| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Jeremy.
(This used to be commit df32eb70a45150e459997c2ae92c865cd0e083f6)
|
|
deref.
Jeremy.
(This used to be commit 0026fb0b2843271c27e9dc02a32e88d580bebbc3)
|
|
Jeremy.
(This used to be commit 76c4d5212bcb5f54472c9ceac2368078ebad7a3b)
|
|
Guenther
(This used to be commit 0ae3fddf95a95ec8a2f4d52e1276c1721b33ddfd)
|
|
* Fix a couple of related parsing issues.
* in the info3 reply in a samlogon, return the ACB-flags (instead of
returning zero)
Guenther
(This used to be commit 5b89e8bc24f0fdc8b52d5c9e849aba723df34ea7)
|
|
to make full use of the new talloc() interface. Discussed with Volker
and Jeremy.
* remove the internal mem_ctx and simply use the talloc()
structure as the context.
* replace the internal free_fn() with a talloc_destructor() function
* remove the unnecessary private nested structure
* rename SAM_ACCOUNT to 'struct samu' to indicate the current an
upcoming changes. Groups will most likely be replaced with a
'struct samg' in the future.
Note that there are now passbd API changes. And for the most
part, the wrapper functions remain the same.
While this code has been tested on tdb and ldap based Samba PDC's
as well as Samba member servers, there are probably still
some bugs. The code also needs more testing under valgrind to
ensure it's not leaking memory.
But it's a start......
(This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
|
|
Guenther
(This used to be commit 290a581b7567eab82b18fbadae9aa2ab29e95069)
|
|
changereject.
Guenther
(This used to be commit 98d3c63e04e1317a0a2f100e89d9be65a98ecc7e)
|
|
Guenther
(This used to be commit f60eddc0a4dfe623e5f115533a62c03810fd5f38)
|
|
from Samba4 on how to decode the 532 byte password buffers.
Getting closer to passing samba4 RPC-SCHANNEL test.
Jeremy.
(This used to be commit 205db6968a26c43dec64c14d8053d8e66807086f)
|
|
Jeremy.
(This used to be commit 6f8334ad31ac773f5c13335f5d8c5bed62987466)
|
|
Implement 'net rpc shell account' -- An editor for account policies
nt_time_to_unix_abs changed its argument which to me seems wrong, and I could
not find a caller that depends on this. So I changed it. Applied some more
const in time.c.
Volker
(This used to be commit fc73690a7000d5a3f0f5ad34461c1f3a87edeac5)
|
|
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
|
|
patch by Alex Deiter (tiamat@komi.mts.ru).
Introduces level 9 of getuserinfo and allows to successfully install MS SMS2003
on a member of a Samba domain. Also added support for this level in rpcclient.
The code for infolevel 9 is modelled upon Samba-TNG by Alex Deiter.
Jerry, we need this in 3.0.21b.
(This used to be commit 93461646ce2ad6e2f8b11d40ce98722d56a83b43)
|
|
it is. (SAM_UNK_INFO_1 should get a better name as well).
Guenther
(This used to be commit d94aaeb625c39b6205fe61c274aed57b1399bafc)
|
|
Guenther
(This used to be commit 0705fed566efdeab05d605dd239afe67ca5e9811)
|
|
Can anyone remember why we initialize groups only with 0x03 instead of 0x07 ?
Guenther
(This used to be commit 3282c7c458d390547fbaca44821eff376e8f9aaa)
|
|
Guenther
(This used to be commit a8bc4bc902075cfd009dc92674c4560a44a74277)
|
|
client behaviour (ie.:
open pipe/open SAMR handle/enumerate 0 - 1024
close SAMR handle, close pipe.
open pipe/open SAMR handle/enumerate 1024 - 2048...
close SAMR handle, close pipe.
And on ad-nausium. Amazing.... probably object-oriented
client side programming in action yet again.
This change should *massively* improve performance when
enumerating users from an LDAP database.
Jeremy.
(This used to be commit 8ce705d9cc1b6a79d710a10ff38f72a0f1006dda)
|
|
if changing to support samr_connect5 might help so quickly coded
it up. No it doesn't :-(. Don't merge this for 3.0.21 please.
Jeremy.
(This used to be commit bff1df678a8948d382f4555e83a1df23146a4b12)
|
|
x86_64 box.
Jeremy.
(This used to be commit d720867a788c735e56d53d63265255830ec21208)
|
|
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
|
|
ldapsam code
(This used to be commit 62f9fb5e3a9bce539c9fedc5fdec1b8741a922c7)
|
|
not unix name)
(This used to be commit 8928575abde51f04d0596420a85381f697b66c58)
|
|
using USER_INFO_XX structs and functions where XX was sometimes
in hex and sometimes in decimal. Now it's all in decimal (should
be no functionality change).
Jeremy.
(This used to be commit 84651aca04cbcbf50ab2e78333cc9d9e49dd92f5)
|
|
MMC manage computer plugin.
