summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_cm.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r13679: Commiting the rm_primary_group.patch posted on samba-technicalGerald Carter1-1/+3
* ignore the primary group SID attribute from struct samu* * generate the primary group SID strictlky from the Unix primary group when dealing with passdb users * Fix memory leak in original patch caused by failing to free a talloc * * add wrapper around samu_set_unix() to prevent exposing the create BOOL to callers. Wrappers are samu_set_unix() and samu-allic_rid_unix() (This used to be commit bcf269e2ec6630b78d909010fabd3b69dd6dda84)
2007-10-10r13515: Make sure to store the correct domain name in the server affinity cache.Gerald Carter1-1/+1
(This used to be commit a918e4ac2426d4cb3cd526c4fad7480b832e6a12)
2007-10-10r13409: No functional changes, just some DEBUG cleanup.Günther Deschner1-1/+1
Guenther (This used to be commit 286f6fc2339cf4ef232c16466b8dffdcddbe343f)
2007-10-10r13316: Let the carnage begin....Gerald Carter1-6/+20
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r13310: first round of server affinity patches for winbindd & net ads joinGerald Carter1-25/+45
(This used to be commit 6c3480f9aecc061660ad5c06347b8f1d3e11a330)
2007-10-10r13232: defensive programming in an attempt to prevent crashes due to a PDC ↵Gerald Carter1-3/+5
rebooting (This used to be commit 994794383361cfe5d58098ae494489fb0164e1df)
2007-10-10r12193: Fix some typos.Günther Deschner1-1/+1
Guenther (This used to be commit 499224f02a8722eea0d4644ca81ca55da0e9a86b)
2007-10-10r11492: Fix bug #3224 (I hope). Correctly use machine_account_nameJeremy Allison1-2/+3
and client_name when doing netlogon credential setup. Jeremy. (This used to be commit 37e6ef9389041f58eada167239fd022f01c5fecb)
2007-10-10r11381: Correctly connect to 445 and 139 after a successful getdcname.Volker Lendecke1-3/+10
Volker (This used to be commit 440e7b3342e6b7b12208b789853962de72a9cac2)
2007-10-10r11338: Move knowledge of \\ needed into rpc_client/cli_netlogonJeremy Allison1-7/+1
(this is the way it's been done in other functions). Instead of moving this into the IDL, I think the best solution would be to write a wrapper function around any call that needs this (this is what we already do for many of the calls). Jeremy. (This used to be commit aeca4efa11728be53b81967bb5442b5b09d1a975)
2007-10-10r11328: Actually verify that the bind on a pipe succeeded with a samr_connect orVolker Lendecke1-167/+196
lsa_openpolicy and fall back appropriately. In particular an ntlmssp bind failure can not be detected before the first real rpc request, at least according to abartlet :-) Works for me against w2k3, w2k and nt4. Sooner or later I should test against samba4 ... :-) Volker (This used to be commit 48a9e35208ae7b6271508085f59833e5def640e8)
2007-10-10r11324: Re-formatting before I can get a very *narrow* focus on the bugs in ↵Volker Lendecke1-59/+61
here. ;-) We can only tell if the bind succeeded on the first real RPC call. So we have to decide according to success of samrconnect whether we have to fall back. Similarly for lsaopenpolicy. Volker (This used to be commit 0603e1c8456ee87b87b051e0303a35fdbfbcf7ca)
2007-10-10r11323: Fix usage of rpccli_netlogon_getdcname. Add some debug messages.Volker Lendecke1-3/+18
Volker (This used to be commit 770ad2a8a72ae7bfcdc1b86b72142e11f662d975)
2007-10-10r11253: Fix an annoying timeout when no nmbd is aroundVolker Lendecke1-8/+8
(This used to be commit 10fb32ec52b32b72a46a783b73c6dd1f24625d9b)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter1-204/+309
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r10556: BUG 3083: patch from Alex Deiter <tiamat@komi.mts.ru> to fix ↵Gerald Carter1-1/+4
checking trusted account for winbindd running on a Samba PDC (This used to be commit 24b43af642c9d41c14b9ad64704e13cc9150378d)
2007-10-10r8800: grr...get logic right when checking #defineGerald Carter1-2/+2
(This used to be commit c2f69827de13a6e63077bfc4a62738c0f88e0835)
2007-10-10r8799: disabling schannel on samr and lsa until I figure outGerald Carter1-9/+15
