1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

218 Commits

Author SHA1 Message Date
Andrew Bartlett
34aa19cafe r13317: Create a new function messaging_client_init() which can be used when
we don't have a server messaging context.  We should replace the
datagram messages with stream sockets in this case, so we don't have
to create a unique socket.

Andrew Bartlett
(This used to be commit fd974fb647)
2007-10-10 13:51:43 -05:00
Andrew Bartlett
fc29c3250a r13104: Migrate and set secrets keytab values in the 'net join' code. This
avoids falling back to in-memory keytabs.

Andrew Bartlett
(This used to be commit 59fbce01c6)
2007-10-10 13:51:25 -05:00
Andrew Bartlett
8641271e65 r12979: Grr, I forgot to commit this file (from Brad Henry's libnet_site
patch) before the power went out :-)

Andrew Bartlett
(This used to be commit 352d6493bb)
2007-10-10 13:51:13 -05:00
Andrew Bartlett
1f72942873 r12976: Patch from Brad Henry <j0j0@riod.ca>:
This patch pulls the AD site name generation and site join code from
libnet/libnet_join.c and puts it into a new file, libnet/libnet_site.c.
This way, a common means for site name, configuration dn and server dn
generation exists so it doesn't need to be rewritten in new code (such
as the future libnet_leave for example).

I've made a couple of changes, but nothing dramatic.  Nice work Brad!

Andrew Bartlett
(This used to be commit 45f67b3f6d)
2007-10-10 13:51:13 -05:00
Andrew Bartlett
243e07cfa2 r12930: Fix ADS join: I wasn't filling in the flag 'realm' variable any more.
Andrew Bartlett
(This used to be commit 5c5a2974c9)
2007-10-10 13:51:08 -05:00
Andrew Bartlett
f3db23ac75 r12928: This patch improves the interaction between the vampire and provsion code.
Previously, we had to know (or guess) the host and domain guid at the
provision stage.  Now we query the database post-provision, to extract
the values and fill in the zone file.

This allows us to generate a correct zone file in the Windows migration case.

In an effort to make SWAT easier to use, I have removed and renamed
some of the provision options.

I have also fixed a nasty issue in my js code.  I had implictly
declared a global variable of the name 'join', with disasterious
results for any subsequent user of the string utility function:

esp exception - ASSERT at lib/appweb/ejs/ejsParser.c:2064, 0

Backtrace:
        [ 0]       substitute_var:20   ->               list[i] = join("", list2)
        [ 1]           setup_file:9    ->       data = substitute_var(data, subobj)

Andrew Bartlett
(This used to be commit a38ceefd11)
2007-10-10 13:51:07 -05:00
Andrew Bartlett
dcd63b9770 r12926: Syncronsise GUIDs on users and domains from the server. These also
appear in DNS, so need to match.

Andrew Bartlett
(This used to be commit d092b0493d)
2007-10-10 13:51:07 -05:00
Andrew Bartlett
b15582ed81 r12903: Factor out a new routine libnet_RpcConnectDCInfo, to both connect to
the remote sever, and to query it for domain information.

Provide and use this information in the SamSync/Vampire callbacks, to allow a
parallel connection to LDAP, if we are talking to AD.  This allows us
to get at some important attributes not exposed in the old protocol.

With this, we are able to do a all-GUI vampire of a AD domain from
SWAT, including getting all the SIDs, servicePrincipalNames and the
like correct.

Andrew Bartlett
(This used to be commit 918358cee0)
2007-10-10 13:51:00 -05:00
Andrew Bartlett
17402db4df r12894: Add more detail to error messages.
Andrew Bartlett
(This used to be commit 31fd39f356)
2007-10-10 13:50:59 -05:00
Andrew Bartlett
1460719b6a r12893: Filling in *error_string is critical for SWAT, as the errors otherwise
do not propogate back to the user, they just end up in the logfile.

Andrew Bartlett
(This used to be commit 7c9f8e524b)
2007-10-10 13:50:59 -05:00
Andrew Bartlett
58f78fa182 r12892: Add a 'Migrate from Windows' page to our installation section in SWAT.
Doing this required reworking ejsnet, particularly so it could take a
set of credentials, not just a username and password argument.

This required fixing the ejsnet.js test script, which now adds and
deletes a user, and is run from 'make test'.  This should prevent it
being broken again.

