Age | Commit message (Collapse) | Author | Files | Lines |
|
code.
Previously, we had to know (or guess) the host and domain guid at the
provision stage. Now we query the database post-provision, to extract
the values and fill in the zone file.
This allows us to generate a correct zone file in the Windows migration case.
In an effort to make SWAT easier to use, I have removed and renamed
some of the provision options.
I have also fixed a nasty issue in my js code. I had implictly
declared a global variable of the name 'join', with disasterious
results for any subsequent user of the string utility function:
esp exception - ASSERT at lib/appweb/ejs/ejsParser.c:2064, 0
Backtrace:
[ 0] substitute_var:20 -> list[i] = join("", list2)
[ 1] setup_file:9 -> data = substitute_var(data, subobj)
Andrew Bartlett
(This used to be commit a38ceefd11f8b748f30383ef36a4752f178bfca1)
|
|
password'.
Andrew Bartlett
(This used to be commit e13cb0ab175069eb670c8b2f57379ababacfcce3)
|
|
Doing this required reworking ejsnet, particularly so it could take a
set of credentials, not just a username and password argument.
This required fixing the ejsnet.js test script, which now adds and
deletes a user, and is run from 'make test'. This should prevent it
being broken again.
Deleting a user from ejsnet required that the matching backend be
added to libnet, hooking fortunetly onto already existing code for the
actual deletion.
The js credentials interface now handles the 'set machine account' flag.
New functions have been added to provision.js to wrap the basic
operations (so we can write a command line version, as well as the web
based version).
Andrew Bartlett
(This used to be commit a5e7c17c348c45e61699cc1626a0d5eae2df4636)
|
|
Andrew Bartlett
(This used to be commit 7b169aad3f94f1695b1f99cc91ff928cb2ca0389)
|
|
main provision script a bit, as the argument list was getting out of
control. (It has been replaced in part with an object).
This also returns the session_info from the auth code into ejs.
We still need access control allowing only root to re-provision.
Andrew Bartlett
(This used to be commit 002cdcf3cab6563909d31edc5d825e857dc0a732)
|
|
Andrew Bartlett
(This used to be commit a6028558dc19b0d105b1bfe4126a2b24afaf8dd2)
|
|
structure around, so the auth code knows where the request came from.
Andrew Bartlett
(This used to be commit 7a7b2668c00d4d22bcf8aa3ba256af88f70c38c4)
|
|
structure that is more generic than just 'IP/port'.
It now passes make test, and has been reviewed and updated by
metze. (Thankyou *very* much).
This passes 'make test' as well as kerberos use (not currently in the
testsuite).
The original purpose of this patch was to have Samba able to pass a
socket address stucture from the BSD layer into the kerberos routines
and back again. It also removes nbt_peer_addr, which was being used
for a similar purpose.
It is a large change, but worthwhile I feel.
Andrew Bartlett
(This used to be commit 88198c4881d8620a37086f80e4da5a5b71c5bbb2)
|
|
Andrew Bartlett
(This used to be commit 42cdad5e3f06c307baf80396fd8449b803ef84c3)
|
|
This should be replaced with real ACLs, which tridge is working on.
In the meantime, the rules are very simple:
- SYSTEM and Administrators can read all.
- Users and anonymous cannot read passwords, can read everything else
- list of 'password' attributes is hard-coded
Most of the difficult work in this was fighting with the C/js
interface to add a system_session() all, as it still doesn't get on
with me :-)
Andrew Bartlett
(This used to be commit be9d0cae8989429ef47a713d8f0a82f12966fc78)
|
|
the cmdline credentials if we ask for it.
Andrew Bartlett
(This used to be commit 874dd09759eb0243988f39363c94785ae2e68485)
|
|
This should allow us to provision to a 'normal' LDAP server.
Also add in 'session info' hooks (unused). Both of these need to be
hooked in on the webserver.
Andrew Bartlett
(This used to be commit b349d2fbfefd0e0d4620b9e8e0c4136f900be1ae)
|
|
Andrew Bartlett
(This used to be commit 0f8c162211662de59f42a96fe5bdf56ed5be883f)
|
|
Andrew Bartlett
(This used to be commit 964f7fc6ca4ac7578ca0d467392d4e174211b6e2)
|
|
(This used to be commit 5884a7effff0b11e82c9d273dbd0407b0f2eb02d)
|
|
Gunderson)
(This used to be commit 4c562c42b43d98f4c6bdbacc5cb1dd5e65bc3418)
|
|
Gunderson).
this still doesn't work as a bug in ldb causes it to not understand
escaped characters in DNs when parsing DNs
(This used to be commit 10da56fb6cc57b6c0650a8dc81ded5faa643a96e)
|
|
(This used to be commit 3d70ebca0b706ae22bc7a3f48c2247c450c42026)
|
|
(This used to be commit f4ac7d6359b5a6de04a6ea518dec99f4c9b49b3d)
|
|
(This used to be commit c722f665c90103f3ed57621c460e32ad33e7a8a3)
|
|
dependencies
with proto.h
(This used to be commit 9e0ba380374db028358158b9e4457dd930b5ab13)
|
|
subsystems.
