Age | Commit message (Collapse) | Author | Files | Lines |
|
on the samba-technical ml.
I'll add a 'net ads set attribute=value' utility later
rather than the original 'net ads setmachineupn' patch that
was also posted to the tech ml.
(This used to be commit 5035778ae4b3a5e445faa535c5caf00bc8d220d8)
|
|
Patch from Zack Kirsch <zack.kirsch@isilon.com>.
Jeremy.
(This used to be commit df07a662e32367a52c1e8473475423db2ff5bc51)
|
|
Coverity finds them :-)
Jeremy.
(This used to be commit cbe725f1b09f3d0edbdf823e0862edf21e16d336)
|
|
Fix escaping of DN components and filters around the code
Add some notes to commandline help messages about how to pass DNs
revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was
incorrect.
The 2 functions use DNs in different ways.
- lookup_usergroups_member() uses the DN in a search filter,
and must use the filter escaping function to escape it
Escaping filters that include escaped DNs ("\," becomes "\5c,") is the
correct way to do it (tested against W2k3).
- lookup_usergroups_memberof() instead uses the DN ultimately as a base dn.
Both functions do NOT need any DN escaping function as DNs can't be reliably
escaped when in a string form, intead each single RDN value must be escaped
separately.
DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as
they come already escaped on the wire and passed as is by the ldap libraries
DN filtering has been tested.
For example now it is possible to do something like:
'net ads add user joe#5' as now the '#' character is correctly escaped when
building the DN, previously such a call failed with Invalid DN Syntax.
Simo.
(This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
|
|
void message_register(int msg_type,
void (*fn)(int msg_type, struct process_id pid,
- void *buf, size_t len))
+ void *buf, size_t len,
+ void *private_data),
+ void *private_data)
{
struct dispatch_fns *dfn;
So this adds a (so far unused) private pointer that is passed from
message_register to the message handler. A prerequisite to implement a tiny
samba4-API compatible wrapper around our messaging system. That itself is
necessary for the Samba4 notify system.
Yes, I know, I could import the whole Samba4 messaging system, but I want to
do it step by step and I think getting notify in is more important in this
step.
Volker
(This used to be commit c8ae60ed65dcce9660ee39c75488f2838cf9a28b)
|
|
(This used to be commit ff8f27108d247aa9e46176f2b29fc8d2da103906)
|
|
site support in a network where many DC's are down.
I heard via Volker there is still a bug w.r.t the
wrong site being chosen with trusted domains but
we'll have to layer that fix on top of this.
Gd - complain if this doesn't work for you.
Jeremy.
(This used to be commit 97e248f89ac6548274f03f2ae7583a255da5ddb3)
|
|
* Fix DNS updates for multi-homed hosts
* Child domains often don't have an NS record in
DNS so we have to fall back to looking up the the NS
records for the forest root.
* Fix compile warning caused by mismatched 'struct in_addr'
and 'in_addr_t' parameters called to DoDNSUpdate()
(This used to be commit 3486acd3c3ebefae8f98dcc72d1c3d6b06fffcc7)
|
|
and properly use backslashes in "net ads join computername="
(This used to be commit cc26e2f9a155529b8ac2122bd2bec401bb516264)
|
|
Volker
(This used to be commit 55dc4741cfead0f21deb7ea2d28afb240505686b)
|
|
(http://www.centeris.com/) under my copyright.
* Rework error reporting to use DNS_ERROR instead
of int32
* Convert memory allocation to use talloc()
* Generalize the DNS request/response packet marshalling
* Fix the secure update requests
(This used to be commit c78798333616c3f823514df0f58da2eb3a30a988)
|
|
string the clis_state struct. So call saf_store() after we
have the short domain name in the lsa_query_inof_policy code.
* Remove unused server string in saf_delete()
(This used to be commit 3eddae2f2080f8dafec883cb9ffa2e578c242607)
|
|
Directory:
When having DC-less sites, AD assigns DCs from other sites to that site
that does not have it's own DC. The most reliable way for us to identify
the nearest DC - in that and all other cases - is the closest_dc flag in
the CLDAP reply.
