1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

372 Commits

Author SHA1 Message Date
Günther Deschner
9d6f8ed5e7 r23837: Pass ADS_STRUCT and TALLOC_CTX down to ads_disp_sd.
Guenther
(This used to be commit ad0a6d5703)
2007-10-10 12:28:32 -05:00
Günther Deschner
f05dcab9bf r23836: Add ads_config_path() and ads_get_extended_right_name_by_guid().
Guenther
(This used to be commit 4d62f1191b)
2007-10-10 12:28:32 -05:00
Günther Deschner
c252b04abf r23834: Allow to pass an ADS_STRUCT pointer down to the dump function callback in
libads.

Guenther
(This used to be commit 311bbbafa6)
2007-10-10 12:28:32 -05:00
Günther Deschner
c8e23e4091 r23833: Document ads_find_samaccount().
Guenther
(This used to be commit 3effd1c346)
2007-10-10 12:28:31 -05:00
Andrew Tridgell
5e54558c6d r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text
(This used to be commit b0132e94fc)
2007-10-10 12:28:22 -05:00
Jeremy Allison
d824b98f80 r23779: Change from v2 or later to v3 or later.
Jeremy.
(This used to be commit 407e6e695b)
2007-10-10 12:28:20 -05:00
Günther Deschner
221d06d6f3 r23772: Add ads_find_samaccount() helper function.
Guenther
(This used to be commit 6fafa64bea)
2007-10-10 12:23:55 -05:00
Jeremy Allison
5a80fa5c0c r23514: Remove unused function ads_get_dn_from_extended_dn().
Jeremy.
(This used to be commit 03763bc528)
2007-10-10 12:23:24 -05:00
Michael Adam
2753d30cbe r22893: Use ldap_rename_s instead of deprecated ldap_rename2_s.
This fixes the build on solaris (host sun9).
And hopefully doesn't break any other builds... :-)
If it does, we need some configure magic.

Thanks to Björn Jacke <bj@sernet.de>.
(This used to be commit a43775ab36)
2007-10-10 12:22:05 -05:00
Günther Deschner
83564b43e3 r22800: Add GPO_SID_TOKEN and an LDAP function to get tokensids from the tokenGroup attribute.
Guenther
(This used to be commit e4e8f84060)
2007-10-10 12:21:59 -05:00
Günther Deschner
75a0171857 r22799: Fix the build.
Guenther
(This used to be commit 6e911c442b)
2007-10-10 12:21:59 -05:00
Günther Deschner
9c170fce26 r22797: We are only interested in the DACL of the security descriptor, so search with
the SD_FLAGS control.

Guenther
(This used to be commit 648df57e53)
2007-10-10 12:21:57 -05:00
Gerald Carter
3eca3af1bc r22728: Patch from Danilo Almeida <dalmeida@centeris.com>:
When asked to create a machine account in an OU as part
of "net ads join" and the account already exists in another
OU, simply move the machine object to the requested OU.
(This used to be commit 3004cc6e59)
2007-10-10 12:21:51 -05:00
Jeremy Allison
be8b0685a5 r22589: Make TALLOC_ARRAY consistent across all uses.
Jeremy.
(This used to be commit 8968808c3b)
2007-10-10 12:19:49 -05:00
Günther Deschner
8040fec0ac r22459: Adding ads_get_dn_from_extended_dn(), in preparation of making ranged LDAP
queries more generic. Michael, feel free to overwrite these and the following.

Guenther
(This used to be commit 0475b8eea9)
2007-10-10 12:19:35 -05:00
Jeremy Allison
725fcf3461 r22112: Fix memleak pointed out by Steven Danneman <steven.danneman@isilon.com>.
Jeremy.
(This used to be commit 7c45bd3a47)
2007-10-10 12:19:14 -05:00
Jeremy Allison
fae01b4899 r21608: Fix a couple of memleaks in error code paths before
Coverity finds them :-)
Jeremy.
(This used to be commit cbe725f1b0)
2007-10-10 12:18:16 -05:00
Simo Sorce
e9e6af5951 r21606: Implement escaping function for ldap RDN values
Fix escaping of DN components and filters around the code
Add some notes to commandline help messages about how to pass DNs

revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was
incorrect.
The 2 functions use DNs in different ways.

- lookup_usergroups_member() uses the DN in a search filter,
and must use the filter escaping function to escape it
Escaping filters that include escaped DNs ("\," becomes "\5c,") is the
correct way to do it (tested against W2k3).

- lookup_usergroups_memberof() instead uses the DN ultimately as a base dn.
Both functions do NOT need any DN escaping function as DNs can't be reliably
escaped when in a string form, intead each single RDN value must be escaped
separately.

DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as
they come already escaped on the wire and passed as is by the ldap libraries

DN filtering has been tested.
For example now it is possible to do something like:
'net ads add user joe#5' as now the '#' character is correctly escaped when
building the DN, previously such a call failed with Invalid DN Syntax.

Simo.
(This used to be commit 5b4838f62a)
2007-10-10 12:18:16 -05:00
Günther Deschner
5aa3b27949 r21352: Let ads_upn_suffixes() return a pointer to an array of suffixes.
Guenther
(This used to be commit 7ad7847e5b)
2007-10-10 12:17:57 -05:00
Günther Deschner
08726ffcd4 r21349: Fix memleak in ads_upn_suffixes().
Guenther
(This used to be commit 8462f323cf)
2007-10-10 12:17:57 -05:00
Günther Deschner
8751923635 r21021: Fix memleak.
Guenther
(This used to be commit 4e622572eb)
2007-10-10 12:17:28 -05:00
Günther Deschner
e9c294b926 r20874: We need to distinguish client sitenames per realm. We were overwriting
the stored client sitename with the sitename from each sucessfull CLDAP
connection.

Guenther
(This used to be commit 6a13e878b5)
2007-10-10 12:17:16 -05:00
Jeremy Allison
bfd099e148 r20857: Silence gives assent :-). Checking in the fix for
site support in a network where many DC's are down.
I heard via Volker there is still a bug w.r.t the
wrong site being chosen with trusted domains but
we'll have to layer that fix on top of this.
Gd - complain if this doesn't work for you.
Jeremy.
(This used to be commit 97e248f89a)
2007-10-10 12:17:14 -05:00
Gerald Carter
d3fc370fb9 r20487: Remove the unused dn2ad_canonical() call
(This used to be commit 86e6ae6a9f)
2007-10-10 12:16:52 -05:00
Volker Lendecke
bae1fcd20f r19687: Fix uninitialized variables found by Coverity (and gcc -O1... ;-))
Volker
(This used to be commit b7dc9b8169)
2007-10-10 12:15:47 -05:00
Günther Deschner
61a38bd4b8 r19651: Fix interesting bug with the automatic site coverage in Active Directory:
When having DC-less sites, AD assigns DCs from other sites to that site
that does not have it's own DC. The most reliable way for us to identify
the nearest DC - in that and all other cases - is the closest_dc flag in
the CLDAP reply.

Guenther
(This used to be commit ff004f7284)
2007-10-10 12:15:44 -05:00
Günther Deschner
e513fb27d6 r19646: Fix memleak in the default_ou_string handling. Thanks to David Hu
<david.hu@hp.com>. Fixes #4212.

