IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d7)
be provisioned on demand - calls script with domain,
username, challenge and LM and NT responses - passing
the info through a pipe.
Jeremy.
(This used to be commit 67be4ee41c)
compiler supports it.
We have to compile with -fPIE and not -fpie. Else ppc and s390(x) will
fail (to small GOT).
It's possible to disable configure's PIE detection with --disable-pie
(This used to be commit 07845bb4c5)
to a thin layer in fetch_reg_values(). Not entirely efficient
seeing as the the dynamic value paths are stored in an unsorted
array but it is one strequal() per path. If this was really big
it should be worked into the reghook_cache().
(This used to be commit 63b81ad3cb)
pulling back all recent rpc changes from trunk into
3.0. I've tested a compile and so don't think I've missed
any files. But if so, just mail me and I'll clean backup
in a couple of hours.
Changes include \winreg, \eventlog, \svcctl, and
general parse_misc.c updates.
I am planning on bracketing the event code with an
#ifdef ENABLE_EVENTLOG until I finish merging Marcin's
changes (very soon).
(This used to be commit 4e0ac63c36)
lanuage, English, at the moment). Fixes#2261. If other languages
might are added in the future, this parameter will still not be needed.
(This used to be commit d41e790b4b)
* Implement a fixed mapping of forbidden NT characters in filenames that are
* used a lot by the CAD package Catia.
*
* Yes, this a BAD BAD UGLY INCOMPLETE hack, but it helps quite some people
* out there. Catia V4 on AIX uses characters like "<*$ a *lot*, all forbidden
* under Windows...
Volker
(This used to be commit 8c0148df81)
cd up and down the tree and get directory listings.
Still have to figure out how to get a directory listing on a
2k dfs root. Also have to work out some issues with relative paths
that cross dfs mount points.
We're protected from the new code paths when connecting to
a non-dfs root share ( the flag from the tcon&X is stored
in the struct cli_state* )
(This used to be commit e57fd2c5f0)
and SMBsplclose commands (BUG 2010)
* clarify some debug messages in smbspool (also from Mike)
my changes:
* start adding msdfs client routines
* enable smbclient to maintain multiple connections
* set the CAP_DFS flag for our internal clienht routines.
I actualy have a dfs referral working in do_cd() but that code
is too ugly to live so I'm not checking it in just yet.
Further work is to merge with vl's changes in trunk to support multiple
TIDs per cli_state *.
(This used to be commit 0449756309)
Does automated migration from account_policy.tdb v1 and v2 and offers a
pdbedit-Migration interface. Jerry, please feel free to revert that if
you have other plans.
Guenther
(This used to be commit 75af83dfcd)
one small todo item is to add a 'accounts' sub option
to 'net rpc list' so enumerate all privileged SIDs
and their associated rights.
(This used to be commit bf4385c79a)
(based on Simo's code in trunk). Rewritten with the
following changes:
* privilege set is based on a 32-bit mask instead of strings
(plans are to extend this to a 64 or 128-bit mask before
the next 3.0.11preX release).
* Remove the privilege code from the passdb API
(replication to come later)
* Only support the minimum amount of privileges that make
sense.
* Rewrite the domain join checks to use the SeMachineAccountPrivilege
instead of the 'is a member of "Domain Admins"?' check that started
all this.
Still todo:
* Utilize the SePrintOperatorPrivilege in addition to the 'printer admin'
parameter
* Utilize the SeAddUserPrivilege for adding users and groups
* Fix some of the hard coded _lsa_*() calls
* Start work on enough of SAM replication to get privileges from one
Samba DC to another.
* Come up with some management tool for manipultaing privileges
instead of user manager since it is buggy when run on a 2k client
(haven't tried xp). Works ok on NT4.
(This used to be commit 77c10ff9aa)
vfstest refers to reload_printers, only defined in smbd/server.c. Jerry, could
you take a look at that?
Thanks,
Volker
(This used to be commit a83e5c1132)
abartlet, I'd like to ask you to take a severe look at this!
