summaryrefslogtreecommitdiff
path: root/source3/utils
AgeCommit message (Collapse)AuthorFilesLines
2003-07-07and so it begins....Gerald Carter2-22/+22
* remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-07-05Add some debug statments to our vampire code - try to make it easier to trackAndrew Bartlett1-0/+6
down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05Fixes to our LDAP/vampire codepaths:Andrew Bartlett1-37/+44
- Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-04This patch cleans up some of our ldap code, for better behaviour:Andrew Bartlett1-0/+6
We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-03Removed strupper/strlower macros that automatically map to ↵Jeremy Allison4-11/+11
strupper_m/strlower_m. I really want people to think about when they're using multibyte strings. Jeremy. (This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
2003-07-03Some fixes for ads printer publish:Tim Potter1-6/+26
- check error return for cli_full_connection() when trying to obtain printer data - check error return on ads_find_machine_acct() - Minor reformatting to separate fetching printer data from publishing it (This used to be commit 94fe3b2cdfa67c9d74edc00a436b5eacbf3e0dc4)
2003-07-03Implemented 'net ads printer search' which searches the directory forTim Potter1-0/+32
published printers. At the moment we don't search using any parameters but this can be fixed by changing the LDAP search string. Also we should contact the global catalog at SRV _gc._tcp instead of the ldap server we get back from ads_startup(). (This used to be commit 814519c5de7f962623163b732c8589abd355d845)
2003-07-02#ifdef out apparently unused function.Tim Potter1-0/+4
(This used to be commit 9324703066cfdcb65208420a12e4ab8f358ccc09)
2003-06-30Yet more shadow variable warnings.Tim Potter1-3/+3
(This used to be commit b401e78b6eb7efa2af74a7e645c3b34091041769)
2003-06-27Some const correctness. Stop tdb being used as a remote backend. If anJeremy Allison3-27/+26
idmap backend is specified cause smbd to ask winbindd (use winbindd if you want a consistant remote backend solution). Should work well enough for next beta now... Jeremy. (This used to be commit 8f830c509af5976d988a30f0b0aee4ec61dd97a3)
2003-06-25large change:Gerald Carter3-13/+11
*) consolidates the dc location routines again (dns and netbios) get_dc_list() or get_sorted_dc_list() is the authoritative means of locating DC's again. (also inludes a flag to get_dc_list() to define if this should be a DNS only lookup or not) (however, if you set "name resolve order = hosts wins" you could still get DNS queries for domain name IFF ldap_domain2hostlist() fails. The answer? Fix your DNS setup) *) enabled DOMAIN<0x1c> lookups to be funneled through resolve_hosts resulting in a call to ldap_domain2hostlist() if lp_security() == SEC_ADS *) enables name cache for winbind ADS backend *) enable the negative connection cache for winbind ADS backend *) removes some old dead code *) consolidates some duplicate code *) moves the internal_name_resolve() to use an IP/port pair to deal with SRV RR dns replies. The namecache code also supports the IP:port syntax now as well. *) removes 'ads server' and moves the functionality back into 'password server' (which can support "hostname:port" syntax now but works fine with defaults depending on the value of lp_security()) (This used to be commit d7f7fcda425bef380441509734eca33da943c091)
2003-06-24Fixes from Martin Dorey <mdorey@bluearc.com> to only ask for and changeJeremy Allison1-7/+6
the requested parts of the ACL. Jeremy. (This used to be commit c35a88201c619f0ebbaf38adbd0ec2af77e23981)
2003-06-22Found out a good number of NT_STATUS_IS_ERR used the wrong way.Simo Sorce1-2/+2
As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK This patch will cure the problem. Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is used correctly, but I'm not 100% sure, coders should check the use of NT_STATUS_IS_ERR() in samba is ok now. Simo. (This used to be commit c501e84d412563eb3f674f76038ec48c2b458687)
2003-06-21(fixing bug in my last commit)Andrew Bartlett1-6/+6
This isn't C++ - start your code *after* all the variables are declared... Andrew Bartlett (This used to be commit b7760faedc2181538ffc325e727808e6df8f943f)
2003-06-21This removes the StrCaseCmp() stuff from 'net idmap' and 'netAndrew Bartlett4-178/+202
