summaryrefslogtreecommitdiff
path: root/source3/libads
AgeCommit message (Collapse)AuthorFilesLines
2003-11-22(merge from 3.0)Andrew Bartlett1-1/+1
Changes all over the shop, but all towards: - NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... Andrew Bartlett (This used to be commit 57a895aaabacc0c9147344d097d333793b77c947)
2003-10-30More GUID->struct uuid changes.Jim McDonough1-2/+4
Printer publishing now uses struct uuid. Also changes ads_pull_guid to unpack it from the wire format. (This used to be commit 671b434cc4b422144ab8f5858ae9c2179de701e1)
2003-10-30First round of merging various UUID structures.Jim McDonough1-9/+3
This eliminates RPC_UUID. It creates the following struct: struct uuid { uint32 time_low; uint16 time_mid; uint16 time_hi_and_version; uint8 clock_seq[2]; uint8 node[6]; }; which replaces RPC_UUID and various random struct uuid definitions and a flat version: #define UUID_FLAT_SIZE 16 typedef struct uuid_flat { uint8 info[UUID_FLAT_SIZE]; } UUID_FLAT; which pretty much looks like GUID (which I will start eliminating). I want us to use the FLAT one only on the wire (perhaps in files, too?), and I want it to be obvious to the coder that it is the FLAT version. This leaves a couple of compiler warnings, where GUID isn't completely replaced by FLAT_UUID yet...I'll get to those soon. (This used to be commit 1532b5d2e3c61df232b16394acedf6eac387588b)
2003-10-22Put strcasecmp/strncasecmp on the banned list (except for needed callsJeremy Allison2-5/+5
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at all and I really want to discourage that. Jeremy. (This used to be commit 5c050a735f86927c7ef2a98b6f3a56abe39e4674)
2003-10-21Merge of krb5_keytab entry key vs keyblock member check from HEAD.Tim Potter1-4/+12
(This used to be commit 720f5e5629c54e851c3e9026dc88676795e44c8e)
2003-10-03don't call ads_destroy() twice; fixes segfault in winbindd when DC goes ↵Gerald Carter2-2/+8
down; bug 437 (This used to be commit 9da4d1f7dbb289dd1db5e57a4fd78004bbfbd26b)
2003-09-15Merge from Samba 3.0:Tim Potter1-1/+10
>Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting >to/from utf8 for some calls. The libads code gets this right. Wonder why >the passdb code doesn't use it ? >Jeremy. (This used to be commit 258c106e2243f19c77fe35edd6dcba816a8fc8ee)
2003-09-09sync 3.0 into HEAD for the last timeGerald Carter7-36/+184
(This used to be commit c17a7dc9a190156a069da3e861c18fd3f81224ad)
2003-08-02port latest changes from SAMBA_3_0 treeSimo Sorce6-96/+59
(This used to be commit 3101c236b8241dc0183995ffceed551876427de4)
2003-07-23connect to the right realm or domain for trusted AD domainsGerald Carter1-8/+4
(This used to be commit ae14f8364398f07fc3e7c7861cd39fe528f3fe7a)
2003-07-16trying to get HEAD building again. If you want the codeGerald Carter9-239/+211
prior to this merge, checkout HEAD_PRE_3_0_0_BETA_3_MERGE (This used to be commit adb98e7b7cd0f025b52c570e4034eebf4047b1ad)
2003-05-15Patch from Luke Howard <lukeh@PADL.COM> to recognise local groups.Jeremy Allison1-0/+2
Jeremy. (This used to be commit 626116b738927660c3cf0070fc73222e46412187)
2003-04-16Store the type of 'sec channel' that we establish to the DC. If we are aAndrew Bartlett3-7/+11
workstation, we have to use the workstation type, if we have a BDC account, we must use the BDC type - even if we are pretending to be a workstation at the moment. Also actually store and retreive the last change time, so we can do periodic password changes again (for RPC at least). And finally, a couple of minor fixes to 'net'. Andrew Bartlett (This used to be commit 6e6b7b79edae3efd0197651e9a8ce6775c001cf2)
2003-04-14decode_pac_data() needs a talloc ctx as an argument.Tim Potter1-1/+1
(This used to be commit eeeae14fed62ad9d15f2c5a8fa9357da4bb7b3a1)
2003-04-09Complete what I've seen (and then some)t of the PAC.Jim McDonough1-5/+124
I haven't seen the rid+attr arrays for group membership, nor sids or the same kind of arrays for resource domains, so I don't know how that will work. Also, the PAC info type 10 is now decoded, but I don't know what it's for. It has an NTTIME, a 16-bit name length, and a username. According to M$, it's not needed, because they didn't doc it... (This used to be commit 28ab8504cf6c181866106e5cc626a5896283d0a9)
2003-04-07Decode the PAC! This patch just decodes it and then frees it, so it's justJim McDonough2-0/+501
