summaryrefslogtreecommitdiff
path: root/source4/libnet/libnet_join.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r13104: Migrate and set secrets keytab values in the 'net join' code. ThisAndrew Bartlett1-0/+30
avoids falling back to in-memory keytabs. Andrew Bartlett (This used to be commit 59fbce01c6814b8e411e7de6ee66739161520a3c)
2007-10-10r12976: Patch from Brad Henry <j0j0@riod.ca>:Andrew Bartlett1-169/+2
This patch pulls the AD site name generation and site join code from libnet/libnet_join.c and puts it into a new file, libnet/libnet_site.c. This way, a common means for site name, configuration dn and server dn generation exists so it doesn't need to be rewritten in new code (such as the future libnet_leave for example). I've made a couple of changes, but nothing dramatic. Nice work Brad! Andrew Bartlett (This used to be commit 45f67b3f6d506cc8cb9922184a8c0c9b59a8f702)
2007-10-10r12930: Fix ADS join: I wasn't filling in the flag 'realm' variable any more.Andrew Bartlett1-3/+1
Andrew Bartlett (This used to be commit 5c5a2974c94ae6b929ada7aaa2cd12a15b7468b8)
2007-10-10r12903: Factor out a new routine libnet_RpcConnectDCInfo, to both connect toAndrew Bartlett1-182/+68
the remote sever, and to query it for domain information. Provide and use this information in the SamSync/Vampire callbacks, to allow a parallel connection to LDAP, if we are talking to AD. This allows us to get at some important attributes not exposed in the old protocol. With this, we are able to do a all-GUI vampire of a AD domain from SWAT, including getting all the SIDs, servicePrincipalNames and the like correct. Andrew Bartlett (This used to be commit 918358cee0b4a1b2c9bc9e68d9d53428a634281e)
2007-10-10r12886: Rename 'secure_channel_type' parameter to domain join as 'join_type'.Andrew Bartlett1-6/+6
Andrew Bartlett (This used to be commit a3b3e09a9acc66dff7baf1a4ba0ea913bccdbd7d)
2007-10-10r12883: Fix the build...Andrew Bartlett1-3/+1
Andrew Bartlett (This used to be commit 8f7d14048fe29fd2c8b3e3c7aa73b4a854615016)
2007-10-10r12882: Allow the netbios name to be specified at all times.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit f4f4dcf217314980aa114d61a1546d2c18b55baa)
2007-10-10r12865: Upgrade the librpc and libnet code.Andrew Bartlett1-7/+4
In librpc, always try SMB level authentication, even if trying schannel, but allow fallback to anonymous. This should better function with servers that set restrict anonymous. There are too many parts of Samba that get, parse and modify the binding parameters. Avoid the extra work, and add a binding element to the struct dcerpc_pipe The libnet vampire code has been refactored, to reduce extra layers and to better conform with the standard argument pattern. Also, take advantage of the new libnet_Lookup code, so we don't require the silly 'password server' smb.conf parameter. To better support forcing traffic to be sealed for the vampire operation, the dcerpc_bind_auth() function now takes an auth level parameter. Andrew Bartlett (This used to be commit d65b354959842326fdd4bd7eb7fbeea0390f4afa)
2007-10-10r12858: This moves the libnet_LookupPdc code to use a GetDC request to findAndrew Bartlett1-9/+13
the remote server's name, or in the absence of a local nbt_server to communicate with (or without root access), a node status request. The result is that we are in a better position to use kerberos, as well as to remove the 'password server' mandatory parameter for the samsync and samdump commands. (I need this to put these into SWAT). The only problem I have is that I must create a messaging context, which requires a server ID. As a client process, I don't expect to get messages, but it is currently required for replies, so I generate a random() number. We probably need the servers to accept connections on streamed sockets too, for client-only tasks that want IRPC. Because I wanted to test this code, I have put the NET-API-* tests into our test scripts, to ensure they pass and keep passing. They are good frontends