we now do this:
- look for supported SASL mechanisms on the LDAP server
- choose GSS-SPNEGO if possible
- within GSS-SPNEGO choose KRB5 if we can do a kinit
- otherwise use NTLMSSP
This change also means that we no longer rely on having a gssapi
library to do ADS.
todo:
- add TLS/SSL support over LDAP
- change to using LDAP/SSL for password change in ADS
(This used to be commit b04e91f660d3b26d23044075d4a7e707eb41462d)
win2000 server. It does seem to work, and win2000 sends us a valid
reply, but we don't parse it yet. Maybe tomorrow :)
(This used to be commit 6352508c54cee333ed7c0e3ebc372be7cd60ed62)
(This used to be commit 3b0e60e522b669bad77e70d9c6f484a08ff84612)
unfortunately we don't seem to be able to auto-test the ADS join due to
a rather nasty property of the GSSAPI library.
(This used to be commit 87c34a974a91e940bd26078a68dd84f4341d6913)
setups.
- split up the ads structure into logical pieces. This makes it much
easier to keep things like the authentication realm and the server
realm separate (they can be different).
- allow ads callers to specify that no sasl bind should be performed
(used by "net ads info" for example)
- fix an error with handling ADS_ERROR_SYSTEM() when errno is 0
- completely rewrote the code for finding the LDAP server. Now try DNS
methods first, and try all DNS servers returned from the SRV DNS
query, sorted by closeness to our interfaces (using the same sort code
as we use in replies from WINS servers). This allows us to cope with
ADS DCs that are down, and ensures we don't pick one that is on the
other side of the country unless absolutely necessary.
- recognise dnsRecords as binary when displaying them
- cope with the realm not being configured in smb.conf (work it out
from the LDAP server)
- look at the trustDirection when looking up trusted domains and don't
include trusts that trust our domains but we don't trust
theirs.
- use LDAP to query the alternate (netbios) name for a realm, and make
sure that both long and short forms of the name are accepted by
winbindd. Use the short form by default for listing users/groups.
- rescan the list of trusted domains every 5 minutes in case new trust
relationships are added while winbindd is running
- include transient trust relationships (ie. C trusts B, B trusts A,
so C trusts A) in winbindd.
- don't do a gratuitous node status lookup when finding an ADS DC (we
don't need it and it could fail)
- remove unused sid_to_distinguished_name function
- make sure we find the alternate name of our primary domain when
operating with a netbiosless ADS DC (using LDAP to do the lookup)
- fixed the rpc trusted domain enumeration to support up to approx
2000 trusted domains (the old limit was 3)
- use the IP for the remote_machine (%m) macro when the client doesn't
supply us with a name via a netbios session request (eg. port 445)
- if the client uses SPNEGO then use the machine name from the SPNEGO
auth packet for remote_machine (%m) macro
- add new 'net ads workgroup' command to find the netbios workgroup
name for a realm
(This used to be commit e358d7b24c86a46d8c361b9e32a25d4f71a6dc00)
our smb.conf setup.
(This used to be commit cffa881092e48db10a712575a8671f695e8ef813)
very useful in scripts
(This used to be commit fc0d5479b575c1f495b9251413eed18ec1e37e02)
though it is up to the calling function to decide whether values are
strings or not. Attributes are not converted at this point, though support
for it would be simple.
I have tested it with users and groups using non-ascii chars, and if the
check for alphanumeric user/domain names is removed from sesssetup.c, even
a user with accented chars can connect, or even login (via winbind).
I have also simplified the interfaces to ads_mod_*, though we will probably
want to expand this by a few functions in the near future. We just had
too many ways to do the same thing...
(This used to be commit f924cb53580bc081ff34e45abba57629018c68d6)
Samba LDAP code.
I have found using 'ldapsearch' rather frustrating, particularly with
kerberos authentication. Using 'net ads search' makes it easier to
track down ADS problems.
(This used to be commit 55cad87424787fc5f140d307888f4c557dc2b345)
rpc and rap too. Anyone know what key I'm supposed to use to encrypt
it for the rap one?
(This used to be commit 033faaa8cbfe7e368c554b26e7a506098d06fa02)
Also update some of the help info.
(This used to be commit fde62de7a1735b2ef2d9593b38ffa5c7ea2e0d67)
(This used to be commit 3e58a1ee83ea0b4347ce24e566445cc6cb67bb3a)
server sort controls. Also put option externs in the net.h include.
(This used to be commit b69f11170c2b27016c44a98bc603d1c94ad7d4c2)
also filter out users that end in '$', which gives us the same results as
the net rpc user and net rap user.
(This used to be commit e3a813831276ec2aafa0caa4f4fed0785dcdb749)
- Added net_help.c for unified help when possible
- Added net rpc user listing, delete, info commands
- Unified net user command to autodetect ads/rpc/rap (try in that order)
- Added generic routine for detecting rpc (protocol > PROTOCOL_NT1)
- I'm sure I forgot something.
