Age | Commit message (Collapse) | Author | Files | Lines |
|
Thanks to Michael Adam <ma@sernet.de>
Volker
(This used to be commit 91878f9b6fbe5187fb7d0464008ea0abe7f11a73)
|
|
the LGPL. Original code by Krishna Ganugapati <krishnag@centeris.com>.
Additional work by me.
It's still got some warts, but non-secure updates do
currently work. There are at least four things left to
really clean up.
1. Change the memory management to use talloc() rather than
malloc() and cleanup the leaks.
2. Fix the error code reporting (see initial changes to
dnserr.h)
3. Fix the secure updates
4. Define a public interface in addns.h
5. Move the code in libads/dns.c into the libaddns/ directory
(and under the LGPL).
A few notes:
* Enable the new code by compiling with --with-dnsupdate
* Also adds the command 'net ads dns register'
* Requires -luuid (included in the e2fsprogs-devel package).
* Has only been tested on Linux platforms so there may be portability
issues.
(This used to be commit 36f04674aeefd93c5a0408b8967dcd48b86fdbc1)
|
|
error. Fix our DNS SRV lookup code to deal with multi-homed hosts.
We were noly remembering one IP address per host from the Additional
records section in the SRV response which could have been an unreachable
address.
(This used to be commit 899179d2b9fba13cc6f4dab6efc3c22e44e062bc)
|
|
Michael Adam/Volker, please check.
Guenther
(This used to be commit d0feb85781f69325ee70aff98370cfac037c4cc2)
|
|
(This used to be commit 09e7c010f03ac3c621f7a7fad44685d278c1481a)
|
|
Thanks to Michael Adam <ma@sernet.de>
Volker
(This used to be commit 6e641c90b8f52a822a83701cdf305c60416d7f0c)
|
|
(This used to be commit de76217cfb9d20431189e838999a634e4de067a9)
|
|
NO_LOGON_SERVERS if no domain controller was found.
Thanks to Michael Adam <ma@sernet.de>.
Volker
(This used to be commit d44599de3a61707a32851f37ddfb2425949622f8)
|
|
inspired
by Christian M Ambach <CAMBACH1@de.ibm.com>.
Volker
(This used to be commit cf7c83d462dc766fa6f48728d0a4e8d534cc2bd4)
|
|
(This used to be commit 0f483cf66c203d8590998b83cbeeb236ba06ab63)
|
|
(This used to be commit 21c8fa2fc8bfd35d203b089ff61efc7c292b4dc0)
|
|
is not an A record for each SRV name
(This used to be commit 42608b8bb974e1bd88cf2105bf1774622c045458)
|
|
segv in the DNS SRV lookups dur to calling rand()
(This used to be commit be12519fd8a7ccd8400fd298e05921eda56b4e16)
|
|
* add code to lookup NS records (in prep for later coe that
does DNS updates as part of the net ads join)
(This used to be commit 36d4970646638a2719ebb05a091c951183535987)
|
|
Jerry, please check.
Thanks,
Volker
(This used to be commit b87c4952216b6302b0e1f22689b5a36b6aa65349)
|
|
check this is your new code.
Jeremy.
(This used to be commit 144067783d1c56b574911532f074bdaa7cea9c6e)
|
|
when fetching the DES salting principal
(This used to be commit baf554c7934cbd591635196453c19d402358e073)
|
|
(This used to be commit bf701f51294dacd0d4077b5304772c40119460eb)
|
|
Major points of interest:
* Figure the DES salt based on the domain functional level
and UPN (if present and applicable)
* Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC
keys
* Remove all the case permutations in the keytab entry
generation (to be partially re-added only if necessary).
* Generate keytab entries based on the existing SPN values
in AD
The resulting keytab looks like:
ktutil: list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
2 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
3 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
4 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
5 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
6 6 host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
7 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
8 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
9 6 suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName)
and the sAMAccountName value. The UPN will be added as well if the machine has
one. This fixes 'kinit -k'.
Tested keytab using mod_auth_krb and MIT's telnet. ads_verify_ticket()
continues to work with RC4-HMAC and DES keys.
(This used to be commit 6261dd3c67d10db6cfa2e77a8d304d3dce4050a4)
|
|
to do the upper layer directories but this is what
everyone is waiting for....
Jeremy.
(This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
|
|
Guenther
(This used to be commit 6257f9af93f2391940b2c60fe39c0bf106de15dd)
|
|
Guenther
(This used to be commit 863aeb621afa7dcec1bfef8e503ef8ed363e3742)
|
|
netbios domain name in server affinity cache.
Guenther
(This used to be commit 08958411eeff430fb523d9b73e0259d060bac17b)
|
|
Jeremy.
(This used to be commit d48655d9c0b31d15327655140c021de29873d2c5)
|
|
get duplicate OID's returned in the oids_out list it is
still good programming practice to clear out a malloc'ed
string before re-writing it (especially in a loop).
Jeremy
(This used to be commit ae02c05bfca46eb6a8ba25b124c18a358a759cb5)
|
|
Guenther
(This used to be commit 479dec68459df606ff566ac86eb3b4bbbd2ca77a)
|
|
277 278 (cmd_*)
485 487 488 (ldap.c)
Volker
(This used to be commit 5b1eba76b3ec5cb9b896a9a5641b4d83bdbdd4cf)
|
|
Jeremy.
