| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
metze
|
|
|
|
For add requests we need the add request messages, for modify requests we need
the modify request messages.
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
user.
Makes sure samAccountName has been specified before adding a
user. This happened while I was trying to add a user with the
posixAccount objectclass. I forgot to specify the user objectClass,
and samba segfaulted. It now returns LDB_ERR_CONSTRAINT_VIOLATION.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
Rather than have a repeat of the bugs we found at the plugfest where
hexidecimal strings must be in upper or lower case in particular
places, ensure that each caller chooses which case they want.
This reverts most of the callers back to upper case, as things were
before tridge's patch. The critical call in the extended DN code is
of course handled in lower case.
Andrew Bartlett
|
|
|
|
According to abartlet's response on my post about "lp_workgroup" this should be
the right call.
|
|
And don't cut them out from the DNS hostname.
|
|
This was a bad idea all along, as Simo said at the time. With the
full MS schema and enforcement of it, it is an even worse idea.
This fixes the provision of the member server in 'make test'
Andrew Bartlett
|
|
These additional debug messages were added to help us track down
w2k8->s4 domain join
|
|
The previous commit changed the wrong end - we must fix our server,
not our client.
Andrew Bartlett
|
|
Additional notes:
- Bump the level to Windows Server 2008 R2 (we should support always the latest
version - if we provision ourself)
- In "descriptor.c" the check for the "domainFunctionality" level shouldn't be
needed: ACL owner groups (not owner user) are supported since Windows 2000
Server (first AD edition)
- I took the argument from: http://support.microsoft.com/kb/329194
|
|
Some corrections which make the code a bit more readable (no functional changes here)
|
|
Rather than have the functional levels scattered in 4 different,
unconnected locations, the provision script now sets it, and the
rootdse module maintains it's copy only as a cached view onto the
original values.
We also use the functional level to determine if we should store AES
Kerberos keys.
Andrew Bartlett
|
|
Guenther
|
|
Windows 7 sets it's join password using the unicodePwd attribute (as a
quoted, utf16 string), and does so during the LDAPAdd of the object.
Previously, this code only handled unicodePwd for modifies.
Andrew Bartlett
|
|
The clients that do only lanman auth are on their way out, the
passwords are case insensitive, it does not support unicode and we
should not store such a poor hash of the password if we can avoid it.
Andrew Bartlett
|
|
|
|
consistency with Samba 3.
|
|
The Win7-beta domain process has changed. It no longer uses SAMR for
setting the password, and instead uses a ldap modify on a SASL
encrypted ldap connection. We didn't handle that as the unicodePwd
attribute has a dual use, holding the nt style MD4 hases for DRS
replication, but holding a UTF-16 plaintext password for a LDAP
modify.
This patch copes with the ldap unicodePwd modify by recognising the
format and creating the correct attributes on the fly. Note that this
assumes we will never get a unicodePwd attribute set in NT MD4 format
with the first 2 and last 2 bytes set to 0x22 0x00.
Andrew Bartlett is looking at a more robust solution, possibly using a
flag to say that this modify came via ldap, and not internal ldb
calls.
|
|
The only 2 modules escaping the rule so far are rootdse and partitions
|
|
This fixes the creation of the user object for incoming trusts
in dcesrv_lsa_CreateTrustedDomain_base().
And now w2k3 trust samba4 just fine:-)
metze
|
|
now to work out how to test this ...
|
|
make them wrappers around convert_string{,talloc}_convenience().
|
|
3.
|
|
This uses a virtual attribute 'clearTextPassword' (name chosen to
match references in MS-SAMR) that contains the length-limited blob
containing an allegidly UTF16 password. This ensures we do no
validation or filtering of the password before we get a chance to MD4
it. We can then do the required munging into UTF8, and in future
implement the rules Microsoft has provided us with for invalid inputs.
All layers in the process now deal with the strings as length-limited
inputs, incluing the krb5 string2key calls.
This commit also includes a small change to samdb_result_passwords()
to ensure that LM passwords are not returned to the application logic
if LM authentication is disabled.
The objectClass module has been modified to allow the
clearTextPassword attribute to pass down the stack.
Andrew Bartlett
|
|
|
|
|
|
metze
(This used to be commit fac7c79afae05a88ecc2a63c8eb9f2fd53ab7ce6)
|
|
But it's still of by default until we now what triggers this generation.
It could be that the value is always generated but the KDC only
uses it when in a specific funtional level, but it could also
be that it's only generated in a specific functional level.
metze
(This used to be commit 08618bbd508ede0bb9e1922fae562cffdca41cbd)
|
|
like windows
metze
(This used to be commit ca9cd81a1798fb15195566422b3cad7c282fce89)
|
|
metze
(This used to be commit 4ad73a0bf8952783d3d9a7339c0c4fd8ca28981a)
|
|
the hashes
metze
(This used to be commit 5edff84429ef0d03b47a438e18861d26c97e17b6)
|
|
metze
(This used to be commit 1bf552856f3a930c4716ceb73d9ba9adf7502d3d)
|
|
metze
(This used to be commit 19b8c8e37bafab050ab61266c35006efada2947c)
|
|
metze
(This used to be commit 5b860572686167d0291161f6597f143e538e2f3a)
|
|
metze
(This used to be commit 26e9169d454349795ad0bc64d7f65059541ab89e)
|
|
This attribute is used in a very similar way (virtual attribute
updating the password) in AD on Win2003, so eliminate the difference.
This should not cause a problem for on-disk passwords, as by default
we do not store the plaintext at all.
Andrew Bartlett
(This used to be commit 1cf0d751493b709ef6b2234ec8847a7499f48ab3)
|
|
Andrew Bartlett
(This used to be commit d2b5f40d80008ca3269118915409333755b6eac3)
|
|
This reworks quite a few parts of our provision system to use
CN=NETBIOSNAME as the domain for member servers.
This makes it clear that these domains are not in the DNS structure,
while complying with our own schema (found by OpenLDAP's schema
validation).
Andrew Bartlett
(This used to be commit bda6a38b055fed2394e65cdc0b308a1442116402)
|
|
(This used to be commit ce332130ea77159832da23bab760fa26921719e2)
|
|
everywhere.
(This used to be commit 85c96a325867f7bcdb412ebc53f8a47dbf7cd89b)
|
|
(This used to be commit c863f4ebde8efa1a695b4469142d6719e30bc419)
|
|
library, so it can be overridden by OpenChange.
(This used to be commit 2f29f80e07adef1f020173f2cd6d947d0ef505ce)
|
|
ndr_struct_push_blob().
(This used to be commit 61ad78ac98937ef7a9aa32075a91a1c95b7606b3)
|
|
(This used to be commit 6ac86f8be7d9a8c5ab396a93e6d1e6819e11f173)
|
|
(This used to be commit e53e79eebef3ece6978f0a2b4a1ee0a0814bb5d2)
|
|
(This used to be commit 95a6ef7fc8757ccfd90dbf0d6c9b5098f10b10b6)
|
