summaryrefslogtreecommitdiff
path: root/source3/libads
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r16955: Fix an uninitialized var -- Jerry, please check.Volker Lendecke1-2/+2
(This used to be commit bf701f51294dacd0d4077b5304772c40119460eb)
2007-10-10r16952: New derive DES salt code and Krb5 keytab generationGerald Carter5-734/+510
Major points of interest: * Figure the DES salt based on the domain functional level and UPN (if present and applicable) * Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC keys * Remove all the case permutations in the keytab entry generation (to be partially re-added only if necessary). * Generate keytab entries based on the existing SPN values in AD The resulting keytab looks like: ktutil: list -e slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 2 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 3 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) 4 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 5 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 6 6 host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) 7 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 8 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 9 6 suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName) and the sAMAccountName value. The UPN will be added as well if the machine has one. This fixes 'kinit -k'. Tested keytab using mod_auth_krb and MIT's telnet. ads_verify_ticket() continues to work with RC4-HMAC and DES keys. (This used to be commit 6261dd3c67d10db6cfa2e77a8d304d3dce4050a4)
2007-10-10r16945: Sync trunk -> 3.0 for 3.0.24 code. Still needJeremy Allison3-6/+9
to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2007-10-10r16862: Reverting accidential changes in ads_try_connect() from previous commit.Günther Deschner1-2/+2
Guenther (This used to be commit 6257f9af93f2391940b2c60fe39c0bf106de15dd)
2007-10-10r16861: Fixing crash bug when passing no domain/realm name to the CLDAP request.Günther Deschner2-7/+10
Guenther (This used to be commit 863aeb621afa7dcec1bfef8e503ef8ed363e3742)
2007-10-10r16836: When receiving a CLDAP reply make sure that we always store the correctGünther Deschner1-1/+3
netbios domain name in server affinity cache. Guenther (This used to be commit 08958411eeff430fb523d9b73e0259d060bac17b)
2007-10-10r16685: Fix bug #3901 reported by jason@ncac.gwu.edu.Jeremy Allison1-7/+1
Jeremy. (This used to be commit d48655d9c0b31d15327655140c021de29873d2c5)
2007-10-10r16589: Fix Klocwork #1999. Although it should be impossible toJeremy Allison1-0/+5
get duplicate OID's returned in the oids_out list it is still good programming practice to clear out a malloc'ed string before re-writing it (especially in a loop). Jeremy (This used to be commit ae02c05bfca46eb6a8ba25b124c18a358a759cb5)
2007-10-10r16452: Fix memleak in the CLDAP processing (found by valgrind).Günther Deschner1-0/+3
Guenther (This used to be commit 479dec68459df606ff566ac86eb3b4bbbd2ca77a)
2007-10-10r16339: Fix Klocwork IDVolker Lendecke1-1/+7
277 278 (cmd_*) 485 487 488 (ldap.c) Volker (This used to be commit 5b1eba76b3ec5cb9b896a9a5641b4d83bdbdd4cf)
2007-10-10r16326: Klocwork #509. Always check return allocs.Jeremy Allison1-0/+9
Jeremy. (This used to be commit 7e397b534a5ca5809facf5aa84acbfb0b8c9a5b4)
2007-10-10r16324: Klocwork #499. Allways check results from alloc.Jeremy Allison1-1/+19
Jeremy. (This used to be commit 2b69d436da7b2902ea419f3bcc45c7b5a5c571fb)
2007-10-10r16322: Klocwork #481., Don't deref null on malloc fail.Jeremy Allison1-2/+4
Jeremy. (This used to be commit dd31f3fc0e044fdae139aefcb21773249c30eb74)
2007-10-10r16272: Fix memleak.Günther Deschner1-1/+2
Guenther (This used to be commit afdb1189029e01a132f16fea48624126ec65cd77)
2007-10-10r16268: Add TCP fallback for our implementation of the CHANGEPW kpasswd calls.Günther Deschner1-104/+166
This patch is mainly based on the work of Todd Stecher <tstecher@isilon.com> and has been reviewed by Jeremy. I sucessfully tested and valgrinded it with MIT 1.4.3, 1.3.5, Heimdal 0.7.2 and 0.6.1rc3. Guenther (This used to be commit 535d03cbe8b021e9aa6d74b62d81b867c494c957)
2007-10-10r16201: Fix Klocwork 439Volker Lendecke1-1/+3
(This used to be commit b369d0891afe8b777b837eaac317131232568ca7)
2007-10-10r16199: Fix Klocwork #1 - ensure we test the firstJeremy Allison1-10/+12
strtok for NULL. Jeremy. (This used to be commit 98751e8190317416de56b4a19a489c5f4b7d6bc9)
2007-10-10r16190: Fix more memleaks.Günther Deschner1-1/+6
Guenther (This used to be commit dfebcc8e19bee06b7c03f88845314e9cfd6f398a)
2007-10-10r16117: Make winbindd work again in security=ads.Günther Deschner1-2/+6