Guenther
(This used to be commit ff004f7284cb047e738ba3d3ad6602e8aa84e883)
|
|
along with some memleaks.
Guenther
(This used to be commit 4bad52c5b3a983418d4216a2c3f5e04926e37e94)
|
|
Guenther
(This used to be commit 08db3d3b04d91238b739e88e817bd3f800b768ee)
|
|
Guenther
(This used to be commit 94ed3e9de8671d677451d2a16977caeeb7e744d1)
|
|
Guenther
(This used to be commit a20e7c0315f9a06ce2139f99d035b409b066d722)
|
|
we can't find a domain controller at all.
Guenther
(This used to be commit e691ae7da3620a7d4c0e0b1217aaae44db0b8db3)
|
|
his patch fit SAMBA_3_0. (This is guenthers code). Make
site support work correctly in net ads join.
Jeremy.
(This used to be commit 47352b5398e67eb8f4f383dafce31c922626ae99)
|
|
does not exist.
Guenther
(This used to be commit 359315021df3a4dbfe5142e529e3efdbc49e405c)
|
|
For those who are interested, try
net ads gpo refresh mybox$
to get your machine related GPOs downloaded to /var/lib/samba/gpo_cache.
Detailed information about GPOs is currently only printed when setting a
higher debuglevel then 0.
Guenther
(This used to be commit d086babf9d2592f041cc35db3d60b4452ea953f5)
|
|
Guenther
(This used to be commit 927cda5d31e9cb02105df3cfc06f5cb273233747)
|
|
disabled. Cope with both - print appropriate messages.
Jeremy.
(This used to be commit 2c003a4463ff59c477fa2558f869444cfa75e3a8)
|
|
a non-fatal error path if the 'disable machine
account' code succeeded.
Jeremy.
(This used to be commit f47bffa21ec1caf5ec3a6ec77af801df0b63d83a)
|
|
in AD.
Guenther
(This used to be commit 1bb29acb3bf40afdb5bc196ab7dbc642e2fdd680)
|
|
Compiled it on systems with and without LDAP, I hope it does not break the
build farm too badly. If it does, I'll fix it tomorrow.
Volker
(This used to be commit b2ff9680ebe0979fbeef7f2dabc2e3f27c959d11)
|
|
Jeremy.
(This used to be commit b8cedcac933fef9370bd42d1ff7c35c5c27103d1)
|
|
support when looking up DC's. On every CLDAP
call store the returned client sitename (if
present, delete store if not) in gencache with
infinate timeout. On AD DNS DC lookup, try looking
for sitename DC's first, only try generic if
sitename DNS lookup failed.
I still haven't figured out yet how to ensure
we fetch the sitename with a CLDAP query before
doing the generic DC list lookup. This code is
difficult to understand. I'll do some experiments
and backtraces tomorrow to try and work out where
to force a CLDAP site query first.
Jeremy.
(This used to be commit ab3f0c5b1e9c5fd192c5514cbe9451b938f9cd5d)
|
|
the LGPL. Original code by Krishna Ganugapati <krishnag@centeris.com>.
Additional work by me.
It's still got some warts, but non-secure updates do
currently work. There are at least four things left to
really clean up.
1. Change the memory management to use talloc() rather than
malloc() and cleanup the leaks.
2. Fix the error code reporting (see initial changes to
dnserr.h)
3. Fix the secure updates
4. Define a public interface in addns.h
5. Move the code in libads/dns.c into the libaddns/ directory
(and under the LGPL).
A few notes:
* Enable the new code by compiling with --with-dnsupdate
* Also adds the command 'net ads dns register'
* Requires -luuid (included in the e2fsprogs-devel package).
* Has only been tested on Linux platforms so there may be portability
issues.