Guenther
(This used to be commit 4ec896cdbe)
2007-10-10 12:15:43 -05:00
Günther Deschner
31a63ab19f r19528: Fix container handling for "net ads user" and "net ads group" functions
along with some memleaks.

Guenther
(This used to be commit 4bad52c5b3)
2007-10-10 12:15:41 -05:00
Günther Deschner
6b65a1c26d r19526: Fix minor memleak.
Guenther
(This used to be commit 61ebedc82e)
2007-10-10 12:15:40 -05:00
Günther Deschner
424d7640b8 r19263: Be more accurate in telling what the sitename problem is in this DEBUG
statement.

Guenther
(This used to be commit 62928734b8)
2007-10-10 12:15:26 -05:00
Günther Deschner
f7633eca18 r18923: Fix more memleaks.
Guenther
(This used to be commit ecb632a153)
2007-10-10 12:14:47 -05:00
Günther Deschner
dd992469dd r18902: Also dump mS-DS-CreatorSID.
Guenther
(This used to be commit e7cae9bbae)
2007-10-10 12:14:44 -05:00
Jeremy Allison
664c3f4166 r18663: Fix one more uuid -> GUID.
Jeremy.
(This used to be commit e568271af2)
2007-10-10 12:00:44 -05:00
Jeremy Allison
a0aaa82f6d r18552: Ensure the sitename matches before we SAF store a DC in ADS mode.
Jeremy.
(This used to be commit 03e1078b45)
2007-10-10 11:51:49 -05:00
Jeremy Allison
a4743f3a76 r18480: Doh ! Double-free of hostnameDN.
Jeremy.
(This used to be commit f8984fa8b7)
2007-10-10 11:51:43 -05:00
Volker Lendecke
dfa62cfa98 r18464: Solaris has LDAP_SCOPE_ONELEVEL. Linux seems to have it as well.
Fix a C++ compat warning.

Volker
(This used to be commit 351e583f66)
2007-10-10 11:51:42 -05:00
Volker Lendecke
d3237d2233 r18453: Attempt to fix the non-ldap build
(This used to be commit 86db854230)
2007-10-10 11:51:42 -05:00
Jeremy Allison
8c2c5c5d1d r18446: Add the ldap 'leave domain' code - call this as
a non-fatal error path if the 'disable machine
account' code succeeded.
Jeremy.
(This used to be commit f47bffa21e)
2007-10-10 11:51:42 -05:00
Günther Deschner
73d25f6f78 r18165: Fix memleaks.
Guenther
(This used to be commit 6f301b2dc3)
2007-10-10 11:43:29 -05:00
Jeremy Allison
8d812f8eed r18063: When we get a successful connection using ADS,
cache the SAF name under both the domain name
and the realm name, as we could be looking up
under both. Jerry please check.
Jeremy.
(This used to be commit 9d954d2deb)
2007-10-10 11:43:24 -05:00
Volker Lendecke
ee0e397d6f r18019: Fix a C++ warnings: Don't use void * in libads/ for LDAPMessage anymore.
Compiled it on systems with and without LDAP, I hope it does not break the
build farm too badly. If it does, I'll fix it tomorrow.

Volker
(This used to be commit b2ff9680eb)
2007-10-10 11:39:49 -05:00
Jeremy Allison
98cfbd3ccf r18015: Try and detect network failures immediately in
set_dc_type_and_flags().
Fix problem when DC is down in ads_connect, where
we fall back to NetBIOS and try exactly the same
IP addresses we just put in the negative connection
cache.... We can never succeed, so don't try lookups
a second time.
Jeremy.
(This used to be commit 2d28f3e94a)
2007-10-10 11:39:48 -05:00
Jeremy Allison
0c9ca3fe19 r17994: Add debugs that showed me why my site code wasn't
working right. Don't update the server site when we
have a client one...
Jeremy.
(This used to be commit 7acbcf9a6c)
2007-10-10 11:39:45 -05:00
Jeremy Allison
a78c61b9cd r17946: Fix couple of typos...
Jeremy.
(This used to be commit 638d53e2ad)
2007-10-10 11:39:01 -05:00
Jeremy Allison
2fcd113f55 r17945: Store the server and client sitenames in the ADS
struct so we can see when they match - only create
the ugly krb5 hack when they do.
Jeremy.
(This used to be commit 9be4ecf24b)
2007-10-10 11:39:01 -05:00
Jeremy Allison
6fada7a82a r17943: The horror, the horror. Add KDC site support by
writing out a custom krb5.conf file containing
the KDC I need. This may suck.... Needs some
testing :-).
Jeremy.
(This used to be commit d500e1f96d)
2007-10-10 11:39:01 -05:00
Jeremy Allison
9d37ee52e0 r17937: Move the saf_ cache into the tcp ad connection code.
Cause winbindd to set site support before doing the
generic AD server lookup.
Jeremy.
(This used to be commit a983394171)
2007-10-10 11:39:00 -05:00
Jeremy Allison
2abab7ee6d r17928: Implement the basic store for CLDAP sitename
support when looking up DC's. On every CLDAP
call store the returned client sitename (if
present, delete store if not) in gencache with
infinate timeout. On AD DNS DC lookup, try looking
for sitename DC's first, only try generic if
sitename DNS lookup failed.
I still haven't figured out yet how to ensure
we fetch the sitename with a CLDAP query before
doing the generic DC list lookup. This code is
difficult to understand. I'll do some experiments
and backtraces tomorrow to try and work out where
to force a CLDAP site query first.
Jeremy.
(This used to be commit ab3f0c5b1e)
2007-10-10 11:38:59 -05:00
Jeremy Allison
9f0c2827a4 r17901: Stanford checker fix. cookie here can't be null or we'd
deref null. Make interface explicit.
Jeremy.
(This used to be commit 4e99606ec1)
2007-10-10 11:38:58 -05:00
Volker Lendecke
c52b3fb89f r17881: Another microstep towards better error reporting: Make get_sorted_dc_list
return NTSTATUS.

If we want to differentiate different name resolution problems we might want
to introduce yet another error class for Samba-internal errors. Things like no
route to host to the WINS server, a DNS server explicitly said host not found
etc might be worth passing up.

Because we can not stash everything into the existing NT_STATUS codes, what
about a Samba-specific error class like NT_STATUS_DOS and NT_STATUS_LDAP?

Volker
(This used to be commit 60a166f034)
2007-10-10 11:38:57 -05:00
Gerald Carter
5693e6c599 r17798: Beginnings of a standalone libaddns library released under
the LGPL.   Original code by Krishna Ganugapati <krishnag@centeris.com>.
Additional work by me.

It's still got some warts, but non-secure updates do
currently work.  There are at least four things left to
really clean up.

1. Change the memory management to use talloc() rather than
   malloc() and cleanup the leaks.
2. Fix the error code reporting (see initial changes to
   dnserr.h)
3. Fix the secure updates
4. Define a public interface in addns.h
5. Move the code in libads/dns.c into the libaddns/ directory
   (and under the LGPL).

A few notes:

* Enable the new code by compiling with --with-dnsupdate
* Also adds the command 'net ads dns register'
* Requires -luuid (included in the e2fsprogs-devel package).
* Has only been tested on Linux platforms so there may be portability
  issues.
(This used to be commit 36f04674ae)
2007-10-10 11:38:48 -05:00
Volker Lendecke
c804dd0117 r17551: Move some DEBUG to d_printf in interactive functions and return
NO_LOGON_SERVERS if no domain controller was found.