This allows Samba libraries to be used by other projects (and parts of
Samba to be built as shared libraries).
(This used to be commit 44f0aba715bfedc7e1ee3d07e9a101a91dbd84b3)
|
|
(This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981)
|
|
Andrew Bartlett
(This used to be commit 2853ccfc8ad58c6af751e01487b8a9e7e68a01e7)
|
|
(This used to be commit ca8db1a0cd77682ac2c6dc4718f5d753a4fcc4db)
|
|
with debugging!
Andrew Bartlett
(This used to be commit fe36cb6767ce99432e2778037aad334170dca173)
|
|
lookups in load_interfaces(). The reason was my eth0 interface was
down, and it was being interpreted as a DNS name.
This patch changes load_interfaces() to happening automatically when
interfaces are first needed instead of on the startup of every samba
binary. This means that (for example) ldbadd doesn't call
load_interfaces(), which means no slow DNS lookups.
I also reduced the number of static globals in interface.c to 1, and
changed from malloc to talloc
When you want to force a reload of the interfaces list, you now call
unload_interfaces(), which means the next call that needs the
interfaces list will reload it
(This used to be commit f79d90bd1364b970adb2981b2572e77066431f1e)
|
|
(This used to be commit 832a1092c9c11c293b5748e2e78da872fcba2a42)
|
|
(This used to be commit b46eeba9fcb059ef83743de8be7dab26f9ef21b2)
|
|
Be a bit more strict when checking for duplicate interfaces
(This used to be commit b1286a6d27e2b5aa26f288f6aff70601b0d8ae74)
|
|
dcerpc_interface_table struct rather then a tuple of interface
name, UUID and version.
This removes the requirement for having a global list of DCE/RPC interfaces,
except for these parts of the code that use that list explicitly
(ndrdump and the scanner torture test).
This should also allow us to remove the hack that put the authservice parameter
in the dcerpc_binding struct as it can now be read directly from
dcerpc_interface_table.
I will now modify some of these functions to take a dcerpc_syntax_id
structure rather then a full dcerpc_interface_table.
(This used to be commit 8aae0f168e54c01d0866ad6e0da141dbd828574f)
|
|
now that it is guaranteed that the smbcalls modules are always initialized
after the EJS subsystem itself.
(This used to be commit 1e8670874bb7415c3e00a42516680fdb4ee2fca1)
|
|
'librpc'
are the only two subsystems left to convert.
(This used to be commit f6bbc72996aeee8607fc583140fd60be0e06e969)
|
|
(This used to be commit c92ace494f92084ddf178626cdf392d151043bc7)
|
|
(This used to be commit 7ca00cd918760dccc51e56234126ead8535a22ef)
|
|
(This used to be commit b27d81dca9fd07c83b11a5bb3a883ec3f28cca6a)
|
|
its own credentials element
(This used to be commit de8975bdd3dc9b4f4d65000e126bbd11c43b3f06)
|
|
server. Now to try another one...
Andrew Bartlett
(This used to be commit 175f616d74ac3567a35713343be0c63c96c5aede)
|
|
backend.
The idea is that every time we open an LDB, we can provide a
session_info and/or credentials. This would allow any ldb to be remote
to LDAP. We should also support provisioning to a authenticated ldap
server.
(They are separate so we can say authenticate as foo for remote, but
here we just want a token of SYSTEM).
Andrew Bartlett
(This used to be commit ae2f3a64ee0b07575624120db45299c65204210b)
|
|
(This used to be commit ba913b86e866a67402785d9177711beb16db2cab)
|
|
This is one of the last places using the latter function.
rafal
(This used to be commit c95d30d38c4969c070766d320ed52e332e131195)
|
|
to match all other _recv functions we have
metze
(This used to be commit bd4f85ab5f60c7430ac88062fa6a9f6cffa9596f)
|
|
metze
(This used to be commit 4d35c2b8e671cc8fe44971cf2a577236afd1abbd)
|
|
metze
(This used to be commit e5654f9791a2786e45108216344b2daea3ad9d91)
|
|
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
|
|
(This used to be commit 4b56c129c6f1654f9dbe37bc950a836f15c48b3d)
|
|
2) Set credentials workstation name, otherwise rpc bind function
segfaults on auth stage
rafal
(This used to be commit 6dc67ba6a30e6fc3fc21821d009ea940b093eec2)
|
|
smbsrv_connection
metze
(This used to be commit acd3e644e030a3544ddc6cdcd4e0ec9617732cba)
|
|
of smb.conf.
rafal
(This used to be commit 739169e8eda74ad53d728fe6d11a30513c218853)
|
|
rafal
(This used to be commit 90db7f13bc0df0a276dc736d2f9439616cb3b2f7)
|