Andrew Tridgell [Tue, 27 Nov 2001 22:49:29 +0000 (22:49 +0000)]
up the log level for server level security to try to track down the
segvs in the build farm
Andrew Tridgell [Tue, 27 Nov 2001 22:47:09 +0000 (22:47 +0000)]
don't use /dev/null for a smbpasswd file
Jeremy Allison [Tue, 27 Nov 2001 22:39:57 +0000 (22:39 +0000)]
Added negative caching to group lookups.
Jeremy.
Andrew Tridgell [Tue, 27 Nov 2001 22:37:25 +0000 (22:37 +0000)]
added test for krb5.h
this was causing the kerberos stuff to fail compilation on several
platforms
Jeremy Allison [Tue, 27 Nov 2001 20:57:14 +0000 (20:57 +0000)]
Added negative caching to the user pw lookup by name and by uid.
Jeremy.
Jeremy Allison [Tue, 27 Nov 2001 20:01:23 +0000 (20:01 +0000)]
Added PRINTER_ALREADY_EXISTS error check from Gerry.
Jeremy
Andrew Tridgell [Tue, 27 Nov 2001 13:31:02 +0000 (13:31 +0000)]
allow printing of NULL pointers with internal snprintf
Andrew Tridgell [Tue, 27 Nov 2001 13:29:14 +0000 (13:29 +0000)]
fixed the panics on basicsmb-sharelist on sun1
Richard Sharpe [Tue, 27 Nov 2001 10:42:39 +0000 (10:42 +0000)]
Fix another memory leak spotted by Tom Jansen.
Andrew Tridgell [Tue, 27 Nov 2001 07:09:06 +0000 (07:09 +0000)]
sigh.
some systems have libkrb5 but not krb5.h
Jeremy Allison [Tue, 27 Nov 2001 06:28:06 +0000 (06:28 +0000)]
nsswitch/winbindd_group.c nsswitch/winbindd_user.c: formatting fixups.
smbd/open.c: Fix "delete on close" for directories.
Jeremy.
Andrew Tridgell [Tue, 27 Nov 2001 05:00:55 +0000 (05:00 +0000)]
reverted incorrect patch
Andrew Tridgell [Tue, 27 Nov 2001 04:07:57 +0000 (04:07 +0000)]
fixed leak in free_user_info()
Andrew Tridgell [Tue, 27 Nov 2001 04:05:28 +0000 (04:05 +0000)]
another memory leak bites the dust
Andrew Tridgell [Tue, 27 Nov 2001 03:54:15 +0000 (03:54 +0000)]
fixed another memory leak
Andrew Tridgell [Tue, 27 Nov 2001 03:50:53 +0000 (03:50 +0000)]
prevent a bogus insure wild ptr message
Andrew Tridgell [Tue, 27 Nov 2001 03:40:06 +0000 (03:40 +0000)]
added -i option to nmbd, giving interactive mode (like winbindd)
Andrew Tridgell [Tue, 27 Nov 2001 03:34:56 +0000 (03:34 +0000)]
more memory leak fixes
Andrew Tridgell [Tue, 27 Nov 2001 03:34:25 +0000 (03:34 +0000)]
unable to open smbpasswd on initial create should only be a warning
Andrew Tridgell [Tue, 27 Nov 2001 03:29:20 +0000 (03:29 +0000)]
prevent a memory leak of cli structures
Andrew Tridgell [Tue, 27 Nov 2001 03:25:31 +0000 (03:25 +0000)]
fix sense of lp_allow_trusted_domains()
fix a memory leak
Andrew Tridgell [Tue, 27 Nov 2001 01:51:10 +0000 (01:51 +0000)]
don't try to auto-change the trust password unless we are in domain
security
Andrew Tridgell [Tue, 27 Nov 2001 01:45:08 +0000 (01:45 +0000)]
automatically look for /usr/kerberos to make redhat happy
Andrew Tridgell [Mon, 26 Nov 2001 09:28:27 +0000 (09:28 +0000)]
don't die with a FPE if there are no DCs
Andrew Tridgell [Mon, 26 Nov 2001 09:28:00 +0000 (09:28 +0000)]
increment the value not the pointer
Andrew Bartlett [Mon, 26 Nov 2001 07:53:33 +0000 (07:53 +0000)]
Fix --enable-developer shadow warning
Andrew Bartlett [Mon, 26 Nov 2001 07:23:51 +0000 (07:23 +0000)]
Fix debug
Andrew Tridgell [Mon, 26 Nov 2001 06:52:33 +0000 (06:52 +0000)]
basic ADS HOWTO
Andrew Bartlett [Mon, 26 Nov 2001 06:47:04 +0000 (06:47 +0000)]
A number of things to clean up the auth subsystem a bit...
