1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-17 02:05:21 +03:00

644 Commits

Author SHA1 Message Date
Volker Lendecke
301d51e13a r13494: Merge the stuff I've done in head the last days.
Volker
(This used to be commit bb40e544de68f01a6e774753f508e69373b39899)
2007-10-10 11:10:06 -05:00
Gerald Carter
75ef18fa75 r13460: by popular demand....
* remove pdb_context data structure
* set default group for DOMAIN_RID_GUEST user as RID 513 (just
  like Windows)
* Allow RID 513 to resolve to always resolve to a name
* Remove auto mapping of guest account primary group given the
  previous 2 changes
(This used to be commit 7a2da5f0cc05c1920c664c9a690a23bdf854e285)
2007-10-10 11:10:04 -05:00
Gerald Carter
f351b9c6eb r13382: added server affinity cache stores for 'net rpc join' and trusted domain code
(This used to be commit 9eb743584d32cdb67e0512ac915c34565bce1c01)
2007-10-10 11:09:57 -05:00
Gerald Carter
0af1500fc0 r13316: Let the carnage begin....
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10 11:06:23 -05:00
Jeremy Allison
5a4881bf39 r12522: Try and fix bug #2926 by removing setlocale(LC_ALL, "C")
and replace calls to isupper/islower/toupper/tolower with
ASCII equivalents (mapping into _w variants).
Jeremy.
(This used to be commit c2752347eb2deeb2798c580ec7fc751a847717e9)
2007-10-10 11:05:58 -05:00
Volker Lendecke
28fb5b6f97 r12313: Introduce yet another copy of the string_sub function:
talloc_string_sub. Someone with time on his hands could convert all the
callers of all_string_sub to this.

realloc_string_sub is *only* called from within substitute.c, it could be
moved there I think.

Volker
(This used to be commit be6c9012da174d5d5116e5172a53bbe6486d6c38)
2007-10-10 11:05:53 -05:00
Jeremy Allison
10b5609a14 r12279: unix_mask_match has been broken for *ever*... (How).
Ensure it returns a BOOL.
Jerry (and anyone else) please check this, I think
all uses are now correct but could do with another
set of eyes. Essential for 3.0.21 release.
Jeremy.
(This used to be commit 0c7b8a7637e760fcb6629092f36b610b8c71f5c9)
2007-10-10 11:05:51 -05:00
Gerald Carter
143103954c r12174: Simple patch to work around the current lack of BUILTIN
nested group support.  Always add the BUILTIN\Administrators
SID to a Domain Admins token.

This solves the extra steps of establishing a group map for
the local Administrators SID in order to control services.
Windows also tends to expect the Administrators group to be
usable when setting up security permissions on shares.

Volker's work will probably fix this long term, but this
gets us past some of the setup hurdles for 3.0.21.
(This used to be commit 170b6a68bcbd66bae322c5b1b8c8501ca96acab2)
2007-10-10 11:05:48 -05:00
Volker Lendecke
05ac2de0df r12051: Merge across the lookup_name and lookup_sid work. Lets see how the build farm
reacts :-)

Volker
(This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7)
2007-10-10 11:05:43 -05:00
Volker Lendecke
5cc200ae55 r11916: auth_get_sam_account is only used in auth_rhosts.c -- move it there
(This used to be commit 8e5bea3f84c61ea312278cbbb70542664be7bd14)
2007-10-10 11:05:35 -05:00
Jim McDonough
43600a1d58 r11886: Fix 3187: logon hours restrictions were off corresponding to our offset from
GMT.  Use gmtime() instead of localtime() in the calc, but still use
localtime() in displaying it.
(This used to be commit 9b34f2d0f4bfc623eaec9c1334e34fa3965ba25b)
2007-10-10 11:05:33 -05:00
Gerald Carter
a4d729bdfa r11661: Store the INFO3 in the PAC data into the netsamlogon_cache.
Also remove the mem_ctx from the netsamlogon_cache_store() API.

Guenther, what should we be doing with the other fields in
the PAC_LOGON_INFO?
(This used to be commit 8bead2d2825015fe41ba7d7401a12c06c29ea7f7)
2007-10-10 11:05:23 -05:00
Gerald Carter
ce0a1fa159 r11652: Reinstate the netsamlogon_cache in order to work
around failed query_user calls.  This fixes
logons to a member of a Samba domain as a user from a
trusted AD domain.

