| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
* remove idmap_XX_to_XX calls from smbd. Move back to the
the winbind_XXX and local_XXX calls used in 2.2
* all uid/gid allocation must involve winbindd now
* move flags field around in winbindd_request struct
* add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id()
to prevent automatic allocation for unknown SIDs
* add 'winbind trusted domains only' parameter to force a domain member
server to use matching users names from /etc/passwd for its domain
(needed for domain member of a Samba domain)
* rename 'idmap only' to 'enable rid algorithm' for better clarity
(defaults to "yes")
code has been tested on
* domain member of native mode 2k domain
* ads domain member of native mode 2k domain
* domain member of NT4 domain
* domain member of Samba domain
* Samba PDC running winbindd with trusts
Logons tested using 2k clients and smbclient as domain users
and trusted users. Tested both 'winbind trusted domains only = [yes|no]'
This will be a long week of changes. The next item on the list is
winbindd_passdb.c & machine trust accounts not in /etc/passwd (done
via winbindd_passdb)
(This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
|
|
down failures.
Add a 'auto-add on modify' feature to guestsam
Fix some segfault bugs on no-op idmap modifications, and on new idmappings that
do not have a DN to tack onto.
Make the 'private data' a bit more robust.
Andrew Bartlett
(This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
|
|
- Try better to add the appropriate mapping between UID and SIDs, based
on Get_Pwnam()
- Look for previous users (lookup by SID) and correctly modify the existing
entry in that case
- Map the root user to the Admin SID as a 'well known user'
- Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update'
call on that user. This means that VL's very nice work on atomic LDAP
updates now really gets used properly!
- This also means that we know the right DN to update, without the extra
round-trips to the server.
Andrew Bartlett
(This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
|
|
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
|
|
strupper_m/strlower_m.
I really want people to think about when they're using multibyte strings.
Jeremy.
(This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
|
|
- check error return for cli_full_connection() when trying to obtain
printer data
- check error return on ads_find_machine_acct()
- Minor reformatting to separate fetching printer data from publishing it
(This used to be commit 94fe3b2cdfa67c9d74edc00a436b5eacbf3e0dc4)
|
|
published printers.
At the moment we don't search using any parameters but this can be
fixed by changing the LDAP search string. Also we should contact
the global catalog at SRV _gc._tcp instead of the ldap server we
get back from ads_startup().
(This used to be commit 814519c5de7f962623163b732c8589abd355d845)
|
|
(This used to be commit 9324703066cfdcb65208420a12e4ab8f358ccc09)
|
|
(This used to be commit b401e78b6eb7efa2af74a7e645c3b34091041769)
|
|
idmap backend is specified cause smbd to ask winbindd (use winbindd if
you want a consistant remote backend solution).
Should work well enough for next beta now...
Jeremy.
(This used to be commit 8f830c509af5976d988a30f0b0aee4ec61dd97a3)
|
|
*) consolidates the dc location routines again (dns
and netbios) get_dc_list() or get_sorted_dc_list()
is the authoritative means of locating DC's again.
(also inludes a flag to get_dc_list() to define
if this should be a DNS only lookup or not)
(however, if you set "name resolve order = hosts wins"
you could still get DNS queries for domain name IFF
ldap_domain2hostlist() fails. The answer? Fix your DNS
setup)
*) enabled DOMAIN<0x1c> lookups to be funneled through
resolve_hosts resulting in a call to ldap_domain2hostlist()
if lp_security() == SEC_ADS
*) enables name cache for winbind ADS backend
*) enable the negative connection cache for winbind
ADS backend
*) removes some old dead code
*) consolidates some duplicate code
*) moves the internal_name_resolve() to use an IP/port pair
to deal with SRV RR dns replies. The namecache code
also supports the IP:port syntax now as well.
*) removes 'ads server' and moves the functionality back
into 'password server' (which can support "hostname:port"
syntax now but works fine with defaults depending on
the value of lp_security())
(This used to be commit d7f7fcda425bef380441509734eca33da943c091)
|
|
the requested parts of the ACL.
Jeremy.
