summaryrefslogtreecommitdiff
path: root/source3/utils
AgeCommit message (Collapse)AuthorFilesLines
2004-01-08This merges in my 'always use ADS' patch. Tested on a mix of NT and ADSAndrew Bartlett2-31/+24
domains, this patch ensures that we always use the ADS backend when security=ADS, and the remote server is capable. The routines used for this behaviour have been upgraded to modern Samba codeing standards. This is a change in behaviour for mixed mode domains, and if the trusted domain cannot be reached with our current krb5.conf file, we will show that domain as disconnected. This is in line with existing behaviour for native mode domains, and for our primary domain. As a consequence of testing this patch, I found that our kerberos error handling was well below par - we would often throw away useful error values. These changes move more routines to ADS_STATUS to return kerberos errors. Also found when valgrinding the setup, fix a few memory leaks. While sniffing the resultant connections, I noticed we would query our list of trusted domains twice - so I have reworked some of the code to avoid that. Andrew Bartlett (This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
2004-01-07Add smbget utility, a simple wget-like utility that uses libsmbclient.Jelmer Vernooij1-0/+574
Supports recursive downloads and resume, progress indication and shows estimated time remaining. (This used to be commit 82bd1b45a4205706b57bae42c7b03974f8b44753)
2004-01-06Fix -s option to smbcontrol (#908)Jelmer Vernooij1-1/+1
(This used to be commit 7495395c1cc3b09b27d6eeb7dff6f214701d03d6)
2004-01-06Patch based on work from James Peach <jpeach@sgi.com> to convert over toJeremy Allison1-0/+6
using pread/pwrite. Modified a little to ensure fsp->pos is correct. Fix for #889. Jeremy. (This used to be commit 019aaaf0df091c3f67048f591e70d4353a02bb9b)
2004-01-02JHT came up with a nasty (broken) torture case in preparing examples forAndrew Bartlett2-5/+4
his book. This prompted me to look at the code that reads the unix group list. This code did a lot of name -> uid -> name -> sid translations, which caused problems. Instead, we now do just name->sid I also cleaned up some interfaces, and client tools. Andrew Bartlett (This used to be commit f9e59f8bc06fae7e5c8cb0980947f78942dc25c0)
2003-12-30Get the DOMAIN\username around the right way (I had username\domain...)Andrew Bartlett1-1/+3
Push the unix username into utf8 for it's trip across the socket. Andrew Bartlett (This used to be commit 3225f262b18bdcf326d3bfd031dac169bd9347c9)
2003-12-30Try to gain a bit more consistancy in the output of usernames from ntlm_auth:Andrew Bartlett1-11/+23
Instead of returning a name in DOMAIN\user format, we now return it in the same way that nsswtich does - following the rules of 'winbind use default domain', in the correct case and with the correct seperator. This should help sites who are using Squid or the new SASL code I'm working on, to match back to their unix usernames. Andrew Bartlett (This used to be commit 7a3a5a63612b2698a39f784859496c395505a79b)
2003-12-30Make the name of the NTLMSSP client more consistant before we lock it in stone.Andrew Bartlett1-2/+2
(This used to be commit 0fa268863b7352343eb7f211181a02f60848bd0c)
2003-12-30Remove testing hackAndrew Bartlett1-2/+0
(This used to be commit 96f3beb462a6d4a489e894c1f05c528107135b3a)
2003-12-30Move our basic password checking code from inside the authenticationAndrew Bartlett1-54/+254
subsystem into a seperate file - ntlm_check.c. This allows us to call these routines from ntlm_auth. The purpose of this exercise is to allow ntlm_auth (when operating as an NTLMSSP server) to avoid talking to winbind. This should allow for easier debugging. ntlm_auth itself has been reorgainised, so as to share more code between the SPNEGO-wrapped and 'raw' NTLMSSP modes. A new 'client' NTLMSSP mode has been added, for use with a Cyrus-SASL module I am writing (based on vl's work) Andrew Bartlett (This used to be commit 48315e8fd227978e0161be293ad4411b45e3ea5b)
2003-12-30Refactor our authentication and authentication testing code.Andrew Bartlett1-342/+181
The next move will be to remove our password checking code from the SAM authentication backend, and into a file where other parts of samba can use it. The ntlm_auth changes provide for better use of common code. Andrew Bartlett (This used to be commit 2375abfa0077a884248c84614d5109f57dfdf5b1)
2003-12-26Collecting some minor patches...Volker Lendecke1-8/+10
This adds the ability to specify the new user password for 'net ads password' on the command line. As this needs the admin password on the command line, the information leak is minimally more. Patch from gd@suse.de Volker (This used to be commit e6b4b956f68bfea69b2de3608b4c829250d24a7a)
