Age | Commit message (Collapse) | Author | Files | Lines |
|
Thanks to Igor Zhbanov bsg@uniyar.ac.ru.
Volker
(This used to be commit 8a28475a0b7659cb0cdefe57edf801d9958c3755)
|
|
from HEAD follows :
While torturing winbind a bit I found the following unfortunate behaviour:
Sending multiple requests at a high rate for a slow operation exposed that no
response comes back until the last request in the queue has been
processed. This is an unfortunate result of serially going through all sockets> that have shown to be readable or writable. All client sockets become readable> at the same time, none of them is writable. We go through them, read the
request, process the complete request. Before we enter the select system call
the next time all requests have to have completed.
This patch optimizes this by first looking at the sockets for writability. A
write on a socket that came back from select does not block, so this
additional loop might have a non-zero cost, but it can't prevent other
operations from proceeding.
After a possibly long-running winbindd_process() we directly start select()
again. To avoid starvation the currently processed client is demoted to be the> last one in the list of clients.
Jeremy.
(This used to be commit bfdeb22c69d09eb73305b6034fa6d0ec67275789)
|
|
restarted if
need be. We should also make sure the main line know we no longer have a child.
(This used to be commit e3dc7934b50c8578d70fc01688a07bd369a7cf30)
|
|
Check in the 'winbind proxy only' mode -- no new parameter required :-)
If you don't set idmap uid or idmap gid, winbind will not do idmap stuff, it
will only proxy the netlogon request and thus speed up the authentication of
domain users.
Volker
(This used to be commit 29235f0c69035376ad7ac27b08a59069fa151102)
|
|
and AD) as well as on a Samba DC
(This used to be commit 157d53782d6a7d0b7e30676a674ff2a25a15369c)
|
|
(This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
|
|
-n 'no cache' option for winbindd
(This used to be commit d1848988d9ee9fdd870bcdd32c938b907419558b)
|
|
(This used to be commit 0032c3f46aaef065e95d987dc0506016aabbe644)
|
|
metze
(This used to be commit 12d6bc3bd0684646e990c2fc6485fe1a92ac98fb)
|
|
domains, this patch ensures that we always use the ADS backend when
security=ADS, and the remote server is capable.
The routines used for this behaviour have been upgraded to modern Samba
codeing standards.
This is a change in behaviour for mixed mode domains, and if the trusted
domain cannot be reached with our current krb5.conf file, we will show
that domain as disconnected.
This is in line with existing behaviour for native mode domains, and for
our primary domain.
As a consequence of testing this patch, I found that our kerberos error
handling was well below par - we would often throw away useful error
values. These changes move more routines to ADS_STATUS to return
kerberos errors.
Also found when valgrinding the setup, fix a few memory leaks.
While sniffing the resultant connections, I noticed we would query our
list of trusted domains twice - so I have reworked some of the code to
avoid that.
Andrew Bartlett
(This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
|
|
session setup. After talking to jht and abartlet I made this unconditional, no
additional parameter.
Jerry: This is a change in behaviour, but I think it is necessary.
Volker
(This used to be commit 3ce6c9f27368cfb278007fe660a0e44a84d67f8f)
|
|
(This used to be commit df14b0af31863680218b06ae9de2f010a38fba6e)
|
|
winbind functions to be accessed via NSS. This provides a much cleaner
way for applications that need (for example) to provide name->sid
mappings to do this via NSS rather than having to know the winbindd
pipe protocol (as this might change).
This patch also adds a varient of the winbindd_getgroups() call called
winbindd_getusersids() that provides direct SID->SIDs listing of a
users supplementary groups. This is enough to allow non-Samba
applications to do ACL checking.
A test program for the new functionality will be committed shortly.
I also added the 'wbinfo --user-sids' option to expose the new
function in wbinfo.
(This used to be commit 702b35da0ac7c73aa5a6603f871d865565bbe278)
|
|
compilation, but that allows Samba3 to take advantage of pre-compiled
headers in gcc if available.
(This used to be commit b3e024ce1da7c7e24fcacd8a2964dd2e4562ba39)
|
|
(This used to be commit 0519a7022b4979c0e8ddd4907f4b858a59299c06)
|
|
socket and add a comment to winbindd.c to explain the fancy calculation of
buffer offset.
