Age | Commit message (Collapse) | Author | Files | Lines |
|
abartlet, I'd like to ask you to take a severe look at this!
We have solved the problem to find the global groups a user is in twice: Once
in auth_util.c and another time for the corresponding samr call. The attached
patch unifies these and sends them through the passdb backend (new function
pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further
optimize the corresponding call if the samba and posix accounts are unified by
issuing a specialized ldap query.
The parameter to activate this ldapsam behaviour is
ldapsam:trusted = yes
Volker
(This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
|
|
session
setups on its way to open a pipe. This gets rid of many round-trips to the
LDAP server during logon by setting up the server_info_guest once and not
asking the LDAP server and nss every time. Make sure that the ldap connection
is reopened in the child. (I did not look at the sql backends.)
Volker
(This used to be commit 3298f6105e6a88c9390cac02245c8f2eee1e5046)
|
|
Use the fully qualified DOMAIN\user format for 'security = domain|ads'
and apply after authentication has succeeded.
* also change fill_domain_username() to only lowercase the username
and not the domain+username. This was a cosmetic fix only.
makes the output more consistent with %D and %U.
(This used to be commit 30ee2d5b0906d5cd73a8faf5170e5aebcc6d69c8)
|
|
(This used to be commit e1364ff774b62f46c0f50864695da49972352126)
|
|
SIDs to
the NT token we build.
Thanks to Guenther Deschner <gd@sernet.de>.
Volker
(This used to be commit 2f9143dee901f7fc9e5ff0218527f1f4cff1991e)
|
|
for setting up an schannel connection. This solves the problem
of a Samba DC running winbind, trusting a native mode AD domain,
and needing to enumerate AD users via wbinfo -u.
(This used to be commit e9f109d1b38e0b0adec9b7e9a907f90a79d297ea)
|
|
kawasa_r@itg.hitachi.co.jp. A couple of mem leak fixes in
mainline code paths though :-).
Jeremy.
(This used to be commit 4695cc95fe576b6da0d0cb0686f208fc306b2646)
|
|
Andrew Bartlett
(This used to be commit 1c6d0399d67c9206baf7d4173cc00540146fa897)
|
|
key could
be anything, and may not be based on anything 'NT'. This is also what microsoft
calls it.
(This used to be commit 724e8d3f33719543146280062435c69a835c491e)
|
|
For a (very) long time, we have had a bug in Samba were an NTLMv2-only
PDC would fail, because it converted the password into NTLM format for
checking.
This patch performs the direct comparison required for interactive
logons to function in this situation. It also removes the 'auth flags', which
simply where not ever used.
Natrually, this plays with the size of structures, so rebuild, rebuild
rebuild...
Andrew Bartlett
(This used to be commit 9598593bcf2d877b1d08cd6a7323ee0bc160d4ba)
|
|
(This used to be commit a7cac639c2cf0e2606d9cfbdb08e961212ee3bfa)
|
|
use default domain = yes
(This used to be commit f2eaa14b1eb7e89c945b2b06a48e17998c75d620)
|
|
- Fill in the 'backup' idea of a domain, if the DC didn't supply one. This
doesn't seem to occour in reality, hence why we missed the typo.
lib/charcnv.c:
lib/smbldap.c:
libads/ldap.c:
libsmb/libsmbclient.c:
printing/nt_printing.c:
- all the callers to pull_utf8_allocate() pass a char ** as the first
parammeter, so don't make them all cast it to a void **
nsswitch/winbind_util.c:
- Allow for a more 'correct' view of when usernames should be qualified
in winbindd. If we are a PDC, or have 'winbind trusted domains only',
then for the authentication returns stip the domain portion.
- Fix valgrind warning about use of free()ed name when looking up our
local domain. lp_workgroup() is maniplated inside a procedure that
uses it's former value. Instead, use the fact that our local domain is
always the first in the list.
Andrew Bartlett
(This used to be commit 494781f628683d6e68e8ba21ae54f738727e8c21)
|
|
* fix bug involving Win9x clients. Make sure we
save the right case for the located username
in fill_sam_account()
(This used to be commit 850e4be29e185ebe890f094372aa8c2cc86de76a)
|
|
Jeremy.
(This used to be commit 3684cffbd269389d14b37edd5959e29912c13a60)
|
|
script).
Jeremy.
(This used to be commit 5d9f06bdae4e7b878a87fb97367cf10afbc5f6b2)
|
|
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
|
|
Volker
(This used to be commit 6b457d0c5c1a18b6e09c2c4cc489ce791aac3c6b)
|
|
(This used to be commit efe257bce2020e94d00946a27e2e586c82a1480f)
|
|
sesssetup to fall back to 'user' instaed of failing is REA.LM\user
doesn't exist.
also fix include line in smb_acls.h as requested by metze
(This used to be commit 62ed2598b3441b3c198872df8eb55e594332807b)
|
|
if he;she has one; bug 406
(This used to be commit 1737b36e9193e30285c598ad75d90f610bab47fe)
|
|
(This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669)
|
|
Use winbindd to get the group list if possible since we already
know it from netsamlogon_cache.tdb. More effecient than letting
libc call getgrent() to get seconary groups.