onto the libnet system, and I see no reason not to test them. In doing so the NET-API-RPCCONNECT test was simplified to take a binding string on the command line, removing duplicate code, and testing the combinations in the scripts instead. (I have done a bit of work on the list shares code in libnet_share.c to make it pass 'make test') In the future, I would like to extend the libcli/findds.c code (based off volker's winbind/wb_async_helpers.c, which is why it shows up a bit odd in the patch) to handle getting multiple name replies, sending a getdc request to each in turn. (posted to samba-technical for review, and I'll happily update with any comments) Andrew Bartlett (This used to be commit 7ccddfd3515fc2c0d6f447c768ccbf7a220c3380)
2007-10-10r12694: Move some headers to the directory of the subsystem they belong to.Jelmer Vernooij1-1/+1
(This used to be commit c722f665c90103f3ed57621c460e32ad33e7a8a3)
2007-10-10r12608: Remove some unused #include lines.Jelmer Vernooij1-3/+0
(This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981)
2007-10-10r12542: Move some more prototypes out to seperate headersJelmer Vernooij1-0/+1
(This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2)
2007-10-10r12510: Change the DCE/RPC interfaces to take a pointer to aJelmer Vernooij1-8/+4
dcerpc_interface_table struct rather then a tuple of interface name, UUID and version. This removes the requirement for having a global list of DCE/RPC interfaces, except for these parts of the code that use that list explicitly (ndrdump and the scanner torture test). This should also allow us to remove the hack that put the authservice parameter in the dcerpc_binding struct as it can now be read directly from dcerpc_interface_table. I will now modify some of these functions to take a dcerpc_syntax_id structure rather then a full dcerpc_interface_table. (This used to be commit 8aae0f168e54c01d0866ad6e0da141dbd828574f)
2007-10-10r12430: Clarify libnet_join code. Add/fix comments.Andrew Bartlett1-10/+10
Andrew Bartlett (This used to be commit a3372935eee12c99d8c4a29eda45e8d0f1039896)
2007-10-10r12423: Remove DEBUG(0) printouts in favor of more information to the caller.Andrew Bartlett1-5/+3
I assume this works better with SWAT and the like anyway. Andrew Bartlett (This used to be commit b11975703d5e32f6f3ad10079106b1345fa56b5c)
2007-10-10r12421: Handle the case where we are a joining as different account types ↵Andrew Bartlett1-32/+78
far better. Andrew Bartlett (This used to be commit 0ce82e8a41f0fdea9928e3e341680232cc640e18)
2007-10-10r12227: I realised that I wasn't yet seeing authenticated LDAP for the ldbAndrew Bartlett1-3/+4
backend. The idea is that every time we open an LDB, we can provide a session_info and/or credentials. This would allow any ldb to be remote to LDAP. We should also support provisioning to a authenticated ldap server. (They are separate so we can say authenticate as foo for remote, but here we just want a token of SYSTEM). Andrew Bartlett (This used to be commit ae2f3a64ee0b07575624120db45299c65204210b)
2007-10-10r11995: A big kerberos-related update.Andrew Bartlett1-0/+35
This merges Samba4 up to current lorikeet-heimdal, which includes a replacement for some Samba-specific hacks. In particular, the credentials system now supplies GSS client and server credentials. These are imported into GSS with gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY keytab, so we now create a FILE based keytab as provision and join time. Because the keytab is now created in advance, we don't spend .4s at negprot doing sha1 s2k calls. Also, because the keytab is read in real time, any change in the server key will be correctly picked up by the the krb5 code. To mark entries in the secrets which should be exported to a keytab, there is a new kerberosSecret objectClass. The new routine cli_credentials_update_all_keytabs() searches for these, and updates the keytabs. This is called in the provision.js via the ejs wrapper credentials_update_all_keytabs(). We can now (in theory) use a system-provided /etc/krb5.keytab, if krb5Keytab: FILE:/etc/krb5.keytab is added to the secrets.ldb record. By default the attribute privateKeytab: secrets.keytab is set, pointing to allow the whole private directory to be moved without breaking the internal links. (This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2007-10-10r11567: Ldb API change patch.Simo Sorce1-7/+8