As per comments on samba-technical, I still need to add

(a) cache the PAC info as werll as NTLM net_user_info_3
(b) expire the cache when the SMB session goes away

Both Jeremy and Guenther have signed off on the idea.
(This used to be commit 0c2bb5ba7b92d9210e7fa9f7b70aa67dfe9faaf4)
2007-10-10 11:05:23 -05:00
Jeremy Allison
fcceedd67c r11573: Adding Andrew Bartlett's patch to make machine account
logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes
the auth module interface to 2 (from 1). The effect of this is
that clients can access resources as a machine account if they
set these flags. This is the same as Windows (think of a VPN
where the vpn client authenticates itself to a VPN server
using machine account credentials - the vpn server checks
that the machine password was valid by performing a machine
account check with the PDC in the same was as it would a
user account check. I may add in a restriction (parameter)
to allow this behaviour to be turned off (as it was previously).
That may be on by default.
Andrew Bartlett please review this change carefully.
Jeremy.
(This used to be commit d1caef866326346fb191f8129d13d98379f18cd8)
2007-10-10 11:05:20 -05:00
Jeremy Allison
5678e4abb0 r11492: Fix bug #3224 (I hope). Correctly use machine_account_name
and client_name when doing netlogon credential setup.
Jeremy.
(This used to be commit 37e6ef9389041f58eada167239fd022f01c5fecb)
2007-10-10 11:05:18 -05:00
Jeremy Allison
8d7c886671 r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4
x86_64 box.
Jeremy.
(This used to be commit d720867a788c735e56d53d63265255830ec21208)
2007-10-10 11:05:02 -05:00
Gerald Carter
54abd2aa66 r10656: BIG merge from trunk. Features not copied over
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10 11:04:48 -05:00
Jeremy Allison
418e92d06d r10234: Add new auth module "auth_script" to allow valid users to
be provisioned on demand - calls script with domain,
username, challenge and LM and NT responses - passing
the info through a pipe.
Jeremy.
(This used to be commit 67be4ee41cd244bcc0445cac7c9e1e2d40e93c9b)
2007-10-10 11:03:38 -05:00
Gerald Carter
dab71bed4e r9588: remove netsamlogon_cache interface...everything seems to work fine. Will deal with any fallout from special environments using a non-cache solution
(This used to be commit e1de6f238f3981d81e49fb41919fdce4f07c8280)
2007-10-10 11:03:22 -05:00
Jeremy Allison
2ab5b8594e r9252: 2 type fixes from Luke Mewburn <lukem@NetBSD.org>. Bugid #2934.
Jeremy.
(This used to be commit c63ad85b8c1aedd04a65e46c27a6e2661093847a)
2007-10-10 11:00:29 -05:00
Volker Lendecke
e9c7079afe r8889: Another warning
(This used to be commit 9ae1098d211f5e687786abb8474b1c4210413f0f)
2007-10-10 11:00:19 -05:00
Jim McDonough
e7c48884a5 r8432: Fix #2077 - login to trusted domain doesn't allow home drive map and login
scripts to be executed.

We were filling in our name as the server which processed the login, even
when it was done by a trusted DC.

Thanks to John Janosik <jpjanosi@us.ibm.com> for the fix.
(This used to be commit 0446319a3b8096df385978449ffaa231bc5cfd0c)
2007-10-10 11:00:05 -05:00
Jeremy Allison
a8961434c0 r7956: Spelling mistake.
Jeremy.
(This used to be commit f318c371077f28ace52f7d2b1517df0d15a0f05a)
2007-10-10 10:58:04 -05:00
Jeremy Allison
19ca97a70f r7882: Looks like a large patch - but what it actually does is make Samba
safe for using our headers and linking with C++ modules. Stops us
from using C++ reserved keywords in our code.
Jeremy
(This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a)
2007-10-10 10:58:00 -05:00
Gerald Carter
958624a9fc r7450: fix my bone head mistake with ntlm authentcation and 'map to guest = bad uid'; make sure the authentication suceeds
(This used to be commit 5de1ffce2f2a0a340f6591939b8f63a3d96a627e)
2007-10-10 10:57:09 -05:00
Gerald Carter
377f947930 r7395: * new feature 'map to guest = bad uid' (based on patch from
aruna.prabakar@hp.com).

