Age | Commit message (Collapse) | Author | Files | Lines |
|
pieces that
can be taken out of it, so I decided to commit this in one lump. It changes
the passdb enumerating functions to use ldap paged results where possible. In
particular the samr calls querydispinfo, enumdomusers and friends have
undergone significant internal changes. I have tested this extensively with
rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will
follow later.
The code is based on a first implementation by Günther Deschner, but has
evolved quite a bit since then.
Volker
(This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
|
|
1. using smbc_getxattr() et al, one may now request all access control
entities in the ACL without getting all other NT attributes.
2. added the ability to exclude specified attributes from the result set
provided by smbc_getxattr() et al, when requesting all attributes,
all NT attributes, or all DOS attributes.
3. eliminated all compiler warnings, including when --enable-developer
compiler flags are in use. removed -Wcast-qual flag from list, as that
is specifically to force warnings in the case of casting away qualifiers.
Note: In the process of eliminating compiler warnings, a few nasties were
discovered. In the file libads/sasl.c, PRIVATE kerberos interfaces
are being used; and in libsmb/clikrb5.c, both PRIAVE and DEPRECATED
kerberos interfaces are being used. Someone who knows kerberos
should look at these and determine if there is an alternate method
of accomplishing the task.
(This used to be commit 994694f7f26da5099f071e1381271a70407f33bb)
|
|
"qualifiers". The
whole of samba comiles warning-free with the default compiler flags.
Temporarily defined -Wall to locate other potential problems. Found an
unused static function (#ifdefed out rather than deleted, in case it's
needed for something in progress).
There are also a number of uses of undeclared functions, mostly krb5_*.
Files with these problems need to have appropriate header files included,
but they are not fixed in this update.
oplock_linux.c.c has undefined functions capget() and capset(), which need
to have "#undef _POSIX_SOURCE" specified before including <sys/capability.h>,
but that could potentially have other side effects, so that remains uncorrected
as well.
The flag -Wall should be added permanently to CFLAGS, and all warnings then
generated should be eliminated.
(This used to be commit 5b19ede88ed80318e392f8017f4573fbb2ecbe0f)
|
|
(This used to be commit 67f8a1e3bc545d4ebbe0f7d05ea16c6231f2e82c)
|
|
use AF_UNIX instead of AF_LOCAL (thanks to Doug VanLeuven
<roamdad-at-sonic.net>) and make smbldap_open() a bit more readable.
Guenther
(This used to be commit 526d6a9493cd091f2a9b8e072f11e673133fe5c1)
|
|
LDAP-Server.
Guenther
(This used to be commit 8017a7a150023dc3353181f7737b2363d38593fa)
|
|
*attr[]. This
gives some new warnings in smbldap.c, but a the callers are cleaned up.
Volker
(This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
|
|
passdb in 3_0 (they are still in trunk).
Guenther
(This used to be commit fdf9bdbbac1d8d4f3b3e1fc7e49c1e659b9301b1)
|
|
Guenther
(This used to be commit d433c7b476005064b9cfd339bbd8a25b40de59c1)
|
|
Does automated migration from account_policy.tdb v1 and v2 and offers a
pdbedit-Migration interface. Jerry, please feel free to revert that if
you have other plans.
Guenther
(This used to be commit 75af83dfcd8ef365b4b1180453060ae5176389f5)
|
|
controls or extensions.
* Check and remember if ldapsam's LDAP Server support paged results
(in preparation of adding async paged-results to set|get|end-sampwent in
ldapsam).
Guenther
(This used to be commit ced58bd8849cdef78513674dff1b1ec331945aa9)
|
|
(This used to be commit 4b351f2fcc365a7b7f8c22b5139c299aa54c9458)
|
|
retry-loop.
This fixes a deadlock-situation when ldapsam is used with the ldapi
interface: getpeername won't fail while trying to detect dead
connections on unix domain sockets. When the ldapi-connection was closed
server-side (due to OpenLDAP's idletimeout) we *never* got a new LDAP
connection.
