summaryrefslogtreecommitdiff
path: root/source3/include
AgeCommit message (Collapse)AuthorFilesLines
2003-08-01Update my copyrights according to my agreement with IBMJim McDonough3-3/+3
(This used to be commit c9b209be2b17c2e4677cc30b46b1074f48878f43)
2003-08-01Fix copyright statements for various pieces of Anthony Liguori's work.Jim McDonough3-3/+2
(This used to be commit 15d2bc47854df75f8b2644ccbc887d0357d9cd27)
2003-07-31CVAL_NC() doesn't need the (unsigned) fix and breaks the IRIX buildAndrew Tridgell1-1/+1
Thanks to Herb for pointing this out! (This used to be commit 87ede8d310db10d92b4ff57e67d3b53cbb7697fb)
2003-07-31Apply some constVolker Lendecke1-2/+2
(This used to be commit 692ff44ba39cd24dbc906e0319bc51c8be9cc267)
2003-07-31working on transtive trusts issue:Gerald Carter1-4/+12
* use DsEnumerateDomainTrusts() instead of LDAP search. wbinfo -m now lists all trusted downlevel domains and all domains in the forest. Thnigs to do: o Look at Krb5 connection trusted domains o make sure to initial the trusted domain cache as soon as possible (This used to be commit 0ab00ccaedf204b39c86a9e1c2fcac5f15d0e033)
2003-07-31This is a critical bug fix for a data corruption bug. If youAndrew Tridgell1-2/+2
maintain another tree then please apply! On non-X86 machines out byte-order macros fails for one particular value. If you asked for IVAL() of 0xFFFFFFFF and assigned it to a 64 bit quantity then you got a 63 bit number 0x7FFFFFFFFFFFFFFF rather than the expected 0xFFFFFFFF. This is due to some rather bizarre and obscure sign extension rules to do with unsigned chars and arithmetic operators (basically if you | together two unsigned chars you get a signed result!) This affected a byte range lock using the large lockingX format and a lock of offset 0 and length 0xFFFFFFFF. Microsoft Excel does one of these locks when opening a .csv file. If the platform you run on does not then handle locks of length 0x7FFFFFFFFFFFFFFF then the posix lock fails and the client is given a lockingX failure. This causes the .csv file to be trunated!! (This used to be commit 886661c3777dbfd4fa431746c8a5f48674a12b8e)
2003-07-30Add a command line option (-S on|off|required) to enable signing on clientJeremy Allison2-0/+2
connections. Overrides smb.conf parameter if set. Jeremy. (This used to be commit 879309671df6b530e0bff69559422a417da4a307)
2003-07-30add support for DsEnumerateDomainTrusted for enumerating all theGerald Carter1-0/+46
trusted domains in a forest. (This used to be commit c691c7f7d9afb8af542dc83cf934df1dfd38ef17)
2003-07-29Add NT quotas support. Users allowed now to manage quotas on systems with ↵Alexander Bokovoy1-0/+16
sysquotas interface detected (Linux at least) using native Windows tools. Also move default quota support for NT quotas to VFS module default_quota. Code by Metze (This used to be commit e856a96c2c42c39843e5e1a3a6b0d538e7179900)
2003-07-29This adds gss-spnego to ntlm_auth. It contains some new spnego supportVolker Lendecke2-0/+67
from Jim McDonough. It is to enable cyrus sasl to provide the gss-spnego support. For a preliminary patch to cyrus sasl see http://samba.sernet.de/cyrus-gss-spnego.diff Volker (This used to be commit 45cef8f66e46abe4a25fd2b803a7d1051c1c6602)
2003-07-28Corrected description of SWAT FLAGS since they have changed as a result of theJohn Terpstra1-5/+4
cleanup of loadparm and swat.c (This used to be commit 6956eb9a0b878f6fae37e4de14573cccd2af2156)
2003-07-27Clarified what the SWAT FLAGS mean and what they do.John Terpstra1-3/+5
Note: The comments in this file regarding the FLAGS has been in need of maintenance for some time. (This used to be commit a0d2fa0f25abe22008080df2ad2e58e7ee424a2b)
2003-07-25W00t! Client smb signing is now working correctly with krb5 and w2k server.Jeremy Allison1-1/+1
Server code *should* also work (I'll check shortly). May be the odd memory leak. Problem was we (a) weren't setting signing on in the client krb5 sessionsetup code (b) we need to ask for a subkey... (c). The client and server need to ask for local and remote subkeys respectively. Thanks to Paul Nelson @ Thursby for some sage advice on this :-). Jeremy. (This used to be commit 3f9e3b60709df5ab755045a093e642510d4cde00)