We still used the old HOST/* UPN to get e.g. users, now we need samaccountname$@REA.LM. Guenther (This used to be commit f6516a799aec2db819f79b9a1e641637422a9b4c)
2007-10-10r16115: Make "net ads changetrustpw" work again.Günther Deschner1-7/+3
(adapt to the new UPN/SPN scheme). Guenther (This used to be commit 8fc70d0df0c93c29b49f924bac9ff5d9857cfd9d)
2007-10-10r15980: Correctly destroy talloc_ctx when the LDAP posix attribute query hasGünther Deschner1-7/+8
failed. Noticed by Bob Gautier. Guenther (This used to be commit 7327f94546a90df25c688dcafd42e0993133057a)
2007-10-10r15822: Add suggestion made by Ralf Haferkamp.Lars Müller1-1/+1
(This used to be commit 7c375fd540fa54ac8ae71c42ed07e01c593044b3)
2007-10-10r15704: Prefer LDAP error codes in ads_search_retry_sid().Günther Deschner1-2/+2
Guenther (This used to be commit 6cfc65ea20793a72ff1666759bd4e8e446247071)
2007-10-10r15701: change 'net ads leave' to disable the machine account in the domain ↵Gerald Carter1-184/+0
(since removal implies greater permissions that Windows clients require) (This used to be commit ad1f947625612ef16adb69fc2cfeffc68a9a2e02)
2007-10-10r15698: An attempt to make the winbind lookup_usergroups() call in security=adsGünther Deschner2-21/+238
more scalable: The most efficient way is to use the "tokenGroups" attribute which gives the nested group membership. As this attribute can not always be retrieved when binding with the machine account (the only garanteed way to get the tokenGroups I could find is when the machine account is a member of the "Pre Win2k Access" builtin group). Our current fallback when "tokenGroups" failed is looking for all groups where the userdn was in the "member" attribute. This behaves not very well in very large AD domains. The patch first tries the "memberOf" attribute on the user's dn in that case and directly retrieves the group's sids by using the LDAP Extended DN control from the user's object. The way to pass down the control to the ldap search call is rather painfull and probably will be rearranged later on. Successfully tested on win2k sp0, win2k sp4, wink3 sp1 and win2k3 r2. Guenther (This used to be commit 7d766b5505e4099ef7dd4e88bb000ebe38d71bd0)
2007-10-10r15697: I take no comments as no objections :)Günther Deschner3-155/+334
Expand the "winbind nss info" to also take "rfc2307" to support the plain posix attributes LDAP schema from win2k3-r2. This work is based on patches from Howard Wilkinson and Bob Gautier (and closes bug #3345). Guenther (This used to be commit 52423e01dc209ba5abde808a446287714ed11567)
2007-10-10r15696: Free LDAP search result.Günther Deschner1-0/+2
Guenther (This used to be commit ec26c355b3ef1d3d809c4fbe911ce6fcef5db955)
2007-10-10r15635: Fix a bogus gcc uninit variable messageVolker Lendecke1-1/+1
(This used to be commit 53f7104b4fbb4f59c18458f589e25e7b536642cb)
2007-10-10r15560: Since the hotel doesn't have Sci-Fi and no "Doctor Who"....Gerald Carter1-171/+25
Re-add the capability to specify an OU in which to create the machine account. Done via LDAP prior to the RPC join. (This used to be commit b69ac0e30441faea7a7d677b6bb551aa8ffbf55d)
2007-10-10r15559: Smaller fixes for the new cldap code:Günther Deschner1-5/+5
* replace printf to stderr with DEBUG statements as they get printed in daemons * "net ads lookup" return code Guenther (This used to be commit 8dd925c5fbfcbe711c596d08e8eadc19607d5492)
2007-10-10r15558: Do not wait endless for a CLDAP reply when the LDAP server isGünther Deschner1-1/+21
unavailable; use "ldap timeout" handling. Jerry, please check. Guenther (This used to be commit 821bbb4566c4b3f9798054ed3bf772db0c9ae3f2)
2007-10-10r15544: make sure to define NS_PACKETSZ for Bind 4 interfaces (fix build on us4)Gerald Carter1-1/+6
(This used to be commit 18f2e1a4e19a83afec6573a020f3a913f07d19dc)
2007-10-10r15543: New implementation of 'net ads join' to be more like Windows XP.Gerald Carter3-206/+441
The motivating factor is to not require more privileges for the user account than Windows does when joining a domain. The points of interest are * net_ads_join() uses same rpc mechanisms as net_rpc_join() * Enable CLDAP queries for filling in the majority of the ADS_STRUCT->config information * Remove ldap_initialized() from sam/idmap_ad.c and libads/ldap.c * Remove some unnecessary fields from ADS_STRUCT * Manually set the dNSHostName and servicePrincipalName attribute using the machine account after the join Thanks to Guenther and Simo for the review. Still to do: * Fix the userAccountControl for DES only systems * Set the userPrincipalName in order to support things like 'kinit -k' (although we might be able to just use the sAMAccountName instead) * Re-add support for pre-creating the machine account in a specific OU (This used to be commit 4c4ea7b20f44cd200cef8c7b389d51b72eccc39b)
