1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-27 03:21:53 +03:00
Commit Graph

772 Commits

Author SHA1 Message Date
Günther Deschner
110e420196 r23651: Always, always, always compile before commit...
Guenther
(This used to be commit accb40446a)
2007-10-10 12:23:41 -05:00
Günther Deschner
3b1956f9d2 r23650: Fix remaining callers of krb5_kt_default().
Guenther
(This used to be commit b9d7a2962a)
2007-10-10 12:23:41 -05:00
Günther Deschner
a248672932 r23649: Fix the build (by moving smb_krb5_open_keytab() to clikrb5.c).
Guenther
(This used to be commit 19020d19dc)
2007-10-10 12:23:41 -05:00
Günther Deschner
a2618aa8d5 r23648: Allow to list a custom krb5 keytab file with:
net ads keytab list /path/to/krb5.keytab

Guenther
(This used to be commit a2befee3f2)
2007-10-10 12:23:41 -05:00
Günther Deschner
6fff735da0 r23647: Use smb_krb5_open_keytab() in smbd as well.
Guenther
(This used to be commit d22c0d291e)
2007-10-10 12:23:41 -05:00
Günther Deschner
df63172ad9 r23646: Generalize our internal keytab handling to support a broader range of default
keytabnames (like "ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab"). This also
fixes keytab support with Heimdal (which supports the WRFILE pragma as well
now).

Guenther
(This used to be commit 7ca002f4cc)
2007-10-10 12:23:40 -05:00
Günther Deschner
47bd42ab1c r23607: Add legacy support for Services for Unix (SFU) 2.0.
Guenther
(This used to be commit 11b390309b)
2007-10-10 12:23:35 -05:00
Jeremy Allison
5a80fa5c0c r23514: Remove unused function ads_get_dn_from_extended_dn().
Jeremy.
(This used to be commit 03763bc528)
2007-10-10 12:23:24 -05:00
Gerald Carter
b4a39dc10e r23477: Build farm fix: Use int rather than MIT's krb5_int32 when setting context flags.
(This used to be commit 903145e957)
2007-10-10 12:23:19 -05:00
Gerald Carter
4caefdf348 r23474: Here's a small patch that disables the libkrb5.so replay cache
when verifying a ticket from winbindd_pam.c.

I've found during multiple, fast, automated SSH logins (such
as from a cron script) that the replay cache in MIT's krb5
lib will occasionally fail the krb5_rd_req() as a replay attack.

There seems to be a small window during which the MIT krb5
libs could reproduce identical time stamps for ctime and cusec
in the authenticator since Unix systems only give back
milli-seconds rather than the micro-seconds needed by the
authenticator.  Checked against MIT 1.5.1.  Have not
researched how Heimdal does it.

My thinking is that if someone can spoof the KDC and TDS
services we are pretty hopeless anyways.
(This used to be commit cbd33da9f7)
2007-10-10 12:23:19 -05:00
Gerald Carter
3272b1dd60 r23251: whoops! Fix compile error
(This used to be commit 22a3ea40ac)
2007-10-10 12:22:59 -05:00
Jeremy Allison
ad5ff1b809 r23147: Patch #4566 from jacob berkman <jberkman@novell.com>. Pass password data to krb5_prompter.
Jeremy.
(This used to be commit 232fc5d69d)
2007-10-10 12:22:48 -05:00
Jeremy Allison
71ee55f98d r23080: Fix bug #4637 - we hads missed some cases where
we were calling PRS_ALLOC_MEM with zero count.
Jeremy.
(This used to be commit 9a10736e6f)
2007-10-10 12:22:43 -05:00
Michael Adam
2753d30cbe r22893: Use ldap_rename_s instead of deprecated ldap_rename2_s.
This fixes the build on solaris (host sun9).
And hopefully doesn't break any other builds... :-)
If it does, we need some configure magic.

Thanks to Björn Jacke <bj@sernet.de>.
(This used to be commit a43775ab36)
2007-10-10 12:22:05 -05:00
Volker Lendecke
b4a7b7a888 r22844: Introduce const DATA_BLOB data_blob_null = { NULL, 0, NULL }; and
replace all data_blob(NULL, 0) calls.
(This used to be commit 3d3d61687e)
2007-10-10 12:22:01 -05:00
Günther Deschner
83564b43e3 r22800: Add GPO_SID_TOKEN and an LDAP function to get tokensids from the tokenGroup attribute.
Guenther
(This used to be commit e4e8f84060)
2007-10-10 12:21:59 -05:00
Günther Deschner
75a0171857 r22799: Fix the build.
Guenther
(This used to be commit 6e911c442b)
2007-10-10 12:21:59 -05:00
Günther Deschner
46c5da2fd6 r22798: Add the "apply group policy" access bit (as seen in type 0x05 ALLOWED OBJECT
ACEs).

Guenther
(This used to be commit e138cbc876)
2007-10-10 12:21:58 -05:00
Günther Deschner
9c170fce26 r22797: We are only interested in the DACL of the security descriptor, so search with
the SD_FLAGS control.

Guenther
(This used to be commit 648df57e53)
2007-10-10 12:21:57 -05:00
Gerald Carter
3eca3af1bc r22728: Patch from Danilo Almeida <dalmeida@centeris.com>:
When asked to create a machine account in an OU as part
of "net ads join" and the account already exists in another
OU, simply move the machine object to the requested OU.
(This used to be commit 3004cc6e59)
2007-10-10 12:21:51 -05:00
Gerald Carter
89fd4444af r22714: Prevent DNS lookup storms when the DNS servers are unreachable.
Helps when transitioning from offline to online mode.

Note that this is a quick hack and a better solution
would be to start the DNS server's state between processes
(similar to the namecache entries).
(This used to be commit 4f05c6fe26)
2007-10-10 12:21:49 -05:00
Gerald Carter
8ff276fcb0 r22701: Fix the krb5_nt_status error table and add the "no DCs found" mapping
(This used to be commit 2ab617fbbf)
2007-10-10 12:21:47 -05:00
Günther Deschner
e468268335 r22666: Expand kerberos_kinit_password_ext() to return NTSTATUS codes and make
winbindd's kerberized pam_auth use that.

Guenther
(This used to be commit 0f436eab5b)
2007-10-10 12:19:54 -05:00
Günther Deschner
116c1532e7 r22664: When we have krb5_get_init_creds_opt_get_error() then try to get the NTSTATUS
codes directly out of the krb5_error edata.

