path: root/source3/utils/net_ads.c

| Age | Commit message | Author | Files | Lines |
|---|---|---|---|---|
| 2003-03-16 | Changes to help the kerberos change password code work on systems that have some of the labels 'duplicated' (ie, the defines double-up). Also, do an ads_connect() to try and find our KDC. (So we don't segfault *every* time) Andrew Bartlett (This used to be commit 56dce7ddad118051c93c62507234efca3920bc9b) | Andrew Bartlett | 1 | -0/+9 |
| 2003-03-15 | Minor fixes. - signed/unsigned - quieten warning about assignment as truth value - whitespace Andrew Bartlett (This used to be commit a13ce0df4b4a776fa635a1fb804dd00d195f58d0) | Andrew Bartlett | 1 | -1/+1 |
| 2003-03-12 | Patch from Ken Cross <kcross@nssolutions.com> to take a username in the form of user@realm for kerberos logins. Andrew Bartlett (This used to be commit ce013dc13e9e77b5cb9b2d5a4b76d54f91614e6c) | Andrew Bartlett | 1 | -0/+11 |
| 2003-02-25 | For some reason some attributes in ADS do not appear (and are not available) in general searches, but only if searching for the DN only. In my case, it was the tokenGroups attribute that caused me trouble, hence this patch. Andrew Bartlett (This used to be commit 8a0cc4c2beb5d6ad7e44bf47bf0f9ec4a3ffdb96) | Andrew Bartlett | 1 | -1/+63 |
| 2003-02-24 | Whenever we have a password, use the in-memory ccache. This fixes a bug where we were overwriting the user's ccache with the machine password (the -P option). Andrew Bartlett (This used to be commit 231d2f84ef36b30be98baf3b56ebf4a5cd8dad11) | Andrew Bartlett | 1 | -2/+3 |
| 2003-02-21 | Fixed another compiler warning. (This used to be commit d15b7425d408f17505c4f3a91ec68bcfc4472c16) | Tim Potter | 1 | -1/+1 |
| 2003-02-15 | Antti Andreimann <Antti.Andreimann@mail.ee> has done some changes to enable users w/o full administrative access on computer accounts to join a computer into AD domain. The patch and detailed changelog is available at: http://www.itcollege.ee/~aandreim/samba This is a list of changes in general: 1. When creating machine account do not fail if SD cannot be changed. setting SD is not mandatory and join will work perfectly without it. 2. Implement KPASSWD CHANGEPW protocol for changing trust password so machine account does not need to have reset password right for itself. 3. Command line utilities no longer interfere with user's existing kerberos ticket cache. 4. Command line utilities can do kerberos authentication even if username is specified (-U). Initial TGT will be requested in this case. I've modified the patch to share the kinit code, rather than copying it, and updated it to current CVS. The other change included in the original patch (local realms) has been left out for now. Andrew Bartlett (This used to be commit ce52f1c2ed4d3ddafe8ae6258c90b90fa434fe43) | Andrew Bartlett | 1 | -2/+14 |
| 2003-02-01 | Always escape ldap filter strings. Escaping code was from pam_ldap, but I'm to blame for the realloc() stuff. Plus a couple of minor updates to libads. Andrew Bartlett (This used to be commit 34b2e558a4b3cfd753339bb228a9799e27ed8170) | Andrew Bartlett | 1 | -1/+7 |
| 2003-01-15 | * removed unused variable from rpcclient code * added container option to net command (patch from SuSE) * Makefile patch for examples/VFS from SuSE (This used to be commit 4a6d8280ea27ca7a6998219aacc4b15b1227a659) | Gerald Carter | 1 | -2/+2 |
| 2003-01-14 | add help text for 'net ads lookup' (This used to be commit 2a642a1169a3c09988daa9623dcb4f21b0a2ad1f) | Andrew Tridgell | 1 | -0/+2 |
| 2003-01-02 | BIG patch... This patch makes Samba compile cleanly with -Wwrite-strings. - That is, all string literals are marked as 'const'. These strings are always read only, this just marks them as such for passing to other functions. What is most surprising is that I didn't need to change more than a few lines of code (all in 'net', which got a small cleanup of net.h and extern variables). The rest is just adding a lot of 'const'. As far as I can tell, I have not added any new warnings - apart from making all of tdbutil.c's function const (so they warn for adding that const string to struct). Andrew Bartlett (This used to be commit 92a777d0eaa4fb3a1c7835816f93c6bdd456816d) | Andrew Bartlett | 1 | -7/+13 |
