Age | Commit message (Collapse) | Author | Files | Lines |
|
Jeremy.
(This used to be commit 1714eb6bef627ebcfb6db03e58fdd02ea502c6e1)
|
|
Jeremy.
(This used to be commit ba112bb3fdb4e81d8f6ab1ccc4a68960f71ccb23)
|
|
* is_trusted_domain() is broken without winbind. Still working on this.
* get_global_sam_name() should return the workgroup name unless we
are a standalone server (verified by volker)
* Get_Pwnam() should always fall back to the username (minus domain name)
even if it is not our workgroup so that TRUSTEDOMAIN\user can logon
if 'user' exists in the local list of accounts (on domain members w/o
winbind)
Tested using Samba PDC with trusts (running winbindd) and a Samba 3.0
domain member not running winbindd.
notes: make_user_info_map() is slightly broken now due to the
fact that is_trusted_domain() only works with winbindd. disabled
checks temporarily until I can sort this out.
(This used to be commit e1d6094d066d4c16ab73075caba40a1ae6c56b1e)
|
|
length of what the pointer points to).
Jeremy.
(This used to be commit 492a96e9922c1ef96b967f2965f8bba1f5bc8f23)
|
|
not sorting returned ACE's correctly w.r.t. W2K - implemented the correct
algorithm.
Jeremy.
(This used to be commit fa23a4158ec23c0b8dbdc6c53f29958243107dee)
|
|
(This used to be commit 80df684b72f273f9efc0c00646f26d17f1b4bc70)
|
|
* rename original sam auth method to sam_ignoredomain
* remove samstrict_dc auth method (now covered by 'sam')
* fix wbinfo -a '...' and getent passwd bugs when running
winbindd on a samba PDC (reported by Volker)
(This used to be commit 52166faee793d337e045d64f7cb27ea7ac895f60)
|
|
we now have to check the value for _NO_WINBINDD.
"1" enables, and != "1" disables (use "0" by convention).
(This used to be commit 11eccaef1dc61d80a7db8d0fb4bc5a47d71a4390)
|
|
guest account != ""
Volker
(This used to be commit 21d330af107f744af9569b5577afc6e7ba6a269c)
|
|
(This used to be commit b401e78b6eb7efa2af74a7e645c3b34091041769)
|
|
(This used to be commit 10c51bbef83dabd99f129fc7ff0e3fe47c393c67)
|
|
(This used to be commit 5ffb8e0920be2da19ac3f442b9bf56c159011822)
|
|
- changed --enable-developer debug to use -gstabs as it makes the
samba binaries about 10x smaller and is still quite functional for
samba debugging
(This used to be commit 53bfcd478a193d4def8da872e92d7ed8f46aa4b9)
|
|
to handle domain trusts. Jeremy and I talked about this
and it's going in as working code. It keeps winbind clean
and solves the trust problem with minimal changes.
To summarize, there are 2 basic cases where the deadlock would
occur. (1) lookuping up secondary groups for a user, and
(2) get[gr|pw]nam() calls that fall through the NSS layer because
they don't exist anywhere.
o To handle case #1, we bypass winbindd in sys_getgrouplist() unless
the username includes the 'winbind separator'.
o Case #2 is handled by adding checks in winbindd to return failure
if we are a DC and the domain matches our own.
This code has been tested using basic share connections, domain
logons, and with pam_winbind (both with and without 'winbind
use default domain'). The 'trustdomain' auth module should work
as well if an admin wants to manually create UNIX users for
acounts in the trusted domains.
Other misc fixes:
* we need to fix check_ntlm_password() to be able to determine
if an auth module is authoritative over a user (NT_STATUS_WRONG_PASSWORD,
etc...). I worked around my specific situation, but this needs to be
fixed. the winbindd auth module was causing delays.
* fix named server mutex deadlock between trust domain auth module
and winbindd looking up a uid
* make sure SAM_ACCOUNT gets stored in the server_info struct for the
_net_sam_logon() reply.
