1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

465 Commits

Author SHA1 Message Date
Volker Lendecke
16b007c223 Quite some callers of sid_split_rid do not care about the rid 2011-03-10 18:48:34 +01:00
Andrew Bartlett
f768b32e37 libcli/security Provide a common, top level libcli/security/security.h
This will reduce the noise from merges of the rest of the
libcli/security code, without this commit changing what code
is actually used.

This includes (along with other security headers) dom_sid.h and
security_token.h

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
2010-10-12 05:54:10 +00:00
Andrew Bartlett
03011bf118 s3-libads call common GUID_from_ndr_blob()
This does a length-limited check, and so avoids reading beyond the
allocated memory if the server sends less than 16 bytes.

Andrew Bartlett

Signed-off-by: Günther Deschner <gd@samba.org>
2010-09-20 16:15:11 -07:00
Günther Deschner
62544c5d2b s3-build: only include smbldap.h where needed.
Guenther
2010-09-20 13:54:56 -07:00
Jeremy Allison
447d96878a Fix all sid_parse returns to be checked. Tidy up some checks and error
messages.

Jeremy.
2010-09-15 15:40:15 -07:00
Björn Jacke
5b016dbab8 s3/libads: use monotonic clock for ldap connection timeouts 2010-09-07 20:37:53 +02:00
Günther Deschner
e7a6a3ec0d s3: avoid global include of ads.h.
Guenther
2010-08-05 00:32:02 +02:00
Günther Deschner
dff7be8ccb s3-libads: only include libds flags where needed.
Guenther
2010-07-01 23:20:40 +02:00
Günther Deschner
56538be6af s3-libads: move ads_dns out of main includes.
Guenther
2010-07-01 23:20:40 +02:00
Günther Deschner
2f9076ac29 s3-libads: use shared well known guids.
Guenther
2010-07-01 21:17:17 +02:00
Günther Deschner
fbb7814f91 s3: only use netlogon/nbt header when needed.
Guenther
2010-05-31 11:32:37 +02:00
Andrew Bartlett
cba7f8b827 s3:dom_sid Global replace of DOM_SID with struct dom_sid
This matches the structure that new code is being written to,
and removes one more of the old-style named structures, and
the need to know that is is just an alias for struct dom_sid.

Andrew Bartlett

Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 10:39:59 +02:00
Günther Deschner
7f6bb48bdf s3-secdesc: remove "typedef struct security_descriptor SEC_DESC".
Guenther
2010-05-18 12:30:12 +02:00
Jelmer Vernooij
fc336590dc Remove the copy of ldb from Samba 3.
There were two utility functions that other parts of Samba 3
still relied on; they have been moved to lib/ldb_compat.[ch].
2010-05-06 11:34:30 +02:00
Matthias Dieter Wallnöfer
079897709e s3:libads/ldap.c - fix a build breakage 2010-04-27 20:45:06 +02:00
Simo Sorce
8492f92843 s3:ads fix dn parsing name was always null
While there also use ldap_exploded_dn instead of ldb_dn_validate()
so we can remove a huge dependency that is hanging there only for one very
minor marginal use.

Signed-off-by: Günther Deschner <gd@samba.org>
2010-03-02 19:03:17 +01:00
Simo Sorce
61b7a24f16 s3 move the sitename cache in its own file 2010-02-23 12:46:26 -05:00
Andreas Schneider
5ad801beb9 s3-libads: Remove obsolete signal type cast. 2010-02-23 12:23:43 +01:00
Jim McDonough
265e4dfbb6 s3: bug #6967: Prevent glibc error on net ads join:
talloc()ed memory should not be SAFE_FREE()ed.

Signed-off-by: Jim McDonough <jmcd@samba.org>
2009-12-04 12:43:27 -05:00
Jeremy Allison
5d05d22999 Added prefer_ipv4 bool parameter to resolve_name().
W2K3 DC's can have IPv6 addresses but won't serve
krb5/ldap or cldap on those addresses. Make sure when
we're asking for DC's we prefer IPv4.
If you have an IPv6-only network this prioritizing code
will be a no-op. And if you have a mixed network then you
need to prioritize IPv4 due to W2K3 DC's.
Jeremy.
2009-07-28 11:51:58 -07:00
Volker Lendecke
14c1362034 Fix some nonempty blank lines 2009-05-31 12:16:34 +02:00
Volker Lendecke
3194ad2838 Add smbldap_pull_sid 2009-05-28 10:52:04 +02:00
Jelmer Vernooij
b6981e79df samba3/ldb: Update the ldb_dn API to match that of the Samba 4 LDB:
* ldb_dn_new() now takes an initial DN string
 * ldb_dn_string_compose() -> ldb_dn_new_fmt()
 * dummy ldb_dn_validate(), since LDB DNs in the current implementation
   are always valid if they could be created.
2009-04-23 18:27:32 +02:00
Jelmer Vernooij
9b64073cf7 ldb/samba3: Support event context argument to ldb_init().
This argument is ignored (Samba3's LDB is synchronous) but having it
there is useful for API compatibility with the LDB used by Samba 4 and
available on some systems.
2009-04-23 18:27:31 +02:00
Jeremy Allison
e7466d0207 Add comment explaining the previous fix.
Jeremy.
2009-04-22 03:03:04 -07:00
Jeremy Allison
265ffe01f2 Fix bug #6279 - winbindd crash. Cope with LDAP libraries returning LDAP_SUCCESS but not returning a result.
Jeremy
2009-04-22 02:58:24 -07:00
Andrew Bartlett
3b3e21bd9b Convert Samba3 to use the common lib/util/charset API
This removes calls to push_*_allocate() and pull_*_allocate(), as well
as convert_string_allocate, as they are not in the common API

To allow transition to a common charcnv in future, provide Samba4-like
strupper functions in source3/lib/charcnv.c

(the actual implementation remains distinct, but the API is now shared)

Andrew Bartlett
2009-04-14 12:53:56 +10:00
Günther Deschner
d71dec9259 s3-libads: avoid NULL talloc context with ads_get_dn().
Guenther
2009-04-07 01:17:30 +02:00
Andrew Bartlett
2050187673 s3:libads Make ads_get_dn() take a talloc context
Also remove ads_memfree(), which was only ever a wrapper around
SAFE_FREE, used only to free the DN from ads_get_ds().

This actually makes libgpo more consistant, as it mixed a talloc and a
malloc based string on the same element.