(This used to be commit c35a88201c619f0ebbaf38adbd0ec2af77e23981)
|
|
As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK
This patch will cure the problem.
Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is
used correctly, but I'm not 100% sure, coders should check the use of
NT_STATUS_IS_ERR() in samba is ok now.
Simo.
(This used to be commit c501e84d412563eb3f674f76038ec48c2b458687)
|
|
This isn't C++ - start your code *after* all the variables are declared...
Andrew Bartlett
(This used to be commit b7760faedc2181538ffc325e727808e6df8f943f)
|
|
groupmap'. The correct way to implement this stuff is via a function
table, as exampled in all the other parts of 'net'.
This also moves the idmap code into a new file. Volker, is this your
code? You might want to put your name on it.
Andrew Bartlett
(This used to be commit 477f2d9e390bb18d4f08d1cac9c981b73d628c4f)
|
|
(This used to be commit 897125a9dbbd3f921d944e7bb7c5694a130c5173)
|
|
The code was nice, but put in the wrong place (group mapping) and not
supported by most of the code, thus useless.
We will put back most of the code when our infrastructure will be changed
so that privileges actually really make sense to be set.
This is a first patch of a set to enhance all our mapping code cleaness and
stability towards a sane next beta for 3.0 code base
Simo.
(This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
|
|
(This used to be commit e21aab516b33b01536dd9ea067a16b94a38ff4b1)
|
|
a NT4 domain as a BDC with an existing workstation account (existing
bdc is fine), we fail. Print a friendly error message in this case.
The correct solution would probably be to delete the account and try
again. But even this makes us better than NT: NT4 fails in this
situation with an empty warning message box and an unusable BDC. It
has unsuccessfully tried to suck down the domain database, and thus
has no administrator account to log in after reboot....
Volker
(This used to be commit 1ddeea2179b11cedccf205c7ffea523ee6750b24)
|
|
Volker
(This used to be commit a4f76f2520515d820eb4a320036b998c88c596a8)
|
|
E.g if we are pointing at a win2k native mode domain we are returned
an NT_STATUS_NOT_SUPPORTED error.
(This used to be commit 6053c30f26cdf60f2bbfa6fb58ced6f7bcbd2e83)
|
|
(This used to be commit ac69b9c83cde306f89143fe43038adff876dd0b0)
|
|
from the output of 'net idmap dump'.
'net idmap dump' now also prints the USER/GROUP HWM.
Volker
(This used to be commit c0575be936572bb091a77c58361bd3a4fe9549ff)
|
|
the idmap and the SAM.
The basic idea is this: Lookup the user with GetPwnam(), and if they
exist then use that uid. This is what people expect. If the user does
not exist, try and run the right script.
This is also what people expect from previous Samba 3.0 behaviour, where
the Get_Pwnam() was at runtime.
If the idmap entry for this SID isn't valid, or isn't the right value,
modify the idmap to account for this mapping.
Also, the same logic is applied to the primary gid - if it has changed,
update the user's primary unix group.
This patch allows users to be added without a mapping - this is fine for
machine accounts, for example. I've given it a quick test against my
Win2k DC, and I *think* it's sane.
Andrew Bartlett
(This used to be commit d2a70bfff182352da50cd6c23ddfa80fe1b353c7)
|
|
(This used to be commit 18f3a5efea7c60d764d5ed82f3a83e1608f8c34e)
|
|
Volker
(This used to be commit e5664adc07307a066c5312d9224cef2c69a40f77)
|
|
Volker
(This used to be commit ec1a58d09e08583288b18747a0c82e5cf8139b63)
|
|
(This used to be commit dc69a638b9e12726f050d79b63f92f816c35fe8f)
|
|
(This used to be commit 21d92802781ac224f569a990df3ec1070f0da434)
|
|
join to the DC.
Andrew Bartlett
(This used to be commit af526fa9b39ab1f8483d5cee66321bc12f78ac05)
|
|
we wouldn't build.
(This used to be commit 0e9836c4e9e71494b10d71a5f3d5f7da2888c5ef)
|
|
(This used to be commit daf443757b62bd3c254a303d638bfd030b4acd2a)
|
|
packets, otherwise repeated components will not decode correctly.
