Age | Commit message (Collapse) | Author | Files | Lines |
|
(This used to be commit 05dd3383010ba6f44370fc302ee00b7680937176)
|
|
Jeremy.
(This used to be commit e763a220f492bb8a9cacf31c07809c4866379bb6)
|
|
Volker
(This used to be commit 70b0fcdeec4810944a4e0d9bbaf6a979b2fb914a)
|
|
Fix segfualt caused by incorrect configuration. If lp_realm() was not set,
but security=ADS, we would attempt to free the principal name that krb5
never allocated.
Also fix the dump_data() of the session key, now that we use a data_blob to
store that.
Andrew Bartlett
(This used to be commit 24d7eed6cae8015e020ad34c13130ee8afc9052e)
|
|
Jeremy.
(This used to be commit a0dc10bed68ef961609c0a4a456b6a132e2e347b)
|
|
(This used to be commit 175c5c9faa8c1cb3577eb96598434e6097d408c7)
|
|
(This used to be commit 4c877ccc16bcb69490c4d34d2ef5f727bf98438e)
|
|
Volker
(This used to be commit 9f0292091b37cac637ba86cab6c8fd1800faef5c)
|
|
(This used to be commit 6e9c68217bec1e4138b5eb9a9ed85807b31bbdb8)
|
|
Andrew Bartlett
(This used to be commit f7d39c787771616ddb015bd77e3e6cd33f0c7a15)
|
|
Andrew Bartlett
(This used to be commit ec24c7f42ac344d14c0e29d4b49c07d8ce213448)
|
|
Changes include:
- header changes for better pre-compiled headers (tridge)
- get a list of sids for a given user (tridge)
- fix function prototype
and a few other minor things
Andrew Bartlett
(This used to be commit 60107efdc61247034424d008c6f1eb4d46a19881)
|
|
using pread/pwrite. Modified a little to ensure fsp->pos is correct.
Fix for #889.
Jeremy.
(This used to be commit 3a24dc868d95c9bcc2ac3a0dbd50e6e226ac0841)
|
|
I think this was tpot's originally:
Fix format types for 64 bit systems.
Andrew Bartlett
(This used to be commit 256b2da7c96e8313f4f98ce700fc7634eaccb72b)
|
|
Always call the auto-init funciton - this avoids tdb segfaulting under
us if we failed to open it earlier.
Andrew Bartlett
(This used to be commit 34f16eaeaa81a0cc6ae564f4be8a02752ee5624d)
|
|
Ensure that for wbinfo --set-auth-user, we actually use the domain.
Andrew Bartlett
(This used to be commit 8a63bed29315acb3fe9cc2973426ef8392987c8c)
|
|
Try to keep vl happy - shorten some of these lines.
--
Grumble... grumble... fix the build...
--
Show the sid type in name->sid translatons in a way that can be easily
understood by humans.
Andrew Bartlett
(This used to be commit c5d1e2112baa7d87cd6b9f0855c2fd8b006af01d)
|
|
Change our Domain controller lookup routines to more carefully seperate
DNS names (realms) from NetBIOS domain names.
Until now, we would experience delays as we broadcast lookups for DNS names
onto the local network segments.
Now if DNS comes back negative, we fall straight back to looking up the
short name.
Andrew Bartlett
(This used to be commit 4c3bd0a99e464198d243da302ff1868189b4dcff)
|
|
Add const.
Andrew Bartlett
(This used to be commit b08502a8fb1083cc49fd2976880b7bef3f14a72a)
|
|
There is some memory corruption hidden somewhere in our winbind code. If I
could reproduce it, I would fix it, but for now just make sure we always
SAFE_FREE() and set our starting pointers to NULL.
Andrew Bartlett
(This used to be commit a00f29624d10df7f31fa978b79bc71b40d696359)
|
|
Change (unused) structure parameter for cli_ds_enum_domain_trusts() cleanup.
Andrew Bartlett
(This used to be commit 3c02aad8b3a4b28ca492ca1abbbd594ba75975e4)
|
|
rpc_parse/parse_lsa.c:
nsswitch/winbindd_rpc.c:
nsswitch/winbindd.h:
- Add const
libads/ads_ldap.c:
- Add ads_sid_to_dn utility function
nsswitch/winbindd_ads.c:
- Use new utility function ads_sid_to_dn
- Don't search for 'dn=', rather call the ads_search_retry_dn()
nsswitch/winbindd_ads.c:
include/rpc_ds.h:
rpc_client/cli_ds.c:
- Fixup braindamage in cli_ds_enum_domain_trusts():
- This function was returning a UNISTR2 up to the caller, and
was doing nasty (invalid, per valgrind) things with memcpy()
- Create a new structure that represents this informaiton in a useful way
and use talloc.