This patch changes the way lsb_search is called and the meaning of the returned integer. The last argument of ldb_search is changed from struct ldb_message to struct ldb_result which contains a pointer to a struct ldb_message list and a count of the number of messages. The return is not the count of messages anymore but instead it is an ldb error value. I tryed to keep the patch as tiny as possible bu as you can guess I had to change a good amount of places. I also tried to double check all my changes being sure that the calling functions would still behave as before. But this patch is big enough that I fear some bug may have been introduced anyway even if it passes the test suite. So if you are currently working on any file being touched please give it a deep look and blame me for any error. Simo. (This used to be commit 22c8c97e6fb466b41859e090e959d7f1134be780)
2007-10-10r11410: Fix rejoin as a BDC by modifying, rather than trying to recreate, theAndrew Bartlett1-2/+37
server reference. Andrew Bartlett (This used to be commit 302219928f47cdc3822c3a7d9444339092d9d33c)
2007-10-10r11407: Push 'recreate account' logic into libnet/libnet_join.c. We don'tAndrew Bartlett1-2/+33
return the pesky USER_EXISTS 'error' code any more, and it is much easier to handle this inline. Andrew Bartlett (This used to be commit a7eb796cf544db3fe16986d8e233d2defe7a7d1b)
2007-10-10r11349: Actually add all the new spns...Andrew Bartlett1-12/+6
Andrew Bartlett (This used to be commit 63eede2ad3f0238e1a925325c0be08d79f48c33b)
2007-10-10r11348: Fixes for 'net join':Andrew Bartlett1-18/+19
- Add more servicePrincipalNames - Always add them, not just for BDC accounts, and not just the first time the account is created (it might be an upgrade from an NT4 account). This should fix us for being a domain member in ADS again. (This used to be commit 3821821d4cb459edd331d40be8b84b3c82616a0a)
2007-10-10r11287: Understand the new behaviour of the LSA pipe on ncacn_ip_tcp in ↵Andrew Bartlett1-48/+66
Win2k3 SP1. Only a few operations are supported (LookupSids3 and LookupNames4), and these are only supported under schannel. This appears to be the operations Win2k3 SP1 uses to verify part of the PAC back to the server. The test is setup to pass, but not enforce (so far) this new behaviour. Andrew Bartlett (This used to be commit e15e39866e9775ba662f669a19836d33f7633f6f)
2007-10-10r11197: indentAndrew Bartlett1-2/+2
(This used to be commit a432ba105cbf2ea7b9010365c0a7d1dcc9ff5f7f)
2007-10-10r11094: Connect to SAM, implement getdcnameVolker Lendecke1-1/+1
(This used to be commit a14398715eceecf204caf815a8769ba8214d0576)
2007-10-10r10913: This patch isn't as big as it looks ...Andrew Tridgell1-3/+3
most of the changes are fixes to make all the ldb code compile without warnings on gcc4. Unfortunately That required a lot of casts :-( I have also added the start of an 'operational' module, which will replace the timestamp module, plus add support for some other operational attributes In ldb_msg_*() I added some new utility functions to make the operational module sane, and remove the 'ldb' argument from the ldb_msg_add_*() functions. That argument was only needed back in the early days of ldb when we didn't use the hierarchical talloc and thus needed a place to get the allocation function from. Now its just a pain to pass around everywhere. Also added a ldb_debug_set() function that calls ldb_debug() plus sets the result using ldb_set_errstring(). That saves on some awkward coding in a few places. (This used to be commit f6818daecca95760c12f79fd307770cbe3346f57)