Thanks to aliguori@us.ibm.com for the fix, and lukeh@padl.com for pointing
us to the right docs.
(This used to be commit a8d5d74cf80c6cae3eac1daa3f88d56373789560)
|
|
Jeremy.
(This used to be commit 43ca4b8a8425b97a6bea08b91420bac6cde807b3)
|
|
Jeremy.
(This used to be commit 2a6d0c2481c3c34351e57c30a85004babdbf99b0)
|
|
We really need idmap_ldap to have a good solution with ldapsam, porting
it from the prvious code is beeing made, the code is really simple to do
so I am confident it is not a problem to commit this code in.
Not committing it would have been worst.
I really would have been able to finish also the group code, maybe we can
put it into a followin release after 3.0.0 even if it may be an upgrade
problem.
The code has been tested and seem to work right, more testing is needed for
corner cases.
Currently winbind pdc (working only for users and not for groups) is
disabled as I was not able to make a complete group code replacement that
works somewhat in a week (I have a complete patch, but there are bugs)
Simo.
(This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
|
|
Jump out of sam entry processing loop if the return value from
cli_netlogon_sam_sync() isn't OK or STATUS_MORE_ENTRIES.
(This used to be commit 47d8ee3679292ece5d86df11bc56c9b4d71f3d11)
|
|
(This used to be commit f67cc24acf37a9f46427c993574ecf261d7aec1a)
|
|
Also, we might be given a 0 length challenge, so don't smb_panic() for
smb_xmalloc() of zero size.
Andrew Bartlett
(This used to be commit 4842de04cf2e1528e726dfad070dfe3a82f46fa2)
|
|
command line.
Andrew Bartlett
(This used to be commit dd14da756640ba36834a05b9da4759a809c0bb37)
|
|
(This used to be commit ca2e453c7838b6d0ed2d0a45124d162073bbbf99)
|
|
PDCs running NT4SP1, NT4SP6 and Samba 3.0.
Volker
(This used to be commit 2143446043b2c29027cf69554caddf41274df709)
|
|
(This used to be commit d817eaf0ecca2d878ab1ffcf7a747a02d71c811e)
|
|
that is now possible to, for example, load a module which contains
an auth method into a binary without the auth/ subsystem built in.
(This used to be commit 74d9ecfe2dd7364643d32acb62ade957bd71cd0d)
|
|
With big thanks to tpot for the ethereal disector, and for the base code
behind this, we now fully support NTLMv2 as a client.
In particular, we support it with direct domain logons (tested with ntlm_auth
--diagnostics), with 'old style' session setups, and with NTLMSSP.
In fact, for NTLMSSP we recycle one of the parts of the server's reply directly...
(we might need to parse for unicode issues later).
In particular, a Win2k domain controller now supplies us with a session key
for this password, which means that doman joins, and non-spnego SMB signing
are now supported with NTLMv2!
Andrew Bartlett
(This used to be commit 9f6a26769d345d319ec167cd0e82a45e1207ed81)
|
|
users and groups.
(This used to be commit dcc6d9e76c737400aaffdd4f261fd0f191aaeea8)
|
|
(This used to be commit 045210e129e6e0aef8f847e7ed8714d0d9974e7f)
|
|
(This used to be commit 7f76eac5a0f93107d990b0fde651838c38970092)
|
|
- auth with ntlmv2 and lmv2 but deliberately break the ntlmv2 hash
- auth with ntlmv2 and lmv2 but deliberately break the lmv2 hash
- auth with ntlm and lm but deliberately break the ntlm hash
- auth with ntlm and lm but deliberately break the lm hash
My theory is that the NTLM or NTLMv2 field must be correct and if it is,
it doesn't matter what the value of the LM or LMv2 field is.
Fixed cosmetic test name display bug.
(This used to be commit 5dcde9451bd0d6a7462b77cf5ed137bfd691adaa)
|
|
Now the build farm will no doubt find more.
(This used to be commit e91e648c9b0841fbffbc8f39e71abade0996a1e7)
|