groupmap'. The correct way to implement this stuff is via a function table, as exampled in all the other parts of 'net'. This also moves the idmap code into a new file. Volker, is this your code? You might want to put your name on it. Andrew Bartlett (This used to be commit 477f2d9e390bb18d4f08d1cac9c981b73d628c4f)
2003-06-20Fix bug #136. Add message about erroneous empty "passdb backend" parameter.Jim McDonough1-0/+4
(This used to be commit 897125a9dbbd3f921d944e7bb7c5694a130c5173)
2003-06-18Ok, this patch removes the privilege stuff we had in, unused, for some time.Simo Sorce4-44/+13
The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-06-16Replace all use of bzero with memset ...Richard Sharpe1-15/+15
(This used to be commit e21aab516b33b01536dd9ea067a16b94a38ff4b1)
2003-06-16This glosses over John's problem at SambaXP 2003. When we want to joinVolker Lendecke1-3/+17
a NT4 domain as a BDC with an existing workstation account (existing bdc is fine), we fail. Print a friendly error message in this case. The correct solution would probably be to delete the account and try again. But even this makes us better than NT: NT4 fails in this situation with an empty warning message box and an unusable BDC. It has unsuccessfully tried to suck down the domain database, and thus has no administrator account to log in after reboot.... Volker (This used to be commit 1ddeea2179b11cedccf205c7ffea523ee6750b24)
2003-06-16Fix misleading debug message.Volker Lendecke1-1/+1
Volker (This used to be commit a4f76f2520515d820eb4a320036b998c88c596a8)
2003-06-16Make net rpc vampire return an error if the sam sync RPC returns an error.Tim Potter1-9/+29
E.g if we are pointing at a win2k native mode domain we are returned an NT_STATUS_NOT_SUPPORTED error. (This used to be commit 6053c30f26cdf60f2bbfa6fb58ced6f7bcbd2e83)
2003-06-16another improved debug statementAndrew Tridgell1-1/+1
(This used to be commit ac69b9c83cde306f89143fe43038adff876dd0b0)
2003-06-14Add 'net idmap restore'. This restores a broken idmap fileVolker Lendecke2-0/+73
from the output of 'net idmap dump'. 'net idmap dump' now also prints the USER/GROUP HWM. Volker (This used to be commit c0575be936572bb091a77c58361bd3a4fe9549ff)
2003-06-14This patch modifies 'net rpc vampire' to add new and existing users to bothAndrew Bartlett2-20/+43
the idmap and the SAM. The basic idea is this: Lookup the user with GetPwnam(), and if they exist then use that uid. This is what people expect. If the user does not exist, try and run the right script. This is also what people expect from previous Samba 3.0 behaviour, where the Get_Pwnam() was at runtime. If the idmap entry for this SID isn't valid, or isn't the right value, modify the idmap to account for this mapping. Also, the same logic is applied to the primary gid - if it has changed, update the user's primary unix group. This patch allows users to be added without a mapping - this is fine for machine accounts, for example. I've given it a quick test against my Win2k DC, and I *think* it's sane. Andrew Bartlett (This used to be commit d2a70bfff182352da50cd6c23ddfa80fe1b353c7)
2003-06-13Trivial extension to 'net' to dump current local idmap.Volker Lendecke2-0/+62
(This used to be commit 18f3a5efea7c60d764d5ed82f3a83e1608f8c34e)
2003-06-12Fix for bug#3. Show comments when doing 'net group -l'.Volker Lendecke1-16/+80
Volker (This used to be commit e5664adc07307a066c5312d9224cef2c69a40f77)
2003-06-12Working on bug#3. We want all of the aliases, so start with 0.Volker Lendecke1-0/+2
Volker (This used to be commit ec1a58d09e08583288b18747a0c82e5cf8139b63)
2003-06-10More updates on editreg.c to bring it better in line with the Samba source.Richard Sharpe1-21/+21
(This used to be commit dc69a638b9e12726f050d79b63f92f816c35fe8f)
2003-06-10use lp_realm() to find the default realm for 'net ads password'Andrew Tridgell1-10/+24
(This used to be commit 21d92802781ac224f569a990df3ec1070f0da434)
2003-06-08Make sure that we use schannel (if configured) when checking for a validAndrew Bartlett1-12/+13
join to the DC. Andrew Bartlett (This used to be commit af526fa9b39ab1f8483d5cee66321bc12f78ac05)
2003-05-30Fix bug #137: krb5_set_password is already defined in MIT 1.3 libs, soJim McDonough1-1/+2
we wouldn't build. (This used to be commit 0e9836c4e9e71494b10d71a5f3d5f7da2888c5ef)
2003-05-29Setting account policy values is done using -C, not -V. Fixes bug #120Jelmer Vernooij1-1/+1
(This used to be commit daf443757b62bd3c254a303d638bfd030b4acd2a)
