Age | Commit message (Collapse) | Author | Files | Lines |
|
domains, this patch ensures that we always use the ADS backend when
security=ADS, and the remote server is capable.
The routines used for this behaviour have been upgraded to modern Samba
codeing standards.
This is a change in behaviour for mixed mode domains, and if the trusted
domain cannot be reached with our current krb5.conf file, we will show
that domain as disconnected.
This is in line with existing behaviour for native mode domains, and for
our primary domain.
As a consequence of testing this patch, I found that our kerberos error
handling was well below par - we would often throw away useful error
values. These changes move more routines to ADS_STATUS to return
kerberos errors.
Also found when valgrinding the setup, fix a few memory leaks.
While sniffing the resultant connections, I noticed we would query our
list of trusted domains twice - so I have reworked some of the code to
avoid that.
Andrew Bartlett
(This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
|
|
rpc_parse/parse_lsa.c:
nsswitch/winbindd_rpc.c:
nsswitch/winbindd.h:
- Add const
libads/ads_ldap.c:
- Cleanup function for use
nsswitch/winbindd_ads.c:
- Use new utility function ads_sid_to_dn
- Don't search for 'dn=', rather call the ads_search_retry_dn()
nsswitch/winbindd_ads.c:
include/rpc_ds.h:
rpc_client/cli_ds.c:
- Fixup braindamage in cli_ds_enum_domain_trusts():
- This function was returning a UNISTR2 up to the caller, and
was doing nasty (invalid, per valgrind) things with memcpy()
- Create a new structure that represents this informaiton in a useful way
and use talloc.
Andrew Bartlett
(This used to be commit 06c3f15aa166bb567d8be0a8bc4b095b167ab371)
|
|
(This used to be commit 6f3cd9e2af7f1b4bdd7cb0e487987de159bb0dd8)
|
|
compilation, but that allows Samba3 to take advantage of pre-compiled
headers in gcc if available.
(This used to be commit b3e024ce1da7c7e24fcacd8a2964dd2e4562ba39)
|
|
(This used to be commit a2bd8f0bfa12f2a1e33c96bc9dabcc0e2171700d)
|
|
(This used to be commit 15d2bc47854df75f8b2644ccbc887d0357d9cd27)
|
|
This replaces the universal group caching code (was originally
based on that code). Only applies to the the RPC code.
One comment: domain local groups don't show up in 'getent group'
that's easy to fix.
Code has been tested against 2k domain but doesn't change anything
with respect to NT4 domains.
netsamlogon caching works pretty much like the universal group
caching code did but has had much more testing and puts winbind
mostly back in sync between branches.
(This used to be commit aac01dc7bc95c20ee21c93f3581e2375d9a894e1)
|
|
have a primary ADS domain and a secondary (trusted) NT4 domain. This
caused winbindd to be *really* slow for that setup.
- fixed winbindd_getgrgid(), which was calling uid_to_sid instead of
gid_to_sid(). When you make changes to winbind *PLEASE* test using
nsstest.
(This used to be commit cdd9b60a078b63e22f543d4c8d0956ff536f4d89)
|
|
<t.d.lee@durham.ac.uk>
(This used to be commit e48a8b5e9c1a75c6e4bffe022d0e25edae89bc58)
|
|
This includes the 'SIDs Rule' patch, mimir's trusted domains cacheing code,
the winbind_idmap abstraction (not idmap proper, but the stuff that held up
the winbind LDAP backend in HEAD).
Andrew Bartlett
(This used to be commit d4d5e6c2ee6383c6cceb5d449aa2ba6c83eb0666)
|
|
- fix winbindd_pam bugs
- give a better error message for unauthorized access to auth_crap
- show this message in wbinfo
- fix spelling: privilaged -> privileged
** This changes the location of the winbindd privileged pipe **
(thanks to tpot)
Andrew Bartlett
(This used to be commit 92c2a33483cc9ddd1dd627224192a3023f8caff8)
|
|
NTLM Authentication:
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory
under lockdir, that the admin can change the group access for.
- This mode is now required to access with 'CRAP' authentication feature.
- This *will* break the current SQUID helper, so I've fixed up our ntlm_auth
replacement:
- Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a
challenge.
