1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-17 02:05:21 +03:00

607 Commits

Author SHA1 Message Date
Günther Deschner
83564b43e3 r22800: Add GPO_SID_TOKEN and an LDAP function to get tokensids from the tokenGroup attribute.
Guenther
(This used to be commit e4e8f840605dfdf92ca60cc8fc6a4c85336565fb)
2007-10-10 12:21:59 -05:00
Günther Deschner
75a0171857 r22799: Fix the build.
Guenther
(This used to be commit 6e911c442bf9b076f43f99576f9b588df2c39233)
2007-10-10 12:21:59 -05:00
Günther Deschner
46c5da2fd6 r22798: Add the "apply group policy" access bit (as seen in type 0x05 ALLOWED OBJECT
ACEs).

Guenther
(This used to be commit e138cbc876e50ae25cb15c5109a42bc8b800c1ba)
2007-10-10 12:21:58 -05:00
Günther Deschner
9c170fce26 r22797: We are only interested in the DACL of the security descriptor, so search with
the SD_FLAGS control.

Guenther
(This used to be commit 648df57e53ddabe74052e816b8eba95180736208)
2007-10-10 12:21:57 -05:00
Gerald Carter
3eca3af1bc r22728: Patch from Danilo Almeida <dalmeida@centeris.com>:
When asked to create a machine account in an OU as part
of "net ads join" and the account already exists in another
OU, simply move the machine object to the requested OU.
(This used to be commit 3004cc6e593e6659a618de66f659f579e71c07f7)
2007-10-10 12:21:51 -05:00
Gerald Carter
89fd4444af r22714: Prevent DNS lookup storms when the DNS servers are unreachable.
Helps when transitioning from offline to online mode.

Note that this is a quick hack and a better solution
would be to start the DNS server's state between processes
(similar to the namecache entries).
(This used to be commit 4f05c6fe26f4abd7ca71eac339fee2ef5e254369)
2007-10-10 12:21:49 -05:00
Gerald Carter
8ff276fcb0 r22701: Fix the krb5_nt_status error table and add the "no DCs found" mapping
(This used to be commit 2ab617fbbffbd6bf98ee02150f62b87a2610531f)
2007-10-10 12:21:47 -05:00
Günther Deschner
e468268335 r22666: Expand kerberos_kinit_password_ext() to return NTSTATUS codes and make
winbindd's kerberized pam_auth use that.

Guenther
(This used to be commit 0f436eab5b2e5891c341c27cb22db52a72bf1af7)
2007-10-10 12:19:54 -05:00
Günther Deschner
116c1532e7 r22664: When we have krb5_get_init_creds_opt_get_error() then try to get the NTSTATUS
codes directly out of the krb5_error edata.

Guenther
(This used to be commit dcd902f24a59288bbb7400d59c0afc0c8303ed69)
2007-10-10 12:19:53 -05:00
Günther Deschner
6288491e90 r22663: Restructure kerberos_kinit_password_ext() error path.
Guenther
(This used to be commit 997ded4e3f0dc2199b9a66a9485c919c16fbabc6)
2007-10-10 12:19:53 -05:00
Jeremy Allison
56a5d05b8b r22590: Make TALLOC_ARRAY consistent across all uses.
That should be it....
Jeremy.
(This used to be commit 603233a98bbf65467c8b4f04719d771c70b3b4c9)
2007-10-10 12:19:49 -05:00
Jeremy Allison
be8b0685a5 r22589: Make TALLOC_ARRAY consistent across all uses.
Jeremy.
(This used to be commit 8968808c3b5b0208cbad9ac92eaf948f2c546dd9)
2007-10-10 12:19:49 -05:00
Günther Deschner
1ee9650a1d r22479: Add "net ads keytab list".
Guenther
(This used to be commit 9ec76c542775ae58ff03f42ebfa1acc1a63a1bb1)
2007-10-10 12:19:37 -05:00
Günther Deschner
56f6336fd4 r22460: Adding a generic ads_ranged_search() function.
Guenther
(This used to be commit b8828ea2516876fe5dd76083864418db2f042be0)
2007-10-10 12:19:35 -05:00
Günther Deschner
8040fec0ac r22459: Adding ads_get_dn_from_extended_dn(), in preparation of making ranged LDAP
queries more generic. Michael, feel free to overwrite these and the following.

