Age | Commit message (Collapse) | Author | Files | Lines |
|
While machine accounts cannot use an NTLM login (NT4 style), they are
otherwise full and valid members of the domain, and expect to be able to
use kerberos to connect to CIFS servers.
This means that the LocalSystem account, used by various services, can
perform things like backups, without the admin needing to enter further
passwords.
This particular issue (bug 722) has started to come up a lot on the lists.
I have only enabled it for winbindd-based systems, as the macros use use
to call the 'add user script' will strip the $ from the username for
security reasons.
Andrew Bartlett
(This used to be commit 6a9bbd1da3bb961d24e74348fa0b68574022855f)
|
|
While writing documentation for metze's patch, it became clear that this is a
better name.
Andrew Bartlett
(This used to be commit 6f828ff3d3622c56ee732b976e7ab90b7897a8d3)
|
|
When smb.conf tells us to write to a read-only LDAP replica and we are
redirected by the LDAP server, the replication might take some seconds,
especially over slow links. This patch delays the next read after a rebind for
'ldap rebind sleep' milliseconds.
Metze, thanks for your patience.
Volker
(This used to be commit 63ffa770b67d700f138d19b4982da152f57674fc)
|
|
actually used.... 'afs username map' should not show up in the swat basic
view. :-)
Maybe I should use swat from time to time....
Volker
(This used to be commit d4e071d14b8ae622c1edbb33bb5677713df1f961)
|
|
(This used to be commit 25aa5df5c79070d0f1273a71617e64fba7831742)
|
|
Jeremy.
(This used to be commit 16097f2072085432f4c669d9e008023f36f7afbb)
|
|
are written out surrounded by single quotes. This means that
both double and single quotes are now used to surround
strings in smb.conf. This is a slight change from the previous
behavior but needed or else things like
printer admin = +ntadmin, 'VALE\Domain, Admin'
get written to smb.conf by SWAT.
(This used to be commit 5bf91c79d620e34ac71d72c80f74e47754d49dcb)
|
|
Jeremy.
(This used to be commit 48153f7a07cc04b849a79778fdc3e76af6c6eb13)
|
|
suffix values in SWAT; based on tpot's original patch; bug 328
(This used to be commit 12a06dd9807ea3a10f8220d6e7c33b4b79ae25b4)
|
|
(not /etc/group) even when doing local aliases
* remove "hide local users" parameter; we have this
behavior built into 3.0
(This used to be commit a7685a069766ac720f0b26fe01b0e17fc388fca3)
|
|
Jeremy.
(This used to be commit 3c19ac5f1c9e393780e57028808871dfdc77b170)
|
|
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at
all and I really want to discourage that.
Jeremy.
(This used to be commit d7e35dfb9283d560d0ed2ab231f36ed92767dace)
|
|
bunch of updates to bug 413 from Monyo:
1) pick up proper strings to call msg strings for example to add
strings in wizard menu in web/swat.c, web/statuspage.c and
param/loadparm.c.
2) define N_() macro in include/intl.h to pick up some strings
in param/loadparm.c
3) quote all name and value tag with '"'
For example in swat.c:720 the "Edit Parameter Values" string is
displayd only as "Edit" because value tag is not quoted like:
value=Edit Parameter Values
These tags should be quoted though it sometimes works well
without quotation.
4) modify the msg strings not to contain HTML tags or other
non-message strings. For example
dprintf(_("test\n")); is modified to dprintf("%s\n", _("test"));
(This used to be commit 351d16956d8125bc689ca84adcb71e0a57d6b7cc)
|
|
(This used to be commit cd06472e420ba0647a73c6e04d180c088acdb626)
|
|
Volker
(This used to be commit a6c54cbe205a6882d49fc77c04ed21b4f1de4396)
|
|
afs share -- this is an AFS share, do AFS magic things
afs username map -- We need a way to specify the cell and possibly
weird username codings for several windows domains
in the afs cell
Volker
(This used to be commit 4a3f7a9356cd5068d9ed4fd6e2336d9bf7923fbd)
|
|
(This used to be commit 5c0c9d68b44f867bf6c2b24b9fd9ba2408b9f83c)
|
|
portion of NTLMv2 key exchange. Also revert the default for
'client ntlmv2 auth' to no. This caused no ends of grief in
different cases.
