summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison1-2/+1
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r2470: Fix bug 1797: winbind and nmbd ignored "-l" option.Volker Lendecke1-2/+6
Thanks to Igor Zhbanov bsg@uniyar.ac.ru. Volker (This used to be commit 8a28475a0b7659cb0cdefe57edf801d9958c3755)
2007-10-10r2265: Volkers change to HEAD looks very good. Commit messageJeremy Allison1-5/+12
from HEAD follows : While torturing winbind a bit I found the following unfortunate behaviour: Sending multiple requests at a high rate for a slow operation exposed that no response comes back until the last request in the queue has been processed. This is an unfortunate result of serially going through all sockets> that have shown to be readable or writable. All client sockets become readable> at the same time, none of them is writable. We go through them, read the request, process the complete request. Before we enter the select system call the next time all requests have to have completed. This patch optimizes this by first looking at the sockets for writability. A write on a socket that came back from select does not block, so this additional loop might have a non-zero cost, but it can't prevent other operations from proceeding. After a possibly long-running winbindd_process() we directly start select() again. To avoid starvation the currently processed client is demoted to be the> last one in the list of clients. Jeremy. (This used to be commit bfdeb22c69d09eb73305b6034fa6d0ec67275789)
2007-10-10r1557: Add sigchld handling to winbindd. Next step is to have the child ↵Richard Sharpe1-0/+13
restarted if need be. We should also make sure the main line know we no longer have a child. (This used to be commit e3dc7934b50c8578d70fc01688a07bd369a7cf30)
2007-10-10r1297: Yes, it does survive valgrind for my tests :-)Volker Lendecke1-8/+5
Check in the 'winbind proxy only' mode -- no new parameter required :-) If you don't set idmap uid or idmap gid, winbind will not do idmap stuff, it will only proxy the netlogon request and thus speed up the authentication of domain users. Volker (This used to be commit 29235f0c69035376ad7ac27b08a59069fa151102)
2007-10-10r294: checking in volker's winbindd patches; tested on domain members (Samba ↵Gerald Carter1-0/+2
and AD) as well as on a Samba DC (This used to be commit 157d53782d6a7d0b7e30676a674ff2a25a15369c)
2007-10-10r116: volker's patch for local group and group nestingGerald Carter1-0/+1
(This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-03-16BUG 1182: patch from john.klinger@lmco.com (John Klinger) to reanable the ↵Gerald Carter1-1/+1
-n 'no cache' option for winbindd (This used to be commit d1848988d9ee9fdd870bcdd32c938b907419558b)
2004-01-29Remove an unused parameter from reload_services_file.Richard Sharpe1-4/+3
(This used to be commit 0032c3f46aaef065e95d987dc0506016aabbe644)
2004-01-11update copyright to -2004Stefan Metzmacher1-1/+1
metze (This used to be commit 12d6bc3bd0684646e990c2fc6485fe1a92ac98fb)
2004-01-08This merges in my 'always use ADS' patch. Tested on a mix of NT and ADSAndrew Bartlett1-0/+2
domains, this patch ensures that we always use the ADS backend when security=ADS, and the remote server is capable. The routines used for this behaviour have been upgraded to modern Samba codeing standards. This is a change in behaviour for mixed mode domains, and if the trusted domain cannot be reached with our current krb5.conf file, we will show that domain as disconnected. This is in line with existing behaviour for native mode domains, and for our primary domain. As a consequence of testing this patch, I found that our kerberos error handling was well below par - we would often throw away useful error values. These changes move more routines to ADS_STATUS to return kerberos errors. Also found when valgrinding the setup, fix a few memory leaks. While sniffing the resultant connections, I noticed we would query our list of trusted domains twice - so I have reworked some of the code to avoid that. Andrew Bartlett (This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
