summaryrefslogtreecommitdiff
path: root/source3/include
AgeCommit message (Collapse)AuthorFilesLines
2003-09-07Nobody complained on the team-list, so commit it ...Volker Lendecke1-0/+17
This implements some kind of improved AFS support for Samba on Linux with OpenAFS 1.2.10. ./configure --with-fake-kaserver assumes that you have OpenAFS on your machine. To use this, you have to put the AFS server's KeyFile into secrets.tdb with 'net afskey'. If this is done, on each tree connect smbd creates a Kerberos V4 ticket suitable for use by the AFS client and gives it to the kernel via the AFS syscall. This is meant to be very light-weight, so I did not link in a whole lot of libraries to be more platform-independent using the ka_SetToken function call. Volker (This used to be commit 5775690ee8e17d3e98355b5147e4aed47e8dc213)
2003-08-28Refactor charset plugins a bit and add CP437 module.Alexander Bokovoy1-0/+87
Now all 8-bit charsets with gaps (not all symbols defined) could be produced through one macro -- SMB_GENERATE_CHARSET_MODULE_8_BIT_GAP(CHARSETNAME) within source file with three charset tables. Full source code for such modules can be generated by source/script/gen-8bit-gap.sh script which was taken from GNU libc and changed slightly to follow our data types and structure. (This used to be commit 37042c7bc0f349370e93e4bed37d8fa371013247)
2003-08-27Fix to properly set AP_OPTS_SUBKEY in heimdal. In MIT it is a #define, butJim McDonough1-1/+1
in heimdal it is an enum. Thanks to Guenther Deschner (gd@suse.de). With this join will work, but without a keytab, cifs connections will still fail with heimdal. Fix to come later. (This used to be commit d30bef4c37e8203c273eb3852215a89348bece7a)
2003-08-27Ensure we use correct length nstrings for workgroup and browser names.Jeremy Allison1-4/+4
Jeremy. (This used to be commit be534c8adf6c3cb8921ce49dbb79991c632d501e)
2003-08-23Half-way though the big conversion of all nmbd access to wire elements beingJeremy Allison3-191/+183
converted to pull/push_ascii. This will not work right at the moment for non English codepages, but compiles - I will finish the work over the weekend. Then nmbd should be completely codepage correct. Jeremy. (This used to be commit 236d6adadf32397b28028ea82ae2ec027366f7c8)
2003-08-22struct nmb_name should have 16 byte namestrings, not 17.Jeremy Allison1-3/+3
Jeremy. (This used to be commit daf7b5fbd93c640c7660bdf173079fa1039794af)
2003-08-20metze's autogenerate patch for version.hGerald Carter2-1/+1
(This used to be commit ae452e51b02672a56adf18aa7a7e365eeaba9272)
2003-08-20Fix bug #252. Implement missing SAMR_REMOVE_USER_FOREIGN_DOMAINGerald Carter1-7/+7
call. (This used to be commit dd2cf4897ec3db25c24a2724ffdef4f905625f6a)
2003-08-19Implement SMBexit properly. Found by Samba4 tester. You must do a makeJeremy Allison1-0/+1
clean proto all; after this commit. Jeremy. (This used to be commit 27af1f9feab12542dc538bfceac4593e644ba3b4)
2003-08-18Add level 261 to search. Found using Samba4 tester.Jeremy Allison1-0/+2
Jeremy. (This used to be commit 4ee99d1c412ecc77541c988f6795ae3cb89907b8)
2003-08-15Latest heimdal snapshot has a krb5_set_real_time with a slightlyVolker Lendecke1-1/+1
different (but by implicit conversion hopefully compatible... ;-) prototype. Fix the build for that. (This used to be commit 497b190edc42cec40fc80e9d9eb6aa4e1a466ac5)
2003-08-15fix typeHerb Lewis1-1/+1
(This used to be commit 327d26253ed21988d95303c4f8c85901199d8f40)
2003-08-15add IRIX EA supportHerb Lewis1-0/+4
(This used to be commit 589e94f4ffa325acfd6562a84906639e19fd5d33)
2003-08-14Fix SMBseek and get/set position information SMBs. Works againstJeremy Allison1-0/+1
Samba4 tester. You will need a make clean; make all after this ! Jeremy. (This used to be commit 10d90171ed58bee3e5ab6476341059b585034134)
2003-08-14Attempt at fixing bug #283. There however is no solution.Gerald Carter4-4/+39