(This used to be commit c43c1ec80cb52569ccabcdf95e4004386ecb29d6)
|
|
pieces that
can be taken out of it, so I decided to commit this in one lump. It changes
the passdb enumerating functions to use ldap paged results where possible. In
particular the samr calls querydispinfo, enumdomusers and friends have
undergone significant internal changes. I have tested this extensively with
rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will
follow later.
The code is based on a first implementation by Günther Deschner, but has
evolved quite a bit since then.
Volker
(This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
|
|
referencing unknown_6 from sam, because it's just fixed at 1260, the max
len of LOGON_HRS. Need to go in and mark it as "remove me" from passdb.
(This used to be commit ffac752875938d510446ebbeba6fc983f65cda1e)
|
|
should not say we are a PDC.
Guenther
(This used to be commit 6cdf3b97de2c28ac92f972621b0ce04c1c80cea5)
|
|
Note that Samba3 does not yet support it server-side.
Guenther
(This used to be commit b2c8220931733593fd312fc25b6c73f440b4567a)
|
|
set the value "forcibly disconnect remote users from server when logon
hours expire" to "no", instead take the value from our account-policy
storage.
Guenther
(This used to be commit e3bd2a22a5cebc4adf6910d3ec31bc6fada8cd35)
|
|
based on samba4-idl.
This saves us an enormous amount of totally unnecessary ldap-traffic
when several hundreds of winbind-daemons query a Samba3 DC just to get
the fake SAM-sequence-number (time(NULL)) by enumerating all users, all
groups and all aliases when query-dom-info level 2 is used.
Note that we apparently never get the sequence number right (we parse a
uint32, although it's a uint64, at least in samba4 idl). For the time
being, I would propose to stay with that behaviour.
Guenther
(This used to be commit f9ab15a986626581000d4b93961184c501f36b93)
|
|
comment string and not an unknown 12 byte structure...
Found after abartlet's smbtorture extended this string to
"Tortured by Samba4: Fri Nov 26 15:40:18 2004 CET"
;-))
Volker
(This used to be commit b41d94d8186f66136918432cf32e9dcef5a8bd12)
|
|
allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
|
|
(This used to be commit 3ebfd137b2d8f393874561046ef79f4d9a8cae52)
|
|
Andrew Bartlett
(This used to be commit 61768f4cb3a268ce30911b15b30f82de36716b5f)
|
|
Volker
(This used to be commit 9ceff803278bdbc09cb5ab678a108cea24ab49a9)
|
|
Jeremy.
(This used to be commit b9e79004a4c1e4a472f0627d2c33c966af22ccd2)
|
|
(This used to be commit 911a28361b9d8dd50597627f245ebfb57c6294fb)
|
|
Volker
(This used to be commit e597420421e085b17dcdc062c5900518d0d4e685)
|
|
group_info4 in set_dom_group_info also has the level in the record
itself. This seems not to be an align. Tested with NT4 usrmgr.exe. It can
still create a domain group on a samba machine.
Volker
(This used to be commit 76c75bb8a7ad2a2e719dbbe997abf8aefe2fbbb4)
|
|
Replace unknown_3 with fields_present. Also causes rpc_samr structure field changes.
(This used to be commit 1976843345efb6ca4f9cebd964a61acd8ae11d41)
|
|
As well as avoiding DOS charset issues, this scheme returns useful error
codes, that we can map back via the pam interface.
This patch also cleans up the interfaces used for password buffers, to
avoid duplication of code.
Andrew Bartlett
(This used to be commit 2a2b1f0c872d154fbcce71a250e23dfad085ba1e)
|
|
* don't fall back to unmapped UNIX group for
get_local_group_from_sid()
* remove an extra become/unbecome_root() pair
from group enumeration
(This used to be commit da12bbdb0dd9179b1ed457fa009679e2da4a8440)
|
|
This means that we now support 'net rpc join' with KRB5 (des based)
logins. Now, you need to hack 'net' to do that, but the principal is
important...
When we add kerberos to 'net rpc', it should be possible to still do
user management and the like over RPC.
(server-side support to follow shortly)
Andrew Bartlett
(This used to be commit 9ecf9408d98639186b283f1acf0fac46417547d0)
|
|
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
|
|
Jeremy.
(This used to be commit 703b1b76e25fc83b3b84767c0e1b64c97c21bf09)
|
|
<adegremont@idealx.com>with memory leak fixes by me.
Jeremy.
(This used to be commit e591854eda8568ed1a4ad6b9de64e523c02b4392)
|
|
but a flags field. We were assuming that 2*strlen(mb_string) == length of ucs2-le string.
This is not the case. Count it after conversion.
Jeremy.
(This used to be commit f82c273a42f930c7152cfab84394781744815e0e)
|
|
fields, bad_password_count and logon_count. Ensure this is stored/fetched
in the various SAMs. As it replaces the unknown_5 field this fits
exactly into the tdb SAM without any binary problems. It also is added
to the LDAP SAM as two extra attributes. It breaks compatibility with
the experimental SAMs xml and mysql. The maintainers of these SAMs must
fix them so upgrades like this can be done transparently. I will insist
on the "experimental" status until this is solved.
Jeremy.
(This used to be commit cd7bd8c2daff3293d48f3376a7c5a708a140fd94)
|