Guenther
(This used to be commit dcd902f24a)
2007-10-10 12:19:53 -05:00
Günther Deschner
6288491e90 r22663: Restructure kerberos_kinit_password_ext() error path.
Guenther
(This used to be commit 997ded4e3f)
2007-10-10 12:19:53 -05:00
Jeremy Allison
56a5d05b8b r22590: Make TALLOC_ARRAY consistent across all uses.
That should be it....
Jeremy.
(This used to be commit 603233a98b)
2007-10-10 12:19:49 -05:00
Jeremy Allison
be8b0685a5 r22589: Make TALLOC_ARRAY consistent across all uses.
Jeremy.
(This used to be commit 8968808c3b)
2007-10-10 12:19:49 -05:00
Günther Deschner
1ee9650a1d r22479: Add "net ads keytab list".
Guenther
(This used to be commit 9ec76c5427)
2007-10-10 12:19:37 -05:00
Günther Deschner
56f6336fd4 r22460: Adding a generic ads_ranged_search() function.
Guenther
(This used to be commit b8828ea251)
2007-10-10 12:19:35 -05:00
Günther Deschner
8040fec0ac r22459: Adding ads_get_dn_from_extended_dn(), in preparation of making ranged LDAP
queries more generic. Michael, feel free to overwrite these and the following.

Guenther
(This used to be commit 0475b8eea9)
2007-10-10 12:19:35 -05:00
Stefan Metzmacher
78c57f59ac r22153: fix LDAP SASL "GSSAPI" bind against w2k3, this isn't critical
because we try "GSS-SPNEGO" first and all windows version support
that.

metze
(This used to be commit 34a5badbde)
2007-10-10 12:19:17 -05:00
Jeremy Allison
725fcf3461 r22112: Fix memleak pointed out by Steven Danneman <steven.danneman@isilon.com>.
Jeremy.
(This used to be commit 7c45bd3a47)
2007-10-10 12:19:14 -05:00
Stefan Metzmacher
eceb926df9 r22092: - make spnego_parse_auth_response() more generic and
not specific for NTLMSSP
- it's possible that the server sends a mechOID and authdata
  if negResult != SPNEGO_NEG_RESULT_INCOMPLETE, but we still
  force the mechOID to be present if negResult == SPNEGO_NEG_RESULT_INCOMPLETE

metze
(This used to be commit e9f2aa22f9)
2007-10-10 12:19:10 -05:00
Jeremy Allison
4899c6b806 r22079: Tsk, tsk, Metze didn't compile before check-in :-).
Merge the memory leak fix (with fix :-) to 3.0.25.
Jeremy.
(This used to be commit ab3150fe4e)
2007-10-10 12:19:09 -05:00
Stefan Metzmacher
98c300ab90 r22078: fix memory leak in not often used code, we only use it if the server
doesn't support GSS-SPNEGO in SASL

can someone please review this, maybe it's also for 3.0.25

metze
(This used to be commit 8c6930b701)
2007-10-10 12:19:09 -05:00
Jeremy Allison
9d34ee1c8b r21968: Don't use gss-types in proto headers.
Jeremy.
(This used to be commit 829580414d)
2007-10-10 12:18:53 -05:00
Jeremy Allison
3adeddcc4a r21967: Add conversion from gss errors to nt status.
Jeremy
(This used to be commit 8ba138efd0)
2007-10-10 12:18:53 -05:00
Jeremy Allison
8c395be5e5 r21922: Fixed the build by rather horrid means. I really need
to restructure libsmb/smb_signing.c so it isn't in
the base libs path but lives in libsmb instead (like
smb_seal.c does).
Jeremy.
(This used to be commit 1b828f051d)
2007-10-10 12:18:49 -05:00
Jeremy Allison
42b2ddec8f r21863: Fix debug messages with incorrect function name.
Jeremy.
(This used to be commit d432d81c83)
2007-10-10 12:18:39 -05:00
Günther Deschner
b067d986b4 r21855: Fix a memleak in the krb5 locator and comment out gfree_all() which doesn't
make sense as long as it doesn't work as an lp_unload().

Guenther
(This used to be commit 128ea9bebb)
2007-10-10 12:18:38 -05:00
Jeremy Allison
b74cb6740f r21850: After Jerry explained to me the HORRIBLE way in which
the MIT gss libraries *SUCK*, move the frees to the end
of the function so MIT doesn't segfault.....
Add a comment so that another engineer knows why I did
this.
Jeremy.
(This used to be commit 1a2be06d4a)
2007-10-10 12:18:38 -05:00
Jeremy Allison
7d77dd9db6 r21847: Fix memory leaks in error paths (and in main code path in one case...)
in sasl bind. Wonder why coverity didn't find these ?
Jeremy.
(This used to be commit 89bdd30e4b)
2007-10-10 12:18:37 -05:00
Jeremy Allison
edccfc9192 r21845: Refactor the sessionsetupX code a little to allow us
to return a NT_STATUS_TIME_DIFFERENCE_AT_DC error to
a client when there's clock skew. Will help people
debug this. Prepare us for being able to return the
correct sessionsetupX "NT_STATUS_MORE_PROCESSING_REQUIRED"
error with associated krb5 clock skew error to allow
clients to re-sync time with us when we're eventually
able to be a KDC.
Jeremy.
(This used to be commit c426340fc7)
2007-10-10 12:18:37 -05:00
Volker Lendecke
f56da0890f r21831: Back out r21823 for a while, this is going into a bzr tree first.
Volker
(This used to be commit fd0ee6722d)
2007-10-10 12:18:37 -05:00
Volker Lendecke
aa6055debd r21823: Let secrets_store_machine_password() also store the account name. Not used
yet, the next step will be a secrets_fetch_machine_account() function that
also pulls the account name to be used in the appropriate places.

Volker
(This used to be commit f94e5af72e)
2007-10-10 12:18:36 -05:00
Günther Deschner
0e702698f9 r21822: Adding experimental krb5 lib locator plugin.
This is a starting point and may get changed. Basically we need follow the
exact same path to detect (K)DCs like other Samba tools/winbind do. In
particular with regard to the server affinity cache and the site-awarness for
DNS SRV lookups.

To compile just call "make bin/smb_krb5_locator.so", copy to
/usr/lib/plugin/krb5/ (Heimdal HEAD) or /usr/lib/krb5/plugins/libkrb5/ (MIT)
and you should immediately be able to kinit to your AD domain without having
your REALM with kdc or kpasswd directives defined in /etc/krb5.conf at all.

Tested with todays Heimdal HEAD and MIT krb5 1.5.