And based on abartlet's mail....
> All I care about at this point is that we use NTLMv2
> in our client code when connecting to a server that
> supports it.
There is *no* way to tell this. The server can't tell us, because it
doesn't know what it's DC supports. The DC can't tell us, because it
doesn't know what the trusted DC supports. One DC might be Win2k, and
the PDC could be an older NT4.
(This used to be commit fe585d49cc3df0d71314ff43d3271d276d7d4503)
|
|
as that's what they do. Fix string_replace() to fast-path ascii.
Jeremy.
(This used to be commit f35e9a8b909d3c74be47083ccc4a4e91a14938db)
|
|
ability to use variables in paths for the [homes] service.
(This used to be commit 8fd13b63103b3c144bdd170edcb3b642dfd9bb54)
|
|
to walk to the end anyway.
Jeremy.
(This used to be commit 467cafdb1f7ddfb4278824f385b732975246a4f5)
|
|
for new home directories should be inheritied from the global defaults, not [homes]
(This used to be commit ea54bfc211f874c23b79572d8fb89bac73ec21a3)
|
|
(This used to be commit 3724063f1518c25e33ba6b65cd3bb1e36cec51fa)
|
|
iconv wasn't re-initialised on reading of "charset" parameters. This
caused workgroup name to be set incorrectly if it contained an
extended character.
Jeremy.
(This used to be commit 84ae44678a6c59c999bc1023fdd9b7ad87f4ec18)
|
|
(This used to be commit 9554a661c2400e9148f7572e4de20064faea5f2a)
|
|
(This used to be commit 1278d2496162c6427729a795dd940b9863261a6d)
|
|
Jeremy.
(This used to be commit 17b09eed96fa2793a5947fa811e8543a1b263d6f)
|
|
(This used to be commit ae452e51b02672a56adf18aa7a7e365eeaba9272)
|
|
- Fix WINS Server List in SWAT (bug #197)
- Don't segfault SWAT when adding shares (bug #254)
(This used to be commit dd43a29504fe2b6f9d13cdb9431347927548fc10)
|
|
Now we are:
1. Try to find correct name for default character sets for the platform
2. Use DEFAULT_{DOS|DISPLAY|UNIX}_CHARSET defines set during configure phase as defaults
This should fix CP850 problem on Solaris (at least) because it actually has IBM850 which
is the same but under different name
(This used to be commit 836b9fffa0eadc818019ba36ed764e97d4f9a801)
|
|
Jeremy.
(This used to be commit e66bfe212db1cec751f4024f631600fa2a3eb07c)
|
|
Volker
(This used to be commit d07f173767678187237c9fc767c0a05f0b8c7d32)
|
|
Jeremy.
(This used to be commit 729b468f7e0e5522dfdede481947826851842483)
|
|
(This used to be commit a2bd8f0bfa12f2a1e33c96bc9dabcc0e2171700d)
|
|
(This used to be commit 15d2bc47854df75f8b2644ccbc887d0357d9cd27)
|
|
No change to what is displayed has been made at this time. I do intend to
change the display order before 3.0.0 ships.
(This used to be commit de7d3063d9e07255da2cc4e67afa50c1e2ddf321)
|
|
I think (my changes haven't affected this I believe). Initial support on the
server side for smbclient. Still doesn't work for w2k clients I think...
Work in progress..... (don't change).
Jeremy.
(This used to be commit e5714edc233424c2f74edb6d658f32f8e0ec9275)
|
|
sendfile when signing (I need to add this for readbraw/writebraw too...).
