| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
shadowed variable warnings. Fix that.
Volker
(This used to be commit 3846c0afa1db96239b3aaf2e7ee2427b48f6e2f0)
|
|
POSIX
homedirectory and the loginshell from Active Directory's "Services for Unix".
Enable it with:
winbind sfu support = yes
User-Accounts without SFU-Unix-Attributes will be assigned template-based
Shells and Homedirs as before.
Note that it doesn't matter which version of Services for Unix you use (2.0,
2.2, 3.0 or 3.5). Samba should detect the correct attributes (msSFULoginShell,
msSFU30LoginShell, etc.) automatically.
If you also want to share the same uid/gid-space as SFU then also use PADL's
ad-idmap-Plugin:
idmap backend = ad
When using the idmap-plugin only those accounts will appear in Name Service
Switch that have those UNIX-attributes which avoids potential uid/gid-space
clashes between SFU-ids and automatically assigned idmap-ids.
Guenther
(This used to be commit 28b59699425b1c954d191fc0e3bd357e4a4e4cd8)
|
|
Volker to commit. Woo Hoo !
Jeremy.
(This used to be commit 316df944a456f150944761dab34add5e8c4ab699)
|
|
1. using smbc_getxattr() et al, one may now request all access control
entities in the ACL without getting all other NT attributes.
2. added the ability to exclude specified attributes from the result set
provided by smbc_getxattr() et al, when requesting all attributes,
all NT attributes, or all DOS attributes.
3. eliminated all compiler warnings, including when --enable-developer
compiler flags are in use. removed -Wcast-qual flag from list, as that
is specifically to force warnings in the case of casting away qualifiers.
Note: In the process of eliminating compiler warnings, a few nasties were
discovered. In the file libads/sasl.c, PRIVATE kerberos interfaces
are being used; and in libsmb/clikrb5.c, both PRIAVE and DEPRECATED
kerberos interfaces are being used. Someone who knows kerberos
should look at these and determine if there is an alternate method
of accomplishing the task.
(This used to be commit 994694f7f26da5099f071e1381271a70407f33bb)
|
|
(This used to be commit f3f315b14d261fa56ab040db036a6f858ac06e65)
|
|
(This used to be commit cc6c769c3c26164919dd13777d671abe02c084d9)
|
|
netbios = yes'
(This used to be commit 75a223f1188ae0041c9e3c748af107d642f73810)
|
|
(This used to be commit 9019a8436162d3606f6b8584701b0832cf5a7439)
|
|
Make all LDAP timeouts consistent.
Jeremy.
(This used to be commit 0f0281c2348b10ffdea744ecade6b2be0814c872)
|
|
<buckh@pobox.com>
Jeremy.
(This used to be commit 5c22cb082c86088add0db21541a8079c516c9fd9)
|
|
allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
|
|
Volker
(This used to be commit fc454c8ef6321fba9efa42a704c8e8c707361af3)
|
|
Check for malloc fail. Fixes for bug #2036.
Jeremy.
(This used to be commit b815247747214ba413c054746e9732d5f2b10535)
|
|
interop.
Modified the redhat patch some...
Jeremy.
(This used to be commit 2ae717cd2c876649464f91093e55bed64ac5588d)
|
|
Jeremy.
(This used to be commit 0f3f7b035b37bfc51d3a59d0472003c3d4ac1511)
|
|
User-, Group- and Machine-Accounts in Active Directory (this got lost
during the last trunk-merge).
This way we match e.g. default containers moved by redircmp.exe and
redirusr.exe in Windows 2003 and don't blindly default to cn=Users or
cn=Computers.
Further wkguids can be examied via "net ads search wellknownobjects=*".
This should still keep a samba3-client joining a samba4 dc. Fixes
Bugzilla #1343.
