Age | Commit message (Collapse) | Author | Files | Lines |
|
a copy of the plaintext password, only the NT and LM
hashes (all it needs). Fix smbencrypt to expose hash
verions of plaintext function. Andrew Bartlett, you
might want to look at this for gensec.
This should make it easier for winbindd to store
cached credentials without having to store plaintext
passwords in an NTLM-only environment (non krb5).
Jeremy.
(This used to be commit 629faa530f0422755823644f1c23bea74830912f)
|
|
Let's see what it breaks. For me it works :-)
Volker
(This used to be commit 337be14b432e5dfd80c7418b2db4fe0087259b77)
|
|
(This used to be commit 761cbd52f0cff6b864c506ec03c94039b6101ef9)
|
|
bytes returned" is less than the amount we want
to send, return what we can and set STATUS_BUFFER_OVERFLOW
(doserror ERRDOS,ERRbufferoverflow). Required by
OS/2 to handle EA's that are too large. It's hard
to test this in Samba4 smbtorture as the max data
bytes returned is hard coded at 0xffff (as it is
in the Samba3 client libraries also). I used a
custom version of Samba4 smbtorture to test this
out. Might add a "max data bytes" param to make
this testable in the build farm. Confirmed by
"Guenter Kukkukk (sambaos2)" <sambaos2@kukkukk.com>
and Andreas Taegener <atsamba11@eideltown.de>
that this fixes the issue.
Jeremy.
(This used to be commit ff2f1202b76991a404dae8df17c36f8135c8dc51)
|
|
Remove some unused code: pdb_find_alias is not used anymore, and nobody I
think has ever used the pdb_nop operations for group mapping. smbpasswd and
tdb use the default ones and ldap has its own.
Make the functions pdb_getgr* return NTSTATUS instead of BOOL. Nobody right
now really makes use of it, but it feels wrong to throw away information so
early.
Volker
(This used to be commit f9856f6490fe44fdba97ea86062237d8c74d4bdc)
|
|
Volker
(This used to be commit 68db058fdf508d5b4d38731ece21f5d92feca00c)
|
|
Guenther
(This used to be commit 8c1198c1592e7c07904b448ed7a54b9b23c941df)
|
|
* Remove "unknown" from dfs_Enum (samba4 dfs IDL updates to follow).
* When encountering an unsupported infolevel the rpc server must reply
with a dfs_info_0 structure and WERR_OK (observed from w2k3 when talking
to nt4).
Guenther
(This used to be commit f9bef1f08f7d2a4c95c28329ac73e8646f033998)
|
|
argument.
Volker
(This used to be commit 873a5a1211d185fd50e7167d88cbc869f70dfd3f)
|
|
we don't get the chainlock when getting the byte range
lock record read-only.
Jeremy.
(This used to be commit fcd798ca0c1b76adb2bcda4a99c40c7aacb0addb)
|
|
(This used to be commit 1e4ee728df7eeafc1b4d533240acb032f73b4f5c)
|
|
a POSIX lock (applying a read-lock) and we overlap
pending read locks then send them an unlock message,
we may have allowed them to proceed.
Jeremy.
(This used to be commit a7a0b6ba50f4cf7c5a0a29809fdff9e1266a29e7)
|
|
A patch to make ntlm_auth recognize three new commands in
ntlmssp-client-1 and squid-2.5-ntlmssp:
The commands are the following:
Command: SF <hex number>
Reply: OK
Description: Takes feature request flags similar to samba4's
gensec_want_feature() call. So far, only NTLMSSP_FEATURE_SESSION_KEY,
NTLMSSP_FEATURE_SIGN and NTLMSSP_FEATURE_SEAL are implemented, using the same
values as the corresponding GENSEC_FEATURE_* flags in samba4.
Command: GF
Reply: GF <hex number>
Description: Returns the negotiated flags.
Command: GK
Reply: GK <base64 encoded session key>
Description: Returns the negotiated session key.
(These commands assist a wine project to use ntlm_auth for signing and
sealing of bulk data).
Andrew Bartlett
(This used to be commit bd3e06a0e4435f1c48fa3b7862333efe273119ee)
|
|
(This used to be commit 32fbf66a4be3d1cc0251f00e54020bf2dbd0dfb0)
|
|
modularizes our interface into the special posix API used on
the system. Without this patch the specific API flavor is
determined at compile time, something which severely limits
usability on systems with more than one file system. Our
first targets are AIX with its JFS and JFS2 APIs, at a later
stage also GPFS. But it's certainly not limited to IBM
stuff, this abstraction is also necessary for anything that
copes with NFSv4 ACLs. For this we will check in handling
very soon.
