IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Jump out of sam entry processing loop if the return value from
cli_netlogon_sam_sync() isn't OK or STATUS_MORE_ENTRIES.
(This used to be commit 47d8ee3679)
channel:
- If the domain name passed to create_rpc_bind_req() is empty, use
lp_workgroup()
- Correctly set the auth_padding field when the send_size is a multiple
of 8 bytes
I've tested with nt4sp6 and win2ksp0 and it seems to work, although
there are no password hashes transferred from win2k. The empty
passwords are being protected by the secure channel encryption though.
(This used to be commit a8c11e8556)
1. Allows to change quota settings for shared mount points from Win2K and WinXP from Explorer properties tab
2. Disabled by default and when requested, will be probed and enabled only on Linux where it works
3. Was tested for approx. two weeks now on Linux by two independent QA teams, have not found any bugs so far
Documentation to follow
(This used to be commit 4bf022ce9e)
1. idmap.h is used for unid_t only, agreed by Simo
2. sysquotas.h is used to add quota support to VFS layer and is needed for future NT quota commit
3. vfs_macros.h provides convenient macros to access VFS API.
(This used to be commit 1dd5786359)
1. Finally work with cascaded modules with private data storage per module
2. Convert VFS API to macro calls to simplify cascading
3. Add quota support to VFS layer (prepare to NT quota support)
Patch by Stefan (metze) Metzemacher, with review of Jelmer and me
Tested in past few weeks. Documentation to new VFS API for third-party developers to follow
(This used to be commit 91984ef5ca)
password. On NT4, NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT means
the password was correct. So the PDC believed that he had his trust
account correctly added. Later the auth2 naturally failed.
BTW, setting up an interdom trust account is not what I would call
well documented and easy to handle... Working on that now :-)
Volker
(This used to be commit e4e44cf3b1)
useful in the auth verifier yet. So this patch ignores it.
Really checking this would be a lot more intrusive: in rpc_api_pipe we
would have to distinguish between binds and normal requests, or have
more state in the netsec info of cli_state, which is also somewhat
hackish.
Volker
(This used to be commit 8de04fcf68)
primaryGroupID (rid). This is consistant with the move from 'rid' to ntSid
for the primary user identifier.
Also cope with legacy installations where primaryGroupID might have been
stored as 0.
Andrew Bartlett
(This used to be commit 0e432817cb)
that is now possible to, for example, load a module which contains
an auth method into a binary without the auth/ subsystem built in.
(This used to be commit 74d9ecfe2d)
structure-memcpy for DATA_BLOB parameters to using a pointer to that DATA_BLOB.
auth_sam calls some of these functions, so I've cleaned it all up to use this
format now.
Also clean up some debug statements to make them easier to read.
Andrew Bartlett
(This used to be commit 0c355c274a)
With big thanks to tpot for the ethereal disector, and for the base code
behind this, we now fully support NTLMv2 as a client.
In particular, we support it with direct domain logons (tested with ntlm_auth
--diagnostics), with 'old style' session setups, and with NTLMSSP.
In fact, for NTLMSSP we recycle one of the parts of the server's reply directly...
(we might need to parse for unicode issues later).
In particular, a Win2k domain controller now supplies us with a session key
for this password, which means that doman joins, and non-spnego SMB signing
are now supported with NTLMv2!
Andrew Bartlett
(This used to be commit 9f6a26769d)
- auth with ntlmv2 and lmv2 but deliberately break the ntlmv2 hash
- auth with ntlmv2 and lmv2 but deliberately break the lmv2 hash
- auth with ntlm and lm but deliberately break the ntlm hash
- auth with ntlm and lm but deliberately break the lm hash
My theory is that the NTLM or NTLMv2 field must be correct and if it is,
it doesn't matter what the value of the LM or LMv2 field is.
Fixed cosmetic test name display bug.
(This used to be commit 5dcde9451b)
then we weren't always correctly detecting that it had a valid stat struct
and so might now return a 'file existed'. Finally realized this when installing
the W2K resource kit as a test case.
Jeremy.
(This used to be commit a0688316ce)
then we weren't always correctly detecting that it had a valid stat struct
and so might now return a 'file existed'. Finally realized this when installing
the W2K resource kit as a test case.
Jeremy.
(This used to be commit d48069ccd8)
important once we start doing schannel, as there would be a lot more
roundtrips for the second PIPE open and bind. With this patch logging
in to a member server is a matter of two (three if you count the
ack...) packets between us and the DC.
Volker
(This used to be commit 5b3cb7725a)
the other infrastructure with name owners etc in place. If anybody is
really going to tackle winsrepld, it will probably not be hard to put
the additional info back.
Volker
(This used to be commit eb82daa84a)
this world than 'status more entires'...
