1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-17 02:05:21 +03:00

1271 Commits

Author SHA1 Message Date
Volker Lendecke
413ed77142 Fix compiler warning -
Volker Lendecke
ea1a5fb303 Display some nicer error messages for login via 'net'. I don't
see a reason why we have so many special cases and not simply use
nt_errstr(nt_status).

Comments?

Volker
-
Jim McDonough
07d6ed4343 Fix another join problem. Don't use a TALLOC_CTX before it has been
initialized.

Also split out the oldstyle join into a new fn, allowing us to call it
with no failure message from net rpc join, but displaying a failure message
when used with net rpc oldjoin.
-
Jim McDonough
a885df7635 Fix net rpc join (at least newstyle) after it was broken by changing
the parms to cli_lsa_query_info_policy without changing them here...
-
Gerald Carter
d7b6298b9e fixing compile problems due to my recent ads.h changes -
Andrew Bartlett
7c34de8096 This merges in my 'always use ADS' patch. Tested on a mix of NT and ADS
domains, this patch ensures that we always use the ADS backend when
security=ADS, and the remote server is capable.

The routines used for this behaviour have been upgraded to modern Samba
codeing standards.

This is a change in behaviour for mixed mode domains, and if the trusted
domain cannot be reached with our current krb5.conf file, we will show
that domain as disconnected.

This is in line with existing behaviour for native mode domains, and for
our primary domain.

As a consequence of testing this patch, I found that our kerberos error
handling was well below par - we would often throw away useful error
values.  These changes move more routines to ADS_STATUS to return
kerberos errors.

Also found when valgrinding the setup, fix a few memory leaks.

While sniffing the resultant connections, I noticed we would query our
list of trusted domains twice - so I have reworked some of the code to
avoid that.

Andrew Bartlett
-
Jelmer Vernooij
82bd1b45a4 Add smbget utility, a simple wget-like utility that uses libsmbclient.
Supports recursive downloads and resume, progress indication and shows
estimated time remaining.
-
Jelmer Vernooij
7495395c1c Fix -s option to smbcontrol () -
Jeremy Allison
019aaaf0df Patch based on work from James Peach <jpeach@sgi.com> to convert over to
using pread/pwrite. Modified a little to ensure fsp->pos is correct.
Fix for .
Jeremy.
-
Andrew Bartlett
f9e59f8bc0 JHT came up with a nasty (broken) torture case in preparing examples for
his book.

This prompted me to look at the code that reads the unix group list.  This
code did a lot of name -> uid -> name -> sid translations, which caused
problems.  Instead, we now do just name->sid

I also cleaned up some interfaces, and client tools.

Andrew Bartlett
-
Andrew Bartlett
3225f262b1 Get the DOMAIN\username around the right way (I had username\domain...)
Push the unix username into utf8 for it's trip across the socket.

Andrew Bartlett
-
Andrew Bartlett
7a3a5a6361 Try to gain a bit more consistancy in the output of usernames from ntlm_auth:
Instead of returning a name in DOMAIN\user format, we now return it in the
same way that nsswtich does - following the rules of 'winbind use default
domain', in the correct case and with the correct seperator.

This should help sites who are using Squid or the new SASL code I'm working
on, to match back to their unix usernames.

Andrew Bartlett
-
Andrew Bartlett
0fa268863b Make the name of the NTLMSSP client more consistant before we lock it in stone. -
Andrew Bartlett
96f3beb462 Remove testing hack -
Andrew Bartlett
48315e8fd2 Move our basic password checking code from inside the authentication
subsystem into a seperate file - ntlm_check.c.

This allows us to call these routines from ntlm_auth.  The purpose of this
exercise is to allow ntlm_auth (when operating as an NTLMSSP server) to
avoid talking to winbind.  This should allow for easier debugging.

ntlm_auth itself has been reorgainised, so as to share more code between
the SPNEGO-wrapped and 'raw' NTLMSSP modes.  A new 'client' NTLMSSP mode
has been added, for use with a Cyrus-SASL module I am writing (based on vl's
work)

Andrew Bartlett
-
Andrew Bartlett
2375abfa00 Refactor our authentication and authentication testing code.
The next move will be to remove our password checking code from the SAM
authentication backend, and into a file where other parts of samba can use
it.

The ntlm_auth changes provide for better use of common code.

Andrew Bartlett
-
Volker Lendecke
e6b4b956f6 Collecting some minor patches...
This adds the ability to specify the new user password for 'net ads password'
on the command line. As this needs the admin password on the command line, the
information leak is minimally more.

Patch from gd@suse.de

Volker
-
Andrew Bartlett
e0a026c9b5 Thanks to Serassio Guido for noticing issues in our Squid NTLMSSP
implementation.  We were not resetting the NTLMSSP state for new
negotiate packets.

Andrew Bartlett
-
Volker Lendecke
5d0b8280f6 In the brief 'net rpc group' listing, don't cut off group names at 21 chars.
Volker
-
Volker Lendecke
e9391e206a Beautify the net status help message a bit
Volker
-
Volker Lendecke
63d877c6b4 I needed a decently parseable format of smbstatus. Looking at smbstatus code
tells me that this should not be expanded, so I implemented

net status [sessions|shares] [parseable]

Volker
-
Volker Lendecke
39e4ee0c5b Implement 'net rpc group list [global|local|builtin]*' for a select listing of
the respective user databases.

