summaryrefslogtreecommitdiff
path: root/source3/libads/ldap.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r16952: New derive DES salt code and Krb5 keytab generationGerald Carter1-70/+190
Major points of interest: * Figure the DES salt based on the domain functional level and UPN (if present and applicable) * Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC keys * Remove all the case permutations in the keytab entry generation (to be partially re-added only if necessary). * Generate keytab entries based on the existing SPN values in AD The resulting keytab looks like: ktutil: list -e slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 2 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 3 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) 4 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 5 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 6 6 host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) 7 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 8 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 9 6 suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName) and the sAMAccountName value. The UPN will be added as well if the machine has one. This fixes 'kinit -k'. Tested keytab using mod_auth_krb and MIT's telnet. ads_verify_ticket() continues to work with RC4-HMAC and DES keys. (This used to be commit 6261dd3c67d10db6cfa2e77a8d304d3dce4050a4)
2007-10-10r16945: Sync trunk -> 3.0 for 3.0.24 code. Still needJeremy Allison1-4/+5
to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2007-10-10r16862: Reverting accidential changes in ads_try_connect() from previous commit.Günther Deschner1-2/+2
Guenther (This used to be commit 6257f9af93f2391940b2c60fe39c0bf106de15dd)
2007-10-10r16861: Fixing crash bug when passing no domain/realm name to the CLDAP request.Günther Deschner1-3/+4
Guenther (This used to be commit 863aeb621afa7dcec1bfef8e503ef8ed363e3742)
2007-10-10r16836: When receiving a CLDAP reply make sure that we always store the correctGünther Deschner1-1/+3
netbios domain name in server affinity cache. Guenther (This used to be commit 08958411eeff430fb523d9b73e0259d060bac17b)
2007-10-10r16685: Fix bug #3901 reported by jason@ncac.gwu.edu.Jeremy Allison1-7/+1
Jeremy. (This used to be commit d48655d9c0b31d15327655140c021de29873d2c5)
2007-10-10r16339: Fix Klocwork IDVolker Lendecke1-1/+7
277 278 (cmd_*) 485 487 488 (ldap.c) Volker (This used to be commit 5b1eba76b3ec5cb9b896a9a5641b4d83bdbdd4cf)
2007-10-10r16324: Klocwork #499. Allways check results from alloc.Jeremy Allison1-1/+19
Jeremy. (This used to be commit 2b69d436da7b2902ea419f3bcc45c7b5a5c571fb)
2007-10-10r16322: Klocwork #481., Don't deref null on malloc fail.Jeremy Allison1-2/+4
Jeremy. (This used to be commit dd31f3fc0e044fdae139aefcb21773249c30eb74)
2007-10-10r16190: Fix more memleaks.Günther Deschner1-1/+6
Guenther (This used to be commit dfebcc8e19bee06b7c03f88845314e9cfd6f398a)
2007-10-10r16117: Make winbindd work again in security=ads.Günther Deschner1-2/+6
We still used the old HOST/* UPN to get e.g. users, now we need samaccountname$@REA.LM. Guenther (This used to be commit f6516a799aec2db819f79b9a1e641637422a9b4c)
2007-10-10r15822: Add suggestion made by Ralf Haferkamp.Lars Müller1-1/+1
(This used to be commit 7c375fd540fa54ac8ae71c42ed07e01c593044b3)
2007-10-10r15701: change 'net ads leave' to disable the machine account in the domain ↵Gerald Carter1-184/+0
(since removal implies greater permissions that Windows clients require) (This used to be commit ad1f947625612ef16adb69fc2cfeffc68a9a2e02)
2007-10-10r15698: An attempt to make the winbind lookup_usergroups() call in security=adsGünther Deschner1-16/+204
more scalable: The most efficient way is to use the "tokenGroups" attribute which gives the nested group membership. As this attribute can not always be retrieved when binding with the machine account (the only garanteed way to get the tokenGroups I could find is when the machine account is a member of the "Pre Win2k Access" builtin group). Our current fallback when "tokenGroups" failed is looking for all groups where the userdn was in the "member" attribute. This behaves not very well in very large AD domains. The patch first tries the "memberOf" attribute on the user's dn in that case and directly retrieves the group's sids by using the LDAP Extended DN control from the user's object. The way to pass down the control to the ldap search call is rather painfull and probably will be rearranged later on. Successfully tested on win2k sp0, win2k sp4, wink3 sp1 and win2k3 r2. Guenther (This used to be commit 7d766b5505e4099ef7dd4e88bb000ebe38d71bd0)
2007-10-10r15697: I take no comments as no objections :)Günther Deschner1-150/+0
