IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Fix winbind_lookup_name for the local domain, ie for aliases on a member
server.
Volker
(This used to be commit 4ba50c823e8d61f87ab5627f15e826e73e45ffcc)
Also remove the mem_ctx from the netsamlogon_cache_store() API.
Guenther, what should we be doing with the other fields in
the PAC_LOGON_INFO?
(This used to be commit 8bead2d2825015fe41ba7d7401a12c06c29ea7f7)
around failed query_user calls. This fixes
logons to a member of a Samba domain as a user from a
trusted AD domain.
As per comments on samba-technical, I still need to add
(a) cache the PAC info as werll as NTLM net_user_info_3
(b) expire the cache when the SMB session goes away
Both Jeremy and Guenther have signed off on the idea.
(This used to be commit 0c2bb5ba7b92d9210e7fa9f7b70aa67dfe9faaf4)
logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes
the auth module interface to 2 (from 1). The effect of this is
that clients can access resources as a machine account if they
set these flags. This is the same as Windows (think of a VPN
where the vpn client authenticates itself to a VPN server
using machine account credentials - the vpn server checks
that the machine password was valid by performing a machine
account check with the PDC in the same was as it would a
user account check. I may add in a restriction (parameter)
to allow this behaviour to be turned off (as it was previously).
That may be on by default.
Andrew Bartlett please review this change carefully.
Jeremy.
(This used to be commit d1caef866326346fb191f8129d13d98379f18cd8)
of the Samba4 timezone handling code back into Samba3.
Gets rid of "kludge-gmt" and removes the effectiveness
of the parameter "time offset" (I can add this back
in very easily if needed) - it's no longer being
looked at. I'm hoping this will fix the problems people
have been having with DST transitions. I'll start comprehensive
testing tomorrow, but for now all modifications are done.
Splits time get/set functions into srv_XXX and cli_XXX
as they need to look at different timezone offsets.
Get rid of much of the "efficiency" cruft that was
added to Samba back in the day when the C library
timezone handling functions were slow.
Jeremy.
(This used to be commit 414303bc0272f207046b471a0364fa296b67c1f8)
message handler, the list of messages from retrieve_all_messages is not
properly freed. Not important, just confusing :-)
Volker
(This used to be commit d20388750dcfe7e0680246f7e3e6beb3a6d51a4a)
(this is the way it's been done in other functions). Instead
of moving this into the IDL, I think the best solution would
be to write a wrapper function around any call that needs
this (this is what we already do for many of the calls).
Jeremy.
(This used to be commit aeca4efa11728be53b81967bb5442b5b09d1a975)
lsa_openpolicy and fall back appropriately. In particular an ntlmssp bind
failure can not be detected before the first real rpc request, at least
according to abartlet :-)
Works for me against w2k3, w2k and nt4. Sooner or later I should test against
samba4 ... :-)
Volker
(This used to be commit 48a9e35208ae7b6271508085f59833e5def640e8)
We can only tell if the bind succeeded on the first real RPC call. So we have
to decide according to success of samrconnect whether we have to fall
back. Similarly for lsaopenpolicy.
Volker
(This used to be commit 0603e1c8456ee87b87b051e0303a35fdbfbcf7ca)
This avoids that each time a full-group-dump is requested from ADS; the
bitwise match allows to only query those groups we are interested in.
The ADS LDAP server changed to RFC compliant behaviour when decoding the ldap
filter with extensible match in the latest SPs (fixes). From the patch:
/* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
* rollup-fixes:
*
* According to Section 5.1(4) of RFC 2251 if a value of a type is it's
* default value, it MUST be absent. In case of extensible matching the
* "dnattr" boolean defaults to FALSE and so it must be only be present
* when set to TRUE.
*
* When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
* filter using bitwise matching rule then a buggy AD fails to decode
* the extensible match. As a workaround set it to TRUE and thereby add
* the dnAttributes "dn" field to cope with those older AD versions.
* It should not harm and won't put any additional load on the AD since
* none of the dn components have a bitmask-attribute.
*
* Thanks to Ralf Haferkamp for input and testing */
Guenther
(This used to be commit db38ed6be607d08515920d46fb8a12f8cb4ddd6e)
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
valgrind.
Jerry, if this patch proves to fix his problem, it is definitely a candidate
for the recommended patches page.
Volker
(This used to be commit 5232034b0daca8486fd55e53c2d910e4fbf0299d)
in question is still initializing overwrites domain->dcname. Only overwrite if
the parent actually has sent a dcname and thus really knows it. Second,
ntlm_auth needs the error code, not just the fact it failed.
Jerry, the 3_0 part might qualify as a "recommended patch".
Thanks,
Volker
(This used to be commit d79b179b7f9d2efa4f8ee47bfe386e90d8b58322)
It was already gone in trunk anyways.
working on fixing BUG 3000 which does work now but we are flying
without a cache.
(This used to be commit 4936d6d8b28edc59a3d17defcdf255ea6e0ba4e0)
pointer in get_cache() by requiring that all domain structure be
initialized with the set_dc_type_and_flags().
(This used to be commit c064609b942e88c70fe0a868e52c57ad1016850c)
