path: root/source3/libads
Age | Commit message | Author | Files | Lines
2009-02-02 | fix for commit d96248a9b46 which broke Heimdal builds | Björn Jacke | 1 | -0/+6
2009-02-01 | Add two new parameters to control how we verify kerberos tickets. Removes lp_use_kerberos_keytab parameter. | Dan Sledz | 1 | -17/+112
    The first is "kerberos method" and replaces the "use kerberos keytab" with an enum. Valid options are:
      secrets only - use only the secrets for ticket verification (default)
      system keytab - use only the system keytab for ticket verification
      dedicated keytab - use a dedicated keytab for ticket verification.
      secrets and keytab - use the secrets.tdb first, then the system keytab
    For existing installs:
      "use kerberos keytab = yes" corresponds to secrets and keytab
      "use kerberos keytab = no" corresponds to secrets only
    The major difference between "system keytab" and "dedicated keytab" is that the latter method relies on kerberos to find the correct keytab entry instead of filtering based on expected principals.
    The second parameter is "dedicated keytab file", which is the keytab to use when in "dedicated keytab" mode. This keytab is only used in ads_verify_ticket.
2009-01-29 | s3: fix bug #6073: prevent ads_connect() from using SSL unless explicitly requested | Michael Adam | 1 | -3/+5
    This fixes "net ads join". It copes with the changed default "ldap ssl = start tls". A new boolean option "ldap ssl : ads" is added to allow for explicitly requesting ssl with ads.
    Michael
2009-01-16 | ads_connect: Return immediately on a failed GC connection. | Gerald (Jerry) Carter | 1 | -3/+14
    ads_connect_gc() feeds an explicit server to ads_connect(). However, if the resulting connection fails, the latter function was attempting to find a DC on its own and continuing the connection. This resulted in GC searches being sent over a connection using port 389 which would fail when using the base search suffix outside of the domain naming context.
    The fix is to fail immediately in ads_connect() since the GC lookup ordering is handled already in ads_connect_gc().
2009-01-16 | s3:libads: use lock_path for creating paths to local krb5.conf files | Michael Adam | 1 | -2/+3
    instead of manually doing an asprintf with lp_lockdir()
    Michael squash
2009-01-16 | s3:libads: give create_local_private_krb5_conf_for_domain() a common exit point | Michael Adam | 1 | -30/+20
    Michael
2009-01-04 | Async wrapper for open_socket_out_send/recv | Volker Lendecke | 1 | -12/+19
2009-01-03 | open_socket_out is always used with SOCK_STREAM, remove argument "type" | Volker Lendecke | 1 | -1/+1
2008-12-31 | Replace a static variable and alarm() calls by using sys_select() | Volker Lendecke | 1 | -23/+24
    Günther, please check!
2008-12-31 | Fix some nonempty blank lines | Volker Lendecke | 1 | -5/+5
2008-12-30 | Fix more "ignore return value" warnings from gcc 4.3. | Jeremy Allison | 1 | -9/+22
    Jeremy
2008-12-23 | Fix more asprintf warnings and some error path errors. | Jeremy Allison | 1 | -2/+10
    Jeremy.
2008-12-23 | More asprintf warning fixes. | Jeremy Allison | 3 | -8/+28
    Jeremy.
2008-12-23 | More asprintf warning fixes. | Jeremy Allison | 1 | -9/+18
    Jeremy.
2008-12-23 | Fix more asprintf errors and error code paths. | Jeremy Allison | 2 | -9/+31
    Jeremy.
2008-12-13 | s3:libads/ldap.c: store the dc name in the saf cache as in all other places | Stefan Metzmacher | 1 | -3/+2
    metze
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Signed-off-by: Günther Deschner <gd@samba.org>
    (cherry picked from commit 543fa85a711337e979c7b631bda5db95d109ef59)
2008-12-13 | s3:libads/ldap.c: if the client belongs to no site at all any dc is the closest | Stefan Metzmacher | 1 | -0/+5
    metze
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Signed-off-by: Günther Deschner <gd@samba.org>
    (cherry picked from commit f86ef9b53a903485deba94febf90dd4e657cc02b)
2008-12-13 | s3:libads/ldap.c: pass the real workgroup name to get_dc_name() | Stefan Metzmacher | 1 | -1/+10
    metze
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Signed-off-by: Günther Deschner <gd@samba.org>