(This used to be commit 7e397b534a5ca5809facf5aa84acbfb0b8c9a5b4)
|
|
Jeremy.
(This used to be commit 2b69d436da7b2902ea419f3bcc45c7b5a5c571fb)
|
|
Jeremy.
(This used to be commit dd31f3fc0e044fdae139aefcb21773249c30eb74)
|
|
Guenther
(This used to be commit afdb1189029e01a132f16fea48624126ec65cd77)
|
|
This patch is mainly based on the work of Todd Stecher
<tstecher@isilon.com> and has been reviewed by Jeremy.
I sucessfully tested and valgrinded it with MIT 1.4.3, 1.3.5, Heimdal
0.7.2 and 0.6.1rc3.
Guenther
(This used to be commit 535d03cbe8b021e9aa6d74b62d81b867c494c957)
|
|
(This used to be commit b369d0891afe8b777b837eaac317131232568ca7)
|
|
strtok for NULL.
Jeremy.
(This used to be commit 98751e8190317416de56b4a19a489c5f4b7d6bc9)
|
|
Guenther
(This used to be commit dfebcc8e19bee06b7c03f88845314e9cfd6f398a)
|
|
We still used the old HOST/* UPN to get e.g. users, now we need
samaccountname$@REA.LM.
Guenther
(This used to be commit f6516a799aec2db819f79b9a1e641637422a9b4c)
|
|
(adapt to the new UPN/SPN scheme).
Guenther
(This used to be commit 8fc70d0df0c93c29b49f924bac9ff5d9857cfd9d)
|
|
failed. Noticed by Bob Gautier.
Guenther
(This used to be commit 7327f94546a90df25c688dcafd42e0993133057a)
|
|
(This used to be commit 7c375fd540fa54ac8ae71c42ed07e01c593044b3)
|
|
Guenther
(This used to be commit 6cfc65ea20793a72ff1666759bd4e8e446247071)
|
|
(since removal implies greater permissions that Windows clients require)
(This used to be commit ad1f947625612ef16adb69fc2cfeffc68a9a2e02)
|
|
more scalable:
The most efficient way is to use the "tokenGroups" attribute which gives
the nested group membership. As this attribute can not always be
retrieved when binding with the machine account (the only garanteed way
to get the tokenGroups I could find is when the machine account is a
member of the "Pre Win2k Access" builtin group).
Our current fallback when "tokenGroups" failed is looking for all groups
where the userdn was in the "member" attribute. This behaves not very
well in very large AD domains.
The patch first tries the "memberOf" attribute on the user's dn in that
case and directly retrieves the group's sids by using the LDAP Extended
DN control from the user's object.
The way to pass down the control to the ldap search call is rather
painfull and probably will be rearranged later on.
Successfully tested on win2k sp0, win2k sp4, wink3 sp1 and win2k3 r2.
Guenther
(This used to be commit 7d766b5505e4099ef7dd4e88bb000ebe38d71bd0)
|
|
Expand the "winbind nss info" to also take "rfc2307" to support the
plain posix attributes LDAP schema from win2k3-r2.
This work is based on patches from Howard Wilkinson and Bob Gautier
(and closes bug #3345).
Guenther
(This used to be commit 52423e01dc209ba5abde808a446287714ed11567)
|
|
Guenther
(This used to be commit ec26c355b3ef1d3d809c4fbe911ce6fcef5db955)
|
|
(This used to be commit 53f7104b4fbb4f59c18458f589e25e7b536642cb)
|
|
Re-add the capability to specify an OU in which to create
the machine account. Done via LDAP prior to the RPC join.
(This used to be commit b69ac0e30441faea7a7d677b6bb551aa8ffbf55d)
|
|
* replace printf to stderr with DEBUG statements as they get printed in
daemons
* "net ads lookup" return code
Guenther
(This used to be commit 8dd925c5fbfcbe711c596d08e8eadc19607d5492)
|
|
unavailable; use "ldap timeout" handling.
Jerry, please check.
Guenther
(This used to be commit 821bbb4566c4b3f9798054ed3bf772db0c9ae3f2)
|
|
(This used to be commit 18f2e1a4e19a83afec6573a020f3a913f07d19dc)
|
|
The motivating factor is to not require more privileges for
the user account than Windows does when joining a domain.
The points of interest are
* net_ads_join() uses same rpc mechanisms as net_rpc_join()
* Enable CLDAP queries for filling in the majority of the
ADS_STRUCT->config information
* Remove ldap_initialized() from sam/idmap_ad.c and
libads/ldap.c
* Remove some unnecessary fields from ADS_STRUCT
* Manually set the dNSHostName and servicePrincipalName attribute
using the machine account after the join
Thanks to Guenther and Simo for the review.
Still to do:
* Fix the userAccountControl for DES only systems
* Set the userPrincipalName in order to support things like
'kinit -k' (although we might be able to just use the sAMAccountName
instead)
* Re-add support for pre-creating the machine account in
a specific OU
(This used to be commit 4c4ea7b20f44cd200cef8c7b389d51b72eccc39b)
|