IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
stream. This is to implement wbinfo -k that asks winbind for authentication
which then creates the AFS token for the authenticated user.
Volker
(This used to be commit 2df6750a07)
As well as avoiding DOS charset issues, this scheme returns useful error
codes, that we can map back via the pam interface.
This patch also cleans up the interfaces used for password buffers, to
avoid duplication of code.
Andrew Bartlett
(This used to be commit 2a2b1f0c87)
DNS names (realms) from NetBIOS domain names.
Until now, we would experience delays as we broadcast lookups for DNS names
onto the local network segments.
Now if DNS comes back negative, we fall straight back to looking up the
short name.
Andrew Bartlett
(This used to be commit 32397c8b01)
domains (in particular, the domain of the current machine, if it is not a PDC)
By changing the error codes, we now return values that PAM can correctly
use for better stacking of PAM modules - in particular of the password change
module.
This allows pam_winbind to co-exist with other pam modules for password changes.
Andrew Bartlett
(This used to be commit 6a8cc7f012)
Instead of returning a name in DOMAIN\user format, we now return it in the
same way that nsswtich does - following the rules of 'winbind use default
domain', in the correct case and with the correct seperator.
This should help sites who are using Squid or the new SASL code I'm working
on, to match back to their unix usernames.
Andrew Bartlett
(This used to be commit 7a3a5a6361)
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0d)
and workstation to utf8 before sending the winbindd request. Also, don't
continue when the call to pull_utf8() fails but rather return a winbind
error. (This is what was causing the crash)
(This used to be commit ca1c463360)
* use DsEnumerateDomainTrusts() instead of LDAP search.
wbinfo -m now lists all trusted downlevel domains and
all domains in the forest.
Thnigs to do:
o Look at Krb5 connection trusted domains
o make sure to initial the trusted domain cache as soon
as possible
(This used to be commit 0ab00ccaed)
displaying pid_t, uid_t and gid_t values. This removes a whole lot of warnings
on some of the 64-bit build farm machines as well as help us out when 64-bit
uid/gid/pid values come along.
(This used to be commit f93528ba00)
* remove idmap_XX_to_XX calls from smbd. Move back to the
the winbind_XXX and local_XXX calls used in 2.2
* all uid/gid allocation must involve winbindd now
* move flags field around in winbindd_request struct
* add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id()
to prevent automatic allocation for unknown SIDs
* add 'winbind trusted domains only' parameter to force a domain member
server to use matching users names from /etc/passwd for its domain
(needed for domain member of a Samba domain)
* rename 'idmap only' to 'enable rid algorithm' for better clarity
(defaults to "yes")
code has been tested on
* domain member of native mode 2k domain
* ads domain member of native mode 2k domain
* domain member of NT4 domain
* domain member of Samba domain
* Samba PDC running winbindd with trusts
Logons tested using 2k clients and smbclient as domain users
and trusted users. Tested both 'winbind trusted domains only = [yes|no]'
This will be a long week of changes. The next item on the list is
winbindd_passdb.c & machine trust accounts not in /etc/passwd (done
via winbindd_passdb)
(This used to be commit 8266dffab4)
* rename original sam auth method to sam_ignoredomain
* remove samstrict_dc auth method (now covered by 'sam')
* fix wbinfo -a '...' and getent passwd bugs when running
winbindd on a samba PDC (reported by Volker)
(This used to be commit 52166faee7)
to handle domain trusts. Jeremy and I talked about this
and it's going in as working code. It keeps winbind clean
and solves the trust problem with minimal changes.
To summarize, there are 2 basic cases where the deadlock would
occur. (1) lookuping up secondary groups for a user, and
(2) get[gr|pw]nam() calls that fall through the NSS layer because
they don't exist anywhere.
o To handle case #1, we bypass winbindd in sys_getgrouplist() unless
the username includes the 'winbind separator'.
o Case #2 is handled by adding checks in winbindd to return failure
if we are a DC and the domain matches our own.
This code has been tested using basic share connections, domain
logons, and with pam_winbind (both with and without 'winbind
use default domain'). The 'trustdomain' auth module should work
as well if an admin wants to manually create UNIX users for
acounts in the trusted domains.
Other misc fixes:
* we need to fix check_ntlm_password() to be able to determine
if an auth module is authoritative over a user (NT_STATUS_WRONG_PASSWORD,
etc...). I worked around my specific situation, but this needs to be
fixed. the winbindd auth module was causing delays.
* fix named server mutex deadlock between trust domain auth module
and winbindd looking up a uid
* make sure SAM_ACCOUNT gets stored in the server_info struct for the
_net_sam_logon() reply.
Configuration details:
The recommended method for supporting trusts is to use winbind.
The gets us around some of the server mutex issues as well.
* set 'files winbind' for passwd: and group: in /etc/nsswitch.conf
* create domain trusts like normal
* join winbind on the pdc to the Samba domain using 'net rpc join'
* add normal parameters to smb.conf for winbind
* set 'auth method = guest sam winbind'
* start smbd, nmbd, & winbindd
Problems that remain:
* join a Windows 2k/XP box to a Samba domain.