Deleting a user from ejsnet required that the matching backend be
added to libnet, hooking fortunetly onto already existing code for the
actual deletion.

The js credentials interface now handles the 'set machine account' flag.

New functions have been added to provision.js to wrap the basic
operations (so we can write a command line version, as well as the web
based version).

Andrew Bartlett
(This used to be commit a5e7c17c34)
2007-10-10 13:50:59 -05:00
Andrew Bartlett
d790d8d6ed r12886: Rename 'secure_channel_type' parameter to domain join as 'join_type'.
Andrew Bartlett
(This used to be commit a3b3e09a9a)
2007-10-10 13:50:58 -05:00
Andrew Bartlett
f2df13958c r12883: Fix the build...
Andrew Bartlett
(This used to be commit 8f7d14048f)
2007-10-10 13:50:57 -05:00
Andrew Bartlett
e15136af9e r12882: Allow the netbios name to be specified at all times.
Andrew Bartlett
(This used to be commit f4f4dcf217)
2007-10-10 13:50:57 -05:00
Andrew Bartlett
7d90b3f802 r12881: Hard-coded defaults are silly. We have smb.conf for a reason.
Andrew Bartlett
(This used to be commit c9402f9227)
2007-10-10 13:50:57 -05:00
Andrew Bartlett
99125b6510 r12873: Fix valgrind-found uninitialised value.
Andrew Bartlett
(This used to be commit 38e8a6477a)
2007-10-10 13:50:56 -05:00
Andrew Bartlett
e0f69bf1d3 r12872: Add some more detail to debug message.
Andrew Bartlett
(This used to be commit cefba10bd5)
2007-10-10 13:50:56 -05:00
Andrew Bartlett
a5a79e8b8c r12865: Upgrade the librpc and libnet code.
In librpc, always try SMB level authentication, even if trying
schannel, but allow fallback to anonymous.  This should better
function with servers that set restrict anonymous.

There are too many parts of Samba that get, parse and modify the
binding parameters.  Avoid the extra work, and add a binding element
to the struct dcerpc_pipe

The libnet vampire code has been refactored, to reduce extra layers
and to better conform with the standard argument pattern.  Also, take
advantage of the new libnet_Lookup code, so we don't require the silly
'password server' smb.conf parameter.

To better support forcing traffic to be sealed for the vampire
operation, the dcerpc_bind_auth() function now takes an auth level
parameter.

Andrew Bartlett
(This used to be commit d65b354959)
2007-10-10 13:50:55 -05:00
Andrew Bartlett
4b2ed199ca r12861: Cope when we are not supplied the messaging context. This is just
another case where we have to fallback to the node status request.

Andrew Bartlett
(This used to be commit 181064dbcf)
2007-10-10 13:50:54 -05:00
Andrew Bartlett
b135f4467f r12858: This moves the libnet_LookupPdc code to use a GetDC request to find
the remote server's name, or in the absence of a local nbt_server to
communicate with (or without root access), a node status request.

The result is that we are in a better position to use kerberos, as well
as to remove the 'password server' mandatory parameter for the samsync
and samdump commands.  (I need this to put these into SWAT).

The only problem I have is that I must create a messaging context, which
requires a server ID.  As a client process, I don't expect to get
messages, but it is currently required for replies, so I generate a
random() number.  We probably need the servers to accept connections on
streamed sockets too, for client-only tasks that want IRPC.

Because I wanted to test this code, I have put the NET-API-* tests into
our test scripts, to ensure they pass and keep passing.  They are good
frontends onto the libnet system, and I see no reason not to test them.

In doing so the NET-API-RPCCONNECT test was simplified to take a
binding string on the command line, removing duplicate code, and
testing the combinations in the scripts instead.

(I have done a bit of work on the list shares code in libnet_share.c
to make it pass 'make test')

In the future, I would like to extend the libcli/findds.c code (based
off volker's winbind/wb_async_helpers.c, which is why it shows up a bit
odd in the patch) to handle getting multiple name replies, sending a
getdc request to each in turn.

(posted to samba-technical for review, and I'll happily update with
any comments)

Andrew Bartlett
(This used to be commit 7ccddfd351)
2007-10-10 13:50:54 -05:00
Stefan Metzmacher
af5032acfd r12724: fix warnings
metze
(This used to be commit 4ca1a9a606)
2007-10-10 13:49:45 -05:00
Andrew Bartlett
4bfe2907e7 r12719: Rename unicodePwd -> sambaPassword.
Because we don't know the syntax of unicodePwd, we want to avoid using
that attribute name.  It may cause problems later when we get
replication form windows.

