IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
We force using a MEMORY ccache though in the wkssvc server.
Guenther
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Wed Sep 21 19:13:33 CEST 2011 on sn-devel-104
There is no reason this can't be a normal constant string in the
loadparm system, now that we have lp_set_cmdline() to handle overrides
correctly.
Andrew Bartlett
Most fault codes have a NTSTATUS representation, so use that.
This brings the fault handling in common with the source4/librpc/rpc code,
which make it possible to share more highlevel code, between source3 and
source4 as the error checking can be the same now.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Sun Apr 24 10:44:53 CEST 2011 on sn-devel-104
This will reduce the noise from merges of the rest of the
libcli/security code, without this commit changing what code
is actually used.
This includes (along with other security headers) dom_sid.h and
security_token.h
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
Modern Kerberos implementations have either defines or enums for these
key types, which makes doing #ifdef difficult. This shows up in files
such as libnet_samsync_keytab.c, the bulk of which is not compiled on
current Fedora 12, for example.
The downside is that this makes Samba unconditionally depend on the
arcfour-hmac-md5 encryption type at build time. We will no longer
support libraries that only support the DES based encryption types.
However, the single-DES types that are supported in common with AD are
already painfully weak - so much so that they are disabled by default
in modern Kerberos libraries.
If not found, ADS support will not be compiled in.
This means that our 'net ads join' will no longer set the
ACB_USE_DES_KEY_ONLY flag, and we will always try to use
arcfour-hmac-md5.
A future improvement would be to remove the use of the DES encryption
types totally, but this would require that any ACB_USE_DES_KEY_ONLY
flag be removed from existing joins.
Andrew Bartlett
Signed-off-by: Simo Sorce <idra@samba.org>
Due to missing defines in modern kerberos libraries, this code was
not compiled and so this wasn't noticed.
Andrew Bartlett
Signed-off-by: Simo Sorce <idra@samba.org>
This matches the structure that new code is being written to,
and removes one more of the old-style named structures, and
the need to know that is is just an alias for struct dom_sid.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
This shrinks include/includes.h.gch by the size of 7 MB and reduces build time
as follows:
ccache build w/o patch
real 4m21.529s
ccache build with patch
real 3m6.402s
pch build w/o patch
real 4m26.318s
pch build with patch
real 3m6.932s
Guenther
The documentation shows that all these functions in fact use the same
flags variable type. To be consistent between functions, and to allow
easy reference to the WSPP docs, it is better for us to also use this
generic DrsOptions bitfield rather than one per operations.
It turns out in win32 ERROR_DC_NOT_FOUND exists and it is
an error for Device Context (DC), not Domain Controller
Signed-off-by: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
"net ads leave" stopped working when "modify properties"
permissions were not granted (meaning you had to be allowed
to disable the account that you were about to delete).
Libnetapi should not delete machine accounts, as this does not
happen on win32. The WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE flag
really means "disable" (both in practice and docs).
However, to keep the functionality in "net ads leave", we
will still try to do the delete. If this fails, we try
to do the disable.
Additionally, it is possible in windows to not disable or
delete the account, but just tell the local machine that it
is no longer in the account. libnet can now do this as well.
What a difference a name makes... :-). Just because something is missnamed
SAMR_ACCESS_OPEN_DOMAIN, when it should actually be SAMR_ACCESS_LOOKUP_DOMAIN,
don't automatically use it for a security check in _samr_OpenDomain().
Jeremy.
This commit is mostly to cope with the removal of SamOemHash (replaced
by arcfour_crypt()) and other collisions (such as changed function
arguments compared to Samba3).
We still provide creds_hash3 until Samba3 uses the credentials code in
netlogon server
Andrew Bartlett
Also remove ads_memfree(), which was only ever a wrapper around
SAFE_FREE, used only to free the DN from ads_get_ds().
This actually makes libgpo more consistant, as it mixed a talloc and a
malloc based string on the same element.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
We absolutely need to avoid messing with the sync_context as that breaks the
stream of replication data coming from the DC (only replicates ~350 instead of
~4000 groups).
Guenther
The first is "kerberos method" and replaces the "use kerberos keytab"
with an enum. Valid options are:
secrets only - use only the secrets for ticket verification (default)
system keytab - use only the system keytab for ticket verification
dedicated keytab - use a dedicated keytab for ticket verification.
secrets and keytab - use the secrets.tdb first, then the system keytab
For existing installs:
"use kerberos keytab = yes" corresponds to secrets and keytab
"use kerberos keytab = no" corresponds to secrets only
The major difference between "system keytab" and "dedicated keytab" is
that the latter method relies on kerberos to find the correct keytab
entry instead of filtering based on expected principals.
The second parameter is "dedicated keytab file", which is the keytab
to use when in "dedicated keytab" mode. This keytab is only used in
ads_verify_ticket.
version.h changes rather frequently. Since it is included via includes.h,
this means each C file will be a cache miss. This applies to the following
situations:
* When building a new package with a new Samba version
* building in a git branch after calling mkversion.sh
after a new commit (i.e. virtually always)
This patch improves the situation in the following way:
* remove inlude "version.h" from includes.h
* Use samba_version_string() instead of SAMBA_VERSION_STRING
in files that use no other macro from version.h instead of
SAMBA_VERSION_STRING.