* create a 2-way trust between the Samba domain
and an NT domain
* logon to the windows client as a user from theh trusted
domain
* try to browse server in the trusted domain (or other
workstations). an NT client seems to work ok, but 2k
and XP either prompt for passwords or fail with errors.
apparanently this never got tested since no one has ever been
able to logon as a trusted user to a Samba domain from a Windows
client.
(This used to be commit f804b590f9)
This replaces the universal group caching code (was originally
based on that code). Only applies to the the RPC code.
One comment: domain local groups don't show up in 'getent group'
that's easy to fix.
Code has been tested against 2k domain but doesn't change anything
with respect to NT4 domains.
netsamlogon caching works pretty much like the universal group
caching code did but has had much more testing and puts winbind
mostly back in sync between branches.
(This used to be commit aac01dc7bc)
important once we start doing schannel, as there would be a lot more
roundtrips for the second PIPE open and bind. With this patch logging
in to a member server is a matter of two (three if you count the
ack...) packets between us and the DC.
Volker
(This used to be commit 5b3cb7725a)
This allows us to join as a BDC, without appearing on the network as one
until we have the database replicated, and the admin changes the configuration.
This also change the SID retreval order from secrets.tdb, so we no longer
require a 'net rpc getsid' - the sid fetch during the domain join is sufficient.
Also minor fixes to 'net'.
Andrew Bartlett
(This used to be commit 876e00fd11)
- fix winbindd_pam bugs
- give a better error message for unauthorized access to auth_crap
- show this message in wbinfo
- fix spelling: privilaged -> privileged
** This changes the location of the winbindd privileged pipe **
(thanks to tpot)
Andrew Bartlett
(This used to be commit 92c2a33483)
NTLM Authentication:
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory
under lockdir, that the admin can change the group access for.
- This mode is now required to access with 'CRAP' authentication feature.
- This *will* break the current SQUID helper, so I've fixed up our ntlm_auth
replacement:
- Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a
challenge.
- Use this to make our ntlm_auth utility suitable for use in current Squid 2.5
servers.
- Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates
are needed.
- Now uses fgets(), not x_fgets() to cope with Squid environment (I think
somthing to do with non-blocking stdin).
- Add much more robust connection code to wb_common.c - it will not connect to
a server of a different protocol version, and it will automatically try and
reconnect to the 'privileged' pipe if possible.
- This could help with 'privileged' idmap operations etc in future.
- Add a generic HEX encode routine to util_str.c,
- fix a small line of dodgy C in StrnCpy_fn()
- Correctly pull our 'session key' out of the info3 from th the DC. This is
used in both the auth code, and in for export over the winbind pipe to
ntlm_auth.
- Given the user's challenge/response and access to the privileged pipe,
allow external access to the 'session key'. To be used for MSCHAPv2
integration.
Andrew Bartlett
(This used to be commit ec071ca3dc)
- vorlan's hosts allow with DNS names patch
- use x_fileno() in debug.c, not the struct directly.
- check for server timeout on password change (was reporting success)
- better error/status loggin in both the pam_winbind client and winbindd_pam
server code.
- (pdb_ldap) don't set the ldap version twice - we do it on every bind anyway.
(This used to be commit 9fa1863d8e)
- pam_winbind updates from vance, fixing a typo and making some the options
work properly.
- Extra parinoia in the winbind connection loop
- Allow pam_winbind to compile on HP-UX (Don Mcall, more work to do).
- Fix up configure.in to use the same method for building the test .so
as the Makefile uses.
Andrew Bartlett
(This used to be commit 8e705dd921)
This patch fixes the segfaults I introduced in the previous conneciton caching
patch. It cleans up the connection cache a *lot* - in particular it adds
significant robustness to the operation.
If a the DC goes down, we no longer fail the next operation - the code checks
if the connection died during one of its own operations on the socket, and
restarts the conneciton as required.
There is still a memory leak in here somewhere - but this code also cleans up a
number of these.
Also added is the abilty to sepecify the domain of the 'get around restrict anonymous'
user that winbind uses.
Andrew Bartlett
(This used to be commit 92cbefdf27)
Add a connection cache to the netlogon pipe. This makes a *massive* difference
to the time-per-auth. Also fix up *some* of the memory leaks in other
connection caches.
Add some debugging messages for the is_connected() code. I'm thinking we
should get a client implementation of SMBecho and call it here - as it would
allow us to always know the DC is around before we start.
Down the debug level for some of the pam_winbind code - I'll probably down it
further when I'm finished debugging.
Andrew Bartlett
(This used to be commit 49d3e47666)
This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error
conversions, and uses them to make the error handling in pam_winbind sane.
In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...'
stuff, and logs the NTSTATUS error that winbind now sends over the pipe.
Added code to wbinfo to display these - makes a big difference in debugging
winbindd.
The main change here is the code to allow pam_winbind password changing to
correctly stack - This code ripped from pam_unix, and the copyright attached.
(Same as for all pam modules, including pam_winbind)
Andrew Bartlett
(This used to be commit dc1a72f896)