Guenther
(This used to be commit 34ae610bd5)
2007-10-10 12:18:36 -05:00
James Peach
98e58694ee r21779: I missd a call to krb5_get_init_creds_opt_alloc in r21778.
(This used to be commit 4f6c2826aa)
2007-10-10 12:18:32 -05:00
James Peach
3adeb42742 r21778: Wrap calls to krb5_get_init_creds_opt_free to handle the different
calling convention in the latest MIT changes.  Apparantly Heimdal
is also changing to this calling convention.
(This used to be commit c29c69d2df)
2007-10-10 12:18:32 -05:00
Jeremy Allison
aab1dd4ddb r21755: Memory leak fixes from Zack Kirsch <zack.kirsch@isilon.com>.
Jeremy.
(This used to be commit 02d08ca0be)
2007-10-10 12:18:28 -05:00
Jeremy Allison
fae01b4899 r21608: Fix a couple of memleaks in error code paths before
Coverity finds them :-)
Jeremy.
(This used to be commit cbe725f1b0)
2007-10-10 12:18:16 -05:00
Simo Sorce
e9e6af5951 r21606: Implement escaping function for ldap RDN values
Fix escaping of DN components and filters around the code
Add some notes to commandline help messages about how to pass DNs

revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was
incorrect.
The 2 functions use DNs in different ways.

- lookup_usergroups_member() uses the DN in a search filter,
and must use the filter escaping function to escape it
Escaping filters that include escaped DNs ("\," becomes "\5c,") is the
correct way to do it (tested against W2k3).

- lookup_usergroups_memberof() instead uses the DN ultimately as a base dn.
Both functions do NOT need any DN escaping function as DNs can't be reliably
escaped when in a string form, intead each single RDN value must be escaped
separately.

DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as
they come already escaped on the wire and passed as is by the ldap libraries

DN filtering has been tested.
For example now it is possible to do something like:
'net ads add user joe#5' as now the '#' character is correctly escaped when
building the DN, previously such a call failed with Invalid DN Syntax.

Simo.
(This used to be commit 5b4838f62a)
2007-10-10 12:18:16 -05:00
Günther Deschner
81e4a28718 r21561: It makes absolutely no sense to call krb5_kt_resolve() two times
directly after another.

Guenther
(This used to be commit 76ba11d777)
2007-10-10 12:18:13 -05:00
Günther Deschner
4e00351fd4 r21558: Safe more indent, again no code changes.
Guenther
(This used to be commit 7b18a4730d)
2007-10-10 12:18:13 -05:00
Günther Deschner
59e8bd617b r21557: indent only fix. No code change.
Guenther
(This used to be commit 8ff0903a17)
2007-10-10 12:18:13 -05:00
Günther Deschner
3e946cbb85 r21556: Remove superfluos return check in ads_keytab_verify_ticket().
Guenther
(This used to be commit 020601ea0a)
2007-10-10 12:18:13 -05:00
Günther Deschner
5aa3b27949 r21352: Let ads_upn_suffixes() return a pointer to an array of suffixes.
Guenther
(This used to be commit 7ad7847e5b)
2007-10-10 12:17:57 -05:00
Günther Deschner
08726ffcd4 r21349: Fix memleak in ads_upn_suffixes().
Guenther
(This used to be commit 8462f323cf)
2007-10-10 12:17:57 -05:00
Gerald Carter
763a553046 r21273: * Protect the sasl bind against a NULL principal string
in the SPNEGO negTokenInit
(This used to be commit fe70c22496)
2007-10-10 12:17:53 -05:00
Günther Deschner
69cee2a3ec r21240: Fix longstanding Bug #4009.
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".

Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).

Guenther
(This used to be commit 7e1a84b722)
2007-10-10 12:17:50 -05:00
Günther Deschner
aad88ee34f r21238: Fix tab indent in self-written krb5.confs.
Guenther
(This used to be commit 4df582fa10)
2007-10-10 12:17:50 -05:00
Günther Deschner
1898eaddb8 r21110: Fix kinit with Heimdal (Bug #4226).
Guenther
(This used to be commit ea38e1f836)
2007-10-10 12:17:38 -05:00
Gerald Carter
594ab518a5 r21046: Backing out svn r20403 (Andrew's krb5 ticket cleanup
as this is causing the WRONG_PASSWORD error in the SetUserInfo()
call during net ads join).

We are now back to always list RC4-HMAC first if supported by
the krb5 libraries.
(This used to be commit 4fb57bce87)
2007-10-10 12:17:29 -05:00
Günther Deschner
8751923635 r21021: Fix memleak.
Guenther
(This used to be commit 4e622572eb)
2007-10-10 12:17:28 -05:00
Günther Deschner
4b147350b8 r21003: Display LDAP base in debug statement.
Guenther
(This used to be commit fb5830f87a)
2007-10-10 12:17:25 -05:00
Gerald Carter
b9b26be174 r20986: Commit the prototype of the nss_info plugin interface.
This allows a provider to supply the homedirectory, etc...
attributes for a user without requiring support in core
winbindd code.  The idmap_ad.c module has been modified
to provide the idmap 'ad' library as well as the rfc2307 and sfu
"winbind nss info" support.

The SID/id mapping is working in idmap_ad but the nss_info
still has a few quirks that I'm in the process of resolving.
(This used to be commit aaec0115e2)
2007-10-10 12:17:23 -05:00
Jeremy Allison
9d19e52940 r20880: Fix memory leak in new sitename code. You got *really*
close Guenther, then you forgot to use "key" :-) :-).
Jeremy.
(This used to be commit 56842b59d0)
2007-10-10 12:17:17 -05:00
Günther Deschner
e9c294b926 r20874: We need to distinguish client sitenames per realm. We were overwriting
the stored client sitename with the sitename from each sucessfull CLDAP
connection.

Guenther
(This used to be commit 6a13e878b5)
2007-10-10 12:17:16 -05:00
Günther Deschner
a99840e59e r20862: When in disconnected mode there is no need to try a fallback to a site
less DNS query. This speeds up offline detection slightly.

Guenther
(This used to be commit eda76ecf07)
2007-10-10 12:17:14 -05:00
Günther Deschner
f3ad8bb00a r20860: Adding some small tweaks. When we have no sitename, there is no need to
ask for the list of DCs twice.

Guenther
(This used to be commit a9baf27e13)
2007-10-10 12:17:14 -05:00
Jeremy Allison
bfd099e148 r20857: Silence gives assent :-). Checking in the fix for
site support in a network where many DC's are down.
I heard via Volker there is still a bug w.r.t the
wrong site being chosen with trusted domains but
we'll have to layer that fix on top of this.
Gd - complain if this doesn't work for you.
Jeremy.
(This used to be commit 97e248f89a)
2007-10-10 12:17:14 -05:00
Günther Deschner
f3a85fb152 r20536: In the offline PAM session close case the attempt to delete a
non-existing krb5 credential cache should not generate an error.

