Age | Commit message (Collapse) | Author | Files | Lines |
|
(This used to be commit d7b6298b9e4e7f83deaa2c6f3d711c390ff9cefd)
|
|
While machine accounts cannot use an NTLM login (NT4 style), they are
otherwise full and valid members of the domain, and expect to be able to
use kerberos to connect to CIFS servers.
This means that the LocalSystem account, used by various services, can
perform things like backups, without the admin needing to enter further
passwords.
This particular issue (bug 722) has started to come up a lot on the lists.
I have only enabled it for winbindd-based systems, as the macros use use
to call the 'add user script' will strip the $ from the username for
security reasons.
Andrew Bartlett
(This used to be commit 6a9bbd1da3bb961d24e74348fa0b68574022855f)
|
|
(This used to be commit 7e5855dfd27ed9ec1fa924986f1ba02632a0d5a0)
|
|
DNS names (realms) from NetBIOS domain names.
Until now, we would experience delays as we broadcast lookups for DNS names
onto the local network segments.
Now if DNS comes back negative, we fall straight back to looking up the
short name.
Andrew Bartlett
(This used to be commit 32397c8b01f1dec7b05140d210bb32f836a80ca6)
|
|
rpc_parse/parse_lsa.c:
nsswitch/winbindd_rpc.c:
nsswitch/winbindd.h:
- Add const
libads/ads_ldap.c:
- Cleanup function for use
nsswitch/winbindd_ads.c:
- Use new utility function ads_sid_to_dn
- Don't search for 'dn=', rather call the ads_search_retry_dn()
nsswitch/winbindd_ads.c:
include/rpc_ds.h:
rpc_client/cli_ds.c:
- Fixup braindamage in cli_ds_enum_domain_trusts():
- This function was returning a UNISTR2 up to the caller, and
was doing nasty (invalid, per valgrind) things with memcpy()
- Create a new structure that represents this informaiton in a useful way
and use talloc.
Andrew Bartlett
(This used to be commit 06c3f15aa166bb567d8be0a8bc4b095b167ab371)
|
|
This introduces range retrieval of ADS attributes.
VL rewrote most of Günther's patch, partly to remove code duplication and
partly to get the retrieval of members in one rush, not interrupted by the
lookups for the DN.
I rewrote that patch, to ensure that we can keep an eye on the USN
(sequence number) of the entry - this allows us to ensure the read was
atomic.
In particular, the range retrieval is now generic, for strings. It
could easily be made generic for any attribute type, if need be.
Andrew Bartlett
(This used to be commit 131bb928f19c7b1f582c4ad9ac42e5f3d9dfb622)
|
|
Volker
(This used to be commit dafa4d202b65382c365f10365208d9de4eef5586)
|
|
a double-free(), and the resultant malloc heap corruption.
This may be one of our lurking winbind segfaults.
Andrew Bartlett
(This used to be commit 903263a1bdb755f86dac3a9a92a4af39c8b102c4)
|
|
Volker
(This used to be commit 0c8ee04c78543b1da3b675df4cf85ee5496c3fbf)
|
|
This introduces range retrieval of ADS attributes.
I've rewritten most of Günther's patch, partly to remove code duplication and
partly to get the retrieval of members in one rush, not interrupted by the
lookups for the DN.
Andrew, you told me that you would like to see a check whether the AD sequence
number is the same before and after the retrieval to achieve atomicity. This
would be trivial to add, but I'm not sure that we want this, as this adds two
roundtrips to every membership query. We can not know before the first query
whether we get additional range values, and at that point it's too late to ask
for the USN.
Tested with a group of 4000 members along with lots of small groups.
Volker
(This used to be commit 9d8235bf413f931e40bca0c27a25ed62b4f3d226)
|
|
compilation, but that allows Samba3 to take advantage of pre-compiled
headers in gcc if available.
(This used to be commit b3e024ce1da7c7e24fcacd8a2964dd2e4562ba39)
|
|
(This used to be commit 5eca81c66096a01eda1731892d044c09d4c18556)
|
|
down; bug 437
(This used to be commit 1cfbd92404270e0c67a3b295fc9cf461b29d3503)
|
|
ads_search_XXX() calls.
(This used to be commit 74c02e5fbc411d6fd1b13a1e21599da030897efe)
|
|
already have ads_search_retry() for this. However, neither
domain_sid() nor sequence_nunber() used this function. So modify
them to us ads_do_search_retry() so we can specify the base search
DN and scope.
(This used to be commit 89f6adf830187d020bf4b35d1a4b2b48c7a075d0)
|
|
smb.conf
Fixes to ensure we work with disable netbios = yes
(This used to be commit 3913e43724870c62a0d77ec3e73cbe9480cb6247)
|
|
(This used to be commit e3f5afb83142f44369dcd341d6e66ed2fe51248f)
|
|
Ken Cross. Sometimes ads conenction get stale but we don't know
they are dead until we try them. This patch may need some optimization
after people bang on it for a while.
(This used to be commit 7021cf63a4501c90620cf6a5f117eef345bbd291)
|
|
Also make sure thet ads_startup uses lp_realm instead of
just relying on the workgroup name. Fixes bug in net ads join
when the workgroup defaults to "WORKGROUP" and we ignore the
realm name.
(This used to be commit b1763ace4e85f41574894e3807cabb5196fec661)
|
|
(This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669)
|
|
* use DsEnumerateDomainTrusts() instead of LDAP search.
wbinfo -m now lists all trusted downlevel domains and
all domains in the forest.