Major contributions can be found in the copyright notices as
well as the checkin log of the vl-posixacls branch. The
final merge to 3_0 post-3.0.23 was done by Peter Somogyi
<psomogyi@gamax.hu>
(This used to be commit ca0c73f281a2a65a988094a46bb3e46a94011a53)
|
|
share_mode_forall().
Volker
(This used to be commit f97f6cedffdc4d10afcac90a163b93a801acf514)
|
|
* add code to lookup NS records (in prep for later coe that
does DNS updates as part of the net ads join)
(This used to be commit 36d4970646638a2719ebb05a091c951183535987)
|
|
Might need to be a parameter ?
Jeremy.
(This used to be commit 98d8d9399bb287319578daaf2a2fb42f3c48f858)
|
|
test. Phew - that was painful :-). But what it means
is that we now implement lock cancels and I can add
lock cancels into POSIX lock handling which will fix
the fast/slow system call issue with cifsfs !
Jeremy.
(This used to be commit f1a9cf075b87c76c032d19da0168424c90f6cb3c)
|
|
pstrings.
Volker
(This used to be commit c5e393d5eda4e13a844171d9ff319d1f1bac3d84)
|
|
Major points of interest:
* Figure the DES salt based on the domain functional level
and UPN (if present and applicable)
* Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC
keys
* Remove all the case permutations in the keytab entry
generation (to be partially re-added only if necessary).
* Generate keytab entries based on the existing SPN values
in AD
The resulting keytab looks like:
ktutil: list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
2 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
3 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
4 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
5 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
6 6 host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
7 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
8 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
9 6 suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName)
and the sAMAccountName value. The UPN will be added as well if the machine has
one. This fixes 'kinit -k'.
Tested keytab using mod_auth_krb and MIT's telnet. ads_verify_ticket()
continues to work with RC4-HMAC and DES keys.
(This used to be commit 6261dd3c67d10db6cfa2e77a8d304d3dce4050a4)
|
|
to do the upper layer directories but this is what
everyone is waiting for....
Jeremy.
(This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
|
|
metze
(This used to be commit a558abb40d9a0bcce568a336ce7e9f4ae5e066db)
|
|
bad cast warning.
Jeremy.
(This used to be commit d60e6e0abc17361fe180d6723b970552dc377741)
|
|
by ensuring we return the correct enum for sid
type, not a uint32.
Jeremy.
(This used to be commit 98a5e20ff4ceacda65dcc0ce5498ed4ffde520f8)
|
|
Although I've never met a computer or compiler that produced pointers to
functions which are a different size than pointers to data, I suppose they
probably exist. Assigning a pointer to a function is technically illegal in C
anyway.
Change casts of the option_value based on the option_name to use of variable
argument lists.
For binary compatibility, I've maintained but deprecated the old behavior of
debug_stderr (which expected to be passed a NULL or non-NULL pointer) and
added a new option debug_to_stderr which properly expects a boolean (int)
parameter.
Derrell
(This used to be commit c1b4c510530ca3118d1eccb9615a8cad732c7373)
|
|
Jeremy.
(This used to be commit 2b8d72f09c6d79d5d41421545b538da573adcd9d)
|
|
(This used to be commit 8cf364e602eea408fd9cd6acd12f2b72971361ae)
|
|
share_mode struct. Allows us to know the unix
uid of the opener of the file/directory. Needed
for info level queries on open files.
Jeremy.
(This used to be commit d929323d6f513902381369d77bcd7b714346d713)
|
|
1107, 1109,
1111
Volker
(This used to be commit def075baf873b24c522d09ddc0141d84431a1fae)
|
|
Guenther
(This used to be commit 546710d58c07acdaa175caa48cec4d3f2bc657ad)
|
|
eDir, we already add 'sn' as required attribute on LDAP add
operations.
When we modify an entry, we need to request 'sn' as well in our
attribute lists, so that we don't try to add it a second time.
Guenther
(This used to be commit e018ea3d1d70e68e6802843f88b3245dc09244c9)
|
|
enough of
SetUserInfo level 25 to survive the join method XP uses if the user did not
exist before. For good taste this contains way too much cut&paste, but for a
real fix there is just not enough time.
Up to 3.0.22 we completely ignored that a full level 21 is being sent together
with level 25, but we got away with that because on creation we did not set
the "disabled" flag on the workstation account. Now we correctly follow W2k3
in this regard, and we end up with a disabled workstation after join.
Man, I hate rpc_parse/. The correct fix would be to import PIDL generated samr
parsing, but this is would probably be a bit too much for .23...
Thanks to Tom Bork for finding this one.
