summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd.h
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r23244: Fix loop with nscd and NSS recusive calls.Gerald Carter1-0/+1
> Here's the problem I hit: > > getgrnam("foo") -> nscd -> NSS -> winbindd -> > winbindd_passdb.c:nam_to_sid() -> lookup_global_sam_name() -> > getgrnam("foo") -> nscd -> .... > > This is in the SAMBA_3_0 specifically but in theory could happen > SAMBA_3_0_25 (or 26) for an unknown group. > > The attached patch passes down enough state for the > name_to_sid() call to be able to determine the originating > winbindd cmd that came into the parent. So we can avoid > making more NSS calls if the original call came in trough NSS > so we don't deadlock ? But you should still service > lookupname() calls which are needed for example when > doing the token access checks for a "valid groups" from > smb.conf. > > I've got this in testing now. The problem has shown up with the > DsProvider on OS X and with nscd on SOlaris and Linux. (This used to be commit bcc8a3290aaa0d2620e9d391ffbbf65541f6d742)
2007-10-10r23225: Attached find a patch that makes use of NetSamLogonEx inVolker Lendecke1-0/+8
winbind. With this and W2k3 DCs around it is possible to use more than one winbind on the same machine account, because NetSamLogonEx does not use the credentials chain. I added the flag domain->can_do_samlogon_ex because this only works against W2k3 and with schannel. The theory is to try if we're AD and have schannel, and fall back to NetSamLogon if this fails. can_do_samlogon_ex is thus a protection against multiple failures. Only checking into 3_0, this needs more review before going into a production release. Feel free to comment :-) (This used to be commit f5d525399b0b03a3d0b223fe72ef0a8a631fc599)
2007-10-10r22716: Clarify comment in winbindd_domain structureGerald Carter1-2/+2
(This used to be commit 32fd8558bd4531a745a04810a1cb6392dfab16a5)
2007-10-10r22713: Offline logon fixes for idmap manager:Gerald Carter1-0/+3
(a) Ignore the negative cache when the domain is offline (b) don't delete expired entries from the cache as these can be used when offline (same model as thw wcache entries) (c) Delay idmap backend initialization when offline as the backend routines will not be called until we go online anyways. This prevents idmap_init() from failing when a backend's init() function fails becuase of lack of network connectivity (This used to be commit 4086ef15b395f1a536fb669af2103a33ecc14de4)
2007-10-10r22704: Implement three step method for enumerating domain trusts.Gerald Carter1-1/+1
(a) Query our primary domain for trusts (b) Query all tree roots in our forest (c) Query all forest roots in trusted forests. This will give us a complete trust topology including domains via transitive Krb5 trusts. We also store the trust type, flags, and attributes so we can determine one-way trusted domains (outgoing only trust path). Patch for one-way trusts coming in a later check-in. "wbinfo -m" now lists all domains in the domain_list() as held by the main winbindd process. (This used to be commit 9cf6068f1e0a1063d331af17aa493140497b96ef)
2007-10-10r22700: Add a simple wcache TRUSTDOM api for maintaing a completeGerald Carter1-0/+15
list of trusted domains without requiring each winbindd process to aquire this on its own. This is needed for various idmap plugins and for dealing with different trust topoligies. list_trusted_domain() patches coming next. (This used to be commit 2da62a3d965a9701e16e644fd6bc728b43f28489)
2007-10-10r21860: Fixes for "winbind normalize names" functionality:Gerald Carter1-0/+2
* Fix getgroups() call called using a normalized name * Fix some more name mappings that could cause for example a user to be unable to unlock the screen as the username would not match in the PAM authenticate call. (This used to be commit 505fc669a1b2c36e1639924b9639c97988056d8d)
2007-10-10r20986: Commit the prototype of the nss_info plugin interface.Gerald Carter1-0/+2