2003-12-24Thanks to Serassio Guido for noticing issues in our Squid NTLMSSPAndrew Bartlett1-4/+9
implementation. We were not resetting the NTLMSSP state for new negotiate packets. Andrew Bartlett (This used to be commit e0a026c9b561893e5534923b18ca748e6177090e)
2003-12-01In the brief 'net rpc group' listing, don't cut off group names at 21 chars.Volker Lendecke1-3/+3
Volker (This used to be commit 5d0b8280f6c4990ee3a26c310efebfa859ee21be)
2003-12-01Beautify the net status help message a bitVolker Lendecke1-4/+4
Volker (This used to be commit e9391e206a8cdbcc08597a33b557b86f9a5d73ce)
2003-12-01I needed a decently parseable format of smbstatus. Looking at smbstatus codeVolker Lendecke3-0/+268
tells me that this should not be expanded, so I implemented net status [sessions|shares] [parseable] Volker (This used to be commit 63d877c6b4786dcddf5f389842f798857be282c0)
2003-11-28Implement 'net rpc group list [global|local|builtin]*' for a select listing ofVolker Lendecke2-0/+36
the respective user databases. Volker (This used to be commit 39e4ee0c5be9f8d5a26b03ae17865b8e576b0b62)
2003-11-27Fix for pdbedit error code returns (sorry, forgot who sent in the patch).Jeremy Allison1-2/+11
Jeremy. (This used to be commit 685097bc50a8ef387c5082401858d482329c37bc)
2003-11-27Only ask for 512 names at a time.Volker Lendecke1-8/+19
Volker (This used to be commit d5775b7106dc5d6326db89f7369d2ffd61646426)
2003-11-26Implement "net rpc group members": Get members of a domain group inVolker Lendecke2-0/+89
human-readable format. Volker (This used to be commit 4e3a2eb8e04c3a669d94e38d81e994606fa6ef9d)
2003-11-26Get rid of a const warningVolker Lendecke1-2/+2
Volker (This used to be commit 94860687c535ace0c962ca3fe7da59df05325c62)
2003-11-22Add support for variable-length session keys in our client code.Andrew Bartlett2-5/+5
This means that we now support 'net rpc join' with KRB5 (des based) logins. Now, you need to hack 'net' to do that, but the principal is important... When we add kerberos to 'net rpc', it should be possible to still do user management and the like over RPC. (server-side support to follow shortly) Andrew Bartlett (This used to be commit 9ecf9408d98639186b283f1acf0fac46417547d0)
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett1-72/+112
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-11-12show locked files for -u <user>; bug 590Gerald Carter1-10/+41
(This used to be commit d72d77c42741714f2e32d0e24e706929242f1c62)
2003-11-06Final round of printf warnings fixes for the moment.Tim Potter3-4/+5
(This used to be commit 0519a7022b4979c0e8ddd4907f4b858a59299c06)
2003-10-24Add shutdown abort try over initshutdown pipe first, then fall back toJim McDonough1-4/+49
winreg pipe if it doesn't work. Fixes bug #534. I will go back and add the same logic for the shutdown itself, even though that works so far against win2k (haven't tested all win clients). (This used to be commit e660b04e8f2446bb8a6590e9afcb5ab49f90a701)
2003-10-23Fix bug 451. Stop net -P from prompting for machine account password.Jim McDonough3-3/+4
Based on work by Ken Cross (kcross@nssolutions.com). (This used to be commit 8ef7ac22ef1a60dca0a2d01dc6ff4ba14bc1549a)
2003-10-22Put strcasecmp/strncasecmp on the banned list (except for needed callsJeremy Allison2-11/+11
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at all and I really want to discourage that. Jeremy. (This used to be commit d7e35dfb9283d560d0ed2ab231f36ed92767dace)
2003-10-20Changed output so all debug output goes to stderr, and all file processingJohn Terpstra1-40/+40
goes to stdout. Note: This change permits use of testparm processing of smb.conf to be redirected into a file that can be used as an smb.conf file. ie: All information that should not be in smb.conf will be on stderr, all pertinent smb.conf info will go to stdout. Example of use: A fully documented smb.conf.master file can be maintained. To create smb.conf do: testparm -s > smb.conf (This used to be commit 0450dc97731d95c7cd3b2c8a54721991fd6165df)
2003-10-14Break out of samsync loop on error.Tim Potter1-0/+3
(This used to be commit f8994483484cab47f0d6a6934979f69402dba894)
2003-10-14Set errno = ENOSYS if mmap not supported.Tim Potter1-0/+1
From Joachim Schmitz <schmitz@hp.com> (This used to be commit 22655a65ab73576557487e73c550b45296e534ec)
2003-10-02Portability fixes from schmitz@hp.com (Joachim Schmitz). Bug #549.Jeremy Allison1-1/+7
Jeremy. (This used to be commit 93669f329eccec34d4a1da6239ae9759f067fb8b)
2003-09-29Testparm fixes:Jelmer Vernooij1-3/+9
