| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Jeremy.
|
|
Jeremy.
|
|
metze
|
|
metze
|
|
This is an addendum to d8c54fdd, which made make_user_info_map() match
Windows behavior by mapping untrusted domains given to smbd on the wire
with the users credentials to smbd's global sam name.
This fix was being circumvented in the case where the client passed
a NULL domain. Vista clients do this. In that case smbd was always
remapping the name to the machine workgroup. The NULL domain case
should also be mapped to the global sam name.
Removing the code in this patch, causes us to fall down to the logic
added in d8c54fdd and properly map the domain.
|
|
|
|
Should make Solaris 10 builds look cleaner.
Jeremy.
|
|
Patch from Jeremy.
With this patch, I was able to join Windows 7 RC to a Samba3 DC, and login into a
Samba 3 Domain.
There are still two registry settings required:
HKLM\System\CCS\Services\LanmanWorkstation\Parameters
DWORD DomainCompatibilityMode = 1
DWORD DNSNameResolutionRequired = 0
Do *not* modify the other netlogon registry parameters that were passed around,
they weaken security.
Guenther
(cherry picked from commit b5097d54cb74ca0ea328f9e029562f65f4a01134)
|
|
A previous fix broke the invariant that *uid is always
initialized on return from create_token_from_username().
Restore it.
Jeremy.
|
|
|
|
This is particuarly in the netlogon client (but not server at this
stage)
|
|
This commit is mostly to cope with the removal of SamOemHash (replaced
by arcfour_crypt()) and other collisions (such as changed function
arguments compared to Samba3).
We still provide creds_hash3 until Samba3 uses the credentials code in
netlogon server
Andrew Bartlett
|
|
Guenther
|
|
This fix is very subtle. If a server is configured with "security = share"
and "guest ok = yes" and winbindd is running authorization will fail during
tree connect.
This is due to our inability to map the guest sid S-1-5-21-X-501 to a uid
through sid_to_uid(). Winbindd is unaware of the hard coded mapping
between this sid and whatever uid the name in lp_guestaccount() is assigned.
So sid_to_uid() fails and we exit create_token_from_username() without
ever calling pdb_getsampwsid() which IS aware of the hard coded mapping.
This patch just reorganizes the code, moving sid_to_uid() down to the
block of code in which it is needed, avoiding this early failure.
|
|
|
|
auth_onefs_wb.c -> auth_wbc.c
pdb_onefs_sam.c -> pdb_wbc_sam.c
No changes to functionality
|
|
After the discussion on samba-technical, it was decided that the best
answer for now was to revert this change. The right way to do this is
to rewrite the token api to use opaque tokens with pluggable modules.
This reverts commit 8e19a288052bca5efdb0277a40c1e0fdd099cc2b.
|
|
|
|
|
|
|
|
This new backend is custom tailored to onefs' unique requirements:
1) No fallback logic
2) Does not validate the domain of the user
3) Handles unencrypted passwords
|
|
When set to yes, "force username map" forces every user, even AD
users, through an NSS lookup. This allows the token to be overridden
with information from NSS in certain broken environments.
|
|
metze
|
|
metze
|
|
When enabled this reverts smbd to the legacy domain remapping behavior when
a user provides an untrusted domain
This partially reverts d8c54fdd
|
|
After a lot of testing against various Windows servers (W2K, W2K3, W2K8),
within an AD domain it seems that unknown domains will only be translated
to the local account domain, not the netbios name of the member server's
domain. This makes samba act more like Windows.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
A somewhat more elegant fix than I could use for 3.2.x or 3.0.x.
Turns out the only part of check_user_ok() that needs to change
for share level security is the VUID cache pieces, so I can just
always use check_user_ok() for all lp_security() cases.
Jeremy
|
|
This is an orthogonality measure to make clear this pointer now belongs to the
cache.
(cherry picked from commit e6080c6e87d6fe3995b121a772bf3f6343fa666f)
|
|
talloc_autofree_context() instead of NULL.
Remove the code in memcache that does a TALLOC_FREE on stored pointers. That's a disaster waiting
to happen. If you're storing talloc'ed pointers, you can't know their lifecycle and they should
be deleted when their parent context is deleted, so freeing them at some arbitrary point later
will be a double-free.
Jeremy.
|
|
str_list_make(). From Dan Sledz <dan.sledz@isilon.com>:
In samba 3.2 passing NULL or an empty string returned NULL.
In master, it now returns a list of length 1 with the first string set
to NULL (an empty list).
Jeremy.
|
|
otherwise (to clarify we can also pass in structs smaller than
sockaddr_storage, such as sockaddr_in).
|
|
null byte and use it in Samba 3.
This matches the behaviour prior to my data_blob changes.
|
|
|
|
|
|
This authenticates against a local running samba4 using SamLogonEx. We retrieve
the machine password using samba4's mymachinepwd script and store the schannel
key for re-use in secrets.tdb.
|
|
previous "special" cases.
A step on the way to adding signals to the events and being able to merge the S3 event system with
the S4 one.
Jeremy.
|
|
This reverts commit 8594edf666c29fd4ddf1780da842683dd81483b6.
(This used to be commit ad462e2e2d025a7fc23e7dea32b2b442b528970b)
|
|
(This used to be commit e038f1cf9fb305fc1e7a4189208e451d30aaa1f0)
|
|
Guenther
(This used to be commit 4661ef625a6522d6f859b83e3e3702f01d0b952f)
|
|
lookup_domain_name(). This new function accept separated
strings for domain and name.
(This used to be commit 8594edf666c29fd4ddf1780da842683dd81483b6)
|
|
position zero being the primary group sid. Authenicating
via winbindd call returned a non-sorted sid list. This
fixes is for both a winbindd call and a pac list from
an info3 struct. Without this we mess up the
primary group associated with created files. Found by
Herb.
Jeremy.
(This used to be commit cb925dec85cfc4cfc194c3ff76dbeba2bd2178d7)
|