    (cherry picked from commit c2d4a84abe1b6cbf68d6e9f1bb1f8974d0b628fc)
2008-12-13 | s3: libads: use get_dc_name() instead of get_sorted_dc_list() in the LDAP case | Stefan Metzmacher | 1 | -1/+25
    We use get_dc_name() for LDAP because it generates the selfwritten krb5.conf with the correct kdc addresses and sets KRB5_CONFIG. For CLDAP we need to use get_sorted_dc_list() to avoid recursion.
    metze
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Signed-off-by: Günther Deschner <gd@samba.org>
    (cherry picked from commit d2f7f81f4d61bae9c4be65cbc1bf962b6c24a31f)
2008-12-13 | s3: correctly detect if the current dc is the closest one | Stefan Metzmacher | 1 | -1/+0
    ads->config.tried_closest_dc was never set.
    metze
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Signed-off-by: Günther Deschner <gd@samba.org>
    (cherry picked from commit dfe5b00db35e1e7c7bb3ba36729fc3f97eb48db3)
2008-12-03 | s3: Change sockaddr util function names for consistency | Tim Prouty | 1 | -3/+3
    Also eliminates name conflicts with OneFS system libraries
2008-12-02 | s3-net: allow to list a keytab generated using net rpc vampire. | Günther Deschner | 1 | -2/+5
    Guenther
2008-11-24 | s3:libads/ldap.c: return an error instead of crashing when no realm is given | Stefan Metzmacher | 1 | -4/+4
    The bug was triggered by "net ads info -S 127.8.7.6" (where 127.8.7.6 doesn't ex and "disable netbios = yes".
    metze
    Signed-off-by: Michael Adam <obnox@samba.org>
2008-11-18 | Fix extended DN parse error when AD object does not have a SID. | Steven Danneman | 1 | -24/+38
    Some AD objects, like Exchange Public Folders, can be members of Security Groups but do not have a SID attribute. This patch adds more granular return errors to ads_get_sid_from_extended_dn(). Callers can now determine if a parse error occurred because of bad input, or the DN was valid but contained no SID. I updated all callers to ignore SIDless objects when appropriate.
    Also did some cleanup to the out paths of lookup_usergroups_memberof()
2008-11-18 | Whitespace and >80 column cleanups. | Steven Danneman | 1 | -12/+12
2008-11-01 | Rename dos_errstr() to win_errstr() for consistency with Samba 4. | Jelmer Vernooij | 1 | -3/+3
2008-10-23 | Use sockaddr_storage only where we rely on the size, use sockaddr | Jelmer Vernooij | 1 | -4/+5
    otherwise (to clarify we can also pass in structs smaller than sockaddr_storage, such as sockaddr_in).
2008-10-22 | s3-asn1: make all of s3 asn1 code do a proper asn1_init() first. | Günther Deschner | 2 | -96/+110
    Guenther
2008-10-22 | s3: use shared asn1 code. | Günther Deschner | 2 | -7/+7
    Guenther
2008-10-20 | s3-build: no need to duplicate generated ndr_ prototypes. | Günther Deschner | 1 | -0/+1
    Guenther
2008-10-19 | Add TALLOC_CTX pointer to generate_random_str(), for consistency with | Jelmer Vernooij | 1 | -1/+1
    Samba 4.
2008-10-15 | kerberos: fix some heimdal build warnings. | Günther Deschner | 1 | -4/+4
    Guenther
2008-10-14 | Use GUID_string rather than smb_uuid_string(). | Jelmer Vernooij | 2 | -6/+6
2008-10-13 | fix build warnings. | Günther Deschner | 1 | -1/+1
    Guenther
2008-10-12 | Use common strlist implementation in Samba 3 and Samba 4. | Jelmer Vernooij | 1 | -2/+2
2008-10-11 | Cope with changed signature of http_timestring(). | Jelmer Vernooij | 1 | -2/+2
2008-10-04 | Fix an unlikely memleak found by the IBM checker | Volker Lendecke | 1 | -0/+2
2008-10-04 | Fix an uninitialized variable found by the IBM Checker | Volker Lendecke | 1 | -0/+1
2008-10-02 | The IRIX compiler does not like embedded unnamed unions | Volker Lendecke | 1 | -1/+1
2008-09-24 | s3-nbt: use the new generated nbt. | Günther Deschner | 2 | -99/+20
    Guenther
2008-09-23 | s3: fix NETLOGON_NT_VERSION version flags. | Günther Deschner | 1 | -10/+10
    Guenther
2008-09-23 | s3: use samba4 prototype for ndr_push/pull_struct_blob. | Günther Deschner | 2 | -8/+8
    Guenther
2008-09-16 | * Allow an admin to define the "uid" attribute for a RFC2307 | Gerald (Jerry) Carter | 1 | -3/+12
    user object in AD to be the username alias. For example:

    $ net ads search "(uid=coffeedude)"
    distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
    sAMAccountName: gcarter
    memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
    memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
    memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
    memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
    uid: coffeedude
    uidNumber: 10000
    gidNumber: 10000
    unixHomeDirectory: /home/gcarter
    loginShell: /bin/bash

    $ ssh coffeedude@192.168.56.91
    Password:
    coffeedude@orville:~$ id
    uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)

    $ getent passwd PINK\\gcarter
    coffeedude:*:10000:10000::/home/gcarter:/bin/bash

    $ getent passwd coffeedude
    coffeedude:*:10000:10000::/home/gcarter:/bin/bash

    $ getent group PINK\\Unixusers
    PINK\unixusers:x:10000:coffeedude
2008-09-04 | kerberos: fix indent of enc type lines in generated krb5.conf files. | Günther Deschner | 1 | -3/+3
    Guenther
    (This used to be commit 18a26f08b6fab4119a1421a7ca59c32dde8bb8cb)
2008-08-29 | kerberos: use KRB5_KT_KEY macro where appropriate. | Günther Deschner | 1 | -9/+2
    Guenther
    (This used to be commit a042dffd7121bda3dbc9509f69fcfae06ed4cc22)
2008-08-20 | libads: remove unused vars. | Günther Deschner | 1 | -3/+0
    Guenther
    (This used to be commit ea9fc3bea31b11e715d9524defc18b75e5943842)
2008-07-30 | Fix uninitialized variables. | Jeremy Allison | 1 | -0/+1
    Jeremy.
    (This used to be commit 1db7e00a5400863fd5dbb81c1a4c6ea6092d0495)
2008-07-18 | kerberos: make smb_krb5_kt_add_entry() static. | Günther Deschner | 1 | -6/+6
    Guenther
    (This used to be commit 04b1847f87d166819dfe0f8c27c8cd9fc062544f)
2008-07-11 | Revert "Pass NULL to gencache_get when we are not interested in the timeout value" | Volker Lendecke | 1 | -1/+2
    This reverts commit 16062dfc3dcc8f1ca0024a3ae21effb889c7ffc0.
    (This used to be commit 114ca8577568cdb5a81d8734f1d1d096f1b36c36)
2008-07-03 | Pass NULL to gencache_get when we are not interested in the timeout value | Volker Lendecke | 1 | -2/+1
    (This used to be commit 16062dfc3dcc8f1ca0024a3ae21effb889c7ffc0)