summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_ads.c
AgeCommit message (Collapse)AuthorFilesLines
2004-01-01After talking with abartlet remove the fix for bug 707 again.Volker Lendecke1-48/+21
Volker (This used to be commit a2e384262d0203772a6237b566c294f15bfd8948)
2004-01-01Fix for bug 707, getent group for huge ads groups (>1500 members)Volker Lendecke1-21/+48
This introduces range retrieval of ADS attributes. I've rewritten most of Günther's patch, partly to remove code duplication and partly to get the retrieval of members in one rush, not interrupted by the lookups for the DN. Andrew, you told me that you would like to see a check whether the AD sequence number is the same before and after the retrieval to achieve atomicity. This would be trivial to add, but I'm not sure that we want this, as this adds two roundtrips to every membership query. We can not know before the first query whether we get additional range values, and at that point it's too late to ask for the USN. Tested with a group of 4000 members along with lots of small groups. Volker (This used to be commit a2aa6e41e552abfb6d1056ab3a7c75e8fd0a150c)
2003-10-13make sure to use the escaped DN; patch from Guenther Deschner; bug 592Gerald Carter1-1/+1
(This used to be commit fe6aa4a95181bb2ad4352710cfc7868918609274)
2003-10-03don't call ads_destroy() twice; fixes segfault in winbindd when DC goes ↵Gerald Carter1-4/+11
down; bug 437 (This used to be commit 9da4d1f7dbb289dd1db5e57a4fd78004bbfbd26b)
2003-09-09sync 3.0 into HEAD for the last timeGerald Carter1-35/+39
(This used to be commit c17a7dc9a190156a069da3e861c18fd3f81224ad)
2003-08-02port latest changes from SAMBA_3_0 treeSimo Sorce1-9/+76
(This used to be commit 3101c236b8241dc0183995ffceed551876427de4)
2003-07-16trying to get HEAD building again. If you want the codeGerald Carter1-38/+105
prior to this merge, checkout HEAD_PRE_3_0_0_BETA_3_MERGE (This used to be commit adb98e7b7cd0f025b52c570e4034eebf4047b1ad)
2003-04-16Store the type of 'sec channel' that we establish to the DC. If we are aAndrew Bartlett1-1/+1
workstation, we have to use the workstation type, if we have a BDC account, we must use the BDC type - even if we are pretending to be a workstation at the moment. Also actually store and retreive the last change time, so we can do periodic password changes again (for RPC at least). And finally, a couple of minor fixes to 'net'. Andrew Bartlett (This used to be commit 6e6b7b79edae3efd0197651e9a8ce6775c001cf2)
2003-02-27Fix possible memory leak on failure.Andrew Bartlett1-0/+1
(This used to be commit 052ebc44cde8d31571ed1edb602794349825be11)
2003-02-26Kill RID-only and domain+RID madness from winbind.Andrew Bartlett1-82/+96
Now we deal with SIDs in almost all of winbind (a couple of limited exceptions remain, but I'm looking into them - they use non-winbind structs ATM). This has particular benifits in returning out-of-domain SIDs for group membership (Need to look into this a bit more) as well as general code quality. This also removes much of the complexity from the idmap interface, which now only deals with mapping IDs, not with SID->domain translations. Breifly tested, but needs more. Fixes some valgrind-found bugs from my previous commit. Winbind cache chagned to using SID strings in some places, as I could not follow exactly how to save and restore multiple packed sids properly. Andrew Bartlett (This used to be commit 9247cf08c40f016a924d600ac906cfc6a7016777)
2003-02-25After some comments from tridge, clean the new usergroups code into a helperAndrew Bartlett1-71/+94
function. Andrew Bartlett (This used to be commit 212a52b3d2ca39fcea2990f9293754b08e9b68e4)
2003-02-25Fix a really nasty bug where some users in AD domains (particularly childAndrew Bartlett1-14/+90