There is a workaround documented in the bug report. This patch does: * add server support for the LSA_DS UUID on the lsarpc pipe * store a list of context_ids/api_structs in the pipe_struct so that we don't have to lookup the function table for a pipe. We just match the context_id. Note that a dce/rpc alter_context does not destroy the previous context so it is possible to have multiple bindings active on the same pipe. Observed from standalone win2k sp4 client. * added server code for DsROleGetPrimaryDOmainInfo() but disabled it since it causes problems enumerating users and groups from a 2ksp4 domain member in a Samba domain. (This used to be commit 96bc2abfcb0dd0912696fad76e43cb217b33e061)
2003-08-10Store the server domain from the ntlmssp challenge in the client structVolker Lendecke1-0/+1
to be able to ask a LMB for the servers in its workgroup. Against W2k this only works on port 139.... Volker (This used to be commit 62b04d7776852098dd768268500f36c3a362f688)
2003-08-08RPC fix from Ronan Waide <waider@waider.ie>. Tested with rpcecho.Jeremy Allison1-2/+2
Jeremy. (This used to be commit 68590b9e2266cf76b46a68cca0acaa47733811fe)
2003-08-07Shadow copy API - Original work by "Ken Cross" <kcross@nssolutions.com>, adaptedJeremy Allison4-2/+35
into a patch by "Stefan (metze) Metzmacher" <metze@metzemix.de>. Jeremy. (This used to be commit ce5c91d35dabc5ff6fb3df2b259ed186d6a7e0da)
2003-08-07Patch from waider@waider.ie to print out Port Type.Jeremy Allison1-0/+6
Jeremy. (This used to be commit 8516baf58d333a54bcbe1c1a08eee499b3dd2636)
2003-08-06Get rid of MAXPATHLEN, move to standard PATH_MAX.Jeremy Allison1-4/+0
Jeremy. (This used to be commit 455ed2d51d86f39ce0fa6e6abca31a5425d2ea17)
2003-08-01Update my copyrights according to my agreement with IBMJim McDonough3-3/+3
(This used to be commit c9b209be2b17c2e4677cc30b46b1074f48878f43)
2003-08-01Fix copyright statements for various pieces of Anthony Liguori's work.Jim McDonough3-3/+2
(This used to be commit 15d2bc47854df75f8b2644ccbc887d0357d9cd27)
2003-07-31CVAL_NC() doesn't need the (unsigned) fix and breaks the IRIX buildAndrew Tridgell1-1/+1
Thanks to Herb for pointing this out! (This used to be commit 87ede8d310db10d92b4ff57e67d3b53cbb7697fb)
2003-07-31Apply some constVolker Lendecke1-2/+2
(This used to be commit 692ff44ba39cd24dbc906e0319bc51c8be9cc267)
2003-07-31working on transtive trusts issue:Gerald Carter1-4/+12
* use DsEnumerateDomainTrusts() instead of LDAP search. wbinfo -m now lists all trusted downlevel domains and all domains in the forest. Thnigs to do: o Look at Krb5 connection trusted domains o make sure to initial the trusted domain cache as soon as possible (This used to be commit 0ab00ccaedf204b39c86a9e1c2fcac5f15d0e033)
2003-07-31This is a critical bug fix for a data corruption bug. If youAndrew Tridgell1-2/+2
maintain another tree then please apply! On non-X86 machines out byte-order macros fails for one particular value. If you asked for IVAL() of 0xFFFFFFFF and assigned it to a 64 bit quantity then you got a 63 bit number 0x7FFFFFFFFFFFFFFF rather than the expected 0xFFFFFFFF. This is due to some rather bizarre and obscure sign extension rules to do with unsigned chars and arithmetic operators (basically if you | together two unsigned chars you get a signed result!) This affected a byte range lock using the large lockingX format and a lock of offset 0 and length 0xFFFFFFFF. Microsoft Excel does one of these locks when opening a .csv file. If the platform you run on does not then handle locks of length 0x7FFFFFFFFFFFFFFF then the posix lock fails and the client is given a lockingX failure. This causes the .csv file to be trunated!! (This used to be commit 886661c3777dbfd4fa431746c8a5f48674a12b8e)
2003-07-30Add a command line option (-S on|off|required) to enable signing on clientJeremy Allison2-0/+2