Also move all the cases to 'NT_STATUS_EQUAL()' to test it.
Andrew Bartlett
(This used to be commit b4645bf066)
(well, under certain conditions :-)
There is no length limit on the size of the authentication response added
into the MD5 hash. (We had previously limited this to lengths like 40, 44 or
64 in attempts to make sense of what the SNIA spec tells us).
Instead, the entire authentication response is added in.
Currently, this only works on a Win2k domain members with a Samba PDC,
becouse our NTLMv2 code currently fails against an Win2k PDC.
However, this splits the problem in half - particularly as the NTLMv2 format
is known, and even has an ethereal disector! (thanks tpot).
Andrew Bartlett
(This used to be commit 7645d3d28a)
lp_workgroup(), for all other server this is global_myname().
This is the name of the domain for accounts on *this* system, and getting
this wrong caused interesting bugs with 'take ownership' on member servers
and standalone servers at Snap.
(They lookup the username that they got, then convert that to a SID - but
becouse the domain out of the smbpasswd entry was wrong, we would fail the
lookup).
Andrew Bartlett
(This used to be commit 5fc78eba20)
Put in a prototype for dummy_snprintf() to quiet compiler warnings.
Move #endif to make sure VA_COPY, LDOUBLE, etc are defined even if
the C library has some snprintf functions already.
(This used to be commit c49cfe1677)
servers don't answer that name. However we *know* they
have the name workgroup#1b (as we just looked it up).
So do the node status request on this name instead.
Found at LBL labs.
Jeremy.
(This used to be commit 41e3abe8b8)
servers don't answer that name. However we *know* they
have the name workgroup#1b (as we just looked it up).
So do the node status request on this name instead.
Found at LBL labs.
Jeremy.
(This used to be commit c5b1654c28)
initialisation code in winbindd_init_common() after the fork when
running in dual daemon mode.
The only tricky bit is we have to run a tdb_reopen_all() somewhere in
the child to avoid tdb corruption.
Fixed bug #60.
(This used to be commit 25e55aca0f)
key, so we can test it in ntlm_auth.
I suspect the 'lm' version doesn't exist, but it's easy to change back.
Andrew Bartlett
(This used to be commit 5efd95622c)
Our NTLMv2 client code needs work, becouse we don't get the session key for
any of the NTLMv2 stuff...
Also test some of the more 'odd' auth cases - like putting the NT password
into the LM feild.
Clean up some static globals into static locals.
Andrew Bartlett
(This used to be commit 62f0acc991)
directly - fixed problem where the last line of the link command was
'\ @LDAP_LIBS@'. If @LDAP_LIBS@ is zero then the backslash
incorrectly includes the next line of the Makefile in the current
target.
This should fix a bucketload of build farm failures.
(This used to be commit 895bef1a62)
This should make it clearer what magic numbers refer to the magic numbers
in the CIFS spec, and what bits and peices are being appended into the MD5
calculation where.
Andrew Bartlett
(This used to be commit 7f1c271cfb)
Now the IRIX and non-irix cases for one of these switch statements is the same,
eliminate the statement...
We now use autoconf > 2.50, so we can use some of it's features.
We also need to correctly include the magic for building vfs_fake_perms.
(This used to be commit a4ec8a6151)
add winbindd_passdb backend
this makes it possible to have nua accounts on security = user servers to
show up in unic through nss_winbind.so
the problem is that we do not have group support, so nss group support is
not very good at this time (read: totally absent)
we NEED group support in passdb
(This used to be commit 921215cf4b)
fixed I would like to see this tested a bit more. Default the schannel
stuff to auto which means 'offer, but do not enforce'.
Volker
(This used to be commit 7a1b8409be)
make a new sam_Account contain our domain by default, windows will complain
on logon otherwise.
fix stupid typo in idmap_util.c
(This used to be commit 21701876dc)
source file. I will be making changes to sock_exec to work on VOS, which
has a blocking connect() call, but first I want to get it in its own source
file so that it can be called from a test program.
(This used to be commit 10bf65d335)
source file. I will be making changes to sock_exec to work on VOS, which
has a blocking connect() call, but first I want to get it in its own source
file so that it can be called from a test program.
(This used to be commit 2dd18ca0cf)
few fixes to *id_to_*id functions, we don't set the mapping for algoritmic
RIDs, they are resolved in the classic way
eliminate getpw* calls from tdbsam
(This used to be commit 6a7689cf74)
SAM_ACCOUNT does not have anymore uid and gid fields
all the code that used them has been fixed to use the proper idmap calls
fix to idmap_tdb for first time idmap.tdb initialization.
auth_serversupplied_info structure has now an uid and gid field
few other fixes to make the system behave correctly with idmap
tested only with tdbsam, but smbpasswd and nisplus should be ok
have not tested ldap !