- Use this to make our ntlm_auth utility suitable for use in current Squid 2.5
servers.
- Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates
are needed.
- Now uses fgets(), not x_fgets() to cope with Squid environment (I think
somthing to do with non-blocking stdin).
- Add much more robust connection code to wb_common.c - it will not connect to
a server of a different protocol version, and it will automatically try and
reconnect to the 'privileged' pipe if possible.
- This could help with 'privileged' idmap operations etc in future.
- Add a generic HEX encode routine to util_str.c,
- fix a small line of dodgy C in StrnCpy_fn()
- Correctly pull our 'session key' out of the info3 from th the DC. This is
used in both the auth code, and in for export over the winbind pipe to
ntlm_auth.
- Given the user's challenge/response and access to the privileged pipe,
allow external access to the 'session key'. To be used for MSCHAPv2
integration.
Andrew Bartlett
(This used to be commit ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664)
|
|
the unix domain sockets used by winbindd (also solves FD_SETSIZE problem
in winbindd to boot !). Adds a "last_access" field to winbindd connections,
and will close the oldest idle connection once the number of open connections
goes over WINBINDD_MAX_SIMULTANEOUS_CLIENTS (defined in local.h as 200
currently).
Jeremy.
(This used to be commit 7a586552a3aeb4a26495f0965af4bd027456a011)
|
|
(This used to be commit cd6ad1f13b481ab22d98993db3fa80ec43dc1c8c)
|
|
(This used to be commit 09c6f6329d6ae9327b7ef06de0ea78d24d805456)
|
|
* add some files missing from a previous commit
(This used to be commit 29159c97371c75327e377f9d13406dad46095568)
|
|
(This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
|
|
(This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
|
|
(This used to be commit b618b5943d53f33e6f03d8d47cf87efc5e1ad3e5)
|
|
This patch fixes the segfaults I introduced in the previous conneciton caching
patch. It cleans up the connection cache a *lot* - in particular it adds
significant robustness to the operation.
If a the DC goes down, we no longer fail the next operation - the code checks
if the connection died during one of its own operations on the socket, and
restarts the conneciton as required.
There is still a memory leak in here somewhere - but this code also cleans up a
number of these.
Also added is the abilty to sepecify the domain of the 'get around restrict anonymous'
user that winbind uses.
Andrew Bartlett
(This used to be commit 92cbefdf2783bf9dbbb2179c1b2f7cdb802d84a9)
|
|
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
(This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
|
|
the list received at startup or we get an out of date list. I thought
there might be some sequence number that is incremented when a trusted
domain is added or removed - perhaps there is but I just haven't found it
yet.
- Renamed get_domain_info() to init_domain_list()
- Made an accessor function to return the list of trusted domains rather
than using a global so we don't have to remember to put a magic init
function
- The getent state can not keep a pointer to a winbind_domain structure as
it may be freed if init_domain_list() is called again so we keep the
domain name instead
(This used to be commit 37216c649a394b449eaaaa6644709eafb3bf37ff)
|
|
the method used for checking if a domain is a trusted domain is very
crude, we should really call a backend fn of some sort. For now I'm
using winbindd to do the dirty work.
(This used to be commit adf44a9bd0d997ba4dcfadc564a29149531525af)
|
|
IPC$ connections to domain controllers.
(This used to be commit 1217ef28a6c18c085fcb2eac3bf04866c166d959)
|
|
I tried testing this by lowering the buffer size in
cli_samr_enum_dom_groups() but that didn't work - I think this needs
more looking into
(This used to be commit 34328e30315e4b42087d0ee11ed0c3fb715bc250)
|
|
(This used to be commit 1c909afe76566807fb576c965eb869f98e72f2bd)
|
|
consistent backends (like ADS) always give correct primary group
info, so we can play cache tricks to speed things up a lot
inconsistent backends (like MSRPC) need to fetch stuff more often
(This used to be commit 217c39f23282e20f96a61a0d5a2434b3f5f66a86)
|
|
the backends
at startup, loop until we get the domain sid for our primary domain,
trying every 10 seconds. This makes winbindd handle a room-wide power
failure better
(This used to be commit 7c60ae59378be1b2af2e57ee3927966a29a797a5)
|
|
this one looks like just another winbind backend, and has the
following properties:
- does -ve and +ve cacheing of all queries
- can be disabled with -n switch to winbindd
- stores all records packed, so even huge domains are not a problem
for a complete cache
- handles the server being down
- uses sequence numbers for all entries
This fixes a lot of problems with winbindd. Serving from cache is now
*very* fast.
