IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Authentication of domain users on the member server fails when winbindd
is not running. This is because the is_trusted_domain() check behaves
differently when winbindd is running and when it isn't:
Since wb_is_trusted_domain() calls wbcDomainInfo(), and this will also
give a result for our own domain, this succeeds for the member
server's own domain when winbindd is running. When winbindd is not
running, is_trusted_domain() checks (and possibly updates) the trustdom
cache, and this does the lsa_EnumTrustDom() rpc call to the DC which
does not return its own domain.
In case of winbindd not running, before 3.4, the domain part was _silently_
mapped to the workgroup in auth_util.c:make_user_info_map(),
which effectively did nothing in the member case.
But then the parameter "map untrusted to domain" was introduced
and the mapping was made to the workstation name instead of
the workgroup name by default unless "map untrusted to domain = yes".
(Commits
d8c54fddda,
5cd4b7b7c0, and
fbca269239)
This was ok as long as winbindd was running, but with winbindd not running,
these changes actually uncovered the above logic bug in the check.
So the correct check is to treat the workgroup as trusted / or known
in the member case. This is most easily achieved by not comparing the
domain name against get_global_sam_name() which is the host name unless
for a DC but against my_sam_name() which is the workgroup for a DC and for
a member, too. (These names are not very intuitive...)
I admit that this is a very long commit message for a one-liner, but this has
needed some tracking down, and I think the change deserves some justification.
Michael
W2K3 DC's can have IPv6 addresses but won't serve
krb5/ldap or cldap on those addresses. Make sure when
we're asking for DC's we prefer IPv4.
If you have an IPv6-only network this prioritizing code
will be a no-op. And if you have a mixed network then you
need to prioritize IPv4 due to W2K3 DC's.
Jeremy.
This is an addendum to d8c54fdd, which made make_user_info_map() match
Windows behavior by mapping untrusted domains given to smbd on the wire
with the users credentials to smbd's global sam name.
This fix was being circumvented in the case where the client passed
a NULL domain. Vista clients do this. In that case smbd was always
remapping the name to the machine workgroup. The NULL domain case
should also be mapped to the global sam name.
Removing the code in this patch, causes us to fall down to the logic
added in d8c54fdd and properly map the domain.
Patch from Jeremy.
With this patch, I was able to join Windows 7 RC to a Samba3 DC, and login into a
Samba 3 Domain.
There are still two registry settings required:
HKLM\System\CCS\Services\LanmanWorkstation\Parameters
DWORD DomainCompatibilityMode = 1
DWORD DNSNameResolutionRequired = 0
Do *not* modify the other netlogon registry parameters that were passed around,
they weaken security.
Guenther
(cherry picked from commit b5097d54cb)
This commit is mostly to cope with the removal of SamOemHash (replaced
by arcfour_crypt()) and other collisions (such as changed function
arguments compared to Samba3).
We still provide creds_hash3 until Samba3 uses the credentials code in
netlogon server
Andrew Bartlett
This fix is very subtle. If a server is configured with "security = share"
and "guest ok = yes" and winbindd is running authorization will fail during
tree connect.
This is due to our inability to map the guest sid S-1-5-21-X-501 to a uid
through sid_to_uid(). Winbindd is unaware of the hard coded mapping
between this sid and whatever uid the name in lp_guestaccount() is assigned.
So sid_to_uid() fails and we exit create_token_from_username() without
ever calling pdb_getsampwsid() which IS aware of the hard coded mapping.
This patch just reorganizes the code, moving sid_to_uid() down to the
block of code in which it is needed, avoiding this early failure.
After the discussion on samba-technical, it was decided that the best
answer for now was to revert this change. The right way to do this is
to rewrite the token api to use opaque tokens with pluggable modules.
This reverts commit 8e19a28805.
This new backend is custom tailored to onefs' unique requirements:
1) No fallback logic
2) Does not validate the domain of the user
3) Handles unencrypted passwords
When set to yes, "force username map" forces every user, even AD
users, through an NSS lookup. This allows the token to be overridden
with information from NSS in certain broken environments.
After a lot of testing against various Windows servers (W2K, W2K3, W2K8),
within an AD domain it seems that unknown domains will only be translated
to the local account domain, not the netbios name of the member server's
domain. This makes samba act more like Windows.
A somewhat more elegant fix than I could use for 3.2.x or 3.0.x.
Turns out the only part of check_user_ok() that needs to change
for share level security is the VUID cache pieces, so I can just
always use check_user_ok() for all lp_security() cases.
Jeremy
This is an orthogonality measure to make clear this pointer now belongs to the
cache.
(cherry picked from commit e6080c6e87d6fe3995b121a772bf3f6343fa666f)
Remove the code in memcache that does a TALLOC_FREE on stored pointers. That's a disaster waiting
to happen. If you're storing talloc'ed pointers, you can't know their lifecycle and they should
be deleted when their parent context is deleted, so freeing them at some arbitrary point later
will be a double-free.
Jeremy.
str_list_make(). From Dan Sledz <dan.sledz@isilon.com>:
In samba 3.2 passing NULL or an empty string returned NULL.
In master, it now returns a list of length 1 with the first string set
to NULL (an empty list).
Jeremy.
