IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
The 'comment' element in a number of domain structures is called
oem_information. This was picked up actually because with OpenLDAP
doing the schema checking, it noticed that 'comment' was not a valid
attribute.
The rename tries to keep this consistant in both the LDB mappings and
IDL, so we don't make the same mistake in future.
This has no real schema impact, as this value isn't actually used for
anything, as 'comment' was not used in the provision.
Andrew Bartlett
(This used to be commit 65dc0d5365)
Now that we don't create users/domain groups/aliases in the builtin
domain, we hit some bugs in the server-side implementation of the
enumeration functions.
In essence, it turns out to be: don't treat 0 as a special case.
Also, fix up the PDC name to always be returned. I'm sure nothing
actually uses it, particularly for BUILTIN...
Andrew Bartlett
(This used to be commit 353bb79f56)
The gendb_*() API does not return error codes, and mixes error returns
with the count of returned entries.
Andrew Bartlett
(This used to be commit facbc8dfa5)
This reworks quite a few parts of our provision system to use
CN=NETBIOSNAME as the domain for member servers.
This makes it clear that these domains are not in the DNS structure,
while complying with our own schema (found by OpenLDAP's schema
validation).
Andrew Bartlett
(This used to be commit bda6a38b05)
More correctly handle expired passwords, and do not expire machine accounts.
Test that the behaviour is consistant with windows, using the RPC-SAMR test.
Change NETLOGON to directly query the userAccountControl, just because
we don't want to do the extra expiry processing here.
Andrew Bartlett
(This used to be commit acda1f69bc)
We need to be far more granular bout this - in particular, we need a
decide LDAP -> NTSTATUS conversion.
Andrew Bartlett
(This used to be commit 30fc3752c7)
to prove it is correct.
This should fix bug #4824: User Manager for Domains - Account Expires.
Thanks!
Andrew Bartlett
(This used to be commit e5f0744d62)
machine accounts are not subject to password policy in Win2k3 R2 (at
least in terms of password quality).
In testing this, I found that Win2k3 R2 has changed the way the old
ChangePassword RPC call is handled - the 'cross-checks' between new LM
and NT passwords are not required.
Andrew Bartlett
(This used to be commit 417ea885b4)
SAMR. This can't be done in the ldb templates code, as it doesn't
happen over direct LDAP.
As noted in bug #4829.
Andrew Bartlett
(This used to be commit 3bfa6dbf7d)
Any SAMR client (usrmgr.exe in this case) that attempted to set a
property to a zero length string found instead the the old value was
kept.
In fixing this, rework the macros to be cleaner (add the
always-present .string) to every macro, and remove the use of the
samdb_modify() and samdb_replace() wrappers where possible.
Andrew Bartlett
(This used to be commit b05fe69304)
Should fix another part (list of domains in usrmgr incorrectly
including accounts) of bug #4815 by mwallnoefer@yahoo.de.
Andrew Bartlett
(This used to be commit 7f7e4fe298)
- The icons in usermgr were incorrect, because the acct_flags were
not filled in (due to missing attribute in ldb query)
- The Full name was missing, and the description used as the full
name (due to missing attributes in ldb query and incorrect IDL)
To prove the correctness of these fixes, I added a substantial new
test to RPC-SAMR-USERS, to ensure cross-consistancy between
QueryDisplayInfo and QueryUserInfo on each user.
This showed that for some reason, we must add ACB_NORMAL to the
acct_flags on level 2 queries (for machine trust accounts)...
Getting this right is important, because Samba3's RPC winbind methods
uses these queries.
Andrew Bartlett
(This used to be commit 9475d94a61)
that we had the wrong objectClass for OU=Domain
Controllers,${DOMAINDN} (was CN=Domain Controllers,${DOMAINDN})
This fixes both the SAMR server and the LDIF templates.
Andrew Bartlett
(This used to be commit 625a9e6c04)
wants to check for an existing domain join account, and fails. This
test shows that we need to return NT_STATUS_NONE_MAPPED when nothing
matches. (not yet tested if this helps vista).
