summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2003-06-29Here's the code to make winbindd work on a Samba DCGerald Carter9-28/+108
to handle domain trusts. Jeremy and I talked about this and it's going in as working code. It keeps winbind clean and solves the trust problem with minimal changes. To summarize, there are 2 basic cases where the deadlock would occur. (1) lookuping up secondary groups for a user, and (2) get[gr|pw]nam() calls that fall through the NSS layer because they don't exist anywhere. o To handle case #1, we bypass winbindd in sys_getgrouplist() unless the username includes the 'winbind separator'. o Case #2 is handled by adding checks in winbindd to return failure if we are a DC and the domain matches our own. This code has been tested using basic share connections, domain logons, and with pam_winbind (both with and without 'winbind use default domain'). The 'trustdomain' auth module should work as well if an admin wants to manually create UNIX users for acounts in the trusted domains. Other misc fixes: * we need to fix check_ntlm_password() to be able to determine if an auth module is authoritative over a user (NT_STATUS_WRONG_PASSWORD, etc...). I worked around my specific situation, but this needs to be fixed. the winbindd auth module was causing delays. * fix named server mutex deadlock between trust domain auth module and winbindd looking up a uid * make sure SAM_ACCOUNT gets stored in the server_info struct for the _net_sam_logon() reply. Configuration details: The recommended method for supporting trusts is to use winbind. The gets us around some of the server mutex issues as well. * set 'files winbind' for passwd: and group: in /etc/nsswitch.conf * create domain trusts like normal * join winbind on the pdc to the Samba domain using 'net rpc join' * add normal parameters to smb.conf for winbind * set 'auth method = guest sam winbind' * start smbd, nmbd, & winbindd Problems that remain: * join a Windows 2k/XP box to a Samba domain. * create a 2-way trust between the Samba domain and an NT domain * logon to the windows client as a user from theh trusted domain * try to browse server in the trusted domain (or other workstations). an NT client seems to work ok, but 2k and XP either prompt for passwords or fail with errors. apparanently this never got tested since no one has ever been able to logon as a trusted user to a Samba domain from a Windows client. (This used to be commit f804b590f9dbf1f0147c06a0a2f12e221ae6fc3b)
2003-06-28add check for NT_STATUS_NOT_IMPLEMENTED in auth check so thatGerald Carter3-36/+50
map to guest = bad user works again when "trustdomain" is listed as last auth method. Also clean up some more DC location calls. (This used to be commit 77a5b1032f39b8d20925721b719fdcfff910cb06)
2003-06-28cleaning up after the s/in_addr/ip_service/ switch for the get_dc_list() patchGerald Carter1-6/+18
(This used to be commit 303fdc516c79b170d7c12fe2f6264d9636673347)
2003-06-27Some const correctness. Stop tdb being used as a remote backend. If anJeremy Allison10-95/+114
idmap backend is specified cause smbd to ask winbindd (use winbindd if you want a consistant remote backend solution). Should work well enough for next beta now... Jeremy. (This used to be commit 8f830c509af5976d988a30f0b0aee4ec61dd97a3)
2003-06-26Add include guards around idmap.h, change ID_NOMAP to ID_QUERY_ONLYJeremy Allison4-16/+38
and ID_CACHE to ID_CACHE_SAVE. Added locking around tdb writes & deletes for multi-process access. Jeremy. (This used to be commit 5b998cdc1d552234236862f6a2bbae703b0c146e)
2003-06-26As has been pointed out, ordering here doesn't matter so use normalJeremy Allison1-2/+2
add. Jeremy. (This used to be commit 030b35ca0fc9fe49610084c6c1be95241157564b)