Jeremy.
(This used to be commit f2e84f1ba67b13ff29e24a38099b559d9033a680)
|
|
Ensure a server can't do a downgrade attack if client signing is mandatory.
Add a lp_server_signing() function and a 'server signing' parameter that
will act as the client one does.
Jeremy
(This used to be commit 203e4bf0bfb66fd9239e9a0656438a71280113cb)
|
|
on. Fail if missmatch. Small format tidyups in smbd/sesssetup.c. Preparing
to add signing on server side.
Jeremy.
(This used to be commit c390b3e4cd68cfc233ddf14d139e25d40f050f27)
|
|
to winbindd. See README.idmap-and-winbind-changes for details.
(This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6)
|
|
available. Removed extra auth_init (thanks metze).
Jeremy.
(This used to be commit 88135fbc4998c266052647f8b8e437ac01cf50ae)
|
|
* remove idmap_XX_to_XX calls from smbd. Move back to the
the winbind_XXX and local_XXX calls used in 2.2
* all uid/gid allocation must involve winbindd now
* move flags field around in winbindd_request struct
* add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id()
to prevent automatic allocation for unknown SIDs
* add 'winbind trusted domains only' parameter to force a domain member
server to use matching users names from /etc/passwd for its domain
(needed for domain member of a Samba domain)
* rename 'idmap only' to 'enable rid algorithm' for better clarity
(defaults to "yes")
code has been tested on
* domain member of native mode 2k domain
* ads domain member of native mode 2k domain
* domain member of NT4 domain
* domain member of Samba domain
* Samba PDC running winbindd with trusts
Logons tested using 2k clients and smbclient as domain users
and trusted users. Tested both 'winbind trusted domains only = [yes|no]'
This will be a long week of changes. The next item on the list is
winbindd_passdb.c & machine trust accounts not in /etc/passwd (done
via winbindd_passdb)
(This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
|
|
Andrew Bartlett
(This used to be commit 3dd767841666068a1b32c71b03a8e7bc797087be)
|
|
strupper_m/strlower_m.
I really want people to think about when they're using multibyte strings.
Jeremy.
(This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
|
|
guest account != ""
Volker
(This used to be commit 21d330af107f744af9569b5577afc6e7ba6a269c)
|
|
- changed --enable-developer debug to use -gstabs as it makes the
samba binaries about 10x smaller and is still quite functional for
samba debugging
(This used to be commit 53bfcd478a193d4def8da872e92d7ed8f46aa4b9)
|
|
*) consolidates the dc location routines again (dns
and netbios) get_dc_list() or get_sorted_dc_list()
is the authoritative means of locating DC's again.
(also inludes a flag to get_dc_list() to define
if this should be a DNS only lookup or not)
(however, if you set "name resolve order = hosts wins"
you could still get DNS queries for domain name IFF
ldap_domain2hostlist() fails. The answer? Fix your DNS
setup)
*) enabled DOMAIN<0x1c> lookups to be funneled through
resolve_hosts resulting in a call to ldap_domain2hostlist()
if lp_security() == SEC_ADS
*) enables name cache for winbind ADS backend
*) enable the negative connection cache for winbind
ADS backend
*) removes some old dead code
*) consolidates some duplicate code
*) moves the internal_name_resolve() to use an IP/port pair
to deal with SRV RR dns replies. The namecache code
also supports the IP:port syntax now as well.
*) removes 'ads server' and moves the functionality back
into 'password server' (which can support "hostname:port"
syntax now but works fine with defaults depending on
the value of lp_security())
(This used to be commit d7f7fcda425bef380441509734eca33da943c091)
|
|
Jeremy.
(This used to be commit 076d9a3c9bc264d9456a67da9366bd73d3ce69d5)
|
|
Jeremy.
(This used to be commit 036a551b10f1cb436ea36acbb40983249de8310d)
|