samba.git/source3/auth, branch talloc-2.0.0 Unnamed repository; edit this file 'description' to name the repository. Implement Metze's suggestion of trying getpwuid(0) then getpwnam(root). 2009-08-22T16:40:58+00:00 Jeremy Allison jra@samba.org 2009-08-22T16:40:58+00:00 da9356711b14d7475bcfe4cf0bb1874c018db276 Jeremy. 
Jeremy.
Try and fix the buildfarm by using getpwnam(root) instead 2009-08-22T04:08:02+00:00 Jeremy Allison jra@samba.org 2009-08-22T04:08:02+00:00 47c7063dc62dc06d0cdd50e1946c088f8bf1ee1d of getpwuid(0) if DEVELOPER is defined. I'm hoping the build farm defines DEVELOPER... Jeremy. 
of getpwuid(0) if DEVELOPER is defined. I'm hoping the
build farm defines DEVELOPER...
Jeremy.
s3: fix bug #6650, authentication at member servers when winbindd is not running 2009-08-21T19:41:31+00:00 Michael Adam obnox@samba.org 2009-08-21T11:59:16+00:00 6afb02cb53f47e0fd7e7df3935b067e7e1f8a9de Authentication of domain users on the member server fails when winbindd is not running. This is because the is_trusted_domain() check behaves differently when winbindd is running and when it isn't: Since wb_is_trusted_domain() calls wbcDomainInfo(), and this will also give a result for our own domain, this succeeds for the member server's own domain when winbindd is running. When winbindd is not running, is_trusted_domain() checks (and possibly updates) the trustdom cache, and this does the lsa_EnumTrustDom() rpc call to the DC which does not return its own domain. In case of winbindd not running, before 3.4, the domain part was _silently_ mapped to the workgroup in auth_util.c:make_user_info_map(), which effectively did nothing in the member case. But then the parameter "map untrusted to domain" was introduced and the mapping was made to the workstation name instead of the workgroup name by default unless "map untrusted to domain = yes". (Commits d8c54fddda2dba3cbc5fc13e93431b152813892e, 5cd4b7b7c03df6e896186d985b6858a06aa40b3f, and fbca26923915a70031f561b198cfe2cc0d9c3aa6) This was ok as long as winbindd was running, but with winbindd not running, these changes actually uncovered the above logic bug in the check. So the correct check is to treat the workgroup as trusted / or known in the member case. This is most easily achieved by not comparing the domain name against get_global_sam_name() which is the host name unless for a DC but against my_sam_name() which is the workgroup for a DC and for a member, too. (These names are not very intuitive...) I admit that this is a very long commit message for a one-liner, but this has needed some tracking down, and I think the change deserves some justification. Michael 
Authentication of domain users on the member server fails when winbindd
is not running. This is because the is_trusted_domain() check  behaves
differently when winbindd is running and when it isn't:
Since wb_is_trusted_domain() calls wbcDomainInfo(), and this will also
give a result for our own domain, this succeeds for the member
server's own domain when winbindd is running. When winbindd is not
running, is_trusted_domain() checks (and possibly updates) the trustdom
cache, and this does the lsa_EnumTrustDom() rpc call to the DC which
does not return its own domain.

In case of winbindd not running, before 3.4, the domain part was _silently_
mapped to the workgroup in auth_util.c:make_user_info_map(),
which effectively did nothing in the member case.

But then the parameter "map untrusted to domain" was introduced
and the mapping was made to the workstation name instead of
the workgroup name by default unless "map untrusted to domain = yes".
(Commits
 d8c54fddda2dba3cbc5fc13e93431b152813892e,
 5cd4b7b7c03df6e896186d985b6858a06aa40b3f, and
 fbca26923915a70031f561b198cfe2cc0d9c3aa6)
This was ok as long as winbindd was running, but with winbindd not running,
these changes actually uncovered the above logic bug in the check.