| 2002-12-20 | Forward port the change to talloc_init() to make all talloc contexts named. Ensure we can query them. Jeremy. (This used to be commit 842e08e52a665ae678eea239759bb2de1a0d7b33) | Jeremy Allison | 1 | -2/+2 |
| 2002-11-23 | jcmd really should run with a higher compiler warning level more often :-). Jeremy. (This used to be commit 0ac3af1a27b8f1b9935bbcb6f3ec0b11d01bfcbd) | Jeremy Allison | 1 | -1/+1 |
| 2002-11-18 | Back out some goofs that accidentally checked in with printer publishing. (This used to be commit 6b51934616d8dd4280ce3013378f7ddd5569f267) | Jim McDonough | 1 | -3/+3 |
| 2002-11-18 | Next step of printer publishing. net ads printer publish <printername> [servername] Will retrieve the DsSpooler and DsDriver info by rpc for a remote server then publish it. Next comes doing it within smbd (This used to be commit 64951938cc5666a757683cbe9bee3a2c20a05323) | Jim McDonough | 1 | -34/+37 |
| 2002-11-12 | Removed global_myworkgroup, global_myname, global_myscope. Added liberal dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit 82b8f749a36b42e22186297482aad2abb04fab8a) | Jeremy Allison | 1 | -26/+19 |
| 2002-09-17 | Add clock skew handling to our kerberos code. This allows us to cope with the DC being out of sync with the local machine. (This used to be commit 0d28d769472ea3b98ae4c8757093dfd4499f6dd1) | Andrew Tridgell | 1 | -14/+12 |
| 2002-09-06 | Patch from "Stefan (metze) Metzmacher" <metze@metzemix.de> to extend the ADS_STATUS system to include NTSTATUS, and to provide a better general infrastructure for his sam_ads work. I've also added some extra failure mode DEBUG()s to parts of the code. NOTE: The ADS_ERR_OK() macro is rather sensitive to bracketing issues - without the final set of brackets, the test is essentially inverted - causing some interesting 'error = success' messages... Andrew Bartlett (This used to be commit 5b9a7ab901bc311f3ad08462a8a68d133c34a8b4) | Andrew Bartlett | 1 | -1/+1 |
| 2002-08-30 | convert the LDAP/SASL code to use GSS-SPNEGO if possible we now do this: - look for supported SASL mechanisms on the LDAP server - choose GSS-SPNEGO if possible - within GSS-SPNEGO choose KRB5 if we can do a kinit - otherwise use NTLMSSP This change also means that we no longer rely on having a gssapi library to do ADS. todo: - add TLS/SSL support over LDAP - change to using LDAP/SSL for password change in ADS (This used to be commit b04e91f660d3b26d23044075d4a7e707eb41462d) | Andrew Tridgell | 1 | -0/+4 |
| 2002-08-19 | added a 'net ads lookup' command that does a CLDAP NetLogon query to a win2000 server. It does seem to work, and win2000 sends us a valid reply, but we don't parse it yet. Maybe tomorrow :) (This used to be commit 6352508c54cee333ed7c0e3ebc372be7cd60ed62) | Andrew Tridgell | 1 | -0/+26 |
| 2002-08-06 | fixed 'net ads chostpass' for new ads structures (This used to be commit 3b0e60e522b669bad77e70d9c6f484a08ff84612) | Andrew Tridgell | 1 | -1/+11 |
| 2002-08-05 | added 'net rpc testjoin' and 'net ads testjoin' commands unfortunately we don't seem to be able to auto-test the ADS join due to a rather nasty property of the GSSAPI library. (This used to be commit 87c34a974a91e940bd26078a68dd84f4341d6913) | Andrew Tridgell | 1 | -0/+42 |
| 2002-08-05 | This fixes a number of ADS problems, particularly with netbiosless setups. - split up the ads structure into logical pieces. This makes it much easier to keep things like the authentication realm and the server realm separate (they can be different). - allow ads callers to specify that no sasl bind should be performed (used by "net ads info" for example) - fix an error with handling ADS_ERROR_SYSTEM() when errno is 0 - completely rewrote the code for finding the LDAP server. Now try DNS methods first, and try all DNS servers returned from the SRV DNS query, sorted by closeness to our interfaces (using the same sort code as we use in replies from WINS servers). This allows us to cope with ADS DCs that are down, and ensures we don't pick one that is on the other side of the country unless absolutely necessary. - recognise dnsRecords as binary when displaying them - cope with the realm not being