Thanks to Michael Adam <ma@sernet.de>.

Volker
(This used to be commit d44599de3a)
2007-10-10 11:38:38 -05:00
Volker Lendecke
b757699e8b r17536: Add a debug message citing the reason why an LDAP connection failed, inspired
by Christian M Ambach <CAMBACH1@de.ibm.com>.

Volker
(This used to be commit cf7c83d462)
2007-10-10 11:38:37 -05:00
Volker Lendecke
7c94b93af6 r17535: Reformatting, this had many tabs instead of ^$
(This used to be commit 0f483cf66c)
2007-10-10 11:38:37 -05:00
Volker Lendecke
846e939260 r17089: Fix a possible null dereference and some memleaks.
Jerry, please check.

Thanks,

Volker
(This used to be commit b87c495221)
2007-10-10 11:38:11 -05:00
Gerald Carter
060b155cd2 r16952: New derive DES salt code and Krb5 keytab generation
Major points of interest:

* Figure the DES salt based on the domain functional level
  and UPN (if present and applicable)
* Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC
  keys
* Remove all the case permutations in the keytab entry
  generation (to be partially re-added only if necessary).
* Generate keytab entries based on the existing SPN values
  in AD

The resulting keytab looks like:

ktutil:  list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   2    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   3    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
   4    6           host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   5    6           host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   6    6           host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
   7    6               suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   8    6               suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   9    6               suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)

The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName)
and the sAMAccountName value.  The UPN will be added as well if the machine has
one. This fixes 'kinit -k'.

Tested keytab using mod_auth_krb and MIT's telnet.  ads_verify_ticket()
continues to work with RC4-HMAC and DES keys.
(This used to be commit 6261dd3c67)
2007-10-10 11:19:15 -05:00
Jeremy Allison
fbdcf2663b r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need
to do the upper layer directories but this is what
everyone is waiting for....

Jeremy.
(This used to be commit 9dafb7f48c)
2007-10-10 11:19:14 -05:00
Günther Deschner
7048040be8 r16862: Reverting accidential changes in ads_try_connect() from previous commit.
Guenther
(This used to be commit 6257f9af93)
2007-10-10 11:19:12 -05:00
Günther Deschner
f3e71c6072 r16861: Fixing crash bug when passing no domain/realm name to the CLDAP request.
Guenther
(This used to be commit 863aeb621a)
2007-10-10 11:19:11 -05:00
Günther Deschner
67d8c7432f r16836: When receiving a CLDAP reply make sure that we always store the correct
netbios domain name in server affinity cache.

Guenther
(This used to be commit 08958411ee)
2007-10-10 11:19:11 -05:00
Jeremy Allison
8f0ea257b6 r16685: Fix bug #3901 reported by jason@ncac.gwu.edu.
Jeremy.
(This used to be commit d48655d9c0)
2007-10-10 11:19:07 -05:00
Volker Lendecke
8961048d24 r16339: Fix Klocwork ID
277 278     (cmd_*)

485 487 488 (ldap.c)

Volker
(This used to be commit 5b1eba76b3)
2007-10-10 11:17:36 -05:00
Jeremy Allison
d730df0493 r16324: Klocwork #499. Allways check results from alloc.
Jeremy.
(This used to be commit 2b69d436da)
2007-10-10 11:17:33 -05:00
Jeremy Allison
be6fd76436 r16322: Klocwork #481., Don't deref null on malloc fail.
Jeremy.
(This used to be commit dd31f3fc0e)
2007-10-10 11:17:33 -05:00
Günther Deschner
1628d33ba0 r16190: Fix more memleaks.
Guenther
(This used to be commit dfebcc8e19)
2007-10-10 11:17:23 -05:00
Günther Deschner
97f496a0e3 r16117: Make winbindd work again in security=ads.
We still used the old HOST/* UPN to get e.g. users, now we need
samaccountname$@REA.LM.

Guenther
(This used to be commit f6516a799a)
2007-10-10 11:17:21 -05:00
Lars Müller
ec3021dc3b r15822: Add suggestion made by Ralf Haferkamp.
(This used to be commit 7c375fd540)
2007-10-10 11:17:10 -05:00
Gerald Carter
463e7c1171 r15701: change 'net ads leave' to disable the machine account in the domain (since removal implies greater permissions that Windows clients require)
(This used to be commit ad1f947625)
2007-10-10 11:17:08 -05:00
Günther Deschner
c60e96c392 r15698: An attempt to make the winbind lookup_usergroups() call in security=ads
more scalable:

The most efficient way is to use the "tokenGroups" attribute which gives
the nested group membership. As this attribute can not always be
retrieved when binding with the machine account (the only garanteed way
to get the tokenGroups I could find is when the machine account is a
member of the "Pre Win2k Access" builtin group).

Our current fallback when "tokenGroups" failed is looking for all groups
where the userdn was in the "member" attribute. This behaves not very
well in very large AD domains.

The patch first tries the "memberOf" attribute on the user's dn in that
case and directly retrieves the group's sids by using the LDAP Extended
DN control from the user's object.

The way to pass down the control to the ldap search call is rather
painfull and probably will be rearranged later on.

Successfully tested on win2k sp0, win2k sp4, wink3 sp1 and win2k3 r2.

Guenther
(This used to be commit 7d766b5505)
2007-10-10 11:17:08 -05:00
Günther Deschner
39c45ce4f1 r15697: I take no comments as no objections :)
Expand the "winbind nss info" to also take "rfc2307" to support the
plain posix attributes LDAP schema from win2k3-r2.

This work is based on patches from Howard Wilkinson and Bob Gautier
(and closes bug #3345).

Guenther
(This used to be commit 52423e01dc)
2007-10-10 11:17:08 -05:00
Günther Deschner
e129dc40f7 r15696: Free LDAP search result.
Guenther
(This used to be commit ec26c355b3)
2007-10-10 11:17:07 -05:00
Volker Lendecke
c290d34985 r15635: Fix a bogus gcc uninit variable message
(This used to be commit 53f7104b4f)
2007-10-10 11:17:04 -05:00
Gerald Carter
f1039b8fb4 r15560: Since the hotel doesn't have Sci-Fi and no "Doctor Who"....
Re-add the capability to specify an OU in which to create
the machine account.  Done via LDAP prior to the RPC join.
(This used to be commit b69ac0e304)
2007-10-10 11:17:01 -05:00
Gerald Carter
2c029a8b96 r15543: New implementation of 'net ads join' to be more like Windows XP.
The motivating factor is to not require more privileges for
the user account than Windows does when joining a domain.

The points of interest are

* net_ads_join() uses same rpc mechanisms as net_rpc_join()
* Enable CLDAP queries for filling in the majority of the
  ADS_STRUCT->config information
* Remove ldap_initialized() from sam/idmap_ad.c and
  libads/ldap.c
* Remove some unnecessary fields from ADS_STRUCT
* Manually set the dNSHostName and servicePrincipalName attribute
  using the machine account after the join

Thanks to Guenther and Simo for the review.

