1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

421 Commits

Author SHA1 Message Date
Andrew Bartlett
1d0e2b9569 r6803: Try to bring in the correct GSSAPI headers for the krb5 mech. This
should allow us to ditch the local static storage for OIDs, as well as
fix the build on non-heimdal platforms.

Andrew Bartlett
(This used to be commit a7e2ecfac9)
2007-10-10 13:16:45 -05:00
Andrew Bartlett
5c6dd5e800 r6800: A big GENSEC update:
Finally remove the distinction between 'krb5' and 'ms_krb5'.  We now
don't do kerberos stuff twice on failure.  The solution to this is
slightly more general than perhaps was really required (as this is a
special case), but it works, and I'm happy with the cleanup I achived
in the process.  All modules have been updated to supply a
NULL-terminated list of OIDs.

In that process, SPNEGO code has been generalised, as I realised that
two of the functions should have been identical in behaviour.

Over in the actual modules, I have worked to remove the 'kinit' code
from gensec_krb5, and placed it in kerberos/kerberos_util.c.

The GSSAPI module has been extended to use this, so no longer requires
a manual kinit at the command line.  It will soon loose the
requirement for a on-disk keytab too.

The general kerberos code has also been updated to move from
error_message() to our routine which gets the Heimdal error string
(which may be much more useful) when available.

Andrew Bartlett
(This used to be commit 0101728d8e)
2007-10-10 13:16:45 -05:00
Jelmer Vernooij
15a8f0ff0a r6752: Patch by Steven Edwards to improve portability to mingw32
(This used to be commit 8d63cd33a2)
2007-10-10 13:16:41 -05:00
Andrew Tridgell
2279d1ebfb r6747: first working version of cldapd server. It is missing 'sites' support, and
filling in some of the returned parameters is quite rough, but it seems to work OK
(This used to be commit e564e3e596)
2007-10-10 13:16:41 -05:00
Andrew Tridgell
7b18fcd847 r6725: the beginnings of a cldap server
(This used to be commit e51e0dffa8)
2007-10-10 13:16:38 -05:00
Rafal Szczesniak
44f981ad0b r6615: As usual, I forgot to commit new structure in this file...
rafal
(This used to be commit 3389cfb135)
2007-10-10 13:16:31 -05:00
Andrew Bartlett
8bf57cf8f5 r6573: Start on my project to implement an NT4 compatible BDC in Samba4.
This brings in a compatability layer for Samba3 in Samba4 - where we
will start to define file formats and similar details.

The 'net samdump' command uses 'password server = ' for now, and
performs a similar task to Samba3's 'net rpc samsync'.

Andrew Bartlett
(This used to be commit 550f17f992)
2007-10-10 13:16:27 -05:00
Andrew Bartlett
85e9412c47 r6565: Cludge, cludge, cludge...
We need to pass the 'secure channel type' to the NETLOGON layer, which
must match the account type.

(Yes, jelmer objects to this inclusion of the kitchen sink ;-)

Andrew Bartlett
(This used to be commit 8ee208a926)
2007-10-10 13:16:26 -05:00
Andrew Bartlett
4e29d24b4c r6467: keep the compiler quiet with another entry in structs.h
Andrew Bartlett
(This used to be commit 106047032f)
2007-10-10 13:11:40 -05:00
Andrew Bartlett
0501a440be r6462: Move the arcfour sbox state into it's own structure, and allocate it
with talloc() for the NTLMSSP system.

Andrew Bartlett
(This used to be commit 7a93ac49c2)
2007-10-10 13:11:39 -05:00
Rafal Szczesniak
dea0c8729f r6414: Added composite user del function. Slightly broken still, but I don't
want it to hang around not commited.

rafal
(This used to be commit 98d98b9bc7)
2007-10-10 13:11:35 -05:00
Rafal Szczesniak
30cb6046cb r6382: New structure for useradd call.
rafal
(This used to be commit 3752122550)
2007-10-10 13:11:34 -05:00
Alexander Bokovoy
9779e6d670 r6352: Two new composite calls:
- qfsinfo (query file system information)
- appendacl (append an ACL to existing file's security descriptor and get new
full ACL)

The second one also includes an improvement to security descriptor handling
which allows to copy security descriptor. Written by Peter Novodvorsky
<peter.novodvorsky@ru.ibm.com>

Both functions have corresponding torture tests added. Tested under valgrind and
work against Samba 4 and Windows XP.

ToDo: document composite call creation process in prog_guide.txt
(This used to be commit 441cff62ac)
2007-10-10 13:11:34 -05:00
Andrew Tridgell
d9c15b0f28 r6342: fixed a bad union assumption that caused ACLs to fail on 64 bit machines
Thanks to lars and agruen for finding this
(This used to be commit 2acc069185)
2007-10-10 13:11:33 -05:00
Andrew Bartlett
6d1ae6d35a r6271: Don't zero the cli_credentials structure - instead allow valgrind to
track the use of un-initialised values.

