Andrew Tridgell [Fri, 5 Dec 2003 11:30:47 +0000 (11:30 +0000)]
fixed a problem with "net rpc vampire" mis-parsing the alias member
info reply
Thanks to a bug report by 'musb'
(This used to be commit
310f90f3689d4acd16368a833f23ea5f9aaa0133)
Tim Potter [Fri, 5 Dec 2003 11:12:05 +0000 (11:12 +0000)]
Change PICFLAG -> PICFLAGS to keep in line with version from source
directory and fix display bug.
(This used to be commit
f43546d0af7c7ad74b3bf0bae1652822184a04da)
Gerald Carter [Thu, 4 Dec 2003 21:59:20 +0000 (21:59 +0000)]
updating top 0.8.2-1 of the smbldap tools
(This used to be commit
b798f30f0a83ba00ebbe1b82983ca6690642ad02)
Gerald Carter [Thu, 4 Dec 2003 21:38:47 +0000 (21:38 +0000)]
bumping version in preparation for 3.0.1rc1
(This used to be commit
91c95391c3efd4c1009032acc6af9f7886447c55)
Steve French [Thu, 4 Dec 2003 21:26:14 +0000 (21:26 +0000)]
Fix incorrect smb flags2 for connections to pre-NT servers (causes smbclient to
fail to OS2 for example)
(This used to be commit
54e2fcb8f4a9d603b3210baa014b3f5f15070a22)
Gerald Carter [Thu, 4 Dec 2003 20:20:59 +0000 (20:20 +0000)]
fix process_incoming_data() to return the number of bytes handled this call whether we have a complete pdu or not; fixes bug with multiple pdu request rpc's broken over SMBwriteX calls each
(This used to be commit
ff06f3ca8e597d093b8a76b5cfabfa6009f4b591)
Gerald Carter [Thu, 4 Dec 2003 19:22:44 +0000 (19:22 +0000)]
fix debug message
(This used to be commit
550b309a65d138364502c720894e2099de6b5076)
Gerald Carter [Thu, 4 Dec 2003 16:38:50 +0000 (16:38 +0000)]
typo in BASEDIR; patch from Darren Chew
(This used to be commit
21b0758a88a2469a61d13acf7ecc006152a07273)
Gerald Carter [Thu, 4 Dec 2003 05:02:53 +0000 (05:02 +0000)]
sync OID with HEAD
(This used to be commit
d463abb035a19dce84902039623275cd72e16edc)
Gerald Carter [Thu, 4 Dec 2003 04:52:00 +0000 (04:52 +0000)]
support munged dial for ldapsam; patch from Aurélien Degrémont; bug 800
(This used to be commit
1c3c16abc94d197e69e3350de1e5cc1e99be4322)
Gerald Carter [Thu, 4 Dec 2003 04:31:29 +0000 (04:31 +0000)]
don't crash on a NULL priviledge pointer; patch from Jianliang Lu
(This used to be commit
2742e813fea2366f91bec62dca407f65ad5c4623)
Andrew Bartlett [Thu, 4 Dec 2003 04:16:16 +0000 (04:16 +0000)]
Picked up by the build farm - despite all my efforts, security=server was
broken by my NTLM2 commit. This should correctly cause the NTLM2 case
not to be negotiated when 'security=server' is in effect.
Andrew Bartlett
(This used to be commit
19bb4b582f98eb1da41e22c9a2a2c11602cb95e4)
Andrew Bartlett [Thu, 4 Dec 2003 03:55:12 +0000 (03:55 +0000)]
Without 'non unix accounts' we can't test security=domain on the build farm.