Still to do:

* Fix the userAccountControl for DES only systems
* Set the userPrincipalName in order to support things like
  'kinit -k' (although we might be able to just use the sAMAccountName
  instead)
* Re-add support for pre-creating the machine account in
  a specific OU
(This used to be commit 4c4ea7b20f)
2007-10-10 11:16:57 -05:00
Günther Deschner
3bff11407e r15461: Free LDAP result in ads_get_attrname_by_oid().
Guenther
(This used to be commit f4af888282)
2007-10-10 11:16:49 -05:00
Günther Deschner
b86c19795a r15250: dump some more sids.
Guenther
(This used to be commit 2922c7f570)
2007-10-10 11:16:30 -05:00
Jim McDonough
92f139d4c4 r14931: Fix #1374: can't join an OU with name that contains '#'
I had to eliminate "\" as an OU path separator, because it is the escape
char in LDAP.  We still accept "/", but using the escape char is just
not a good choice.
(This used to be commit 1953f63903)
2007-10-10 11:15:54 -05:00
Jim McDonough
06f7ee5d4b r14252: Fix Coverity #72: free alloc'ed storage before return. Also found one
more that coverity didn't find from asprintf.
(This used to be commit 37b6e2c8de)
2007-10-10 11:15:21 -05:00
Jeremy Allison
acf0c6fb66 r14118: Fix coverity bug #24. Missing return statement meant
a possible NULL ptr deref.
Jeremy.
(This used to be commit 78ac3f9cbd)
2007-10-10 11:11:13 -05:00
Günther Deschner
3432273ab0 r13965: Make sure we always reset the userAccountControl bits when re-joining
with an existing account.

Guenther
(This used to be commit e4c12ab167)
2007-10-10 11:11:01 -05:00
Volker Lendecke
c2288e6db3 r13951: Fix Coverity Bug #163.
This code was not used anyway :-)

Volker
(This used to be commit bbfb205693)
2007-10-10 11:11:01 -05:00
Günther Deschner
379bd6865f r13657: Let winbindd try to obtain the gecos field from the msSFU30Gecos
attribute when "winbind nss info = sfu" is set. Fixes #3539.

Guenther
(This used to be commit ffce0461de)
2007-10-10 11:10:21 -05:00
Günther Deschner
c1ffb8d9bc r13410: Dump a netbootGUID as a GUID.
Guenther
(This used to be commit 9b19a68456)
2007-10-10 11:09:59 -05:00
Gerald Carter
0af1500fc0 r13316: Let the carnage begin....
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed)
2007-10-10 11:06:23 -05:00
Gerald Carter
855e02f164 r13310: first round of server affinity patches for winbindd & net ads join
(This used to be commit 6c3480f9ae)
2007-10-10 11:06:23 -05:00
James Peach
92092cbcdc r12878: Don't use non-static array initialisers.
(This used to be commit 95b231f028)
2007-10-10 11:06:05 -05:00
Gerald Carter
3f6d9a7b9d r12196: patch from Krishna Ganugapati <krishnag@centeris.com>
Use the subtree delete ldap control when running 'net ads leave'
to ensure that the machine account is actually deleted.
(This used to be commit e96000c16c)
2007-10-10 11:05:49 -05:00
Jeremy Allison
d1f91f7c72 r12043: It's amazing the warnings you find when compiling on a 64-bit
box with gcc4 and -O6...
Fix a bunch of C99 dereferencing type-punned pointer will break
strict-aliasing rules errors. Also added prs_int32 (not uint32...)
as it's needed in one place. Find places where prs_uint32 was being
used to marshall/unmarshall a time_t (a big no no on 64-bits).
More warning fixes to come.
Thanks to Volker for nudging me to compile like this.
Jeremy.
(This used to be commit c65b752604)
2007-10-10 11:05:42 -05:00
Günther Deschner
f6b8327fac r11875: Allow to use START_TLS (by manually setting "ldap ssl = start_tls") for
LDAP connections to ADS (Windows 2003).

Guenther
(This used to be commit 95543fab0f)
2007-10-10 11:05:33 -05:00
Gerald Carter
ac331c48db r11863: BUG 3196: patch from Alex Deiter <tiamat@komi.mts.ru> to compile against the Sun LDAP client libs. But not for AD support; just ldap support
(This used to be commit a33e78aced)
2007-10-10 11:05:31 -05:00
Gerald Carter
54abd2aa66 r10656: BIG merge from trunk. Features not copied over
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d7)
2007-10-10 11:04:48 -05:00
Günther Deschner
065d7e82a7 r8048: Replace "done" with "failed".
Guenther
(This used to be commit 7285edc4fe)
2007-10-10 10:58:09 -05:00
Volker Lendecke
3f11139bf3 r8047: "oid" is defined in a heimdal header. With my gcc this generates a ton of
shadowed variable warnings. Fix that.

Volker
(This used to be commit 3846c0afa1)
2007-10-10 10:58:09 -05:00
Günther Deschner
2e7f22e833 r7994: This adds support in Winbindd's "security = ads"-mode to retrieve the POSIX
homedirectory and the loginshell from Active Directory's "Services for Unix".

Enable it with:

        winbind sfu support = yes

User-Accounts without SFU-Unix-Attributes will be assigned template-based
Shells and Homedirs as before.

Note that it doesn't matter which version of Services for Unix you use (2.0,
2.2, 3.0 or 3.5). Samba should detect the correct attributes (msSFULoginShell,
msSFU30LoginShell, etc.) automatically.

If you also want to share the same uid/gid-space as SFU then also use PADL's
ad-idmap-Plugin:

        idmap backend = ad

When using the idmap-plugin only those accounts will appear in Name Service
Switch that have those UNIX-attributes which avoids potential uid/gid-space
clashes between SFU-ids and automatically assigned idmap-ids.

Guenther
(This used to be commit 28b5969942)
2007-10-10 10:58:07 -05:00
Jeremy Allison
7b9d6ac23e r6595: This is Volkers new-talloc patch. Just got the go-ahead from
Volker to commit. Woo Hoo !
Jeremy.
(This used to be commit 316df944a4)
2007-10-10 10:56:46 -05:00
Derrell Lipman
9840db418b r6149: Fixes bugs #2498 and 2484.
1. using smbc_getxattr() et al, one may now request all access control
   entities in the ACL without getting all other NT attributes.
2. added the ability to exclude specified attributes from the result set
   provided by smbc_getxattr() et al, when requesting all attributes,
   all NT attributes, or all DOS attributes.
3. eliminated all compiler warnings, including when --enable-developer
   compiler flags are in use.  removed -Wcast-qual flag from list, as that
   is specifically to force warnings in the case of casting away qualifiers.

