IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
We really need idmap_ldap to have a good solution with ldapsam, porting
it from the prvious code is beeing made, the code is really simple to do
so I am confident it is not a problem to commit this code in.
Not committing it would have been worst.
I really would have been able to finish also the group code, maybe we can
put it into a followin release after 3.0.0 even if it may be an upgrade
problem.
The code has been tested and seem to work right, more testing is needed for
corner cases.
Currently winbind pdc (working only for users and not for groups) is
disabled as I was not able to make a complete group code replacement that
works somewhat in a week (I have a complete patch, but there are bugs)
Simo.
(This used to be commit 0e58085978)
Jump out of sam entry processing loop if the return value from
cli_netlogon_sam_sync() isn't OK or STATUS_MORE_ENTRIES.
(This used to be commit 47d8ee3679)
that is now possible to, for example, load a module which contains
an auth method into a binary without the auth/ subsystem built in.
(This used to be commit 74d9ecfe2d)
With big thanks to tpot for the ethereal disector, and for the base code
behind this, we now fully support NTLMv2 as a client.
In particular, we support it with direct domain logons (tested with ntlm_auth
--diagnostics), with 'old style' session setups, and with NTLMSSP.
In fact, for NTLMSSP we recycle one of the parts of the server's reply directly...
(we might need to parse for unicode issues later).
In particular, a Win2k domain controller now supplies us with a session key
for this password, which means that doman joins, and non-spnego SMB signing
are now supported with NTLMv2!
Andrew Bartlett
(This used to be commit 9f6a26769d)
- auth with ntlmv2 and lmv2 but deliberately break the ntlmv2 hash
- auth with ntlmv2 and lmv2 but deliberately break the lmv2 hash
- auth with ntlm and lm but deliberately break the ntlm hash
- auth with ntlm and lm but deliberately break the lm hash
My theory is that the NTLM or NTLMv2 field must be correct and if it is,
it doesn't matter what the value of the LM or LMv2 field is.
Fixed cosmetic test name display bug.
(This used to be commit 5dcde9451b)
important once we start doing schannel, as there would be a lot more
roundtrips for the second PIPE open and bind. With this patch logging
in to a member server is a matter of two (three if you count the
ack...) packets between us and the DC.
Volker
(This used to be commit 5b3cb7725a)
this world than 'status more entires'...
Also move all the cases to 'NT_STATUS_EQUAL()' to test it.
Andrew Bartlett
(This used to be commit b4645bf066)
Our NTLMv2 client code needs work, becouse we don't get the session key for
any of the NTLMv2 stuff...
Also test some of the more 'odd' auth cases - like putting the NT password
into the LM feild.
Clean up some static globals into static locals.
Andrew Bartlett
(This used to be commit 62f0acc991)
Net.exe on windows won't allow more than 50 characters to be entered, but
through AD you can have much more than this.
(This used to be commit ca2886c938)
to the system. This means that we always run Get_Pwnam(), and can never add
FOO when foo exists on the system (the idea is to instead add foo into
the passdb, using it's full name, RID etc).
Andrew Bartlett
(This used to be commit bb79b127e0)
>When calling cli_samr_enum_{dom,als}_groups in a while loop, the
>terminating condition should be result != STATUS_MORE_ENTRIES, not
>result == NT_STATUS_OK otherwise we get stuck in an infinite loop
>when there's any sign of trouble.
(This used to be commit 4998a72cf8)
This allows us to join as a BDC, without appearing on the network as one
until we have the database replicated, and the admin changes the configuration.
This also change the SID retreval order from secrets.tdb, so we no longer
require a 'net rpc getsid' - the sid fetch during the domain join is sufficient.
Also minor fixes to 'net'.
Andrew Bartlett
(This used to be commit 876e00fd11)
Need to check on where the privilege code is sitting
and update the docs.
Examples:
root# bin/net help groupmap
net groupmap add
Create a new group mapping
net groupmap modify
Update a group mapping
net groupmap delete
Remove a group mapping
net groupmap list
List current group map
# bin/net groupmap add
Usage: net groupmap add rid=<int> name=<string> type=<domain|local|builtin> [comment=<string>]
# bin/net groupmap delete
Usage: net groupmap delete name=<string|SID>
# bin/net groupmap modify
Usage: net groupmap modify name=<string|SID> [comment=<string>] [type=<domain|local>
(This used to be commit f2fd0ab41f)
workstation, we have to use the workstation type, if we have a BDC account,
we must use the BDC type - even if we are pretending to be a workstation
at the moment.
Also actually store and retreive the last change time, so we can do
periodic password changes again (for RPC at least).
And finally, a couple of minor fixes to 'net'.
Andrew Bartlett
(This used to be commit 6e6b7b79ed)
rpcclient -S pdc -U% -c "samlogon user password"
and it should work with the schannel. Needs testing against platforms
different from NT4SP6.
Volker
(This used to be commit eaef0d8aef)
rpcclient -S pdc -U% -c "samlogon user password"
and it should work with the schannel. Needs testing platforms
different from NT4SP6.
Volker
(This used to be commit ecd0ee4d24)
nicer to use and more hackable.