This change will require a recompile from clean, as the enum
describing the status of each element now has a default of
CRED_UNINITIALISED.

Andrew Bartlett
(This used to be commit 83c2eb806d)
2007-10-10 13:11:29 -05:00
Andrew Tridgell
b0ca8ed455 r6247: added the server side code for receiving mailslot requests, and
parsing incoming netlogon requests. No replies are sent yet.
(This used to be commit 3b34df6a67)
2007-10-10 13:11:28 -05:00
Andrew Tridgell
6db5d09dba r6185: added LIBCLI_DGRAM to the list of libs to be built as part of LIBCLI
(This used to be commit 47e1452da0)
2007-10-10 13:11:24 -05:00
Stefan Metzmacher
3abce73193 r6179: - add new spoolss tests for all spoolss_Enum*() calls which didn't need
a handle as parameter,

  EnumPorts
  EnumPrinterDrivers
  EnumMonitors
  EnumPrintProcessors
  EnumPrinters

  we now do cross checks between the different info levels
  and sore the results in a global context,
  so that we later can add cross checks between the different object types

- add idl for EnumMonitors and EnumPrintProcessors

metze
(This used to be commit 92a3721bc7)
2007-10-10 13:11:23 -05:00
Jelmer Vernooij
848329b9a0 r6140: - Add configure option for enabling the socket-wrapper library, so it
can be enabled on the buildfarm without requiring --enable-developer
- Support tcp and udp being used on the same port
- FIx some portability issues (should fix the build on
							   some hosts on the buildfarm)
- Ignore setting TCP_NODELAY on (semi-)TCP sockets rather then complain about
  it not being supported (saves us from a couple of error messages for each
						  connection that is opened)
(This used to be commit 443fb7853b)
2007-10-10 13:11:21 -05:00
Jelmer Vernooij
44d7f4f238 r6139: Move socket_wrapper to a seperate directory
(This used to be commit a2ef9225f1)
2007-10-10 13:11:21 -05:00
Stefan Metzmacher
d2f2d5c798 r6134: add a new type dom_sid28 which is a 28 byte fixed buffer with a dom_sid in it
metze
(This used to be commit 460d1b089e)
2007-10-10 13:11:21 -05:00
Jelmer Vernooij
e91fb065fa r6088: Add the socket_wrapper library. This is a very simple library that
redirects traffic (currently just IP traffic) over unix domain sockets
if the SOCKET_WRAPPER_DIR environment variable has been set.
Aim is to use this for the Samba4 torture suite on the buildfarm.

The socket_wrapper library can only be used if Samba was compiled with
--enable-developer.

test_rpc.sh passes against a local smbd with SOCKET_WRAPPER_DIR set.
(and ethereal showed no traffic whatsoever)

Stuff that still needs to be fixed in socketwrapper:
 - Give ENETUNREACH if target is not localhost
 - A given port number can only be used for UDP /or/ TCP, not both.
 - Perhaps allow some calls to circumvent socketwrapper (do we need DNS?)
(This used to be commit f8a63a843c)
2007-10-10 13:11:18 -05:00
Andrew Bartlett
2eb3d68062 r6028: A MAJOR update to intergrate the new credentails system fully with
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'.

GENSEC now no longer has it's own handling of 'set username' etc,
instead it uses cli_credentials calls.

In order to link the credentails code right though Samba, a lot of
interfaces have changed to remove 'username, domain, password'
arguments, and these have been replaced with a single 'struct
cli_credentials'.

In the session setup code, a new parameter 'workgroup' contains the
client/server current workgroup, which seems unrelated to the
authentication exchange (it was being filled in from the auth info).

This allows in particular kerberos to only call back for passwords
when it actually needs to perform the kinit.

The kerberos code has been modified not to use the SPNEGO provided
'principal name' (in the mechListMIC), but to instead use the name the
host was connected to as.  This better matches Microsoft behaviour,
is more secure and allows better use of standard kerberos functions.

To achieve this, I made changes to our socket code so that the
hostname (before name resolution) is now recorded on the socket.

In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now
in libcli/auth/schannel.c, and it looks much more like a standard
GENSEC module.  The actual sign/seal code moved to
libcli/auth/schannel_sign.c in a previous commit.

The schannel credentails structure is now merged with the rest of the
credentails, as many of the values (username, workstation, domain)
where already present there.  This makes handling this in a generic
manner much easier, as there is no longer a custom entry-point.

The auth_domain module continues to be developed, but is now just as
functional as auth_winbind.  The changes here are consequential to the
schannel changes.

