summaryrefslogtreecommitdiff
path: root/source3/include
AgeCommit message (Collapse)AuthorFilesLines
2003-07-14Jeremy requested that I get my NTLMSSP patch into CVS. He didn't requestAndrew Bartlett3-11/+35
the schannel code, but I've included that anyway. :-) This patch revives the client-side NTLMSSP support for RPC named pipes in Samba, and cleans up the client and server schannel code. The use of the new code is enabled by the 'sign', 'seal' and 'schannel' commands in rpcclient. The aim was to prove that our separate NTLMSSP client library actually implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation, in the hope that knowing this will assist us in correctly implementing NTLMSSP signing for SMB packets. (Still not yet functional) This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with calls to libsmb/ntlmssp.c. In the process, we have gained the ability to use the more secure NT password, and the ability to sign-only, instead of having to seal the pipe connection. (Previously we were limited to sealing, and could only use the LM-password derived key). Our new client-side NTLMSSP code also needed alteration to cope with our comparatively simple server-side implementation. A future step is to replace it with calls to the same NTLMSSP library. Also included in this patch is the schannel 'sign only' patch I submitted to the team earlier. While not enabled (and not functional, at this stage) the work in this patch makes the code paths *much* easier to follow. I have also included similar hooks in rpccleint to allow the use of schannel on *any* pipe. rpcclient now defaults to not using schannel (or any other extra per-pipe authenticiation) for any connection. The 'schannel' command enables schannel for all pipes until disabled. This code is also much more secure than the previous code, as changes to our cli_pipe routines ensure that the authentication footer cannot be removed by an attacker, and more error states are correctly handled. (The same needs to be done to our server) Andrew Bartlett (This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-11moving more code around.Gerald Carter1-0/+1
* move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-09Large set of changes to add UNIX account/group managementGerald Carter1-1/+2
to winbindd. See README.idmap-and-winbind-changes for details. (This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6)
2003-07-09Get rid of DISP_USER_INFO/DISP_GROUP_INFO as they serve no usefulJeremy Allison1-10/+0
purpose. Replace with an array of SAM_ACCOUNT/DOMAIN_GRP entries. ZERO struct's in smbd/uid.c stops core dumps when sid_to_XX functions fail. Getting ready to add caching. Jeremy. (This used to be commit 9d0692a54fe2cb087f25796ec2ab5e1d8433e388)
2003-07-07and so it begins....Gerald Carter1-2/+1
* remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-07-05Add some debug statments to our vampire code - try to make it easier to trackAndrew Bartlett1-0/+2
down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05Fixes to our LDAP/vampire codepaths:Andrew Bartlett1-0/+3
- Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-04This patch cleans up some of our ldap code, for better behaviour:Andrew Bartlett1-1/+5
We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-03Removed strupper/strlower macros that automatically map to ↵Jeremy Allison1-5/+0
strupper_m/strlower_m. I really want people to think about when they're using multibyte strings. Jeremy. (This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
2003-07-03This patch takes the work the jerry did for beta2, and generalises it:Andrew Bartlett1-0/+2
- The 'not implmented' checks are now done by all auth modules - the ntdomain/trustdomain/winbind modules are more presise as to what domain names they can and cannot handle - The become_root() calls are now around the winbind pipe opening only, not the entire auth call - The unix username is kept seperate from the NT username, removing the need for 'clean off the domain\' in parse_net.c - All sid->uid translations are now validated with getpwuid() to put a very basic stop to logins with 'half deleted' accounts. Andrew Bartlett (This used to be commit 85f88191b9927cc434645ef4c1eaf5ec0e8af2ec)
2003-07-02SAMBA_3_0 will now become beta3Gerald Carter1-1/+1
beta2 is captured in the release branch (This used to be commit 4b3a15917dd6935353d8998e918c750a6c090671)
2003-07-01Adding jcmd's share ACL on XP patch. Thanks Jim !Jeremy Allison1-1/+7
Jeremy. (This used to be commit 7ed1118ae61a13de2c781a94fc2394090efd1f9b)
2003-06-30Merge of Volkers patch to make the logic clearer (with my mod).Jeremy Allison1-1/+0
Jeremy. (This used to be commit 1714eb6bef627ebcfb6db03e58fdd02ea502c6e1)
2003-06-30* rename samstrict auth method to samGerald Carter1-0/+7