Guenther
(This used to be commit 8836621694c95779475fa9a1acf158e5e0577288)
|
|
winbindd (lookup_name() only works with the sAMAccountName) -- *please* test this change. My tests all pass but there is probably something I missed
(This used to be commit 2bf08aaa37f41681b3154514792bf29a3abfdbfd)
|
|
userPrincipalName value (host/hostname@REALM) and not the servicePrincipalName (host/fqdn@REALM) in the SASL binds
(This used to be commit 959da6e176da9f6a687265e50489b7db3d6712c0)
|
|
(This used to be commit b7267121af45d7173c310299bb52ae031ae1d501)
|
|
add a timeout to the ldap open calls. New parameter, ldap timeout
added.
Jeremy.
(This used to be commit e5b3094c4cc75eb07f667dd1aeb73921ed7366ac)
|
|
Can't fix the krb5 memory leaks inside that library :-(.
Jeremy.
(This used to be commit ad440213aaae58fb5bff6e8a6fcf811c5ba83669)
|
|
haven't broken krb5 ticket verification in the mainline code path,
also need to check with valgrind. Everything now compiles (MIT, need
to also check Heimdal) and the "net keytab" utility code will follow.
Jeremy.
(This used to be commit f0f2e28958cb9abfed216c71f291f19ea346d630)
|
|
Jeremy.
(This used to be commit 9647394e7c79c81ac4cf276a2c4b9e16eb053ec2)
|
|
Jeremy.
(This used to be commit ac501348f473045a7846ffd9bc6b9eb4682b8987)
|
|
(This used to be commit 911a28361b9d8dd50597627f245ebfb57c6294fb)
|
|
hardcoded into it.
This didn't matter, as we only use it for 'member' so far...
Andrew Bartlett
(This used to be commit 8621899112e720411715ea53558d5146ff04eeb0)
|
|
(This used to be commit 3a4c56e4c60854bbd291adc7d321d3869e6dedab)
|
|
This introduces range retrieval of ADS attributes.
VL rewrote most of Günther's patch, partly to remove code duplication and
partly to get the retrieval of members in one rush, not interrupted by the
lookups for the DN.
I rewrote that patch, to ensure that we can keep an eye on the USN
(sequence number) of the entry - this allows us to ensure the read was
atomic.
In particular, the range retrieval is now generic, for strings. It
could easily be made generic for any attribute type, if need be.
Andrew Bartlett
(This used to be commit 131bb928f19c7b1f582c4ad9ac42e5f3d9dfb622)
|
|
Volker
(This used to be commit 0c8ee04c78543b1da3b675df4cf85ee5496c3fbf)
|
|
This introduces range retrieval of ADS attributes.
I've rewritten most of Günther's patch, partly to remove code duplication and
partly to get the retrieval of members in one rush, not interrupted by the
lookups for the DN.
Andrew, you told me that you would like to see a check whether the AD sequence
number is the same before and after the retrieval to achieve atomicity. This
would be trivial to add, but I'm not sure that we want this, as this adds two
roundtrips to every membership query. We can not know before the first query
whether we get additional range values, and at that point it's too late to ask
for the USN.
Tested with a group of 4000 members along with lots of small groups.
Volker
(This used to be commit 9d8235bf413f931e40bca0c27a25ed62b4f3d226)
|
|
- Fill in the 'backup' idea of a domain, if the DC didn't supply one. This
doesn't seem to occour in reality, hence why we missed the typo.
lib/charcnv.c:
lib/smbldap.c:
libads/ldap.c:
libsmb/libsmbclient.c:
printing/nt_printing.c:
- all the callers to pull_utf8_allocate() pass a char ** as the first
parammeter, so don't make them all cast it to a void **
nsswitch/winbind_util.c:
- Allow for a more 'correct' view of when usernames should be qualified
in winbindd. If we are a PDC, or have 'winbind trusted domains only',
then for the authentication returns stip the domain portion.
- Fix valgrind warning about use of free()ed name when looking up our
local domain. lp_workgroup() is maniplated inside a procedure that
uses it's former value. Instead, use the fact that our local domain is
always the first in the list.
Andrew Bartlett
(This used to be commit 494781f628683d6e68e8ba21ae54f738727e8c21)
|
|
re-used, rather than created from scratch.
Jeremy.