This re-enables the Samba 2.2 behavior where a user that was
successfully authenticated by a remote DC would be mapped
to the guest account if there was not existing UNIX account
for that user and we could not create one.
(This used to be commit b7455fbf81f4e47c087c861f70d492a328730a9b)
2007-10-10 10:57:08 -05:00
Gerald Carter
b279ee16e9 r7372: abartet's patch for BUG 2391 (segv caused by free a static pointer)
(This used to be commit 4cda2bd035276bd090bf0fbd4e3b2eff657a80cb)
2007-10-10 10:57:06 -05:00
Volker Lendecke
5084d49052 r7243: Don't look at gencache.tdb for the trusted domains if winbind is around.
Volker
(This used to be commit 94acb93f57b963bf137c6ddd644a147f4d0b5175)
2007-10-10 10:57:05 -05:00
Gerald Carter
450e8d5749 r7130: remove 'winbind enable local accounts' code from the 3.0 tree
(This used to be commit 318c3db4cb1c85be40b2f812f781bcf5f1da5c19)
2007-10-10 10:57:01 -05:00
Gerald Carter
cc6df2e9cf r7024: reverting mistaken commit
(This used to be commit c70c5c4ee9b14fbdb174f542607aceebe0e88470)
2007-10-10 10:57:00 -05:00
Gerald Carter
af52df2f1f r7020: fixing printer ace values and getting rid of false compiler warning about unitialized variable
(This used to be commit 3a91b20e4bcc78c91932e6c4394b3f6f153b2ff5)
2007-10-10 10:57:00 -05:00
Volker Lendecke
2e0cac8e3e r6445: Make us survive the PARANOID_MALLOC_CHECKER. Should we enable that for
--enable-developer=yes?

Volker
(This used to be commit 61d40ac60dd9c8c9bbcf92e4fc57fe1d706bc721)
2007-10-10 10:56:41 -05:00
Volker Lendecke
83e11ba86c r6263: Get rid of generate_wellknown_sids, they are const static and initializable
statically.

Volker
(This used to be commit 3493d9f383567d286e69c0e60c0708ed400a04d9)
2007-10-10 10:56:33 -05:00
Herb Lewis
978ca84860 r6225: get rid of warnings from my compiler about nested externs
(This used to be commit efea76ac71412f8622cd233912309e91b9ea52da)
2007-10-10 10:56:30 -05:00
Jeremy Allison
a5f84481e3 r5655: Added support for Novell NDS universal password. Code donated by
Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to
use Samba conventions.
Vince - thanks a *lot* for this code - please test to make sure
I haven't messed anything up.
Jeremy.
(This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2007-10-10 10:55:54 -05:00
Volker Lendecke
140752fd35 r5647: Caches are good for performance, but you get a consistency problem.
Fix bug # 2401.

Volker
(This used to be commit eb4ef94f244d28fe531d0b9f724a66ed3834b687)
2007-10-10 10:55:53 -05:00
Gerald Carter
c7a00987e3 r5562: * bump version to 3.0.12pre2
* change special character in gd's valid workstation
  check to a '+' to be more in line with the characters
  used by valid users
(This used to be commit 8bff0486508b9952c192345302b9313ac0b2270e)
2007-10-10 10:55:47 -05:00
Günther Deschner
051d9d7894 r5528: Expand the invalid-workstation-scheme. Workstation-Names with leading
'@'-sign are expanded on-the-fly as posix-groups of workstations. This
allows optional, more flexible login-control in larger networks.

Guenther
(This used to be commit 8f143b6800e0b6964c8ba4ba9607dc74da12ae59)
2007-10-10 10:55:45 -05:00
Gerald Carter
732f09990f r5431: couple of cimpile fixes from Jason Mader <jason@ncac.gwu.edu> -- BUGS 2341 & 2342
(This used to be commit 0edcfc7fa20fd8e3273b29c8f1a97cb7c7179fb6)
2007-10-10 10:55:40 -05:00
Gerald Carter
467da937c7 r5385: when operating in security = domain, allow domain admins to manage rigths assignments
(This used to be commit fec9cb7daa9b780aab019c0e0d7f2692c168019f)
2007-10-10 10:55:39 -05:00
Volker Lendecke
aa9132cc55 r5331: Support SIDs as %s replacements in the afs username map parameter.
Add 'log nt token command' parameter. If set, %s is replaced with the user
sid, and %t takes all the group sids.

