Stefan Metzmacher [Fri, 25 Jul 2008 14:02:29 +0000 (16:02 +0200)]
lib/ldb/tools: allow -W and --realm when build from samba4
metze
Stefan Metzmacher [Fri, 25 Jul 2008 14:00:50 +0000 (16:00 +0200)]
auth/credentials: use the same enctypes when getting a TGT and a TGS
metze
Stefan Metzmacher [Thu, 24 Jul 2008 08:00:20 +0000 (10:00 +0200)]
dsdb: add a comment about the parameter to DSDB_EXTENDED_SCHEMA_UPDATE_NOW_OID
metze
Stefan Metzmacher [Thu, 24 Jul 2008 07:55:53 +0000 (09:55 +0200)]
dsdb/schema: make more clear where we create the value for the new prefix mapping
metze
Stefan Metzmacher [Thu, 24 Jul 2008 07:53:29 +0000 (09:53 +0200)]
dsdb/schema: dsdb_write_prefixes_to_ldb() should do the reverse of dsdb_read_prefixes_to_ldb()
metze
Stefan Metzmacher [Fri, 25 Jul 2008 19:26:28 +0000 (21:26 +0200)]
dcerpc.idl: add DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag
metze
Stefan Metzmacher [Sat, 26 Jul 2008 18:38:20 +0000 (20:38 +0200)]
mamachinepw: add better error handling
metze
Volker Lendecke [Mon, 19 May 2008 21:06:42 +0000 (23:06 +0200)]
Add "mymachinepw" to fetch our machine password out of secrets.ldb
Stefan Metzmacher [Wed, 14 May 2008 07:47:18 +0000 (09:47 +0200)]
smbtorture: add --extra-user option
This can we used to pass additional credentials to torture tests
(it can be used multiple times.
metze
Brad Hards [Fri, 25 Jul 2008 07:43:21 +0000 (17:43 +1000)]
Define HAVE_ASM_BYTEORDER at all times
Andrew Bartlett [Fri, 25 Jul 2008 04:15:22 +0000 (14:15 +1000)]
Per feedback, remove epoch and ldconfig requires.
See https://bugzilla.redhat.com/show_bug.cgi?id=453083
Andrew Bartlett [Fri, 25 Jul 2008 04:11:18 +0000 (14:11 +1000)]
Make a new define to ensure the accoc_group_id we use is always in common.
Andrew Bartlett [Fri, 25 Jul 2008 01:58:51 +0000 (11:58 +1000)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-local
Andrew Bartlett [Fri, 25 Jul 2008 01:58:24 +0000 (11:58 +1000)]
Try to avoid a memory leak if we re-set the global schema
However, try also not to pull a schema out from under a running ldb
session.
Andrew Bartlett
Andrew Bartlett [Thu, 24 Jul 2008 22:45:16 +0000 (08:45 +1000)]
Complain if we are told to use an ldap backend, without the type
Andrew Bartlett [Thu, 24 Jul 2008 22:44:00 +0000 (08:44 +1000)]
Clarify how we are doing the 'this is a rootdse query' check.
Stefan Metzmacher [Thu, 24 Jul 2008 06:23:15 +0000 (08:23 +0200)]
hdb-ldb: fix the callers after drsblobs.idl changes
metze
Stefan Metzmacher [Thu, 24 Jul 2008 06:22:23 +0000 (08:22 +0200)]
password_hash: fix the callers after drsblobs.idl changes
metze
Stefan Metzmacher [Thu, 24 Jul 2008 06:20:06 +0000 (08:20 +0200)]
drsblobs.idl: unify the Primary:Kerberos and Primary:Kerberos-Newer-Keys structs
metze
Stefan Metzmacher [Thu, 24 Jul 2008 05:53:55 +0000 (07:53 +0200)]
drsblobs.idl: give some unknowns a meaning
metze
Andrew Tridgell [Thu, 24 Jul 2008 04:26:30 +0000 (14:26 +1000)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into v4-0-test
Andrew Tridgell [Thu, 24 Jul 2008 04:21:52 +0000 (14:21 +1000)]
we can't query the ACL on a new file till it exists!
