Age | Author | Files | Lines | Commit message
2004-01-05 | Andrew Bartlett | 1 | -5/+7 | Grumble... grumble... fix the build...
(This used to be commit 687aececa66c2c1ba8e5bc3127d8ca79a97436d1)
2004-01-05 | Andrew Bartlett | 1 | -1/+1 | Show the sid type in name->sid translations in a way that can be easily
understood by humans. Andrew Bartlett (This used to be commit 3d91b0a0060f18d49b2fdd9f93ef310e2ea7779d)
2004-01-05 | Andrew Bartlett | 1 | -0/+6 | Always call the auto-init function - this avoids tdb segfaulting under
us if we failed to open it earlier. Andrew Bartlett (This used to be commit 379368b0bec1f57cc5302b274362ce2f1df0fd9d)
2004-01-05 | Andrew Bartlett | 2 | -7/+20 | Correctly handle per-pipe NTLMSSP inside a NULL session. Previously we
would attempt to supply a password to the 'inside' NTLMSSP, which the remote side naturally rejected. Andrew Bartlett (This used to be commit da408e0d5aa29ca1505c2fd96b32deae9ed940c4)
2004-01-05 | Andrew Bartlett | 9 | -121/+144 | Change our Domain controller lookup routines to more carefully separate
DNS names (realms) from NetBIOS domain names. Until now, we would experience delays as we broadcast lookups for DNS names onto the local network segments. Now if DNS comes back negative, we fall straight back to looking up the short name. Andrew Bartlett (This used to be commit 32397c8b01f1dec7b05140d210bb32f836a80ca6)
2004-01-05 | Tim Potter | 1 | -1/+1 | Fix typo in RW2 torture test. Closes bugzilla bug #924.
(This used to be commit d22313998abff680d38b208588824a1981fe2aa7)
2004-01-05 | Andrew Bartlett | 1 | -3/+3 | Add const.
(This used to be commit aacb817e89d17349003159e1b7c28546babc8559)
2004-01-05 | Andrew Bartlett | 1 | -4/+8 | There is some memory corruption hidden somewhere in our winbind code. If I
could reproduce it, I would fix it, but for now just make sure we always SAFE_FREE() and set our starting pointers to NULL. Andrew Bartlett (This used to be commit c279e178bc122e1e2aa519f7a373a3d93672a3ac)
2004-01-05 | Andrew Bartlett | 1 | -1/+1 | Change (unused) structure parameter for cli_ds_enum_domain_trusts() cleanup.
(This used to be commit 6e5b084c20b59a86e86445bf6d101cada45da602)
2004-01-05 | Andrew Bartlett | 8 | -104/+102 | rpc_client/cli_lsarpc.c:
rpc_parse/parse_lsa.c:
nsswitch/winbindd_rpc.c:
nsswitch/winbindd.h:
 - Add const
libads/ads_ldap.c:
 - Cleanup function for use
nsswitch/winbindd_ads.c:
 - Use new utility function ads_sid_to_dn
 - Don't search for 'dn=', rather call the ads_search_retry_dn()
nsswitch/winbindd_ads.c:
include/rpc_ds.h:
rpc_client/cli_ds.c:
 - Fixup braindamage in cli_ds_enum_domain_trusts():
   - This function was returning a UNISTR2 up to the caller, and was doing nasty (invalid, per valgrind) things with memcpy()
   - Create a new structure that represents this information in a useful way and use talloc.
Andrew Bartlett (This used to be commit 06c3f15aa166bb567d8be0a8bc4b095b167ab371)
2004-01-05 | Andrew Bartlett | 2 | -30/+202 | Fix for bug 707, getent group for huge ads groups (>1500 members)
This introduces range retrieval of ADS attributes. VL rewrote most of Günther's patch, partly to remove code duplication and partly to get the retrieval of members in one rush, not interrupted by the lookups for the DN. I rewrote that patch, to ensure that we can keep an eye on the USN (sequence number) of the entry - this allows us to ensure the read was atomic. In particular, the range retrieval is now generic, for strings. It could easily be made generic for any attribute type, if need be. Andrew Bartlett (This used to be commit 131bb928f19c7b1f582c4ad9ac42e5f3d9dfb622)
2004-01-05 | Andrew Bartlett | 1 | -9/+9 | I'm not quite sure what happened here - but replace the ads_sid_to_dn
function with one that compiles. Andrew Bartlett (This used to be commit 0d5b0345a60741ae50f6770d9cecf698864cd209)
2004-01-05 | Andrew Bartlett | 1 | -2/+0 | We can't possibly get 'ok' here, as the if statement above just checked for it.