domains) would not have the tokenGroups or memberOf attributes filled in. This would cause a user to have no supplementary group membership. Detect this by the fact that the primaryGid must be present in the tokenGroups, and if it isn't (ie, if there is no tokenGroups at all), do a server-side search on all groups using the 'member' attribute and the user's DN. Andrew Bartlett (This used to be commit a074f74e627e1d947a76bcf3a39e3c5df4d4ffe5)
2003-02-21Fix another compiler warning.Tim Potter1-1/+0
(This used to be commit 1ea27d7987d2c0f67977371a99efec3ded13c872)
2003-02-20for some (very weird) reason, the domain I was testing aginst would notAndrew Bartlett1-0/+4
return a DN for the user. Make sure we don't segfault. Andrew Bartlett (This used to be commit 9fdedeff6a3a9f8e8d048e6afd7001ad676c4e91)
2003-02-19Move to a in-memory ccache for winbind, and replace setenv() properly.Andrew Bartlett1-3/+1
(According to the manpages, you cannot put a stack variable into putenv()). Yes, this leaks memory. Andrew Bartlett (This used to be commit 50bced1e26434ecc7474964062746e2831e5f433)
2003-02-01Always escape ldap filter strings. Escaping code was from pam_ldap, but I'm toAndrew Bartlett1-1/+8
blame for the realloc() stuff. Plus a couple of minor updates to libads. Andrew Bartlett (This used to be commit 34b2e558a4b3cfd753339bb228a9799e27ed8170)
2002-12-20Forward port the change to talloc_init() to make all talloc contextsJeremy Allison1-1/+1
named. Ensure we can query them. Jeremy. (This used to be commit 842e08e52a665ae678eea239759bb2de1a0d7b33)
2002-11-15enable enumeration of domain local groups using LDAP (and in a native mode ↵Gerald Carter1-5/+30
domain) (This used to be commit 3ac98b59632fd771b8819f88a479ef4c0daade68)
2002-10-18NULL enum_local_groups for ads winbindd (temporary workaround).Gerald Carter1-0/+1
(This used to be commit 06eea39abdb49d9d547707dcb170c988d7276c1d)
2002-09-27Move a number of ADS related functions out into utility libs, so that thingsAndrew Bartlett1-186/+11
like metze's sam_ads can also use them. Also add error checking etc to a few more functions. Andrew Bartlett (This used to be commit c864edf4fbf8a6c37888a14b861d7c12cf503d4f)
2002-09-06Patch from "Stefan (metze) Metzmacher" <metze@metzemix.de>Andrew Bartlett1-4/+4
to extend the ADS_STATUS system to include NTSTATUS, and to provide a better general infrustructure for his sam_ads work. I've also added some extra failure mode DEBUG()s to parts of the code. NOTE: The ADS_ERR_OK() macro is rather sensitive to braketing issues - without the final set of brakets, the test is essentially inverted - causing some intersting 'error = success' messages... Andrew Bartlett (This used to be commit 5b9a7ab901bc311f3ad08462a8a68d133c34a8b4)
2002-08-05This fixes a number of ADS problems, particularly with netbioslessAndrew Tridgell1-70/+49
setups. - split up the ads structure into logical pieces. This makes it much easier to keep things like the authentication realm and the server realm separate (they can be different). - allow ads callers to specify that no sasl bind should be performed (used by "net ads info" for example) - fix an error with handing ADS_ERROR_SYSTEM() when errno is 0 - completely rewrote the code for finding the LDAP server. Now try DNS methods first, and try all DNS servers returned from the SRV DNS query, sorted by closeness to our interfaces (using the same sort code as we use in replies from WINS servers). This allows us to cope with ADS DCs that are down, and ensures we don't pick one that is on the other side of the country unless absolutely necessary. - recognise dnsRecords as binary when displaying them - cope with the realm not being configured in smb.conf (work it out from the LDAP server) - look at the trustDirection when looking up trusted domains and don't include trusts that trust our domains but we don't trust theirs. - use LDAP to query the alternate (netbios) name for a realm, and make sure that both and long and short forms of the name are accepted by winbindd. Use