Age | Commit message (Collapse) | Author | Files | Lines |
|
Get this out of the server credentials, and push it down to ldb via an
opaque pointer.
Andrew Bartlett
(This used to be commit 61700252e05e0be6b4ffa72ffc24a95c665597e3)
|
|
This fixes a problem I had with kpasswd, as the account had 'expired'
due to the old pwdLastSet, hardcoded in the ldif.
Andrew Bartlett
(This used to be commit 1a9992e56a777771ad963af87481ce4ffb8cbf56)
|
|
Andrew Bartlett
(This used to be commit 660fc3ff4e26873710b35c8f52fe3a697764ec98)
|
|
module is perhaps not the most efficient, but I think it is
reasonable.
This should restore operation of MMC against Samba4 (broken by the
templating fixes).
Andrew Bartlett
(This used to be commit 41948c4bdbfca1160a01a92994324f9e22422afe)
|
|
using pre-calculated passwords for all kerberos key types.
(Previously we could only use these for the NT# type).
The module handles all of the hash/string2key tasks for all parts of
Samba, which was previously in the rpc_server/samr/samr_password.c
code. We also update the msDS-KeyVersionNumber, and the password
history. This new module can be called at provision time, which
ensures we start with a database that is consistent in this respect.
By ensuring that the krb5key attribute is the only one we need to
retrieve, this also simplifies the run-time KDC logic. (Each value of
the multi-valued attribute is encoded as a 'Key' in ASN.1, using the
definition from Heimdal's HDB. This simplfies the KDC code.).
It is hoped that this will speed up the KDC enough that it can again
operate under valgrind.
(This used to be commit e9022743210b59f19f370d772e532e0f08bfebd9)
|
|
We need to add to the multivalued objectClass, not ignore it because
the user has already specified a value.
Also rename the template again.
This was caught by more stringent tests in the unicodePwd module, but
breaks MMC. A later commit will sort the objectClass.
Andrew Bartlett
(This used to be commit 0aaff059ba76c7eee86f37bfd74735c1c365d55f)
|
|
i guess this shows that MS clients ignore the port number in SRV replies
(This used to be commit ce070ef50f3aca6f911f6f51688d7cd9fc17ff67)
|
|
different computer account types. (Earlier code changes removed the
BDC case).
We don't use the TemplateDomainController, so just have a
TemplateServer in provision_templates.ldif
Andrew Bartlett
(This used to be commit c4520ba2e6fad42a137983a2e1dbcd9c26db74e9)
|
|
(This used to be commit 566bbfd067f43d86eacc1e867e6f64bac85e285d)
|
|
require the isSynchronized flag in the rootDSE.
Andrew Bartlett
(This used to be commit e48464c8844b4af1976d8379aef8db9baddd3687)
|
|
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
|
|
Andrew Bartlett
(This used to be commit b3929230b210bd6f0b12f90f48767aa861fd08fa)
|
|
(This used to be commit 4b56c129c6f1654f9dbe37bc950a836f15c48b3d)
|
|
module in @MODULES
(This used to be commit cfab88fcc2c740a6d3fd456a009fbb60061b3a53)
|
|
the core elements of a Samba4 domain
(This used to be commit bee45531eaa1f7b96f123c146af3bc30681ebdec)
|
|
needed for mmc management of Samba4.
(This used to be commit cbbce4fe403efc0b9e63052c2aa1fbb5972f2abe)
|
|
in provision.
Andrew Bartlett
(This used to be commit 8ed61562803f92eb110742ac45cff36c8fe8eca3)
|
|
Add the kpasswd server to our KDC, implementing the 'original' and
Microsoft versions of the protocol.
This works with the Heimdal kpasswd client, but not with MIT, I think
due to ordering issues. It may not be worth the pain to have this
code go via GENSEC, as it is very, very tied to krb5.
This gets us one step closer to joins from Apple, Samba3 and other
similar implementations.
Andrew Bartlett
(This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
|
|
list should be from the dnsdomain (ie lowercae).
Andrew Bartlett
(This used to be commit 10d692a1c216134b301b5851ce1e71ed93cc6164)
|
|
and remove now duplicated unwrap_pac().
Andrew Bartlett
(This used to be commit 90642d54e02e09edc96b9498e66befda20dbb68d)
|
|
Andrew Bartlett
(This used to be commit 7e01ff11fdcd70b54e30b438076bf1293638c61e)
|
|
authentication. This pulls the creating of the keytab back to the
credentials code, and removes the special case of 'use keberos keytab
= yes' for now.
This allows (and requires) the callers to specify the credentials for
the server credentails to GENSEC. This allows kpasswdd (soon to be
added) to use a different set of kerberos credentials.
The 'use kerberos keytab' code will be moved into the credentials
layer, as the layers below now expect a keytab.
We also now allow for the old secret to be stored into the
credentials, allowing service password changes.
