- use the PFC_CONC_MPX flag for the 3rd connection
- to DsGetNCChanges requests on the 3rd connection with the bind handle
from the 2nd connection to match w2k3
metze
(This used to be commit 5071af332c)
"ntPwdHash" => "unicodePwd"
"lmPwdHash" => "dBCSPwd"
"sambaLMPwdHistory" => "lmPwdHistory"
"sambaNTPwdHistory" => "ntPwdHistory"
Note: you need to reprovision after this change!
metze
(This used to be commit dc4242c09c)
because talloc_asprintf_append() doesn't work like talloc_append_string()
which uses strlen() on the old string instead of (tc->size - 1)
This matters in this case because strlower_talloc() over allocates
tridge: how should we fix this in lib/talloc/?
metze
(This used to be commit 1748af20b1)
behaviors and the schema version is what the caller expects.
also a callback prepares the new database and commits chunks
to the partitions
metze
(This used to be commit 9b5116be2e)
trigger the caller to call the _recv() function again and will be an endless
loop.
this is just a fix to prevent this, and use a more useful error code
than NT_STATUS_UNSUCCESSFUL
I think we should move the checks about valid responses into the function
which receives the response (here continue_name_found()),
so that the _recv() function only needs to transfer the output vars to the caller
without any logic to analyse the network response.
metze
(This used to be commit c02048f480)
enough memory for the new sub_auth element.
the old version wrote behind the buffer.
also make the output sid a pointer.
metze
(This used to be commit b9901d5f8c)
particular to verify more expected results.
Also return more details from the join process. Now we also return
the machine account's GUID.
Andrew Bartlett
(This used to be commit 5b32f102af)
- implement set userAccountControl = UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION
- implement moving to CN=Domain Controllers
metze
(This used to be commit c4037880a0)
- implement rootdse search on the 1st LDAP connection
- implement msDs-Behavior-Version and objectVersion searches on the 1st LDAP connection
metze
(This used to be commit b9b705b7dd)
- as the SetUserInfo2() levels 26/25 and 24/23 have the same encryption
but 26 and 24 change only the password and 25 and 23 take a info21 and change the password,
we now use 26 with fallback to 24 or 25 with fallback to 23.
- use samr_SetUserInfo2() to match what w2k3 does (works also against nt4)
- pass the info21 to libnet_SetPassword() to set acct_flags and full_name
together with the password (to match what w2k3 does)
metze
(This used to be commit 1b86af32f3)
This patch changes a lot of the code in ldb_dn.c, and also
removes and adds a number of manipulation functions around.
The aim is to avoid validating a dn if not necessary as the
validation code is necessarily slow. This is mainly to speed up
internal operations where input is not user generated and so we
can assume the DNs need no validation. The code is designed to
keep the data as a string if possible.
The code is not yet 100% perfect, but passes all the tests so far.
A memleak is certainly present, I'll work on that next.
Simo.
(This used to be commit a580c871d3)
tests). The issue is that Win2k3 SP1 will not answer many LSA
requests on that port (I think this is as a security measure).
In this case, we need to skip ahead in the composite functions.
We were also checking the wrong variable to determine success/failure
of the LsaOpenPolicy2.
Andrew Bartlett
(This used to be commit 67c191305f)
Break up auth/auth.h not to include the world.
Add credentials_krb5.h with the kerberos dependent prototypes.
Andrew Bartlett
(This used to be commit 2b569c42e0)
(in this case domain related) to ensure certain conditions before
doing what libnet function is expected to do.
rafal
(This used to be commit e3159ceeed)
This is a pointer to an element pointer. If it is not null it will be
filled with the pointer of the manipulated element.
Will avoid double searches on the elements list in some cases.
(This used to be commit 0fa5d4bc22)
to perform a lookup once, resolve the name to an IP, while still
communicating the full name to the lower layers, for kerberos etc.
This fixes 'net samdump', which was failing due to the schannel target
name being *smbserver.
Andrew Bartlett
(This used to be commit 0546f487f4)
NULL).
This showed up in a manual pre-TP3 test of the 'net samdump' code, and
shows the critical need for the windows testing infrastructure on the
build farm.
Andrew Bartlett
(This used to be commit 9cef40779a)
of set user info calls one after another (each one using
different info level). Also, try to do as many changes as
possible using a single infolevel.
rafal
(This used to be commit cee9a69ffa)
* Move dlinklist.h, smb.h to subsystem-specific directories
* Clean up ads.h and move what is left of it to dsdb/
(only place where it's used)
(This used to be commit f7afa1cb77)
These two perform name resolving in SAM database and fetching
user account information, respectively. The code is quite rough
yet, but it builds and basic tests work. Now, I'm working on
cleaning it up...
rafal
(This used to be commit 4a932255a0)
properties more consistently reflected.
