Age | Commit message (Collapse) | Author | Files | Lines |
|
NTLMSSP with "" username, NULL password), and add --machine-pass (-P) to
all of Samba's clients.
When connecting to an Active Directory DC, you must initiate the CIFS level
session setup with Kerberos, not a guest login. If you don't, your machine
account is demoted to NT4.
Andrew Bartlett
(This used to be commit 3547cb3def45a90f99f67829a533eac1ccba5e77)
|
|
* bug #280 (my fault) - initialize sambaNextUserRid and
sambaNextGroupRid
* Unix users shared vis LDAP or NIS between a samba domain member
of a Samba domain are not seen as domain users on the member servers.
not as local users.
(This used to be commit a030fa373aefde8628def54ca8152f237a0467dc)
|
|
fixed buffer by me).
Jeremy.
(This used to be commit 6f68b8de4760a2103eae0a51b2aca356990ea526)
|
|
Jeremy.
(This used to be commit a4d2dd1d40f6b1322e69d430023aa89dac86fda3)
|
|
(This used to be commit 502b45b55d7ab1c32c9dbc3301f025b2eec620a4)
|
|
(This used to be commit c9b209be2b17c2e4677cc30b46b1074f48878f43)
|
|
(This used to be commit 15d2bc47854df75f8b2644ccbc887d0357d9cd27)
|
|
(This used to be commit 44bae9da9e03a1df738367f8d86adb0f315da41f)
|
|
connections. Overrides smb.conf parameter if set.
Jeremy.
(This used to be commit 879309671df6b530e0bff69559422a417da4a307)
|
|
nsswitch modules. Add required libraries to get rid of undefined
functions for libns_winbind.so and libns_wins.so
(This used to be commit cec5bf5f99ca98b0f5ee84636fc18f0cb3079683)
|
|
sysquotas interface detected (Linux at least) using native Windows tools. Also move default quota support for NT quotas to VFS module default_quota. Code by Metze
(This used to be commit e856a96c2c42c39843e5e1a3a6b0d538e7179900)
|
|
to contain multibyte charcters, as these should have been stripped.
Andrew Bartlett
(This used to be commit 0f7c1dda222d583212b8be2febe95ce7e1c0ba24)
|
|
Andrew Bartlett
(This used to be commit 605a89493e971f653413b06eda4bbca75029072b)
|
|
Remove strdup_upper/strdup_lower from their old file, now that they have
been moved to charcnv.c
Note that string_replace assumes that s is a pstring. (doco change only)
Andrew Bartlett
(This used to be commit 6c9056029bb3dfadb244f301598e12e69493fff9)
|
|
- Treat the NMB names in the 'session request' packet as 'ASCII'. This means
that we do not get invalid multibyte from the wire, even if we truncate
in the conversion. (Otherwise we panic when we try to strupper_m it).
- Remove acnv_uxu2(), as it was duplicated by push_ucs2_allocate()
- Remove acnv_dosu2(), as it is not used.
- In push_ucs2(), with the STR_UPPER flag, do the case conversion *after*
the UCS2 conversion, when it we know that the length can't change. Also
faster, as we don't need to do another 2 UCS2 conversions.
Andrew Bartlett
(This used to be commit 912035af1178424583d0bf887a391a0cac2acd87)
|
|
expire
(This used to be commit 833bc5c06018043cf0eb6bdcbb96922964286559)
|
|
(This used to be commit 850f4fafdbaf19ea13273a8bf82433ba50a11868)
|
|
time. )-:
(This used to be commit 59dae1da66a5eb7e128263bd578f167d8746e9f0)
|
|
(This used to be commit ba4d334b822248d8ab929c9568533431603d967e)
|
|
Final bit for bug 187.
(This used to be commit 13840704f5434bedef0ce21242e2dff7c2a0bddb)
|
|
to pstr_sprintf() and fstr_sprintf() to try to standardize.
lots of snprintf() calls were using len-1; some were using
len. At least this helps to be consistent.
(This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
|
|
the build farm machines that I don't have direct access to (hpntc9I).
(This used to be commit b01965823341bbabb74dcbc09d379b43db2ec680)
|
|
displaying pid_t, uid_t and gid_t values. This removes a whole lot of warnings
on some of the 64-bit build farm machines as well as help us out when 64-bit
uid/gid/pid values come along.
(This used to be commit f93528ba007c8800a850678f35f499fb7360fb9a)
|
|
(This used to be commit 8b818ce381595cdcb36631a2440d6aa0038805f1)
|
|
This fix results in
- we no longer use fixed-size buffers in StrCaseCmp (previously limited to
a pstring)
- we return strcmp(s, t) if either of the strings is invalid
- for non-ascii cases, we call iconv twice, not 4 times.