* rename original sam auth method to sam_ignoredomain * remove samstrict_dc auth method (now covered by 'sam') * fix wbinfo -a '...' and getent passwd bugs when running winbindd on a samba PDC (reported by Volker) (This used to be commit 52166faee793d337e045d64f7cb27ea7ac895f60)
2003-06-30- added LOCALE patch from vorlon@debian.org (Steve Langasek) (bug #122)Andrew Tridgell1-0/+8
- changed --enable-developer debug to use -gstabs as it makes the samba binaries about 10x smaller and is still quite functional for samba debugging (This used to be commit 53bfcd478a193d4def8da872e92d7ed8f46aa4b9)
2003-06-26Add include guards around idmap.h, change ID_NOMAP to ID_QUERY_ONLYJeremy Allison1-3/+5
and ID_CACHE to ID_CACHE_SAVE. Added locking around tdb writes & deletes for multi-process access. Jeremy. (This used to be commit 5b998cdc1d552234236862f6a2bbae703b0c146e)
2003-06-25fix build on non-ldap platformsGerald Carter1-0/+3
(This used to be commit a59ea1d6d32337226f6099eefd19681fb28279c0)
2003-06-25large change:Gerald Carter2-0/+9
*) consolidates the dc location routines again (dns and netbios) get_dc_list() or get_sorted_dc_list() is the authoritative means of locating DC's again. (also inludes a flag to get_dc_list() to define if this should be a DNS only lookup or not) (however, if you set "name resolve order = hosts wins" you could still get DNS queries for domain name IFF ldap_domain2hostlist() fails. The answer? Fix your DNS setup) *) enabled DOMAIN<0x1c> lookups to be funneled through resolve_hosts resulting in a call to ldap_domain2hostlist() if lp_security() == SEC_ADS *) enables name cache for winbind ADS backend *) enable the negative connection cache for winbind ADS backend *) removes some old dead code *) consolidates some duplicate code *) moves the internal_name_resolve() to use an IP/port pair to deal with SRV RR dns replies. The namecache code also supports the IP:port syntax now as well. *) removes 'ads server' and moves the functionality back into 'password server' (which can support "hostname:port" syntax now but works fine with defaults depending on the value of lp_security()) (This used to be commit d7f7fcda425bef380441509734eca33da943c091)
2003-06-25Patch to move functions directly from pdb_ldap.c into lib/smbldap.cAndrew Bartlett1-15/+25
The functions are unchanged. Next step is to make idmap_ldap use them. Andrew Bartlett (This used to be commit 57617a0f8c84f9ced4df2901811ce5a5a5ae005e)
2003-06-21This patch works towards to goal of common code shared between idmap_ldapAndrew Bartlett1-2/+13
and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-18Ok, this patch removes the privilege stuff we had in, unused, for some time.Simo Sorce3-43/+32
The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-06-16reverted locale patch put in by jht (originally from vorlon).Andrew Tridgell1-8/+0
There are lots of things wrong with this patch, including: 1) it overrides a user chosen configuration option 2) it adds lots of complexity inside a loop when a tiny piece of code outside the loop would do the same thing 3) it does no error checking, and is sure to crash on some systems If you want this functionality then try something like this at the end of charset_name(): #ifdef HAVE_NL_LANGINFO if (strcasecmp(ret, "LOCALE") == 0) { const char *ln = nl_langinfo(CODESET); if (ln) { DEBUG(5,("Substituting charset '%s' for LOCALE\n", ln)); return ln; } } #endif then users can set 'display charset = LOCALE' to get the locale based charset. You could even make that the default for systems that have nl_langinfo(). (This used to be commit 382b9b806b1ecd227b1ea247e3825d6848090462)
2003-06-15Patch from vorlon@debian.org, see bugzilal #122John Terpstra1-0/+8
Samba should preferentially use the locale information from the native system, and only fall back on 'display charset' if this is unavailable or unsupported. (This used to be commit 1e445fb4220cdf4700dd9d1850a42746a1065c5a)
2003-06-11on AIX FD_ZERO() is defined in terms of bzero(), so we can't haveAndrew Tridgell1-5/+0
the "don't use bzero" macros. In general I think it would be better to have a separate script that checks for deprecated functions like these using grep rather than using these cpp tricks. They just get us into trouble. (This used to be commit 2a227c880db0f233fb1f6dae5851450ea6020f3b)
2003-06-10Ok, I've tried being Mr. Nice Guy and people (you know who you are) stillJeremy Allison2-4/+5
keep putting bzero BSD'ism's into our source code. Make this an error like bcopy and others to prevent it in future. Jeremy. (This used to be commit 80d043231626192db85f08ccea062b91fcf999cc)
2003-06-10added an auth flag that indicates if we should be allowed to fallbackAndrew Tridgell1-0/+1
to NTLMSSP for SASL if krb5 fails. This is important as otherwise the admin may think that a join has succeeeded when kerberos is actually broken. (This used to be commit 23a6ea385c4aea208adf36f039244bee14f56a33)