Andrew Bartlett

Signed-off-by: Günther Deschner <gd@samba.org>
2009-04-06 15:54:41 +02:00
Karolin Seeger
3f9daf434a s3/libads: Change "ldap ssl:ads" parameter to "ldap ssl ads".
Karolin
2009-02-05 15:55:14 +01:00
Michael Adam
27408de533 s3: fix bug #6073: prevent ads_connect() from using SSL unless explicitly requested
This fixes "net ads join".
It copes with the changed default "ldap ssl = start tls".
A new boolean option "ldap ssl : ads" is added to allow for
explicitly requesting ssl with  ads.

Michael
2009-01-29 13:23:06 +01:00
Gerald (Jerry) Carter
073e9f42f0 ads_connect: Return immediately on a failed GC connection.
ads_connect_gc() feeds an explicit server to ads_connect().  However, if the
resulting connection fails, the latter function was attempting to find a DC
on its own and continuing the connection.  This resulting in GC searches being
sent over a connection using port 389 which would fail when using the base
search suffix outside of the domain naming context.

The fix is to fail immediately in ads_connect() since the GC lookup ordering
is handled already in ads_connect_gc().
2009-01-16 12:15:33 -06:00
Jeremy Allison
b143938b8a Fix more asprintf errors and error code paths.
Jeremy.
2008-12-23 11:27:19 -08:00
Stefan Metzmacher
17efebde11 s3:libads/ldap.c: store the dc name in the saf cache as in all other places
metze

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 543fa85a71)
2008-12-13 11:42:36 +01:00
Stefan Metzmacher
a8040d5965 s3:libads/ldap.c: if the client belongs to no site at all any dc is the closest
metze

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
(cherry picked from commit f86ef9b53a)
2008-12-13 11:42:36 +01:00
Stefan Metzmacher
2f27ffc4a2 s3:libads/ldap.c: pass the real workgroup name to get_dc_name()
metze

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
(cherry picked from commit c2d4a84abe)
2008-12-13 11:42:36 +01:00
Stefan Metzmacher
7f779450cb s3: libads: use get_dc_name() instead of get_sorted_dc_list() in the LDAP case
We use get_dc_name() for LDAP because it generates the selfwritten
krb5.conf with the correct kdc addresses and sets KRB5_CONFIG.

For CLDAP we need to use get_sorted_dc_list() to avoid recursion.

metze

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
(cherry picked from commit d2f7f81f4d)
2008-12-13 11:42:34 +01:00
Stefan Metzmacher
26461a72da s3:libads/ldap.c: return an error instead of crashing when no realm is given
The bug was triggered by "net ads info -S 127.8.7.6" (where 127.8.7.6 doesn't ex
and "disable netbios = yes".

metze

Signed-off-by: Michael Adam <obnox@samba.org>
2008-11-24 15:23:50 +01:00
Steven Danneman
6d59be1e6d Fix extended DN parse error when AD object does not have a SID.
Some AD objects, like Exchange Public Folders, can be members of Security
Groups but do not have a SID attribute.  This patch adds more granular return
errors to ads_get_sid_from_extended_dn().  Callers can now determine if a parse
error occured because of bad input, or the DN was valid but contained no SID.

I updated all callers to ignore SIDless objects when appropriate.

Also did some cleanup to the out paths of lookup_usergroups_memberof()
2008-11-18 13:02:21 -08:00
Steven Danneman
9a7900fb38 Whitespace and >80 column cleanups. 2008-11-18 13:02:20 -08:00
Jelmer Vernooij
1f3e4f39c5 Use GUID_string rather than smb_uuid_string(). 2008-10-14 02:26:18 +02:00
Günther Deschner
d5a11f9679 fix build warnings.
Guenther
2008-10-13 00:40:57 +02:00
Jelmer Vernooij
218f482fbf Use common strlist implementation in Samba 3 and Samba 4. 2008-10-12 00:56:56 +02:00
Volker Lendecke
9eea6929e3 Fix an uninitialized variable found by the IBM Checker 2008-10-04 22:15:03 +02:00
Günther Deschner
f07431f5ba s3-nbt: use the new generated nbt.
Guenther
2008-09-24 03:34:23 +02:00
Günther Deschner
825f06c3f9 libads: remove unused vars.
Guenther
(This used to be commit ea9fc3bea3)
2008-08-20 22:07:40 +02:00
Gerald W. Carter
9ff1ffcbee libads: Add API call to connect to a global catalog server.
Extends ads_connect() to a new call ads_connect_gc() which connects on port
3268 rather than port 389.  Also makes ads_try_connect() static and
only used internally to ldap.c
(This used to be commit f4c37dbe2c)
2008-06-27 10:26:11 -04:00
Günther Deschner
7b1f015675 libads: add ads_connect_user_creds() that won't overwrite given user creds.
Guenther
(This used to be commit 026018c9f1)
2008-06-24 23:37:49 +02:00
Günther Deschner
0447e6a0a7 libads: add ads_get_machine_kvno() to make ads_get_kvno() a bit more generic.
Guenther
(This used to be commit cb7ace209c)
2008-06-17 19:54:09 +02:00
Günther Deschner
3688eeafa3 libads: fix logic error in ads_get_kvno().
Guenther
(This used to be commit 132b038581)
2008-06-17 19:51:14 +02:00
Volker Lendecke
aaa2a4f447 Revert "Fix a memleak in ads_find_dc() in case get_sorted_dc_list() fails"
This reverts commit df8d089bc6.
(This used to be commit 342f885820)
2008-06-17 12:20:54 +02:00
Volker Lendecke
d261e16cfd Fix a memleak in ads_find_dc() in case get_sorted_dc_list() fails
This is really not a proper place to fix this, but as get_gc_list() and friends
are about to be replaced anyway, just work around the broken existing API
(This used to be commit df8d089bc6)
2008-06-05 10:56:18 +02:00
Tim Prouty
fb37f15600 Cleanup size_t return values in callers of convert_string_allocate
This patch is the second iteration of an inside-out conversion to cleanup
functions in charcnv.c returning size_t == -1 to indicate failure.
(This used to be commit 6b189dabc5)
2008-05-20 22:40:13 +02:00
Günther Deschner
eeb126a379 libads/cldap: store client sitename also keyed by dns domain name.
Guenther
(This used to be commit 0388b2f0cc)
2008-05-15 16:38:32 +02:00
Günther Deschner
847d385f7b Fix Bug #5465 (joining with createcomputer=ou1/ou2/ou3).
Guenther
(This used to be commit f3251ba03a)
2008-05-14 23:53:23 +02:00
Günther Deschner
cdd9913c4a cldap: let ads_cldap_netlogon() return all possible cldap replies.
Guenther
(This used to be commit 6f9d5e1cc9)
2008-05-09 14:59:18 +02:00
Steven Danneman
778a5414b1 Fix bug 5419: memory leak in ads_do_search_all_args() when enumerating 1000s of entries
The ads_do_search_all_args() function attempts to string together several
LDAPMessage structures, returned across several paged ldap requests, into a
single LDAPMessage structure.  It does this by pulling entries off the second
LDAPMessage structure and appending them to the first via the OpenLDAP specific
ldap_add_result_entry() call.

