summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_ads.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r24330: Fix a 64-bit errorVolker Lendecke1-1/+1
(This used to be commit 30fd90346550f1c672edb51ab63b8139a6c4053e)
2007-10-10r24329: Fix a 64-bit bugVolker Lendecke1-1/+1
enums are not necessarily represented as 32-bit uints. On assignment (see line 1029) implicit conversion happens, but not when pointers are taken. (This used to be commit 67ec6863dd91ca2421e4541add99dfd739805242)
2007-10-10r23784: use the GPLv3 boilerplate as recommended by the FSF and the license textAndrew Tridgell1-2/+1
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
2007-10-10r23779: Change from v2 or later to v3 or later.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
2007-10-10r23733: Limit LDAP lookup in lookup_usergroups_member() to security groups.Lars Müller1-1/+6
Credits to Ralf Haferkamp for the discussion and help on this. (This used to be commit 5be96d09a7c457b1763d7ad482b5a5a92c02d157)
2007-10-10r23730: Squashed commit of the following:Gerald Carter1-2/+5
commit 3941269fa01038fca242a197e8d7c1f234d45ea7 Author: Gerald (Jerry) Carter <jerry@samba.org> Date: Thu Jul 5 14:52:03 2007 -0500 Two fixes for "winbind expand groups". (a) Update the counter for the number of new groups to resolve else we'll only expand one group member per level and drop the rest. (b) Don't reset the num_names counter in winbindd_ads.c:lookup_groupmem() or we'll drop the SIDs resolved to names via cache from the resulting list. (This used to be commit dfb89dfcaa02f497ff22ac0213b70add6e4d5b8f)
2007-10-10r23471: Here's a rough patch for expanding domain group membershipGerald Carter1-1/+5
in the winbindd_getgrnam() call. Couple of comments: * Adds "winbind expand groups" parameter which defines the max depth winbindd will expand group members. The default is the current behavior of one level of expansion. * The entire getrgnam() interface should be async. I haven't done that. * Refactors the domain users hack in fill_grent_mem() into its own function. (This used to be commit 3d3a8130351753dc5caa2a270d130e2150da6b54)
2007-10-10r23355: Fix some more build warnings.Günther Deschner1-2/+2
Guenther (This used to be commit 23e25bba8fafb31492b517d63f0a00c5ec07d5da)
2007-10-10r23291: Undo the somewhat naive change of r23279:Michael Adam1-2/+10
The clear text presentaion of the sid in the ldap expression does work with w2k3 but not with w2k.... Thanks to Guenther for advising me of this issue. Michael (This used to be commit 7e6b0c19f816b52cca257c2837680e70f1af8594)
2007-10-10r23290: Fix another small and stupid but severe typo.Michael Adam1-1/+1
Hopfully, I have finally got this right... :-) Michael (This used to be commit 2190d838e49692fcba8f3a393dd30db937899fed)
2007-10-10r23287: Use talloc_move instead of talloc_steal as this is what I reallyMichael Adam1-1/+1
wanted to do. Michael (This used to be commit f2adae8fc197be1e40769dbda27ee5b1085c3c64)
2007-10-10r23284: Oh what a nasty typo! This gave me some headache,Michael Adam1-1/+1
with talloc randomly failing. Hey, shouldn't TALLOC_ARRAY _not_ return NULL when requested to allocate an array with zero entries? :-) Michael (This used to be commit 7170d2e9f5381b405e0ea902d2b2463e5ca804e6)
2007-10-10r23283: Use a temporary talloc context in ads:lookup_groupmem.Michael Adam1-13/+17
And clean up unused stuff at the end. Daringly, I use talloc_steal at some point, where it appears natural to me. Michael (This used to be commit f2a29643bdb08bf026eaf974424f4eadfc920ca0)
2007-10-10r23279: Replace occurrence of sid_binstring inside lookup_groupmemMichael Adam1-11/+4
by sid_string_static. (This used to be commit ba3026dce02d554313647c3d6825bfe0d30d6ffc)
2007-10-10r23263: Remove an unused variable -- Fix Coverity ID 358Volker Lendecke1-4/+0
(This used to be commit c5929aa82b20e8a3877e6196c17bc9118cb399b0)
2007-10-10r23253: Add some debugging output.Michael Adam1-1/+6
(This used to be commit bd90573fbb3ff243f343fcfc61b6228aa70b13e3)
2007-10-10r23252: Complete the reworking of the ads lookup_groupmem functionMichael Adam1-58/+109
started in r23070, r23072, r23073, r23078, r23081 and r23082: After retrieving the list of sids with the extended dn ldap query, instead of passing all sids to the lsa_lookup_sids call, now while extracting the sids from the extended dn member entries, we first try to lookup the sid from cache and only pass the sids that were not in cache to the lsa_lookup_sids call. Michael (This used to be commit 5520c7d8557fe48957c2a85eaba8c3a0e9d8b9e2)
2007-10-10r23078: Don't handle return code NT_STATUS_NONE_MAPPED from lookup sidsMichael Adam1-1/+1
as an error. (This is purely cosmetic here, issuing a success message at the end.) (This used to be commit 4d9e8c91dc387cef37ea9035ac4483916e854732)
