Age | Commit message (Collapse) | Author | Files | Lines |
|
Guenther
(This used to be commit 08a7ee8d968b493a17fd669f3dc6fed7abe3d36e)
|
|
is initialized.
(This used to be commit ef0304268284df7166ecd1b17328076e7ce40de9)
|
|
* Rely on the fact that name2sid will work for any name
in a trusted domain will work against our primary domain
(even in the absense of an incoming trust path)
* Only logons will reliably work and the idmap backend
is responsible for being able to manage id's without contacting
the trusted domain
* "getent passwd" and "getent group" for trusted users and groups
will work but we cannot get the group membership of a user in any
fashion without the user first logging on (via NTLM or krb5)
and the netsamlogon_cache being updated.
(This used to be commit dee2bce2af6aab8308dcef4109cc5248cfba5ef5)
|
|
(This used to be commit aa2ac5a1944884586c9f7e97c3a0b1b6c418b554)
|
|
(a) Query our primary domain for trusts
(b) Query all tree roots in our forest
(c) Query all forest roots in trusted forests.
This will give us a complete trust topology including
domains via transitive Krb5 trusts. We also store the
trust type, flags, and attributes so we can determine
one-way trusted domains (outgoing only trust path).
Patch for one-way trusts coming in a later check-in.
"wbinfo -m" now lists all domains in the domain_list() as held
by the main winbindd process.
(This used to be commit 9cf6068f1e0a1063d331af17aa493140497b96ef)
|
|
That should be it....
Jeremy.
(This used to be commit 603233a98bbf65467c8b4f04719d771c70b3b4c9)
|
|
Guenther
(This used to be commit 31a193b02a08d2323d93659105c0fd5650b33419)
|
|
optinmize
lookup_groupmem(). In the later, at least try to avoid those massive LDAP
dn_lookups by looking in the cache before.
Guenther
(This used to be commit eb1566869c5493f2a1d1ff9fcaaa45c143ad12a0)
|
|
Jeremy.
(This used to be commit 61a1574f50d35435a55de62fa6f1d281eed90a25)
|
|
to get the
Krb5 config stuff to work in the server affinity settings.
(This used to be commit 518052be38385ad089c0cb092d07ccd210a27ef3)
|
|
ads_cached_connection() does not call get_dc_name()
before ads_connect() and therefore does not setup
the environment to look at krb5.conf.DOMAIN file
before sending the TGT request. The failure I'm seeing
occurs ni a multi-DC domain where we get back preuath
failed after we just joined the domain.
(This used to be commit 256f36dce3e3a39798b2ad38fa3123669d670597)
|
|
Fix escaping of DN components and filters around the code
Add some notes to commandline help messages about how to pass DNs
revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was
incorrect.
The 2 functions use DNs in different ways.
- lookup_usergroups_member() uses the DN in a search filter,
and must use the filter escaping function to escape it
Escaping filters that include escaped DNs ("\," becomes "\5c,") is the
correct way to do it (tested against W2k3).
- lookup_usergroups_memberof() instead uses the DN ultimately as a base dn.
Both functions do NOT need any DN escaping function as DNs can't be reliably
escaped when in a string form, intead each single RDN value must be escaped
separately.
DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as
they come already escaped on the wire and passed as is by the ldap libraries
DN filtering has been tested.
For example now it is possible to do something like:
'net ads add user joe#5' as now the '#' character is correctly escaped when
building the DN, previously such a call failed with Invalid DN Syntax.
Simo.
(This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
|
|
broken :-). This will do until Simo fixes the escape
calls properly.
Jeremy.
(This used to be commit b7d91ec1b20f8d58903a3283f7789a30041461be)
|
|
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".
Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).
Guenther
(This used to be commit 7e1a84b7226fb8dcd5d34c64a3478a6d886a9a91)
|
|
problems in the nss_info interface when HAVE_LDAP is undefined.
* Revert previous ifdef HAVE_ADS brakets
* Remove an unused init function wrapper.
(This used to be commit 2ba353848b6d8d36520e7fd82576653a39c602cd)
|
|
This allows a provider to supply the homedirectory, etc...
attributes for a user without requiring support in core
winbindd code. The idmap_ad.c module has been modified
to provide the idmap 'ad' library as well as the rfc2307 and sfu
"winbind nss info" support.
The SID/id mapping is working in idmap_ad but the nss_info
still has a few quirks that I'm in the process of resolving.
(This used to be commit aaec0115e2c96935499052d9a637a20c6445986e)
|
|
so that
in the next step we can store them in LDAP to be replicated across DCs.
Thanks to Michael Adam <ma@sernet.de>
Volker
(This used to be commit 3c879745cfc39be6128b63a88ecdbfa3d9ce6c2d)
|
|
(This used to be commit ac3eb7813e33b9a2e78c9158433f7ed62c3b62bb)
|
|
we never mix malloc and talloc'ed contexts in the
add_XX_to_array() and add_XX_to_array_unique()
calls. Ensure that these calls always return
False on out of memory, True otherwise and always
check them. Ensure that the relevent parts of
the conn struct and the nt_user_tokens are
TALLOC_DESTROYED not SAFE_FREE'd.
James - this should fix your crash bug in both
branches.
Jeremy.
(This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
|
|
methods.
Jeremy.
(This used to be commit 7ac4ae4b517a18e97673e95d862a5b18175252c1)
|
|
(This used to be commit e5b5c9b058b7f2a6188684019ffe42e497ac6b6c)
|
|
(This used to be commit 3d0661b0393804707eb42d9ee9377a622333f252)
|
|
Compiled it on systems with and without LDAP, I hope it does not break the
build farm too badly. If it does, I'll fix it tomorrow.