We now default encrypt passwords = yes
We now check plaintext passwords (however acquired) with the 'sam' backend
rather than unix, if encrypt passwords = yes.
(this kills off the 'local' backend. The sam backend may be renamed in its
place)
The new 'samstrict' wrapper backend checks that the user's domain is one of
our netbios aliases - this ensures that we don't get fallback crazies with
security = domain.
Similarly, the code in the 'ntdomain' and 'smbserver' backends now checks
that the user was not local before contacting the DC.
The default ordering has changed, we now check the local stuff first - but
because of the changes above, we will really only ever contact one
auth source.
Andrew Bartlett
Andrew Tridgell [Mon, 26 Nov 2001 06:21:24 +0000 (06:21 +0000)]
add SEC_ADS auth method
Andrew Tridgell [Mon, 26 Nov 2001 06:18:09 +0000 (06:18 +0000)]
updated server_role for ADS
Andrew Bartlett [Mon, 26 Nov 2001 05:59:43 +0000 (05:59 +0000)]
prevent proto from picking up this as a definition for 'main()' because it conflicts with nmbd's definition.
Tim Potter [Mon, 26 Nov 2001 04:53:08 +0000 (04:53 +0000)]
More compiler warnings fixed. Some minor reformatting.
Andrew Tridgell [Mon, 26 Nov 2001 04:37:24 +0000 (04:37 +0000)]
we can safely give NO_SUCH_USER if the ticket decodes but the local
account doesn't exist
Tim Potter [Mon, 26 Nov 2001 04:27:51 +0000 (04:27 +0000)]
Another merge from appliance-head: in [ug]id_to_sid don't call the
winbind function if the id is obviously going to be local. Cleanup
of winbind [ug]id parameter handling.
Tim Potter [Mon, 26 Nov 2001 04:05:28 +0000 (04:05 +0000)]
challange -> challenge
Tim Potter [Mon, 26 Nov 2001 03:39:16 +0000 (03:39 +0000)]
Merge from appliance-head: when creating a default security descriptor
for a printer, save it in ntprinters.tdb instead of recreating it
every time it is required. This can save at least one winbind lookup
per secdesc creation. Opening a port monitor and viewing the security
tab in the properties dialog required the security descriptor to be
returned 25 times!
Tim Potter [Mon, 26 Nov 2001 03:11:44 +0000 (03:11 +0000)]
Got medieval on another pointless extern. Removed extern struct ipzero
and replaced with two functions:
void zero_ip(struct in_addr *ip);
BOOL is_zero_ip(struct in_addr ip);
Andrew Bartlett [Mon, 26 Nov 2001 02:10:59 +0000 (02:10 +0000)]
Fix up the build farm again.
This should get us 'green' for once...
Andrew Bartlett
Tim Potter [Mon, 26 Nov 2001 02:01:00 +0000 (02:01 +0000)]
dyn_CONFIGFILE fixups.
Tim Potter [Mon, 26 Nov 2001 01:59:33 +0000 (01:59 +0000)]
Fixed compiler warnings and dyn_CONFIGFILE related breakage.
Andrew Bartlett [Mon, 26 Nov 2001 01:37:44 +0000 (01:37 +0000)]
And delete domain_client_validate.c...
Andrew Bartlett
Andrew Bartlett [Mon, 26 Nov 2001 01:37:01 +0000 (01:37 +0000)]
This completes the of the authentication subsystem into the new 'auth'
subdirectory.
(The insertion of these files was done with some CVS backend magic, hence the
lack of a commit message).
This also moves libsmb/domain_client_validate.c back into auth_domain.c,
because we no longer share it with winbind.
