Age | Commit message (Collapse) | Author | Files | Lines |
|
Thanks to Michael Adam <ma@sernet.de>
hop, hop, hop... ;-)
Volker
(This used to be commit 47facab798bdc6e20b2620972f1b8f2338fac239)
|
|
net_ads_join.
Thanks to Michael Adam <ma@sernet.de>
Volker
(This used to be commit 27cca861507afa9caf694ef89e543c86de01c2cd)
|
|
(This used to be commit a347f8a9c480cf09abac9144e04ab2b13457e3b0)
|
|
Thanks to Michael Adam <ma@sernet.de>.
Volker
(This used to be commit ea3a4142a0f2140d8743a50518ae94df2d84d972)
|
|
Thanks to Michael Adam <ma@sernet.de>.
Volker
(This used to be commit c4e10afadb39ff562287ab2294df0a1f83b28908)
|
|
NO_LOGON_SERVERS if no domain controller was found.
Thanks to Michael Adam <ma@sernet.de>.
Volker
(This used to be commit d44599de3a61707a32851f37ddfb2425949622f8)
|
|
some memory leaks on error paths in net_ads_join()
(This used to be commit 24de2d83ff1d27400a89985126edee588bc415f3)
|
|
and createcomputer options
(This used to be commit 87be77bf35635fc925e1be36073571f8c6ec3e81)
|
|
* createupn=[host_upn@realm]
* createcomputer=<ou path top to bottom> (this was previously
the only arg)
(This used to be commit 75054e984e5ca7249b1327630db9d09da974a54e)
|
|
Disable the one we created and whine.
(This used to be commit 1a7e81a4a8955e643d1c8a54365221a9e2ed8a12)
|
|
toolset.
In 3.0.23 all those commands have been limited to the DC of our primary
domain. Also distinguish calls that may go to remote DCs (search, info,
lookup, etc.) from those that should only go to our primary domain
(join, leave, etc.).
Guenther
(This used to be commit d573e64781667993478a289580fa65c34e847f64)
|
|
Major points of interest:
* Figure the DES salt based on the domain functional level
and UPN (if present and applicable)
* Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC
keys
* Remove all the case permutations in the keytab entry
generation (to be partially re-added only if necessary).
* Generate keytab entries based on the existing SPN values
in AD
The resulting keytab looks like:
ktutil: list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
2 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
3 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
4 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
5 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
6 6 host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
7 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
8 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
9 6 suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName)
and the sAMAccountName value. The UPN will be added as well if the machine has
one. This fixes 'kinit -k'.
Tested keytab using mod_auth_krb and MIT's telnet. ads_verify_ticket()
continues to work with RC4-HMAC and DES keys.
(This used to be commit 6261dd3c67d10db6cfa2e77a8d304d3dce4050a4)
|
|
to do the upper layer directories but this is what
everyone is waiting for....
Jeremy.
(This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
|
|
Guenther
(This used to be commit 49fb1a3ebc44602302c347195752891bf28c7037)
|
|
int
in a format string.
Jeremy.
(This used to be commit face01ef01e1a3c96eae17c56cadf01020d4cb46)
|
|
Guenther
(This used to be commit 689ae22c80a890278610d9ada1eb4fa5e37bd5ce)
|
|
(adapt to the new UPN/SPN scheme).
Guenther
(This used to be commit 8fc70d0df0c93c29b49f924bac9ff5d9857cfd9d)
|
|
Guenther
(This used to be commit 741602e03ad2404d4e38e55b9e5fd20b85fd205d)
|
|
(since removal implies greater permissions that Windows clients require)
(This used to be commit ad1f947625612ef16adb69fc2cfeffc68a9a2e02)
|
|
the machine creds (just like WinXP)
(This used to be commit ae2bf464c47eb52ff24400d1cc362e74e77fbac5)
|
|
flags on the setuserinfo(), not the createuser info call
(This used to be commit d933ac273db5977fb41954175bdc228b688bfd6e)
|
|
(This used to be commit 00c795e3660a65419e707706abf48916dcd7f850)
|
|
Re-add the capability to specify an OU in which to create
the machine account. Done via LDAP prior to the RPC join.
(This used to be commit b69ac0e30441faea7a7d677b6bb551aa8ffbf55d)
|
|
* replace printf to stderr with DEBUG statements as they get printed in
daemons
* "net ads lookup" return code
Guenther
(This used to be commit 8dd925c5fbfcbe711c596d08e8eadc19607d5492)
|
|
The motivating factor is to not require more privileges for
the user account than Windows does when joining a domain.
The points of interest are
* net_ads_join() uses same rpc mechanisms as net_rpc_join()
* Enable CLDAP queries for filling in the majority of the
ADS_STRUCT->config information
* Remove ldap_initialized() from sam/idmap_ad.c and
libads/ldap.c
* Remove some unnecessary fields from ADS_STRUCT
* Manually set the dNSHostName and servicePrincipalName attribute
using the machine account after the join
Thanks to Guenther and Simo for the review.