2007-10-10r10810: This adds the hooks required to communicate the current user from theAndrew Bartlett1-0/+2
authenticated session down into LDB. This associates a session info structure with the open LDB, allowing a future ldb_ntacl module to allow/deny operations on that basis. Along the way, I cleaned up a few things, and added new helper functions to assist. In particular the LSA pipe uses simpler queries for some of the setup. In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't been worked on (other than making it continue to compile) since January, and I think the features of this module are being put into ldb anyway. I have also changed the partitions in ldap_server to be initialised after the connection, with the private pointer used to associate the ldb with the incoming session. Andrew Bartlett (This used to be commit fd7203789a2c0929eecea8125b57b833a67fed71)
2007-10-10r10701: Ensure we return the right user handle.Andrew Bartlett1-2/+2
Andrew Bartlett (This used to be commit 732b247a498e0b90b9f0c711baaac51ad6402496)
2007-10-10r10696: Return the realm to the caller, not NULL...Andrew Bartlett1-2/+1
Also return an indication of if the join was of a new account, or reworking an existing account. Andrew Bartlett (This used to be commit b6e4b36c4f1f90e42dd0543538956a1d89e3724b)
2007-10-10r10566: Clean up error messages to provide more accurate info.Andrew Bartlett1-5/+10
Andrew Bartlett (This used to be commit 640815008b78ca19a73beb523e6823dd61feffa5)
2007-10-10r10486: This is a merge of Brad Henry's 'net join' rework, to better performAndrew Bartlett1-367/+880
an ADS join, particularly as a DC. This represents the bulk of his Google SOC work, and I'm very pleased to intergrate it into the tree. (Metze will intergrate the DRSUAPI work later). Both metze and myself have also put a lot of time into this patch, and in mentoring Brad in general. In return, Brad has been a very good student, and has taken the comments well. Since it's last appearance on samba-technical@, I have made correctness and valgrind fixups, as well as adding a new 'BINDING' mode to the libnet_rpc routines. This allows the exact binding string to be passed down from the torture code, including options and exact target host. Andrew Bartlett (This used to be commit d6fa105fdabbeb83a9b0e50dad49d1649afdb2a4)
2007-10-10r9391: Convert all the code to use struct ldb_dn to ohandle ldap like ↵Simo Sorce1-12/+16
distinguished names Provide more functions to handle DNs in this form (This used to be commit 692e35b7797e39533dd2a1c4b63d9da30f1eb5ba)
2007-10-10r8981: Add comments, fix typos (in attribute names) and check for errors inAndrew Bartlett1-4/+35
SamSync and 'net join'. Andrew Bartlett (This used to be commit 257240b0e29da14f7a2e660182b367304a5fa530)
2007-10-10r8970: Add 'ADS' join support to Samba4.Andrew Bartlett1-4/+70
We now fill in the servicePrincipalName over LDAP, just like XP does, and store the kvno in our local db. Andrew Bartlett (This used to be commit 5547c4e6f6a0c163aa38fa4d4ed8c627ae12bf80)
2007-10-10r8952: Partial work commit to find the DN of the new machine account - weAndrew Bartlett1-1/+108
will use ldb to add servicePrincipalNames to this. Andrew Bartlett (This used to be commit c1f8cab3e3d3eaf4af372675656fe1a4da68a9f8)
2007-10-10r8847: Rework the Samba4 'net join' code. I'm trying to get this closer toAndrew Bartlett1-210/+297
what WinXP does when joining an AD domain, but in the meantime this removes the excess unions, and uses the LSA pipe in same way XP does. Andrew Bartlett (This used to be commit d2789c426090c325f6535cdce380ac0f4e22c3c7)
2007-10-10r8248: Make these comments more accurate.Andrew Bartlett1-4/+6
Andrew Bartlett (This used to be commit 00e1cf79410eb7d31958ba272d87eb2d379c3613)
2007-10-10r8232: remove samr_String and netr_String as they are the same as lsa_StringStefan Metzmacher1-3/+3
metze (This used to be commit e601042c07d7b6eed0dc34e5b136d9266b8a0f81)
2007-10-10r8077: Propagate changes in rpc connect routine to functions using itRafal Szczesniak1-18/+18
