path: root/source3/include/ads.h
Age | Commit message | Author | Files | Lines (-/+)
2007-10-10 | r24804: As a temporary workaround, also try to guess the server's principal in the "not_defined_in_RFC4178@please_ignore" case to make at least LDAP SASL binds succeed with windows server 2008. | Günther Deschner | 1 | -0/+2
Guenther (This used to be commit f5b3de4d3069eaa750240e3422bac5cb169b6c0a)
2007-10-10 | r24131: - make it more clear what the different min and max fields mean | Stefan Metzmacher | 1 | -4/+5
- with the "GSSAPI" sasl mech the plain, sign or seal negotiation is independent from the req_flags and ret_flags
- verify the server supports the wrapping type we want
- better handling on negotiated buffer sizes
metze (This used to be commit d0ec7323870ca16b28d458ff5f7dacce278b7d54)
2007-10-10 | r24039: remove unused global variable... | Stefan Metzmacher | 1 | -1/+1
metze (This used to be commit 05fce8815f2f08f71522ba326224185dcecd62ae)
2007-10-10 | r23946: add support for NTLMSSP sign and seal | Stefan Metzmacher | 1 | -1/+1
NOTE: windows servers are broken with sign only... metze (This used to be commit 408bb2e6e2171196a2bd314db181d9b124e931a1)
2007-10-10 | r23945: add infrastructure to select plain, sign or seal LDAP connection | Stefan Metzmacher | 1 | -1/+12
metze (This used to be commit 2075c05b3d8baa7d6d8510cd962471a5781740a6)
2007-10-10 | r23926: implement output buffer handling for the SASL write wrapper | Stefan Metzmacher | 1 | -2/+2
metze (This used to be commit 65ce6fa21adec704b3cde30c57001e5620f048e4)
2007-10-10 | r23922: implement input buffer handling for the SASL read wrapper | Stefan Metzmacher | 1 | -15/+46
metze (This used to be commit 7d8518ebd9470062b499b7074a940e14520e99f2)
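The r23922/r23926 input and output buffer handling and the r24131 "better handling on negotiated buffer sizes" all concern the same mechanism: once a SASL security layer (GSSAPI or NTLMSSP sign/seal) is active, every LDAP PDU travels inside RFC 4422 security-layer buffers, each a 4-octet big-endian length followed by the protected token, and each side may only accept buffers up to the maximum it announced. The Python below is an added illustration of that framing, not Samba's C implementation: it reassembles buffers from partial reads, enforces the negotiated receive limit, and splits outgoing data to the peer's limit. The sign/seal transform itself is out of scope here; the "protected" bytes are treated as opaque and the sample token is constructed.

```python
import struct


class SaslFrameError(Exception):
    """Raised when a peer sends a security-layer buffer we must not accept."""


class SaslReadWrapper:
    """Reassembles RFC 4422 security-layer buffers from arbitrary read() chunks.

    Each buffer on the wire is a 4-octet big-endian length followed by that many
    octets of protected data (the sign/seal token produced by the SASL mechanism;
    this class does not unwrap it). The receiver must reject any buffer larger
    than the maximum receive size it advertised during negotiation.
    """

    def __init__(self, max_recv_size):
        self.max_recv_size = max_recv_size
        self._pending = b""

    def feed(self, data):
        """Append bytes from one read() and return every complete buffer found."""
        self._pending += data
        frames = []
        while len(self._pending) >= 4:
            (length,) = struct.unpack(">I", self._pending[:4])
            if length > self.max_recv_size:
                # A peer ignoring our advertised maximum is a protocol error;
                # failing here avoids allocating an attacker-chosen 4 GiB buffer.
                raise SaslFrameError(
                    "peer sent %d-byte buffer, negotiated maximum is %d"
                    % (length, self.max_recv_size))
            if len(self._pending) < 4 + length:
                break  # partial read: wait for the rest of this buffer
            frames.append(self._pending[4:4 + length])
            self._pending = self._pending[4 + length:]
        return frames


def sasl_wrap_for_write(protected, max_send_size):
    """Split protected data into length-prefixed buffers the peer will accept.

    max_send_size is the maximum buffer size the *peer* announced; one oversized
    write would be rejected by a receiver that checks as SaslReadWrapper does.
    """
    if max_send_size <= 0:
        raise ValueError("max_send_size must be positive")
    frames = []
    for offset in range(0, len(protected), max_send_size):
        chunk = protected[offset:offset + max_send_size]
        frames.append(struct.pack(">I", len(chunk)) + chunk)
    return frames


def rejects_oversize(max_recv_size, wire_bytes):
    """True if a reader with the given limit refuses wire_bytes."""
    try:
        SaslReadWrapper(max_recv_size).feed(wire_bytes)
    except SaslFrameError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: one 13-byte server buffer arrives across three reads.
    reader = SaslReadWrapper(max_recv_size=0x10000)
    wire = struct.pack(">I", 13) + b"sealed-token!"
    got = reader.feed(wire[:2]) + reader.feed(wire[2:9]) + reader.feed(wire[9:])
    print(got)
```

The length check runs before any data for the buffer is buffered, so a hostile or misconfigured server cannot force the client to hold an arbitrarily large partial buffer; the write side never emits a buffer larger than the peer's limit, which is the failure r24131 describes when the negotiated sizes are not honoured.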
2007-10-10 | r23898: rename HAVE_ADS_SASL_WRAPPING -> HAVE_LDAP_SASL_WRAPPING | Stefan Metzmacher | 1 | -3/+3
metze (This used to be commit 873eaff8febb50f00f9dac64c57b2a22c16f4f9b)
2007-10-10 | r23896: hopefully fix the build on most systems | Stefan Metzmacher | 1 | -1/+1
metze (This used to be commit d5512da62a6ae38321709611b04f419cc6c3b190)
2007-10-10 | r23893: add dummy callbacks for LDAP SASL wrapping, | Stefan Metzmacher | 1 | -4/+6
they're not used yet... metze (This used to be commit a3b97cdce719d9d5e82f26096c0e8c3a86ff3965)
2007-10-10 | r23888: move elements belonging to the current ldap connection to a substructure. | Stefan Metzmacher | 1 | -10/+13
metze (This used to be commit 00909194a6c1ed193dfdb296f50f58a53450583c)
2007-10-10 | r23838: Allow to store schema and config path in ADS_STRUCT config. | Günther Deschner | 1 | -0/+2
Guenther (This used to be commit 1d5b08326fa72bd3423b377a4e6243466e778622)
2007-10-10 | r23826: Fix gpo security filtering by matching the security descriptor ACEs for the extended apply group policy right. | Günther Deschner | 1 | -0/+3
Guenther (This used to be commit d832014a6fef657f484412372b5d09047552b183)
2007-10-10 | r23766: Add GTYPE_SECURITY_UNIVERSAL_GROUP define. | Günther Deschner | 1 | -0/+5
Guenther (This used to be commit 964acb2716e230172e716d8d24ee2f888930130d)
2007-10-10 | r23607: Add legacy support for Services for Unix (SFU) 2.0. | Günther Deschner | 1 | -4/+12
Guenther (This used to be commit 11b390309b9677805e5b68f3a1b780658ae85137)
2007-10-10 | r23128: Fix typo. | Günther Deschner | 1 | -1/+1
Guenther (This used to be commit 52fdbbda53df79461322b9d21aba998f19181df8)
2007-10-10 | r22841: Add comment to endif statement. | Lars Müller | 1 | -1/+1
(This used to be commit 1351207626ee0f99aef93326ef96bf69651bf472)
2007-10-10 | r22797: We are only interested in the DACL of the security descriptor, so search with the SD_FLAGS control. | Günther Deschner | 1 | -0/+1
Guenther (This used to be commit 648df57e53ddabe74052e816b8eba95180736208)
2007-10-10 | r22664: When we have krb5_get_init_creds_opt_get_error() then try to get the NTSTATUS codes directly out of the krb5_error edata. | Günther Deschner | 1 | -0/+6
Guenther (This used to be commit dcd902f24a59288bbb7400d59c0afc0c8303ed69)
2007-10-10 | r21240: Fix longstanding Bug #4009. | Günther Deschner | 1 | -1/+2
For the winbind cached ADS LDAP connection handling (ads_cached_connection()) we were (incorrectly) assuming that the service ticket lifetime equaled the tgt lifetime. For setups where the service ticket just lives 10 minutes, we were leaving hundreds of LDAP connections in CLOSE_WAIT state, until we fail to service entirely with "Too many open files".
Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP connection after the ads_do_search_retry() has failed to submit the search request (although the bind succeeded (returning an expired service ticket that we cannot delete from the memory cred cache - this will get fixed later)).
Guenther (This used to be commit 7e1a84b7226fb8dcd5d34c64a3478a6d886a9a91)
2007-10-10 | r20986: Commit the prototype of the nss_info plugin interface. | Gerald Carter | 1 | -10/+11
This allows a provider to supply the homedirectory, etc... attributes for a user without requiring support in core winbindd code. The idmap_ad.c module has been modified to provide the idmap 'ad' library as well as the rfc2307 and sfu "winbind nss info" support. The SID/id mapping is working in idmap_ad but the nss_info still has a few quirks that I'm in the process of resolving. (This used to be commit aaec0115e2c96935499052d9a637a20c6445986e)
2007-10-10 | r20857: Silence gives assent :-). Checking in the fix for site support in a network where many DCs are down. | Jeremy Allison | 1 | -0/+1
I heard via Volker there is still a bug w.r.t the wrong site being chosen with trusted domains but we'll have to layer that fix on top of this. Gd - complain if this doesn't work for you. Jeremy. (This used to be commit 97e248f89ac6548274f03f2ae7583a255da5ddb3)
2007-10-10 | r18019: Fix a C++ warning: Don't use void * in libads/ for LDAPMessage anymore. | Volker Lendecke | 1 | -0/+4
Compiled it on systems with and without LDAP, I hope it does not break the build farm too badly. If it does, I'll fix it tomorrow. Volker (This used to be commit b2ff9680ebe0979fbeef7f2dabc2e3f27c959d11)
2007-10-10 | r17970: Add missing include-guards around ads.h and ads_cldap.h. | Jeremy Allison | 1 | -0/+3
Remove all reference to "Default-First-Site-Name" and treat it like any other site. Jeremy. (This used to be commit 5ae3564d6844f44a6943b2028917bd457371af1e)
2007-10-10 | r17945: Store the server and client sitenames in the ADS struct so we can see when they match - only create the ugly krb5 hack when they do. | Jeremy Allison | 1 | -0/+2
Jeremy. (This used to be commit 9be4ecf24b6b5dacf4c2891bddb072fa7543753f)
2007-10-10 | r17943: The horror, the horror. Add KDC site support by writing out a custom krb5.conf file containing the KDC I need. | Jeremy Allison | 1 | -0/+1
This may suck.... Needs some testing :-). Jeremy. (This used to be commit d500e1f96d92dfcc6292c448d1b399195f762d89)
2007-10-10 | r16548: Fix bug #3867 reported by jason@ncac.gwu.edu. | Jeremy Allison | 1 | -0/+1
Jeremy. (This used to be commit 2b8d72f09c6d79d5d41421545b538da573adcd9d)
2007-10-10 | r16336: Fix Klocwork IDs 1087, 1095, 1096, 1098, 1099, 1101, 1102, 1105, 1107, 1109, 1111 | Volker Lendecke | 1 | -0/+4
Volker (This used to be commit def075baf873b24c522d09ddc0141d84431a1fae)
2007-10-10 | r15698: An attempt to make the winbind lookup_usergroups() call in security=ads more scalable: | Günther Deschner | 1 | -0/+15
The most efficient way is to use the "tokenGroups" attribute which gives the nested group membership. As this attribute can not always be retrieved when binding with the machine account (the only guaranteed way to get the tokenGroups I could find is when the machine account is a member of the "Pre Win2k Access" builtin group).
Our current fallback when "tokenGroups" failed is looking for all groups where the userdn was in the "member" attribute. This does not behave very well in very large AD domains. The patch first tries the "memberOf" attribute on the user's dn in that case and directly retrieves the group's sids by using the LDAP Extended DN control from the user's object.
The way to pass down the control to the ldap search call is rather painful and probably will be rearranged later on.
Successfully tested on win2k sp0, win2k sp4, win2k3 sp1 and win2k3 r2.
Guenther (This used to be commit 7d766b5505e4099ef7dd4e88bb000ebe38d71bd0)
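The fallback described in r15698 works because the LDAP Extended DN control (OID 1.2.840.113556.1.4.529) makes the server return each memberOf value as `<GUID=...>;<SID=...>;DN`, so the group SIDs come back with the user object and no per-group lookup is needed. The Python below is an added example of consuming that result, not Samba's code: it handles both control variants (flag 0 returns the GUID and SID as hex strings of their binary forms, flag 1 returns them in textual form), decodes a binary SID, and skips entries such as OUs that carry no SID. The memberOf values and SIDs are constructed sample data, and the control OID is the Microsoft-documented one.

```python
"""Pull group SIDs out of memberOf values returned with LDAP_SERVER_EXTENDED_DN_OID."""

# Control OID as documented by Microsoft; with flag 0 the GUID and SID are hex
# strings of their binary forms, with flag 1 they are in their usual text forms.
LDAP_SERVER_EXTENDED_DN_OID = "1.2.840.113556.1.4.529"


def sid_from_binary(raw):
    """Convert a binary SID (revision, count, authority, sub-authorities) to S-1-... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")          # 48-bit big-endian
    subs = [int.from_bytes(raw[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def parse_extended_dn(value):
    """Split '<GUID=...>;<SID=...>;DN' into its parts; GUID and SID may be absent."""
    guid = sid = None
    rest = value
    while rest.startswith("<"):
        end = rest.find(">")
        if end < 0:
            raise ValueError("unterminated extended-DN prefix: %r" % value)
        key, _, val = rest[1:end].partition("=")
        if key == "GUID":
            guid = val
        elif key == "SID":
            # Flag 1 gives the textual SID; flag 0 gives hex of the binary SID.
            sid = val if val.startswith("S-") else sid_from_binary(bytes.fromhex(val))
        rest = rest[end + 1:]
        if rest.startswith(";"):
            rest = rest[1:]
    return {"guid": guid, "sid": sid, "dn": rest}


def group_sids_from_memberof(values):
    """Return the SIDs of all entries in a memberOf result that carry one."""
    sids = []
    for v in values:
        parsed = parse_extended_dn(v)
        if parsed["sid"] is not None:
            sids.append(parsed["sid"])
    return sids


# Constructed sample values in both encodings (not real directory data).
SAMPLE_MEMBEROF = [
    "<GUID=3a4f1f4e-9b2a-4c61-8c7e-0e2f1d9a6b11>;"
    "<SID=S-1-5-21-1234567890-123456789-1234567890-513>;"
    "CN=Domain Users,CN=Users,DC=example,DC=com",
    "<GUID=0f1e2d3c4b5a69788796a5b4c3d2e1f0>;"
    "<SID=010500000000000515000000d202964915cd5b07d202964900020000>;"
    "CN=Domain Admins,CN=Users,DC=example,DC=com",
    "<GUID=5c9d0a11-2e3f-4a5b-8c6d-7e8f9a0b1c2d>;OU=Sales,DC=example,DC=com",
]

if __name__ == "__main__":
    for sid in group_sids_from_memberof(SAMPLE_MEMBEROF):
        print(sid)
```

The binary SID decoder validates the length against the sub-authority count before indexing, so a truncated or padded value from a misbehaving server raises instead of producing a plausible-looking but wrong SID; that matters when the result feeds an access decision.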
2007-10-10 | r15697: I take no comments as no objections :) | Günther Deschner | 1 | -5/+27
Expand the "winbind nss info" to also take "rfc2307" to support the plain posix attributes LDAP schema from win2k3-r2. This work is based on patches from Howard Wilkinson and Bob Gautier (and closes bug #3345). Guenther (This used to be commit 52423e01dc209ba5abde808a446287714ed11567)
2007-10-10 | r15543: New implementation of 'net ads join' to be more like Windows XP. | Gerald Carter | 1 | -15/+0
The motivating factor is to not require more privileges for the user account than Windows does when joining a domain. The points of interest are
* net_ads_join() uses same rpc mechanisms as net_rpc_join()
* Enable CLDAP queries for filling in the majority of the ADS_STRUCT->config information
* Remove ldap_initialized() from sam/idmap_ad.c and libads/ldap.c
* Remove some unnecessary fields from ADS_STRUCT
* Manually set the dNSHostName and servicePrincipalName attribute using the machine account after the join
Thanks to Guenther and Simo for the review. Still to do:
* Fix the userAccountControl for DES only systems
* Set the userPrincipalName in order to support things like 'kinit -k' (although we might be able to just use the sAMAccountName instead)
* Re-add support for pre-creating the machine account in a specific OU
(This used to be commit 4c4ea7b20f44cd200cef8c7b389d51b72eccc39b)
2007-10-10 | r15243: Sorry for the breakage: | Günther Deschner | 1 | -1/+5
* Fix the build without kerberos headers
* Fix memleak in the krb5_address handling
Guenther (This used to be commit 10e42117559d4bc6a34e41a94914bf6c65c3477f)
2007-10-10 | r15240: Correctly disallow unauthorized access when logging on with the kerberized pam_winbind and workstation restrictions are in effect. | Günther Deschner | 1 | -0/+12
The krb5 AS-REQ needs to add the host netbios-name in the address-list. We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from the edata of the KRB_ERROR but the login at least fails when the local machine is not in the workstation list on the DC. Guenther (This used to be commit 8b2ba11508e2730aba074d7c095291fac2a62176)
2007-10-10 | r14051: Add remaining (documented) userAccountControl bits, thanks to Luke Howard for pointing this out. | Günther Deschner | 1 | -2/+2
Guenther (This used to be commit 170038f4cdfa51ea31b2255a020740d28dfbfba2)
2007-10-10 | r13657: Let winbindd try to obtain the gecos field from the msSFU30Gecos attribute when "winbind nss info = sfu" is set. Fixes #3539. | Günther Deschner | 1 | -0/+2
Guenther (This used to be commit ffce0461de130828345c44293e564ca03227607d)
2007-10-10 | r13316: Let the carnage begin.... | Gerald Carter | 1 | -0/+2
Sync with trunk as of r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10 | r11242: use LDAP bitwise matching rule when searching for groups in ADS. | Günther Deschner | 1 | -3/+25
This avoids requesting a full group dump from ADS each time; the bitwise match allows us to only query those groups we are interested in. The ADS LDAP server changed to RFC compliant behaviour when decoding the ldap filter with extensible match in the latest SPs (fixes).
From the patch:
/* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
 * rollup-fixes:
 *
 * According to Section 5.1(4) of RFC 2251 if a value of a type is its
 * default value, it MUST be absent. In case of extensible matching the
 * "dnattr" boolean defaults to FALSE and so it must be only be present
 * when set to TRUE.
 *
 * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
 * filter using bitwise matching rule then a buggy AD fails to decode
 * the extensible match. As a workaround set it to TRUE and thereby add
 * the dnAttributes "dn" field to cope with those older AD versions.
 * It should not harm and won't put any additional load on the AD since
 * none of the dn components have a bitmask-attribute.
 *
 * Thanks to Ralf Haferkamp for input and testing */
Guenther (This used to be commit db38ed6be607d08515920d46fb8a12f8cb4ddd6e)
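The encoding rule the r11242 comment relies on is easiest to see on the wire. In the LDAP Filter, extensibleMatch is `[9] MatchingRuleAssertion`, a SEQUENCE of `matchingRule [1]`, `type [2]`, `matchValue [3]` and `dnAttributes [4] BOOLEAN DEFAULT FALSE`; a compliant encoder omits the [4] element whenever it is FALSE, and the workaround forces it to TRUE so the element is present. The Python below is an added example, not Samba's or OpenLDAP's code: it BER-encodes the filter both ways for the security-group query `(groupType:1.2.840.113556.1.4.803:=2147483648)` (LDAP_MATCHING_RULE_BIT_AND and GROUP_TYPE_SECURITY_ENABLED, values taken from the Microsoft documentation) and includes a lenient decoder that applies the DEFAULT FALSE rule, so you can check what a given client actually sent.

```python
"""BER encoding of an LDAP extensibleMatch filter (RFC 4511, section 4.5.1).

MatchingRuleAssertion ::= SEQUENCE {
    matchingRule  [1] MatchingRuleId OPTIONAL,
    type          [2] AttributeDescription OPTIONAL,
    matchValue    [3] AssertionValue,
    dnAttributes  [4] BOOLEAN DEFAULT FALSE }

Filter ::= CHOICE { ... extensibleMatch [9] MatchingRuleAssertion ... }
"""

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"   # documented AD matching rule
GROUP_TYPE_SECURITY_ENABLED = 0x80000000                 # documented groupType bit


def ber_length(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content


def extensible_match_filter(attr, rule_oid, value, dn_attributes=False):
    """Encode (attr:rule_oid:=value).

    With dn_attributes=False the [4] element is omitted, the RFC-compliant
    encoding of a DEFAULT value. dn_attributes=True emits [4] BOOLEAN TRUE,
    which is the workaround for AD builds that could not decode the filter
    without it.
    """
    parts = tlv(0x81, rule_oid.encode())      # [1] matchingRule (context, primitive)
    parts += tlv(0x82, attr.encode())         # [2] type
    parts += tlv(0x83, value.encode())        # [3] matchValue
    if dn_attributes:
        parts += tlv(0x84, b"\xff")           # [4] dnAttributes TRUE
    return tlv(0xA9, parts)                   # [9] extensibleMatch (context, constructed)


def _read_tlv(buf, pos):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_extensible_match(buf):
    """Lenient decoder: accepts both encodings and applies DEFAULT FALSE for [4]."""
    tag, content, end = _read_tlv(buf, 0)
    if tag != 0xA9 or end != len(buf):
        raise ValueError("not a single extensibleMatch filter")
    fields = {"matchingRule": None, "type": None, "matchValue": None, "dnAttributes": False}
    pos = 0
    while pos < len(content):
        t, v, pos = _read_tlv(content, pos)
        if t == 0x81:
            fields["matchingRule"] = v.decode()
        elif t == 0x82:
            fields["type"] = v.decode()
        elif t == 0x83:
            fields["matchValue"] = v.decode()
        elif t == 0x84:
            fields["dnAttributes"] = v != b"\x00"
        else:
            raise ValueError("unexpected tag 0x%02x in MatchingRuleAssertion" % t)
    return fields


def security_group_filter(compat=True):
    """The group search filter, with (compat=True) or without the dnAttributes workaround."""
    return extensible_match_filter("groupType", LDAP_MATCHING_RULE_BIT_AND,
                                   str(GROUP_TYPE_SECURITY_ENABLED), dn_attributes=compat)


if __name__ == "__main__":
    print("strict:", security_group_filter(compat=False).hex())
    print("compat:", security_group_filter(compat=True).hex())
```

The two encodings differ only by the trailing `84 01 ff` and the outer length octet. As the original comment notes, setting dnAttributes TRUE widens the match to DN components, which is harmless for a bitmask rule because no DN attribute carries a bitmask value; for other matching rules that widening could change the result set, so the workaround is not a free default.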
2007-10-10 | r10656: BIG merge from trunk. Features not copied over | Gerald Carter | 1 | -1/+1
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10 | r7994: This adds support in Winbindd's "security = ads"-mode to retrieve the POSIX homedirectory and the loginshell from Active Directory's "Services for Unix". | Günther Deschner | 1 | -4/+20
Enable it with: winbind sfu support = yes
User-Accounts without SFU-Unix-Attributes will be assigned template-based Shells and Homedirs as before. Note that it doesn't matter which version of Services for Unix you use (2.0, 2.2, 3.0 or 3.5). Samba should detect the correct attributes (msSFULoginShell, msSFU30LoginShell, etc.) automatically.
If you also want to share the same uid/gid-space as SFU then also use PADL's ad-idmap-Plugin: idmap backend = ad
When using the idmap-plugin only those accounts will appear in Name Service Switch that have those UNIX-attributes which avoids potential uid/gid-space clashes between SFU-ids and automatically assigned idmap-ids. Guenther (This used to be commit 28b59699425b1c954d191fc0e3bd357e4a4e4cd8)
2007-10-10 | r4665: Fix inspired by posting from Joe Meadows <jameadows@webopolis.com>. | Jeremy Allison | 1 | -3/+0
Make all LDAP timeouts consistent. Jeremy. (This used to be commit 0f0281c2348b10ffdea744ecade6b2be0814c872)
2007-10-10 | r2832: Readd WKGUID-binding to match the correct default-locations of new User-, Group- and Machine-Accounts in Active Directory (this got lost during the last trunk-merge). | Günther Deschner | 1 | -0/+3
This way we match e.g. default containers moved by redircmp.exe and redirusr.exe in Windows 2003 and don't blindly default to cn=Users or cn=Computers. Further wkguids can be examined via "net ads search wellknownobjects=*". This should still keep a samba3-client joining a samba4 dc. Fixes Bugzilla #1343. Guenther (This used to be commit 8836621694c95779475fa9a1acf158e5e0577288)
2004-03-24 | Fix bugzilla # 1208 | Jim McDonough | 1 | -0/+1
Winbind tickets expired. We now check the expiration time, and acquire new tickets. We couldn't rely on renewing them, because if we didn't get a request before they expired, we wouldn't have renewed them. Also, there is a one-week limit in MS on renewal life, so new tickets would have been needed after a week anyway. Default is 10 hours, so we should only be acquiring them that often, unless the configuration on the DC is changed (and the minimum is 1 hour). (This used to be commit c2436c433afaab4006554a86307f76b6689d6929)
2004-03-22 | bug 1195: add flag to ADS_STRUCT so we know who owns the main structure's memory (not the members though) | Gerald Carter | 1 | -0/+2
(This used to be commit 4449e0e251190b741f51348819669453f0758f36)
2004-01-09 | fix some warnings from the Sun compiler | Gerald Carter | 1 | -9/+9
(This used to be commit ebabf72a78f0165521268b73e0fcabe1ea7834fd)
2003-08-27 | Fix to properly set AP_OPTS_SUBKEY in heimdal. In MIT it is a #define, but in heimdal it is an enum. | Jim McDonough | 1 | -1/+1
Thanks to Guenther Deschner (gd@suse.de). With this join will work, but without a keytab, cifs connections will still fail with heimdal. Fix to come later. (This used to be commit d30bef4c37e8203c273eb3852215a89348bece7a)
2003-06-10 | added an auth flag that indicates if we should be allowed to fallback to NTLMSSP for SASL if krb5 fails. | Andrew Tridgell | 1 | -0/+1
This is important as otherwise the admin may think that a join has succeeded when kerberos is actually broken. (This used to be commit 23a6ea385c4aea208adf36f039244bee14f56a33)
2003-05-09 | Fix comment - we now have 5 types of error... | Andrew Bartlett | 1 | -1/+1
(This used to be commit 372a574a73b86855cf6efc18349e5ba24067d690)
2003-03-17 | Merge from HEAD: | Andrew Bartlett | 1 | -0/+7
net ads password Heimdal compile fixes. Andrew Bartlett (This used to be commit 3aa4f923e99f453310bb4a8d43ce43757591909d)
2003-03-17 | Merge from HEAD - sync up SessionSetup code to HEAD, including Luke Howard's session key and auth verifier patches. | Andrew Bartlett | 1 | -0/+5
Andrew Bartlett (This used to be commit 3f9616a68a855acbae3f405c27ee2358fbe7ba2c)
2003-02-24 | Merge from HEAD client-side authentication changes: | Andrew Bartlett | 1 | -0/+3
- new kerberos code, allowing the account to change its own password without special SD settings required
- NTLMSSP client code, now separated from cliconnect.c
- NTLMv2 client code
- SMB signing fixes
Andrew Bartlett (This used to be commit 837680ca517982f2e5944730581a83012d4181ae)