IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
state->domain->netlogon_binding is a child of ctx, and ctx is freed by
the composite_is_ok failure callback
(This used to be commit 3c217518ba9a7b64fe6c842187499f1ee5189567)
return full SIDs for the user SID and primary group sid.
This should help kai with his getpwnam work in winbind.
Andrew Bartlett
(This used to be commit 078671d5015c63e4bcd96815e150dae918763b83)
We need to set the access_mask and the domain name, or else libnet
will try to do this itself.
This seems to fix the issues Kai was having.
Andrew Bartlett
(This used to be commit 44c193272b05959c756ee0078d666bcdf1374023)
We now setup a libnet_ctx for each domain. We should then be able to
replace/merge some more of the winbind code with libnet calls,
referencing domain->libnet_ctx.
Andrew Bartlett
(This used to be commit bad2dc14d704be59300f619c84694c11620559e0)
Add a test for wbinfo -a to test_member.sh
Reimplement the server-side 'pam_auth' and 'pam_auth_crap' calls to
use the same SamLogon code as auth_winbind uses.
In my previous code, we did not bind to the LSA and SAMR pipes, before
attempting operations. We now do this (how we passed any tests before
is beyond me).
This required some rework, particularly to make it easier to setup
secondary connections. The new rpc_secondary_auth_connection()
function also performs the bind.
The dcerpc_connect.c file was getting to big, so things have been
merged into dcerpc_secondary.c.
Andrew Bartlett
(This used to be commit 365778a993b7d76af6d53ba2a598b7e271741dc5)
There are still a few tidyups of old FSF addresses to come (in both s3
and s4). More commits soon.
(This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
(I created finddcs() from the winbind code a while back, so this
finishes that work)
Andrew Bartlett
(This used to be commit 218b279a46a4ca739597936f0b67573599e6d375)
decided to clean it up a little.
We now use SPNEGO for authentication if possible, and common routines
shared with the rest of the librpc codebase. Rather than make a
connection to IPC$, then connect the pipes to it, we instead have the
lsa and samr pipes as 'secondary connections'.
Andrew Bartlett
(This used to be commit 86654056b22245a57396544d572de6401069b9e5)
This change in particular catches winbind up with the next
composite_create() function.
We also needed to remove an unused flags field, and fill in the lm
response.
Andrew Bartlett
(This used to be commit bd26e4ffaf1c060fdc3aae28fd4393e83c5a83ea)
using the pattern in the clilsa code, it didn't fill in the p->binding
structure. This affects nearly all users of dcerpc_pipe_open_smb(), so
the simplest fix is to ensure that dcerpc_pipe_open_smb() initialises
the binding if its not already there.
- re-enable the RAW-ACLS test
(This used to be commit d8875c286d2be49c01703d8fd58bbc1842054bd9)
library. Even though we don't like to that library, it gets loaded via
nss-ldap, which means nss-ldap calls into the samba ldap lib with the
wrong parameters, and crashes.
We really need to use a completely different namespace in libcli/ldap/
(This used to be commit c440e0eed9afae5fe69995a7416971e7c8560779)
* Move dlinklist.h, smb.h to subsystem-specific directories
* Clean up ads.h and move what is left of it to dsdb/
(only place where it's used)
(This used to be commit f7afa1cb77f3cfa7020b57de12e6003db7cfcc42)
Remove some autogenerated headers (which had prototypes now autogenerated by pidl)
Remove ndr_security.h from a few places - it's no longer necessary
(This used to be commit c19c2b51d3e1ad347120b06a22bda5ec586c22e8)
In librpc, always try SMB level authentication, even if trying
schannel, but allow fallback to anonymous. This should better
function with servers that set restrict anonymous.
There are too many parts of Samba that get, parse and modify the
binding parameters. Avoid the extra work, and add a binding element
to the struct dcerpc_pipe
The libnet vampire code has been refactored, to reduce extra layers
and to better conform with the standard argument pattern. Also, take
advantage of the new libnet_Lookup code, so we don't require the silly
'password server' smb.conf parameter.
To better support forcing traffic to be sealed for the vampire
operation, the dcerpc_bind_auth() function now takes an auth level
parameter.
Andrew Bartlett
(This used to be commit d65b354959842326fdd4bd7eb7fbeea0390f4afa)
dcerpc_interface_table struct rather then a tuple of interface
name, UUID and version.
This removes the requirement for having a global list of DCE/RPC interfaces,
except for these parts of the code that use that list explicitly
(ndrdump and the scanner torture test).
This should also allow us to remove the hack that put the authservice parameter
in the dcerpc_binding struct as it can now be read directly from
dcerpc_interface_table.
I will now modify some of these functions to take a dcerpc_syntax_id
structure rather then a full dcerpc_interface_table.
(This used to be commit 8aae0f168e54c01d0866ad6e0da141dbd828574f)
This also removes dcerpc_bind_auth_password, the only user of
dcerpc_bind_auth. And this was not only passwords anyway.
Andrew Bartlett, as usual: Please take a close look.
Thanks,
Volker
(This used to be commit 2ff2dae3d035af6cb0c131573cfd983fc9a58eee)
support cldap and other stuff in the future.
This temporarily disables wbinfo -t, but that will come back soon.
Try an ldap bind using gss-spnego. This got me krb5 binds against "our" w2k3
and a trusted w2k, although with some memleaks from krb5 and a BAD_OPTION
tgs-rep error.
Volker
(This used to be commit d14948fdf687c8f70ef9ec35445b7eb04da84253)
--user-sids required the extension to trusted domains.
Implement "winbind sealed pipes" parameter for debugging purposes.
Volker
(This used to be commit 3821a17bdb68b2f1389b5a150502c057d28569d2)
first. And if a request is being processed, queue it. This correctly survived
3 endless loops with wbinfo's doing different things while starting up smbd.
The number of indirections starts to become a bit scary, but what can you do
without a decent programming language that provides closures :-)
One thing that we might consider is to auto-generate async rpc requests that
return composite_context structs instead of rpc_requests. Otherwise I'd have
to write a lot of wrappers like composite_netr_LogonSamLogon_send.
The alternative would be to write two versions of wb_queue_domain_send which I
would like to avoid. This is cluttered enough already.
Volker
(This used to be commit 66c1b674f9870de73cce0e611909caf9eff34baa)
* rename the composite helper functions from comp_* to composite_*
* Move the lsa initialization to wb_connect_lsa.c
* Equip smb_composite_connect with a fallback_to_anonymous
The latter two simplify wb_init_domain.c quite a bit.
Volker
(This used to be commit deb127e04ea01ae93394da5ebffb39d81caeb6d9)
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