(This used to be commit cf4454969434d3026c57ac11c0528dc4cea9c77a)
2004-01-05 | Andrew Bartlett | 1 | -4/+4 | Make arbitrary binary data unsigned char.
(This used to be commit a78b0205622f10e0acfdf54915df6864608ab928)
2004-01-05 | Andrew Bartlett | 1 | -0/+74 | Add a utility function for converting a sid to a DN.
Andrew Bartlett (This used to be commit 49a7a3fd17cfeef439e2049a51dbfcbc037f1a93)
2004-01-05 | Andrew Bartlett | 1 | -14/+43 | Make it clear that we cannot sign if we don't have a session key.
(This used to be commit a2f6dec05b3b30292ec3e42808dc89f1bf5c7ab4)
2004-01-05 | Andrew Bartlett | 1 | -0/+6 | Automatically initialise the signing engine, if we have a session key.
(This used to be commit cb063c1b6949a2a9637689537c6ab8dc881bc568)
2004-01-04 | Jelmer Vernooij | 7 | -507/+1074 |
 - Put functions for generating SQL queries in pdb_sql.c
 - Add pgSQL backend (based on patch by Hamish Friedlander)
 - Use query generate functions from pdb_mysql and pdb_pgsql
 - Only pdb_pgsql.c needs to be changed whenever the fields in SAM_ACCOUNT change
(This used to be commit 65ad2c02fd2bf36d535c279ad290ab81e39f6816)
2004-01-04 | Volker Lendecke | 5 | -3/+126 | Commit the translation of the realm to the netbios domain name in the kerberos
session setup. After talking to jht and abartlet I made this unconditional, no additional parameter. Jerry: This is a change in behaviour, but I think it is necessary. Volker (This used to be commit 3ce6c9f27368cfb278007fe660a0e44a84d67f8f)
2004-01-04 | Andrew Bartlett | 1 | -1/+1 | Even if the 'device type' is always an ascii string, use push_string to get
it out onto the wire. Avoids valgrind warnings because the fstrcpy() causes part of the wire buffer to be 'marked'. Andrew Bartlett (This used to be commit 53d802c72aa712e099dc8de666ab66a21e18fae1)
2004-01-03 | Volker Lendecke | 1 | -1/+1 | And yet another const
Volker (This used to be commit dafa4d202b65382c365f10365208d9de4eef5586)
2004-01-03 | Andrew Bartlett | 1 | -4/+12 | There is not a particularly good excuse for complaining to the *client* that
it sent 'INVALID_PARAMETER', when it was us as the server that could not come up with a session key. Instead, allow normal authentication to take place, but do not setup a session key. Andrew Bartlett (This used to be commit e5abd93d799e5f86839560feca448743c13a9055)
2004-01-02 | Andrew Bartlett | 1 | -2/+2 | Match Win2k, and return NT_STATUS_INVALID_PARAMETER
if this parameter is not an account type Andrew Bartlett (This used to be commit faddf5d8f9821176f4367caaf61844980df9f79c)
2004-01-02 | Andrew Bartlett | 1 | -2/+0 | Under certain error conditions (a talloc() failure above) this would cause
a double-free(), and the resultant malloc heap corruption. This may be one of our lurking winbind segfaults. Andrew Bartlett (This used to be commit 903263a1bdb755f86dac3a9a92a4af39c8b102c4)
2004-01-02 | Andrew Bartlett | 1 | -0/+7 | Having no members of a group is a perfectly valid (if unusual) situation.
Andrew Bartlett (This used to be commit 3f6d0cd3a83bc75922cb125ffe2b0127c8aa417b)
2004-01-02 | Andrew Bartlett | 5 | -133/+118 | JHT came up with a nasty (broken) torture case in preparing examples for
his book. This prompted me to look at the code that reads the unix group list. This code did a lot of name -> uid -> name -> sid translations, which caused problems. Instead, we now do just name->sid
I also cleaned up some interfaces, and client tools.
Andrew Bartlett (This used to be commit f9e59f8bc06fae7e5c8cb0980947f78942dc25c0)
2004-01-01 | Volker Lendecke | 2 | -140/+29 | After talking with abartlet remove the fix for bug 707 again.