Volker
(This used to be commit b2ff9680ebe0979fbeef7f2dabc2e3f27c959d11)
|
|
to do the upper layer directories but this is what
everyone is waiting for....
Jeremy.
(This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
|
|
Volker
(This used to be commit 8a5cebc19e4709399976efe9e3ba3bf29249620a)
|
|
the right parameter type.
Jeremy.
(This used to be commit 938545f5352161b4fe195c2a826a26db5236f851)
|
|
Guenther
(This used to be commit e7d2b84aba2f2f5d844ba6a5fdcce35c3750d0b2)
|
|
Guenther
(This used to be commit 8759a00fedfe5d8d789c8b707c924d8116da1102)
|
|
more scalable:
The most efficient way is to use the "tokenGroups" attribute which gives
the nested group membership. As this attribute can not always be
retrieved when binding with the machine account (the only garanteed way
to get the tokenGroups I could find is when the machine account is a
member of the "Pre Win2k Access" builtin group).
Our current fallback when "tokenGroups" failed is looking for all groups
where the userdn was in the "member" attribute. This behaves not very
well in very large AD domains.
The patch first tries the "memberOf" attribute on the user's dn in that
case and directly retrieves the group's sids by using the LDAP Extended
DN control from the user's object.
The way to pass down the control to the ldap search call is rather
painfull and probably will be rearranged later on.
Successfully tested on win2k sp0, win2k sp4, wink3 sp1 and win2k3 r2.
Guenther
(This used to be commit 7d766b5505e4099ef7dd4e88bb000ebe38d71bd0)
|
|
Expand the "winbind nss info" to also take "rfc2307" to support the
plain posix attributes LDAP schema from win2k3-r2.
This work is based on patches from Howard Wilkinson and Bob Gautier
(and closes bug #3345).
Guenther
(This used to be commit 52423e01dc209ba5abde808a446287714ed11567)
|
|
(This used to be commit 3762effca5e1e2bbb2d1d9dd8504c502485eca7d)
|
|
objectClass which is not indexed on AD) in LDAP queries.
Guenther
(This used to be commit 847882a98328b91a2157959c5dad0a2023223846)
|
|
are not valid locally.
Guenther
(This used to be commit 177da7754b53348d8754d46098dbd11300234bb5)
|
|
query the samlogon cache first as well.
Guenther
(This used to be commit aa52b11dd450ca3ec1f156e17822b1c4971ef915)
|
|
sid"); works in all AD versions I tested. Also add "net ads sid" search
tool.
Guenther
(This used to be commit 5557ada6943b817d28a5471c613c7291febe2ad5)
|
|
We were using a far too short renewable_time in the request; newer MIT
releases take care interally that the renewable time is never shorter
then the default ticket lifetime.
Guenther
(This used to be commit bde4a4018e26bc9aab4b928ec9811c05b21574f3)
|
|
over --with-kcm. No time to look after it for the moment.
Guenther
(This used to be commit 7ec2b31a8790db1466ffafeab533c11ab7ea801a)
|
|
Guenther
(This used to be commit 977079a0583497255fbd4a48de52ebd404710b62)
|
|
attribute when "winbind nss info = sfu" is set. Fixes #3539.
Guenther
(This used to be commit ffce0461de130828345c44293e564ca03227607d)
|
|
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
|
|
Jeremy.
(This used to be commit cd192ed79a531c6775cdbfb35f0eb2e0fa230ce9)
|
|
(This used to be commit 4a4f85f0ef8545b7062e9a49392d4488aa108036)
|
|
Still needs some more testing ni domains with multiple DCs. Coming next....
(This used to be commit aaed605206a8549cec575dab31e56bf6d32f26a6)
|
|
This avoids that each time a full-group-dump is requested from ADS; the
bitwise match allows to only query those groups we are interested in.
The ADS LDAP server changed to RFC compliant behaviour when decoding the ldap
filter with extensible match in the latest SPs (fixes). From the patch:
/* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
* rollup-fixes:
*
* According to Section 5.1(4) of RFC 2251 if a value of a type is it's
* default value, it MUST be absent. In case of extensible matching the
* "dnattr" boolean defaults to FALSE and so it must be only be present
* when set to TRUE.
*
* When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
* filter using bitwise matching rule then a buggy AD fails to decode
* the extensible match. As a workaround set it to TRUE and thereby add
* the dnAttributes "dn" field to cope with those older AD versions.
* It should not harm and won't put any additional load on the AD since
* none of the dn components have a bitmask-attribute.
*
* Thanks to Ralf Haferkamp for input and testing */
Guenther
(This used to be commit db38ed6be607d08515920d46fb8a12f8cb4ddd6e)
|
|
x86_64 box.
Jeremy.
(This used to be commit d720867a788c735e56d53d63265255830ec21208)
|
|
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
|
|
that AD's builtin groups mixup with our own builtin groups.
Guenther
(This used to be commit 9930013161f1ae59e7aed1b397b79792d384f1ba)
|
|
Guenther
(This used to be commit d75bfce8cc9122ddcad149704e467c784f0a0872)
|
|
caused by users with no supplementary groups.
(This used to be commit dbdf8c631531c499965630bfae3b381f3dc8314a)
|
|
Jeremy.
(This used to be commit c63ad85b8c1aedd04a65e46c27a6e2661093847a)
|