2007-10-10r23072: In winbindd_ads.c:lookup_groupmem, replace the bottleneckMichael Adam1-107/+77
dn_lookup loop by a rpccli_lsa_lookupsids_all (see r23070) call. This replaces one ldap search per member sid by one rpc call per 1000 sids. This greatly speeds up groupmem lookups for groups with lots of users. Since the loop in lookup_groupmem was the only use of dn_lookup, the function is removed. Michael (This used to be commit 88dac65ab1b951d445f0eedb638e9ace93139872)
2007-10-10r22737: Fix crash bug (info3 is now talloced).Günther Deschner1-1/+1
Guenther (This used to be commit 08a7ee8d968b493a17fd669f3dc6fed7abe3d36e)
2007-10-10r22711: Fix a compile warnign in query_user(). Ensure that user_ridGerald Carter1-2/+1
is initialized. (This used to be commit ef0304268284df7166ecd1b17328076e7ce40de9)
2007-10-10r22710: Support one-way trusts.Gerald Carter1-6/+107
* Rely on the fact that name2sid will work for any name in a trusted domain will work against our primary domain (even in the absense of an incoming trust path) * Only logons will reliably work and the idmap backend is responsible for being able to manage id's without contacting the trusted domain * "getent passwd" and "getent group" for trusted users and groups will work but we cannot get the group membership of a user in any fashion without the user first logging on (via NTLM or krb5) and the netsamlogon_cache being updated. (This used to be commit dee2bce2af6aab8308dcef4109cc5248cfba5ef5)
2007-10-10r22706: missed one reference to domain->native_mode in the previous commitGerald Carter1-1/+1
(This used to be commit aa2ac5a1944884586c9f7e97c3a0b1b6c418b554)
2007-10-10r22704: Implement three step method for enumerating domain trusts.Gerald Carter1-5/+77
(a) Query our primary domain for trusts (b) Query all tree roots in our forest (c) Query all forest roots in trusted forests. This will give us a complete trust topology including domains via transitive Krb5 trusts. We also store the trust type, flags, and attributes so we can determine one-way trusted domains (outgoing only trust path). Patch for one-way trusts coming in a later check-in. "wbinfo -m" now lists all domains in the domain_list() as held by the main winbindd process. (This used to be commit 9cf6068f1e0a1063d331af17aa493140497b96ef)
2007-10-10r22590: Make TALLOC_ARRAY consistent across all uses.Jeremy Allison1-10/+15
That should be it.... Jeremy. (This used to be commit 603233a98bbf65467c8b4f04719d771c70b3b4c9)
2007-10-10r22511: Remove unused LDAPMessage.Günther Deschner1-3/+0
Guenther (This used to be commit 31a193b02a08d2323d93659105c0fd5650b33419)
2007-10-10r22461: Use ranged LDAP queries in lookup_usergroups_member() and start to ↵Günther Deschner1-99/+75
optinmize lookup_groupmem(). In the later, at least try to avoid those massive LDAP dn_lookups by looking in the cache before. Guenther (This used to be commit eb1566869c5493f2a1d1ff9fcaaa45c143ad12a0)
2007-10-10r22015: Fix for memory leak from Steven Danneman <steven.danneman@isilon.com>Jeremy Allison1-0/+5
Jeremy. (This used to be commit 61a1574f50d35435a55de62fa6f1d281eed90a25)
2007-10-10r21636: Was almost right before. We have to specify the short domain name ↵Gerald Carter1-1/+1
to get the Krb5 config stuff to work in the server affinity settings. (This used to be commit 518052be38385ad089c0cb092d07ccd210a27ef3)
2007-10-10r21633: First real fix from me found during the bug hunt.Gerald Carter1-0/+8
ads_cached_connection() does not call get_dc_name() before ads_connect() and therefore does not setup the environment to look at krb5.conf.DOMAIN file before sending the TGT request. The failure I'm seeing occurs ni a multi-DC domain where we get back preuath failed after we just joined the domain. (This used to be commit 256f36dce3e3a39798b2ad38fa3123669d670597)
2007-10-10r21606: Implement escaping function for ldap RDN valuesSimo Sorce1-9/+1
Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-10-10r21566: If we're going to be broken, at least be *consistently*Jeremy Allison1-1/+9
broken :-). This will do until Simo fixes the escape calls properly. Jeremy. (This used to be commit b7d91ec1b20f8d58903a3283f7789a30041461be)
2007-10-10r21240: Fix longstanding Bug #4009.Günther Deschner1-11/+21
For the winbind cached ADS LDAP connection handling (ads_cached_connection()) we were (incorrectly) assuming that the service ticket lifetime equaled the tgt lifetime. For setups where the service ticket just lives 10 minutes, we were leaving hundreds of LDAP connections in CLOSE_WAIT state, until we fail to service entirely with "Too many open files". Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP connection after the ads_do_search_retry() has failed to submit the search request (although the bind succeeded (returning an expired service ticket that we cannot delete from the memory cred cache - this will get fixed later)). Guenther (This used to be commit 7e1a84b7226fb8dcd5d34c64a3478a6d886a9a91)