Andrew Bartlett
(This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
|
|
- randpass() is now in the random ejs module, not global
- don't dereference the undefined variable on getopt failure
(This used to be commit 7e338c23f5ac351b362a9e07fd81ec07bc700484)
|
|
so you can use them in search filters,
only for administration not used inside the winserver code
- fix the samba3 ugrade scripts to create a correct samba4 wins.ldb
metze
(This used to be commit 9f3b6746d86583c48097da48c28f50f075bbd3e3)
|
|
as users in mmc.
The problem was that the samdb module was auto-adding objectClass=user
for these accounts. That would be OK, as computer accounts are
supposed to be in that objectClass, but mmc cares about the order of
the values in the objectClass attribute! It looks for the last value,
and takes that as the value to use when deciding how to manipulate the record.
So, this patch adds an explicit objectClass=user to the record when it
gets created, which tells the samdb module to not add it as well. That
fixes the order. I suspect we are missing something else though - is
objectClass supposed to auto-sort based on the schema?
(This used to be commit 68c5f807fdb99fd605154d455e61a08293cbd2d0)
|
|
- removed the timestamps module, replacing it with the operational module
- added a ldb_msg_copy_shallow() function which should be used when a module
wants to add new elements to a message on add/modify. This is needed
because the caller might be using a constant structure, or may want to
re-use the structure again
- enabled the UTC time attribute syntaxes in the operational module
(This used to be commit 61e8b010223ac6a0573185008f3719ba29574688)
|
|
default SPN alias.
Andrew Bartlett
(This used to be commit e4fe5802dae544f4dabf0c6d04a55be1144d8820)
|
|
the list:
This patch removes the 'domain logon' and 'domain master' controls from
Samba4, in favour of a 'server role =' that users can actually
understand.
We can expand the list of roles as needed, and nobody has to figure out
what a 'domain master' actually means.
Andrew Bartlett
(This used to be commit 31e755c2ced64dbd2681d5f6ef021a87dbeda689)
|
|
(This used to be commit 87f25fe49caa78422582337c5208a331ef5b8c15)
|
|
Convert Samba3 policy "refuse machine pw change" to registry value.
(This used to be commit a143234ac7622ef3ef87c80224927551a1452e4b)
|
|
(This used to be commit 7666993fa96916d9d849a636a1b30ca7f77354a2)
|
|
(This used to be commit d2db164d6f674cada470e871c558c75f98244141)
|
|
(This used to be commit 96ccbd6402fa37338c49d9a55919a360e940bc48)
|
|
Add 'paths' object to provision code.
(This used to be commit 488d737fb0ebbc2535d0ec17c14f0dc1eaf2a578)
|
|
Write out new smb.conf file. Parameters that have disappeared
between Samba 3 and 4 will optionally be prefixed with 'samba3:'
(This used to be commit 27eefbd9059fe0a3daca15a71da7b4cb88ed22ec)
|
|
(This used to be commit b7c09df9e506f8048f69c4bdd1c3351e3b554e18)
|
|
Move samba3sam to dsdb/
(This used to be commit eb9d615bcd49328131613f64745760a90553b7f2)
|
|
Upgrading using SWAT should work as well now.
(This used to be commit 8baa2ac377315ae8b365f58c2bda0bf3d0c5aec3)
|
|
- [ldb_map] Support storing non-mappable data in a fallback LDB
(This used to be commit 435e4c6389b9d9b545beec8036289620ee5883db)
|
|
Samba3 data (both console and SWAT)
(This used to be commit d569465dc4def55c27878028f2fc762960f453d8)
|
|
(This used to be commit 804f2485d059d60c4a41b6094c4cf568e6989397)
|
|
except of popt help (-h) option (unexpected ?).
rafal
(This used to be commit 1990793b23d6198a85ce1bdf6ad43e12015db203)
|
|
thanks to Hotarut for spotting this
(This used to be commit 3f30c6118ba22fbf52068630f48bcde82182b8a6)
|
|
parts
(This used to be commit f8949869bc114590c9260ab7b9d97f71a552a6a7)
|
|
Andrew Bartlett
(This used to be commit e6abd9f70449e9c5716cd36565442873bdc7d44c)
|
|
and fix howto.txt.
rafal
(This used to be commit 5bf5559e0f71455ddf62eef11956de12d104459b)
|
|
has changed.
rafal
(This used to be commit a59594d2d84417bc0c87be953daf9152b968c61a)
|
|
code. Especially as this is a new language for most Samba developers,
it is far better to err strongly on the side of readability rather
than trying to save a line of code by using fancy tricks
(This used to be commit 3228644cf898cc9b3386675f40f2f7e52f69e5c0)
|
|
templating support for foreignSecurityPrincipals to the samdb module.
This is an extension beyond what microsoft does, and has been very
useful :-)
The setup scripts have been modified to use the new template, as has
the SAMR and LSA code.
Other cleanups in LSA remove the assumption that the short domain name
is the first component of the realm.
Also add a lot of useful debug messages, to make it clear how/why the
SamSync may have gone wrong. Many of these should perhaps be hooked
into an error string.
Andrew Bartlett
(This used to be commit 1f071b0609c5c83024db1d4a7d04334a932b8253)
|
|
in each smb login
(This used to be commit f6d24d063ad1a96c326ce6a60adfc224d905afc6)
|