configured in smb.conf (work it out from the LDAP server) - look at the trustDirection when looking up trusted domains and don't include trusts that trust our domains but we don't trust theirs. - use LDAP to query the alternate (netbios) name for a realm, and make sure that both long and short forms of the name are accepted by winbindd. Use the short form by default for listing users/groups. - rescan the list of trusted domains every 5 minutes in case new trust relationships are added while winbindd is running - include transient trust relationships (ie. C trusts B, B trusts A, so C trusts A) in winbindd. - don't do a gratuitous node status lookup when finding an ADS DC (we don't need it and it could fail) - remove unused sid_to_distinguished_name function - make sure we find the alternate name of our primary domain when operating with a netbiosless ADS DC (using LDAP to do the lookup) - fixed the rpc trusted domain enumeration to support up to approx 2000 trusted domains (the old limit was 3) - use the IP for the remote_machine (%m) macro when the client doesn't supply us with a name via a netbios session request (eg. port 445) - if the client uses SPNEGO then use the machine name from the SPNEGO auth packet for remote_machine (%m) macro - add new 'net ads workgroup' command to find the netbios workgroup name for a realm (This used to be commit e358d7b24c86a46d8c361b9e32a25d4f71a6dc00) | Andrew Tridgell | 1 | -29/+59 |
| 2002-07-31 | make sure that 'net ads info' gives info on the server we specify, not our smb.conf setup. (This used to be commit cffa881092e48db10a712575a8671f695e8ef813) | Andrew Tridgell | 1 | -0/+4 |
| 2002-07-30 | net ads info now reports the IP of the LDAP server as well as its name - very useful in scripts (This used to be commit fc0d5479b575c1f495b9251413eed18ec1e37e02) | Andrew Tridgell | 1 | -0/+1 |
| 2002-06-24 | Support utf8 on the wire for ads ldap. DN's are converted, as well as strings, though it is up to the calling function to decide whether values are strings or not. Attributes are not converted at this point, though support for it would be simple. I have tested it with users and groups using non-ascii chars, and if the check for alphanumeric user/domain names is removed from sesssetup.c, even a user with accented chars can connect, or even login (via winbind). I have also simplified the interfaces to ads_mod_*, though we will probably want to expand this by a few functions in the near future. We just had too many ways to do the same thing... (This used to be commit f924cb53580bc081ff34e45abba57629018c68d6) | Jim McDonough | 1 | -10/+20 |
| 2002-06-03 | added a 'net ads search' command, similar to 'ldapsearch' but using the Samba LDAP code. I have found using 'ldapsearch' rather frustrating, particularly with kerberos authentication. Using 'net ads search' makes it easier to track down ADS problems. (This used to be commit 55cad87424787fc5f140d307888f4c557dc2b345) | Andrew Tridgell | 1 | -7/+70 |
| 2002-05-23 | Allow initial password set on net ads user add. I need to do this on rpc and rap too. Anyone know what key I'm supposed to use to encrypt it for the rap one? (This used to be commit 033faaa8cbfe7e368c554b26e7a506098d06fa02) | Jim McDonough | 1 | -3/+30 |
| 2002-05-09 | Add ads group add and delete, allowing converged net group command. Also update some of the help info. (This used to be commit fde62de7a1735b2ef2d9593b38ffa5c7ea2e0d67) | Jim McDonough | 1 | -16/+106 |
| 2002-04-18 | fixed the fallback to a BDC for ADS connections (This used to be commit 3e58a1ee83ea0b4347ce24e566445cc6cb67bb3a) | Andrew Tridgell | 1 | -5/+4 |
| 2002-04-10 | Rename of ads_do_search_all2() to ads_do_search_all() and removal of server sort controls. Also put option externs in the net.h include. (This used to be commit b69f11170c2b27016c44a98bc603d1c94ad7d4c2) | Jim McDonough | 1 | -23/+11 |
| 2002-04-05 | Use the new ads_do_search_all2 function. It provides sorted results. We now also filter out users that end in '$', which gives us the same results as the net rpc user and net rap user. (This used to be commit e3a813831276ec2aafa0caa4f4fed0785dcdb749) | Jim McDonough | 1 | -30/+18 |