Andrew Bartlett
(This used to be commit 7f3671bf11)
"ntPwdHash" => "unicodePwd"
"lmPwdHash" => "dBCSPwd"
"sambaLMPwdHistory" => "lmPwdHistory"
"sambaNTPwdHistory" => "ntPwdHistory"
Note: you need to reprovision after this change!
metze
(This used to be commit dc4242c09c)
way to setup a Samba4 DC is to set 'server role = domain controller'.
We use the fSMORoleOwner attribute in the base DN to determine the PDC.
This patch is quite large, as I have corrected a number of places that
assumed taht we are always the PDC, or that used the smb.conf
lp_server_role() to determine that.
Also included is a warning fix in the SAMR code, where the IDL has
seperated a couple of types for group display enumeration.
We also now use the ldb database to determine if we should run the
global catalog service.
In the near future, I will complete the DRSUAPI
DsGetDomainControllerInfo server-side on the same basis.
Andrew Bartlett
(This used to be commit 67d8365e83)
This patch changes a lot of the code in ldb_dn.c, and also
removes and add a number of manipulation functions around.
The aim is to avoid validating a dn if not necessary as the
validation code is necessarily slow. This is mainly to speed up
internal operations where input is not user generated and so we
can assume the DNs need no validation. The code is designed to
keep the data as a string if possible.
The code is not yet 100% perfect, but pass all the tests so far.
A memleak is certainly present, I'll work on that next.
Simo.
(This used to be commit a580c871d3)
* Move dlinklist.h, smb.h to subsystem-specific directories
* Clean up ads.h and move what is left of it to dsdb/
(only place where it's used)
(This used to be commit f7afa1cb77)
- creation of ForeignSecurityPrincipals
- template duplication code
Rework much of the LSA server to pass the RPC-LSA test. Much of the
server code was untested. In implementing the LSA Accounts feature, I
have opted to have it only create entires when privilages are applied,
and not to delete entries, but to delete the privilages.
We skip some parts of the test, but it is much better than not testing
it at all.
Andrew Bartlett
(This used to be commit 10eeea6da4)
still a couple of unimplemented functions, but this is far better than
not testing this at all. In particular, this exercises the
password_hash module.
Specific changes:
- Add support for SetDomainInfo
- Add many more info levels to QueryDomainInfo
- Set a domain comment in RPC-SAMR, and verify it is kept
- Refactor QueryUserInfo not to always serach for all attributes
- Add QueryDiplayInfo3 and QueryDomainInfo2 as aliased calls
- Make OemChangePassword2 search under the samdb_base_dn(), so it
finds the user when partitions are active.
- Skip SetSecurity, DisplayIndex, MemberAttributesOfGroup and
'Multiple' alias operations in RPC-SAMR for Samba4
- Add RPC-SAMR as a 'slow' RPC test (it is quite slow)
Andrew Bartlett
(This used to be commit 01d25c9d6c)
This change is required for compatibility with the OSX client, in
particular, but returning 0x80000002 rather than -2147483646 violates
what LDAP clients expect in general.
Andrew Bartlett
(This used to be commit 81f3cd1c45)
Remove some autogenerated headers (which had prototypes now autogenerated by pidl)
Remove ndr_security.h from a few places - it's no longer necessary
(This used to be commit c19c2b51d3)
if the 'password does not expire' flag has been set, filling in the
PAC and netlogon reply correctly if so.
Andrew Bartlett
(This used to be commit c530ab5dc6)
sambaNTPassword. Likewise lmPwdHistory -> sambaLMPwdHistory.
The idea here is to avoid having conflicting formats when we get to
replication. We know the base data matches, but we may need to use a
module to munge formats.
Andrew Bartlett
(This used to be commit 8e608dd4bf)
Because we don't know the syntax of unicodePwd, we want to avoid using
that attribute name. It may cause problems later when we get
replication form windows.
I'm doing this before the tech preview, so we don't get too many
supprises as folks upgrade databases into later versions.
Andrew Bartlett
(This used to be commit 097d9d0b7f)
using pre-calculated passwords for all kerberos key types.
(Previously we could only use these for the NT# type).
