samba.git - Unnamed repository; edit this file 'description' to name the repository.

	Commit message (Collapse)	Author	Age	Files	Lines
*	Antti Andreimann <Antti.Andreimann@mail.ee> has done some changes to enable	Andrew Bartlett	2003-02-15	1	-1/+6
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	users w/o full administrative access on computer accounts to join a computer into AD domain. The patch and detailed changelog is available at: http://www.itcollege.ee/~aandreim/samba This is a list of changes in general: 1. When creating machine account do not fail if SD cannot be changed. setting SD is not mandatory and join will work perfectly without it. 2. Implement KPASSWD CHANGEPW protocol for changing trust password so machine account does not need to have reset password right for itself. 3. Command line utilities no longer interfere with user's existing kerberos ticket cache. 4. Command line utilities can do kerberos authentication even if username is specified (-U). Initial TGT will be requested in this case. I've modified the patch to share the kinit code, rather than copying it, and updated it to current CVS. The other change included in the original patch (local realms) has been left out for now. Andrew Bartlett
*	Removed global_myworkgroup, global_myname, global_myscope. Added liberal	Jeremy Allison	2002-11-12	1	-2/+1
\| \| \| \| \| \|	dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy.
*	make sure that if kerberos fails we can fall back on NTLMSSP for SASL	Andrew Tridgell	2002-11-10	1	-2/+5
\|
*	Re-enable use of existing kerberos tickets.	Jim McDonough	2002-10-31	1	-2/+6
\|
*	Try to compile as much as possible with only ldap, but not kerberos.	Andrew Bartlett	2002-09-28	1	-1/+3
\|
*	Avoid a segfault in net join when you have not done an kinit, and it's falling	Andrew Bartlett	2002-09-25	1	-0/+5
\| \| \| \| \| \| \|	back to NTLMSSP. We need to get the password out of the user, and this eventually does. Andrew Bartlett
*	Add clock skew handling to our kerberos code. This allows us to cope with	Andrew Tridgell	2002-09-17	1	-3/+4
\| \| \| \|	the DC being out of sync with the local machine.
*	convert the LDAP/SASL code to use GSS-SPNEGO if possible	Andrew Tridgell	2002-08-30	1	-28/+220
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	we now do this: - look for suported SASL mechanisms on the LDAP server - choose GSS-SPNEGO if possible - within GSS-SPNEGO choose KRB5 if we can do a kinit - otherwise use NTLMSSP This change also means that we no longer rely on having a gssapi library to do ADS. todo: - add TLS/SSL support over LDAP - change to using LDAP/SSL for password change in ADS
*	This fixes a number of ADS problems, particularly with netbiosless	Andrew Tridgell	2002-08-05	1	-4/+5
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	setups. - split up the ads structure into logical pieces. This makes it much easier to keep things like the authentication realm and the server realm separate (they can be different). - allow ads callers to specify that no sasl bind should be performed (used by "net ads info" for example) - fix an error with handing ADS_ERROR_SYSTEM() when errno is 0 - completely rewrote the code for finding the LDAP server. Now try DNS methods first, and try all DNS servers returned from the SRV DNS query, sorted by closeness to our interfaces (using the same sort code as we use in replies from WINS servers). This allows us to cope with ADS DCs that are down, and ensures we don't pick one that is on the other side of the country unless absolutely necessary. - recognise dnsRecords as binary when displaying them - cope with the realm not being configured in smb.conf (work it out from the LDAP server) - look at the trustDirection when looking up trusted domains and don't include trusts that trust our domains but we don't trust theirs. - use LDAP to query the alternate (netbios) name for a realm, and make sure that both and long and short forms of the name are accepted by winbindd. Use the short form by default for listing users/groups. - rescan the list of trusted domains every 5 minutes in case new trust relationships are added while winbindd is running - include transient trust relationships (ie. C trusts B, B trusts A, so C trusts A) in winbindd. - don't do a gratuituous node status lookup when finding an ADS DC (we don't need it and it could fail) - remove unused sid_to_distinguished_name function - make sure we find the allternate name of our primary domain when operating with a netbiosless ADS DC (using LDAP to do the lookup) - fixed the rpc trusted domain enumeration to support up to approx 2000 trusted domains (the old limit was 3) - use the IP for the remote_machine (%m) macro when the client doesn't supply us with a name via a netbios session request (eg. port 445) - if the client uses SPNEGO then use the machine name from the SPNEGO auth packet for remote_machine (%m) macro - add new 'net ads workgroup' command to find the netbios workgroup name for a realm
*	Fix length in snprintf invocation to account for "dn:" in sasl gssapi bind.	Jim McDonough	2002-07-08	1	-2/+1
\| \| \| \| \| \|	Also remove unused line which incremented pointer by the wrong length anyway. Provided by Anthony Liguori (aliguori@us.ibm.com).
*	Removed version number from file header.	Tim Potter	2002-01-30	1	-2/+1
\| \| \| \|	Changed "SMB/Netbios" to "SMB/CIFS" in file header.
*	much better ADS error handling system	Andrew Tridgell	2001-12-19	1	-21/+33
\|
*	- added initial support for trusted domains in winbindd_ads	Andrew Tridgell	2001-12-19	1	-17/+36
\| \| \| \| \| \|	- gss error code patch from a.bokovoy@sam-solutions.net - better sid dumping in ads_dump - fixed help in wbinfo
*	added internal sasl/gssapi code. This means we are no longer dependent on ↵	Andrew Tridgell	2001-12-08	1	-0/+186
	cyrus-sasl which makes the code much less fragile. Also added code to auto-determine the server name or realm