We have solved the problem to find the global groups a user is in twice: Once
in auth_util.c and another time for the corresponding samr call. The attached
patch unifies these and sends them through the passdb backend (new function
pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further
optimize the corresponding call if the samba and posix accounts are unified by
issuing a specialized ldap query.
The parameter to activate this ldapsam behaviour is
ldapsam:trusted = yes
Volker
(This used to be commit b94838aff1)
Written by Sumit Bose <sbose@suse.de> and myself a while ago.
idmap_rid does a direct, static mapping between RIDs and UIDs/GIDs using
the idmap-range as offset. It does thus allow to have a unified mapping
over several winbindd-systems without having the need of a central
LDAP-Server (and all related dependencies and problems this solution can
bring).
Compile:
./configure --with-shared-modules=idmap_rid
Usage:
idmap backend = idmap_rid
idmp_rid does even allow you to have multiple mappings (for trusted
domains). This is a rather problemtic feature and will be turned off by
default rather soon. The problem is that ranges can quickly overlap when
not measured with caution.
idmap backend = idmap_rid:"MYDOMAIN=1000-9999 OTHER=10000-19999"
Will valgrind idmap_rid later today and fix a couple of things.
Guenther
(This used to be commit 49a238bd37)
HPUX. This is Richard Allen's suggestion to get HPUX to use cc instead of
ld.
Also he added some missing $(DYNEXP) on link lines and removed the definition
of $(LINK) as it is no longer used in the Makefile.
(This used to be commit 9481f2a79e)
a customer hash function for this tdb (yes it does make a difference
on benchmarks). Remove the no longer used hash.c code.
Jeremy.
(This used to be commit 3fbadac85b)
Jelmer, we need to find another way to solve this bug. This way,
rpcclient is linked to libxml2, libmysqlclient and libpg (with according
dependencies in samba-client.rpm's) if one just wants to build the more
experimental pdb-modules as well.
Guenther
(This used to be commit 67bffc5034)
* add IA64 to the architecture table of printer-drivers
* add new "net"-subcommands:
net rpc printer migrate {drivers|printers|forms|security|settings|all}
[printer]
net rpc share migrate {shares|files|all} [share]
this is the first part of the migration suite. this will will (once
feature-complete) allow to do 1:1 server-cloning in the best possible way by
making heavy use of samba's rpc_client-functions. all migration-steps
are implemented as rpc/smb-client-calls; net communicates via rpc/smb
with two servers at the same time (a remote, source server and a
destination server that currently defaults to the local smbd). this
allows e. g. printer-driver migration including driverfiles, recursive
mirroring of file-shares including file-acls, etc. almost any migration
step can be called with a migrate-subcommand to provide more flexibility
during a migration process (at the cost of quite some redundancy :) ).
"net rpc printer migrate settings" is still in a bad condition (many
open questions that hopefully can be adressed soon).
"net rpc share migrate security" as an isolated call to just migrate
share-ACLs will be added later.
Before playing with it, make sure to use a test-server. Migration is a
serious business and this tool-set can perfectly overwrite your
existing file/print-shares.
* along with the migration functions had to make I the following
changes:
- implement setprinter level 3 client-side
- implement net_add_share level 502 client-side
- allow security descriptor to be set in setprinterdata level 2
serverside
guenther
(This used to be commit 8f1716a29b)
helps amd64 systems with /lib and /lib64 and an explicit configure --libdir
setting.
Thanks to Bjoern Jacke <bj@sernet.de>
Volker
(This used to be commit cc1881c143)
haven't broken krb5 ticket verification in the mainline code path,
also need to check with valgrind. Everything now compiles (MIT, need
to also check Heimdal) and the "net keytab" utility code will follow.
Jeremy.
(This used to be commit f0f2e28958)
Split off the non-crypto related parts of lib/afs.c into
lib/afs_settoken.c. This makes wbinfo link without -lcrypto.