for doc purposes right now (you can see it in the debug logs). (This used to be commit 046c2087a11b9ce7a02aece34ffb129ce0d66b08)
2003-03-25- Support building all auth modules as .so'sJelmer Vernooij2-38/+38
- Change 2 variable names to avoid conflicts (patch by Stephan Kulow <coolo@kde.org>) (This used to be commit 71b05cd14ae6df8340730e7bad1c783dc278c5d3)
2003-03-16Changes to help the kerberos change password code work on systems thatAndrew Bartlett1-37/+29
have some of the labels 'duplicated' (ie, the defines double-up). Also, to an ads_connect() to try and find our KDC. (So we don't segfualt *every* time) Andrew Bartlett (This used to be commit 56dce7ddad118051c93c62507234efca3920bc9b)
2003-03-12 - Fix a double-free (I can't say I understand the code, but it matches the ↵Andrew Bartlett1-6/+5
other cases and keeps valgrind quiet). - Add static Andrew Bartlett (This used to be commit e9da9c500b96a828d744e7a1c64427fc01153310)
2003-03-05More const fixes.Jeremy Allison1-2/+2
Jeremy. (This used to be commit 7b945e10a6c636c0b0aabc841803bf44405cb2ae)
2003-02-25tokenGroups are SIDs, so dump them as such.Andrew Bartlett1-0/+1
(This used to be commit 43f07e9de70ad9993265e28a54239caba0121ab6)
2003-02-24Patch from Luke Howard to add mutual kerberos authentication, and SMB sessionAndrew Bartlett1-6/+26
keys for kerberos authentication. Andrew Bartlett (This used to be commit 8b798f03dbbdd670ff9af4eb46f7b0845c611e0f)
2003-02-24Always initialiseAndrew Bartlett1-2/+2
(This used to be commit ff2b5b2f85f2d9dade67077cea1b68719cf65352)
2003-02-22Fix a DEBUG() formatting, add some more debug to our SID pulling code andAndrew Bartlett1-18/+33
inline the call to prs_copy_all_data_out() so that we can know we are not overrunning our buffer. Also check more return values. Andrew Bartlett (This used to be commit e3b73d5d658584428c81c9ef3ccf024687a56e2f)
2003-02-19libads/krb5_setpw.cJim McDonough1-1/+2
(This used to be commit 4c52d7bd933f61bdba3d4159a204fe16db3d4f0f)
2003-02-19Fix segv in net ads join...an extra & was the culpritJim McDonough1-1/+1
(This used to be commit 9874b233d55a0b1aea7eb033848f4b63a531833b)
2003-02-19Check return values of various join-related functions, and ensure we alwaysAndrew Bartlett1-9/+16
compare push_* returns with (size_t)-1, not < 0. Andrew Bartlett (This used to be commit 63f5e92536c6bcac54b796d6e91b755e7d328f66)
2003-02-19Try to get heimdal working with HEAD.Jim McDonough1-20/+7
- Provide generic functions for - get valid encryption types - free encryption types - Add encryption type parm to generic function create_kerberos_key_from_string() - Try to merge the two versions (between HEAD and SAMBA_3_0) of kerberos_verify.c I think this should work for both MIT and heimdal, in HEAD. If all goes smooth, I'll move it over to 3.0 soon... (This used to be commit 45e409fc8da9f26cf888e13d004392660d7c55d4)
2003-02-18Fix of two warnings.Rafal Szczesniak1-5/+3
pull_ucs2_talloc function takes char** pointer, not (here explicitly casted) void** one. Rafal (This used to be commit e77c44efd95d42a8194f5c3d36c043f8e84dfd1d)
2003-02-15Antti Andreimann <Antti.Andreimann@mail.ee> has done some changes to enableAndrew Bartlett4-132/+337
users w/o full administrative access on computer accounts to join a computer into AD domain. The patch and detailed changelog is available at: http://www.itcollege.ee/~aandreim/samba This is a list of changes in general: 1. When creating machine account do not fail if SD cannot be changed. setting SD is not mandatory and join will work perfectly without it. 2. Implement KPASSWD CHANGEPW protocol for changing trust password so machine account does not need to have reset password right for itself. 3. Command line utilities no longer interfere with user's existing kerberos ticket cache. 4. Command line utilities can do kerberos authentication even if username is specified (-U). Initial TGT will be requested in this case. I've modified the patch to share the kinit code, rather than copying it, and updated it to current CVS. The other change included in the original patch (local realms) has been left out for now. Andrew Bartlett (This used to be commit ce52f1c2ed4d3ddafe8ae6258c90b90fa434fe43)
2003-02-14Ensure that only parse_prs.c access internal members of the prs_struct.Jeremy Allison1-5/+11
Needed to move to disk based i/o later. Jeremy. (This used to be commit 4c3ee228fcdb089eaeead95e79532a9cf6cb0de6)