The basic idea with this fix is that if a string is not valid in the currnet
charset, then (unless it is byte-equivilant) it cannot be case-equivilant
to any other string.
This should address the majority of our smb_panic() cases on this matter. It
will not fix them all - we still call unix_strupper(), aka strupper_m()
elsewhere, but this was being called on every file in the directory when
we performed unix_convert().
Tested with the stf unit tests for this routine.
Andrew Bartlett
(This used to be commit 9918fa73145a22b1d7adf001f0a9cf0e1bda4136)
|
|
Not strictly a bugfix, but it should considerably reduce the load we
put on LDAP servers given that at least nss_ldap on Linux keeps a
connection open.
And it should also stress our reconnect-code a bit more ;-)
Thanks to metze for this!
Volker
(This used to be commit e68d8eabeb9c64dc45d057619f9b3dd0cd507444)
|
|
Jeremy.
(This used to be commit 61fc9a7b2eafdf8cbed1f8d9aae016b828c91a08)
|
|
(This used to be commit 7d63b690004a59316a70059db0d9ad0ea9001288)
|
|
(This used to be commit 6770d69942a8841fb25448a8a238af7987ec860c)
|
|
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
|
|
changes so
we end up freeing a pointer we didn't mallocate.
Also, calling strdup() in a frequently called function just to clear up a
const compiler warning seems inelegant and inefficient.
(This used to be commit a0da5ae1198082d0cf18707ed2cf05f728b00d0b)
|
|
(This used to be commit 3a71b4873034b3fe9dc7b23a95e56c865e857507)
|
|
* move rid allocation into IDMAP. See comments in _api_samr_create_user()
* add winbind delete user/group functions
I'm checking this in to sync up with everyone. But I'm going to split
the add a separate winbindd_allocate_rid() function for systems
that have an 'add user script' but need idmap to give them a RID.
Life would be so much simplier without 'enable rid algorithm'.
The current RID allocation is horrible due to this one fact.
Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow.
Nothing has changed in the way a samba domain is represented, stored,
or search in the directory so things should be ok with previous installations.
going to bed now.
(This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
|
|
(This used to be commit 2f7658d9ba1f43fb2d14adc4af7b681634ab5cb2)
|
|
* remove idmap_XX_to_XX calls from smbd. Move back to the
the winbind_XXX and local_XXX calls used in 2.2
* all uid/gid allocation must involve winbindd now
* move flags field around in winbindd_request struct
* add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id()
to prevent automatic allocation for unknown SIDs
* add 'winbind trusted domains only' parameter to force a domain member
server to use matching users names from /etc/passwd for its domain
(needed for domain member of a Samba domain)
* rename 'idmap only' to 'enable rid algorithm' for better clarity
(defaults to "yes")
code has been tested on
* domain member of native mode 2k domain
* ads domain member of native mode 2k domain
* domain member of NT4 domain
* domain member of Samba domain
* Samba PDC running winbindd with trusts
Logons tested using 2k clients and smbclient as domain users
and trusted users. Tested both 'winbind trusted domains only = [yes|no]'
This will be a long week of changes. The next item on the list is
winbindd_passdb.c & machine trust accounts not in /etc/passwd (done
via winbindd_passdb)
(This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
|
|
- Try better to add the appropriate mapping between UID and SIDs, based
on Get_Pwnam()
- Look for previous users (lookup by SID) and correctly modify the existing
entry in that case
- Map the root user to the Admin SID as a 'well known user'
- Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update'
call on that user. This means that VL's very nice work on atomic LDAP
updates now really gets used properly!
- This also means that we know the right DN to update, without the extra
round-trips to the server.
Andrew Bartlett
(This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
|
|
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
|
|
strupper_m/strlower_m.
I really want people to think about when they're using multibyte strings.
Jeremy.
(This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
|
|
size on upper casing. Based on patch from monyo@home.monyo.com.
Jeremy.
(This used to be commit 72e382e99b92666acdaf50a040b14aa16d48b80d)
|
|
field for an option should be set to an identifier to use in a switch
statement or zero if the the arg field is to be updated only.
This fixes smbclient -k always prompting for a password which we don't need.
(This used to be commit 0744e2dad372904a554019146ff6f6e31ca1b2d2)
|
|
tdb_search_list_free.
Volker
(This used to be commit 0f3822c8e71426983b960ad49511efa8707159f9)
|
|
strings.
Running 'net cache list' or secrets_get_trusted_domains through
valgrind gives a *huge* amount of invalid reads of one byte beyond the
indicated string length in libc's strncpy. Annoying...
Volker
(This used to be commit 0f8933ae778064ff58cdc832ce52c843631435bb)
|
|
Don't overwrite past the end of a string.