| 2002-04-05 | Lots more net consistency work: - Added net_help.c for unified help when possible - Added net rpc user listing, delete, info commands - Unified net user command to autodetect ads/rpc/rap (try in that order) - Added generic routine for detecting rpc (protocol > PROTOCOL_NT1) - I'm sure I forgot something. (This used to be commit 9daa5788c822cf1ad20dc703e7f03b9ee82987bf) | Jim McDonough | 1 | -10/+1 |
| 2002-04-04 | More updates for auto-detecting server connection method. Added net_ads_check() to make a connection (which stores the password in a global so it can be used by rpc or rap function if ads fails) and close it to verify if ads method should be used. (This used to be commit 093297a27db9834cf8aea34302246af8997d9c66) | Jim McDonough | 1 | -5/+38 |
| 2002-04-04 | Add non-ads version of net_ads_help for build on non-ads machines. (This used to be commit dd7c20e5331116fd8cf9656a0f2406957b812bbb) | Jim McDonough | 1 | -0/+6 |
| 2002-04-04 | Correct error string function call to ads_errstr() (This used to be commit d7317ca8da4b04804f4d01752cef56ec5a9c3418) | Jim McDonough | 1 | -3/+3 |
| 2002-04-04 | Add net ads user subcommands: add delete info. Also make user listing format consistent with rap version. (This used to be commit f6eb7c0c7ec83a3674d56f0e222b900887327319) | Jim McDonough | 1 | -12/+169 |
| 2002-03-29 | Re-implemented net ads user and net ads group to use the new ads_process_results function. Also made sure net rap user and net ads user display the same thing, to make auto-transport-detection smoother. (This used to be commit 4cf42c07ec5deb14921fabfbd52a8a3345a730c9) | Jim McDonough | 1 | -14/+50 |
| 2002-03-21 | make net ads info work with -S (This used to be commit 57645fd85b7789d7807a5ffb5b2572c6d5f9e3de) | Andrew Tridgell | 1 | -4/+5 |
| 2002-03-19 | make "net ads user" and "net ads group" also use the new paged interface (This used to be commit 98769f08e723c616a98a2f0c427e9b0e22b28be9) | Andrew Tridgell | 1 | -30/+16 |
| 2002-03-16 | Fix build for non-ads case (This used to be commit 7ba235c0fb4755092605743d575357602fd1ce05) | Jim McDonough | 1 | -0/+5 |
| 2002-03-15 | Expose net_ads_join to allow for auto-transport-detection for net join (This used to be commit 87ee4832312c9c65377500efd617bac086164834) | Jim McDonough | 1 | -1/+1 |
| 2002-03-14 | Add paged search requests to net ads user and net ads group commands, allowing more than 1000 (or whatever the query limit is on the server) objects to be returned. Printers will come next. (This used to be commit 9c447920dfbae2e2d2343600401c1d860dad863b) | Jim McDonough | 1 | -21/+32 |
| 2002-03-10 | try to use our workstation account password for ADS leave (This used to be commit 2a42e91397d7871d326abed0e99af297e71dd77e) | Andrew Tridgell | 1 | -4/+11 |
| 2002-02-16 | don't strdup() possibly null values. (This used to be commit 0511589088dc3e990f7b1a38a06489814c49ec1b) | Andrew Bartlett | 1 | -1/+3 |
| 2002-02-15 | Subject: [PATCH] net ads error Date: Fri, 15 Feb 2002 20:03:32 +0200 From: Alexander Bokovoy <a.bokovoy@sam-solutions.net> To: samba-technical@samba.org Greetings! Attached patch fixes a problem with non-working 'net ads -Uuser%pass' in CVS HEAD. (This used to be commit a21a951ff9493a6e33e4ff8388a95facdeacf7b4) | Andrew Bartlett | 1 | -1/+1 |
| 2002-02-02 | Add support for net ads printer to publish, remove, or display printer info in the directory. Only publishes required fields right now. (This used to be commit 1d326f8b7e68bcad6c35488f77b05c598ebaad5d) | Jim McDonough | 1 | -0/+167 |
| 2002-01-30 | Removed version number from file header. Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa) | Tim Potter | 1 | -1/+0 |
| 2002-01-25 | Enable net ads commands to use existing tickets if the user doesn't specify a username on the commandline. Also don't continue past the kinit if a password is entered and fails because existing tickets would be used, which may not be desired if the username was specified. (This used to be commit 7e5d7dfa834c0161460bde8a2f0d4824c0a0d1fe) | Jim McDonough | 1 | -4/+19 |
| 2002-01-16 | much better support for organisational units in ADS join (This used to be commit 7e876057d5e392f85e6fdb0f2c233b0fe76df688) | Andrew Tridgell | 1 | -3/+7 |