Andrew Bartlett [Fri, 21 Oct 2005 01:25:55 +0000 (01:25 +0000)]
r11239: Use ${REALM} for the realm in rootdse.ldif
Add the kpasswd server to our KDC, implementing the 'original' and
Microsoft versions of the protocol.
This works with the Heimdal kpasswd client, but not with MIT, I think
due to ordering issues. It may not be worth the pain to have this
code go via GENSEC, as it is very, very tied to krb5.
This gets us one step closer to joins from Apple, Samba3 and other
similar implementations.
Andrew Bartlett
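The framing that a kpasswd server such as the one added in r11239 has to accept on port 464, as an added worked example that is not Samba's kpasswdd code: the layout (2-byte total length, 2-byte protocol version, 2-byte AP-REQ length, AP-REQ, KRB-PRIV) and the two version numbers (0x0001 for the original change-password protocol, 0xff80 for the Microsoft set-password variant) are taken from RFC 3244; the 4-byte TCP length prefix matches the "identical TCP semantics" to the KDC noted in r11106. The AP-REQ and KRB-PRIV bytes below are constructed placeholders, not real Kerberos messages, and the function and constant names are this example's own.

```python
import struct
from collections import namedtuple

# Protocol version numbers from RFC 3244: the original change-password
# protocol and the Microsoft set-password extension.
KRB5_KPASSWD_VERS_CHANGEPW = 0x0001
KRB5_KPASSWD_VERS_SETPW = 0xFF80
HEADER_LEN = 6  # message length (2) + version (2) + AP-REQ/AP-REP length (2)

KpasswdMessage = namedtuple("KpasswdMessage", "version ap_data payload is_error")


class KpasswdFramingError(ValueError):
    pass


def encode_kpasswd(version, ap_data, payload):
    """Wrap an AP-REQ/AP-REP and a KRB-PRIV (or KRB-ERROR) in RFC 3244 framing.

    The leading length field counts the whole message, itself included."""
    if version not in (KRB5_KPASSWD_VERS_CHANGEPW, KRB5_KPASSWD_VERS_SETPW):
        raise KpasswdFramingError("unknown kpasswd protocol version 0x%04x" % version)
    if len(ap_data) > 0xFFFF:
        raise KpasswdFramingError("AP-REQ/AP-REP too long for a 16-bit length field")
    total = HEADER_LEN + len(ap_data) + len(payload)
    if total > 0xFFFF:
        raise KpasswdFramingError("message too long for a 16-bit length field")
    return struct.pack(">HHH", total, version, len(ap_data)) + ap_data + payload


def decode_kpasswd(datagram, reply=False):
    """Split one UDP datagram into (version, ap_data, payload, is_error).

    Every length in the header is checked against the bytes actually received
    before any slice is taken, so a short or lying header cannot make the
    server read past the buffer or hand an empty AP-REQ to the krb5 library."""
    if len(datagram) < HEADER_LEN:
        raise KpasswdFramingError("datagram shorter than the 6-byte header")
    msg_len, version, ap_len = struct.unpack(">HHH", datagram[:HEADER_LEN])
    if msg_len != len(datagram):
        raise KpasswdFramingError(
            "length field says %d bytes but %d were received" % (msg_len, len(datagram)))
    if version not in (KRB5_KPASSWD_VERS_CHANGEPW, KRB5_KPASSWD_VERS_SETPW):
        raise KpasswdFramingError("unknown kpasswd protocol version 0x%04x" % version)
    if HEADER_LEN + ap_len > msg_len:
        raise KpasswdFramingError("AP-REQ length %d overruns the message" % ap_len)
    ap_data = datagram[HEADER_LEN:HEADER_LEN + ap_len]
    payload = datagram[HEADER_LEN + ap_len:]
    if not payload:
        raise KpasswdFramingError("no KRB-PRIV/KRB-ERROR after the AP-REQ/AP-REP")
    if ap_len == 0:
        if not reply:
            raise KpasswdFramingError("request carries no AP-REQ")
        # RFC 3244: a reply whose AP-REP length is zero carries a KRB-ERROR
        # instead of a KRB-PRIV.
        return KpasswdMessage(version, b"", payload, True)
    return KpasswdMessage(version, ap_data, payload, False)


def frame_tcp(message):
    """Over TCP the same message is sent behind a 4-byte big-endian length,
    the framing the KDC listener already uses."""
    return struct.pack(">I", len(message)) + message


# Constructed placeholders standing in for DER-encoded AP-REQ and KRB-PRIV
# blobs; they are not valid Kerberos messages.
SAMPLE_AP_REQ = b"\x6e\x05\x30\x03\x02\x01\x05"
SAMPLE_KRB_PRIV = b"\x75\x05\x30\x03\x02\x01\x05"

if __name__ == "__main__":
    request = encode_kpasswd(KRB5_KPASSWD_VERS_SETPW, SAMPLE_AP_REQ, SAMPLE_KRB_PRIV)
    print(decode_kpasswd(request))
    print(frame_tcp(request).hex())
```

The server-side caveat this encodes is that the three length fields are attacker-controlled: each is compared with the datagram actually received before it is used as a slice bound, and a zero-length AP-REQ is only meaningful in a reply.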
Andrew Bartlett [Thu, 20 Oct 2005 13:11:06 +0000 (13:11 +0000)]
r11226: Cope with Samba3's behaviour on LDAP with GSS-SPNEGO.
Andrew Bartlett
Andrew Bartlett [Thu, 20 Oct 2005 13:10:20 +0000 (13:10 +0000)]
r11225: Remove pointless goto.
Andrew Bartlett
Andrew Bartlett [Thu, 20 Oct 2005 11:19:52 +0000 (11:19 +0000)]
r11223: Only pass around the ldb handle (make this code easier to separate
into a general lib).
Andrew Bartlett
Andrew Bartlett [Thu, 20 Oct 2005 11:19:03 +0000 (11:19 +0000)]
r11222: Small provision fixes: canonicalName is now generated, and the DC=
list should be from the dnsdomain (i.e. lowercase).
Andrew Bartlett
Andrew Bartlett [Thu, 20 Oct 2005 10:29:41 +0000 (10:29 +0000)]
r11221: I don't quite know how I tested this before, but clearly I didn't.
The samdb_set_password_sid helper function now works.
Andrew Bartlett
Andrew Bartlett [Thu, 20 Oct 2005 10:28:16 +0000 (10:28 +0000)]
r11220: Add the ability to handle the salt principal as part of the
credentials. This works with the setup/secrets.ldif change from the
previous patch, and pretty much just re-invents the keytab.
Needed for kpasswdd work.
Andrew Bartlett
Andrew Bartlett [Thu, 20 Oct 2005 10:25:51 +0000 (10:25 +0000)]
r11219: Now that we have the credentials hooked in here, we have a much more
reasonable value to fill in for the mechListMIC.
Andrew Bartlett
Andrew Bartlett [Thu, 20 Oct 2005 10:21:04 +0000 (10:21 +0000)]
r11218: Always return the mutual authentication reply (needed for kpasswd),
and remove now duplicated unwrap_pac().
Andrew Bartlett
Andrew Bartlett [Thu, 20 Oct 2005 10:18:45 +0000 (10:18 +0000)]
r11217: Ensure the realm is substituted in UPPER case.
Andrew Bartlett
Andrew Bartlett [Thu, 20 Oct 2005 10:15:31 +0000 (10:15 +0000)]
r11216: Upgrade to gd's PAC extraction code from Samba3. While I still want
to make some of this the kerberos library's problem, we may as well use
the best code that is around.
Andrew Bartlett
Andrew Bartlett [Thu, 20 Oct 2005 10:10:40 +0000 (10:10 +0000)]
r11215: Remove no-op prompter intended to work around bugs in old kerberos libs.
I'm also worried this might cause loops, if we get a 'force password
change', and the prompter tries to 'deal with it'.
Andrew Bartlett
Jelmer Vernooij [Thu, 20 Oct 2005 10:04:57 +0000 (10:04 +0000)]
r11214: Remove scons files (see lists.samba.org/archive/samba-technical/2005-October/043443.html)
Andrew Bartlett [Thu, 20 Oct 2005 07:36:08 +0000 (07:36 +0000)]
r11212: Enable sealing of data with raw krb5, consolidate some code into the
main gensec_krb5_start and always ask for sequence numbers.
Andrew Bartlett
Tim Potter [Thu, 20 Oct 2005 07:06:49 +0000 (07:06 +0000)]
r11211: Append an error message to COL_INFO if the RPC call returned an error.
Tim Potter [Thu, 20 Oct 2005 06:31:51 +0000 (06:31 +0000)]
r11210: Log registry open function name when starting hive tests.
Andrew Bartlett [Thu, 20 Oct 2005 05:09:58 +0000 (05:09 +0000)]
r11209: We can't read the priorSecret unless we ask for it.
Andrew Bartlett
Andrew Bartlett [Thu, 20 Oct 2005 05:09:14 +0000 (05:09 +0000)]
r11208: Add DNS entries for finding the kpasswd server to the default zone.
Andrew Bartlett
Andrew Bartlett [Thu, 20 Oct 2005 05:08:24 +0000 (05:08 +0000)]
r11207: Correct principal search define
Andrew Bartlett [Thu, 20 Oct 2005 04:56:47 +0000 (04:56 +0000)]
r11206: It appears to me that any account may operate as a server.
Andrew Bartlett
Andrew Bartlett [Thu, 20 Oct 2005 04:55:56 +0000 (04:55 +0000)]
r11205: Another test for cracknames.
Andrew Bartlett
Andrew Bartlett [Thu, 20 Oct 2005 04:53:42 +0000 (04:53 +0000)]
r11204: Allow us to read credentials from secrets.ldb without a
secureChannelType (non machine join records).
Andrew Bartlett
Andrew Bartlett [Thu, 20 Oct 2005 04:35:30 +0000 (04:35 +0000)]
r11203: Use different variable names to make it easier to tell which assert fired.
Andrew Bartlett
Andrew Bartlett [Thu, 20 Oct 2005 04:34:26 +0000 (04:34 +0000)]
r11202: Add more structs to structs.h
Andrew Bartlett [Thu, 20 Oct 2005 03:55:35 +0000 (03:55 +0000)]
r11201: New filters for searching in secrets.ldb
Andrew Bartlett
Andrew Bartlett [Thu, 20 Oct 2005 03:47:55 +0000 (03:47 +0000)]
r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5
authentication. This pulls the creation of the keytab back to the
credentials code, and removes the special case of 'use kerberos keytab
= yes' for now.
This allows (and requires) the callers to specify the credentials for
the server credentials to GENSEC. This allows kpasswdd (soon to be
added) to use a different set of kerberos credentials.
The 'use kerberos keytab' code will be moved into the credentials
layer, as the layers below now expect a keytab.
We also now allow for the old secret to be stored into the
credentials, allowing service password changes.
Andrew Bartlett
Andrew Bartlett [Thu, 20 Oct 2005 03:38:01 +0000 (03:38 +0000)]
r11199: Push an objectSid into the schannel state database, to match the new header.
Andrew Bartlett
Andrew Bartlett [Thu, 20 Oct 2005 03:34:49 +0000 (03:34 +0000)]
r11198: The recent changes to netlogon changed this from a RID to a SID.
Andrew Bartlett
Andrew Bartlett [Thu, 20 Oct 2005 03:21:34 +0000 (03:21 +0000)]
r11197: indent
Andrew Bartlett [Thu, 20 Oct 2005 03:20:43 +0000 (03:20 +0000)]
r11196: Clean up memory leaks (pointed out by vl), and handle the case where
the client doesn't guess correctly on the mech to use. It must back
off and try the mech the server selected from the list.
I'm not particularly attached to our SPNEGO parser, so while I can't
easily use the SPNEGO application logic in Heimdal, I'm going to look
closely at using the asn1 routines to avoid some pain here.
Andrew Bartlett
Andrew Bartlett [Thu, 20 Oct 2005 03:17:42 +0000 (03:17 +0000)]
r11195: Add a new helper function (needed by my kpasswdd work, but hooked in
for netlogon as well) to change/set a user's password, given only
their SID.
This avoids the callers doing the lookups, and also performs the
actual 'set', as these callers do not wish any further business with
the entry.
Andrew Bartlett
Andrew Bartlett [Thu, 20 Oct 2005 01:48:11 +0000 (01:48 +0000)]
r11194: Use the special ldb attribute "canonicalName" (therefore testing that
codepath) in DRSUAPI CrackNames.
Fix the NT4 account return value.
Andrew Bartlett
Volker Lendecke [Wed, 19 Oct 2005 21:53:03 +0000 (21:53 +0000)]
r11193: Implement wbinfo -m
Volker Lendecke [Wed, 19 Oct 2005 21:19:49 +0000 (21:19 +0000)]
r11192: Too many contexts around... :-)
Stefan Metzmacher [Wed, 19 Oct 2005 17:48:55 +0000 (17:48 +0000)]
r11189: add some more special group vs. special group tests,
to make sure that replicas from the same owner are blindly overwritten
in all cases
metze
Stefan Metzmacher [Wed, 19 Oct 2005 16:52:50 +0000 (16:52 +0000)]
r11188: - add multi homed vs. multi homed section
metze
Stefan Metzmacher [Wed, 19 Oct 2005 16:30:02 +0000 (16:30 +0000)]
r11187: in case the msDS-KeyVersionNumber is replicated (I didn't assume this...)
show the string in the debug output, and show it with
--option="dssync:print_pwd_blobs=yes"
metze
Stefan Metzmacher [Wed, 19 Oct 2005 16:25:58 +0000 (16:25 +0000)]
r11186: - get rid of some .extra = True cases
- add multihomed vs unique section
- update conflict handling for the above case
metze
Stefan Metzmacher [Wed, 19 Oct 2005 15:34:39 +0000 (15:34 +0000)]
r11185: - resolve attid for "supplementalCredentials" into a name
- print "supplementalCredentials" also when --option="dssync:print_pwd_blobs=yes"
is used
abartlet: this field may contain the krb5 keys...
metze
Jelmer Vernooij [Wed, 19 Oct 2005 14:35:25 +0000 (14:35 +0000)]
r11184: Remove test that checks whether ftruncate() needs root, because I can't
find the file it tries to use (build/tests/ftruncroot.c) and the value
it defines is not used anywhere.
Jelmer Vernooij [Wed, 19 Oct 2005 14:08:39 +0000 (14:08 +0000)]
r11182: Explicitly add "." to perl include path so that perl doesn't use the
Config module instead of the configure-generated config.pm on case-insensitive
filesystems (MacOSX, OpenVMS)
Volker Lendecke [Wed, 19 Oct 2005 13:45:44 +0000 (13:45 +0000)]
r11181: Implement wbinfo -s and wbinfo --user-sids. The patch is so large because
--user-sids required the extension to trusted domains.
Implement "winbind sealed pipes" parameter for debugging purposes.
Volker
Stefan Metzmacher [Wed, 19 Oct 2005 09:43:48 +0000 (09:43 +0000)]
r11179: revert to the old code, till jelmer finds a solution for how to
handle a UTF16 string in a uint8 array
metze
Stefan Metzmacher [Wed, 19 Oct 2005 09:41:54 +0000 (09:41 +0000)]
r11178: add some logic functions for the replica_vs_replica conflict handling
to our winsrepl server, but it handles only the simple cases (without merging)
and we still don't apply records to our wins.ldb, we just print out what we would do
metze
Stefan Metzmacher [Wed, 19 Oct 2005 07:47:29 +0000 (07:47 +0000)]
r11177: move unique vs * and normal group vs * into this form
ACTIVE vs ACTIVE
ACTIVE vs TOMBSTONE
RELEASED vs ACTIVE
RELEASED vs TOMBSTONE
TOMBSTONE vs ACTIVE
TOMBSTONE vs TOMBSTONE
as it seems that is all we need to test,
and w2k3 only decides between ACTIVE and NON-ACTIVE (RELEASED or TOMBSTONE)
when it gets new replica objects
also I have removed all the extra tests, we only test the worst cases now,
and this will make the algorithms more clear when you look at the output
of the NBT-WINSREPLICATION torture test
metze
Stefan Metzmacher [Wed, 19 Oct 2005 07:24:36 +0000 (07:24 +0000)]
r11176: - add multi homed vs. special group section
metze
Stefan Metzmacher [Wed, 19 Oct 2005 07:12:26 +0000 (07:12 +0000)]
r11175: - add multi homed vs. normal group section
metze
Stefan Metzmacher [Wed, 19 Oct 2005 07:00:31 +0000 (07:00 +0000)]
r11174: - add special group vs. multi homed section
- disable special group vs. special group,
I need to look closer at this, as I'm getting strange timeouts
randomly, so the server might be doing some challenges while
doing the merging of special group records, which reaches
timeouts
metze
Stefan Metzmacher [Wed, 19 Oct 2005 06:30:05 +0000 (06:30 +0000)]
r11173: print out the correct messages
metze
Stefan Metzmacher [Wed, 19 Oct 2005 06:13:53 +0000 (06:13 +0000)]
r11172: - start with special group vs. special group testing
metze
Stefan Metzmacher [Wed, 19 Oct 2005 06:09:14 +0000 (06:09 +0000)]
r11171: fix the build
metze
Stefan Metzmacher [Tue, 18 Oct 2005 14:58:51 +0000 (14:58 +0000)]
r11146: make sure we get the expected amount of addresses
metze
Stefan Metzmacher [Tue, 18 Oct 2005 14:48:12 +0000 (14:48 +0000)]
r11144: - add special group vs. normal group section
metze
Stefan Metzmacher [Tue, 18 Oct 2005 14:18:58 +0000 (14:18 +0000)]
r11142: - add special group vs. unique section
metze
Jelmer Vernooij [Tue, 18 Oct 2005 14:12:33 +0000 (14:12 +0000)]
r11141: Re-add paranoid string terminator check
Volker Lendecke [Mon, 17 Oct 2005 15:20:52 +0000 (15:20 +0000)]
r11122: Fix some talloc hierarchy errors
Stefan Metzmacher [Mon, 17 Oct 2005 15:12:03 +0000 (15:12 +0000)]
r11121: - add normal groups vs. multihomed section
- make sure we test the worst case,
so that we don't need to test everything...
- same ip(s) => not replace
- different ip(s) => replace
metze
Volker Lendecke [Mon, 17 Oct 2005 15:08:52 +0000 (15:08 +0000)]
r11120: calling_name is used later in sesssetup_nt1, so hang the names to the right
talloc context.
Volker
Stefan Metzmacher [Mon, 17 Oct 2005 14:32:16 +0000 (14:32 +0000)]
r11119: add normal group vs. special group section
metze
Stefan Metzmacher [Mon, 17 Oct 2005 14:12:54 +0000 (14:12 +0000)]
r11117: add a normal group vs. normal group section
metze
Stefan Metzmacher [Mon, 17 Oct 2005 13:17:42 +0000 (13:17 +0000)]
r11116: - don't display cleanup updates
- add unique vs. multi homed section
metze
Stefan Metzmacher [Mon, 17 Oct 2005 12:40:45 +0000 (12:40 +0000)]
r11115: add unique vs special group section
metze
Andrew Tridgell [Mon, 17 Oct 2005 11:50:34 +0000 (11:50 +0000)]
r11114: - fixed error handling on bad bind in ildap client
- added nicer error display, giving a string version of the error code
Andrew Tridgell [Mon, 17 Oct 2005 11:33:13 +0000 (11:33 +0000)]
r11113: fixed two small bugs in newuser
- randpass() is now in the random ejs module, not global
- don't dereference the undefined variable on getopt failure
Andrew Tridgell [Mon, 17 Oct 2005 11:32:20 +0000 (11:32 +0000)]
r11112: listen on the global catalog ldap server port as well if we are a
PDC. I suspect we should behave slightly differently on the two ports,
but this is a lot closer than not listening at all. When creating a
user with mmc the global catalog port is used to check for an existing
user
Andrew Tridgell [Mon, 17 Oct 2005 11:27:29 +0000 (11:27 +0000)]
r11111: fixed a talloc error in the dn shortcut code
Andrew Tridgell [Mon, 17 Oct 2005 11:27:03 +0000 (11:27 +0000)]
r11110: make ldb_oom() also set the ldb error string
Andrew Tridgell [Mon, 17 Oct 2005 11:26:23 +0000 (11:26 +0000)]
r11109: fixed the error code return from most ldb functions (the change to use
ldb_transaction_cancel() broke it)
Stefan Metzmacher [Mon, 17 Oct 2005 10:55:50 +0000 (10:55 +0000)]
r11108: - always test the old and new record
- check that the record is the same as what we pushed to the server
(we need to verify the ip-addresses later too...)
metze
Jelmer Vernooij [Mon, 17 Oct 2005 08:34:05 +0000 (08:34 +0000)]
r11107: Include 0 byte
Andrew Bartlett [Mon, 17 Oct 2005 01:01:59 +0000 (01:01 +0000)]
r11106: Make the KDC handler pluggable, as I want to drop kpasswdd into exactly
the same spot (it has identical TCP semantics).
Andrew Bartlett
Jelmer Vernooij [Sun, 16 Oct 2005 23:47:09 +0000 (23:47 +0000)]
r11105: Warn if conformant arrays are not at the end of a struct
Support conformant [string] arrays
Eliminate utf8string
This breaks xattr binary compatibility with previous versions - is that a
problem?
Jelmer Vernooij [Sun, 16 Oct 2005 23:39:13 +0000 (23:39 +0000)]
r11104: Fix LOCAL-PAC test
Jelmer Vernooij [Sun, 16 Oct 2005 19:21:17 +0000 (19:21 +0000)]
r11103: Eliminate ascstr
Jelmer Vernooij [Sun, 16 Oct 2005 19:12:02 +0000 (19:12 +0000)]
r11102: Remove unistr_noterm
Jelmer Vernooij [Sun, 16 Oct 2005 18:59:57 +0000 (18:59 +0000)]
r11101: Remove last instances of unistr
Jelmer Vernooij [Sun, 16 Oct 2005 18:54:31 +0000 (18:54 +0000)]
r11100: Replace unistr with [string,charset(UTF16)]
Jelmer Vernooij [Sun, 16 Oct 2005 18:33:56 +0000 (18:33 +0000)]
r11099: Replace unistr with [string] equivalent
Jelmer Vernooij [Sun, 16 Oct 2005 17:17:57 +0000 (17:17 +0000)]
r11098: Replace string with [string]
Jelmer Vernooij [Sun, 16 Oct 2005 17:17:42 +0000 (17:17 +0000)]
r11097: Allow pointers in "const"
Jelmer Vernooij [Sun, 16 Oct 2005 15:47:28 +0000 (15:47 +0000)]
r11096: Eliminate pointer_default_top()
Volker Lendecke [Sun, 16 Oct 2005 12:43:09 +0000 (12:43 +0000)]
r11095: Implement wb_getuserdomgroups.
Tridge, if you have the time, you might want to look at a problem I'm having
with unix domain stream sockets. From a comment in this commit:
/* Using composite_trigger_error here causes problems with the client
* socket. Linux 2.6.8 gives me a ECONNRESET on the next read after
* writing the reply when I don't wait the 100 milliseconds. */
This is in winbind/wb_cmd_userdomgroups.c:93.
The problem I have is that I can not *immediately* send an error reply to the
client because the next receive fails. Waiting 100 milliseconds helps. It
might also be a problem with epoll(), I don't really know.
I'd appreciate it if you took a brief look at this, maybe I'm doing something
wrong.
Thanks,
Volker
Volker Lendecke [Sat, 15 Oct 2005 22:01:15 +0000 (22:01 +0000)]
r11094: Connect to SAM, implement getdcname
Volker Lendecke [Sat, 15 Oct 2005 19:18:05 +0000 (19:18 +0000)]
r11093: Implement wb_queue_domain_send: If the domain is not yet initialized, do that
first. And if a request is being processed, queue it. This correctly survived
3 endless loops with wbinfo's doing different things while starting up smbd.
The number of indirections starts to become a bit scary, but what can you do
without a decent programming language that provides closures :-)
One thing that we might consider is to auto-generate async rpc requests that
return composite_context structs instead of rpc_requests. Otherwise I'd have
to write a lot of wrappers like composite_netr_LogonSamLogon_send.
The alternative would be to write two versions of wb_queue_domain_send which I
would like to avoid. This is cluttered enough already.
Volker
Stefan Metzmacher [Sat, 15 Oct 2005 12:30:58 +0000 (12:30 +0000)]
r11092: run NBT-WINSREPLICATION-QUICK test with make test
metze
Stefan Metzmacher [Sat, 15 Oct 2005 12:30:08 +0000 (12:30 +0000)]
r11091: add a NBT-WINSREPLICATION-QUICK test that passes against the current samba4 server
metze
Stefan Metzmacher [Sat, 15 Oct 2005 12:23:33 +0000 (12:23 +0000)]
r11090: we need this to run correctly under socket_wrapper
metze
Stefan Metzmacher [Sat, 15 Oct 2005 11:04:46 +0000 (11:04 +0000)]
r11089: start the winsreplication task when we run with wins support = yes
metze
Stefan Metzmacher [Sat, 15 Oct 2005 10:55:30 +0000 (10:55 +0000)]
r11088: don't try to set empty strings values as attributes
our ldb doesn't support them, does w2k3 LDAP support them?
metze
Stefan Metzmacher [Sat, 15 Oct 2005 10:15:42 +0000 (10:15 +0000)]
r11087: - add type,name,scope as attributes to winsRecords,
so you can use them in search filters,
only for administration not used inside the winserver code
- fix the samba3 upgrade scripts to create a correct samba4 wins.ldb
metze
Stefan Metzmacher [Sat, 15 Oct 2005 10:04:33 +0000 (10:04 +0000)]
r11086: add sys.unix2nttime() function
metze
Stefan Metzmacher [Sat, 15 Oct 2005 09:32:04 +0000 (09:32 +0000)]
r11085: as ejs doesn't support '&' '|' bitwise AND and OR,
we need some helper functions for this
metze
Stefan Metzmacher [Sat, 15 Oct 2005 09:28:56 +0000 (09:28 +0000)]
r11084: - allow hex numbers with 'a'...'f' digits to be parsed
- parse hex numbers correctly
tridge: how could we submit this to the upstream appweb library?
metze
Stefan Metzmacher [Sat, 15 Oct 2005 09:25:43 +0000 (09:25 +0000)]
r11083: use the addresses from the record
metze
Volker Lendecke [Sat, 15 Oct 2005 08:17:22 +0000 (08:17 +0000)]
r11082: Fix a segfault
Jeremy Allison [Sat, 15 Oct 2005 00:50:03 +0000 (00:50 +0000)]
r11081: Remember to remove unused variables.
Jeremy.
Jeremy Allison [Sat, 15 Oct 2005 00:48:47 +0000 (00:48 +0000)]
r11080: Narrowing down on the #1828 PPC bug. The PPC client sends an
initial NTLMSSP negotiate blob of only 16 bytes - no strings
added! (So don't try parsing them).
Jeremy.
Jelmer Vernooij [Sat, 15 Oct 2005 00:45:16 +0000 (00:45 +0000)]
r11077: Fix [string] for Samba3
Jeremy Allison [Fri, 14 Oct 2005 22:04:24 +0000 (22:04 +0000)]
r11076: Still working on bug #1828, PPC hell. The PPC client sends the
NTLMSSP client and domain strings as Unicode, even when setting
flags as OEM. Cope with this.
Jeremy.
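The two PPC client quirks from bug #1828 (r11080: a NEGOTIATE blob of only 16 bytes with no string fields; r11076: domain and workstation strings encoded as Unicode even though the flags say OEM), as an added worked example of a tolerant NTLMSSP NEGOTIATE parser. This is not Samba's ntlmssp code. The message layout and flag values follow MS-NLMP (signature, message type, negotiate flags, then the domain and workstation descriptors of length/maxlength/offset); the "looks like UTF-16LE" heuristic used to cope with the second quirk is this example's own assumption, and the builder, sample names and function names are constructed for the test.

```python
import struct
from collections import namedtuple

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE = 1

# NegotiateFlags bits (MS-NLMP 2.2.2.5).
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_OEM = 0x00000002
NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED = 0x00001000
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED = 0x00002000

HEADER_LEN = 16  # signature (8) + MessageType (4) + NegotiateFlags (4)
FIELDS_END = 32  # ... + DomainNameFields (8) + WorkstationFields (8)

NegotiateMessage = namedtuple("NegotiateMessage", "flags domain workstation")


class NtlmsspParseError(ValueError):
    pass


def _looks_like_utf16le(data):
    # Heuristic assumed by this example: ASCII text encoded as UTF-16LE has a
    # zero byte in every odd position, which a genuine OEM string never has.
    return len(data) > 0 and len(data) % 2 == 0 and all(b == 0 for b in data[1::2])


def _decode_string(data, flags):
    if not data:
        return ""
    if flags & NTLMSSP_NEGOTIATE_UNICODE or _looks_like_utf16le(data):
        return data.decode("utf-16-le")
    return data.decode("ascii", errors="replace")


def _read_field(blob, descriptor_offset):
    """Return the raw bytes of a length/maxlength/offset field, bounds-checked."""
    length, _max_length, offset = struct.unpack_from("<HHI", blob, descriptor_offset)
    if length == 0:
        return b""
    # Reject offsets that point back into the header or past the blob; the
    # descriptor is attacker-controlled and must never drive a raw slice.
    if offset < FIELDS_END or offset + length > len(blob):
        raise NtlmsspParseError("field [%d, %d) lies outside the %d-byte blob"
                                % (offset, offset + length, len(blob)))
    return blob[offset:offset + length]


def parse_negotiate(blob):
    if len(blob) < HEADER_LEN:
        raise NtlmsspParseError("blob shorter than the 16-byte NEGOTIATE header")
    if blob[:8] != NTLMSSP_SIGNATURE:
        raise NtlmsspParseError("bad NTLMSSP signature")
    msg_type, flags = struct.unpack_from("<II", blob, 8)
    if msg_type != NTLMSSP_NEGOTIATE:
        raise NtlmsspParseError("expected NEGOTIATE (1), got %d" % msg_type)
    if len(blob) < FIELDS_END:
        # Header-only message (the 16-byte PPC case): there are no field
        # descriptors, so there is nothing to parse, whatever the flags say.
        return NegotiateMessage(flags, "", "")
    domain = _read_field(blob, 16)
    workstation = _read_field(blob, 24)
    return NegotiateMessage(flags, _decode_string(domain, flags),
                            _decode_string(workstation, flags))


def minimal_negotiate(flags):
    """The 16-byte header-only blob the PPC client sends."""
    return NTLMSSP_SIGNATURE + struct.pack("<II", NTLMSSP_NEGOTIATE, flags)


def build_negotiate(flags, domain="", workstation="", unicode_payload=False):
    """Test-input builder; unicode_payload=True reproduces a client that sets
    the OEM flag but still encodes its strings as UTF-16LE."""
    enc = "utf-16-le" if unicode_payload else "ascii"
    d, w = domain.encode(enc), workstation.encode(enc)
    header = NTLMSSP_SIGNATURE + struct.pack("<II", NTLMSSP_NEGOTIATE, flags)
    header += struct.pack("<HHI", len(d), len(d), FIELDS_END)
    header += struct.pack("<HHI", len(w), len(w), FIELDS_END + len(d))
    return header + d + w


if __name__ == "__main__":
    oem = (NTLMSSP_NEGOTIATE_OEM | NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
           | NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED)
    print(parse_negotiate(minimal_negotiate(oem)))
    print(parse_negotiate(build_negotiate(oem, "SAMBA", "PPCBOX", unicode_payload=True)))
```

The two decisions worth keeping whatever parser you write: a blob shorter than 32 bytes has no field descriptors and is accepted without consulting the SUPPLIED flags, and every descriptor offset and length is checked against the received blob before it is used, so a hostile client cannot turn the string fields into an out-of-bounds read.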
Volker Lendecke [Fri, 14 Oct 2005 21:41:08 +0000 (21:41 +0000)]
r11070: Fix a cut&paste error, now wbinfo can properly separate domain and user...
Volker