Age | Commit message | Author | Files | Lines |
|
This should mean that lookups for the BUILTIN domain cause less trouble
than they have in the past, because they will no longer go via the
trusted domain handler.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 20 15:30:00 CEST 2013 on sn-devel-104
|
|
This needs to be a talloc child of struct wbsrv_domain
otherwise the cleanup of a broken connection doesn't work.
The following command can trigger the leak on a domain controller.
root@dc:~/samba# ls -l /var/lib/samba/sysvol/samba.private/
total 16
drwxrwx---+ 5 root 3000000 4096 May 14 14:46 Policies
drwxrwx---+ 2 root 3000000 4096 May 14 11:45 scripts
gid 3000000 belongs to Builtin\Administrators.
The code triggers a ncacn_np: connection to the local smbd
and complains that domain BUILTIN is not available:
[2013/05/29 17:28:03, 2] ../source4/winbind/wb_init_domain.c:376(init_domain_recv_queryinfo)
Expected domain name BUILTIN, DC dc.samba.private said SAMBA
In that case the connection was not closed, which is fixed by this commit.
Using ncalrpc: for all local SIDs and serving the BUILTIN domain is
a project for another day...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Jun 4 11:05:09 CEST 2013 on sn-devel-104
|
|
This will protect the netlogon_creds later.
metze
|
|
controller"
This will allow us to detect from the smb.conf if this is a Samba4 AD
DC which will allow smarter handling of (for example) accidentally
starting smbd rather than samba.
To cope with upgrades from existing Samba4 installs, 'domain
controller' is a synonym of 'active directory domain controller' and
new parameters 'classic primary domain controller' and 'classic backup
domain controller' are added.
Andrew Bartlett
|
|
That avoids recursion if "smbd" is used as file server.
metze
|
|
Windows Server 2008 returns NT_STATUS_DOWNGRADE_DETECTED if you call
netrServerAuthenticate2 during a domain join without setting the strong
keys flag (128bit crypto).
Only for NT4 we need to do a downgrade to the returned negotiate flags.
See also 0970369ca0cb9ae465cff40e5c75739824daf1d0.
|
|
w2k8r2
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jun 22 19:40:47 CEST 2011 on sn-devel-104
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
dcerpc_binding_handle stubs
metze
|
|
metze
|
|
|
|
During the creation of the 3 RPC pipes in winbind we try to steal the
RPC binding structure to be a child of the pipe once the pipe is
established. This fails with a talloc warning as the rpc connection
code already holds a reference to the binding.
The fix is to use talloc_reparent() instead.
|
|
|
|
This reverts commit 102028ec722d942d7f91eb92e8da4f1480d140d1.
state->ctx is the composite_context, which is a temporary context!
metze
|
|
|
|
|
|
metze
|
|
Guenther
|
|
The problem was that we would do a blocking wait for the LDAP server,
which was also blocking on us returning (because we were in single
process mode).
The LDAP connection being made here is useless anyway, and will need
to be an async ldb_connect() before anybody reintroduces it (nobody in
their right mind would program a winbindd backend on pure LDAP, when
the ldb abstraction is available).
Andrew Bartlett
(This used to be commit 23280b2e6ed5afb968bf0b8c40febb085eed38a1)
|
|
state->domain->netlogon_binding is a child of ctx, and ctx is freed by
the composite_is_ok failure callback
(This used to be commit 3c217518ba9a7b64fe6c842187499f1ee5189567)
|
|
(This used to be commit 4d7fc946b2ec50e774689c9036423b6feef99b8e)
|
|
(This used to be commit 1b947fe0e6e16318e5a8127bb4932d6b5d20bcf6)
|
|
(This used to be commit 5d589a0d94bd76a9b4c9fc748854e8098ea43c4d)
|
|
(This used to be commit 17637e4490e42db6cdef619286c4d5a0982e9d1a)
|
|
(This used to be commit eeb2251d22b3d6e0379444a73af69d1014692b07)
|
|
wbsrv_connection.
(This used to be commit 7c008664238ed966cb82adf5b25b22157bb50730)
|
|
(This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238)
|
|
(This used to be commit abe8349f9b4387961ff3665d8c589d61cd2edf31)
|
|
metze
(This used to be commit 84651aee81aaabbebf52ffc3fbcbabb2eec6eed5)
|
|
metze
(This used to be commit 184a7cfc36860e16f9483347ae70a053a5823e83)
|
|
return full SIDs for the user SID and primary group sid.