Guenther
(This used to be commit 11c6f573af)
2007-10-10 12:16:55 -05:00
Gerald Carter
d3fc370fb9 r20487: Remove the unused dn2ad_canonical() call
(This used to be commit 86e6ae6a9f)
2007-10-10 12:16:52 -05:00
Gerald Carter
725cb5d7c9 r20486: Always upper case the "host/<sAMAccoutnName>" entry in the keytab file
so apps will know which one to look for,
(This used to be commit d4a5dc3ad5)
2007-10-10 12:16:52 -05:00
Andrew Bartlett
76cdf68ee9 r20403: Cleaning out my Samba 3.0 tree:
As discussed with jerry at the CIFS conf: overriding the
administrator's wishes from the krb5.conf has only every given me
segfaults.  We suggest leaving this up to the defaults from the
libraries anyway.

Andrew Bartlett
(This used to be commit 0b72c04906)
2007-10-10 12:16:47 -05:00
Günther Deschner
2d34900088 r20273: Map KRB5_KDCREP_SKEW to NT_STATUS_TIME_DIFFERENCE_AT_DC.
This gives much nicer error messages when failing to join due to clock
skew.

Guenther
(This used to be commit 5c5a761102)
2007-10-10 12:16:38 -05:00
Gerald Carter
db7bf9a6b6 r20173: DNS update fixes:
* Fix DNS updates for multi-homed hosts
* Child domains often don't have an NS record in
  DNS so we have to fall back to looking up the the NS
  records for the forest root.
* Fix compile warning caused by mismatched 'struct in_addr'
  and 'in_addr_t' parameters called to DoDNSUpdate()
(This used to be commit 3486acd3c3)
2007-10-10 12:16:29 -05:00
Herb Lewis
dc06fda6c7 r20132: get rid of defined but not used warning - static function only used
inside the #ifdef HAVE_KRB5
(This used to be commit c6cdf76c58)
2007-10-10 12:16:26 -05:00
Volker Lendecke
bae1fcd20f r19687: Fix uninitialized variables found by Coverity (and gcc -O1... ;-))
Volker
(This used to be commit b7dc9b8169)
2007-10-10 12:15:47 -05:00
Günther Deschner
61a38bd4b8 r19651: Fix interesting bug with the automatic site coverage in Active Directory:
When having DC-less sites, AD assigns DCs from other sites to that site
that does not have it's own DC. The most reliable way for us to identify
the nearest DC - in that and all other cases - is the closest_dc flag in
the CLDAP reply.

Guenther
(This used to be commit ff004f7284)
2007-10-10 12:15:44 -05:00
Günther Deschner
e513fb27d6 r19646: Fix memleak in the default_ou_string handling. Thanks to David Hu
<david.hu@hp.com>. Fixes #4212.

Guenther
(This used to be commit 4ec896cdbe)
2007-10-10 12:15:43 -05:00
Günther Deschner
31a63ab19f r19528: Fix container handling for "net ads user" and "net ads group" functions
along with some memleaks.

Guenther
(This used to be commit 4bad52c5b3)
2007-10-10 12:15:41 -05:00
Günther Deschner
6b65a1c26d r19526: Fix minor memleak.
Guenther
(This used to be commit 61ebedc82e)
2007-10-10 12:15:40 -05:00
Günther Deschner
424d7640b8 r19263: Be more accurate in telling what the sitename problem is in this DEBUG
statement.

Guenther
(This used to be commit 62928734b8)
2007-10-10 12:15:26 -05:00
Günther Deschner
ac080e3184 r19039: Do not segfault in "net ads printer info" when a requested printserver
does not exist.

Guenther
(This used to be commit 359315021d)
2007-10-10 12:15:04 -05:00
Günther Deschner
73f4ac012a r18982: Move the gpo related functions to "libgpo".
Guenther
(This used to be commit 1308a84271)
2007-10-10 12:14:53 -05:00
Günther Deschner
296b450f16 r18941: Minor cleanup in ads_parse_gpo().
Guenther
(This used to be commit 7579a91f81)
2007-10-10 12:14:49 -05:00
Günther Deschner
f7633eca18 r18923: Fix more memleaks.
Guenther
(This used to be commit ecb632a153)
2007-10-10 12:14:47 -05:00
Günther Deschner
dd992469dd r18902: Also dump mS-DS-CreatorSID.
Guenther
(This used to be commit e7cae9bbae)
2007-10-10 12:14:44 -05:00
Günther Deschner
82bf0da9d3 r18879: Fix crash for "net ads gpo list".
Guenther
(This used to be commit 7df5808d8b)
2007-10-10 12:14:41 -05:00
Andrew Tridgell
78f2900a16 r18869: two build fixes for systems without ldap
the first is to not enable the ldap ldb backend just yet. This will
need configure tests to conditionally include. We should be able to
use the m4 files from lib/ldb/

The 2nd is to fix libads/gpo.o not to publicly prototype a function
that needs ldap.h
(This used to be commit 1cf17edc14)
2007-10-10 12:14:39 -05:00
Günther Deschner
846aa881cd r18853: Fix remaining warnings. Volker, should be fine now.
Guenther
(This used to be commit 40a6169ace)
2007-10-10 12:01:04 -05:00
Günther Deschner
7fdd258c39 r18820: Comment out some unused functions.
Guenther
(This used to be commit cdc81927db)
2007-10-10 12:01:03 -05:00
Günther Deschner
a6bb76765a r18819: Fix build without LDAP.
Guenther
(This used to be commit a0aedee1c9)
2007-10-10 12:01:03 -05:00
Günther Deschner
0d12a35e6b r18817: Enable the build of the gpo tool but do not make it available yet.
Guenther
(This used to be commit 927cda5d31)
2007-10-10 12:01:03 -05:00
Günther Deschner
314d563b12 r18816: Fix some build warnings.
Guenther
(This used to be commit b70ed9e483)
2007-10-10 12:01:03 -05:00
Jelmer Vernooij
4db7642caa r18745: Use the Samba4 data structures for security descriptors and security descriptor
buffers.

Make security access masks simply a uint32 rather than a structure
with a uint32 in it.
(This used to be commit b41c52b9db)
2007-10-10 12:00:54 -05:00
Günther Deschner
4fa5a1c845 r18670: Fix memleaks.
Guenther
(This used to be commit 2fc63fb8f7)
2007-10-10 12:00:46 -05:00
Jeremy Allison
664c3f4166 r18663: Fix one more uuid -> GUID.
Jeremy.
(This used to be commit e568271af2)
2007-10-10 12:00:44 -05:00
Günther Deschner
245aa33f0d r18620: Fallback to non-paging LDAP searches in ads_do_search_retry_internal()
for anonymous bound connections.

When doing anonymous bind you can never use paged LDAP control for
RootDSE searches on AD.