2) Add domain open routine for lsa pipe - this is needed for ongoing
name resolve function.
Tests (still neglected) and comments to follow.
rafal
(This used to be commit fe5652c2b8)
on ncacn_np, as abartlet suggested. Also, named pipe remains the default
transport for all kinds of servers to be contacted.
rafal
(This used to be commit 76888c74a6)
using different transport and possibly address type, when
the first attempt fails (only if it makes any sense, of course).
This may be especially useful when connecting DCs and PDCs in
mixed environments.
Also, add monitor messages issuing.
rafal
(This used to be commit d69b31230d)
no continue functions) need to report an error by means of state only.
composite_error calls event handler function which frees the context and
state structure. This fixes a segfault in some cases (caught it on modifyuser
test).
rafal
(This used to be commit 9e800fd0cf)
the current API we need to check both that the RPC didn't fault, and
that the query succeeded.
Also print the right things in debug messages.
Andrew Bartlett
(This used to be commit d18e515391)
opened and rpc pipe connected. Each user management routine
calls the function before doing their job
- Initial work on user modify functionality (does nothing yet)
rafal
(This used to be commit 51501cdeef)
- don't check for mem_ctx, ctx and r, we should crash when they're wrong
as it's a programmer error!
- pass the error string to the caller
metze
(This used to be commit 5f65447f5d)
causing ejsnet test to segfault. Also, cleanup a bit and add monitor
fn pointer to internal user delete libnet function.
Time for some comments now.
rafal
(This used to be commit 89e9a88719)
a bit more smart and more aware of what libnet_context can offer.
The context is a help when some of the arguments are not passed
(programmer counts on using sensible defaults) and stores some of
results so that similar subsequent calls don't need to reopen some
of policy handles, pipes, etc. again. It also helps to hide some
of details the library user doesn't really want to know much about.
Also, change domain open function to be part of public api, as
it is going to be used in ejsnet interface.
Note, this is work in progress. Comments are welcome.
rafal
(This used to be commit 1ed80c594c)
around the mess that is composite functions...
Async might be all the rage, but it's bloody painful to debug.
Andrew Bartlett
(This used to be commit 756e1dad7c)
This support requires that the bind_ack and alter_ack recv functions
also be sent the DCE/RPC fault. This would be best done by having the
ack run as a normal RPC reply callback, but this isn't easily possible
for now.
Andrew Bartlett
(This used to be commit be6dde22fe)
and make it async. Also, update any other usages of old function.
Build goes fine and so do tests, comments to follow.
rafal
(This used to be commit aef0a2de9d)
this isn't supported, fallback to NTLM.
Also, where we get a failure as 'logon failure', try and do a '3
tries' for the password, like we already do for CIFS. (Incomplete:
needs a mapping between RPC errors and the logon failure NTSTATUS).
Because we don't yet support Kerberos sign/seal to win2k3 SP1 for
DCE/RPC, disable this (causing SPNEGO to negotiate NTLM) when kerberos
isn't demanded.
Andrew Bartlett
(This used to be commit b3212d1fb9)
Remove some autogenerated headers (which had prototypes now autogenerated by pidl)
Remove ndr_security.h from a few places - it's no longer necessary
(This used to be commit c19c2b51d3)
- VERSION: should contain the current version. Will be made part of the filename.
- SO_VERSION: should contain the latest version that this one is compatible with. Will be used for setting the soname of the shared library.
Fix sonames and use them on platforms that support them
Remove symlinking code. ldconfig will take care of creating the symlinks now
that we set the soname.
(This used to be commit 7871b07e21)
we don't have a server messaging context. We should replace the
datagram messages with stream sockets in this case, so we don't have
to create a unique socket.
Andrew Bartlett
(This used to be commit fd974fb647)
This patch pulls the AD site name generation and site join code from
libnet/libnet_join.c and puts it into a new file, libnet/libnet_site.c.
This way, a common means for site name, configuration dn and server dn
generation exists so it doesn't need to be rewritten in new code (such
as the future libnet_leave for example).
I've made a couple of changes, but nothing dramatic. Nice work Brad!
Andrew Bartlett
(This used to be commit 45f67b3f6d)
Previously, we had to know (or guess) the host and domain guid at the
provision stage. Now we query the database post-provision, to extract
the values and fill in the zone file.
This allows us to generate a correct zone file in the Windows migration case.
In an effort to make SWAT easier to use, I have removed and renamed
some of the provision options.
I have also fixed a nasty issue in my js code. I had implicitly
declared a global variable of the name 'join', with disastrous
results for any subsequent user of the string utility function:
esp exception - ASSERT at lib/appweb/ejs/ejsParser.c:2064, 0
Backtrace:
[ 0] substitute_var:20 -> list[i] = join("", list2)
[ 1] setup_file:9 -> data = substitute_var(data, subobj)
Andrew Bartlett
(This used to be commit a38ceefd11)
the remote server, and to query it for domain information.
