Age | Commit message (Collapse) | Author | Files | Lines |
|
- vorlan's hosts allow with DNS names patch
- use x_fileno() in debug.c, not the struct directly.
- check for server timeout on password change (was reporting success)
- better error/status loggin in both the pam_winbind client and winbindd_pam
server code.
- (pdb_ldap) don't set the ldap version twice - we do it on every bind anyway.
(This used to be commit 9fa1863d8e7788eda83911ca2610754486b33069)
|
|
that app-head does.
Jeremy.
(This used to be commit ec7953f20145799f6286a295472df4826bfdfb8f)
|
|
Jeremy.
(This used to be commit 9225054179b6642ae8be790d35e6590aefa46dd3)
|
|
Jeremy.
(This used to be commit 7634a58ec83ed7b40fe8ac95b0486b1ac00c59e4)
|
|
(This used to be commit 028477e35208e76fedbc7c743426fd9be94b7cf0)
|
|
- Fix segfaults in the 'net ads' commands when no password is provided
- Readd --with-ldapsam for 2.2 compatability. This conditionally compiles the
old options, but the actual code is available on all ldap systems.
- Fix shadow passwords (as per work with vl)
- Fix sending plaintext passwords to unicode servers (again vl)
- Add a bit of const to secrets.c functions
- Fix some spelling and grammer by vance.
- Document the -r option in smbgroupedit.
There are more changes in HEAD, I'm only merging the changes I've been involved
with.
Andrew Bartlett
(This used to be commit 83973c389355a5cc9ca74af467dfd8b5dabd2c8f)
|
|
Jeremy.
(This used to be commit d8d351eb01ea7c84828dbc96224d7b13d643b558)
|
|
Jeremy.
(This used to be commit aea64f1c300b1ec5ec1c5d637f456f025ec12821)
|
|
Jeremy.
(This used to be commit 28d2eb934318818a3b0527e391987ea139dbf4a3)
|
|
(This used to be commit 5b451ce6f096d699a80c10f48bde5ee224e29ccf)
|
|
want to include the globally installed libsmbclient.h - found by jht
(This used to be commit a7a54fc2c8b26c92ab0e3499531919debca3fe64)
|
|
(This used to be commit 9d9f7bbf87bf9a0e003e6da482615fe040d00852)
|
|
(This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
|
|
(This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
|
|
used to be commit 6938b5b98abd9ba055a46583a05c4fc07e32f529)
|
|
Tridge suggested a generic caching mechanism for Samba to avoid the
proliferation of little cache files hanging around limpet like in the
locks directory. Someone should probably implement this at some
stage.
(This used to be commit dad31483b3bd1790356ef1e40ac62624a403bce8)
|
|
from win2k AND still use SPNEGO (provided you don't build with kerberos...I
still have to fix that, as we are not properly falling back).
(This used to be commit 1f9b3d46c7c99e84b2983220f79613b7420c5ced)
|
|
setups.
- split up the ads structure into logical pieces. This makes it much
easier to keep things like the authentication realm and the server
realm separate (they can be different).
- allow ads callers to specify that no sasl bind should be performed
(used by "net ads info" for example)
- fix an error with handing ADS_ERROR_SYSTEM() when errno is 0
- completely rewrote the code for finding the LDAP server. Now try DNS
methods first, and try all DNS servers returned from the SRV DNS
query, sorted by closeness to our interfaces (using the same sort code
as we use in replies from WINS servers). This allows us to cope with
ADS DCs that are down, and ensures we don't pick one that is on the
other side of the country unless absolutely necessary.
- recognise dnsRecords as binary when displaying them
- cope with the realm not being configured in smb.conf (work it out
from the LDAP server)
- look at the trustDirection when looking up trusted domains and don't
include trusts that trust our domains but we don't trust
theirs.
- use LDAP to query the alternate (netbios) name for a realm, and make
sure that both and long and short forms of the name are accepted by
winbindd. Use the short form by default for listing users/groups.