2003-07-25Jean-Baptiste Marchand on the ethereal list used some auditing tricks toTim Potter1-10/+10
discover names for the SAMR specific permissions that were previously unknown. The existing constant names differ from what win2k calls them but since they aren't heavily used in Samba at the moment I'll leave them as they are. Jean-Baptiste's data is at: http://ethereal.ntop.org/lists/ethereal-dev/200307/msg00314.html (This used to be commit ae77e9e55438a9807da3696fd0d31fba6d0f7370)
2003-07-24Fix packet signing with asynchronous oplock breaks. Removed bad error messageJeremy Allison1-3/+1
due to w2k bug. I think this code is now working.... Need more testing of course but works on all the obvious cases I can think of. Jeremy. (This used to be commit a6e537f6611cc1357fffea0b69901fba7c9ad6ea)
2003-07-24Add a macro to check whether module-specific data set already or not. ↵Alexander Bokovoy1-0/+3
Returns True or False. Should support further encapsulation of VFS-specific structs (This used to be commit 180e617f54021ced270c7c8cb86dd478d809d041)
2003-07-23A fix for bug 174. I'm pushing this to the tree to test it on one ofTim Potter1-0/+8
the build farm machines that I don't have direct access to (hpntc9I). (This used to be commit b01965823341bbabb74dcbc09d379b43db2ec680)
2003-07-22bumping version stringGerald Carter1-1/+1
(This used to be commit e4cd21222dbd1a7a7f79618762799373230d4905)
2003-07-22Fix commentAlexander Bokovoy1-3/+3
(This used to be commit 04f1577a39b926317911f59714de5c5ca87f02bd)
2003-07-17Disconnect an idle LDAP connection after 150 seconds.Volker Lendecke1-0/+3
Not strictly a bugfix, but it should considerably reduce the load we put on LDAP servers given that at least nss_ldap on Linux keeps a connection open. And it should also stress our reconnect-code a bit more ;-) Thanks to metze for this! Volker (This used to be commit e68d8eabeb9c64dc45d057619f9b3dd0cd507444)
2003-07-16Refactor signing code to remove most dependencies on 'struct cli'.Jeremy Allison2-12/+14
Ensure a server can't do a downgrade attack if client signing is mandatory. Add a lp_server_signing() function and a 'server signing' parameter that will act as the client one does. Jeremy (This used to be commit 203e4bf0bfb66fd9239e9a0656438a71280113cb)
2003-07-15Added the "required" keyword to the "client signing" parameter to force itJeremy Allison2-1/+2
on. Fail if missmatch. Small format tidyups in smbd/sesssetup.c. Preparing to add signing on server side. Jeremy. (This used to be commit c390b3e4cd68cfc233ddf14d139e25d40f050f27)
2003-07-14Jeremy requested that I get my NTLMSSP patch into CVS. He didn't requestAndrew Bartlett3-11/+35
the schannel code, but I've included that anyway. :-) This patch revives the client-side NTLMSSP support for RPC named pipes in Samba, and cleans up the client and server schannel code. The use of the new code is enabled by the 'sign', 'seal' and 'schannel' commands in rpcclient. The aim was to prove that our separate NTLMSSP client library actually implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation, in the hope that knowing this will assist us in correctly implementing NTLMSSP signing for SMB packets. (Still not yet functional) This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with calls to libsmb/ntlmssp.c. In the process, we have gained the ability to use the more secure NT password, and the ability to sign-only, instead of having to seal the pipe connection. (Previously we were limited to sealing, and could only use the LM-password derived key). Our new client-side NTLMSSP code also needed alteration to cope with our comparatively simple server-side implementation. A future step is to replace it with calls to the same NTLMSSP library. Also included in this patch is the schannel 'sign only' patch I submitted to the team earlier. While not enabled (and not functional, at this stage) the work in this patch makes the code paths *much* easier to follow. I have also included similar hooks in rpccleint to allow the use of schannel on *any* pipe. rpcclient now defaults to not using schannel (or any other extra per-pipe authenticiation) for any connection. The 'schannel' command enables schannel for all pipes until disabled. This code is also much more secure than the previous code, as changes to our cli_pipe routines ensure that the authentication footer cannot be removed by an attacker, and more error states are correctly handled. (The same needs to be done to our server) Andrew Bartlett (This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-11moving more code around.Gerald Carter1-0/+1
