Age | Commit message (Collapse) | Author | Files | Lines |
|
in 3.0 (new SAM in HEAD). Nobody was referencing these fns...
(This used to be commit 386cc92dfa23b4e20172dff20fb14c2ad3172a58)
|
|
GUID formatting on ads dump
Allow rc4-hmac when available
.NET likes both forms of servicePrincipalName in machine account record
(This used to be commit 89e3a3da5d5bc9e6aedeaea5a87553d72fcaac99)
|
|
Jeremy.
(This used to be commit eadfd312ba92a780f655cf117c44b30457f007e8)
|
|
(i ignored the new SAMBA stuff, but the rest of this looks like it should
have been merged already).
(This used to be commit 3de09e5cf1f667e410ee8b9516a956860ce7290f)
|
|
- Fix segfaults in the 'net ads' commands when no password is provided
- Readd --with-ldapsam for 2.2 compatability. This conditionally compiles the
old options, but the actual code is available on all ldap systems.
- Fix shadow passwords (as per work with vl)
- Fix sending plaintext passwords to unicode servers (again vl)
- Add a bit of const to secrets.c functions
- Fix some spelling and grammer by vance.
- Document the -r option in smbgroupedit.
There are more changes in HEAD, I'm only merging the changes I've been involved
with.
Andrew Bartlett
(This used to be commit 83973c389355a5cc9ca74af467dfd8b5dabd2c8f)
|
|
used to be commit eb5ce70e2f0e3ebf6bab168108b410174e42818b)
|
|
(This used to be commit 9615ab10c006d8027f6a8b7dd3770eb77304dbdc)
|
|
This module, primarilly the work of "Stefan (metze) Metzmacher"
<metze@metzemix.de>, uses the Active Directory schema to store the
user/group/other information. I've been testing it against a real AD server,
and it is intended to work with OpenLDAP as well.
I've moved a few functions around in our other libads code, which has made it
easier to tap into that existing code.
Also, I've made some changes to the SAM interface, I hope there are not too
many objections... To ensure we don't get silly bugs in the skel module, it
is now in the default compile. This way you should not forget to update it :-)
Andrew Bartlett
(This used to be commit 24fb0cde2f0b657df1c99474cd694438c94a566e)
|
|
(This used to be commit 2b54a2fc2c85ea139e2acdbbc2f14b969c0c6315)
|
|
like metze's sam_ads can also use them.
Also add error checking etc to a few more functions.
Andrew Bartlett
(This used to be commit c864edf4fbf8a6c37888a14b861d7c12cf503d4f)
|
|
sane prototype for the push_utf8_allocate code.
Andrew Bartlett
(This used to be commit ce00a3238ed8a82639c4d0ee3e960f7000b1a7b0)
|
|
(This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
|
|
used to be commit 9a5541595f78f2cbba16030552c6e780f6fddcf6)
|
|
See mx-ldap.sf.net for his current progress.
(This used to be commit 9c62d1312fdf0aa7b1978e8bbb56fc076ba7e9d0)
|
|
back to NTLMSSP. We need to get the password out of the user, and this
eventually does.
Andrew Bartlett
(This used to be commit bb518a3bae3bf91a589021fcc5b1e715247c5ded)
|
|
the DC being out of sync with the local machine.
(This used to be commit 0d28d769472ea3b98ae4c8757093dfd4499f6dd1)
|
|
(This used to be commit 443d5ebafad46a9a62527642628aff8e5d9dc10c)
|
|
Oh well, here it is...
Andrew Bartlett
(This used to be commit 7c2a667640b01a0f19ddc3515c5ca7ac43d26e25)
|
|
to extend the ADS_STATUS system to include NTSTATUS, and to provide a better
general infrustructure for his sam_ads work.
I've also added some extra failure mode DEBUG()s to parts of the code.
NOTE: The ADS_ERR_OK() macro is rather sensitive to braketing issues - without
the final set of brakets, the test is essentially inverted - causing some
intersting 'error = success' messages...
Andrew Bartlett
(This used to be commit 5b9a7ab901bc311f3ad08462a8a68d133c34a8b4)
|
|
(This used to be commit ad3c8da13b9d510f78fd56364cd0987de88a9b9f)
|
|
we now do this:
- look for suported SASL mechanisms on the LDAP server
- choose GSS-SPNEGO if possible
- within GSS-SPNEGO choose KRB5 if we can do a kinit
- otherwise use NTLMSSP
This change also means that we no longer rely on having a gssapi
library to do ADS.
todo:
- add TLS/SSL support over LDAP
- change to using LDAP/SSL for password change in ADS
(This used to be commit b04e91f660d3b26d23044075d4a7e707eb41462d)
|
|
with non-const values - strsep not defined
(This used to be commit a5c59b2cd10016ecbd931531602ad1cb3660bbf9)
|
|
(This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
|
|
we get a response from WINS for a PDC, if the PDC isn't responding.
(This used to be commit 57916316ffc70b0b6659f3ad9d14aad41fad4c71)
|
|
(This used to be commit 2ee0abb50f25e5a4529d8c9409c979a7a00e5984)
|
|
setups.
- split up the ads structure into logical pieces. This makes it much
easier to keep things like the authentication realm and the server
realm separate (they can be different).
- allow ads callers to specify that no sasl bind should be performed
(used by "net ads info" for example)
- fix an error with handing ADS_ERROR_SYSTEM() when errno is 0
- completely rewrote the code for finding the LDAP server. Now try DNS
methods first, and try all DNS servers returned from the SRV DNS
query, sorted by closeness to our interfaces (using the same sort code
as we use in replies from WINS servers). This allows us to cope with
ADS DCs that are down, and ensures we don't pick one that is on the
other side of the country unless absolutely necessary.
