IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
What a difference a name makes... :-). Just because something is missnamed
SAMR_ACCESS_OPEN_DOMAIN, when it should actually be SAMR_ACCESS_LOOKUP_DOMAIN,
don't automatically use it for a security check in _samr_OpenDomain().
Jeremy.
This commit is mostly to cope with the removal of SamOemHash (replaced
by arcfour_crypt()) and other collisions (such as changed function
arguments compared to Samba3).
We still provide creds_hash3 until Samba3 uses the credentials code in
netlogon server
Andrew Bartlett
Also remove ads_memfree(), which was only ever a wrapper around
SAFE_FREE, used only to free the DN from ads_get_ds().
This actually makes libgpo more consistant, as it mixed a talloc and a
malloc based string on the same element.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
We absolutely need to avoid messing with the sync_context as that breaks the
stream of replication data coming from the DC (only replicates ~350 instead of
~4000 groups).
Guenther
The first is "kerberos method" and replaces the "use kerberos keytab"
with an enum. Valid options are:
secrets only - use only the secrets for ticket verification (default)
system keytab - use only the system keytab for ticket verification
dedicated keytab - use a dedicated keytab for ticket verification.
secrets and keytab - use the secrets.tdb first, then the system keytab
For existing installs:
"use kerberos keytab = yes" corresponds to secrets and keytab
"use kerberos keytab = no" corresponds to secrets only
The major difference between "system keytab" and "dedicated keytab" is
that the latter method relies on kerberos to find the correct keytab
entry instead of filtering based on expected principals.
The second parameter is "dedicated keytab file", which is the keytab
to use when in "dedicated keytab" mode. This keytab is only used in
ads_verify_ticket.
version.h changes rather frequently. Since it is included via includes.h,
this means each C file will be a cache miss. This applies to the following
situations:
* When building a new package with a new Samba version
* building in a git branch after calling mkversion.sh
after a new commit (i.e. virtually always)
This patch improves the situation in the following way:
* remove inlude "version.h" from includes.h
* Use samba_version_string() instead of SAMBA_VERSION_STRING
in files that use no other macro from version.h instead of
SAMBA_VERSION_STRING.
* explicitly include "version.h" in those files that use more
macros from "version.h" than just SAMBA_VERSION_STRING.
Michael
"I believe I have found two bugs in the 3.2 code and one bug that
carried on to the 3.3 branch. In the 3.2 code, everything is
located in the utils/net_rpc_samsync.c file. What I believe is the
first problem is that fetch_database() is calling
samsync_fix_delta_array() with rid_crypt set to true, which means
the password hashes are unencrypted from the RID encryption.
However, I believe this call is redundant, and the corresponding
call for samdump has rid_crypt set to false. So I think the
rid_crypt param should be false in fetch_database().
If you follow the code, it makes its way to sam_account_from_delta()
where the password hashes are decrypted a second time by calling
sam_pwd_hash(). I believe this is what is scrambling my passwords.
These methods were refactored somewhere in the 3.3 branch. Now the
net_rpc_samsync.c class calls rpc_vampire_internals, which calls
libnet/libnet_samsync.c, which calls samsync_fix_delta_array() with
rid_crypt always set to false. I think that's correct. But the
second bug has carried through in the sam_account_from_delta()
function:
208 if (memcmp(r->ntpassword.hash, zero_buf, 16) != 0) {
209 sam_pwd_hash(r->rid, r->ntpassword.hash, lm_passwd, 0);
210 pdb_set_lanman_passwd(account, lm_passwd, PDB_CHANGED);
211 }
212
213 if (memcmp(r->lmpassword.hash, zero_buf, 16) != 0) {
214 sam_pwd_hash(r->rid, r->lmpassword.hash, nt_passwd, 0);
215 pdb_set_nt_passwd(account, nt_passwd, PDB_CHANGED);
If you look closely you'll see that the nt hash is going into the
lm_passwd variable and the decrypted value is being set in the lanman
hash, and the lanman hash is being decrypted and put into the nt hash
field. So the LanMan and NT hashes look like they're being put in
the opposite fields."
Fix this by removing the rid_crypt parameter.
Jeremy.
This is a workaround for the cases where you want to join under a netbios name
that is different from your hostname, i.e. a name that can not be found in
/etc/hosts or dns. In these cases, name_to_fqdn fails or gives invalid results.