The problem with this approach is it skips non-entry messages such as the
result, and controls.  These messages are leaked.

The short term solution as suggested by Volker is to replace the ads_*_entry()
calls with ads_*_message() calls so we don't leak any messages.

This fixes the leak but doesn't remove the dependence on the OpenLDAP specific
implementation of ldap_add_result_entry().
(This used to be commit f1a5405409)
2008-04-26 08:11:20 -07:00
Günther Deschner
bcbac69d1a cldap: avoid duplicate definitions so remove ads_cldap.h.
Guenther
(This used to be commit 538eefe22a)
2008-04-21 20:21:40 +02:00
Günther Deschner
1dd7ab38e7 cldap: add talloc context to ads_cldap_netlogon().
Guenther
(This used to be commit 4cee7b1bd5)
2008-04-21 20:21:40 +02:00
Günther Deschner
ba98dd4989 libads: Use libnbt for CLDAP reply parsing.
Guenther
(This used to be commit 751f3064a5)
2008-04-21 20:21:39 +02:00
Günther Deschner
33a3766f03 Add ads_check_ou_dn().
Guenther
(This used to be commit 380e9d26db)
2008-03-28 16:43:59 +01:00
Volker Lendecke
561fb9daa4 Fix Coverity ID 487
(This used to be commit 22cee9c1af)
2008-03-23 19:44:55 +01:00
Marc VanHeyningen
e06aa46b9f Coverity fixes
(This used to be commit 3fc85d2259)
2008-03-17 20:52:25 +01:00
Volker Lendecke
b361956942 str_list_free is not needed anymore
(This used to be commit feddc1447d)
2008-02-04 21:05:41 +01:00
Volker Lendecke
2762b9a975 Always pass a TALLOC_CTX to str_list_make and str_list_copy
(This used to be commit e2c9fc4cf5)
2008-02-04 20:57:49 +01:00
Günther Deschner
6c764172e5 When running with debug level > 10, dump ads_struct in ads_connect().
Guenther
(This used to be commit 2dd7c64fa8)
2008-01-31 11:05:25 +01:00
Günther Deschner
f89fa0a6f8 Do not ignore provided machine_name in ads_get_upn().
Guenther
(This used to be commit ddc1307844)
2008-01-08 14:07:01 +01:00
Michael Adam
4aba7475ef Re-Indent function ldap_open_with_timeout().
This reverts commit #cafda34783f0961c9b463803c19cfcb69f836e3f .

I just learned (the hard way) that these indeted functions
are not indented by accident but that the intention of this
is to not include the prototype into proto.h.

Michael
(This used to be commit 2e5d01b214)
2008-01-04 22:56:10 +01:00
Michael Adam
b54310cbaa Add a debug message (when the LDAP server has really been connected).
Michael
(This used to be commit 7d9d2de390)
2008-01-04 22:09:36 +01:00
Michael Adam
2cb68e3898 Untangle assignment and result check.
Michael
(This used to be commit 465a3b356c)
2008-01-04 22:09:36 +01:00
Michael Adam
34e579fce5 Enhance DEBUG-verbosity of ldap_open_with_timeout().
Michael
(This used to be commit 9e70d1f24d)
2008-01-04 22:09:36 +01:00
Michael Adam
4ad3464fb9 Unindent function header.
Michael
(This used to be commit cafda34783)
2008-01-04 22:09:35 +01:00
Michael Adam
3f42428f9b Fix a misleading DEBUG message.
At this stage, the (tcp) connection to the LDAP server has not
been established, this is what is about to be attempted. What
has been succesfully done, is a CLDAP netlogon query.

Michael
(This used to be commit 71c3c8ad4c)
2008-01-04 22:09:35 +01:00
Günther Deschner
b076a7e802 Add ads_get_joinable_ous().
Guenther
(This used to be commit 5bbceac881)
2008-01-03 18:15:59 +01:00
Volker Lendecke
240391be53 Make use of [un]marshall_sec_desc
(This used to be commit 54576733d6)
2007-12-29 23:13:03 +01:00
Volker Lendecke
d365a43785 make use of unmarshall_sec_desc
(This used to be commit ced0c42f05)
2007-12-16 14:15:16 +01:00
Volker Lendecke
2e07c2ade8 s/sid_to_string/sid_to_fstring/
least surprise for callers
(This used to be commit eb523ba776)
2007-12-15 22:47:30 +01:00
Volker Lendecke
14ef4cdec1 Replace sid_string_static with sid_to_string
This adds 28 fstrings on the stack, but I think an fstring on the stack is
still far better than a static one.
(This used to be commit c7c885078b)
2007-12-15 22:09:37 +01:00
Volker Lendecke
900288a2b8 Replace sid_string_static by sid_string_dbg in DEBUGs
(This used to be commit bb35e794ec)
2007-12-15 22:09:36 +01:00
Michael Adam
d8ac0cecae Remove an incredible amount of whitespace.
Sorry - could not resist. Michael
(This used to be commit 1000c98eae)
2007-12-06 14:08:54 +01:00
Jeremy Allison
6f46f75dfc Make strhex_to_str clear on string limits. Remove pstring from web/*.c
Jeremy.
(This used to be commit f9c8d62389)
2007-12-03 17:17:05 -08:00
Volker Lendecke
1011b32678 Remove some statics
(This used to be commit 1fab16ffb8)
2007-11-27 14:18:47 +01:00
Jeremy Allison
de51d3dd5f More pstring removal....
Jeremy.
(This used to be commit 809f5ab4c5)
2007-11-20 18:55:36 -08:00
Jeremy Allison
f88b7a076b This is a large patch (sorry). Migrate from struct in_addr
to struct sockaddr_storage in most places that matter (ie.
not the nmbd and NetBIOS lookups). This passes make test
on an IPv4 box, but I'll have to do more work/testing on
IPv6 enabled boxes. This should now give us a framework
for testing and finishing the IPv6 migration. It's at
the state where someone with a working IPv6 setup should
(theorecically) be able to type :
smbclient //ipv6-address/share
and have it work.
Jeremy.
(This used to be commit 98e154c312)
2007-10-24 14:16:54 -07:00
Jeremy Allison
30191d1a57 RIP BOOL. Convert BOOL -> bool. I found a few interesting
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
(This used to be commit f35a266b3c)
2007-10-18 17:40:25 -07:00
Günther Deschner
6ba2d944a0 r24252: Dump guid of msExchMailboxGuid when returned.
Guenther
(This used to be commit 1142f3df54)
2007-10-10 12:29:21 -05:00
Volker Lendecke
8476d072d3 r24166: Fix Coverity ID 391
(This used to be commit 461974d2cc)
2007-10-10 12:29:17 -05:00
Günther Deschner
e6875b1b45 r23951: Fix segfault.
Guenther
(This used to be commit 1a5c8780ae)
2007-10-10 12:28:48 -05:00
Stefan Metzmacher
07c034f7c4 r23945: add infrastructure to select plain, sign or seal LDAP connection
metze
(This used to be commit 2075c05b3d)
2007-10-10 12:28:48 -05:00
Günther Deschner
9e0c550922 r23937: Use ads_config_path() when we need to know the configration context.
Guenther
(This used to be commit 1a62c731c6)
2007-10-10 12:28:46 -05:00
Stefan Metzmacher
809c9d4d31 r23888: move elements belonging to the current ldap connection to a
substructure.