- converted to popt
- text message destinations (except for broadcast smbd) are resolved
using files in piddir so the string 'winbindd' is now a destination
- added --timeout option to specify timeout value
- deleted complicated handling of debug args as separate command line
arguments: use shell quoting instead
- deleted interactive mode as punishment for using strtok() (-:
- much improved command line argument checking
Some of this stuff was broken before I started (print notify,
profiling) but the basics still work (ping, pool-usage, debug,
debuglevel).
(This used to be commit 269f838dee)
- Make passdb work with absolute paths (passdb backend = /path/to/smbpasswd.so works now). vfs, rpc and charset will follow
(This used to be commit 794d3ed036)
please remember to *test* your changes before committing them. This is
especially the case when you receive patches from outside the team -
before you commit you must make sure that the patch actually works.
(This used to be commit 1d3c7e7fb6)
NTLM Authentication:
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory
under lockdir, that the admin can change the group access for.
- This mode is now required to access with 'CRAP' authentication feature.
- This *will* break the current SQUID helper, so I've fixed up our ntlm_auth
replacement:
- Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a
challenge.
- Use this to make our ntlm_auth utility suitable for use in current Squid 2.5
servers.
- Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates
are needed.
- Now uses fgets(), not x_fgets() to cope with Squid environment (I think
somthing to do with non-blocking stdin).
- Add much more robust connection code to wb_common.c - it will not connect to
a server of a different protocol version, and it will automatically try and
reconnect to the 'privileged' pipe if possible.
- This could help with 'privileged' idmap operations etc in future.
- Add a generic HEX encode routine to util_str.c,
- fix a small line of dodgy C in StrnCpy_fn()
- Correctly pull our 'session key' out of the info3 from th the DC. This is
used in both the auth code, and in for export over the winbind pipe to
ntlm_auth.
- Given the user's challenge/response and access to the privileged pipe,
allow external access to the 'session key'. To be used for MSCHAPv2
integration.
Andrew Bartlett
(This used to be commit ec071ca3dc)
are 'SET' when adding the account.
I really don't like passing flags down to inner routines and
complicated if/else conditions, but this time he might be right. ;-)
Volker
(This used to be commit 339c149068)
are 'SET' when adding the account.
I really don't like passing flags down to inner routines and
complicated if/else conditions, but this time he might be right. ;-)
Volker
(This used to be commit 80d2578108)
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory
under lockdir, that the admin can change the group access for.
- This mode is now required to access with 'CRAP' authentication feature.
- This *will* break the current SQUID helper, so I've fixed up our ntlm_auth
replacement:
- Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a
challenge.
- Use this to make our ntlm_auth utility suitable for use in current Squid 2.5
servers.
- Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates
are needed.
- Now uses fgets(), not x_fgets() to cope with Squid environment (I think
somthing to do with non-blocking stdin).
- Add much more robust connection code to wb_common.c - it will not connect to
a server of a different protocol version, and it will automatically try and
reconnect to the 'privileged' pipe if possible.
- This could help with 'privileged' idmap operations etc in future.
- Add a generic HEX encode routine to util_str.c,
- fix a small line of dodgy C in StrnCpy_fn()
- Correctly pull our 'session key' out of the info3 from th the DC. This is
used in both the auth code, and in for export over the winbind pipe to
ntlm_auth.
- Given the user's challenge/response and access to the privileged pipe,
allow external access to the 'session key'. To be used for MSCHAPv2
integration.
Andrew Bartlett
(This used to be commit dcdc75ebd8)
* pdbedit -i -e sets all SAM_ACCOUNT elements
to CHANGED to satisfy the new pdb_ldap.c handling
* pdbedit -g transfers group mappings. I made this
separate from the user database, as current installations
have to live with a split backend.
So, if you are running 3_0 alphas with LDAP as a backend
and upgrade to the next 3_0 alpha, you should call
pdbedit -i tdbsam -e ldapsam -g
to transfer your group mapping database to LDAP.
You certainly have to have all your groups as posixGroup
objects in LDAP and adapt the LDAP schema before this
call.
Volker
(This used to be commit 09a3db0ffc)
* pdbedit -i -e sets all SAM_ACCOUNT elements
to CHANGED to satisfy the new pdb_ldap.c handling
* pdbedit -g transfers group mappings. I made this
separate from the user database, as current installations
have to live with a split backend.
So, if you are running 3_0 alphas with LDAP as a backend
and upgrade to the next 3_0 alpha, you should call
pdbedit -i tdbsam -e ldapsam -g
to transfer your group mapping database to LDAP.
You certainly have to have all your groups as posixGroup
objects in LDAP and adapt the LDAP schema before this
call.
Volker
(This used to be commit 6d3faeaef6)
- Decode all the database names, even if we don't decode their contents
- Update the 'set' code to match rpc_server/srv_samr_nt.c in only recording
the difference between the old and new.
Andrew Bartlett
(This used to be commit 6509397f91)
- pdb_guest (including change defaults)
- 'default' passdb actions (instead of 'not implemented' stubs in each module)
- net_rpc_samsync no longer assumes pdb_unix
Andrew Bartlett
(This used to be commit 4bec53c8c8)
This patch catches up on the rest of the work - as much string checking
as is possible is done at compile time, and the rest at runtime.
