Andrew Bartlett [Sun, 6 Nov 2005 14:17:00 +0000 (14:17 +0000)]
r11538: More notes on things we need.
Andrew Bartlett
Andrew Bartlett [Sun, 6 Nov 2005 14:16:34 +0000 (14:16 +0000)]
r11537: Make the authsam_account_ok routine callable by external users (the KDC).
Andrew Bartlett
Andrew Bartlett [Sun, 6 Nov 2005 14:15:34 +0000 (14:15 +0000)]
r11536: Add a hook for client-principal access control to hdb-ldb, re-using
the code in auth/auth_sam.c for consistancy. This will also allow us
to have one place for a backend directory hook.
I will use a very similar hook to add the PAC.
Andrew Bartlett
Jelmer Vernooij [Sun, 6 Nov 2005 13:53:37 +0000 (13:53 +0000)]
r11535: Support void functions when generating templates.
Jelmer Vernooij [Sun, 6 Nov 2005 13:21:22 +0000 (13:21 +0000)]
r11534: Consider ntvfs as a library
Volker Lendecke [Sun, 6 Nov 2005 12:24:33 +0000 (12:24 +0000)]
r11533: Be a bit less intrusive
Volker Lendecke [Sun, 6 Nov 2005 12:19:34 +0000 (12:19 +0000)]
r11532: Enable kerberos session setup for winbind smb connections
Andrew Bartlett [Sun, 6 Nov 2005 01:46:12 +0000 (01:46 +0000)]
r11529: Disable DNS lookups for forwarded credentials, unless really, really
wanted. There is nothing that suggests that the host we forward
credentials to will not have other interfaces, unassoicated with their
service name. Likewise, the name may be a netbios, not DNS name.
This should avoid some nasty DNS lookups.
Andrew Bartlett
Volker Lendecke [Sat, 5 Nov 2005 23:46:57 +0000 (23:46 +0000)]
r11528: Separate finding dcs from initializing a domain. Makes it easier to possibly
support cldap and other stuff in the future.
This temporarily disables wbinfo -t, but that will come back soon.
Try an ldap bind using gss-spnego. This got me krb5 binds against "our" w2k3
and a trusted w2k, although with some memleaks from krb5 and a BAD_OPTION
tgs-rep error.
Volker
Volker Lendecke [Sat, 5 Nov 2005 23:14:30 +0000 (23:14 +0000)]
r11527: Has this ever been run?
Volker Lendecke [Sat, 5 Nov 2005 23:09:23 +0000 (23:09 +0000)]
r11526: And another warning...
Andrew Bartlett [Sat, 5 Nov 2005 21:26:28 +0000 (21:26 +0000)]
r11525: Move lookups (including the attribute search) for users from
kdc/hdb-ldb.c to share the routines used for auth/
This will require keeping the attribute list in sync, but I think it
is worth it for the next steps (sharing the server_info generation).
Andrew Bartlett
Andrew Bartlett [Sat, 5 Nov 2005 11:29:34 +0000 (11:29 +0000)]
r11524: More work on our hdb backend in the KDC.
The aim here is to restructure the queries to match the queries we do
in auth, then to share the code that does the actual query (at least
for user logins).
Then we can generate the PAC from that shared query, rather than a
seperate query.
Andrew Bartlett
Andrew Bartlett [Sat, 5 Nov 2005 11:24:10 +0000 (11:24 +0000)]
r11523: Working towards having Samba3 join Samba4, this allows the SASL
credentials to be NULL, where the client is requesting a CIFS style
server-first negTokenInit.
Andrew Bartlett
Andrew Bartlett [Sat, 5 Nov 2005 11:13:22 +0000 (11:13 +0000)]
r11522: Add support for delegated credentials and machine account credentials
to ldb, based on the sessionInfo we now pass around.
Andrew Bartlett
Andrew Bartlett [Sat, 5 Nov 2005 11:02:37 +0000 (11:02 +0000)]
r11521: Add in client support for checking supportedSASLmechanisms, and then
determining a mechanism to use.