2003-06-07bumping cvs version number to distinguish between SAMBA_3_0 cvs treeGerald Carter1-1/+1
and 3.0.0beta1 release (This used to be commit 2619cc5d44f0162d829f5e18163df1b23b4ef5f5)
2003-06-06fix build on systems w/o LDAP libsGerald Carter1-0/+14
(This used to be commit f33aeaa039d49b4eef884b27dc81d3418a051f1a)
2003-06-06* break out more common code used between pdb_ldap and idmap_ldapGerald Carter2-1/+3
* remove 'winbind uid' and 'winbind gid' parameters (replaced by current idmap parameter) * create the sambaUnixIdPool entries automatically in the 'ldap idmap suffix' * add new 'ldap idmap suffix' and 'ldap group suffix' parametrer * "idmap backend = ldap" now accepts 'ldap:ldap://server/' format (parameters are passed to idmap init() function (This used to be commit 1665926281ed2be3c5affca551c9d458d013fc7f)
2003-06-06Fixup of typos.Jeremy Allison1-8/+8
Jeremy. (This used to be commit 99589b8a8f7081ced792e085ef448d9ebee135d3)
2003-06-06metze noticed some conn elements remaining in a VFS_NEXT.Jeremy Allison1-4/+4
Jeremy. (This used to be commit b863be794b7db11f91185ef2d669d0f89bbc1fae)
2003-06-06Fix for VFS_NEXT xattr calls (from metze). I will add these to skel.c toJeremy Allison1-4/+4
ensure they are tested. Jeremy. (This used to be commit 9ad02a7ba80c4796fecbaf2b4c75992988b002f7)
2003-06-06- the 8.3 name in BOTH_DIRECTORY_INFO is supposed to be always unicodeAndrew Tridgell1-0/+1
(to match win2003 behaviour) - added the STR_TERMINATE_ASCII flag from samba4 so we can get the string termination right for the case where it is supposed to be non-terminated for UCS2 and terminated when ASCII (This used to be commit 791a4cc7cf84eca77116bca00aeb5f95560f6705)
2003-06-06Missed (name) arg in fgetxattr.Jeremy Allison1-1/+1
Jeremy. (This used to be commit f42e164e9029c38279e36ee8955b9170b0fead87)
2003-06-06Added EA operations to VFS layer.Jeremy Allison2-3/+88
Jeremy. (This used to be commit 024de9213e414659296cb518a6753e510c64f614)
2003-06-05Get ready for EA code... Add Linux interface.Jeremy Allison2-1/+11
Jeremy. (This used to be commit 48853140749b74053f1a7857a983397b6e9a0234)
2003-06-05working draft of the idmap_ldap code.Gerald Carter2-0/+105
Includes sambaUnixIdPool objectclass Still needs cleaning up wrt to name space. More changes to come, but at least we now have a a working distributed winbindd solution. (This used to be commit 824175854421f7c27d31ad673a8790dd018ae350)
2003-06-04Sync VFS API changes for vfs_nt_*get_acl. Patch from Stefan Metzmacher ↵Alexander Bokovoy2-5/+5
<mezte@metzemix.de> (This used to be commit c5e8acd3b7b8a7063aa6ffde1099196daf1c317b)
2003-06-01added the COMPRESSION_INFO trans2 QFILEINFO level and fixed theAndrew Tridgell1-0/+1
IS_NAME_VALID QPATHINFO level (This used to be commit 1634346e2a6e73af80d4e68d50c6398fb24869a5)
2003-05-31Fix compile.Volker Lendecke1-1/+1
(This used to be commit 3ac622532a27659b9f9e26b1aa6858ce156641ac)
2003-05-30Ensure 'blank' entries show up in both default and normal entries toJeremy Allison1-1/+10
allow them to be changed. Works well with W2K and above. Jeremy. (This used to be commit 685e4e518236079f201650f26152f6f9ad3c61ab)
2003-05-30More on bug 137: rename more of krb5_xxx functions to not start with krb5_Jim McDonough1-1/+1
(This used to be commit 10f1da3f4a9680a039a2aa26301b97e31c06c38d)
2003-05-29Change get_nt_acl() to include security_info wanted. Only return this.Jeremy Allison2-5/+6
This gets us closer to W2k+ in what we return for file ACLs. Fix horribly broken make_sec_desc() that screwed up the size when given a SD with no owner or group (how did it get this bad... ?). Jeremy. (This used to be commit 183c9ed4052ab14e269ed1234ca557053f77e77a)
2003-05-29Add smb_register_idmap(). Based on a patch from metzeJelmer Vernooij1-0/+3
(This used to be commit 7e352f5c62c4889bdf2662dded1e74a354890dc7)
2003-05-29Get the events API right. Patch from metze with some minor modifications.Jelmer Vernooij1-13/+7
(This used to be commit 2aad5736256968f27c42a6f94bdbc7a22c236c19)
2003-05-28DNS domain/server name constants were also swapped.Tim Potter1-2/+2
(This used to be commit 0666e34d7c8f0863148763932f60a65ad936f2c9)
2003-05-28The constants for NetBIOS domain and server names in a NTLMSSP name list wereTim Potter1-2/+2
swapped. (This used to be commit 92be28aa4a6ff42c601e9d2de978265a6c2e8c46)
2003-05-22updating versionGerald Carter1-1/+1
(This used to be commit b1eb0dd7e0593e08f71aa9c4fc3d47ccdfabc691)
2003-05-20remove WITH_TDB_SAM & USE_SMBPASS_DBGerald Carter1-4/+0
(This used to be commit 1f98ced3163e26818c12829801729bc28f858de7)
2003-05-19Fix macros for next and opaque quota ops. Spotted by metzeAlexander Bokovoy1-4/+4
(This used to be commit 46e6621b2ebe7a8d1bd0c05197667aaa4e078efd)