2003-06-26Remove the MODULES_CLEAN variable. It's no longer necessary sinceJelmer Vernooij3-5/+2
object files for modules are in .po files, while object files for static use are in .o files. Pointed out by metze. This reduces the number of files that have to be recompiled after the Makefile changes. Preventing unnecessary recompiling of the other few is high on my todo list. (This used to be commit b9b46d43c7c39d6738c254c4a148bdb93cae02e3)
2003-06-26Move up intialisation of logging, so we catch errors in handling 'preload ↵Jelmer Vernooij1-4/+4
modules' (This used to be commit 13b81d0d92b9e28eaab18f5437060e79f6075f9e)
2003-06-26Document name resolve order suggested settings for security=ads as mentioned ↵Alexander Bokovoy1-1/+7
by Jerry (This used to be commit 0413385feb71e15c9b2f331417ce24c985f1fe8d)
2003-06-26cleaning up more build issues. TestedGerald Carter2-17/+19
"--with-ads=no --with-ldap=yes" and "--with-ads=yes && make everything" (This used to be commit 3e9e4bb7d1a2f5a95539f415aa101f033b67932a)
2003-06-26Fix immediate bug where the idmap can't tell the difference between an entryJeremy Allison2-17/+32
not being present (and so allocate another) and an entry that is present but of the wrong type. This code still has major problems... Jeremy. (This used to be commit a304bc5ff134df118754d9e8d2b2680b4101e438)
2003-06-25Add netlogon debug registry key infoJelmer Vernooij1-0/+19
(This used to be commit ffaddd8202aeb7a442aa565e19a76a5f407c9f91)
2003-06-25fix linking of some things that are not built by defaultGerald Carter1-14/+14
(This used to be commit 42133092a40e7979b29c8cc82c662d54bc399e6e)
2003-06-25ifdef out some functions that are not used when HAVE_ADS is not definedGerald Carter1-1/+1
(This used to be commit 2d192e0431c7b754cf9db2306acb01fbe4068a14)
2003-06-25fix build on non-ldap platformsGerald Carter1-0/+3
(This used to be commit a59ea1d6d32337226f6099eefd19681fb28279c0)
2003-06-25Ensure idmap backends are added in the correct order (DLIST_ADD putsJeremy Allison3-8/+26
things at the *front* of the list). Add more debug. Still broken.. :-(. Jeremy. (This used to be commit dd9251e6f51f229ca1fab23d9b06f5bb68644fab)
2003-06-25* fix typos in a few debug statementsGerald Carter3-5/+11
* check negative connection cache before ads_try_connect() in ads_find_dc() (This used to be commit 2a76101a3a31f5fca2f444b25e3f0486f7ef406f)
2003-06-25forgot one fileGerald Carter1-0/+158
(This used to be commit ef978bd851431da373e005177504dbef2611cf4f)
2003-06-25large change:Gerald Carter24-767/+533
*) consolidates the dc location routines again (dns and netbios) get_dc_list() or get_sorted_dc_list() is the authoritative means of locating DC's again. (also inludes a flag to get_dc_list() to define if this should be a DNS only lookup or not) (however, if you set "name resolve order = hosts wins" you could still get DNS queries for domain name IFF ldap_domain2hostlist() fails. The answer? Fix your DNS setup) *) enabled DOMAIN<0x1c> lookups to be funneled through resolve_hosts resulting in a call to ldap_domain2hostlist() if lp_security() == SEC_ADS *) enables name cache for winbind ADS backend *) enable the negative connection cache for winbind ADS backend *) removes some old dead code *) consolidates some duplicate code *) moves the internal_name_resolve() to use an IP/port pair to deal with SRV RR dns replies. The namecache code also supports the IP:port syntax now as well. *) removes 'ads server' and moves the functionality back into 'password server' (which can support "hostname:port" syntax now but works fine with defaults depending on the value of lp_security()) (This used to be commit d7f7fcda425bef380441509734eca33da943c091)
2003-06-25Patch to move functions directly from pdb_ldap.c into lib/smbldap.cAndrew Bartlett4-738/+763