Volker (This used to be commit 0c8ee04c78543b1da3b675df4cf85ee5496c3fbf)
2004-01-01 | Volker Lendecke | 2 | -29/+140 | Fix for bug 707, getent group for huge ads groups (>1500 members)
This introduces range retrieval of ADS attributes. I've rewritten most of Günther's patch, partly to remove code duplication and partly to get the retrieval of members in one rush, not interrupted by the lookups for the DN. Andrew, you told me that you would like to see a check whether the AD sequence number is the same before and after the retrieval to achieve atomicity. This would be trivial to add, but I'm not sure that we want this, as this adds two roundtrips to every membership query. We can not know before the first query whether we get additional range values, and at that point it's too late to ask for the USN. Tested with a group of 4000 members along with lots of small groups. Volker (This used to be commit 9d8235bf413f931e40bca0c27a25ed62b4f3d226)
2003-12-31 | Andrew Bartlett | 2 | -16/+36 | Changes to our PAM code to cope with the fact that we can't handle some
domains (in particular, the domain of the current machine, if it is not a PDC) By changing the error codes, we now return values that PAM can correctly use for better stacking of PAM modules - in particular of the password change module. This allows pam_winbind to co-exist with other pam modules for password changes. Andrew Bartlett (This used to be commit 6a8cc7f0122ac4dd5b10ff1160735ef1a177d448)
2003-12-31 | Andrew Bartlett | 1 | -0/+1 | Forgot to commit this for the 'get our primary domain' change.
(This used to be commit 6f3cd9e2af7f1b4bdd7cb0e487987de159bb0dd8)
2003-12-31 | Andrew Bartlett | 1 | -3/+21 | Jerry rightly complained that we can't assume that the first domain is
our primary domain - new domains are added to the front of the list. :-( Use a much more reliable 'flag test' instead. (note: changes winbind structures, make clean). Andrew Bartlett (This used to be commit cc050e01370633a985c9878bdce297f9175fdbf7)
2003-12-31 | Andrew Bartlett | 7 | -22/+54 | auth/auth_util.c:
 - Fill in the 'backup' idea of a domain, if the DC didn't supply one. This doesn't seem to occur in reality, hence why we missed the typo.
lib/charcnv.c:
lib/smbldap.c:
libads/ldap.c:
libsmb/libsmbclient.c:
printing/nt_printing.c:
 - all the callers to pull_utf8_allocate() pass a char ** as the first parameter, so don't make them all cast it to a void **
nsswitch/winbind_util.c:
 - Allow for a more 'correct' view of when usernames should be qualified in winbindd. If we are a PDC, or have 'winbind trusted domains only', then for the authentication returns strip the domain portion.
 - Fix valgrind warning about use of free()ed name when looking up our local domain. lp_workgroup() is manipulated inside a procedure that uses its former value. Instead, use the fact that our local domain is always the first in the list.
Andrew Bartlett (This used to be commit 494781f628683d6e68e8ba21ae54f738727e8c21)
2003-12-30 | Andrew Bartlett | 2 | -4/+6 | Get the DOMAIN\username around the right way (I had username\domain...)
Push the unix username into utf8 for its trip across the socket. Andrew Bartlett (This used to be commit 3225f262b18bdcf326d3bfd031dac169bd9347c9)
2003-12-30 | Gerald Carter | 1 | -4/+22 | Move to short lived TALLOC_CTX* for allocating printer
objects from the print handle cache. Fixes bug that caused smbd to consume large amounts of RAM when (a) a printer handle was kept open over an extended period of time, and (b) the client issued frequent requests that resulted in a call to get_a_printer() (This used to be commit 10b9976e0ab961dc34c9426f0a497e0f81a5e17f)
2003-12-30 | Volker Lendecke | 2 | -8/+4 | Another little one: Make pdb_test.c at least compile, although it's way out of
date. Volker (This used to be commit 5d7a14166af3daf04b570fd5f66469d5db5a3500)
2003-12-30 | Volker Lendecke | 1 | -1/+4 | The AFS pts command always generates completely lower-case user names. As case
is not significant in windows user names we should not lose information by lower-casing the name before handing it to AFS. Volker (This used to be commit 6d2285b6d1599648661be47abaaa888419700d22)
2003-12-30 | Volker Lendecke | 1 | -2/+11 | Fix Bug # 924
Volker (This used to be commit 3663ed2b964cc306cfe6b4060b51d991405e720d)
2003-12-30 | Andrew Bartlett | 3 | -11/+50 | Try to gain a bit more consistency in the output of usernames from ntlm_auth:
Instead of returning a name in DOMAIN\user format, we now return it in the same way that nsswitch does - following the rules of 'winbind use default domain', in the correct case and with the correct separator. This should help sites who are using Squid or the new SASL code I'm working on, to match back to their unix usernames. Andrew Bartlett (This used to be commit 7a3a5a63612b2698a39f784859496c395505a79b)
2003-12-30 | Andrew Bartlett | 1 | -2/+2 | Make the name of the NTLMSSP client more consistent before we lock it in stone.