Volker
-
Jeremy Allison
685097bc50 Fix for pdbedit error code returns (sorry, forgot who sent in the patch).
Jeremy.
-
Volker Lendecke
d5775b7106 Only ask for 512 names at a time.
Volker
-
Volker Lendecke
4e3a2eb8e0 Implement "net rpc group members": Get members of a domain group in
human-readable format.

Volker
-
Volker Lendecke
94860687c5 Get rid of a const warning
Volker
-
Andrew Bartlett
9ecf9408d9 Add support for variable-length session keys in our client code.
This means that we now support 'net rpc join' with KRB5 (des based)
logins.  Now, you need to hack 'net' to do that, but the principal is
important...

When we add kerberos to 'net rpc', it should be possible to still do
user management and the like over RPC.

(server-side support to follow shortly)

Andrew Bartlett
-
Andrew Bartlett
f3bbc87b0d Changes all over the shop, but all towards:
- NTLM2 support in the server
 - KEY_EXCH support in the server
 - variable length session keys.

In detail:

 - NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).

 * This is known as 'NTLMv2 session security' *

(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes.  We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)

This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed.  This also needs to be turned off for
'security=server', which does not support this.

- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.

- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.

- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure.  This should help the SPNEGO implementation.

- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.

- The other big change is to allow variable length session keys.  We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter.  However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.

 * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *

- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe.  This
should help reduce some of the 'it just doesn't work' issues.

- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer.  (just allocate)


REMEMBER to make clean after this commit - I have changed plenty of data structures...
-
Gerald Carter
d72d77c427 show locked files for -u <user>; bug 590 -
Tim Potter
0519a7022b Final round of printf warnings fixes for the moment. -
Jim McDonough
e660b04e8f Add shutdown abort try over initshutdown pipe first, then fall back to
winreg pipe if it doesn't work.  Fixes bug .

I will go back and add the same logic for the shutdown itself, even though
that works so far against win2k (haven't tested all win clients).
-
Jim McDonough
8ef7ac22ef Fix bug 451. Stop net -P from prompting for machine account password.
Based on work by Ken Cross (kcross@nssolutions.com).
-
Jeremy Allison
d7e35dfb92 Put strcasecmp/strncasecmp on the banned list (except for needed calls
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at
all and I really want to discourage that.
Jeremy.
-
John Terpstra
0450dc9773 Changed output so all debug output goes to stderr, and all file processing
goes to stdout.

Note: This change permits use of testparm processing of smb.conf to be
redirected into a file that can be used as an smb.conf file. ie: All
information that should not be in smb.conf will be on stderr, all pertinent
smb.conf info will go to stdout.

Example of use:
	A fully documented smb.conf.master file can be maintained.
	To create smb.conf do:
		testparm -s > smb.conf
-
Tim Potter
f899448348 Break out of samsync loop on error. -
Tim Potter
22655a65ab Set errno = ENOSYS if mmap not supported.
From Joachim Schmitz <schmitz@hp.com>
-
Jeremy Allison
93669f329e Portability fixes from schmitz@hp.com (Joachim Schmitz). Bug .
Jeremy.
-
Jelmer Vernooij
2690c185f0 Testparm fixes:
- Also check global 'hosts allow'/'hosts deny' when checking access to share
 - Warn when user specifies 2 arguments instead of 1 or 3.

Patch from Jay Fenlason <fenlason@redhat.com>
-
Jeremy Allison
e4c955c98e Fix to parse the level-2 strings. From Anthony Liguori aliguor@us.ibm.com.
Jeremy.
-
Volker Lendecke
4a3f7a9356 This only touches the fake kaserver support. It adds two parameters:
afs share -- this is an AFS share, do AFS magic things
afs username map -- We need a way to specify the cell and possibly
		    weird username codings for several windows domains
		    in the afs cell

Volker
-
Gerald Carter
e1fac713e2 fix some warnings found by the Sun C compiler -
Jelmer Vernooij
37db75fc95 Fix typo -
Jeremy Allison
28b315a750 Ensure that dup_sec_desc copies the 'type' field correctly. This caused
me to expose a type arguement to make_sec_desc(). We weren't copying
the SE_DESC_DACL_AUTO_INHERITED flag which could cause errors on
auto inherited checks.
Jeremy.
-
Jeremy Allison
c8bfde5be9 Fix from gregory@networksentry.co.za, don't clobber the comment if it
exists.
Jeremy.
-
Christopher R. Hertel
be06e52ce0 Fixed test and wording for long share names.
The RAP NetShareEnum() call has a length limit of 12 characters (not 8, as
previously tested).  Took DaveCB's suggested and added a note listing some
of the client systems that might be affected.
-
Simo Sorce
fa7dea1710 fix online help
-w option need the password on the command line
-
Tim Potter
bc8a181477 Fix error message when calling namedtogid() fails adding a group map
entry.  Bug .
-
Tim Potter
0c35ba2cd6 Fix error return path memory leaks in vampire code for creating users.
Display an error if we can't create a posix account for the user
(e.g no add user/machine script was specified; bug ).
-
Tim Potter
d7bd3c1efb Use opt_target_workgroup instead of lp_workgroup() in vampire code so
we can override the value in smb.conf with the -w option.

Migrating accounts from another domain can now be done like:

# bin/net join bdc -w nt4dom -Uadministrator%password
# bin/net rpc vampire -w nt4dom -U administrator%password
-
Tim Potter
c030d14019 Formatting fixups for help output. -