2003-05-20Fix bug #96: Use DNS decompression to properly parse cldap netlogonJim McDonough1-110/+132
packets, otherwise repeated components will not decode correctly. Thanks to aliguori@us.ibm.com for the fix, and lukeh@padl.com for pointing us to the right docs. (This used to be commit a8d5d74cf80c6cae3eac1daa3f88d56373789560)
2003-05-15Patch from "Alex Deiter" <tiamat@komi.mts.ru> to fix incorrect error check.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 43ca4b8a8425b97a6bea08b91420bac6cde807b3)
2003-05-12Fix obvious compiler warnings.Jeremy Allison2-2/+1
Jeremy. (This used to be commit 2a6d0c2481c3c34351e57c30a85004babdbf99b0)
2003-05-12And finally IDMAP in 3_0Simo Sorce2-37/+27
We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-05-12Re-enable secure channel for net rpc vampire.Tim Potter1-8/+13
Jump out of sam entry processing loop if the return value from cli_netlogon_sam_sync() isn't OK or STATUS_MORE_ENTRIES. (This used to be commit 47d8ee3679292ece5d86df11bc56c9b4d71f3d11)
2003-05-12Fix up a bit of my sloppy C.Andrew Bartlett1-3/+2
(This used to be commit f67cc24acf37a9f46427c993574ecf261d7aec1a)
2003-05-12Give up on the idea of avoiding lp_load() in ntlm_auth....Andrew Bartlett1-8/+18
Also, we might be given a 0 length challenge, so don't smb_panic() for smb_xmalloc() of zero size. Andrew Bartlett (This used to be commit 4842de04cf2e1528e726dfad070dfe3a82f46fa2)
2003-05-12Make it possible to actually use --user-SID and --group-SID on a standard ↵Andrew Bartlett1-2/+2
command line. Andrew Bartlett (This used to be commit dd14da756640ba36834a05b9da4759a809c0bb37)
2003-05-11Fix compile.Andrew Bartlett1-1/+1
(This used to be commit ca2e453c7838b6d0ed2d0a45124d162073bbbf99)
2003-05-11Set the password for a newly created trustdom account. Tested againstVolker Lendecke1-3/+34
PDCs running NT4SP1, NT4SP6 and Samba 3.0. Volker (This used to be commit 2143446043b2c29027cf69554caddf41274df709)
2003-05-10Reverse previous patch from Stefan and me after comments by Andrew BartlettJelmer Vernooij15-34/+0
(This used to be commit d817eaf0ecca2d878ab1ffcf7a747a02d71c811e)
2003-05-10Patch from metze and me that adds dummy smb_register_*() functions soJelmer Vernooij15-0/+34
that is now possible to, for example, load a module which contains an auth method into a binary without the auth/ subsystem built in. (This used to be commit 74d9ecfe2dd7364643d32acb62ade957bd71cd0d)
2003-05-09Finally get NTLMv2 working on the client!Andrew Bartlett1-84/+29
With big thanks to tpot for the ethereal disector, and for the base code behind this, we now fully support NTLMv2 as a client. In particular, we support it with direct domain logons (tested with ntlm_auth --diagnostics), with 'old style' session setups, and with NTLMSSP. In fact, for NTLMSSP we recycle one of the parts of the server's reply directly... (we might need to parse for unicode issues later). In particular, a Win2k domain controller now supplies us with a session key for this password, which means that doman joins, and non-spnego SMB signing are now supported with NTLMv2! Andrew Bartlett (This used to be commit 9f6a26769d345d319ec167cd0e82a45e1207ed81)
2003-05-09Fix bug #4 for net rap. Allow more than 50 chars for long form listings of ↵Jim McDonough1-2/+2
users and groups. (This used to be commit dcc6d9e76c737400aaffdd4f261fd0f191aaeea8)
2003-05-09Sync up to head ...Richard Sharpe1-34/+100
(This used to be commit 045210e129e6e0aef8f847e7ed8714d0d9974e7f)
2003-05-09Sync to the changes in head ...Richard Sharpe1-1/+1
(This used to be commit 7f76eac5a0f93107d990b0fde651838c38970092)
2003-05-09Added some more diagnostic tests to check out a theory that having either hashTim Potter1-12/+174
- auth with ntlmv2 and lmv2 but deliberately break the ntlmv2 hash - auth with ntlmv2 and lmv2 but deliberately break the lmv2 hash - auth with ntlm and lm but deliberately break the ntlm hash - auth with ntlm and lm but deliberately break the lm hash My theory is that the NTLM or NTLMv2 field must be correct and if it is, it doesn't matter what the value of the LM or LMv2 field is. Fixed cosmetic test name display bug. (This used to be commit 5dcde9451bd0d6a7462b77cf5ed137bfd691adaa)
2003-05-09Fix up a bunch of problems in editreg.cRichard Sharpe1-16/+16
Now the build farm will no doubt find more. (This used to be commit e91e648c9b0841fbffbc8f39e71abade0996a1e7)