| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
(This used to be commit 9d62f25f5d3c25d71d8b87801084d42ae9b66f8c)
|
|
winbind default domains, particulary now I understand whats going on a lot
better. This ensures that the RPC client code does as little 'magic' as
possible - this is up to the application/user. (Where - for to name->sid code
- it was all along). This leaves the change that allows the sid->name code to
return domains and usernames in seperate paramaters.
Andrew Bartlett
(This used to be commit 5dfba2cf536f761b0aee314ed9e30dc53900b691)
|
|
info3. These are RIDs, and it only makes sense to combine them with the domain
SID returned with them. This is important for trusted domains, where that sid
might be other than the one we currently reterive from the secrets.tdb.
Also remove the become_root()/unbecome_root() wrapper from around both
remaining TDB users: Both are now initialised at smbd startup.
Andrew Bartlett
(This used to be commit 554842e0a55155193f25aefca6480b89d5c512ca)
|
|
(This used to be commit 7c2d7205938ddd958b8399599febbf63ac4c8a88)
|
|
in clirap2.
(This used to be commit 935955b50ff503d18265f745e6e0df90d3e5dd4b)
|
|
(This used to be commit e67c7c5852624bcdd5c565ea5f00b143aaf7fee4)
|
|
case.
Thanks to Nigel Williams <nigel@wednesday.demon.co.uk> for spotting these!
Andrew Bartlett
(This used to be commit 20e0b562283f75606ac9a36f3f104c6aaa294c40)
|
|
smbd, and also makes it much cleaner inside winbindd.
It is mostly my code, with a few changes and testing performed by Alexander
Bokovoy <a.bokovoy@sam-solutions.net>. ab has tested it in security=domain and
security=ads, but more testing is always appricatiated.
The idea is that we no longer cart around a 'domain\user' string, we keep them
seperate until the last moment - when we push that string into a pwent on onto
the socket.
This removes the need to be constantly parsing that string - the domain prefix
is almost always already provided, (only a couple of functions actually changed
arguments in all this).
Some consequential changes to the RPC client code, to stop it concatonating the
two strings (it now passes them both back as params).
I havn't changed the cache code, however the usernames will no longer have a
double domain prefix in the key string. The actual structures are unchanged
- but the meaning of 'username' in the 'rid' will have changed. (The cache is
invalidated at startup, so on-disk formats are not an issue here).
Andrew Bartlett
(This used to be commit e870f0e727952aeb8599cf93ad2650ae56eca033)
|
|
<a.bokovoy@sam-solutions.net>.
The idea is the domain\username is rather harsh for unix systems - people don't
expect to have to FTP, SSH and (in particular) e-mail with a username like
that.
This 'corrects' that - but is not without its own problems.
As you can see from the changes to files like username.c and wb_client.c (smbd's
winbind client code) a lot of assumptions are made in a lot of places about
lp_winbind_seperator determining a users's status as a domain or local user.
The main change I will shortly be making is to investigate and kill off
winbind_initgroups() - as far as I know it was a workaround for an old bug in
winbind itself (and a bug in RH 5.2) and should no longer be relevent.
I am also going to move to using the 'winbind uid' and 'winbind gid' paramaters
to determine a user/groups's 'local' status, rather than the presence of the
seperator.
As such, this functionality is recommended for servers providing unix services,
but is currently less than optimal for windows clients.
(TODO: remove all references to lp_winbind_seperator() and
lp_winbind_use_default_domain() from smbd)
Andrew Bartlett
(This used to be commit 07a21fcd2311d2d9b430b99303e3532a8c1159e4)
|
|
(This used to be commit aca0edc819e892944c65b3feb60250994a79e88a)
|
|
(This used to be commit fb300e411bb385dcba2c3ca166598a71ed693b35)
|
|
Jeremy.
(This used to be commit 0fcca6c627a5c9c2219ec9714df5e0bc1a44cc29)
|
|
-> NT STATUS
maps. Fixes problem with disk full returning incorrect error.
Jeremy.