Commit vfs_afsacl.c, display & set AFS acls via the NT security editor.
Volker
(This used to be commit 43870a3fc1)
Implement vfs_full_audit.c that can log every vfs.h operation. So if you
change vfs.h, from now on you also have to change full_audit :-)
Volker
(This used to be commit 9cb9c5f7c9)
the main ntlm_auth program.
It quite possibly should belong in smbtorture, but relies on the
winbind client for now.
Andrew Bartlett
(This used to be commit 6e1b7a8848)
stream. This is to implement wbinfo -k that asks winbind for authentication
which then creates the AFS token for the authenticated user.
Volker
(This used to be commit 2df6750a07)
bad time locally, updating the directory only for hitting the policy limit
or resetting.
This needed to be done at the passdb level rather than auth, because some
of the functions need to be supported from tools such as pdbedit. It was
done at the LDAP backend level instead of generically after discussion,
because of the complexity of inserting it at a higher level.
The login cache read/write/delete is outside of the ldap backend, so it could
easily be called by other backends. tdbsam won't call it for obvious
reasons, and authors of other backends need to decide if they want to
implement it.
(This used to be commit 2a679cbc87)
Big thanks to tpot and mbp for showing how easy it can be to write a simple
unit test, and for providing the STF.
This also changes the strstr_m() code to use strstr_w() (avoiding
duplication) and fixes it so that it passes the STF.
(We now always restart before doing the unicode run, until sombody can
show me why the testsuite is wrong).
Andrew Bartlett
(This used to be commit a893a324f3)
* remove corrupt tdb and shutdown (only for printing tdbs, connections,
sessionid & locking)
* decrement smbd counter in connections.tdb in smb_panic()
* various Makefile hack to get things to link
'max smbd processes' looks like it might be broken. The counter KEY is not
being set. Will look into that tomorrow.
(This used to be commit 6e22c5da92)
in lib/smbpasswd.c that were exact duplicates of functions in passdb/passdb.c
(These should perhaps be pulled back out to smbpasswd.c, but that can occour
later).
Andrew Bartlett
(This used to be commit fcdc5efb1e)
As well as avoiding DOS charset issues, this scheme returns useful error
codes, that we can map back via the pam interface.
This patch also cleans up the interfaces used for password buffers, to
avoid duplication of code.
Andrew Bartlett
(This used to be commit 2a2b1f0c87)
domains, this patch ensures that we always use the ADS backend when
security=ADS, and the remote server is capable.
The routines used for this behaviour have been upgraded to modern Samba
codeing standards.
This is a change in behaviour for mixed mode domains, and if the trusted
domain cannot be reached with our current krb5.conf file, we will show
that domain as disconnected.
This is in line with existing behaviour for native mode domains, and for
our primary domain.
As a consequence of testing this patch, I found that our kerberos error
handling was well below par - we would often throw away useful error
values. These changes move more routines to ADS_STATUS to return
kerberos errors.
Also found when valgrinding the setup, fix a few memory leaks.
While sniffing the resultant connections, I noticed we would query our
list of trusted domains twice - so I have reworked some of the code to
avoid that.
Andrew Bartlett
(This used to be commit 7c34de8096)
:-).
"here's a patch which ports the samba 2.2 samba_linux_quota.h stuff to 3_0.
This is needed because of so many broken quota files outthere.
Please, test this with old, new kernels
(strucr dqblk, struct mem_dqblk, and struct if_dqblk)
, quota.user, aquota.user formats
what is when a user is over soft quota and over hard quotas..."
Jeremy.
(This used to be commit 4350aa6ce6)
- Add pgSQL backend (based on patch by Hamish Friedlander)
- Use query generate functions from pdb_mysql and pdb_pgsql
- Only pdb_pgsql.c needs to be changed whenever the fields in SAM_ACCOUNT change
(This used to be commit 65ad2c02fd)
subsystem into a seperate file - ntlm_check.c.