The only removed function at this point is the RPC-LOGIN test
(simulating the load of a WinXP login), which needs much more work to
clean it up (it contains copies of too much code from all over the
torture suite, and I havn't been able to penetrate its 'structure').

Andrew Bartlett
(This used to be commit 2301a4b38a)
2007-10-10 13:11:15 -05:00
Andrew Bartlett
038c4c4c6a r6024: Some of the ordering constraints on the popt callbacks were getting
painful, so don't call lp_*() functions until the post stage (rather
than in the cli_credentails_init(), which is called in the pre stage),
and don't open the secrets.ldb looking for the machine account details
until we actually need them (well after popt is done, and we know we have the other things right).

Set the domain and realm, as well as the account and password for -P
(fetch machine password) operation.

Allow NETLOGON credentials to be stored in this structure - will allow
SCHANNEL to be made more generic.

Clarify why we don't do special checks for NULL pointers, particularly
in the anonymous check (it indicates a programmer error, not a
run-time condition).

Also make lib/credentials.c a little more consistant.

Andrew Bartlett
(This used to be commit 730e6056b7)
2007-10-10 13:11:15 -05:00
Andrew Bartlett
79f6bcd5ae r5988: Fix the -P option (use machine account credentials) to use the Samba4
secrets system, and not the old system from Samba3.

This allowed the code from auth_domain to be shared - we now only
lookup the secrets.ldb in lib/credentials.c.

In order to link the resultant binary, samdb_search() has been moved
from deep inside rpc_server into lib/gendb.c, along with the existing
gendb_search_v().  The vast majority of this patch is the simple
rename that followed,

(Depending on the whole SAMDB for just this function seemed pointless,
and brought in futher dependencies, such as smbencrypt.c).

Andrew Bartlett
(This used to be commit e13c671619)
2007-10-10 13:11:12 -05:00
Jelmer Vernooij
13b0776f60 r5929: Use cli_credentials for the SMB functions as well.
Fix a couple of bugs in the new cli_credentials code
(This used to be commit 4ad481cfe5)
2007-10-10 13:11:09 -05:00
Jelmer Vernooij
05bc2d7b2c r5928: Use cli_credentials in:
- gtk+ (returned by GtkHostBindingDialog as well now)
 - torture/
 - librpc/
 - lib/com/dcom/
(This used to be commit ccefd78233)
2007-10-10 13:11:08 -05:00
Jelmer Vernooij
02075be0bb r5917: First step in using the new cli_credentials structure. This patch
puts support for it into popt_common, adds a few utility functions
(in lib/credentials.c) and the callback functions for the command-line
(lib/cmdline/credentials.c). Comments are welcome :-)
(This used to be commit 1d49b57c50)
2007-10-10 13:11:08 -05:00
Jelmer Vernooij
ef213b0248 r5866: Add InitShutdown IDL and torture test.
Implement push side of NDR_LEN4|NDR_NOTERM strings (pull side was already present)
(This used to be commit ea61ec1122)
2007-10-10 13:11:05 -05:00
Stefan Metzmacher
d7b5a565ef r5828: add some idl for DsAddEntry()
metze
(This used to be commit 3e6ec81128)
2007-10-10 13:11:04 -05:00
Stefan Metzmacher
55546176c6 r5800: fix recursiv printing in ndr_print_DsGetNCChangesInfo1()
metze
(This used to be commit 1084ad4bfc)
2007-10-10 13:11:04 -05:00
Stefan Metzmacher
736797ef7f r5737: add some error codes
metze
(This used to be commit f543eb4ede)
2007-10-10 13:11:01 -05:00
Steve French
020817e152 r5716: Add new Unix extensions defines for infolevels
(This used to be commit 7f6ea98e0f)
2007-10-10 13:11:00 -05:00
Jelmer Vernooij
77ec3f684d r5674: - Re-enable DCOM support.
- Always put IID in vtables (useful for asserts)
- Add table to keep track of DCOM proxy classes
- Bunch of smaller bug fixes
(This used to be commit 26d5a0b92c)
2007-10-10 13:10:59 -05:00
Simo Sorce
b1b14817ea r5585: LDB interfaces change:
changes:
- ldb_wrap disappears from code and become a private structure of db_wrap.c
  thanks to our move to talloc in ldb code, we do not need to expose it anymore

- removal of ldb_close() function form the code
  thanks to our move to talloc in ldb code, we do not need it anymore
  use talloc_free() to close and free an ldb database

- some minor updates to ldb modules code to cope with the change and fix some
  bugs I found out during the process
(This used to be commit d58be9e74b)
2007-10-10 13:10:55 -05:00
Alexander Bokovoy
95bb95715c r5538: Fix typo in comment -- non-existant constant name mentioned
(This used to be commit 1d033d9dba)
2007-10-10 13:10:53 -05:00
Rafal Szczesniak
1bee0173ec r5499: Commit forgotten change what tridge immediately pointed out
in his comments to new rpc composite code.

rafal
(This used to be commit 1294db747e)
2007-10-10 13:10:51 -05:00
Jelmer Vernooij
80d3047333 r5490: The big (D)COM commit! :-) Contains most of the changes described in the
DCOM paper in lorikeet. This is the result of 1.5 months work (mainly
figuring out how things *really* work) at the end of 2004.

