Age | Commit message (Collapse) | Author | Files | Lines |
|
logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes
the auth module interface to 2 (from 1). The effect of this is
that clients can access resources as a machine account if they
set these flags. This is the same as Windows (think of a VPN
where the vpn client authenticates itself to a VPN server
using machine account credentials - the vpn server checks
that the machine password was valid by performing a machine
account check with the PDC in the same was as it would a
user account check. I may add in a restriction (parameter)
to allow this behaviour to be turned off (as it was previously).
That may be on by default.
Andrew Bartlett please review this change carefully.
Jeremy.
(This used to be commit d1caef866326346fb191f8129d13d98379f18cd8)
|
|
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
|
|
safe for using our headers and linking with C++ modules. Stops us
from using C++ reserved keywords in our code.
Jeremy
(This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a)
|
|
In auth_winbind, remove the push_utf8 calls, as this is no longer a
UTF8 interface. (Removed from everywhere else earlier).
Tested with ASCII - I tried to load the weird charset for testing, but
it doesn't seem to work any more.
Andrew Bartlett
(This used to be commit cb27c197ee44d2be09014598e3928642b59ef956)
|
|
kawasa_r@itg.hitachi.co.jp. A couple of mem leak fixes in
mainline code paths though :-).
Jeremy.
(This used to be commit 4695cc95fe576b6da0d0cb0686f208fc306b2646)
|
|
* fix bug involving Win9x clients. Make sure we
save the right case for the located username
in fill_sam_account()
(This used to be commit 850e4be29e185ebe890f094372aa8c2cc86de76a)
|
|
if he;she has one; bug 406
(This used to be commit 1737b36e9193e30285c598ad75d90f610bab47fe)
|
|
(This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669)
|
|
* remove idmap_XX_to_XX calls from smbd. Move back to the
the winbind_XXX and local_XXX calls used in 2.2
* all uid/gid allocation must involve winbindd now
* move flags field around in winbindd_request struct
* add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id()
to prevent automatic allocation for unknown SIDs
* add 'winbind trusted domains only' parameter to force a domain member
server to use matching users names from /etc/passwd for its domain
(needed for domain member of a Samba domain)
* rename 'idmap only' to 'enable rid algorithm' for better clarity
(defaults to "yes")
code has been tested on
* domain member of native mode 2k domain
* ads domain member of native mode 2k domain
* domain member of NT4 domain
* domain member of Samba domain
* Samba PDC running winbindd with trusts
Logons tested using 2k clients and smbclient as domain users
and trusted users. Tested both 'winbind trusted domains only = [yes|no]'
This will be a long week of changes. The next item on the list is
winbindd_passdb.c & machine trust accounts not in /etc/passwd (done
via winbindd_passdb)
(This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
|
|
- The 'not implmented' checks are now done by all auth modules
- the ntdomain/trustdomain/winbind modules are more presise as to
what domain names they can and cannot handle
- The become_root() calls are now around the winbind pipe opening only,
not the entire auth call
- The unix username is kept seperate from the NT username, removing the
need for 'clean off the domain\' in parse_net.c
- All sid->uid translations are now validated with getpwuid() to put a very
basic stop to logins with 'half deleted' accounts.
Andrew Bartlett
(This used to be commit 85f88191b9927cc434645ef4c1eaf5ec0e8af2ec)
|
|
length of what the pointer points to).
Jeremy.
(This used to be commit 492a96e9922c1ef96b967f2965f8bba1f5bc8f23)
|
|
(This used to be commit e1a8e9b7f3e69c7271d2b715703b2d5b2412bd42)
|
|
(This used to be commit 40127404e3a664539de516723cf1239f47adc442)
|
|
(This used to be commit b9e7ce9d85c4203779d6b9bfb2e65a4ed5fe33ff)
|
|
function. Patch by metze with some minor modifications.
(This used to be commit bc4b51bcb2daa7271c884cb83bf8bdba6d3a9b6d)
|
|
(This used to be commit 456eb5d05a442ee380cfa756be54619b1d68fa48)
|
|
- better error codes than NT_STATUS_UNSUCCESSFUL for domain logon errors
- make auth_winbind load the ntdomain module if winbind isn't there.
- use new trusted domains cache to determine if the domain is valid.
Andrew Bartlett
(This used to be commit ec8d6524c6b0c70927a2b57aab71d9e3a7f8a150)
|
|
(This used to be commit c7a1de090db35835be1a1623bfc80c04065c5dd9)
|
|
Needed to move to disk based i/o later.
Jeremy.
(This used to be commit a823fee5b41a5b6cd4ef05aa1f85f7725bd272a5)
|
|
Jeremy.
(This used to be commit aa8439a49ec4b9f433745fefa1e769e45398f4df)
|
|
- const for PACKS() in lanman.c
- change auth to 'account before password'
- add help to net rpc {vampire,samsync}
- configure updates for sun workshop cc
- become_root() around pdb_ calls in auth_util for guest login.
Andrew Bartlett
(This used to be commit 43e90eb6e331d478013a9c038292f245edc51bd0)
|
|
(This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
|
|
(This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
|
|
(This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
|
|
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
(This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
|
|
Andrew Bartlett
(This used to be commit c796799afd69fe627b1c8e51fb47957d30da9fae)
|
|
The auth_authsupplied_info typedef is now just a plain struct - auth_context,
but it has been modified to contain the function pointers to the rest
of the auth subsystem's components.
(Who needs non-static functions anyway?)
In working all this mess out, I fixed a number of memory leaks and moved the
entire auth subsystem over to talloc().
Note that the TALLOC_CTX attached to the auth_context can be rather long-lived,
it is provided for things that are intended to live as long. (The
global_negprot_auth_context lasts the whole life of the smbd).
I've also adjusted a few things in auth_domain.c, mainly passing the domain as
a paramater to a few functions instead of looking up lp_workgroup(). I'm
hopign to make this entire thing a bit more trusted domains (as PDC) freindly
in the near future.
Other than that, I moved a bit of the code around, hence the rather messy diff.
Andrew Bartlett
(This used to be commit 12f5515f556cf39fea98134fe3e2ac4540501048)
|
|
- Move rpc_client/cli_trust.c to smbd/change_trust_pw.c
- It hasn't been used by anything else since smbpasswd lost its -j
- Add a TALLOC_CTX to the auth subsytem. These are only valid for the length
of the calls to the individual modules, if you want a longer context hide it
in your private data.
Similarly, all returns (like the server_info) should still be malloced.
- Move the 'ntdomain' module (security=domain in oldspeak) over to use the new
libsmb domain logon code. Also rework much of the code to use some better
helper functions for the connection - getting us much better error returns
(the new code is NTSTATUS).
The only remaining thing to do is to figure out if tpot's 0xdead 0xbeef for
the LUID feilds is sufficient, or if we should do random LUIDs as per the old
code.
Similarly, I'll move winbind over to this when I get a chance.
This leaves the SPOOLSS code and some cli_pipe code as the only stuff still in
rpc_client, at least as far as smbd is concerned.
While I've given this a basic rundown, any testing is as always appriciated.
Andrew Bartlett
(This used to be commit d870edce76ecca259230fbdbdacd0c86793b4837)
|
|
(This used to be commit d6318add27f6bca5be00cbedf2226b642341297a)
|
|
(large change to modularise the auth subsystem)
Andrew Bartlett
(This used to be commit 324c4676280641fee0647221dba1e826e03ba9ab)
|