(This used to be commit
c8485d3f00727fb363b45e48581eeb0b0b0cb851)
Gerald Carter [Thu, 4 Dec 2003 03:35:46 +0000 (03:35 +0000)]
* fix RemoveSidForeignDomain() ; bug 252
* don't fall back to unmapped UNIX group for
get_local_group_from_sid()
* remove an extra become/unbecome_root() pair
from group enumeration
(This used to be commit
da12bbdb0dd9179b1ed457fa009679e2da4a8440)
Jeremy Allison [Wed, 3 Dec 2003 23:16:27 +0000 (23:16 +0000)]
Fix for "hash" (not hash2) type mangling. Noticed by "Forrest W. Christian" <fwc@mt.net>
Jeremy.
(This used to be commit
3a8fe3b2ef30cbe0cf441d6c4ffa9c309dc71e54)
Andrew Bartlett [Tue, 2 Dec 2003 12:48:15 +0000 (12:48 +0000)]
Match Win2k and return 'invalid parameter' for creating of a new account with
account flags of 0.
Andrew Bartlett
(This used to be commit
601120f335b69e5b8a003038dfac00f3f234a5c1)
Volker Lendecke [Tue, 2 Dec 2003 11:36:02 +0000 (11:36 +0000)]
Two trivial warnings
Volker
(This used to be commit
a13e088493d91d39f730ba4b5138d5c4c5aa113a)
Jeremy Allison [Mon, 1 Dec 2003 22:55:43 +0000 (22:55 +0000)]
Client connect signing error messages should be level zero else
they're easy to miss.
Jeremy.
(This used to be commit
7fa89b093709053650d197d2d0f091b9a1cd8218)
Jeremy Allison [Mon, 1 Dec 2003 22:46:46 +0000 (22:46 +0000)]
Get a little paranoid about memfree use in convert_string_allocate..
Looking at crash bugs #809 and others.
Jeremy.
(This used to be commit
cd2075580b0f35c8a414c995f03834c01efaa9be)
Gerald Carter [Mon, 1 Dec 2003 19:59:25 +0000 (19:59 +0000)]
another strequal() == 0 fix
(This used to be commit
464b410734c46bc55f2427e99ecf61bad7e3b244)
Gerald Carter [Mon, 1 Dec 2003 19:25:41 +0000 (19:25 +0000)]
fix inverted logic caused by s/strcmp/strequal/; host allow/deny works again; bug 846
(This used to be commit
c816b44a9c1278d756f63044bb3a3bce3afec9b3)
Gerald Carter [Mon, 1 Dec 2003 18:37:47 +0000 (18:37 +0000)]
add Replicator and RAS Servers to list of builtin SIDs we resolve; bug 608
(This used to be commit
4bc58129e073973620aed1bfb161ee83c1863f81)
Gerald Carter [Mon, 1 Dec 2003 18:02:05 +0000 (18:02 +0000)]
don't mistake pre-existing UNIX jobs for smb jobs; patch from SATOH Fumiyasu bug 770
(This used to be commit
3a55788dca537248d0aea9973a84075e142b7736)
Volker Lendecke [Mon, 1 Dec 2003 14:12:26 +0000 (14:12 +0000)]
In the brief 'net rpc group' listing, don't cut off group names at 21 chars.
Volker
(This used to be commit
5d0b8280f6c4990ee3a26c310efebfa859ee21be)
Volker Lendecke [Mon, 1 Dec 2003 14:07:22 +0000 (14:07 +0000)]
Beautify the net status help message a bit
Volker
(This used to be commit
e9391e206a8cdbcc08597a33b557b86f9a5d73ce)
Volker Lendecke [Mon, 1 Dec 2003 13:58:43 +0000 (13:58 +0000)]
I needed a decently parseable format of smbstatus. Looking at smbstatus code
tells me that this should not be expanded, so I implemented
net status [sessions|shares] [parseable]
Volker
(This used to be commit
63d877c6b4786dcddf5f389842f798857be282c0)
Jeremy Allison [Mon, 1 Dec 2003 06:59:54 +0000 (06:59 +0000)]
Fix spurious error msg. when seq=0.
