IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This will reduce the noise from merges of the rest of the
libcli/security code, without this commit changing what code
is actually used.
This includes (along with other security headers) dom_sid.h and
security_token.h
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
This does a length-limited check, and so avoids reading beyond the
allocated memory if the server sends less than 16 bytes.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
This matches the structure that new code is being written to,
and removes one more of the old-style named structures, and
the need to know that is is just an alias for struct dom_sid.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
While there also use ldap_exploded_dn instead of ldb_dn_validate()
so we can remove a huge dependency that is hanging there only for one very
minor marginal use.
Signed-off-by: Günther Deschner <gd@samba.org>
W2K3 DC's can have IPv6 addresses but won't serve
krb5/ldap or cldap on those addresses. Make sure when
we're asking for DC's we prefer IPv4.
If you have an IPv6-only network this prioritizing code
will be a no-op. And if you have a mixed network then you
need to prioritize IPv4 due to W2K3 DC's.
Jeremy.
* ldb_dn_new() now takes an initial DN string
* ldb_dn_string_compose() -> ldb_dn_new_fmt()
* dummy ldb_dn_validate(), since LDB DNs in the current implementation
are always valid if they could be created.
This argument is ignored (Samba3's LDB is synchronous) but having it
there is useful for API compatibility with the LDB used by Samba 4 and
available on some systems.
This removes calls to push_*_allocate() and pull_*_allocate(), as well
as convert_string_allocate, as they are not in the common API
To allow transition to a common charcnv in future, provide Samba4-like
strupper functions in source3/lib/charcnv.c
(the actual implementation remains distinct, but the API is now shared)
Andrew Bartlett
Also remove ads_memfree(), which was only ever a wrapper around
SAFE_FREE, used only to free the DN from ads_get_ds().
This actually makes libgpo more consistant, as it mixed a talloc and a
malloc based string on the same element.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
This fixes "net ads join".
It copes with the changed default "ldap ssl = start tls".
A new boolean option "ldap ssl : ads" is added to allow for
explicitly requesting ssl with ads.
Michael
ads_connect_gc() feeds an explicit server to ads_connect(). However, if the
resulting connection fails, the latter function was attempting to find a DC
on its own and continuing the connection. This resulting in GC searches being
sent over a connection using port 389 which would fail when using the base
search suffix outside of the domain naming context.
The fix is to fail immediately in ads_connect() since the GC lookup ordering
is handled already in ads_connect_gc().
We use get_dc_name() for LDAP because it generates the selfwritten
krb5.conf with the correct kdc addresses and sets KRB5_CONFIG.
For CLDAP we need to use get_sorted_dc_list() to avoid recursion.
metze
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
(cherry picked from commit d2f7f81f4d)
The bug was triggered by "net ads info -S 127.8.7.6" (where 127.8.7.6 doesn't ex
and "disable netbios = yes".
metze
Signed-off-by: Michael Adam <obnox@samba.org>
Some AD objects, like Exchange Public Folders, can be members of Security
Groups but do not have a SID attribute. This patch adds more granular return
errors to ads_get_sid_from_extended_dn(). Callers can now determine if a parse
error occured because of bad input, or the DN was valid but contained no SID.
I updated all callers to ignore SIDless objects when appropriate.
Also did some cleanup to the out paths of lookup_usergroups_memberof()
Extends ads_connect() to a new call ads_connect_gc() which connects on port
3268 rather than port 389. Also makes ads_try_connect() static and
only used internally to ldap.c
(This used to be commit f4c37dbe2c)
This is really not a proper place to fix this, but as get_gc_list() and friends
are about to be replaced anyway, just work around the broken existing API
(This used to be commit df8d089bc6)
This patch is the second iteration of an inside-out conversion to cleanup
functions in charcnv.c returning size_t == -1 to indicate failure.
(This used to be commit 6b189dabc5)
The ads_do_search_all_args() function attempts to string together several
LDAPMessage structures, returned across several paged ldap requests, into a
single LDAPMessage structure. It does this by pulling entries off the second
LDAPMessage structure and appending them to the first via the OpenLDAP specific
ldap_add_result_entry() call.
The problem with this approach is it skips non-entry messages such as the
result, and controls. These messages are leaked.
The short term solution as suggested by Volker is to replace the ads_*_entry()
calls with ads_*_message() calls so we don't leak any messages.
This fixes the leak but doesn't remove the dependence on the OpenLDAP specific
implementation of ldap_add_result_entry().
(This used to be commit f1a5405409)
This reverts commit #cafda34783f0961c9b463803c19cfcb69f836e3f .
I just learned (the hard way) that these indeted functions
are not indented by accident but that the intention of this
is to not include the prototype into proto.h.
Michael
(This used to be commit 2e5d01b214)
At this stage, the (tcp) connection to the LDAP server has not
been established, this is what is about to be attempted. What
has been succesfully done, is a CLDAP netlogon query.