connections. Overrides smb.conf parameter if set. Jeremy. (This used to be commit 879309671df6b530e0bff69559422a417da4a307)
2003-07-30add support for DsEnumerateDomainTrusted for enumerating all theGerald Carter1-0/+46
trusted domains in a forest. (This used to be commit c691c7f7d9afb8af542dc83cf934df1dfd38ef17)
2003-07-29Add NT quotas support. Users allowed now to manage quotas on systems with ↵Alexander Bokovoy1-0/+16
sysquotas interface detected (Linux at least) using native Windows tools. Also move default quota support for NT quotas to VFS module default_quota. Code by Metze (This used to be commit e856a96c2c42c39843e5e1a3a6b0d538e7179900)
2003-07-29This adds gss-spnego to ntlm_auth. It contains some new spnego supportVolker Lendecke2-0/+67
from Jim McDonough. It is to enable cyrus sasl to provide the gss-spnego support. For a preliminary patch to cyrus sasl see http://samba.sernet.de/cyrus-gss-spnego.diff Volker (This used to be commit 45cef8f66e46abe4a25fd2b803a7d1051c1c6602)
2003-07-28Corrected description of SWAT FLAGS since they have changed as a result of theJohn Terpstra1-5/+4
cleanup of loadparm and swat.c (This used to be commit 6956eb9a0b878f6fae37e4de14573cccd2af2156)
2003-07-27Clarified what the SWAT FLAGS mean and what they do.John Terpstra1-3/+5
Note: The comments in this file regarding the FLAGS has been in need of maintenance for some time. (This used to be commit a0d2fa0f25abe22008080df2ad2e58e7ee424a2b)
2003-07-25W00t! Client smb signing is now working correctly with krb5 and w2k server.Jeremy Allison1-1/+1
Server code *should* also work (I'll check shortly). May be the odd memory leak. Problem was we (a) weren't setting signing on in the client krb5 sessionsetup code (b) we need to ask for a subkey... (c). The client and server need to ask for local and remote subkeys respectively. Thanks to Paul Nelson @ Thursby for some sage advice on this :-). Jeremy. (This used to be commit 3f9e3b60709df5ab755045a093e642510d4cde00)
2003-07-25Jean-Baptiste Marchand on the ethereal list used some auditing tricks toTim Potter1-10/+10
discover names for the SAMR specific permissions that were previously unknown. The existing constant names differ from what win2k calls them but since they aren't heavily used in Samba at the moment I'll leave them as they are. Jean-Baptiste's data is at: http://ethereal.ntop.org/lists/ethereal-dev/200307/msg00314.html (This used to be commit ae77e9e55438a9807da3696fd0d31fba6d0f7370)
2003-07-24Fix packet signing with asynchronous oplock breaks. Removed bad error messageJeremy Allison1-3/+1
due to w2k bug. I think this code is now working.... Need more testing of course but works on all the obvious cases I can think of. Jeremy. (This used to be commit a6e537f6611cc1357fffea0b69901fba7c9ad6ea)
2003-07-24Add a macro to check whether module-specific data set already or not. ↵Alexander Bokovoy1-0/+3
Returns True or False. Should support further encapsulation of VFS-specific structs (This used to be commit 180e617f54021ced270c7c8cb86dd478d809d041)
2003-07-23A fix for bug 174. I'm pushing this to the tree to test it on one ofTim Potter1-0/+8
the build farm machines that I don't have direct access to (hpntc9I). (This used to be commit b01965823341bbabb74dcbc09d379b43db2ec680)
2003-07-22bumping version stringGerald Carter1-1/+1
(This used to be commit e4cd21222dbd1a7a7f79618762799373230d4905)
2003-07-22Fix commentAlexander Bokovoy1-3/+3
(This used to be commit 04f1577a39b926317911f59714de5c5ca87f02bd)
2003-07-17Disconnect an idle LDAP connection after 150 seconds.Volker Lendecke1-0/+3
Not strictly a bugfix, but it should considerably reduce the load we put on LDAP servers given that at least nss_ldap on Linux keeps a connection open. And it should also stress our reconnect-code a bit more ;-) Thanks to metze for this! Volker (This used to be commit e68d8eabeb9c64dc45d057619f9b3dd0cd507444)