- recognise dnsRecords as binary when displaying them
- cope with the realm not being configured in smb.conf (work it out
from the LDAP server)
- look at the trustDirection when looking up trusted domains and don't
include trusts that trust our domains but we don't trust
theirs.
- use LDAP to query the alternate (netbios) name for a realm, and make
sure that both and long and short forms of the name are accepted by
winbindd. Use the short form by default for listing users/groups.
- rescan the list of trusted domains every 5 minutes in case new trust
relationships are added while winbindd is running
- include transient trust relationships (ie. C trusts B, B trusts A,
so C trusts A) in winbindd.
- don't do a gratuituous node status lookup when finding an ADS DC (we
don't need it and it could fail)
- remove unused sid_to_distinguished_name function
- make sure we find the allternate name of our primary domain when
operating with a netbiosless ADS DC (using LDAP to do the lookup)
- fixed the rpc trusted domain enumeration to support up to approx
2000 trusted domains (the old limit was 3)
- use the IP for the remote_machine (%m) macro when the client doesn't
supply us with a name via a netbios session request (eg. port 445)
- if the client uses SPNEGO then use the machine name from the SPNEGO
auth packet for remote_machine (%m) macro
- add new 'net ads workgroup' command to find the netbios workgroup
name for a realm
(This used to be commit e358d7b24c86a46d8c361b9e32a25d4f71a6dc00)
|
|
from some of the callers.
Andrew Bartlett
(This used to be commit eb3354aa6c7293df9a728565a6774049b2e6d57f)
|
|
very useful in scripts
(This used to be commit fc0d5479b575c1f495b9251413eed18ec1e37e02)
|
|
without any 'realm =' or 'ads server =' options at all, as long as DNS
is working right.
(This used to be commit d3fecdd04241ed7b9248e52415693cd54a1faecf)
|
|
(and yes, some of these are real bugs)
In particular, the samr code was doing an &foo of various types, to a function
that assumed uint32. If time_t isn't 32 bits long, that broke.
They are assignment compatible however, so use that and an intermediate
variable.
Andrew Bartlett
(This used to be commit 30d0998c8c1a1d4de38ef0fbc83c2b763e05a3e6)
|
|
(This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
|
|
used to be commit b8d39651fb90ef170055735412417239a63afc5d)
|
|
same name as the machine name exists. (we ended up setting the users
password, not the machines password!)
(This used to be commit fe1e6233c6f0a5654bcc3ab34f65bb570efc69b1)
|
|
membership from an ADS server. We now use a 'member' query on the
group and do a separate call to convert the resulting distinguished
name to a name, rid etc. This is *much* faster for very large numbers
of groups (on a quantum test system with 10000 groups it drops the
time from an hour to about 35 seconds).
strangely enough, this actually *increases* the amount of ldap
traffic, its just that the MS LDAP server answers these queries much
faster.
(This used to be commit 5538048e4f6dd224b2990f3c6a3e99fd07065f77)
|
|
a char** isn't quite the same thing as a struct berval** :)
(This used to be commit a92834ea9460bc49be99d6d5b0d41a817e6f0824)
|
|
broken
(This used to be commit 022073d140bae960613127a6d9422e443a8098c6)
|
|
Also remove unused line which incremented pointer by the wrong length anyway.
Provided by Anthony Liguori (aliguori@us.ibm.com).
(This used to be commit 47b7a3e0f3d101a3bcffd33db6ef4c0672b57ae0)
|
|
(This used to be commit 1de04ec4735c19ec21cdef6e679cea17c734c5f6)
|
|
code
(This used to be commit 91ad9041e9507d36eb3f40c23c5d4df61f139ef0)
|
|
this fixes the huge number of struct berval warnings on non-ads
compiles
(This used to be commit e7f588d8156856109623b5f5a3841c5d096b1185)
|
|
str_list_copy(). Perhaps its proto should be fixed.
(This used to be commit b81bc2b34b620c24a148435d9913bd1a1528c983)
|
|
(This used to be commit b361089360068b91e9f4d221abdc3c8351596a7f)
|
|
Now smbclient, net, and swat use their own proto files - now the global
proto.h
The change to libads/kerberos.c was to break up the dependency on secrets.c -
we want to be able to write an ADS client that doesn't need local secrets.
I have other breakups in the works - I will remove the dependency of
rpc_parse on passdb (and therefore secrets.c) shortly.
(NOTE: This patch does *not* break up includes.h, or other such forbidden
actions).
Andrew Bartlett
(This used to be commit edb41dad2df0ae3db364dbc3896cc75956262edf)
|
|
though it is up to the calling function to decide whether values are
strings or not. Attributes are not converted at this point, though support
for it would be simple.
I have tested it with users and groups using non-ascii chars, and if the
check for alphanumeric user/domain names is removed form sesssetup.c, even
a user with accented chars can connect, or even login (via winbind).
I have also simplified the interfaces to ads_mod_*, though we will probably
want to expand this by a few functions in the near future. We just had
too many ways to do the same thing...
(This used to be commit f924cb53580bc081ff34e45abba57629018c68d6)
|
|
(This used to be commit 5a04ea1f0c41965bc735f38f4892dc37571734d6)
|
|
(This used to be commit b84882a628b3f2f0890322f25694c1932aa3e5ec)
|
|
(This used to be commit 180311a48cfa808ea9edc9f32558554b243b10eb)
|
|
changes ...
(This used to be commit 8096032663690eafb6bb8b4f405d6231389d4f80)
|
|
(This used to be commit 3e58a1ee83ea0b4347ce24e566445cc6cb67bb3a)
|
|
libraries with handling blank passwords.
(This used to be commit 59d755ffb57c322a104ff8f52819956cafff1bac)
|