Jeremy
(This used to be commit
4912ad8f18041c9c3abe2cfa67dd26a324c9c31e)
Jeremy Allison [Mon, 1 Dec 2003 06:53:10 +0000 (06:53 +0000)]
Ensure the server can cope with multiple secondary trans
requests when signing is turned on.
Jeremy.
(This used to be commit
206464a748a59b1d485d4d3d0cb4d257d60fbd00)
Jeremy Allison [Mon, 1 Dec 2003 06:19:17 +0000 (06:19 +0000)]
Subtract NT_STATUS from common flag, don't add it...
Jeremy.
(This used to be commit
4e73faa7b4af7f73bdce9fcc2ee1825249dc7da7)
Jeremy Allison [Mon, 1 Dec 2003 03:24:50 +0000 (03:24 +0000)]
Ensure we use the same mid for the secondary trans requests, W2K3
does this.
Jeremy.
(This used to be commit
8adf0cd27a23b1bc6e0da08789a8b1e9eefb54a7)
Jeremy Allison [Mon, 1 Dec 2003 02:25:56 +0000 (02:25 +0000)]
Don't automatically set nt status code flag unless client tells us it can
cope.
Jeremy.
(This used to be commit
0d82ac57a59276adb403f8e023578c2d6d5136e4)
Jeremy Allison [Mon, 1 Dec 2003 01:04:04 +0000 (01:04 +0000)]
Better fix for client signing bug. Ensure we don't malloc/free trans signing
state info each packet.
Jeremy.
(This used to be commit
818cf32d6330f7e7855ce662326003e75d4a1d46)
Jeremy Allison [Sun, 30 Nov 2003 19:40:57 +0000 (19:40 +0000)]
Fix signing bug with secondary client trans requests. Turns out the last
packet is the one that matters for checking the signing replies. Need to
check the server code does this correctly too....
Bug #832 reported by Volker.
Jeremy.
(This used to be commit
6750dc33b46c422582176b704592d9b2f1fb04d7)
Volker Lendecke [Fri, 28 Nov 2003 15:10:00 +0000 (15:10 +0000)]
Implement 'net rpc group list [global|local|builtin]*' for a select listing of
the respective user databases.
Volker
(This used to be commit
39e4ee0c5be9f8d5a26b03ae17865b8e576b0b62)
Jeremy Allison [Thu, 27 Nov 2003 18:34:42 +0000 (18:34 +0000)]
Fix for pdbedit error code returns (sorry, forgot who sent in the patch).
Jeremy.
(This used to be commit
685097bc50a8ef387c5082401858d482329c37bc)
Volker Lendecke [Thu, 27 Nov 2003 17:31:18 +0000 (17:31 +0000)]
Only ask for 512 names at a time.
Volker
(This used to be commit
d5775b7106dc5d6326db89f7369d2ffd61646426)
Tim Potter [Thu, 27 Nov 2003 05:11:14 +0000 (05:11 +0000)]
Correct freebsd 5.1 support for winbind contributed by Aaron Collins.
Let the build farm chew on it for a bit.
(This used to be commit
41e4b036dff0af7be69bf95ea3d64dfccd3a4b8e)
Gerald Carter [Thu, 27 Nov 2003 04:39:53 +0000 (04:39 +0000)]
use samr_dispinfo(level == 1) for enumerating domain users so we can include the full name in gecos field; bug 587
(This used to be commit
329065d7cddb52c52667c93e0a0218c0e89938be)
Jeremy Allison [Wed, 26 Nov 2003 20:58:53 +0000 (20:58 +0000)]
Patch from Benjamin Riefenstahl <Benjamin.Riefenstahl@epost.de> to add
MacOSX (Darwin) specific charset module code. Also had to add AC_CHECK_CPP
to configure.in (this took a *long* time to track down) to make autoconf
work correctly on Fedora Core 1.
Jeremy.