the short form by default for listing users/groups. - rescan the list of trusted domains every 5 minutes in case new trust relationships are added while winbindd is running - include transient trust relationships (ie. C trusts B, B trusts A, so C trusts A) in winbindd. - don't do a gratuituous node status lookup when finding an ADS DC (we don't need it and it could fail) - remove unused sid_to_distinguished_name function - make sure we find the allternate name of our primary domain when operating with a netbiosless ADS DC (using LDAP to do the lookup) - fixed the rpc trusted domain enumeration to support up to approx 2000 trusted domains (the old limit was 3) - use the IP for the remote_machine (%m) macro when the client doesn't supply us with a name via a netbios session request (eg. port 445) - if the client uses SPNEGO then use the machine name from the SPNEGO auth packet for remote_machine (%m) macro - add new 'net ads workgroup' command to find the netbios workgroup name for a realm (This used to be commit e358d7b24c86a46d8c361b9e32a25d4f71a6dc00)
2002-07-11this implements a completely new strategy for fetching groupAndrew Tridgell1-33/+83
membership from an ADS server. We now use a 'member' query on the group and do a separate call to convert the resulting distinguished name to a name, rid etc. This is *much* faster for very large numbers of groups (on a quantum test system with 10000 groups it drops the time from an hour to about 35 seconds). strangely enough, this actually *increases* the amount of ldap traffic, its just that the MS LDAP server answers these queries much faster. (This used to be commit 5538048e4f6dd224b2990f3c6a3e99fd07065f77)
2002-07-01fixed a bug handling startup when the ads server is not contactableAndrew Tridgell1-1/+1
(This used to be commit dbfd4e5101599bcb85600e4c5c93ce5390b9aa91)
2002-06-18more debug classess activatedSimo Sorce1-0/+3
(This used to be commit 897e64d2e0c1d04ab93441ccaffe369bf43be46e)
2002-06-13Latest patch from metze <metze@metzemix.de> to move most of samba acrossAndrew Bartlett1-5/+5
to using SIDs instead of RIDs. The new funciton sid_peek_check_rid() takes an 'expected domain sid' argument. The idea here is to prevent mistakes where the SID is implict, but isn't the same one that we have in the struct. Andrew Bartlett (This used to be commit 04f9a8ff4c7982f6597c0f6748f85d66d4784901)
2002-06-03fixed some debug messagesAndrew Tridgell1-2/+2
(This used to be commit 8b5ac00ac60135f83145c65425d7b33a751a15b4)
2002-04-19fixed trust relationships in ADS winbindd after breaking them with my BDC ↵Andrew Tridgell1-1/+1
changes ... (This used to be commit 8096032663690eafb6bb8b4f405d6231389d4f80)
2002-04-18fixed the fallback to a BDC for ADS connectionsAndrew Tridgell1-1/+3
(This used to be commit 3e58a1ee83ea0b4347ce24e566445cc6cb67bb3a)
2002-04-14pull_username() is a local functionAndrew Tridgell1-1/+1
(This used to be commit fbf154bcfb68b90eb43ada9de317c93f43711608)
2002-04-14hanle the case where the win2000 username is completely different fromAndrew Tridgell1-8/+3
the pre-win2000 username (This used to be commit aa139ba507e4b898377fdfc9b27f7febf029d5a4)
2002-04-14modified the ADS backend to accept either the long or short versionsAndrew Tridgell1-11/+44
of long usernames (win2000 usernames can be longer than 20 characters) (This used to be commit 0719e756f60950b9ec04450fda5cc3776752e9a9)
2002-04-11possibly fix the 15000 user problemAndrew Tridgell1-6/+6
I think its caused by a rpc operation failing and us giving invalid data back to the cache layer. Using talloc_zero() should solve this. (This used to be commit dfa990170bb9a665ba48443258e2a87f50baa75c)
2002-03-21fixed the secondary group mappings for ADS usersAndrew Tridgell1-8/+56
(This used to be commit be399f5823bb8dfe6cc28d58aaeceb51f1b7382b)
2002-03-19updated winbindd to used paged ldap searches for all ldap queriesAndrew Tridgell1-1/+1
