Age | Commit message (Collapse) | Author | Files | Lines |
|
to winbindd_cm about this
(This used to be commit 5134c6bcbc5180431e95a30559c453f3744fd427)
|
|
<john.klinger@lmco.com>
(This used to be commit 40b7d863dc246ea23ff3d9cdc167f1fb96166e1d)
|
|
The reason for this are:
(a) the set_dc_type_and_flags() cannot tell the different
between connecting to an NT4 domain and an NT4 BDC
of a mixed mode domain.
(b) the connection management for the rpc backend only
provides on named pipe per cli_state. So it is possible
to connect to an NT4 BDC for netlogon and an AD mixed mode
DC for lsarpc. RPC is the lowest common demonimator here.
(c) Issue with the sequence number value between the
highestCommittedUSN LDAP attribute and the seq_num returned
via RPC.
We will revisit this later, but the changes need to make this
work right now are too broad and risky.
(This used to be commit 1ed2e521536108229d153c2996f4757d89461166)
|
|
Andrew Bartlett
(This used to be commit b0b2010461d8554334b033c4f07d78c308e73e7f)
|
|
(This used to be commit d7b6298b9e4e7f83deaa2c6f3d711c390ff9cefd)
|
|
metze
(This used to be commit 12d6bc3bd0684646e990c2fc6485fe1a92ac98fb)
|
|
(This used to be commit 65b01f67d5725bc54e6bc19b6e84beef38e372f8)
|
|
(This used to be commit ba9dc0d9fd3e30a7ddf97b6a4df753db7ba12cc1)
|
|
have been tested against an NT4 DC
(This used to be commit 8e8a351cabb502f1a93b219fec064fb4eb094856)
|
|
Andrew Bartlett
(This used to be commit 595dee660742f8bd5770a5f7aaf3a5d1987dbcfa)
|
|
domains, this patch ensures that we always use the ADS backend when
security=ADS, and the remote server is capable.
The routines used for this behaviour have been upgraded to modern Samba
codeing standards.
This is a change in behaviour for mixed mode domains, and if the trusted
domain cannot be reached with our current krb5.conf file, we will show
that domain as disconnected.
This is in line with existing behaviour for native mode domains, and for
our primary domain.
As a consequence of testing this patch, I found that our kerberos error
handling was well below par - we would often throw away useful error
values. These changes move more routines to ADS_STATUS to return
kerberos errors.
Also found when valgrinding the setup, fix a few memory leaks.
While sniffing the resultant connections, I noticed we would query our
list of trusted domains twice - so I have reworked some of the code to
avoid that.
Andrew Bartlett
(This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
|
|
find_domain_from_name(lp_workgroup()).
(as find_domain_from_name() can change the data in lp_workgroup())
Andrew Bartlett
(This used to be commit 2e6eaad9ce6a0ad6923b5952ef6cf1c3688b7cfa)
|
|
(This used to be commit 703f101136b8e9bbc16f57a37cd9d9d739606a84)
|
|
While machine accounts cannot use an NTLM login (NT4 style), they are
otherwise full and valid members of the domain, and expect to be able to
use kerberos to connect to CIFS servers.
This means that the LocalSystem account, used by various services, can
perform things like backups, without the admin needing to enter further
passwords.
This particular issue (bug 722) has started to come up a lot on the lists.
I have only enabled it for winbindd-based systems, as the macros use use
to call the 'add user script' will strip the $ from the username for
security reasons.
Andrew Bartlett
(This used to be commit 6a9bbd1da3bb961d24e74348fa0b68574022855f)
|
|
just use one function for both places.
Andrew Bartlett
(This used to be commit 85da181e8a0ade839f6d595fabdf4cea606f82e1)
|
|
(This used to be commit fac5e05ca1b56cb6e3ab6537d0848fa373c00831)
|
|
Andrew Bartlett
(This used to be commit 93a5d8079a0291be14517e437f8f0c964c21e91d)
|
|
Volker
(This used to be commit 541e6998a06ac523ad794b10f4e7a46951a06726)
|
|
(This used to be commit 7e5855dfd27ed9ec1fa924986f1ba02632a0d5a0)
|
|
(This used to be commit 687aececa66c2c1ba8e5bc3127d8ca79a97436d1)
|
|
understood by humans.
