summaryrefslogtreecommitdiff
path: root/source3/lib
AgeCommit message (Collapse)AuthorFilesLines
2003-07-14Jeremy requested that I get my NTLMSSP patch into CVS. He didn't requestAndrew Bartlett1-0/+11
the schannel code, but I've included that anyway. :-) This patch revives the client-side NTLMSSP support for RPC named pipes in Samba, and cleans up the client and server schannel code. The use of the new code is enabled by the 'sign', 'seal' and 'schannel' commands in rpcclient. The aim was to prove that our separate NTLMSSP client library actually implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation, in the hope that knowing this will assist us in correctly implementing NTLMSSP signing for SMB packets. (Still not yet functional) This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with calls to libsmb/ntlmssp.c. In the process, we have gained the ability to use the more secure NT password, and the ability to sign-only, instead of having to seal the pipe connection. (Previously we were limited to sealing, and could only use the LM-password derived key). Our new client-side NTLMSSP code also needed alteration to cope with our comparatively simple server-side implementation. A future step is to replace it with calls to the same NTLMSSP library. Also included in this patch is the schannel 'sign only' patch I submitted to the team earlier. While not enabled (and not functional, at this stage) the work in this patch makes the code paths *much* easier to follow. I have also included similar hooks in rpccleint to allow the use of schannel on *any* pipe. rpcclient now defaults to not using schannel (or any other extra per-pipe authenticiation) for any connection. The 'schannel' command enables schannel for all pipes until disabled. This code is also much more secure than the previous code, as changes to our cli_pipe routines ensure that the authentication footer cannot be removed by an attacker, and more error states are correctly handled. (The same needs to be done to our server) Andrew Bartlett (This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14Undo 'Fix compiler warning'. It didn't work because the value of inbuf ↵Tim Potter1-21/+11
changes so we end up freeing a pointer we didn't mallocate. Also, calling strdup() in a frequently called function just to clear up a const compiler warning seems inelegant and inefficient. (This used to be commit a0da5ae1198082d0cf18707ed2cf05f728b00d0b)
2003-07-13Fix compiler warning.Rafal Szczesniak1-11/+21
(This used to be commit 3a71b4873034b3fe9dc7b23a95e56c865e857507)
2003-07-11moving more code around.Gerald Carter1-0/+148
* move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-10Add constVolker Lendecke1-1/+1
(This used to be commit 2f7658d9ba1f43fb2d14adc4af7b681634ab5cb2)
2003-07-07and so it begins....Gerald Carter2-3/+3
* remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-07-05Fixes to our LDAP/vampire codepaths:Andrew Bartlett1-0/+4
- Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-04This patch cleans up some of our ldap code, for better behaviour:Andrew Bartlett1-1/+37
We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-03Removed strupper/strlower macros that automatically map to ↵Jeremy Allison5-24/+24
strupper_m/strlower_m. I really want people to think about when they're using multibyte strings. Jeremy. (This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
2003-07-02Added fix for Japanese case names in statcache - these can changeJeremy Allison2-2/+49
size on upper casing. Based on patch from monyo@home.monyo.com. Jeremy. (This used to be commit 72e382e99b92666acdaf50a040b14aa16d48b80d)
2003-07-02Fix poptOption definition for --no-pass and --kerberos options. The 'value'Tim Potter1-2/+2
field for an option should be set to an identifier to use in a switch statement or zero if the the arg field is to be updated only. This fixes smbclient -k always prompting for a password which we don't need. (This used to be commit 0744e2dad372904a554019146ff6f6e31ca1b2d2)
2003-07-01Different fix for memleak just committed. This belongs intoVolker Lendecke1-2/+0
tdb_search_list_free. Volker (This used to be commit 0f3822c8e71426983b960ad49511efa8707159f9)
2003-07-01Fix two memory leaks. tdb_search_keys allocates space for the keyVolker Lendecke1-0/+2