Andrew Bartlett
Tim Potter [Mon, 26 Nov 2001 01:20:57 +0000 (01:20 +0000)]
Removed bogus SAFE_FREE() call of talloced return data from
winbindd_lookup_usergroups()
Tim Potter [Mon, 26 Nov 2001 01:17:03 +0000 (01:17 +0000)]
Ignore *.po files.
Tim Potter [Mon, 26 Nov 2001 00:58:43 +0000 (00:58 +0000)]
Fixed some indentation.
Andrew Tridgell [Mon, 26 Nov 2001 00:45:51 +0000 (00:45 +0000)]
use DEBUG() not d_printf() in libraries
Andrew Tridgell [Mon, 26 Nov 2001 00:43:37 +0000 (00:43 +0000)]
fixed spnego, non-kerberos negprot
Tim Potter [Mon, 26 Nov 2001 00:19:23 +0000 (00:19 +0000)]
Allow lookup of users with spaces in their name.
Tim Potter [Sun, 25 Nov 2001 23:33:15 +0000 (23:33 +0000)]
Fixed compiler warning.
Why do people keep adding stuff to includes.h (OK I am guilty of this too)?
It's getting really huge and full of random junk. )-:
I've noticed TNG have started to split stuff up in to individual header
files included as needed.
Andrew Tridgell [Sun, 25 Nov 2001 23:05:13 +0000 (23:05 +0000)]
added 'security=ADS'
Volker Lendecke [Sun, 25 Nov 2001 18:54:04 +0000 (18:54 +0000)]
Minor typos
Volker Lendecke [Sun, 25 Nov 2001 18:49:20 +0000 (18:49 +0000)]
Don't close tdb twice.
Andrew Tridgell [Sun, 25 Nov 2001 13:36:02 +0000 (13:36 +0000)]
portability fixes
Andrew Tridgell [Sun, 25 Nov 2001 13:32:28 +0000 (13:32 +0000)]
fixed typo
Andrew Tridgell [Sun, 25 Nov 2001 12:56:04 +0000 (12:56 +0000)]
add popt build dependency
Andrew Tridgell [Sun, 25 Nov 2001 12:46:14 +0000 (12:46 +0000)]
move popt out of proto objs
Andrew Tridgell [Sun, 25 Nov 2001 12:40:23 +0000 (12:40 +0000)]
added HAVE_LDAP_H check
Andrew Tridgell [Sun, 25 Nov 2001 12:26:40 +0000 (12:26 +0000)]
check for liblber separately
Jeremy Allison [Sun, 25 Nov 2001 08:26:37 +0000 (08:26 +0000)]
#ifdefed DMF fix so not compiled by default. We need to look at this...
Jeremy.
Jeremy Allison [Sun, 25 Nov 2001 06:38:17 +0000 (06:38 +0000)]
Use "password server" for searching for BDC's also as Tim suggested.
Jeremy.
Andrew Bartlett [Sun, 25 Nov 2001 03:01:14 +0000 (03:01 +0000)]
Add the PDC end of the smbtorture test for creating an NT_STATUS -> DOS error
map.
This little authentication module is #ifdef DEVELOPER, because it really is of
no use except as a development tool
invoke by setting:
auth methods = guest sam name_to_ntstatus
in the smb.conf file (the SAM and guest elements are required for the member
server to authenticate itself).
Andrew Bartlett
Andrew Bartlett [Sun, 25 Nov 2001 02:58:15 +0000 (02:58 +0000)]
oops, I forgot to include the header file
Andrew Bartlett [Sun, 25 Nov 2001 02:35:37 +0000 (02:35 +0000)]
Add a new torture test to extract a NT->DOS error map from an NT member of a
samba domain.
The PDC must be running a special authentication module that spits out NT errors
based on username.
Andrew Bartlett
Andrew Bartlett [Sun, 25 Nov 2001 02:30:30 +0000 (02:30 +0000)]
Unless the error is exactly NT_STATUS_OK, we might not have a server info, so
we need to bail here.
Jeremy Allison [Sun, 25 Nov 2001 02:23:22 +0000 (02:23 +0000)]
I think this is a fix for the "out of space" errors with oplocks=no.
Jeremy.