2007-10-10r15523: Honour the time_offset also when verifying kerberos tickets. ThisGünther Deschner1-1/+6
prevents a nasty failure condition in winbindd's pam_auth where a tgt and a service ticket could have been succefully retrieved, but just not validated. Guenther (This used to be commit a75dd80c6210d01aff104a86b0a9d39d65f2c348)
2007-10-10r15492: Without this patch, the LDAP client libs will call abort() inAndrew Bartlett1-9/+19
ldap_get_values_len, because they were handed a NULL msgs pointer, for example in ads_pull_sid(). This occurs when the AD server fails at the connect stage. (The toubled AD server is actually Samba4 in my example). Andrew Bartlett (This used to be commit 221a6de7d028f5c9bb9da038650868582d44e7e5)
2007-10-10r15464: fix dns build breakage on IRIX and OpenBSDGerald Carter1-5/+10
(This used to be commit 43f5d09a164ae111807222bdcbef949206766097)
2007-10-10r15463: compile fix for new DNS code for machine using Bind 4 libs (old IRIX ↵Gerald Carter1-0/+8
host) (This used to be commit b0160f893393a446927c751961d101ddbcba4db4)
2007-10-10r15462: replace the use of OpenLDAP's ldap_domain2hostlist() forGerald Carter1-0/+353
locating AD DC's with out own DNS SRV queries. Testing on Linux and Solaris. (This used to be commit cf71f88a3cdcabf99c0798ef4cf8c978397a57eb)
2007-10-10r15461: Free LDAP result in ads_get_attrname_by_oid().Günther Deschner1-1/+6
Guenther (This used to be commit f4af888282ff39665f186550b9ccbbf7a9128fc2)
2007-10-10r15392: In most cases, this mapping is more appropriate. (I know, it is still aGünther Deschner1-1/+1
mess, but there is no way the get NTSTATUS from the edata yet). Guenther (This used to be commit be2bd3945c057a4ad72251f809cffbe4694a7e3d)
2007-10-10r15305: Let winbind search by sid directly (or in windows terms: "bind to aGünther Deschner2-104/+25
sid"); works in all AD versions I tested. Also add "net ads sid" search tool. Guenther (This used to be commit 5557ada6943b817d28a5471c613c7291febe2ad5)
2007-10-10r15250: dump some more sids.Günther Deschner1-0/+2
Guenther (This used to be commit 2922c7f5704e3cfcc80dc648bb3d6d9aa80aaf37)
2007-10-10r15240: Correctly disallow unauthorized access when logging on with theGünther Deschner1-2/+24
kerberized pam_winbind and workstation restrictions are in effect. The krb5 AS-REQ needs to add the host netbios-name in the address-list. We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from the edata of the KRB_ERROR but the login at least fails when the local machine is not in the workstation list on the DC. Guenther (This used to be commit 8b2ba11508e2730aba074d7c095291fac2a62176)
2007-10-10r15210: Add wrapper functions smb_krb5_parse_name, smb_krb5_unparse_name,Jeremy Allison5-41/+37
smb_krb5_parse_name_norealm_conv that pull/push from unix charset to utf8 (which krb5 uses on the wire). This should fix issues when the unix charset is not compatible with or set to utf8. Jeremy. (This used to be commit 37ab42afbc9a79cf5b04ce6a1bf4060e9c961199)
2007-10-10r14931: Fix #1374: can't join an OU with name that contains '#'Jim McDonough1-2/+6
I had to eliminate "\" as an OU path separator, because it is the escape char in LDAP. We still accept "/", but using the escape char is just not a good choice. (This used to be commit 1953f63903e64e0a33eb981c51b8ca4beb673af2)
2007-10-10r14682: Small cleanup in ads_verify_ticket.Günther Deschner1-6/+5
Guenther (This used to be commit 90df68634b508b0a58f0a15ab62e9cead85765b6)
2007-10-10r14611: Fix init_creds_opts issue jerry discovered when using MIT krb5 1.3:Günther Deschner1-10/+0
We were using a far too short renewable_time in the request; newer MIT releases take care interally that the renewable time is never shorter then the default ticket lifetime. Guenther (This used to be commit bde4a4018e26bc9aab4b928ec9811c05b21574f3)
2007-10-10r14585: Tighten argument list of kerberos_kinit_password again,Günther Deschner2-5/+21
kerberos_kinit_password_ext provides access to more options. Guenther (This used to be commit afc519530f94b420b305fc28f83c16db671d0d7f)
2007-10-10r14576: Skip remaining keytab entries when we have a clear indication thatGünther Deschner1-1/+23
krb5_rd_req could decrypt the ticket but that ticket is just not valid at the moment (either not yet valid or already expired). (This also prevents an MIT kerberos related crash) Guenther (This used to be commit 8a0c1933d3f354a8aff67482b8c7d0d1083e0c8f)
2007-10-10r14512: Guenther, This code breaks winbind with MIT krb1.3.Gerald Carter1-2/+12
I'm disabling it for now until we have en effective means of dealing with the ticket request flags for users and computers. (This used to be commit 635f0c9c01c2e389ca916e9004e9ea064bf69cbb)