The module handles all of the hash/string2key tasks for all parts of
Samba, which was previously in the rpc_server/samr/samr_password.c
code. We also update the msDS-KeyVersionNumber, and the password
history. This new module can be called at provision time, which
ensures we start with a database that is consistent in this respect.
By ensuring that the krb5key attribute is the only one we need to
retrieve, this also simplifies the run-time KDC logic. (Each value of
the multi-valued attribute is encoded as a 'Key' in ASN.1, using the
definition from Heimdal's HDB. This simplfies the KDC code.).
It is hoped that this will speed up the KDC enough that it can again
operate under valgrind.
(This used to be commit e902274321)
different computer account types. (Earlier code changes removed the
BDC case).
We don't use the TemplateDomainController, so just have a
TemplateServer in provision_templates.ldif
Andrew Bartlett
(This used to be commit c4520ba2e6)
This is for use on user-supplied arguments to printf style format
strings which will become ldb filters. I have used it on LSA, SAMR
and the auth/ code so far.
Also add comments to cracknames code.
Andrew Bartlett
(This used to be commit 8308cf6e04)
for netlogon as well) to change/set a user's password, given only
their SID.
This avoids the callers doing the lookups, and also performs the
actual 'set', as these callers do not wish any further buisness with
the entry.
Andrew Bartlett
(This used to be commit 060a2a7bcc)
ldap. Also ensure we put a objectclass on our private ldb's, so they
have some chance of being stored in ldap if you want to
(This used to be commit 1af2cc067f)
authenticated session down into LDB. This associates a session info
structure with the open LDB, allowing a future ldb_ntacl module to
allow/deny operations on that basis.
Along the way, I cleaned up a few things, and added new helper functions
to assist. In particular the LSA pipe uses simpler queries for some of
the setup.
In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't
been worked on (other than making it continue to compile) since January,
and I think the features of this module are being put into ldb anyway.
I have also changed the partitions in ldap_server to be initialised
after the connection, with the private pointer used to associate the ldb
with the incoming session.
Andrew Bartlett
(This used to be commit fd7203789a)
Add ldb_dn_string_compose so that you can build a dn starting from a
struct ldb_dn base and a set of parameters to be composed in a format
string with the same syntax of printf
(This used to be commit 31c69d0655)
templating support for foreignSecurityPrincipals to the samdb module.
This is an extension beyond what microsoft does, and has been very
useful :-)
The setup scripts have been modified to use the new template, as has
the SAMR and LSA code.
Other cleanups in LSA remove the assumption that the short domain name
is the first component of the realm.
Also add a lot of useful debug messages, to make it clear how/why the
SamSync may have gone wrong. Many of these should perhaps be hooked
into an error string.
Andrew Bartlett
(This used to be commit 1f071b0609)
S390. This is an attempt to avoid the panic we're seeing in the
automatic builds.
The main fixes are:
- assumptions that sizeof(size_t) == sizeof(int), mostly in printf formats
- use of NULL format statements to perform dn searches.
- assumption that sizeof() returns an int
(This used to be commit a58ea6b385)
We now generate the PAC, and can verifiy both our own PAC and the PAC
from Win2k3.
This commit adds the PAC generation code, spits out the code to get
the information we need from the NETLOGON server back into a auth/
helper function, and adds a number of glue functions.
In the process of building the PAC generation code, some hints in the
Microsoft PAC specification shed light on other parts of the code, and
the updates to samr.idl and netlogon.idl come from those hints.
Also in this commit:
The Heimdal build package has been split up, so as to only link the
KDC with smbd, not the client utils.
To enable the PAC to be veified with gensec_krb5 (which isn't quite
dead yet), the keyblock has been passed back to the calling layer.
Andrew Bartlett
(This used to be commit e2015671c2)
quite a large change as we had lots of code that assumed that
objectSid was a string in S- format.
metze and simo tried to convince me to use NDR format months ago, but
I didn't listen, so its fair that I have the pain of fixing all the
code now :-)
This builds on the ldb_register_samba_handlers() and ldif handlers
code I did earlier this week. There are still three parts of this
conversion I have not finished:
- the ltdb index records need to use the string form of the objectSid
(to keep the DNs sane). Until that it done I have disabled indexing on
objectSid, which is a big performance hit, but allows us to pass
all our tests while I rejig the indexing system to use a externally
supplied conversion function
- I haven't yet put in place the code that allows client to use the
"S-xxx-yyy" form for objectSid in ldap search expressions. w2k3
supports this, presumably by looking for the "S-" prefix to
determine what type of objectSid form is being used by the client. I
have been working on ways to handle this, but am not happy with
them yet so they aren't part of this patch
- I need to change pidl to generate push functions that take a
"const void *" instead of a "void*" for the data pointer. That will
fix the couple of new warnings this code generates.