2004-01-04Commit the translation of the realm to the netbios domain name in the kerberosVolker Lendecke1-0/+1
session setup. After talking to jht and abartlet I made this unconditional, no additional parameter. Jerry: This is a change in behaviour, but I think it is necessary. Volker (This used to be commit 3ce6c9f27368cfb278007fe660a0e44a84d67f8f)
2003-11-25Add a comment, and a useful debug message.Andrew Bartlett1-0/+1
(This used to be commit df14b0af31863680218b06ae9de2f010a38fba6e)
2003-11-19as discussed on irc, this is a small patch that allows a few moreAndrew Tridgell1-0/+1
winbind functions to be accessed via NSS. This provides a much cleaner way for applications that need (for example) to provide name->sid mappings to do this via NSS rather than having to know the winbindd pipe protocol (as this might change). This patch also adds a varient of the winbindd_getgroups() call called winbindd_getusersids() that provides direct SID->SIDs listing of a users supplementary groups. This is enough to allow non-Samba applications to do ACL checking. A test program for the new functionality will be committed shortly. I also added the 'wbinfo --user-sids' option to expose the new function in wbinfo. (This used to be commit 702b35da0ac7c73aa5a6603f871d865565bbe278)
2003-11-12a small include file rearrangement that doesn't affect normalAndrew Tridgell1-0/+1
compilation, but that allows Samba3 to take advantage of pre-compiled headers in gcc if available. (This used to be commit b3e024ce1da7c7e24fcacd8a2964dd2e4562ba39)
2003-11-06Final round of printf warnings fixes for the moment.Tim Potter1-3/+3
(This used to be commit 0519a7022b4979c0e8ddd4907f4b858a59299c06)
2003-10-13Add a better error message to wb_common.c when unable to connect to a pipeRichard Sharpe1-0/+7
socket and add a comment to winbindd.c to explain the fancy calculation of buffer offset. (This used to be commit 7c7ef9680b7378e12ffdd0bf95ee7ad673bea2f5)
2003-08-25make sure we keep the trusted domain cache up to dateGerald Carter1-8/+2
(This used to be commit 3324adcaceb9191b5d4d671ac9b51c85c6714598)
2003-08-20metze's autogenerate patch for version.hGerald Carter1-1/+1
(This used to be commit ae452e51b02672a56adf18aa7a7e365eeaba9272)
2003-08-08fix 2 bugs:Gerald Carter1-1/+7
1) don't ask trusted DC's for a list of trusted domains. This causes us to treat non-transitive ones as if they were transitive. Not needed anyways 2) Fix dc lookup bug where we would always try to use DNS to resolve the DC's for a domain (even if it was a trusted NT4 domain). (This used to be commit 4d3acce5066d3adf53ee8fbaa627c42523b3cbc3)
2003-07-23convert snprintf() calls using pstrings & fstringsGerald Carter1-2/+2
to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-22Fixup a bunch of printf-style functions and debugs to use unsigned long whenTim Potter1-8/+8
displaying pid_t, uid_t and gid_t values. This removes a whole lot of warnings on some of the 64-bit build farm machines as well as help us out when 64-bit uid/gid/pid values come along. (This used to be commit f93528ba007c8800a850678f35f499fb7360fb9a)
2003-07-22Replace the eight (!) copies of dummy become/unbecome root with a single one.Tim Potter1-14/+0
(This used to be commit 8b818ce381595cdcb36631a2440d6aa0038805f1)
2003-07-16fixes for 'net rpc vampire'. I can now take a blank Samba hostGerald Carter1-3/+0