Guenther
(This used to be commit dc1d92faab)
2007-10-10 11:52:01 -05:00
Jeremy Allison
a0aaa82f6d r18552: Ensure the sitename matches before we SAF store a DC in ADS mode.
Jeremy.
(This used to be commit 03e1078b45)
2007-10-10 11:51:49 -05:00
Günther Deschner
2ad8c705b2 r18512: Add krb5conf file environment to debug statement.
Guenther
(This used to be commit 398f368c8a)
2007-10-10 11:51:45 -05:00
Günther Deschner
dda94fdf96 r18508: A query for the LDAP schema can never be done anonymously against AD.
Guenther
(This used to be commit 8bb6e82f02)
2007-10-10 11:51:44 -05:00
Jeremy Allison
a4743f3a76 r18480: Doh ! Double-free of hostnameDN.
Jeremy.
(This used to be commit f8984fa8b7)
2007-10-10 11:51:43 -05:00
Volker Lendecke
6b3c42b1a1 r18466: Attempt to fix the AIX build
(This used to be commit 1398425067)
2007-10-10 11:51:42 -05:00
Volker Lendecke
dfa62cfa98 r18464: Solaris has LDAP_SCOPE_ONELEVEL. Linux seems to have it as well.
Fix a C++ compat warning.

Volker
(This used to be commit 351e583f66)
2007-10-10 11:51:42 -05:00
Volker Lendecke
d3237d2233 r18453: Attempt to fix the non-ldap build
(This used to be commit 86db854230)
2007-10-10 11:51:42 -05:00
Jeremy Allison
8c2c5c5d1d r18446: Add the ldap 'leave domain' code - call this as
a non-fatal error path if the 'disable machine
account' code succeeded.
Jeremy.
(This used to be commit f47bffa21e)
2007-10-10 11:51:42 -05:00
Günther Deschner
59e5149d8f r18425: Fix ads_ntstatus(). LDAP_SUCCESS should really map to NT_STATUS_OK.
Guenther
(This used to be commit 8ab214956e)
2007-10-10 11:51:23 -05:00
Gerald Carter
2b27c93a9a r18271: Big change:
* autogenerate lsa ndr code
* rename 'enum SID_NAME_USE' to 'enum lsa_SidType'
* merge a log more security descriptor functions from
  gen_ndr/ndr_security.c in SAMBA_4_0

The most embarassing thing is the "#define strlen_m strlen"
We need a real implementation in SAMBA_3_0 which I'll work on
after this code is in.
(This used to be commit 3da9f80c28)
2007-10-10 11:51:18 -05:00
Jeremy Allison
6cfe7be80e r18241: If replacing the krb5.conf, ensure it's readable.
Jeremy.
(This used to be commit dfd93a3031)
2007-10-10 11:51:18 -05:00
Jeremy Allison
ed0274433c r18234: DNS failures are too common to log at level zero or 1.
Jeremy.
(This used to be commit 943e21d5da)
2007-10-10 11:51:17 -05:00
Jeremy Allison
34a25efad2 r18226: Ensure we only do this evil thing if it's our realm.
Jeremy.
(This used to be commit 0a89b37b1a)
2007-10-10 11:51:16 -05:00
Jeremy Allison
80052bcf13 r18225: If we're going to overwrite krb5.conf, at least
be polite enough to make a backup.
Jeremy.
(This used to be commit c82aac594f)
2007-10-10 11:51:16 -05:00
Jeremy Allison
253c01f29e r18201: Make explicit what's going on here.
Jeremy.
(This used to be commit 38b8a2b527)
2007-10-10 11:51:16 -05:00
Jeremy Allison
6d4c7b1345 r18200: Experimental code to allow system /etc/krb5.conf to be
overwritten by winbindd. Don't enable this :-).
Jeremy.
(This used to be commit 88e11ee91a)
2007-10-10 11:51:16 -05:00
Jelmer Vernooij
995205fc60 r18188: merge 3.0-libndr branch
(This used to be commit 1115745cae)
2007-10-10 11:43:56 -05:00
Günther Deschner
b5f6cbbe1b r18177: Some build- and memleak-fixes for the (not build by default) ADS GPO
routines.

Guenther
(This used to be commit 0ef504a0a6)
2007-10-10 11:43:30 -05:00
Günther Deschner
171a5cd5c0 r18175: Forgot to call asn1_free() in previous commit.
Guenther
(This used to be commit af3779a516)
2007-10-10 11:43:30 -05:00
Günther Deschner
4bc83e60de r18174: Do not return "success" when we failed to write in the CLDAP code.
Guenther
(This used to be commit 1fe4724f57)
2007-10-10 11:43:30 -05:00
Günther Deschner
5a87bbd48a r18172: Just a little more verbosity in this debug statement.
Guenther
(This used to be commit e852bc4646)
2007-10-10 11:43:30 -05:00
Günther Deschner
73d25f6f78 r18165: Fix memleaks.
Guenther
(This used to be commit 6f301b2dc3)
2007-10-10 11:43:29 -05:00
Günther Deschner
30c0e93156 r18162: Close socket when the CLDAP request has failed.
Guenther
(This used to be commit 714ea3ceab)
2007-10-10 11:43:29 -05:00
Jeremy Allison
8d812f8eed r18063: When we get a successful connection using ADS,
cache the SAF name under both the domain name
and the realm name, as we could be looking up
under both. Jerry please check.
Jeremy.
(This used to be commit 9d954d2deb)
2007-10-10 11:43:24 -05:00
Volker Lendecke
f8a17bd8bd r18047: More C++ stuff
(This used to be commit 86f4ca84f2)
2007-10-10 11:43:24 -05:00
Volker Lendecke
ee0e397d6f r18019: Fix a C++ warnings: Don't use void * in libads/ for LDAPMessage anymore.
Compiled it on systems with and without LDAP, I hope it does not break the
build farm too badly. If it does, I'll fix it tomorrow.