(This used to be commit 7c7ef9680b7378e12ffdd0bf95ee7ad673bea2f5)
|
|
(This used to be commit 3324adcaceb9191b5d4d671ac9b51c85c6714598)
|
|
(This used to be commit ae452e51b02672a56adf18aa7a7e365eeaba9272)
|
|
1) don't ask trusted DC's for a list of trusted domains. This causes
us to treat non-transitive ones as if they were transitive. Not
needed anyways
2) Fix dc lookup bug where we would always try to use DNS to resolve
the DC's for a domain (even if it was a trusted NT4 domain).
(This used to be commit 4d3acce5066d3adf53ee8fbaa627c42523b3cbc3)
|
|
to pstr_sprintf() and fstr_sprintf() to try to standardize.
lots of snprintf() calls were using len-1; some were using
len. At least this helps to be consistent.
(This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
|
|
displaying pid_t, uid_t and gid_t values. This removes a whole lot of warnings
on some of the 64-bit build farm machines as well as help us out when 64-bit
uid/gid/pid values come along.
(This used to be commit f93528ba007c8800a850678f35f499fb7360fb9a)
|
|
(This used to be commit 8b818ce381595cdcb36631a2440d6aa0038805f1)
|
|
and migrate an NT4 domain and still logon from domain members
(tested logon scripts, system policies, profiles, & home directories)
(passdb backend = tdbsam)
removed call to idmap_init_wellknown_sids() from winbindd.c
since the local domain should be handled by the guest passdb backend
(and you don't really always want the Administrator account to be root)
...and we didn't pay attention to this anyways now.
(This used to be commit 837d7c54d3ca780160aa0d6a2f0a109bb691948e)
|
|
nmbd, winbindd). Reviewed by jerry and tridge.
(This used to be commit 02c5e2fc6f0721ebd82a9e6a2b34190607de55fe)
|
|
(This used to be commit 369a914ebefd5625af19b76d71b502e5e13a7147)
|
|
to winbindd. See README.idmap-and-winbind-changes for details.
(This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6)
|
|
(This used to be commit 389fe1e51abb533a781f69731a75771cb846d850)
|
|
idmap backend is specified cause smbd to ask winbindd (use winbindd if
you want a consistant remote backend solution).
Should work well enough for next beta now...
Jeremy.
(This used to be commit 8f830c509af5976d988a30f0b0aee4ec61dd97a3)
|
|
pre-2.2.4 tdb database format.
tx volker for your work on this
(This used to be commit 2bdbeb9e97a59ecd16f74fbb04ab5ca57b28a757)
|
|
This replaces the universal group caching code (was originally
based on that code). Only applies to the the RPC code.
One comment: domain local groups don't show up in 'getent group'
that's easy to fix.
Code has been tested against 2k domain but doesn't change anything
with respect to NT4 domains.
netsamlogon caching works pretty much like the universal group
caching code did but has had much more testing and puts winbind
mostly back in sync between branches.
(This used to be commit aac01dc7bc95c20ee21c93f3581e2375d9a894e1)
|
|
We really need idmap_ldap to have a good solution with ldapsam, porting
it from the prvious code is beeing made, the code is really simple to do
so I am confident it is not a problem to commit this code in.
Not committing it would have been worst.
I really would have been able to finish also the group code, maybe we can
put it into a followin release after 3.0.0 even if it may be an upgrade
problem.
The code has been tested and seem to work right, more testing is needed for
corner cases.
Currently winbind pdc (working only for users and not for groups) is
disabled as I was not able to make a complete group code replacement that
works somewhat in a week (I have a complete patch, but there are bugs)
Simo.
(This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
|
|
(This used to be commit d817eaf0ecca2d878ab1ffcf7a747a02d71c811e)
|
|
that is now possible to, for example, load a module which contains
an auth method into a binary without the auth/ subsystem built in.
(This used to be commit 74d9ecfe2dd7364643d32acb62ade957bd71cd0d)
|
|
initialisation code in winbindd_init_common() after the fork when
running in dual daemon mode.
The only tricky bit is we have to run a tdb_reopen_all() somewhere in
the child to avoid tdb corruption.
Fixed bug #60.
(This used to be commit 25e55aca0fe315c2ccf4e34a94107b2321313714)
|
|
This includes the 'SIDs Rule' patch, mimir's trusted domains cacheing code,
the winbind_idmap abstraction (not idmap proper, but the stuff that held up
the winbind LDAP backend in HEAD).