Currently it doesn't to fallbacks like SPNEGO does, but this could be
added (to GENSEC, not to here).
This also adds a new function to GENSEC, which returns a list of SASL
names in our preference order (currently determined by the build
system of all things...).
Also make the similar function used for OIDs in SPNEGO do the same.
This is all a very long-winded way of moving from a hard-coded NTLM to
GSS-SPNEGO in our SASL client...
Andrew Bartlett
Andrew Bartlett [Sat, 5 Nov 2005 10:51:13 +0000 (10:51 +0000)]
r11520: indent
Volker Lendecke [Sat, 5 Nov 2005 10:00:18 +0000 (10:00 +0000)]
r11519: And an uninitialized variable...
Volker Lendecke [Sat, 5 Nov 2005 09:59:00 +0000 (09:59 +0000)]
r11518: Fix a warning
Volker Lendecke [Sat, 5 Nov 2005 09:34:07 +0000 (09:34 +0000)]
r11517: Cleanup time, this looks larger than it is. This mainly gets rid of
wb_domain_request, now that we have queued rpc requests.
Volker
Volker Lendecke [Sat, 5 Nov 2005 09:32:15 +0000 (09:32 +0000)]
r11516: Fix a valgrind bug I introduce with queued requests
Volker Lendecke [Sat, 5 Nov 2005 09:31:24 +0000 (09:31 +0000)]
r11515: Add some talloc_get_type
Andrew Bartlett [Sat, 5 Nov 2005 06:38:47 +0000 (06:38 +0000)]
r11514: Fixup debug message
Andrew Bartlett [Sat, 5 Nov 2005 06:36:42 +0000 (06:36 +0000)]
r11513: Add the ability to use the local machine account instead of a static
password or delegation.
Add the ability to delegate for RPC pipes on the RPC proxy backend
(the backend itself seems be having problems however).
Andrew Bartlett
Andrew Bartlett [Sat, 5 Nov 2005 05:44:26 +0000 (05:44 +0000)]
r11512: fix typo
Stefan Metzmacher [Fri, 4 Nov 2005 11:02:35 +0000 (11:02 +0000)]
r11503: be quite...
metze
Stefan Metzmacher [Fri, 4 Nov 2005 08:02:20 +0000 (08:02 +0000)]
r11502: make sure we always use the 7 chars for the unix socket name.
this is to test if that works on irix 6.4 where we can only use 16 chars for the sun_path
of the unix sockets.
the plan is to make multiple interfaces possible with socket wrapper,
and the format will change to ("%c%02X%04X", type, iface, port),
which is also 7 char to the file name
metze
Andrew Tridgell [Fri, 4 Nov 2005 04:07:45 +0000 (04:07 +0000)]
r11501: change provision code to use the new display specifiers
Andrew Tridgell [Fri, 4 Nov 2005 04:07:24 +0000 (04:07 +0000)]
r11500: fixed a bug in the variable substition code using the new limit argument to split()
Andrew Tridgell [Fri, 4 Nov 2005 04:06:35 +0000 (04:06 +0000)]
r11499: added a minimal set of display specifiers for mmc to use to display
the core elements of a Samba4 domain
Andrew Tridgell [Fri, 4 Nov 2005 04:05:48 +0000 (04:05 +0000)]
r11498: added an optional extra argument to split to limit the number of
pieces a string is split into. This allows for a fix in the variable
substitution used in provisioning
Andrew Bartlett [Fri, 4 Nov 2005 03:30:47 +0000 (03:30 +0000)]
r11497: Don't name parameters 'floor'. Rename fl and floor to epm_floor for
consistancy.
Andrew Bartlett
Andrew Tridgell [Fri, 4 Nov 2005 02:23:50 +0000 (02:23 +0000)]
r11496: add a minimal ads-compatible schema into our sam.ldb setup. This is
needed for mmc management of Samba4.