(This used to be commit
c51d974b18e31a38608a3837d3fee04a209f91c8)
cvs2svn Import User [Wed, 26 Nov 2003 20:58:52 +0000 (20:58 +0000)]
This commit was manufactured by cvs2svn to create branch 'SAMBA_3_0'.(This used to be commit
9ccf8c530def31ccf6aca4f56b53676512131e66)
Jeremy Allison [Wed, 26 Nov 2003 20:58:51 +0000 (20:58 +0000)]
Patch from Benjamin Riefenstahl <Benjamin.Riefenstahl@epost.de> to add
MacOSX (Darwin) specific charset module code. Also had to add AC_CHECK_CPP
to configure.in (this took a *long* time to track down) to make autoconf
work correctly on Fedora Core 1.
Jeremy.
(This used to be commit
a5711943428e4b586fb7f064739c78fa0a3ebd52)
Richard Sharpe [Wed, 26 Nov 2003 19:15:22 +0000 (19:15 +0000)]
Clean up a comment noticed by Jonathan Shao@Panasas.com and remove an
obsolete comment by Luke Leighton.
(This used to be commit
316f83add76b56fe102f5dc4c9ce3a0413d9a1f4)
John Terpstra [Wed, 26 Nov 2003 18:43:26 +0000 (18:43 +0000)]
Fixing barfed idmap entries and adding not on use of FLAG_HIDE.
(This used to be commit
25aa5df5c79070d0f1273a71617e64fba7831742)
Volker Lendecke [Wed, 26 Nov 2003 10:09:59 +0000 (10:09 +0000)]
Implement "net rpc group members": Get members of a domain group in
human-readable format.
Volker
(This used to be commit
e5770a9433099f86a1f828a35bbecbe5691c000c)
Volker Lendecke [Wed, 26 Nov 2003 10:07:07 +0000 (10:07 +0000)]
Implement "net rpc group members": Get members of a domain group in
human-readable format.
Volker
(This used to be commit
4e3a2eb8e04c3a669d94e38d81e994606fa6ef9d)
Volker Lendecke [Wed, 26 Nov 2003 10:01:31 +0000 (10:01 +0000)]
Get rid of a const warning
Volker
(This used to be commit
ab1096d58e2447bc91370e0a7f913d9375658c4c)
Volker Lendecke [Wed, 26 Nov 2003 09:58:41 +0000 (09:58 +0000)]
Get rid of a const warning
Volker
(This used to be commit
94860687c535ace0c962ca3fe7da59df05325c62)
Andrew Bartlett [Wed, 26 Nov 2003 00:07:55 +0000 (00:07 +0000)]
Merge from 3.0:
- NTLM2 fixes, don't force NTLM2
- Don't use NTLM2 for RPC, it doesn't work yet
- Add comments to winbindd_pam.c
- Merge 64 bit fixes and better debug messages in winbindd.c
Andrew Bartlett
(This used to be commit
ba94e4a1ab6dc3335bbb29686ca6795d0ffad5b0)
Jeremy Allison [Tue, 25 Nov 2003 23:25:42 +0000 (23:25 +0000)]
Patch from Jim McDonough for bug #802. Retrieve the correct ACL group bits
if the file has an ACL.
Jeremy.
(This used to be commit
7bf5ed30ce74ba658ca35059955748c1d8cbd6d2)
Jeremy Allison [Tue, 25 Nov 2003 23:25:15 +0000 (23:25 +0000)]
Patch from Jim McDonough for bug #802. Retrieve the correct ACL group bits
if the file has an ACL.
Jeremy.
(This used to be commit
a51d9e947ef012fabf5a13250df6232d23722f68)
Andrew Bartlett [Tue, 25 Nov 2003 23:24:14 +0000 (23:24 +0000)]
Add a comment, and a useful debug message.
