summaryrefslogtreecommitdiff
path: root/source3/libads
AgeCommit message (Collapse)AuthorFilesLines
2009-10-01s3: update comment about (deprecated) a6 recordsBjörn Jacke1-1/+2
2009-09-17spnego: share spnego_parse.Günther Deschner1-0/+1
Guenther
2009-08-26Add a parameter to disable the automatic creation of krb5.conf filesVolker Lendecke1-1/+6
This is necessary because MIT 1.5 can't deal with certain types (Tree Root) of transitive AD trusts. The workaround is to add a [capaths] directive to /etc/krb5.conf, which we don't automatically put into the krb5.conf winbind creates. The alternative would have been something like a "krb5 conf include", but I think if someone has to mess with /etc/krb5.conf at this level, it should be easy to add the site-local KDCs as well. Next alternative is to correctly figure out the [capaths] parameter for all trusted domains, but for that I don't have the time right now. Sorry :-)
2009-08-25Do an early TALLOC_FREEVolker Lendecke1-1/+2
2009-07-28(Hopefully) fix the problem Kai reported withJeremy Allison1-1/+1
net ads leave and IPv6. Ensure all DC lookups prefer IPv4. Jeremy.
2009-07-28Added prefer_ipv4 bool parameter to resolve_name().Jeremy Allison1-12/+25
W2K3 DC's can have IPv6 addresses but won't serve krb5/ldap or cldap on those addresses. Make sure when we're asking for DC's we prefer IPv4. If you have an IPv6-only network this prioritizing code will be a no-op. And if you have a mixed network then you need to prioritize IPv4 due to W2K3 DC's. Jeremy.
2009-07-15Remove gencache_init/shutdownVolker Lendecke1-8/+0
gencache_get/set/del/iterate call gencache_init() internally anyway. And we've been very lazy calling gencache_shutdown, so this seems not really required.
2009-07-09Make escape_ldap_string take a talloc contextVolker Lendecke1-3/+3
2009-06-08Replace the "ipv4" specific strings in libcli/cldap/cldap.c with "ip". CLDAP canJeremy Allison1-15/+6
run over IPv4/IPv6, even though some of the netlogon messages are IPv4 specific. Fix the new ads_cldap_netlogon() to be IPv6/IPv4 agnostic. This compiles but I don't have a good test env. for this (although as the previous code was *completely* broken over IPv6 this will expose previously hidden bugs if it's broken :-). Jeremy.
2009-05-31Fix some nonempty blank linesVolker Lendecke1-60/+59
2009-05-30Move ads flags mapping to lib/Volker Lendecke1-133/+5
2009-05-28Make sid_binstring & friends take a talloc contextVolker Lendecke1-2/+2
2009-05-28Add smbldap_pull_sidVolker Lendecke1-13/+1
2009-04-28s3-cldap: check for zero ip address in ads_cldap_netlogon().Günther Deschner1-0/+7
Guenther
2009-04-27s3:registry: replace typedef REGISTRY_VALUE by struct regval_blobMichael Adam1-8/+8
Michael
2009-04-27s3:registry: replace typedef REGVAL_CTR by struct regval_ctr.Michael Adam1-1/+1
This paves the way for hiding the typedef and the implementation from the surface. Michael
2009-04-23samba3/ldb: Update the ldb_dn API to match that of the Samba 4 LDB:Jelmer Vernooij1-10/+9
* ldb_dn_new() now takes an initial DN string * ldb_dn_string_compose() -> ldb_dn_new_fmt() * dummy ldb_dn_validate(), since LDB DNs in the current implementation are always valid if they could be created.
2009-04-23ldb/samba3: Support event context argument to ldb_init().Jelmer Vernooij1-0/+3
This argument is ignored (Samba3's LDB is synchronous) but having it there is useful for API compatibility with the LDB used by Samba 4 and available on some systems.
2009-04-23Fix coverity #901 - uninitialized data.Jeremy Allison1-1/+1
Jeremy.
2009-04-22Add comment explaining the previous fix.Jeremy Allison1-0/+6
Jeremy.
2009-04-22Fix bug #6279 - winbindd crash. Cope with LDAP libraries returning ↵Jeremy Allison1-0/+4
LDAP_SUCCESS but not returning a result. Jeremy
2009-04-20Remove smb_mkstemp() - libreplace will now provide a secure mkstemp() ifJelmer Vernooij1-1/+1
the system one is broken.
