Age | Commit message (Collapse) | Author | Files | Lines |
|
from APP_HEAD
(This used to be commit 1cfd2ee433305e91e87804dd55d10e025d30a69e)
|
|
(i ignored the new SAMBA stuff, but the rest of this looks like it should
have been merged already).
(This used to be commit 3de09e5cf1f667e410ee8b9516a956860ce7290f)
|
|
- Fix segfaults in the 'net ads' commands when no password is provided
- Readd --with-ldapsam for 2.2 compatability. This conditionally compiles the
old options, but the actual code is available on all ldap systems.
- Fix shadow passwords (as per work with vl)
- Fix sending plaintext passwords to unicode servers (again vl)
- Add a bit of const to secrets.c functions
- Fix some spelling and grammer by vance.
- Document the -r option in smbgroupedit.
There are more changes in HEAD, I'm only merging the changes I've been involved
with.
Andrew Bartlett
(This used to be commit 83973c389355a5cc9ca74af467dfd8b5dabd2c8f)
|
|
(This used to be commit a1c4a16267653375fbbc73de9234ddadbe92a396)
|
|
(This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
|
|
(This used to be commit e026b84815ad1a5fa981c24fff197fefa73b4928)
|
|
(This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
|
|
used to be commit 9a5541595f78f2cbba16030552c6e780f6fddcf6)
|
|
getsid, then join as a BDC, and then watch net rpc vampire suck out
the good stuff out of a PDC :-). It's not perfect, but it does quite a
bit for me. Watch out for more.
Volker
(This used to be commit f0d7ac9feb5844c93789344285b1d66f480209ba)
|
|
(This used to be commit b53547bf663ed1714326f9b0e74215e012e728af)
|
|
(This used to be commit 08c3e2b824cd2c93ca548fa18ea16a18f5b197e5)
|
|
When creating a group you have to take care of the fact that the
underlying unix might not like the group name. This change gets around
that problem by giving the add group script the chance to invent a
group name. It then must only return the newly created numerical gid.
Volker
(This used to be commit b959419ed38e66a12b63cad3e5fbfa849f952acc)
|
|
(This used to be commit 42774a7753eb8be1ec04bcb5dda089910a1b6d0b)
|
|
Volker
(This used to be commit f6ed429838cc0140c0d033875012c7a999891549)
|
|
Volker
(This used to be commit 8c41b5cd1b8b0c2639def9552bd20b8aca39785c)
|
|
positive name for this. It creates users and global groups. More to come.
Volker
(This used to be commit 0c1fadd9e024ef886542d362a7f119968552852d)
|
|
(This used to be commit a8dc1464ea2d05eb2a26afdd433cdb6b69002259)
|
|
the DC being out of sync with the local machine.
(This used to be commit 0d28d769472ea3b98ae4c8757093dfd4499f6dd1)
|
|
(This used to be commit 05a202c287f5daeb1ccbaf9479aa93e7928e93db)
|
|
(This used to be commit 6f0561acadd139e37f86e30a2bbf10f428178eaf)
|
|
Rafal Szczesniak <mimir@diament.ists.pwr.wroc.pl>
It includes a conversion of make_user_info*() to NTSTATUS and some minor
changes to other files.
It also picks up on a nasty segfault that can occour in some security=domain
cases.
Andrew Bartlett
(This used to be commit d1e1fc3e4bf72717b3593685f0ea5750d676952a)
|
|
to extend the ADS_STATUS system to include NTSTATUS, and to provide a better
general infrustructure for his sam_ads work.
I've also added some extra failure mode DEBUG()s to parts of the code.
NOTE: The ADS_ERR_OK() macro is rather sensitive to braketing issues - without
the final set of brakets, the test is essentially inverted - causing some
intersting 'error = success' messages...
Andrew Bartlett
(This used to be commit 5b9a7ab901bc311f3ad08462a8a68d133c34a8b4)
|
|
(This used to be commit 26bee60a419593a5afe4e48614f7f3fc414596a5)
|
|
changed cli_nt_setup_creds() to call cli_net_auth_2 or cli_net_auth_3 based on a switch.
pass also the negociation flags all the way.
all the places calling cli_nt_setup_creds() are still using cli_net_aut2(), it's just for future use and for rpcclient.
in the future we will be able to call auth_2 or auth_3 as we want.
J.F.
(This used to be commit 4d38caca40f98d0584fefb9d66424a3db5b5789e)
|
|
we now do this:
- look for suported SASL mechanisms on the LDAP server
- choose GSS-SPNEGO if possible
- within GSS-SPNEGO choose KRB5 if we can do a kinit
- otherwise use NTLMSSP
This change also means that we no longer rely on having a gssapi
library to do ADS.
todo:
- add TLS/SSL support over LDAP
- change to using LDAP/SSL for password change in ADS
(This used to be commit b04e91f660d3b26d23044075d4a7e707eb41462d)
|
|
I get all the groups at least.