(This used to be commit 16fcbf3c1ccf1d704765653f68395dd596c0d841)
|
|
Jeremy.
(This used to be commit 794c3e2c76aae57d054e46b185def104ca02977c)
|
|
(This used to be commit cfac669017afa763100e335d1516fbed18049e00)
|
|
functions.
(This used to be commit e69a22290e5c923f31223906461df4874e3b2aac)
|
|
This work was sponsored by Optifacio Software Services, Inc.
Andrew Bartlett
(various e-mails announcements merged into some form of commit message below:)
This patch which adds basics of universal groups support
into Samba 3. Currently, only Winbind with RPC calls supports this, ADS
support requires additional (possibly huge) work on KRB5 PAC. However,
basic infrastructure is here.
This patch adds:
1. Storing of universal groups for particular user logged into Samba
software (smbd/ two winbind-pam methods) into netlogon_unigrp.tdb as array
of uint32 supplemental group rids keyed as DOMAIN_SID/USER_RID in tdb.
2. Fetching of unversal groups for given user rid and domain sid from
netlogon_unigrp.tdb.
Since this is used in both smbd and winbindd, main code is in
source/lib/netlogon_uingrp.c. Dependencies are added to AUTH_OBJ as
UNIGRP_OBJ and WINBINDD_OBJ as UNIGRP_OBJ.
This patch has had a few versions, the final version in particular:
Many thanks to Andrew Bartlett for critics and comments, and partly
rewritten code.
New:
- updated fetching code to changed byte order macros
- moved functions to proper namespace
- optimized memory usage by reusing caller's memory context
- enhanced code to more follow Samba coding rules
Todo:
- proper universal group expiration after timeout
(This used to be commit 80c2aefbe7c1aa363dd286a47d50c5d8b4595f43)
|
|
Jeremy.
(This used to be commit 01ff6ce4963e1daff019f2b936cef218e1c93f67)
|
|
(This used to be commit 0b0b937b58f4bf4e005fb622f0db19175fc46a47)
|
|
(This used to be commit 73a59170e6fab3b0f91938a74302750915a04a7a)
|
|
This fixes up a problem where a machine would join (or downgrade by trust
password change) to NT4 membership and not be able to regain full ADS
membership until a 'net ads leave'.
Andrew Bartlett
(This used to be commit ab8ff85f03b25a0dfe4ab63886a10da81207393c)
|
|
this is actually a workaround for old broken nmbd daemons, especially
from Samba 2.0
(This used to be commit 12021a8de6a1dc2e43cc62f094a57c57283dfaf4)
|
|
- put in some level 10 debugs so we can see what internal_resolve_name()
is doing
- remove duplicates from returned ip list of internal_resolve_name()
(This used to be commit 08d2bcef1a4fc77d28bc0fa9e4ff5f3131cedea5)
|
|
(invalid handle) though. )-:
(This used to be commit 7bfd1f35e4e194f8a2f07046e4a6c005c256c05b)
|
|
Make the offered and needed buffer size into parameters.
(This used to be commit 9d9e7fb74d420913cda1c592765b498fd64384f0)
|
|
Patch from Alexander Bokovoy <a.bokovoy@sam-solutions.net>
(This used to be commit 6c42bf208976ed3020e57efff6281f984d9fe893)
|
|
- converted OpenPrinterEx and ClosePrinter to WERROR instead of NT_STATUS
- doc
(This used to be commit 248d114f856f1adb76c903b683e0927530771443)
|
|
(This used to be commit 87bc0a71ecb0fc047fec5e0d240045fab09dd5d0)
|
|
(This used to be commit 5c8f6be290e78c4e72c821abdc9f06b7150e68e7)
|
|
One day I'll get around to refactoring the DOS error handling so it mirrors
the NT error handling code.
(This used to be commit f4535721d350f3068e8dfb612331eb609ea03da0)
|
|
to NT_STATUS_UNSUCCESSFUL according to AB's funky new error map.