the latest MS changes in 2003 sp1 and 2004 sp4 sr1 (This used to be commit 7588c32baa50994bdc6e351d79da3edff1fdc876)
2007-10-10r8796: disable schannel on the lsa client pipe for now to deal with Windows ↵Gerald Carter1-0/+7
2003 sp1 and Windows 2000 SP4 SR1 (This used to be commit bc1443837c81bebbac7894075a15fe96338f8b0a)
2007-10-10r7454: couple of winbindd fixesGerald Carter1-3/+11
* make sure to use our domain as the account name in the net_req_auth2() request when running on a Samba DC * make sure to lookup the correct domain (not default to ours) when getting an async getpwnam() call (This used to be commit c9c3e3c122a6a04847c448d298b6f1adb4f35a60)
2007-10-10r7415: * big change -- volker's new async winbindd from trunkGerald Carter1-461/+509
(This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8)
2007-10-10r6296: add message about known interoperability issue with Windows 2003 SP1 DCsGerald Carter1-0/+10
(This used to be commit 88c2ed1534d5239273458768b7b3f05102a2af16)
2007-10-10r6158: fix some misleading error messagesGerald Carter1-2/+2
(This used to be commit 91a8e1ac6debffe457624a625e0f407bdbbbcb15)
2007-10-10r6154: fix winbindd <-> Windows 2003 sp1 issue.Gerald Carter1-1/+5
Can't do LsaOpenPolicy() over schannel anymore. This is an interesting find as it could imply that there are other changes we haven't seen yet in sp1. Volker, You might want to look at this for trunk. (This used to be commit 82e3a9d9b526522376ea967c66c67b02f2c68dd8)
2007-10-10r5336: BUG 2329: fix to re-enable winbindd to locate DC's when 'disable ↵Gerald Carter1-64/+86
netbios = yes' (This used to be commit 75a223f1188ae0041c9e3c748af107d642f73810)
2007-10-10r4905: patch from abartlet to remove storing the auth-user credentials from ↵Gerald Carter1-4/+0
the cli* in cm_prepare_connection(). using credentials from a domain other thanour primary domain will cause the schannel setup to fail (This used to be commit a13e29b5f2f1e48225b5b5964bc0777948f16622)
2007-10-10r4749: Fix memleakVolker Lendecke1-0/+2
(This used to be commit a8aab6de7516b70cae6c096883874fa152777b13)
2007-10-10r4746: add server support for lsa_enum_acct_rights(); last checkin for the nightGerald Carter1-15/+0
(This used to be commit ccdff4a998405544433aa32938963e4c37962fcc)
2007-10-10r4732: Even if we have 'password server' set, we need to look up the native ↵Volker Lendecke1-0/+6
DC name via netbios, as the user might have set an IP address or a fqdn. Volker (This used to be commit 61466f38429ba67ace3e84c870a0f913f64d122c)
2007-10-10r4575: adding extra debug to cm_prepare_connection()Gerald Carter1-0/+3
(This used to be commit 13a2aa50ea203cee9c2323bb0428f8c50a3c0f77)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison1-4/+4
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r3843: If a connection to a DC is requested, open connections ↵Volker Lendecke1-160/+424
simultaeneously to all DCs found. The first one to reply wins. Volker (This used to be commit 84ac54aef2bd56b5c889d3b05b8828aceb8ae00e)
2007-10-10r1532: Remove unused structure elementVolker Lendecke1-1/+0
(This used to be commit 128951cfe43e364970ec5760230a6450f54ae86d)
2007-10-10r991: Allow winbindd to use the domain trust account passwordGerald Carter1-11/+35
for setting up an schannel connection. This solves the problem of a Samba DC running winbind, trusting a native mode AD domain, and needing to enumerate AD users via wbinfo -u. (This used to be commit e9f109d1b38e0b0adec9b7e9a907f90a79d297ea)
2007-10-10r294: checking in volker's winbindd patches; tested on domain members (Samba ↵Gerald Carter1-9/+71
and AD) as well as on a Samba DC (This used to be commit 157d53782d6a7d0b7e30676a674ff2a25a15369c)
2007-10-10r153: Fix memleakVolker Lendecke1-0/+1
(This used to be commit fbeff419913b01bf0e814ada6ec55d56fe90f179)
2007-10-10r115: finally checking in tridge's winbindd_schannel patch for connectionsGerald Carter1-0/+34
(This used to be commit 1fae60ab20c5cbe396dc8af1c8c9a98d5683fdf4)
2004-01-15BUG 936: fix bind credentials for schannel binds in smbd (and add a comment ↵Gerald Carter1-3/+3