(This used to be commit
df14b0af31863680218b06ae9de2f010a38fba6e)
Jelmer Vernooij [Tue, 25 Nov 2003 19:41:47 +0000 (19:41 +0000)]
Fix build of winbindd with static pdb modules
(This used to be commit
92a138f027cf2f1c2b13c6f3d59493fb21885d5e)
Gerald Carter [Tue, 25 Nov 2003 19:17:20 +0000 (19:17 +0000)]
allow users to delete jobs with cups printing backend
The changes the name of the job passed off to cups
from "Test Page" to "smbprn.
00000033 Test Page" so that
we can get the smb jobid back from lpq. Working on bug
770.
(This used to be commit
3a84daf24f80cf44605841c844a0ba516354420b)
Gerald Carter [Tue, 25 Nov 2003 19:16:35 +0000 (19:16 +0000)]
allow users to delete jobs with cups printing backend
The changes the name of the job passed off to cups
from "Test Page" to "smbprn.
00000033 Test Page" so that
we can get the smb jobid back from lpq. Working on bug
770.
(This used to be commit
5979f4d645e84fb22223e6cbf0043f2fa21acb2f)
Jeremy Allison [Tue, 25 Nov 2003 18:15:52 +0000 (18:15 +0000)]
If signing starts successfully, don't just turn it off automatically if
it fails later. Only turn it off automatically if it fails at the start.
Jeremy.
(This used to be commit
4a145531c2b6353291cd25f14f5572aa31e86594)
Jeremy Allison [Tue, 25 Nov 2003 18:15:49 +0000 (18:15 +0000)]
If signing starts successfully, don't just turn it off automatically if
it fails later. Only turn it off automatically if it fails at the start.
Jeremy.
(This used to be commit
2a00d538da61253455db1734b74ef1debaea24ea)
Andrew Bartlett [Tue, 25 Nov 2003 11:25:38 +0000 (11:25 +0000)]
Do not add NTLM2 to the NTLMSSP flags unconditionally - allow the
defaults specified by the caller to prevail.
Don't use NTLM2 for RPC pipes, until we know how it works in signing or sealing.
Call ntlmssp_sign_init() unconditionally in the client - we setup the
session key, why not setup the rest of the data.
Andrew Bartlett
(This used to be commit
48123f7e42c3fde85887de23c80ceee04c2f6281)
Jeremy Allison [Tue, 25 Nov 2003 02:04:10 +0000 (02:04 +0000)]
Patch for #263 from jpjanosi@us.ibm.com.
Jeremy.
(This used to be commit
6543bca0cbf6030d2400e30bb7491237d9c818f8)
Jeremy Allison [Tue, 25 Nov 2003 02:04:03 +0000 (02:04 +0000)]
Patch for #263 from jpjanosi@us.ibm.com.
Jeremy.
(This used to be commit
0f2a50316d8245ea9c441f0ea08e1a0fd9a92583)
Jeremy Allison [Tue, 25 Nov 2003 00:32:51 +0000 (00:32 +0000)]
When server signing is set to "auto", if the client doesn't sign just
ignore it. Only fail if signing is set to "required".
Jeremy.
(This used to be commit
8916ddfc39c3e70265188926f24034152f0e7b6b)
Jeremy Allison [Tue, 25 Nov 2003 00:32:48 +0000 (00:32 +0000)]
When server signing is set to "auto", if the client doesn't sign just
ignore it. Only fail if signing is set to "required".
Jeremy.
(This used to be commit
ab5db8873e2882900baa1c74706bb907baaff7fd)
Gerald Carter [Mon, 24 Nov 2003 20:22:41 +0000 (20:22 +0000)]
strequal() returns a BOOL, not an int like strcmp(); this fixes a bug in check_bind_response()
(This used to be commit
84f0e97e5882375b765b818e89a6d96736cd5932)
Gerald Carter [Mon, 24 Nov 2003 20:22:12 +0000 (20:22 +0000)]
strequal() returns a BOOL, not an int like strcmp(); this fixes a bug in check_bind_response()
(This used to be commit
5e062f72baad6f7a70f1a3c8cf190535ccacc89e)
Jeremy Allison [Mon, 24 Nov 2003 20:18:47 +0000 (20:18 +0000)]
Added "passwd chat timeout" parameter. Docs to follow.