strings. Running 'net cache list' or secrets_get_trusted_domains through valgrind gives a *huge* amount of invalid reads of one byte beyond the indicated string length in libc's strncpy. Annoying... Volker (This used to be commit 0f8933ae778064ff58cdc832ce52c843631435bb)
2003-07-01Fix a segfault found by metze & valgrind...Volker Lendecke1-3/+5
Don't overwrite past the end of a string. Volker (This used to be commit f036368efdcbe576552ea85a78e5e6199a2b2c6d)
2003-07-01* fix the trustdom_cache to work when winbindd is not running.Gerald Carter1-0/+21
smbd will update the trustdom_cache periodically after locking the timestamp key (This used to be commit 7bc4b65b91f98271089335cc301146d5f0c76c3a)
2003-06-30fix for platforms that don't have unsetenv().Gerald Carter1-2/+2
we now have to check the value for _NO_WINBINDD. "1" enables, and != "1" disables (use "0" by convention). (This used to be commit 11eccaef1dc61d80a7db8d0fb4bc5a47d71a4390)
2003-06-30- added LOCALE patch from vorlon@debian.org (Steve Langasek) (bug #122)Andrew Tridgell1-0/+24
- changed --enable-developer debug to use -gstabs as it makes the samba binaries about 10x smaller and is still quite functional for samba debugging (This used to be commit 53bfcd478a193d4def8da872e92d7ed8f46aa4b9)
2003-06-29Here's the code to make winbindd work on a Samba DCGerald Carter1-3/+21
to handle domain trusts. Jeremy and I talked about this and it's going in as working code. It keeps winbind clean and solves the trust problem with minimal changes. To summarize, there are 2 basic cases where the deadlock would occur. (1) lookuping up secondary groups for a user, and (2) get[gr|pw]nam() calls that fall through the NSS layer because they don't exist anywhere. o To handle case #1, we bypass winbindd in sys_getgrouplist() unless the username includes the 'winbind separator'. o Case #2 is handled by adding checks in winbindd to return failure if we are a DC and the domain matches our own. This code has been tested using basic share connections, domain logons, and with pam_winbind (both with and without 'winbind use default domain'). The 'trustdomain' auth module should work as well if an admin wants to manually create UNIX users for acounts in the trusted domains. Other misc fixes: * we need to fix check_ntlm_password() to be able to determine if an auth module is authoritative over a user (NT_STATUS_WRONG_PASSWORD, etc...). I worked around my specific situation, but this needs to be fixed. the winbindd auth module was causing delays. * fix named server mutex deadlock between trust domain auth module and winbindd looking up a uid * make sure SAM_ACCOUNT gets stored in the server_info struct for the _net_sam_logon() reply. Configuration details: The recommended method for supporting trusts is to use winbind. The gets us around some of the server mutex issues as well. * set 'files winbind' for passwd: and group: in /etc/nsswitch.conf * create domain trusts like normal * join winbind on the pdc to the Samba domain using 'net rpc join' * add normal parameters to smb.conf for winbind * set 'auth method = guest sam winbind' * start smbd, nmbd, & winbindd Problems that remain: * join a Windows 2k/XP box to a Samba domain. * create a 2-way trust between the Samba domain and an NT domain * logon to the windows client as a user from theh trusted domain * try to browse server in the trusted domain (or other workstations). an NT client seems to work ok, but 2k and XP either prompt for passwords or fail with errors. apparanently this never got tested since no one has ever been able to logon as a trusted user to a Samba domain from a Windows client. (This used to be commit f804b590f9dbf1f0147c06a0a2f12e221ae6fc3b)
2003-06-25large change:Gerald Carter3-26/+54
*) consolidates the dc location routines again (dns and netbios) get_dc_list() or get_sorted_dc_list() is the authoritative means of locating DC's again. (also inludes a flag to get_dc_list() to define if this should be a DNS only lookup or not) (however, if you set "name resolve order = hosts wins" you could still get DNS queries for domain name IFF ldap_domain2hostlist() fails. The answer? Fix your DNS setup) *) enabled DOMAIN<0x1c> lookups to be funneled through resolve_hosts resulting in a call to ldap_domain2hostlist() if lp_security() == SEC_ADS *) enables name cache for winbind ADS backend *) enable the negative connection cache for winbind ADS backend *) removes some old dead code *) consolidates some duplicate code *) moves the internal_name_resolve() to use an IP/port pair to deal with SRV RR dns replies. The namecache code also supports the IP:port syntax now as well. *) removes 'ads server' and moves the functionality back into 'password server' (which can support "hostname:port" syntax now but works fine with defaults depending on the value of lp_security()) (This used to be commit d7f7fcda425bef380441509734eca33da943c091)