Andrew Tridgell [Thu, 24 Jul 2008 04:21:31 +0000 (14:21 +1000)]
initialise query_maximal_access here too
Andrew Tridgell [Thu, 24 Jul 2008 04:20:02 +0000 (14:20 +1000)]
make sure we initialise query_maximal_access
Andrew Tridgell [Thu, 24 Jul 2008 04:19:49 +0000 (14:19 +1000)]
fixed spelling error
Anatoliy Atanasov [Mon, 21 Jul 2008 14:04:49 +0000 (17:04 +0300)]
dsdb_create_prefix_mapping() implementation checks for existing prefix maping in ldb.
if one not found it creates a mapping for it and updates the prefixMap schema attribute in ldb.
Anatoliy Atanasov [Wed, 23 Jul 2008 06:59:17 +0000 (09:59 +0300)]
Handle schema reloading request.
The ldif for that operation looks like this:
dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
It uses the rootdse's object functional attribute schemaUpdateNow.
In rootdse_modify() this command is being recognized and it is send as extended operation with DSDB_EXTENDED_SCHEMA_UPDATE_NOW_OID.
In the partition module its dispatched to the schema_fsmo module.
The request is processed in the schema_fsmo module by schema_fsmo_extended().
Andrew Tridgell [Thu, 24 Jul 2008 01:48:27 +0000 (11:48 +1000)]
fixd a bug in the signal handling code - we could get phantom signals
(signum 64)
Michael Adam [Wed, 23 Jul 2008 14:23:31 +0000 (16:23 +0200)]
libnet_become_dc: send msDS_Behavior_Version == 3 (win2k8) in DsAddEntry
instead of version 2 (win2k3).
This makes the NET-API-BECOME-DC test work against windows 2003 and 2008.
Michael
Michael Adam [Wed, 23 Jul 2008 15:54:25 +0000 (17:54 +0200)]
libnet_become_cd: add boolean option "become_dc:force krb5" to control krb5 auth.
This allows controlling whether krb5 auth is forced for the rpc bind in
libnet_become_dc. It defaults to "yes". For Windows 2000, DsGetNCChanges
only krb5 auth works due to a bug in Windows (it returns garbage - a
positive object count is returned along with first object == NULL).
For Windows 2008, on the other hand, krb5 auth does not work currently
due to the lack of support for AES keys. (Metze is working on that.)
Michael
Michael Adam [Wed, 23 Jul 2008 13:34:45 +0000 (15:34 +0200)]
drsuapi: always set the pid field of the outgoing DsBindInfo to 0.
This is for debugging and informational purposes only.
The assignment is implementation specific.
(WSPP docs, sec. 5.35).
Michael
Michael Adam [Wed, 23 Jul 2008 13:21:44 +0000 (15:21 +0200)]
libnet_unbecome_dc: teach unbecomeDC_drsuapi_bind_recv() DsBindInfo48.
..to work agains w2k8.
Michael
Michael Adam [Wed, 23 Jul 2008 13:18:57 +0000 (15:18 +0200)]
libnet_become_cd: teach becomeDC_drsuapi_bind_recv() DsBindInfo48.
To work with w2k8.
Michael
Michael Adam [Wed, 23 Jul 2008 12:07:06 +0000 (14:07 +0200)]
dsdb: teach dreplsrv_out_drsuapi_bind_recv() knowledge of DsBindInfo48.
To make it work against w2k8.
Michael
Stefan Metzmacher [Wed, 23 Jul 2008 07:35:19 +0000 (09:35 +0200)]
password_hash: add generation of the Primary:Kerberos-Newer-Keys blob
But it's still of by default until we now what triggers this generation.