In general:
- Clearer distinction between COM and DCOM. DCOM is now merely
  the glue between DCE/RPC+ORPC and COM. COM can also work without
  DCOM now. This makes the code a lot clearer.
- Clearer distinction between NDR and DCOM. Before, NDR had a couple of
  "if"s to cope with DCOM, which are now gone.
- Use "real" arguments rather then structures for function arguments in
  COM, mainly because most of these calls are local so packing/unpacking
  data for every call is too much overhead (both speed- and code-wise)
- Support several mechanisms to load class objects:
  - from memory (e.g. part of the current executable, registered at start-up)
  - from shared object files
  - remotely
- Most things are now also named COM rather then DCOM because that's what it
  really is. After an object is created, it no longer matters whether it
  was created locally or remotely.

There is a very simple example class that contains
both a class factory and a class that implements the IStream interface.
It can be tested (locally only, remotely is broken at the moment)
by running the COM-SIMPLE smbtorture test.

Still to-do:
 - Autogenerate parts of the class implementation code (using the coclass definitions in IDL)
 - Test server-side
 - Implement some of the common classes, add definitions for common interfaces.
(This used to be commit 71fd3e5c3a)
2007-10-10 13:10:50 -05:00
Stefan Metzmacher
6b4cac2c00 r5489: hide handwritten pull/push/print code from the caller
for the spoolss_Enum* functions

metze
(This used to be commit bfcc86e706)
2007-10-10 13:10:50 -05:00
Andrew Tridgell
42d6a4c4f0 r5451: - added separate wrepl_associate(), wrepl_pull_table() and wrepl_pull_names() functions, with reasonable
parameters, so callers don't need to deal directly with wins replication packet structures

- converted the NBT-WINSREPLICATION torture test to use the new APIs
(This used to be commit cec1672662)
2007-10-10 13:10:47 -05:00
Andrew Tridgell
a6878f6c6e r5414: - added libcli/wins/, a basic client library for WINS replication
- added a new IDL type "udlongr", which is like udlong, but with the
  two uint32 halves reversed

- modified the winsrepl.idl to cope with a wider range of packets
(This used to be commit bc8d60c918)
2007-10-10 13:10:43 -05:00
Andrew Tridgell
40d117a893 r5372: fixed the build
(This used to be commit 2899d28945)
2007-10-10 13:09:48 -05:00
Andrew Tridgell
e199f4cef2 r5358: - added initial WINS server code. It passes most of the NBT-WINS test, but doesn't yet
do secure server WACK responses

- added a ldap_string_to_time() function, for converting a LDAP
  formatted time to a time_t
(This used to be commit 9aa3313b3f)
2007-10-10 13:09:45 -05:00
Andrew Bartlett
6f01a68faa r5334: Bah, it's all to hard...
Andrew Bartlett
(This used to be commit a28ca320dc)
2007-10-10 13:09:43 -05:00
Andrew Bartlett
c8ca613e93 r5330: Remove #include <sys/time.h> from includes.h.
Add #include "system/time.h" back (it was removed in some of these
places because the definitions were provided by <sys/time.h> on tridge's
platform.)

Andrew Bartlett
(This used to be commit 34b1da7303)
2007-10-10 13:09:43 -05:00
Andrew Tridgell
a0e6f6c05b r5309: removed ads.h from includes.h
(This used to be commit 196c45b834)
2007-10-10 13:09:40 -05:00
Andrew Tridgell
75ddf59ea1 r5308: trimmed back a lot of the old macros from smb_macros.h
(This used to be commit bf43c9bdcf)
2007-10-10 13:09:40 -05:00
Andrew Tridgell
a5bd1ccada r5307: removed db_wrap.h from includes.h
(This used to be commit 826baec7b3)
2007-10-10 13:09:40 -05:00
Andrew Tridgell
6aa6dce3f7 r5306: removed all the unused mutex functions from mutex.c. When (if?) we
decide to reinstate the mutex code for the threads process model, I'd
like to do it a little differently. At least this gets it out of
includes.h for now.
(This used to be commit cfee0fb02e)
2007-10-10 13:09:40 -05:00
Andrew Tridgell
501379431c r5305: removed libcli/ldap/ldap.h from includes.h
(This used to be commit 0df3fdd817)
2007-10-10 13:09:39 -05:00