2009-04-20Make gpo_ldap.c compatible with samba 4. Add ads_get_ldap_server_name() ↵Wilco Baan Hofman1-0/+5
function to samba 3. Move prototypes to root libgpo where appropriate. gpo_ldap.c now compiles for both samba 3 and 4. Signed-off-by: Günther Deschner <gd@samba.org>
2009-04-14Convert Samba3 to use the common lib/util/charset APIAndrew Bartlett1-8/+8
This removes calls to push_*_allocate() and pull_*_allocate(), as well as convert_string_allocate, as they are not in the common API To allow transition to a common charcnv in future, provide Samba4-like strupper functions in source3/lib/charcnv.c (the actual implementation remains distinct, but the API is now shared) Andrew Bartlett
2009-04-07s3:kerberos Rework smb_krb5_unparse_name() to take a talloc contextAndrew Bartlett4-21/+22
Signed-off-by: Günther Deschner <gd@samba.org>
2009-04-07s3-libads: avoid NULL talloc context with ads_get_dn().Günther Deschner1-8/+8
Guenther
2009-04-06s3:libads Make ads_get_dn() take a talloc contextAndrew Bartlett1-40/+29
Also remove ads_memfree(), which was only ever a wrapper around SAFE_FREE, used only to free the DN from ads_get_ds(). This actually makes libgpo more consistant, as it mixed a talloc and a malloc based string on the same element. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2009-03-20s3-krb5: Fix Coverity #762 (REVERSE_INULL).Günther Deschner1-6/+6
Guenther
2009-03-19s3:libads: use libcli/cldap codeStefan Metzmacher1-229/+67
metze
2009-03-19fix build on old Heimdal based systemsBjörn Jacke1-5/+3
Signed-off-by: Günther Deschner <gd@samba.org>
2009-03-18s3: remove POLICY_HND.Günther Deschner1-1/+1
Guenther
2009-03-18s3-spoolss: use rpccli_spoolss_enumprinterdataex in ldap_printer.c.Günther Deschner1-26/+43
Guenther
2009-03-01Eliminate two duplicate SEC_ACE_TYPE constants already provided byJelmer Vernooij1-4/+4
security.idl.
2009-02-10s3-rpcclient: use rpccli_spoolss_openprinter_ex helper.Günther Deschner1-5/+5
Guenther
2009-02-10s3-spoolss: fix memleak in get_remote_printer_publishing_data().Günther Deschner1-2/+8
Guenther
2009-02-09s3-rpcclient: use srv_name_slash instead of formating servername again and ↵Günther Deschner1-4/+3
again. Guenther
2009-02-06s3-spoolss: use rpccli_spoolss_ClosePrinter.Günther Deschner1-1/+1
Guenther
2009-02-06s3: use pidl to pull a KRB5_EDATA_NTSTATUS.Günther Deschner1-36/+6
Guenther
2009-02-05s3/libads: Change "ldap ssl:ads" parameter to "ldap ssl ads".Karolin Seeger1-1/+1
Karolin
2009-02-03s3-kerberos: use KRB5_KT_KEY compat macro.Günther Deschner1-7/+1
Guenther
2009-02-03s3-kerberos: fix ads_dedicated_keytab_verify_ticket with heimdal.Günther Deschner1-3/+10
Guenther
2009-02-03Revert "fix for commit d96248a9b46 which broke Heimdal builds"Günther Deschner1-6/+0
This does not build. This reverts commit af736923a541df1a37afeb72b8a5652932c4c69c.
2009-02-02fix for commit d96248a9b46 which broke Heimdal buildsBjörn Jacke1-0/+6
2009-02-01Add two new parameters to control how we verify kerberos tickets. Removes ↵Dan Sledz1-17/+112
lp_use_kerberos_keytab parameter. The first is "kerberos method" and replaces the "use kerberos keytab" with an enum. Valid options are: secrets only - use only the secrets for ticket verification (default) system keytab - use only the system keytab for ticket verification dedicated keytab - use a dedicated keytab for ticket verification. secrets and keytab - use the secrets.tdb first, then the system keytab For existing installs: "use kerberos keytab = yes" corresponds to secrets and keytab "use kerberos keytab = no" corresponds to secrets only The major difference between "system keytab" and "dedicated keytab" is that the latter method relies on kerberos to find the correct keytab entry instead of filtering based on expected principals. The second parameter is "dedicated keytab file", which is the keytab to use when in "dedicated keytab" mode. This keytab is only used in ads_verify_ticket.
2009-01-29s3: fix bug #6073: prevent ads_connect() from using SSL unless explicitly ↵Michael Adam1-3/+5
requested This fixes "net ads join". It copes with the changed default "ldap ssl = start tls". A new boolean option "ldap ssl : ads" is added to allow for explicitly requesting ssl with ads. Michael
2009-01-16ads_connect: Return immediately on a failed GC connection.Gerald (Jerry) Carter1-3/+14
ads_connect_gc() feeds an explicit server to ads_connect(). However, if the resulting connection fails, the latter function was attempting to find a DC on its own and continuing the connection. This resulting in GC searches being sent over a connection using port 389 which would fail when using the base search suffix outside of the domain naming context. The fix is to fail immediately in ads_connect() since the GC lookup ordering is handled already in ads_connect_gc().
2009-01-16s3:libads: use lock_path for creating paths to local krb5.conf filesMichael Adam1-2/+3
instead of manually doing an asprintf with lp_lockdir() Michael squash
2009-01-16s3:libads: give create_local_private_krb5_conf_for_domain() a common exit pointMichael Adam1-30/+20
Michael
2009-01-04Async wrapper for open_socket_out_send/recvVolker Lendecke1-12/+19
2009-01-03open_socket_out is always used with SOCK_STREAM, remove argument "type"Volker Lendecke1-1/+1