It could be that the value is always generated but the KDC only
uses it when in a specific funtional level, but it could also
be that it's only generated in a specific functional level.
metze
Stefan Metzmacher [Tue, 22 Jul 2008 16:47:27 +0000 (18:47 +0200)]
hdb-ldb: try to find Primary:Kerberos-Newer-Keys and fallback to Primary:Kerberos
Now provide AES tickets if we find the keys in the supplementalCredentials attribute
metze
Stefan Metzmacher [Tue, 22 Jul 2008 10:28:07 +0000 (12:28 +0200)]
drsblobs.idl: add idl for Primary:Kerberos-Newer-Keys blob in supplementalCredentials
metze
Stefan Metzmacher [Tue, 22 Jul 2008 16:54:21 +0000 (18:54 +0200)]
password_hash: order the supplementalCredentials Packages in the same order like windows
metze
Stefan Metzmacher [Tue, 22 Jul 2008 16:27:36 +0000 (18:27 +0200)]
password_hash: split the generation of krb5 keys into a different function
metze
Stefan Metzmacher [Tue, 22 Jul 2008 16:32:49 +0000 (18:32 +0200)]
password_hash: simplify the logic if we have cleartext we always generate the hashes
metze
Stefan Metzmacher [Wed, 23 Jul 2008 08:05:43 +0000 (10:05 +0200)]
password_hash: fix callers after idl change for package_PrimaryKerberos
metze
Stefan Metzmacher [Wed, 23 Jul 2008 06:53:34 +0000 (08:53 +0200)]
drsblobs.idl: fix unknowns in package_PrimaryKerberos idl
metze
Stefan Metzmacher [Wed, 23 Jul 2008 11:41:51 +0000 (13:41 +0200)]
hdb-ldb: check the SUPPLEMENTAL_CREDENTIALS_SIGNATURE
metze
Stefan Metzmacher [Wed, 23 Jul 2008 11:31:14 +0000 (13:31 +0200)]
password_hash: check the SUPPLEMENTAL_CREDENTIALS_SIGNATURE
metze
Stefan Metzmacher [Wed, 23 Jul 2008 11:06:32 +0000 (13:06 +0200)]
drsblobs.idl: fix idl for supplementalCredentialsSubBlob
metze
Stefan Metzmacher [Wed, 23 Jul 2008 10:00:42 +0000 (12:00 +0200)]
password_hash: ignore reserved value, but still set it like windows does
metze
Stefan Metzmacher [Wed, 23 Jul 2008 11:53:03 +0000 (13:53 +0200)]
drsblobs.idl: rename unknown1 -> reserved
metze
Stefan Metzmacher [Tue, 22 Jul 2008 16:31:45 +0000 (18:31 +0200)]
password_hash: don't add zero padding as w2k8 also don't add it
metze
Stefan Metzmacher [Tue, 22 Jul 2008 16:46:24 +0000 (18:46 +0200)]
hdb-ldb: fix comment about padding
metze
Stefan Metzmacher [Tue, 22 Jul 2008 16:34:14 +0000 (18:34 +0200)]
hdb-ldb: fix crash bug in the error path
metze
Stefan Metzmacher [Tue, 22 Jul 2008 12:06:36 +0000 (14:06 +0200)]
RPC-DSSYNC: print 'supplementalCredentials' more verbosely
metze
Stefan Metzmacher [Wed, 23 Jul 2008 12:41:16 +0000 (14:41 +0200)]
rpc_server: be more strict with the incoming assoc_group_id
Allow 0 and 0x12345678 only.
This fixes the RPC-HANDLES test.
metze
Michael Adam [Wed, 23 Jul 2008 09:06:50 +0000 (11:06 +0200)]
smbtorture: add a warning for unknown BindInfo length to the RPC-DSSYNC test
Michael
Michael Adam [Wed, 23 Jul 2008 09:05:24 +0000 (11:05 +0200)]
smbtorture: add support for the DSBindInfo48 to the RPC-DSSYNC test.