Note: In the process of eliminating compiler warnings, a few nasties were
      discovered.  In the file libads/sasl.c, PRIVATE kerberos interfaces
      are being used; and in libsmb/clikrb5.c, both PRIAVE and DEPRECATED
      kerberos interfaces are being used.  Someone who knows kerberos
      should look at these and determine if there is an alternate method
      of accomplishing the task.
(This used to be commit 994694f7f2)
2007-10-10 10:56:24 -05:00
Gerald Carter
73d1950c01 r5956: more compile warngin fixes from the Mr. Mader
(This used to be commit f3f315b14d)
2007-10-10 10:56:11 -05:00
Gerald Carter
40295c41db r5948: more compile cleanups from Jason Mader
(This used to be commit cc6c769c3c)
2007-10-10 10:56:10 -05:00
Gerald Carter
a309fed583 r5336: BUG 2329: fix to re-enable winbindd to locate DC's when 'disable netbios = yes'
(This used to be commit 75a223f118)
2007-10-10 10:55:38 -05:00
Gerald Carter
44be949f28 r5207: patches from Jay Fenlason @ RedHat (scooped from their Fedora packages)
(This used to be commit 9019a84361)
2007-10-10 10:55:33 -05:00
Jeremy Allison
d16a5c4381 r4665: Fix inspired by posting from Joe Meadows <jameadows@webopolis.com>.
Make all LDAP timeouts consistent.
Jeremy.
(This used to be commit 0f0281c234)
2007-10-10 10:53:50 -05:00
Jeremy Allison
883874c562 r4346: Fix cut-and-paste error - bugid #2189. Fixed by Buck Huppmann <buckh@pobox.com>
Jeremy.
(This used to be commit 5c22cb082c)
2007-10-10 10:53:45 -05:00
Jeremy Allison
acf9d61421 r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f)
2007-10-10 10:53:32 -05:00
Volker Lendecke
0bd9bc6eca r3841: Time out in ads search queries. Even AD servers can hang.
Volker
(This used to be commit fc454c8ef6)
2007-10-10 10:53:20 -05:00
Jeremy Allison
aad0bc6c37 r3764: Ensure on failure that *res is always NULL.
Check for malloc fail. Fixes for bug #2036.
Jeremy.
(This used to be commit b815247747)
2007-10-10 10:53:17 -05:00
Jeremy Allison
d4a46dec34 r3569: Fix for bug #1651, added extra servicePrincipalNames for kerberos interop.
Modified the redhat patch some...
Jeremy.
(This used to be commit 2ae717cd2c)
2007-10-10 10:53:10 -05:00
Jeremy Allison
f8345c1b18 r3273: Ensure we're consistent in the use of strchr_m for '@'.
Jeremy.
(This used to be commit 0f3f7b035b)
2007-10-10 10:53:03 -05:00
Günther Deschner
132879b285 r2832: Readd WKGUID-binding to match the correct default-locations of new
User-, Group- and Machine-Accounts in Active Directory (this got lost
during the last trunk-merge).

This way we match e.g. default containers moved by redircmp.exe and
redirusr.exe in Windows 2003 and don't blindly default to cn=Users or
cn=Computers.

Further wkguids can be examied via "net ads search wellknownobjects=*".
This should still keep a samba3-client joining a samba4 dc. Fixes
Bugzilla #1343.

Guenther
(This used to be commit 8836621694)
2007-10-10 10:52:54 -05:00
Gerald Carter
725d939548 r2091: only use sAMAccountName and not userPrincipalName since the breaks winbindd (lookup_name() only works with the sAMAccountName) -- *please* test this change. My tests all pass but there is probably something I missed
(This used to be commit 2bf08aaa37)
2007-10-10 10:52:31 -05:00
Gerald Carter
02001dfb6c r1381: fixing behavior found by gd@sernet.de; we must use the userPrincipalName value (host/hostname@REALM) and not the servicePrincipalName (host/fqdn@REALM) in the SASL binds
(This used to be commit 959da6e176)
2007-10-10 10:52:09 -05:00
Volker Lendecke
6c1baa6f4c r1330: Fix the build for systems without ldap headers
(This used to be commit b7267121af)
2007-10-10 10:52:07 -05:00
Jeremy Allison
569177a194 r1317: Patch from Joe Meadows "Joe Meadows" <jameadows@webopolis.com> to
add a timeout to the ldap open calls. New parameter, ldap timeout
added.
Jeremy.
(This used to be commit e5b3094c4c)
2007-10-10 10:52:06 -05:00
Jeremy Allison
7825677b86 r1222: Valgrind memory leak fixes. Still tracking down a strange one...
Can't fix the krb5 memory leaks inside that library :-(.
Jeremy.
(This used to be commit ad440213aa)
2007-10-10 10:52:00 -05:00
Jeremy Allison
e948458a79 r1215: Intermediate checkin of the new keytab code. I need to make sure I
haven't broken krb5 ticket verification in the mainline code path,
also need to check with valgrind. Everything now compiles (MIT, need
to also check Heimdal) and the "net keytab" utility code will follow.
Jeremy.
(This used to be commit f0f2e28958)
2007-10-10 10:52:00 -05:00
Jeremy Allison
05bc327990 r764: More memleak fixes in error code path from kawasa_r@itg.hitachi.co.jp.
Jeremy.
(This used to be commit 9647394e7c)
2007-10-10 10:51:37 -05:00
Jeremy Allison
a442c65e59 r562: Memory leak fix in error code path from kawasa_r@itg.hitachi.co.jp.
Jeremy.
(This used to be commit ac501348f4)
2007-10-10 10:51:29 -05:00
Gerald Carter
8ad3d8c9b0 r196: merging struct uuid from trunk
(This used to be commit 911a28361b)
2007-10-10 10:51:13 -05:00
Andrew Bartlett
d57d2d0897 Bug found by gd - the new range-reterival code did still had 'member'
hardcoded into it.

This didn't matter, as we only use it for 'member' so far...

Andrew Bartlett
(This used to be commit 8621899112)
2004-02-08 00:31:36 +00:00
Andrew Bartlett
e4f8914c3f Try to keep vl happy - shorten some of these lines.
(This used to be commit 3a4c56e4c6)
2004-01-05 12:20:15 +00:00
Andrew Bartlett
685e0cbeb8 Fix for bug 707, getent group for huge ads groups (>1500 members)
This introduces range retrieval of ADS attributes.

VL rewrote most of Gnther's patch, partly to remove code duplication and
partly to get the retrieval of members in one rush, not interrupted by the
lookups for the DN.

I rewrote that patch, to ensure that we can keep an eye on the USN
(sequence number) of the entry - this allows us to ensure the read was
atomic.

In particular, the range retrieval is now generic, for strings.  It
could easily be made generic for any attribute type, if need be.

Andrew Bartlett
(This used to be commit 131bb928f1)
2004-01-05 01:48:21 +00:00
Volker Lendecke
9f662094af After talking with abartlet remove the fix for bug 707 again.
Volker
(This used to be commit 0c8ee04c78)
2004-01-01 21:10:35 +00:00
Volker Lendecke
31ff56fd3e Fix for bug 707, getent group for huge ads groups (>1500 members)
This introduces range retrieval of ADS attributes.

I've rewritten most of Gnther's patch, partly to remove code duplication and
partly to get the retrieval of members in one rush, not interrupted by the
lookups for the DN.

Andrew, you told me that you would like to see a check whether the AD sequence
number is the same before and after the retrieval to achieve atomicity. This
would be trivial to add, but I'm not sure that we want this, as this adds two
roundtrips to every membership query. We can not know before the first query
whether we get additional range values, and at that point it's too late to ask
for the USN.

Tested with a group of 4000 members along with lots of small groups.

Volker
(This used to be commit 9d8235bf41)
2004-01-01 20:30:50 +00:00
Andrew Bartlett
5eee23cc64 auth/auth_util.c:
- Fill in the 'backup' idea of a domain, if the DC didn't supply one.  This
   doesn't seem to occour in reality, hence why we missed the typo.

lib/charcnv.c:
lib/smbldap.c:
libads/ldap.c:
libsmb/libsmbclient.c:
printing/nt_printing.c:
 - all the callers to pull_utf8_allocate() pass a char ** as the first
   parammeter, so don't make them all cast it to a void **

nsswitch/winbind_util.c:
 - Allow for a more 'correct' view of when usernames should be qualified
   in winbindd.  If we are a PDC, or have 'winbind trusted domains only',
   then for the authentication returns stip the domain portion.
 - Fix valgrind warning about use of free()ed name when looking up our
   local domain.  lp_workgroup() is maniplated inside a procedure that
   uses it's former value.  Instead, use the fact that our local domain is
   always the first in the list.

