summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_ads.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r22737: Fix crash bug (info3 is now talloced).Günther Deschner1-1/+1
Guenther (This used to be commit 08a7ee8d968b493a17fd669f3dc6fed7abe3d36e)
2007-10-10r22711: Fix a compile warnign in query_user(). Ensure that user_ridGerald Carter1-2/+1
is initialized. (This used to be commit ef0304268284df7166ecd1b17328076e7ce40de9)
2007-10-10r22710: Support one-way trusts.Gerald Carter1-6/+107
* Rely on the fact that name2sid will work for any name in a trusted domain will work against our primary domain (even in the absense of an incoming trust path) * Only logons will reliably work and the idmap backend is responsible for being able to manage id's without contacting the trusted domain * "getent passwd" and "getent group" for trusted users and groups will work but we cannot get the group membership of a user in any fashion without the user first logging on (via NTLM or krb5) and the netsamlogon_cache being updated. (This used to be commit dee2bce2af6aab8308dcef4109cc5248cfba5ef5)
2007-10-10r22706: missed one reference to domain->native_mode in the previous commitGerald Carter1-1/+1
(This used to be commit aa2ac5a1944884586c9f7e97c3a0b1b6c418b554)
2007-10-10r22704: Implement three step method for enumerating domain trusts.Gerald Carter1-5/+77
(a) Query our primary domain for trusts (b) Query all tree roots in our forest (c) Query all forest roots in trusted forests. This will give us a complete trust topology including domains via transitive Krb5 trusts. We also store the trust type, flags, and attributes so we can determine one-way trusted domains (outgoing only trust path). Patch for one-way trusts coming in a later check-in. "wbinfo -m" now lists all domains in the domain_list() as held by the main winbindd process. (This used to be commit 9cf6068f1e0a1063d331af17aa493140497b96ef)
2007-10-10r22590: Make TALLOC_ARRAY consistent across all uses.Jeremy Allison1-10/+15
That should be it.... Jeremy. (This used to be commit 603233a98bbf65467c8b4f04719d771c70b3b4c9)
2007-10-10r22511: Remove unused LDAPMessage.Günther Deschner1-3/+0
Guenther (This used to be commit 31a193b02a08d2323d93659105c0fd5650b33419)
2007-10-10r22461: Use ranged LDAP queries in lookup_usergroups_member() and start to ↵Günther Deschner1-99/+75
optinmize lookup_groupmem(). In the later, at least try to avoid those massive LDAP dn_lookups by looking in the cache before. Guenther (This used to be commit eb1566869c5493f2a1d1ff9fcaaa45c143ad12a0)
2007-10-10r22015: Fix for memory leak from Steven Danneman <steven.danneman@isilon.com>Jeremy Allison1-0/+5
Jeremy. (This used to be commit 61a1574f50d35435a55de62fa6f1d281eed90a25)
2007-10-10r21636: Was almost right before. We have to specify the short domain name ↵Gerald Carter1-1/+1
to get the Krb5 config stuff to work in the server affinity settings. (This used to be commit 518052be38385ad089c0cb092d07ccd210a27ef3)
2007-10-10r21633: First real fix from me found during the bug hunt.Gerald Carter1-0/+8
ads_cached_connection() does not call get_dc_name() before ads_connect() and therefore does not setup the environment to look at krb5.conf.DOMAIN file before sending the TGT request. The failure I'm seeing occurs ni a multi-DC domain where we get back preuath failed after we just joined the domain. (This used to be commit 256f36dce3e3a39798b2ad38fa3123669d670597)
2007-10-10r21606: Implement escaping function for ldap RDN valuesSimo Sorce1-9/+1
Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-10-10r21566: If we're going to be broken, at least be *consistently*Jeremy Allison1-1/+9
broken :-). This will do until Simo fixes the escape calls properly. Jeremy. (This used to be commit b7d91ec1b20f8d58903a3283f7789a30041461be)
2007-10-10r21240: Fix longstanding Bug #4009.Günther Deschner1-11/+21
For the winbind cached ADS LDAP connection handling (ads_cached_connection()) we were (incorrectly) assuming that the service ticket lifetime equaled the tgt lifetime. For setups where the service ticket just lives 10 minutes, we were leaving hundreds of LDAP connections in CLOSE_WAIT state, until we fail to service entirely with "Too many open files". Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP connection after the ads_do_search_retry() has failed to submit the search request (although the bind succeeded (returning an expired service ticket that we cannot delete from the memory cred cache - this will get fixed later)). Guenther (This used to be commit 7e1a84b7226fb8dcd5d34c64a3478a6d886a9a91)
2007-10-10r21001: * Use a simple '#define LDAPMessage void' to fix the buildGerald Carter1-4/+0