- rescan the list of trusted domains every 5 minutes in case new trust
relationships are added while winbindd is running
- include transient trust relationships (ie. C trusts B, B trusts A,
so C trusts A) in winbindd.
- don't do a gratuituous node status lookup when finding an ADS DC (we
don't need it and it could fail)
- remove unused sid_to_distinguished_name function
- make sure we find the allternate name of our primary domain when
operating with a netbiosless ADS DC (using LDAP to do the lookup)
- fixed the rpc trusted domain enumeration to support up to approx
2000 trusted domains (the old limit was 3)
- use the IP for the remote_machine (%m) macro when the client doesn't
supply us with a name via a netbios session request (eg. port 445)
- if the client uses SPNEGO then use the machine name from the SPNEGO
auth packet for remote_machine (%m) macro
- add new 'net ads workgroup' command to find the netbios workgroup
name for a realm
(This used to be commit e358d7b24c86a46d8c361b9e32a25d4f71a6dc00)
|
|
name status query to 14 bytes, so we could not join a DC who had a
netbios name of 15 bytes in length.
(This used to be commit a7588f21c24dac833f098c48e2337c100cf75ba4)
|
|
(This used to be commit cb946b5dadf3cfd21bf584437c6a8e9425f6d5a7)
|
|
When this option is disabled we should not do *any* netbios
operations. You should also not start nmbd at all. I have put initial
checks in at the major points we do netbios operations in smbd but
there are bound to be more needed. Right now I've disabled all netbios
name queries, all WINS lookups and node status queries in smbd and
winbindd.
I've been testing this option and the most noticable thing is how much
more responsive things are! wthout those damn netbios timeouts things
certainly are much slicker.
(This used to be commit 12e7953bf2497eeb7c0bc6585d9fe58b3aabc240)
|
|
there were 2 bugs:
1) we were sending a null challenge when we should have sent an empty
challenge
2) the password can be in unicode if unicode is negotiated. This means
our client code was wrong too :(
(This used to be commit 1a6dfddf6788b30fc81794b1bfe749693183b2c1)
|
|
(This used to be commit a5a0ff8bd7ee4a3586647d14fd750ec6df73efa8)
|
|
again, and has added 'net rpc trustdom list' support.
This lists the trusted and trusting domains of a remote PDC.
I've applied these almost directly, just fixing some special
case code for when there are *no* trusting domains. We still
have some parse errors in this case however.
Andrew Bartlett.
From mimir's e-mail:
Here are another patches adding trust relationship features.
More details:
Better error reporting in cli_lsa_enum_trust_dom().
Implementation of cli_samr_enum_dom_users() which cli_samr.c
lacked.
More "consts" -- one of arguments in net_find_dc().
Modified implementation of run_rpc_command() -- now it
allows to reuse already opened connection (if it is passed)
to remote server's IPC$ (e.g. as part of longer exchange
of rpc calls). I'm sure Andrew will argue ;-)
More neat version of rpc_trustdom_list() function.
(This used to be commit f0890026820ee3e432147130b46de4610e583381)
|
|
patches:
Andrew Bartlett
From his e-mail:
Below I attach the following patches as a result of my work
on trusted domains support:
1) srv_samr_nt.c.diff
This fixes a bug which caused to return null string as
the first entry of enumerated accounts list (no matter what
entry, it was always null string and rid) and possibly
spoiled further names, depeding on their length.
I found that while testing my 'net rpc trustdom list'
against nt servers and samba server.
2) libsmb.diff
Now, fallback to anonymous connection works correctly.
3) smbpasswd.c.diff
Just a little fix which actually allows one to create
a trusting domain account using smbpasswd
4) typos.diff
As the name suggests, it's just a few typos fix :)
(This used to be commit 888d595fab4f6b28318b743f47378cb7ca35d479)
|
|
(This used to be commit f4f2b613a2a804a6d2e5e78cc7dd7f3482675fcd)
|
|
as they're no longer new!
(This used to be commit 277f6bbb9a63541a473a80a7994e9bde5c6f22dc)
|
|
distinction between uchar and char).
