samba.git/libds, branch master Unnamed repository; edit this file 'description' to name the repository. dsdb-samldb: Only allow known and settable userAccountControl bits to be set 2015-01-22T06:50:06+00:00 Andrew Bartlett abartlet@samba.org 2015-01-06T03:43:37+00:00 49485ab9782b7abc32581f29c35d862bb9a7058c Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
libds: UF_PARTIAL_SECRETS_ACCOUNT is a flag, not an account type 2015-01-22T06:50:06+00:00 Andrew Bartlett abartlet@samba.org 2014-12-10T01:15:54+00:00 412b602314e1174824d86940eacd74fb76774aba This list should only be of the account exclusive account type bits. Note, this corrects the behaviour in samldb modifies of userAccountControl. This reverts 6cb91a8f33516a33210a25e4019f3f3fbbfe61f2 Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
This list should only be of the account exclusive account type bits.

Note, this corrects the behaviour in samldb modifies of
userAccountControl.

This reverts 6cb91a8f33516a33210a25e4019f3f3fbbfe61f2

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
libds: add UF_PARTIAL_SECRETS_ACCOUNT to UF_ACCOUNT_TYPE_MASK 2014-04-02T15:12:47+00:00 Stefan Metzmacher metze@samba.org 2014-04-01T11:21:35+00:00 6cb91a8f33516a33210a25e4019f3f3fbbfe61f2 Change-Id: Ie26520c37c393ab4d2e3c5782e3dca46d4d1f83c Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Change-Id: Ie26520c37c393ab4d2e3c5782e3dca46d4d1f83c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
lib/param: Create a seperate server role for "active directory domain controller" 2012-06-15T07:18:33+00:00 Andrew Bartlett abartlet@samba.org 2012-06-10T12:08:20+00:00 b8815dc23d36468cce9b615335ed62f119eb8f35 This will allow us to detect from the smb.conf if this is a Samba4 AD DC which will allow smarter handling of (for example) accidentially starting smbd rather than samba. To cope with upgrades from existing Samba4 installs, 'domain controller' is a synonym of 'active directory domain controller' and new parameters 'classic primary domain controller' and 'classic backup domain controller' are added. Andrew Bartlett 
This will allow us to detect from the smb.conf if this is a Samba4 AD
DC which will allow smarter handling of (for example) accidentially
starting smbd rather than samba.

To cope with upgrades from existing Samba4 installs, 'domain
controller' is a synonym of 'active directory domain controller' and
new parameters 'classic primary domain controller' and 'classic backup
domain controller' are added.

Andrew Bartlett
s3-auth: remove "security=server" (depricated since 3.6) 2012-05-15T06:18:28+00:00 Stefan Metzmacher metze@samba.org 2012-05-12T10:00:00+00:00 b4abd3faaf3bdcbcd24fed8325960ccdee43bea9 "security=server" has a lot of problems in the world with modern security (ntlmv2 and krb5). It was also not very reliable, as it needed a stable connection to the password server for the lifetime of the whole client connection! Please use "security=domain" or "security=ads" is you authentication against remote servers (domain controllers). metze -------------- / \ / REST \ / IN \ / PEACE \ / \ | SEC_SERVER | | security=server | | | | | | 12 May | | | | 2012 | *| * * * | * _________)/\\_//(\/(/\)/\//\/\///|_)_______ 
"security=server" has a lot of problems in the world with
modern security (ntlmv2 and krb5). It was also not very
reliable, as it needed a stable connection to the password
server for the lifetime of the whole client connection!