Guenther
(This used to be commit 0475b8eea99ebb467e52225ad54f4302a77376b9)
2007-10-10 12:19:35 -05:00
Stefan Metzmacher
78c57f59ac r22153: fix LDAP SASL "GSSAPI" bind against w2k3, this isn't critical
because we try "GSS-SPNEGO" first and all windows version support
that.

metze
(This used to be commit 34a5badbded0b2537ee854287931e2a7dc3aeb37)
2007-10-10 12:19:17 -05:00
Jeremy Allison
725fcf3461 r22112: Fix memleak pointed out by Steven Danneman <steven.danneman@isilon.com>.
Jeremy.
(This used to be commit 7c45bd3a47fc2b24c5f1351a241ace2201c857d2)
2007-10-10 12:19:14 -05:00
Stefan Metzmacher
eceb926df9 r22092: - make spnego_parse_auth_response() more generic and
not specific for NTLMSSP
- it's possible that the server sends a mechOID and authdata
  if negResult != SPNEGO_NEG_RESULT_INCOMPLETE, but we still
  force the mechOID to be present if negResult == SPNEGO_NEG_RESULT_INCOMPLETE

metze
(This used to be commit e9f2aa22f90208a5e530ef3b68664151960a0a22)
2007-10-10 12:19:10 -05:00
Jeremy Allison
4899c6b806 r22079: Tsk, tsk, Metze didn't compile before check-in :-).
Merge the memory leak fix (with fix :-) to 3.0.25.
Jeremy.
(This used to be commit ab3150fe4ed2a629eb371db5f43ae09b9c583a64)
2007-10-10 12:19:09 -05:00
Stefan Metzmacher
98c300ab90 r22078: fix memory leak in not often used code, we only use it if the server
doesn't support GSS-SPNEGO in SASL

can someone please review this, maybe it's also for 3.0.25

metze
(This used to be commit 8c6930b7013b185af0530b04a7d5a49bc2ce7831)
2007-10-10 12:19:09 -05:00
Jeremy Allison
9d34ee1c8b r21968: Don't use gss-types in proto headers.
Jeremy.
(This used to be commit 829580414d89ff4aa0f45906e455849c55f508b1)
2007-10-10 12:18:53 -05:00
Jeremy Allison
3adeddcc4a r21967: Add conversion from gss errors to nt status.
Jeremy
(This used to be commit 8ba138efd097b08dcfe98f99b67c77579babf250)
2007-10-10 12:18:53 -05:00
Jeremy Allison
8c395be5e5 r21922: Fixed the build by rather horrid means. I really need
to restructure libsmb/smb_signing.c so it isn't in
the base libs path but lives in libsmb instead (like
smb_seal.c does).
Jeremy.
(This used to be commit 1b828f051d0782201f697de15ff973bd6b097d5b)
2007-10-10 12:18:49 -05:00
Jeremy Allison
42b2ddec8f r21863: Fix debug messages with incorrect function name.
Jeremy.
(This used to be commit d432d81c8321a4444b970169a5c7c3c5709de8e5)
2007-10-10 12:18:39 -05:00
Günther Deschner
b067d986b4 r21855: Fix a memleak in the krb5 locator and comment out gfree_all() which doesn't
make sense as long as it doesn't work as an lp_unload().