metze
(This used to be commit 00909194a6)
2007-10-10 12:28:38 -05:00
Stefan Metzmacher
2fc53c947b r23886: add ads_disconnect() function
metze
(This used to be commit ba70737b70)
2007-10-10 12:28:38 -05:00
Günther Deschner
ed0ffc5cef r23861: Fix return code in ads_find_samaccount().
Guenther
(This used to be commit 684fcf39dc)
2007-10-10 12:28:35 -05:00
Günther Deschner
9d6f8ed5e7 r23837: Pass ADS_STRUCT and TALLOC_CTX down to ads_disp_sd.
Guenther
(This used to be commit ad0a6d5703)
2007-10-10 12:28:32 -05:00
Günther Deschner
f05dcab9bf r23836: Add ads_config_path() and ads_get_extended_right_name_by_guid().
Guenther
(This used to be commit 4d62f1191b)
2007-10-10 12:28:32 -05:00
Günther Deschner
c252b04abf r23834: Allow to pass an ADS_STRUCT pointer down to the dump function callback in
libads.

Guenther
(This used to be commit 311bbbafa6)
2007-10-10 12:28:32 -05:00
Günther Deschner
c8e23e4091 r23833: Document ads_find_samaccount().
Guenther
(This used to be commit 3effd1c346)
2007-10-10 12:28:31 -05:00
Andrew Tridgell
5e54558c6d r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text
(This used to be commit b0132e94fc)
2007-10-10 12:28:22 -05:00
Jeremy Allison
d824b98f80 r23779: Change from v2 or later to v3 or later.
Jeremy.
(This used to be commit 407e6e695b)
2007-10-10 12:28:20 -05:00
Günther Deschner
221d06d6f3 r23772: Add ads_find_samaccount() helper function.
Guenther
(This used to be commit 6fafa64bea)
2007-10-10 12:23:55 -05:00
Jeremy Allison
5a80fa5c0c r23514: Remove unused function ads_get_dn_from_extended_dn().
Jeremy.
(This used to be commit 03763bc528)
2007-10-10 12:23:24 -05:00
Michael Adam
2753d30cbe r22893: Use ldap_rename_s instead of deprecated ldap_rename2_s.
This fixes the build on solaris (host sun9).
And hopefully doesn't break any other builds... :-)
If it does, we need some configure magic.

Thanks to Björn Jacke <bj@sernet.de>.
(This used to be commit a43775ab36)
2007-10-10 12:22:05 -05:00
Günther Deschner
83564b43e3 r22800: Add GPO_SID_TOKEN and an LDAP function to get tokensids from the tokenGroup attribute.
Guenther
(This used to be commit e4e8f84060)
2007-10-10 12:21:59 -05:00
Günther Deschner
75a0171857 r22799: Fix the build.
Guenther
(This used to be commit 6e911c442b)
2007-10-10 12:21:59 -05:00
Günther Deschner
9c170fce26 r22797: We are only interested in the DACL of the security descriptor, so search with
the SD_FLAGS control.

Guenther
(This used to be commit 648df57e53)
2007-10-10 12:21:57 -05:00
Gerald Carter
3eca3af1bc r22728: Patch from Danilo Almeida <dalmeida@centeris.com>:
When asked to create a machine account in an OU as part
of "net ads join" and the account already exists in another
OU, simply move the machine object to the requested OU.
(This used to be commit 3004cc6e59)
2007-10-10 12:21:51 -05:00
Jeremy Allison
be8b0685a5 r22589: Make TALLOC_ARRAY consistent across all uses.
Jeremy.
(This used to be commit 8968808c3b)
2007-10-10 12:19:49 -05:00
Günther Deschner
8040fec0ac r22459: Adding ads_get_dn_from_extended_dn(), in preparation of making ranged LDAP
queries more generic. Michael, feel free to overwrite these and the following.

Guenther
(This used to be commit 0475b8eea9)
2007-10-10 12:19:35 -05:00
Jeremy Allison
725fcf3461 r22112: Fix memleak pointed out by Steven Danneman <steven.danneman@isilon.com>.
Jeremy.
(This used to be commit 7c45bd3a47)
2007-10-10 12:19:14 -05:00
Jeremy Allison
fae01b4899 r21608: Fix a couple of memleaks in error code paths before
Coverity finds them :-)
Jeremy.
(This used to be commit cbe725f1b0)
2007-10-10 12:18:16 -05:00
Simo Sorce
e9e6af5951 r21606: Implement escaping function for ldap RDN values
Fix escaping of DN components and filters around the code
Add some notes to commandline help messages about how to pass DNs

revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was
incorrect.
The 2 functions use DNs in different ways.

- lookup_usergroups_member() uses the DN in a search filter,
and must use the filter escaping function to escape it
Escaping filters that include escaped DNs ("\," becomes "\5c,") is the
correct way to do it (tested against W2k3).

- lookup_usergroups_memberof() instead uses the DN ultimately as a base dn.
Both functions do NOT need any DN escaping function as DNs can't be reliably
escaped when in a string form, intead each single RDN value must be escaped
separately.

DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as
they come already escaped on the wire and passed as is by the ldap libraries

DN filtering has been tested.
For example now it is possible to do something like:
'net ads add user joe#5' as now the '#' character is correctly escaped when
building the DN, previously such a call failed with Invalid DN Syntax.

