summaryrefslogtreecommitdiff
path: root/source3/libads
AgeCommit message (Collapse)AuthorFilesLines
2004-01-09fix some warnings from the Sun compilerGerald Carter1-14/+14
(This used to be commit ebabf72a78f0165521268b73e0fcabe1ea7834fd)
2004-01-08This merges in my 'always use ADS' patch. Tested on a mix of NT and ADSAndrew Bartlett2-6/+22
domains, this patch ensures that we always use the ADS backend when security=ADS, and the remote server is capable. The routines used for this behaviour have been upgraded to modern Samba codeing standards. This is a change in behaviour for mixed mode domains, and if the trusted domain cannot be reached with our current krb5.conf file, we will show that domain as disconnected. This is in line with existing behaviour for native mode domains, and for our primary domain. As a consequence of testing this patch, I found that our kerberos error handling was well below par - we would often throw away useful error values. These changes move more routines to ADS_STATUS to return kerberos errors. Also found when valgrinding the setup, fix a few memory leaks. While sniffing the resultant connections, I noticed we would query our list of trusted domains twice - so I have reworked some of the code to avoid that. Andrew Bartlett (This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
2004-01-06Fix segfualt caused by incorrect configuration. If lp_realm() was not set,Andrew Bartlett1-5/+9
but security=ADS, we would attempt to free the principal name that krb5 never allocated. Also fix the dump_data() of the session key, now that we use a data_blob to store that. Andrew Bartlett (This used to be commit 4ad67f13404ef0118265ad66d8bdfa256c914ad0)
2004-01-05Try to keep vl happy - shorten some of these lines.Andrew Bartlett1-6/+12
(This used to be commit 3a4c56e4c60854bbd291adc7d321d3869e6dedab)
2004-01-05There is some memory corruption hidden somewhere in our winbind code. If IAndrew Bartlett1-4/+8
could reproduce it, I would fix it, but for now just make sure we always SAFE_FREE() and set our starting pointers to NULL. Andrew Bartlett (This used to be commit c279e178bc122e1e2aa519f7a373a3d93672a3ac)
2004-01-05rpc_client/cli_lsarpc.c:Andrew Bartlett1-17/+22
rpc_parse/parse_lsa.c: nsswitch/winbindd_rpc.c: nsswitch/winbindd.h: - Add const libads/ads_ldap.c: - Cleanup function for use nsswitch/winbindd_ads.c: - Use new utility function ads_sid_to_dn - Don't search for 'dn=', rather call the ads_search_retry_dn() nsswitch/winbindd_ads.c: include/rpc_ds.h: rpc_client/cli_ds.c: - Fixup braindamage in cli_ds_enum_domain_trusts(): - This function was returning a UNISTR2 up to the caller, and was doing nasty (invalid, per valgrind) things with memcpy() - Create a new structure that represents this informaiton in a useful way and use talloc. Andrew Bartlett (This used to be commit 06c3f15aa166bb567d8be0a8bc4b095b167ab371)
2004-01-05Fix for bug 707, getent group for huge ads groups (>1500 members)Andrew Bartlett1-8/+130
This introduces range retrieval of ADS attributes. VL rewrote most of Günther's patch, partly to remove code duplication and partly to get the retrieval of members in one rush, not interrupted by the lookups for the DN. I rewrote that patch, to ensure that we can keep an eye on the USN (sequence number) of the entry - this allows us to ensure the read was atomic. In particular, the range retrieval is now generic, for strings. It could easily be made generic for any attribute type, if need be. Andrew Bartlett (This used to be commit 131bb928f19c7b1f582c4ad9ac42e5f3d9dfb622)
2004-01-05I'm not quite sure what happened here - but replace the ads_sid_to_dnAndrew Bartlett1-9/+9
function with one that compiles. Andrew Bartlett (This used to be commit 0d5b0345a60741ae50f6770d9cecf698864cd209)
2004-01-05Add a utilty function for converting a sid to a DN.Andrew Bartlett1-0/+74
Andrew Bartlett (This used to be commit 49a7a3fd17cfeef439e2049a51dbfcbc037f1a93)