Michael
Stefan Metzmacher [Thu, 17 Jul 2008 11:36:59 +0000 (13:36 +0200)]
libnet/become_dc: add a comment and explain why it's important to specify krb5
metze
Andrew Bartlett [Wed, 23 Jul 2008 06:20:07 +0000 (16:20 +1000)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-abartlet
Andrew Bartlett [Wed, 23 Jul 2008 06:19:54 +0000 (16:19 +1000)]
The SMB session key must not be more than 16 bytes in SAMR (and
presumably LSA).
Tests show that Vista requires the sesion key to be truncated for a
domain join.
Andrew Bartlett
Andrew Bartlett [Wed, 23 Jul 2008 06:15:46 +0000 (16:15 +1000)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-local
Andrew Bartlett [Wed, 23 Jul 2008 06:15:43 +0000 (16:15 +1000)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-abartlet
Andrew Bartlett [Wed, 23 Jul 2008 06:14:20 +0000 (16:14 +1000)]
Remove the 'accoc_group_id' check in the RPC server.
This check breaks more than it fixes, and while technically not
correct, is the best solution we have at this time. Otherwise,
SCHANNEL binds from WinXP fail.
Andrew Bartlett
Andrew Bartlett [Wed, 23 Jul 2008 03:49:00 +0000 (13:49 +1000)]
Explain where some other OIDs are allocated.
This is an odd place for an OID registry - we perhaps need a central
wiki page.
Andrew Bartlett
Michael Adam [Tue, 22 Jul 2008 13:35:23 +0000 (15:35 +0200)]
Change occurrences of the u1 member of DsBindInfo* to pid after idl change.
Michael
Michael Adam [Tue, 22 Jul 2008 13:33:26 +0000 (15:33 +0200)]
drsuapi.idl: change the u1 field in DsBindInfo* to "pid".
According to the WSPP docs, section 5.35,
this is the "process identifyer" of the client.
It is meant for informational and debugging purposes
only and its assignment is implementation specific.
Michael
Michael Adam [Tue, 22 Jul 2008 11:07:55 +0000 (13:07 +0200)]
drsuapi.idl: add drsuapi_SupportedExtensionsExt bitfield.
This knowledge is obtained from the wspp-docs (section 5.35).
Michael
Michael Adam [Tue, 22 Jul 2008 10:46:04 +0000 (12:46 +0200)]
drsuapi.idl: the last 16 bytes in DsBindInfo48 ar the GUID of the config dn.
This bit seems not to be documented in the WSPP docs.
Michael
Michael Adam [Tue, 22 Jul 2008 09:37:32 +0000 (11:37 +0200)]
drsuapi.idl: add drsuapi_DsBindInfo48.
This is necessary to make DsGetNcChanges work with win2008.
Michael
Volker Lendecke [Mon, 21 Jul 2008 11:05:23 +0000 (13:05 +0200)]
s3 cli_do_rpc_ndr does not use PI_* anymore
Andrew Bartlett [Tue, 22 Jul 2008 01:09:18 +0000 (11:09 +1000)]
Install'named.txt' to private/ as documentation.
This document is much more use when subbed with all the right things.
Andrew Bartlett
Matthias Dieter Wallnöfer [Tue, 22 Jul 2008 01:06:47 +0000 (11:06 +1000)]
Improve DNS and Group poicy configurations.
- fixes bug #4813 (simplify DNS setup)
- This reworks the named.conf to be a fully fledged include
- This also moves the documentation into named.txt
- improves bug #4900 (Group policy support in Samba)
- by creating an empty GPT.INI
- fixes bug #5582 (DNS: Enhanced zone file)
- This is now closer to the zone file AD creates
committed by Andrew Bartlett
Jelmer Vernooij [Mon, 21 Jul 2008 10:47:08 +0000 (12:47 +0200)]
Properly cast array length in print functions.
Andrew Bartlett [Mon, 21 Jul 2008 05:00:18 +0000 (15:00 +1000)]
Fix winbindd not to sit in a busy loop...