2003-02-12add a note about a better method for finding netbios name of workgroupAndrew Tridgell1-0/+7
(not implemented yet) (This used to be commit 8a8cca78adebba640c6ce971d8888515bf0ea4be)
2003-02-04Mem alloc failure checks.Jeremy Allison3-23/+59
Jeremy. (This used to be commit 4e33e3f37fd548b9b1ed3c84f673a853b0dc4818)
2003-02-01Always escape ldap filter strings. Escaping code was from pam_ldap, but I'm toAndrew Bartlett3-10/+39
blame for the realloc() stuff. Plus a couple of minor updates to libads. Andrew Bartlett (This used to be commit 34b2e558a4b3cfd753339bb228a9799e27ed8170)
2003-01-21More fixes getting us closer to full Heimdal compile....Jeremy Allison1-11/+7
Jeremy. (This used to be commit 193cc4f4fc876c66e97ea6b82bae431d0247c1fa)
2003-01-21sanity checks from Ken CrossGerald Carter2-3/+7
(This used to be commit ec26877f0b4fbe2c651a6069d22b9ac0637aa2d1)
2003-01-15* removed unused variable from rpcclient codeGerald Carter1-5/+5
* added container option to net command (patch from SuSE) * Makefile patch for examples/VFS from SuSE (This used to be commit 4a6d8280ea27ca7a6998219aacc4b15b1227a659)
2003-01-11Patch from Nik Conwell <nik@bu.edu>. Don't reference free()ed data when tryingAndrew Bartlett1-1/+3
to figure out if we have got our ticket yet. Andrew Bartlett (This used to be commit a66ced2cf69145c0a5be5ed91ac306db50c313d1)
2003-01-02BIG patch...Andrew Bartlett3-8/+8
This patch makes Samba compile cleanly with -Wwrite-strings. - That is, all string literals are marked as 'const'. These strings are always read only, this just marks them as such for passing to other functions. What is most supprising is that I didn't need to change more than a few lines of code (all in 'net', which got a small cleanup of net.h and extern variables). The rest is just adding a lot of 'const'. As far as I can tell, I have not added any new warnings - apart from making all of tdbutil.c's function const (so they warn for adding that const string to struct). Andrew Bartlett (This used to be commit 92a777d0eaa4fb3a1c7835816f93c6bdd456816d)
2002-12-30Catching up with old patches. Add define for VERITAS quota support.Jeremy Allison1-0/+2
Check return in ldap. Jeremy. (This used to be commit e789edbb287319f52f49f2999917a610565144d9)
2002-12-20Forward port the change to talloc_init() to make all talloc contextsJeremy Allison2-9/+9
named. Ensure we can query them. Jeremy. (This used to be commit 842e08e52a665ae678eea239759bb2de1a0d7b33)
2002-12-13More printer publishing code.Jim McDonough1-0/+26
- Add published attribute to info2, needed for win clients to work properly - Return proper info on getprinter 7 This means you can now look at the sharing tab of a printer and get correct info about whether it is published or not, and change it. (This used to be commit adda04379ee46f105436262663652f3f576fa3cf)
2002-12-05More printer data to publishJim McDonough1-0/+1
(This used to be commit 82f3a786bf01878629fe4c05b028ae8d58eb4394)
2002-12-03Stop using hardcoded key/value strings, be more forgiving of ↵Jim McDonough1-70/+74
dsspooler/dsdriver info existence. (This used to be commit ca8735532cb656a09c1586326cdce33984fe38b4)
2002-11-23[merge from APP_HEAD]Gerald Carter1-1/+2
90% fix for CR 1076. The password server parameter will no take things like password server = DC1 * which means to contact DC1 first and the go to auto lookup if it fails. jerry (This used to be commit c31a17889e3e4daf7c1e807038efc2c0fba78be3)
2002-11-18Don't pass a function to ADS_ERR_OK().Jim McDonough1-6/+13
(This used to be commit a148e4c290820a48c8b51e0e0459b2171b32c258)
2002-11-18Next step of printer publishing.Jim McDonough1-106/+242
net ads printer publish <printername> [servername] Will retreive the DsSpooler and DsDriver info by rpc for a remote server then publish it. Next comes doing it within smbd (This used to be commit 64951938cc5666a757683cbe9bee3a2c20a05323)
2002-11-15Include the hostname we are trying to match with $@, to allow easier debugging.Andrew Bartlett1-1/+1
(This used to be commit f5d8afc626b8f7792aa7dd7fa7082f55725b539c)
2002-11-12Removed global_myworkgroup, global_myname, global_myscope. Added liberalJeremy Allison4-27/+26
dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit 82b8f749a36b42e22186297482aad2abb04fab8a)
2002-11-10make sure that if kerberos fails we can fall back on NTLMSSP for SASLAndrew Tridgell1-2/+5
(This used to be commit 69dba08c40c9739137b4f01d38be5228edc6dd6e)