Age | Commit message (Collapse) | Author | Files | Lines |
|
Guenther
(This used to be commit ecb632a1534d5178602b9143bb17712559fe2e4f)
|
|
Guenther
(This used to be commit e7cae9bbae2848ca1088a822883563062dd3f612)
|
|
Jeremy.
(This used to be commit e568271af2b5c20cff70b72b8ab4b1b704122b40)
|
|
Jeremy.
(This used to be commit 03e1078b459531af5a2336b584b3c886c5dd1e29)
|
|
Jeremy.
(This used to be commit f8984fa8b706bb76559e447b30a201e1cc2871b6)
|
|
Fix a C++ compat warning.
Volker
(This used to be commit 351e583f66714562eca1f40429bfee70f06d281c)
|
|
(This used to be commit 86db85423027d34cb053fc068159ddd2226e90ec)
|
|
a non-fatal error path if the 'disable machine
account' code succeeded.
Jeremy.
(This used to be commit f47bffa21ec1caf5ec3a6ec77af801df0b63d83a)
|
|
Guenther
(This used to be commit 6f301b2dc3dd64b4396e1d0307b3d539bda67d45)
|
|
cache the SAF name under both the domain name
and the realm name, as we could be looking up
under both. Jerry please check.
Jeremy.
(This used to be commit 9d954d2deb46698b3834c7caf5ee0cfe628086b5)
|
|
Compiled it on systems with and without LDAP, I hope it does not break the
build farm too badly. If it does, I'll fix it tomorrow.
Volker
(This used to be commit b2ff9680ebe0979fbeef7f2dabc2e3f27c959d11)
|
|
set_dc_type_and_flags().
Fix problem when DC is down in ads_connect, where
we fall back to NetBIOS and try exactly the same
IP addresses we just put in the negative connection
cache.... We can never succeed, so don't try lookups
a second time.
Jeremy.
(This used to be commit 2d28f3e94a1a87bc9e9ed6630ef48b1ce17022e8)
|
|
working right. Don't update the server site when we
have a client one...
Jeremy.
(This used to be commit 7acbcf9a6c71f8e7f9167880488613c930cef4d9)
|
|
Jeremy.
(This used to be commit 638d53e2ad524dfe4666b79d36997dea8a44c8cd)
|
|
struct so we can see when they match - only create
the ugly krb5 hack when they do.
Jeremy.
(This used to be commit 9be4ecf24b6b5dacf4c2891bddb072fa7543753f)
|
|
writing out a custom krb5.conf file containing
the KDC I need. This may suck.... Needs some
testing :-).
Jeremy.
(This used to be commit d500e1f96d92dfcc6292c448d1b399195f762d89)
|
|
Cause winbindd to set site support before doing the
generic AD server lookup.
Jeremy.
(This used to be commit a9833941715472ece747bce69ef53ba8ad98d7a5)
|
|
support when looking up DC's. On every CLDAP
call store the returned client sitename (if
present, delete store if not) in gencache with
infinate timeout. On AD DNS DC lookup, try looking
for sitename DC's first, only try generic if
sitename DNS lookup failed.
I still haven't figured out yet how to ensure
we fetch the sitename with a CLDAP query before
doing the generic DC list lookup. This code is
difficult to understand. I'll do some experiments
and backtraces tomorrow to try and work out where
to force a CLDAP site query first.
Jeremy.
(This used to be commit ab3f0c5b1e9c5fd192c5514cbe9451b938f9cd5d)
|
|
deref null. Make interface explicit.
Jeremy.
(This used to be commit 4e99606ec16b978a76219b5362a23a7b06ee5468)
|
|
get_sorted_dc_list
return NTSTATUS.
If we want to differentiate different name resolution problems we might want
to introduce yet another error class for Samba-internal errors. Things like no
route to host to the WINS server, a DNS server explicitly said host not found
etc might be worth passing up.
Because we can not stash everything into the existing NT_STATUS codes, what
about a Samba-specific error class like NT_STATUS_DOS and NT_STATUS_LDAP?
Volker
(This used to be commit 60a166f0347170dff38554bed46193ce1226c8c1)
|
|
the LGPL. Original code by Krishna Ganugapati <krishnag@centeris.com>.
Additional work by me.
It's still got some warts, but non-secure updates do
currently work. There are at least four things left to
really clean up.
1. Change the memory management to use talloc() rather than
malloc() and cleanup the leaks.
2. Fix the error code reporting (see initial changes to
dnserr.h)
3. Fix the secure updates
4. Define a public interface in addns.h
5. Move the code in libads/dns.c into the libaddns/ directory
(and under the LGPL).
A few notes:
* Enable the new code by compiling with --with-dnsupdate
* Also adds the command 'net ads dns register'
* Requires -luuid (included in the e2fsprogs-devel package).
* Has only been tested on Linux platforms so there may be portability
issues.
(This used to be commit 36f04674aeefd93c5a0408b8967dcd48b86fdbc1)
|
|
NO_LOGON_SERVERS if no domain controller was found.
Thanks to Michael Adam <ma@sernet.de>.
Volker
(This used to be commit d44599de3a61707a32851f37ddfb2425949622f8)
|
|
inspired
by Christian M Ambach <CAMBACH1@de.ibm.com>.
Volker
(This used to be commit cf7c83d462dc766fa6f48728d0a4e8d534cc2bd4)
|
|
(This used to be commit 0f483cf66c203d8590998b83cbeeb236ba06ab63)
|
|
Jerry, please check.
Thanks,
Volker
(This used to be commit b87c4952216b6302b0e1f22689b5a36b6aa65349)
|
|
Major points of interest:
* Figure the DES salt based on the domain functional level
and UPN (if present and applicable)
* Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC
keys
* Remove all the case permutations in the keytab entry
generation (to be partially re-added only if necessary).
