17 years agoWe might not have the 'samba' directory in the samba_3_0 build.
Andrew Bartlett [Thu, 8 Jan 2004 08:44:39 +0000 (08:44 +0000)]
We might not have the 'samba' directory in the samba_3_0 build.

Andrew Bartlett
(This used to be commit a5cf5701e25e93e4e837f7cdc30a8603d289e4a9)

17 years agouse SAFE_FREE(), not free().
Andrew Bartlett [Thu, 8 Jan 2004 08:41:26 +0000 (08:41 +0000)]
use SAFE_FREE(), not free().

Andrew Bartlett
(This used to be commit 595dee660742f8bd5770a5f7aaf3a5d1987dbcfa)

17 years agoThis merges in my 'always use ADS' patch. Tested on a mix of NT and ADS
Andrew Bartlett [Thu, 8 Jan 2004 08:19:18 +0000 (08:19 +0000)]
This merges in my 'always use ADS' patch.  Tested on a mix of NT and ADS
domains, this patch ensures that we always use the ADS backend when
security=ADS, and the remote server is capable.

The routines used for this behaviour have been upgraded to modern Samba
codeing standards.

This is a change in behaviour for mixed mode domains, and if the trusted
domain cannot be reached with our current krb5.conf file, we will show
that domain as disconnected.

This is in line with existing behaviour for native mode domains, and for
our primary domain.

As a consequence of testing this patch, I found that our kerberos error
handling was well below par - we would often throw away useful error
values.  These changes move more routines to ADS_STATUS to return
kerberos errors.

Also found when valgrinding the setup, fix a few memory leaks.

While sniffing the resultant connections, I noticed we would query our
list of trusted domains twice - so I have reworked some of the code to
avoid that.

Andrew Bartlett
(This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)

17 years agoIn tdb_allocate(), we would create a new record by writing a local variable
Andrew Bartlett [Thu, 8 Jan 2004 05:37:23 +0000 (05:37 +0000)]
In tdb_allocate(), we would create a new record by writing a local variable
'newrec' into the tdb.

This was not initialised, so valgrind warned about it.

(Note:  valgrind only makes sense on tdbs with 'mmap = no' in your smb.conf)

Andrew Bartlett
(This used to be commit c9f9d6d3171d720b4ec0ba6af8c0c8ab178cd98b)

17 years agoMake it clearer that the domain here is the domain of the user for
Andrew Bartlett [Thu, 8 Jan 2004 02:57:42 +0000 (02:57 +0000)]
Make it clearer that the domain here is the domain of the user for

Andrew Bartlett
(This used to be commit 7e6cc8f0037f9948230a1e1bd380f30cec5d511e)

17 years agoMove more of winbind to use 'find_our_domain()' rather than the dangerous
Andrew Bartlett [Thu, 8 Jan 2004 02:15:46 +0000 (02:15 +0000)]
Move more of winbind to use 'find_our_domain()' rather than the dangerous

(as find_domain_from_name() can change the data in lp_workgroup())

Andrew Bartlett
(This used to be commit 2e6eaad9ce6a0ad6923b5952ef6cf1c3688b7cfa)

17 years agoThe correct test for 'is our primary domain' is domain->primary
Andrew Bartlett [Thu, 8 Jan 2004 00:55:13 +0000 (00:55 +0000)]
The correct test for 'is our primary domain' is domain->primary
(This used to be commit 703f101136b8e9bbc16f57a37cd9d9d739606a84)

17 years agoMachines are people too!
Andrew Bartlett [Wed, 7 Jan 2004 23:46:47 +0000 (23:46 +0000)]
Machines are people too!

While machine accounts cannot use an NTLM login (NT4 style), they are
otherwise full and valid members of the domain, and expect to be able to
use kerberos to connect to CIFS servers.

This means that the LocalSystem account, used by various services, can
perform things like backups, without the admin needing to enter further

This particular issue (bug 722) has started to come up a lot on the lists.

I have only enabled it for winbindd-based systems, as the macros use use
to call the 'add user script' will strip the $ from the username for
security reasons.

Andrew Bartlett
(This used to be commit 6a9bbd1da3bb961d24e74348fa0b68574022855f)

17 years agoFix for bug #922. Fast path not called for strlower_m() and strupper_m().
Jeremy Allison [Wed, 7 Jan 2004 23:21:36 +0000 (23:21 +0000)]
Fix for bug #922. Fast path not called for strlower_m() and strupper_m().
From (Alexander Bokovoy).
(This used to be commit fac9e6d7125fb9edfade3c92a3cd9e1f2c60cefd)

17 years agoTypo fix.
Rafal Szczesniak [Wed, 7 Jan 2004 22:44:28 +0000 (22:44 +0000)]
Typo fix.

(This used to be commit 5d7f81eea2f3d9ba59eb549a45de030b0a277263)

17 years agoDoxygen comment fix.
Rafal Szczesniak [Wed, 7 Jan 2004 22:43:36 +0000 (22:43 +0000)]
Doxygen comment fix.