and migrate an NT4 domain and still logon from domain members (tested logon scripts, system policies, profiles, & home directories) (passdb backend = tdbsam) removed call to idmap_init_wellknown_sids() from winbindd.c since the local domain should be handled by the guest passdb backend (and you don't really always want the Administrator account to be root) ...and we didn't pay attention to this anyways now. (This used to be commit 837d7c54d3ca780160aa0d6a2f0a109bb691948e)
2003-07-15Add support for MSG_SMB_CONF_UPDATED and MSG_SHUTDOWN to all daemons (smbd, ↵Alexander Bokovoy1-4/+22
nmbd, winbindd). Reviewed by jerry and tridge. (This used to be commit 02c5e2fc6f0721ebd82a9e6a2b34190607de55fe)
2003-07-15remove -B and default to dual-daemon mode (-Y to run as a single process)Gerald Carter1-2/+2
(This used to be commit 369a914ebefd5625af19b76d71b502e5e13a7147)
2003-07-09Large set of changes to add UNIX account/group managementGerald Carter1-1/+10
to winbindd. See README.idmap-and-winbind-changes for details. (This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6)
2003-07-09fix linking issues in winbindd with become/unbecome_root() in passdb.cGerald Carter1-0/+14
(This used to be commit 389fe1e51abb533a781f69731a75771cb846d850)
2003-06-27Some const correctness. Stop tdb being used as a remote backend. If anJeremy Allison1-1/+1
idmap backend is specified cause smbd to ask winbindd (use winbindd if you want a consistant remote backend solution). Should work well enough for next beta now... Jeremy. (This used to be commit 8f830c509af5976d988a30f0b0aee4ec61dd97a3)
2003-06-24add tdb backup function separation and winbind idmap upgrade code formSimo Sorce1-0/+3
pre-2.2.4 tdb database format. tx volker for your work on this (This used to be commit 2bdbeb9e97a59ecd16f74fbb04ab5ca57b28a757)
2003-06-21merge of the netsamlogon caching code from APPLIANCE_HEADGerald Carter1-2/+12
This replaces the universal group caching code (was originally based on that code). Only applies to the the RPC code. One comment: domain local groups don't show up in 'getent group' that's easy to fix. Code has been tested against 2k domain but doesn't change anything with respect to NT4 domains. netsamlogon caching works pretty much like the universal group caching code did but has had much more testing and puts winbind mostly back in sync between branches. (This used to be commit aac01dc7bc95c20ee21c93f3581e2375d9a894e1)
2003-05-12And finally IDMAP in 3_0Simo Sorce1-3/+5
We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-05-10Reverse previous patch from Stefan and me after comments by Andrew BartlettJelmer Vernooij1-2/+0
(This used to be commit d817eaf0ecca2d878ab1ffcf7a747a02d71c811e)
2003-05-10Patch from metze and me that adds dummy smb_register_*() functions soJelmer Vernooij1-0/+2
that is now possible to, for example, load a module which contains an auth method into a binary without the auth/ subsystem built in. (This used to be commit 74d9ecfe2dd7364643d32acb62ade957bd71cd0d)
2003-05-06There appears to be no reason why we have to execute theTim Potter1-57/+45
initialisation code in winbindd_init_common() after the fork when running in dual daemon mode. The only tricky bit is we have to run a tdb_reopen_all() somewhere in the child to avoid tdb corruption. Fixed bug #60. (This used to be commit 25e55aca0fe315c2ccf4e34a94107b2321313714)
2003-04-23Merge HEAD's winbind into 3.0.Andrew Bartlett1-1/+2
This includes the 'SIDs Rule' patch, mimir's trusted domains cacheing code, the winbind_idmap abstraction (not idmap proper, but the stuff that held up the winbind LDAP backend in HEAD). Andrew Bartlett (This used to be commit d4d5e6c2ee6383c6cceb5d449aa2ba6c83eb0666)
2003-04-22update copyright notice that is written to the logsGerald Carter1-1/+1