Expand the "winbind nss info" to also take "rfc2307" to support the plain posix attributes LDAP schema from win2k3-r2. This work is based on patches from Howard Wilkinson and Bob Gautier (and closes bug #3345). Guenther (This used to be commit 52423e01dc209ba5abde808a446287714ed11567)
2007-10-10r15696: Free LDAP search result.Günther Deschner1-0/+2
Guenther (This used to be commit ec26c355b3ef1d3d809c4fbe911ce6fcef5db955)
2007-10-10r15635: Fix a bogus gcc uninit variable messageVolker Lendecke1-1/+1
(This used to be commit 53f7104b4fbb4f59c18458f589e25e7b536642cb)
2007-10-10r15560: Since the hotel doesn't have Sci-Fi and no "Doctor Who"....Gerald Carter1-171/+25
Re-add the capability to specify an OU in which to create the machine account. Done via LDAP prior to the RPC join. (This used to be commit b69ac0e30441faea7a7d677b6bb551aa8ffbf55d)
2007-10-10r15543: New implementation of 'net ads join' to be more like Windows XP.Gerald Carter1-203/+160
The motivating factor is to not require more privileges for the user account than Windows does when joining a domain. The points of interest are * net_ads_join() uses same rpc mechanisms as net_rpc_join() * Enable CLDAP queries for filling in the majority of the ADS_STRUCT->config information * Remove ldap_initialized() from sam/idmap_ad.c and libads/ldap.c * Remove some unnecessary fields from ADS_STRUCT * Manually set the dNSHostName and servicePrincipalName attribute using the machine account after the join Thanks to Guenther and Simo for the review. Still to do: * Fix the userAccountControl for DES only systems * Set the userPrincipalName in order to support things like 'kinit -k' (although we might be able to just use the sAMAccountName instead) * Re-add support for pre-creating the machine account in a specific OU (This used to be commit 4c4ea7b20f44cd200cef8c7b389d51b72eccc39b)
2007-10-10r15461: Free LDAP result in ads_get_attrname_by_oid().Günther Deschner1-1/+6
Guenther (This used to be commit f4af888282ff39665f186550b9ccbbf7a9128fc2)
2007-10-10r15250: dump some more sids.Günther Deschner1-0/+2
Guenther (This used to be commit 2922c7f5704e3cfcc80dc648bb3d6d9aa80aaf37)
2007-10-10r14931: Fix #1374: can't join an OU with name that contains '#'Jim McDonough1-2/+6
I had to eliminate "\" as an OU path separator, because it is the escape char in LDAP. We still accept "/", but using the escape char is just not a good choice. (This used to be commit 1953f63903e64e0a33eb981c51b8ca4beb673af2)
2007-10-10r14252: Fix Coverity #72: free alloc'ed storage before return. Also found oneJim McDonough1-1/+6
more that coverity didn't find from asprintf. (This used to be commit 37b6e2c8de41754a5a1a3a6f798d57aa5d533ada)
2007-10-10r14118: Fix coverity bug #24. Missing return statement meantJeremy Allison1-1/+1
a possible NULL ptr deref. Jeremy. (This used to be commit 78ac3f9cbdabc1df9480f75fb3910a3a108a0e91)
2007-10-10r13965: Make sure we always reset the userAccountControl bits when re-joiningGünther Deschner1-1/+1
with an existing account. Guenther (This used to be commit e4c12ab167ee83772a2bdd1946b8d73613fc0d7e)
2007-10-10r13951: Fix Coverity Bug #163.Volker Lendecke1-28/+0
This code was not used anyway :-) Volker (This used to be commit bbfb20569380529d60e3c61cd0be63a09eecfd17)
2007-10-10r13657: Let winbindd try to obtain the gecos field from the msSFU30GecosGünther Deschner1-1/+6
attribute when "winbind nss info = sfu" is set. Fixes #3539. Guenther (This used to be commit ffce0461de130828345c44293e564ca03227607d)
2007-10-10r13410: Dump a netbootGUID as a GUID.Günther Deschner1-0/+1
Guenther (This used to be commit 9b19a68456c7b576750aaf64c178ba5323d9a95e)
2007-10-10r13316: Let the carnage begin....Gerald Carter1-0/+223
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r13310: first round of server affinity patches for winbindd & net ads joinGerald Carter1-0/+4
(This used to be commit 6c3480f9aecc061660ad5c06347b8f1d3e11a330)
2007-10-10r12878: Don't use non-static array initialisers.James Peach1-1/+2
(This used to be commit 95b231f0285c65bcdc62cd453cea634f9f5e7f91)
2007-10-10r12196: patch from Krishna Ganugapati <krishnag@centeris.com>Gerald Carter1-1/+17
Use the subtree delete ldap control when running 'net ads leave' to ensure that the machine account is actually deleted. (This used to be commit e96000c16cd182b2e2cbdc1a287002306d2965e6)
2007-10-10r12043: It's amazing the warnings you find when compiling on a 64-bitJeremy Allison1-5/+5
box with gcc4 and -O6... Fix a bunch of C99 dereferencing type-punned pointer will break strict-aliasing rules errors. Also added prs_int32 (not uint32...) as it's needed in one place. Find places where prs_uint32 was being used to marshall/unmarshall a time_t (a big no no on 64-bits). More warning fixes to come. Thanks to Volker for nudging me to compile like this. Jeremy. (This used to be commit c65b752604f8f58abc4e7ae8514dc2c7f086271c)