* explicitly include "version.h" in those files that use more
macros from "version.h" than just SAMBA_VERSION_STRING.
Michael
"I believe I have found two bugs in the 3.2 code and one bug that
carried on to the 3.3 branch. In the 3.2 code, everything is
located in the utils/net_rpc_samsync.c file. What I believe is the
first problem is that fetch_database() is calling
samsync_fix_delta_array() with rid_crypt set to true, which means
the password hashes are unencrypted from the RID encryption.
However, I believe this call is redundant, and the corresponding
call for samdump has rid_crypt set to false. So I think the
rid_crypt param should be false in fetch_database().
If you follow the code, it makes its way to sam_account_from_delta()
where the password hashes are decrypted a second time by calling
sam_pwd_hash(). I believe this is what is scrambling my passwords.
These methods were refactored somewhere in the 3.3 branch. Now the
net_rpc_samsync.c class calls rpc_vampire_internals, which calls
libnet/libnet_samsync.c, which calls samsync_fix_delta_array() with
rid_crypt always set to false. I think that's correct. But the
second bug has carried through in the sam_account_from_delta()
function:
208 if (memcmp(r->ntpassword.hash, zero_buf, 16) != 0) {
209 sam_pwd_hash(r->rid, r->ntpassword.hash, lm_passwd, 0);
210 pdb_set_lanman_passwd(account, lm_passwd, PDB_CHANGED);
211 }
212
213 if (memcmp(r->lmpassword.hash, zero_buf, 16) != 0) {
214 sam_pwd_hash(r->rid, r->lmpassword.hash, nt_passwd, 0);
215 pdb_set_nt_passwd(account, nt_passwd, PDB_CHANGED);
If you look closely you'll see that the nt hash is going into the
lm_passwd variable and the decrypted value is being set in the lanman
hash, and the lanman hash is being decrypted and put into the nt hash
field. So the LanMan and NT hashes look like they're being put in
the opposite fields."
Fix this by removing the rid_crypt parameter.
Jeremy.
This is a workaround for the cases where you want to join under a netbios name
that is different from your hostname, i.e. a name that can not be found in
/etc/hosts or dns. In these cases, name_to_fqdn fails or gives invalid results.
With gcc 4.1.3 on Ubuntu 7.10 the following build warning occurs:
Compiling libnet/libnet_samsync_keytab.c
cc1: warnings being treated as errors
libnet/libnet_samsync_keytab.c: In function ‘fetch_sam_entries_keytab’:
libnet/libnet_samsync_keytab.c:102: warning: ‘entry.enctype’ is used uninitialized in this function
Fixed by initializing to ENCTYPE_NULL
Use the libnet_dssync_context as a talloc context for the
result_message and error_message string members.
Using the passed in mem_ctx makes the implicit assumption
that mem_ctx is at least as long-lived as the libnet_dssync_context,
which is wrong.
Michael
(This used to be commit 635baf6b7d)
Initialize it to false.
And pass it down to the libnet_keytab context in
libnet_dssync_keytab.c:keytab_startup().
Unused yet.
Michael
Note: This might not be not 100% clean design to put this into the
toplevel dssync context while it is keytab specific. But then, on the
other hand, other imaginable backends might want to use this flag, too...
(This used to be commit 12e884f227)
to allow for removing all entries with given principal and enctype without
repecting the kvno (i.e. cleaning "old" entries...)
This is called with ignore_kvno == false from libnet_keytab_add_entry() to
keep the original behaviour.
Michael
(This used to be commit 6047f7b685)
I.e. only the passwords and keys of those objects whose dns are provided
are written to the keytab file. Others are skippded.
Michael
(This used to be commit a013f926ae)
Just specify several DNs separated by spaces on the command line of
"net rpc vampire keytab" to get the passwords for each of these
accouns via single object replication.
Michael
(This used to be commit 6e53dc2db8)
Untangle parsing of results and processing.
Make loop logic more obvious.
Call finishing operation after the loop, not inside.
Michael
(This used to be commit 47c8b3391c)
When retreiving a diff replication, the sAMAccountName attribute is usually
not replicated. So in order to build the principle, we need to store the
sAMAccounName in the keytab, referenced by the DN of the object, so that
it can be retrieved if necessary.
It is stored in the form of SAMACCOUNTNAME/object_dn@dns_domain_name
with kvno=0 and ENCTYPE_NONE.
Michael
(This used to be commit 54e2dc1f4e)
This makes libnet_keytab_remove_entries static and moves it up.
libnet_keytab_add_entry() now removes the duplicates in advance.
No special handling neede for the UTDV - this is also needed
for other entries...
Michael
(This used to be commit 3c46374544)
This is a stripped down version of smb_krb5_kt_add_entry() that
takes one explicit enctype instead of an array. And it does
not neither salting of keys nor cleanup of old entries.
Michael
(This used to be commit c83e54f1eb)