Volker
(This used to be commit 23a4f6991e93797afad0043689737a1b20c67f60)
|
|
(This used to be commit c1e00f5f160985323f5a9ade42f2ebb2a798b17c)
|
|
Volker
(This used to be commit f76a5431f0448efbc879aee965c643e2e362632a)
|
|
might be ugly, etc - please don't blame me for anything but instead try to fix
the code :-). Compiling of the new sam system can be enabled with the
configure option --with-sam
Removing passdb/passgrp.c as it's unused
fix typo in utils/testparm.c
(This used to be commit 4b7de5ee236c043e6169f137992baf09a95c6f2c)
|
|
bound to a given driver
(This used to be commit e913d508d4f894eb3f0e59b9c28b0fc5b56962ec)
|
|
(This used to be commit 228fc518da0404fe770175d5277fe5f5b08f9c67)
|
|
samsync operations (as a BDC)
(This used to be commit e4cb106d2e3e6a41529369545a7a6ce5fe6d8986)
|
|
options.
Andrew Bartlett
(This used to be commit 4cd822d9e4e5f35a47b0837bfa73c8a457e6cc85)
|
|
(This used to be commit addf29e6765393b25c35bd833d29e29e4581c233)
|
|
user SIDs correctly.
Volker
(This used to be commit 287b7bda11100c42f2cdea36a20a81f6ea397f43)
|
|
(This used to be commit 2df34c9bfc76ee832e5005a2ad0ff0b6abb98034)
|
|
Print domain SID on 'net rpc info'
Volker
(This used to be commit 12fd889a3f0e3eeeb27a51cdd7f648a59083f2ba)
|
|
(This used to be commit 169e784f4829ef356ed6232ace950d43cac1d467)
|
|
Volker
(This used to be commit 5af5326f1311a49d3c8316e1dcc27037b831065a)
|
|
(This used to be commit 8aae10bcdc05fca4e0281ac91a7679c60b791534)
|
|
couple of unknown fields we still need to work out.
(This used to be commit 67b4dbd5c9f2665d5e6157b8cd522ebff4b8a4ea)
|
|
we still need to parse the core of the structure
(This used to be commit 6780ae25bf7ca291f612682dec7ee7ff44c24bef)
|
|
win2000 server. It does seem to work, and win200 sends us a valid
reply, but we don't parse it yet. Maybe tomorrow :)
(This used to be commit 6352508c54cee333ed7c0e3ebc372be7cd60ed62)
|
|
(This used to be commit 1b83b78e332b9d28914eff155530e81cf2073a58)
|
|
(This used to be commit cb72eead70509eddaa051571f3eed3c46304b5f8)
|
|
(This used to be commit aa93db5abed75b5c9a032a080c07473fafa53a43)
|
|
future.
This moves us from fstrcpy() and global variables to 'get' and 'set' functions.
In particular, the 'set' function sainity-checks the input, in the same way as
we always have.
Andrew Bartlett
(This used to be commit e57a896f06b16fe7e336e1ae63a0c9e4cc75fd36)
|
|
(This used to be commit 3b0e60e522b669bad77e70d9c6f484a08ff84612)
|
|
unfortuately we don't seem to be able to auto-test the ADS join due to
a rather nasty property of the GSSAPI library.
(This used to be commit 87c34a974a91e940bd26078a68dd84f4341d6913)
|
|
setups.
- split up the ads structure into logical pieces. This makes it much
easier to keep things like the authentication realm and the server
realm separate (they can be different).
- allow ads callers to specify that no sasl bind should be performed
(used by "net ads info" for example)
- fix an error with handing ADS_ERROR_SYSTEM() when errno is 0
- completely rewrote the code for finding the LDAP server. Now try DNS
methods first, and try all DNS servers returned from the SRV DNS
query, sorted by closeness to our interfaces (using the same sort code
as we use in replies from WINS servers). This allows us to cope with
ADS DCs that are down, and ensures we don't pick one that is on the
other side of the country unless absolutely necessary.
- recognise dnsRecords as binary when displaying them
- cope with the realm not being configured in smb.conf (work it out
from the LDAP server)
- look at the trustDirection when looking up trusted domains and don't
include trusts that trust our domains but we don't trust
theirs.
- use LDAP to query the alternate (netbios) name for a realm, and make
sure that both and long and short forms of the name are accepted by
winbindd. Use the short form by default for listing users/groups.
- rescan the list of trusted domains every 5 minutes in case new trust
relationships are added while winbindd is running
- include transient trust relationships (ie. C trusts B, B trusts A,
so C trusts A) in winbindd.
- don't do a gratuituous node status lookup when finding an ADS DC (we
don't need it and it could fail)
- remove unused sid_to_distinguished_name function
- make sure we find the allternate name of our primary domain when
operating with a netbiosless ADS DC (using LDAP to do the lookup)
- fixed the rpc trusted domain enumeration to support up to approx
2000 trusted domains (the old limit was 3)
- use the IP for the remote_machine (%m) macro when the client doesn't
supply us with a name via a netbios session request (eg. port 445)
- if the client uses SPNEGO then use the machine name from the SPNEGO
auth packet for remote_machine (%m) macro
- add new 'net ads workgroup' command to find the netbios workgroup
name for a realm
(This used to be commit e358d7b24c86a46d8c361b9e32a25d4f71a6dc00)
|