Volker
(This used to be commit f036368efdcbe576552ea85a78e5e6199a2b2c6d)
|
|
smbd will update the trustdom_cache periodically after locking
the timestamp key
(This used to be commit 7bc4b65b91f98271089335cc301146d5f0c76c3a)
|
|
we now have to check the value for _NO_WINBINDD.
"1" enables, and != "1" disables (use "0" by convention).
(This used to be commit 11eccaef1dc61d80a7db8d0fb4bc5a47d71a4390)
|
|
- changed --enable-developer debug to use -gstabs as it makes the
samba binaries about 10x smaller and is still quite functional for
samba debugging
(This used to be commit 53bfcd478a193d4def8da872e92d7ed8f46aa4b9)
|
|
to handle domain trusts. Jeremy and I talked about this
and it's going in as working code. It keeps winbind clean
and solves the trust problem with minimal changes.
To summarize, there are 2 basic cases where the deadlock would
occur. (1) lookuping up secondary groups for a user, and
(2) get[gr|pw]nam() calls that fall through the NSS layer because
they don't exist anywhere.
o To handle case #1, we bypass winbindd in sys_getgrouplist() unless
the username includes the 'winbind separator'.
o Case #2 is handled by adding checks in winbindd to return failure
if we are a DC and the domain matches our own.
This code has been tested using basic share connections, domain
logons, and with pam_winbind (both with and without 'winbind
use default domain'). The 'trustdomain' auth module should work
as well if an admin wants to manually create UNIX users for
acounts in the trusted domains.
Other misc fixes:
* we need to fix check_ntlm_password() to be able to determine
if an auth module is authoritative over a user (NT_STATUS_WRONG_PASSWORD,
etc...). I worked around my specific situation, but this needs to be
fixed. the winbindd auth module was causing delays.
* fix named server mutex deadlock between trust domain auth module
and winbindd looking up a uid
* make sure SAM_ACCOUNT gets stored in the server_info struct for the
_net_sam_logon() reply.
Configuration details:
The recommended method for supporting trusts is to use winbind.
The gets us around some of the server mutex issues as well.
* set 'files winbind' for passwd: and group: in /etc/nsswitch.conf
* create domain trusts like normal
* join winbind on the pdc to the Samba domain using 'net rpc join'
* add normal parameters to smb.conf for winbind
* set 'auth method = guest sam winbind'
* start smbd, nmbd, & winbindd
Problems that remain:
* join a Windows 2k/XP box to a Samba domain.
* create a 2-way trust between the Samba domain
and an NT domain
* logon to the windows client as a user from theh trusted
domain
* try to browse server in the trusted domain (or other
workstations). an NT client seems to work ok, but 2k
and XP either prompt for passwords or fail with errors.
apparanently this never got tested since no one has ever been
able to logon as a trusted user to a Samba domain from a Windows
client.
(This used to be commit f804b590f9dbf1f0147c06a0a2f12e221ae6fc3b)
|
|
*) consolidates the dc location routines again (dns
and netbios) get_dc_list() or get_sorted_dc_list()
is the authoritative means of locating DC's again.
(also inludes a flag to get_dc_list() to define
if this should be a DNS only lookup or not)
(however, if you set "name resolve order = hosts wins"
you could still get DNS queries for domain name IFF
ldap_domain2hostlist() fails. The answer? Fix your DNS
setup)
*) enabled DOMAIN<0x1c> lookups to be funneled through
resolve_hosts resulting in a call to ldap_domain2hostlist()
if lp_security() == SEC_ADS
*) enables name cache for winbind ADS backend
*) enable the negative connection cache for winbind
ADS backend
*) removes some old dead code
*) consolidates some duplicate code
*) moves the internal_name_resolve() to use an IP/port pair
to deal with SRV RR dns replies. The namecache code
also supports the IP:port syntax now as well.
*) removes 'ads server' and moves the functionality back
into 'password server' (which can support "hostname:port"
syntax now but works fine with defaults depending on
the value of lp_security())
(This used to be commit d7f7fcda425bef380441509734eca33da943c091)
|
|
The functions are unchanged. Next step is to make idmap_ldap use them.
Andrew Bartlett
(This used to be commit 57617a0f8c84f9ced4df2901811ce5a5a5ae005e)
|
|
failure
* Fix code to use winbind_rpc methods for trusted mixed mode or NT4 domains
( does no one ever test this? )
* add in LDAP code to get the sequence number for rpc based seqnum update.
( this is needed if the DC is upgraded and samba is not reconfigured
to use security = ads; it's not pretty but it works (from app_head) )
* fix bug that caused us to enumerate domain local groups in domains
other than our own
(This used to be commit 14f2cd139a22454571cea8475d3b7c5c2787d378)
|