Jeremy.
(This used to be commit
16097f2072085432f4c669d9e008023f36f7afbb)
Jeremy Allison [Mon, 24 Nov 2003 20:18:44 +0000 (20:18 +0000)]
Added "passwd chat timeout" parameter. Docs to follow.
Jeremy.
(This used to be commit
4d49fb806db6868f97069a603a28a85dc31cfe21)
Gerald Carter [Mon, 24 Nov 2003 18:38:15 +0000 (18:38 +0000)]
patch from Matthias Hilbig for bug 467; use the dns name (or IP) as the originating client name when using CUPS
(This used to be commit
eae48cda0f7f1346cd66d5a581c1273880f214d4)
Gerald Carter [Mon, 24 Nov 2003 18:37:19 +0000 (18:37 +0000)]
patch from Matthias Hilbig for bug 467; use the dns name (or IP) as the originating client name when using CUPS
(This used to be commit
71333299a6e6bc6d74d2172f71e3fe21ef75aa3c)
Gerald Carter [Mon, 24 Nov 2003 17:33:15 +0000 (17:33 +0000)]
more access fixes for group enumeration in LDAP; bug 281
(This used to be commit
c4ce92e80688fe7fd4b2fde2c31e94baf3e4dca0)
Gerald Carter [Mon, 24 Nov 2003 17:31:38 +0000 (17:31 +0000)]
more access fixes for group enumeration in LDAP; bug 281
(This used to be commit
68283407e0f366d8315f4be6caed67eb6fe84b85)
Andrew Bartlett [Sun, 23 Nov 2003 00:23:26 +0000 (00:23 +0000)]
(Merge from 3.0)
Patch by emil@disksites.com <Emil Rasamat> to ensure we always always
free() each auth method. (We had relied on the use of talloc() only,
despite providing the free() callback)
Andrew Bartlett
(This used to be commit
58c4963a8389dff4d925548217fabed1c9932abd)
Andrew Bartlett [Sun, 23 Nov 2003 00:22:17 +0000 (00:22 +0000)]
Merge from 3.0:
Add support for variable-length session keys in our client code.
This means that we now support 'net rpc join' with KRB5 (des based)
logins. Now, you need to hack 'net' to do that, but the principal is
important...
When we add kerberos to 'net rpc', it should be possible to still do
user management and the like over RPC.
-
Add server-side support for variable-length session keys (as used by
DES based krb5 logins).
Andrew Bartlett
(This used to be commit
1287cf5f921327c9ea758de46220c4e2dedc485c)
Andrew Bartlett [Sun, 23 Nov 2003 00:16:54 +0000 (00:16 +0000)]
Patch by emil@disksites.com <Emil Rasamat> to ensure we always always
free() each auth method. (We had relied on the use of talloc() only, despite providing the free() callback)
Andrew Bartlett
(This used to be commit
5872c0e26e3407c7c1dcf2074a36896a3ca1325a)
Andrew Bartlett [Sun, 23 Nov 2003 00:04:29 +0000 (00:04 +0000)]
Add server-side support for variable-length session keys (as used by
DES based krb5 logins).
Andrew Bartlett
(This used to be commit
240b0d178e1b4a3556207bdf2e342c70155f64ee)
Andrew Bartlett [Sat, 22 Nov 2003 23:38:41 +0000 (23:38 +0000)]
Add support for variable-length session keys in our client code.
This means that we now support 'net rpc join' with KRB5 (des based)
logins. Now, you need to hack 'net' to do that, but the principal is
important...
When we add kerberos to 'net rpc', it should be possible to still do
user management and the like over RPC.
(server-side support to follow shortly)
Andrew Bartlett
(This used to be commit
9ecf9408d98639186b283f1acf0fac46417547d0)
Andrew Bartlett [Sat, 22 Nov 2003 13:29:02 +0000 (13:29 +0000)]
(merge from 3.0)
Changes all over the shop, but all towards:
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to
merge the 'client' and 'server' functions, so they both operate on a
single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of
data structures...