Tested by Ken Cross.
(This used to be commit 3c537c906f29a08e75895c8c8e3ed5c5abaaa940)
|
|
always map to the domain name
(This used to be commit 20b6e64da2669e5dfc7265cae331ec9c89aa02dc)
|
|
not lp_adduser_script() != NULL.
Jeremy.
(This used to be commit 2eac65ebe7147b36a34e0ca1c3f455f559ab0361)
|
|
time. )-:
(This used to be commit 59dae1da66a5eb7e128263bd578f167d8746e9f0)
|
|
(This used to be commit ba4d334b822248d8ab929c9568533431603d967e)
|
|
(This used to be commit 3b5ddd8e1f021f6a38434c0d9a47317ab6ff2614)
|
|
* move rid allocation into IDMAP. See comments in _api_samr_create_user()
* add winbind delete user/group functions
I'm checking this in to sync up with everyone. But I'm going to split
the add a separate winbindd_allocate_rid() function for systems
that have an 'add user script' but need idmap to give them a RID.
Life would be so much simplier without 'enable rid algorithm'.
The current RID allocation is horrible due to this one fact.
Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow.
Nothing has changed in the way a samba domain is represented, stored,
or search in the directory so things should be ok with previous installations.
going to bed now.
(This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
|
|
to winbindd. See README.idmap-and-winbind-changes for details.
(This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6)
|
|
(This used to be commit 4acdfc5c944aa8830d6cec7bd1225200448e45c5)
|
|
(This used to be commit 43f21078ec0f885d4d1a0b90476b55f8f92de9e7)
|
|
(This used to be commit 3a1f4f5ea5379b0deb6dc6b8ed81dedc3a08f70e)
|
|
uid for the server_info struct
(This used to be commit 6a84297da53e8658f4bcfa4951ceed011b69201f)
|
|
on a Samba PDC. Will be re-enabled after winbind_passdb is done.
(This used to be commit c4762aa3bc0d5d2dc5161b543b22808a369e0698)
|
|
* remove idmap_XX_to_XX calls from smbd. Move back to the
the winbind_XXX and local_XXX calls used in 2.2
* all uid/gid allocation must involve winbindd now
* move flags field around in winbindd_request struct
* add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id()
to prevent automatic allocation for unknown SIDs
* add 'winbind trusted domains only' parameter to force a domain member
server to use matching users names from /etc/passwd for its domain
(needed for domain member of a Samba domain)
* rename 'idmap only' to 'enable rid algorithm' for better clarity
(defaults to "yes")
code has been tested on
* domain member of native mode 2k domain
* ads domain member of native mode 2k domain
* domain member of NT4 domain
* domain member of Samba domain
* Samba PDC running winbindd with trusts
Logons tested using 2k clients and smbclient as domain users
and trusted users. Tested both 'winbind trusted domains only = [yes|no]'
This will be a long week of changes. The next item on the list is
winbindd_passdb.c & machine trust accounts not in /etc/passwd (done
via winbindd_passdb)
(This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
|
|
Samba will now use the user's UNIX primary group, as the primary group when
dealing with the filesystem. The NT primary group is ignored in unix.
For the NT_TOKEN, the primary group is the NT priamry group, and the unix
primary group is added to the NT_TOKEN as a supplementary group.
This should fix bug #109, but will need to be revisited when we get a full
NT group database.
Also in this commit:
- Fix debug statements in service.c
- Make idmap_ldap show if it's adding, or modifying an existing DN
- Make idmap_ldap show both the error message and error string
(This used to be commit 32e455a714b2090fcfd1f6d73daccf600c15d51b)
|
|
- The 'not implmented' checks are now done by all auth modules
- the ntdomain/trustdomain/winbind modules are more presise as to
what domain names they can and cannot handle
- The become_root() calls are now around the winbind pipe opening only,
not the entire auth call
- The unix username is kept seperate from the NT username, removing the
need for 'clean off the domain\' in parse_net.c
- All sid->uid translations are now validated with getpwuid() to put a very
basic stop to logins with 'half deleted' accounts.
Andrew Bartlett
(This used to be commit 85f88191b9927cc434645ef4c1eaf5ec0e8af2ec)
|
|
It was caused by the winbind_ping() call in is_trusted_domain()
o if we are a DC then we check our own direct trust relationships
we have to rely on winbindd to update the truatdom_cache
o if we are a domain member, then we can update the trustdom_cache
ourselves if winbindd is not there
(This used to be commit 22dfcafb37f7109dc455f4fb6323a25ba4f097bc)
|
|
* add get_default_sam_name() to be used by make_user_info_map()
* add comments describing get_*_sam_name()
(This used to be commit 90470366ea4bdb8021a3453c4bbeb29f009668c1)
|
|
smbd will update the trustdom_cache periodically after locking
the timestamp key
(This used to be commit 7bc4b65b91f98271089335cc301146d5f0c76c3a)
|
|
* is_trusted_domain() is broken without winbind. Still working on this.