(This used to be commit 6d46e66ac2048352ca60f92fc384f60406024d4b)
|
|
Volker
(This used to be commit 94860687c535ace0c962ca3fe7da59df05325c62)
|
|
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at
all and I really want to discourage that.
Jeremy.
(This used to be commit d7e35dfb9283d560d0ed2ab231f36ed92767dace)
|
|
down; bug 437
(This used to be commit 1cfbd92404270e0c67a3b295fc9cf461b29d3503)
|
|
to/from utf8 for some calls. The libads code gets this right. Wonder why
the passdb code doesn't use it ?
Jeremy.
(This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
|
|
already have ads_search_retry() for this. However, neither
domain_sid() nor sequence_nunber() used this function. So modify
them to us ads_do_search_retry() so we can specify the base search
DN and scope.
(This used to be commit 89f6adf830187d020bf4b35d1a4b2b48c7a075d0)
|
|
(This used to be commit ae452e51b02672a56adf18aa7a7e365eeaba9272)
|
|
(This used to be commit c9b209be2b17c2e4677cc30b46b1074f48878f43)
|
|
* use DsEnumerateDomainTrusts() instead of LDAP search.
wbinfo -m now lists all trusted downlevel domains and
all domains in the forest.
Thnigs to do:
o Look at Krb5 connection trusted domains
o make sure to initial the trusted domain cache as soon
as possible
(This used to be commit 0ab00ccaedf204b39c86a9e1c2fcac5f15d0e033)
|
|
(This used to be commit 6edc7e0a744a5d8c6332758b800a2646ef16dd77)
|
|
(This used to be commit 83376671c511be4bb10d3fca8e49e5f6ef792b9c)
|
|
treating the returned message id as an error code.
(This used to be commit 42fdcef324d7a04e69c0078482e1a6b8a67ade94)
|
|
strupper_m/strlower_m.
I really want people to think about when they're using multibyte strings.
Jeremy.
(This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
|
|
(This used to be commit ae6c05ea726da13fc1a18398d1ffe56f34e1edb9)
|
|
* check negative connection cache before ads_try_connect()
in ads_find_dc()
(This used to be commit 2a76101a3a31f5fca2f444b25e3f0486f7ef406f)
|
|
*) consolidates the dc location routines again (dns
and netbios) get_dc_list() or get_sorted_dc_list()
is the authoritative means of locating DC's again.
(also inludes a flag to get_dc_list() to define
if this should be a DNS only lookup or not)
(however, if you set "name resolve order = hosts wins"
you could still get DNS queries for domain name IFF
ldap_domain2hostlist() fails. The answer? Fix your DNS
setup)
*) enabled DOMAIN<0x1c> lookups to be funneled through
resolve_hosts resulting in a call to ldap_domain2hostlist()
if lp_security() == SEC_ADS
*) enables name cache for winbind ADS backend
*) enable the negative connection cache for winbind
ADS backend
*) removes some old dead code
*) consolidates some duplicate code
*) moves the internal_name_resolve() to use an IP/port pair
to deal with SRV RR dns replies. The namecache code
also supports the IP:port syntax now as well.
*) removes 'ads server' and moves the functionality back
into 'password server' (which can support "hostname:port"
syntax now but works fine with defaults depending on
the value of lp_security())
(This used to be commit d7f7fcda425bef380441509734eca33da943c091)
|
|
* move back to qsort() for sorting IP address in get_dc_list()
* remove dc_name_cache in cm_get_dc_name() since it slowed
things down more than it helped. I've made a note of where
to add in the negative connection cache in the ads code.
Will come back to that.
* fix rpcclient to use PRINTER_ALL_ACCESS for set printer (instead
of MAX_ALLOWED)
* only enumerate domain local groups in our domain
* simplify ldap search for seqnum in winbindd's rpc backend
(This used to be commit f8cab8635b02b205b4031279cedd804c1fb22c5b)
|
|
otherwise we can segv or return garbage
(This used to be commit d1316656b03e2bc85263b65d24977923ee6f39b7)
|
|
versions. Fixes bug #154.
(This used to be commit 986eae40f7669d15dc75aed340e628aa7efafddc)
|
