summaryrefslogtreecommitdiff
path: root/source3/utils/net_ads.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r19766: Fix a const-warning. Jerry, what did you want to fix with this line?Volker Lendecke1-1/+0
Volker (This used to be commit 55dc4741cfead0f21deb7ea2d28afb240505686b)
2007-10-10r19762: libaddns/*[ch] code fixes donated by Centeris CorporationGerald Carter1-62/+144
(http://www.centeris.com/) under my copyright. * Rework error reporting to use DNS_ERROR instead of int32 * Convert memory allocation to use talloc() * Generalize the DNS request/response packet marshalling * Fix the secure update requests (This used to be commit c78798333616c3f823514df0f58da2eb3a30a988)
2007-10-10r19754: * When using a krb5 session setup, we don't fill in the server_nameGerald Carter1-27/+22
string the clis_state struct. So call saf_store() after we have the short domain name in the lsa_query_inof_policy code. * Remove unused server string in saf_delete() (This used to be commit 3eddae2f2080f8dafec883cb9ffa2e578c242607)
2007-10-10r19651: Fix interesting bug with the automatic site coverage in Active ↵Günther Deschner1-1/+1
Directory: When having DC-less sites, AD assigns DCs from other sites to that site that does not have it's own DC. The most reliable way for us to identify the nearest DC - in that and all other cases - is the closest_dc flag in the CLDAP reply. Guenther (This used to be commit ff004f7284cb047e738ba3d3ad6602e8aa84e883)
2007-10-10r19528: Fix container handling for "net ads user" and "net ads group" functionsGünther Deschner1-8/+19
along with some memleaks. Guenther (This used to be commit 4bad52c5b3a983418d4216a2c3f5e04926e37e94)
2007-10-10r19527: Fix double free in "net ads group add".Günther Deschner1-1/+0
Guenther (This used to be commit 08db3d3b04d91238b739e88e817bd3f800b768ee)
2007-10-10r19525: Fix the same error in "net ads group delete".Günther Deschner1-3/+4
Guenther (This used to be commit 94ed3e9de8671d677451d2a16977caeeb7e744d1)
2007-10-10r19524: Stop "net ads user delete" from doing funny things.Günther Deschner1-3/+4
Guenther (This used to be commit a20e7c0315f9a06ce2139f99d035b409b066d722)
2007-10-10r19493: There is no point in prompting for a user's password in "net ads" whenGünther Deschner1-0/+8
we can't find a domain controller at all. Guenther (This used to be commit e691ae7da3620a7d4c0e0b1217aaae44db0b8db3)
2007-10-10r19257: Janitor for Guenther - as well as a little massaging to makeJeremy Allison1-37/+74
his patch fit SAMBA_3_0. (This is guenthers code). Make site support work correctly in net ads join. Jeremy. (This used to be commit 47352b5398e67eb8f4f383dafce31c922626ae99)
2007-10-10r19039: Do not segfault in "net ads printer info" when a requested printserverGünther Deschner1-1/+2
does not exist. Guenther (This used to be commit 359315021df3a4dbfe5142e529e3efdbc49e405c)
2007-10-10r19003: Finally activate "net ads gpo".Günther Deschner1-1/+1
For those who are interested, try net ads gpo refresh mybox$ to get your machine related GPOs downloaded to /var/lib/samba/gpo_cache. Detailed information about GPOs is currently only printed when setting a higher debuglevel then 0. Guenther (This used to be commit d086babf9d2592f041cc35db3d60b4452ea953f5)
2007-10-10r18817: Enable the build of the gpo tool but do not make it available yet.Günther Deschner1-1/+2
Guenther (This used to be commit 927cda5d31e9cb02105df3cfc06f5cb273233747)
2007-10-10r18467: Some sites allow an account to be deleted, but notJeremy Allison1-12/+15
disabled. Cope with both - print appropriate messages. Jeremy. (This used to be commit 2c003a4463ff59c477fa2558f869444cfa75e3a8)