So the correct check is to treat the workgroup as trusted / or known
in the member case. This is most easily achieved by not comparing the
domain name against get_global_sam_name() which is the host name unless
for a DC but against my_sam_name() which is the workgroup for a DC and for
a member, too. (These names are not very intuitive...)

I admit that this is a very long commit message for a one-liner, but this has
needed some tracking down, and I think the change deserves some justification.

Michael
Fix bug #6647 - get_root_nt_token: getpwnam("root") failed! 2009-08-19T23:55:26+00:00 Jeremy Allison jra@samba.org 2009-08-19T23:55:26+00:00 8c347ed1775acc124ff7887e2f14776529e40298 Not all systems may have a "root" user, but all must have a passwd entry for a uid of zero. Jeremy. 
Not all systems may have a "root" user, but all must have a passwd
entry for a uid of zero.
Jeremy.
Added prefer_ipv4 bool parameter to resolve_name(). 2009-07-28T18:51:58+00:00 Jeremy Allison jra@samba.org 2009-07-28T18:51:58+00:00 5d05d2299983b5d34615cd269b04806bba173c0d W2K3 DC's can have IPv6 addresses but won't serve krb5/ldap or cldap on those addresses. Make sure when we're asking for DC's we prefer IPv4. If you have an IPv6-only network this prioritizing code will be a no-op. And if you have a mixed network then you need to prioritize IPv4 due to W2K3 DC's. Jeremy. 
W2K3 DC's can have IPv6 addresses but won't serve
krb5/ldap or cldap on those addresses. Make sure when
we're asking for DC's we prefer IPv4.
If you have an IPv6-only network this prioritizing code
will be a no-op. And if you have a mixed network then you
need to prioritize IPv4 due to W2K3 DC's.
Jeremy.
Remove an unused talloc context. 2009-07-17T01:12:17+00:00 Jeremy Allison jra@samba.org 2009-07-17T01:12:17+00:00 9f0bdd4e17ef5fe0b28a8ec4676d19eb4ffe6786 Jeremy. 
Jeremy.
Tidyup prompted by #6554 - Wrong deallocation in sam_account_ok. 2009-07-16T16:54:14+00:00 Jeremy Allison jra@samba.org 2009-07-16T16:54:14+00:00 74c405db406d0971ba4fe2abae4ebd950d27ab1c Jeremy. 
Jeremy.
s3:smbd: move more session specific globals to struct smbd_server_connection 2009-06-03T15:54:37+00:00 Stefan Metzmacher metze@samba.org 2009-05-26T14:38:45+00:00 75d03970b78538346308c612ca6be15559e15b5b metze 
metze
s3:smbd: move negprot related globals to struct smbd_server_connection 2009-06-03T15:54:37+00:00 Stefan Metzmacher metze@samba.org 2009-05-26T10:48:58+00:00 e16e7146b378e8e89bf25adc66d806bac7feaeb6 metze 
metze
s3/auth map NULL domains to our global sam name 2009-05-28T20:21:15+00:00 Steven Danneman steven.danneman@isilon.com 2009-05-28T00:14:49+00:00 fbca26923915a70031f561b198cfe2cc0d9c3aa6 This is an addendum to d8c54fdd, which made make_user_info_map() match Windows behavior by mapping untrusted domains given to smbd on the wire with the users credentials to smbd's global sam name. This fix was being circumvented in the case where the client passed a NULL domain. Vista clients do this. In that case smbd was always remapping the name to the machine workgroup. The NULL domain case should also be mapped to the global sam name. Removing the code in this patch, causes us to fall down to the logic added in d8c54fdd and properly map the domain. 
This is an addendum to d8c54fdd, which made make_user_info_map() match
Windows behavior by mapping untrusted domains given to smbd on the wire
with the users credentials to smbd's global sam name.

This fix was being circumvented in the case where the client passed
a NULL domain.  Vista clients do this.  In that case smbd was always
remapping the name to the machine workgroup.  The NULL domain case
should also be mapped to the global sam name.

Removing the code in this patch, causes us to fall down to the logic
added in d8c54fdd and properly map the domain.