2003-07-16Refactor signing code to remove most dependencies on 'struct cli'.Jeremy Allison2-12/+14
Ensure a server can't do a downgrade attack if client signing is mandatory. Add a lp_server_signing() function and a 'server signing' parameter that will act as the client one does. Jeremy (This used to be commit 203e4bf0bfb66fd9239e9a0656438a71280113cb)
2003-07-15Added the "required" keyword to the "client signing" parameter to force itJeremy Allison2-1/+2
on. Fail if missmatch. Small format tidyups in smbd/sesssetup.c. Preparing to add signing on server side. Jeremy. (This used to be commit c390b3e4cd68cfc233ddf14d139e25d40f050f27)
2003-07-14Jeremy requested that I get my NTLMSSP patch into CVS. He didn't requestAndrew Bartlett3-11/+35
the schannel code, but I've included that anyway. :-) This patch revives the client-side NTLMSSP support for RPC named pipes in Samba, and cleans up the client and server schannel code. The use of the new code is enabled by the 'sign', 'seal' and 'schannel' commands in rpcclient. The aim was to prove that our separate NTLMSSP client library actually implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation, in the hope that knowing this will assist us in correctly implementing NTLMSSP signing for SMB packets. (Still not yet functional) This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with calls to libsmb/ntlmssp.c. In the process, we have gained the ability to use the more secure NT password, and the ability to sign-only, instead of having to seal the pipe connection. (Previously we were limited to sealing, and could only use the LM-password derived key). Our new client-side NTLMSSP code also needed alteration to cope with our comparatively simple server-side implementation. A future step is to replace it with calls to the same NTLMSSP library. Also included in this patch is the schannel 'sign only' patch I submitted to the team earlier. While not enabled (and not functional, at this stage) the work in this patch makes the code paths *much* easier to follow. I have also included similar hooks in rpccleint to allow the use of schannel on *any* pipe. rpcclient now defaults to not using schannel (or any other extra per-pipe authenticiation) for any connection. The 'schannel' command enables schannel for all pipes until disabled. This code is also much more secure than the previous code, as changes to our cli_pipe routines ensure that the authentication footer cannot be removed by an attacker, and more error states are correctly handled. (The same needs to be done to our server) Andrew Bartlett (This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-11moving more code around.Gerald Carter1-0/+1
* move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-09Large set of changes to add UNIX account/group managementGerald Carter1-1/+2
to winbindd. See README.idmap-and-winbind-changes for details. (This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6)
2003-07-09Get rid of DISP_USER_INFO/DISP_GROUP_INFO as they serve no usefulJeremy Allison1-10/+0
purpose. Replace with an array of SAM_ACCOUNT/DOMAIN_GRP entries. ZERO struct's in smbd/uid.c stops core dumps when sid_to_XX functions fail. Getting ready to add caching. Jeremy. (This used to be commit 9d0692a54fe2cb087f25796ec2ab5e1d8433e388)
2003-07-07and so it begins....Gerald Carter1-2/+1
* remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-07-05Add some debug statments to our vampire code - try to make it easier to trackAndrew Bartlett1-0/+2
down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05Fixes to our LDAP/vampire codepaths:Andrew Bartlett1-0/+3
- Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-04This patch cleans up some of our ldap code, for better behaviour:Andrew Bartlett1-1/+5
We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)