Luckily it many places the conversion to NDR formatted records
actually simplified the code, as it means we no longer need as many
calls to dom_sid_parse_talloc(). In some places it got more complex,
but not many.
(This used to be commit d40bc2fa8d)
Old way was ugly and had a bug, you couldn't add an attribute named
dn or distinguishedName and search for it, tdb would change that search in a dn search.
This makes it also possible to search by dn against an ldap server as the old method was
not supported by ldap syntaxes.
sss
(This used to be commit a614466dec)
- This module will take care of properly filling an user or group object
with required fields. You just need to provide the dn and the objectclass
and a user/group get created
Simo.
(This used to be commit fb9afcaf53)
secrets system, and not the old system from Samba3.
This allowed the code from auth_domain to be shared - we now only
lookup the secrets.ldb in lib/credentials.c.
In order to link the resultant binary, samdb_search() has been moved
from deep inside rpc_server into lib/gendb.c, along with the existing
gendb_search_v(). The vast majority of this patch is the simple
rename that followed,
(Depending on the whole SAMDB for just this function seemed pointless,
and brought in futher dependencies, such as smbencrypt.c).
Andrew Bartlett
(This used to be commit e13c671619)
less likely that anyone will use pstring for new code
- got rid of winbind_client.h from includes.h. This one triggered a
huge change, as winbind_client.h was including system/filesys.h and
defining the old uint32 and uint16 types, as well as its own
pstring and fstring.
(This used to be commit 9db6c79e90)
- Use templates for Secrets and the new trusted domains
- Auto-add modifiedTime, createdTime and objectGUID to records in the
samdb layer.
Andrew Bartlett
(This used to be commit 271c8faadf)
this stage does the following:
- simplifies the dcerpc_handle handling, and all the callers of it
- split out the context_id depenent state into a linked list of established contexts
- fixed some talloc handling in several rpc servers that i noticed while doing the above
(This used to be commit fde042b3fc)
must zero r.out before making the 2nd call if the 2nd call has any
non-ref out parameters. This is needed for the case where the 2nd call
fails, and the 1st call would then fill in its out fields based on
uninitialised memory.
(This used to be commit 202470326d)
change was in the ldb_msg_add_*() routines, which now use the msg as a context,
and thus it needs to be a talloc ptr)
(This used to be commit 1a4713bfd0)
* Implement samr_search_domain, filter out all elements with no "objectSid"
attribute and all objects outside a specified domain sid.
* Minor cleanups in dcerpc_samr.c due to that.
* Implement srvsvc_NetSrvGetInfo level 100. A quick hack to get usrmgr.exe
one step further.
* Same for samr_info_DomInfo1.
Volker
(This used to be commit cdec896113)
the idea is to have a directory service db layer
which will be used by the ldap server, samr server, drsuapi server
authentification...
I plan to make different implementations of this interface possible
- current default will be the current samdb code with sam.ldb
- a compat implementation for samba3 (if someone wants to write one)
- a new dsdb implementation which:
- understands naming contexts (directory parrtitions)
- do schema and acl checking checking
- maintain objectGUID, timestamps and USN number,
maybe linked attributes ('member' and 'memberOf' attributes)
- store metadata on a attribute=value combination...
metze
(This used to be commit 893a8b8bca)
lm hash from the samdb, and thus not checking the verifier)
fixed the client side to calculate the lm verifier based on the nt
hash, not the lm hash (confirmed using w2k3)
(This used to be commit 27e7fb3baf)
verify that the security descriptor found in the SamSync is the same
as what is available over SAMR.
Unfortunately, the administrator seems unable to retrieve the SACL on
the security descriptor, so I've added a new function to compare with
a mask.