The functions are unchanged. Next step is to make idmap_ldap use them. Andrew Bartlett (This used to be commit 57617a0f8c84f9ced4df2901811ce5a5a5ae005e)
2003-06-25Metze assures me that this will fix Heimdal et al.Tim Potter1-1/+1
I think the lesson to take away here is that refactoring configure.in is a hazardous task and should only be attempted if you have a lot of time and patience! (This used to be commit 5ba121ac9d75de72261521cb1066ed585b68c307)
2003-06-25Fix a warning in a DEBUGVolker Lendecke1-12/+12
Clean up the init a little bit, less nested if-statements. Agreed upon with Simo. Volker (This used to be commit fdcfefd7f1be55307ccd59290efd249981198e1e)
2003-06-25Tought I already done.Simo Sorce2-32/+22
Set back 3.0 to use only winbindd_idmap.tdb as idmap database as told on samba-technical. Tested and working so far. (This used to be commit e154e50fed8968567f75fcd581de2b41914ea2c1)
2003-06-25Only append to KRB5_LIBS when doing AC_CHECK_LIB for libkrb5.Tim Potter1-1/+1
I think we are done with MIT Kerberos for the moment. The Heimdal detection looks like it has been broken for ages so it's next on the list. (This used to be commit 7690a722f99485f717215787db168f6878422f2f)
2003-06-25Don't trash the values of CFLAGS and LIBS while engaged in KerberosTim Potter1-2/+0
detection. On Solaris 9 extra libraries -lber and -lresolv are required for Kerberos tests. We used to have an extra check for -lresolv only but I think the correct solution is not to forget about it in the first place. This should fix bug #125 although I don't have access to a system to test it out on. (This used to be commit 4ddfab4a572782cd83588eff4fbb599f6c4e770c)
2003-06-25More debugs for this... (these should have been here already !).Jeremy Allison1-1/+8
Jeremy. (This used to be commit a118648d9505d54850ffad1e9ce7a2c3d279df9f)
2003-06-25More instrumentation tracking down this bug...Jeremy Allison1-1/+5
Jeremy. (This used to be commit 705915d9f71504f8ae04444352c80811c5a6f1ac)
2003-06-25Start to instrument this code as I try and track down a nasty bug thatJeremy Allison1-3/+34
causes mapping to dissapear... Jeremy. (This used to be commit bdffc81c9d1eeab26e4dba017a99bb9cc9131493)
2003-06-24Sequence number was not getting updated with ldap hack. Only a bug in thisJeremy Allison2-7/+4
branch. Jeremy. (This used to be commit 19629b41cb9b5e5f9e0d4a6d52af983a4d05c8cb)
2003-06-24Explain why winbindd is exiting.Jeremy Allison1-2/+4
Jeremy. (This used to be commit a411923aa2eba9dac49efb68ed31650c11b5c33d)
2003-06-24Fix pdb_ldap segfaults, and wrong default values for ldapsam_compat.Andrew Bartlett1-4/+3
Reviewed by vl, metze. Andrew Bartlett (This used to be commit 9804ad458ad35c9ea7de3e2e86bf8b2f85ae6533)
2003-06-24do not forget the include file :-)Simo Sorce1-0/+23
(This used to be commit 73e13b9bafa070a1dceaf21a0e098dda207ba7fd)
2003-06-24add tdb backup function separation and winbind idmap upgrade code formSimo Sorce5-171/+413
pre-2.2.4 tdb database format. tx volker for your work on this (This used to be commit 2bdbeb9e97a59ecd16f74fbb04ab5ca57b28a757)
2003-06-24More tuning of Kerberos detection - don't fall through to detect kerberos libsTim Potter1-3/+6
when we have already decided that we can't do it. (This used to be commit db792ed530da4e040084d4b42b716ffdcdd13bd3)
2003-06-24More sensible behaviour for bug 152. If we don't have krb5.h and were ↵Tim Potter1-10/+36
explicitly configured using --with-ads then give an error, otherwise fall back to compiling without ADS. Tested on redhat 8.0 with and without MIT kerberos packages installed. Metze, let me know if this is working OK for you now! (This used to be commit 7ea81535b8180314acbf0873104a8c942ce4ec14)