(This used to be commit 6735a9889f6629f4f77006c59c011570031e044f)
2003-04-14Merge:Tim Potter1-91/+27
- Jelmer's latest popt changes - debugging tdb messages now initialised and handled in lib/messages.c (This used to be commit b11f35fddec8c3d3899a8bc78d093137f73b2dfb)
2003-04-07Winbind merges from HEAD:Andrew Bartlett1-4/+4
- fix winbindd_pam bugs - give a better error message for unauthorized access to auth_crap - show this message in wbinfo - fix spelling: privilaged -> privileged ** This changes the location of the winbindd privileged pipe ** (thanks to tpot) Andrew Bartlett (This used to be commit 92c2a33483cc9ddd1dd627224192a3023f8caff8)
2003-03-24(merge from HEAD)Andrew Bartlett1-5/+25
NTLM Authentication: - Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664)
2003-02-28*Excellent* patch from Michael Steffens <michael_steffens@hp.com> to limitJeremy Allison1-5/+48
the unix domain sockets used by winbindd (also solves FD_SETSIZE problem in winbindd to boot !). Adds a "last_access" field to winbindd connections, and will close the oldest idle connection once the number of open connections goes over WINBINDD_MAX_SIMULTANEOUS_CLIENTS (defined in local.h as 200 currently). Jeremy. (This used to be commit 7a586552a3aeb4a26495f0965af4bd027456a011)
2003-02-19Merge minor library fixes from HEAD to 3.0.Andrew Bartlett1-1/+1
- setenv() replacement - mimir's ASN1/SPNEGO typo fixes - (size_t)-1 fixes for push_* returns - function argument signed/unsigned correction - ASN1 error handling (ensure we don't use initiailsed data) - extra net ads join error checking - allow 'set security discriptor' to fail - escape ldap strings in libads. - getgrouplist() correctness fixes (include primary gid) Andrew Bartlett (This used to be commit e9d6e2ea9a3dc01d3849b925c50702cda6ddf225)
2003-02-14Mop and bucket for trusted domain enumeration fix.Tim Potter1-1/+1
(This used to be commit 5cfb30551a713caa3d69406450c1eac4541a30fa)
2003-01-28Merge from HEAD:Andrew Bartlett1-0/+1
- NTLMSSP over SPENGO (sesssion-setup-and-x) cleanup and code refactor. - also consequential changes to the NTLMSSP and SPNEGO parsing functions - and the client code that uses the same functions - Add ntlm_auth, a NTLMSSP authentication interface for use by applications like Squid and Apache. - also consquential changes to use common code for base64 encode/decode. - Winbind changes to support ntlm_auth (I don't want this program to need to read smb.conf, instead getting all it's details over the pipe). - nmbd changes for fstrcat() instead of fstrcpy(). Andrew Bartlett (This used to be commit fbb46da79cf322570a7e3318100c304bbf33409e)
2003-01-15playing janitor for tpot; remove holding patternGerald Carter1-6/+0
(This used to be commit c8e77809adfb2ace18c219d9291651a4959bbcb7)
2003-01-03patch to include support for daemontools from Michael HandlerGerald Carter1-3/+21
(This used to be commit a8db1b611d83bfd8dcf60f1e6d8fcbf57c798528)
2003-01-03Merge from HEAD - make Samba compile with -Wwrite-strings without additionalAndrew Bartlett1-1/+1
warnings. (Adds a lot of const). Andrew Bartlett (This used to be commit 3a7458f9472432ef12c43008414925fd1ce8ea0c)
2002-12-20Forward port the change to talloc_init() to make all talloc contextsJeremy Allison1-0/+20
named. Ensure we can query them. Jeremy. (This used to be commit 09a218a9f6fb0bd922940467bf8500eb4f1bcf84)
2002-12-20Merge from HEAD.Tim Potter1-1/+7
- null termination of winbind request fix - bail out if we can't open winbind socket (This used to be commit 102e490d683c0758a9798a3c15e748509690c95b)
2002-11-18Bug fix from appliance - we must initialise the winbindd server stateTim Potter1-2/+2
before reading smb.conf parameters, not after. (This used to be commit 7bdaa03f2fc7ea6ef0f56f7c73b951c177d64a2e)