* move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-09Large set of changes to add UNIX account/group managementGerald Carter1-1/+2
to winbindd. See README.idmap-and-winbind-changes for details. (This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6)
2003-07-09Get rid of DISP_USER_INFO/DISP_GROUP_INFO as they serve no usefulJeremy Allison1-10/+0
purpose. Replace with an array of SAM_ACCOUNT/DOMAIN_GRP entries. ZERO struct's in smbd/uid.c stops core dumps when sid_to_XX functions fail. Getting ready to add caching. Jeremy. (This used to be commit 9d0692a54fe2cb087f25796ec2ab5e1d8433e388)
2003-07-07and so it begins....Gerald Carter1-2/+1
* remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-07-05Add some debug statments to our vampire code - try to make it easier to trackAndrew Bartlett1-0/+2
down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05Fixes to our LDAP/vampire codepaths:Andrew Bartlett1-0/+3
- Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-04This patch cleans up some of our ldap code, for better behaviour:Andrew Bartlett1-1/+5
We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-03Removed strupper/strlower macros that automatically map to ↵Jeremy Allison1-5/+0
strupper_m/strlower_m. I really want people to think about when they're using multibyte strings. Jeremy. (This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
2003-07-03This patch takes the work the jerry did for beta2, and generalises it:Andrew Bartlett1-0/+2
- The 'not implmented' checks are now done by all auth modules - the ntdomain/trustdomain/winbind modules are more presise as to what domain names they can and cannot handle - The become_root() calls are now around the winbind pipe opening only, not the entire auth call - The unix username is kept seperate from the NT username, removing the need for 'clean off the domain\' in parse_net.c - All sid->uid translations are now validated with getpwuid() to put a very basic stop to logins with 'half deleted' accounts. Andrew Bartlett (This used to be commit 85f88191b9927cc434645ef4c1eaf5ec0e8af2ec)
2003-07-02SAMBA_3_0 will now become beta3Gerald Carter1-1/+1
beta2 is captured in the release branch (This used to be commit 4b3a15917dd6935353d8998e918c750a6c090671)
2003-07-01Adding jcmd's share ACL on XP patch. Thanks Jim !Jeremy Allison1-1/+7
Jeremy. (This used to be commit 7ed1118ae61a13de2c781a94fc2394090efd1f9b)
2003-06-30Merge of Volkers patch to make the logic clearer (with my mod).Jeremy Allison1-1/+0
Jeremy. (This used to be commit 1714eb6bef627ebcfb6db03e58fdd02ea502c6e1)
2003-06-30* rename samstrict auth method to samGerald Carter1-0/+7
* rename original sam auth method to sam_ignoredomain * remove samstrict_dc auth method (now covered by 'sam') * fix wbinfo -a '...' and getent passwd bugs when running winbindd on a samba PDC (reported by Volker) (This used to be commit 52166faee793d337e045d64f7cb27ea7ac895f60)
2003-06-30- added LOCALE patch from vorlon@debian.org (Steve Langasek) (bug #122)Andrew Tridgell1-0/+8
- changed --enable-developer debug to use -gstabs as it makes the samba binaries about 10x smaller and is still quite functional for samba debugging (This used to be commit 53bfcd478a193d4def8da872e92d7ed8f46aa4b9)
2003-06-26Add include guards around idmap.h, change ID_NOMAP to ID_QUERY_ONLYJeremy Allison1-3/+5
and ID_CACHE to ID_CACHE_SAVE. Added locking around tdb writes & deletes for multi-process access. Jeremy. (This used to be commit 5b998cdc1d552234236862f6a2bbae703b0c146e)
2003-06-25fix build on non-ldap platformsGerald Carter1-0/+3
(This used to be commit a59ea1d6d32337226f6099eefd19681fb28279c0)
2003-06-25large change:Gerald Carter2-0/+9