This allows us to call these routines from ntlm_auth. The purpose of this
exercise is to allow ntlm_auth (when operating as an NTLMSSP server) to
avoid talking to winbind. This should allow for easier debugging.
ntlm_auth itself has been reorgainised, so as to share more code between
the SPNEGO-wrapped and 'raw' NTLMSSP modes. A new 'client' NTLMSSP mode
has been added, for use with a Cyrus-SASL module I am writing (based on vl's
work)
Andrew Bartlett
(This used to be commit 48315e8fd2)
MacOSX (Darwin) specific charset module code. Also had to add AC_CHECK_CPP
to configure.in (this took a *long* time to track down) to make autoconf
work correctly on Fedora Core 1.
Jeremy.
(This used to be commit c51d974b18)
this is not called by default and I don't think it should be - I think
the programmer should specifically ask for pch generation when they
want it.
(This used to be commit ef01aedfb4)
the trouble of detecting what the PIC suffix should actually be.
Change PICFLAG in configure.in to PICFLAGS for consistency.
Patches from Joachim Schmitz <schmitz@hp.com> for bug 574.
(This used to be commit ecfbc5f529)
(no need to include all of smbd files to use some basic sec functions)
also minor compile fixes
couldn't compile to test these due to some kerberos problems wirh 3.0,
but on HEAD they're working well, so I suppose it's ok to commit
(This used to be commit c78f2d0bd1)
this (HPUX 11). Currently it's initialised to 'ar' but this may have
to be changed if any systems pop up that have archivers that aren't
named 'ar'. Closes bug #552.
(This used to be commit 6aada3bd3e)
This implements some kind of improved AFS support for Samba on Linux with
OpenAFS 1.2.10. ./configure --with-fake-kaserver assumes that you have
OpenAFS on your machine. To use this, you have to put the AFS server's KeyFile
into secrets.tdb with 'net afskey'. If this is done, on each tree connect
smbd creates a Kerberos V4 ticket suitable for use by the AFS client and
gives it to the kernel via the AFS syscall. This is meant to be very
light-weight, so I did not link in a whole lot of libraries to be more
platform-independent using the ka_SetToken function call.
Volker
(This used to be commit 5775690ee8)
kerberos symbols unless I do the same as smbd does. It does not hurt
on my debian, so simply give a pointer to LDAPLIBS as well.
Volker
(This used to be commit 353d527291)
relocatable form.
Added a comment about this in the hope that it won't happen again.
Renamed PAM_WINBIND_OBJ to PAM_WINBIND_PICOBJ to make it a bit clearer.
(This used to be commit 04797e12d8)
Now all 8-bit charsets with gaps (not all symbols defined) could be produced through
one macro -- SMB_GENERATE_CHARSET_MODULE_8_BIT_GAP(CHARSETNAME) within source file
with three charset tables. Full source code for such modules can be generated by
source/script/gen-8bit-gap.sh script which was taken from GNU libc and changed slightly
to follow our data types and structure.
(This used to be commit 37042c7bc0)
pam_smbpass.so will load ok. Had to move some functions around to work
around dependency problems (hence the new passdb/lookup_sid.c)
Also make sure that libsmbclient.a is built and installed when
we support shared libraries.
(This used to be commit 780055f442)
We now fallback to Samba-provided CP850 charset module if CP850 or IBM850 does not exist on target system at runtime.
1. Introduce CP850 charset module based on charmaps table from GNU libc 2.2.5
2. Make CP850 charset module shared and build it by default
Should fix Solaris run-time
(This used to be commit e855dc8c91)
smbadduser must obeys the paths from configure options
* Try to get libsmbclient files installed during 'make install'
Still one outstanding problem with static lib. INSTALLCLIENTCMD_A
is not getting set correctly.
(This used to be commit 50ab28bd25)
same ads_verify_ticket routine that smbd uses, so in the current state
we have to be have the host password in secrets.tdb instead of the
keytab. This means we have to be an ADS member, but it's a start.
Volker
(This used to be commit dc2d2ad467)
10 for data contents as well) and creates a packet trace readable by
ethereal.