Michael
(This used to be commit 71c3c8ad4c)
to struct sockaddr_storage in most places that matter (ie.
not the nmbd and NetBIOS lookups). This passes make test
on an IPv4 box, but I'll have to do more work/testing on
IPv6 enabled boxes. This should now give us a framework
for testing and finishing the IPv6 migration. It's at
the state where someone with a working IPv6 setup should
(theorecically) be able to type :
smbclient //ipv6-address/share
and have it work.
Jeremy.
(This used to be commit 98e154c312)
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
(This used to be commit f35a266b3c)
This fixes the build on solaris (host sun9).
And hopefully doesn't break any other builds... :-)
If it does, we need some configure magic.
Thanks to Björn Jacke <bj@sernet.de>.
(This used to be commit a43775ab36)
When asked to create a machine account in an OU as part
of "net ads join" and the account already exists in another
OU, simply move the machine object to the requested OU.
(This used to be commit 3004cc6e59)
Fix escaping of DN components and filters around the code
Add some notes to commandline help messages about how to pass DNs
revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was
incorrect.
The 2 functions use DNs in different ways.
- lookup_usergroups_member() uses the DN in a search filter,
and must use the filter escaping function to escape it
Escaping filters that include escaped DNs ("\," becomes "\5c,") is the
correct way to do it (tested against W2k3).
- lookup_usergroups_memberof() instead uses the DN ultimately as a base dn.
Both functions do NOT need any DN escaping function as DNs can't be reliably
escaped when in a string form, intead each single RDN value must be escaped
separately.
DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as
they come already escaped on the wire and passed as is by the ldap libraries
DN filtering has been tested.
For example now it is possible to do something like:
'net ads add user joe#5' as now the '#' character is correctly escaped when
building the DN, previously such a call failed with Invalid DN Syntax.
Simo.
(This used to be commit 5b4838f62a)
site support in a network where many DC's are down.
I heard via Volker there is still a bug w.r.t the
wrong site being chosen with trusted domains but
we'll have to layer that fix on top of this.
Gd - complain if this doesn't work for you.
Jeremy.
(This used to be commit 97e248f89a)
When having DC-less sites, AD assigns DCs from other sites to that site
that does not have it's own DC. The most reliable way for us to identify
the nearest DC - in that and all other cases - is the closest_dc flag in
the CLDAP reply.
Guenther
(This used to be commit ff004f7284)
cache the SAF name under both the domain name
and the realm name, as we could be looking up
under both. Jerry please check.
Jeremy.
(This used to be commit 9d954d2deb)
Compiled it on systems with and without LDAP, I hope it does not break the
build farm too badly. If it does, I'll fix it tomorrow.
Volker
(This used to be commit b2ff9680eb)
set_dc_type_and_flags().
Fix problem when DC is down in ads_connect, where
we fall back to NetBIOS and try exactly the same
IP addresses we just put in the negative connection
cache.... We can never succeed, so don't try lookups
a second time.
Jeremy.
(This used to be commit 2d28f3e94a)
support when looking up DC's. On every CLDAP
call store the returned client sitename (if
present, delete store if not) in gencache with
infinate timeout. On AD DNS DC lookup, try looking
for sitename DC's first, only try generic if
sitename DNS lookup failed.
I still haven't figured out yet how to ensure
we fetch the sitename with a CLDAP query before
doing the generic DC list lookup. This code is
difficult to understand. I'll do some experiments
and backtraces tomorrow to try and work out where
to force a CLDAP site query first.
Jeremy.
(This used to be commit ab3f0c5b1e)
return NTSTATUS.
If we want to differentiate different name resolution problems we might want
to introduce yet another error class for Samba-internal errors. Things like no
route to host to the WINS server, a DNS server explicitly said host not found
etc might be worth passing up.
Because we can not stash everything into the existing NT_STATUS codes, what
about a Samba-specific error class like NT_STATUS_DOS and NT_STATUS_LDAP?
Volker
(This used to be commit 60a166f034)
the LGPL. Original code by Krishna Ganugapati <krishnag@centeris.com>.
Additional work by me.
It's still got some warts, but non-secure updates do
currently work. There are at least four things left to
really clean up.
1. Change the memory management to use talloc() rather than
malloc() and cleanup the leaks.
2. Fix the error code reporting (see initial changes to
dnserr.h)
3. Fix the secure updates
4. Define a public interface in addns.h
5. Move the code in libads/dns.c into the libaddns/ directory
(and under the LGPL).
A few notes:
* Enable the new code by compiling with --with-dnsupdate
* Also adds the command 'net ads dns register'
* Requires -luuid (included in the e2fsprogs-devel package).
* Has only been tested on Linux platforms so there may be portability
issues.
(This used to be commit 36f04674ae)
Major points of interest:
* Figure the DES salt based on the domain functional level
and UPN (if present and applicable)
* Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC
keys
* Remove all the case permutations in the keytab entry
generation (to be partially re-added only if necessary).
