path: root/source3/include/ads.h
Age | Commit message | Author | Files | Lines
2007-10-10 | r15698: An attempt to make the winbind lookup_usergroups() call in security=ads | Günther Deschner | 1 file | -0/+15
more scalable: The most efficient way is to use the "tokenGroups" attribute which gives the nested group membership. This attribute cannot always be retrieved when binding with the machine account (the only guaranteed way to get the tokenGroups I could find is when the machine account is a member of the "Pre Win2k Access" builtin group). Our current fallback when "tokenGroups" failed is looking for all groups where the userdn was in the "member" attribute. This does not behave very well in very large AD domains. The patch first tries the "memberOf" attribute on the user's dn in that case and directly retrieves the group's sids by using the LDAP Extended DN control from the user's object. The way to pass down the control to the ldap search call is rather painful and probably will be rearranged later on. Successfully tested on win2k sp0, win2k sp4, win2k3 sp1 and win2k3 r2.
Guenther
(This used to be commit 7d766b5505e4099ef7dd4e88bb000ebe38d71bd0)
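The memberOf path in the commit above works because the Extended DN control (OID 1.2.840.113556.1.4.529) makes the server return each group DN with its objectGUID and objectSid prepended, so the SIDs are available without a second search per group. The following is an added example, not Samba code, showing what a consumer of those values has to do: the assumed format is "<GUID=...>;<SID=...>;<DN>", with the SID in binary-hex form when the control's flag is 0 and in "S-1-5-..." form when the flag is 1, and with no <SID=...> part for objects that are not security principals. The sample values are constructed.

```python
"""Extract group SIDs from memberOf values fetched with the LDAP Extended DN
control (OID 1.2.840.113556.1.4.529).

Added illustration, not Samba's code. It assumes the extended DN format
Active Directory returns: "<GUID=...>;<SID=...>;<DN>", where the SID part is
the hex encoding of the binary SID when the control's flag is 0 and the
"S-1-5-..." string form when the flag is 1, and where objects that are not
security principals carry no <SID=...> part. The sample values are
constructed.
"""
import re
import struct

# GUID part, optional SID part, then the plain DN.
EXT_DN_RE = re.compile(r"^<GUID=([^>]+)>;(?:<SID=([^>]+)>;)?(.*)$")


def sid_from_bytes(raw: bytes) -> str:
    """Convert a binary SID (revision byte, sub-authority count byte, 48-bit
    big-endian identifier authority, little-endian 32-bit sub-authorities)
    to its S-R-A-S1-...-Sn string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def parse_extended_dn(value: str) -> dict:
    """Split an extended DN into GUID, SID (normalised to string form when
    present, None otherwise) and the plain DN."""
    m = EXT_DN_RE.match(value)
    if not m:
        raise ValueError("not an extended DN: %r" % value)
    guid, sid, dn = m.groups()
    if sid is not None and not sid.upper().startswith("S-"):
        sid = sid_from_bytes(bytes.fromhex(sid))  # hex form (control flag 0)
    return {"guid": guid, "sid": sid, "dn": dn}


def group_sids_from_memberof(values) -> list:
    """Collect the SID of every memberOf entry that carries one. Entries
    without a SID part are skipped: they are not security principals and
    must not end up in the user's token."""
    sids = []
    for v in values:
        sid = parse_extended_dn(v)["sid"]
        if sid is not None:
            sids.append(sid)
    return sids


# Constructed sample: one value in hex form (flag 0), one in string form
# (flag 1), and one with no SID part. The hex SID decodes to
# S-1-5-21-1000-2000-3000-512.
SAMPLE_MEMBEROF = [
    "<GUID=0f1e2d3c4b5a69788796a5b4c3d2e1f0>"
    ";<SID=010500000000000515000000e8030000d0070000b80b000000020000>"
    ";CN=Domain Admins,CN=Users,DC=example,DC=com",
    "<GUID=1f2e3d4c-5b6a-7988-9796-a5b4c3d2e1f0>"
    ";<SID=S-1-5-21-1000-2000-3000-513>"
    ";CN=Domain Users,CN=Users,DC=example,DC=com",
    "<GUID=2f3e4d5c6b7a89980796a5b4c3d2e1f0>"
    ";CN=Mailing List,CN=Users,DC=example,DC=com",
]

if __name__ == "__main__":
    for sid in group_sids_from_memberof(SAMPLE_MEMBEROF):
        print(sid)
```

The length check in sid_from_bytes matters when the hex form is used: a truncated or padded value must be rejected rather than silently producing a SID with the wrong sub-authorities.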
2007-10-10 | r15697: I take no comments as no objections :) | Günther Deschner | 1 file | -5/+27
Expand the "winbind nss info" to also take "rfc2307" to support the plain posix attributes LDAP schema from win2k3-r2. This work is based on patches from Howard Wilkinson and Bob Gautier (and closes bug #3345).
Guenther
(This used to be commit 52423e01dc209ba5abde808a446287714ed11567)
2007-10-10 | r15543: New implementation of 'net ads join' to be more like Windows XP. | Gerald Carter | 1 file | -15/+0
The motivating factor is to not require more privileges for the user account than Windows does when joining a domain. The points of interest are
* net_ads_join() uses same rpc mechanisms as net_rpc_join()
* Enable CLDAP queries for filling in the majority of the ADS_STRUCT->config information
* Remove ldap_initialized() from sam/idmap_ad.c and libads/ldap.c
* Remove some unnecessary fields from ADS_STRUCT
* Manually set the dNSHostName and servicePrincipalName attribute using the machine account after the join
Thanks to Guenther and Simo for the review. Still to do:
* Fix the userAccountControl for DES only systems
* Set the userPrincipalName in order to support things like 'kinit -k' (although we might be able to just use the sAMAccountName instead)
* Re-add support for pre-creating the machine account in a specific OU
(This used to be commit 4c4ea7b20f44cd200cef8c7b389d51b72eccc39b)
2007-10-10 | r15243: Sorry for the breakage: | Günther Deschner | 1 file | -1/+5
* Fix the build without kerberos headers
* Fix memleak in the krb5_address handling
Guenther
(This used to be commit 10e42117559d4bc6a34e41a94914bf6c65c3477f)
2007-10-10 | r15240: Correctly disallow unauthorized access when logging on with the | Günther Deschner | 1 file | -0/+12
kerberized pam_winbind and workstation restrictions are in effect. The krb5 AS-REQ needs to add the host netbios-name in the address-list. We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from the edata of the KRB_ERROR but the login at least fails when the local machine is not in the workstation list on the DC.
Guenther
(This used to be commit 8b2ba11508e2730aba074d7c095291fac2a62176)
2007-10-10 | r14051: Add remaining (documented) userAccountControl bits, thanks to Luke | Günther Deschner | 1 file | -2/+2
Howard for pointing this out.
Guenther
(This used to be commit 170038f4cdfa51ea31b2255a020740d28dfbfba2)
2007-10-10 | r13657: Let winbindd try to obtain the gecos field from the msSFU30Gecos | Günther Deschner | 1 file | -0/+2
attribute when "winbind nss info = sfu" is set. Fixes #3539.
Guenther
(This used to be commit ffce0461de130828345c44293e564ca03227607d)
2007-10-10 | r13316: Let the carnage begin.... | Gerald Carter | 1 file | -0/+2
Sync with trunk as of r13315
(This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10 | r11242: use LDAP bitwise matching rule when searching for groups in ADS. | Günther Deschner | 1 file | -3/+25
This avoids requesting a full group dump from ADS each time; the bitwise match allows querying only those groups we are interested in. The ADS LDAP server changed to RFC compliant behaviour when decoding the ldap filter with extensible match in the latest SPs (fixes). From the patch:
/* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
 * rollup-fixes:
 *
 * According to Section 5.1(4) of RFC 2251 if a value of a type is its
 * default value, it MUST be absent. In case of extensible matching the
 * "dnattr" boolean defaults to FALSE and so it must only be present
 * when set to TRUE.
 *
 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
 * filter using bitwise matching rule then a buggy AD fails to decode
 * the extensible match. As a workaround set it to TRUE and thereby add
 * the dnAttributes "dn" field to cope with those older AD versions.
 * It should not harm and won't put any additional load on the AD since
 * none of the dn components have a bitmask-attribute.
 *
 * Thanks to Ralf Haferkamp for input and testing
 */
Guenther
(This used to be commit db38ed6be607d08515920d46fb8a12f8cb4ddd6e)
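To make the workaround in the comment above concrete, here is an added example (not Samba code) that builds the extensible-match filter both as RFC 2254 text and as the BER that goes on the wire, and decodes it back. It relies on the Active Directory matching rule OIDs 1.2.840.113556.1.4.803 (bit AND) and 1.2.840.113556.1.4.804 (bit OR) and on the RFC 2251 ASN.1 for extensibleMatch [9] with implicit tags (matchingRule [1], type [2], matchValue [3], dnAttributes [4] BOOLEAN DEFAULT FALSE). A conforming encoder leaves dnAttributes out when it is FALSE; setting it to TRUE, as the patch does, is what puts the [4] element back into the encoding. The decoder's "buggy AD" mode is only a model of the symptom the commit describes (rejecting a filter whose dnAttributes element is absent), not a reproduction of the server's parser, and the attribute, mask and sample filter are constructed.

```python
"""Build and decode an LDAPv3 extensibleMatch filter using the Active
Directory bitwise-AND matching rule, with and without the dnAttributes
workaround.

Added illustration, not Samba's code. Relies on: the AD matching rule OIDs
1.2.840.113556.1.4.803 (bit AND) and 1.2.840.113556.1.4.804 (bit OR); the
RFC 2254 text syntax attr[:dn][:rule]:=value; the RFC 2251 ASN.1 (implicit
tags) for extensibleMatch [9] MatchingRuleAssertion { matchingRule [1],
type [2], matchValue [3], dnAttributes [4] BOOLEAN DEFAULT FALSE }. The
emulate_buggy_ad mode only models the symptom the commit describes.
"""

BIT_AND = "1.2.840.113556.1.4.803"
BIT_OR = "1.2.840.113556.1.4.804"
GROUP_TYPE_SECURITY_ENABLED = 0x80000000  # groupType bit for security groups


def filter_string(attr, rule, mask, dn_attributes=False):
    """RFC 2254 text form; dn_attributes=True inserts the ':dn' component."""
    return "(%s:%s%s:=%d)" % (attr, "dn:" if dn_attributes else "", rule, mask)


def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def encode_extensible_match(attr, rule, mask, dn_attributes=False):
    """BER-encode the filter. A conforming encoder (what OpenLDAP does) omits
    dnAttributes when it is FALSE because that is the default; the
    workaround asks for TRUE so the element is sent explicitly."""
    body = (_tlv(0x81, rule.encode())          # matchingRule [1]
            + _tlv(0x82, attr.encode())        # type [2]
            + _tlv(0x83, str(mask).encode()))  # matchValue [3]
    if dn_attributes:
        body += _tlv(0x84, b"\xff")            # dnAttributes [4] TRUE
    return _tlv(0xA9, body)                    # extensibleMatch [9], constructed


def _read_tlv(buf, pos):
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_extensible_match(data, emulate_buggy_ad=False):
    """Decode one extensibleMatch filter into its fields. With
    emulate_buggy_ad=True the absence of dnAttributes is treated as a decode
    failure, which is the behaviour the workaround targets."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0xA9 or end != len(data):
        raise ValueError("not a single extensibleMatch filter")
    out = {"matching_rule": None, "type": None, "value": None, "dn_attributes": False}
    seen_dn = False
    pos = 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t == 0x81:
            out["matching_rule"] = v.decode()
        elif t == 0x82:
            out["type"] = v.decode()
        elif t == 0x83:
            out["value"] = v.decode()
        elif t == 0x84:
            seen_dn = True
            out["dn_attributes"] = v != b"\x00"
        else:
            raise ValueError("unexpected tag 0x%02x" % t)
    if emulate_buggy_ad and not seen_dn:
        raise ValueError("buggy AD: extensible match without dnAttributes rejected")
    return out


if __name__ == "__main__":
    for wa in (False, True):
        f = encode_extensible_match("groupType", BIT_AND, GROUP_TYPE_SECURITY_ENABLED, wa)
        print(filter_string("groupType", BIT_AND, GROUP_TYPE_SECURITY_ENABLED, wa), f.hex())
```

The two encodings differ only by the trailing three bytes 84 01 ff; since the matching rule is applied to the attribute value and none of the DN components carry a bitmask, asking for dnAttributes changes the wire format but not the result set, which is why the commit calls the workaround harmless.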
2007-10-10 | r10656: BIG merge from trunk. Features not copied over | Gerald Carter | 1 file | -1/+1
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10 | r7994: This adds support in Winbindd's "security = ads"-mode to retrieve the | Günther Deschner | 1 file | -4/+20
POSIX home directory and the login shell from Active Directory's "Services for Unix". Enable it with:
winbind sfu support = yes
User-Accounts without SFU-Unix-Attributes will be assigned template-based Shells and Homedirs as before. Note that it doesn't matter which version of Services for Unix you use (2.0, 2.2, 3.0 or 3.5). Samba should detect the correct attributes (msSFULoginShell, msSFU30LoginShell, etc.) automatically. If you also want to share the same uid/gid-space as SFU then also use PADL's ad-idmap-Plugin:
idmap backend = ad
When using the idmap-plugin only those accounts will appear in Name Service Switch that have those UNIX-attributes, which avoids potential uid/gid-space clashes between SFU-ids and automatically assigned idmap-ids.
Guenther
(This used to be commit 28b59699425b1c954d191fc0e3bd357e4a4e4cd8)
2007-10-10 | r4665: Fix inspired by posting from Joe Meadows <jameadows@webopolis.com>. | Jeremy Allison | 1 file | -3/+0
Make all LDAP timeouts consistent.
Jeremy.
(This used to be commit 0f0281c2348b10ffdea744ecade6b2be0814c872)
2007-10-10 | r2832: Readd WKGUID-binding to match the correct default-locations of new | Günther Deschner | 1 file | -0/+3
User-, Group- and Machine-Accounts in Active Directory (this got lost during the last trunk-merge). This way we match e.g. default containers moved by redircmp.exe and redirusr.exe in Windows 2003 and don't blindly default to cn=Users or cn=Computers. Further wkguids can be examined via "net ads search wellknownobjects=*". This should still keep a samba3-client joining a samba4 dc. Fixes Bugzilla #1343.
Guenther
(This used to be commit 8836621694c95779475fa9a1acf158e5e0577288)
2004-03-24 | Fix bugzilla # 1208 | Jim McDonough | 1 file | -0/+1
Winbind tickets expired. We now check the expiration time, and acquire new tickets. We couldn't rely on renewing them, because if we didn't get a request before they expired, we wouldn't have renewed them. Also, there is a one-week limit in MS on renewal life, so new tickets would have been needed after a week anyway. Default is 10 hours, so we should only be acquiring them that often, unless the configuration on the DC is changed (and the minimum is 1 hour).
(This used to be commit c2436c433afaab4006554a86307f76b6689d6929)
2004-03-22 | bug 1195: add flag to ADS_STRUCT so we know who owns the main structure's | Gerald Carter | 1 file | -0/+2
memory (not the members though)
(This used to be commit 4449e0e251190b741f51348819669453f0758f36)
2004-01-09 | fix some warnings from the Sun compiler | Gerald Carter | 1 file | -9/+9
(This used to be commit ebabf72a78f0165521268b73e0fcabe1ea7834fd)
2003-08-27 | Fix to properly set AP_OPTS_SUBKEY in heimdal. In MIT it is a #define, but | Jim McDonough | 1 file | -1/+1
in heimdal it is an enum. Thanks to Guenther Deschner (gd@suse.de). With this join will work, but without a keytab, cifs connections will still fail with heimdal. Fix to come later.
(This used to be commit d30bef4c37e8203c273eb3852215a89348bece7a)
2003-06-10 | added an auth flag that indicates if we should be allowed to fallback | Andrew Tridgell | 1 file | -0/+1
to NTLMSSP for SASL if krb5 fails. This is important as otherwise the admin may think that a join has succeeded when kerberos is actually broken.
(This used to be commit 23a6ea385c4aea208adf36f039244bee14f56a33)
2003-05-09 | Fix comment - we now have 5 types of error... | Andrew Bartlett | 1 file | -1/+1
(This used to be commit 372a574a73b86855cf6efc18349e5ba24067d690)
2003-03-17 | Merge from HEAD: | Andrew Bartlett | 1 file | -0/+7
net ads password Heimdal compile fixes.
Andrew Bartlett
(This used to be commit 3aa4f923e99f453310bb4a8d43ce43757591909d)
2003-03-17 | Merge from HEAD - sync up SessionSetup code to HEAD, including Luke Howard's | Andrew Bartlett | 1 file | -0/+5
session key and auth verifier patches.
Andrew Bartlett
(This used to be commit 3f9616a68a855acbae3f405c27ee2358fbe7ba2c)
2003-02-24 | Merge from HEAD client-side authentication changes: | Andrew Bartlett | 1 file | -0/+3
- new kerberos code, allowing the account to change its own password without special SD settings required
- NTLMSSP client code, now separated from cliconnect.c
- NTLMv2 client code
- SMB signing fixes
Andrew Bartlett
(This used to be commit 837680ca517982f2e5944730581a83012d4181ae)
2002-11-18 | Revert changes to ADS_ERR_OK() as in head. Broke some compilers. | Jim McDonough | 1 file | -1/+1
(This used to be commit a3ca6d5a191ee9d3c7022ec2dfcaf41533ee1244)
2002-11-18 | Next step of printer publishing. | Jim McDonough | 1 file | -56/+1
net ads printer publish <printername> [servername]
Will retrieve the DsSpooler and DsDriver info by rpc for a remote server then publish it. Next comes doing it within smbd
(This used to be commit 8f047a4492f7bd66ac2afd2a2f6194d5dad4a434)
2002-10-01 | syncing up with HEAD. Seems to be a lot of differences creeping in | Gerald Carter | 1 file | -2/+5
(i ignored the new SAMBA stuff, but the rest of this looks like it should have been merged already).
(This used to be commit 3de09e5cf1f667e410ee8b9516a956860ce7290f)
2002-09-25 | sync'ing up for 3.0alpha20 release | Gerald Carter | 1 file | -20/+110
(This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-08-17 | sync 3.0 branch with head | Jelmer Vernooij | 1 file | -12/+50
(This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
2002-07-15 | updated the 3.0 branch from the head branch - ready for alpha18 | Andrew Tridgell | 1 file | -0/+1
(This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-04-10 | Add ads ldap server controls | Jim McDonough | 1 file | -0/+5
(This used to be commit 9126f008ef542b80f0040f621aa28478be5c80a0)
2002-02-11 | Add ability to extend ads modification list on the fly. Added ADS_MODLIST type. | Jim McDonough | 1 file | -0/+6
(This used to be commit 3f7ba70615008d74a145a94aa087cae08efab343)
2002-02-02 | Change ADS_ERROR family of macros - removed semicolon from the end, since | Jim McDonough | 1 file | -4/+4
they were only being used correctly in one location, and all other assumed the semicolon wasn't there. Amazing that none of them mattered syntactically, until today.
(This used to be commit 6515c3e8ef546975657e45fce7f147fe4a08e9ca)
2002-02-01 | Add ads printer information | Jim McDonough | 1 file | -0/+55
(This used to be commit a844d9af21d8047629129c5e842db7acbc059932)
2001-12-19 | much better ADS error handling system | Andrew Tridgell | 1 file | -6/+16
(This used to be commit 05a90a28843e0d69183a49a76617c5f32817df16)
2001-12-19 | - added initial support for trusted domains in winbindd_ads | Andrew Tridgell | 1 file | -0/+11
- gss error code patch from a.bokovoy@sam-solutions.net
- better sid dumping in ads_dump
- fixed help in wbinfo
(This used to be commit ee1c3e1f044b4ef62169ad74c5cac40eef81bfda)
2001-12-08 | added internal sasl/gssapi code. This means we are no longer dependent on | Andrew Tridgell | 1 file | -0/+2
cyrus-sasl which makes the code much less fragile. Also added code to auto-determine the server name or realm
(This used to be commit 435fdf276a79c2a517adcd7726933aeef3fa924b)
2001-12-05 | added a REALLY gross hack into kerberos_kinit_password so that | Andrew Tridgell | 1 file | -0/+1
winbindd can do a kinit. This will be removed once we have code that gets a tgt and puts it in a place where cyrus-sasl can see it
(This used to be commit 7d94f1b7365215a020d3678d03d820a7d086174f)
2001-12-05 | added timeouts and retries to ldap operations | Andrew Tridgell | 1 file | -0/+7
(This used to be commit 4f004eb54d66b6f811cb2f4791da6c70d77f87c2)
2001-12-03 | added another ATYPE_ | Andrew Tridgell | 1 file | -1/+2
(This used to be commit 514bc61daa3f6d11dadac1baed5a5bf61313b1f9)
2001-12-03 | added a basic ADS backend to winbind. More work needed, but at | Andrew Tridgell | 1 file | -0/+3
least basic operations work
(This used to be commit 88241cab983b2c7db7d477c6c4654694a7a56cd3)
2001-11-20 | forgot this file | Andrew Tridgell | 1 file | -0/+29
(This used to be commit 1dd255b06d4c8669d839a387d4c63ff3475ab1ab)