Age | Commit message (Collapse) | Author | Files | Lines |
more scalable:
The most efficient way is to use the "tokenGroups" attribute which gives
the nested group membership. As this attribute can not always be
retrieved when binding with the machine account (the only guaranteed way
to get the tokenGroups I could find is when the machine account is a
member of the "Pre Win2k Access" builtin group).
Our current fallback when "tokenGroups" failed is looking for all groups
where the userdn was in the "member" attribute. This does not behave very
well in very large AD domains.
The patch first tries the "memberOf" attribute on the user's dn in that
case and directly retrieves the group SIDs by using the LDAP Extended
DN control from the user's object.
The way to pass down the control to the ldap search call is rather
painful and probably will be rearranged later on.
Successfully tested on win2k sp0, win2k sp4, win2k3 sp1 and win2k3 r2.
Guenther
(This used to be commit 7d766b5505e4099ef7dd4e88bb000ebe38d71bd0)
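As an added illustration of the two lookup paths in the message above (example code written for this page, not Samba's own): a tokenGroups value is a binary SID, and under the LDAP Extended DN control (OID 1.2.840.113556.1.4.529) each memberOf value carries the group's GUID and, for security principals, its SID in front of the DN, so the group SIDs can be read without a second search per group. The directory values below are constructed for the example; the GUIDs, SIDs and DNs are not from any real domain.

```python
import re
import struct

# Constructed sample data (not captured from a real domain).
# A tokenGroups value is a binary SID: revision byte, sub-authority count byte,
# 48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities.
def _binary_sid(*subs):
    return b"\x01" + bytes([len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

SAMPLE_TOKEN_GROUPS = [
    _binary_sid(21, 1, 2, 3, 513),
    _binary_sid(21, 1, 2, 3, 512),
]

# memberOf values as returned with the Extended DN control.  Flag 1 gives the
# string form, flag 0 gives GUID and SID as hex; both shapes are shown, plus an
# object that is not a security principal and therefore has no <SID=...> part.
SAMPLE_MEMBER_OF = [
    "<GUID=0c1f4e1a-8b2d-4f6e-9a3b-2d4c5e6f7a8b>;<SID=S-1-5-21-1-2-3-512>;"
    "CN=Domain Admins,CN=Users,DC=example,DC=com",
    "<GUID=1a2b3c4d5e6f708192a3b4c5d6e7f809>;<SID=" + _binary_sid(21, 1, 2, 3, 1105).hex() + ">;"
    "CN=Linux Admins,OU=Groups,DC=example,DC=com",
    "<GUID=9e8d7c6b-5a49-4837-2615-0403f2e1d0c9>;CN=Not A Principal,OU=Stuff,DC=example,DC=com",
]

EXTDN_RE = re.compile(r"^<GUID=(?P<guid>[^>]+)>;(?:<SID=(?P<sid>[^>]+)>;)?(?P<dn>.*)$")


def sid_bytes_to_string(blob: bytes) -> str:
    """Decode a binary SID (tokenGroups/objectSid format) to S-1-... form."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, sub_count = blob[0], blob[1]
    if revision != 1 or sub_count > 15 or len(blob) != 8 + 4 * sub_count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, blob, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def parse_extended_dn(value: str) -> dict:
    """Split '<GUID=...>;<SID=...>;DN' into parts; a hex SID is normalised to string form."""
    m = EXTDN_RE.match(value)
    if not m:
        raise ValueError("not an extended DN: %r" % value)
    sid = m.group("sid")
    if sid is not None and not sid.startswith("S-"):
        sid = sid_bytes_to_string(bytes.fromhex(sid))
    return {"guid": m.group("guid"), "sid": sid, "dn": m.group("dn")}


def group_sids_from_token_groups(values) -> list:
    """Nested group SIDs as the server computed them (tokenGroups path)."""
    return [sid_bytes_to_string(v) for v in values]


def group_sids_from_member_of(values) -> list:
    """Direct group SIDs from extended-DN memberOf values; entries without a SID are skipped."""
    out = []
    for v in values:
        sid = parse_extended_dn(v)["sid"]
        if sid is not None:
            out.append(sid)
    return out


if __name__ == "__main__":
    print(group_sids_from_token_groups(SAMPLE_TOKEN_GROUPS))
    print(group_sids_from_member_of(SAMPLE_MEMBER_OF))
```

One caveat worth keeping in mind when relying on the memberOf fallback: memberOf holds direct memberships only and never includes the user's primary group or groups reached through nesting, so it is cheaper than walking "member" but strictly less complete than tokenGroups.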
Expand the "winbind nss info" to also take "rfc2307" to support the
plain posix attributes LDAP schema from win2k3-r2.
This work is based on patches from Howard Wilkinson and Bob Gautier
(and closes bug #3345).
Guenther
(This used to be commit 52423e01dc209ba5abde808a446287714ed11567)
Guenther
(This used to be commit ec26c355b3ef1d3d809c4fbe911ce6fcef5db955)
(This used to be commit 53f7104b4fbb4f59c18458f589e25e7b536642cb)
Re-add the capability to specify an OU in which to create
the machine account. Done via LDAP prior to the RPC join.
(This used to be commit b69ac0e30441faea7a7d677b6bb551aa8ffbf55d)
* replace printf to stderr with DEBUG statements as they get printed in
daemons
* "net ads lookup" return code
Guenther
(This used to be commit 8dd925c5fbfcbe711c596d08e8eadc19607d5492)
unavailable; use "ldap timeout" handling.
Jerry, please check.
Guenther
(This used to be commit 821bbb4566c4b3f9798054ed3bf772db0c9ae3f2)
(This used to be commit 18f2e1a4e19a83afec6573a020f3a913f07d19dc)
The motivating factor is to not require more privileges for
the user account than Windows does when joining a domain.
The points of interest are
* net_ads_join() uses same rpc mechanisms as net_rpc_join()
* Enable CLDAP queries for filling in the majority of the
ADS_STRUCT->config information
* Remove ldap_initialized() from sam/idmap_ad.c and
libads/ldap.c
* Remove some unnecessary fields from ADS_STRUCT
* Manually set the dNSHostName and servicePrincipalName attribute
using the machine account after the join
Thanks to Guenther and Simo for the review.
Still to do:
* Fix the userAccountControl for DES only systems
* Set the userPrincipalName in order to support things like
'kinit -k' (although we might be able to just use the sAMAccountName
instead)
* Re-add support for pre-creating the machine account in
a specific OU
(This used to be commit 4c4ea7b20f44cd200cef8c7b389d51b72eccc39b)
prevents a nasty failure condition in winbindd's pam_auth where a tgt
and a service ticket could have been successfully retrieved, but just not
validated.
Guenther
(This used to be commit a75dd80c6210d01aff104a86b0a9d39d65f2c348)
ldap_get_values_len, because they were handed a NULL msgs pointer, for
example in ads_pull_sid().
This occurs when the AD server fails at the connect stage. (The
troubled AD server is actually Samba4 in my example).
Andrew Bartlett
(This used to be commit 221a6de7d028f5c9bb9da038650868582d44e7e5)
(This used to be commit 43f5d09a164ae111807222bdcbef949206766097)
host)
(This used to be commit b0160f893393a446927c751961d101ddbcba4db4)
locating AD DCs with our own DNS SRV queries.
Testing on Linux and Solaris.
(This used to be commit cf71f88a3cdcabf99c0798ef4cf8c978397a57eb)
Guenther
(This used to be commit f4af888282ff39665f186550b9ccbbf7a9128fc2)
mess, but there is no way to get NTSTATUS from the edata yet).
Guenther
(This used to be commit be2bd3945c057a4ad72251f809cffbe4694a7e3d)
sid"); works in all AD versions I tested. Also add "net ads sid" search
tool.
Guenther
(This used to be commit 5557ada6943b817d28a5471c613c7291febe2ad5)
Guenther
(This used to be commit 2922c7f5704e3cfcc80dc648bb3d6d9aa80aaf37)
kerberized pam_winbind and workstation restrictions are in effect.
The krb5 AS-REQ needs to add the host netbios-name in the address-list.
We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from
the edata of the KRB_ERROR but the login at least fails when the local
machine is not in the workstation list on the DC.
Guenther
(This used to be commit 8b2ba11508e2730aba074d7c095291fac2a62176)
smb_krb5_parse_name_norealm_conv that pull/push from unix charset
to utf8 (which krb5 uses on the wire). This should fix issues when
the unix charset is not compatible with or set to utf8.
Jeremy.
(This used to be commit 37ab42afbc9a79cf5b04ce6a1bf4060e9c961199)
I had to eliminate "\" as an OU path separator, because it is the escape
char in LDAP. We still accept "/", but using the escape char is just
not a good choice.
(This used to be commit 1953f63903e64e0a33eb981c51b8ca4beb673af2)
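To make the point about the separator concrete, here is an added example (not Samba code) that turns a "/"-separated OU path into the DN under which a machine account would be created, escaping each component per RFC 4514. The base DN and OU names are made up for the example. With "/" as the path separator a backslash inside a component is just another character to escape, whereas with "\" as the separator there would be no way to tell "Sales\, EMEA" the escaped comma from "Sales\" followed by a child OU.

```python
# Characters that must be backslash-escaped inside an RDN attribute value (RFC 4514).
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN.

    Besides the special characters, a leading space or '#' and a trailing
    space must be escaped so the value survives DN parsing unchanged.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ou_path_to_dn(path: str, base_dn: str, sep: str = "/") -> str:
    """Turn 'Top/Middle/Leaf' into 'OU=Leaf,OU=Middle,OU=Top,<base_dn>'.

    The separator defaults to '/'; a backslash is refused because it is the
    LDAP escape character, so it could not be told apart from escaping inside
    a component.  An empty path means the base DN itself.
    """
    if sep == "\\":
        raise ValueError("backslash is the LDAP escape character; use '/' as the separator")
    parts = [p for p in path.split(sep) if p != ""]
    if not parts:
        return base_dn
    # The path is written top-down; a DN is written leaf-first.
    rdns = ["OU=" + escape_rdn_value(p) for p in reversed(parts)]
    return ",".join(rdns) + "," + base_dn


if __name__ == "__main__":
    base = "DC=example,DC=com"  # assumed base DN for the example
    print(ou_path_to_dn("Servers/Linux Boxes", base))
    print(ou_path_to_dn("Sales, EMEA/Laptops", base))
```

The second call prints `OU=Laptops,OU=Sales\, EMEA,DC=example,DC=com`: the comma inside the OU name is escaped, while the commas separating RDNs are not.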
Guenther
(This used to be commit 90df68634b508b0a58f0a15ab62e9cead85765b6)
We were using a far too short renewable_time in the request; newer MIT
releases take care internally that the renewable time is never shorter
than the default ticket lifetime.
Guenther
(This used to be commit bde4a4018e26bc9aab4b928ec9811c05b21574f3)
kerberos_kinit_password_ext provides access to more options.
Guenther
(This used to be commit afc519530f94b420b305fc28f83c16db671d0d7f)
krb5_rd_req could decrypt the ticket but that ticket is just not valid
at the moment (either not yet valid or already expired). (This also
prevents an MIT kerberos related crash)
Guenther
(This used to be commit 8a0c1933d3f354a8aff67482b8c7d0d1083e0c8f)
I'm disabling it for now until we have an effective
means of dealing with the ticket request flags for users
and computers.
(This used to be commit 635f0c9c01c2e389ca916e9004e9ea064bf69cbb)
Guenther
(This used to be commit 7b1fcb75dadd5ff232d60f93206867cf13322f2e)
more that coverity didn't find from asprintf.
(This used to be commit 37b6e2c8de41754a5a1a3a6f798d57aa5d533ada)
Fix Coverity bug #26. Guard against NULL ref.
Jeremy.
(This used to be commit c0f906ac8de850f4566b6b3be4e3c7d245e6e252)
a possible NULL ptr deref.
Jeremy.
(This used to be commit 78ac3f9cbdabc1df9480f75fb3910a3a108a0e91)
KRB5KRB_ERR_RESPONSE_TOO_BIG when the krb5 library does not know about
this.
Guenther
(This used to be commit 4a1a3c4808307e09fa8ff85da9a963a4a6f0e9ae)
Fix Coverity # 214.
Volker
(This used to be commit 4a75edf9deca2be18670d7f9f2e383ed0898512c)
with an existing account.
Guenther
(This used to be commit e4c12ab167ee83772a2bdd1946b8d73613fc0d7e)
This code was not used anyway :-)
Volker
(This used to be commit bbfb20569380529d60e3c61cd0be63a09eecfd17)
(This used to be commit cbf894c0e37964df57bd6a91ac10dfff571b1b3c)
* Fix a couple of related parsing issues.
* in the info3 reply in a samlogon, return the ACB-flags (instead of
returning zero)
Guenther
(This used to be commit 5b89e8bc24f0fdc8b52d5c9e849aba723df34ea7)
attribute when "winbind nss info = sfu" is set. Fixes #3539.
Guenther
(This used to be commit ffce0461de130828345c44293e564ca03227607d)
(This used to be commit 7b8ea1499124d1e1efe325339419a66ab8885b38)
(This used to be commit bab8c156a464c1beaa022e0026184e0de84c0bf9)
uint8 array and copy as such. Guenther please check (sorry
I reverted your earlier fix).
Jeremy.
(This used to be commit 7a17b39c80703909f102487690d2117d874b0e15)
overrun. Spoke to Jerry about the correct fix. Will add
this after.
Jeremy.
(This used to be commit 33e13aabd3825c59d15dc897536e2ccf8c8f6d5e)
PAC_LOGON_NAME structure. This was broken on big-endian machines
(Solaris SPARC and ppc). Fixes Bug #3330.
Jerry, this should be in 3.0.21c.
Guenther
(This used to be commit 9732490811f8f02ee547ddc6e2694e1122a3a518)
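The endianness problem behind that fix is easy to reproduce in a few lines. The following is an added example, not Samba code: it packs and parses a PAC_LOGON_NAME buffer (an NTTIME logon time, a uint16 byte length, then the account name in UTF-16LE, as in Samba's krb5pac IDL and the PAC_CLIENT_INFO structure of MS-PAC) using an explicit little-endian format, which is what a PAC consumer on SPARC or ppc must do. The account name and logon time are constructed sample values.

```python
import struct

# 100-nanosecond ticks between the NTTIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
_NTTIME_UNIX_OFFSET = 116444736000000000
_TICKS_PER_SECOND = 10_000_000


def nttime_to_unix(nttime: int) -> int:
    return (nttime - _NTTIME_UNIX_OFFSET) // _TICKS_PER_SECOND


def unix_to_nttime(unix_seconds: int) -> int:
    return unix_seconds * _TICKS_PER_SECOND + _NTTIME_UNIX_OFFSET


def pack_logon_name(logon_time_unix: int, account_name: str) -> bytes:
    """Build a PAC_LOGON_NAME buffer: NTTIME, uint16 byte length, UTF-16LE name (no terminator)."""
    name = account_name.encode("utf-16-le")
    if len(name) > 0xFFFF:
        raise ValueError("account name too long for a uint16 length field")
    return struct.pack("<QH", unix_to_nttime(logon_time_unix), len(name)) + name


def parse_logon_name(blob: bytes) -> dict:
    """Parse a PAC_LOGON_NAME buffer.

    The '<' in the format string is the whole point: the PAC is always
    little-endian on the wire, so native-order unpacking ('@' or no prefix)
    reads the time and the length byte-swapped on a big-endian host, and the
    bogus length then either truncates the name or runs past the buffer.
    """
    if len(blob) < 10:
        raise ValueError("buffer shorter than the fixed header")
    logon_time, name_len = struct.unpack_from("<QH", blob, 0)
    if name_len % 2 or len(blob) < 10 + name_len:
        raise ValueError("bad name length %d for a %d-byte buffer" % (name_len, len(blob)))
    name = blob[10:10 + name_len].decode("utf-16-le")
    return {"logon_time": nttime_to_unix(logon_time), "account_name": name}


# Constructed sample: an account logging on at 2006-01-01T00:00:00Z.
SAMPLE_LOGON_TIME = 1136073600
SAMPLE_BUFFER = pack_logon_name(SAMPLE_LOGON_TIME, "Administrator")


if __name__ == "__main__":
    print(SAMPLE_BUFFER.hex())
    print(parse_logon_name(SAMPLE_BUFFER))
```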
Guenther
(This used to be commit 9b19a68456c7b576750aaf64c178ba5323d9a95e)
Sync with trunk as of r13315
(This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
(This used to be commit 6c3480f9aecc061660ad5c06347b8f1d3e11a330)
(This used to be commit 58e48fef450f71ac15219f73897801c5a66a2c44)
(This used to be commit 95b231f0285c65bcdc62cd453cea634f9f5e7f91)
add" with "Server is unwilling to perform". Seems we have to put in the
same userAccountControl bits the server would pick when we wouldn't send
them at all.
Guenther
(This used to be commit fd5da5875cdc47fc6ef6ba1615a9635f9f157589)
Use the subtree delete ldap control when running 'net ads leave'
to ensure that the machine account is actually deleted.
(This used to be commit e96000c16cd182b2e2cbdc1a287002306d2965e6)
box with gcc4 and -O6...
Fix a bunch of C99 dereferencing type-punned pointer will break
strict-aliasing rules errors. Also added prs_int32 (not uint32...)
as it's needed in one place. Find places where prs_uint32 was being
used to marshall/unmarshall a time_t (a big no no on 64-bits).
More warning fixes to come.
Thanks to Volker for nudging me to compile like this.
Jeremy.
(This used to be commit c65b752604f8f58abc4e7ae8514dc2c7f086271c)