2007-10-10r18446: Add the ldap 'leave domain' code - call this asJeremy Allison1-3/+14
a non-fatal error path if the 'disable machine account' code succeeded. Jeremy. (This used to be commit f47bffa21ec1caf5ec3a6ec77af801df0b63d83a)
2007-10-10r18170: Make sure to actually get the printing data before trying to publish itGünther Deschner1-2/+5
in AD. Guenther (This used to be commit 1bb29acb3bf40afdb5bc196ab7dbc642e2fdd680)
2007-10-10r18019: Fix a C++ warnings: Don't use void * in libads/ for LDAPMessage anymore.Volker Lendecke1-16/+16
Compiled it on systems with and without LDAP, I hope it does not break the build farm too badly. If it does, I'll fix it tomorrow. Volker (This used to be commit b2ff9680ebe0979fbeef7f2dabc2e3f27c959d11)
2007-10-10r17941: Fix print out of client site name.Jeremy Allison1-1/+1
Jeremy. (This used to be commit b8cedcac933fef9370bd42d1ff7c35c5c27103d1)
2007-10-10r17928: Implement the basic store for CLDAP sitenameJeremy Allison1-2/+2
support when looking up DC's. On every CLDAP call store the returned client sitename (if present, delete store if not) in gencache with infinate timeout. On AD DNS DC lookup, try looking for sitename DC's first, only try generic if sitename DNS lookup failed. I still haven't figured out yet how to ensure we fetch the sitename with a CLDAP query before doing the generic DC list lookup. This code is difficult to understand. I'll do some experiments and backtraces tomorrow to try and work out where to force a CLDAP site query first. Jeremy. (This used to be commit ab3f0c5b1e9c5fd192c5514cbe9451b938f9cd5d)
2007-10-10r17798: Beginnings of a standalone libaddns library released underGerald Carter1-3/+176
the LGPL. Original code by Krishna Ganugapati <krishnag@centeris.com>. Additional work by me. It's still got some warts, but non-secure updates do currently work. There are at least four things left to really clean up. 1. Change the memory management to use talloc() rather than malloc() and cleanup the leaks. 2. Fix the error code reporting (see initial changes to dnserr.h) 3. Fix the secure updates 4. Define a public interface in addns.h 5. Move the code in libads/dns.c into the libaddns/ directory (and under the LGPL). A few notes: * Enable the new code by compiling with --with-dnsupdate * Also adds the command 'net ads dns register' * Requires -luuid (included in the e2fsprogs-devel package). * Has only been tested on Linux platforms so there may be portability issues. (This used to be commit 36f04674aeefd93c5a0408b8967dcd48b86fdbc1)
2007-10-10r17603: Make net_ads_join_ok return NTSTATUS.Volker Lendecke1-7/+12
Thanks to Michael Adam <ma@sernet.de> hop, hop, hop... ;-) Volker (This used to be commit 47facab798bdc6e20b2620972f1b8f2338fac239)
2007-10-10r17602: Make check_ads_config return NTSTATUS, set some error codes in ↵Volker Lendecke1-10/+18
net_ads_join. Thanks to Michael Adam <ma@sernet.de> Volker (This used to be commit 27cca861507afa9caf694ef89e543c86de01c2cd)
2007-10-10r17591: machine_account is unused, and ctx must be freed. Thanks MichaelVolker Lendecke1-3/+2
(This used to be commit a347f8a9c480cf09abac9144e04ab2b13457e3b0)
2007-10-10r17585: Don't let ads_status throw away the error information.Volker Lendecke1-38/+45
Thanks to Michael Adam <ma@sernet.de>. Volker (This used to be commit ea3a4142a0f2140d8743a50518ae94df2d84d972)
2007-10-10r17557: Change net_join_domain to return NTSTATUS instead of int.Volker Lendecke1-15/+16
Thanks to Michael Adam <ma@sernet.de>. Volker (This used to be commit c4e10afadb39ff562287ab2294df0a1f83b28908)