Andrew Bartlett
(This used to be commit 3d91b0a0060f18d49b2fdd9f93ef310e2ea7779d)
|
|
DNS names (realms) from NetBIOS domain names.
Until now, we would experience delays as we broadcast lookups for DNS names
onto the local network segments.
Now if DNS comes back negative, we fall straight back to looking up the
short name.
Andrew Bartlett
(This used to be commit 32397c8b01f1dec7b05140d210bb32f836a80ca6)
|
|
(This used to be commit aacb817e89d17349003159e1b7c28546babc8559)
|
|
rpc_parse/parse_lsa.c:
nsswitch/winbindd_rpc.c:
nsswitch/winbindd.h:
- Add const
libads/ads_ldap.c:
- Cleanup function for use
nsswitch/winbindd_ads.c:
- Use new utility function ads_sid_to_dn
- Don't search for 'dn=', rather call the ads_search_retry_dn()
nsswitch/winbindd_ads.c:
include/rpc_ds.h:
rpc_client/cli_ds.c:
- Fixup braindamage in cli_ds_enum_domain_trusts():
- This function was returning a UNISTR2 up to the caller, and
was doing nasty (invalid, per valgrind) things with memcpy()
- Create a new structure that represents this informaiton in a useful way
and use talloc.
Andrew Bartlett
(This used to be commit 06c3f15aa166bb567d8be0a8bc4b095b167ab371)
|
|
This introduces range retrieval of ADS attributes.
VL rewrote most of Günther's patch, partly to remove code duplication and
partly to get the retrieval of members in one rush, not interrupted by the
lookups for the DN.
I rewrote that patch, to ensure that we can keep an eye on the USN
(sequence number) of the entry - this allows us to ensure the read was
atomic.
In particular, the range retrieval is now generic, for strings. It
could easily be made generic for any attribute type, if need be.
Andrew Bartlett
(This used to be commit 131bb928f19c7b1f582c4ad9ac42e5f3d9dfb622)
|
|
(This used to be commit cf4454969434d3026c57ac11c0528dc4cea9c77a)
|
|
session setup. After talking to jht and abartlet I made this unconditional, no
additional parameter.
Jerry: This is a change in behaviour, but I think it is necessary.
Volker
(This used to be commit 3ce6c9f27368cfb278007fe660a0e44a84d67f8f)
|
|
Volker
(This used to be commit dafa4d202b65382c365f10365208d9de4eef5586)
|
|
a double-free(), and the resultant malloc heap corruption.
This may be one of our lurking winbind segfaults.
Andrew Bartlett
(This used to be commit 903263a1bdb755f86dac3a9a92a4af39c8b102c4)
|
|
Andrew Bartlett
(This used to be commit 3f6d0cd3a83bc75922cb125ffe2b0127c8aa417b)
|
|
Volker
(This used to be commit 0c8ee04c78543b1da3b675df4cf85ee5496c3fbf)
|
|
This introduces range retrieval of ADS attributes.
I've rewritten most of Günther's patch, partly to remove code duplication and
partly to get the retrieval of members in one rush, not interrupted by the
lookups for the DN.
Andrew, you told me that you would like to see a check whether the AD sequence
number is the same before and after the retrieval to achieve atomicity. This
would be trivial to add, but I'm not sure that we want this, as this adds two
roundtrips to every membership query. We can not know before the first query
whether we get additional range values, and at that point it's too late to ask
for the USN.
Tested with a group of 4000 members along with lots of small groups.
Volker
(This used to be commit 9d8235bf413f931e40bca0c27a25ed62b4f3d226)
|
|
domains (in particular, the domain of the current machine, if it is not a PDC)
By changing the error codes, we now return values that PAM can correctly
use for better stacking of PAM modules - in particular of the password change
module.
This allows pam_winbind to co-exist with other pam modules for password changes.