Configuration details:
The recommended method for supporting trusts is to use winbind.
The gets us around some of the server mutex issues as well.
* set 'files winbind' for passwd: and group: in /etc/nsswitch.conf
* create domain trusts like normal
* join winbind on the pdc to the Samba domain using 'net rpc join'
* add normal parameters to smb.conf for winbind
* set 'auth method = guest sam winbind'
* start smbd, nmbd, & winbindd
Problems that remain:
* join a Windows 2k/XP box to a Samba domain.
* create a 2-way trust between the Samba domain
and an NT domain
* logon to the windows client as a user from theh trusted
domain
* try to browse server in the trusted domain (or other
workstations). an NT client seems to work ok, but 2k
and XP either prompt for passwords or fail with errors.
apparanently this never got tested since no one has ever been
able to logon as a trusted user to a Samba domain from a Windows
client.
(This used to be commit f804b590f9dbf1f0147c06a0a2f12e221ae6fc3b)
|
|
map to guest = bad user works again when "trustdomain" is listed
as last auth method.
Also clean up some more DC location calls.
(This used to be commit 77a5b1032f39b8d20925721b719fdcfff910cb06)
|
|
(This used to be commit 303fdc516c79b170d7c12fe2f6264d9636673347)
|
|
idmap backend is specified cause smbd to ask winbindd (use winbindd if
you want a consistant remote backend solution).
Should work well enough for next beta now...
Jeremy.
(This used to be commit 8f830c509af5976d988a30f0b0aee4ec61dd97a3)
|
|
and ID_CACHE to ID_CACHE_SAVE. Added locking around tdb writes & deletes
for multi-process access.
Jeremy.
(This used to be commit 5b998cdc1d552234236862f6a2bbae703b0c146e)
|
|
add.
Jeremy.
(This used to be commit 030b35ca0fc9fe49610084c6c1be95241157564b)
|
|
object files for modules are in .po files, while object files for
static use are in .o files. Pointed out by metze.
This reduces the number of files that have to be recompiled after the Makefile
changes. Preventing unnecessary recompiling of the other few is high
on my todo list.
(This used to be commit b9b46d43c7c39d6738c254c4a148bdb93cae02e3)
|
|
modules'
(This used to be commit 13b81d0d92b9e28eaab18f5437060e79f6075f9e)
|
|
by Jerry
(This used to be commit 0413385feb71e15c9b2f331417ce24c985f1fe8d)
|
|
"--with-ads=no --with-ldap=yes" and "--with-ads=yes && make everything"
(This used to be commit 3e9e4bb7d1a2f5a95539f415aa101f033b67932a)
|
|
not being present (and so allocate another) and an entry that is present but
of the wrong type. This code still has major problems...
Jeremy.
(This used to be commit a304bc5ff134df118754d9e8d2b2680b4101e438)
|
|
(This used to be commit ffaddd8202aeb7a442aa565e19a76a5f407c9f91)
|
|
(This used to be commit 42133092a40e7979b29c8cc82c662d54bc399e6e)
|
|
(This used to be commit 2d192e0431c7b754cf9db2306acb01fbe4068a14)
|
|
(This used to be commit a59ea1d6d32337226f6099eefd19681fb28279c0)
|
|
things at the *front* of the list). Add more debug. Still broken.. :-(.
Jeremy.
(This used to be commit dd9251e6f51f229ca1fab23d9b06f5bb68644fab)
|
|
* check negative connection cache before ads_try_connect()
in ads_find_dc()
(This used to be commit 2a76101a3a31f5fca2f444b25e3f0486f7ef406f)
|
|
(This used to be commit ef978bd851431da373e005177504dbef2611cf4f)
|
|
*) consolidates the dc location routines again (dns
and netbios) get_dc_list() or get_sorted_dc_list()
is the authoritative means of locating DC's again.