(This used to be commit 9c968fbb017d3369ac207e65348a9a22dbed0213)
|
|
(This used to be commit c6affae4bf749a67c90468702eb6d4eeb97a4363)
|
|
(This used to be commit 08bb2dfec2ca0282e9268d09da2b966d3bdf493a)
|
|
This applies only to the NT->Dos map, I'm still trying to come up with a way to
do the reverse.
(This used to be commit 323dd422bd4bdeeee72c9200821e28f86d3072c8)
|
|
(This used to be commit b2af4372b1dac2e8f283184191fbb0231409a625)
|
|
This new table is rather different to the old one (see diff posted to the
list for a sorted list of differences) and needs a *lot* of testing.
It does however seem to line up much better with what NT is using, as
exampled by the change to the OBJECT_NAME_COLLISION DOS error, it now matches
win2k where it didn't before.
I can't see any critical errors we now get wrong, and I know that the auth
errors are correct as per my on-the-wire observations.
This table was produced (and I hope to comment this better later) by
using the ERRMAPEXTRACT smbtorture tool, a Win2k domain member and the
'name_to_ntstatus' auth module on the HEAD PDC. This module returned
the username as the error, and the NT box was forced to give me a dos
error becouse thats all I negotiated on that connection. Hence the map.
Andrew Bartlett
(This used to be commit a855dfb2e0b899d03087860e5462c2aed3ca4cad)
|
|
stuck in an infinite loop.
(This used to be commit fe1fb6589a0a4b4cff7a0ee0267f6e09e10e2a85)
|
|
commands in rpcclient. Replacing ERROR_INSUFFICIENT_BUFFER with
NT_STATUS_BUFFER_TOO_SMALL fixes it. Yay!
I always thought the caller (i.e cmd_spoolss.c) should take care of the
whole requested/needed buffer size thingy though...
(This used to be commit 6c950db05a2772f11b20cc13c65a123ea8b878c2)
|
|
I'll post the changes to the actual map to the list for comment, but this fixes
the 'unknown' case.
Andrew Bartlett
(This used to be commit 024843a2cedb0b9f06a3351c5838caea372b6c5c)
|
|
code.
Andrew Bartlett
(This used to be commit f0089b089b319009576bb39a076397bb44aff628)
|
|
presupplied challange-response pairs, and only using the 'network' version.
This will be used to move the auth subsystem over to a libsmb (rather than
rpc_client) base.
Andrew Bartlett
(This used to be commit fe9d77791583737320f8c7560861168df7388c2f)
|
|
(This used to be commit 2d1612dd3560bb5ef35fa1eeee00e3d7976bcd62)
|
|
(This used to be commit 45042bef7cdede6f991572677654903bbf7d9144)
|
|
cli_reg.c - indentation
pdb_ldap.c - some checks on init fns parameters
pdb_tdb.c - some checks on init fns parameters + make sure we close the db on failure
(This used to be commit 49f5cb7a3df6d673f86e6769319aa657e30d8380)
|
|
(This used to be commit 79031b68ce6bdf882d9c9bd4f3310f597e0c1fda)
|
|
- don't display Domain=[] for auth protocols that don't give us a domain
(This used to be commit 20368455ea59e6e9b85632848bbe92069e7b0f38)
|
|
(This used to be commit 1da988456dbd885820093ae43c74e0ac66f72802)
|
|
the method used for checking if a domain is a trusted domain is very
crude, we should really call a backend fn of some sort. For now I'm
using winbindd to do the dirty work.
(This used to be commit adf44a9bd0d997ba4dcfadc564a29149531525af)
|
|
some cleanup of the lsa_open_policy and lsa_open_policy2 parser. the
length fields are not correct but that's what NT send. We don't anymore
underflow or overflow the decoding.
added the domain admins group to the default SD.
we are now checking the desired access flag in the lsa_open_policy_X()
calls and in most functions also.
J.F.
(This used to be commit a217c4e4ff4d13122703d22258792fe5e8e9f02f)
|
|
(This used to be commit 594634ff1a1d5f780ddb9909f5365ee3e420a76c)
|
