DEBUG(2, ("Error obtaining ticket we require to contact %s: (possibly due to clock skew between us and the KDC) %s\n", gensec_gssapi_state->target_principal, error_string));
return NT_STATUS_TIME_DIFFERENCE_AT_DC;
default:
- DEBUG(1, ("Aquiring initiator credentials failed: %s\n", error_string));
+ DEBUG(1, ("Acquiring initiator credentials failed: %s\n", error_string));
return NT_STATUS_UNSUCCESSFUL;
}
&pac_blob);
/* IF we have the PAC - otherwise we need to get this
- * data from elsewere - local ldb, or (TODO) lookup of some
+ * data from elsewhere - local ldb, or (TODO) lookup of some
* kind...
*/
if (NT_STATUS_IS_OK(nt_status)) {
DEBUG(3, ("Error preparing credentials we require to contact %s : %s\n", principal, error_string));
return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
default:
- DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentials failed: %s\n", error_string));
+ DEBUG(1, ("gensec_krb5_start: Acquiring initiator credentials failed: %s\n", error_string));
return NT_STATUS_UNSUCCESSFUL;
}
server_in_keytab = NULL;
}
- /* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
+ /* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omitted) */
if (gensec_krb5_state->gssapi
&& gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
inbuf.data = (char *)unwrapped_in.data;
part of the port to MIT is to replace hdb-samba4 with a similar glue layer
that's designed for MIT's code.
-PAC requirements are implemeneted in source4/kdc/pac-glue.c
+PAC requirements are implemented in source4/kdc/pac-glue.c
The plugins (both of the above are Heimdal plugins) for the above are loaded
in source4/kdc/kdc.c
there's two kinds of name-canonicalization that can occur:
* lower-to-upper case conversion, because Windows domain names are
usually in upper case;
- * an unrecognizable subsitution of names, such as might happen when
+ * an unrecognizable substitution of names, such as might happen when
a user requests a ticket for a NetBIOS domain name, but gets back
- a ticket for the corresponging FQDN.
+ a ticket for the corresponding FQDN.
As developers, we should test if the AD KDC's name-canonicalisation
can be turned off with the KDCOption flags in the AS-REQ or TGS-REQ;
library might be called again, while still in the send_to_kdc hook).
Heimdal has this 'state machine safety' in parts, and we have modified
-the lorikeet branch to improve this behviour, when using a new,
+the lorikeet branch to improve this behaviour, when using a new,
non-standard API to tunnelling a ccache (containing a set of tickets)
through the gssapi, by temporarily casting the ccache pointer to a
gss credential pointer.
GSSAPI code. Therefore there is no need to use global variables to
communicate this information about keytab & ccache.
-At a more theoritical level (simply counting static and global
+At a more theoretical level (simply counting static and global
variables) Heimdal is not state machine safe for the GSSAPI layer.
(Heimdal is now (6/09) much more nearly free of globals.)
The Krb5 layer alone is much closer, as far as I can tell, blocking
- gsskrb5_get_initiator_subkey() (return the exact key that Samba3
has always asked for. gsskrb5_get_subkey() might do what we need
anyway). This is necessary, because in some spots, Microsoft uses
- raw Kerberos keys, outside the Kerberos protocls, and not using Kerberos
+ raw Kerberos keys, outside the Kerberos protocols, and not using Kerberos
wrappings etc. Ie, as a direct input to MD5 and ARCFOUR, without using
the make_priv() or make_safe() calls.
- server (tgt)
- krbtgt (kinit, tgt) the kdc's own ldap record
-I also now specify the kerberos principal as an explict parameter to LDB_fetch(),
+I also now specify the kerberos principal as an explicit parameter to LDB_fetch(),
not an in/out value on the struct hdb_entry parameter itself.
Private Data pointer (and windc hooks) (see above):
In addition, I have added a new interface hdb_fetch_ex(), which
returns a structure including a private data-pointer, which may be used
- by the windc plugin inferface functions. The windc plugin provides
+ by the windc plugin interface functions. The windc plugin provides
the hook for the PAC, as well as a function for the main access control routines.
A new windc plugin function should be added to increment the bad password counter
An important detail in the use of libkdc is that we use samba4's own socket
lib. This allows the KDC code to be as portable as the rest of samba
(this cuts both ways), but far more importantly it ensures a
-consistancy in the handling of requests, binding to sockets etc.
+consistency in the handling of requests, binding to sockets etc.
To handle TCP, we use of our socket layer in much the same way as
we deal with TCP for CIFS. Tridge created a generic packet handling
glue layer, so the main part of the port to MIT is
to replace hdb-samba4 with a similar glue layer
that's designed for MIT's code.
- * Samba4's PAC requirements are implemeneted in
+ * Samba4's PAC requirements are implemented in
source4/kdc/pac-glue.c
* Both of the above two layers are Heimdal plugins, and
both get loaded in source4/kdc/kdc.c
occur on Windows:
* Lower-to-upper case conversion, because Windows domain
names are usually in upper case;
- * An unrecognizable subsitution of names, such as might
+ * An unrecognizable substitution of names, such as might
happen when a user requests a ticket for a NetBIOS domain
- name, but gets back a ticket for the corresponging FQDN.
+ name, but gets back a ticket for the corresponding FQDN.