(This used to be commit 36f04674aeefd93c5a0408b8967dcd48b86fdbc1)
|
|
Thanks to Michael Adam <ma@sernet.de>
hop, hop, hop... ;-)
Volker
(This used to be commit 47facab798bdc6e20b2620972f1b8f2338fac239)
|
|
net_ads_join.
Thanks to Michael Adam <ma@sernet.de>
Volker
(This used to be commit 27cca861507afa9caf694ef89e543c86de01c2cd)
|
|
(This used to be commit a347f8a9c480cf09abac9144e04ab2b13457e3b0)
|
|
Thanks to Michael Adam <ma@sernet.de>.
Volker
(This used to be commit ea3a4142a0f2140d8743a50518ae94df2d84d972)
|
|
Thanks to Michael Adam <ma@sernet.de>.
Volker
(This used to be commit c4e10afadb39ff562287ab2294df0a1f83b28908)
|
|
NO_LOGON_SERVERS if no domain controller was found.
Thanks to Michael Adam <ma@sernet.de>.
Volker
(This used to be commit d44599de3a61707a32851f37ddfb2425949622f8)
|
|
some memory leaks on error paths in net_ads_join()
(This used to be commit 24de2d83ff1d27400a89985126edee588bc415f3)
|
|
and createcomputer options
(This used to be commit 87be77bf35635fc925e1be36073571f8c6ec3e81)
|
|
* createupn=[host_upn@realm]
* createcomputer=<ou path top to bottom> (this was previously
the only arg)
(This used to be commit 75054e984e5ca7249b1327630db9d09da974a54e)
|
|
Disable the one we created and whine.
(This used to be commit 1a7e81a4a8955e643d1c8a54365221a9e2ed8a12)
|
|
toolset.
In 3.0.23 all those commands have been limited to the DC of our primary
domain. Also distinguish calls that may go to remote DCs (search, info,
lookup, etc.) from those that should only go to our primary domain
(join, leave, etc.).
Guenther
(This used to be commit d573e64781667993478a289580fa65c34e847f64)
|
|
Major points of interest:
* Figure the DES salt based on the domain functional level
and UPN (if present and applicable)
* Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC
keys
* Remove all the case permutations in the keytab entry
generation (to be partially re-added only if necessary).
* Generate keytab entries based on the existing SPN values
in AD
The resulting keytab looks like:
ktutil: list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
2 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
3 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
4 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
5 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
6 6 host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
7 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
8 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
9 6 suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName)
and the sAMAccountName value. The UPN will be added as well if the machine has
one. This fixes 'kinit -k'.
Tested keytab using mod_auth_krb and MIT's telnet. ads_verify_ticket()
continues to work with RC4-HMAC and DES keys.
(This used to be commit 6261dd3c67d10db6cfa2e77a8d304d3dce4050a4)
|
|
to do the upper layer directories but this is what
everyone is waiting for....
Jeremy.
(This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
|
|
Guenther
(This used to be commit 49fb1a3ebc44602302c347195752891bf28c7037)
|
|
int
in a format string.
Jeremy.
(This used to be commit face01ef01e1a3c96eae17c56cadf01020d4cb46)
|
|
Guenther
(This used to be commit 689ae22c80a890278610d9ada1eb4fa5e37bd5ce)
|
|
(adapt to the new UPN/SPN scheme).
Guenther
(This used to be commit 8fc70d0df0c93c29b49f924bac9ff5d9857cfd9d)
|
|
Guenther
(This used to be commit 741602e03ad2404d4e38e55b9e5fd20b85fd205d)
|
|
(since removal implies greater permissions that Windows clients require)
(This used to be commit ad1f947625612ef16adb69fc2cfeffc68a9a2e02)
|
|
the machine creds (just like WinXP)
(This used to be commit ae2bf464c47eb52ff24400d1cc362e74e77fbac5)
|
|
flags on the setuserinfo(), not the createuser info call
(This used to be commit d933ac273db5977fb41954175bdc228b688bfd6e)
|