mirror of https://github.com/samba-team/samba.git synced 2025-01-14 19:24:43 +03:00

55520 Commits

Author SHA1 Message Date
Günther Deschner
360868b6e8 s3-schannel: remove remaining code that was using "struct dcinfo".
Guenther
2009-08-27 15:55:20 +02:00
Günther Deschner
a3c6e02748 s3-credentials: remove unused code.
Guenther
2009-08-27 15:55:20 +02:00
Günther Deschner
b089506136 s3-schannel: upgrade old format schannel_store.tdb.
Guenther
2009-08-27 15:55:20 +02:00
Günther Deschner
21a93c2ddc s3-netlogon: use shared credential and schannel storage infrastructure for netlogon server.
Guenther
2009-08-27 15:55:19 +02:00
Günther Deschner
2d8157fb9e s3-netlogon: add netr_creds_server_step_check() convenience wrapper.
Guenther
2009-08-27 15:55:19 +02:00
Günther Deschner
a09b627ecc s3-schannel: add simple wrappers to fetch and store schannel auth info.
Guenther
2009-08-27 15:55:19 +02:00
Günther Deschner
7c972d83d2 s3-schannel: make open_schannel_session_store() public.
Guenther
2009-08-27 15:55:19 +02:00
Günther Deschner
04310cc1c5 libcli/auth: add tdb backend for schannel state.
Guenther
2009-08-27 15:55:19 +02:00
Günther Deschner
699266920b libcli/auth: move netlogon_creds_CredentialState out of libcli.
Guenther
2009-08-27 15:55:18 +02:00
Günther Deschner
5a15778848 schannel: add netlogon_creds_CredentialState to IDL.
Guenther
2009-08-27 15:55:18 +02:00
Günther Deschner
17d3800e92 s4-schannel: add ldb suffix to schannel functions.
Guenther
2009-08-27 15:55:18 +02:00
Günther Deschner
a18d6839ac libcli/auth: rename schannel_state.c to schannel_state_ldb.c.
Guenther
2009-08-27 15:55:18 +02:00
Günther Deschner
5981272598 s3-build: add SCHANNEL_OBJ to Makefile.in.
Guenther
2009-08-27 15:55:18 +02:00
Volker Lendecke
1d8d3fd7c3 s3:winbind: Convert WINBINDD_GETUSERSIDS to the new API 2009-08-27 15:04:09 +02:00
Volker Lendecke
5a1240deac s3:winbind: Fix a typo 2009-08-27 15:04:09 +02:00
Volker Lendecke
c4a95f900a s3:winbind: Remove the manual caching for the async wb_ functions
The generic NDR-based cache in winbindd_dual_ndr.c replaces this.
2009-08-27 15:04:09 +02:00
Volker Lendecke
94948f7a40 s3:winbind: Some calls are not cacheable 2009-08-27 15:04:09 +02:00
Volker Lendecke
2f16bf5445 s3:winbind: Factor out wcache_store_seqnum() 2009-08-27 15:04:09 +02:00
Volker Lendecke
f3d71d3e8c s3:winbind: Add a generic cache for NDR based parent-child requests 2009-08-27 15:04:09 +02:00
Volker Lendecke
3532c8b9d8 s3:winbind: Factor out wcache_fetch_seqnum 2009-08-27 15:04:09 +02:00
Günther Deschner
3f0c8772f1 s4-smbtorture: do not hard code BDC secure channel type into RPC-NETLOGON tests.
Guenther
2009-08-27 13:41:50 +02:00
Günther Deschner
d368c73f95 s4-smbtorture: add test_SetPassword_flags to RPC-NETLOGON-S3 testsuite.
Guenther
2009-08-27 13:41:02 +02:00
Andrew Bartlett
160c197b84 s4:python Add helper to get at the domain SID 2009-08-27 19:40:21 +10:00
Steven Danneman
6c55518d47 s3/smbd: open the share_info.tdb on startup instead of tconx
This is a small performance optimization.  Instead of opening the tdb
on every smb connection in the forked child process, we now open it in
the parent and share the fd.

This also reduces the total fd usage in the system.
2009-08-26 16:34:10 -07:00
Steven Danneman
bc4b253b2c s3/debug: make SPENGO OID list appear under one debug header 2009-08-26 16:34:09 -07:00
Steven Danneman
5469866242 s3/winbindd: Remove unnecessary check for NULL SID
There's a known bug in some Windows implementations of
DsEnumerateDomainTrusts() where domain SIDs are not returned for
transitively trusted domains within the same forest.

Jerry originally worked around this in the winbindd parent by checking
for S-0-0 and converting it to S-1-0 in 8b0fce0b.  Guenter later moved
these checks into the child process in commit 3bdfcbac making the
initial patch unnecessary.

I've removed it and added a clarifying comment to the child process.