Guenther
(This used to be commit ac8032bacff10451fa03f155d43f0d20389512fa)
|
|
allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
|
|
session
setups on its way to open a pipe. This gets rid of many round-trips to the
LDAP server during logon by setting up the server_info_guest once and not
asking the LDAP server and nss every time. Make sure that the ldap connection
is reopened in the child. (I did not look at the sql backends.)
Volker
(This used to be commit 3298f6105e6a88c9390cac02245c8f2eee1e5046)
|
|
Volker
(This used to be commit ef057e9534cc3713d3bcd7427cf34c74f7e3ea13)
|
|
attributes to
delete.
Richard, IMHO this is the better solution to the problem you currently
have. Please review.
Thanks,
Volker
(This used to be commit 6957d6a8921fbd97747258249d99b505a79cfcb4)
|
|
but this
definitely fixes two segfaults.
Volker
(This used to be commit 270740189995c56c4d0341aeded364efffec86f2)
|
|
logon hours attributes in an LDAP database.
Jeremy.
(This used to be commit dac72638fb3a05e805136698e0ad0612620ac8af)
|
|
coding have passed, but I could not find a way to get the OpenLDAP libraries
to reliably time out on any of the queries we make, *and* get correct error
returns. No, async calls and ldap_result does NOT work, or I was simply too
stupid to correctly interpret the OpenLDAP manpage and source.
We can not allow to hang indefinitely in an ldap query, especially not for
winbindd. "ldap timeout" now specifies the overall timeout for the complete
operation, that's why I increased that to 15 seconds.
Volker
(This used to be commit 269f0750872e5f8757e0a9667e007a0410319fcd)
|
|
core dump) but compiles and links correctly. I will run the full set of
tests on the ldap sam and the tdb sam for password history tomorrow.
Jeremy.
(This used to be commit ac846420d0ef2c60d2dc71319b24401c73699249)
|
|
"Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to
linearised pstring due to ordering issues. A few other changes to
fix race conditions. I will add the tdb backend code next. This code
compiles but has not yet been tested with password history policy
set to greater than zero. Targeted for 3.0.6.
Jeremy.
(This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
|
|
sleep time is not more than 5 seconds. Should fix issue
reported by Chris Garrigues <cwg@deepeddy.com>.
Jeremy.
(This used to be commit fbc06831d3a7e8645409158ee1ae1f9f192913a7)
|
|
add a timeout to the ldap open calls. New parameter, ldap timeout
added.
Jeremy.
(This used to be commit e5b3094c4cc75eb07f667dd1aeb73921ed7366ac)
|
|
(This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
|
|
cache entry time comparisons in password lockout. Fixes problems where
pdb_ldap tries to delete the operational attribute modifyTimestamp when
deleting a user account.
(This used to be commit 5ebcb9081e435d54c39d4d3a1ef1d7b651ccb53f)
|
|
bad time locally, updating the directory only for hitting the policy limit
or resetting.
This needed to be done at the passdb level rather than auth, because some
of the functions need to be supported from tools such as pdbedit. It was
done at the LDAP backend level instead of generically after discussion,
because of the complexity of inserting it at a higher level.
The login cache read/write/delete is outside of the ldap backend, so it could
easily be called by other backends. tdbsam won't call it for obvious
reasons, and authors of other backends need to decide if they want to
implement it.
(This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
|
|
"allow_bad_conv"
boolean parameter that allows broken iconv conversions to work. Gets rid of the
nasty errno checks in mangle_hash2 and check_path_syntax and allows correct
return code checking.
Jeremy.
(This used to be commit 7b96765c23637613f079d37566d95d5edd511f05)
|
|
I know this isn't pretty, but neither was our assumption that all strings
from the directory fit inside a pstring. There was no way this worked
before will all versions of usrmgr (for example, the only version of
mine that has the TS Confic button).
(This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
|
|
(This used to be commit e6e8b59f53d5ac618dcec13a46c356f0abe5950a)
|
|
(This used to be commit 4319df7fdc2d878c509381923cc1db4d731620ba)
|
|
(This used to be commit 003318939f7e476f5f2a5f345e8a81a228fc89a7)
|
|
Andrew Bartlett
(This used to be commit 128c328ddbc9f2283badde95ce743e696f94f6a4)
|
|
value in the previous code.