Simo.
(This used to be commit 5b4838f62a)
2007-10-10 12:18:16 -05:00
Günther Deschner
5aa3b27949 r21352: Let ads_upn_suffixes() return a pointer to an array of suffixes.
Guenther
(This used to be commit 7ad7847e5b)
2007-10-10 12:17:57 -05:00
Günther Deschner
08726ffcd4 r21349: Fix memleak in ads_upn_suffixes().
Guenther
(This used to be commit 8462f323cf)
2007-10-10 12:17:57 -05:00
Günther Deschner
8751923635 r21021: Fix memleak.
Guenther
(This used to be commit 4e622572eb)
2007-10-10 12:17:28 -05:00
Günther Deschner
e9c294b926 r20874: We need to distinguish client sitenames per realm. We were overwriting
the stored client sitename with the sitename from each sucessfull CLDAP
connection.

Guenther
(This used to be commit 6a13e878b5)
2007-10-10 12:17:16 -05:00
Jeremy Allison
bfd099e148 r20857: Silence gives assent :-). Checking in the fix for
site support in a network where many DC's are down.
I heard via Volker there is still a bug w.r.t the
wrong site being chosen with trusted domains but
we'll have to layer that fix on top of this.
Gd - complain if this doesn't work for you.
Jeremy.
(This used to be commit 97e248f89a)
2007-10-10 12:17:14 -05:00
Gerald Carter
d3fc370fb9 r20487: Remove the unused dn2ad_canonical() call
(This used to be commit 86e6ae6a9f)
2007-10-10 12:16:52 -05:00
Volker Lendecke
bae1fcd20f r19687: Fix uninitialized variables found by Coverity (and gcc -O1... ;-))
Volker
(This used to be commit b7dc9b8169)
2007-10-10 12:15:47 -05:00
Günther Deschner
61a38bd4b8 r19651: Fix interesting bug with the automatic site coverage in Active Directory:
When having DC-less sites, AD assigns DCs from other sites to that site
that does not have it's own DC. The most reliable way for us to identify
the nearest DC - in that and all other cases - is the closest_dc flag in
the CLDAP reply.

Guenther
(This used to be commit ff004f7284)
2007-10-10 12:15:44 -05:00
Günther Deschner
e513fb27d6 r19646: Fix memleak in the default_ou_string handling. Thanks to David Hu
<david.hu@hp.com>. Fixes #4212.

Guenther
(This used to be commit 4ec896cdbe)
2007-10-10 12:15:43 -05:00
Günther Deschner
31a63ab19f r19528: Fix container handling for "net ads user" and "net ads group" functions
along with some memleaks.

Guenther
(This used to be commit 4bad52c5b3)
2007-10-10 12:15:41 -05:00
Günther Deschner
6b65a1c26d r19526: Fix minor memleak.
Guenther
(This used to be commit 61ebedc82e)
2007-10-10 12:15:40 -05:00
Günther Deschner
424d7640b8 r19263: Be more accurate in telling what the sitename problem is in this DEBUG
statement.

Guenther
(This used to be commit 62928734b8)
2007-10-10 12:15:26 -05:00
Günther Deschner
f7633eca18 r18923: Fix more memleaks.
Guenther
(This used to be commit ecb632a153)
2007-10-10 12:14:47 -05:00
Günther Deschner
dd992469dd r18902: Also dump mS-DS-CreatorSID.
Guenther
(This used to be commit e7cae9bbae)
2007-10-10 12:14:44 -05:00
Jeremy Allison
664c3f4166 r18663: Fix one more uuid -> GUID.
Jeremy.
(This used to be commit e568271af2)
2007-10-10 12:00:44 -05:00
Jeremy Allison
a0aaa82f6d r18552: Ensure the sitename matches before we SAF store a DC in ADS mode.
Jeremy.
(This used to be commit 03e1078b45)
2007-10-10 11:51:49 -05:00
Jeremy Allison
a4743f3a76 r18480: Doh ! Double-free of hostnameDN.
Jeremy.
(This used to be commit f8984fa8b7)
2007-10-10 11:51:43 -05:00
Volker Lendecke
dfa62cfa98 r18464: Solaris has LDAP_SCOPE_ONELEVEL. Linux seems to have it as well.
Fix a C++ compat warning.

Volker
(This used to be commit 351e583f66)
2007-10-10 11:51:42 -05:00
Volker Lendecke
d3237d2233 r18453: Attempt to fix the non-ldap build
(This used to be commit 86db854230)
2007-10-10 11:51:42 -05:00
Jeremy Allison
8c2c5c5d1d r18446: Add the ldap 'leave domain' code - call this as
a non-fatal error path if the 'disable machine
account' code succeeded.
Jeremy.
(This used to be commit f47bffa21e)
2007-10-10 11:51:42 -05:00
Günther Deschner
73d25f6f78 r18165: Fix memleaks.
Guenther
(This used to be commit 6f301b2dc3)
2007-10-10 11:43:29 -05:00
Jeremy Allison
8d812f8eed r18063: When we get a successful connection using ADS,
cache the SAF name under both the domain name
and the realm name, as we could be looking up
under both. Jerry please check.
Jeremy.
(This used to be commit 9d954d2deb)
2007-10-10 11:43:24 -05:00
Volker Lendecke
ee0e397d6f r18019: Fix a C++ warnings: Don't use void * in libads/ for LDAPMessage anymore.
Compiled it on systems with and without LDAP, I hope it does not break the
build farm too badly. If it does, I'll fix it tomorrow.