(also inludes a flag to get_dc_list() to define
if this should be a DNS only lookup or not)
(however, if you set "name resolve order = hosts wins"
you could still get DNS queries for domain name IFF
ldap_domain2hostlist() fails. The answer? Fix your DNS
setup)
*) enabled DOMAIN<0x1c> lookups to be funneled through
resolve_hosts resulting in a call to ldap_domain2hostlist()
if lp_security() == SEC_ADS
*) enables name cache for winbind ADS backend
*) enable the negative connection cache for winbind
ADS backend
*) removes some old dead code
*) consolidates some duplicate code
*) moves the internal_name_resolve() to use an IP/port pair
to deal with SRV RR dns replies. The namecache code
also supports the IP:port syntax now as well.
*) removes 'ads server' and moves the functionality back
into 'password server' (which can support "hostname:port"
syntax now but works fine with defaults depending on
the value of lp_security())
(This used to be commit d7f7fcda425bef380441509734eca33da943c091)
|
|
The functions are unchanged. Next step is to make idmap_ldap use them.
Andrew Bartlett
(This used to be commit 57617a0f8c84f9ced4df2901811ce5a5a5ae005e)
|
|
I think the lesson to take away here is that refactoring configure.in
is a hazardous task and should only be attempted if you have a lot
of time and patience!
(This used to be commit 5ba121ac9d75de72261521cb1066ed585b68c307)
|
|
Clean up the init a little bit, less nested if-statements.
Agreed upon with Simo.
Volker
(This used to be commit fdcfefd7f1be55307ccd59290efd249981198e1e)
|
|
Set back 3.0 to use only winbindd_idmap.tdb as idmap database as told on
samba-technical.
Tested and working so far.
(This used to be commit e154e50fed8968567f75fcd581de2b41914ea2c1)
|
|
I think we are done with MIT Kerberos for the moment. The Heimdal detection
looks like it has been broken for ages so it's next on the list.
(This used to be commit 7690a722f99485f717215787db168f6878422f2f)
|
|
detection. On Solaris 9 extra libraries -lber and -lresolv are
required for Kerberos tests. We used to have an extra check for
-lresolv only but I think the correct solution is not to forget about it
in the first place.
This should fix bug #125 although I don't have access to a
system to test it out on.
(This used to be commit 4ddfab4a572782cd83588eff4fbb599f6c4e770c)
|
|
Jeremy.
(This used to be commit a118648d9505d54850ffad1e9ce7a2c3d279df9f)
|
|
Jeremy.
(This used to be commit 705915d9f71504f8ae04444352c80811c5a6f1ac)
|
|
causes mapping to dissapear...
Jeremy.
(This used to be commit bdffc81c9d1eeab26e4dba017a99bb9cc9131493)
|
|
branch.
Jeremy.
(This used to be commit 19629b41cb9b5e5f9e0d4a6d52af983a4d05c8cb)
|
|
Jeremy.
(This used to be commit a411923aa2eba9dac49efb68ed31650c11b5c33d)
|
|
Reviewed by vl, metze.
Andrew Bartlett
(This used to be commit 9804ad458ad35c9ea7de3e2e86bf8b2f85ae6533)
|
|
(This used to be commit 73e13b9bafa070a1dceaf21a0e098dda207ba7fd)
|
|
pre-2.2.4 tdb database format.
tx volker for your work on this
(This used to be commit 2bdbeb9e97a59ecd16f74fbb04ab5ca57b28a757)
|
|
when we have already decided that we can't do it.
(This used to be commit db792ed530da4e040084d4b42b716ffdcdd13bd3)
|
|
explicitly
configured using --with-ads then give an error, otherwise fall back to compiling
without ADS.
Tested on redhat 8.0 with and without MIT kerberos packages installed. Metze,
let me know if this is working OK for you now!
(This used to be commit 7ea81535b8180314acbf0873104a8c942ce4ec14)
|
|
the requested parts of the ACL.
Jeremy.
(This used to be commit c35a88201c619f0ebbaf38adbd0ec2af77e23981)
|
|
Jeremy.
(This used to be commit 076d9a3c9bc264d9456a67da9366bd73d3ce69d5)
|