| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
| |
- Change 2 variable names to avoid conflicts (patch by Stephan Kulow <coolo@kde.org>)
|
| |
|
|
| |
- Quite some small fixes (also fixes the build)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory
under lockdir, that the admin can change the group access for.
- This mode is now required to access with 'CRAP' authentication feature.
- This *will* break the current SQUID helper, so I've fixed up our ntlm_auth
replacement:
- Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a
challenge.
- Use this to make our ntlm_auth utility suitable for use in current Squid 2.5
servers.
- Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates
are needed.
- Now uses fgets(), not x_fgets() to cope with Squid environment (I think
somthing to do with non-blocking stdin).
- Add much more robust connection code to wb_common.c - it will not connect to
a server of a different protocol version, and it will automatically try and
reconnect to the 'privileged' pipe if possible.
- This could help with 'privileged' idmap operations etc in future.
- Add a generic HEX encode routine to util_str.c,
- fix a small line of dodgy C in StrnCpy_fn()
- Correctly pull our 'session key' out of the info3 from th the DC. This is
used in both the auth code, and in for export over the winbind pipe to
ntlm_auth.
- Given the user's challenge/response and access to the privileged pipe,
allow external access to the 'session key'. To be used for MSCHAPv2
integration.
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
| |
and domain controller respecting interdomain trust relationships.
In the latter case we need to find DC of remote domain instead
of ours. In the former 'domain' is our domain name.
Rafal
|
| | |
|
| |
|
|
|
|
|
|
| |
last changed at '0'.
We need to actually change this password sometime...
Andrew Bartlett
|
| |
|
|
| |
server = DC1 *
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
90% fix for CR 1076. The password server parameter will no take things
like
password server = DC1 *
which means to contact DC1 first and the go to auto lookup if it
fails.
jerry
|
| |
|
|
|
|
| |
dashes of const. This is a rather large check-in, some things may break.
It does compile though :-).
Jeremy.
|
| |
|
|
| |
Jeremy.
|
| |
|
|
| |
lp_machine_password_timeout() is set to zero.
|
| |
|
|
| |
than the version in APPLIANCE so watch out for boogs.
|
| |
|
|
|
| |
that app-head does.
Jeremy.
|
| |
|
|
| |
from APP_HEAD
|
| |
|
|
| |
the DC being out of sync with the local machine.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Rafal Szczesniak <mimir@diament.ists.pwr.wroc.pl>
It includes a conversion of make_user_info*() to NTSTATUS and some minor
changes to other files.
It also picks up on a nasty segfault that can occour in some security=domain
cases.
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
| |
changed cli_nt_setup_creds() to call cli_net_auth_2 or cli_net_auth_3 based on a switch.
pass also the negociation flags all the way.
all the places calling cli_nt_setup_creds() are still using cli_net_aut2(), it's just for future use and for rpcclient.
in the future we will be able to call auth_2 or auth_3 as we want.
J.F.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
setups.
- split up the ads structure into logical pieces. This makes it much
easier to keep things like the authentication realm and the server
realm separate (they can be different).
- allow ads callers to specify that no sasl bind should be performed
(used by "net ads info" for example)
- fix an error with handing ADS_ERROR_SYSTEM() when errno is 0
- completely rewrote the code for finding the LDAP server. Now try DNS
methods first, and try all DNS servers returned from the SRV DNS
query, sorted by closeness to our interfaces (using the same sort code
as we use in replies from WINS servers). This allows us to cope with
ADS DCs that are down, and ensures we don't pick one that is on the
other side of the country unless absolutely necessary.
- recognise dnsRecords as binary when displaying them
- cope with the realm not being configured in smb.conf (work it out
from the LDAP server)
- look at the trustDirection when looking up trusted domains and don't
include trusts that trust our domains but we don't trust
theirs.
- use LDAP to query the alternate (netbios) name for a realm, and make
sure that both and long and short forms of the name are accepted by
winbindd. Use the short form by default for listing users/groups.
- rescan the list of trusted domains every 5 minutes in case new trust
relationships are added while winbindd is running
- include transient trust relationships (ie. C trusts B, B trusts A,
so C trusts A) in winbindd.