Volker
(This used to be commit b2ff9680eb)
2007-10-10 11:39:49 -05:00
Jeremy Allison
98cfbd3ccf r18015: Try and detect network failures immediately in
set_dc_type_and_flags().
Fix problem when DC is down in ads_connect, where
we fall back to NetBIOS and try exactly the same
IP addresses we just put in the negative connection
cache.... We can never succeed, so don't try lookups
a second time.
Jeremy.
(This used to be commit 2d28f3e94a)
2007-10-10 11:39:48 -05:00
Jeremy Allison
0c9ca3fe19 r17994: Add debugs that showed me why my site code wasn't
working right. Don't update the server site when we
have a client one...
Jeremy.
(This used to be commit 7acbcf9a6c)
2007-10-10 11:39:45 -05:00
Jeremy Allison
a78c61b9cd r17946: Fix couple of typos...
Jeremy.
(This used to be commit 638d53e2ad)
2007-10-10 11:39:01 -05:00
Jeremy Allison
2fcd113f55 r17945: Store the server and client sitenames in the ADS
struct so we can see when they match - only create
the ugly krb5 hack when they do.
Jeremy.
(This used to be commit 9be4ecf24b)
2007-10-10 11:39:01 -05:00
Jeremy Allison
6fada7a82a r17943: The horror, the horror. Add KDC site support by
writing out a custom krb5.conf file containing
the KDC I need. This may suck.... Needs some
testing :-).
Jeremy.
(This used to be commit d500e1f96d)
2007-10-10 11:39:01 -05:00
Jeremy Allison
9d37ee52e0 r17937: Move the saf_ cache into the tcp ad connection code.
Cause winbindd to set site support before doing the
generic AD server lookup.
Jeremy.
(This used to be commit a983394171)
2007-10-10 11:39:00 -05:00
Jeremy Allison
2abab7ee6d r17928: Implement the basic store for CLDAP sitename
support when looking up DC's. On every CLDAP
call store the returned client sitename (if
present, delete store if not) in gencache with
infinate timeout. On AD DNS DC lookup, try looking
for sitename DC's first, only try generic if
sitename DNS lookup failed.
I still haven't figured out yet how to ensure
we fetch the sitename with a CLDAP query before
doing the generic DC list lookup. This code is
difficult to understand. I'll do some experiments
and backtraces tomorrow to try and work out where
to force a CLDAP site query first.
Jeremy.
(This used to be commit ab3f0c5b1e)
2007-10-10 11:38:59 -05:00
Jeremy Allison
9f0c2827a4 r17901: Stanford checker fix. cookie here can't be null or we'd
deref null. Make interface explicit.
Jeremy.
(This used to be commit 4e99606ec1)
2007-10-10 11:38:58 -05:00
Volker Lendecke
c52b3fb89f r17881: Another microstep towards better error reporting: Make get_sorted_dc_list
return NTSTATUS.

If we want to differentiate different name resolution problems we might want
to introduce yet another error class for Samba-internal errors. Things like no
route to host to the WINS server, a DNS server explicitly said host not found
etc might be worth passing up.

Because we can not stash everything into the existing NT_STATUS codes, what
about a Samba-specific error class like NT_STATUS_DOS and NT_STATUS_LDAP?

Volker
(This used to be commit 60a166f034)
2007-10-10 11:38:57 -05:00
Gerald Carter
5693e6c599 r17798: Beginnings of a standalone libaddns library released under
the LGPL.   Original code by Krishna Ganugapati <krishnag@centeris.com>.
Additional work by me.

It's still got some warts, but non-secure updates do
currently work.  There are at least four things left to
really clean up.

1. Change the memory management to use talloc() rather than
   malloc() and cleanup the leaks.
2. Fix the error code reporting (see initial changes to
   dnserr.h)
3. Fix the secure updates
4. Define a public interface in addns.h
5. Move the code in libads/dns.c into the libaddns/ directory
   (and under the LGPL).

A few notes:

* Enable the new code by compiling with --with-dnsupdate
* Also adds the command 'net ads dns register'
* Requires -luuid (included in the e2fsprogs-devel package).
* Has only been tested on Linux platforms so there may be portability
  issues.
(This used to be commit 36f04674ae)
2007-10-10 11:38:48 -05:00
Volker Lendecke
c804dd0117 r17551: Move some DEBUG to d_printf in interactive functions and return
NO_LOGON_SERVERS if no domain controller was found.

Thanks to Michael Adam <ma@sernet.de>.

Volker
(This used to be commit d44599de3a)
2007-10-10 11:38:38 -05:00
Volker Lendecke
b757699e8b r17536: Add a debug message citing the reason why an LDAP connection failed, inspired
by Christian M Ambach <CAMBACH1@de.ibm.com>.

Volker
(This used to be commit cf7c83d462)
2007-10-10 11:38:37 -05:00
Volker Lendecke
7c94b93af6 r17535: Reformatting, this had many tabs instead of ^$
(This used to be commit 0f483cf66c)
2007-10-10 11:38:37 -05:00
Volker Lendecke
846e939260 r17089: Fix a possible null dereference and some memleaks.
Jerry, please check.

Thanks,

Volker
(This used to be commit b87c495221)
2007-10-10 11:38:11 -05:00
Gerald Carter
060b155cd2 r16952: New derive DES salt code and Krb5 keytab generation
Major points of interest:

* Figure the DES salt based on the domain functional level
  and UPN (if present and applicable)
* Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC
  keys
* Remove all the case permutations in the keytab entry
  generation (to be partially re-added only if necessary).
* Generate keytab entries based on the existing SPN values
  in AD

The resulting keytab looks like:

ktutil:  list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   2    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   3    6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
   4    6           host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   5    6           host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   6    6           host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)
   7    6               suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32)
   8    6               suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   9    6               suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5)

The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName)
and the sAMAccountName value.  The UPN will be added as well if the machine has
one. This fixes 'kinit -k'.

Tested keytab using mod_auth_krb and MIT's telnet.  ads_verify_ticket()
continues to work with RC4-HMAC and DES keys.
(This used to be commit 6261dd3c67)
2007-10-10 11:19:15 -05:00
Jeremy Allison
fbdcf2663b r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need
to do the upper layer directories but this is what
everyone is waiting for....

Jeremy.
(This used to be commit 9dafb7f48c)
2007-10-10 11:19:14 -05:00
Günther Deschner
7048040be8 r16862: Reverting accidential changes in ads_try_connect() from previous commit.
Guenther
(This used to be commit 6257f9af93)
2007-10-10 11:19:12 -05:00
Günther Deschner
f3e71c6072 r16861: Fixing crash bug when passing no domain/realm name to the CLDAP request.
Guenther
(This used to be commit 863aeb621a)
2007-10-10 11:19:11 -05:00
Günther Deschner
67d8c7432f r16836: When receiving a CLDAP reply make sure that we always store the correct
netbios domain name in server affinity cache.

Guenther
(This used to be commit 08958411ee)
2007-10-10 11:19:11 -05:00
Jeremy Allison
8f0ea257b6 r16685: Fix bug #3901 reported by jason@ncac.gwu.edu.
Jeremy.
(This used to be commit d48655d9c0)
2007-10-10 11:19:07 -05:00
Volker Lendecke
8961048d24 r16339: Fix Klocwork ID
277 278     (cmd_*)

485 487 488 (ldap.c)

Volker
(This used to be commit 5b1eba76b3)
2007-10-10 11:17:36 -05:00
Jeremy Allison
d730df0493 r16324: Klocwork #499. Allways check results from alloc.
Jeremy.
(This used to be commit 2b69d436da)
2007-10-10 11:17:33 -05:00
Jeremy Allison
be6fd76436 r16322: Klocwork #481., Don't deref null on malloc fail.
Jeremy.
(This used to be commit dd31f3fc0e)
2007-10-10 11:17:33 -05:00
Günther Deschner
1628d33ba0 r16190: Fix more memleaks.
Guenther
(This used to be commit dfebcc8e19)
2007-10-10 11:17:23 -05:00
Günther Deschner
97f496a0e3 r16117: Make winbindd work again in security=ads.
We still used the old HOST/* UPN to get e.g. users, now we need
samaccountname$@REA.LM.