Provide and use this information in the SamSync/Vampire callbacks, to allow a
parallel connection to LDAP, if we are talking to AD. This allows us
to get at some important attributes not exposed in the old protocol.
With this, we are able to do an all-GUI vampire of an AD domain from
SWAT, including getting all the SIDs, servicePrincipalNames and the
like correct.
Andrew Bartlett
(This used to be commit 918358cee0)
Doing this required reworking ejsnet, particularly so it could take a
set of credentials, not just a username and password argument.
This required fixing the ejsnet.js test script, which now adds and
deletes a user, and is run from 'make test'. This should prevent it
being broken again.
Deleting a user from ejsnet required that the matching backend be
added to libnet, hooking fortunately onto already existing code for the
actual deletion.
The js credentials interface now handles the 'set machine account' flag.
New functions have been added to provision.js to wrap the basic
operations (so we can write a command line version, as well as the web
based version).
Andrew Bartlett
(This used to be commit a5e7c17c34)
In librpc, always try SMB level authentication, even if trying
schannel, but allow fallback to anonymous. This should better
function with servers that set restrict anonymous.
There are too many parts of Samba that get, parse and modify the
binding parameters. Avoid the extra work, and add a binding element
to the struct dcerpc_pipe
The libnet vampire code has been refactored, to reduce extra layers
and to better conform with the standard argument pattern. Also, take
advantage of the new libnet_Lookup code, so we don't require the silly
'password server' smb.conf parameter.
To better support forcing traffic to be sealed for the vampire
operation, the dcerpc_bind_auth() function now takes an auth level
parameter.
Andrew Bartlett
(This used to be commit d65b354959)
the remote server's name, or in the absence of a local nbt_server to
communicate with (or without root access), a node status request.
The result is that we are in a better position to use kerberos, as well
as to remove the 'password server' mandatory parameter for the samsync
and samdump commands. (I need this to put these into SWAT).
The only problem I have is that I must create a messaging context, which
requires a server ID. As a client process, I don't expect to get
messages, but it is currently required for replies, so I generate a
random() number. We probably need the servers to accept connections on
streamed sockets too, for client-only tasks that want IRPC.
Because I wanted to test this code, I have put the NET-API-* tests into
our test scripts, to ensure they pass and keep passing. They are good
frontends onto the libnet system, and I see no reason not to test them.
In doing so the NET-API-RPCCONNECT test was simplified to take a
binding string on the command line, removing duplicate code, and
testing the combinations in the scripts instead.
(I have done a bit of work on the list shares code in libnet_share.c
to make it pass 'make test')
In the future, I would like to extend the libcli/findds.c code (based
off volker's winbind/wb_async_helpers.c, which is why it shows up a bit
odd in the patch) to handle getting multiple name replies, sending a
getdc request to each in turn.
(posted to samba-technical for review, and I'll happily update with
any comments)
Andrew Bartlett
(This used to be commit 7ccddfd351)
Because we don't know the syntax of unicodePwd, we want to avoid using
that attribute name. It may cause problems later when we get
replication from windows.
I'm doing this before the tech preview, so we don't get too many
surprises as folks upgrade databases into later versions.
Andrew Bartlett
(This used to be commit 097d9d0b7f)
dcerpc_interface_table struct rather than a tuple of interface
name, UUID and version.
This removes the requirement for having a global list of DCE/RPC interfaces,
except for these parts of the code that use that list explicitly
(ndrdump and the scanner torture test).
This should also allow us to remove the hack that put the authservice parameter
in the dcerpc_binding struct as it can now be read directly from
dcerpc_interface_table.
I will now modify some of these functions to take a dcerpc_syntax_id
structure rather than a full dcerpc_interface_table.
(This used to be commit 8aae0f168e)
the difference between these at all, and in the future the
fact that INIT_OBJ_FILES include smb_build.h will be sufficient to
have recompiles at the right time.
(This used to be commit b24f2583ed)
This extracts a remote windows domain into a keytab, suitable for use
in ethereal for kerberos decryption.
For the moment, like net samdump and net samsync, the 'password
server' smb.conf option must be set to the binding string for the
server. eg:
password server = ncacn_np:mypdc
Andrew Bartlett
(This used to be commit 272013438f)
backend.
The idea is that every time we open an LDB, we can provide a
session_info and/or credentials. This would allow any ldb to be remote
to LDAP. We should also support provisioning to an authenticated ldap
server.
(They are separate so we can say authenticate as foo for remote, but
here we just want a token of SYSTEM).
Andrew Bartlett
(This used to be commit ae2f3a64ee)