Guenther
(This used to be commit 128ea9bebbb215e41d2f0576e1a73c6a362b7467)
2007-10-10 12:18:38 -05:00
Jeremy Allison
b74cb6740f r21850: After Jerry explained to me the HORRIBLE way in which
the MIT gss libraries *SUCK*, move the frees to the end
of the function so MIT doesn't segfault.....
Add a comment so that another engineer knows why I did
this.
Jeremy.
(This used to be commit 1a2be06d4a1131952a97f94b05ae69b1dce4c300)
2007-10-10 12:18:38 -05:00
Jeremy Allison
7d77dd9db6 r21847: Fix memory leaks in error paths (and in main code path in one case...)
in sasl bind. Wonder why coverity didn't find these ?
Jeremy.
(This used to be commit 89bdd30e4b2bb9dbc2ab57c54be8c6d01cae5a26)
2007-10-10 12:18:37 -05:00
Jeremy Allison
edccfc9192 r21845: Refactor the sessionsetupX code a little to allow us
to return a NT_STATUS_TIME_DIFFERENCE_AT_DC error to
a client when there's clock skew. Will help people
debug this. Prepare us for being able to return the
correct sessionsetupX "NT_STATUS_MORE_PROCESSING_REQUIRED"
error with associated krb5 clock skew error to allow
clients to re-sync time with us when we're eventually
able to be a KDC.
Jeremy.
(This used to be commit c426340fc79a6b446033433b8de599130adffe28)
2007-10-10 12:18:37 -05:00
Volker Lendecke
f56da0890f r21831: Back out r21823 for a while, this is going into a bzr tree first.
Volker
(This used to be commit fd0ee6722ddfcb64b5cc9c699375524ae3d8709b)
2007-10-10 12:18:37 -05:00
Volker Lendecke
aa6055debd r21823: Let secrets_store_machine_password() also store the account name. Not used
yet, the next step will be a secrets_fetch_machine_account() function that
also pulls the account name to be used in the appropriate places.

Volker
(This used to be commit f94e5af72e282f70ca5454cdf3aed510b747eb93)
2007-10-10 12:18:36 -05:00
Günther Deschner
0e702698f9 r21822: Adding experimental krb5 lib locator plugin.
This is a starting point and may get changed. Basically we need follow the
exact same path to detect (K)DCs like other Samba tools/winbind do. In
particular with regard to the server affinity cache and the site-awarness for
DNS SRV lookups.

To compile just call "make bin/smb_krb5_locator.so", copy to
/usr/lib/plugin/krb5/ (Heimdal HEAD) or /usr/lib/krb5/plugins/libkrb5/ (MIT)
and you should immediately be able to kinit to your AD domain without having
your REALM with kdc or kpasswd directives defined in /etc/krb5.conf at all.

Tested with todays Heimdal HEAD and MIT krb5 1.5.

Guenther
(This used to be commit 34ae610bd5b9fd1210f16beac07a1c5984144ca7)
2007-10-10 12:18:36 -05:00
James Peach
98e58694ee r21779: I missd a call to krb5_get_init_creds_opt_alloc in r21778.
(This used to be commit 4f6c2826aa1ac240b02122a40fe9a1ccabaaaf27)
2007-10-10 12:18:32 -05:00
James Peach
3adeb42742 r21778: Wrap calls to krb5_get_init_creds_opt_free to handle the different
calling convention in the latest MIT changes.  Apparantly Heimdal
is also changing to this calling convention.
(This used to be commit c29c69d2df377fabb88a78e6f5237de106d5c2c5)
2007-10-10 12:18:32 -05:00
Jeremy Allison
aab1dd4ddb r21755: Memory leak fixes from Zack Kirsch <zack.kirsch@isilon.com>.
Jeremy.
(This used to be commit 02d08ca0be8c374e30c3c0e665853fa9e57f043a)
2007-10-10 12:18:28 -05:00
Jeremy Allison
fae01b4899 r21608: Fix a couple of memleaks in error code paths before
Coverity finds them :-)
Jeremy.
(This used to be commit cbe725f1b09f3d0edbdf823e0862edf21e16d336)
2007-10-10 12:18:16 -05:00
Simo Sorce
e9e6af5951 r21606: Implement escaping function for ldap RDN values
Fix escaping of DN components and filters around the code
Add some notes to commandline help messages about how to pass DNs

revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was
incorrect.
The 2 functions use DNs in different ways.

- lookup_usergroups_member() uses the DN in a search filter,
and must use the filter escaping function to escape it
Escaping filters that include escaped DNs ("\," becomes "\5c,") is the
correct way to do it (tested against W2k3).

- lookup_usergroups_memberof() instead uses the DN ultimately as a base dn.
Both functions do NOT need any DN escaping function as DNs can't be reliably
escaped when in a string form, intead each single RDN value must be escaped
separately.

DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as
they come already escaped on the wire and passed as is by the ldap libraries

DN filtering has been tested.
For example now it is possible to do something like:
'net ads add user joe#5' as now the '#' character is correctly escaped when
building the DN, previously such a call failed with Invalid DN Syntax.

Simo.
(This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-10-10 12:18:16 -05:00
Günther Deschner
81e4a28718 r21561: It makes absolutely no sense to call krb5_kt_resolve() two times
directly after another.

Guenther
(This used to be commit 76ba11d7770bac7c6db2eb1640139bbe270d82c3)
2007-10-10 12:18:13 -05:00
Günther Deschner
4e00351fd4 r21558: Safe more indent, again no code changes.
Guenther
(This used to be commit 7b18a4730d61c04867fc11df8980943d422589d8)
2007-10-10 12:18:13 -05:00
Günther Deschner
59e8bd617b r21557: indent only fix. No code change.
Guenther
(This used to be commit 8ff0903a17cfd8c09b73ef637484a72719e82071)
2007-10-10 12:18:13 -05:00
Günther Deschner
3e946cbb85 r21556: Remove superfluos return check in ads_keytab_verify_ticket().
Guenther
(This used to be commit 020601ea0abeb15f2aef9da354fcf6d7d5459710)
2007-10-10 12:18:13 -05:00
Günther Deschner
5aa3b27949 r21352: Let ads_upn_suffixes() return a pointer to an array of suffixes.
Guenther
(This used to be commit 7ad7847e5bbdd90fa6ae9ce91e5962f524ac2890)
2007-10-10 12:17:57 -05:00
Günther Deschner
08726ffcd4 r21349: Fix memleak in ads_upn_suffixes().
Guenther
(This used to be commit 8462f323cf86f90b1bdf14a3953c5a4bda1b9533)
2007-10-10 12:17:57 -05:00
Gerald Carter
763a553046 r21273: * Protect the sasl bind against a NULL principal string
in the SPNEGO negTokenInit
(This used to be commit fe70c224964bf15d626bfd4e0cc6d060e45bba87)
2007-10-10 12:17:53 -05:00
Günther Deschner
69cee2a3ec r21240: Fix longstanding Bug .
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".

Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).

Guenther
(This used to be commit 7e1a84b7226fb8dcd5d34c64a3478a6d886a9a91)
2007-10-10 12:17:50 -05:00
Günther Deschner
aad88ee34f r21238: Fix tab indent in self-written krb5.confs.
Guenther
(This used to be commit 4df582fa1049afe96bbee7e8cab93cfa82208ba3)
2007-10-10 12:17:50 -05:00
Günther Deschner
1898eaddb8 r21110: Fix kinit with Heimdal (Bug ).
Guenther
(This used to be commit ea38e1f8362d75e7ac058a7c4aa06f1ca92ec108)
2007-10-10 12:17:38 -05:00
Gerald Carter
594ab518a5 r21046: Backing out svn r20403 (Andrew's krb5 ticket cleanup
as this is causing the WRONG_PASSWORD error in the SetUserInfo()
call during net ads join).

We are now back to always list RC4-HMAC first if supported by
the krb5 libraries.
(This used to be commit 4fb57bce87588ac4898588ea4988eadff3a7f435)
2007-10-10 12:17:29 -05:00
Günther Deschner
8751923635 r21021: Fix memleak.
Guenther
(This used to be commit 4e622572eb7939c6aa8e99fd9595bf28836bd5a3)
2007-10-10 12:17:28 -05:00
Günther Deschner
4b147350b8 r21003: Display LDAP base in debug statement.
Guenther
(This used to be commit fb5830f87a16dbec16893348080bcdfc61e27ab0)
2007-10-10 12:17:25 -05:00
Gerald Carter
b9b26be174 r20986: Commit the prototype of the nss_info plugin interface.
This allows a provider to supply the homedirectory, etc...
attributes for a user without requiring support in core
winbindd code.  The idmap_ad.c module has been modified
to provide the idmap 'ad' library as well as the rfc2307 and sfu
"winbind nss info" support.

The SID/id mapping is working in idmap_ad but the nss_info
still has a few quirks that I'm in the process of resolving.
(This used to be commit aaec0115e2c96935499052d9a637a20c6445986e)
2007-10-10 12:17:23 -05:00