(This used to be commit 41e1560798b7eb19575b0d97a5e489eb170bcfd5)
2002-03-12fixed 2 reconnection bugs in the ADS backend supportAndrew Tridgell1-7/+11
(This used to be commit 1aaa2091d54e7e50cf75927d658e57776792d6ae)
2002-03-09better detection of dead ADS connections, so we have some chance ofAndrew Tridgell1-0/+6
reconnecting (This used to be commit 58b79c0dc882fa402423e44a594e30c27177f490)
2002-01-30Removed version number from file header.Tim Potter1-1/+1
Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2002-01-20This patch makes the 'winbind use default domain' code interact better withAndrew Bartlett1-10/+2
smbd, and also makes it much cleaner inside winbindd. It is mostly my code, with a few changes and testing performed by Alexander Bokovoy <a.bokovoy@sam-solutions.net>. ab has tested it in security=domain and security=ads, but more testing is always appricatiated. The idea is that we no longer cart around a 'domain\user' string, we keep them seperate until the last moment - when we push that string into a pwent on onto the socket. This removes the need to be constantly parsing that string - the domain prefix is almost always already provided, (only a couple of functions actually changed arguments in all this). Some consequential changes to the RPC client code, to stop it concatonating the two strings (it now passes them both back as params). I havn't changed the cache code, however the usernames will no longer have a double domain prefix in the key string. The actual structures are unchanged - but the meaning of 'username' in the 'rid' will have changed. (The cache is invalidated at startup, so on-disk formats are not an issue here). Andrew Bartlett (This used to be commit e870f0e727952aeb8599cf93ad2650ae56eca033)
2001-12-20added ads_domain_sid() functionAndrew Tridgell1-15/+5
(This used to be commit ff002a458afa6ca378f0c6d2ec9fb74233c839a7)
2001-12-19use "ads server" option if set for primary domainAndrew Tridgell1-4/+10
(This used to be commit 1bf5c1a46f4c3f44054ce8fcbc551cdb72683f2b)
2001-12-19add support for mixtures of ADS/NT4 domains, as long as the primaryAndrew Tridgell1-0/+9
domain is ADS (This used to be commit e97b40e09427c2c5f0a497f9432af08d6d6762f2)
2001-12-19much better ADS error handling systemAndrew Tridgell1-63/+59
(This used to be commit 05a90a28843e0d69183a49a76617c5f32817df16)
2001-12-19added trusted realm support to ADS authenticationAndrew Tridgell1-0/+2
the method used for checking if a domain is a trusted domain is very crude, we should really call a backend fn of some sort. For now I'm using winbindd to do the dirty work. (This used to be commit adf44a9bd0d997ba4dcfadc564a29149531525af)
2001-12-19- added initial support for trusted domains in winbindd_adsAndrew Tridgell1-10/+47
- gss error code patch from a.bokovoy@sam-solutions.net - better sid dumping in ads_dump - fixed help in wbinfo (This used to be commit ee1c3e1f044b4ef62169ad74c5cac40eef81bfda)
2001-12-11Replace backslash with winbind separator before calling parse_domain_user(). ↵Jim McDonough1-2/+4
Winbind separators other than backslash didn't work. (This used to be commit 6688781331e046adc77783792fc009cda7c8b5b8)
2001-12-11handle systems without setenv()Andrew Tridgell1-1/+1
(This used to be commit 87090652460e57703b40f21e9ed08c18770b61c3)
2001-12-11removed the start_ndx parameter from group enumerationAndrew Tridgell1-7/+1
I tried testing this by lowering the buffer size in cli_samr_enum_dom_groups() but that didn't work - I think this needs more looking into (This used to be commit 34328e30315e4b42087d0ee11ed0c3fb715bc250)
2001-12-11got rid of start_ndx from query_user_list()Andrew Tridgell1-7/+1
(This used to be commit 1c909afe76566807fb576c965eb869f98e72f2bd)
2001-12-10robustness fixes and moved ccache location into winbindd_ads codeAndrew Tridgell1-0/+12
(This used to be commit 24aa09ff3dd128c6f12b4cb072943ff668a29a67)