Stefan Metzmacher [Thu, 3 Nov 2005 19:22:01 +0000 (19:22 +0000)]
r11489: add the one replication cycle test to NBT-WINSREPLICATION-QUICK
metze
Stefan Metzmacher [Thu, 3 Nov 2005 19:12:36 +0000 (19:12 +0000)]
r11488: handle the stupid name release demand a windows there send...
metze
Stefan Metzmacher [Thu, 3 Nov 2005 18:38:41 +0000 (18:38 +0000)]
r11487: thanks to make test I noticed a dead lock bug, in the last change,
this only happens with socket_wrapper as socket_connect() returns NT_STATUS_OK
instead of NT_STATUS_MORE_PROCESSING_REQUIRED, and we missed to replace the
fde event handler...
metze
Stefan Metzmacher [Thu, 3 Nov 2005 16:24:57 +0000 (16:24 +0000)]
r11485: prevent us from calling the request handler recursiv when
the handler calls talloc_free(wrepl_socket)
metze
Stefan Metzmacher [Thu, 3 Nov 2005 13:13:45 +0000 (13:13 +0000)]
r11484: test some multi homed record merging
metze
Jelmer Vernooij [Wed, 2 Nov 2005 19:31:04 +0000 (19:31 +0000)]
r11481: Disable pre-linking on VMS
Stefan Metzmacher [Wed, 2 Nov 2005 17:15:17 +0000 (17:15 +0000)]
r11480: demonstrate the only the positive name query response cares,
not the addresses that are returned in it
metze
Stefan Metzmacher [Wed, 2 Nov 2005 16:48:22 +0000 (16:48 +0000)]
r11479: fix compiler warning
metze
Stefan Metzmacher [Wed, 2 Nov 2005 15:56:24 +0000 (15:56 +0000)]
r11478: add owned,active,multi homed vs. * section
metze
Andrew Bartlett [Wed, 2 Nov 2005 09:51:32 +0000 (09:51 +0000)]
r11477: This seems really nasty, but as I understand it an attacker cannot
change this checksum, as it is inside the encrypted packets.
Where the client (such as Samba3) fakes up GSSAPI, allow it to
continue. We can't rid the world of all Samba3 and similar clients...
Andrew Bartlett
Andrew Tridgell [Wed, 2 Nov 2005 07:27:06 +0000 (07:27 +0000)]
r11476: finally fixed the intermittent registry server bug! This has been
cropping up occasionally for ages. The problem was the generic reg
code setting up a backend_data value, which it has no business doing
(backend_data is for backends ...)
Andrew Tridgell [Wed, 2 Nov 2005 06:49:08 +0000 (06:49 +0000)]
r11475: removed a extraneous ldb_delete() call (i had it there for debugging)
Andrew Tridgell [Wed, 2 Nov 2005 06:41:11 +0000 (06:41 +0000)]
r11474: - enable ldb transactions from ejs
- speed up provisioning a bit using a ldb transaction (also means you
can't end up with a ldb being half done)
Volker Lendecke [Wed, 2 Nov 2005 05:34:17 +0000 (05:34 +0000)]
r11473: Based on work by Jelmer, implement the [async] flag for rpc requests. If it's
not there (it's not yet on *any* call... :-)), the rpc client strictly
sequences calls to an rpc pipe. Might need some more work on the exact
sequencing semantics when a pipe with both sync and async calls is actually
deployed, but I want it in for winbind simplification.
Volker
Andrew Tridgell [Wed, 2 Nov 2005 04:49:45 +0000 (04:49 +0000)]
r11472: use talloc_get_type() to try to catch an intermittent failure I'm seeing in the ldb winreg backend
Andrew Bartlett [Wed, 2 Nov 2005 04:24:04 +0000 (04:24 +0000)]
r11471: Describe how kerberos forwarding works with the ntvfs.
Andrew Bartlett
Andrew Bartlett [Wed, 2 Nov 2005 04:12:47 +0000 (04:12 +0000)]
r11470: To a server trusted for delegation (checked for in the gss libs),
delegate by default.
Andrew Bartlett
Andrew Bartlett [Wed, 2 Nov 2005 04:11:36 +0000 (04:11 +0000)]
r11469: Fix typo, and use the correct (RFC4120) session key for delegating
credentials. This means we now delegate to windows correctly.