Andrew Bartlett
(This used to be commit 6a8cc7f0122ac4dd5b10ff1160735ef1a177d448)
|
|
(This used to be commit 6f3cd9e2af7f1b4bdd7cb0e487987de159bb0dd8)
|
|
our primary domain - new domains are added to the front of the list. :-(
Use a much more reliable 'flag test' instead. (note: changes winbind structures, make clean).
Andrew Bartlett
(This used to be commit cc050e01370633a985c9878bdce297f9175fdbf7)
|
|
- Fill in the 'backup' idea of a domain, if the DC didn't supply one. This
doesn't seem to occour in reality, hence why we missed the typo.
lib/charcnv.c:
lib/smbldap.c:
libads/ldap.c:
libsmb/libsmbclient.c:
printing/nt_printing.c:
- all the callers to pull_utf8_allocate() pass a char ** as the first
parammeter, so don't make them all cast it to a void **
nsswitch/winbind_util.c:
- Allow for a more 'correct' view of when usernames should be qualified
in winbindd. If we are a PDC, or have 'winbind trusted domains only',
then for the authentication returns stip the domain portion.
- Fix valgrind warning about use of free()ed name when looking up our
local domain. lp_workgroup() is maniplated inside a procedure that
uses it's former value. Instead, use the fact that our local domain is
always the first in the list.
Andrew Bartlett
(This used to be commit 494781f628683d6e68e8ba21ae54f738727e8c21)
|
|
Push the unix username into utf8 for it's trip across the socket.
Andrew Bartlett
(This used to be commit 3225f262b18bdcf326d3bfd031dac169bd9347c9)
|
|
Instead of returning a name in DOMAIN\user format, we now return it in the
same way that nsswtich does - following the rules of 'winbind use default
domain', in the correct case and with the correct seperator.
This should help sites who are using Squid or the new SASL code I'm working
on, to match back to their unix usernames.
Andrew Bartlett
(This used to be commit 7a3a5a63612b2698a39f784859496c395505a79b)
|
|
(This used to be commit 46b2fb4db5c7e273a9b43c59340a0a47ade5bd5e)
|
|
(This used to be commit 9c70e4b44e0dda8f2af4172b928437bd9d3e8b7c)
|
|
(This used to be commit 550b309a65d138364502c720894e2099de6b5076)
|
|
Let the build farm chew on it for a bit.
(This used to be commit 41e4b036dff0af7be69bf95ea3d64dfccd3a4b8e)
|
|
the full name in gecos field; bug 587
(This used to be commit 329065d7cddb52c52667c93e0a0218c0e89938be)
|
|
(This used to be commit df14b0af31863680218b06ae9de2f010a38fba6e)
|
|
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
|
|
winbind functions to be accessed via NSS. This provides a much cleaner
way for applications that need (for example) to provide name->sid
mappings to do this via NSS rather than having to know the winbindd
pipe protocol (as this might change).
This patch also adds a varient of the winbindd_getgroups() call called
winbindd_getusersids() that provides direct SID->SIDs listing of a
users supplementary groups. This is enough to allow non-Samba
applications to do ACL checking.
A test program for the new functionality will be committed shortly.
I also added the 'wbinfo --user-sids' option to expose the new
function in wbinfo.
(This used to be commit 702b35da0ac7c73aa5a6603f871d865565bbe278)
|
|
compilation, but that allows Samba3 to take advantage of pre-compiled
headers in gcc if available.
(This used to be commit b3e024ce1da7c7e24fcacd8a2964dd2e4562ba39)
|
|
UNIX entity foo to DOMAIN\foo instead of SERVER\foo
on members of a Samba domain when all UNIX accounts
are shared via NIS, et. al.
* allow winbindd to match local accounts to domain SID
when 'winbind trusted domains only = yes'
* remove code in idmap_ldap that searches the user
suffix and group suffix. It's not needed and
provides inconsistent functionality from the tdb backend.
This has been tested. I'm still waiting on some more feedback
but This needs to be in 3.0.1pre2 for widespread use.
(This used to be commit ee272414e9965d7d550ba91d4e83997134dd51e6)
|
|
(This used to be commit 0519a7022b4979c0e8ddd4907f4b858a59299c06)
|
|
functions.
(This used to be commit 7710232ba21305a1e3c9523ace82a5a419526b50)
|