* Generate keytab entries based on the existing SPN values
in AD
The resulting keytab looks like:
ktutil: list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
2 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
3 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
4 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
5 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
6 6 host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
7 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
8 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
9 6 suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName)
and the sAMAccountName value. The UPN will be added as well if the machine has
one. This fixes 'kinit -k'.
Tested keytab using mod_auth_krb and MIT's telnet. ads_verify_ticket()
continues to work with RC4-HMAC and DES keys.
(This used to be commit 6261dd3c67d10db6cfa2e77a8d304d3dce4050a4)
|
|
to do the upper layer directories but this is what
everyone is waiting for....
Jeremy.
(This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
|
|
Guenther
(This used to be commit 6257f9af93f2391940b2c60fe39c0bf106de15dd)
|
|
Guenther
(This used to be commit 863aeb621afa7dcec1bfef8e503ef8ed363e3742)
|
|
netbios domain name in server affinity cache.
Guenther
(This used to be commit 08958411eeff430fb523d9b73e0259d060bac17b)
|
|
Jeremy.
(This used to be commit d48655d9c0b31d15327655140c021de29873d2c5)
|
|
277 278 (cmd_*)
485 487 488 (ldap.c)
Volker
(This used to be commit 5b1eba76b3ec5cb9b896a9a5641b4d83bdbdd4cf)
|
|
Jeremy.
(This used to be commit 2b69d436da7b2902ea419f3bcc45c7b5a5c571fb)
|
|
Jeremy.
(This used to be commit dd31f3fc0e044fdae139aefcb21773249c30eb74)
|
|
Guenther
(This used to be commit dfebcc8e19bee06b7c03f88845314e9cfd6f398a)
|
|
We still used the old HOST/* UPN to get e.g. users, now we need
samaccountname$@REA.LM.
Guenther
(This used to be commit f6516a799aec2db819f79b9a1e641637422a9b4c)
|
|
(This used to be commit 7c375fd540fa54ac8ae71c42ed07e01c593044b3)
|
|
(since removal implies greater permissions that Windows clients require)
(This used to be commit ad1f947625612ef16adb69fc2cfeffc68a9a2e02)
|
|
more scalable:
The most efficient way is to use the "tokenGroups" attribute which gives
the nested group membership. As this attribute can not always be
retrieved when binding with the machine account (the only garanteed way
to get the tokenGroups I could find is when the machine account is a
member of the "Pre Win2k Access" builtin group).
Our current fallback when "tokenGroups" failed is looking for all groups
where the userdn was in the "member" attribute. This behaves not very
well in very large AD domains.
The patch first tries the "memberOf" attribute on the user's dn in that
case and directly retrieves the group's sids by using the LDAP Extended
DN control from the user's object.
The way to pass down the control to the ldap search call is rather
painfull and probably will be rearranged later on.
Successfully tested on win2k sp0, win2k sp4, wink3 sp1 and win2k3 r2.
Guenther
(This used to be commit 7d766b5505e4099ef7dd4e88bb000ebe38d71bd0)
|
|
Expand the "winbind nss info" to also take "rfc2307" to support the
plain posix attributes LDAP schema from win2k3-r2.
This work is based on patches from Howard Wilkinson and Bob Gautier
(and closes bug #3345).
Guenther
(This used to be commit 52423e01dc209ba5abde808a446287714ed11567)
|
|
Guenther
(This used to be commit ec26c355b3ef1d3d809c4fbe911ce6fcef5db955)
|
|
(This used to be commit 53f7104b4fbb4f59c18458f589e25e7b536642cb)
|
|
Re-add the capability to specify an OU in which to create
the machine account. Done via LDAP prior to the RPC join.
(This used to be commit b69ac0e30441faea7a7d677b6bb551aa8ffbf55d)
|
|
The motivating factor is to not require more privileges for
the user account than Windows does when joining a domain.
The points of interest are
* net_ads_join() uses same rpc mechanisms as net_rpc_join()
* Enable CLDAP queries for filling in the majority of the
ADS_STRUCT->config information
* Remove ldap_initialized() from sam/idmap_ad.c and
libads/ldap.c
* Remove some unnecessary fields from ADS_STRUCT
* Manually set the dNSHostName and servicePrincipalName attribute
using the machine account after the join
Thanks to Guenther and Simo for the review.
Still to do:
* Fix the userAccountControl for DES only systems
* Set the userPrincipalName in order to support things like
'kinit -k' (although we might be able to just use the sAMAccountName
instead)
* Re-add support for pre-creating the machine account in
a specific OU
(This used to be commit 4c4ea7b20f44cd200cef8c7b389d51b72eccc39b)
|
|
Guenther
(This used to be commit f4af888282ff39665f186550b9ccbbf7a9128fc2)
|
|
Guenther
(This used to be commit 2922c7f5704e3cfcc80dc648bb3d6d9aa80aaf37)
|
|
I had to eliminate "\" as an OU path separator, because it is the escape
char in LDAP. We still accept "/", but using the escape char is just
not a good choice.
(This used to be commit 1953f63903e64e0a33eb981c51b8ca4beb673af2)
|
|
more that coverity didn't find from asprintf.
(This used to be commit 37b6e2c8de41754a5a1a3a6f798d57aa5d533ada)
|
|
a possible NULL ptr deref.
Jeremy.
(This used to be commit 78ac3f9cbdabc1df9480f75fb3910a3a108a0e91)
|
|
with an existing account.
Guenther
(This used to be commit e4c12ab167ee83772a2bdd1946b8d73613fc0d7e)
|