This allows a provider to supply the homedirectory, etc... attributes for a user without requiring support in core winbindd code. The idmap_ad.c module has been modified to provide the idmap 'ad' library as well as the rfc2307 and sfu "winbind nss info" support. The SID/id mapping is working in idmap_ad but the nss_info still has a few quirks that I'm in the process of resolving. (This used to be commit aaec0115e2c96935499052d9a637a20c6445986e)
2007-10-10r20488: When joined to a child domain in a multi-domain/single domain tree,Gerald Carter1-0/+1
the child domain cannot always resolve SIDs in sibling domains. Windows tries to contact a DC in its own domain and then the root domain in the forest. This async changes makes winbindd's name2sid() call do the same. (This used to be commit 7b2bf0e5a6b8d4119657c7a34aa53c9a0c1d5723)
2007-10-10r20206: Start cleaning up the talloc_ctx mess.Jeremy Allison1-1/+0
child->mem_ctx isn't actually used for anything, so remove it. Jeremy. (This used to be commit a7f294b59238826c11e579a7b1a4dca7284bb89d)
2007-10-10r20116: Start merging in the work done to create the new idmap subsystem.Simo Sorce1-10/+0
Simo. (This used to be commit 50cd8bffeeed2cac755f75fc3d76fe41c451976b)
2007-10-10r20057: Attempt to fix connect timeouts when connected onJeremy Allison1-0/+1
a network but not one on which any home DC's can be found (hotel network problem). Still testing but this is getting close. Jeremy. (This used to be commit 369c9e4138b93f7cfb6680f0beb541f58554e856)
2007-10-10r18980: Be a little more intelligent about "startup_time",Jeremy Allison1-1/+2
move into the domain struct. Allow message to go online to set this state and cope with removing it. Jeremy. (This used to be commit 51f0e60cc3a652b0ff1658d4c07bfc9493fbc51a)
2007-10-10r18551: Implement a 30 seconds from startup, during which weJeremy Allison1-0/+1
try hard to connect a DC even if we might be offline. Jeremy. (This used to be commit a9f115140700487767bafa058db744eea5ee8f77)
2007-10-10r18271: Big change:Gerald Carter1-4/+4
* autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2007-10-10r18191: Fix the online/offline state handling of winbindd.Jeremy Allison1-0/+4
Instead of trying to do this in the winbindd_cache entries, add a timed even handler to probe every 5 mins when disconnected. Fix events to run all pending events, rather than only one. Jeremy. (This used to be commit 7bfbe1b4fb9a91c6678035f220bbf0b4f5afdcac)
2007-10-10r16945: Sync trunk -> 3.0 for 3.0.24 code. Still needJeremy Allison1-0/+9
to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2007-10-10r15634: Prevent passwords of winbindd's list of credential caches from beeingGünther Deschner1-0/+4
swapped to disc using mlock(). (patch was reviewed by Jeremy). Guenther (This used to be commit 206cdbb8e9a4a0900060d56510e58b85a2b8aec5)
2007-10-10r14505: Rename the timed_event to lockout_policy_event.Günther Deschner1-1/+1
Guenther (This used to be commit 3e607aa69ae2d43fb6ec170d03221a6b22d3f35d)
2007-10-10r14321: When we have libnscd and winbindd comes (back) online, try to flush theGünther Deschner1-0/+4
nscd caches so that NSS-calls can deliver accurate information. Guenther (This used to be commit a32a423a0e9e0d4dd21282fd528bcd3247fddbd1)
2007-10-10r13316: Let the carnage begin....Gerald Carter1-2/+15
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r11704: methods->alternate_name is not used anymore -- remove itVolker Lendecke1-3/+0
(This used to be commit 4a4f85f0ef8545b7062e9a49392d4488aa108036)
2007-10-10r11319: read_buf_len and write_buf_len are no longer used, remove them.Volker Lendecke1-1/+0
Volker (This used to be commit 6948f748f689708c396e52097553ff222b1af744)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter1-8/+8
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r7994: This adds support in Winbindd's "security = ads"-mode to retrieve the ↵Günther Deschner1-0/+4
POSIX homedirectory and the loginshell from Active Directory's "Services for Unix". Enable it with: winbind sfu support = yes User-Accounts without SFU-Unix-Attributes will be assigned template-based Shells and Homedirs as before. Note that it doesn't matter which version of Services for Unix you use (2.0, 2.2, 3.0 or 3.5). Samba should detect the correct attributes (msSFULoginShell, msSFU30LoginShell, etc.) automatically. If you also want to share the same uid/gid-space as SFU then also use PADL's ad-idmap-Plugin: idmap backend = ad When using the idmap-plugin only those accounts will appear in Name Service Switch that have those UNIX-attributes which avoids potential uid/gid-space clashes between SFU-ids and automatically assigned idmap-ids. Guenther (This used to be commit 28b59699425b1c954d191fc0e3bd357e4a4e4cd8)