Andrew Bartlett
(This used to be commit
57a895aaabacc0c9147344d097d333793b77c947)
Andrew Bartlett [Sat, 22 Nov 2003 13:19:38 +0000 (13:19 +0000)]
Changes all over the shop, but all towards:
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit
f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
Gerald Carter [Sat, 22 Nov 2003 06:17:46 +0000 (06:17 +0000)]
debug and swat fixes from 3.0
(This used to be commit
52c1973f39f4c4161097843fcf395e0102531575)
Gerald Carter [Sat, 22 Nov 2003 06:16:01 +0000 (06:16 +0000)]
include WWW-Authenticate field in 401 response for bad auth attempt; bug 629
(This used to be commit
879d0f15ea260d61c56c5b841065ecb2f5ec26ca)
Gerald Carter [Sat, 22 Nov 2003 06:15:28 +0000 (06:15 +0000)]
adding a useful debug
(This used to be commit
e374ce779efaec001c1476e0710ceaa9c3b84e8d)
Gerald Carter [Sat, 22 Nov 2003 04:49:32 +0000 (04:49 +0000)]
fix winbind ping call so that SWAT correctly determines if winbindd is running; bug 398
(This used to be commit
cb12d519cc40b964d022886538044e8613931199)
Gerald Carter [Sat, 22 Nov 2003 04:47:34 +0000 (04:47 +0000)]
fix winbind ping call so that SWAT correctly determines if winbindd is running; bug 398
(This used to be commit
04e37283f230b28f3019bfab3a71dde5e4ae4e23)
Gerald Carter [Sat, 22 Nov 2003 04:35:36 +0000 (04:35 +0000)]
Ensure that items in a list of strings containing whitespace
are written out surrounded by single quotes. This means that
both double and single quotes are now used to surround
strings in smb.conf. This is a slight change from the previous
behavior but needed or else things like
printer admin = +ntadmin, 'VALE\Domain, Admin'
get written to smb.conf by SWAT.
(This used to be commit
59e9d6e301c752e99fb6a50204d7941f7f84566a)
Gerald Carter [Sat, 22 Nov 2003 04:33:36 +0000 (04:33 +0000)]
Ensure that items in a list of strings containing whitespace
are written out surrounded by single quotes. This means that
both double and single quotes are now used to surround
strings in smb.conf. This is a slight change from the previous
behavior but needed or else things like
printer admin = +ntadmin, 'VALE\Domain, Admin'
get written to smb.conf by SWAT.
(This used to be commit
5bf91c79d620e34ac71d72c80f74e47754d49dcb)
Jeremy Allison [Fri, 21 Nov 2003 23:01:37 +0000 (23:01 +0000)]
Fix for rename across filesystems. Noticed by Rainer Link <link@foo.fh-furtwangen.de>.
Jeremy.
(This used to be commit
598d9d3e5f612133e0528a1a8907745d715b61ed)
Jeremy Allison [Fri, 21 Nov 2003 23:01:34 +0000 (23:01 +0000)]
Fix for rename across filesystems. Noticed by Rainer Link <link@foo.fh-furtwangen.de>.
Jeremy.
(This used to be commit
f68c2ff0f3307612ddbe62b8cc2ea12251d54ec6)
Jeremy Allison [Fri, 21 Nov 2003 19:20:51 +0000 (19:20 +0000)]
Fix Jerry's no-proto bug :-).
Jeremy.
(This used to be commit
2b39e3f12a12f0863bf76d996c0d0db422d593bc)
Jeremy Allison [Fri, 21 Nov 2003 19:20:07 +0000 (19:20 +0000)]
Fix Jerry's no-proto bug :-).
Jeremy.