Guenther
(This used to be commit f6516a799a)
2007-10-10 11:17:21 -05:00
Lars Müller
ec3021dc3b r15822: Add suggestion made by Ralf Haferkamp.
(This used to be commit 7c375fd540)
2007-10-10 11:17:10 -05:00
Gerald Carter
463e7c1171 r15701: change 'net ads leave' to disable the machine account in the domain (since removal implies greater permissions that Windows clients require)
(This used to be commit ad1f947625)
2007-10-10 11:17:08 -05:00
Günther Deschner
c60e96c392 r15698: An attempt to make the winbind lookup_usergroups() call in security=ads
more scalable:

The most efficient way is to use the "tokenGroups" attribute which gives
the nested group membership. As this attribute can not always be
retrieved when binding with the machine account (the only garanteed way
to get the tokenGroups I could find is when the machine account is a
member of the "Pre Win2k Access" builtin group).

Our current fallback when "tokenGroups" failed is looking for all groups
where the userdn was in the "member" attribute. This behaves not very
well in very large AD domains.

The patch first tries the "memberOf" attribute on the user's dn in that
case and directly retrieves the group's sids by using the LDAP Extended
DN control from the user's object.

The way to pass down the control to the ldap search call is rather
painfull and probably will be rearranged later on.

Successfully tested on win2k sp0, win2k sp4, wink3 sp1 and win2k3 r2.

Guenther
(This used to be commit 7d766b5505)
2007-10-10 11:17:08 -05:00
Günther Deschner
39c45ce4f1 r15697: I take no comments as no objections :)
Expand the "winbind nss info" to also take "rfc2307" to support the
plain posix attributes LDAP schema from win2k3-r2.

This work is based on patches from Howard Wilkinson and Bob Gautier
(and closes bug #3345).

Guenther
(This used to be commit 52423e01dc)
2007-10-10 11:17:08 -05:00
Günther Deschner
e129dc40f7 r15696: Free LDAP search result.
Guenther
(This used to be commit ec26c355b3)
2007-10-10 11:17:07 -05:00
Volker Lendecke
c290d34985 r15635: Fix a bogus gcc uninit variable message
(This used to be commit 53f7104b4f)
2007-10-10 11:17:04 -05:00
Gerald Carter
f1039b8fb4 r15560: Since the hotel doesn't have Sci-Fi and no "Doctor Who"....
Re-add the capability to specify an OU in which to create
the machine account.  Done via LDAP prior to the RPC join.
(This used to be commit b69ac0e304)
2007-10-10 11:17:01 -05:00
Gerald Carter
2c029a8b96 r15543: New implementation of 'net ads join' to be more like Windows XP.
The motivating factor is to not require more privileges for
the user account than Windows does when joining a domain.

The points of interest are

* net_ads_join() uses same rpc mechanisms as net_rpc_join()
* Enable CLDAP queries for filling in the majority of the
  ADS_STRUCT->config information
* Remove ldap_initialized() from sam/idmap_ad.c and
  libads/ldap.c
* Remove some unnecessary fields from ADS_STRUCT
* Manually set the dNSHostName and servicePrincipalName attribute
  using the machine account after the join

Thanks to Guenther and Simo for the review.

Still to do:

* Fix the userAccountControl for DES only systems
* Set the userPrincipalName in order to support things like
  'kinit -k' (although we might be able to just use the sAMAccountName
  instead)
* Re-add support for pre-creating the machine account in
  a specific OU
(This used to be commit 4c4ea7b20f)
2007-10-10 11:16:57 -05:00
Günther Deschner
3bff11407e r15461: Free LDAP result in ads_get_attrname_by_oid().
Guenther
(This used to be commit f4af888282)
2007-10-10 11:16:49 -05:00
Günther Deschner
b86c19795a r15250: dump some more sids.
Guenther
(This used to be commit 2922c7f570)
2007-10-10 11:16:30 -05:00
Jim McDonough
92f139d4c4 r14931: Fix #1374: can't join an OU with name that contains '#'
I had to eliminate "\" as an OU path separator, because it is the escape
char in LDAP.  We still accept "/", but using the escape char is just
not a good choice.
(This used to be commit 1953f63903)
2007-10-10 11:15:54 -05:00
Jim McDonough
06f7ee5d4b r14252: Fix Coverity #72: free alloc'ed storage before return. Also found one
more that coverity didn't find from asprintf.
(This used to be commit 37b6e2c8de)
2007-10-10 11:15:21 -05:00
Jeremy Allison
acf0c6fb66 r14118: Fix coverity bug #24. Missing return statement meant
a possible NULL ptr deref.
Jeremy.
(This used to be commit 78ac3f9cbd)
2007-10-10 11:11:13 -05:00
Günther Deschner
3432273ab0 r13965: Make sure we always reset the userAccountControl bits when re-joining
with an existing account.

Guenther
(This used to be commit e4c12ab167)
2007-10-10 11:11:01 -05:00
Volker Lendecke
c2288e6db3 r13951: Fix Coverity Bug #163.
This code was not used anyway :-)

Volker
(This used to be commit bbfb205693)
2007-10-10 11:11:01 -05:00
Günther Deschner
379bd6865f r13657: Let winbindd try to obtain the gecos field from the msSFU30Gecos
attribute when "winbind nss info = sfu" is set. Fixes #3539.