Volker
(This used to be commit b2ff9680eb)
2007-10-10 11:39:49 -05:00
Jeremy Allison
98cfbd3ccf r18015: Try and detect network failures immediately in
set_dc_type_and_flags().
Fix problem when DC is down in ads_connect, where
we fall back to NetBIOS and try exactly the same
IP addresses we just put in the negative connection
cache.... We can never succeed, so don't try lookups
a second time.
Jeremy.
(This used to be commit 2d28f3e94a)
2007-10-10 11:39:48 -05:00
Jeremy Allison
fea5d59b84 r18010: Ensure we don't timeout twice to the same
server in winbindd when it's down and listed
in the -ve connection cache. Fix memory leak,
reduce timeout for cldap calls - minimum 3 secs.
Jeremy.
(This used to be commit 10b32cb6de)
2007-10-10 11:39:48 -05:00
Jeremy Allison
0f1bc28744 r18006: Actually a smaller change than it looks. Leverage
the get_dc_list code to get the _kerberos. names
for site support. This way we don't depend on one
KDC to do ticket refresh. Even though we know it's
up when we add it, it may go down when we're trying
to refresh.
Jeremy.
(This used to be commit 77fe2a3d74)
2007-10-10 11:39:47 -05:00
Jeremy Allison
d0bbe3751a r18004: If you're writing out a krb5.conf, at least
get the syntax right... :-).
Jeremy.
(This used to be commit ecca467e46)
2007-10-10 11:39:46 -05:00
Jeremy Allison
b05c81a184 r18003: Creating a directory and getting EEXIST isn't an error.
Jeremy.
(This used to be commit 515f86167b)
2007-10-10 11:39:46 -05:00
Jeremy Allison
0a847b4111 r18002: Improved debug.
Jeremy.
(This used to be commit 5f84c8c815)
2007-10-10 11:39:46 -05:00
Jeremy Allison
d31ee84d88 r18001: Proper error reporting on write/close fail.
Jeremy.
(This used to be commit ba311ac4ea)
2007-10-10 11:39:46 -05:00
Jeremy Allison
e05728b669 r18000: Get nelem/size args right for x_fwrite.
Jeremy.
(This used to be commit f1c5409b9f)
2007-10-10 11:39:46 -05:00
Jeremy Allison
1bd715d915 r17999: No need to prevent others from reading. Use 755 instead
of 700, and 644 instead of 600. Reading might help
debugging.
Jeremy.
(This used to be commit 99f100cfec)
2007-10-10 11:39:46 -05:00
Jeremy Allison
d62c3cff51 r17997: Ensure lockdir exists for winbindd. Store tmp
krb5.conf files under lockdir, not privatedir.
Jeremy.
(This used to be commit c59eff3e53)
2007-10-10 11:39:46 -05:00
Jeremy Allison
ef92f91cd7 r17996: Don't talloc free the memory then reference it. Doh !
Jeremy.
(This used to be commit 188eb9794d)
2007-10-10 11:39:45 -05:00
Jeremy Allison
fc6bce6d9c r17995: Ensure we create the domain-specific krb5 files in a
separate directory.
Jeremy.
(This used to be commit 541594153b)
2007-10-10 11:39:45 -05:00
Jeremy Allison
0c9ca3fe19 r17994: Add debugs that showed me why my site code wasn't
working right. Don't update the server site when we
have a client one...
Jeremy.
(This used to be commit 7acbcf9a6c)
2007-10-10 11:39:45 -05:00
Gerald Carter
ac25c32322 r17972: revert accidental commit to ads_verify_ticket()
(This used to be commit 95f6b22e51)
2007-10-10 11:39:44 -05:00
Gerald Carter
e53dfa1f4a r17971: Disable storing SIDs in the S-1-22-1 and S-1-22-2 domain to the SID<->uid/gid cache. FIxes a bug in token creation
(This used to be commit fa05708789)
2007-10-10 11:39:44 -05:00
Jeremy Allison
305ceade39 r17970: Add missing include-guards around ads.h and ads_cldap.h.
Remove all reference to "Default-First-Site-Name" and
treat it like any other site.
Jeremy.
(This used to be commit 5ae3564d68)
2007-10-10 11:39:44 -05:00
Jeremy Allison
a78c61b9cd r17946: Fix couple of typos...
Jeremy.
(This used to be commit 638d53e2ad)
2007-10-10 11:39:01 -05:00
Jeremy Allison
2fcd113f55 r17945: Store the server and client sitenames in the ADS
struct so we can see when they match - only create
the ugly krb5 hack when they do.
Jeremy.
(This used to be commit 9be4ecf24b)
2007-10-10 11:39:01 -05:00
Jeremy Allison
cceb492250 r17944: Handle locking madness.
Jeremy.
(This used to be commit 408267a2d7)
2007-10-10 11:39:01 -05:00
Jeremy Allison
6fada7a82a r17943: The horror, the horror. Add KDC site support by
writing out a custom krb5.conf file containing
the KDC I need. This may suck.... Needs some
testing :-).
Jeremy.
(This used to be commit d500e1f96d)
2007-10-10 11:39:01 -05:00
Jeremy Allison
256172f7d6 r17942: Jerry is right - when no site support is enabled
the client sitename is "Default-First-Site-Name".
Treat this as a blank site (no site configured).
Jeremy.
(This used to be commit 5c46381bd7)
2007-10-10 11:39:01 -05:00
Jeremy Allison
9d37ee52e0 r17937: Move the saf_ cache into the tcp ad connection code.
Cause winbindd to set site support before doing the
generic AD server lookup.
Jeremy.
(This used to be commit a983394171)
2007-10-10 11:39:00 -05:00
Jeremy Allison
7b7ce43b40 r17929: Ok, I think I finally figured out where to put
the code to redo the CLDAP query to restrict DC
DNS lookups to the sitename. Jerry, please check
to stop me going insane :-).
Jeremy.
(This used to be commit 8d22cc1115)
2007-10-10 11:38:59 -05:00
Jeremy Allison
2abab7ee6d r17928: Implement the basic store for CLDAP sitename
support when looking up DC's. On every CLDAP
call store the returned client sitename (if
present, delete store if not) in gencache with
infinate timeout. On AD DNS DC lookup, try looking
for sitename DC's first, only try generic if
sitename DNS lookup failed.
I still haven't figured out yet how to ensure
we fetch the sitename with a CLDAP query before
doing the generic DC list lookup. This code is
difficult to understand. I'll do some experiments
and backtraces tomorrow to try and work out where
to force a CLDAP site query first.
Jeremy.
(This used to be commit ab3f0c5b1e)
2007-10-10 11:38:59 -05:00
Gerald Carter
743a8e7f00 r17910: remove incorrect comment (code has already been fixed)
(This used to be commit 9810d74e17)
2007-10-10 11:38:58 -05:00
Jeremy Allison
9f0c2827a4 r17901: Stanford checker fix. cookie here can't be null or we'd
deref null. Make interface explicit.
Jeremy.
(This used to be commit 4e99606ec1)
2007-10-10 11:38:58 -05:00
Jeremy Allison
0362fde476 r17899: Fix Stanford checker bug - possible null deref.
Jeremy.
(This used to be commit e779491751)
2007-10-10 11:38:57 -05:00
Volker Lendecke
c52b3fb89f r17881: Another microstep towards better error reporting: Make get_sorted_dc_list
return NTSTATUS.

If we want to differentiate different name resolution problems we might want
to introduce yet another error class for Samba-internal errors. Things like no
route to host to the WINS server, a DNS server explicitly said host not found
etc might be worth passing up.