* get_global_sam_name() should return the workgroup name unless we
are a standalone server (verified by volker)
* Get_Pwnam() should always fall back to the username (minus domain name)
even if it is not our workgroup so that TRUSTEDOMAIN\user can logon
if 'user' exists in the local list of accounts (on domain members w/o
winbind)
Tested using Samba PDC with trusts (running winbindd) and a Samba 3.0
domain member not running winbindd.
notes: make_user_info_map() is slightly broken now due to the
fact that is_trusted_domain() only works with winbindd. disabled
checks temporarily until I can sort this out.
(This used to be commit e1d6094d066d4c16ab73075caba40a1ae6c56b1e)
|
|
* rename original sam auth method to sam_ignoredomain
* remove samstrict_dc auth method (now covered by 'sam')
* fix wbinfo -a '...' and getent passwd bugs when running
winbindd on a samba PDC (reported by Volker)
(This used to be commit 52166faee793d337e045d64f7cb27ea7ac895f60)
|
|
to handle domain trusts. Jeremy and I talked about this
and it's going in as working code. It keeps winbind clean
and solves the trust problem with minimal changes.
To summarize, there are 2 basic cases where the deadlock would
occur. (1) lookuping up secondary groups for a user, and
(2) get[gr|pw]nam() calls that fall through the NSS layer because
they don't exist anywhere.
o To handle case #1, we bypass winbindd in sys_getgrouplist() unless
the username includes the 'winbind separator'.
o Case #2 is handled by adding checks in winbindd to return failure
if we are a DC and the domain matches our own.
This code has been tested using basic share connections, domain
logons, and with pam_winbind (both with and without 'winbind
use default domain'). The 'trustdomain' auth module should work
as well if an admin wants to manually create UNIX users for
acounts in the trusted domains.
Other misc fixes:
* we need to fix check_ntlm_password() to be able to determine
if an auth module is authoritative over a user (NT_STATUS_WRONG_PASSWORD,
etc...). I worked around my specific situation, but this needs to be
fixed. the winbindd auth module was causing delays.
* fix named server mutex deadlock between trust domain auth module
and winbindd looking up a uid
* make sure SAM_ACCOUNT gets stored in the server_info struct for the
_net_sam_logon() reply.
Configuration details:
The recommended method for supporting trusts is to use winbind.
The gets us around some of the server mutex issues as well.
* set 'files winbind' for passwd: and group: in /etc/nsswitch.conf
* create domain trusts like normal
* join winbind on the pdc to the Samba domain using 'net rpc join'
* add normal parameters to smb.conf for winbind
* set 'auth method = guest sam winbind'
* start smbd, nmbd, & winbindd
Problems that remain:
* join a Windows 2k/XP box to a Samba domain.
* create a 2-way trust between the Samba domain
and an NT domain
* logon to the windows client as a user from theh trusted
domain
* try to browse server in the trusted domain (or other
workstations). an NT client seems to work ok, but 2k
and XP either prompt for passwords or fail with errors.
apparanently this never got tested since no one has ever been
able to logon as a trusted user to a Samba domain from a Windows
client.
(This used to be commit f804b590f9dbf1f0147c06a0a2f12e221ae6fc3b)
|
|
map to guest = bad user works again when "trustdomain" is listed
as last auth method.
Also clean up some more DC location calls.
(This used to be commit 77a5b1032f39b8d20925721b719fdcfff910cb06)
|
|
As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK
This patch will cure the problem.
Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is
used correctly, but I'm not 100% sure, coders should check the use of
NT_STATUS_IS_ERR() in samba is ok now.
Simo.
(This used to be commit c501e84d412563eb3f674f76038ec48c2b458687)
|
|
that has been authenticated unmapped.
We need to make sure that every caller of idmap handles failure gracefully.
Volker
(This used to be commit 902d607b668b2e997778a0ca676ea689943c2817)
|
|
(This used to be commit 9c003ae4ff21040b55264f8b4c34bd5956c97dc6)
|
|
Take away the automatic mapping of users and groups again.
Volker
(This used to be commit 74510369d48545e813ac07e52814840803dd6ba2)
|
|
from the PDC as a mapping to the uid we got from getpwnam in the
local idmap.
This should not be worse than the current state, so I decided to
commit it. It is different from abartlet's preliminary patch, but I
believe this is the better solution. Feel free to comment and/or
revert it.
Volker
(This used to be commit 0c16965e6f49a2c0d73b1392e9f8cfc7449e2e59)
|