2004-01-01After talking with abartlet remove the fix for bug 707 again.Volker Lendecke1-92/+8
Volker (This used to be commit 0c8ee04c78543b1da3b675df4cf85ee5496c3fbf)
2004-01-01Fix for bug 707, getent group for huge ads groups (>1500 members)Volker Lendecke1-8/+92
This introduces range retrieval of ADS attributes. I've rewritten most of Günther's patch, partly to remove code duplication and partly to get the retrieval of members in one rush, not interrupted by the lookups for the DN. Andrew, you told me that you would like to see a check whether the AD sequence number is the same before and after the retrieval to achieve atomicity. This would be trivial to add, but I'm not sure that we want this, as this adds two roundtrips to every membership query. We can not know before the first query whether we get additional range values, and at that point it's too late to ask for the USN. Tested with a group of 4000 members along with lots of small groups. Volker (This used to be commit 9d8235bf413f931e40bca0c27a25ed62b4f3d226)
2003-12-31auth/auth_util.c:Andrew Bartlett1-1/+1
- Fill in the 'backup' idea of a domain, if the DC didn't supply one. This doesn't seem to occour in reality, hence why we missed the typo. lib/charcnv.c: lib/smbldap.c: libads/ldap.c: libsmb/libsmbclient.c: printing/nt_printing.c: - all the callers to pull_utf8_allocate() pass a char ** as the first parammeter, so don't make them all cast it to a void ** nsswitch/winbind_util.c: - Allow for a more 'correct' view of when usernames should be qualified in winbindd. If we are a PDC, or have 'winbind trusted domains only', then for the authentication returns stip the domain portion. - Fix valgrind warning about use of free()ed name when looking up our local domain. lp_workgroup() is maniplated inside a procedure that uses it's former value. Instead, use the fact that our local domain is always the first in the list. Andrew Bartlett (This used to be commit 494781f628683d6e68e8ba21ae54f738727e8c21)
2003-12-13Fix from ndb@theghet.to to allow an existing LDAP machine account to beJeremy Allison1-12/+29
re-used, rather than created from scratch. Jeremy. (This used to be commit 6d46e66ac2048352ca60f92fc384f60406024d4b)
2003-11-26Get rid of a const warningVolker Lendecke1-1/+1
Volker (This used to be commit 94860687c535ace0c962ca3fe7da59df05325c62)
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett1-1/+1
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-10-22Put strcasecmp/strncasecmp on the banned list (except for needed callsJeremy Allison2-5/+5
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at all and I really want to discourage that. Jeremy. (This used to be commit d7e35dfb9283d560d0ed2ab231f36ed92767dace)
2003-10-17Add configure test for krb5_keytab_entry keyblock vs key member. Bug #636.Tim Potter1-4/+12
(This used to be commit 3daefe9d17fb2c7b1c4d21593465e6788555b0fb)
2003-10-03don't call ads_destroy() twice; fixes segfault in winbindd when DC goes ↵Gerald Carter2-2/+8
down; bug 437 (This used to be commit 1cfbd92404270e0c67a3b295fc9cf461b29d3503)
2003-09-10Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not convertingJeremy Allison1-1/+10
to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-09-06revert retry loops in winbindd_ads as abartket points out, weGerald Carter1-2/+2
already have ads_search_retry() for this. However, neither domain_sid() nor sequence_nunber() used this function. So modify them to us ads_do_search_retry() so we can specify the base search DN and scope. (This used to be commit 89f6adf830187d020bf4b35d1a4b2b48c7a075d0)
2003-09-03Try to add memory keytab support. It also includes much of the genericJim McDonough1-1/+141
keytab support code, but it won't be enabled until we add that to smb.conf. Adapted from the work of Guenther Deschner (gd@suse.com). Please hammer on this... (This used to be commit a26fa5bee24c73cd835f59bb18162ab07760d76a)