Still to do:
* Fix the userAccountControl for DES only systems
* Set the userPrincipalName in order to support things like
'kinit -k' (although we might be able to just use the sAMAccountName
instead)
* Re-add support for pre-creating the machine account in
a specific OU
(This used to be commit 4c4ea7b20f44cd200cef8c7b389d51b72eccc39b)
|
|
(This used to be commit f21adc04f745a966dbe6ef0b4ffd9729afa3fa78)
|
|
locating AD DC's with out own DNS SRV queries.
Testing on Linux and Solaris.
(This used to be commit cf71f88a3cdcabf99c0798ef4cf8c978397a57eb)
|
|
objectClass which is not indexed on AD) in LDAP queries.
Guenther
(This used to be commit 847882a98328b91a2157959c5dad0a2023223846)
|
|
(How did that get in there ?).
Jeremy
(This used to be commit 780b71d300da71acc8b4f0fe10c1ae78c71e23c4)
|
|
sid"); works in all AD versions I tested. Also add "net ads sid" search
tool.
Guenther
(This used to be commit 5557ada6943b817d28a5471c613c7291febe2ad5)
|
|
Guenther
(This used to be commit ba81b508caa4ab21a04d142f3621e43a55e859cf)
|
|
this is
sufficient to fix bug #3659.
Volker
(This used to be commit 0ef5e4372c45a60d66a902a6dbca58ae98529358)
|
|
(This used to be commit a6e88785e7116c1a88e1bfdfa2afadecd501bfb0)
|
|
Guenther
(This used to be commit 22b687589785051eca16a868e3475f066b647ea7)
|
|
Jeremy.
(This used to be commit 75be5c17bc74c86219c7cac749b52b7d43abb780)
|
|
Guenther
(This used to be commit d17712f9761589115e976e2240498396f36838ee)
|
|
(This used to be commit db00570535c03360bb2833f070878a33e94306b0)
|
|
All 'usage' messages are still printed to stdout.
Fix some compiler warnings for system() calls where we didn't used the
return code. Add appropriate error messages and return with the error
code we got from system() or NT_STATUS_UNSUCCESSFUL.
(This used to be commit f650e3bdafc4c6bcd7eb4bcf8b6b885b979919eb)
|
|
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
|
|
Guenther
(This used to be commit afa8ae831a8d9cde8c6474c5fc807a9ca8155273)
|
|
version to 3.0.20pre1
(This used to be commit 9727d05241574042dd3aa8844ae5c701d22e2da1)
|
|
(This used to be commit 81c1ac255ebf0adf3bdb96b077a34dcfab1812cf)
|
|
Volker
(This used to be commit 913c06ad3e752f2b185faa411d90a2f7aaf42291)
|
|
guard for disp_fields[0].
Jeremy.
(This used to be commit ee45f4b17e4131a9e0779046c49b24d1e35256d8)
|
|
1. using smbc_getxattr() et al, one may now request all access control
entities in the ACL without getting all other NT attributes.
2. added the ability to exclude specified attributes from the result set
provided by smbc_getxattr() et al, when requesting all attributes,
all NT attributes, or all DOS attributes.
3. eliminated all compiler warnings, including when --enable-developer
compiler flags are in use. removed -Wcast-qual flag from list, as that
is specifically to force warnings in the case of casting away qualifiers.
Note: In the process of eliminating compiler warnings, a few nasties were
discovered. In the file libads/sasl.c, PRIVATE kerberos interfaces
are being used; and in libsmb/clikrb5.c, both PRIAVE and DEPRECATED
kerberos interfaces are being used. Someone who knows kerberos
should look at these and determine if there is an alternate method
of accomplishing the task.
(This used to be commit 994694f7f26da5099f071e1381271a70407f33bb)
|
|
"qualifiers". The
whole of samba comiles warning-free with the default compiler flags.
Temporarily defined -Wall to locate other potential problems. Found an
unused static function (#ifdefed out rather than deleted, in case it's
needed for something in progress).
There are also a number of uses of undeclared functions, mostly krb5_*.
Files with these problems need to have appropriate header files included,
but they are not fixed in this update.
oplock_linux.c.c has undefined functions capget() and capset(), which need
to have "#undef _POSIX_SOURCE" specified before including <sys/capability.h>,
but that could potentially have other side effects, so that remains uncorrected
as well.
The flag -Wall should be added permanently to CFLAGS, and all warnings then
generated should be eliminated.
(This used to be commit 5b19ede88ed80318e392f8017f4573fbb2ecbe0f)
|
|
'disable netbios = yes'
(This used to be commit 77734120d30c64941e2046574c81653c5bca4220)
|
|
allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
|
|
Jeremy.
(This used to be commit b356a8fdc5a1ac45f2f7f56a0836e794bdecddc6)
|
|
Jeremy.
(This used to be commit 0f3f7b035b37bfc51d3a59d0472003c3d4ac1511)
|