Andrew Bartlett
(This used to be commit 627d33d1667f0d4b1070f988494885b74c4c04dd)
|
|
Fix for bug 707, getent group for huge ads groups (>1500 members)
This introduces range retrieval of ADS attributes.
VL rewrote most of Güther's patch, partly to remove code duplication and
partly to get the retrieval of members in one rush, not interrupted by the
lookups for the DN.
I rewrote that patch, to ensure that we can keep an eye on the USN
(sequence number) of the entry - this allows us to ensure the read was
atomic.
In particular, the range retrieval is now generic, for strings. It
could easily be made generic for any attribute type, if need be.
Andrew Bartlett
(This used to be commit 08e851c7417d52a86e31982fcfce695c8a6360b7)
|
|
Even if the 'device type' is always an ascii string, use push_string to get
it out onto the wire. Avoids valgrind warnings because the fstrcpy() causes
part of the wire buffer to be 'marked'.
Andrew Bartlett
(This used to be commit 326becbde23c8039e1f0f00930bcab094bf91ed2)
|
|
Match Win2k, and return NT_STATUS_INVALID_PARAMETER
if this parameter is not an account type
Andrew Bartlett
(This used to be commit 43ee2e0b6a6f95ce2864befeb08b5de2ace41c7c)
|
|
Having no members of a group is a perfectly valid (if unusual) situation.
Andrew Bartlett
(This used to be commit bc77b586be6992a662422304dbefbd4b833818fb)
|
|
JHT came up with a nasty (broken) torture case in preparing examples for
his book.
This prompted me to look at the code that reads the unix group list. This
code did a lot of name -> uid -> name -> sid translations, which caused
problems. Instead, we now do just name -> sid
I also cleaned up some interfaces, and client tools.
Andrew Bartlett
(This used to be commit cc535a6c70d8dcf677322e31b24dec58b23d80f0)
|
|
Changes to our PAM code to cope with the fact that we can't handle some
domains (in particular, the domain of the current machine, if it is not a PDC)
By changing the error codes, we now return values that PAM can correctly
use for better stacking of PAM modules - in particular of the password change
module.
This allows pam_winbind to co-exist with other pam modules for password changes.
Andrew Bartlett
(This used to be commit 06b4eb4b9f867998c8faf9a91830ba3181cdf605)
|
|
auth/auth_util.c:
- Fill in the 'backup' idea of a domain, if the DC didn't supply one. This
doesn't seem to occour in reality, hence why we missed the typo.
lib/charcnv.c:
lib/smbldap.c:
libads/ldap.c:
libsmb/libsmbclient.c:
printing/nt_printing.c:
- all the callers to pull_utf8_allocate() pass a char ** as the first
parammeter, so don't make them all cast it to a void **
nsswitch/winbind_util.c:
- Allow for a more 'correct' view of when usernames should be qualified
in winbindd. If we are a PDC, or have 'winbind trusted domains only',
then for the authentication returns stip the domain portion.
- Fix valgrind warning about use of free()ed name when looking up our
local domain. lp_workgroup() is maniplated inside a procedure that
uses it's former value. Instead, use the fact that our local domain is
always the first in the list.
--
Jerry rightly complained that we can't assume that the first domain is
our primary domain - new domains are added to the front of the list. :-(
Use a much more reliable 'flag test' instead. (note: changes winbind
structures, make clean).
--
Forgot to commit this for the 'get our primary domain' change.
Andrew Bartlett
(This used to be commit acacd27ba25f7ebfec40bfa66d34ece543569e23)
|
|
Try to gain a bit more consistancy in the output of usernames from ntlm_auth:
Instead of returning a name in DOMAIN\user format, we now return it in the
same way that nsswtich does - following the rules of 'winbind use default
domain', in the correct case and with the correct seperator.
This should help sites who are using Squid or the new SASL code I'm working
on, to match back to their unix usernames.
--
Get the DOMAIN\username around the right way (I had username\domain...)
Push the unix username into utf8 for it's trip across the socket.
Andrew Bartlett
(This used to be commit 4c2e1189ff84d254f19b604999d011fdb17e538d)
|
|
Remove testing hack
Make the name of the NTLMSSP client more consistant before we lock it in stone.
Andrew Bartlett
(This used to be commit 273dcda9ce62eb04c9cce673bb49b41982b26d98)
|
|
Move our basic password checking code from inside the authentication
subsystem into a seperate file - ntlm_check.c.