Please use "security=domain" or "security=ads" is you
authentication against remote servers (domain controllers).

metze
                       --------------
                      /              \
                     /      REST      \
                    /        IN        \
                   /       PEACE        \
                  /                      \
                  |      SEC_SERVER      |
                  |    security=server   |
                  |                      |
                  |                      |
                  |       12 May         |
                  |                      |
                  |        2012          |
                 *|     *  *  *          | *
        _________)/\\_//(\/(/\)/\//\/\///|_)_______
s3-auth: Remove security=share (depricated since 3.6). 2012-03-04T22:33:05+00:00 Andrew Bartlett abartlet@samba.org 2012-02-03T07:03:10+00:00 d7bb961859a3501aec4d28842bfffb6190d19a73 This patch removes security=share, which Samba implemented by matching the per-share password provided by the client in the Tree Connect with a selection of usernames supplied by the client, the smb.conf or guessed from the environment. The rationale for the removal is that for the bulk of security=share users, we just we need a very simple way to run a 'trust the network' Samba server, where users mark shares as guest ok. This is still supported, and the smb.conf options are documented at https://wiki.samba.org/index.php/Public_Samba_Server At the same time, this closes the door on one of the most arcane areas of Samba authentication. Naturally, full user-name/password authentication remain available in security=user and above. This includes documentation updates for username and only user, which now only do a small amount of what they used to do. Andrew Bartlett -------------- / \ / REST \ / IN \ / PEACE \ / \ | SEC_SHARE | | security=share | | | | | | 5 March | | | | 2012 | *| * * * | * _________)/\\_//(\/(/\)/\//\/\///|_)_______ 
This patch removes security=share, which Samba implemented by matching
the per-share password provided by the client in the Tree Connect with
a selection of usernames supplied by the client, the smb.conf or
guessed from the environment.

The rationale for the removal is that for the bulk of security=share
users, we just we need a very simple way to run a 'trust the network'
Samba server, where users mark shares as guest ok.  This is still
supported, and the smb.conf options are documented at
https://wiki.samba.org/index.php/Public_Samba_Server

At the same time, this closes the door on one of the most arcane areas
of Samba authentication.

Naturally, full user-name/password authentication remain available in
security=user and above.

This includes documentation updates for username and only user, which
now only do a small amount of what they used to do.

Andrew Bartlett

                       --------------
                      /              \
                     /      REST      \
                    /        IN        \
                   /       PEACE        \
                  /                      \
                  |      SEC_SHARE       |
                  |    security=share    |
                  |                      |
                  |                      |
                  |       5 March        |
                  |                      |
                  |        2012          |
                 *|     *  *  *          | *
        _________)/\\_//(\/(/\)/\//\/\///|_)_______
Intersite KCC flags 2012-01-14T05:13:08+00:00 Dave Craft wimberosa@gmail.com 2012-01-11T14:08:52+00:00 11e2c8493f08214c290fec87dac18ad23de234bf NTDSSITELINK option flags added Signed-off-by: Andrew Tridgell <tridge@samba.org> 
NTDSSITELINK option flags added

Signed-off-by: Andrew Tridgell <tridge@samba.org>
libds: Make server role values explicit for easier debugging 2011-11-16T23:34:09+00:00 Andrew Bartlett abartlet@samba.org 2011-11-10T08:48:06+00:00 a01a186a6cfd3b6f1f49ea6d3e7363d2a58d3d4a 






param: calculate server role from security, and security from server role
2011-11-16T23:34:08+00:00

Andrew Bartlett
abartlet@samba.org

2011-11-10T01:45:54+00:00

9524e2fce1b7f644fef5f7c8134f72681d786e65

This allows smb.conf files from either the samba3 or samba4 tradition
to come to the same value of server role, using the information in the
smb.conf file.

This is important so that tools like 'net getlocalsid' work against a
Samba4 AD installation (yes, users have tried this).

Andrew Bartlett

Pair-Programmed-With: Amitay Isaacs <amitay@samba.org>





This allows smb.conf files from either the samba3 or samba4 tradition
to come to the same value of server role, using the information in the
smb.conf file.

This is important so that tools like 'net getlocalsid' work against a
Samba4 AD installation (yes, users have tried this).

Andrew Bartlett

Pair-Programmed-With: Amitay Isaacs <amitay@samba.org>







roles: Add ROLE_AUTO to indicate that the server role is calculated
2011-11-16T23:34:08+00:00

Amitay Isaacs
amitay@gmail.com

2011-11-08T02:22:37+00:00

299ed456705944c0b6f848d4fce1fbf6853df965