2007-10-10r7882: Looks like a large patch - but what it actually does is make SambaJeremy Allison1-3/+3
safe for using our headers and linking with C++ modules. Stops us from using C++ reserved keywords in our code. Jeremy (This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a)
2007-10-10r7785: This looks much larger than it is. It changes the top-level functions ↵Volker Lendecke1-6/+0
of the parent winbind not to return winbindd_result. This is to hopefully fix all the problems where a result has been scheduled for write twice. The problematic ones have been the functions that might have been delayed as well as under other circumstances immediately gets answered from the cache. Now a request needs to be explicitly replied to with a request_error() or request_ok(). Volker (This used to be commit 7365c9accf98ec1dd78a59dd7f62462bbb8528d4)
2007-10-10r7415: * big change -- volker's new async winbindd from trunkGerald Carter1-8/+75
(This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8)
2007-10-10r6755: removing domain_sid() since it is not referenced anymoreGerald Carter1-4/+0
(This used to be commit 8104149e6f490fa1a298e61becc8df01ddd92008)
2007-10-10r6040: finish out 'net rpc service list'Gerald Carter1-1/+0
(This used to be commit 42588ba50cb1b47a00f3e0bed33ca3431eb8af14)
2007-10-10r4760: Make wbinfo --user-sids expand domain local groups. Andrew B., my testingVolker Lendecke1-0/+8
shows that this info is correctly returned to us in to info3 struct, so check_info3_in_group does not need to be adapted. Volker (This used to be commit a84e778cafcefdc1809474c2123e757c8c9d9b70)
2007-10-10r3843: If a connection to a DC is requested, open connections ↵Volker Lendecke1-0/+4
simultaeneously to all DCs found. The first one to reply wins. Volker (This used to be commit 84ac54aef2bd56b5c889d3b05b8828aceb8ae00e)
2007-10-10r2835: Since we always have -I. and -I$(srcdir) in CFLAGS, we can get rid ofTim Potter1-1/+1
'..' from all #include preprocessor commands. This fixes bugzilla #1880 where OpenVMS gets confused about the '.' characters. (This used to be commit 7f161702fa4916979602cc0295919b541912acd6)
2007-10-10r395: BUG 1232: patch from landonf@opendarwin.org (Landon Fuller) to fixGerald Carter1-0/+2
user/group enumeration on systems whose libc does not call setgrent() before trying to enumerate users (i.e. FreeBSD 5.2) (This used to be commit 8106d8097258eae260ed834399881bf0be9b515b)
2007-10-10r294: checking in volker's winbindd patches; tested on domain members (Samba ↵Gerald Carter1-0/+3
and AD) as well as on a Samba DC (This used to be commit 157d53782d6a7d0b7e30676a674ff2a25a15369c)
2007-10-10r116: volker's patch for local group and group nestingGerald Carter1-0/+1
(This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-03-30Apply some constVolker Lendecke1-3/+3
(This used to be commit 8037750df568e6b51b2b0cba9192468110470388)
2004-01-08This merges in my 'always use ADS' patch. Tested on a mix of NT and ADSAndrew Bartlett1-1/+2
domains, this patch ensures that we always use the ADS backend when security=ADS, and the remote server is capable. The routines used for this behaviour have been upgraded to modern Samba codeing standards. This is a change in behaviour for mixed mode domains, and if the trusted domain cannot be reached with our current krb5.conf file, we will show that domain as disconnected. This is in line with existing behaviour for native mode domains, and for our primary domain. As a consequence of testing this patch, I found that our kerberos error handling was well below par - we would often throw away useful error values. These changes move more routines to ADS_STATUS to return kerberos errors. Also found when valgrinding the setup, fix a few memory leaks. While sniffing the resultant connections, I noticed we would query our list of trusted domains twice - so I have reworked some of the code to avoid that. Andrew Bartlett (This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