Volker
(This used to be commit 5a37aba10551456042266443cc0a92f28f8c3d0d)
|
|
This allows a requestor to set FORCE_OPLOCK_BREAK_TO_NONE
to ensure we don't break to level 2. Fixed a couple
of resource leaks in error paths in open_file_ntcreatex.
Jeremy.
(This used to be commit c7c9adcce7f13d01445f31b07fb28a76f0a1d6df)
|
|
reserved word check when we selecte --enable-developer
(This used to be commit ece5fe3e78da460fb1c0eca3185da7f80c5cfdc4)
|
|
int16 and int32 definitions in internal and system headers
(This used to be commit 094443ed6c0fdd06f459211dbca50feed58463ef)
|
|
dynconfig.c. This is mainly useful for test harness scripts, hence the
lack of short options.
(This used to be commit bf3b71c84595608d71e0f15a6158adacb295518e)
|
|
Jeremy.
(This used to be commit f6c110ddb8cfaa1a57dea52818e7611134c2dcfe)
|
|
more scalable:
The most efficient way is to use the "tokenGroups" attribute which gives
the nested group membership. As this attribute can not always be
retrieved when binding with the machine account (the only garanteed way
to get the tokenGroups I could find is when the machine account is a
member of the "Pre Win2k Access" builtin group).
Our current fallback when "tokenGroups" failed is looking for all groups
where the userdn was in the "member" attribute. This behaves not very
well in very large AD domains.
The patch first tries the "memberOf" attribute on the user's dn in that
case and directly retrieves the group's sids by using the LDAP Extended
DN control from the user's object.
The way to pass down the control to the ldap search call is rather
painfull and probably will be rearranged later on.
Successfully tested on win2k sp0, win2k sp4, wink3 sp1 and win2k3 r2.
Guenther
(This used to be commit 7d766b5505e4099ef7dd4e88bb000ebe38d71bd0)
|
|
Expand the "winbind nss info" to also take "rfc2307" to support the
plain posix attributes LDAP schema from win2k3-r2.
This work is based on patches from Howard Wilkinson and Bob Gautier
(and closes bug #3345).
Guenther
(This used to be commit 52423e01dc209ba5abde808a446287714ed11567)
|
|
fsp pointers. Ensure we cope with this to pass Samba4
DENY tests (we used to pass these, there must have been
a regression with newer code). We now pass them.
Jeremy
(This used to be commit fd6fa1d4eaf61783df74ee2da50d331477f06998)
|
|
Windows). Fixes bug #1914.
Guenther
(This used to be commit b5a5d0b24ea5320cb2f28dbefe81ddf5c58baf77)
|
|
defined in <stdint.h>, ensure that it is present. (Not all
implementations pull it in when <sys/types.h> is used).
Paul
(This used to be commit dafe36ec4cff4e5f94e35841966007e3e4758582)
|
|
The motivating factor is to not require more privileges for
the user account than Windows does when joining a domain.
The points of interest are
* net_ads_join() uses same rpc mechanisms as net_rpc_join()
* Enable CLDAP queries for filling in the majority of the
ADS_STRUCT->config information
* Remove ldap_initialized() from sam/idmap_ad.c and
libads/ldap.c
* Remove some unnecessary fields from ADS_STRUCT
* Manually set the dNSHostName and servicePrincipalName attribute
using the machine account after the join
Thanks to Guenther and Simo for the review.
Still to do:
* Fix the userAccountControl for DES only systems
* Set the userPrincipalName in order to support things like
'kinit -k' (although we might be able to just use the sAMAccountName
instead)
* Re-add support for pre-creating the machine account in
a specific OU
(This used to be commit 4c4ea7b20f44cd200cef8c7b389d51b72eccc39b)
|
|
(This used to be commit f06d94382fa0f501fb1da7e308012b91a9eadb44)
|
|
the fastest clock available on uniprocessors.
(This used to be commit d44862928206b524f826bd7c2997ab5353c0b6a0)
|
|
changing the token generation. I *hate* this code!
Jerry, you have been looking at this as well, can you double-check that I did
not screw it up?
Thanks,
Volker
(This used to be commit 2765c4ff8d44c970db3e075b0a2412662f1936c6)
|
|
locating AD DC's with out own DNS SRV queries.
Testing on Linux and Solaris.
(This used to be commit cf71f88a3cdcabf99c0798ef4cf8c978397a57eb)
|
|
globals. This catches mismatched start/end calls and removes
the need for special nested profiling calls.
(This used to be commit ee750498812190edd3ec52ca3c750258f3b8a97a)
|
|
Guenther
(This used to be commit ef40428d935831bdb19111c933d20e381647f6f8)
|