Andrew Bartlett [Sun, 25 Nov 2001 02:08:43 +0000 (02:08 +0000)]
Fix ./configure --enable-developer warnings (shadow of global)
Andrew Tridgell [Sun, 25 Nov 2001 01:42:29 +0000 (01:42 +0000)]
better help
Andrew Tridgell [Sun, 25 Nov 2001 01:36:02 +0000 (01:36 +0000)]
use generate_random_str()
Andrew Tridgell [Sun, 25 Nov 2001 01:31:07 +0000 (01:31 +0000)]
added "net ads user" and "net ads group" commands
Andrew Tridgell [Sun, 25 Nov 2001 01:06:56 +0000 (01:06 +0000)]
added "net ads status" command
Andrew Tridgell [Sun, 25 Nov 2001 00:18:11 +0000 (00:18 +0000)]
made a "net ads" command, currently with "net ads join" and "net ads leave"
Andrew Tridgell [Sun, 25 Nov 2001 00:10:28 +0000 (00:10 +0000)]
stop popt from doing its own intl stuff
Andrew Tridgell [Sun, 25 Nov 2001 00:08:48 +0000 (00:08 +0000)]
better auto-selection of realm and ldap server
Andrew Tridgell [Sat, 24 Nov 2001 14:16:41 +0000 (14:16 +0000)]
added "net join" command
this completes the first stage of the smbd ADS support
Andrew Tridgell [Sat, 24 Nov 2001 13:58:40 +0000 (13:58 +0000)]
removed unused function
Andrew Tridgell [Sat, 24 Nov 2001 13:26:01 +0000 (13:26 +0000)]
rewrote net.c
The rewrite fixes a number of things:
- much better command line parsing
- fixed usage of static and const
- better finding of hosts
- clean internal separation of sub-functions
- expandable design
Andrew Bartlett [Sat, 24 Nov 2001 12:16:27 +0000 (12:16 +0000)]
And add the winbind module I missed in the last run.
(large change to modularise the auth subsystem)
Andrew Bartlett
Andrew Bartlett [Sat, 24 Nov 2001 12:12:38 +0000 (12:12 +0000)]
This is another rather major change to the samba authentication
subsystem.
The particular aim is to modularize the interface - so that we
can have arbitrary password back-ends.
This code adds one such back-end, a 'winbind' module to authenticate
against the winbind_auth_crap functionality. While fully-functional
this code is mainly useful as a demonstration, because we don't get
back the info3 as we would for direct ntdomain authentication.
This commit introduced the new 'auth methods' parameter, in the
spirit of the 'auth order' discussed on the lists. It is renamed
because not all the methods may be consulted, even if previous
methods fail - they may not have a suitable challenge for example.
Also, we have a 'local' authentication method, for old-style
'unix if plaintext, sam if encrypted' authentication and a
'guest' module to handle guest logins in a single place.
While this current design is not ideal, I feel that it does
provide a better infrastructure than the current design, and can
be built upon.
The following parameters have changed:
- use rhosts =
This has been replaced by the 'rhosts' authentication method,
and can be specified like 'auth methods = guest rhosts'
- hosts equiv =
This needs both this parameter and an 'auth methods' entry
to be effective. (auth methods = guest hostsequiv ....)
- plaintext to smbpasswd =
This is replaced by specifying 'sam' rather than 'local'
in the auth methods.
The security = parameter is unchanged, and now provides defaults
for the 'auth methods' parameter.
The available auth methods are:
guest
rhosts
hostsequiv
sam (passdb direct hash access)
unix (PAM, crypt() etc)
local (the combination of the above, based on encryption)
smbserver (old security=server)
ntdomain (old security=domain)
winbind (use winbind to cache DC connections)
Assistance in testing, or the production of new and interesting
authentication modules is always appreciated.
Andrew Bartlett
Andrew Bartlett [Sat, 24 Nov 2001 00:36:37 +0000 (00:36 +0000)]
Kill off that crazy copy_sam_passwd(). You simply can't do that if the
structure contains pointers (well not if you intend to free those pointers
at some stage)
There is no reason (given the new passdb interface) that you can't modify a
SAM_ACCOUNT in any case.
Andrew Bartlett
Jean-François Micouleau [Sat, 24 Nov 2001 00:13:41 +0000 (00:13 +0000)]
added lsaenumprivsaccount and lsalookupprivvalue to rpcclient
and more to come ...
J.F.
Jeremy Allison [Fri, 23 Nov 2001 19:07:35 +0000 (19:07 +0000)]
Sorry. I broke the build, missed on open_directory call.
