Age | Commit message (Collapse) | Author | Files | Lines |
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
|
|
|
|
The generic NDR-based cache in winbindd_dual_ndr.c replaces this.
|
|
|
|
|
|
|
|
|
|
Guenther
|
|
Guenther
|
|
|
|
This is a small performance optimization. Instead of opening the tdb
on every smb connection in the forked child process, we now open it in
the parent and share the fd.
This also reduces the total fd usage in the system.
|
|
|
|
There's a known bug in some Windows implementations of
DsEnumerateDomainTrusts() where domain SIDs are not returned for
transitively trusted domains within the same forest.
Jerry originally worked around this in the winbindd parent by checking
for S-0-0 and converting it to S-1-0 in 8b0fce0b. Guenter later moved
these checks into the child process in commit 3bdfcbac making the
initial patch unecessary.
I've removed it and added a clarifying comment to the child process.
If ever this SID is needed we could add an extra DsEnumerateDomainTrusts()
call in trusted_domains() as suggested by the Microsoft KB.
|
|
Guenther
|
|
Guenther
|
|
|
|
Explictly pass the facility from both smbd and full_audit to syslog.
Really the only major change is to not call openlog() in full_audit if
WITH_SYSLOG is defined, which implies that smbd is already using
syslog. This allows full audit to piggy-back on the same ident as
smbd, while still differentiating the logging via the facility.
|
|
file was requested
full_audit will now print out whether the createfile was requested for
a file or directory. The create disposition is also printed out.
|
|
|
|
metze
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
This is necessary because MIT 1.5 can't deal with certain types (Tree Root) of
transitive AD trusts. The workaround is to add a [capaths] directive to
/etc/krb5.conf, which we don't automatically put into the krb5.conf winbind
creates.
The alternative would have been something like a "krb5 conf include", but I
think if someone has to mess with /etc/krb5.conf at this level, it should be
easy to add the site-local KDCs as well.
Next alternative is to correctly figure out the [capaths] parameter for all
trusted domains, but for that I don't have the time right now. Sorry :-)
|
|
Igor Mammedov pointed out that reverse resolving an IP address to get
the hostname portion of a principal could open a possible attack
vector. If an attacker were to gain control of DNS, then he could
redirect the mount to a server of his choosing, and fix the reverse
resolution to point to a hostname of his choosing (one where he has
the key for the corresponding cifs/ or host/ principal).
That said, we often trust DNS for other reasons and it can be useful
to do so. Make the code that allows trusting DNS to be enabled by
adding --trust-dns to the cifs.upcall invocation.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
...to allow long option names.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
|
|
The previous patches to the provision system cut down on the number of
reconnects, and disabled the partition handling for part of the
process. This means we lost the setting of @OPTIONS as a replicated
attribute into the partitions.
Andrew Bartlett
|
|
This allows us to turn a python LdbMessage back into a string.
Andrew Bartlett
|
|
Also add tests to prove that we got this correct, and correct the
existing tests which used the wrong constants.
Andrew Bartlett
|
|
This changes dsdb_write_prefixes_from_schema_to_ldb() to use an
internal talloc hirarchy, so we can safely give it a NULL context from
the python.
It also fixes manual construction of the ldb_message - we now use the
right helper functions.
Andrew Bartlett
|
|
This allows us to test out the code that will do the modify of the
prefixMap, and to provide the bindings that may assist a future
upgrade script.
Andrew Bartlett
|
|
This will ensure that the GUID can be filled in correctly, and assist
us to validate DN targets in the future.
Andrew Bartlett
|
|
|
|
The aim is to create a function that is more easily wrapped for
python, so that we can write the updated prefixMap in an upgrade
script.
Andrew Bartlett
|
|
This revises tridge's commit 61ca4c491e1c13eb7d97847f743b0f540f1117c4
to use ldb_request_add_control() instead of a manual construction.
Andrew Bartlett
|
|
opcodes.
Guenther
|
|
Tim, I am reverting this as this eliminates "_netr_LogonSamLogonEx" from the
debug messages completely. Followup fix to come immediately.
This reverts commit add9b4afb14d3426d1f3bf5b8e7c86926f462578.
|
|
Guenther
|
|
(in preparation of credential merge).
Guenther
|
|
_netr_ServerAuthenticate3.
Guenther
|
|
Fix set_namearray to allow for strings that don't end in a slash. Also
remove unnecessary strdup()s.
Signed-off-by: Tim Prouty <tprouty@samba.org>
|
|
|
|
|
|
#6099 for details).
Guenther
|