What does not work yet:
- SMB data contents (log level 5)
- SMB data contents beyond the 512 byte range (log level 99 or something?)
(This used to be commit 95b1d4933b)
There is a workaround documented in the bug report.
This patch does:
* add server support for the LSA_DS UUID on the lsarpc pipe
* store a list of context_ids/api_structs in the pipe_struct
so that we don't have to lookup the function table for a pipe.
We just match the context_id. Note that a dce/rpc alter_context
does not destroy the previous context so it is possible to
have multiple bindings active on the same pipe. Observed from
standalone win2k sp4 client.
* added server code for DsROleGetPrimaryDOmainInfo() but disabled it
since it causes problems enumerating users and groups from a 2ksp4
domain member in a Samba domain.
(This used to be commit 96bc2abfcb)
NTLMSSP with "" username, NULL password), and add --machine-pass (-P) to
all of Samba's clients.
When connecting to an Active Directory DC, you must initiate the CIFS level
session setup with Kerberos, not a guest login. If you don't, your machine
account is demoted to NT4.
Andrew Bartlett
(This used to be commit 3547cb3def)
Anybody familiar with Makefile.in could you please look at this?
This is probably the wrong way to fix this.
Volker
(This used to be commit 9a04750dea)
Tested on a large combination of operating systems and versions.
Hopefully the build farm will find any remaining nasties if they
exist.
(This used to be commit 2e42fa3d72)
* is_trusted_domain() is broken without winbind. Still working on this.
* get_global_sam_name() should return the workgroup name unless we
are a standalone server (verified by volker)
* Get_Pwnam() should always fall back to the username (minus domain name)
even if it is not our workgroup so that TRUSTEDOMAIN\user can logon
if 'user' exists in the local list of accounts (on domain members w/o
winbind)
Tested using Samba PDC with trusts (running winbindd) and a Samba 3.0
domain member not running winbindd.
notes: make_user_info_map() is slightly broken now due to the
fact that is_trusted_domain() only works with winbindd. disabled
checks temporarily until I can sort this out.
(This used to be commit e1d6094d06)
object files for modules are in .po files, while object files for
static use are in .o files. Pointed out by metze.
This reduces the number of files that have to be recompiled after the Makefile
changes. Preventing unnecessary recompiling of the other few is high
on my todo list.
(This used to be commit b9b46d43c7)
*) consolidates the dc location routines again (dns
and netbios) get_dc_list() or get_sorted_dc_list()
is the authoritative means of locating DC's again.
(also inludes a flag to get_dc_list() to define
if this should be a DNS only lookup or not)
(however, if you set "name resolve order = hosts wins"
you could still get DNS queries for domain name IFF
ldap_domain2hostlist() fails. The answer? Fix your DNS
setup)
*) enabled DOMAIN<0x1c> lookups to be funneled through
resolve_hosts resulting in a call to ldap_domain2hostlist()
if lp_security() == SEC_ADS
*) enables name cache for winbind ADS backend
*) enable the negative connection cache for winbind
ADS backend
*) removes some old dead code
*) consolidates some duplicate code
*) moves the internal_name_resolve() to use an IP/port pair
to deal with SRV RR dns replies. The namecache code
also supports the IP:port syntax now as well.
*) removes 'ads server' and moves the functionality back
into 'password server' (which can support "hostname:port"
syntax now but works fine with defaults depending on
the value of lp_security())
(This used to be commit d7f7fcda42)
groupmap'. The correct way to implement this stuff is via a function
table, as exampled in all the other parts of 'net'.
This also moves the idmap code into a new file. Volker, is this your
code? You might want to put your name on it.
Andrew Bartlett
(This used to be commit 477f2d9e39)
This replaces the universal group caching code (was originally
based on that code). Only applies to the the RPC code.
One comment: domain local groups don't show up in 'getent group'
that's easy to fix.