2007-10-10r17551: Move some DEBUG to d_printf in interactive functions and returnVolker Lendecke1-7/+10
NO_LOGON_SERVERS if no domain controller was found. Thanks to Michael Adam <ma@sernet.de>. Volker (This used to be commit d44599de3a61707a32851f37ddfb2425949622f8)
2007-10-10r17383: Patch from Michael Adams <ma@sernet.de> to catchGerald Carter1-17/+17
some memory leaks on error paths in net_ads_join() (This used to be commit 24de2d83ff1d27400a89985126edee588bc415f3)
2007-10-10r17258: Cleanup the 'net ads help join' output and document createupnGerald Carter1-35/+46
and createcomputer options (This used to be commit 87be77bf35635fc925e1be36073571f8c6ec3e81)
2007-10-10r17158: Add two new options to 'net ads join'Gerald Carter1-12/+114
* createupn=[host_upn@realm] * createcomputer=<ou path top to bottom> (this was previously the only arg) (This used to be commit 75054e984e5ca7249b1327630db9d09da974a54e)
2007-10-10r17149: Fail the join if we cannot set any SPNs for the machine account.Gerald Carter1-24/+18
Disable the one we created and whine. (This used to be commit 1a7e81a4a8955e643d1c8a54365221a9e2ed8a12)
2007-10-10r17086: Re-add ability to contact remote domain controllers with the "net ads"Günther Deschner1-37/+62
toolset. In 3.0.23 all those commands have been limited to the DC of our primary domain. Also distinguish calls that may go to remote DCs (search, info, lookup, etc.) from those that should only go to our primary domain (join, leave, etc.). Guenther (This used to be commit d573e64781667993478a289580fa65c34e847f64)
2007-10-10r16952: New derive DES salt code and Krb5 keytab generationGerald Carter1-15/+56
Major points of interest: * Figure the DES salt based on the domain functional level and UPN (if present and applicable) * Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC keys * Remove all the case permutations in the keytab entry generation (to be partially re-added only if necessary). * Generate keytab entries based on the existing SPN values in AD The resulting keytab looks like: ktutil: list -e slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 2 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 3 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) 4 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 5 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 6 6 host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) 7 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 8 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 9 6 suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName) and the sAMAccountName value. The UPN will be added as well if the machine has one. This fixes 'kinit -k'. Tested keytab using mod_auth_krb and MIT's telnet. ads_verify_ticket() continues to work with RC4-HMAC and DES keys. (This used to be commit 6261dd3c67d10db6cfa2e77a8d304d3dce4050a4)
2007-10-10r16945: Sync trunk -> 3.0 for 3.0.24 code. Still needJeremy Allison1-5/+6
to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2007-10-10r16453: Fix another memleak.Günther Deschner1-0/+1
Guenther (This used to be commit 49fb1a3ebc44602302c347195752891bf28c7037)
2007-10-10r16284: Start fixing up gcc4 -O6 warnings on an x86_64 box. size_t != unsignedJeremy Allison1-2/+2
int in a format string. Jeremy. (This used to be commit face01ef01e1a3c96eae17c56cadf01020d4cb46)
2007-10-10r16261: Smaller fixes for net ads password.Günther Deschner1-2/+2
Guenther (This used to be commit 689ae22c80a890278610d9ada1eb4fa5e37bd5ce)
2007-10-10r16115: Make "net ads changetrustpw" work again.Günther Deschner1-4/+4
(adapt to the new UPN/SPN scheme). Guenther (This used to be commit 8fc70d0df0c93c29b49f924bac9ff5d9857cfd9d)