2003-06-24Fixes from Martin Dorey <mdorey@bluearc.com> to only ask for and changeJeremy Allison1-7/+6
the requested parts of the ACL. Jeremy. (This used to be commit c35a88201c619f0ebbaf38adbd0ec2af77e23981)
2003-06-24Move the map acl inherit parameter into the protocol section.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 076d9a3c9bc264d9456a67da9366bd73d3ce69d5)
2003-06-23Add documentation for "map acl inherit" parameter.Jeremy Allison1-0/+17
Jeremy. (This used to be commit a97f25c78591db3f6326610ea62b183fa3b9434d)
2003-06-23Fixed the merge_default_aces() code to work correctly with inheritance.Jeremy Allison1-11/+38
Hopefully will fix jcmd bugs :-). Jeremy. (This used to be commit 482e6c79edefc8aaacbb37f807d2076e59b40e26)
2003-06-23* s/get_dc_name/rpc_dc_name/g (revert a previous change)Gerald Carter8-178/+43
* move back to qsort() for sorting IP address in get_dc_list() * remove dc_name_cache in cm_get_dc_name() since it slowed things down more than it helped. I've made a note of where to add in the negative connection cache in the ads code. Will come back to that. * fix rpcclient to use PRINTER_ALL_ACCESS for set printer (instead of MAX_ALLOWED) * only enumerate domain local groups in our domain * simplify ldap search for seqnum in winbindd's rpc backend (This used to be commit f8cab8635b02b205b4031279cedd804c1fb22c5b)
2003-06-23wrap group enuemration in brcome/unbecome_root() (bug #110)Gerald Carter1-0/+14
(This used to be commit 3918fffc7f07202f4c0b940f877184eea7561135)
2003-06-23fix typo (bug #170)Gerald Carter1-1/+1
(This used to be commit d376b67de9ff7a43c9c03c8640d9fe1671d223cb)
2003-06-23fix bug #178; available space in devmode should be intGerald Carter1-1/+1
(This used to be commit 944480b89a829f159cabff100d83a72400aa6b6c)
2003-06-23lp_security() is a function not an integerAndrew Tridgell1-1/+1
(This used to be commit 71907f32ba9c8700ba185b565a50c55a3a451758)
2003-06-23Change AC_MSG_ERROR() in krb5.h detection code to AC_MSG_WARN()Tim Potter1-1/+1
until I repair my destroyed development system and check in a proper fix for this. (This used to be commit efad5dab522c466ae9e6bc114d0a0e6d1a7ed06d)
2003-06-23* set domain->last_status = NT_STATUS_SERVER_DISABLED on an ads_connect() ↵Gerald Carter5-36/+276
failure * Fix code to use winbind_rpc methods for trusted mixed mode or NT4 domains ( does no one ever test this? ) * add in LDAP code to get the sequence number for rpc based seqnum update. ( this is needed if the DC is upgraded and samba is not reconfigured to use security = ads; it's not pretty but it works (from app_head) ) * fix bug that caused us to enumerate domain local groups in domains other than our own (This used to be commit 14f2cd139a22454571cea8475d3b7c5c2787d378)
2003-06-23Produce an error if Active Directory support is requested and we don'tTim Potter1-0/+4
have krb5.h Should fix bug 152. (This used to be commit 82d3dd757be5c56fdeb97e66f64ec25d5e202614)
2003-06-23Repair indentation in autoconf Kerberos detection code. This shouldTim Potter1-120/+169
make it easier to understand/debug. (This used to be commit 86b6ff134c2631be1346cea1cd7a17ae815a3759)
2003-06-22Found out a good number of NT_STATUS_IS_ERR used the wrong way.Simo Sorce22-60/+60
As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK This patch will cure the problem. Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is used correctly, but I'm not 100% sure, coders should check the use of NT_STATUS_IS_ERR() in samba is ok now. Simo. (This used to be commit c501e84d412563eb3f674f76038ec48c2b458687)
2003-06-21(fixing bug in my last commit)Andrew Bartlett1-6/+6
This isn't C++ - start your code *after* all the variables are declared... Andrew Bartlett (This used to be commit b7760faedc2181538ffc325e727808e6df8f943f)