As developers, we should test if the AD KDC's name-canonical-
isation can be turned off with the KDCOption flags in the
AS-REQ or TGS-REQ; Windows clients always send the
c. Turn on MIT-krb 1.7'sPAC handling.
In addition, I have added a new interface hdb_fetch_ex(),
which returns a structure including a private data-pointer,
- which may be used by the windc plugin inferface functions.
+ which may be used by the windc plugin interface functions.
The windc plugin provides the hook for the PAC.
d. Samba4 needsaccess control hooks in the Heimdal& MIT
KDCs. We need to lockout accounts (eg, after 10 failed PW-
- attemps), and perform other controls. This is standard
+ attempts), and perform other controls. This is standard
AD behavior, that Samba4 needs to get right, whether
Heimdal or MIT-krb is doing the ticket work.
- If PADL doesn't publish their patch for this,
c. Make sure Samba4'sportable socket API works:
* An important detail in the use of libkdc is that we use samba4's
own socket lib. This allows the KDC code to be as portable as
- the rest of samba, but more importantly it ensures consistancy
+ the rest of samba, but more importantly it ensures consistency
in the handling of requests, binding to sockets etc.
* To handle TCP, we use of our socket layer in much the same way as
we deal with TCP for CIFS. Tridge created a generic packet handling
* from the start (otherwise we may miss a socket
* drop) and mark as AUTOCLOSE along with the fde */
- /* Ths is equivilant to EVENT_FD_READABLE(smb_krb5->fde) */
+ /* This is equivalent to EVENT_FD_READABLE(smb_krb5->fde) */
smb_krb5->fde = tevent_add_fd(ev, smb_krb5->sock,
socket_get_fd(smb_krb5->sock),
TEVENT_FD_READ,
*
* @param auth_ctx Supplies the challenges and some other data.
* Must be created with auth_context_create(), and the challenges should be
- * filled in, either at creation or by calling the challenge geneation
+ * filled in, either at creation or by calling the challenge generation
* function auth_get_challenge().
*
* @param user_info Contains the user supplied components, including the passwords.
/* Wrapper because we don't want to expose all callers to needing to
* know that session_info is generated from the main ldb, and because
- * we need to break a depenency loop between the DCE/RPC layer and the
+ * we need to break a dependency loop between the DCE/RPC layer and the
* generation of unix tokens via IRPC */
static NTSTATUS auth_generate_session_info_wrapper(struct auth4_context *auth_context,
TALLOC_CTX *mem_ctx,
/*
Unix SMB/CIFS implementation.
- Anonymous Authentification
+ Anonymous Authentication
Copyright (C) Stefan Metzmacher 2004-2005
/**
* Return an error based on username
*
- * This function allows the testing of obsure errors, as well as the generation
+ * This function allows the testing of obscure errors, as well as the generation
* of NT_STATUS -> DOS error mapping tables.
*
* This module is of no value to end-users.
* samdb_result_passwords_from_history() currently
* does not fail for missing attributes, it only sets
* nt_history_pwd = NULL, so "break" and fall down to
- * the bad password count upate if this happens
+ * the bad password count update if this happens
*/
if (!NT_STATUS_IS_OK(nt_status)) {
break;
/*
Unix SMB/CIFS implementation.
- Winbind authentication mechnism
+ Winbind authentication mechanism
Copyright (C) Tim Potter 2000
Copyright (C) Andrew Bartlett 2001 - 2002
* This ordering (having msDS-ResultantPSO first) is
* important. By processing this attribute first it is
* available in the operational module for the other PSO
- * attribute calcuations to use.
+ * attribute calculations to use.
*/
"msDS-ResultantPSO",
* level is raised to DS_BEHAVIOR_WIN2003 or higher, is calculated as
* 14 days minus a random percentage of 5 days", but we aren't doing
* that. The blogosphere seems to think that this randomised update
- * happens everytime, but [MS-ADA1] doesn't agree.
+ * happens every time, but [MS-ADA1] doesn't agree.
*
* Dochelp referred us to the following blog post:
* http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx
*/
/* This code sets up GENSEC in the way that all Samba servers want
- * (becaue they have presumed access to the sam.ldb etc */
+ * (because they have presumed access to the sam.ldb etc */
#include "includes.h"
#include "auth/auth.h"
/* Fill out the auth_session_info with a cli_credentials based on the
* auth_session_info we were forwarded over named pipe forwarding.
*
- * NOTE: The stucture members of session_info_transport are stolen
+ * NOTE: The structure members of session_info_transport are stolen
* with talloc_move() into auth_session_info for long term use
*/
struct auth_session_info *auth_session_info_from_transport(TALLOC_CTX *mem_ctx,
}
-/* Produce a session_info for an arbitary DN or principal in the local
+/* Produce a session_info for an arbitrary DN or principal in the local
* DB, assuming the local DB holds all the groups
*
* Supply either a principal or a DN
struct loadparm_context *lp_ctx,
struct auth_session_info_transport **transport_out);
-/* Produce a session_info for an arbitary DN or principal in the local
+/* Produce a session_info for an arbitrary DN or principal in the local
* DB, assuming the local DB holds all the groups
*
* Supply either a principal or a DN
git.samba.org / samba.git / commitdiff