(This used to be commit b5e492b8eaf7cefe185d44b6c708f96ff61bd27b)

17 years agoFix from Justin Baugh <> for bugid #948 for
Jeremy Allison [Wed, 7 Jan 2004 21:08:42 +0000 (21:08 +0000)]
Fix from Justin Baugh <> for bugid #948 for
FreeBSD winbindd.
(This used to be commit 7c4d52014e4432c9bd430a8885f0c314312002d5)

17 years agocommiting jra's fix for Exchange clear test auth
Gerald Carter [Wed, 7 Jan 2004 19:57:08 +0000 (19:57 +0000)]
commiting jra's fix for Exchange clear test auth
(This used to be commit 344e113368cb46fc4d26107d1cd276e4c76a6a9b)

17 years agoFix from Luke Howard <lukeh@PADL.COM> for incorrect early free().
Jeremy Allison [Wed, 7 Jan 2004 19:55:01 +0000 (19:55 +0000)]
Fix from Luke Howard <lukeh@PADL.COM> for incorrect early free().
(This used to be commit 8e20c06ed31d9ec10ff0155b1624eee3d60cd006)

17 years agoDon't duplicate pulling the 'IPC' username from secrets.tdb, instead
Andrew Bartlett [Wed, 7 Jan 2004 10:11:24 +0000 (10:11 +0000)]
Don't duplicate pulling the 'IPC' username from secrets.tdb, instead
just use one function for both places.

Andrew Bartlett
(This used to be commit 85da181e8a0ade839f6d595fabdf4cea606f82e1)

17 years agoThere is a German translation of swat -- surprise :-)
Volker Lendecke [Wed, 7 Jan 2004 10:02:10 +0000 (10:02 +0000)]
There is a German translation of swat -- surprise :-)

Fix some msgs

(This used to be commit d42953681731d18aef740cd7dd9919e0f4715645)

17 years agoAdd smbget utility, a simple wget-like utility that uses libsmbclient.
Jelmer Vernooij [Wed, 7 Jan 2004 00:43:52 +0000 (00:43 +0000)]
Add smbget utility, a simple wget-like utility that uses libsmbclient.
Supports recursive downloads and resume, progress indication and shows
estimated time remaining.
(This used to be commit 82bd1b45a4205706b57bae42c7b03974f8b44753)

17 years agoFix segfualt caused by incorrect configuration. If lp_realm() was not set,
Andrew Bartlett [Tue, 6 Jan 2004 23:57:12 +0000 (23:57 +0000)]
Fix segfualt caused by incorrect configuration.  If lp_realm() was not set,
but security=ADS, we would attempt to free the principal name that krb5
never allocated.

Also fix the dump_data() of the session key, now that we use a data_blob to
store that.

Andrew Bartlett
(This used to be commit 4ad67f13404ef0118265ad66d8bdfa256c914ad0)

17 years agoPatch penguin. Cleaning out old mbp patch.
Jeremy Allison [Tue, 6 Jan 2004 22:34:06 +0000 (22:34 +0000)]
Patch penguin. Cleaning out old mbp patch.
(This used to be commit d75db0bf1eee9c4341a3ec14c05f82b364a202b3)

17 years agomore commits logged
Gerald Carter [Tue, 6 Jan 2004 20:56:59 +0000 (20:56 +0000)]
more commits logged
(This used to be commit fd357ab4e5d4bc0661bfbdd10053a5664e8d1a01)

17 years agoWrite bug number like in the rest of the file
Jelmer Vernooij [Tue, 6 Jan 2004 20:03:34 +0000 (20:03 +0000)]
Write bug number like in the rest of the file
(This used to be commit 3c936f1cb58fb0f47e64342f65f72e51b5120387)

17 years agoFix -s option to smbcontrol (#908)
Jelmer Vernooij [Tue, 6 Jan 2004 20:01:48 +0000 (20:01 +0000)]
Fix -s option to smbcontrol (#908)
(This used to be commit 7495395c1cc3b09b27d6eeb7dff6f214701d03d6)

17 years agoremove unused seek_file(); don't hardcode '\' when printing the auth-user
Gerald Carter [Tue, 6 Jan 2004 19:57:14 +0000 (19:57 +0000)]
remove unused seek_file(); don't hardcode '\' when printing the auth-user
(This used to be commit fac5e05ca1b56cb6e3ab6537d0848fa373c00831)

17 years agobumping to 3.0.2pre2
Gerald Carter [Tue, 6 Jan 2004 19:14:22 +0000 (19:14 +0000)]
bumping to 3.0.2pre2
(This used to be commit 52480d6d05c1008a25b4a45cbf7682fe227df83a)

17 years agomore commit logs
Gerald Carter [Tue, 6 Jan 2004 19:05:23 +0000 (19:05 +0000)]
more commit logs
(This used to be commit dc51a4c1f99d5727b5219b2c98586415ee58585a)

17 years ago* making sure contributors are listed in alphabetical order
Gerald Carter [Tue, 6 Jan 2004 18:42:09 +0000 (18:42 +0000)]
* making sure contributors are listed in alphabetical order
* adding jra's fix for bug 815
(This used to be commit 4d07f7dff8a60b4bce0e266a6a3b13d35dbff089)

17 years agoisolate ldap debug messages to the common smbldap_XXX() functions
Gerald Carter [Tue, 6 Jan 2004 18:26:18 +0000 (18:26 +0000)]
isolate ldap debug messages to the common smbldap_XXX() functions
(This used to be commit 7d7a262f45182e67daecdca49df85445c2b9700a)