- don't do a gratuituous node status lookup when finding an ADS DC (we
don't need it and it could fail)
- remove unused sid_to_distinguished_name function
- make sure we find the allternate name of our primary domain when
operating with a netbiosless ADS DC (using LDAP to do the lookup)
- fixed the rpc trusted domain enumeration to support up to approx
2000 trusted domains (the old limit was 3)
- use the IP for the remote_machine (%m) macro when the client doesn't
supply us with a name via a netbios session request (eg. port 445)
- if the client uses SPNEGO then use the machine name from the SPNEGO
auth packet for remote_machine (%m) macro
- add new 'net ads workgroup' command to find the netbios workgroup
name for a realm
|
| |
|
|
| |
needed to find the DC IP. Just don't check its return value!
|
| |
|
|
| |
Tridge, please look at this. Did you mean to take out the last parm?
|
| |
|
|
| |
very useful in scripts
|
| |
|
|
|
| |
without any 'realm =' or 'ads server =' options at all, as long as DNS
is working right.
|
| |
|
|
|
| |
make the code a fair bit cleaner as it splits up the ADS and RPC
cases, which really are very different.
|
| |
|
|
| |
field. This has got to be pointless.
|
| |
|
|
|
|
|
|
| |
the servers netbios name when we don't need it. This also fixes ADS
mode when the DC has netbios disabled.
- if the password server is specified as an IP then actually use that
IP, don't do a lookup for the servers name :)
|
| |
|
|
| |
as they're no longer new!
|
| |
|
|
|
|
|
|
| |
distinction between uchar and char).
Lots of const etc.
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
| |
becouse thats what Win2k gives when the PDC is down.
Some of these might better go to other errors, but the Win2k text message for
'unsuccessful' is not particularly useful. (A device attached to the system is
not functioning...)
Andrew Bartlett
|
| |
|
|
|
|
| |
for failure.
Andrew Bartlett
|
| |
|
|
|
|
| |
Went through and checked all string_subs I could to ensure they're being
used correctly.
Jeremy.
|
| |
|
|
|
|
| |
few more places to use it.
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The previous code both had basic logic flaws in it, and some subtle
issues regarding the Win2k info3 response.
I've tested this against Samba (it looks like that was missed last time
due to the 'called name' corruption - which broke my testsuite) and
accomidated what I've seen from a info3 printout jmcd gave me.
I'll get this tested fully as soon as I get my VMware going again.
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It extends the 'server mutex' to conver security=server, becouse the connection
race condition exists here too, and while people *should* use security=domain,
some sites don't....
(This probably should be done in 2.2 as well).
Also, start to actually extract and use the information that the remote
server returns in the info3 struct.
The server mutex code is now in a new file.
Andrew Bartlett
|
| |
|
|
|
|
|
|
| |
and secuirty=server.
I *love* automated testing...
Andrew Bartlett
|
| |
|
|
|
|
|
|
| |
didn't make any sense, and its was always just strlen(password) anyway.
This fixes it to be strlen(password)+1
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
| |
that the passdb code now uses. Similarly, move the 'pluggable' stuff
over from passdb as well, allowing runtime loading of new authenticaion
modules.
(NOTE: The interfaces here can *and do* change - module writers are
not assured source-level compatibilty, and certainly not binary
compatibility).
|
| | |
|
| | |
|
| |
|
|
|
| |
NT4.x DC's require this.
Jeremy.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
<mimir@diament.ists.pwr.wroc.pl>) this patch allows samba to correctly
enumerate its trusted domains - by exaimining the keys in the secrets.tdb file.
This patch has been tested with both NT4 and rpcclient/wbinfo, and adds
some extra functionality to talloc and rpc_parse to allow it to deal with
already unicode strings.
Finally, this cleans up some const warnings that were in net_rpc.c by pushing
another dash of const into the rpc client code.
Andrew Bartlett
|
| |
|
|
| |
Jeremy.
|
| |
|
|
| |
Jeremy.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit builds on the auth subsystem to give Samba support for trusting NT4
domains. It is off by default, but is enabled by adding 'trustdomain' to the
'auth methods' smb.conf paramater.
Tested against NT4 only - there are still some issues with the join code for
Win2k servers (spnego stuff).
The main work TODO involves enumerating the trusted domains (including the RPC
calls to match), and getting winbind to run on the PDC correctly.
Similarly, work remains on getting NT4 to trust Samba domains.
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
| |
Remove a stray 'unbecome_root()' in the ntdomain an auth failure case.
Only allow trust accounts to request a challange in srv_netlogon_nt.c.
Currently any user can be the 'machine' for the domain logon. MERGE for 2.2.
Andrew Bartlett
|
| |
|
|
|
| |
Fix bug where zeroip addresses were being checked.
Jeremy.
|
| |
|
|
|
|
|
|
|
| |
this is needed because W2K will send a TCP reset to any open
connections that have not done a negprot when a second connection is
made. This meant that under heavy netlogon load a Samba domain member
would fail authentications.
Jeremy, you may wish to port this to 2.2.x
|
| |
|
|
| |
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
|