Clearly winbindd in Samba4 has not ever been run against windows, as
when we fixed the Samba4 server not to cause XP to loop like this,
Samba4's own client starts looping...
Andrew Bartlett
Andrew Bartlett [Mon, 21 Jul 2008 03:42:07 +0000 (13:42 +1000)]
Rename structures to better match the names in the WSPP IDL.
The 'comment' element in a number of domain structures is called
oem_information. This was picked up actually because with OpenLDAP
doing the schema checking, it noticed that 'comment' was not a valid
attribute.
The rename tries to keep this consistant in both the LDB mappings and
IDL, so we don't make the same mistake in future.
This has no real schema impact, as this value isn't actually used for
anything, as 'comment' was not used in the provision.
Andrew Bartlett
Andrew Bartlett [Mon, 21 Jul 2008 02:05:53 +0000 (12:05 +1000)]
Remove bogus test in 'enum trusted domains' LSA server.
The change to the RPC-LSA test proves that when the remote server has
0 trusted domains, it will return NT_STATUS_NO_MORE_ENTRIES, not
NT_STATUS_OK.
Andrew Bartlett
Andrew Bartlett [Mon, 21 Jul 2008 01:27:23 +0000 (11:27 +1000)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-local
Andrew Bartlett [Mon, 21 Jul 2008 01:18:54 +0000 (11:18 +1000)]
Sleep longer in the hope that the OpenLDAP backend might catch up
Andrew Bartlett [Mon, 21 Jul 2008 01:18:21 +0000 (11:18 +1000)]
Fix ldb_map to add/remove the same 'extra' objectclass
The code previously added data->add_objectClass, but only removed the
fixed objectclass of extensibleObject.
Found by the ldap.py test.
Andrew Bartlett
Andrew Bartlett [Sun, 20 Jul 2008 23:36:24 +0000 (09:36 +1000)]
Make invalid 'member' detection work again.
This defines a rootdn globally, and due to OpenLDAP bugs, gives it
manage access to the whole database. This makes the memberOf module
able to validate the links again, now we have database ACLs.
Andrew Bartlett
Volker Lendecke [Sat, 19 Jul 2008 10:47:31 +0000 (12:47 +0200)]
Fix RAW-OPEN against Samba3
This test assumed that fnums are recycled immediately after a close. This is
not true on Samba 3.
Andrew B., I assume this is just a bug in the test. Assuming recycled fnums
might be true on Windows and Samba 4, but I don't think we should assume this
everywhere.
Volker
Andrew Bartlett [Fri, 18 Jul 2008 08:58:56 +0000 (18:58 +1000)]
Make a seperate template for the refint configuration too
Andrew Bartlett [Fri, 18 Jul 2008 08:44:07 +0000 (18:44 +1000)]
Put the memberof template into a seperate setup/ file.
Set a memberof-dn in a fruitless attempt to fix the ACL problem I'm
having with OpenLDAP
Andrew Bartlett
Andrew Bartlett [Fri, 18 Jul 2008 08:40:19 +0000 (18:40 +1000)]
More 'must be ignored' options from the MS-SMB doc.
Also in particular the 'sync' flags (which Samba has traditionally
ignored).
Thanks to Olivier Salamin <olivier.salamin@gmail.com> for pointing out
more flags that needed to be handled.