17 years agoXFS quota patch from Stefan Metzmacher <>.
Jeremy Allison [Tue, 6 Jan 2004 18:13:32 +0000 (18:13 +0000)]
XFS quota patch from Stefan Metzmacher <>.
(This used to be commit cae5f158e583572436a2f4c20d919816d763f93d)

17 years agoUpdates for pread/pwrite code.
Jeremy Allison [Tue, 6 Jan 2004 17:53:34 +0000 (17:53 +0000)]
Updates for pread/pwrite code.
(This used to be commit 53e7d1508efc6e7910d052845f718d19ef307794)

17 years agoCorrectly detect AFS headers on SuSE in /usr/include/afs/afs/
Volker Lendecke [Tue, 6 Jan 2004 15:41:32 +0000 (15:41 +0000)]
Correctly detect AFS headers on SuSE in /usr/include/afs/afs/

(This used to be commit 50be537b19dc6a4c63a58b9c73e6ad354b7c0d89)

17 years agofix case in objectclass name (not that it really matters); patch from Darren Chew...
Gerald Carter [Tue, 6 Jan 2004 14:40:35 +0000 (14:40 +0000)]
fix case in objectclass name (not that it really matters); patch from Darren Chew <>
(This used to be commit 86e0015b06eb9590a6a3e64cb4fe5a88a9f156c2)

17 years agoPatch by Stefan Metzmacher <>:
Andrew Bartlett [Tue, 6 Jan 2004 10:22:13 +0000 (10:22 +0000)]
Patch by Stefan Metzmacher <>:

here's a small fix that fixes the new quota system on irix.

I need to reanable XFS quotas on irix for the new quota system
(Jerry do you want to wait for this for the release ?)

But the old system works and is the default on irix!
(This used to be commit 5d43e00a49afc4cf523a531ae6db1a3a8b86c650)

17 years agoFix typo..
Volker Lendecke [Tue, 6 Jan 2004 07:57:35 +0000 (07:57 +0000)]
Fix typo..

(This used to be commit 651f7cd69c4c808f9fbd096d21c852cb83e058a9)

17 years agoPatch based on work from James Peach <> to convert over to
Jeremy Allison [Tue, 6 Jan 2004 01:22:14 +0000 (01:22 +0000)]
Patch based on work from James Peach <> to convert over to
using pread/pwrite. Modified a little to ensure fsp->pos is correct.
Fix for #889.
(This used to be commit 019aaaf0df091c3f67048f591e70d4353a02bb9b)

17 years agoEnsure that for wbinfo --set-auth-user, we actually use the domain.
Andrew Bartlett [Tue, 6 Jan 2004 00:32:24 +0000 (00:32 +0000)]
Ensure that for wbinfo --set-auth-user, we actually use the domain.

Andrew Bartlett
(This used to be commit 93a5d8079a0291be14517e437f8f0c964c21e91d)

17 years agocifs mount helper merge
Steve French [Mon, 5 Jan 2004 22:18:44 +0000 (22:18 +0000)]
cifs mount helper merge
(This used to be commit 865fcdcb85d47eeff854f4df0aba0c0f3452bdd9)

17 years agoworking on new format for relerase notes in 3.0.2pre1
Gerald Carter [Mon, 5 Jan 2004 21:51:01 +0000 (21:51 +0000)]
working on new format for relerase notes in 3.0.2pre1
(This used to be commit 6770f32c0e9fc3974504bf0cb303ea41beff3d29)

17 years agoFix more cases to ensure that as a server, we don't complain to the client
Andrew Bartlett [Mon, 5 Jan 2004 21:24:27 +0000 (21:24 +0000)]
Fix more cases to ensure that as a server, we don't complain to the client
about our server-side lack of session key.

Andrew Bartlett
(This used to be commit ba33f1e0d5fe2aed3e378c9c23511c0b4d6f7d14)

17 years agoAdded last missing file.
Jeremy Allison [Mon, 5 Jan 2004 21:03:12 +0000 (21:03 +0000)]
Added last missing file.
(This used to be commit ffaf9982dcf9e8d8aec1b3edb79ba7c93bfbb9ef)

17 years agoOops. Broke the build. Added missing files.
Jeremy Allison [Mon, 5 Jan 2004 21:02:37 +0000 (21:02 +0000)]
Oops. Broke the build. Added missing files.
(This used to be commit 52eafc131e26ecc2c4ce8df856c380eb7fd8af69)

17 years agoFix from James Flemer <> to make HAVE_ATTR_LIST linked to
Jeremy Allison [Mon, 5 Jan 2004 21:01:08 +0000 (21:01 +0000)]
Fix from James Flemer <> to make HAVE_ATTR_LIST linked to
(This used to be commit 1b1c216122e4dcf40e4ccaea528a7775521fa618)

17 years agofix inverted check using krb5_kt_resolve() and HAVE_MEMORY_KEYTAB; bug 912
Gerald Carter [Mon, 5 Jan 2004 20:23:56 +0000 (20:23 +0000)]
fix inverted check using krb5_kt_resolve() and HAVE_MEMORY_KEYTAB; bug 912
(This used to be commit 134cf1d546cc46c8a907205ee7be7593cbb524b6)

17 years agoPatch from Stefan (metze) Metzmacher <metze at> to revert to 2.2.x quota...
Jeremy Allison [Mon, 5 Jan 2004 19:36:02 +0000 (19:36 +0000)]
Patch from Stefan (metze) Metzmacher <metze at> to revert to 2.2.x quota methods.