Guenther
(This used to be commit ffce0461de)
2007-10-10 11:10:21 -05:00
Günther Deschner
c1ffb8d9bc r13410: Dump a netbootGUID as a GUID.
Guenther
(This used to be commit 9b19a68456)
2007-10-10 11:09:59 -05:00
Gerald Carter
0af1500fc0 r13316: Let the carnage begin....
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed)
2007-10-10 11:06:23 -05:00
Gerald Carter
855e02f164 r13310: first round of server affinity patches for winbindd & net ads join
(This used to be commit 6c3480f9ae)
2007-10-10 11:06:23 -05:00
James Peach
92092cbcdc r12878: Don't use non-static array initialisers.
(This used to be commit 95b231f028)
2007-10-10 11:06:05 -05:00
Gerald Carter
3f6d9a7b9d r12196: patch from Krishna Ganugapati <krishnag@centeris.com>
Use the subtree delete ldap control when running 'net ads leave'
to ensure that the machine account is actually deleted.
(This used to be commit e96000c16c)
2007-10-10 11:05:49 -05:00
Jeremy Allison
d1f91f7c72 r12043: It's amazing the warnings you find when compiling on a 64-bit
box with gcc4 and -O6...
Fix a bunch of C99 dereferencing type-punned pointer will break
strict-aliasing rules errors. Also added prs_int32 (not uint32...)
as it's needed in one place. Find places where prs_uint32 was being
used to marshall/unmarshall a time_t (a big no no on 64-bits).
More warning fixes to come.
Thanks to Volker for nudging me to compile like this.
Jeremy.
(This used to be commit c65b752604)
2007-10-10 11:05:42 -05:00
Günther Deschner
f6b8327fac r11875: Allow to use START_TLS (by manually setting "ldap ssl = start_tls") for
LDAP connections to ADS (Windows 2003).

Guenther
(This used to be commit 95543fab0f)
2007-10-10 11:05:33 -05:00
Gerald Carter
ac331c48db r11863: BUG 3196: patch from Alex Deiter <tiamat@komi.mts.ru> to compile against the Sun LDAP client libs. But not for AD support; just ldap support
(This used to be commit a33e78aced)
2007-10-10 11:05:31 -05:00
Gerald Carter
54abd2aa66 r10656: BIG merge from trunk. Features not copied over
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d7)
2007-10-10 11:04:48 -05:00
Günther Deschner
065d7e82a7 r8048: Replace "done" with "failed".
Guenther
(This used to be commit 7285edc4fe)
2007-10-10 10:58:09 -05:00
Volker Lendecke
3f11139bf3 r8047: "oid" is defined in a heimdal header. With my gcc this generates a ton of
shadowed variable warnings. Fix that.

Volker
(This used to be commit 3846c0afa1)
2007-10-10 10:58:09 -05:00
Günther Deschner
2e7f22e833 r7994: This adds support in Winbindd's "security = ads"-mode to retrieve the POSIX
homedirectory and the loginshell from Active Directory's "Services for Unix".

Enable it with:

        winbind sfu support = yes

User-Accounts without SFU-Unix-Attributes will be assigned template-based
Shells and Homedirs as before.

Note that it doesn't matter which version of Services for Unix you use (2.0,
2.2, 3.0 or 3.5). Samba should detect the correct attributes (msSFULoginShell,
msSFU30LoginShell, etc.) automatically.

If you also want to share the same uid/gid-space as SFU then also use PADL's
ad-idmap-Plugin:

        idmap backend = ad

When using the idmap-plugin only those accounts will appear in Name Service
Switch that have those UNIX-attributes which avoids potential uid/gid-space
clashes between SFU-ids and automatically assigned idmap-ids.

Guenther
(This used to be commit 28b5969942)
2007-10-10 10:58:07 -05:00
Jeremy Allison
7b9d6ac23e r6595: This is Volkers new-talloc patch. Just got the go-ahead from
Volker to commit. Woo Hoo !
Jeremy.
(This used to be commit 316df944a4)
2007-10-10 10:56:46 -05:00
Derrell Lipman
9840db418b r6149: Fixes bugs #2498 and 2484.
1. using smbc_getxattr() et al, one may now request all access control
   entities in the ACL without getting all other NT attributes.
2. added the ability to exclude specified attributes from the result set
   provided by smbc_getxattr() et al, when requesting all attributes,
   all NT attributes, or all DOS attributes.
3. eliminated all compiler warnings, including when --enable-developer
   compiler flags are in use.  removed -Wcast-qual flag from list, as that
   is specifically to force warnings in the case of casting away qualifiers.

Note: In the process of eliminating compiler warnings, a few nasties were
      discovered.  In the file libads/sasl.c, PRIVATE kerberos interfaces
      are being used; and in libsmb/clikrb5.c, both PRIAVE and DEPRECATED
      kerberos interfaces are being used.  Someone who knows kerberos
      should look at these and determine if there is an alternate method
      of accomplishing the task.
(This used to be commit 994694f7f2)
2007-10-10 10:56:24 -05:00
Gerald Carter
73d1950c01 r5956: more compile warngin fixes from the Mr. Mader
(This used to be commit f3f315b14d)
2007-10-10 10:56:11 -05:00
Gerald Carter
40295c41db r5948: more compile cleanups from Jason Mader
(This used to be commit cc6c769c3c)
2007-10-10 10:56:10 -05:00
Gerald Carter
a309fed583 r5336: BUG 2329: fix to re-enable winbindd to locate DC's when 'disable netbios = yes'
(This used to be commit 75a223f118)
2007-10-10 10:55:38 -05:00
Gerald Carter
44be949f28 r5207: patches from Jay Fenlason @ RedHat (scooped from their Fedora packages)
(This used to be commit 9019a84361)
2007-10-10 10:55:33 -05:00
Jeremy Allison
d16a5c4381 r4665: Fix inspired by posting from Joe Meadows <jameadows@webopolis.com>.
Make all LDAP timeouts consistent.
Jeremy.
(This used to be commit 0f0281c234)
2007-10-10 10:53:50 -05:00
Jeremy Allison
883874c562 r4346: Fix cut-and-paste error - bugid #2189. Fixed by Buck Huppmann <buckh@pobox.com>
Jeremy.
(This used to be commit 5c22cb082c)
2007-10-10 10:53:45 -05:00
Jeremy Allison
acf9d61421 r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f)
2007-10-10 10:53:32 -05:00
Volker Lendecke
0bd9bc6eca r3841: Time out in ads search queries. Even AD servers can hang.
Volker
(This used to be commit fc454c8ef6)
2007-10-10 10:53:20 -05:00
Jeremy Allison
aad0bc6c37 r3764: Ensure on failure that *res is always NULL.
Check for malloc fail. Fixes for bug #2036.
Jeremy.
(This used to be commit b815247747)
2007-10-10 10:53:17 -05:00
Jeremy Allison
d4a46dec34 r3569: Fix for bug #1651, added extra servicePrincipalNames for kerberos interop.
Modified the redhat patch some...
Jeremy.
(This used to be commit 2ae717cd2c)
2007-10-10 10:53:10 -05:00
Jeremy Allison
f8345c1b18 r3273: Ensure we're consistent in the use of strchr_m for '@'.
Jeremy.
(This used to be commit 0f3f7b035b)
2007-10-10 10:53:03 -05:00