2003-08-25Fix segfault. krb5_free_ticket does not check if it got a NULL ticket.Volker Lendecke1-1/+2
(This used to be commit 97e4778103744419ecaeb0058460041ef01b2e2a)
2003-08-20metze's autogenerate patch for version.hGerald Carter1-1/+1
(This used to be commit ae452e51b02672a56adf18aa7a7e365eeaba9272)
2003-08-19 - Make 'net' use a single funciton for setting the 'use machine account' code.Andrew Bartlett1-9/+6
- Make winbindd try to use kerberos for connections to DCs, so that it can access RA=2 servers, particularly for netlogon. - Make rpcclient follow the new flags for the NETLOGON pipe - Make all the code that uses schannel use the centralised functions for doing so. Andrew Bartlett (This used to be commit 96b4187963cedcfe158ff02868929b8cf81c6ebf)
2003-08-15Don't print out error in ads_do_search_retry() when it suceeds.Tim Potter1-1/+4
(This used to be commit 617feab4223f5ba3cc5e090de5e63da72fce49df)
2003-08-15s/OM_uint32//uint32/gGerald Carter2-3/+3
(This used to be commit f8a092e7b42cd157cf86240984be40badd0afd87)
2003-08-15get rid of more compiler warningsHerb Lewis4-12/+12
(This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669)
2003-08-15Fix memleaks.Volker Lendecke2-7/+14
Currently I'm compiling against MIT Kerberos 1.2.8. Anthony, you said you have a heimdal installation available. Could you please compile this stuff with krb and check it with valgrind? Thanks, Volker (This used to be commit d8ab44685994b302bb46eed9001c72c194d13dc8)
2003-08-14In ads_verify_realm, all we use in the ADS_STRUCT is theVolker Lendecke1-2/+2
auth.realm. So directly pass that instead of setting up and tearing down the ADS_STRUCT. Volker (This used to be commit ce5b8d2ec20fe1f4d3d1956020d88272fb84124a)
2003-08-01Update my copyrights according to my agreement with IBMJim McDonough4-4/+4
(This used to be commit c9b209be2b17c2e4677cc30b46b1074f48878f43)
2003-07-31working on transtive trusts issue:Gerald Carter1-71/+0
* use DsEnumerateDomainTrusts() instead of LDAP search. wbinfo -m now lists all trusted downlevel domains and all domains in the forest. Thnigs to do: o Look at Krb5 connection trusted domains o make sure to initial the trusted domain cache as soon as possible (This used to be commit 0ab00ccaedf204b39c86a9e1c2fcac5f15d0e033)
2003-07-30Don't revert something until you've seen if volker has already fixed it :-).Jeremy Allison1-4/+0
Jeremy. (This used to be commit d57d9b99dfc2a83d91b952a11eb1ae4cf37e6467)
2003-07-30Comment out mutex until I get dependencies sorted out...Jeremy Allison1-0/+4
Jeremy (This used to be commit 382d1732ca8e4d0909eb5a95f7327213913da37b)
2003-07-29Put mutex around access of replay cache for krb5 tickets. krb5 replay cacheJeremy Allison1-4/+13
is not multi-process safe. Jeremy. (This used to be commit 9e0534a1b69bbd4f21b4925337cbab127d060fc6)
2003-07-29Typo on my part. I typed KRB5_KDB_BAD_ENCTYPE when I meant to type ↵Jeremy Allison1-1/+1
KRB5_BAD_ENCTYPE. Heimdal has the latter, not the former. Jeremy. (This used to be commit e8425df77c2e917c819592d93833a164ee3b5338)
2003-07-29Fix the build on Heimdal. KRB5_KDB_BAD_ENCTYPE doesn't exist on Heimdal, andJim McDonough1-1/+1
it's a different rc than KRB5_BAD_ENCTYPE (which exists on both MIT and Heimdal). This will just make the debug show up at level 3 always. Jeremy, you may want to revisit this, but it's probably not worth the hassle. (This used to be commit 4ff322ccf9c8485bcfe67e658d48f190f03547b0)
2003-07-29Improved debug messages whilst trying to track down kerb issues.Jeremy Allison1-13/+20
Jeremy. (This used to be commit 29dd71ddea480f6163ebbc9d8860a7930ae84066)
2003-07-25W00t! Client smb signing is now working correctly with krb5 and w2k server.Jeremy Allison2-2/+3
Server code *should* also work (I'll check shortly). May be the odd memory leak. Problem was we (a) weren't setting signing on in the client krb5 sessionsetup code (b) we need to ask for a subkey... (c). The client and server need to ask for local and remote subkeys respectively. Thanks to Paul Nelson @ Thursby for some sage advice on this :-). Jeremy. (This used to be commit 3f9e3b60709df5ab755045a093e642510d4cde00)
