| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| |
|
|
| |
cyrus-sasl which makes the code much less fragile. Also added code to auto-determine the server name or realm
|
| |
|
|
|
|
| |
This allows embedded systems to compile out the higher debug
levels. It should gain speed as well as reducing the code
size. Setting it to 1 saves about 300k of code on my system.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This moves the rest of the functionality into the 'net rpc join' code.
Futhermore, this moves that entire area over to the libsmb codebase, rather
than the crufty old rpc_client stuff.
I have also fixed up the smbpasswd -a -m bug in the process.
We also have a new 'net rpc changetrustpw' that can be called from a
cron-job to regularly change the trust account password, for sites
that run winbind but not smbd.
With a little more work, we can kill rpc_client from smbd entirly!
(It is mostly the domain auth stuff - which I can rework - and the
spoolss stuff that sombody else will need to look over).
Andrew Bartlett
|
| |
|
|
|
|
| |
winbindd can do a kinit
this will be removed once we have code that gets a tgt
and puts it in a place where cyrus-sasl can see it
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
not the privileges. Usually we don't need them, so the memory is free
early.
lib/util_sid.c: added some helper functions to check an SID.
passdb/passdb.c: renamed local_lookup_rid() to local_lookup_sid() and pass
an RID all the way. If the group doesn't exist on the domain SID,
don't return a faked one as it can collide with a builtin one. Some rpc
structures have been badly designed, they return only rids and force the
client to do subsequent lsa_lookup_sid() on the domain sid and the builtin
sid !
rpc_server/srv_util.c: wrote a new version of get_domain_user_groups().
Only the samr code uses it atm. It uses the group mapping code instead of
a bloody hard coded crap. The netlogon code will use it too, but I have to
do some test first.
J.F.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
You can change them with either usermanager->policies->account
or from a command prompt on NT/W2K: net accounts /domain
we can add a rpc accounts to the net command. As the net_rpc.c is still
empty, I did not start. How should I add command to it ? Should I take the
rpcclient/cmd_xxx functions and call them from there ?
alse changed the SAM_UNK_INFO_3 parser, it's an NTTIME. This one is more
for jeremy ;-)
J.F.
|
| | |
|
| |
|
|
| |
least basic operations work
|
| |
|
|
| |
rats.
|
| |
|
|
|
|
| |
This just splits off the dispinfo call behind a methods structure.
I'll split off a few more functions soon, then we will be ready for
LDAP replacement methods
|
| |
|
|
| |
Jeremy.
|
| |
|
|
| |
definitions.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It
makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP
struct as some privilege showing in USRMGR.EXE are not real privs but a
bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT
3.1 box to verify, but I'm too lazy (yes I still have my CDs).
Added 3 more LSA calls: SetSystemAccount, AddPrivileges and
RemovePrivileges, we can manage all this privilege from UserManager.
Time to change the NT_USER_TOKEN struct and add checks in all the rpc
functions. Fun, fun, fun.
J.F.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
We now get the full account policy window in usermanager, and the
framework to store all those values. I plan to add a TDB file to store
them.
oh, and found that the last value in a sam_unknown_info_12_inf struct is
an uint16 and not a uint32.
andrewb: you hardcoded the MAX_PASSWORD_AGE to 21 days. We can now turn it
to a value setable in usermanager.
J.F.
|
| |
|
|
|
| |
this was causing the kerberos stuff to fail compilation on several
platforms
|
| |
|
|
| |
Jeremy
|
| |
|
|
| |
some systems have libkrb5 but not krb5.h
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Why do people keep adding stuff to includes.h (OK I am guilty of this too)?
It's getting really huge and full of random junk. )-:
I've noticed TNG have started to split stuff up in to individual header
files included as needed.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
this completes the first stage of the smbd ADS support
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
subystem.
The particular aim is to modularized the interface - so that we
can have arbitrary password back-ends.
This code adds one such back-end, a 'winbind' module to authenticate
against the winbind_auth_crap functionality. While fully-functional
this code is mainly useful as a demonstration, because we don't get
back the info3 as we would for direct ntdomain authentication.
This commit introduced the new 'auth methods' parameter, in the
spirit of the 'auth order' discussed on the lists. It is renamed
because not all the methods may be consulted, even if previous
methods fail - they may not have a suitable challenge for example.
Also, we have a 'local' authentication method, for old-style
'unix if plaintext, sam if encrypted' authentication and a
'guest' module to handle guest logins in a single place.
While this current design is not ideal, I feel that it does
provide a better infrastructure than the current design, and can
be built upon.
The following parameters have changed:
- use rhosts =
This has been replaced by the 'rhosts' authentication method,
and can be specified like 'auth methods = guest rhosts'
- hosts equiv =
This needs both this parameter and an 'auth methods' entry
to be effective. (auth methods = guest hostsequiv ....)
- plaintext to smbpasswd =
This is replaced by specifying 'sam' rather than 'local'
in the auth methods.
The security = parameter is unchanged, and now provides defaults
for the 'auth methods' parameter.
The available auth methods are:
guest
rhosts
hostsequiv
sam (passdb direct hash access)
unix (PAM, crypt() etc)
local (the combination of the above, based on encryption)
smbserver (old security=server)
ntdomain (old security=domain)
winbind (use winbind to cache DC connections)
Assistance in testing, or the production of new and interesting
authentication modules is always appreciated.
Andrew Bartlett
|
| |
|
|
|
|
| |
and more to come ...
J.F.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
an array of uint32. That's not perfect but that's better.
Added more privileges too.
Changed the local_lookup_rid/name functions in passdb.c to check if the
group is mapped. Makes the LSA rpc calls return correct groups
Corrected the return code in the LSA server code enum_sids.
Only enumerate well known aliases if they are mapped to real unix groups.
Won't confuse user seeing groups not available.
Added a short/long view to smbgroupedit.
now decoding rpc calls to add/remove privileges to sid.
J.F.
|
| |
|
|
|
|
|
|
|
|
| |
NT_STATUS_UNABLE_TO_FREE_VM error. This error code was mis-defined
as 0x8000001a instead of 0xc000001a. The former is actually a
NT_STATUS_NO_MORE_ENTRIES warning which is what we see in the status
code.
Removed the & 0xffffff from the loop in get_nt_error_msg() as all the
error constants now have the correct high bits set.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
fixed lsa_enum_rpivs server code. This time it works as W2K.
fixed smbgroupedit to compile and work.
J.F.
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
under it.
|
| |
|
|
|
|
|
|
|
|
|
| |
discovered that our reply is short by 4 bytes since day 1 of this code.
Added a decode function to rpcclient too.
splitted the STRING2 fields filling while trying to understand the win9x
userlist bug. (didn't fix the bug, but the reply looks closer to NT).
J.F.
|
| |
|
|
|
| |
Apply the patches from Tom Jansen, get rid of fprintfs and change them to
DEBUGs, etc ...
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
this is only to get the cast right, but it might help with other parts
of the API that changed later.
|
| |
|
|
|
| |
it's just copied in to the parameter table and optionally overridden
there.
|
| | |
|