If ever this SID is needed we could add an extra DsEnumerateDomainTrusts()
call in trusted_domains() as suggested by the Microsoft KB.
2009-08-26 16:34:09 -07:00
Günther Deschner
32f9d20dff s3-selftest: enable running RPC-NETLOGON-S3 against samba3.
Guenther
2009-08-26 23:04:22 +02:00
Günther Deschner
46184692ad s4-smbtorture: add RPC-NETLOGON-S3 to test samba3 netlogon server.
Guenther
2009-08-26 23:04:18 +02:00
tprouty
17829cbc82 s3 onefs: Canonicalize the ACL in the correct order 2009-08-26 10:41:55 -07:00
tprouty
3ad9d108a7 s3: Allow full_audit to play nice with smbd if it's using syslog
Explicitly pass the facility from both smbd and full_audit to syslog.
Really the only major change is to not call openlog() in full_audit if
WITH_SYSLOG is defined, which implies that smbd is already using
syslog.  This allows full audit to piggy-back on the same ident as
smbd, while still differentiating the logging via the facility.
2009-08-26 10:41:54 -07:00
tprouty
22ee1cd7db s3 audit: Change create_file in full_audit to print whether a directory or file was requested
full_audit will now print out whether the createfile was requested for
a file or directory.  The create disposition is also printed out.
2009-08-26 10:41:54 -07:00
Volker Lendecke
d49ab9226f s3:winbind: Fix Coverity ID 942: Resource Leak 2009-08-26 18:20:06 +02:00
Stefan Metzmacher
f2fa9e6246 s4:heimdal_build: lib/hcrypto/evp-aes-cts.o belongs to HEIMDAL_HCRYPTO
metze
2009-08-26 16:32:48 +02:00
Günther Deschner
2cbacd5e10 s3-netlogon: let get_md4pw() return a struct dom_sid.
Guenther
2009-08-26 15:45:09 +02:00
Günther Deschner
9930a12cf5 schannel: add generated files.
Guenther
2009-08-26 15:43:11 +02:00
Günther Deschner
aabe577396 schannel: move schannel.idl to main directory.
Guenther
2009-08-26 15:43:05 +02:00
Günther Deschner
91ef692d7d netlogon: make netr_NegotiateFlags a public bitmap.
Guenther
2009-08-26 15:42:57 +02:00
Volker Lendecke
b824b1b7bf Add a parameter to disable the automatic creation of krb5.conf files
This is necessary because MIT 1.5 can't deal with certain types (Tree Root) of
transitive AD trusts. The workaround is to add a [capaths] directive to
/etc/krb5.conf, which we don't automatically put into the krb5.conf winbind
creates.

The alternative would have been something like a "krb5 conf include", but I
think if someone has to mess with /etc/krb5.conf at this level, it should be
easy to add the site-local KDCs as well.

Next alternative is to correctly figure out the [capaths] parameter for all
trusted domains, but for that I don't have the time right now. Sorry :-)
2009-08-26 15:28:06 +02:00
Jeff Layton
da99e3a724 cifs.upcall: make using ip address conditional on new option
Igor Mammedov pointed out that reverse resolving an IP address to get
the hostname portion of a principal could open a possible attack
vector. If an attacker were to gain control of DNS, then he could
redirect the mount to a server of his choosing, and fix the reverse
resolution to point to a hostname of his choosing (one where he has
the key for the corresponding cifs/ or host/ principal).

That said, we often trust DNS for other reasons and it can be useful
to do so. Make the code that allows trusting DNS to be enabled by
adding --trust-dns to the cifs.upcall invocation.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-26 06:26:02 -04:00
Jeff Layton
3544e685ad cifs.upcall: switch to getopt_long
...to allow long option names.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
2009-08-26 06:15:42 -04:00
Andrew Bartlett
1a97bd915d s4:provision Ensure that @OPTIONS is mirrored into each partition
The previous patches to the provision system cut down on the number of
reconnects, and disabled the partition handling for part of the
process.  This means we lost the setting of @OPTIONS as a replicated
attribute into the partitions.

Andrew Bartlett
2009-08-26 17:37:01 +10:00
Andrew Bartlett
425386ff61 s4:ldb Add ldb_ldif_write_string() and python wrappers
This allows us to turn a python LdbMessage back into a string.

Andrew Bartlett
2009-08-26 15:59:00 +10:00
Andrew Bartlett
3ed33813bb s4:ldb Add hooks to get/set the flags on a ldb_message_element
Also add tests to prove that we got this correct, and correct the
existing tests which used the wrong constants.

Andrew Bartlett
2009-08-26 15:07:50 +10:00
Andrew Bartlett
74218726e8 s4:schema Rework dsdb_write_prefixes_from_schema_to_ldb() to use talloc
This changes dsdb_write_prefixes_from_schema_to_ldb() to use an
internal talloc hierarchy, so we can safely give it a NULL context from
the python.

It also fixes manual construction of the ldb_message - we now use the
right helper functions.

Andrew Bartlett
2009-08-26 13:49:10 +10:00
Andrew Bartlett
a1da91174b s4:provison Add prefixes to ldb using same code a later modify will use
This allows us to test out the code that will do the modify of the
prefixMap, and to provide the bindings that may assist a future
upgrade script.

Andrew Bartlett
2009-08-26 13:49:10 +10:00
Andrew Bartlett
b9ec6bb1eb s4:provision Only create references to our server DN after the self join
This will ensure that the GUID can be filled in correctly, and assist
us to validate DN targets in the future.

Andrew Bartlett
2009-08-26 13:48:35 +10:00
Andrew Bartlett
a52e7a2c65 s4:scheam quiet a 'const' warning 2009-08-26 12:32:47 +10:00
Andrew Bartlett
7e54b5e568 s4:dsdb Rework dsdb_write_prefixes_to_ldb() to take a schema
The aim is to create a function that is more easily wrapped for
python, so that we can write the updated prefixMap in an upgrade
script.

Andrew Bartlett
2009-08-26 12:29:45 +10:00
Andrew Bartlett
cda99a202d s4:dsdb Use helper function to add 'show deleted' control
This revises tridge's commit 61ca4c491e1c13eb7d97847f743b0f540f1117c4
to use ldb_request_add_control() instead of a manual construction.

Andrew Bartlett
2009-08-26 11:10:51 +10:00
Günther Deschner
a77b036f3b s3-netlogon: fix default case when _netr_LogonSamLogon is called from other opcodes.
Guenther
2009-08-26 01:06:36 +02:00