2007-10-10r11875: Allow to use START_TLS (by manually setting "ldap ssl = start_tls") forGünther Deschner1-0/+5
LDAP connections to ADS (Windows 2003). Guenther (This used to be commit 95543fab0f6aa1c483b40247c16cde79cbc9c012)
2007-10-10r11863: BUG 3196: patch from Alex Deiter <tiamat@komi.mts.ru> to compile ↵Gerald Carter1-1/+7
against the Sun LDAP client libs. But not for AD support; just ldap support (This used to be commit a33e78acedb37df47905d326411e017794721250)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter1-2/+2
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r8048: Replace "done" with "failed".Günther Deschner1-5/+5
Guenther (This used to be commit 7285edc4fe71f47ab648c31760c357fc2af29ce7)
2007-10-10r8047: "oid" is defined in a heimdal header. With my gcc this generates a ton ofVolker Lendecke1-4/+4
shadowed variable warnings. Fix that. Volker (This used to be commit 3846c0afa1db96239b3aaf2e7ee2427b48f6e2f0)
2007-10-10r7994: This adds support in Winbindd's "security = ads"-mode to retrieve the ↵Günther Deschner1-1/+95
POSIX homedirectory and the loginshell from Active Directory's "Services for Unix". Enable it with: winbind sfu support = yes User-Accounts without SFU-Unix-Attributes will be assigned template-based Shells and Homedirs as before. Note that it doesn't matter which version of Services for Unix you use (2.0, 2.2, 3.0 or 3.5). Samba should detect the correct attributes (msSFULoginShell, msSFU30LoginShell, etc.) automatically. If you also want to share the same uid/gid-space as SFU then also use PADL's ad-idmap-Plugin: idmap backend = ad When using the idmap-plugin only those accounts will appear in Name Service Switch that have those UNIX-attributes which avoids potential uid/gid-space clashes between SFU-ids and automatically assigned idmap-ids. Guenther (This used to be commit 28b59699425b1c954d191fc0e3bd357e4a4e4cd8)
2007-10-10r6595: This is Volkers new-talloc patch. Just got the go-ahead fromJeremy Allison1-1/+1
Volker to commit. Woo Hoo ! Jeremy. (This used to be commit 316df944a456f150944761dab34add5e8c4ab699)
2007-10-10r6149: Fixes bugs #2498 and 2484.Derrell Lipman1-4/+4
1. using smbc_getxattr() et al, one may now request all access control entities in the ACL without getting all other NT attributes. 2. added the ability to exclude specified attributes from the result set provided by smbc_getxattr() et al, when requesting all attributes, all NT attributes, or all DOS attributes. 3. eliminated all compiler warnings, including when --enable-developer compiler flags are in use. removed -Wcast-qual flag from list, as that is specifically to force warnings in the case of casting away qualifiers. Note: In the process of eliminating compiler warnings, a few nasties were discovered. In the file libads/sasl.c, PRIVATE kerberos interfaces are being used; and in libsmb/clikrb5.c, both PRIAVE and DEPRECATED kerberos interfaces are being used. Someone who knows kerberos should look at these and determine if there is an alternate method of accomplishing the task. (This used to be commit 994694f7f26da5099f071e1381271a70407f33bb)
2007-10-10r5956: more compile warngin fixes from the Mr. MaderGerald Carter1-3/+3
(This used to be commit f3f315b14d261fa56ab040db036a6f858ac06e65)
2007-10-10r5948: more compile cleanups from Jason MaderGerald Carter1-6/+1
(This used to be commit cc6c769c3c26164919dd13777d671abe02c084d9)
2007-10-10r5336: BUG 2329: fix to re-enable winbindd to locate DC's when 'disable ↵Gerald Carter1-1/+1
netbios = yes' (This used to be commit 75a223f1188ae0041c9e3c748af107d642f73810)
2007-10-10r5207: patches from Jay Fenlason @ RedHat (scooped from their Fedora packages)Gerald Carter1-1/+1
(This used to be commit 9019a8436162d3606f6b8584701b0832cf5a7439)
2007-10-10r4665: Fix inspired by posting from Joe Meadows <jameadows@webopolis.com>.Jeremy Allison1-10/+10
Make all LDAP timeouts consistent. Jeremy. (This used to be commit 0f0281c2348b10ffdea744ecade6b2be0814c872)
2007-10-10r4346: Fix cut-and-paste error - bugid #2189. Fixed by Buck Huppmann ↵Jeremy Allison1-1/+1
<buckh@pobox.com> Jeremy. (This used to be commit 5c22cb082c86088add0db21541a8079c516c9fd9)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison1-30/+30
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r3841: Time out in ads search queries. Even AD servers can hang.Volker Lendecke1-7/+44
Volker (This used to be commit fc454c8ef6321fba9efa42a704c8e8c707361af3)
2007-10-10r3764: Ensure on failure that *res is always NULL.Jeremy Allison1-3/+8
Check for malloc fail. Fixes for bug #2036. Jeremy. (This used to be commit b815247747214ba413c054746e9732d5f2b10535)