"here's a patch which ports the samba 2.2 samba_linux_quota.h stuff to 3_0.

This is needed because of so many broken quota files outthere.

Please, test this with old, new kernels
(strucr dqblk, struct mem_dqblk, and struct if_dqblk)
, quota.user, aquota.user formats

what is when a user is over soft quota and over hard quotas..."

(This used to be commit 4350aa6ce6cfdaf71cdcfd2aebcdc9560fa7efcf)

17 years agoEnsure we set "always sign" flag if set. We don't currently do anything with
Jeremy Allison [Mon, 5 Jan 2004 19:21:06 +0000 (19:21 +0000)]
Ensure we set "always sign" flag if set. We don't currently do anything with
this but we should log the fact it was negotiated.
(This used to be commit 84d34e32be03ec99ce19520f24bb4daaeeddbbc3)

17 years agoFix warning
Volker Lendecke [Mon, 5 Jan 2004 16:58:37 +0000 (16:58 +0000)]
Fix warning

(This used to be commit 541e6998a06ac523ad794b10f4e7a46951a06726)

17 years agoDon't free the encrypted_session_key early - that causes the subsequent
Andrew Bartlett [Mon, 5 Jan 2004 12:36:21 +0000 (12:36 +0000)]
Don't free the encrypted_session_key early - that causes the subsequent
test for a valid length to fail...

This should fix 'security=server' and hosts-equiv failures picked up by
the build farm.

Andrew Bartlett
(This used to be commit 39311495de3bd0a902f730967f30176db97be05a)

17 years agoshorten some more lines.
Andrew Bartlett [Mon, 5 Jan 2004 12:21:04 +0000 (12:21 +0000)]
shorten some more lines.
(This used to be commit 7e5855dfd27ed9ec1fa924986f1ba02632a0d5a0)

17 years agoTry to keep vl happy - shorten some of these lines.
Andrew Bartlett [Mon, 5 Jan 2004 12:20:15 +0000 (12:20 +0000)]
Try to keep vl happy - shorten some of these lines.
(This used to be commit 3a4c56e4c60854bbd291adc7d321d3869e6dedab)

17 years agoGrumble... grumble... fix the build...
Andrew Bartlett [Mon, 5 Jan 2004 05:07:59 +0000 (05:07 +0000)]
Grumble... grumble... fix the build...
(This used to be commit 687aececa66c2c1ba8e5bc3127d8ca79a97436d1)

17 years agoShow the sid type in name->sid translatons in a way that can be easily
Andrew Bartlett [Mon, 5 Jan 2004 04:26:35 +0000 (04:26 +0000)]
Show the sid type in name->sid translatons in a way that can be easily
understood by humans.

Andrew Bartlett
(This used to be commit 3d91b0a0060f18d49b2fdd9f93ef310e2ea7779d)

17 years agoAlways call the auto-init funciton - this avoids tdb segfaulting under
Andrew Bartlett [Mon, 5 Jan 2004 04:15:55 +0000 (04:15 +0000)]
Always call the auto-init funciton - this avoids tdb segfaulting under
us if we failed to open it earlier.

Andrew Bartlett
(This used to be commit 379368b0bec1f57cc5302b274362ce2f1df0fd9d)

17 years agoCorrectly handle per-pipe NTLMSSP inside a NULL session. Previously we
Andrew Bartlett [Mon, 5 Jan 2004 04:12:40 +0000 (04:12 +0000)]
Correctly handle per-pipe NTLMSSP inside a NULL session.  Previously we
would attempt to supply a password to the 'inside' NTLMSSP, which the
remote side naturally rejected.

Andrew Bartlett
(This used to be commit da408e0d5aa29ca1505c2fd96b32deae9ed940c4)

17 years agoChange our Domain controller lookup routines to more carefully seperate
Andrew Bartlett [Mon, 5 Jan 2004 04:10:28 +0000 (04:10 +0000)]
Change our Domain controller lookup routines to more carefully seperate
DNS names (realms) from NetBIOS domain names.

Until now, we would experience delays as we broadcast lookups for DNS names
onto the local network segments.

Now if DNS comes back negative, we fall straight back to looking up the
short name.

Andrew Bartlett
(This used to be commit 32397c8b01f1dec7b05140d210bb32f836a80ca6)

17 years agoFix typo in RW2 torture test. Closes bugzilla bug #924.
Tim Potter [Mon, 5 Jan 2004 02:57:33 +0000 (02:57 +0000)]
Fix typo in RW2 torture test.  Closes bugzilla bug #924.
(This used to be commit d22313998abff680d38b208588824a1981fe2aa7)

17 years agoAdd const.
Andrew Bartlett [Mon, 5 Jan 2004 02:16:51 +0000 (02:16 +0000)]
Add const.
(This used to be commit aacb817e89d17349003159e1b7c28546babc8559)

17 years agoThere is some memory corruption hidden somewhere in our winbind code. If I
Andrew Bartlett [Mon, 5 Jan 2004 02:12:38 +0000 (02:12 +0000)]
There is some memory corruption hidden somewhere in our winbind code.  If I
could reproduce it, I would fix it, but for now just make sure we always
SAFE_FREE() and set our starting pointers to NULL.