Because we can not stash everything into the existing NT_STATUS codes, what
about a Samba-specific error class like NT_STATUS_DOS and NT_STATUS_LDAP?

Volker
(This used to be commit 60a166f034)
2007-10-10 11:38:57 -05:00
Volker Lendecke
4bbb995e8d r17854: Steal the LDAP in NTSTATUS trick from Samba4
Thanks to Michael Adam <ma@sernet.de>

Volker
(This used to be commit 91878f9b6f)
2007-10-10 11:38:54 -05:00
Gerald Carter
5693e6c599 r17798: Beginnings of a standalone libaddns library released under
the LGPL.   Original code by Krishna Ganugapati <krishnag@centeris.com>.
Additional work by me.

It's still got some warts, but non-secure updates do
currently work.  There are at least four things left to
really clean up.

1. Change the memory management to use talloc() rather than
   malloc() and cleanup the leaks.
2. Fix the error code reporting (see initial changes to
   dnserr.h)
3. Fix the secure updates
4. Define a public interface in addns.h
5. Move the code in libads/dns.c into the libaddns/ directory
   (and under the LGPL).

A few notes:

* Enable the new code by compiling with --with-dnsupdate
* Also adds the command 'net ads dns register'
* Requires -luuid (included in the e2fsprogs-devel package).
* Has only been tested on Linux platforms so there may be portability
  issues.
(This used to be commit 36f04674ae)
2007-10-10 11:38:48 -05:00
Gerald Carter
8cac7c1399 r17795: Finally track down the "ads_connect: Interrupted system call"
error.  Fix our DNS SRV lookup code to deal with multi-homed hosts.
We were noly remembering one IP address per host from the Additional
records section in the SRV response which could have been an unreachable
address.
(This used to be commit 899179d2b9)
2007-10-10 11:38:47 -05:00
Günther Deschner
58247fea05 r17677: There is no need for a 2nd krb5_to_nt_status function, is there?
Michael Adam/Volker, please check.

Guenther
(This used to be commit d0feb85781)
2007-10-10 11:38:46 -05:00
Volker Lendecke
f852fdbe06 r17626: Some C++ Warnings
(This used to be commit 09e7c010f0)
2007-10-10 11:38:44 -05:00
Volker Lendecke
41a4496b20 r17606: Introduce krb5_to_ntstatus.
Thanks to Michael Adam <ma@sernet.de>

Volker
(This used to be commit 6e641c90b8)
2007-10-10 11:38:42 -05:00
Volker Lendecke
ac2fa9f414 r17589: Check in the really uncontroversial patch from Michael
(This used to be commit de76217cfb)
2007-10-10 11:38:41 -05:00
Volker Lendecke
c804dd0117 r17551: Move some DEBUG to d_printf in interactive functions and return
NO_LOGON_SERVERS if no domain controller was found.

Thanks to Michael Adam <ma@sernet.de>.

Volker
(This used to be commit d44599de3a)
2007-10-10 11:38:38 -05:00
Volker Lendecke
b757699e8b r17536: Add a debug message citing the reason why an LDAP connection failed, inspired
by Christian M Ambach <CAMBACH1@de.ibm.com>.

Volker
(This used to be commit cf7c83d462)
2007-10-10 11:38:37 -05:00
Volker Lendecke
7c94b93af6 r17535: Reformatting, this had many tabs instead of ^$
(This used to be commit 0f483cf66c)
2007-10-10 11:38:37 -05:00
Volker Lendecke
fd8bae8b16 r17345: Some C++ warnings
(This used to be commit 21c8fa2fc8)
2007-10-10 11:38:26 -05:00
Gerald Carter
1a0b57b5f5 r17242: BUG 3957: make sure to zero memory in the SRV hostlist in case there is not an A record for each SRV name
(This used to be commit 42608b8bb9)
2007-10-10 11:38:21 -05:00
Gerald Carter
18feaab9d5 r17239: BUG 3959: patch from William Charles <william@charles.name> to fix a segv in the DNS SRV lookups dur to calling rand()
(This used to be commit be12519fd8)
2007-10-10 11:38:21 -05:00
Gerald Carter
f3550d82a7 r17146: Starting to cleanout my local tree some
* add code to lookup NS records (in prep for later coe that
  does DNS updates as part of the net ads join)
(This used to be commit 36d4970646)
2007-10-10 11:38:15 -05:00
Volker Lendecke
846e939260 r17089: Fix a possible null dereference and some memleaks.
Jerry, please check.

Thanks,

Volker
(This used to be commit b87c495221)
2007-10-10 11:38:11 -05:00
Jeremy Allison
de5d967505 r17003: Fix coverity #303 - possible null deref. Jerry please
check this is your new code.
Jeremy.
(This used to be commit 144067783d)
2007-10-10 11:19:17 -05:00
Gerald Carter
69f0c8aef1 r16957: fix cut-n-paste error. The check for 'if (\!salt)' make no sense when fetching the DES salting principal
(This used to be commit baf554c793)
2007-10-10 11:19:15 -05:00
Volker Lendecke
361fef49c5 r16955: Fix an uninitialized var -- Jerry, please check.
(This used to be commit bf701f5129)
2007-10-10 11:19:15 -05:00
Gerald Carter
060b155cd2 r16952: New derive DES salt code and Krb5 keytab generation
Major points of interest:

* Figure the DES salt based on the domain functional level
  and UPN (if present and applicable)
* Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC
  keys
* Remove all the case permutations in the keytab entry
  generation (to be partially re-added only if necessary).
* Generate keytab entries based on the existing SPN values
  in AD

The resulting keytab looks like:

ktutil:  list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   2    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   3    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
   4    6           host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   5    6           host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   6    6           host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
   7    6               suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   8    6               suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   9    6               suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)

The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName)
and the sAMAccountName value.  The UPN will be added as well if the machine has
one. This fixes 'kinit -k'.

Tested keytab using mod_auth_krb and MIT's telnet.  ads_verify_ticket()
continues to work with RC4-HMAC and DES keys.
(This used to be commit 6261dd3c67)
2007-10-10 11:19:15 -05:00
Jeremy Allison
fbdcf2663b r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need
to do the upper layer directories but this is what
everyone is waiting for....

Jeremy.
(This used to be commit 9dafb7f48c)
2007-10-10 11:19:14 -05:00
Günther Deschner
7048040be8 r16862: Reverting accidential changes in ads_try_connect() from previous commit.
Guenther
(This used to be commit 6257f9af93)
2007-10-10 11:19:12 -05:00
Günther Deschner
f3e71c6072 r16861: Fixing crash bug when passing no domain/realm name to the CLDAP request.
Guenther
(This used to be commit 863aeb621a)
2007-10-10 11:19:11 -05:00
Günther Deschner
67d8c7432f r16836: When receiving a CLDAP reply make sure that we always store the correct
netbios domain name in server affinity cache.