*) consolidates the dc location routines again (dns and netbios) get_dc_list() or get_sorted_dc_list() is the authoritative means of locating DC's again. (also inludes a flag to get_dc_list() to define if this should be a DNS only lookup or not) (however, if you set "name resolve order = hosts wins" you could still get DNS queries for domain name IFF ldap_domain2hostlist() fails. The answer? Fix your DNS setup) *) enabled DOMAIN<0x1c> lookups to be funneled through resolve_hosts resulting in a call to ldap_domain2hostlist() if lp_security() == SEC_ADS *) enables name cache for winbind ADS backend *) enable the negative connection cache for winbind ADS backend *) removes some old dead code *) consolidates some duplicate code *) moves the internal_name_resolve() to use an IP/port pair to deal with SRV RR dns replies. The namecache code also supports the IP:port syntax now as well. *) removes 'ads server' and moves the functionality back into 'password server' (which can support "hostname:port" syntax now but works fine with defaults depending on the value of lp_security()) (This used to be commit d7f7fcda425bef380441509734eca33da943c091)
2003-06-25Patch to move functions directly from pdb_ldap.c into lib/smbldap.cAndrew Bartlett1-15/+25
The functions are unchanged. Next step is to make idmap_ldap use them. Andrew Bartlett (This used to be commit 57617a0f8c84f9ced4df2901811ce5a5a5ae005e)
2003-06-21This patch works towards to goal of common code shared between idmap_ldapAndrew Bartlett1-2/+13
and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-18Ok, this patch removes the privilege stuff we had in, unused, for some time.Simo Sorce3-43/+32
The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-06-16reverted locale patch put in by jht (originally from vorlon).Andrew Tridgell1-8/+0
There are lots of things wrong with this patch, including: 1) it overrides a user chosen configuration option 2) it adds lots of complexity inside a loop when a tiny piece of code outside the loop would do the same thing 3) it does no error checking, and is sure to crash on some systems If you want this functionality then try something like this at the end of charset_name(): #ifdef HAVE_NL_LANGINFO if (strcasecmp(ret, "LOCALE") == 0) { const char *ln = nl_langinfo(CODESET); if (ln) { DEBUG(5,("Substituting charset '%s' for LOCALE\n", ln)); return ln; } } #endif then users can set 'display charset = LOCALE' to get the locale based charset. You could even make that the default for systems that have nl_langinfo(). (This used to be commit 382b9b806b1ecd227b1ea247e3825d6848090462)
2003-06-15Patch from vorlon@debian.org, see bugzilal #122John Terpstra1-0/+8
Samba should preferentially use the locale information from the native system, and only fall back on 'display charset' if this is unavailable or unsupported. (This used to be commit 1e445fb4220cdf4700dd9d1850a42746a1065c5a)
2003-06-11on AIX FD_ZERO() is defined in terms of bzero(), so we can't haveAndrew Tridgell1-5/+0
the "don't use bzero" macros. In general I think it would be better to have a separate script that checks for deprecated functions like these using grep rather than using these cpp tricks. They just get us into trouble. (This used to be commit 2a227c880db0f233fb1f6dae5851450ea6020f3b)
2003-06-10Ok, I've tried being Mr. Nice Guy and people (you know who you are) stillJeremy Allison2-4/+5
keep putting bzero BSD'ism's into our source code. Make this an error like bcopy and others to prevent it in future. Jeremy. (This used to be commit 80d043231626192db85f08ccea062b91fcf999cc)
2003-06-10added an auth flag that indicates if we should be allowed to fallbackAndrew Tridgell1-0/+1
to NTLMSSP for SASL if krb5 fails. This is important as otherwise the admin may think that a join has succeeeded when kerberos is actually broken. (This used to be commit 23a6ea385c4aea208adf36f039244bee14f56a33)
2003-06-07bumping cvs version number to distinguish between SAMBA_3_0 cvs treeGerald Carter1-1/+1
and 3.0.0beta1 release (This used to be commit 2619cc5d44f0162d829f5e18163df1b23b4ef5f5)
2003-06-06fix build on systems w/o LDAP libsGerald Carter1-0/+14
(This used to be commit f33aeaa039d49b4eef884b27dc81d3418a051f1a)