Lots of code converted to pstrcpy() etc, and other code reworked to correctly
call sizeof().
Andrew Bartlett
(This used to be commit c5b604e2ee)
have some of the labels 'duplicated' (ie, the defines double-up).
Also, to an ads_connect() to try and find our KDC. (So we don't segfualt
*every* time)
Andrew Bartlett
(This used to be commit 56dce7ddad)
in general searches, but only if searching for the DN only.
In my case, it was the tokenGroups attribute that caused me trouble, hence
this patch.
Andrew Bartlett
(This used to be commit 8a0cc4c2be)
- new kerberos code, allowing the account to change it's own password
without special SD settings required
- NTLMSSP client code, now seperated from cliconnect.c
- NTLMv2 client code
- SMB signing fixes
Andrew Bartlett
(This used to be commit 837680ca51)
it can be used for 'net rpc join'.
Also fix a bug in our server-side NTLMSSP code - a client without any domain
trust links to us may calculate the NTLMv2 response with "" as the domain.
Andrew Bartlett
(This used to be commit ddaa42423b)
users w/o full administrative access on computer accounts to join a
computer into AD domain.
The patch and detailed changelog is available at:
http://www.itcollege.ee/~aandreim/samba
This is a list of changes in general:
1. When creating machine account do not fail if SD cannot be changed.
setting SD is not mandatory and join will work perfectly without it.
2. Implement KPASSWD CHANGEPW protocol for changing trust password so
machine account does not need to have reset password right for itself.
3. Command line utilities no longer interfere with user's existing
kerberos ticket cache.
4. Command line utilities can do kerberos authentication even if
username is specified (-U). Initial TGT will be requested in this case.
I've modified the patch to share the kinit code, rather than copying it,
and updated it to current CVS. The other change included in the original patch
(local realms) has been left out for now.
Andrew Bartlett
(This used to be commit ce52f1c2ed)
from HEAD. I had to do this for him as he was *so* tired, the poor
chap, plus he has this bad leg, plus the dog ate his homework etc. etc.
Jeremy.
(This used to be commit 1e752b48a1)
"
Make the vampire code use just pdb calls - allowing better operation on systems
that are not configured with an add user script, and have an _nua backend for
storage.
We really need to get the PDB backends out of the IDMAP game...
Andrew Bartlett
"
(This used to be commit e959a8eb67)
that are not configured with an add user script, and have an _nua backend for
storage.
We really need to get the PDB backends out of the IDMAP game...
Andrew Bartlett
(This used to be commit dceb7820d7)
of the SWAT code, and adding a base64 encoder.
The main purpose of this patch is to add NTLMSSP support to 'ntlm_auth', for
use with Squid. Unfortunetly the squid side doesn't quite support what we need
yet.
Changes to winbind to get us the info we need, and a couple of consequential
changes/cleanups in the rest of the code.
Andrew Bartlett
(This used to be commit fe50ca8f54)
*sync up configure.in
*don't build torture tools in make all
*make sure to remove torture tools as part of make clean
(This used to be commit 0fb724b321)
* removed unused variable from rpcclient code
* added container option to net command (patch from SuSE)
* Makefile patch for examples/VFS from SuSE
(This used to be commit 25a9681ddd)
- fstring/pstring mixups
- the detection code that found them (disabled)
- a bit of whitespace
- a static
Andrew Bartlett
(This used to be commit 9b70fa868e)
This patch makes Samba compile cleanly with -Wwrite-strings.
- That is, all string literals are marked as 'const'. These strings are
always read only, this just marks them as such for passing to other functions.
What is most supprising is that I didn't need to change more than a few lines of code (all
in 'net', which got a small cleanup of net.h and extern variables). The rest
is just adding a lot of 'const'.
As far as I can tell, I have not added any new warnings - apart from making all
of tdbutil.c's function const (so they warn for adding that const string to
struct).
Andrew Bartlett
(This used to be commit 92a777d0ea)
Still have to make sure that the datastructure is correct, though.
Then on to writing it out and editing/changing keys, values and sec_descriptors
(This used to be commit 8686b551cd)
Security Descriptors/Keys not yet processed.
Make debugging printfs only occur if verbose is set.
Create an iterator for the registry key.
Still not King. Bother!
(This used to be commit 8bc6aa72f5)
and the data parts of the VK records.
Also have to code up routines that can iterate across keys and values, as
well as return values associated with a particular key, etc.
(This used to be commit 8dd608f7ad)
in. Don't yet handle the SK records (security descriptors), but will soon.
It still compiles on Linux, but I am still not King.
(This used to be commit b51bb89841)
Start processing the header and etc.
Make sure it compiles on Linux, and runs on Linux for the code that is there.
Will try FreeBSD soon, and maybe Slowaris.
(This used to be commit ee99843861)
should actual functional differences between HEAD and 3.0.
- Mostly reformatting
- Removal of unecessary #include "smb.h"
- Merge of dyn_DRIVERFILE removal
- Silly bug fix for python code
(This used to be commit d3998307ad)