Andrew Bartlett
(This used to be commit 39ae5e1dac)
This compares values for the domain and for secrets. We still have
some problems we need to sort out for secrets.
Also rename a number of structures in samr.idl and netlogon.idl, to
better express their consistancy.
Andrew Bartlett
(This used to be commit 3f52fa3a42)
- split ldh.h out of samba's includes.h
- make ldb_context and ldb_module private to the subsystem
- use ltdb_ prefix for all ldb_tdb functions
metze
(This used to be commit f5ee40d6ce)
NETLOGON.
In particular, rename samr_Name to samr_String - given that many
strings in this pipe are not 'names', the previous was just confusing.
(I look forward to PIDL turning these into simple char * some day...).
Also export out a few changes from testjoin.c to allow for how I have
written the new RPC-SAMSYNC test.
Andrew Bartlett
(This used to be commit 9cd666bcfb)
- tidied up some of the system includes
- moved a few more structures back from misc.idl to netlogon.idl and samr.idl now that pidl
knows about inter-IDL dependencies
(This used to be commit 7b7477ac42)
The thing that finally convinced me that minimal includes was worth
pursuing for rpc was a compiler (tcc) that failed to build Samba due
to reaching internal limits of the size of include files. Also the
fact that includes.h.gch was 16MB, which really seems excessive. This
patch brings it back to 12M, which is still too large, but
better. Note that this patch speeds up compile times for both the pch
and non-pch case.
This change also includes the addition iof a "depends()" option in our
IDL files, allowing you to specify that one IDL file depends on
another. This capability was needed for the auto-includes generation.
(This used to be commit b8f5fa8ac8)
caller doesn't have to worry about the constraint of only opening a
database a single time in a process. These wrappers will ensure that
only a single open is done, and will auto-close when the last instance
is gone.
When you are finished with a database pointer, use talloc_free() to
close it.
note that this code does not take account of the threads process
model, and does not yet take account of symlinks or hard links to tdb
files.
(This used to be commit 04e1171996)
so talloc now doesn't contain any ldb specific functions.
allow NULL to be passed to a couple more talloc() functions
(This used to be commit 1246f80d80)
void *talloc_reference(const void *context, const void *ptr);
this function makes a secondary reference to ptr, and hangs it off the
given context. This greatly simplifies some of the current reference
counting code in the samr server and I suspect it will be widely used
in other places too.
the way you use it is like this:
domain_state->connect_state = talloc_reference(domain_state, connect_state);
that makes the element connect_state of domain_state a secondary
reference to connect_state. The connect_state structure will then only
be freed when both domain_state and the original connect_state go
away, allowing you to free them independently and in any order.
you could do this alrady using a talloc destructor, and that is what
the samr server did previously, but that meant this construct was
being reinvented in several places. So this convenience function sets
up the destructor for you, giving a much more convenient and less
error prone API.
(This used to be commit dc53150861)
have the handle type implied by the parameter name. There are four
types of handle: connect, domain, user and group handles. The
various samr_Connect functions return a connect handle, and the
samr_OpenFoo functions return a foo handle.
There is one exception - the samr_{Get,Set}Security function can
take any type of handle.
Fix up all C callers.
(This used to be commit 32f0f3154a)
'authenticated' connections.
Fix kerberos session key issues - we need to call the
routine for extracting the session key, not just read the cache.
Andrew Bartlett
(This used to be commit b80d849b6b)
count features of talloc, instead of re-implementing both those
features inside of samdb (which is what we did before).
This makes samdb considerably simpler, and also fixes some bugs, as I
found some error paths that didn't call samdb_close(). Those are now
handled by the fact that a talloc_free() will auto-close and destroy
the samdb context, using a destructor.
(This used to be commit da60987a92)
This version does the following:
1) talloc_free(), talloc_realloc() and talloc_steal() lose their
(redundent) first arguments
2) you can use _any_ talloc pointer as a talloc context to allocate
more memory. This allows you to create complex data structures
where the top level structure is the logical parent of the next
level down, and those are the parents of the level below
that. Then destroy either the lot with a single talloc_free() or
destroy any sub-part with a talloc_free() of that part
3) you can name any pointer. Use talloc_named() which is just like
talloc() but takes the printf style name argument as well as the
parent context and the size.