Andrew Bartlett
Andrew Bartlett [Wed, 2 Nov 2005 03:48:49 +0000 (03:48 +0000)]
r11468: Merge a bit more of init_sec_context from Heimdal CVS into our
DCE_STYLE modified version, and add parametric options to control
delegation.
It turns out the only remaining issue is sending delegated credentials
to a windows server, probably due to the bug lha mentions in his blog
(using the wrong key).
If I turn delgation on in smbclient, but off in smbd, I can proxy a
cifs session.
I can't wait till Heimdal 0.8, so I'll see if I can figure out the fix
myself :-)
Andrew Bartlett
Andrew Tridgell [Wed, 2 Nov 2005 03:23:05 +0000 (03:23 +0000)]
r11467: yay! mmc now accepts our schema. The trick was to get all the OID
mappings right for the attributeTypes field of the aggregate schema
now to add the display specifiers and I won't need the proxy module
any more
Andrew Bartlett [Wed, 2 Nov 2005 03:08:52 +0000 (03:08 +0000)]
r11466: Clear up some memory leaks in smbclient.
Andrew Bartlett
Andrew Tridgell [Wed, 2 Nov 2005 02:32:25 +0000 (02:32 +0000)]
r11463: more progress on the schema generator. mmc now accepts all parts
except the attributeTypes fields of the Aggregrate record. Proxying
just that field and the display specifiers gives us a working mmc
client
hopefully i'll work out what it doesn't like about the attributeTypes
field soon
Andrew Bartlett [Wed, 2 Nov 2005 02:22:35 +0000 (02:22 +0000)]
r11462: Fix the build: somehow I lost the header for this samba-specific hack.
Andrew Bartlett
Andrew Tridgell [Wed, 2 Nov 2005 01:05:07 +0000 (01:05 +0000)]
r11459: display a schemaIDGUID as a guid in ldif, making it easier to work
with schemas in ldbedit
Andrew Tridgell [Wed, 2 Nov 2005 01:04:00 +0000 (01:04 +0000)]
r11458: fixed our ejs smbscript interfaces to use arrays where appropriate. In
js arrays are a special type of object where the length property is
automatic, and cannot be modified manually. Our code was manually
setting length, which made it abort when someone passed in a real ejs
array. To fix this we need to create real arrays instead of objects,
and remove the code that manually sets the length
Andrew Tridgell [Wed, 2 Nov 2005 01:01:17 +0000 (01:01 +0000)]
r11457: fixed the winreg IDL and torture code so key and value enumerations
work again. The automatic value() is fine for the length, but cannot
be used for the size as the size is not the number of bytes being
sent, but the number of bytes that the server is allowed to use in the
reply
Andrew Tridgell [Wed, 2 Nov 2005 00:59:01 +0000 (00:59 +0000)]
r11456: fixed a ejs parser bug for delete() statements
Andrew Bartlett [Wed, 2 Nov 2005 00:34:25 +0000 (00:34 +0000)]
r11453: Fix warning, for a case that just can't happen.
Andrew Bartlett
Andrew Bartlett [Wed, 2 Nov 2005 00:31:22 +0000 (00:31 +0000)]
r11452: Update Heimdal to current lorikeet, including removing the ccache side
of the gsskrb5_acquire_cred hack.
Add support for delegated credentials into the auth and credentials
subsystem, and specifically into gensec_gssapi.
Add the CIFS NTVFS handler as a consumer of delegated credentials,
when no user/domain/password is specified.
Andrew Bartlett
Andrew Tridgell [Tue, 1 Nov 2005 23:44:01 +0000 (23:44 +0000)]
r11447: fixed a problem with the ldap server spinning using CPU time
Andrew Bartlett [Tue, 1 Nov 2005 14:21:31 +0000 (14:21 +0000)]
r11442: Don't use BASE-NEGNOWAIT any more. It is a mostly meaningless test.
Andrew Bartlett
Andrew Bartlett [Tue, 1 Nov 2005 13:35:59 +0000 (13:35 +0000)]
r11441: Remove the auth_domain module from Samba4, as we will only do things
via winbindd in Samba4.
