| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
if this parameter is not an account type
Andrew Bartlett
(This used to be commit faddf5d8f9821176f4367caaf61844980df9f79c)
|
|
his book.
This prompted me to look at the code that reads the unix group list. This
code did a lot of name -> uid -> name -> sid translations, which caused
problems. Instead, we now do just name->sid
I also cleaned up some interfaces, and client tools.
Andrew Bartlett
(This used to be commit f9e59f8bc06fae7e5c8cb0980947f78942dc25c0)
|
|
script; patch from Jianliang Lu <j.lu@tiesse.com>
(This used to be commit 19a8dd523a4ee50ba9066efd60a29cf3ba9ae419)
|
|
(This used to be commit 9359a6ea80d1228e87ea825a100a2d289c37162d)
|
|
* don't fall back to unmapped UNIX group for
get_local_group_from_sid()
* remove an extra become/unbecome_root() pair
from group enumeration
(This used to be commit da12bbdb0dd9179b1ed457fa009679e2da4a8440)
|
|
account flags of 0.
Andrew Bartlett
(This used to be commit 601120f335b69e5b8a003038dfac00f3f234a5c1)
|
|
(This used to be commit 68283407e0f366d8315f4be6caed67eb6fe84b85)
|
|
DES based krb5 logins).
Andrew Bartlett
(This used to be commit 240b0d178e1b4a3556207bdf2e342c70155f64ee)
|
|
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
|
|
(not /etc/group) even when doing local aliases
* remove "hide local users" parameter; we have this
behavior built into 3.0
(This used to be commit a7685a069766ac720f0b26fe01b0e17fc388fca3)
|
|
* revert the change that prevent the guest
account from being added to a passdb backend
since it broke the build farm.
* apply patch from Alex Deiter to fix the
"smbldap_open: cannot access when not root
error" messages when looking up group
information (bug 281)
(This used to be commit 9b8bf6a950186bd95abe952af4a7d35829b34ff8)
|
|
<adegremont@idealx.com>with memory leak fixes by me.
Jeremy.
(This used to be commit e591854eda8568ed1a4ad6b9de64e523c02b4392)
|
|
but a flags field. We were assuming that 2*strlen(mb_string) == length of ucs2-le string.
This is not the case. Count it after conversion.
Jeremy.
(This used to be commit f82c273a42f930c7152cfab84394781744815e0e)
|
|
me to expose a type arguement to make_sec_desc(). We weren't copying
the SE_DESC_DACL_AUTO_INHERITED flag which could cause errors on
auto inherited checks.
Jeremy.
(This used to be commit 28b315a7501f42928d73efaa75f74146ba95cf2d)
|
|
ensure the desired access is read from the incoming RPC request.
Jeremy.
(This used to be commit fdc5dda44f0190af4e4b0782cb2c5c7de3506d12)
|
|
(This used to be commit f4ca4aae8ad0496b76c710cf79c791724bdaa4ec)
|
|
call.
(This used to be commit dd2cf4897ec3db25c24a2724ffdef4f905625f6a)
|
|
(This used to be commit a6a39c61e8228c8b3b7552ab3c61ec3a6a639143)
|
|
Fixed by storing the access requested on the anonymous samr connect.
Restricted this to enum_domain|open_domain.
Added become/unbecome_root() around pdb_enum_group_mapping()
enum domain groups samr call.
(This used to be commit 36fc199e5f573fea9b7e2c1cf01ad42744a42f08)
|
|
(This used to be commit a2bd8f0bfa12f2a1e33c96bc9dabcc0e2171700d)
|
|
(This used to be commit 15d2bc47854df75f8b2644ccbc887d0357d9cd27)
|
|
to allow UNIX password change scripts to work correctly. This is safe as
the old password has been checked as correct before invoking this.
Jeremy.
(This used to be commit 1734d43eb55561d46a6ffb5d806afedfd3746f9f)
|
|
time. )-:
(This used to be commit 59dae1da66a5eb7e128263bd578f167d8746e9f0)
|
|
(This used to be commit ba4d334b822248d8ab929c9568533431603d967e)
|
|
first time.
(This used to be commit 6616485dbad74dab7506609c6bfd183fc9c1f93c)
|
|
* move rid allocation into IDMAP. See comments in _api_samr_create_user()
* add winbind delete user/group functions
I'm checking this in to sync up with everyone. But I'm going to split
the add a separate winbindd_allocate_rid() function for systems
that have an 'add user script' but need idmap to give them a RID.
Life would be so much simplier without 'enable rid algorithm'.
The current RID allocation is horrible due to this one fact.
Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow.
Nothing has changed in the way a samba domain is represented, stored,
or search in the directory so things should be ok with previous installations.
going to bed now.
(This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
|
|
to winbindd. See README.idmap-and-winbind-changes for details.
(This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6)
|
|
purpose. Replace with an array of SAM_ACCOUNT/DOMAIN_GRP entries.
ZERO struct's in smbd/uid.c stops core dumps when sid_to_XX
functions fail. Getting ready to add caching.
Jeremy.
(This used to be commit 9d0692a54fe2cb087f25796ec2ab5e1d8433e388)
|
|
available. Removed extra auth_init (thanks metze).
Jeremy.
(This used to be commit 88135fbc4998c266052647f8b8e437ac01cf50ae)
|
|
strupper_m/strlower_m.