(This used to be commit
48153f7a07cc04b849a79778fdc3e76af6c6eb13)
Gerald Carter [Fri, 21 Nov 2003 19:12:33 +0000 (19:12 +0000)]
make sure we don't append the ldap suffix when writing out the ldap XXX suffix values in SWAT; based on tpot's original patch; bug 328
(This used to be commit
b1d5173b16c40d55cfb6265f1d1947ec78952b6f)
Gerald Carter [Fri, 21 Nov 2003 19:11:48 +0000 (19:11 +0000)]
make sure we don't append the ldap suffix when writing out the ldap XXX suffix values in SWAT; based on tpot's original patch; bug 328
(This used to be commit
12a06dd9807ea3a10f8220d6e7c33b4b79ae25b4)
Alexander Bokovoy [Fri, 21 Nov 2003 10:54:33 +0000 (10:54 +0000)]
Update WHATSNEW.txt with text from release branch
(This used to be commit
56fc6962fb32de180a6b1af9259e0a7b580daeab)
Rafal Szczesniak [Thu, 20 Nov 2003 23:56:42 +0000 (23:56 +0000)]
Rafal Szczesniak [Thu, 20 Nov 2003 23:54:13 +0000 (23:54 +0000)]
Rafal Szczesniak [Wed, 19 Nov 2003 23:14:21 +0000 (23:14 +0000)]
Added useful information to debug lines.
Patch by metze.
rafal
(This used to be commit
91e1be66b1a3aa002f68d8f1c2fc148c1374d365)
Jeremy Allison [Wed, 19 Nov 2003 22:57:56 +0000 (22:57 +0000)]
Look at error before using it in debug statement.
Jeremy.
(This used to be commit
69550332f33496b0a513914e2290fdb256bc2958)
Jeremy Allison [Wed, 19 Nov 2003 22:57:53 +0000 (22:57 +0000)]
Look at error before using it in debug statement.
Jeremy.
(This used to be commit
42114b75f2c082522f7806a1af11409609785b06)
Rafal Szczesniak [Wed, 19 Nov 2003 22:56:02 +0000 (22:56 +0000)]
Added useful information to debug lines.
Patch by metze.
rafal
(This used to be commit
2eef3c7bc182bb2c0c483190570ee1a297047ad2)
Gerald Carter [Wed, 19 Nov 2003 18:33:19 +0000 (18:33 +0000)]
changing versionb to pre4
(This used to be commit
8c46576f64cc54abd3bc43312559b960af220b60)
Andrew Tridgell [Wed, 19 Nov 2003 08:14:09 +0000 (08:14 +0000)]
added a wbtest program that shows how to access winbindd extended nss
functionality directly from an application.
This is under a liberal license as we want application vendors to be
able to use the example code
(This used to be commit
8d848de45d75bf6ac69cb921e04abf36a66117c4)
Andrew Tridgell [Wed, 19 Nov 2003 08:11:14 +0000 (08:11 +0000)]
as discussed on irc, this is a small patch that allows a few more
winbind functions to be accessed via NSS. This provides a much cleaner
way for applications that need (for example) to provide name->sid
mappings to do this via NSS rather than having to know the winbindd
pipe protocol (as this might change).
This patch also adds a varient of the winbindd_getgroups() call called
winbindd_getusersids() that provides direct SID->SIDs listing of a
users supplementary groups. This is enough to allow non-Samba
applications to do ACL checking.
A test program for the new functionality will be committed shortly.
I also added the 'wbinfo --user-sids' option to expose the new
function in wbinfo.
(This used to be commit
702b35da0ac7c73aa5a6603f871d865565bbe278)
Jeremy Allison [Wed, 19 Nov 2003 02:19:34 +0000 (02:19 +0000)]
Group quotas patch from "Heinreichsberger, Helmut" <Helmut.Heinreichsberger@wincor-nixdorf.com>
Jeremy.
(This used to be commit
06c9e9163010a1035f448f76c4084228dc95334f)