2004-01-05rpc_client/cli_lsarpc.c:Andrew Bartlett1-1/+1
rpc_parse/parse_lsa.c: nsswitch/winbindd_rpc.c: nsswitch/winbindd.h: - Add const libads/ads_ldap.c: - Cleanup function for use nsswitch/winbindd_ads.c: - Use new utility function ads_sid_to_dn - Don't search for 'dn=', rather call the ads_search_retry_dn() nsswitch/winbindd_ads.c: include/rpc_ds.h: rpc_client/cli_ds.c: - Fixup braindamage in cli_ds_enum_domain_trusts(): - This function was returning a UNISTR2 up to the caller, and was doing nasty (invalid, per valgrind) things with memcpy() - Create a new structure that represents this informaiton in a useful way and use talloc. Andrew Bartlett (This used to be commit 06c3f15aa166bb567d8be0a8bc4b095b167ab371)
2003-12-31Forgot to commit this for the 'get our primary domain' change.Andrew Bartlett1-0/+1
(This used to be commit 6f3cd9e2af7f1b4bdd7cb0e487987de159bb0dd8)
2003-11-12a small include file rearrangement that doesn't affect normalAndrew Tridgell1-1/+0
compilation, but that allows Samba3 to take advantage of pre-compiled headers in gcc if available. (This used to be commit b3e024ce1da7c7e24fcacd8a2964dd2e4562ba39)
2003-08-01Update my copyrights according to my agreement with IBMJim McDonough1-1/+1
(This used to be commit a2bd8f0bfa12f2a1e33c96bc9dabcc0e2171700d)
2003-08-01Fix copyright statements for various pieces of Anthony Liguori's work.Jim McDonough1-1/+1
(This used to be commit 15d2bc47854df75f8b2644ccbc887d0357d9cd27)
2003-06-21merge of the netsamlogon caching code from APPLIANCE_HEADGerald Carter1-0/+1
This replaces the universal group caching code (was originally based on that code). Only applies to the the RPC code. One comment: domain local groups don't show up in 'getent group' that's easy to fix. Code has been tested against 2k domain but doesn't change anything with respect to NT4 domains. netsamlogon caching works pretty much like the universal group caching code did but has had much more testing and puts winbind mostly back in sync between branches. (This used to be commit aac01dc7bc95c20ee21c93f3581e2375d9a894e1)
2003-06-10- fixed the bug that forced us not to use the winbindd cache when weAndrew Tridgell1-1/+4
have a primary ADS domain and a secondary (trusted) NT4 domain. This caused winbindd to be *really* slow for that setup. - fixed winbindd_getgrgid(), which was calling uid_to_sid instead of gid_to_sid(). When you make changes to winbind *PLEASE* test using nsstest. (This used to be commit cdd9b60a078b63e22f543d4c8d0956ff536f4d89)
2003-05-23Bug 83: fixes for building when $srcdir != $builddir from David LeeTim Potter1-1/+1
<t.d.lee@durham.ac.uk> (This used to be commit e48a8b5e9c1a75c6e4bffe022d0e25edae89bc58)
2003-04-23Merge HEAD's winbind into 3.0.Andrew Bartlett1-9/+30
This includes the 'SIDs Rule' patch, mimir's trusted domains cacheing code, the winbind_idmap abstraction (not idmap proper, but the stuff that held up the winbind LDAP backend in HEAD). Andrew Bartlett (This used to be commit d4d5e6c2ee6383c6cceb5d449aa2ba6c83eb0666)
2003-04-07Winbind merges from HEAD:Andrew Bartlett1-1/+1
- fix winbindd_pam bugs - give a better error message for unauthorized access to auth_crap - show this message in wbinfo - fix spelling: privilaged -> privileged ** This changes the location of the winbindd privileged pipe ** (thanks to tpot) Andrew Bartlett (This used to be commit 92c2a33483cc9ddd1dd627224192a3023f8caff8)
2003-03-24(merge from HEAD)Andrew Bartlett1-0/+2
NTLM Authentication: - Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664)
2003-02-28*Excellent* patch from Michael Steffens <michael_steffens@hp.com> to limitJeremy Allison1-10/+11
the unix domain sockets used by winbindd (also solves FD_SETSIZE problem in winbindd to boot !). Adds a "last_access" field to winbindd connections, and will close the oldest idle connection once the number of open connections goes over WINBINDD_MAX_SIMULTANEOUS_CLIENTS (defined in local.h as 200 currently). Jeremy. (This used to be commit 7a586552a3aeb4a26495f0965af4bd027456a011)