Andrew Bartlett
Volker Lendecke [Wed, 16 Jul 2008 19:50:25 +0000 (21:50 +0200)]
Add the interface ID to the rpc_pipe_register_commands call in s3 srv code
Stefan Metzmacher [Wed, 16 Jul 2008 11:02:54 +0000 (13:02 +0200)]
drsuapi: print out the number of linked attribute values we got
metze
Stefan Metzmacher [Wed, 16 Jul 2008 11:01:56 +0000 (13:01 +0200)]
drsuapi: make use of the 'more_data' field in DsGetNCChangesCtr[1|6]
metze
Stefan Metzmacher [Wed, 16 Jul 2008 11:00:07 +0000 (13:00 +0200)]
drsuapi: check ctr6->drs_error
metze
Stefan Metzmacher [Wed, 16 Jul 2008 10:58:29 +0000 (12:58 +0200)]
drsuapi: get ctr6 out of xpress compressed level
metze
Stefan Metzmacher [Tue, 15 Jul 2008 14:59:09 +0000 (16:59 +0200)]
drsuapi: total_object_count was the wrong guess
The total_object_count member of DsGetNCChangesCtr[1|6] was wrong
it's the error code of an extended operation.
DsGetNCChangesCtr6 has a nc_object_count value which contains
the estimated amount of objects in the naming_context.
W2k seems to have a bug and sends this number of objects
in the extended_ret field. Maybe it's just a bug and
not a feature:-)
metze
Stefan Metzmacher [Tue, 15 Jul 2008 13:36:54 +0000 (15:36 +0200)]
drsuapi.idl: fix unknowns in drsuapi_DsGetNCChangesCtr*
metze
Stefan Metzmacher [Tue, 15 Jul 2008 14:58:16 +0000 (16:58 +0200)]
libnet/become_dc: an unknown field in drsuapi.idl changed to object_flags
metze
Stefan Metzmacher [Tue, 15 Jul 2008 13:35:47 +0000 (15:35 +0200)]
drsuapi.idl: fix unknowns in drsuapi_DsReplicaObject*
metze
Stefan Metzmacher [Tue, 15 Jul 2008 13:34:23 +0000 (15:34 +0200)]
drsuapi.idl: fix unknowns in drsuapi_DsReplicaCursor[2]
metze
Stefan Metzmacher [Fri, 11 Jul 2008 08:19:53 +0000 (08:19 +0000)]
drsuapi.idl: correctly handle xpress compressed payload
metze
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 16 Jul 2008 09:30:47 +0000 (11:30 +0200)]
become_dc: we need to replicate using krb5 auth to work against w2k
With NTLMSSP we just get strange responses with a random object count
and a NULL object list. On the domain partition where we try to replicate
the password fields.
metze
Stefan Metzmacher [Tue, 15 Jul 2008 16:28:25 +0000 (18:28 +0200)]
NET-API-BECOME-DC: fix crash bugs because of unintialized variables
metze
Andrew Bartlett [Wed, 16 Jul 2008 07:06:33 +0000 (17:06 +1000)]
Another kludge to let the OpenLDAP backend catch up.
This will go away when this is handled in an internal transation.
Andrew Bartlett
Andrew Bartlett [Wed, 16 Jul 2008 05:28:54 +0000 (15:28 +1000)]
Fix the build - this element was renamed.
Andrew Bartlett [Wed, 16 Jul 2008 04:04:24 +0000 (14:04 +1000)]
Reorder whitespace in generated slapd.conf
This helps us see the real groupings in the generated memberOf
handling.
Andrew Bartlett
Andrew Bartlett [Wed, 16 Jul 2008 04:00:18 +0000 (14:00 +1000)]
Ignore and handle more NT Create & X options.
The MS-SMB document explains that some of these options should be
ignored. The test proves it.
/* Must be ignored by the server, per MS-SMB 2.2.8 */
/* Must be ignored by the server, per MS-SMB 2.2.8 */
If we implement HSM in samba4 (likely) we should honour this bit.
/* Don't pull this file off tape in a HSM system */
Andrew Bartlett
Andrew Bartlett [Wed, 16 Jul 2008 01:11:25 +0000 (11:11 +1000)]
Don't keep an extra ldb around forever.
We just open it to figure out if we need to be a Global Catalog server.
Andrew Bartlett
Andrew Bartlett [Tue, 15 Jul 2008 12:22:34 +0000 (22:22 +1000)]
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-abartlet
Conflicts:
source/dsdb/samdb/ldb_modules/simple_ldap_map.c