Andrew Bartlett
(This used to be commit d4d5e6c2ee6383c6cceb5d449aa2ba6c83eb0666)
|
|
(This used to be commit 6735a9889f6629f4f77006c59c011570031e044f)
|
|
- Jelmer's latest popt changes
- debugging tdb messages now initialised and handled in lib/messages.c
(This used to be commit b11f35fddec8c3d3899a8bc78d093137f73b2dfb)
|
|
- fix winbindd_pam bugs
- give a better error message for unauthorized access to auth_crap
- show this message in wbinfo
- fix spelling: privilaged -> privileged
** This changes the location of the winbindd privileged pipe **
(thanks to tpot)
Andrew Bartlett
(This used to be commit 92c2a33483cc9ddd1dd627224192a3023f8caff8)
|
|
NTLM Authentication:
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory
under lockdir, that the admin can change the group access for.
- This mode is now required to access with 'CRAP' authentication feature.
- This *will* break the current SQUID helper, so I've fixed up our ntlm_auth
replacement:
- Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a
challenge.
- Use this to make our ntlm_auth utility suitable for use in current Squid 2.5
servers.
- Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates
are needed.
- Now uses fgets(), not x_fgets() to cope with Squid environment (I think
somthing to do with non-blocking stdin).
- Add much more robust connection code to wb_common.c - it will not connect to
a server of a different protocol version, and it will automatically try and
reconnect to the 'privileged' pipe if possible.
- This could help with 'privileged' idmap operations etc in future.
- Add a generic HEX encode routine to util_str.c,
- fix a small line of dodgy C in StrnCpy_fn()
- Correctly pull our 'session key' out of the info3 from th the DC. This is
used in both the auth code, and in for export over the winbind pipe to
ntlm_auth.
- Given the user's challenge/response and access to the privileged pipe,
allow external access to the 'session key'. To be used for MSCHAPv2
integration.
Andrew Bartlett
(This used to be commit ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664)
|
|
the unix domain sockets used by winbindd (also solves FD_SETSIZE problem
in winbindd to boot !). Adds a "last_access" field to winbindd connections,
and will close the oldest idle connection once the number of open connections
goes over WINBINDD_MAX_SIMULTANEOUS_CLIENTS (defined in local.h as 200
currently).
Jeremy.
(This used to be commit 7a586552a3aeb4a26495f0965af4bd027456a011)
|
|
- setenv() replacement
- mimir's ASN1/SPNEGO typo fixes
- (size_t)-1 fixes for push_* returns
- function argument signed/unsigned correction
- ASN1 error handling (ensure we don't use initiailsed data)
- extra net ads join error checking
- allow 'set security discriptor' to fail
- escape ldap strings in libads.
- getgrouplist() correctness fixes (include primary gid)
Andrew Bartlett
(This used to be commit e9d6e2ea9a3dc01d3849b925c50702cda6ddf225)
|
|
(This used to be commit 5cfb30551a713caa3d69406450c1eac4541a30fa)
|
|
- NTLMSSP over SPENGO (sesssion-setup-and-x) cleanup and code refactor.
- also consequential changes to the NTLMSSP and SPNEGO parsing functions
- and the client code that uses the same functions
- Add ntlm_auth, a NTLMSSP authentication interface for use by applications
like Squid and Apache.
- also consquential changes to use common code for base64 encode/decode.
- Winbind changes to support ntlm_auth (I don't want this program to need
to read smb.conf, instead getting all it's details over the pipe).
- nmbd changes for fstrcat() instead of fstrcpy().
Andrew Bartlett
(This used to be commit fbb46da79cf322570a7e3318100c304bbf33409e)
|
|
(This used to be commit c8e77809adfb2ace18c219d9291651a4959bbcb7)
|
|
(This used to be commit a8db1b611d83bfd8dcf60f1e6d8fcbf57c798528)
|
|
warnings. (Adds a lot of const).
Andrew Bartlett
(This used to be commit 3a7458f9472432ef12c43008414925fd1ce8ea0c)
|
|
named. Ensure we can query them.
Jeremy.
(This used to be commit 09a218a9f6fb0bd922940467bf8500eb4f1bcf84)
|
|
- null termination of winbind request fix
- bail out if we can't open winbind socket
(This used to be commit 102e490d683c0758a9798a3c15e748509690c95b)
|
|
before reading smb.conf parameters, not after.
(This used to be commit 7bdaa03f2fc7ea6ef0f56f7c73b951c177d64a2e)
|
|
dashes of const. This is a rather large check-in, some things may break.
It does compile though :-).
Jeremy.
(This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89)
|