IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Apr 24 17:14:48 CEST 2013 on sn-devel-104
There are cases where we fill in params.password.response.lm_data with non-NULL
where params.password.response.lm_length is 0. wbcAuthenticateUserEx does not
like that.
I haven't been able to reproduce this with smbclient yet, I've seen it with a
proprietary smb client implementation.
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Mon Jan 17 16:30:11 CET 2011 on sn-devel-104
This happens if you set "auth methods = winbind" without a fallback method.
The return NT_STATUS_LOGON_FAILURE; is not strictly require here, because we
fall through to the equivalent statement a few lines down, but it makes the
code a bit clearer IMO.
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Tue Nov 9 20:15:59 UTC 2010 on sn-devel-104
This common structure will make it much easier to produce an auth
module for s3compat that calls Samba4's auth subsystem.
In order the make the link work properly (and not map twice), we mark
both that we did try and map the user, as well as if we changed the
user during the mapping.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
smbd doesn't need $(WBCOMMON_OBJ) anymore,
it works with any libwbclient.so now
and may talk to an older winbindd.
metze
(This used to be commit e3435930a3)
to be idle it might happen that smbd needs to do a winbind operation (for
example sid2name) as non-root. This then fails to get the privileged
pipe. When later on on the same connection another authentication request
comes in, we try to do the CRAP auth via the non-privileged pipe.
This adds a winbindd_priv_request_response() request that kills the existing
winbind pipe connection if it's not privileged.
Volker
(This used to be commit e5741e27c4)
changing the token generation. I *hate* this code!
Jerry, you have been looking at this as well, can you double-check that I did
not screw it up?
Thanks,
Volker
(This used to be commit 2765c4ff8d)
logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes
the auth module interface to 2 (from 1). The effect of this is
that clients can access resources as a machine account if they
set these flags. This is the same as Windows (think of a VPN
where the vpn client authenticates itself to a VPN server
using machine account credentials - the vpn server checks
that the machine password was valid by performing a machine
account check with the PDC in the same was as it would a
user account check. I may add in a restriction (parameter)
to allow this behaviour to be turned off (as it was previously).
That may be on by default.
Andrew Bartlett please review this change carefully.
Jeremy.
(This used to be commit d1caef8663)
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d7)
safe for using our headers and linking with C++ modules. Stops us
from using C++ reserved keywords in our code.
Jeremy
(This used to be commit 9506b8e145)
In auth_winbind, remove the push_utf8 calls, as this is no longer a
UTF8 interface. (Removed from everywhere else earlier).
Tested with ASCII - I tried to load the weird charset for testing, but
it doesn't seem to work any more.
Andrew Bartlett
(This used to be commit cb27c197ee)
* remove idmap_XX_to_XX calls from smbd. Move back to the
the winbind_XXX and local_XXX calls used in 2.2
* all uid/gid allocation must involve winbindd now
* move flags field around in winbindd_request struct
* add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id()
to prevent automatic allocation for unknown SIDs
* add 'winbind trusted domains only' parameter to force a domain member
server to use matching users names from /etc/passwd for its domain
(needed for domain member of a Samba domain)
* rename 'idmap only' to 'enable rid algorithm' for better clarity
(defaults to "yes")
code has been tested on
* domain member of native mode 2k domain
* ads domain member of native mode 2k domain
* domain member of NT4 domain
* domain member of Samba domain
* Samba PDC running winbindd with trusts
Logons tested using 2k clients and smbclient as domain users
and trusted users. Tested both 'winbind trusted domains only = [yes|no]'
This will be a long week of changes. The next item on the list is
winbindd_passdb.c & machine trust accounts not in /etc/passwd (done
via winbindd_passdb)
(This used to be commit 8266dffab4)
- The 'not implmented' checks are now done by all auth modules
- the ntdomain/trustdomain/winbind modules are more presise as to
what domain names they can and cannot handle
- The become_root() calls are now around the winbind pipe opening only,
not the entire auth call
- The unix username is kept seperate from the NT username, removing the
need for 'clean off the domain\' in parse_net.c
- All sid->uid translations are now validated with getpwuid() to put a very
basic stop to logins with 'half deleted' accounts.
Andrew Bartlett
(This used to be commit 85f88191b9)