Volker
(This used to be commit e7dc9fde45c750013ad07f584599dd51f8eb8a54)
2007-10-10 10:55:37 -05:00
Günther Deschner
5f54cc9bd3 r5264: Log with loglevel 0 when account-administration scripts fail.
Guenther
(This used to be commit 3d391ef149639750db376b05528a27422f8a3321)
2007-10-10 10:55:35 -05:00
Günther Deschner
9b1e5a7118 r4972: Fix a warning and some debugging-outputs.
Guenther
(This used to be commit 1eabfa050b661168b42892c2d841c7891e59cf5f)
2007-10-10 10:55:10 -05:00
Gerald Carter
46e5effea9 r4805: Last planned change to the privileges infrastructure:
* rewrote the tdb layout of privilege records in account_pol.tdb
  (allow for 128 bits instead of 32 bit flags)
* migrated to using SE_PRIV structure instead of the PRIVILEGE_SET
  structure.  The latter is now used for parsing routines mainly.

Still need to incorporate some client support into 'net' so
for setting privileges.  And make use of the SeAddUserPrivilege
right.
(This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2007-10-10 10:53:55 -05:00
Gerald Carter
d94d87472c r4724: Add support for Windows privileges in Samba 3.0
(based on Simo's code in trunk).  Rewritten with the
following changes:

* privilege set is based on a 32-bit mask instead of strings
  (plans are to extend this to a 64 or 128-bit mask before
   the next 3.0.11preX release).
* Remove the privilege code from the passdb API
  (replication to come later)
* Only support the minimum amount of privileges that make
  sense.
* Rewrite the domain join checks to use the SeMachineAccountPrivilege
  instead of the 'is a member of "Domain Admins"?' check that started
  all this.

Still todo:

* Utilize the SePrintOperatorPrivilege in addition to the 'printer admin'
  parameter
* Utilize the SeAddUserPrivilege for adding users and groups
* Fix some of the hard coded _lsa_*() calls
* Start work on enough of SAM replication to get privileges from one
  Samba DC to another.
* Come up with some management tool for manipultaing privileges
  instead of user manager since it is buggy when run on a 2k client
  (haven't tried xp).  Works ok on NT4.
(This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2007-10-10 10:53:51 -05:00
Gerald Carter
be606e8eeb r4579: small changes to allow the members og the Domain Admins group on the Samba DC to join clients to the domain -- needs more testing and security review but does work with initial testing
(This used to be commit 9ade9bf49c7125fb29658f943e9ebb6be9496180)
2007-10-10 10:53:48 -05:00
Günther Deschner
992ad28485 r4286: Give back 8 byte lm_session_key in Netrsamlogon-reply.
The old #ifdef JRATEST-block was copying 16 bytes and thus overwriting
acct_flags with bizarre values, breaking a lot of things.

This patch is successfully running in a production environment for quite
some time now and is required to finally allow Exchange 5.5 to access
another Exchange Server when both are running on NT4 in a
samba-controlled domain. This also allows Exchange Replication to take
place, Exchange Administrator to access other Servers in the network,
etc. Fixes Bugzilla #1136.

Thanks abartlet for helping me with that one.

Guenther
(This used to be commit bd4c5125d6989cebc90152a23e113b345806c660)
2007-10-10 10:53:41 -05:00
Jeremy Allison
54fdd5c7dc r4236: More *alloc fixes.
Jeremy.
(This used to be commit 6b25a6e088390d33314ca69c8f17c869cec3904b)
2007-10-10 10:53:39 -05:00
Jeremy Allison
acf9d61421 r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10 10:53:32 -05:00
Volker Lendecke
f9e87b9ba6 r3705: Nobody has commented, so I'll take this as an ack...
abartlet, I'd like to ask you to take a severe look at this!

We have solved the problem to find the global groups a user is in twice: Once
in auth_util.c and another time for the corresponding samr call. The attached
patch unifies these and sends them through the passdb backend (new function
pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further
optimize the corresponding call if the samba and posix accounts are unified by
issuing a specialized ldap query.

The parameter to activate this ldapsam behaviour is

ldapsam:trusted = yes

Volker
(This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2007-10-10 10:53:15 -05:00