| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
from APP_HEAD
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Basicly, the password and the salt must be taken from the same place in both
passwd and shadow based systems. Taking salt from one, and password from the
other just doesn't work.
So pull them from passwd, then overwrite them if need be.
When modifying this file, watch the #ifdef hell - as vl found out, some
variables are globals - but only with #ifndef WITH_PAM, and the code jumps all
over the place with the password cracker.
Getting double-reviews of any change to this file highly advised, it is one of
our most system-specifc areas of code.
(So now I get to take the blame for this one... :-)
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
| |
Volker, I would like to understand what you are trying to do here...
I'll trust that it's broken (this code is certainly not well tested) but I do
want to keep a close eye on the fixes...
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
|
|
| |
'security = user', 'encrypt passwords = no' did not work anymore.
This is on quite a standard SuSE 7.3, ./configure.developer --with-tdbsam.
I can provide a config.log / config.h on demand.
Please re-check for consequences, I don't really oversee that file.
Thanks,
Volker
|
| |
|
|
|
|
|
| |
NT_TOKEN and the unix credentials - as we incresingly use the NT stuff we want
to make it easy to check they don't get out of wack.
Andrew Bartlett
|
| |
|
|
| |
the DC being out of sync with the local machine.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Rafal Szczesniak <mimir@diament.ists.pwr.wroc.pl>
It includes a conversion of make_user_info*() to NTSTATUS and some minor
changes to other files.
It also picks up on a nasty segfault that can occour in some security=domain
cases.
Andrew Bartlett
|
| |
|
|
| |
the CIFS conference - finally got purify working
|
| |
|
|
|
|
|
|
|
|
| |
changed cli_nt_setup_creds() to call cli_net_auth_2 or cli_net_auth_3 based on a switch.
pass also the negociation flags all the way.
all the places calling cli_nt_setup_creds() are still using cli_net_aut2(), it's just for future use and for rpcclient.
in the future we will be able to call auth_2 or auth_3 as we want.
J.F.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
- Don't print an uninitialised buffer in service.c
- Change some charcnv.c functions to take smb_ucs2_t ** instead of void **
- Update NTLMv2 code to use dynamic buffers
- Update experimental SMB signing code - still more work to do
- Move sys_getgrouplist() to SAFE_FREE() and do a DEBUG() on initgroups()
failure.
Andrew Bartlett
|
| |
|
|
| |
Andrew Bartlett
|
| | |
|
| |
|
|
| |
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
our authenticaion code - removing some of the duplication from the current
code.
This also gets us *much* closer to supporting a real SAM backend, becouse the
SAM can give us the right info then.
This also changes our service.c code, so that we do a VUID (rather than uid)
cache on the connection struct, and do full NT ACL/NT_TOKEN checks (or cached
equivilant) on every packet, for the same r or rw mode the whole share was open
for.
Andrew Bartlett
|
| |
|
|
| |
remove unused 'max packet' and 'packet size' options
|
| |
|
|
|
|
| |
the new accessor functions.
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
setups.
- split up the ads structure into logical pieces. This makes it much
easier to keep things like the authentication realm and the server
realm separate (they can be different).
- allow ads callers to specify that no sasl bind should be performed
(used by "net ads info" for example)
- fix an error with handing ADS_ERROR_SYSTEM() when errno is 0
- completely rewrote the code for finding the LDAP server. Now try DNS
methods first, and try all DNS servers returned from the SRV DNS
query, sorted by closeness to our interfaces (using the same sort code
as we use in replies from WINS servers). This allows us to cope with
ADS DCs that are down, and ensures we don't pick one that is on the
other side of the country unless absolutely necessary.
- recognise dnsRecords as binary when displaying them
- cope with the realm not being configured in smb.conf (work it out
from the LDAP server)
- look at the trustDirection when looking up trusted domains and don't
include trusts that trust our domains but we don't trust
theirs.
- use LDAP to query the alternate (netbios) name for a realm, and make
sure that both and long and short forms of the name are accepted by
winbindd. Use the short form by default for listing users/groups.
- rescan the list of trusted domains every 5 minutes in case new trust
relationships are added while winbindd is running
- include transient trust relationships (ie. C trusts B, B trusts A,
so C trusts A) in winbindd.