Andrew Bartlett
(This used to be commit 494781f628)
2003-12-31 00:31:43 +00:00
Jeremy Allison
ec83590024 Fix from ndb@theghet.to to allow an existing LDAP machine account to be
re-used, rather than created from scratch.
Jeremy.
(This used to be commit 6d46e66ac2)
2003-12-13 01:43:54 +00:00
Volker Lendecke
203710ea6d Get rid of a const warning
Volker
(This used to be commit 94860687c5)
2003-11-26 09:58:41 +00:00
Jeremy Allison
bb0598faf5 Put strcasecmp/strncasecmp on the banned list (except for needed calls
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at
all and I really want to discourage that.
Jeremy.
(This used to be commit d7e35dfb92)
2003-10-22 23:38:20 +00:00
Gerald Carter
48958b0105 don't call ads_destroy() twice; fixes segfault in winbindd when DC goes down; bug 437
(This used to be commit 1cfbd92404)
2003-10-03 21:43:09 +00:00
Jeremy Allison
ca1c6ebb11 Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not converting
to/from utf8 for some calls. The libads code gets this right. Wonder why
the passdb code doesn't use it ?
Jeremy.
(This used to be commit 910d21d316)
2003-09-10 22:33:06 +00:00
Gerald Carter
d5bef211d0 revert retry loops in winbindd_ads as abartket points out, we
already have ads_search_retry() for this.  However, neither
domain_sid() nor sequence_nunber() used this function.  So modify
them to us ads_do_search_retry() so we can specify the base search
DN and scope.
(This used to be commit 89f6adf830)
2003-09-06 18:02:19 +00:00
Gerald Carter
8bfe26b62d metze's autogenerate patch for version.h
(This used to be commit ae452e51b0)
2003-08-20 17:13:38 +00:00
Jim McDonough
9f2e6167d2 Update my copyrights according to my agreement with IBM
(This used to be commit c9b209be2b)
2003-08-01 15:21:20 +00:00
Gerald Carter
0d087e3ba2 working on transtive trusts issue:
* use DsEnumerateDomainTrusts() instead of LDAP search.
    wbinfo -m now lists all trusted downlevel domains and
    all domains in the forest.

Thnigs to do:

  o Look at Krb5 connection trusted domains
  o make sure to initial the trusted domain cache as soon
    as possible
(This used to be commit 0ab00ccaed)
2003-07-31 05:43:47 +00:00
Gerald Carter
c916e5e390 fix case where no realm or workgroup means to use our own
(This used to be commit 6edc7e0a74)
2003-07-25 16:42:34 +00:00
Gerald Carter
3a00cedc01 connect to the right realm or domain for trusted AD domains
(This used to be commit 83376671c5)
2003-07-23 19:58:01 +00:00
Tim Potter
b5cd4a8643 Call the synchronous version of the ldap delete function otherwise we end up
treating the returned message id as an error code.
(This used to be commit 42fdcef324)
2003-07-07 02:50:09 +00:00
Jeremy Allison
ce72beb2b5 Removed strupper/strlower macros that automatically map to strupper_m/strlower_m.
I really want people to think about when they're using multibyte strings.
Jeremy.
(This used to be commit ff222716a0)
2003-07-03 19:11:31 +00:00
Tim Potter
40ece6552d Fix bug in doxygen comments for ads search functions.
(This used to be commit ae6c05ea72)
2003-07-03 04:12:54 +00:00
Gerald Carter
72876b79c9 * fix typos in a few debug statements
* check negative connection cache before ads_try_connect()
  in ads_find_dc()
(This used to be commit 2a76101a3a)
2003-06-25 19:00:15 +00:00
Gerald Carter
f51d769dd3 large change:
*)  consolidates the dc location routines again (dns
    and netbios)  get_dc_list() or get_sorted_dc_list()
    is the authoritative means of locating DC's again.

    (also inludes a flag to get_dc_list() to define
     if this should be a DNS only lookup or not)

    (however, if you set "name resolve order = hosts wins"
     you could still get DNS queries for domain name IFF
     ldap_domain2hostlist() fails.  The answer?  Fix your DNS
     setup)

*)  enabled DOMAIN<0x1c> lookups to be funneled through
    resolve_hosts resulting in a call to ldap_domain2hostlist()
    if lp_security() == SEC_ADS

*)  enables name cache for winbind ADS backend

*)  enable the negative connection cache for winbind
    ADS backend

*)  removes some old dead code

*)  consolidates some duplicate code

*)  moves the internal_name_resolve() to use an IP/port pair
    to deal with SRV RR dns replies.  The namecache code
    also supports the IP:port syntax now as well.

*)  removes 'ads server' and moves the functionality back
    into 'password server' (which can support "hostname:port"
    syntax now but works fine with defaults depending on
    the value of lp_security())
(This used to be commit d7f7fcda42)
2003-06-25 17:41:05 +00:00
Gerald Carter
f36c96d59c * s/get_dc_name/rpc_dc_name/g (revert a previous change)
* move back to qsort() for sorting IP address in get_dc_list()

* remove dc_name_cache in cm_get_dc_name() since it slowed
  things down more than it helped.  I've made a note of where
  to add in the negative connection cache in the ads code.
  Will come back to that.

* fix rpcclient to use PRINTER_ALL_ACCESS for set printer (instead
  of MAX_ALLOWED)

* only enumerate domain local groups in our domain

* simplify ldap search for seqnum in winbindd's rpc backend
(This used to be commit f8cab8635b)
2003-06-23 19:05:23 +00:00
Andrew Tridgell
ec0303820f we need to call ads_first_entry() before using a ldap result,
otherwise we can segv or return garbage
(This used to be commit d1316656b0)
2003-06-16 02:42:00 +00:00
Tim Potter
0a9396dcca Rename some uuid functions so as not to conflict with system
versions.  Fixes bug #154.
(This used to be commit 986eae40f7)
2003-06-13 04:35:53 +00:00
Andrew Bartlett
f071020f5e Merge from HEAD - save the type of channel used to contact the DC.
This allows us to join as a BDC, without appearing on the network as one
until we have the database replicated, and the admin changes the configuration.

This also change the SID retreval order from secrets.tdb, so we no longer
require a 'net rpc getsid' - the sid fetch during the domain join is sufficient.
Also minor fixes to 'net'.