Andrew Bartlett
(This used to be commit c279e178bc122e1e2aa519f7a373a3d93672a3ac)

17 years agoChange (unused) structure parameter for cli_ds_enum_domain_trusts() cleanup.
Andrew Bartlett [Mon, 5 Jan 2004 02:05:19 +0000 (02:05 +0000)]
Change (unused) structure parameter for cli_ds_enum_domain_trusts() cleanup.
(This used to be commit 6e5b084c20b59a86e86445bf6d101cada45da602)

17 years agorpc_client/cli_lsarpc.c:
Andrew Bartlett [Mon, 5 Jan 2004 02:04:37 +0000 (02:04 +0000)]
 - Add const

 - Cleanup function for use

 - Use new utility function ads_sid_to_dn
 - Don't search for 'dn=', rather call the ads_search_retry_dn()

 - Fixup braindamage in cli_ds_enum_domain_trusts():
    - This function was returning a UNISTR2 up to the caller, and
      was doing nasty (invalid, per valgrind) things with memcpy()
    - Create a new structure that represents this informaiton in a useful way
      and use talloc.

Andrew Bartlett
(This used to be commit 06c3f15aa166bb567d8be0a8bc4b095b167ab371)

17 years agoFix for bug 707, getent group for huge ads groups (>1500 members)
Andrew Bartlett [Mon, 5 Jan 2004 01:48:21 +0000 (01:48 +0000)]
Fix for bug 707, getent group for huge ads groups (>1500 members)
This introduces range retrieval of ADS attributes.

VL rewrote most of Günther's patch, partly to remove code duplication and
partly to get the retrieval of members in one rush, not interrupted by the
lookups for the DN.

I rewrote that patch, to ensure that we can keep an eye on the USN
(sequence number) of the entry - this allows us to ensure the read was

In particular, the range retrieval is now generic, for strings.  It
could easily be made generic for any attribute type, if need be.

Andrew Bartlett
(This used to be commit 131bb928f19c7b1f582c4ad9ac42e5f3d9dfb622)

17 years agoI'm not quite sure what happened here - but replace the ads_sid_to_dn
Andrew Bartlett [Mon, 5 Jan 2004 01:06:56 +0000 (01:06 +0000)]
I'm not quite sure what happened here - but replace the ads_sid_to_dn
function with one that compiles.

Andrew Bartlett
(This used to be commit 0d5b0345a60741ae50f6770d9cecf698864cd209)

17 years agoWe can't possilby get 'ok' here, as the if statement above just checked for it.
Andrew Bartlett [Mon, 5 Jan 2004 00:15:34 +0000 (00:15 +0000)]
We can't possilby get 'ok' here, as the if statement above just checked for it.
(This used to be commit cf4454969434d3026c57ac11c0528dc4cea9c77a)

17 years agoMake arbitary binary data unsigned char.
Andrew Bartlett [Mon, 5 Jan 2004 00:14:12 +0000 (00:14 +0000)]
Make arbitary binary data unsigned char.
(This used to be commit a78b0205622f10e0acfdf54915df6864608ab928)

17 years agoAdd a utilty function for converting a sid to a DN.
Andrew Bartlett [Mon, 5 Jan 2004 00:13:00 +0000 (00:13 +0000)]
Add a utilty function for converting a sid to a DN.

Andrew Bartlett
(This used to be commit 49a7a3fd17cfeef439e2049a51dbfcbc037f1a93)

17 years agoMake it clear that we cannot sign if we don't have a session key.
Andrew Bartlett [Mon, 5 Jan 2004 00:11:35 +0000 (00:11 +0000)]
Make it clear that we cannot sign if we don't have a session key.
(This used to be commit a2f6dec05b3b30292ec3e42808dc89f1bf5c7ab4)

17 years agoAutomaticly initialise the signing engine, if we have a session key.
Andrew Bartlett [Mon, 5 Jan 2004 00:11:02 +0000 (00:11 +0000)]
Automaticly initialise the signing engine, if we have a session key.
(This used to be commit cb063c1b6949a2a9637689537c6ab8dc881bc568)

17 years ago- Put functions for generating SQL queries in pdb_sql.c
Jelmer Vernooij [Sun, 4 Jan 2004 21:09:42 +0000 (21:09 +0000)]
- Put functions for generating SQL queries in pdb_sql.c
- Add pgSQL backend (based on patch by Hamish Friedlander)
- Use query generate functions from pdb_mysql and pdb_pgsql
- Only pdb_pgsql.c needs to be changed whenever the fields in SAM_ACCOUNT change
(This used to be commit 65ad2c02fd2bf36d535c279ad290ab81e39f6816)

17 years agoCommit the translation of the realm to the netbios domain name in the kerberos
Volker Lendecke [Sun, 4 Jan 2004 11:51:31 +0000 (11:51 +0000)]
Commit the translation of the realm to the netbios domain name in the kerberos
session setup. After talking to jht and abartlet I made this unconditional, no
additional parameter.