problems in the nss_info interface when HAVE_LDAP is undefined. * Revert previous ifdef HAVE_ADS brakets * Remove an unused init function wrapper. (This used to be commit 2ba353848b6d8d36520e7fd82576653a39c602cd)
2007-10-10r20986: Commit the prototype of the nss_info plugin interface.Gerald Carter1-59/+15
This allows a provider to supply the homedirectory, etc... attributes for a user without requiring support in core winbindd code. The idmap_ad.c module has been modified to provide the idmap 'ad' library as well as the rfc2307 and sfu "winbind nss info" support. The SID/id mapping is working in idmap_ad but the nss_info still has a few quirks that I'm in the process of resolving. (This used to be commit aaec0115e2c96935499052d9a637a20c6445986e)
2007-10-10r20824: Send access to the trusted domain passwords through the pdb backend, ↵Volker Lendecke1-1/+1
so that in the next step we can store them in LDAP to be replicated across DCs. Thanks to Michael Adam <ma@sernet.de> Volker (This used to be commit 3c879745cfc39be6128b63a88ecdbfa3d9ce6c2d)
2007-10-10r20124: clean up nested extern declaration warningsHerb Lewis1-1/+2
(This used to be commit ac3eb7813e33b9a2e78c9158433f7ed62c3b62bb)
2007-10-10r20090: Fix a class of bugs found by James Peach. EnsureJeremy Allison1-9/+27
we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
2007-10-10r20035: Fix obvious horrible bug in falling back to MS-RPCJeremy Allison1-6/+3
methods. Jeremy. (This used to be commit 7ac4ae4b517a18e97673e95d862a5b18175252c1)
2007-10-10r19657: Correctly check for malloc failureVolker Lendecke1-1/+1
(This used to be commit e5b5c9b058b7f2a6188684019ffe42e497ac6b6c)
2007-10-10r19656: Correctly check for malloc failureVolker Lendecke1-1/+1
(This used to be commit 3d0661b0393804707eb42d9ee9377a622333f252)
2007-10-10r18019: Fix a C++ warnings: Don't use void * in libads/ for LDAPMessage anymore.Volker Lendecke1-11/+11
Compiled it on systems with and without LDAP, I hope it does not break the build farm too badly. If it does, I'll fix it tomorrow. Volker (This used to be commit b2ff9680ebe0979fbeef7f2dabc2e3f27c959d11)
2007-10-10r16945: Sync trunk -> 3.0 for 3.0.24 code. Still needJeremy Allison1-0/+1
to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2007-10-10r16361: Fix Klocwork ID 1731 1770 1771 1775 1796Volker Lendecke1-1/+5
Volker (This used to be commit 8a5cebc19e4709399976efe9e3ba3bf29249620a)
2007-10-10r16285: On a 64-bit box, size_t != uint32. Ensure we useJeremy Allison1-2/+4
the right parameter type. Jeremy. (This used to be commit 938545f5352161b4fe195c2a826a26db5236f851)
2007-10-10r16187: Fix memleak.Günther Deschner1-9/+12
Guenther (This used to be commit e7d2b84aba2f2f5d844ba6a5fdcce35c3750d0b2)
2007-10-10r16080: Re-add accidentially excluded in-forest domain trusts (fixes bug #3823).Günther Deschner1-1/+1
Guenther (This used to be commit 8759a00fedfe5d8d789c8b707c924d8116da1102)
2007-10-10r15698: An attempt to make the winbind lookup_usergroups() call in security=adsGünther Deschner1-16/+112
more scalable: The most efficient way is to use the "tokenGroups" attribute which gives the nested group membership. As this attribute can not always be retrieved when binding with the machine account (the only garanteed way to get the tokenGroups I could find is when the machine account is a member of the "Pre Win2k Access" builtin group). Our current fallback when "tokenGroups" failed is looking for all groups where the userdn was in the "member" attribute. This behaves not very well in very large AD domains. The patch first tries the "memberOf" attribute on the user's dn in that case and directly retrieves the group's sids by using the LDAP Extended DN control from the user's object. The way to pass down the control to the ldap search call is rather painfull and probably will be rearranged later on. Successfully tested on win2k sp0, win2k sp4, wink3 sp1 and win2k3 r2. Guenther (This used to be commit 7d766b5505e4099ef7dd4e88bb000ebe38d71bd0)
2007-10-10r15697: I take no comments as no objections :)Günther Deschner1-12/+36
Expand the "winbind nss info" to also take "rfc2307" to support the plain posix attributes LDAP schema from win2k3-r2. This work is based on patches from Howard Wilkinson and Bob Gautier (and closes bug #3345). Guenther (This used to be commit 52423e01dc209ba5abde808a446287714ed11567)
2007-10-10r15562: Attempt to fix Coverity bug # 283Volker Lendecke1-0/+8
(This used to be commit 3762effca5e1e2bbb2d1d9dd8504c502485eca7d)
2007-10-10r15460: Prefer to use the indexed objectCategory attribute (instead ofGünther Deschner1-2/+2