Guenther
(This used to be commit 08958411ee)
2007-10-10 11:19:11 -05:00
Jeremy Allison
8f0ea257b6 r16685: Fix bug #3901 reported by jason@ncac.gwu.edu.
Jeremy.
(This used to be commit d48655d9c0)
2007-10-10 11:19:07 -05:00
Jeremy Allison
49f6498a6f r16589: Fix Klocwork #1999. Although it should be impossible to
get duplicate OID's returned in the oids_out list it is
still good programming practice to clear out a malloc'ed
string before re-writing it (especially in a loop).
Jeremy
(This used to be commit ae02c05bfc)
2007-10-10 11:19:02 -05:00
Günther Deschner
1b12b48a09 r16452: Fix memleak in the CLDAP processing (found by valgrind).
Guenther
(This used to be commit 479dec6845)
2007-10-10 11:18:54 -05:00
Volker Lendecke
8961048d24 r16339: Fix Klocwork ID
277 278     (cmd_*)

485 487 488 (ldap.c)

Volker
(This used to be commit 5b1eba76b3)
2007-10-10 11:17:36 -05:00
Jeremy Allison
86a13b97e4 r16326: Klocwork #509. Always check return allocs.
Jeremy.
(This used to be commit 7e397b534a)
2007-10-10 11:17:33 -05:00
Jeremy Allison
d730df0493 r16324: Klocwork #499. Allways check results from alloc.
Jeremy.
(This used to be commit 2b69d436da)
2007-10-10 11:17:33 -05:00
Jeremy Allison
be6fd76436 r16322: Klocwork #481., Don't deref null on malloc fail.
Jeremy.
(This used to be commit dd31f3fc0e)
2007-10-10 11:17:33 -05:00
Günther Deschner
d4ad11ccd8 r16272: Fix memleak.
Guenther
(This used to be commit afdb118902)
2007-10-10 11:17:30 -05:00
Günther Deschner
e030a9e9dc r16268: Add TCP fallback for our implementation of the CHANGEPW kpasswd calls.
This patch is mainly based on the work of Todd Stecher
<tstecher@isilon.com> and has been reviewed by Jeremy.

I sucessfully tested and valgrinded it with MIT 1.4.3, 1.3.5, Heimdal
0.7.2 and 0.6.1rc3.

Guenther
(This used to be commit 535d03cbe8)
2007-10-10 11:17:29 -05:00
Volker Lendecke
edcffcbe28 r16201: Fix Klocwork 439
(This used to be commit b369d0891a)
2007-10-10 11:17:24 -05:00
Jeremy Allison
c0e4753cfc r16199: Fix Klocwork #1 - ensure we test the first
strtok for NULL.
Jeremy.
(This used to be commit 98751e8190)
2007-10-10 11:17:24 -05:00
Günther Deschner
1628d33ba0 r16190: Fix more memleaks.
Guenther
(This used to be commit dfebcc8e19)
2007-10-10 11:17:23 -05:00
Günther Deschner
97f496a0e3 r16117: Make winbindd work again in security=ads.
We still used the old HOST/* UPN to get e.g. users, now we need
samaccountname$@REA.LM.

Guenther
(This used to be commit f6516a799a)
2007-10-10 11:17:21 -05:00
Günther Deschner
bf7a5433b4 r16115: Make "net ads changetrustpw" work again.
(adapt to the new UPN/SPN scheme).

Guenther
(This used to be commit 8fc70d0df0)
2007-10-10 11:17:21 -05:00
Günther Deschner
2b7b5e9ece r15980: Correctly destroy talloc_ctx when the LDAP posix attribute query has
failed. Noticed by Bob Gautier.

Guenther
(This used to be commit 7327f94546)
2007-10-10 11:17:16 -05:00
Lars Müller
ec3021dc3b r15822: Add suggestion made by Ralf Haferkamp.
(This used to be commit 7c375fd540)
2007-10-10 11:17:10 -05:00
Günther Deschner
1e3147cf12 r15704: Prefer LDAP error codes in ads_search_retry_sid().
Guenther
(This used to be commit 6cfc65ea20)
2007-10-10 11:17:08 -05:00
Gerald Carter
463e7c1171 r15701: change 'net ads leave' to disable the machine account in the domain (since removal implies greater permissions that Windows clients require)
(This used to be commit ad1f947625)
2007-10-10 11:17:08 -05:00
Günther Deschner
c60e96c392 r15698: An attempt to make the winbind lookup_usergroups() call in security=ads
more scalable:

The most efficient way is to use the "tokenGroups" attribute which gives
the nested group membership. As this attribute can not always be
retrieved when binding with the machine account (the only garanteed way
to get the tokenGroups I could find is when the machine account is a
member of the "Pre Win2k Access" builtin group).

Our current fallback when "tokenGroups" failed is looking for all groups
where the userdn was in the "member" attribute. This behaves not very
well in very large AD domains.

The patch first tries the "memberOf" attribute on the user's dn in that
case and directly retrieves the group's sids by using the LDAP Extended
DN control from the user's object.

The way to pass down the control to the ldap search call is rather
painfull and probably will be rearranged later on.

Successfully tested on win2k sp0, win2k sp4, wink3 sp1 and win2k3 r2.

Guenther
(This used to be commit 7d766b5505)
2007-10-10 11:17:08 -05:00
Günther Deschner
39c45ce4f1 r15697: I take no comments as no objections :)
Expand the "winbind nss info" to also take "rfc2307" to support the
plain posix attributes LDAP schema from win2k3-r2.

This work is based on patches from Howard Wilkinson and Bob Gautier
(and closes bug #3345).

Guenther
(This used to be commit 52423e01dc)
2007-10-10 11:17:08 -05:00
Günther Deschner
e129dc40f7 r15696: Free LDAP search result.
Guenther
(This used to be commit ec26c355b3)
2007-10-10 11:17:07 -05:00
Volker Lendecke
c290d34985 r15635: Fix a bogus gcc uninit variable message
(This used to be commit 53f7104b4f)
2007-10-10 11:17:04 -05:00
Gerald Carter
f1039b8fb4 r15560: Since the hotel doesn't have Sci-Fi and no "Doctor Who"....
Re-add the capability to specify an OU in which to create
the machine account.  Done via LDAP prior to the RPC join.
(This used to be commit b69ac0e304)
2007-10-10 11:17:01 -05:00
Günther Deschner
453e4b50aa r15559: Smaller fixes for the new cldap code:
* replace printf to stderr with DEBUG statements as they get printed in
  daemons
* "net ads lookup" return code

Guenther
(This used to be commit 8dd925c5fb)
2007-10-10 11:17:01 -05:00