With gcc 4.1.3 on Ubuntu 7.10 the following build warning occurs:
Compiling libnet/libnet_samsync_keytab.c
cc1: warnings being treated as errors
libnet/libnet_samsync_keytab.c: In function ‘fetch_sam_entries_keytab’:
libnet/libnet_samsync_keytab.c:102: warning: ‘entry.enctype’ is used uninitialized in this function
Fixed by initializing to ENCTYPE_NULL
Use the libnet_dssync_context as a talloc context for the
result_message and error_message string members.
Using the passed in mem_ctx makes the implicit assumption
that mem_ctx is at least as long-lived as the libnet_dssync_context,
which is wrong.
Michael
(This used to be commit 635baf6b7d)
Initialize it to false.
And pass it down to the libnet_keytab context in
libnet_dssync_keytab.c:keytab_startup().
Unused yet.
Michael
Note: This might not be not 100% clean design to put this into the
toplevel dssync context while it is keytab specific. But then, on the
other hand, other imaginable backends might want to use this flag, too...
(This used to be commit 12e884f227)
to allow for removing all entries with given principal and enctype without
repecting the kvno (i.e. cleaning "old" entries...)
This is called with ignore_kvno == false from libnet_keytab_add_entry() to
keep the original behaviour.
Michael
(This used to be commit 6047f7b685)
I.e. only the passwords and keys of those objects whose dns are provided
are written to the keytab file. Others are skippded.
Michael
(This used to be commit a013f926ae)
Just specify several DNs separated by spaces on the command line of
"net rpc vampire keytab" to get the passwords for each of these
accouns via single object replication.
Michael
(This used to be commit 6e53dc2db8)
Untangle parsing of results and processing.
Make loop logic more obvious.
Call finishing operation after the loop, not inside.
Michael
(This used to be commit 47c8b3391c)
When retreiving a diff replication, the sAMAccountName attribute is usually
not replicated. So in order to build the principle, we need to store the
sAMAccounName in the keytab, referenced by the DN of the object, so that
it can be retrieved if necessary.
It is stored in the form of SAMACCOUNTNAME/object_dn@dns_domain_name
with kvno=0 and ENCTYPE_NONE.
Michael
(This used to be commit 54e2dc1f4e)
This makes libnet_keytab_remove_entries static and moves it up.
libnet_keytab_add_entry() now removes the duplicates in advance.
No special handling neede for the UTDV - this is also needed
for other entries...
Michael
(This used to be commit 3c46374544)
This is a stripped down version of smb_krb5_kt_add_entry() that
takes one explicit enctype instead of an array. And it does
not neither salting of keys nor cleanup of old entries.
Michael
(This used to be commit c83e54f1eb)
Not really used yet.
Note: callers use ENCTYPE_ARCFOUR_HMAC enctype for UTDV (for now).
This is what is currently stored. This is to be changed
to ENCTYPE_NULL.
Michael
(This used to be commit cb91d07413)
Still unused by the libnet_keytab_add() function.
This will follow.
In preparation of supporting multiple encryption types in libnet_dssync_keytab.
Michael
(This used to be commit 447b8b1122)
This is triggered by setting the new "single" flag in the dssync_context
and filling the "object_dn" member with the dn of the object to be
fetched.
This call is accomplished by specifying the DRSUAPI_EXOP_REPL_OBJ
extended operation in the DsGetNCCHanges request. This variant does
honor an up-to-date-ness vectore passed in, but the answer does not
return a new up-to-dateness vector.
Call this operation as "net rpc vampire keytab /path/keytab object_dn" .
Michael
(This used to be commit f4a01178a3)
Also store the new uptodateness vector in the backend after completion
and retrieve the old vector before sending the DsGetNCChanges request.
This effectively accomplishes differential replication.
Michael
(This used to be commit a2a88808df)
This extracts the info24 data in case this is what was returned (instead of info28).
E.g. windows 2000 returns info24.
Michael
(This used to be commit 61b41aa615)
The startup operation should get the old up-to-date-ness vector from the backend
and the finish operation should store the new vector to the backend after replication.
This adds the change of the signatures of the operations ot the dssync_ops struct
and the implementation for the keytab ops. The up-to-date-ness vector is stored
under the principal constructed as UTDV/$naming_context_dn@$dns_domain_name.