Andrew Bartlett
Andrew Bartlett [Tue, 1 Nov 2005 13:33:05 +0000 (13:33 +0000)]
r11440: Actually check the right thing for 'is this a machine account' (thanks metze).
Andrew Bartlett
Andrew Bartlett [Tue, 1 Nov 2005 13:32:09 +0000 (13:32 +0000)]
r11439: Make presedence on strcmp comparison clear, and fill in
logon_parameters for the auth subsystem.
Andrew Bartlett
Andrew Bartlett [Tue, 1 Nov 2005 13:30:09 +0000 (13:30 +0000)]
r11438: Move enum samr_RejectReason into misc.idl so I can use it in a global
prototype.
Andrew Bartlett
Andrew Bartlett [Tue, 1 Nov 2005 13:29:22 +0000 (13:29 +0000)]
r11437: Fix (valid!) use of uninitialised value warnings.
Andrew Bartlett
Andrew Tridgell [Tue, 1 Nov 2005 07:07:48 +0000 (07:07 +0000)]
r11436: this is work in progress for generating the schema we need for our ADS
ldap server. It's still not quite right, and I'm chasing down a few
errors that mmc throws up, but its a lot closer than it was. I had to
change the approach quite substantially over the last couple of days,
but this approach now seems to be working out.
Stefan Metzmacher [Mon, 31 Oct 2005 22:48:58 +0000 (22:48 +0000)]
r11429: - add owned,active,sgroup vs. unique, group and mhomed replica
special group vs. special group will be done later
metze
Stefan Metzmacher [Mon, 31 Oct 2005 22:25:29 +0000 (22:25 +0000)]
r11426: add owned,active,normalgroup vs. * replica sections
metze
Stefan Metzmacher [Mon, 31 Oct 2005 21:51:53 +0000 (21:51 +0000)]
r11425: add owned,active,unique vs. multi homed section
metze
Volker Lendecke [Mon, 31 Oct 2005 21:37:36 +0000 (21:37 +0000)]
r11424: Fix an uninitialized variable warning
Volker Lendecke [Mon, 31 Oct 2005 20:28:08 +0000 (20:28 +0000)]
r11423: Add some TALLOC_CTX
Volker Lendecke [Mon, 31 Oct 2005 20:12:22 +0000 (20:12 +0000)]
r11422: Remove unused args
Stefan Metzmacher [Mon, 31 Oct 2005 18:19:43 +0000 (18:19 +0000)]
r11419: add owned,unique,active vs. special group replica section
metze
Stefan Metzmacher [Mon, 31 Oct 2005 13:20:47 +0000 (13:20 +0000)]
r11418: - add unique,owned,active vs. normal group section
- we handle incoming release demands for that
metze
Jelmer Vernooij [Mon, 31 Oct 2005 13:02:17 +0000 (13:02 +0000)]
r11417: Add TODO for the build system
Stefan Metzmacher [Mon, 31 Oct 2005 11:05:48 +0000 (11:05 +0000)]
r11416: add some more comments
metze
Stefan Metzmacher [Mon, 31 Oct 2005 10:14:05 +0000 (10:14 +0000)]
r11415: - create a seperate nbt socket for handling incoming packets
- remove useless .release attribute, we have seperate tests for this
now
- add first owned,active vs. replica test, including handling incoming
name queries from the server
metze
Andrew Bartlett [Mon, 31 Oct 2005 06:08:11 +0000 (06:08 +0000)]
r11414: Add passing around of logon_parameters to Samba4 auth_winbind
Andrew Bartlett
Andrew Bartlett [Mon, 31 Oct 2005 06:01:55 +0000 (06:01 +0000)]
r11413: More comments, plus always check (and update) the credentials chain,
regardless the authentication result on a particular user.
