Age | Commit message (Collapse) | Author | Files | Lines |
|
(This used to be commit 4f97988dd652983b7cdbb2f2e5a85c9d97ec697e)
|
|
add static
smbd/uid.c:
remove unused function
Andrew Bartlett
(This used to be commit ab25af0e18d883757775a85f005775a79a86dcc8)
|
|
(This used to be commit ba9dc0d9fd3e30a7ddf97b6a4df753db7ba12cc1)
|
|
domains, this patch ensures that we always use the ADS backend when
security=ADS, and the remote server is capable.
The routines used for this behaviour have been upgraded to modern Samba
codeing standards.
This is a change in behaviour for mixed mode domains, and if the trusted
domain cannot be reached with our current krb5.conf file, we will show
that domain as disconnected.
This is in line with existing behaviour for native mode domains, and for
our primary domain.
As a consequence of testing this patch, I found that our kerberos error
handling was well below par - we would often throw away useful error
values. These changes move more routines to ADS_STATUS to return
kerberos errors.
Also found when valgrinding the setup, fix a few memory leaks.
While sniffing the resultant connections, I noticed we would query our
list of trusted domains twice - so I have reworked some of the code to
avoid that.
Andrew Bartlett
(This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
|
|
While machine accounts cannot use an NTLM login (NT4 style), they are
otherwise full and valid members of the domain, and expect to be able to
use kerberos to connect to CIFS servers.
This means that the LocalSystem account, used by various services, can
perform things like backups, without the admin needing to enter further
passwords.
This particular issue (bug 722) has started to come up a lot on the lists.
I have only enabled it for winbindd-based systems, as the macros use use
to call the 'add user script' will strip the $ from the username for
security reasons.
Andrew Bartlett
(This used to be commit 6a9bbd1da3bb961d24e74348fa0b68574022855f)
|
|
Volker
(This used to be commit 541e6998a06ac523ad794b10f4e7a46951a06726)
|
|
DNS names (realms) from NetBIOS domain names.
Until now, we would experience delays as we broadcast lookups for DNS names
onto the local network segments.
Now if DNS comes back negative, we fall straight back to looking up the
short name.
Andrew Bartlett
(This used to be commit 32397c8b01f1dec7b05140d210bb32f836a80ca6)
|
|
domains (in particular, the domain of the current machine, if it is not a PDC)
By changing the error codes, we now return values that PAM can correctly
use for better stacking of PAM modules - in particular of the password change
module.
This allows pam_winbind to co-exist with other pam modules for password changes.
Andrew Bartlett
(This used to be commit 6a8cc7f0122ac4dd5b10ff1160735ef1a177d448)
|
|
our primary domain - new domains are added to the front of the list. :-(
Use a much more reliable 'flag test' instead. (note: changes winbind structures, make clean).
Andrew Bartlett
(This used to be commit cc050e01370633a985c9878bdce297f9175fdbf7)
|
|
- Fill in the 'backup' idea of a domain, if the DC didn't supply one. This
doesn't seem to occour in reality, hence why we missed the typo.
lib/charcnv.c:
lib/smbldap.c:
libads/ldap.c:
libsmb/libsmbclient.c:
printing/nt_printing.c:
- all the callers to pull_utf8_allocate() pass a char ** as the first
parammeter, so don't make them all cast it to a void **
nsswitch/winbind_util.c:
- Allow for a more 'correct' view of when usernames should be qualified
in winbindd. If we are a PDC, or have 'winbind trusted domains only',
then for the authentication returns stip the domain portion.
- Fix valgrind warning about use of free()ed name when looking up our
local domain. lp_workgroup() is maniplated inside a procedure that
uses it's former value. Instead, use the fact that our local domain is
always the first in the list.
Andrew Bartlett
(This used to be commit 494781f628683d6e68e8ba21ae54f738727e8c21)
|
|
compilation, but that allows Samba3 to take advantage of pre-compiled
headers in gcc if available.
(This used to be commit b3e024ce1da7c7e24fcacd8a2964dd2e4562ba39)
|
|
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at
all and I really want to discourage that.
Jeremy.
(This used to be commit d7e35dfb9283d560d0ed2ab231f36ed92767dace)
|
|
(This used to be commit e1fac713e25692a5790c3261ba323732930f5249)
|
|
smb.conf
Fixes to ensure we work with disable netbios = yes
(This used to be commit 3913e43724870c62a0d77ec3e73cbe9480cb6247)
|
|
(This used to be commit 934fb418a3a3628ee4cde699df872bc1035fc769)
|
|
Fix from Ken Cross.
(This used to be commit 45775b48a0d91390aa698b750d59cda0150cfbd0)
|
|
(This used to be commit 3324adcaceb9191b5d4d671ac9b51c85c6714598)
|
|
(This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669)
|
|
1) don't ask trusted DC's for a list of trusted domains. This causes
us to treat non-transitive ones as if they were transitive. Not
needed anyways
2) Fix dc lookup bug where we would always try to use DNS to resolve
the DC's for a domain (even if it was a trusted NT4 domain).
(This used to be commit 4d3acce5066d3adf53ee8fbaa627c42523b3cbc3)
|
|
(This used to be commit 042492b862c4f2389086275dd8a0e044d7432537)
|
|
(we don't always get it back)
(This used to be commit 6e8f23d1b1dd5122691cd9363a5c572fcab182af)
|
|
* use DsEnumerateDomainTrusts() instead of LDAP search.
wbinfo -m now lists all trusted downlevel domains and
all domains in the forest.