(This used to be commit fddb4f4c04473a60a97212c0c8e143d6a4d68380)
|
|
sequence number via ldap when using ads
(This used to be commit 9a084f0bb91883224ad44e2b76417d10c15cce42)
|
|
(This used to be commit 7de670cd15c1a87dd01ab22d74a7e6cbf5ae6673)
|
|
now do searches on SID. This allows me to do a true ldap sid_to_name()
function
one one function to go!
(This used to be commit 7d44aa3915bc88fd2b2f8454f190b11677cbb848)
|
|
winbindd/ADS can now do initgroups()
(This used to be commit 43edeaca9f3a42699131939ed0d917111f57b678)
|
|
(This used to be commit 689f45d2079d06b09947b2cdd314867df98c938d)
|
|
fixed a winbindd crash when the group membership can't be looked up
(This used to be commit 088f4cc5be4a1a38781e4d019146d53993ed8c6f)
|
|
(This used to be commit 80010d80f93cfb32c53a1720c7564fb080846f35)
|
|
I spent quite a while trying to work out how to make this call
via ldap and failed. I then found that MS servers seem use rpc
for sid_to_name, and it works even when in native mode, I ended
up just implementing it via rpc
(This used to be commit 789833b44e342c0b5de463ed8f9b5f7474a99f27)
|
|
(This used to be commit 816e40a51af80a7f703c0451304de406deab3dd8)
|
|
also created winbindd_rpc.c which contains the functions that
have been converted to the new structure. There will soon be
a winbindd_ads.c for the ldap backend
(This used to be commit e4ccc602ba65838646f2632120069f3274619dd9)
|
|
This just splits off the dispinfo call behind a methods structure.
I'll split off a few more functions soon, then we will be ready for
LDAP replacement methods
(This used to be commit 0216b0fca115c903ec31ed21427a83c62077dc95)
|
|
be easily added (a one liner) once we know the correct error codes returned
by a W2K DC.
All other winbindd calls should go through a similar transparent caching layer
(and will soon).
Jeremy.
(This used to be commit b16bb21d371772816a4331f5011c151be0e083d5)
|
|
as one memory leak that has been there for ages!
Changed the way talloc is used in get{pw,gr}nam routines.
(This used to be commit d52cd1854fdff18c223d6dd1eca0e26f1f0bf01b)
|
|
per-call basis rather than per-connection.
Had a bit more of a reformatting fest.
Still need to run it through insure and handle downed connections.
(This used to be commit 46fe5a8fb96974e1323bc3e5d94fda74edbeb852)
|
|
(This used to be commit 4f12df9fc569b73dcf037b476976cb3be47ac43f)
|
|
I've wrapped up all the decisions about managing, making and closing
connections into a connection manager in nsswitch/winbindd_cm.c.
It's rather incomplete at the moment - only querying basic user info works
at the moment (i.e finger -m DOMAIN/user) and everything else is broken.
Jeremy, please take a look and I'll start moving across the rest of
winbindd to this new system.
(This used to be commit c369cf5af787ed9c642778d21f162716fbf0620e)
|
|
(This used to be commit 2d0922b0eabfdc0aaf1d0797482fef47ed7fde8e)
|
|
(This used to be commit 2af0a65e4c56e9361ee03286edcf26b5926b39e4)
|
|
but I haven't actually run it yet so it probably doesn't work. (-:
(This used to be commit 59f95416b66db6df05289bde224de29c721978e5)
|
|
renamed ntdom to winbind
I think that using winbind in /etc/nsswitch.conf is better than ntdom
(This used to be commit 80f85b5359c26dc26f8f88b984f27cfa4ac34e61)
|
|
this does not yet compile, but I'm working on that.
(This used to be commit 3fb862531a4e78dca13d16d958517b16e5bdd4e2)
|