(This used to be commit 0fa268863b7352343eb7f211181a02f60848bd0c)
2003-12-30 | Andrew Bartlett | 1 | -2/+0 | Remove testing hack
(This used to be commit 96f3beb462a6d4a489e894c1f05c528107135b3a)
2003-12-30 | Andrew Bartlett | 4 | -400/+634 | Move our basic password checking code from inside the authentication
subsystem into a separate file - ntlm_check.c. This allows us to call these routines from ntlm_auth. The purpose of this exercise is to allow ntlm_auth (when operating as an NTLMSSP server) to avoid talking to winbind. This should allow for easier debugging. ntlm_auth itself has been reorganised, so as to share more code between the SPNEGO-wrapped and 'raw' NTLMSSP modes. A new 'client' NTLMSSP mode has been added, for use with a Cyrus-SASL module I am writing (based on vl's work) Andrew Bartlett (This used to be commit 48315e8fd227978e0161be293ad4411b45e3ea5b)
2003-12-30 | Andrew Bartlett | 2 | -490/+400 | Refactor our authentication and authentication testing code.
The next move will be to remove our password checking code from the SAM authentication backend, and into a file where other parts of samba can use it. The ntlm_auth changes provide for better use of common code. Andrew Bartlett (This used to be commit 2375abfa0077a884248c84614d5109f57dfdf5b1)
2003-12-29 | Andrew Bartlett | 1 | -0/+3 | Add the alignment required before all 2-byte quantities in NDR. Allows us
to correctly parse plaintext netlogon calls with odd-length passwords Andrew Bartlett (This used to be commit de3c3cbeeb8b674ffc0dd8fe16913f15edcf9022)
2003-12-28 | Andrew Bartlett | 1 | -1/+0 | Shutting down the connection closes outstanding sessions, so we don't need
to do it twice... Andrew Bartlett (This used to be commit 8f9a069c59cbd357cbef8814764c10f6d8b6e6e8)
2003-12-27 | Andrew Bartlett | 1 | -9/+18 | This patch corrects some errors in the NTLMSSP implementation, that
would incorrectly return INVALID_PARAMETER, instead of allowing a login. Andrew Bartlett (This used to be commit 76c59469a340209959c420bd5c2e947d3347bdb1)
2003-12-27 | Volker Lendecke | 2 | -9/+19 | Preliminary fix for our signing problem with failed NTLMSSP logins. This patch
solves the problem for me here, I can still successfully set up signing using NTLMSSP against w2k3 and it does not show a signing error anymore when the password was wrong. Jeremy, you might want to take a further look at it as this is not particularly elegant. Volker (This used to be commit f5afaafd61dc7bd191225ffa8eee184125dd97c3)
2003-12-26 | Volker Lendecke | 1 | -1/+1 | Collecting another little patch from gd@suse.de
As broken as it might be, smbwrapper.so should be put into the libdir and not bindir. Volker (This used to be commit d74137d227cfb7b09294f4429fa09b10d3d01229)
2003-12-26 | Volker Lendecke | 1 | -8/+10 | Collecting some minor patches...
This adds the ability to specify the new user password for 'net ads password' on the command line. As this needs the admin password on the command line, the information leak is minimally more. Patch from gd@suse.de Volker (This used to be commit e6b4b956f68bfea69b2de3608b4c829250d24a7a)
2003-12-26 | Andrew Bartlett | 1 | -2/+10 | Check the return value of string_to_sid in a few more places. (But
string_to_sid also needs to be less permissive on what it thinks are valid sids...) Andrew Bartlett (This used to be commit 9080c30de8aa96ed3b9b121ca111f1632572754e)
2003-12-26 | Andrew Bartlett | 1 | -2/+8 | Show the error message for failure to set the ldap password.
(For 'ldap password sync = yes') Andrew Bartlett (This used to be commit 5b682aef678cc9ee135852d7ee6b8c159902fab7)