- don't do a gratuituous node status lookup when finding an ADS DC (we
don't need it and it could fail)
- remove unused sid_to_distinguished_name function
- make sure we find the allternate name of our primary domain when
operating with a netbiosless ADS DC (using LDAP to do the lookup)
- fixed the rpc trusted domain enumeration to support up to approx
2000 trusted domains (the old limit was 3)
- use the IP for the remote_machine (%m) macro when the client doesn't
supply us with a name via a netbios session request (eg. port 445)
- if the client uses SPNEGO then use the machine name from the SPNEGO
auth packet for remote_machine (%m) macro
- add new 'net ads workgroup' command to find the netbios workgroup
name for a realm
|
| |
|
|
|
|
|
|
|
|
|
| |
Authenticaions will now attempt to use winbind, and only fall back to
'ntdomain' (the old security=domain) code if that fails (for any reason,
including wrong password).
I'll fix up the authenticaion code to better handle the different types of
failures in the near future.
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This updates the 'winbind' authentication module and winbind's 'PAM' (actually
netlogon) code to allow smbd to cache connections to the DC.
This is particulary relevent when we need mutex locks already - there is no
parallelism to be gained anyway.
The winbind code authenticates the user, and if successful, passes back the
'info3' struct describing the user. smbd then interprets that in exactly the
same way as an 'ntdomain' logon.
Also, add parinoia to winbind about null termination.
Andrew Bartlett
|
| |
|
|
| |
needed to find the DC IP. Just don't check its return value!
|
| |
|
|
| |
Tridge, please look at this. Did you mean to take out the last parm?
|
| |
|
|
| |
very useful in scripts
|
| |
|
|
|
| |
without any 'realm =' or 'ads server =' options at all, as long as DNS
is working right.
|
| |
|
|
|
| |
make the code a fair bit cleaner as it splits up the ADS and RPC
cases, which really are very different.
|
| |
|
|
| |
field. This has got to be pointless.
|
| |
|
|
|
|
|
|
| |
the servers netbios name when we don't need it. This also fixes ADS
mode when the DC has netbios disabled.
- if the password server is specified as an IP then actually use that
IP, don't do a lookup for the servers name :)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
null before close
this one fixes swat not working with browsers that set more then one language.
along the way implemented language priority in web/neg_lang.c with bubble sort
also changet str_list_make to be able to use a different separator string
Simo.
|
| |
|
|
| |
as they're no longer new!
|
| |
|
|
|
|
|
|
| |
distinction between uchar and char).
Lots of const etc.
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
| |
authentication - we can have an NT hash in the LM hash feild.
(I need to double-check this fix with tpot, who discovered it).
Also remove silly casts back and forth between uchar and char.
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
| |
becouse thats what Win2k gives when the PDC is down.
Some of these might better go to other errors, but the Win2k text message for
'unsuccessful' is not particularly useful. (A device attached to the system is
not functioning...)
Andrew Bartlett
|
| |
|
|
|
|
| |
for failure.
Andrew Bartlett
|
| |
|
|
|
|
| |
Went through and checked all string_subs I could to ensure they're being
used correctly.
Jeremy.
|
| |
|
|
|
|
| |
few more places to use it.
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The previous code both had basic logic flaws in it, and some subtle
issues regarding the Win2k info3 response.
I've tested this against Samba (it looks like that was missed last time
due to the 'called name' corruption - which broke my testsuite) and
accomidated what I've seen from a info3 printout jmcd gave me.
I'll get this tested fully as soon as I get my VMware going again.
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It extends the 'server mutex' to conver security=server, becouse the connection
race condition exists here too, and while people *should* use security=domain,
some sites don't....
(This probably should be done in 2.2 as well).
Also, start to actually extract and use the information that the remote
server returns in the info3 struct.
The server mutex code is now in a new file.
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
| |
deveopers hack to always send a fixed challange, for the benifit
of tutorials and packet sniffing etc.
Enabling this module removes all security, so its a --enable-developer
option.
Andrew Bartlett
|
| |
|
|
| |
and that local accounts are perfectly fine.
|
| |
|
|
|
| |
and renamed to str_list_* as it is a better name.
Elrond should be satisfied now :)
|
| | |
|
| | |
|
| |
|
|
| |
Jeremy.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Importantly:
The removal of the silly 'delete user script' behaviour when secuity=domain.
I have left the name the same - as it still does the (previously documented,
but not in smb.conf(5)) sane behaviour of deleting users on request.
When we decide what to do with the 'add user' functionality, we might
rename it.
Andrew Bartlett
|
| |
|
|
|
|
|
|
| |
and secuirty=server.
I *love* automated testing...
Andrew Bartlett
|
| |
|
|
|
|
|
|
| |
didn't make any sense, and its was always just strlen(password) anyway.
This fixes it to be strlen(password)+1
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
| |
that the passdb code now uses. Similarly, move the 'pluggable' stuff
over from passdb as well, allowing runtime loading of new authenticaion
modules.
(NOTE: The interfaces here can *and do* change - module writers are
not assured source-level compatibilty, and certainly not binary
compatibility).
|