Andrew Bartlett
(This used to be commit 876e00fd11)
2003-04-21 14:09:03 +00:00
Jelmer Vernooij
f7792732e6 Change variable name to get this working on gcc 3.2 (Merge from HEAD)
(This used to be commit d49113caef)
2003-04-15 17:06:51 +00:00
Andrew Bartlett
aa4bfd4711 merge from HEAD - dump tokenGroups as sids.
(This used to be commit f0daa15521)
2003-03-17 22:41:14 +00:00
Andrew Bartlett
a65b65c87a Make sure these values are never uninitialsised.
(This used to be commit eacb8dde7a)
2003-02-24 03:43:49 +00:00
Andrew Bartlett
d1221c9b6c Merge from HEAD client-side authentication changes:
- new kerberos code, allowing the account to change it's own password
   without special SD settings required
 - NTLMSSP client code, now seperated from cliconnect.c
 - NTLMv2 client code
 - SMB signing fixes

Andrew Bartlett
(This used to be commit 837680ca51)
2003-02-24 02:55:00 +00:00
Jim McDonough
4560329abb Fix segv in net ads join...an extra & was the culprit
(This used to be commit 1a9050a6fe)
2003-02-19 15:04:04 +00:00
Andrew Bartlett
251ea1e677 Merge minor library fixes from HEAD to 3.0.
- setenv() replacement
 - mimir's ASN1/SPNEGO typo fixes
 - (size_t)-1 fixes for push_* returns
 - function argument signed/unsigned correction
 - ASN1 error handling (ensure we don't use initiailsed data)
 - extra net ads join error checking
 - allow 'set security discriptor' to fail
 - escape ldap strings in libads.
 - getgrouplist() correctness fixes (include primary gid)

Andrew Bartlett
(This used to be commit e9d6e2ea9a)
2003-02-19 12:31:16 +00:00
Jeremy Allison
8fc1f1aead Ensure that only parse_prs.c access internal members of the prs_struct.
Needed to move to disk based i/o later.
Jeremy.
(This used to be commit a823fee5b4)
2003-02-14 22:55:46 +00:00
Jeremy Allison
abbbaa2f6f Merging from HEAD - add a note about a better method for finding netbios name of workgroup
(not implemented yet)
Jeremy.
(This used to be commit c0eab99753)
2003-02-12 01:07:48 +00:00
Jeremy Allison
eccae5d23a Mem alloc checks.
Jeremy.
(This used to be commit 46ea028169)
2003-02-04 23:44:28 +00:00
Andrew Bartlett
963e88aa90 Merge LDAP filter parinoia from HEAD, a few other pdb_ldap updates and some
misc libads fixes.

Andrew Bartlett
(This used to be commit 9c3a1710ef)
2003-02-01 07:59:29 +00:00
Gerald Carter
8308ec6979 sanity checks from Ken Cross
(This used to be commit 9f35846b8e)
2003-01-21 01:21:33 +00:00
Andrew Bartlett
634c54310c Merge from HEAD - make Samba compile with -Wwrite-strings without additional
warnings.  (Adds a lot of const).

Andrew Bartlett
(This used to be commit 3a7458f947)
2003-01-03 08:28:12 +00:00
Jeremy Allison
64501e44ee Catching up with old patches. Add define for VERITAS quota support.
Check return in ldap.
Jeremy.
(This used to be commit 66eff26fc9)
2002-12-30 23:55:53 +00:00
Jeremy Allison
ef8bd7c4f7 Forward port the change to talloc_init() to make all talloc contexts
named. Ensure we can query them.
Jeremy.
(This used to be commit 09a218a9f6)
2002-12-20 20:21:31 +00:00
Jim McDonough
81a2a30739 More printer publishing code.
- Add published attribute to info2, needed for win clients to work properly
- Return proper info on getprinter 7

This means you can now look at the sharing tab of a printer and get correct
info about whether it is published or not, and change it.
(This used to be commit d57bddc9b2)
2002-12-13 19:01:27 +00:00
Gerald Carter
3ab6fcc5c6 [merge from APP_HEAD]
90% fix for CR 1076.  The password server parameter will no take things
like

        password server = DC1 *

which means to contact DC1 first and the go to auto lookup if it
fails.


jerry
(This used to be commit 016ef8b36b)
2002-11-23 14:52:34 +00:00
Andrew Bartlett
c64d762997 Updates from HEAD:
- const for PACKS() in lanman.c
 - change auth to 'account before password'
 - add help to net rpc {vampire,samsync}
 - configure updates for sun workshop cc
 - become_root() around pdb_ calls in auth_util for guest login.

Andrew Bartlett
(This used to be commit 43e90eb6e3)
2002-11-15 21:43:57 +00:00
Jeremy Allison
2f194322d4 Removed global_myworkgroup, global_myname, global_myscope. Added liberal
dashes of const. This is a rather large check-in, some things may break.
It does compile though :-).
Jeremy.
(This used to be commit f755711df8)
2002-11-12 23:20:50 +00:00
Tim Potter
ab1cf8d1cf Merge of get_dc_list() api change from HEAD.
(This used to be commit 6ba7847ce2)
2002-11-06 05:14:15 +00:00
Jim McDonough
4a7c48aaf0 Merge from HEAD:
GUID formatting on ads dump
Allow rc4-hmac when available
.NET likes both forms of servicePrincipalName in machine account record
(This used to be commit 89e3a3da5d)
2002-10-29 14:47:11 +00:00
Gerald Carter
f2d1f19a66 syncing up with HEAD. Seems to be a lot of differences creeping in
(i ignored the new SAMBA stuff, but the rest of this looks like it should
have been merged already).
(This used to be commit 3de09e5cf1)
2002-10-01 18:26:00 +00:00
Gerald Carter
a834a73e34 sync'ing up for 3.0alpha20 release
(This used to be commit 65e7b5273b)
2002-09-25 15:19:00 +00:00
Jelmer Vernooij
b2edf254ed sync 3.0 branch with head
(This used to be commit 3928578b52)
2002-08-17 17:00:51 +00:00
Andrew Tridgell
e90b652848 updated the 3.0 branch from the head branch - ready for alpha18
(This used to be commit 03ac082dcb)
2002-07-15 10:35:28 +00:00
Jim McDonough
69f41523b3 A few more updates:
- Add doxygen comments
- remove server sort control (ms implementation was not reliable)
- rename ads_do_search_all2() to ads_do_search_all_fn()
(This used to be commit 7aa5fa6172)
2002-04-10 13:28:03 +00:00
Jim McDonough
40260fdaf9 Several updates to get server side sorting going:
- Added sort control to ads_do_paged_search.  It allows a char * to be passed
  as the sort key.  If NULL, no sort is done.
- fixed a bug in the processing of controls (loop wasn't incremented properly)
- Added ads_do_search_all2, which funs a function that is passed in against
  each entry.  No ldapmessage structures are returned.  Allows results to
  be processed as the come in on each page.

I'd like ads_do_search_all2 to replace ads_do_search_all, but there's some
work to be done in winbindd_ads.c first.