Andrew Bartlett
Andrew Bartlett [Mon, 31 Oct 2005 05:45:19 +0000 (05:45 +0000)]
r11412: These comments may not be much, but my eyes scan code with even
minimal comments much better (much like volker scans code of less than
80 cols better ;-)
Andrew Bartlett
Andrew Bartlett [Mon, 31 Oct 2005 04:17:51 +0000 (04:17 +0000)]
r11411: Add to Samba4 the Samba3 patch I just posted for machine account
logins (changing the winbindd interface).
Clean up the wbsrv_samba3_async_epilogue() handling, as it was mixing
auth and other replies, such that all replies were having the auth
error strings set. We now do a better job of filling in the right
errors in the right places.
Andrew Bartlett
Andrew Bartlett [Mon, 31 Oct 2005 03:44:29 +0000 (03:44 +0000)]
r11410: Fix rejoin as a BDC by modifying, rather than trying to recreate, the
server reference.
Andrew Bartlett
Andrew Bartlett [Mon, 31 Oct 2005 03:06:13 +0000 (03:06 +0000)]
r11409: The use of 'password server = ' here is still bogus, but for now at
least don't allow binding to become uninitialised.
Andrew Bartlett
Andrew Tridgell [Mon, 31 Oct 2005 03:05:26 +0000 (03:05 +0000)]
r11408: fixed the mapping of ldb errors to ldap errors in the ldap server
Andrew Bartlett [Mon, 31 Oct 2005 03:03:32 +0000 (03:03 +0000)]
r11407: Push 'recreate account' logic into libnet/libnet_join.c. We don't
return the pesky USER_EXISTS 'error' code any more, and it is much
easier to handle this inline.
Andrew Bartlett
Andrew Bartlett [Mon, 31 Oct 2005 03:00:36 +0000 (03:00 +0000)]
r11406: Clean up uninitialised value warnings found by -01.
The warnings were caused by the structure assignements, which we don't
need to do. The actual values are filled in by the NDR layer later.
Andrew Bartlett
Andrew Bartlett [Mon, 31 Oct 2005 02:58:29 +0000 (02:58 +0000)]
r11405: Ensure we can never have secret4 be uninitialised. Found after
volker's urging on the use of -O1.
Andrew Bartlett
Andrew Bartlett [Mon, 31 Oct 2005 02:46:15 +0000 (02:46 +0000)]
r11404: Another torture test and a new WERR.
Andrew Bartlett
Andrew Tridgell [Mon, 31 Oct 2005 02:13:02 +0000 (02:13 +0000)]
r11403: improved the error handling in the ildap ldb backend. Now passes
through all ldap errors except on search. Search errors are only
available via ldb_errstring() until we decide how to fix ldb_search().
Andrew Bartlett [Mon, 31 Oct 2005 02:12:13 +0000 (02:12 +0000)]
r11402: In response to comments by volker, expand our Netlogon DsRGetDCName
IDL and testsuites. The server-side of this remains a stub, we should
probably be doing ldb searches for the server reference record.
Andrew Bartlett
Andrew Bartlett [Mon, 31 Oct 2005 00:23:38 +0000 (00:23 +0000)]
r11401: A simple hack to have our central credentials system deny sending LM
authentication for user@realm logins and machine account logins.
This should avoid various protocol downgrade attacks.
Andrew Bartlett
Stefan Metzmacher [Sun, 30 Oct 2005 10:39:52 +0000 (10:39 +0000)]
r11400: fix compiler warnings
metze
Andrew Bartlett [Sun, 30 Oct 2005 00:56:39 +0000 (00:56 +0000)]
r11399: Add another case where we need to fallback, if the KDC isn't there.
Andrew Bartlett
Andrew Bartlett [Sat, 29 Oct 2005 13:13:52 +0000 (13:13 +0000)]
r11394: Allow KDC unreachable as another 'forget about gssapi' error on SPNEGO.
Andrew Bartlett
Andrew Bartlett [Sat, 29 Oct 2005 11:11:05 +0000 (11:11 +0000)]
r11393: Avoid error messages and get more correctness with long plaintext passwords.
Andrew Bartlett
Volker Lendecke [Sat, 29 Oct 2005 06:59:54 +0000 (06:59 +0000)]
r11392: After confirmation from Love, fix a compiler warning