Jeremy.
Jean-François Micouleau [Fri, 23 Nov 2001 15:17:30 +0000 (15:17 +0000)]
return NO_MORE_ENTRIES in lsa_enum_trust_dom. UserManager is happier :-)
J.F.
Jean-François Micouleau [Fri, 23 Nov 2001 15:11:22 +0000 (15:11 +0000)]
Changed how the privileges are stored in the group mapping code. It's now
an array of uint32. That's not perfect but that's better.
Added more privileges too.
Changed the local_lookup_rid/name functions in passdb.c to check if the
group is mapped. Makes the LSA rpc calls return correct groups
Corrected the return code in the LSA server code enum_sids.
Only enumerate well known aliases if they are mapped to real unix groups.
Won't confuse user seeing groups not available.
Added a short/long view to smbgroupedit.
now decoding rpc calls to add/remove privileges to sid.
J.F.
Jeremy Allison [Fri, 23 Nov 2001 11:18:20 +0000 (11:18 +0000)]
Fixed delete on close bug. Added core dump code to winbindd.
Jeremy.
Jeremy Allison [Fri, 23 Nov 2001 09:04:09 +0000 (09:04 +0000)]
Set type to NOTUSED if lookup fail.
Jeremy.
Andrew Bartlett [Fri, 23 Nov 2001 07:08:20 +0000 (07:08 +0000)]
Update some of the error mapping, based on on-the-wire observations of an NT4 server.
This lets our Win9X clients give sane error messages when you get passwords wrong
and the like.
Andrew Bartlett
Tim Potter [Fri, 23 Nov 2001 05:50:05 +0000 (05:50 +0000)]
Finally worked out why an enumerate trusted domains was returning a
NT_STATUS_UNABLE_TO_FREE_VM error. This error code was mis-defined
as 0x8000001a instead of 0xc000001a. The former is actually a
NT_STATUS_NO_MORE_ENTRIES warning which is what we see in the status
code.
Removed the & 0xffffff from the loop in get_nt_error_msg() as all the
error constants now have the correct high bits set.
Tim Potter [Fri, 23 Nov 2001 05:37:40 +0000 (05:37 +0000)]
Added constants and error message for dos error code 1326 (logon failure).
Martin Pool [Fri, 23 Nov 2001 05:34:41 +0000 (05:34 +0000)]
Reference about SIDs from tpot.
Martin Pool [Fri, 23 Nov 2001 04:53:56 +0000 (04:53 +0000)]
More better now.
Tim Potter [Fri, 23 Nov 2001 04:37:41 +0000 (04:37 +0000)]
Got rid of that stupid parse_domain_user() warning when compiling
winbindd.
Martin Pool [Fri, 23 Nov 2001 04:24:26 +0000 (04:24 +0000)]
Quieten gcc const warning.
doxyfy.
Martin Pool [Fri, 23 Nov 2001 03:54:07 +0000 (03:54 +0000)]
Finish 1.45 by removing redundant sid->string conversion in
winbindd_lookup_sid_by_name. Also if the lookup fails then clobber
the output parameters rather than leaving them looking potentially
valid.
Add doxygen.
Martin Pool [Fri, 23 Nov 2001 03:33:22 +0000 (03:33 +0000)]
I think you were passing the name of the SID, rather than the DOM_SID
pointer itself. (Whatever that is.... ;-)
Tim Potter [Fri, 23 Nov 2001 03:24:36 +0000 (03:24 +0000)]
Fixed bug in canned results list for checking the error code of wbinfo.
Made test names more verbose.
Tim Potter [Fri, 23 Nov 2001 01:00:54 +0000 (01:00 +0000)]
Don't initialise static pointers to NULL.
Tim Potter [Fri, 23 Nov 2001 00:52:29 +0000 (00:52 +0000)]
Removed TimeInit() call from every client program (except for one place
in smbd/process.c where the timezone is reinitialised). Was replaced with
check for a static is_initialised boolean.
Tim Potter [Fri, 23 Nov 2001 00:14:04 +0000 (00:14 +0000)]
Fixed check machine account function.
Tim Potter [Fri, 23 Nov 2001 00:08:12 +0000 (00:08 +0000)]
Ignore *.po files.