Age | Commit message (Collapse) | Author | Files | Lines |
|
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
|
|
Jeremy.
(This used to be commit cd192ed79a531c6775cdbfb35f0eb2e0fa230ce9)
|
|
(This used to be commit 4a4f85f0ef8545b7062e9a49392d4488aa108036)
|
|
Still needs some more testing ni domains with multiple DCs. Coming next....
(This used to be commit aaed605206a8549cec575dab31e56bf6d32f26a6)
|
|
This avoids that each time a full-group-dump is requested from ADS; the
bitwise match allows to only query those groups we are interested in.
The ADS LDAP server changed to RFC compliant behaviour when decoding the ldap
filter with extensible match in the latest SPs (fixes). From the patch:
/* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
* rollup-fixes:
*
* According to Section 5.1(4) of RFC 2251 if a value of a type is it's
* default value, it MUST be absent. In case of extensible matching the
* "dnattr" boolean defaults to FALSE and so it must be only be present
* when set to TRUE.
*
* When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
* filter using bitwise matching rule then a buggy AD fails to decode
* the extensible match. As a workaround set it to TRUE and thereby add
* the dnAttributes "dn" field to cope with those older AD versions.
* It should not harm and won't put any additional load on the AD since
* none of the dn components have a bitmask-attribute.
*
* Thanks to Ralf Haferkamp for input and testing */
Guenther
(This used to be commit db38ed6be607d08515920d46fb8a12f8cb4ddd6e)
|
|
x86_64 box.
Jeremy.
(This used to be commit d720867a788c735e56d53d63265255830ec21208)
|
|
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
|
|
that AD's builtin groups mixup with our own builtin groups.
Guenther
(This used to be commit 9930013161f1ae59e7aed1b397b79792d384f1ba)
|
|
Guenther
(This used to be commit d75bfce8cc9122ddcad149704e467c784f0a0872)
|
|
caused by users with no supplementary groups.
(This used to be commit dbdf8c631531c499965630bfae3b381f3dc8314a)
|
|
Jeremy.
(This used to be commit c63ad85b8c1aedd04a65e46c27a6e2661093847a)
|
|
upcoming changes for "unixinfo"-pipe.
Therefor (after speaking with Volker) replace "winbind sfu support" with
the list-parameter "winbind nss info" which defaults to "template". For
SFU-support set it to "winbind nss info = template sfu".
Note that nss_info_use() is just a dummy function at the moment.
Guenther
(This used to be commit 91596330ea3c4ba0fb9ddc52ad9d4a7c8e5b2d3f)
|
|
POSIX
homedirectory and the loginshell from Active Directory's "Services for Unix".
Enable it with:
winbind sfu support = yes
User-Accounts without SFU-Unix-Attributes will be assigned template-based
Shells and Homedirs as before.
Note that it doesn't matter which version of Services for Unix you use (2.0,
2.2, 3.0 or 3.5). Samba should detect the correct attributes (msSFULoginShell,
msSFU30LoginShell, etc.) automatically.
If you also want to share the same uid/gid-space as SFU then also use PADL's
ad-idmap-Plugin:
idmap backend = ad
When using the idmap-plugin only those accounts will appear in Name Service
Switch that have those UNIX-attributes which avoids potential uid/gid-space
clashes between SFU-ids and automatically assigned idmap-ids.
Guenther
(This used to be commit 28b59699425b1c954d191fc0e3bd357e4a4e4cd8)
|
|
safe for using our headers and linking with C++ modules. Stops us
from using C++ reserved keywords in our code.
Jeremy
(This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a)
|
|
(This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8)
|
|
(This used to be commit 8104149e6f490fa1a298e61becc8df01ddd92008)
|
|
(This used to be commit efea76ac71412f8622cd233912309e91b9ea52da)
|
|
(This used to be commit 9019a8436162d3606f6b8584701b0832cf5a7439)
|
|
shows that this info is correctly returned to us in to info3 struct, so
check_info3_in_group does not need to be adapted.
Volker
(This used to be commit a84e778cafcefdc1809474c2123e757c8c9d9b70)
|
|
allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
|
|
Guenther
(This used to be commit 86a61c86a49a7e4d67e61201458c9b0229fb0825)
|
|
and AD) as well as on a Samba DC
(This used to be commit 157d53782d6a7d0b7e30676a674ff2a25a15369c)
|
|
(This used to be commit 8037750df568e6b51b2b0cba9192468110470388)
|
|
Winbind tickets expired. We now check the expiration time, and acquire
new tickets. We couln't rely on renewing them, because if we didn't get
a request before they expired, we wouldn't have renewed them. Also, there
is a one-week limit in MS on renewal life, so new tickets would have been
needed after a week anyway. Default is 10 hours, so we should only be
acquiring them that often, unless the configuration on the DC is changed (and
the minimum is 1 hour).
(This used to be commit c2436c433afaab4006554a86307f76b6689d6929)
|
|
(This used to be commit 97a24d13892e292d31a1a6d7a1c96893508d6222)
|
|
memory (not the members though)
(This used to be commit 4449e0e251190b741f51348819669453f0758f36)
|
|
(This used to be commit d7b6298b9e4e7f83deaa2c6f3d711c390ff9cefd)
|
|
While machine accounts cannot use an NTLM login (NT4 style), they are
otherwise full and valid members of the domain, and expect to be able to
use kerberos to connect to CIFS servers.
This means that the LocalSystem account, used by various services, can
perform things like backups, without the admin needing to enter further
passwords.
This particular issue (bug 722) has started to come up a lot on the lists.
I have only enabled it for winbindd-based systems, as the macros use use
to call the 'add user script' will strip the $ from the username for
security reasons.