This should help kai with his getpwnam work in winbind.
Andrew Bartlett
(This used to be commit 078671d5015c63e4bcd96815e150dae918763b83)
|
|
We need to set the access_mask and the domain name, or else libnet
will try to do this itself.
This seems to fix the issues Kai was having.
Andrew Bartlett
(This used to be commit 44c193272b05959c756ee0078d666bcdf1374023)
|
|
We now setup a libnet_ctx for each domain. We should then be able to
replace/merge some more of the winbind code with libnet calls,
referencing domain->libnet_ctx.
Andrew Bartlett
(This used to be commit bad2dc14d704be59300f619c84694c11620559e0)
|
|
Add a test for wbinfo -a to test_member.sh
Reimplement the server-side 'pam_auth' and 'pam_auth_crap' calls to
use the same SamLogon code as auth_winbind uses.
In my previous code, we did not bind to the LSA and SAMR pipes, before
attempting operations. We now do this (how we passed any tests before
is beyond me).
This required some rework, particularly to make it easier to setup
secondary connections. The new rpc_secondary_auth_connection()
function also performs the bind.
The dcerpc_connect.c file was getting too big, so things have been
merged into dcerpc_secondary.c.
Andrew Bartlett
(This used to be commit 365778a993b7d76af6d53ba2a598b7e271741dc5)
|
|
are a DC.
Next step is to make it work...
Andrew Bartlett
(This used to be commit a1b6c9ecb9a6f17bcbabf81a8128398df6447490)
|
|
There are still a few tidyups of old FSF addresses to come (in both s3
and s4). More commits soon.
(This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
|
|
Andrew Bartlett
(This used to be commit 6ecb3cb0b337260f31abd257e9f900661de4cfd2)
|
|
(I created finddcs() from the winbind code a while back, so this
finishes that work)
Andrew Bartlett
(This used to be commit 218b279a46a4ca739597936f0b67573599e6d375)
|
|
decided to clean it up a little.
We now use SPNEGO for authentication if possible, and common routines
shared with the rest of the librpc codebase. Rather than make a
connection to IPC$, then connect the pipes to it, we instead have the
lsa and samr pipes as 'secondary connections'.
Andrew Bartlett
(This used to be commit 86654056b22245a57396544d572de6401069b9e5)
|
|
rename private -> private_data
metze
(This used to be commit 58551f2f28fce8f1fcd04736c47ecd7458f32ea2)
|
|
way to go, as this has bitrotted over the past months.
This change in particular catches winbind up with the next
composite_create() function.
We also needed to remove an unused flags field, and fill in the lm
response.
Andrew Bartlett
(This used to be commit bd26e4ffaf1c060fdc3aae28fd4393e83c5a83ea)
|
|
using the pattern in the clilsa code, it didn't fill in the p->binding
structure. This affects nearly all users of dcerpc_pipe_open_smb(), so
the simplest fix is to ensure that dcerpc_pipe_open_smb() initialises
the binding if it's not already there.
- re-enable the RAW-ACLS test
(This used to be commit d8875c286d2be49c01703d8fd58bbc1842054bd9)
|
|
library. Even though we don't link to that library, it gets loaded via
nss-ldap, which means nss-ldap calls into the samba ldap lib with the
wrong parameters, and crashes.
We really need to use a completely different namespace in libcli/ldap/
(This used to be commit c440e0eed9afae5fe69995a7416971e7c8560779)
|
|
* Move dlinklist.h, smb.h to subsystem-specific directories
* Clean up ads.h and move what is left of it to dsdb/
(only place where it's used)
(This used to be commit f7afa1cb77f3cfa7020b57de12e6003db7cfcc42)
|
|
Remove some autogenerated headers (which had prototypes now autogenerated by pidl)
Remove ndr_security.h from a few places - it's no longer necessary
(This used to be commit c19c2b51d3e1ad347120b06a22bda5ec586c22e8)
|
|
metze
(This used to be commit 9ec706238c173992dc938d537bdf1103bf519dbf)
|
|
(This used to be commit f7312dab3b9aba2b2b82e8a6e0c483a32a03a63a)
|
|
try to include just the BASENAME.h files (containing only structs)
(This used to be commit 3dd477ca5147f28a962b8437e2611a8222d706bd)
|
|
(This used to be commit 7054ebf0249930843a2baf4d023ae8f62cedb109)
|