Andrew Bartlett
(This used to be commit c97d3eb1622ee25c24b0cd81b65ec7d4b854e604)
|
|
(This used to be commit 7d7a262f45182e67daecdca49df85445c2b9700a)
|
|
- Fill in the 'backup' idea of a domain, if the DC didn't supply one. This
doesn't seem to occour in reality, hence why we missed the typo.
lib/charcnv.c:
lib/smbldap.c:
libads/ldap.c:
libsmb/libsmbclient.c:
printing/nt_printing.c:
- all the callers to pull_utf8_allocate() pass a char ** as the first
parammeter, so don't make them all cast it to a void **
nsswitch/winbind_util.c:
- Allow for a more 'correct' view of when usernames should be qualified
in winbindd. If we are a PDC, or have 'winbind trusted domains only',
then for the authentication returns stip the domain portion.
- Fix valgrind warning about use of free()ed name when looking up our
local domain. lp_workgroup() is maniplated inside a procedure that
uses it's former value. Instead, use the fact that our local domain is
always the first in the list.
Andrew Bartlett
(This used to be commit 494781f628683d6e68e8ba21ae54f738727e8c21)
|
|
This patch will change order how attributes are modified
from: add, delete
to: delete, add
This is needed to update single valued attributes in Novell NDS and
should not harm anyone else.
(This used to be commit fabf80169079483a1378aa0177d8d8335bd98bb3)
|
|
While writing documentation for metze's patch, it became clear that this is a
better name.
Andrew Bartlett
(This used to be commit 6f828ff3d3622c56ee732b976e7ab90b7897a8d3)
|
|
When smb.conf tells us to write to a read-only LDAP replica and we are
redirected by the LDAP server, the replication might take some seconds,
especially over slow links. This patch delays the next read after a rebind for
'ldap rebind sleep' milliseconds.
Metze, thanks for your patience.
Volker
(This used to be commit 63ffa770b67d700f138d19b4982da152f57674fc)
|
|
to have ldap_initialize.
Thanks to abartlet for the fix (and the bug in the first place ;-))
Volker
(This used to be commit 17473a65eb119ca2240b40a8c029d9a499cde177)
|
|
(This used to be commit 1c3c16abc94d197e69e3350de1e5cc1e99be4322)
|
|
Jeremy.
(This used to be commit ad06edd1bb58cc5e2c38a364b1af96a933b770af)
|
|
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at
all and I really want to discourage that.
Jeremy.
(This used to be commit d7e35dfb9283d560d0ed2ab231f36ed92767dace)
|
|
so I'm putting it back in.
(This used to be commit ec49fc8ab73b26f86da155475df90843650f0e63)
|
|
(This used to be commit 299eb0abd36072af51cbcb761fa9fb6a77584585)
|
|
values.
Jeremy.
(This used to be commit 41e4479aa9f186d68300086984d6f4c8f9fd2a27)
|
|
to/from utf8 for some calls. The libads code gets this right. Wonder why
the passdb code doesn't use it ?
Jeremy.
(This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
|
|
* bug #280 (my fault) - initialize sambaNextUserRid and
sambaNextGroupRid
* Unix users shared vis LDAP or NIS between a samba domain member
of a Samba domain are not seen as domain users on the member servers.
not as local users.
(This used to be commit a030fa373aefde8628def54ca8152f237a0467dc)
|
|
to pstr_sprintf() and fstr_sprintf() to try to standardize.
lots of snprintf() calls were using len-1; some were using
len. At least this helps to be consistent.
(This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
|
|
Not strictly a bugfix, but it should considerably reduce the load we
put on LDAP servers given that at least nss_ldap on Linux keeps a
connection open.
And it should also stress our reconnect-code a bit more ;-)
Thanks to metze for this!
Volker
(This used to be commit e68d8eabeb9c64dc45d057619f9b3dd0cd507444)
|