Jerry: This is a change in behaviour, but I think it is necessary.

(This used to be commit 3ce6c9f27368cfb278007fe660a0e44a84d67f8f)

17 years agoEven if the 'device type' is always an ascii string, use push_string to get
Andrew Bartlett [Sun, 4 Jan 2004 11:05:30 +0000 (11:05 +0000)]
Even if the 'device type' is always an ascii string, use push_string to get
it out onto the wire.  Avoids valgrind warnings because the fstrcpy() causes
part of the wire buffer to be 'marked'.

Andrew Bartlett
(This used to be commit 53d802c72aa712e099dc8de666ab66a21e18fae1)

17 years agoAnd yet another const
Volker Lendecke [Sat, 3 Jan 2004 20:20:59 +0000 (20:20 +0000)]
And yet another const

(This used to be commit dafa4d202b65382c365f10365208d9de4eef5586)

17 years agoThere is not a particularly good excuse for complaining to the *client* that
Andrew Bartlett [Sat, 3 Jan 2004 01:12:56 +0000 (01:12 +0000)]
There is not a particularly good excuse for complaining to the *client* that
it sent 'INVALID_PARAMETER', when it was us as the server that could not
come up with a session key.  Instead, allow normal authentication to take
place, but do not setup a session key.

Andrew Bartlett
(This used to be commit e5abd93d799e5f86839560feca448743c13a9055)

17 years agoMatch Win2k, and return NT_STATUS_INVALID_PARAMETER
Andrew Bartlett [Fri, 2 Jan 2004 23:55:44 +0000 (23:55 +0000)]
if this parameter is not an account type

Andrew Bartlett
(This used to be commit faddf5d8f9821176f4367caaf61844980df9f79c)

17 years agoUnder certain error conditions (a talloc() failure above) this would cause
Andrew Bartlett [Fri, 2 Jan 2004 11:39:07 +0000 (11:39 +0000)]
Under certain error conditions (a talloc() failure above) this would cause
a double-free(), and the resultant malloc heap corruption.

This may be one of our lurking winbind segfaults.

Andrew Bartlett
(This used to be commit 903263a1bdb755f86dac3a9a92a4af39c8b102c4)

17 years agoHaving no members of a group is a perfectly valid (if unusual) situation.
Andrew Bartlett [Fri, 2 Jan 2004 05:33:14 +0000 (05:33 +0000)]
Having no members of a group is a perfectly valid (if unusual) situation.

Andrew Bartlett
(This used to be commit 3f6d0cd3a83bc75922cb125ffe2b0127c8aa417b)

17 years agoJHT came up with a nasty (broken) torture case in preparing examples for
Andrew Bartlett [Fri, 2 Jan 2004 05:32:07 +0000 (05:32 +0000)]
JHT came up with a nasty (broken) torture case in preparing examples for
his book.

This prompted me to look at the code that reads the unix group list.  This
code did a lot of name -> uid -> name -> sid translations, which caused
problems.  Instead, we now do just name->sid

I also cleaned up some interfaces, and client tools.

Andrew Bartlett
(This used to be commit f9e59f8bc06fae7e5c8cb0980947f78942dc25c0)

17 years agoAfter talking with abartlet remove the fix for bug 707 again.
Volker Lendecke [Thu, 1 Jan 2004 21:10:35 +0000 (21:10 +0000)]
After talking with abartlet remove the fix for bug 707 again.

(This used to be commit 0c8ee04c78543b1da3b675df4cf85ee5496c3fbf)

17 years agoFix for bug 707, getent group for huge ads groups (>1500 members)
Volker Lendecke [Thu, 1 Jan 2004 20:30:50 +0000 (20:30 +0000)]
Fix for bug 707, getent group for huge ads groups (>1500 members)
This introduces range retrieval of ADS attributes.

I've rewritten most of Günther's patch, partly to remove code duplication and
partly to get the retrieval of members in one rush, not interrupted by the
lookups for the DN.

Andrew, you told me that you would like to see a check whether the AD sequence
number is the same before and after the retrieval to achieve atomicity. This
would be trivial to add, but I'm not sure that we want this, as this adds two
roundtrips to every membership query. We can not know before the first query
whether we get additional range values, and at that point it's too late to ask
for the USN.

Tested with a group of 4000 members along with lots of small groups.

(This used to be commit 9d8235bf413f931e40bca0c27a25ed62b4f3d226)

17 years agoChanges to our PAM code to cope with the fact that we can't handle some
Andrew Bartlett [Wed, 31 Dec 2003 08:45:03 +0000 (08:45 +0000)]
Changes to our PAM code to cope with the fact that we can't handle some
domains (in particular, the domain of the current machine, if it is not a PDC)

By changing the error codes, we now return values that PAM can correctly
use for better stacking of PAM modules - in particular of the password change

This allows pam_winbind to co-exist with other pam modules for password changes.