to winbindd_cm about this (This used to be commit 5134c6bcbc5180431e95a30559c453f3744fd427)
2004-01-08fix a seg fault caused by abartlet's last checkin; there's no way this could ↵Gerald Carter1-1/+1
have been tested against an NT4 DC (This used to be commit 8e8a351cabb502f1a93b219fec064fb4eb094856)
2004-01-08This merges in my 'always use ADS' patch. Tested on a mix of NT and ADSAndrew Bartlett1-15/+88
domains, this patch ensures that we always use the ADS backend when security=ADS, and the remote server is capable. The routines used for this behaviour have been upgraded to modern Samba codeing standards. This is a change in behaviour for mixed mode domains, and if the trusted domain cannot be reached with our current krb5.conf file, we will show that domain as disconnected. This is in line with existing behaviour for native mode domains, and for our primary domain. As a consequence of testing this patch, I found that our kerberos error handling was well below par - we would often throw away useful error values. These changes move more routines to ADS_STATUS to return kerberos errors. Also found when valgrinding the setup, fix a few memory leaks. While sniffing the resultant connections, I noticed we would query our list of trusted domains twice - so I have reworked some of the code to avoid that. Andrew Bartlett (This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
2004-01-06Ensure that for wbinfo --set-auth-user, we actually use the domain.Andrew Bartlett1-2/+2
Andrew Bartlett (This used to be commit 93a5d8079a0291be14517e437f8f0c964c21e91d)
2004-01-05Change our Domain controller lookup routines to more carefully seperateAndrew Bartlett1-34/+27
DNS names (realms) from NetBIOS domain names. Until now, we would experience delays as we broadcast lookups for DNS names onto the local network segments. Now if DNS comes back negative, we fall straight back to looking up the short name. Andrew Bartlett (This used to be commit 32397c8b01f1dec7b05140d210bb32f836a80ca6)
2004-01-05We can't possilby get 'ok' here, as the if statement above just checked for it.Andrew Bartlett1-2/+0
(This used to be commit cf4454969434d3026c57ac11c0528dc4cea9c77a)
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett1-3/+2
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-11-12a small include file rearrangement that doesn't affect normalAndrew Tridgell1-0/+1
compilation, but that allows Samba3 to take advantage of pre-compiled headers in gcc if available. (This used to be commit b3e024ce1da7c7e24fcacd8a2964dd2e4562ba39)
2003-09-05fixes for ads domain membership when only the realm is defined inGerald Carter1-0/+12
smb.conf Fixes to ensure we work with disable netbios = yes (This used to be commit 3913e43724870c62a0d77ec3e73cbe9480cb6247)
2003-08-20fix small logic error in cm_open_connection() to work with non-krb5 connectionsGerald Carter1-7/+31
(This used to be commit 2d85612752daa26c0773b86bd40eb3430b1cce3b)
2003-08-19 - Make 'net' use a single funciton for setting the 'use machine account' code.Andrew Bartlett1-10/+80
- Make winbindd try to use kerberos for connections to DCs, so that it can access RA=2 servers, particularly for netlogon. - Make rpcclient follow the new flags for the NETLOGON pipe - Make all the code that uses schannel use the centralised functions for doing so. Andrew Bartlett (This used to be commit 96b4187963cedcfe158ff02868929b8cf81c6ebf)
2003-07-31working on transtive trusts issue:Gerald Carter1-6/+23
* use DsEnumerateDomainTrusts() instead of LDAP search. wbinfo -m now lists all trusted downlevel domains and all domains in the forest. Thnigs to do: o Look at Krb5 connection trusted domains o make sure to initial the trusted domain cache as soon as possible (This used to be commit 0ab00ccaedf204b39c86a9e1c2fcac5f15d0e033)
2003-07-30Add a command line option (-S on|off|required) to enable signing on clientJeremy Allison1-1/+2
connections. Overrides smb.conf parameter if set. Jeremy. (This used to be commit 879309671df6b530e0bff69559422a417da4a307)