The whole thing ends up being a very simple piece of code, although
some of the pointer walking gets hairy.
So far, I'm just using the new talloc() like the old one. The next
step is to actually take advantage of the new interface
properly. Expect some new commits soon that simplify some common
coding styles in samba4 by using the new talloc().
(This used to be commit e35bb094c5)
This implements gensec for Samba's server side, and brings gensec up
to the standards of a full subsystem.
This means that use of the subsystem is by gensec_* functions, not
function pointers in structures (this is internal). This causes
changes in all the existing gensec users.
Our RPC server no longer contains it's own generalised security
scheme, and now calls gensec directly.
Gensec has also taken over the role of auth/auth_ntlmssp.c
An important part of gensec, is the output of the 'session_info'
struct. This is now reference counted, so that we can correctly free
it when a pipe is closed, no matter if it was inherited, or created by
per-pipe authentication.
The schannel code is reworked, to be in the same file for client and
server.
ntlm_auth is reworked to use gensec.
The major problem with this code is the way it relies on subsystem
auto-initialisation. The primary reason for this commit now.is to
allow these problems to be looked at, and fixed.
There are problems with the new code:
- I've tested it with smbtorture, but currently don't have VMware and
valgrind working (this I'll fix soon).
- The SPNEGO code is client-only at this point.
- We still do not do kerberos.
Andrew Bartlett
(This used to be commit 07fd885fd4)
the dce_conn->auth_state.session_info
( the ntlmssp one works fine, but the schannel one isn't implemented yet)
this is also set by the ntvfs_ipc backend on the endpoint connect.
metze
(This used to be commit ad3dd1789e)
pwd -> password
passwd -> password
username -> account_name
Also work on consistant structure feild names between these two pipes,
and fix up some callers to use samr_Password for the netlogon
credential code.
Andrew Bartlett
(This used to be commit 4e35418c27)
names rather than our crazy naming scheme. So DES is now called
des_crypt() rather than smbhash()
- added the code from the solution of the ADS crypto challenge that
allows Samba to correctly handle a 128 bit session key in all of the
netr_ServerAuthenticateX() varients. A huge thanks to Luke Howard
from PADL for solving this one!
- restructured the server side rpc authentication to allow for other
than NTLMSSP sign and seal. This commit just adds the structure, the
next commit will add schannel server side support.
- added 128 bit session key support to our client side code, and
testing against w2k3 with smbtorture. Works well.
(This used to be commit 729b2f41c9)
- moved some sec desc defines into misc.idl
- fixed pw_len field in UserInfo26
- made some pipes available on TCP
- added netr_DsrEnumerateDomainTrusts() to netlogon
- added templates for remaining netlogon IDL calls (from ethereal)
- added a unistr_noterm vs unistr error detector in ndr basic decoder
- added torture test for netr_DsrEnumerateDomainTrusts()
(This used to be commit ae5a5113fb)
- added lsa_OpenPolicy2() to server
- added guid handling in samdb
- added a couple more info policy levels in lsa server
- added some DNS info in the provisioning template and script
With the above changes WinXP professional can join a Samba4 domain
(This used to be commit d6dca96352)
- added start of QueryDomainInfo in samr server
"net rpc info" from samba3 now works against a samba4 server. I
suspect join will work fairly soon.
(This used to be commit 0a2c6a1062)
With this change WinXP can now successfully change the password on a
Samba4 server via SAMR. After the change you can't login because the
handling of much_change_time seems to be broken in the auth code, but
that should be easy to fix.
(This used to be commit 8feeecf303)
always returning the info for the primary domain. I noticed this
because WinXP sends the wrong information in this field (it sends
\\server_name) and gets away with it
(This used to be commit e128bcca56)
Builtin and local domain, as some calls (notably password change
calls) don't specify a domain name, they just specifiy an account
name.
- added the remaining password set levels to SetUserInfo in the samr
server. We now support all of the password set and change levels
that we know about in SAMR.
(This used to be commit 965748cbee)