Lots of const etc.
Andrew Bartlett
(This used to be commit 8196ee908e10db2119e480fe1b0a71b31a16febc)
|
|
wrappers.
Andrew Bartlett
(This used to be commit 95519d408caa7da00dbb2a8323cc4374a517cd69)
|
|
authentication - we can have an NT hash in the LM hash feild.
(I need to double-check this fix with tpot, who discovered it).
Also remove silly casts back and forth between uchar and char.
Andrew Bartlett
(This used to be commit 07e2b36311f91d7a20865a2ccc94716772e53fd7)
|
|
(This used to be commit 8b769bf5bbbe54b1a39fd85cc24db09c1ab7faab)
|
|
(This used to be commit 04de6bbc8055e5547af41b10e284b722f40e726d)
|
|
generating a warning
(This used to be commit cd82ba41b8df024f034fcfa24e967ed8c3c8d035)
|
|
(This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
|
|
used to be commit b8d39651fb90ef170055735412417239a63afc5d)
|
|
it turns out this is tricky to get right for both win9x and w2k with
and without unicode. This patch seems to do the trick.
(This used to be commit 01ebe5fff2b3cb29f083afb224b1257364ac5d80)
|
|
(This used to be commit 146ba3eb49bade732d57691d8ce181ef6608e0cb)
|
|
(This used to be commit 753df0b89767261420f242da21d5dfb5403c966b)
|
|
(This used to be commit 5706e6af168b14a40cb1e306c2911182260ff0d3)
|
|
(This used to be commit 481a70f4f005a778a24e2193f8e760217ee3c946)
|
|
(This used to be commit d3fdce07ab5955abd1f923127ae9eb5006aea505)
|
|
(This used to be commit 07de8418369dad1f015369e70e9303fea4130295)
|
|
(This used to be commit dd46ff7619129782963ec6ea727e5d731370ee7d)
|
|
and appear to be functions for internal use.
Richard: please check.
Andrew Bartlett
(This used to be commit cb61e61a113dede4a0b0f5d31d0ec89c4b6ecd65)
|
|
(This used to be commit 2d7eccbeb258b4fdd14323a40f9537eb265f73e1)
|
|
code
(This used to be commit 91ad9041e9507d36eb3f40c23c5d4df61f139ef0)
|
|
(This used to be commit 514b91827a970a0041314af341b8c66a01668e4a)
|
|
broadcast addresses. This makes it far more likely that we will try to
talk to an interface that is routable from one of our interfaces.
(This used to be commit bc1a0506868266088ae585a7a5dcb1ac8ca3474d)
|
|
bytes which follow the header, not the full packet size.
[Yes, the length field is either 17-bits, or (per the RFCs) it is a
16-bit length field preceeded by an 8-bit flags field of which only
the low-order bit may be used. If that bit is set, then add 65536 to
the 16-bit length field. (In other words, it's a 17-bit unsigned
length field.)
...unless, of course, the transport is native TCP [port 445] in which
case the length field *might* be 24-bits wide.]
Anyway, the change is a very minor one. We were including the four bytes
of the header in the length count and, as a result, sending four bytes of
garbage at the end of the SESSION REQUEST packet.
Small fix in function cli_session_request().
(This used to be commit d08471688b65371eb3de73b03a8ffaee86659ba0)
|
|
bytes which follow the header, not the full packet size.
[Yes, the length field is either 17-bits, or (per the RFCs) it is a
16-bit length field preceeded by an 8-bit flags field of which only
the low-order bit may be used. If that bit is set, then add 65536 to
the 16-bit length field. (In other words, it's a 17-bit unsigned
length field.)
...unless, of course, the transport is native TCP [port 445] in which
case the length field *might* be 24-bits wide.]
Anyway, the change is a very minor one. We were including the four bytes
of the header in the length count and, as a result, sending four bytes of
garbage at the end of the SESSION REQUEST packet.
Small fix in function cli_session_request().
(This used to be commit cd2b1357066a712efcf87ac61922ef871118e8de)
|