2007-10-10r21001: * Use a simple '#define LDAPMessage void' to fix the buildGerald Carter1-4/+0
problems in the nss_info interface when HAVE_LDAP is undefined. * Revert previous ifdef HAVE_ADS brakets * Remove an unused init function wrapper. (This used to be commit 2ba353848b6d8d36520e7fd82576653a39c602cd)
2007-10-10r20986: Commit the prototype of the nss_info plugin interface.Gerald Carter1-59/+15
This allows a provider to supply the homedirectory, etc... attributes for a user without requiring support in core winbindd code. The idmap_ad.c module has been modified to provide the idmap 'ad' library as well as the rfc2307 and sfu "winbind nss info" support. The SID/id mapping is working in idmap_ad but the nss_info still has a few quirks that I'm in the process of resolving. (This used to be commit aaec0115e2c96935499052d9a637a20c6445986e)
2007-10-10r20824: Send access to the trusted domain passwords through the pdb backend, ↵Volker Lendecke1-1/+1
so that in the next step we can store them in LDAP to be replicated across DCs. Thanks to Michael Adam <ma@sernet.de> Volker (This used to be commit 3c879745cfc39be6128b63a88ecdbfa3d9ce6c2d)
2007-10-10r20124: clean up nested extern declaration warningsHerb Lewis1-1/+2
(This used to be commit ac3eb7813e33b9a2e78c9158433f7ed62c3b62bb)
2007-10-10r20090: Fix a class of bugs found by James Peach. EnsureJeremy Allison1-9/+27
we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
2007-10-10r20035: Fix obvious horrible bug in falling back to MS-RPCJeremy Allison1-6/+3
methods. Jeremy. (This used to be commit 7ac4ae4b517a18e97673e95d862a5b18175252c1)
2007-10-10r19657: Correctly check for malloc failureVolker Lendecke1-1/+1
(This used to be commit e5b5c9b058b7f2a6188684019ffe42e497ac6b6c)
2007-10-10r19656: Correctly check for malloc failureVolker Lendecke1-1/+1
(This used to be commit 3d0661b0393804707eb42d9ee9377a622333f252)
2007-10-10r18019: Fix a C++ warnings: Don't use void * in libads/ for LDAPMessage anymore.Volker Lendecke1-11/+11
Compiled it on systems with and without LDAP, I hope it does not break the build farm too badly. If it does, I'll fix it tomorrow. Volker (This used to be commit b2ff9680ebe0979fbeef7f2dabc2e3f27c959d11)
2007-10-10r16945: Sync trunk -> 3.0 for 3.0.24 code. Still needJeremy Allison1-0/+1
to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2007-10-10r16361: Fix Klocwork ID 1731 1770 1771 1775 1796Volker Lendecke1-1/+5
Volker (This used to be commit 8a5cebc19e4709399976efe9e3ba3bf29249620a)
2007-10-10r16285: On a 64-bit box, size_t != uint32. Ensure we useJeremy Allison1-2/+4
the right parameter type. Jeremy. (This used to be commit 938545f5352161b4fe195c2a826a26db5236f851)
2007-10-10r16187: Fix memleak.Günther Deschner1-9/+12
Guenther (This used to be commit e7d2b84aba2f2f5d844ba6a5fdcce35c3750d0b2)
2007-10-10r16080: Re-add accidentially excluded in-forest domain trusts (fixes bug #3823).Günther Deschner1-1/+1
Guenther (This used to be commit 8759a00fedfe5d8d789c8b707c924d8116da1102)
2007-10-10r15698: An attempt to make the winbind lookup_usergroups() call in security=adsGünther Deschner1-16/+112
more scalable: The most efficient way is to use the "tokenGroups" attribute which gives the nested group membership. As this attribute can not always be retrieved when binding with the machine account (the only garanteed way to get the tokenGroups I could find is when the machine account is a member of the "Pre Win2k Access" builtin group). Our current fallback when "tokenGroups" failed is looking for all groups where the userdn was in the "member" attribute. This behaves not very well in very large AD domains. The patch first tries the "memberOf" attribute on the user's dn in that case and directly retrieves the group's sids by using the LDAP Extended DN control from the user's object. The way to pass down the control to the ldap search call is rather painfull and probably will be rearranged later on. Successfully tested on win2k sp0, win2k sp4, wink3 sp1 and win2k3 r2. Guenther (This used to be commit 7d766b5505e4099ef7dd4e88bb000ebe38d71bd0)
2007-10-10r15697: I take no comments as no objections :)Günther Deschner1-12/+36
Expand the "winbind nss info" to also take "rfc2307" to support the plain posix attributes LDAP schema from win2k3-r2. This work is based on patches from Howard Wilkinson and Bob Gautier (and closes bug #3345). Guenther (This used to be commit 52423e01dc209ba5abde808a446287714ed11567)
2007-10-10r15562: Attempt to fix Coverity bug # 283Volker Lendecke1-0/+8
(This used to be commit 3762effca5e1e2bbb2d1d9dd8504c502485eca7d)