Andrew Bartlett
(This used to be commit 6a8cc7f0122ac4dd5b10ff1160735ef1a177d448)

17 years agoForgot to commit this for the 'get our primary domain' change.
Andrew Bartlett [Wed, 31 Dec 2003 08:42:22 +0000 (08:42 +0000)]
Forgot to commit this for the 'get our primary domain' change.
(This used to be commit 6f3cd9e2af7f1b4bdd7cb0e487987de159bb0dd8)

17 years agoJerry rightly complained that we can't assume that the first domain is
Andrew Bartlett [Wed, 31 Dec 2003 05:26:29 +0000 (05:26 +0000)]
Jerry rightly complained that we can't assume that the first domain is
our primary domain - new domains are added to the front of the list. :-(

Use a much more reliable 'flag test' instead.  (note:  changes winbind structures, make clean).

Andrew Bartlett
(This used to be commit cc050e01370633a985c9878bdce297f9175fdbf7)

17 years agoauth/auth_util.c:
Andrew Bartlett [Wed, 31 Dec 2003 00:31:43 +0000 (00:31 +0000)]
 - Fill in the 'backup' idea of a domain, if the DC didn't supply one.  This
   doesn't seem to occour in reality, hence why we missed the typo.

 - all the callers to pull_utf8_allocate() pass a char ** as the first
   parammeter, so don't make them all cast it to a void **

 - Allow for a more 'correct' view of when usernames should be qualified
   in winbindd.  If we are a PDC, or have 'winbind trusted domains only',
   then for the authentication returns stip the domain portion.
 - Fix valgrind warning about use of free()ed name when looking up our
   local domain.  lp_workgroup() is maniplated inside a procedure that
   uses it's former value.  Instead, use the fact that our local domain is
   always the first in the list.

Andrew Bartlett
(This used to be commit 494781f628683d6e68e8ba21ae54f738727e8c21)

17 years agoGet the DOMAIN\username around the right way (I had username\domain...)
Andrew Bartlett [Tue, 30 Dec 2003 22:27:33 +0000 (22:27 +0000)]
Get the DOMAIN\username around the right way (I had username\domain...)

Push the unix username into utf8 for it's trip across the socket.

Andrew Bartlett
(This used to be commit 3225f262b18bdcf326d3bfd031dac169bd9347c9)

17 years agoMove to short lived TALLOC_CTX* for allocating printer
Gerald Carter [Tue, 30 Dec 2003 22:17:14 +0000 (22:17 +0000)]
Move to short lived TALLOC_CTX* for allocating printer
objects from the print handle cache.   Fixes bug that
caused smbd to consume large amounts of RAM when

(a) a printer handle was kept open over an extended
    period of time, and
(b) the client issued frequent requests that resulted
    in a call to get_a_printer()
(This used to be commit 10b9976e0ab961dc34c9426f0a497e0f81a5e17f)

17 years agoAnother little one: Make pdb_test.c at least compile, although its way out of
Volker Lendecke [Tue, 30 Dec 2003 21:12:36 +0000 (21:12 +0000)]
Another little one: Make pdb_test.c at least compile, although its way out of

(This used to be commit 5d7a14166af3daf04b570fd5f66469d5db5a3500)

17 years agoThe AFS pts command always generates completely lower-case user names. As case
Volker Lendecke [Tue, 30 Dec 2003 16:00:56 +0000 (16:00 +0000)]
The AFS pts command always generates completely lower-case user names. As case
is not significant in windows user names we should not lose information by
lower-casing the name before handing it to AFS.

(This used to be commit 6d2285b6d1599648661be47abaaa888419700d22)

17 years agoFix Bug # 924
Volker Lendecke [Tue, 30 Dec 2003 15:18:25 +0000 (15:18 +0000)]
Fix Bug # 924

(This used to be commit 3663ed2b964cc306cfe6b4060b51d991405e720d)

17 years agoTry to gain a bit more consistancy in the output of usernames from ntlm_auth:
Andrew Bartlett [Tue, 30 Dec 2003 13:20:39 +0000 (13:20 +0000)]
Try to gain a bit more consistancy in the output of usernames from ntlm_auth:

Instead of returning a name in DOMAIN\user format, we now return it in the
same way that nsswtich does - following the rules of 'winbind use default
domain', in the correct case and with the correct seperator.

This should help sites who are using Squid or the new SASL code I'm working
on, to match back to their unix usernames.

Andrew Bartlett
(This used to be commit 7a3a5a63612b2698a39f784859496c395505a79b)

17 years agoMake the name of the NTLMSSP client more consistant before we lock it in stone.
Andrew Bartlett [Tue, 30 Dec 2003 08:52:46 +0000 (08:52 +0000)]
Make the name of the NTLMSSP client more consistant before we lock it in stone.
(This used to be commit 0fa268863b7352343eb7f211181a02f60848bd0c)

17 years agoRemove testing hack
Andrew Bartlett [Tue, 30 Dec 2003 07:38:32 +0000 (07:38 +0000)]
Remove testing hack
(This used to be commit 96f3beb462a6d4a489e894c1f05c528107135b3a)

17 years agoMove our basic password checking code from inside the authentication
Andrew Bartlett [Tue, 30 Dec 2003 07:33:58 +0000 (07:33 +0000)]
Move our basic password checking code from inside the authentication
subsystem into a seperate file - ntlm_check.c.