I'm doing this before the tech preview, so we don't get too many
supprises as folks upgrade databases into later versions.

Andrew Bartlett
(This used to be commit 097d9d0b7f)
2007-10-10 13:49:45 -05:00
Jelmer Vernooij
63d718e243 r12696: Reduce the size of include/structs.h
(This used to be commit 6391761601)
2007-10-10 13:49:40 -05:00
Jelmer Vernooij
78c50015bb r12694: Move some headers to the directory of the subsystem they belong to.
(This used to be commit c722f665c9)
2007-10-10 13:49:39 -05:00
Jelmer Vernooij
bc4aebfaec r12670: Make a couple of dependencies stricter
Re-introduce and use the OUTPUT_TYPE property for MODULEs to force
specific modules to always be included
(This used to be commit f9eede3d40)
2007-10-10 13:49:35 -05:00
Stefan Metzmacher
ba76f23df9 r12611: fix compiler warnings
metze
(This used to be commit 50940879f6)
2007-10-10 13:49:04 -05:00
Jelmer Vernooij
d4de4c2d21 r12608: Remove some unused #include lines.
(This used to be commit 70e7449318)
2007-10-10 13:49:03 -05:00
Jelmer Vernooij
2cd5ca7d25 r12542: Move some more prototypes out to seperate headers
(This used to be commit 0aca5fd513)
2007-10-10 13:47:55 -05:00
Andrew Bartlett
773d5e0af0 r12538: Clarify why we are doing the delete here.
Andrew Bartlett
(This used to be commit 6d8405038f)
2007-10-10 13:47:53 -05:00
Jelmer Vernooij
acd6a086b3 r12510: Change the DCE/RPC interfaces to take a pointer to a
dcerpc_interface_table struct rather then a tuple of interface
name, UUID and version.

This removes the requirement for having a global list of DCE/RPC interfaces,
except for these parts of the code that use that list explicitly
(ndrdump and the scanner torture test).

This should also allow us to remove the hack that put the authservice parameter
in the dcerpc_binding struct as it can now be read directly from
dcerpc_interface_table.

I will now modify some of these functions to take a dcerpc_syntax_id
structure rather then a full dcerpc_interface_table.
(This used to be commit 8aae0f168e)
2007-10-10 13:47:48 -05:00
Jelmer Vernooij
d8e35f8828 r12498: Eliminate INIT_OBJ_FILES and ADD_OBJ_FILES. We were not using
the difference between these at all, and in the future the
fact that INIT_OBJ_FILES include smb_build.h will be sufficient to
have recompiles at the right time.
(This used to be commit b24f2583ed)
2007-10-10 13:47:45 -05:00
Andrew Bartlett
7448b93a2e r12430: Clarify libnet_join code. Add/fix comments.
Andrew Bartlett
(This used to be commit a3372935ee)
2007-10-10 13:47:37 -05:00
Andrew Bartlett
758873b9fb r12423: Remove DEBUG(0) printouts in favor of more information to the caller.
I assume this works better with SWAT and the like anyway.

Andrew Bartlett
(This used to be commit b11975703d)
2007-10-10 13:47:36 -05:00
Andrew Bartlett
8e0948bbad r12421: Handle the case where we are a joining as different account types far better.
Andrew Bartlett
(This used to be commit 0ce82e8a41)
2007-10-10 13:47:35 -05:00
Andrew Bartlett
221c1512a8 r12411: Add 'net samdump keytab <keytab>'.
This extracts a remote windows domain into a keytab, suitable for use
in ethereal for kerberos decryption.

For the moment, like net samdump and net samsync, the 'password
server' smb.conf option must be set to the binding string for the
server. eg:

password server = ncacn_np:mypdc

Andrew Bartlett
(This used to be commit 272013438f)
2007-10-10 13:47:35 -05:00
Jelmer Vernooij
ab31a44216 r12254: Add some (hopefully correct) descriptions for libraries that are installed.
Install pkg-config files.
(This used to be commit a86abe84e2)
2007-10-10 13:47:24 -05:00
Andrew Bartlett
a1827a1deb r12227: I realised that I wasn't yet seeing authenticated LDAP for the ldb
backend.