This allows us to call these routines from ntlm_auth. The purpose of this
exercise is to allow ntlm_auth (when operating as an NTLMSSP server) to
avoid talking to winbind. This should allow for easier debugging.
ntlm_auth itself has been reorgainised, so as to share more code between
the SPNEGO-wrapped and 'raw' NTLMSSP modes. A new 'client' NTLMSSP mode
has been added, for use with a Cyrus-SASL module I am writing (based on vl's
work)
Andrew Bartlett
(This used to be commit 2f196bb31ac83cf7922583063c74a5f679ca5be7)
|
|
Refactor our authentication and authentication testing code.
The next move will be to remove our password checking code from the SAM
authentication backend, and into a file where other parts of samba can use
it.
The ntlm_auth changes provide for better use of common code.
Andrew Bartlett
(This used to be commit 0d97b10248347398fbee66767baac0c7adf6889d)
|
|
Add the alignment required before all 2-byte quantities in NDR. Allows us
to correctly parse plaintext netlogon calls with odd-length passwords
Andrew Bartlett
(This used to be commit 39d8a9e488eb31796e8e7eca42fe27f8218ce5d6)
|
|
Shutting down the connection closes outstanding sessions, so we don't need
to do it twice...
Amdrew Bartlett
(This used to be commit 77b3515981ebe972a4c78e14b205d0c70a34b69f)
|
|
Check the return value of string_to_sid in a few more places. (But
string_to_sid also needs to be less permissive on what it thinks are
valid sids...)
Andrew Bartlett
(This used to be commit 74ea8682e4b5c78f456cc9284e953e35e4146a8b)
|
|
Show the error message for failure to set the ldap password.
(For 'ldap password sync = yes')
Andrew Bartlett
(This used to be commit ef5d2309c2252c9d6111738075f863b69b616722)
|
|
Based on patch by Petri Asikainen <paca@sci.fi> fix bug #387 and #330.
This patch will change order how attributes are modified
from: add, delete
to: delete, add
This is needed to update single valued attributes in Novell NDS and
should not harm anyone else.
(This used to be commit e925cae0f3846ea95633d38afd652e0f3d8acfb9)
|
|
HAVE_SYS_ATTRIBUTES_H to fix AIX compile.
Jeremy.
(This used to be commit 1d90cc2034c023755981a07a49c3d9958b60fb74)
|
|
(This used to be commit cca2afecd505881412df65c21c0389a0079cf023)
|
|
(This used to be commit 61cbd5c9be1962d0c33c28ff472a2f82d3aa2a80)
|
|
session setup. After talking to jht and abartlet I made this unconditional, no
additional parameter.
Jerry: This is a change in behaviour, but I think it is necessary.
Volker
(This used to be commit d32f47fedcff3fdf46f42926d1cd84433e7ab487)
|
|
Volker
(This used to be commit 6121a866659c3b81e790a79432b6d89d7865fbd3)
|
|
Volker
(This used to be commit a2e384262d0203772a6237b566c294f15bfd8948)
|
|
This introduces range retrieval of ADS attributes.
I've rewritten most of Günther's patch, partly to remove code duplication and
partly to get the retrieval of members in one rush, not interrupted by the
lookups for the DN.
Andrew, you told me that you would like to see a check whether the AD sequence
number is the same before and after the retrieval to achieve atomicity. This
would be trivial to add, but I'm not sure that we want this, as this adds two
roundtrips to every membership query. We can not know before the first query
whether we get additional range values, and at that point it's too late to ask
for the USN.
Tested with a group of 4000 members along with lots of small groups.
Volker
(This used to be commit a2aa6e41e552abfb6d1056ab3a7c75e8fd0a150c)
|
|
objects from the print handle cache. Fixes bug that
caused smbd to consume large amounts of RAM when
(a) a printer handle was kept open over an extended
period of time, and
(b) the client issued frequent requests that resulted
in a call to get_a_printer()
(This used to be commit b84ea23f99481f9260dedbe8dd715112ccdc7d7a)
|
|
is not significant in windows user names we should not lose information by
lower-casing the name before handing it to AFS.
Volker
(This used to be commit 097e8d44b4a6eb49f36debae1f2cc8af7565b0eb)
|
|
Volker
(This used to be commit 1f0e045502f802f819738d1b89574b07dfaa6bc6)
|
|
solves the problem for me here, I can still successfully set up signing using
NTLMSSP against w2k3 and it does not show a signing error anymoe when the
password was wrong.
Jeremy, you might want to take a further look at it as this is not
particularly elegant.
Volker
(This used to be commit 8a82060e3aee6d5ef38b1448035d865f9bce63a7)
|
|
As broken as it might be, smbwrapper.so should be put into the
libdir and not bindir.
Volker
(This used to be commit c374fd982e63209cf555fe8fbf15cfae0f79aca1)
|