2003-07-25fix case where no realm or workgroup means to use our ownGerald Carter1-2/+19
(This used to be commit 6edc7e0a744a5d8c6332758b800a2646ef16dd77)
2003-07-23connect to the right realm or domain for trusted AD domainsGerald Carter1-8/+4
(This used to be commit 83376671c511be4bb10d3fca8e49e5f6ef792b9c)
2003-07-12Fixed memory leaks, added krb5 replay cache. Now I need to add code to checkJeremy Allison1-17/+72
the incoming addresses.... Jeremy. (This used to be commit 4e9359a1f67a44b2981579383327ba774e1c31f9)
2003-07-10Fix shadow parameter warning.Tim Potter1-4/+4
(This used to be commit 8d8d85ecd62dba075d90e54ec75da9b1328784fb)
2003-07-07Call the synchronous version of the ldap delete function otherwise we end upTim Potter1-1/+1
treating the returned message id as an error code. (This used to be commit 42fdcef324d7a04e69c0078482e1a6b8a67ade94)
2003-07-03Removed strupper/strlower macros that automatically map to ↵Jeremy Allison3-7/+7
strupper_m/strlower_m. I really want people to think about when they're using multibyte strings. Jeremy. (This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
2003-07-03Implemented 'net ads printer search' which searches the directory forTim Potter1-1/+14
published printers. At the moment we don't search using any parameters but this can be fixed by changing the LDAP search string. Also we should contact the global catalog at SRV _gc._tcp instead of the ldap server we get back from ads_startup(). (This used to be commit 814519c5de7f962623163b732c8589abd355d845)
2003-07-03Fix bug in doxygen comments for ads search functions.Tim Potter1-4/+4
(This used to be commit ae6c05ea726da13fc1a18398d1ffe56f34e1edb9)
2003-06-30Fix shadow variable warnings.Tim Potter1-8/+8
(This used to be commit 5ffb8e0920be2da19ac3f442b9bf56c159011822)
2003-06-25* fix typos in a few debug statementsGerald Carter1-3/+9
* check negative connection cache before ads_try_connect() in ads_find_dc() (This used to be commit 2a76101a3a31f5fca2f444b25e3f0486f7ef406f)
2003-06-25large change:Gerald Carter2-120/+48
*) consolidates the dc location routines again (dns and netbios) get_dc_list() or get_sorted_dc_list() is the authoritative means of locating DC's again. (also inludes a flag to get_dc_list() to define if this should be a DNS only lookup or not) (however, if you set "name resolve order = hosts wins" you could still get DNS queries for domain name IFF ldap_domain2hostlist() fails. The answer? Fix your DNS setup) *) enabled DOMAIN<0x1c> lookups to be funneled through resolve_hosts resulting in a call to ldap_domain2hostlist() if lp_security() == SEC_ADS *) enables name cache for winbind ADS backend *) enable the negative connection cache for winbind ADS backend *) removes some old dead code *) consolidates some duplicate code *) moves the internal_name_resolve() to use an IP/port pair to deal with SRV RR dns replies. The namecache code also supports the IP:port syntax now as well. *) removes 'ads server' and moves the functionality back into 'password server' (which can support "hostname:port" syntax now but works fine with defaults depending on the value of lp_security()) (This used to be commit d7f7fcda425bef380441509734eca33da943c091)
2003-06-23* s/get_dc_name/rpc_dc_name/g (revert a previous change)Gerald Carter1-0/+3
* move back to qsort() for sorting IP address in get_dc_list() * remove dc_name_cache in cm_get_dc_name() since it slowed things down more than it helped. I've made a note of where to add in the negative connection cache in the ads code. Will come back to that. * fix rpcclient to use PRINTER_ALL_ACCESS for set printer (instead of MAX_ALLOWED) * only enumerate domain local groups in our domain * simplify ldap search for seqnum in winbindd's rpc backend (This used to be commit f8cab8635b02b205b4031279cedd804c1fb22c5b)