Andrew Bartlett
(This used to be commit 6a9bbd1da3bb961d24e74348fa0b68574022855f)
|
|
(This used to be commit 7e5855dfd27ed9ec1fa924986f1ba02632a0d5a0)
|
|
DNS names (realms) from NetBIOS domain names.
Until now, we would experience delays as we broadcast lookups for DNS names
onto the local network segments.
Now if DNS comes back negative, we fall straight back to looking up the
short name.
Andrew Bartlett
(This used to be commit 32397c8b01f1dec7b05140d210bb32f836a80ca6)
|
|
rpc_parse/parse_lsa.c:
nsswitch/winbindd_rpc.c:
nsswitch/winbindd.h:
- Add const
libads/ads_ldap.c:
- Cleanup function for use
nsswitch/winbindd_ads.c:
- Use new utility function ads_sid_to_dn
- Don't search for 'dn=', rather call the ads_search_retry_dn()
nsswitch/winbindd_ads.c:
include/rpc_ds.h:
rpc_client/cli_ds.c:
- Fixup braindamage in cli_ds_enum_domain_trusts():
- This function was returning a UNISTR2 up to the caller, and
was doing nasty (invalid, per valgrind) things with memcpy()
- Create a new structure that represents this informaiton in a useful way
and use talloc.
Andrew Bartlett
(This used to be commit 06c3f15aa166bb567d8be0a8bc4b095b167ab371)
|
|
This introduces range retrieval of ADS attributes.
VL rewrote most of Günther's patch, partly to remove code duplication and
partly to get the retrieval of members in one rush, not interrupted by the
lookups for the DN.
I rewrote that patch, to ensure that we can keep an eye on the USN
(sequence number) of the entry - this allows us to ensure the read was
atomic.
In particular, the range retrieval is now generic, for strings. It
could easily be made generic for any attribute type, if need be.
Andrew Bartlett
(This used to be commit 131bb928f19c7b1f582c4ad9ac42e5f3d9dfb622)
|
|
Volker
(This used to be commit dafa4d202b65382c365f10365208d9de4eef5586)
|
|
a double-free(), and the resultant malloc heap corruption.
This may be one of our lurking winbind segfaults.
Andrew Bartlett
(This used to be commit 903263a1bdb755f86dac3a9a92a4af39c8b102c4)
|
|
Volker
(This used to be commit 0c8ee04c78543b1da3b675df4cf85ee5496c3fbf)
|
|
This introduces range retrieval of ADS attributes.
I've rewritten most of Günther's patch, partly to remove code duplication and
partly to get the retrieval of members in one rush, not interrupted by the
lookups for the DN.
Andrew, you told me that you would like to see a check whether the AD sequence
number is the same before and after the retrieval to achieve atomicity. This
would be trivial to add, but I'm not sure that we want this, as this adds two
roundtrips to every membership query. We can not know before the first query
whether we get additional range values, and at that point it's too late to ask
for the USN.
Tested with a group of 4000 members along with lots of small groups.
Volker
(This used to be commit 9d8235bf413f931e40bca0c27a25ed62b4f3d226)
|
|
compilation, but that allows Samba3 to take advantage of pre-compiled
headers in gcc if available.
(This used to be commit b3e024ce1da7c7e24fcacd8a2964dd2e4562ba39)
|
|
(This used to be commit 5eca81c66096a01eda1731892d044c09d4c18556)
|
|
down; bug 437
(This used to be commit 1cfbd92404270e0c67a3b295fc9cf461b29d3503)
|
|
ads_search_XXX() calls.
(This used to be commit 74c02e5fbc411d6fd1b13a1e21599da030897efe)
|
|
already have ads_search_retry() for this. However, neither
domain_sid() nor sequence_nunber() used this function. So modify
them to us ads_do_search_retry() so we can specify the base search
DN and scope.
(This used to be commit 89f6adf830187d020bf4b35d1a4b2b48c7a075d0)
|
|
smb.conf
Fixes to ensure we work with disable netbios = yes
(This used to be commit 3913e43724870c62a0d77ec3e73cbe9480cb6247)
|
|
(This used to be commit e3f5afb83142f44369dcd341d6e66ed2fe51248f)
|
|
Ken Cross. Sometimes ads conenction get stale but we don't know
they are dead until we try them. This patch may need some optimization
after people bang on it for a while.
(This used to be commit 7021cf63a4501c90620cf6a5f117eef345bbd291)
|
|
Also make sure thet ads_startup uses lp_realm instead of
just relying on the workgroup name. Fixes bug in net ads join
when the workgroup defaults to "WORKGROUP" and we ignore the
realm name.
(This used to be commit b1763ace4e85f41574894e3807cabb5196fec661)
|
|
(This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669)
|
|
* use DsEnumerateDomainTrusts() instead of LDAP search.
wbinfo -m now lists all trusted downlevel domains and
all domains in the forest.
Thnigs to do:
o Look at Krb5 connection trusted domains
o make sure to initial the trusted domain cache as soon
as possible
(This used to be commit 0ab00ccaedf204b39c86a9e1c2fcac5f15d0e033)
|
|
strupper_m/strlower_m.
I really want people to think about when they're using multibyte strings.
Jeremy.
(This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
|
|
(This used to be commit 10c51bbef83dabd99f129fc7ff0e3fe47c393c67)
|
|
failure
* Fix code to use winbind_rpc methods for trusted mixed mode or NT4 domains
( does no one ever test this? )
* add in LDAP code to get the sequence number for rpc based seqnum update.
( this is needed if the DC is upgraded and samba is not reconfigured
to use security = ads; it's not pretty but it works (from app_head) )
* fix bug that caused us to enumerate domain local groups in domains
other than our own
(This used to be commit 14f2cd139a22454571cea8475d3b7c5c2787d378)
|