(This used to be commit 9daa5788c822cf1ad20dc703e7f03b9ee82987bf)
to make a connection (which stores the password in a global so it can be
used by rpc or rap function if ads fails) and close it to verify if ads
method should be used.
(This used to be commit 093297a27db9834cf8aea34302246af8997d9c66)
(This used to be commit dd7c20e5331116fd8cf9656a0f2406957b812bbb)
(This used to be commit d7317ca8da4b04804f4d01752cef56ec5a9c3418)
consistent with rap version.
(This used to be commit f6eb7c0c7ec83a3674d56f0e222b900887327319)
ads_process_results function. Also made sure net rap user and net ads
user display the same thing, to make auto-transport-detection smoother.
(This used to be commit 4cf42c07ec5deb14921fabfbd52a8a3345a730c9)
(This used to be commit 57645fd85b7789d7807a5ffb5b2572c6d5f9e3de)
(This used to be commit 98769f08e723c616a98a2f0c427e9b0e22b28be9)
(This used to be commit 7ba235c0fb4755092605743d575357602fd1ce05)
(This used to be commit 87ee4832312c9c65377500efd617bac086164834)
allowing more than 1000 (or whatever the query limit is on the server) objects to be returned. Printers will come next.
(This used to be commit 9c447920dfbae2e2d2343600401c1d860dad863b)
(This used to be commit 2a42e91397d7871d326abed0e99af297e71dd77e)
(This used to be commit 0511589088dc3e990f7b1a38a06489814c49ec1b)
[PATCH] net ads error
Date: Fri, 15 Feb 2002 20:03:32 +0200
From: Alexander Bokovoy <a.bokovoy@sam-solutions.net>
To: samba-technical@samba.org
Greetings!
Attached patch fixes a problem with non-working 'net ads -Uuser%pass'
in CVS HEAD.
(This used to be commit a21a951ff9493a6e33e4ff8388a95facdeacf7b4)
in the directory. Only publishes required fields right now.
(This used to be commit 1d326f8b7e68bcad6c35488f77b05c598ebaad5d)
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
(This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
a username on the commandline. Also don't continue past the kinit if a password is entered and fails because existing tickets would be used, which may not be desired if the username was specified.
(This used to be commit 7e5d7dfa834c0161460bde8a2f0d4824c0a0d1fe)
(This used to be commit 7e876057d5e392f85e6fdb0f2c233b0fe76df688)
(This used to be commit dfbe442c668480d88cb8b385c6b89f8e198ca500)
(This used to be commit 412e79c448bf02e3097b5c14a36fe0172d8d2895)
(This used to be commit 05a90a28843e0d69183a49a76617c5f32817df16)
- gss error code patch from a.bokovoy@sam-solutions.net
- better sid dumping in ads_dump
- fixed help in wbinfo
(This used to be commit ee1c3e1f044b4ef62169ad74c5cac40eef81bfda)
(This used to be commit f1231c2b54cac9d4fda7fa9d45fd329f1fd7b779)
(This used to be commit b107ecef7097e4b3b870f51fa6628b870703b4de)
cyrus-sasl which makes the code much less fragile. Also added code to auto-determine the server name or realm
(This used to be commit 435fdf276a79c2a517adcd7726933aeef3fa924b)
This moves the rest of the functionality into the 'net rpc join' code.
Furthermore, this moves that entire area over to the libsmb codebase, rather
than the crufty old rpc_client stuff.
I have also fixed up the smbpasswd -a -m bug in the process.
We also have a new 'net rpc changetrustpw' that can be called from a
cron-job to regularly change the trust account password, for sites
that run winbind but not smbd.
With a little more work, we can kill rpc_client from smbd entirely!
(It is mostly the domain auth stuff - which I can rework - and the
spoolss stuff that somebody else will need to look over).
Andrew Bartlett
(This used to be commit 575897e879fc175ba702adf245384033342c903d)
winbindd can do a kinit
this will be removed once we have code that gets a tgt
and puts it in a place where cyrus-sasl can see it
(This used to be commit 7d94f1b7365215a020d3678d03d820a7d086174f)
(This used to be commit ea76a687fc2614912fd6b0458622495f9920749e)
This allows us to use automagically obtained values in future, and the value
from krb5.conf now.
Also fix mem leaks etc.
Andrew Bartlett
(This used to be commit 8f9ce717819235d98a1463f20ac659cb4b4ebbd2)
(This used to be commit 8227f6909cca67fcc1a8455f4b386df7778ef2e7)
(This used to be commit b390d6eef95ee6094eb193006bc2f23c40291026)
(This used to be commit 720c50a7514febdd7cfd6ce40b7b5a0c5cc0abf8)
(This used to be commit f482583139eedb75a23c7a720dca4e8fb7070fd5)
(This used to be commit ae0eabd04c97320c2cf3c4575263c53cf61d03ea)
(This used to be commit 2f8fa175b189c2d11676245b01d3201c0a4f0826)