2007-10-10r15703: Fix d_printf call.Günther Deschner1-1/+1
Guenther (This used to be commit 741602e03ad2404d4e38e55b9e5fd20b85fd205d)
2007-10-10r15701: change 'net ads leave' to disable the machine account in the domain ↵Gerald Carter1-212/+55
(since removal implies greater permissions that Windows clients require) (This used to be commit ad1f947625612ef16adb69fc2cfeffc68a9a2e02)
2007-10-10r15680: use the user creds when calling net_set_machine_spn() rather than ↵Gerald Carter1-64/+15
the machine creds (just like WinXP) (This used to be commit ae2bf464c47eb52ff24400d1cc362e74e77fbac5)
2007-10-10r15597: more ads join fixes -- we can only set the PWDNOEXP and DES_ONLY acb ↵Gerald Carter1-7/+9
flags on the setuserinfo(), not the createuser info call (This used to be commit d933ac273db5977fb41954175bdc228b688bfd6e)
2007-10-10r15561: Should re-fix older systems without RC4-HMAC supportGerald Carter1-15/+6
(This used to be commit 00c795e3660a65419e707706abf48916dcd7f850)
2007-10-10r15560: Since the hotel doesn't have Sci-Fi and no "Doctor Who"....Gerald Carter1-5/+71
Re-add the capability to specify an OU in which to create the machine account. Done via LDAP prior to the RPC join. (This used to be commit b69ac0e30441faea7a7d677b6bb551aa8ffbf55d)
2007-10-10r15559: Smaller fixes for the new cldap code:Günther Deschner1-2/+1
* replace printf to stderr with DEBUG statements as they get printed in daemons * "net ads lookup" return code Guenther (This used to be commit 8dd925c5fbfcbe711c596d08e8eadc19607d5492)
2007-10-10r15543: New implementation of 'net ads join' to be more like Windows XP.Gerald Carter1-119/+550
The motivating factor is to not require more privileges for the user account than Windows does when joining a domain. The points of interest are * net_ads_join() uses same rpc mechanisms as net_rpc_join() * Enable CLDAP queries for filling in the majority of the ADS_STRUCT->config information * Remove ldap_initialized() from sam/idmap_ad.c and libads/ldap.c * Remove some unnecessary fields from ADS_STRUCT * Manually set the dNSHostName and servicePrincipalName attribute using the machine account after the join Thanks to Guenther and Simo for the review. Still to do: * Fix the userAccountControl for DES only systems * Set the userPrincipalName in order to support things like 'kinit -k' (although we might be able to just use the sAMAccountName instead) * Re-add support for pre-creating the machine account in a specific OU (This used to be commit 4c4ea7b20f44cd200cef8c7b389d51b72eccc39b)
2007-10-10r15471: Clarify error messageVolker Lendecke1-2/+2
(This used to be commit f21adc04f745a966dbe6ef0b4ffd9729afa3fa78)
2007-10-10r15462: replace the use of OpenLDAP's ldap_domain2hostlist() forGerald Carter1-1/+5
locating AD DC's with out own DNS SRV queries. Testing on Linux and Solaris. (This used to be commit cf71f88a3cdcabf99c0798ef4cf8c978397a57eb)
2007-10-10r15460: Prefer to use the indexed objectCategory attribute (instead ofGünther Deschner1-2/+2
objectClass which is not indexed on AD) in LDAP queries. Guenther (This used to be commit 847882a98328b91a2157959c5dad0a2023223846)
2007-10-10r15336: Unknown escape sequence: '\305' - should have been '\n'.Jeremy Allison1-1/+1
(How did that get in there ?). Jeremy (This used to be commit 780b71d300da71acc8b4f0fe10c1ae78c71e23c4)
2007-10-10r15305: Let winbind search by sid directly (or in windows terms: "bind to aGünther Deschner1-0/+68
sid"); works in all AD versions I tested. Also add "net ads sid" search tool. Guenther (This used to be commit 5557ada6943b817d28a5471c613c7291febe2ad5)