I really want people to think about when they're using multibyte strings.
Jeremy.
(This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
|
|
As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK
This patch will cure the problem.
Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is
used correctly, but I'm not 100% sure, coders should check the use of
NT_STATUS_IS_ERR() in samba is ok now.
Simo.
(This used to be commit c501e84d412563eb3f674f76038ec48c2b458687)
|
|
The code was nice, but put in the wrong place (group mapping) and not
supported by most of the code, thus useless.
We will put back most of the code when our infrastructure will be changed
so that privileges actually really make sense to be set.
This is a first patch of a set to enhance all our mapping code cleaness and
stability towards a sane next beta for 3.0 code base
Simo.
(This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
|
|
This part of a fix to bug#45.
Volker
(This used to be commit 43d306011fe0497dabdf6f43a0d120900fd96e6d)
|
|
in add groupmem code.
Jeremy.
(This used to be commit f41eb9ce9af2075f62abaecd8792d30617d05818)
|
|
Jeremy.
(This used to be commit 2a6d0c2481c3c34351e57c30a85004babdbf99b0)
|
|
We really need idmap_ldap to have a good solution with ldapsam, porting
it from the prvious code is beeing made, the code is really simple to do
so I am confident it is not a problem to commit this code in.
Not committing it would have been worst.
I really would have been able to finish also the group code, maybe we can
put it into a followin release after 3.0.0 even if it may be an upgrade
problem.
The code has been tested and seem to work right, more testing is needed for
corner cases.
Currently winbind pdc (working only for users and not for groups) is
disabled as I was not able to make a complete group code replacement that
works somewhat in a week (I have a complete patch, but there are bugs)
Simo.
(This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
|
|
lp_workgroup(), for all other server this is global_myname().
This is the name of the domain for accounts on *this* system, and getting
this wrong caused interesting bugs with 'take ownership' on member servers
and standalone servers at Snap.
(They lookup the username that they got, then convert that to a SID - but
becouse the domain out of the smbpasswd entry was wrong, we would fail the
lookup).
Andrew Bartlett
(This used to be commit 5fc78eba20411f3f5a8ccadfcba5c4ab73180dba)
|
|
to the system. This means that we always run Get_Pwnam(), and can never add
FOO when foo exists on the system (the idea is to instead add foo into
the passdb, using it's full name, RID etc).
Andrew Bartlett
(This used to be commit bb79b127e02cefae13c822fd0fd165f1f214b740)
|
|
(This used to be commit c0807e21999ec718d722fc0be6b3353c9369db04)
|
|
for rpc_pull_string. If we had a NULL or zero-length string, we would use
uninitialised data in the result string.
Andrew Bartlett
(This used to be commit df10aee451b431a8a056a949a98393da256185da)
|
|
etc, move the SAMR create_user code back to using the 'pdb_init_sam_pw' method
to fill out the attributes.
This is basicly the same code, but we really didn't need the duplication.
Also, take advantage of the fact that RIDs will always be returned back into
the SAM_ACCOUNT on ADD, so we don't need to duplicate the 'get'.
This should also help in sites with replicated LDAP - the second fetch might
occour before the first is replicated back.
Andrew Bartlett
(This used to be commit 39714c24fd9da4701d4fe69ddd3d61a25254409f)
|
|
the credentials from secrets.tdb
(This used to be commit bb8b63b865b941abecc0d821e710702dd12866fe)
|
|
Give volker a hand, and let domain joins with existing user accounts work
a bit better.
This just sets the minimum possible attributes - if we are 'upgrading' an
LDAP based user account, the attributes will be there anyway. This matches
NT pretty well to.
This also fixes some use of unitialised values in the desired_access checking.
(found by valgrind).
Andrew Bartlett
(This used to be commit 536e24ee5b83eaa77be81dd50e3e1a5010b5abf4)
|
|
- user_ok() and user_in_group() now take a list of groups, instead of
looking for the user in the members of all groups.
- The 'server_info' returned from the authentication is now kept around
- in future we won't copy the sesion key, username etc, we will just
referece them directly.
- rhosts upgraded to use the SAM if possible, otherwise fake up based on
getpwnam().
- auth_util code to deal with groups upgraded to deal with non-winbind domain
members again.
Andrew Bartlett
(This used to be commit 74b5436c75114170ce7c780c19226103d0df9060)
|
|
(This used to be commit 7a4c87484237308cb3ad0d671687da7e0f6e733b)
|
|
suppport for the 'min password age' and 'min passwd len' concepts.
(This used to be commit d9417b08d1b649e598b44135bc57008f4e4f7769)
|
|
named. Ensure we can query them.
Jeremy.
(This used to be commit 09a218a9f6fb0bd922940467bf8500eb4f1bcf84)
|
|
dashes of const. This is a rather large check-in, some things may break.
It does compile though :-).
Jeremy.
(This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89)
|
|
- change auth_sam to use the initialisation flags to determine if
the password attributes are set
- add const to secrets.c, cliconnect.c
- passdb: fix spelling in pdb_ldap, add group mapping back to smbpasswd
- SAMR: add debugs to show what fails for group enum.
Andrew Bartlett
(This used to be commit 4e74d00b3634abf52aa24bfaa6dbe88202aa57a1)
|
|
Thanks to Andrew Brtlet for the diff :-)
(This used to be commit cf67981e73cf52803eae589a6b86e1274bf72d2c)
|