* Generate keytab entries based on the existing SPN values
in AD
The resulting keytab looks like:
ktutil: list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
2 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
3 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
4 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
5 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
6 6 host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
7 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
8 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
9 6 suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName)
and the sAMAccountName value. The UPN will be added as well if the machine has
one. This fixes 'kinit -k'.
Tested keytab using mod_auth_krb and MIT's telnet. ads_verify_ticket()
continues to work with RC4-HMAC and DES keys.
(This used to be commit 6261dd3c67)
more scalable:
The most efficient way is to use the "tokenGroups" attribute which gives
the nested group membership. As this attribute can not always be
retrieved when binding with the machine account (the only garanteed way
to get the tokenGroups I could find is when the machine account is a
member of the "Pre Win2k Access" builtin group).
Our current fallback when "tokenGroups" failed is looking for all groups
where the userdn was in the "member" attribute. This behaves not very
well in very large AD domains.
The patch first tries the "memberOf" attribute on the user's dn in that
case and directly retrieves the group's sids by using the LDAP Extended
DN control from the user's object.
The way to pass down the control to the ldap search call is rather
painfull and probably will be rearranged later on.
Successfully tested on win2k sp0, win2k sp4, wink3 sp1 and win2k3 r2.
Guenther
(This used to be commit 7d766b5505)
Expand the "winbind nss info" to also take "rfc2307" to support the
plain posix attributes LDAP schema from win2k3-r2.
This work is based on patches from Howard Wilkinson and Bob Gautier
(and closes bug #3345).
Guenther
(This used to be commit 52423e01dc)
Re-add the capability to specify an OU in which to create
the machine account. Done via LDAP prior to the RPC join.
(This used to be commit b69ac0e304)
The motivating factor is to not require more privileges for
the user account than Windows does when joining a domain.
The points of interest are
* net_ads_join() uses same rpc mechanisms as net_rpc_join()
* Enable CLDAP queries for filling in the majority of the
ADS_STRUCT->config information
* Remove ldap_initialized() from sam/idmap_ad.c and
libads/ldap.c
* Remove some unnecessary fields from ADS_STRUCT
* Manually set the dNSHostName and servicePrincipalName attribute
using the machine account after the join
Thanks to Guenther and Simo for the review.
Still to do:
* Fix the userAccountControl for DES only systems
* Set the userPrincipalName in order to support things like
'kinit -k' (although we might be able to just use the sAMAccountName
instead)
* Re-add support for pre-creating the machine account in
a specific OU
(This used to be commit 4c4ea7b20f)
I had to eliminate "\" as an OU path separator, because it is the escape
char in LDAP. We still accept "/", but using the escape char is just
not a good choice.
(This used to be commit 1953f63903)
Use the subtree delete ldap control when running 'net ads leave'
to ensure that the machine account is actually deleted.
(This used to be commit e96000c16c)
box with gcc4 and -O6...
Fix a bunch of C99 dereferencing type-punned pointer will break
strict-aliasing rules errors. Also added prs_int32 (not uint32...)
as it's needed in one place. Find places where prs_uint32 was being
used to marshall/unmarshall a time_t (a big no no on 64-bits).
More warning fixes to come.
Thanks to Volker for nudging me to compile like this.
Jeremy.
(This used to be commit c65b752604)
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d7)
homedirectory and the loginshell from Active Directory's "Services for Unix".
Enable it with:
winbind sfu support = yes
User-Accounts without SFU-Unix-Attributes will be assigned template-based
Shells and Homedirs as before.
Note that it doesn't matter which version of Services for Unix you use (2.0,
2.2, 3.0 or 3.5). Samba should detect the correct attributes (msSFULoginShell,
msSFU30LoginShell, etc.) automatically.
If you also want to share the same uid/gid-space as SFU then also use PADL's
ad-idmap-Plugin:
idmap backend = ad
When using the idmap-plugin only those accounts will appear in Name Service
Switch that have those UNIX-attributes which avoids potential uid/gid-space
clashes between SFU-ids and automatically assigned idmap-ids.
Guenther
(This used to be commit 28b5969942)
1. using smbc_getxattr() et al, one may now request all access control
entities in the ACL without getting all other NT attributes.
2. added the ability to exclude specified attributes from the result set
provided by smbc_getxattr() et al, when requesting all attributes,
all NT attributes, or all DOS attributes.
3. eliminated all compiler warnings, including when --enable-developer
compiler flags are in use. removed -Wcast-qual flag from list, as that
is specifically to force warnings in the case of casting away qualifiers.
Note: In the process of eliminating compiler warnings, a few nasties were
discovered. In the file libads/sasl.c, PRIVATE kerberos interfaces
are being used; and in libsmb/clikrb5.c, both PRIAVE and DEPRECATED
kerberos interfaces are being used. Someone who knows kerberos
should look at these and determine if there is an alternate method
of accomplishing the task.
(This used to be commit 994694f7f2)
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f)