The idea is that every time we open an LDB, we can provide a
session_info and/or credentials.  This would allow any ldb to be remote
to LDAP.  We should also support provisioning to a authenticated ldap
server.

(They are separate so we can say authenticate as foo for remote, but
here we just want a token of SYSTEM).

Andrew Bartlett
(This used to be commit ae2f3a64ee)
2007-10-10 13:47:22 -05:00
Rafal Szczesniak
25f82c19f6 r12105: Formatting.
rafal
(This used to be commit 13d7b8fa43)
2007-10-10 13:47:10 -05:00
Andrew Bartlett
9c6b7f2d62 r11995: A big kerberos-related update.
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.

In particular, the credentials system now supplies GSS client and
server credentials.  These are imported into GSS with
gss_krb5_import_creds().  Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.

Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls.  Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.

To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass.  The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.

This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().

We can now (in theory) use a system-provided /etc/krb5.keytab, if

krb5Keytab: FILE:/etc/krb5.keytab

is added to the secrets.ldb record.  By default the attribute

privateKeytab: secrets.keytab

is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df4)
2007-10-10 13:46:56 -05:00
Rafal Szczesniak
1b415f7b8e r11815: A bit more comments and spaces for better readability.
rafal
(This used to be commit 1e831aead1)
2007-10-10 13:46:32 -05:00
Rafal Szczesniak
78a328bef8 r11813: Const-ify name resolution method list and use string list
utilities to set the context field.

rafal
(This used to be commit 5da8b457c3)
2007-10-10 13:46:32 -05:00
Andrew Tridgell
f8391489bf r11794: - fixed a valgrind error in libnet, caused by using a stack variable
after the function has returned (the *address variable was assigned
  into the state).

- changed libnet to use event_context_find() instead of
  event_context_init(), so it works as a child of existing code that
  uses a event context
(This used to be commit 47ceb2d355)
2007-10-10 13:46:28 -05:00
Rafal Szczesniak
7bfe1d29dd r11750: More comments.
(This used to be commit d277b13ced)
2007-10-10 13:46:22 -05:00
Rafal Szczesniak
d6017d3969 r11749: 1) Buffer allocation's been moved and isn't needed here.
2) Connect to a server instead of pdc after locating it.

rafal
(This used to be commit a7bf9ada34)
2007-10-10 13:46:21 -05:00
Rafal Szczesniak
e1bea4eaf5 r11747: Move buffer allocation to libnet_Lookup function so that the
caller is not required to ensure it.

rafal
(This used to be commit 85456e6c0b)
2007-10-10 13:46:21 -05:00
Rafal Szczesniak
5da7edac6d r11708: Fix allocation of too small buffer to hold ip address.
Thanks metze for catching that.

rafal
(This used to be commit 5114ef8d1c)
2007-10-10 13:46:16 -05:00
Rafal Szczesniak
dfd5b1b020 r11705: Fix segfaulting create user function.
rafal
(This used to be commit 6b0c083c9b)
2007-10-10 13:46:15 -05:00
Simo Sorce
5c95905871 r11567: Ldb API change patch.
This patch changes the way lsb_search is called and the meaning of the returned integer.
The last argument of ldb_search is changed from struct ldb_message to struct ldb_result
which contains a pointer to a struct ldb_message list and a count of the number of messages.
The return is not the count of messages anymore but instead it is an ldb error value.

I tryed to keep the patch as tiny as possible bu as you can guess I had to change a good
amount of places. I also tried to double check all my changes being sure that the calling
functions would still behave as before. But this patch is big enough that I fear some bug
may have been introduced anyway even if it passes the test suite. So if you are currently
working on any file being touched please give it a deep look and blame me for any error.

Simo.
(This used to be commit 22c8c97e6f)
2007-10-10 13:45:53 -05:00
Andrew Bartlett
56d3064db6 r11410: Fix rejoin as a BDC by modifying, rather than trying to recreate, the
server reference.

Andrew Bartlett
(This used to be commit 302219928f)
2007-10-10 13:45:33 -05:00
Andrew Bartlett
4e65f39ca9 r11409: The use of 'password server = ' here is still bogus, but for now at
least don't allow binding to become uninitialised.

Andrew Bartlett
(This used to be commit e754234a17)
2007-10-10 13:45:33 -05:00