Thnigs to do:
o Look at Krb5 connection trusted domains
o make sure to initial the trusted domain cache as soon
as possible
(This used to be commit 0ab00ccaedf204b39c86a9e1c2fcac5f15d0e033)
|
|
strupper_m/strlower_m.
I really want people to think about when they're using multibyte strings.
Jeremy.
(This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
|
|
(This used to be commit 10c51bbef83dabd99f129fc7ff0e3fe47c393c67)
|
|
failure
* Fix code to use winbind_rpc methods for trusted mixed mode or NT4 domains
( does no one ever test this? )
* add in LDAP code to get the sequence number for rpc based seqnum update.
( this is needed if the DC is upgraded and samba is not reconfigured
to use security = ads; it's not pretty but it works (from app_head) )
* fix bug that caused us to enumerate domain local groups in domains
other than our own
(This used to be commit 14f2cd139a22454571cea8475d3b7c5c2787d378)
|
|
have a primary ADS domain and a secondary (trusted) NT4 domain. This
caused winbindd to be *really* slow for that setup.
- fixed winbindd_getgrgid(), which was calling uid_to_sid instead of
gid_to_sid(). When you make changes to winbind *PLEASE* test using
nsstest.
(This used to be commit cdd9b60a078b63e22f543d4c8d0956ff536f4d89)
|
|
Jeremy.
(This used to be commit 4161a122b74b75b0ed1758e3491e69bb9f1e8390)
|
|
This includes the 'SIDs Rule' patch, mimir's trusted domains cacheing code,
the winbind_idmap abstraction (not idmap proper, but the stuff that held up
the winbind LDAP backend in HEAD).
Andrew Bartlett
(This used to be commit d4d5e6c2ee6383c6cceb5d449aa2ba6c83eb0666)
|
|
This allows us to join as a BDC, without appearing on the network as one
until we have the database replicated, and the admin changes the configuration.
This also change the SID retreval order from secrets.tdb, so we no longer
require a 'net rpc getsid' - the sid fetch during the domain join is sufficient.
Also minor fixes to 'net'.
Andrew Bartlett
(This used to be commit 876e00fd112e4aaf7519eec27f382eb99ec7562a)
|
|
- new kerberos code, allowing the account to change it's own password
without special SD settings required
- NTLMSSP client code, now seperated from cliconnect.c
- NTLMv2 client code
- SMB signing fixes
Andrew Bartlett
(This used to be commit 837680ca517982f2e5944730581a83012d4181ae)
|
|
winbindd build again.
(This used to be commit c4f46890fe7f0dc16520cd5ed0fd06dcd7682703)
|
|
named. Ensure we can query them.
Jeremy.
(This used to be commit 09a218a9f6fb0bd922940467bf8500eb4f1bcf84)
|
|
domain)
(This used to be commit ff4b2411d146b72f5f578b2e78701f125fec8f08)
|
|
(This used to be commit 5a2f1edb5848dc054cfaa71b0fb3b473ad930b7d)
|
|
(i ignored the new SAMBA stuff, but the rest of this looks like it should
have been merged already).
(This used to be commit 3de09e5cf1f667e410ee8b9516a956860ce7290f)
|
|
(This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
|
|
(This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
|
|
(This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
|
|
I think its caused by a rpc operation failing and us giving invalid
data back to the cache layer. Using talloc_zero() should solve this.
(This used to be commit dfa990170bb9a665ba48443258e2a87f50baa75c)
|
|
(This used to be commit be399f5823bb8dfe6cc28d58aaeceb51f1b7382b)
|
|
(This used to be commit 41e1560798b7eb19575b0d97a5e489eb170bcfd5)
|
|
(This used to be commit 1aaa2091d54e7e50cf75927d658e57776792d6ae)
|
|
reconnecting
(This used to be commit 58b79c0dc882fa402423e44a594e30c27177f490)
|
|
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
(This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
|
|
smbd, and also makes it much cleaner inside winbindd.
It is mostly my code, with a few changes and testing performed by Alexander
Bokovoy <a.bokovoy@sam-solutions.net>. ab has tested it in security=domain and
security=ads, but more testing is always appricatiated.
The idea is that we no longer cart around a 'domain\user' string, we keep them
seperate until the last moment - when we push that string into a pwent on onto
the socket.
This removes the need to be constantly parsing that string - the domain prefix
is almost always already provided, (only a couple of functions actually changed
arguments in all this).
Some consequential changes to the RPC client code, to stop it concatonating the
two strings (it now passes them both back as params).
I havn't changed the cache code, however the usernames will no longer have a
double domain prefix in the key string. The actual structures are unchanged
- but the meaning of 'username' in the 'rid' will have changed. (The cache is
invalidated at startup, so on-disk formats are not an issue here).
Andrew Bartlett
(This used to be commit e870f0e727952aeb8599cf93ad2650ae56eca033)
|
|
(This used to be commit ff002a458afa6ca378f0c6d2ec9fb74233c839a7)
|
|
(This used to be commit 1bf5c1a46f4c3f44054ce8fcbc551cdb72683f2b)
|
|
domain is ADS
(This used to be commit e97b40e09427c2c5f0a497f9432af08d6d6762f2)
|
|
(This used to be commit 05a90a28843e0d69183a49a76617c5f32817df16)
|
|
the method used for checking if a domain is a trusted domain is very
crude, we should really call a backend fn of some sort. For now I'm
using winbindd to do the dirty work.
(This used to be commit adf44a9bd0d997ba4dcfadc564a29149531525af)
|
|
- gss error code patch from a.bokovoy@sam-solutions.net
- better sid dumping in ads_dump
- fixed help in wbinfo
(This used to be commit ee1c3e1f044b4ef62169ad74c5cac40eef81bfda)
|