(This used to be commit 6a6f603246)
Net.exe on windows won't allow more than 50 characters to be entered, but
through AD you can have much more than this.
(This used to be commit ca2886c938)
set one - new accounts -> domain users, unless otherwise specified.
This moves that logic from pdb_set_sam_sids() into pdb_init_sam_new(), which
is called by all the 'new account' creators. (pdb_set_sam_sids() now only
deals with the mapping from an existing account)
Andrew Bartlett
(This used to be commit 2c7b3d9fd5)
his IDMAP work.
This version also works properly (the HEAD version had suffered from bitrot),
and should be a good basis to change into the new IDMAP rules.
It also includes UTF8 conversions.
Included also are the schema changes, and a note about the now very old scripts
in examples/LDAP (they don't work for this, or even the previous schema).
Andrew Bartlett
(This used to be commit 38a8f2b23a)
to the system. This means that we always run Get_Pwnam(), and can never add
FOO when foo exists on the system (the idea is to instead add foo into
the passdb, using it's full name, RID etc).
Andrew Bartlett
(This used to be commit bb79b127e0)
reverted user making function, did not pass the abartlet test :-)
idmap is now fully integrated, we only miss user creation and removal of uid
and gid from SAM_ACCOUNT
(This used to be commit 67af8c2658)
This patch removes 'non unix account range' (same as idra's change in HEAD),
and uses the winbind uid range instead.
More importanly, this patch changes the LDAP schema to use 'ntSid' instead
of 'rid' as the primary attribute. This makes it in common with the group
mapping code, and should allow it to be used closely with a future idmap_ldap.
Existing installations can use the existing functionality by using the
ldapsam_compat backend, and users who compile with --with-ldapsam will get
this by default.
More importantly, this patch adds a 'sambaDomain' object to our schema -
which contains 2 'next rid' attributes, the domain name and the domain sid.
Yes, there are *2* next rid attributes. The problem is that we don't 'own'
the entire RID space - we can only allocate RIDs that could be 'algorithmic'
RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be
mapped by IDMAP, not the algorithm.
Andrew Bartlett
(This used to be commit 3e07406ade)
>Replace workgroup global variable with lp_workgroup()
>
>Call lp_load() before parsing command line options so we can override
>the workgroup value with the -W switch.
(This used to be commit 272d06369d)
Call lp_load() before parsing command line options so we can override
the workgroup value with the -W switch.
Fixes bug #39.
(This used to be commit 56f070cd52)
change idmap_init call
removed ldap backend for winbind idmap, seem it had problems anyway and it
have to be reworked to work with idmap without calling winbind code.
simo
(This used to be commit 9d7d007443)
'UF8-safe' LDAP code.
I hope I've caught all the places where we were pushing strings into or
out of LDAP now.
Andrew Bartlett
(This used to be commit 70bf7a5f71)
This uses 'socket address' as the source address for nmbd. This way we
can again synchronize with the DMB if we have 'bind interfaces only'
to a virtual interface.
I'd love to see this in 2.2.9, but that is up to jerry or jra.
Volker
(This used to be commit 5e305e4255)
This uses 'socket address' as the source address for nmbd. This way we
can again synchronize with the DMB if we have 'bind interfaces only'
to a virtual interface.
I'd love to see this in 2.2.9, but that is up to jerry or jra.
Volker
(This used to be commit fe637c690b)
the writing of a registry tree, since I can store the header, and the first
key (NK_REC) and the SD associated with that key, the SK_REC.
(This used to be commit abced0ed9e)
- return NT_STATUS_NO_MEMORY instead of NT_STATUS_UNSUCESSFUL if a
talloc fails
- don't try and tallocate memory when the number of entries returned was
zero
- rename some cut&pasted variable names in enum domain aliases function
(This used to be commit aa748e1da5)
>When calling cli_samr_enum_{dom,als}_groups in a while loop, the
>terminating condition should be result != STATUS_MORE_ENTRIES, not
>result == NT_STATUS_OK otherwise we get stuck in an infinite loop
>when there's any sign of trouble.
(This used to be commit 4998a72cf8)
- return NT_STATUS_NO_MEMORY instead of NT_STATUS_UNSUCESSFUL if a
talloc fails
- don't try and tallocate memory when the number of entries returned was
zero
- rename some cut&pasted variable names in enum domain aliases function
(This used to be commit cb94b2b2d1)
terminating condition should be result != STATUS_MORE_ENTRIES, not
result == NT_STATUS_OK otherwise we get stuck in an infinite loop
when there's any sign of trouble.
(This used to be commit 2266d281a4)