2003-06-25Patch to move functions directly from pdb_ldap.c into lib/smbldap.cAndrew Bartlett1-4/+729
The functions are unchanged. Next step is to make idmap_ldap use them. Andrew Bartlett (This used to be commit 57617a0f8c84f9ced4df2901811ce5a5a5ae005e)
2003-06-23* set domain->last_status = NT_STATUS_SERVER_DISABLED on an ads_connect() ↵Gerald Carter1-6/+7
failure * Fix code to use winbind_rpc methods for trusted mixed mode or NT4 domains ( does no one ever test this? ) * add in LDAP code to get the sequence number for rpc based seqnum update. ( this is needed if the DC is upgraded and samba is not reconfigured to use security = ads; it's not pretty but it works (from app_head) ) * fix bug that caused us to enumerate domain local groups in domains other than our own (This used to be commit 14f2cd139a22454571cea8475d3b7c5c2787d378)
2003-06-21merge of the netsamlogon caching code from APPLIANCE_HEADGerald Carter1-23/+46
This replaces the universal group caching code (was originally based on that code). Only applies to the the RPC code. One comment: domain local groups don't show up in 'getent group' that's easy to fix. Code has been tested against 2k domain but doesn't change anything with respect to NT4 domains. netsamlogon caching works pretty much like the universal group caching code did but has had much more testing and puts winbind mostly back in sync between branches. (This used to be commit aac01dc7bc95c20ee21c93f3581e2375d9a894e1)
2003-06-21This patch works towards to goal of common code shared between idmap_ldapAndrew Bartlett1-1/+2
and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-17Const fixes by metzeVolker Lendecke2-6/+6
Volker (This used to be commit c0e35f3be8a33f19823826c5a84c885764c62508)
2003-06-16reverted locale patch put in by jht (originally from vorlon).Andrew Tridgell1-37/+0
There are lots of things wrong with this patch, including: 1) it overrides a user chosen configuration option 2) it adds lots of complexity inside a loop when a tiny piece of code outside the loop would do the same thing 3) it does no error checking, and is sure to crash on some systems If you want this functionality then try something like this at the end of charset_name(): #ifdef HAVE_NL_LANGINFO if (strcasecmp(ret, "LOCALE") == 0) { const char *ln = nl_langinfo(CODESET); if (ln) { DEBUG(5,("Substituting charset '%s' for LOCALE\n", ln)); return ln; } } #endif then users can set 'display charset = LOCALE' to get the locale based charset. You could even make that the default for systems that have nl_langinfo(). (This used to be commit 382b9b806b1ecd227b1ea247e3825d6848090462)
2003-06-15Patch from vorlon@debian.org, see bugzilal #122John Terpstra1-0/+37
Samba should preferentially use the locale information from the native system, and only fall back on 'display charset' if this is unavailable or unsupported. (This used to be commit 1e445fb4220cdf4700dd9d1850a42746a1065c5a)
2003-06-13Rename some uuid functions so as not to conflict with systemTim Potter1-3/+3
versions. Fixes bug #154. (This used to be commit 986eae40f7669d15dc75aed340e628aa7efafddc)
2003-06-09applied patch from bug#140Andrew Tridgell1-1/+2
this fixes a timestamp problem with 64 bit machines (This used to be commit 0ce6eddad8e148bc6d195ddefb773326339d06e6)
2003-06-06* break out more common code used between pdb_ldap and idmap_ldapGerald Carter1-6/+93
* remove 'winbind uid' and 'winbind gid' parameters (replaced by current idmap parameter) * create the sambaUnixIdPool entries automatically in the 'ldap idmap suffix' * add new 'ldap idmap suffix' and 'ldap group suffix' parametrer * "idmap backend = ldap" now accepts 'ldap:ldap://server/' format (parameters are passed to idmap init() function (This used to be commit 1665926281ed2be3c5affca551c9d458d013fc7f)
2003-06-06Fix for valgrind - when doing a srvstr_push we must zero fillJeremy Allison1-0/+13