(it's quite common). rafal (This used to be commit 798b00c24ae30a08ac81342d13130a6a2f9d3a08)
2007-10-10r7203: Fill in the error message and fail if we can't open the secrets database.Andrew Bartlett1-0/+6
Andrew Bartlett (This used to be commit 27257170f4ad08c1a86be9c2a5edfa0b3da0b7a0)
2007-10-10r6525: Remove incorrect comment.Andrew Bartlett1-2/+0
Andrew Bartlett (This used to be commit 7c8a0d86d4c486198ed2cf52fad2a878ed635c8b)
2007-10-10r5988: Fix the -P option (use machine account credentials) to use the Samba4Andrew Bartlett1-2/+3
secrets system, and not the old system from Samba3. This allowed the code from auth_domain to be shared - we now only lookup the secrets.ldb in lib/credentials.c. In order to link the resultant binary, samdb_search() has been moved from deep inside rpc_server into lib/gendb.c, along with the existing gendb_search_v(). The vast majority of this patch is the simple rename that followed, (Depending on the whole SAMDB for just this function seemed pointless, and brought in futher dependencies, such as smbencrypt.c). Andrew Bartlett (This used to be commit e13c671619bd290a8b3cae8555cb281a9a185ee0)
2007-10-10r5983: Start support for being a domain member in Samba4.Andrew Bartlett1-2/+2
This adds the auth_domain module to the auth subsystem, and cleans up some small details around the join process (ensuring all the right info is in the DB). Andrew Bartlett (This used to be commit 858cbfb8210239aa85a01da95e5beb9546a998a5)
2007-10-10r5941: Commit this patch much earlier than I would normally prefer, but ↵Andrew Bartlett1-1/+1
metze needs a working tree... The main volume of this patch was what I started working on today: - Cleans up memory handling around DCE/RPC pipes, to have a parent talloc context. - Uses sepereate inner loops for some of the DCE/RPC tests The other and more important part of this patch fixes issues surrounding the new credentials framwork: This makes the struct cli_credentials always a talloc() structure, rather than on the stack. Parts of the cli_credentials code already assumed this. There were other issues, particularly in the DCERPC over SMB handling, as well as little things that had to be tidied up before test_w2k3.sh would start to pass. Andrew Bartlett (This used to be commit 0453f9d05d2e336fba1f85dbf2718d01fa2bf778)
2007-10-10r5900: Use flatname to specify the netbios domain name (matches what win2k3Andrew Bartlett1-3/+3
uses for trusted domain records) in the secrets join records. Andrew Bartlett (This used to be commit a6c502832c4ef471bd423b795f210abf3bb96ca5)
2007-10-10r5585: LDB interfaces change:Simo Sorce1-1/+1
changes: - ldb_wrap disappears from code and become a private structure of db_wrap.c thanks to our move to talloc in ldb code, we do not need to expose it anymore - removal of ldb_close() function form the code thanks to our move to talloc in ldb code, we do not need it anymore use talloc_free() to close and free an ldb database - some minor updates to ldb modules code to cope with the change and fix some bugs I found out during the process (This used to be commit d58be9e74b786a11a57e89df36081d55730dfe0a)
2007-10-10r5364: Rename string fields called 'domain' and 'name' to be 'domain_name'.Tim Potter1-1/+1
(This used to be commit 6749b9404d4e9876ecd964e038c608f05d2c0b69)
2007-10-10r5298: - got rid of pstring.h from includes.h. This at least makes it a bitAndrew Tridgell1-2/+2
less likely that anyone will use pstring for new code - got rid of winbind_client.h from includes.h. This one triggered a huge change, as winbind_client.h was including system/filesys.h and defining the old uint32 and uint16 types, as well as its own pstring and fstring. (This used to be commit 9db6c79e902ec538108d6b7d3324039aabe1704f)
2007-10-10r5037: got rid of all of the TALLOC_DEPRECATED stuff. My apologies for theAndrew Tridgell1-1/+1
large commit. I thought this was worthwhile to get done for consistency. (This used to be commit ec32b22ed5ec224f6324f5e069d15e92e38e15c0)