This allows us to call these routines from ntlm_auth.  The purpose of this
exercise is to allow ntlm_auth (when operating as an NTLMSSP server) to
avoid talking to winbind.  This should allow for easier debugging.

ntlm_auth itself has been reorgainised, so as to share more code between
the SPNEGO-wrapped and 'raw' NTLMSSP modes.  A new 'client' NTLMSSP mode
has been added, for use with a Cyrus-SASL module I am writing (based on vl's

Andrew Bartlett
(This used to be commit 48315e8fd227978e0161be293ad4411b45e3ea5b)

17 years agoRefactor our authentication and authentication testing code.
Andrew Bartlett [Tue, 30 Dec 2003 05:02:32 +0000 (05:02 +0000)]
Refactor our authentication and authentication testing code.

The next move will be to remove our password checking code from the SAM
authentication backend, and into a file where other parts of samba can use

The ntlm_auth changes provide for better use of common code.

Andrew Bartlett
(This used to be commit 2375abfa0077a884248c84614d5109f57dfdf5b1)

17 years agoAdd the alignment required before all 2-byte quantities in NDR. Allows us
Andrew Bartlett [Mon, 29 Dec 2003 04:21:32 +0000 (04:21 +0000)]
Add the alignment required before all 2-byte quantities in NDR.  Allows us
to correctly parse plaintext netlogon calls with odd-length passwords

Andrew Bartlett
(This used to be commit de3c3cbeeb8b674ffc0dd8fe16913f15edcf9022)

17 years agoShutting down the connection closes outstanding sessions, so we don't need
Andrew Bartlett [Sun, 28 Dec 2003 09:57:29 +0000 (09:57 +0000)]
Shutting down the connection closes outstanding sessions, so we don't need
to do it twice...

Amdrew Bartlett
(This used to be commit 8f9a069c59cbd357cbef8814764c10f6d8b6e6e8)

17 years agoThis patch corrects some errors in the NTLMSSP implementation, that
Andrew Bartlett [Sat, 27 Dec 2003 11:33:24 +0000 (11:33 +0000)]
This patch corrects some errors in the NTLMSSP implementation, that
would incorrectly return INVALID_PARAMETER, instead of allowing a

Andrew Bartlett
(This used to be commit 76c59469a340209959c420bd5c2e947d3347bdb1)

17 years agoPreliminary fix for our signing problem with failed NTLMSSP logins. This patch
Volker Lendecke [Sat, 27 Dec 2003 10:11:26 +0000 (10:11 +0000)]
Preliminary fix for our signing problem with failed NTLMSSP logins. This patch
solves the problem for me here, I can still successfully set up signing using
NTLMSSP against w2k3 and it does not show a signing error anymoe when the
password was wrong.

Jeremy, you might want to take a further look at it as this is not
particularly elegant.

(This used to be commit f5afaafd61dc7bd191225ffa8eee184125dd97c3)

17 years agoCollecting another little patch from
Volker Lendecke [Fri, 26 Dec 2003 21:33:53 +0000 (21:33 +0000)]
Collecting another little patch from

As broken as it might be, should be put into the
libdir and not bindir.

(This used to be commit d74137d227cfb7b09294f4429fa09b10d3d01229)

17 years agoCollecting some minor patches...
Volker Lendecke [Fri, 26 Dec 2003 19:38:36 +0000 (19:38 +0000)]
Collecting some minor patches...

This adds the ability to specify the new user password for 'net ads password'
on the command line. As this needs the admin password on the command line, the
information leak is minimally more.

Patch from

(This used to be commit e6b4b956f68bfea69b2de3608b4c829250d24a7a)

17 years agoCheck the return value of string_to_sid in a few more places. (But
Andrew Bartlett [Fri, 26 Dec 2003 03:14:31 +0000 (03:14 +0000)]
Check the return value of string_to_sid in a few more places.  (But
string_to_sid also needs to be less permissive on what it thinks are
valid sids...)

Andrew Bartlett
(This used to be commit 9080c30de8aa96ed3b9b121ca111f1632572754e)

17 years agoShow the error message for failure to set the ldap password.
Andrew Bartlett [Fri, 26 Dec 2003 00:43:48 +0000 (00:43 +0000)]
Show the error message for failure to set the ldap password.
(For 'ldap password sync = yes')

Andrew Bartlett
(This used to be commit 5b682aef678cc9ee135852d7ee6b8c159902fab7)

17 years agoBased on patch by Petri Asikainen <> fix bug #387 and #330.
Andrew Bartlett [Fri, 26 Dec 2003 00:38:12 +0000 (00:38 +0000)]
Based on patch by Petri Asikainen <> fix bug #387 and #330.

This patch will change order how attributes are modified
from: add, delete
to:   delete, add

This is needed to update single valued attributes in Novell NDS and
should not harm anyone else.
(This used to be commit fabf80169079483a1378aa0177d8d8335bd98bb3)

17 years agoldap rebind sleep -> ldap replication sleep
Andrew Bartlett [Thu, 25 Dec 2003 23:11:07 +0000 (23:11 +0000)]
ldap rebind sleep -> ldap replication sleep

While writing documentation for metze's patch, it became clear that this is a
better name.

Andrew Bartlett
(This used to be commit 6f828ff3d3622c56ee732b976e7ab90b7897a8d3)