1
0
mirror of https://github.com/samba-team/samba.git synced 2025-07-22 16:59:09 +03:00
Commit Graph

36 Commits

Author SHA1 Message Date
5ec1faa2ad r5203: additional changes for BUG 2291 to restrict who can join a BDC and add domain trusts 2007-10-10 10:55:32 -05:00
dc294c52e0 r4570: Replace cli->nt_pipe_fnum with an array of NT file numbers, one for each
supported pipe. Netlogon is still special, as we open that twice, one to do
the auth2, the other one with schannel.

The client interface is completely unchanged for those who only use a single
pie. cli->pipe_idx is used as the index for everything except the "real"
client rpc calls, which have been explicitly converted in my last commit. Next
step is to get winbind to just use a single smb connection for multiple pipes.

Volker
2007-10-10 10:53:47 -05:00
620f2e608f r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
2007-10-10 10:53:32 -05:00
7f161702fa r2835: Since we always have -I. and -I$(srcdir) in CFLAGS, we can get rid of
'..' from all #include preprocessor commands.   This fixes bugzilla #1880
where OpenVMS gets confused about the '.' characters.
2007-10-10 10:52:55 -05:00
fcdc5efb1e Make more functions static, and remove duplication in the use of functions
in lib/smbpasswd.c that were exact duplicates of functions in passdb/passdb.c

(These should perhaps be pulled back out to smbpasswd.c, but that can occour
later).

Andrew Bartlett
-
2a2b1f0c87 This adds client-side support for the unicode/SAMR password change scheme.
As well as avoiding DOS charset issues, this scheme returns useful error
codes, that we can map back via the pam interface.

This patch also cleans up the interfaces used for password buffers, to
avoid duplication of code.

Andrew Bartlett
-
a885df7635 Fix net rpc join (at least newstyle) after it was broken by changing
the parms to cli_lsa_query_info_policy without changing them here...
-
9ecf9408d9 Add support for variable-length session keys in our client code.
This means that we now support 'net rpc join' with KRB5 (des based)
logins.  Now, you need to hack 'net' to do that, but the principal is
important...

When we add kerberos to 'net rpc', it should be possible to still do
user management and the like over RPC.

(server-side support to follow shortly)

Andrew Bartlett
-
ff222716a0 Removed strupper/strlower macros that automatically map to strupper_m/strlower_m.
I really want people to think about when they're using multibyte strings.
Jeremy.
-
1ddeea2179 This glosses over John's problem at SambaXP 2003. When we want to join
a NT4 domain as a BDC with an existing workstation account (existing
bdc is fine), we fail. Print a friendly error message in this case.

The correct solution would probably be to delete the account and try
again. But even this makes us better than NT: NT4 fails in this
situation with an empty warning message box and an unusable BDC. It
has unsuccessfully tried to suck down the domain database, and thus
has no administrator account to log in after reboot....

Volker
-
a4f76f2520 Fix misleading debug message.
Volker
-
ac69b9c83c another improved debug statement -
af526fa9b3 Make sure that we use schannel (if configured) when checking for a valid
join to the DC.

Andrew Bartlett
-
f35674e755 Fix up bugs in the new 'store sec_channel type' code - we were always joining
as a BDC.

Andrew Bartlett
-
876e00fd11 Merge from HEAD - save the type of channel used to contact the DC.
This allows us to join as a BDC, without appearing on the network as one
until we have the database replicated, and the admin changes the configuration.

This also change the SID retreval order from secrets.tdb, so we no longer
require a 'net rpc getsid' - the sid fetch during the domain join is sufficient.
Also minor fixes to 'net'.

Andrew Bartlett
-
6a5b88c95b Merge of Jelmer's usage updates for net. -
837680ca51 Merge from HEAD client-side authentication changes:
- new kerberos code, allowing the account to change it's own password
   without special SD settings required
 - NTLMSSP client code, now seperated from cliconnect.c
 - NTLMv2 client code
 - SMB signing fixes

Andrew Bartlett
-
09a218a9f6 Forward port the change to talloc_init() to make all talloc contexts
named. Ensure we can query them.
Jeremy.
-
f755711df8 Removed global_myworkgroup, global_myname, global_myscope. Added liberal
dashes of const. This is a rather large check-in, some things may break.
It does compile though :-).
Jeremy.
-
1cfd2ee433 merge of new client side support the Win2k LSARPC UUID in rpcbind
from APP_HEAD
-
65e7b5273b sync'ing up for 3.0alpha20 release -
1b83b78e33 sync 3.0 branch with HEAD -
03ac082dcb updated the 3.0 branch from the head branch - ready for alpha18 -
0784ab67ad Join as a server trust account if the server role is either PDC or BDC. -
1f007d3ed4 Renamed get_nt_error_msg() to nt_errstr(). -
539d0cc030 Change new style join function name for clarity in net_rpc.c -
ac8c24a9a8 Allow Samba to trust NT4 Domains.
This commit builds on the auth subsystem to give Samba support for trusting NT4
domains.  It is off by default, but is enabled by adding 'trustdomain' to the
'auth methods' smb.conf paramater.

Tested against NT4 only - there are still some issues with the join code for
Win2k servers (spnego stuff).

The main work TODO involves enumerating the trusted domains (including the RPC
calls to match), and getting winbind to run on the PDC correctly.

Similarly, work remains on getting NT4 to trust Samba domains.

Andrew Bartlett
-
6a58c9bd06 Removed version number from file header.
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
-
2efae7cc52 Add a pile of doxygen style comments to various parts of Samba. Many of these
probably will never actually be genearted, but I like the style in any case.

Also fix a segfault in 'net rpc' when the login failed and a small memory leak
on failure in the auth_info.c code.

Andrew Bartlett
-
af24b1036c Display a nice error message if the user%password specified for net rpc
join does not have administrator privileges.
-
3789c8c707 Merge from 2.2 to allow net rpc join -U to complete even if the workstation
account already exists.

# net rpc join --user=Administrator%password

It's kind of weird seeing the mix of NET.EXE style of options (net command
subcommand /arg:value) with the GNU-style long options.  I think it works.
-
784a3f2951 allow join of already joined domain -
575897e879 OK. Smbpasswd -j is DEAD.
This moves the rest of the functionality into the 'net rpc join' code.

Futhermore, this moves that entire area over to the libsmb codebase, rather
than the crufty old rpc_client stuff.

I have also fixed up the smbpasswd -a -m bug in the process.

We also have a new 'net rpc changetrustpw' that can be called from a
cron-job to regularly change the trust account password, for sites
that run winbind but not smbd.

With a little more work, we can kill rpc_client from smbd entirly!
(It is mostly the domain auth stuff - which I can rework - and the
spoolss stuff that sombody else will need to look over).

Andrew Bartlett
-
d00f461f43 Follow herb's suggestion and don't strdup a string to itself -
cee58f1097 allow for passwords other than "samba2"
:)
-
c0b7ee6ee5 Add 'net rpc join' to match the ADS equiv.
This kills off the offending code in smbpasswd -j -Uab%c

In the process we have changed from unsing compelatly random passwords
to random, 15 char ascii strings.  While this does produce a decrese in
entropy, it is still vastly greater than we need, considering the application.

In the meantime this allows us to actually *type* the machine account
password duruign debugging.

This code also adds a 'check' step to the join, confirming that the
stored password does indeed do somthing of value :-)

Andrew Bartlett
-