objectClass which is not indexed on AD) in LDAP queries. Guenther (This used to be commit 847882a98328b91a2157959c5dad0a2023223846)
2007-10-10r15307: Ignore builtin groups we're a member of on the DC as those membershipsGünther Deschner1-1/+6
are not valid locally. Guenther (This used to be commit 177da7754b53348d8754d46098dbd11300234bb5)
2007-10-10r15306: Be consistent between rpc and ads winbind backend: let the ads backendGünther Deschner1-2/+10
query the samlogon cache first as well. Guenther (This used to be commit aa52b11dd450ca3ec1f156e17822b1c4971ef915)
2007-10-10r15305: Let winbind search by sid directly (or in windows terms: "bind to aGünther Deschner1-6/+16
sid"); works in all AD versions I tested. Also add "net ads sid" search tool. Guenther (This used to be commit 5557ada6943b817d28a5471c613c7291febe2ad5)
2007-10-10r14611: Fix init_creds_opts issue jerry discovered when using MIT krb5 1.3:Günther Deschner1-1/+1
We were using a far too short renewable_time in the request; newer MIT releases take care interally that the renewable time is never shorter then the default ticket lifetime. Guenther (This used to be commit bde4a4018e26bc9aab4b928ec9811c05b21574f3)
2007-10-10r14148: Removing the not very well tested krb5 ticket refresh handling activatedGünther Deschner1-4/+0
over --with-kcm. No time to look after it for the moment. Guenther (This used to be commit 7ec2b31a8790db1466ffafeab533c11ab7ea801a)
2007-10-10r14145: Add missing WITH_KCM hunks from my local tree.Günther Deschner1-0/+4
Guenther (This used to be commit 977079a0583497255fbd4a48de52ebd404710b62)
2007-10-10r13657: Let winbindd try to obtain the gecos field from the msSFU30GecosGünther Deschner1-11/+24
attribute when "winbind nss info = sfu" is set. Fixes #3539. Guenther (This used to be commit ffce0461de130828345c44293e564ca03227607d)
2007-10-10r13316: Let the carnage begin....Gerald Carter1-6/+13
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r12045: More warning fixes... Just a few more to go.Jeremy Allison1-1/+1
Jeremy. (This used to be commit cd192ed79a531c6775cdbfb35f0eb2e0fa230ce9)
2007-10-10r11704: methods->alternate_name is not used anymore -- remove itVolker Lendecke1-37/+0
(This used to be commit 4a4f85f0ef8545b7062e9a49392d4488aa108036)
2007-10-10r11651: After talking to Jeremy, commit my winbindd "Do the Right Thing" patch.Gerald Carter1-3/+31
Still needs some more testing ni domains with multiple DCs. Coming next.... (This used to be commit aaed605206a8549cec575dab31e56bf6d32f26a6)
2007-10-10r11242: use LDAP bitwise machting rule when searching for groups in ADS.Günther Deschner1-17/+36
This avoids that each time a full-group-dump is requested from ADS; the bitwise match allows to only query those groups we are interested in. The ADS LDAP server changed to RFC compliant behaviour when decoding the ldap filter with extensible match in the latest SPs (fixes). From the patch: /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o * rollup-fixes: * * According to Section 5.1(4) of RFC 2251 if a value of a type is it's * default value, it MUST be absent. In case of extensible matching the * "dnattr" boolean defaults to FALSE and so it must be only be present * when set to TRUE. * * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a * filter using bitwise matching rule then a buggy AD fails to decode * the extensible match. As a workaround set it to TRUE and thereby add * the dnAttributes "dn" field to cope with those older AD versions. * It should not harm and won't put any additional load on the AD since * none of the dn components have a bitmask-attribute. * * Thanks to Ralf Haferkamp for input and testing */ Guenther (This used to be commit db38ed6be607d08515920d46fb8a12f8cb4ddd6e)
2007-10-10r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4Jeremy Allison1-12/+18
x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter1-8/+3
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r10474: We better ignore builtin SIDs from the Active Directory DC to preventGünther Deschner1-1/+8
that AD's builtin groups mixup with our own builtin groups. Guenther (This used to be commit 9930013161f1ae59e7aed1b397b79792d384f1ba)
2007-10-10r10261: Don't bother to peek rids in builtin-sids.Günther Deschner1-0/+3
Guenther (This used to be commit d75bfce8cc9122ddcad149704e467c784f0a0872)
2007-10-10r9361: patch from Ed Plese to fix a faulty error in winbinddGerald Carter1-13/+12
caused by users with no supplementary groups. (This used to be commit dbdf8c631531c499965630bfae3b381f3dc8314a)
2007-10-10r9252: 2 type fixes from Luke Mewburn <lukem@NetBSD.org>. Bugid #2934.Jeremy Allison1-1/+2
Jeremy. (This used to be commit c63ad85b8c1aedd04a65e46c27a6e2661093847a)