- Also check global 'hosts allow'/'hosts deny' when checking access to share - Warn when user specifies 2 arguments instead of 1 or 3. Patch from Jay Fenlason <fenlason@redhat.com> (This used to be commit 2690c185f01b8fb4307dc803fb90c00400f2da69)
2003-09-26Fix to parse the level-2 strings. From Anthony Liguori aliguor@us.ibm.com.Jeremy Allison1-16/+4
Jeremy. (This used to be commit e4c955c98e90901b047c475f204af93a57578248)
2003-09-23This only touches the fake kaserver support. It adds two parameters:Volker Lendecke1-3/+3
afs share -- this is an AFS share, do AFS magic things afs username map -- We need a way to specify the cell and possibly weird username codings for several windows domains in the afs cell Volker (This used to be commit 4a3f7a9356cd5068d9ed4fd6e2336d9bf7923fbd)
2003-09-22fix some warnings found by the Sun C compilerGerald Carter2-4/+3
(This used to be commit e1fac713e25692a5790c3261ba323732930f5249)
2003-09-21Fix typoJelmer Vernooij1-1/+1
(This used to be commit 37db75fc95aec2510a0ead0c97f44e80b00696d9)
2003-09-19Ensure that dup_sec_desc copies the 'type' field correctly. This causedJeremy Allison1-3/+3
me to expose a type arguement to make_sec_desc(). We weren't copying the SE_DESC_DACL_AUTO_INHERITED flag which could cause errors on auto inherited checks. Jeremy. (This used to be commit 28b315a7501f42928d73efaa75f74146ba95cf2d)
2003-09-15Fix from gregory@networksentry.co.za, don't clobber the comment if itJeremy Allison1-2/+2
exists. Jeremy. (This used to be commit c8bfde5be9f0a3603f7333ff4266ad19c20cb9f9)
2003-09-15Fixed test and wording for long share names.Christopher R. Hertel1-3/+4
The RAP NetShareEnum() call has a length limit of 12 characters (not 8, as previously tested). Took DaveCB's suggested and added a note listing some of the client systems that might be affected. (This used to be commit be06e52ce05e88f3872563a61ae29f62afd614fc)
2003-09-15fix online helpSimo Sorce1-1/+1
-w option need the password on the command line (This used to be commit fa7dea1710bac38f5f68be2e56a24ef5cca09ff5)
2003-09-11Fix error message when calling namedtogid() fails adding a group mapTim Potter1-1/+1
entry. Bug #431. (This used to be commit bc8a181477866d0d97324bf45431bcdff895ad18)
2003-09-10Fix error return path memory leaks in vampire code for creating users.Tim Potter1-3/+8
Display an error if we can't create a posix account for the user (e.g no add user/machine script was specified; bug #323). (This used to be commit 0c35ba2cd65ff64c5db2b20d5528a0d486cba51e)
2003-09-10Use opt_target_workgroup instead of lp_workgroup() in vampire code soTim Potter1-2/+2
we can override the value in smb.conf with the -w option. Migrating accounts from another domain can now be done like: # bin/net join bdc -w nt4dom -Uadministrator%password # bin/net rpc vampire -w nt4dom -U administrator%password (This used to be commit d7bd3c1efbd02a7ca01ad9a4b242ea4cc4a63c1f)
2003-09-10Formatting fixups for help output.Tim Potter1-2/+2
(This used to be commit c030d1401950b6efcbdf30ad899c25a61efb1814)
2003-09-08Fix for incorrect error message - found by Alex Davis <alex14641@yahoo.com>.Jeremy Allison1-2/+2
Jeremy. (This used to be commit 28631ef23f855ce91740fd144e3dc235a3ae7af6)
2003-09-07Nobody complained on the team-list, so commit it ...Volker Lendecke2-0/+50
This implements some kind of improved AFS support for Samba on Linux with OpenAFS 1.2.10. ./configure --with-fake-kaserver assumes that you have OpenAFS on your machine. To use this, you have to put the AFS server's KeyFile into secrets.tdb with 'net afskey'. If this is done, on each tree connect smbd creates a Kerberos V4 ticket suitable for use by the AFS client and gives it to the kernel via the AFS syscall. This is meant to be very light-weight, so I did not link in a whole lot of libraries to be more platform-independent using the ka_SetToken function call. Volker (This used to be commit 5775690ee8e17d3e98355b5147e4aed47e8dc213)
2003-09-05fixes for ads domain membership when only the realm is defined inGerald Carter1-2/+41
smb.conf Fixes to ensure we work with disable netbios = yes (This used to be commit 3913e43724870c62a0d77ec3e73cbe9480cb6247)
2003-09-05Fix for bug #73. Name types can be specified using name#type notation.Tim Potter1-7/+31
Also added shortcut so that 'net lookup foo#1b' works. (This used to be commit f38679201e301d66473e74506f07812590d19fa4)
2003-09-04Check in Andrew's fix for bug #305 (always use lp_realm() )Gerald Carter1-2/+7
Also make sure thet ads_startup uses lp_realm instead of just relying on the workgroup name. Fixes bug in net ads join when the workgroup defaults to "WORKGROUP" and we ignore the realm name. (This used to be commit b1763ace4e85f41574894e3807cabb5196fec661)