Code has been tested against 2k domain but doesn't change anything
with respect to NT4 domains.
netsamlogon caching works pretty much like the universal group
caching code did but has had much more testing and puts winbind
mostly back in sync between branches.
(This used to be commit aac01dc7bc)
fails to build on a ton of platforms as it completely bypasses all of
our portability code.
if you want it then use 'make bin/editreg'. If some distros want to
add that to their spec files then thats up to them, but we really
can't have non-portable code unconditionally built in our main tree.
(This used to be commit 3c66111f32)
* remove 'winbind uid' and 'winbind gid' parameters (replaced
by current idmap parameter)
* create the sambaUnixIdPool entries automatically in the 'ldap
idmap suffix'
* add new 'ldap idmap suffix' and 'ldap group suffix' parametrer
* "idmap backend = ldap" now accepts 'ldap:ldap://server/' format
(parameters are passed to idmap init() function
(This used to be commit 1665926281)
Includes sambaUnixIdPool objectclass
Still needs cleaning up wrt to name space.
More changes to come, but at least we now have a
a working distributed winbindd solution.
(This used to be commit 8241758544)
- Use absolute directories for $builddir and $srcdir in the Makefile
- Don't try and combine source files in $builddir and $srcdir to build
proto.h. It's just too hard to get it right across all targets we
wish to compile on. Use a hand created prototype for the single
function in smbd/build_options.c that we need. This allows us to ditch
all the extra sed work that was causing problems: \t not portable - hah!
- Fix bogus delheaders target to remove the correct files
This appears to work quite nicely now. Let's see how it goes on the
buildfarm machines.
(This used to be commit 456184463d)
We really need idmap_ldap to have a good solution with ldapsam, porting
it from the prvious code is beeing made, the code is really simple to do
so I am confident it is not a problem to commit this code in.
Not committing it would have been worst.
I really would have been able to finish also the group code, maybe we can
put it into a followin release after 3.0.0 even if it may be an upgrade
problem.
The code has been tested and seem to work right, more testing is needed for
corner cases.
Currently winbind pdc (working only for users and not for groups) is
disabled as I was not able to make a complete group code replacement that
works somewhat in a week (I have a complete patch, but there are bugs)
Simo.
(This used to be commit 0e58085978)
1. Allows to change quota settings for shared mount points from Win2K and WinXP from Explorer properties tab
2. Disabled by default and when requested, will be probed and enabled only on Linux where it works
3. Was tested for approx. two weeks now on Linux by two independent QA teams, have not found any bugs so far
Documentation to follow
(This used to be commit 4bf022ce9e)
source file. I will be making changes to sock_exec to work on VOS, which
has a blocking connect() call, but first I want to get it in its own source
file so that it can be called from a test program.
(This used to be commit 10bf65d335)
build options, so we will always have the right values for how and when
an smbd was built.
In particular, this is indended to address bitrot caused by configure.in
changes.
Andrew Bartlett
(This used to be commit 2be258071c)
This includes the 'SIDs Rule' patch, mimir's trusted domains cacheing code,
the winbind_idmap abstraction (not idmap proper, but the stuff that held up
the winbind LDAP backend in HEAD).
Andrew Bartlett
(This used to be commit d4d5e6c2ee)
Need to check on where the privilege code is sitting
and update the docs.
Examples:
root# bin/net help groupmap
net groupmap add
Create a new group mapping
net groupmap modify
Update a group mapping
net groupmap delete
Remove a group mapping
net groupmap list
List current group map
# bin/net groupmap add
Usage: net groupmap add rid=<int> name=<string> type=<domain|local|builtin> [comment=<string>]
# bin/net groupmap delete
Usage: net groupmap delete name=<string|SID>
# bin/net groupmap modify
Usage: net groupmap modify name=<string|SID> [comment=<string>] [type=<domain|local>
(This used to be commit f2fd0ab41f)
- whitespace syncup
- winbind nss client cleanups
- new rpc echo pipe
- prettier warnings for out of date autoconf scripts
(This used to be commit bb812d1670)