Also, perhaps now we can do async ldap searches?  Allow us to process a
page while the server retrieves the next one?
(This used to be commit 95bec4c8ba)
2002-04-05 19:26:52 +00:00
Jim McDonough
f21ccff91f Try harder next time to not duplicate function...take ads_err2string back
out since it's already in ads_errstr() in ads_status.c
(This used to be commit 0475126ffb)
2002-04-04 03:03:00 +00:00
Jim McDonough
417b1ce487 Add ads_err2string() function for generating error strings from an ADS_STATUS.
I've got the cases besides gssapi...anyone know how to get those?
(This used to be commit c937e13522)
2002-04-04 02:49:30 +00:00
Jim McDonough
2ed1dfcf4e Added ads_process_results(), which takes a function that is called for each
entry returned from a search, and applies it to the results.  Re-structured
ads_dump to use this, plus changed the ber_free in ads_dump from (b,1) to
(b,0), in accordance with openldap manpages.  Also allows proper free of
result using ldap_msgfree afterwards, so you can do something with the
results after an ads_dump.
(This used to be commit f01f02fc56)
2002-03-29 21:06:33 +00:00
Jim McDonough
90ada79bbf Whoops, left the paged control not critical in the paged search...kind of
defeats the purpose.
(This used to be commit 71806c49b3)
2002-03-27 03:09:50 +00:00
Jim McDonough
1a06eeb6da Add server control to prevent referrals in paged searches. This keeps
the scope limited to the domain at hand, and also keeps the openldap
libs happy, since they don't currently chase referrals and return
server controls properly at the same time.
(This used to be commit 2bebc8a391)
2002-03-27 02:58:58 +00:00
Andrew Tridgell
b462700e53 added a ads_do_search_all() call, which is a more convenient interface
to paged searches. This makes updating winbindd to used paged searches
trivial.
(This used to be commit 514c11b4e3)
2002-03-19 22:14:53 +00:00
Andrew Tridgell
f464ceb109 fixed paged controls on my box. The problem seems to be incorrect
referrals parsing in the openldap libs. By disabling referrals we get
valid controls back and the cookies work.
(This used to be commit 8bf487ddff)
2002-03-19 12:58:38 +00:00
Jim McDonough
0640a5ceeb This adds the Paged Result Control to ads searching. The new function, ads_do_paged_search, is the same as ads_do_search, but it also contains a count of records returned in this page, and a cookie for resuming, to be passed back. The cookie must start off NULL, and when it returns as NULL, the search is done.
(This used to be commit 9afba67f9a)
2002-03-14 17:48:26 +00:00
Andrew Tridgell
2001b83faa detect SIZELIMIT_EXCEEDED in ldap queries and truncate
the problem is, how the heck do we properly handle these? Jerry?

It seems that the Win2000 ADS server only returns a max of 1000 records!
(This used to be commit 9338964720)
2002-03-13 06:43:52 +00:00
Andrew Tridgell
bd3a6e6cc9 put in the ADS DNS hack, but commented out
(This used to be commit 3396a671c5)
2002-03-11 04:06:30 +00:00
Andrew Tridgell
cfbbf73677 yipee! Finally put in the patch from Alexey Kotovich
<a.kotovich@sam-solutions.net> that adds the security decsriptor code
for ADS workstation accounts

thanks for your patience Cat, and thanks to Andrew Bartlett for
extensive reviews and suggestions about this code.
(This used to be commit 6891393b5d)
2002-03-10 01:54:44 +00:00
Herb Lewis
23e6fc25e2 fix for IRIX compile error
(This used to be commit 2d620909f9)
2002-03-04 01:07:02 +00:00
Jim McDonough
9fc99e3c55 Fix LDAP modification operation. Cut and paste error: was LDAP_MOD_ADD, should be LDAP_MOD_REPLACE. Caught by Alexey Kotovich.
(This used to be commit be48a05ed9)
2002-02-13 15:00:39 +00:00
Jim McDonough
a346cfb467 talloc'ify ads modify functions. Also add more complete berval support.
(This used to be commit 1f186c60ad)
2002-02-12 18:22:33 +00:00
Jim McDonough
d2b65dcbff Add ability to extend ads modification list on the fly. Also add some malloc checks and return ADS_ERROR(LDAP_NO_MEMORY) if they fail.
(This used to be commit 81d76f05d8)
2002-02-11 15:47:02 +00:00
Andrew Tridgell
fb444a546e when a trusted domain is down an ADS server will return a success on a
get trusted domains query but leave the domain SID blank - we need to
fail the add of the trusted domain in winbindd in that case
(This used to be commit 24c7e7a384)
2002-02-07 02:44:37 +00:00
Jim McDonough
9aa88da9d5 Fix ldapmod list overrun check. Also better document and format ldap control for permissive modify.
(This used to be commit 01e7f7c3d9)
2002-02-06 02:28:46 +00:00
Jim McDonough
81b54940b7 merge in some changes from Alexey Kotovich. Return ADS_STATUS instead of BOOLs. Add support for bervals in mod lists. Also put undocumented AD ldap control in to allow modifications when an attribute does not yet exist.
(This used to be commit 1a2d27b21e)
2002-02-02 22:06:10 +00:00
Jim McDonough
bb8349735f Minor bug fixes, plus support to remove a printer. Commented out optional attributes until a method for checking for their existence is done.
(This used to be commit 538c19a698)
2002-02-02 02:04:01 +00:00
Jim McDonough
0c63216603 Fix build errors on non-ldap systems...change function parms from LDAPMod ** to void **
(This used to be commit 9467792843)
2002-02-01 17:13:39 +00:00
Jim McDonough
9e75e5c1f0 Add functions for modifying an entry in ADS. Needed for printer publishing.
(This used to be commit 3d8d8cef64)
2002-02-01 16:14:33 +00:00
Tim Potter
cd68afe312 Removed version number from file header.
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
(This used to be commit 6a58c9bd06)
2002-01-30 06:08:46 +00:00
Jim McDonough
de260eadf9 Enable net ads commands to use existing tickets if the user doesn't specify a username on the commandline. Also don't continue past the kinit if a password is entered and fails because existing tickets would be used, which may not be desired if the username was specified.
(This used to be commit 7e5d7dfa83)
2002-01-25 22:07:46 +00:00
Andrew Tridgell
9f85d4ad5f much better support for organisational units in ADS join
(This used to be commit 7e876057d5)
2002-01-16 02:22:30 +00:00
Andrew Bartlett
4acb3125cd Fix up 'net ads join' to delete and rejoin if the account already exists.
This fixes up a problem where a machine would join (or downgrade by trust
password change) to NT4 membership and not be able to regain full ADS
membership until a 'net ads leave'.

Andrew Bartlett
(This used to be commit ab8ff85f03)
2002-01-11 04:50:45 +00:00
Andrew Tridgell
9e0297b3ed added nTSecurityDescriptor field to host acct dump
(This used to be commit f383e19e09)
2002-01-03 11:59:33 +00:00
Andrew Bartlett
34037e2479 Make Samba compile on RH 6.2 again.
We now include the libber.h file if required, but currently we just don't use
ldap.  (I'll chase this up).

In the meantime, I've moved the ads_status code about, its now in its own file,
and has a couple of #ifdefs to allow smbd to link - becouse the lack of LDAP
caused HAVE_ADS to be undefined. (I hope its not too ugly).

Andrew Bartlett
(This used to be commit 14407c87e2)
2001-12-30 05:59:43 +00:00
Andrew Tridgell
401c7495ea added ads_domain_sid() function
(This used to be commit ff002a458a)
2001-12-20 23:35:14 +00:00
Andrew Tridgell
6c7e9dfb29 net ads password and net ads chostpass commands from Remus Koos
(This used to be commit 412e79c448)
2001-12-20 03:54:52 +00:00
Andrew Tridgell
1f31ace6cb much better ADS error handling system
(This used to be commit 05a90a2884)
2001-12-19 12:21:12 +00:00
Andrew Tridgell
a062e58d9e - added initial support for trusted domains in winbindd_ads
- gss error code patch from a.bokovoy@sam-solutions.net
- better sid dumping in ads_dump
- fixed help in wbinfo
(This used to be commit ee1c3e1f04)
2001-12-19 08:44:23 +00:00