The vector is still uninterpreted in libnet_dssync_process().
This will be the next step...
This code is essentially by Metze.
Michael
(This used to be commit 01318fb27a)
This remove static a variable for the keytab context in the keytab
processing function and simplifies the signature. The keytab context
is instead in the new private data member of the dssync_context struct.
This is in preparation of adding support for keeping track of the
up-to-date-ness vector, in order to be able to sync diffs instead
of the whole database.
Michael
(This used to be commit c51c3339f3)
Previously this was done at token creation time if the Administrators and Users
builtins hadn't been created yet. A major drawback to this approach is that if
a customer is joined to a domain and decides they want to join a different
domain, the domain groups from this new domain will not be added to the
builtins.
It would be ideal if these groups could be added exclusively at domain join
time, but we can't rely solely on that because there are cases where winbindd
must be running to allocate new gids for the builtins. In the future if there
is a way to allocate gids for builtins without running winbindd, this code
can be removed from create_local_nt_token.
- Made create_builtin_users and create_builtin_administrators non-static so
they can be called from libnet
- Added a new function to libnet_join that will make a best effort to add
domain administrators and domain users to BUILTIN\Administrators and
BUILTIN\Users, respectively. If the builtins don't exist yet, winbindd must be
running to allocate new gids, but if the builtins already exist, the domain
groups will be added even if winbindd is not running. In the case of a
failure the error will be logged, but the join will not be failed.
- Plumbed libnet_join_add_dom_rids_to_builtins into the join post processing.
(This used to be commit e92faf5996)
Thanks obnox, now we can net ads join and net ads leave with zero
configuration changes if "config backend = registry".
Guenther
(This used to be commit 9003881773)
In order to avoid receiving NT_STATUS_DOWNGRADE_DETECTED from a w2k8
netr_ServerAuthenticate2 reply, we need to start with the AD netlogon negotiate
flags everywhere (not only when running in security=ads). Only for NT4 we need
to do a downgrade to the returned negotiate flags.
Tested with w2k8, w2ksp4, w2k3r2 and nt4sp6.
Guenther
(This used to be commit 0970369ca0)
libnetjoin now supports Computers/Servers/Unix as well as
ou=Computers,ou=Servers,ou=Unix,dc=ber,dc=realm,dc=com.
Guenther
(This used to be commit c0be84c96d)
This is passed to the module init routines.
In case of the registry, this is the path of the
basekey in registry, that is to be used, defaulting
to KEY_SMBCONF (HKLM\software\samba\smbconf), when
NULL is given. This is the only case currently used.
In order to support other keys, registry initialization
for smbconf has to be changed to support different keys.
Michael
(This used to be commit 96434d9dc7)
The libnet_conf code to access the registry based configuration has
become more of a library used in several places in samba (e.g. loadparm)
than an abstraction of "net conf". So I move it to a location lib/smbconf/.
In the same breath, the api is fixed (not generated by make proto anymore).
Michael
(This used to be commit 5315ef41f4)
This is to provide a change sequence number to users, so that they
can use it to detect change in the config and trigger a reload.
Michael
(This used to be commit a0b12f4d81)
Also remove the "convenience function" section comment.
The set_global_parameter function now has a right to exist
in the api.
Michael
(This used to be commit fd99c1804a)
Günther, I wanted to have this as atomic as possible.
I will add this behaviour to libnet_conf_set_global_parameter() next
with the justification that [global] should exist transparently.
Michael
(This used to be commit e2b34e9c02)
The libnet_conf_ctx stores the information necessary to interoperate
with the configuration. It is created by calling libnet_conf_open()
and destroyed by calling libnet_conf_close(). The context is passed
to all the libnet_conf functions. It currently stores the token to
access the registry. Later, it could store more data, e.g. the server
to connect to, credentials, and so on. For support of other backends
than registry or support of remote configuration, only the open
function will have to be changed.
In net_conf, the calls to the actual net_conf functions is wrapped
into a function that calls libnet_conf_open()/_close(). Thus an
individual variant of net_conf_runfunction2() and functable2 is
used to cope with functions being called by the wrapper with the
additional libnet_conf_ctx argument.
Michael
(This used to be commit c2a9346faa)