Thnigs to do:
o Look at Krb5 connection trusted domains
o make sure to initial the trusted domain cache as soon
as possible
(This used to be commit 0ab00ccaedf204b39c86a9e1c2fcac5f15d0e033)
|
|
rafal
(This used to be commit 156554738cf4e4ffa5a811d9979acd19418e7908)
|
|
to winbindd. See README.idmap-and-winbind-changes for details.
(This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6)
|
|
strupper_m/strlower_m.
I really want people to think about when they're using multibyte strings.
Jeremy.
(This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
|
|
Jeremy.
(This used to be commit a411923aa2eba9dac49efb68ed31650c11b5c33d)
|
|
pre-2.2.4 tdb database format.
tx volker for your work on this
(This used to be commit 2bdbeb9e97a59ecd16f74fbb04ab5ca57b28a757)
|
|
have a primary ADS domain and a secondary (trusted) NT4 domain. This
caused winbindd to be *really* slow for that setup.
- fixed winbindd_getgrgid(), which was calling uid_to_sid instead of
gid_to_sid(). When you make changes to winbind *PLEASE* test using
nsstest.
(This used to be commit cdd9b60a078b63e22f543d4c8d0956ff536f4d89)
|
|
* quit obsessing over the sequence number so much
* share the updated sequence number between parent
and child winbindd processes in dual mode
(This used to be commit 6f99cafa95b2a9dc98d8272fe6a54e9d37098340)
|
|
We really need idmap_ldap to have a good solution with ldapsam, porting
it from the prvious code is beeing made, the code is really simple to do
so I am confident it is not a problem to commit this code in.
Not committing it would have been worst.
I really would have been able to finish also the group code, maybe we can
put it into a followin release after 3.0.0 even if it may be an upgrade
problem.
The code has been tested and seem to work right, more testing is needed for
corner cases.
Currently winbind pdc (working only for users and not for groups) is
disabled as I was not able to make a complete group code replacement that
works somewhat in a week (I have a complete patch, but there are bugs)
Simo.
(This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
|
|
from 2.2. if they still need them
(This used to be commit 237857a760974bb02000e5d3a776240ec73ca6b6)
|
|
This includes the 'SIDs Rule' patch, mimir's trusted domains cacheing code,
the winbind_idmap abstraction (not idmap proper, but the stuff that held up
the winbind LDAP backend in HEAD).
Andrew Bartlett
(This used to be commit d4d5e6c2ee6383c6cceb5d449aa2ba6c83eb0666)
|
|
NTLM Authentication:
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory
under lockdir, that the admin can change the group access for.
- This mode is now required to access with 'CRAP' authentication feature.
- This *will* break the current SQUID helper, so I've fixed up our ntlm_auth
replacement:
- Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a
challenge.
- Use this to make our ntlm_auth utility suitable for use in current Squid 2.5
servers.
- Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates
are needed.
- Now uses fgets(), not x_fgets() to cope with Squid environment (I think
somthing to do with non-blocking stdin).
- Add much more robust connection code to wb_common.c - it will not connect to
a server of a different protocol version, and it will automatically try and
reconnect to the 'privileged' pipe if possible.
- This could help with 'privileged' idmap operations etc in future.
- Add a generic HEX encode routine to util_str.c,
- fix a small line of dodgy C in StrnCpy_fn()
- Correctly pull our 'session key' out of the info3 from th the DC. This is
used in both the auth code, and in for export over the winbind pipe to
ntlm_auth.
- Given the user's challenge/response and access to the privileged pipe,
allow external access to the 'session key'. To be used for MSCHAPv2
integration.
Andrew Bartlett
(This used to be commit ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664)
|
|
(This used to be commit 5cfb30551a713caa3d69406450c1eac4541a30fa)
|
|
(This used to be commit bf8bb62023bcd38e5bc53ef1ac2183360d6ff734)
|
|
named. Ensure we can query them.
Jeremy.
(This used to be commit 09a218a9f6fb0bd922940467bf8500eb4f1bcf84)
|
|
(This used to be commit 4277262c74ef16971658f53edd403b335542d9f2)
|
|
dashes of const. This is a rather large check-in, some things may break.
It does compile though :-).
Jeremy.
(This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89)
|
|
(This used to be commit 3810f13682617d043d3cffaafe8a7cb7125c4ecd)
|
|
Jeremy.
(This used to be commit faf92207e71980aaaad8b5487f5c2d6a60f7ddd1)
|
|
Jeremy.
(This used to be commit 77d534f7fd9ad74ca6d5e74860b29bb8ad54268f)
|
|
- move winbindd client handling into accessor functions in
winbindd_util.c
- move some winbindd socket routines into accessor functions in
winbindd_utils.c
(The deadlock situation mentioned in the appliance branch is probably
not applicable since we don't clear the connection cache on SIGHUP.
Perhaps we should?)
(This used to be commit ee0e3d31a1d1bef70810aadcdafdf9678d21ea8f)
|
|
(This used to be commit 09c6f6329d6ae9327b7ef06de0ea78d24d805456)
|
|
* add some files missing from a previous commit
(This used to be commit 29159c97371c75327e377f9d13406dad46095568)
|
|
(This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
|
|
(This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
|
|
(This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
|
|
(This used to be commit d5b5d3f8400a80c943809db9578a2d7317aa6d2d)
|
|
this means "xcopy /o" has a chance of working with ACLs that contain
ACEs that use SIDs that the Samba server has no knowledge of.
It's a bit hackish, Tim, can you look at my uid.c changes?
(This used to be commit fe2db3148587937aa7b674c1c99036d42a3776b3)
|
|
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
(This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
|