any extra bytes, not clobber region them - otherwise valgrind thinks they are invalid on send() or write(). Jeremy. (This used to be commit 8aa5f7a65c71fb89ed05e71a2465e61385e80c2b)
2003-06-06Use filedes as first argument to fsetxattr, not the undefined variable ↵Jelmer Vernooij1-1/+1
'path' :-) (This used to be commit d3c02b40c48921f842c92fa1beed1924897ce160)
2003-06-06- the 8.3 name in BOTH_DIRECTORY_INFO is supposed to be always unicodeAndrew Tridgell1-1/+1
(to match win2003 behaviour) - added the STR_TERMINATE_ASCII flag from samba4 so we can get the string termination right for the case where it is supposed to be non-terminated for UCS2 and terminated when ASCII (This used to be commit 791a4cc7cf84eca77116bca00aeb5f95560f6705)
2003-06-05Get ready for EA code... Add Linux interface.Jeremy Allison1-0/+125
Jeremy. (This used to be commit 48853140749b74053f1a7857a983397b6e9a0234)
2003-06-05working draft of the idmap_ldap code.Gerald Carter1-0/+259
Includes sambaUnixIdPool objectclass Still needs cleaning up wrt to name space. More changes to come, but at least we now have a a working distributed winbindd solution. (This used to be commit 824175854421f7c27d31ad673a8790dd018ae350)
2003-05-30Remove module_path_get_name() - it's not used anywhere anymore and was a bad ↵Jelmer Vernooij1-23/+0
idea anyway. (This used to be commit b45a67e7a9d0fab5b4af701a9fd483cc4897ab7f)
2003-05-29Get the events API right. Patch from metze with some minor modifications.Jelmer Vernooij1-51/+103
(This used to be commit 2aad5736256968f27c42a6f94bdbc7a22c236c19)
2003-05-27Fixed unused variable warning.Tim Potter1-1/+2
(This used to be commit cdbe47a5d517eea95186aecdc3327160236a5d09)
2003-05-14Evolve quotas configure check more. Patch from Stefan (metze) Metzemacher. ↵Alexander Bokovoy1-0/+7
Now we are defaulting to --with-quotas=no but anyway trying to test them in configure. This is done to get information about as much quota API variations as possible -- when --with-quotas=no this does not affect build but provides us with more detailed information on build farm. (This used to be commit 3786695c72e6ff6a52a527382ac77142e236971b)
2003-05-14*****LDAP schema changes*****Gerald Carter1-9/+9
New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14Move some #ifdefs and function prototypes around to avoid a compilerTim Potter1-13/+14
warning when we have a working version of snprintf() (This used to be commit 4836c0c0fcbf4be5f52bba60cc8843e8551b59b8)
2003-05-12And finally IDMAP in 3_0Simo Sorce4-3/+34
We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-05-12Add NT quota support. Patch from Stefan (metze) MetzemacherAlexander Bokovoy3-0/+991
1. Allows to change quota settings for shared mount points from Win2K and WinXP from Explorer properties tab 2. Disabled by default and when requested, will be probed and enabled only on Linux where it works 3. Was tested for approx. two weeks now on Linux by two independent QA teams, have not found any bugs so far Documentation to follow (This used to be commit 4bf022ce9e45be85609426762ba2644ac2031326)
2003-05-09When checking if a SID is in a domain, make sure that indeed the user RID isAndrew Bartlett1-0/+3
one element longer than the domain sid. Andrew Bartlett (This used to be commit c61e5e38776d2de53d120b592a6685158e79ebb8)
2003-05-08fixed bug #75; add check for non-zero destlenGerald Carter1-1/+1
(This used to be commit 83bb84f13121267992e78f2d005257932c711f23)
2003-05-08Another attempt at undoing my bogus patch 1.55.2.19Tim Potter1-0/+2
(This used to be commit 05a684b3be1525aad3589ded9e59c3f012b5ef20)
2003-05-07Whoops - that wasn't a whitespace syncup after all.Tim Potter1-0/+2
(This used to be commit 42d0414ed244b92b665cb231f6756f60391861dd)
2003-05-06Remove unused variablesJelmer Vernooij1-4/+0
(This used to be commit 2f631769f836baeec669456f786ecb38c81d9a23)
2003-05-06Patch from metze to add exit and interval events. Useful for modulesJelmer Vernooij1-1/+110
(This used to be commit 3033a63cefb5f28d4460885f7f4e4ecaed95443c)
2003-05-05Fixed typo introduced in reverted patch from version 1.12.4.5Tim Potter1-1/+1
(This used to be commit 4fccc1f16da74ac9e98bd58c7f11674c48c4dbac)
2003-05-03Add a comment about the use of string functions in the modules code, andAndrew Bartlett1-4/+9
add \n to the end of the non-dlopen case DEBUGs. Andrew Bartlett (This used to be commit ce4ff4cc8e5f5d461797e42b2148b2827c058380)