5_context here, so just pass the krb5_context.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
   branches/SAMBA_4_0/source/auth/gensec/gensec_krb5.c
   branches/SAMBA_4_0/source/auth/kerberos/kerberos.h
   branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c
   branches/SAMBA_4_0/source/torture/auth/pac.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
===
--- branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c   2005-08-27 
11:49:06 UTC (rev 9680)
+++ branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c   2005-08-27 
12:23:37 UTC (rev 9681)
@@ -781,7 +781,7 @@

/* decode and verify the pac */
nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info, 
pac_blob,
-   
gensec_gssapi_state->smb_krb5_context,
+   
gensec_gssapi_state->smb_krb5_context->krb5_context,
NULL, keyblock);
 
if (NT_STATUS_IS_OK(nt_status)) {

Modified: branches/SAMBA_4_0/source/auth/gensec/gensec_krb5.c
===
--- branches/SAMBA_4_0/source/auth/gensec/gensec_krb5.c 2005-08-27 11:49:06 UTC 
(rev 9680)
+++ branches/SAMBA_4_0/source/auth/gensec/gensec_krb5.c 2005-08-27 12:23:37 UTC 
(rev 9681)
@@ -450,7 +450,7 @@
 
/* decode and verify the pac */
nt_status = kerberos_pac_logon_info(gensec_krb5_state, &logon_info, 
gensec_krb5_state->pac,
-   gensec_krb5_state->smb_krb5_context,
+   
gensec_krb5_state->smb_krb5_context->krb5_context,
NULL, gensec_krb5_state->keyblock);
 
/* IF we have the PAC - otherwise we need to get this

Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos.h
===
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos.h  2005-08-27 11:49:06 UTC 
(rev 9680)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos.h  2005-08-27 12:23:37 UTC 
(rev 9681)
@@ -129,13 +129,13 @@
 NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 struct PAC_DATA **pac_data_out,
 DATA_BLOB blob,
-struct smb_krb5_context *smb_krb5_context,
+krb5_context context,
 krb5_keyblock *krbtgt_keyblock,
 krb5_keyblock *service_keyblock);
 NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
 struct PAC_LOGON_INFO **logon_info,
 DATA_BLOB blob,
-struct smb_krb5_context *smb_krb5_context,
+krb5_context context,
 krb5_keyblock *krbtgt_keyblock,
 krb5_keyblock *service_keyblock);
 krb5_error_code kerberos_create_pac(TALLOC_CTX *mem_ctx,
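Review bot: Neither prototype documents that `krbtgt_keyblock` may be NULL, yet both callers touched by this commit (gensec_gssapi.c and gensec_krb5.c) pass `NULL` for it and supply only the service key. The header should say what is verified in that case, for example `/* krbtgt_keyblock may be NULL; presumably the KDC signature is then not checked (confirm in kerberos_pac.c) */`. That matters to callers because the KDC signature is what ties the PAC contents to the KDC rather than to whoever holds the service key. The new `context` parameter would also benefit from a note that it is borrowed, not owned, by these functions, if that is the case.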

Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c
===
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c  2005-08-27 
11:49:06 UTC (rev 9680)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos_pac.c  2005-08-27 
12:23:37 UTC (rev 9681)
@@ -80,7 +80,7 @@
  NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
  struct PAC_DATA **pac_data_out,
  DATA_BLOB blob,
- struct smb_krb5_context *smb_krb5_context,
+ krb5_context context,
  krb5_keyblock *krbtgt_keyblock,
  krb5_keyblock *service_keyblock)
 {
@@ -165,7 +165,7 @@
/* verify by service_key */
status = check_pac_checksum(mem_ctx, 
modified_pac_blob, &srv_sig, 
-   smb_krb5_context->krb5_context, 
+   context, 
service_keyblock);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("PAC Decode: Failed to verify the service 
signature\n"));
@@ -178,7 +178,7 @@
 
status = check_pac_checksum(mem_ctx, 
service_checksum_blob, &kdc_sig, 
-   smb_krb5_context->krb5_context, 
krbtgt_keyblock);
+   

svn commit: samba r9693 - in branches/SAMBA_4_0/source/auth/kerberos: .

2005-08-27 Thread abartlet
Author: abartlet
Date: 2005-08-27 22:15:29 + (Sat, 27 Aug 2005)
New Revision: 9693

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9693

Log:
Move the smb_krb5_context setup code to use the new pattern of
tmp_ctx, then steal at the last moment, on success.

andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/kerberos/clikrb5.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/kerberos/clikrb5.c
===
--- branches/SAMBA_4_0/source/auth/kerberos/clikrb5.c   2005-08-27 21:48:50 UTC 
(rev 9692)
+++ branches/SAMBA_4_0/source/auth/kerberos/clikrb5.c   2005-08-27 22:15:29 UTC 
(rev 9693)
@@ -423,8 +423,8 @@

initialize_krb5_error_table();

-   *smb_krb5_context = talloc(parent_ctx, struct smb_krb5_context);
-   tmp_ctx = talloc_new(*smb_krb5_context);
+   tmp_ctx = talloc_new(parent_ctx);
+   *smb_krb5_context = talloc(tmp_ctx, struct smb_krb5_context);
 
if (!*smb_krb5_context || !tmp_ctx) {
talloc_free(*smb_krb5_context);
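Review bot: The failure branch kept as context still calls `talloc_free(*smb_krb5_context)`, which no longer matches the new parenting: if `talloc_new()` succeeds and the struct allocation fails, `tmp_ctx` stays attached to `parent_ctx`, and if `talloc_new()` fails the struct is allocated with a NULL parent. Checking `tmp_ctx` right after `talloc_new(parent_ctx)`, and freeing `tmp_ctx` when the second allocation fails, covers both cases. On this and every later error path that now does `talloc_free(tmp_ctx)` (the `@@ -445,13 +445,14 @@`, `@@ -463,7 +464,7 @@` and `@@ -474,12 +475,13 @@` hunks), the caller's `*smb_krb5_context` is left pointing at freed memory. Adding `*smb_krb5_context = NULL;` before each `return` makes a missed error check fail on a NULL pointer instead of touching freed memory. The `if` body continues outside the hunk.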
@@ -445,13 +445,14 @@
char *upper_realm = strupper_talloc(tmp_ctx, lp_realm());
if (!upper_realm) {
DEBUG(1,("gensec_krb5_start: could not uppercase realm: 
%s\n", lp_realm()));
+   talloc_free(tmp_ctx);
return ENOMEM;
}
ret = krb5_set_default_realm((*smb_krb5_context)->krb5_context, 
lp_realm());
if (ret) {
DEBUG(1,("krb5_set_default_realm failed (%s)\n", 
 
smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx)));
-   talloc_free(*smb_krb5_context);
+   talloc_free(tmp_ctx);
return ret;
}
}
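Review bot: `upper_realm` is computed and NULL-checked, but the call that follows passes `lp_realm()` to `krb5_set_default_realm()`, so within the lines shown the uppercased copy is never used. Kerberos realm names are case-sensitive, so a lower-case realm in the configuration would give a default realm that does not match the realm carried in tickets; the call presumably should read `krb5_set_default_realm((*smb_krb5_context)->krb5_context, upper_realm);`. The DEBUG text also names `gensec_krb5_start`, which does not appear to be the function being edited. The enclosing function starts above the hunk.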
@@ -463,7 +464,7 @@
if (ret) {
DEBUG(1,("krb5_initlog failed (%s)\n", 
 
smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx)));
-   talloc_free(*smb_krb5_context);
+   talloc_free(tmp_ctx);
return ret;
}
 
@@ -474,12 +475,13 @@
if (ret) {
DEBUG(1,("krb5_addlog_func failed (%s)\n", 
 
smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx)));
-   talloc_free(*smb_krb5_context);
+   talloc_free(tmp_ctx);
return ret;
}
krb5_set_warn_dest((*smb_krb5_context)->krb5_context, 
(*smb_krb5_context)->logf);
 
 #endif 
+   talloc_steal(parent_ctx, *smb_krb5_context);
talloc_free(tmp_ctx);
return 0;
 }



svn commit: samba r9696 - in branches/SAMBA_4_0/source/heimdal/lib/krb5: .

2005-08-27 Thread abartlet
Author: abartlet
Date: 2005-08-27 22:48:39 + (Sat, 27 Aug 2005)
New Revision: 9696

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9696

Log:
Update prototypes for new name of short parsing function.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/heimdal/lib/krb5/krb5-protos.h


Changeset:
Modified: branches/SAMBA_4_0/source/heimdal/lib/krb5/krb5-protos.h
===
--- branches/SAMBA_4_0/source/heimdal/lib/krb5/krb5-protos.h2005-08-27 
22:47:54 UTC (rev 9695)
+++ branches/SAMBA_4_0/source/heimdal/lib/krb5/krb5-protos.h2005-08-27 
22:48:39 UTC (rev 9696)
@@ -3164,22 +3164,29 @@
char **/*name*/);
 
 krb5_error_code KRB5_LIB_FUNCTION
-krb5_unparse_name_always_short (
+krb5_unparse_name_fixed (
krb5_context /*context*/,
krb5_const_principal /*principal*/,
-   char **/*name*/);
+   char */*name*/,
+   size_t /*len*/);
 
 krb5_error_code KRB5_LIB_FUNCTION
-krb5_unparse_name_fixed (
+krb5_unparse_name_fixed_short (
krb5_context /*context*/,
krb5_const_principal /*principal*/,
char */*name*/,
size_t /*len*/);
 
 krb5_error_code KRB5_LIB_FUNCTION
-krb5_unparse_name_fixed_short (
+krb5_unparse_name_norealm (
krb5_context /*context*/,
krb5_const_principal /*principal*/,
+   char **/*name*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_unparse_name_norealm_fixed (
+   krb5_context /*context*/,
+   krb5_const_principal /*principal*/,
char */*name*/,
size_t /*len*/);
 



svn commit: samba r9701 - in branches/SAMBA_4_0/source/torture/auth: .

2005-08-27 Thread abartlet
Author: abartlet
Date: 2005-08-28 01:54:27 + (Sun, 28 Aug 2005)
New Revision: 9701

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9701

Log:
Provide correct parameters.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/torture/auth/pac.c


Changeset:
Modified: branches/SAMBA_4_0/source/torture/auth/pac.c
===
--- branches/SAMBA_4_0/source/torture/auth/pac.c2005-08-28 01:37:27 UTC 
(rev 9700)
+++ branches/SAMBA_4_0/source/torture/auth/pac.c2005-08-28 01:54:27 UTC 
(rev 9701)
@@ -339,7 +339,7 @@
/* Decode and verify the signaure on the PAC */
nt_status = kerberos_decode_pac(mem_ctx, &pac_data,
tmp_blob,
-   smb_krb5_context,
+   smb_krb5_context->krb5_context,
&krbtgt_keyblock,
&server_keyblock);
if (!NT_STATUS_IS_OK(nt_status)) {
@@ -357,7 +357,7 @@
/* Parse the PAC again, for the logon info this time */
nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info,
tmp_blob,
-   smb_krb5_context,
+   smb_krb5_context->krb5_context,
&krbtgt_keyblock,
&server_keyblock);
 
@@ -459,7 +459,7 @@
 
nt_status = kerberos_decode_pac(mem_ctx, &pac_data,
tmp_blob,
-   smb_krb5_context,
+   smb_krb5_context->krb5_context,
&krbtgt_keyblock,
&server_keyblock);
if (NT_STATUS_IS_OK(nt_status)) {



svn commit: lorikeet r445 - in trunk/heimdal: . cf

2005-08-28 Thread abartlet
Author: abartlet
Date: 2005-08-29 00:32:59 + (Mon, 29 Aug 2005)
New Revision: 445

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=445

Log:
Move resolv tests to a new .m4 file (Samba4 will then include that file)

Andrew Bartlett

Added:
   trunk/heimdal/cf/resolv.m4
Modified:
   trunk/heimdal/cf/roken-frag.m4
   trunk/heimdal/configure.in


Changeset:
Added: trunk/heimdal/cf/resolv.m4
===
--- trunk/heimdal/cf/resolv.m4  2005-08-28 02:41:37 UTC (rev 444)
+++ trunk/heimdal/cf/resolv.m4  2005-08-29 00:32:59 UTC (rev 445)
@@ -0,0 +1,108 @@
+dnl stuff used by DNS resolv code
+
+dnl
+dnl $Id: dlopen.m4,v 1.2 2005/06/16 19:40:59 lha Exp $
+dnl
+
+AC_DEFUN([rk_RESOLV], [
+
+   AC_CHECK_HEADERS(resolv.h, , , [AC_INCLUDES_DEFAULT
+#ifdef HAVE_SYS_TYPES_H
+#include 
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include 
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include 
+#endif
+])
+
+   AC_FIND_FUNC(res_search, resolv,
+[
+#include 
+#ifdef HAVE_SYS_TYPES_H
+#include 
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include 
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include 
+#endif
+#ifdef HAVE_RESOLV_H
+#include 
+#endif
+],
+[0,0,0,0,0])
+
+   AC_FIND_FUNC(res_nsearch, resolv,
+[
+#include 
+#ifdef HAVE_SYS_TYPES_H
+#include 
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include 
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include 
+#endif
+#ifdef HAVE_RESOLV_H
+#include 
+#endif
+],
+[0,0,0,0,0,0])
+
+   AC_FIND_FUNC(res_ndestroy, resolv,
+[
+#include 
+#ifdef HAVE_SYS_TYPES_H
+#include 
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include 
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include 
+#endif
+#ifdef HAVE_RESOLV_H
+#include 
+#endif
+],
+[0])
+
+   AC_FIND_FUNC(dn_expand, resolv,
+[
+#include 
+#ifdef HAVE_SYS_TYPES_H
+#include 
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include 
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include 
+#endif
+#ifdef HAVE_RESOLV_H
+#include 
+#endif
+],
+[0,0,0,0,0])
+
+   rk_CHECK_VAR(_res, 
+[#include 
+#ifdef HAVE_SYS_TYPES_H
+#include 
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include 
+#endif
+#ifdef HAVE_ARPA_NAMESER_H
+#include 
+#endif
+#ifdef HAVE_RESOLV_H
+#include 
+#endif])
+
+])
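Review bot: The new file's header still carries `$Id: dlopen.m4,v 1.2 ...`, copied from a different macro file, which mislabels its history; a fresh `$Id$` keyword would be correct. More importantly, roken-frag.m4 loses these checks in the same commit without gaining a dependency on the new macro, so a configure script that pulls in roken-frag.m4 but never calls `rk_RESOLV` silently loses the results of the `res_search`, `res_nsearch`, `res_ndestroy`, `dn_expand` and `_res` checks. Adding `AC_REQUIRE([rk_RESOLV])` to roken-frag.m4, next to its existing `AC_REQUIRE([CHECK_NETINET_IP_AND_TCP])`, would keep that from going unnoticed. A short `dnl` comment listing what `rk_RESOLV` checks would also help the Samba4 side that is meant to include this file.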

Modified: trunk/heimdal/cf/roken-frag.m4
===
--- trunk/heimdal/cf/roken-frag.m4  2005-08-28 02:41:37 UTC (rev 444)
+++ trunk/heimdal/cf/roken-frag.m4  2005-08-29 00:32:59 UTC (rev 445)
@@ -120,18 +120,6 @@
 #endif
 ])
 
-AC_CHECK_HEADERS(resolv.h, , , [AC_INCLUDES_DEFAULT
-#ifdef HAVE_SYS_TYPES_H
-#include 
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include 
-#endif
-#ifdef HAVE_ARPA_NAMESER_H
-#include 
-#endif
-])
-
 AC_REQUIRE([CHECK_NETINET_IP_AND_TCP])
 
 AM_CONDITIONAL(have_err_h, test "$ac_cv_header_err_h" = yes)
@@ -149,94 +137,8 @@
 
 AC_FIND_FUNC(gethostbyname2, inet6 ip6)
 
-AC_FIND_FUNC(res_search, resolv,
-[
-#include 
-#ifdef HAVE_SYS_TYPES_H
-#include 
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include 
-#endif
-#ifdef HAVE_ARPA_NAMESER_H
-#include 
-#endif
-#ifdef HAVE_RESOLV_H
-#include 
-#endif
-],
-[0,0,0,0,0])
 
-AC_FIND_FUNC(res_nsearch, resolv,
-[
-#include 
-#ifdef HAVE_SYS_TYPES_H
-#include 
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include 
-#endif
-#ifdef HAVE_ARPA_NAMESER_H
-#include 
-#endif
-#ifdef HAVE_RESOLV_H
-#include 
-#endif
-],
-[0,0,0,0,0,0])
 
-AC_FIND_FUNC(res_ndestroy, resolv,
-[
-#include 
-#ifdef HAVE_SYS_TYPES_H
-#include 
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include 
-#endif
-#ifdef HAVE_ARPA_NAMESER_H
-#include 
-#endif
-#ifdef HAVE_RESOLV_H
-#include 
-#endif
-],
-[0])
-
-AC_FIND_FUNC(dn_expand, resolv,
-[
-#include 
-#ifdef HAVE_SYS_TYPES_H
-#include 
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include 
-#endif
-#ifdef HAVE_ARPA_NAMESER_H
-#include 
-#endif
-#ifdef HAVE_RESOLV_H
-#include 
-#endif
-],
-[0,0,0,0,0])
-
-rk_CHECK_VAR(_res, 
-[#include 
-#ifdef HAVE_SYS_TYPES_H
-#include 
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include 
-#endif
-#ifdef HAVE_ARPA_NAMESER_H
-#include 
-#endif
-#ifdef HAVE_RESOLV_H
-#include 
-#endif])
-
-
 AC_BROKEN_SNPRINTF
 AC_BROKEN_VSNPRINTF
 

Modified: trunk/heimdal/configure.in
===
--- trunk/heimdal/configure.in  2005-08-28 02:41:37 UTC (rev 444)
+++ trunk/heimdal/configure.in  2005-08-29 00:32:59 UTC (rev 445)
@@ -213,6 +213,8 @@
 
 rk_OTP
 
+rk_RESOLV
+
 AC_CHECK_OSFC2
 
 AC_ARG_ENABLE(mmap,



svn commit: samba r9727 - in branches/SAMBA_4_0/source/torture: . rpc

2005-08-28 Thread abartlet
Author: abartlet
Date: 2005-08-29 04:15:08 + (Mon, 29 Aug 2005)
New Revision: 9727

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9727

Log:
A simpler test I can aim at passing when I get the cracknames code done.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/torture/rpc/drsuapi.c
   branches/SAMBA_4_0/source/torture/torture.c


Changeset:
Modified: branches/SAMBA_4_0/source/torture/rpc/drsuapi.c
===
--- branches/SAMBA_4_0/source/torture/rpc/drsuapi.c 2005-08-29 01:27:39 UTC 
(rev 9726)
+++ branches/SAMBA_4_0/source/torture/rpc/drsuapi.c 2005-08-29 04:15:08 UTC 
(rev 9727)
@@ -1306,3 +1306,40 @@
 
return ret;
 }
+
+BOOL torture_rpc_drsuapi_cracknames(void)
+{
+NTSTATUS status;
+struct dcerpc_pipe *p;
+   TALLOC_CTX *mem_ctx;
+   BOOL ret = True;
+   struct DsPrivate priv;
+
+   mem_ctx = talloc_init("torture_rpc_drsuapi");
+
+   status = torture_rpc_connection(mem_ctx, 
+   &p, 
+   DCERPC_DRSUAPI_NAME,
+   DCERPC_DRSUAPI_UUID,
+   DCERPC_DRSUAPI_VERSION);
+   if (!NT_STATUS_IS_OK(status)) {
+   talloc_free(mem_ctx);
+   return False;
+   }
+
+   printf("Connected to DRAUAPI pipe\n");
+
+   ZERO_STRUCT(priv);
+
+   ret &= test_DsBind(p, mem_ctx, &priv);
+
+   ret &= test_DsGetDCInfo(p, mem_ctx, &priv);
+
+   ret &= test_DsCrackNames(p, mem_ctx, &priv);
+
+   ret &= test_DsUnbind(p, mem_ctx, &priv);
+
+   talloc_free(mem_ctx);
+
+   return ret;
+}
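Review bot: `torture_rpc_drsuapi_cracknames` keeps going after a failed bind: `ret &= test_DsBind(...)` records the failure, but `test_DsGetDCInfo`, `test_DsCrackNames` and `test_DsUnbind` are still called with the zeroed `priv`. Returning early, e.g. `if (!test_DsBind(p, mem_ctx, &priv)) { talloc_free(mem_ctx); return False; }`, gives one clear failure instead of a cascade of errors against an unbound handle. The status message says "DRAUAPI" where the pipe is DRSUAPI, and the talloc context is named `torture_rpc_drsuapi` rather than after this function. The local declarations also mix space and tab indentation.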

Modified: branches/SAMBA_4_0/source/torture/torture.c
===
--- branches/SAMBA_4_0/source/torture/torture.c 2005-08-29 01:27:39 UTC (rev 
9726)
+++ branches/SAMBA_4_0/source/torture/torture.c 2005-08-29 04:15:08 UTC (rev 
9727)
@@ -2308,6 +2308,7 @@
 {"RPC-COUNTCALLS", torture_rpc_countcalls, 0},
{"RPC-MULTIBIND", torture_multi_bind, 0},
{"RPC-DRSUAPI", torture_rpc_drsuapi, 0},
+   {"RPC-CRACKNAMES", torture_rpc_drsuapi_cracknames, 0},
{"RPC-LOGIN", torture_rpc_login, 0},
{"RPC-ROT", torture_rpc_rot, 0},
{"RPC-DSSETUP", torture_rpc_dssetup, 0},



svn commit: samba r9728 - in branches/SAMBA_4_0/source: auth/gensec auth/kerberos auth/ntlmssp client include lib lib/cmdline lib/ldb/ldb_ildap lib/samba3 libcli/composite librpc/rpc scripting/ejs tor

2005-08-28 Thread abartlet
Author: abartlet
Date: 2005-08-29 04:30:22 + (Mon, 29 Aug 2005)
New Revision: 9728

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9728

Log:
A *major* update to the credentials system, to incorporate the
Kerberos CCACHE into the system.

This again allows the use of the system ccache when no username is
specified, and brings more code in common between gensec_krb5 and
gensec_gssapi.

It also has a side-effect that may (or may not) be expected: If there
is a ccache, even if it is not used (perhaps the remote server didn't
want kerberos), it will change the default username.

Andrew Bartlett


Modified:
   branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
   branches/SAMBA_4_0/source/auth/gensec/gensec_krb5.c
   branches/SAMBA_4_0/source/auth/kerberos/kerberos.h
   branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c
   branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_client.c
   branches/SAMBA_4_0/source/client/client.c
   branches/SAMBA_4_0/source/include/credentials.h
   branches/SAMBA_4_0/source/include/includes.h
   branches/SAMBA_4_0/source/lib/cmdline/credentials.c
   branches/SAMBA_4_0/source/lib/cmdline/popt_common.c
   branches/SAMBA_4_0/source/lib/credentials.c
   branches/SAMBA_4_0/source/lib/ldb/ldb_ildap/ldb_ildap.c
   branches/SAMBA_4_0/source/lib/samba3/samba3dump.c
   branches/SAMBA_4_0/source/libcli/composite/sesssetup.c
   branches/SAMBA_4_0/source/librpc/rpc/dcerpc_schannel.c
   branches/SAMBA_4_0/source/scripting/ejs/smbcalls_auth.c
   branches/SAMBA_4_0/source/scripting/ejs/smbcalls_creds.c
   branches/SAMBA_4_0/source/torture/rpc/netlogon.c
   branches/SAMBA_4_0/source/torture/rpc/samlogon.c
   branches/SAMBA_4_0/source/torture/rpc/schannel.c
   branches/SAMBA_4_0/source/utils/net/net_password.c
   branches/SAMBA_4_0/source/utils/ntlm_auth.c


Changeset:
Sorry, the patch is too large (1308 lines) to include; please use WebSVN to see 
it!
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9728


svn commit: samba r9731 - in branches/SAMBA_4_0/source/lib: .

2005-08-28 Thread abartlet
Author: abartlet
Date: 2005-08-29 04:38:37 + (Mon, 29 Aug 2005)
New Revision: 9731

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9731

Log:
Fix typo

Modified:
   branches/SAMBA_4_0/source/lib/credentials.c


Changeset:
Modified: branches/SAMBA_4_0/source/lib/credentials.c
===
--- branches/SAMBA_4_0/source/lib/credentials.c 2005-08-29 04:36:01 UTC (rev 
9730)
+++ branches/SAMBA_4_0/source/lib/credentials.c 2005-08-29 04:38:37 UTC (rev 
9731)
@@ -126,7 +126,7 @@
 
 BOOL cli_credentials_authentication_requested(struct cli_credentials *cred) 
 {
-   if (cred->principal_obtained == CRED_SPECIFIED) {
+   if (cred->principal_obtained >= CRED_SPECIFIED) {
return True;
}
if (cred->username_obtained >= CRED_SPECIFIED) {



svn commit: samba r9733 - in branches/SAMBA_4_0/source/torture/rpc: .

2005-08-29 Thread abartlet
Author: abartlet
Date: 2005-08-29 12:16:49 + (Mon, 29 Aug 2005)
New Revision: 9733

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9733

Log:
Test conversion from known sids in CrackNames.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/torture/rpc/drsuapi.c


Changeset:
Modified: branches/SAMBA_4_0/source/torture/rpc/drsuapi.c
===
--- branches/SAMBA_4_0/source/torture/rpc/drsuapi.c 2005-08-29 07:22:41 UTC 
(rev 9732)
+++ branches/SAMBA_4_0/source/torture/rpc/drsuapi.c 2005-08-29 12:16:49 UTC 
(rev 9733)
@@ -668,6 +668,62 @@
return ret;
}
 
+   r.in.req.req1.format_offered= 
DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY;
+   r.in.req.req1.format_desired= DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
+   names[0].str = SID_BUILTIN;
+
+   printf("testing DsCrackNames with SID '%s' desired format:%d\n",
+   names[0].str, r.in.req.req1.format_desired);
+
+   status = dcerpc_drsuapi_DsCrackNames(p, mem_ctx, &r);
+   if (!NT_STATUS_IS_OK(status)) {
+   const char *errstr = nt_errstr(status);
+   if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
+   errstr = dcerpc_errstr(mem_ctx, p->last_fault_code);
+   }
+   printf("dcerpc_drsuapi_DsCrackNames failed - %s\n", errstr);
+   ret = False;
+   } else if (!W_ERROR_IS_OK(r.out.result)) {
+   printf("DsCrackNames failed - %s\n", win_errstr(r.out.result));
+   ret = False;
+   } else if (r.out.ctr.ctr1->array[0].status != 
DRSUAPI_DS_NAME_STATUS_OK) {
+   printf("DsCrackNames failed on name - %d\n", 
r.out.ctr.ctr1->array[0].status);
+   ret = False;
+   }
+
+   if (!ret) {
+   return ret;
+   }
+
+
+   r.in.req.req1.format_offered= 
DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY;
+   r.in.req.req1.format_desired= DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
+   names[0].str = SID_BUILTIN_ADMINISTRATORS;
+
+   printf("testing DsCrackNames with SID '%s' desired format:%d\n",
+   names[0].str, r.in.req.req1.format_desired);
+
+   status = dcerpc_drsuapi_DsCrackNames(p, mem_ctx, &r);
+   if (!NT_STATUS_IS_OK(status)) {
+   const char *errstr = nt_errstr(status);
+   if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
+   errstr = dcerpc_errstr(mem_ctx, p->last_fault_code);
+   }
+   printf("dcerpc_drsuapi_DsCrackNames failed - %s\n", errstr);
+   ret = False;
+   } else if (!W_ERROR_IS_OK(r.out.result)) {
+   printf("DsCrackNames failed - %s\n", win_errstr(r.out.result));
+   ret = False;
+   } else if (r.out.ctr.ctr1->array[0].status != 
DRSUAPI_DS_NAME_STATUS_OK) {
+   printf("DsCrackNames failed on name - %d\n", 
r.out.ctr.ctr1->array[0].status);
+   ret = False;
+   }
+
+   if (!ret) {
+   return ret;
+   }
+
+
/* NEGATIVE test.  This should parse, but not succeed */
r.in.req.req1.format_offered= DRSUAPI_DS_NAME_FORMAT_GUID;
r.in.req.req1.format_desired= DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
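Review bot: Both added blocks read `r.out.ctr.ctr1->array[0].status` after checking only the transport status and `r.out.result`, so a server that reports success with an empty or missing name array makes the test read through an invalid pointer instead of failing cleanly. I would guard the access before the status comparison, e.g. `} else if (r.out.ctr.ctr1->count < 1) { printf("DsCrackNames returned no names\n"); ret = False; }`, assuming the ctr1 structure exposes its element count as `count`. The two blocks differ only in the SID constant, so a small loop over `SID_BUILTIN` and `SID_BUILTIN_ADMINISTRATORS` would remove the duplication. The enclosing function starts and ends outside the hunk.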



svn commit: samba r9772 - in branches/SAMBA_4_0/source: gtk/common lib lib/cmdline utils

2005-08-29 Thread abartlet
Author: abartlet
Date: 2005-08-30 01:19:41 + (Tue, 30 Aug 2005)
New Revision: 9772

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9772

Log:
Make credentials callbacks more consistent with the abstraction
function interface used in the credentials code.

Fix bug in ntlm_auth, where we would overwrite the PW specified as a
first input.  (Reported and chased by Kai Blin <[EMAIL PROTECTED]>, bug
#3040)

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/gtk/common/credentials.c
   branches/SAMBA_4_0/source/lib/cmdline/credentials.c
   branches/SAMBA_4_0/source/lib/credentials.c
   branches/SAMBA_4_0/source/utils/ntlm_auth.c


Changeset:
Sorry, the patch is too large (480 lines) to include; please use WebSVN to see 
it!
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9772


svn commit: samba-web r795 - in trunk/devel: .

2005-08-29 Thread abartlet
Author: abartlet
Date: 2005-08-30 01:25:50 + (Tue, 30 Aug 2005)
New Revision: 795

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba-web&rev=795

Log:
A first cut at updating the Samba4 status page.  Comments/patches welcome.



Modified:
   trunk/devel/roadmap-4.0.html


Changeset:
Modified: trunk/devel/roadmap-4.0.html
===
--- trunk/devel/roadmap-4.0.html2005-08-29 21:20:56 UTC (rev 794)
+++ trunk/devel/roadmap-4.0.html2005-08-30 01:25:50 UTC (rev 795)
@@ -4,11 +4,29 @@
 
 Roadmap to Samba 4.0.0 
 
-Page Last Updated: 24 February 2005
+Page Last Updated: 30 Aug 2005
 
 Samba4
 
-What is Samba 4 meant to accomplish?  In simplest terms, Samba 4 is an 
ambitious, yet achievable, reworking of the Samba code.  Major features for 
Samba 4 will include: protocol completeness, extreme testability, non-POSIX 
backends, fully asynchronous internals, flexible process models, auto-generated 
RPC infrastructure, and flexible database architecture.
+What is Samba 4 meant to accomplish?  In simplest terms, Samba 4 is
+an ambitious, yet achievable, reworking of the Samba code.  Major
+features for Samba 4 already include: 
+ 
+  support of the 'Active Directory'
+logon and administration protocols
+  new 'full coverage' testsuites
+  full NTFS semantics for sharing backends
+  Internal LDAP server, with AD semantics
+  Internal Kerberos server, including PAC support
+  fully asynchronous internals
+  flexible process models
+  better scalablilty from micro to very large installations
+  new RPC infrastructure (PIDL)
+  flexible database architecture (LDB)
+  embedded scripting language (ejs)
+  generic security subsystem (GENSEC)
+  over 50% auto-generated code!
+
 
 One of the goals of Samba4 is to implement an Active Directory compatible 
Domain
 Controller.  Andrew Bartlett has written an excellent thesis on issues involved
@@ -17,13 +35,18 @@
 http://news.samba.org/";>news.samba.org and is available 
 here (in PDF).
 
+Current Status
 Volker Lendecke has also written an excellent 
 Advances in Samba4 paper (in 
PDF),
-and Tridge has some slides on Samba4 available  
-here.
-  
+and in May 2005, Tridge gave a 
+http://samba.org/ftp/samba/slides/tridge_sambaxp05.pdf";>Samba4
+Progress report and Roadmap.  Since that time, we have implemented
+an embedded web server, a KDC and made vast improvements to the
+embedded LDAP server.  
 
-Current Status
+In short, you can join a WinNT, Win2000, WinXP or Win2003 member
+server to a Samba4 domain, and it will behave much as it does in AD,
+including Kerberos domain logins where applicable.  
 
 Samba4 development is moving very rapidly, but there is still much work to 
be
 done.  A date has not been set for an official release, but the current source 
is
@@ -32,7 +55,6 @@
 Samba4's websvn pages.  For more info on obtaining the sources via a 
Subversion
 client, see the samba.org devel page.
 
-
 Roadmap Overview
 
 Since Samba4 is a test-driven development process, the roadmap here follows 
that



svn commit: samba r9778 - in branches/SAMBA_4_0/source/torture/rpc: .

2005-08-29 Thread abartlet
Author: abartlet
Date: 2005-08-30 03:37:14 + (Tue, 30 Aug 2005)
New Revision: 9778

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9778

Log:
Test for particular error returns, rather than just OK/not OK.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/torture/rpc/drsuapi.c


Changeset:
Modified: branches/SAMBA_4_0/source/torture/rpc/drsuapi.c
===
--- branches/SAMBA_4_0/source/torture/rpc/drsuapi.c 2005-08-30 02:36:48 UTC 
(rev 9777)
+++ branches/SAMBA_4_0/source/torture/rpc/drsuapi.c 2005-08-30 03:37:14 UTC 
(rev 9778)
@@ -127,12 +127,27 @@
return ret;
}
switch (formats[i]) {
+   case DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL:  
+   if (r.out.ctr.ctr1->array[0].status != 
DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE) {
+   printf(__location__ ": Unexpected error (%d): 
This name lookup should fail\n", 
+  r.out.ctr.ctr1->array[0].status);
+   return False;
+   }
+   printf ("(expected) error\n");
+   break;
case DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL:
-   case DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL:  
+   if (r.out.ctr.ctr1->array[0].status != 
DRSUAPI_DS_NAME_STATUS_NO_MAPPING) {
+   printf(__location__ ": Unexpected error (%d): 
This name lookup should fail\n", 
+  r.out.ctr.ctr1->array[0].status);
+   return False;
+   }
+   printf ("(expected) error\n");
+   break;
+   case DRSUAPI_DS_NAME_FORMAT_DNS_DOMAIN: 
case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY: 
-   case DRSUAPI_DS_NAME_FORMAT_DNS_DOMAIN: 
-   if (r.out.ctr.ctr1->array[0].status == 
DRSUAPI_DS_NAME_STATUS_OK) {
-   printf("Unexpected success: This name lookup 
should fail\n");
+   if (r.out.ctr.ctr1->array[0].status != 
DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR) {
+   printf(__location__ ": Unexpected error (%d): 
This name lookup should fail\n", 
+  r.out.ctr.ctr1->array[0].status);
return False;
}
printf ("(expected) error\n");
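Review bot: Each of the three rewritten cases reads `r.out.ctr.ctr1->array[0].status` straight from the server's reply, and nothing visible in this hunk confirms that the reply carries at least one entry. Unless the code before the switch (outside the hunk) already checks it, a guard such as `if (r.out.ctr.ctr1 == NULL || r.out.ctr.ctr1->count < 1) { printf("no result entries\n"); return False; }` would turn a malformed reply into a test failure instead of a crash of the torture client. The three case bodies also differ only in the expected status, so a small helper taking the expected value would remove the duplication. The same unchecked access recurs in the later negative-test hunks for this file on this page.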
@@ -724,9 +739,67 @@
}
 
 
-   /* NEGATIVE test.  This should parse, but not succeed */
+   /* NEGATIVE tests.  This should parse, but not succeed */
+   r.in.req.req1.format_offered= 
DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL;
+   r.in.req.req1.format_desired= DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
+   names[0].str = talloc_asprintf(mem_ctx, "cifs/[EMAIL PROTECTED]", 
+  priv->dcinfo.netbios_name, dns_domain,
+  dns_domain);
+
+   printf("testing DsCrackNames with Service Principal '%s' desired 
format:%d\n",
+   names[0].str, r.in.req.req1.format_desired);
+
+   status = dcerpc_drsuapi_DsCrackNames(p, mem_ctx, &r);
+   if (!NT_STATUS_IS_OK(status)) {
+   const char *errstr = nt_errstr(status);
+   if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
+   errstr = dcerpc_errstr(mem_ctx, p->last_fault_code);
+   }
+   printf("dcerpc_drsuapi_DsCrackNames failed - %s\n", errstr);
+   ret = False;
+   } else if (!W_ERROR_IS_OK(r.out.result)) {
+   printf("DsCrackNames failed - %s\n", win_errstr(r.out.result));
+   ret = False;
+   } else if (r.out.ctr.ctr1->array[0].status != 
DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY) {
+   printf("DsCrackNames incorrect error on name - %d\n", 
r.out.ctr.ctr1->array[0].status);
+   ret = False;
+   }
+
+   if (!ret) {
+   return ret;
+   }
+
+   /* NEGATIVE tests.  This should parse, but not succeed */
r.in.req.req1.format_offered= DRSUAPI_DS_NAME_FORMAT_GUID;
r.in.req.req1.format_desired= DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
+   names[0].str = "NOT A GUID";
+
+   printf("testing DsCrackNames with BIND GUID '%s' desired format:%d\n",
+   names[0].str, r.in.req.req1.format_desired);
+
+   status = dcerpc_drsuapi_DsCrackNames(p, mem_ctx, &r);
+   if (!NT_STATUS_IS_OK(status)) {
+   const char *errstr = nt_errstr(status);
+   if (NT_ST

svn commit: lorikeet r446 - in trunk/heimdal/lib/krb5: .

2005-08-30 Thread abartlet
Author: abartlet
Date: 2005-08-30 19:52:04 + (Tue, 30 Aug 2005)
New Revision: 446

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=446

Log:
Add more principal parsing functions, to try and parse principals
where we explicitly expect and want them to be without a realm.

(I want to use the 'real' krb5 parsing functions in DRSUAPI CrackNames).

Andrew Bartlett

Modified:
   trunk/heimdal/lib/krb5/principal.c
   trunk/heimdal/lib/krb5/test_princ.c


Changeset:
Modified: trunk/heimdal/lib/krb5/principal.c
===
--- trunk/heimdal/lib/krb5/principal.c  2005-08-29 00:32:59 UTC (rev 445)
+++ trunk/heimdal/lib/krb5/principal.c  2005-08-30 19:52:04 UTC (rev 446)
@@ -91,10 +91,11 @@
 return princ_ncomp(principal, component);
 }
 
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_parse_name(krb5_context context,
-   const char *name,
-   krb5_principal *principal)
+krb5_error_code 
+parse_name(krb5_context context,
+  const char *name,
+  krb5_boolean short_form,
+  krb5_principal *principal)
 {
 krb5_error_code ret;
 heim_general_string *comp;
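Review bot: `parse_name` is introduced here with external linkage and an unprefixed, very generic name, while the only callers shown on this page are the two wrappers added later in the same file. Declaring it `static krb5_error_code parse_name(...)` would keep it out of the library's symbol namespace and out of any prototype header produced from this file; the r9931 merge further down this page shows a `parse_name` prototype landing in krb5-protos.h. The function body continues outside the hunk.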
@@ -184,19 +185,29 @@
}
*q++ = c;
 }
-if(got_realm){
-   realm = malloc(q - start + 1);
-   if (realm == NULL) {
-   krb5_set_error_string (context, "malloc: out of memory");
-   ret = ENOMEM;
+if (got_realm) {
+   if (short_form) {
+   krb5_set_error_string (context, "realm found in 'short' principal 
expected to be without one!");
+   ret = KRB5_PARSE_MALFORMED;
goto exit;
+   } else {
+   realm = malloc(q - start + 1);
+   if (realm == NULL) {
+   krb5_set_error_string (context, "malloc: out of memory");
+   ret = ENOMEM;
+   goto exit;
+   }
+   memcpy(realm, start, q - start);
+   realm[q - start] = 0;
}
-   memcpy(realm, start, q - start);
-   realm[q - start] = 0;
 }else{
-   ret = krb5_get_default_realm (context, &realm);
-   if (ret)
-   goto exit;
+   if (short_form) {
+   ret = krb5_get_default_realm (context, &realm);
+   if (ret)
+   goto exit;
+   } else {
+   realm = NULL;
+   }
 
comp[n] = malloc(q - start + 1);
if (comp[n] == NULL) {
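Review bot: The `short_form` test in the no-realm branch looks inverted. `krb5_parse_name` passes FALSE and now gets `realm = NULL` for a name without '@' where it previously got the default realm, while `krb5_parse_name_norealm` passes TRUE and is the one that fetches the default realm. If the intent matches the log message, the branch should read `if (!short_form) { ret = krb5_get_default_realm(context, &realm); if (ret) goto exit; } else { realm = NULL; }`. As written, existing callers can receive a principal whose realm is NULL, which code such as the `strlen(princ_realm(principal))` in the unparse hunk below would dereference. The identical hunk is merged into Samba in r9931 further down, and the function continues outside the hunk.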
@@ -229,6 +240,21 @@
 return ret;
 }
 
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_parse_name(krb5_context context,
+   const char *name,
+   krb5_principal *principal)
+{
+return parse_name(context, name, FALSE, principal);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_parse_name_norealm(krb5_context context,
+   const char *name,
+   krb5_principal *principal)
+{
+return parse_name(context, name, TRUE, principal);
+}
 static const char quotable_chars[] = " \n\t\b\\/@";
 static const char replace_chars[] = " ntb\\/@";
 
@@ -323,12 +349,17 @@
 int i;
 krb5_error_code ret;
 /* count length */
-plen = strlen(princ_realm(principal));
-if(strcspn(princ_realm(principal), quotable_chars) == plen)
-   len += plen;
-else
-   len += 2*plen;
-len++;
+if (!short_flag) {
+   plen = strlen(princ_realm(principal));
+   if(strcspn(princ_realm(principal), quotable_chars) == plen)
+   len += plen;
+   else
+   len += 2*plen;
+   len++;
+} else {
+   len = 0;
+}
+
 for(i = 0; i < princ_num_comp(principal); i++){
plen = strlen(princ_ncomp(principal, i));
if(strcspn(princ_ncomp(principal, i), quotable_chars) == plen)

Modified: trunk/heimdal/lib/krb5/test_princ.c
===
--- trunk/heimdal/lib/krb5/test_princ.c 2005-08-29 00:32:59 UTC (rev 445)
+++ trunk/heimdal/lib/krb5/test_princ.c 2005-08-30 19:52:04 UTC (rev 446)
@@ -107,14 +107,32 @@
 
 ret = krb5_unparse_name_short(context, p, &princ_unparsed);
 if (ret)
-   krb5_err(context, 1, ret, "krb5_parse_name");
+   krb5_err(context, 1, ret, "krb5_unparse_name_short");
 
 if (strcmp(princ, princ_unparsed)) {
krb5_errx(context, 1, "%s != %s", princ, princ_unparsed);
 }
 free(princ_unparsed);
 
+ret = krb5_parse_name_norealm(context, princ, &p2);
+if (!ret)
+   krb5_err(context, 1, ret, "Should have failed to parse %s a short 
name", princ);
 
+ret = krb5_parse_name_norealm(context, princ_short, &p2);
+if (ret)
+   krb5_err(context, 1, ret, "krb5_parse_name");
+
+ret = krb5_unparse_name_norealm(context, p2, &princ_unparsed);
+if (ret)
+   krb5_err(context, 1, ret, "krb5_unparse_name_norealm");
+
+if (strcmp(princ_short, princ_unparsed)) {
+   krb5_errx(context, 1, "%s != %s", princ_short, princ_unparsed);
+}
+free(princ_unparsed);
+
+
+
 krb5_free_principal(context, p);
 }
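Review bot: The first new check calls `krb5_err(context, 1, ret, ...)` on the branch where `ret` is 0, so the failure message is suffixed with the error text for a success code; `krb5_errx(context, 1, "Should have failed to parse %s as a short name", princ);` reports it cleanly. `p2` is also never released: the hunk ends with `krb5_free_principal(context, p);` only, so `krb5_free_principal(context, p2);` should be added next to it. The message on the second `krb5_parse_name_norealm` failure still names `krb5_parse_name`, which makes a failure harder to locate. The enclosing test function starts outside the hunk.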
 



svn commit: samba r9859 - in branches/SAMBA_4_0/source: heimdal/cf heimdal_build

2005-08-31 Thread abartlet
Author: abartlet
Date: 2005-09-01 01:32:50 + (Thu, 01 Sep 2005)
New Revision: 9859

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9859

Log:
Enable (blocking) KDC resolution with DNS.

To enable, set:

[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true

in your /etc/krb5.conf.

In the future I may override the krb5.conf and set this on by default
in Samba4.

Andrew Bartlett


Added:
   branches/SAMBA_4_0/source/heimdal/cf/find-func-no-libs.m4
   branches/SAMBA_4_0/source/heimdal/cf/find-func-no-libs2.m4
   branches/SAMBA_4_0/source/heimdal/cf/find-func.m4
   branches/SAMBA_4_0/source/heimdal/cf/resolv.m4
Modified:
   branches/SAMBA_4_0/source/heimdal_build/config.m4
   branches/SAMBA_4_0/source/heimdal_build/config.mk


Changeset:
Sorry, the patch is too large (258 lines) to include; please use WebSVN to see 
it!
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9859


svn commit: samba r9861 - in branches/SAMBA_4_0/source/torture/rpc: .

2005-08-31 Thread abartlet
Author: abartlet
Date: 2005-09-01 02:23:38 + (Thu, 01 Sep 2005)
New Revision: 9861

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9861

Log:
I need to convert this to table-driven, but anyway...

More CrackNames testing

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/torture/rpc/drsuapi.c


Changeset:
Modified: branches/SAMBA_4_0/source/torture/rpc/drsuapi.c
===
--- branches/SAMBA_4_0/source/torture/rpc/drsuapi.c 2005-09-01 01:43:30 UTC 
(rev 9860)
+++ branches/SAMBA_4_0/source/torture/rpc/drsuapi.c 2005-09-01 02:23:38 UTC 
(rev 9861)
@@ -774,7 +774,7 @@
r.in.req.req1.format_desired= DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
names[0].str = "NOT A GUID";
 
-   printf("testing DsCrackNames with BIND GUID '%s' desired format:%d\n",
+   printf("testing DsCrackNames with GUID '%s' desired format:%d\n",
names[0].str, r.in.req.req1.format_desired);
 
status = dcerpc_drsuapi_DsCrackNames(p, mem_ctx, &r);
@@ -798,6 +798,34 @@
}
 
/* NEGATIVE tests.  This should parse, but not succeed */
+   r.in.req.req1.format_offered= 
DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY;
+   r.in.req.req1.format_desired= DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
+   names[0].str = "NOT A SID";
+
+   printf("testing DsCrackNames with SID '%s' desired format:%d\n",
+   names[0].str, r.in.req.req1.format_desired);
+
+   status = dcerpc_drsuapi_DsCrackNames(p, mem_ctx, &r);
+   if (!NT_STATUS_IS_OK(status)) {
+   const char *errstr = nt_errstr(status);
+   if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
+   errstr = dcerpc_errstr(mem_ctx, p->last_fault_code);
+   }
+   printf("dcerpc_drsuapi_DsCrackNames failed - %s\n", errstr);
+   ret = False;
+   } else if (!W_ERROR_IS_OK(r.out.result)) {
+   printf("DsCrackNames failed - %s\n", win_errstr(r.out.result));
+   ret = False;
+   } else if (r.out.ctr.ctr1->array[0].status != 
DRSUAPI_DS_NAME_STATUS_NOT_FOUND) {
+   printf("DsCrackNames incorrect error on name - %d\n", 
r.out.ctr.ctr1->array[0].status);
+   ret = False;
+   }
+
+   if (!ret) {
+   return ret;
+   }
+
+   /* NEGATIVE tests.  This should parse, but not succeed */
r.in.req.req1.format_offered= DRSUAPI_DS_NAME_FORMAT_GUID;
r.in.req.req1.format_desired= DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
names[0].str = GUID_string2(mem_ctx, &priv->bind_guid);
@@ -844,6 +872,52 @@
ret = False;
}
 
+   r.in.req.req1.format_offered= 
DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL;
+   r.in.req.req1.format_desired= DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
+   names[0].str = talloc_asprintf(mem_ctx, "%s$", 
priv->dcinfo.netbios_name);
+
+   printf("testing DsCrackNames with service principal name '%s' desired 
format:%d\n",
+   names[0].str, r.in.req.req1.format_desired);
+
+   status = dcerpc_drsuapi_DsCrackNames(p, mem_ctx, &r);
+   if (!NT_STATUS_IS_OK(status)) {
+   const char *errstr = nt_errstr(status);
+   if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
+   errstr = dcerpc_errstr(mem_ctx, p->last_fault_code);
+   }
+   printf("dcerpc_drsuapi_DsCrackNames failed - %s\n", errstr);
+   ret = False;
+   } else if (!W_ERROR_IS_OK(r.out.result)) {
+   printf("DsCrackNames failed - %s\n", win_errstr(r.out.result));
+   ret = False;
+   } else if (r.out.ctr.ctr1->array[0].status != 
DRSUAPI_DS_NAME_STATUS_NOT_FOUND) {
+   printf("DsCrackNames incorrect error on name - %d\n", 
r.out.ctr.ctr1->array[0].status);
+   ret = False;
+   }
+
+   r.in.req.req1.format_offered= DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL;
+   r.in.req.req1.format_desired= DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
+   names[0].str = "[EMAIL PROTECTED]";
+
+   printf("testing DsCrackNames with user principal name '%s' desired 
format:%d\n",
+   names[0].str, r.in.req.req1.format_desired);
+
+   status = dcerpc_drsuapi_DsCrackNames(p, mem_ctx, &r);
+   if (!NT_STATUS_IS_OK(status)) {
+   const char *errstr = nt_errstr(status);
+   if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
+   errstr = dcerpc_errstr(mem_ctx, p->last_fault_code);
+   }
+   printf("dcerpc_drsuapi_DsCrackNames fail

svn commit: samba r9872 - in trunk/source/utils: .

2005-08-31 Thread abartlet
Author: abartlet
Date: 2005-09-01 06:13:14 + (Thu, 01 Sep 2005)
New Revision: 9872

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9872

Log:
Ensure to spit out a base64 blob on the final leg of NTLMSSP in the
client, now the NTLMSSP code issues an 'AF' for the final packet.

Andrew Bartlett

Modified:
   trunk/source/utils/ntlm_auth.c


Changeset:
Modified: trunk/source/utils/ntlm_auth.c
===
--- trunk/source/utils/ntlm_auth.c  2005-09-01 06:11:32 UTC (rev 9871)
+++ trunk/source/utils/ntlm_auth.c  2005-09-01 06:13:14 UTC (rev 9872)
@@ -693,7 +693,8 @@
data_blob_free(&reply);
DEBUG(10, ("NTLMSSP challenge\n"));
} else if (NT_STATUS_IS_OK(nt_status)) {
-   x_fprintf(x_stdout, "AF\n");
+   char *reply_base64 = base64_encode_data_blob(reply);
+   x_fprintf(x_stdout, "AF %s\n", reply_base64);
DEBUG(10, ("NTLMSSP OK!\n"));
if (ntlmssp_state)
ntlmssp_end(&ntlmssp_state);
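Review bot: `reply_base64` is allocated in the new success branch and never released in the lines shown, so each completed authentication leaks one encoded blob in a helper that normally serves many requests per process. Assuming the single-argument encoder returns malloc'd memory, free it after the write with `SAFE_FREE(reply_base64);`, and release `reply` with `data_blob_free(&reply);` as the challenge branch above does, unless that already happens below the hunk. If the encoder can return NULL on allocation failure, the `%s` argument should be guarded as well. The enclosing function starts and ends outside the hunk.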



svn commit: lorikeet r447 - in trunk/heimdal: . cf

2005-09-01 Thread abartlet
Author: abartlet
Date: 2005-09-01 07:02:24 + (Thu, 01 Sep 2005)
New Revision: 447

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=447

Log:
Move check for arpa/nameser.h into rk_RESOLV, remove bogus rcs header.

Move rk_RESOLV call into roken-frag.m4 per lha's preference.

Andrew Bartlett

Modified:
   trunk/heimdal/cf/resolv.m4
   trunk/heimdal/cf/roken-frag.m4
   trunk/heimdal/configure.in


Changeset:
Modified: trunk/heimdal/cf/resolv.m4
===
--- trunk/heimdal/cf/resolv.m4  2005-08-30 19:52:04 UTC (rev 446)
+++ trunk/heimdal/cf/resolv.m4  2005-09-01 07:02:24 UTC (rev 447)
@@ -1,11 +1,9 @@
 dnl stuff used by DNS resolv code
 
-dnl
-dnl $Id: dlopen.m4,v 1.2 2005/06/16 19:40:59 lha Exp $
-dnl
-
 AC_DEFUN([rk_RESOLV], [
 
+   AC_CHECK_HEADERS(arpa/nameser.h)
+
AC_CHECK_HEADERS(resolv.h, , , [AC_INCLUDES_DEFAULT
 #ifdef HAVE_SYS_TYPES_H
 #include 

Modified: trunk/heimdal/cf/roken-frag.m4
===
--- trunk/heimdal/cf/roken-frag.m4  2005-08-30 19:52:04 UTC (rev 446)
+++ trunk/heimdal/cf/roken-frag.m4  2005-09-01 07:02:24 UTC (rev 447)
@@ -46,7 +46,6 @@
 
 AC_CHECK_HEADERS([\
arpa/inet.h \
-   arpa/nameser.h  \
config.h\
crypt.h \
dirent.h\
@@ -137,8 +136,8 @@
 
 AC_FIND_FUNC(gethostbyname2, inet6 ip6)
 
+rk_RESOLV
 
-
 AC_BROKEN_SNPRINTF
 AC_BROKEN_VSNPRINTF
 

Modified: trunk/heimdal/configure.in
===
--- trunk/heimdal/configure.in  2005-08-30 19:52:04 UTC (rev 446)
+++ trunk/heimdal/configure.in  2005-09-01 07:02:24 UTC (rev 447)
@@ -213,8 +213,6 @@
 
 rk_OTP
 
-rk_RESOLV
-
 AC_CHECK_OSFC2
 
 AC_ARG_ENABLE(mmap,



svn commit: samba r9877 - in branches/SAMBA_4_0/source/heimdal/cf: .

2005-09-01 Thread abartlet
Author: abartlet
Date: 2005-09-01 07:03:33 + (Thu, 01 Sep 2005)
New Revision: 9877

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9877

Log:
Merge from lorikeet-heimdal, to try and fix build failures.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/heimdal/cf/resolv.m4


Changeset:
Modified: branches/SAMBA_4_0/source/heimdal/cf/resolv.m4
===
--- branches/SAMBA_4_0/source/heimdal/cf/resolv.m4  2005-09-01 06:39:19 UTC 
(rev 9876)
+++ branches/SAMBA_4_0/source/heimdal/cf/resolv.m4  2005-09-01 07:03:33 UTC 
(rev 9877)
@@ -2,6 +2,8 @@
 
 AC_DEFUN([rk_RESOLV], [
 
+   AC_CHECK_HEADERS(arpa/nameser.h)
+
AC_CHECK_HEADERS(resolv.h, , , [AC_INCLUDES_DEFAULT
 #ifdef HAVE_SYS_TYPES_H
 #include 



svn commit: samba r9878 - in branches/SAMBA_4_0/source/torture/rpc: .

2005-09-01 Thread abartlet
Author: abartlet
Date: 2005-09-01 07:07:00 + (Thu, 01 Sep 2005)
New Revision: 9878

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9878

Log:
This is getting a bit out of control, but a few more tests.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/torture/rpc/drsuapi.c


Changeset:
Modified: branches/SAMBA_4_0/source/torture/rpc/drsuapi.c
===
--- branches/SAMBA_4_0/source/torture/rpc/drsuapi.c 2005-09-01 07:03:33 UTC 
(rev 9877)
+++ branches/SAMBA_4_0/source/torture/rpc/drsuapi.c 2005-09-01 07:07:00 UTC 
(rev 9878)
@@ -826,6 +826,118 @@
}
 
/* NEGATIVE tests.  This should parse, but not succeed */
+   r.in.req.req1.format_offered= DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT;
+   r.in.req.req1.format_desired= DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
+   names[0].str = "NOT AN NT4 NAME";
+
+   printf("testing DsCrackNames with NT4 Name '%s' desired format:%d\n",
+   names[0].str, r.in.req.req1.format_desired);
+
+   status = dcerpc_drsuapi_DsCrackNames(p, mem_ctx, &r);
+   if (!NT_STATUS_IS_OK(status)) {
+   const char *errstr = nt_errstr(status);
+   if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
+   errstr = dcerpc_errstr(mem_ctx, p->last_fault_code);
+   }
+   printf("dcerpc_drsuapi_DsCrackNames failed - %s\n", errstr);
+   ret = False;
+   } else if (!W_ERROR_IS_OK(r.out.result)) {
+   printf("DsCrackNames failed - %s\n", win_errstr(r.out.result));
+   ret = False;
+   } else if (r.out.ctr.ctr1->array[0].status != 
DRSUAPI_DS_NAME_STATUS_NOT_FOUND) {
+   printf("DsCrackNames incorrect error on name - %d\n", 
r.out.ctr.ctr1->array[0].status);
+   ret = False;
+   }
+
+   if (!ret) {
+   return ret;
+   }
+
+   /* NEGATIVE tests.  This should parse, but not succeed */
+   r.in.req.req1.format_offered= DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
+   r.in.req.req1.format_desired= DRSUAPI_DS_NAME_FORMAT_GUID;
+   names[0].str = "NOT A DN";
+
+   printf("testing DsCrackNames with DN '%s' desired format:%d\n",
+   names[0].str, r.in.req.req1.format_desired);
+
+   status = dcerpc_drsuapi_DsCrackNames(p, mem_ctx, &r);
+   if (!NT_STATUS_IS_OK(status)) {
+   const char *errstr = nt_errstr(status);
+   if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
+   errstr = dcerpc_errstr(mem_ctx, p->last_fault_code);
+   }
+   printf("dcerpc_drsuapi_DsCrackNames failed - %s\n", errstr);
+   ret = False;
+   } else if (!W_ERROR_IS_OK(r.out.result)) {
+   printf("DsCrackNames failed - %s\n", win_errstr(r.out.result));
+   ret = False;
+   } else if (r.out.ctr.ctr1->array[0].status != 
DRSUAPI_DS_NAME_STATUS_NOT_FOUND) {
+   printf("DsCrackNames incorrect error on name - %d\n", 
r.out.ctr.ctr1->array[0].status);
+   ret = False;
+   }
+
+   if (!ret) {
+   return ret;
+   }
+
+   /* NEGATIVE tests.  This should parse, but not succeed */
+   r.in.req.req1.format_offered= DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL;
+   r.in.req.req1.format_desired= DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
+   names[0].str = "NOT A PRINCIPAL";
+
+   printf("testing DsCrackNames with user principal '%s' desired 
format:%d\n",
+   names[0].str, r.in.req.req1.format_desired);
+
+   status = dcerpc_drsuapi_DsCrackNames(p, mem_ctx, &r);
+   if (!NT_STATUS_IS_OK(status)) {
+   const char *errstr = nt_errstr(status);
+   if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
+   errstr = dcerpc_errstr(mem_ctx, p->last_fault_code);
+   }
+   printf("dcerpc_drsuapi_DsCrackNames failed - %s\n", errstr);
+   ret = False;
+   } else if (!W_ERROR_IS_OK(r.out.result)) {
+   printf("DsCrackNames failed - %s\n", win_errstr(r.out.result));
+   ret = False;
+   } else if (r.out.ctr.ctr1->array[0].status != 
DRSUAPI_DS_NAME_STATUS_NOT_FOUND) {
+   printf("DsCrackNames incorrect error on name - %d\n", 
r.out.ctr.ctr1->array[0].status);
+   ret = False;
+   }
+
+   if (!ret) {
+   return ret;
+   }
+
+   /* NEGATIVE tests.  This should parse, but not succeed */
+   r.in.req.req1.format_offered= 
DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL;
+   r.in.req.req1.format_desired

svn commit: samba r9927 - in branches/SAMBA_4_0/source/auth/gensec: .

2005-09-01 Thread abartlet
Author: abartlet
Date: 2005-09-01 23:23:22 + (Thu, 01 Sep 2005)
New Revision: 9927

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9927

Log:
Extend copyright for all the hard work I've done this year.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/gensec/spnego.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/gensec/spnego.c
===
--- branches/SAMBA_4_0/source/auth/gensec/spnego.c  2005-09-01 23:13:18 UTC 
(rev 9926)
+++ branches/SAMBA_4_0/source/auth/gensec/spnego.c  2005-09-01 23:23:22 UTC 
(rev 9927)
@@ -4,7 +4,7 @@
RFC2478 Compliant SPNEGO implementation

Copyright (C) Jim McDonough <[EMAIL PROTECTED]>  2003
-   Copyright (C) Andrew Bartlett <[EMAIL PROTECTED]> 2004
+   Copyright (C) Andrew Bartlett <[EMAIL PROTECTED]> 2004-2005
 
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by



svn commit: samba r9928 - in branches/SAMBA_4_0/source/lib/ldb/common: .

2005-09-01 Thread abartlet
Author: abartlet
Date: 2005-09-01 23:24:16 + (Thu, 01 Sep 2005)
New Revision: 9928

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9928

Log:
ncName is a DN, and needs to use DN matching rules.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/lib/ldb/common/ldb_attributes.c


Changeset:
Modified: branches/SAMBA_4_0/source/lib/ldb/common/ldb_attributes.c
===
--- branches/SAMBA_4_0/source/lib/ldb/common/ldb_attributes.c   2005-09-01 
23:23:22 UTC (rev 9927)
+++ branches/SAMBA_4_0/source/lib/ldb/common/ldb_attributes.c   2005-09-01 
23:24:16 UTC (rev 9928)
@@ -149,6 +149,7 @@
const char *syntax;
} wellknown[] = {
{ "dn", LDB_SYNTAX_DN },
+   { "ncName", LDB_SYNTAX_DN },
{ "distinguishedName", LDB_SYNTAX_DN },
{ "cn", LDB_SYNTAX_DIRECTORY_STRING },
{ "dc", LDB_SYNTAX_DIRECTORY_STRING },



svn commit: samba r9929 - in branches/SAMBA_4_0/source/lib: . ldb/common

2005-09-01 Thread abartlet
Author: abartlet
Date: 2005-09-01 23:24:47 + (Thu, 01 Sep 2005)
New Revision: 9929

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9929

Log:
Fix indentation

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/lib/credentials.c
   branches/SAMBA_4_0/source/lib/ldb/common/ldb_dn.c


Changeset:
Modified: branches/SAMBA_4_0/source/lib/credentials.c
===
--- branches/SAMBA_4_0/source/lib/credentials.c 2005-09-01 23:24:16 UTC (rev 
9928)
+++ branches/SAMBA_4_0/source/lib/credentials.c 2005-09-01 23:24:47 UTC (rev 
9929)
@@ -128,7 +128,9 @@
return talloc_reference(mem_ctx, cred->principal);
 }
 
-BOOL cli_credentials_set_principal(struct cli_credentials *cred, const char 
*val, enum credentials_obtained obtained)
+BOOL cli_credentials_set_principal(struct cli_credentials *cred, 
+  const char *val, 
+  enum credentials_obtained obtained)
 {
if (obtained >= cred->principal_obtained) {
cred->principal = talloc_strdup(cred, val);

Modified: branches/SAMBA_4_0/source/lib/ldb/common/ldb_dn.c
===
--- branches/SAMBA_4_0/source/lib/ldb/common/ldb_dn.c   2005-09-01 23:24:16 UTC 
(rev 9928)
+++ branches/SAMBA_4_0/source/lib/ldb/common/ldb_dn.c   2005-09-01 23:24:47 UTC 
(rev 9929)
@@ -688,7 +688,7 @@
 }
 
 struct ldb_dn_component *ldb_dn_build_component(void *mem_ctx, const char 
*attr,
-  const char *val)
+   const char *val)
 {
struct ldb_dn_component *dc;
 
@@ -783,7 +783,7 @@
 
for (i = 0; i < dn1->comp_num; i++) {
new->components[i] = ldb_dn_copy_component(new->components,
-   
&(dn1->components[i]));
+  
&(dn1->components[i]));
}
 
return new;



svn commit: samba r9930 - in branches/SAMBA_4_0/source: dsdb/samdb rpc_server/lsa rpc_server/samr

2005-09-01 Thread abartlet
Author: abartlet
Date: 2005-09-01 23:26:50 + (Thu, 01 Sep 2005)
New Revision: 9930

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9930

Log:
Use a single samdb_base_dn() function rather than lots of silly
searches all over the place.

This can be extended to cover an NT4 (no ADS) mode in future as well.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/dsdb/samdb/samdb.c
   branches/SAMBA_4_0/source/rpc_server/lsa/dcesrv_lsa.c
   branches/SAMBA_4_0/source/rpc_server/samr/dcesrv_samr.c


Changeset:
Modified: branches/SAMBA_4_0/source/dsdb/samdb/samdb.c
===
--- branches/SAMBA_4_0/source/dsdb/samdb/samdb.c2005-09-01 23:24:47 UTC 
(rev 9929)
+++ branches/SAMBA_4_0/source/dsdb/samdb/samdb.c2005-09-01 23:26:50 UTC 
(rev 9930)
@@ -969,3 +969,37 @@
 
return sd;
 }
+
+struct ldb_dn *samdb_base_dn(TALLOC_CTX *mem_ctx) 
+{
+   TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+   int server_role = lp_server_role();
+   const char **split_realm;
+   struct ldb_dn *dn;
+   
+   if (!tmp_ctx) {
+   return NULL;
+   }
+
+   if ((server_role == ROLE_DOMAIN_PDC)
+   || (server_role == ROLE_DOMAIN_BDC)) {
+   int i;
+   split_realm = str_list_make(tmp_ctx, lp_realm(), ".");
+   if (!split_realm) {
+   talloc_free(tmp_ctx);
+   return NULL;
+   }
+   dn = NULL;
+   i = str_list_length(split_realm);
+   i--;
+   for (; i >= 0; i--) {
+   dn = ldb_dn_build_child(tmp_ctx, "dc", split_realm[i], 
dn);
+   if (!dn) {
+   talloc_free(tmp_ctx);
+   return NULL;
+   }
+   }
+   return dn;
+   }
+   return ldb_dn_string_compose(mem_ctx, NULL, "cn=%s", lp_netbios_name());
+}
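Review bot: `tmp_ctx` is freed only on the failure paths of `samdb_base_dn`. In the DC branch the DN is built on `tmp_ctx` and returned as-is, so it stays parented to a scratch context rather than to `mem_ctx`; before `return dn;` add `talloc_steal(mem_ctx, dn); talloc_free(tmp_ctx);`. The non-DC path returns the `ldb_dn_string_compose()` result without a `talloc_free(tmp_ctx);`, leaving an empty child context on the caller's `mem_ctx` for every call. Separately, an empty realm would appear to leave the loop with nothing to build and return NULL, which the dcesrv_lsa.c caller in this commit reports as NT_STATUS_NO_MEMORY.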

Modified: branches/SAMBA_4_0/source/rpc_server/lsa/dcesrv_lsa.c
===
--- branches/SAMBA_4_0/source/rpc_server/lsa/dcesrv_lsa.c   2005-09-01 
23:24:47 UTC (rev 9929)
+++ branches/SAMBA_4_0/source/rpc_server/lsa/dcesrv_lsa.c   2005-09-01 
23:26:50 UTC (rev 9930)
@@ -240,9 +240,15 @@
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
 
+   /* work out the domain_dn - useful for so many calls its worth
+  fetching here */
+   state->domain_dn = samdb_base_dn(state);
+   if (!state->domain_dn) {
+   return NT_STATUS_NO_MEMORY; 
+   }
+
ret_domain = gendb_search(state->sam_ldb, mem_ctx, NULL, &msgs_domain, 
domain_attrs,
- 
"(&(&(nETBIOSName=%s)(objectclass=crossRef))(ncName=*))", 
- lp_workgroup());
+ "(&(objectclass=crossRef)(ncName=%s))", 
ldb_dn_linearize(mem_ctx, state->domain_dn));

if (ret_domain == -1) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
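Review bot: The linearized DN is substituted directly into the search filter `(&(objectclass=crossRef)(ncName=%s))` without filter escaping, and the `ldb_dn_linearize()` result is not checked for NULL before it is formatted. The DN is derived from the configured realm rather than from the client, so exposure is limited, but a value containing `(`, `)`, `*` or a backslash would change the filter's meaning. Encode the value for filter use before substituting it, and return NT_STATUS_NO_MEMORY when linearization fails. The enclosing function starts and ends outside the hunk.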
@@ -252,16 +258,9 @@
return NT_STATUS_NO_SUCH_DOMAIN;
}
 
-   /* work out the domain_dn - useful for so many calls its worth
-  fetching here */
-   state->domain_dn = samdb_result_dn(state, msgs_domain[0], "nCName", 
NULL);
-   if (!state->domain_dn) {
-   return NT_STATUS_NO_SUCH_DOMAIN;
-   }
-
/* work out the builtin_dn - useful for so many calls its worth
   fetching here */
-   state->builtin_dn = samdb_search_dn(state->sam_ldb, mem_ctx, NULL, 
"objectClass=builtinDomain");
+   state->builtin_dn = samdb_search_dn(state->sam_ldb, mem_ctx, 
state->domain_dn, "(objectClass=builtinDomain)");
if (!state->builtin_dn) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
@@ -1062,9 +1061,9 @@
}
 
domains->domains = talloc_realloc(domains, 
-   domains->domains,
-   struct lsa_TrustInformation,
-   domains->count+1);
+ domains->domains,
+ struct lsa_TrustInformation,
+ domains->count+1);
if (domains->domains == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -1301,9 +1300,9 @@
}

/* check it really exists */
-   astate->account_dn = samdb_search_string(state->sam_ldb, astate,
-NULL, 
"(&(objectSid=%s)(objectClass=group))&

svn commit: samba r9931 - in branches/SAMBA_4_0/source: heimdal/lib/krb5 kdc

2005-09-01 Thread abartlet
Author: abartlet
Date: 2005-09-01 23:31:51 + (Thu, 01 Sep 2005)
New Revision: 9931

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9931

Log:
Make use of new 'norealm' parsing functions rather than strchr(p, '@').

Merge these norealm functions from lorikeet-heimdal.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/heimdal/lib/krb5/krb5-protos.h
   branches/SAMBA_4_0/source/heimdal/lib/krb5/principal.c
   branches/SAMBA_4_0/source/kdc/hdb-ldb.c


Changeset:
Modified: branches/SAMBA_4_0/source/heimdal/lib/krb5/krb5-protos.h
===
--- branches/SAMBA_4_0/source/heimdal/lib/krb5/krb5-protos.h2005-09-01 
23:26:50 UTC (rev 9930)
+++ branches/SAMBA_4_0/source/heimdal/lib/krb5/krb5-protos.h2005-09-01 
23:31:51 UTC (rev 9931)
@@ -2377,6 +2377,12 @@
const char */*name*/,
krb5_principal */*principal*/);
 
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_parse_name_norealm (
+   krb5_context /*context*/,
+   const char */*name*/,
+   krb5_principal */*principal*/);
+
 const char* KRB5_LIB_FUNCTION
 krb5_passwd_result_to_string (
krb5_context /*context*/,
@@ -3430,6 +3436,13 @@
 krb5_error_code KRB5_LIB_FUNCTION
 krb5_xfree (void */*ptr*/);
 
+krb5_error_code
+parse_name (
+   krb5_context /*context*/,
+   const char */*name*/,
+   krb5_boolean /*short_form*/,
+   krb5_principal */*principal*/);
+
 #ifdef __cplusplus
 }
 #endif

Modified: branches/SAMBA_4_0/source/heimdal/lib/krb5/principal.c
===
--- branches/SAMBA_4_0/source/heimdal/lib/krb5/principal.c  2005-09-01 
23:26:50 UTC (rev 9930)
+++ branches/SAMBA_4_0/source/heimdal/lib/krb5/principal.c  2005-09-01 
23:31:51 UTC (rev 9931)
@@ -91,10 +91,11 @@
 return princ_ncomp(principal, component);
 }
 
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_parse_name(krb5_context context,
-   const char *name,
-   krb5_principal *principal)
+krb5_error_code 
+parse_name(krb5_context context,
+  const char *name,
+  krb5_boolean short_form,
+  krb5_principal *principal)
 {
 krb5_error_code ret;
 heim_general_string *comp;
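Review bot: `parse_name` is defined here with external linkage and an unprefixed, very generic name, so the library now exports a symbol that can clash with any application or other library that defines its own `parse_name`. The only callers visible in this commit are the two wrappers added further down in the same file, so the definition can be `static krb5_error_code`, with the matching prototype dropped from krb5-protos.h if that header is not regenerated automatically. The body of the function continues outside this hunk.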
@@ -184,19 +185,29 @@
}
*q++ = c;
 }
-if(got_realm){
-   realm = malloc(q - start + 1);
-   if (realm == NULL) {
-   krb5_set_error_string (context, "malloc: out of memory");
-   ret = ENOMEM;
+if (got_realm) {
+   if (short_form) {
+   krb5_set_error_string (context, "realm found in 'short' principal 
expected to be without one!");
+   ret = KRB5_PARSE_MALFORMED;
goto exit;
+   } else {
+   realm = malloc(q - start + 1);
+   if (realm == NULL) {
+   krb5_set_error_string (context, "malloc: out of memory");
+   ret = ENOMEM;
+   goto exit;
+   }
+   memcpy(realm, start, q - start);
+   realm[q - start] = 0;
}
-   memcpy(realm, start, q - start);
-   realm[q - start] = 0;
 }else{
-   ret = krb5_get_default_realm (context, &realm);
-   if (ret)
-   goto exit;
+   if (short_form) {
+   ret = krb5_get_default_realm (context, &realm);
+   if (ret)
+   goto exit;
+   } else {
+   realm = NULL;
+   }
 
comp[n] = malloc(q - start + 1);
if (comp[n] == NULL) {
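Review bot: The `short_form` test in the no-realm branch looks inverted: `krb5_parse_name` passes FALSE and therefore lands on `realm = NULL`, while `krb5_parse_name_norealm` passes TRUE and gets the default realm filled in. Before this change a name without '@' always received the default realm, so existing `krb5_parse_name` callers would now get a principal with a NULL realm, and any later realm comparison or `strlen(princ_realm(principal))` would dereference it. The condition should read `if (!short_form) {` so that only the norealm variant leaves the realm unset. The function starts and ends outside this hunk.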
@@ -229,6 +240,21 @@
 return ret;
 }
 
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_parse_name(krb5_context context,
+   const char *name,
+   krb5_principal *principal)
+{
+return parse_name(context, name, FALSE, principal);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_parse_name_norealm(krb5_context context,
+   const char *name,
+   krb5_principal *principal)
+{
+return parse_name(context, name, TRUE, principal);
+}
 static const char quotable_chars[] = " \n\t\b\\/@";
 static const char replace_chars[] = " ntb\\/@";
 
@@ -323,12 +349,17 @@
 int i;
 krb5_error_code ret;
 /* count length */
-plen = strlen(princ_realm(principal));
-if(strcspn(princ_realm(principal), quotable_chars) == plen)
-   len += plen;
-else
-   len += 2*plen;
-len++;
+if (!short_flag) {
+   plen = strlen(princ_realm(principal));
+   if(strcspn(princ_realm(principal), quotable_chars) == plen)
+   len += plen;
+   else
+   len += 2*plen;
+   len++;
+} else {
+   len = 0;
+}
+
 for(i = 0; i < princ_num_comp(principal); i++){
plen = strlen(princ_ncomp(principal, i));
if(strcspn(princ_ncomp(principal, i), quotable_chars) == plen)
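Review bot: In the `!short_flag` branch `strlen(princ_realm(principal))` is called with no NULL check, while this same commit adds a path in `parse_name` that sets `realm = NULL`. A principal built that way and then unparsed in long form would crash here rather than fail cleanly. A guard before the length count, for example `if (!short_flag && princ_realm(principal) == NULL) return KRB5_PARSE_MALFORMED;` (with an error string set, and using whichever error code this function normally returns), would make that a reported error. The function begins outside this hunk, so the origin of `short_flag` and the initial value of `len` cannot be confirmed from here.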

Modified: branches/SAMBA_4_0/source/kdc/hdb-ldb.c
===

svn commit: samba r9940 - in branches/SAMBA_4_0/source/lib: .

2005-09-01 Thread abartlet
Author: abartlet
Date: 2005-09-02 03:13:04 + (Fri, 02 Sep 2005)
New Revision: 9940

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9940

Log:
When guessing, don't make DEBUG(1,... errors.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/lib/credentials.c


Changeset:
Modified: branches/SAMBA_4_0/source/lib/credentials.c
===
--- branches/SAMBA_4_0/source/lib/credentials.c 2005-09-02 03:10:42 UTC (rev 
9939)
+++ branches/SAMBA_4_0/source/lib/credentials.c 2005-09-02 03:13:04 UTC (rev 
9940)
@@ -334,7 +334,7 @@
} else {
ret = krb5_cc_default(ccc->smb_krb5_context->krb5_context, 
&ccc->ccache);
if (ret) {
-   DEBUG(1,("failed to read default krb5 ccache: %s\n", 
+   DEBUG(3,("failed to read default krb5 ccache: %s\n", 
 
smb_get_krb5_error_message(ccc->smb_krb5_context->krb5_context, ret, ccc)));
talloc_free(ccc);
return ret;
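Review bot: The demotion from `DEBUG(1, ...)` to `DEBUG(3, ...)` here, and in the next hunk for the principal lookup, applies to every caller of this code, not only to the guessing path that the log message describes. If this function can also be reached when a credentials cache was explicitly requested (the callers are outside the hunk, so this is an assumption), a failure to read the ccache becomes invisible at default log levels and Kerberos authentication problems get harder to diagnose. Consider keeping level 1 on the non-guess path, for instance by letting the caller pass the level or by deriving it from how the credentials were obtained.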
@@ -346,7 +346,7 @@
ret = krb5_cc_get_principal(ccc->smb_krb5_context->krb5_context, 
ccc->ccache, &princ);
 
if (ret) {
-   DEBUG(1,("failed to get principal from default ccache: %s\n", 
+   DEBUG(3,("failed to get principal from default ccache: %s\n", 
 
smb_get_krb5_error_message(ccc->smb_krb5_context->krb5_context, ret, ccc)));
talloc_free(ccc);   
return ret;



svn commit: samba r9941 - in branches/SAMBA_4_0/source: rpc_server/drsuapi torture/rpc

2005-09-01 Thread abartlet
Author: abartlet
Date: 2005-09-02 03:19:27 + (Fri, 02 Sep 2005)
New Revision: 9941

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9941

Log:
Update the CrackNames test, and provide a much improved server-side
DRSUAPI CrackNames.

We can't pass the full cracknames test until the initial provision is
updated and the separate DomainControllerInfo and canonical names support
is added.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/rpc_server/drsuapi/drsuapi_cracknames.c
   branches/SAMBA_4_0/source/torture/rpc/drsuapi.c


Changeset:
Sorry, the patch is too large (950 lines) to include; please use WebSVN to see 
it!
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9941


svn commit: samba r9942 - in branches/SAMBA_4_0/source/rpc_server/drsuapi: .

2005-09-01 Thread abartlet
Author: abartlet
Date: 2005-09-02 03:27:13 + (Fri, 02 Sep 2005)
New Revision: 9942

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9942

Log:
CN=Configuration is always under the database-wide base dn, so don't
try and pass it down as a parameter.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/rpc_server/drsuapi/drsuapi_cracknames.c


Changeset:
Modified: branches/SAMBA_4_0/source/rpc_server/drsuapi/drsuapi_cracknames.c
===
--- branches/SAMBA_4_0/source/rpc_server/drsuapi/drsuapi_cracknames.c   
2005-09-02 03:19:27 UTC (rev 9941)
+++ branches/SAMBA_4_0/source/rpc_server/drsuapi/drsuapi_cracknames.c   
2005-09-02 03:27:13 UTC (rev 9942)
@@ -43,7 +43,6 @@
 
 static enum drsuapi_DsNameStatus LDB_lookup_spn_alias(krb5_context context, 
struct ldb_context *ldb_ctx, 
   TALLOC_CTX *mem_ctx,
-  const struct ldb_dn *base_dn,
   const char *alias_from,
   char **alias_to)
 {
@@ -51,7 +50,7 @@
int count;
struct ldb_message **msg;
struct ldb_message_element *spnmappings;
-   struct ldb_dn *service_dn = ldb_dn_string_compose(mem_ctx, base_dn,
+   struct ldb_dn *service_dn = ldb_dn_string_compose(mem_ctx, 
samdb_base_dn(mem_ctx),
"CN=Directory 
Service,CN=Windows NT"

",CN=Services,CN=Configuration");
char *service_dn_str = ldb_dn_linearize(mem_ctx, service_dn);
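Review bot: `service_dn` is now composed from `samdb_base_dn(mem_ctx)` and handed straight to `ldb_dn_linearize` with no check that either call succeeded. Previously the base DN came from the caller; now a failure to obtain it inside this function, or an allocation failure in `ldb_dn_string_compose`, would pass a NULL DN to the next line. Unless a check follows outside this hunk, add `if (!service_dn) { return DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR; }` before linearizing, and test `service_dn_str` the same way before it is used in the search.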
@@ -117,7 +116,6 @@
 static WERROR DsCrackNameSPNAlias(struct drsuapi_bind_state *b_state, 
TALLOC_CTX *mem_ctx,
  struct smb_krb5_context *smb_krb5_context,
  uint32_t format_flags, uint32_t 
format_offered, uint32_t format_desired,
- const struct ldb_dn *result_basedn,
  const char *name, struct drsuapi_DsNameInfo1 
*info1)
 {
WERROR wret;
@@ -149,7 +147,6 @@
/* MAP it */
namestatus = LDB_lookup_spn_alias(smb_krb5_context->krb5_context, 
  b_state->sam_ctx, mem_ctx, 
- result_basedn, 
  service, &new_service);

if (namestatus != DRSUAPI_DS_NAME_STATUS_OK) {
@@ -530,7 +527,7 @@
return DsCrackNameSPNAlias(b_state, mem_ctx, 
   smb_krb5_context, 
   format_flags, 
format_offered, format_desired,
-  result_basedn, name, info1);
+  name, info1);

case DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL:
return DsCrackNameUPN(b_state, mem_ctx, 
smb_krb5_context, 



svn commit: lorikeet r448 - in trunk/heimdal/lib/krb5: .

2005-09-02 Thread abartlet
Author: abartlet
Date: 2005-09-02 09:59:21 + (Fri, 02 Sep 2005)
New Revision: 448

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=448

Log:
More kerberos parsing code, I think I need a function to parse names
which *must* have a realm.

Add more tests.

Andrew Bartlett

Modified:
   trunk/heimdal/lib/krb5/principal.c
   trunk/heimdal/lib/krb5/test_princ.c


Changeset:
Modified: trunk/heimdal/lib/krb5/principal.c
===
--- trunk/heimdal/lib/krb5/principal.c  2005-09-01 07:02:24 UTC (rev 447)
+++ trunk/heimdal/lib/krb5/principal.c  2005-09-02 09:59:21 UTC (rev 448)
@@ -91,10 +91,16 @@
 return princ_ncomp(principal, component);
 }
 
-krb5_error_code 
+enum realm_presence {
+   MAY,
+   MUSTNOT,
+   MUST
+};
+
+static krb5_error_code 
 parse_name(krb5_context context,
   const char *name,
-  krb5_boolean short_form,
+  enum realm_presence realm_presence,
   krb5_principal *principal)
 {
 krb5_error_code ret;
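Review bot: The enumerators `MAY`, `MUSTNOT` and `MUST` are declared at file scope with very generic names, so any header that defines a macro of the same name would break this file. The call sites such as `parse_name(context, name, MAY, principal)` also do not say what may or must be present. Prefixed names like `REALM_MAY`, `REALM_MUSTNOT` and `REALM_MUST` avoid the collision and read better at the call sites. A one-line comment per enumerator would document the policy, e.g. `/* no realm in the name: fill in the default realm */` for the first; this matters because the realm a principal ends up with determines which identity it names.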
@@ -186,7 +192,7 @@
*q++ = c;
 }
 if (got_realm) {
-   if (short_form) {
+   if (realm_presence == MUSTNOT) {
krb5_set_error_string (context, "realm found in 'short' principal 
expected to be without one!");
ret = KRB5_PARSE_MALFORMED;
goto exit;
@@ -201,12 +207,16 @@
realm[q - start] = 0;
}
 }else{
-   if (short_form) {
+   if (realm_presence == MAY) {
ret = krb5_get_default_realm (context, &realm);
if (ret)
goto exit;
-   } else {
+   } else if (realm_presence == MUSTNOT) {
realm = NULL;
+   } else if (realm_presence == MUST) {
+   krb5_set_error_string (context, "realm NOT found in principal 
expected to be with one!");
+   ret = KRB5_PARSE_MALFORMED;
+   goto exit;
}
 
comp[n] = malloc(q - start + 1);
@@ -245,7 +255,7 @@
const char *name,
krb5_principal *principal)
 {
-return parse_name(context, name, FALSE, principal);
+return parse_name(context, name, MAY, principal);
 }
 
 krb5_error_code KRB5_LIB_FUNCTION
@@ -253,8 +263,16 @@
const char *name,
krb5_principal *principal)
 {
-return parse_name(context, name, TRUE, principal);
+return parse_name(context, name, MUSTNOT, principal);
 }
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_parse_name_mustrealm(krb5_context context,
+ const char *name,
+ krb5_principal *principal)
+{
+return parse_name(context, name, MUST, principal);
+}
 static const char quotable_chars[] = " \n\t\b\\/@";
 static const char replace_chars[] = " ntb\\/@";
 

Modified: trunk/heimdal/lib/krb5/test_princ.c
===
--- trunk/heimdal/lib/krb5/test_princ.c 2005-09-01 07:02:24 UTC (rev 447)
+++ trunk/heimdal/lib/krb5/test_princ.c 2005-09-02 09:59:21 UTC (rev 448)
@@ -78,7 +78,7 @@
 
 asprintf(&princ_reformed, "[EMAIL PROTECTED]", princ_short, realm);
 
-ret = krb5_parse_name(context, princ, &p2);
+ret = krb5_parse_name(context, princ_reformed, &p2);
 if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
 
@@ -99,12 +99,65 @@
 if (strcmp(princ_short, princ_unparsed)) {
krb5_errx(context, 1, "%s != %s", princ_short, princ_unparsed);
 }
+
 free(princ_unparsed);
 
+ret = krb5_parse_name(context, princ_short, &p2);
+if (ret)
+   krb5_err(context, 1, ret, "krb5_parse_name");
+
+if (!krb5_principal_compare(context, p, p2)) {
+   krb5_errx(context, 1, "p != p2");
+}
+
+ret = krb5_unparse_name(context, p, &princ_unparsed);
+if (ret)
+   krb5_err(context, 1, ret, "krb5_parse_name");
+
+if (strcmp(princ, princ_unparsed)) {
+   krb5_errx(context, 1, "%s != %s", princ, princ_unparsed);
+}
+
 ret = krb5_set_default_realm(context, "SAMBA.ORG");
 if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
 
+ret = krb5_parse_name(context, princ_short, &p2);
+if (ret)
+   krb5_err(context, 1, ret, "krb5_parse_name");
+
+if (krb5_principal_compare(context, p, p2)) {
+   krb5_errx(context, 1, "p == p2");
+}
+
+ret = krb5_unparse_name(context, p2, &princ_unparsed);
+if (ret)
+   krb5_err(context, 1, ret, "krb5_parse_name");
+
+if (strcmp(princ, princ_unparsed) == 0) {
+   krb5_errx(context, 1, "%s == %s", princ, princ_unparsed);
+}
+
+krb5_free_principal(context, p2);
+
+ret = krb5_parse_name(context, princ, &p2);
+if (ret)
+   krb5_err(context, 1, ret, "krb5_

svn commit: lorikeet r449 - in trunk/heimdal/lib/kadm5: .

2005-09-02 Thread abartlet
Author: abartlet
Date: 2005-09-03 00:46:24 + (Sat, 03 Sep 2005)
New Revision: 449

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=449

Log:
Add file I forgot to commit ages ago.  This might get some of
lorikeet-heimdal building again...

Andrew Bartlett

Added:
   trunk/heimdal/lib/kadm5/iprop-commands.in


Changeset:
Added: trunk/heimdal/lib/kadm5/iprop-commands.in
===
--- trunk/heimdal/lib/kadm5/iprop-commands.in   2005-09-02 09:59:21 UTC (rev 
448)
+++ trunk/heimdal/lib/kadm5/iprop-commands.in   2005-09-03 00:46:24 UTC (rev 
449)
@@ -0,0 +1,109 @@
+/*
+ * Copyright (c) 2005 Kungliga Tekniska H�gskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *notice, this list of conditions and the following disclaimer in the 
+ *documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *may be used to endorse or promote products derived from this software 
+ *without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+/* $Id: iprop-commands.in,v 1.2 2005/08/24 18:09:08 lha Exp $ */
+
+command = {
+   name = "dump"
+   option = {
+   long = "config-file"
+   short = "c"
+   type = "string"
+   help = "configuration file"
+   argument = "file"
+   }
+   option = {
+   long = "realm"
+   short = "r"
+   type = "string"
+   help = "realm"
+   }
+   function = "iprop_dump"
+   help = "Prints the iprop transaction log in text."
+   max_args = "0"
+}
+command = {
+   name = "truncate"
+   option = {
+   long = "config-file"
+   short = "c"
+   type = "string"
+   help = "configuration file"
+   argument = "file"
+   }
+   option = {
+   long = "realm"
+   short = "r"
+   type = "string"
+   help = "realm"
+   }
+   function = "iprop_truncate"
+   help = "Truncate the log, preserve the version number."
+   max_args = "0"
+}
+command = {
+   name = "replay"
+   option = {
+   long = "start-version"
+   type = "integer"
+   help = "start replay with this version"
+   argument = "version-number"
+   }
+   option = {
+   long = "end-version"
+   type = "integer"
+   help = "end replay with this version"
+   argument = "version-number"
+   }
+   option = {
+   long = "config-file"
+   short = "c"
+   type = "string"
+   help = "configuration file"
+   argument = "file"
+   }
+   option = {
+   long = "realm"
+   short = "r"
+   type = "string"
+   help = "realm"
+   }
+   function = "iprop_replay"
+   help = "Replay the log on the database."
+   max_args = "0"
+}
+command = {
+   name = "help"
+   argument = "command"
+   max_args = "1"
+   function = "help"
+}



svn commit: lorikeet r450 - in trunk/heimdal/lib/kadm5: .

2005-09-02 Thread abartlet
Author: abartlet
Date: 2005-09-03 01:48:28 + (Sat, 03 Sep 2005)
New Revision: 450

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=450

Log:
Add more new and delete more old files missing from recent merge.

Andrew Bartlett

Added:
   trunk/heimdal/lib/kadm5/iprop-log.8
Removed:
   trunk/heimdal/lib/kadm5/iprop-commands.c


Changeset:
Sorry, the patch is too large (307 lines) to include; please use WebSVN to see 
it!
WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=450


svn commit: lorikeet r451 - in trunk/heimdal: . appl/rcp cf kadmin kcm kdc lib/kafs lib/krb5 lib/roken

2005-09-02 Thread abartlet
Author: abartlet
Date: 2005-09-03 04:56:33 + (Sat, 03 Sep 2005)
New Revision: 451

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=451

Log:
Update to Heimdal CVS as of 2005-09-05.  This includes build fixes for
hosts without an IPV6_V6ONLY define, as well as the integration of the
changes to split out the resolv tests.

Andrew Bartlett

Modified:
   trunk/heimdal/ChangeLog
   trunk/heimdal/NEWS
   trunk/heimdal/appl/rcp/ChangeLog
   trunk/heimdal/appl/rcp/util.c
   trunk/heimdal/cf/ChangeLog
   trunk/heimdal/cf/resolv.m4
   trunk/heimdal/cf/roken-frag.m4
   trunk/heimdal/configure.in
   trunk/heimdal/kadmin/ChangeLog
   trunk/heimdal/kadmin/kadm_conn.c
   trunk/heimdal/kcm/connect.c
   trunk/heimdal/kcm/headers.h
   trunk/heimdal/kdc/kerberos5.c
   trunk/heimdal/lib/kafs/ChangeLog
   trunk/heimdal/lib/kafs/afskrb5.c
   trunk/heimdal/lib/krb5/rd_req.c
   trunk/heimdal/lib/roken/ChangeLog
   trunk/heimdal/lib/roken/roken-common.h
   trunk/heimdal/lib/roken/socket.c


Changeset:
Sorry, the patch is too large (542 lines) to include; please use WebSVN to see 
it!
WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=451


svn commit: samba r10021 - in branches/SAMBA_4_0/source/auth/kerberos: .

2005-09-03 Thread abartlet
Author: abartlet
Date: 2005-09-04 06:19:57 + (Sun, 04 Sep 2005)
New Revision: 10021

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=10021

Log:
More kerberos notes.

Modified:
   branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt


Changeset:
Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt
===
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt  2005-09-04 
02:09:32 UTC (rev 10020)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt  2005-09-04 
06:19:57 UTC (rev 10021)
@@ -229,8 +229,9 @@
 
  - DCE_STYLE
 
- - gsskrb5_get_initiator_subkey() (return the opposite key to what the
-   lucid context and get_subkey() calls return).
+ - gsskrb5_get_initiator_subkey() (return the exact key that Samba3
+   has always asked for.  gsskrb5_get_subkey() might do what we need
+   anyway)
 
  - gsskrb5_get_authz_data()
 
@@ -281,13 +282,29 @@
 keytab was devised.  MEMORY_WILDCARD: is much like MEMORY:, except it
 only matches on kvno, rather than on the principal name.
 
+Another way of handling this amy be to declare "" as a wildcard name,
+or perhaps allow principal names to be fnmatch() or regex expressions.
+
+Hmm, looking over the code again, I'm really not sure we need this...
+We should be able to just specify the same principal as a desired name
+(GSSAPI) and principal (keytab).
+
 Extra Heimdal functions used
 
 (an attempt to list some of the Heimdal-specific functions I know we use)
 
-krb5_make_principal()
 krb5_free_keyblock_contents()
 
+also a raft of prinicpal manipulation functions:
+
+Prncipal Manipulation
+-
+
+Samba makes extensive use of the principal manipulation functions in
+Heimdal, including the known structure behind krb_principal and
+krb5_realm (a char *).
+
+
 KDC Extensions
 --
 


