| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Jeremy.
(This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
|
|
Credits to Ralf Haferkamp for the discussion and help on this.
(This used to be commit 5be96d09a7c457b1763d7ad482b5a5a92c02d157)
|
|
commit 3941269fa01038fca242a197e8d7c1f234d45ea7
Author: Gerald (Jerry) Carter <jerry@samba.org>
Date: Thu Jul 5 14:52:03 2007 -0500
Two fixes for "winbind expand groups".
(a) Update the counter for the number of new groups to resolve else
we'll only expand one group member per level and drop the rest.
(b) Don't reset the num_names counter in winbindd_ads.c:lookup_groupmem()
or we'll drop the SIDs resolved to names via cache from the resulting
list.
(This used to be commit dfb89dfcaa02f497ff22ac0213b70add6e4d5b8f)
|
|
in the winbindd_getgrnam() call. Couple of comments:
* Adds "winbind expand groups" parameter which defines the
max depth winbindd will expand group members. The default
is the current behavior of one level of expansion.
* The entire getrgnam() interface should be async. I
haven't done that.
* Refactors the domain users hack in fill_grent_mem() into
its own function.
(This used to be commit 3d3a8130351753dc5caa2a270d130e2150da6b54)
|
|
Guenther
(This used to be commit 23e25bba8fafb31492b517d63f0a00c5ec07d5da)
|
|
The clear text presentaion of the sid in the ldap expression
does work with w2k3 but not with w2k....
Thanks to Guenther for advising me of this issue.
Michael
(This used to be commit 7e6b0c19f816b52cca257c2837680e70f1af8594)
|
|
Hopfully, I have finally got this right... :-)
Michael
(This used to be commit 2190d838e49692fcba8f3a393dd30db937899fed)
|
|
wanted to do.
Michael
(This used to be commit f2adae8fc197be1e40769dbda27ee5b1085c3c64)
|
|
with talloc randomly failing.
Hey, shouldn't TALLOC_ARRAY _not_ return NULL when
requested to allocate an array with zero entries? :-)
Michael
(This used to be commit 7170d2e9f5381b405e0ea902d2b2463e5ca804e6)
|
|
And clean up unused stuff at the end.
Daringly, I use talloc_steal at some point, where it
appears natural to me.
Michael
(This used to be commit f2a29643bdb08bf026eaf974424f4eadfc920ca0)
|
|
by sid_string_static.
(This used to be commit ba3026dce02d554313647c3d6825bfe0d30d6ffc)
|
|
(This used to be commit c5929aa82b20e8a3877e6196c17bc9118cb399b0)
|
|
(This used to be commit bd90573fbb3ff243f343fcfc61b6228aa70b13e3)
|
|
started in r23070, r23072, r23073, r23078, r23081 and r23082:
After retrieving the list of sids with the extended dn
ldap query, instead of passing all sids to the lsa_lookup_sids
call, now while extracting the sids from the extended dn member
entries, we first try to lookup the sid from cache and only pass
the sids that were not in cache to the lsa_lookup_sids call.
Michael
(This used to be commit 5520c7d8557fe48957c2a85eaba8c3a0e9d8b9e2)
|
|
as an error. (This is purely cosmetic here, issuing a success
message at the end.)
(This used to be commit 4d9e8c91dc387cef37ea9035ac4483916e854732)
|
|
dn_lookup loop by a rpccli_lsa_lookupsids_all (see r23070)
call. This replaces one ldap search per member sid by one
rpc call per 1000 sids. This greatly speeds up groupmem
lookups for groups with lots of users.
Since the loop in lookup_groupmem was the only use of dn_lookup,
the function is removed.
Michael
(This used to be commit 88dac65ab1b951d445f0eedb638e9ace93139872)
|
|
Guenther
(This used to be commit 08a7ee8d968b493a17fd669f3dc6fed7abe3d36e)
|
|
is initialized.
(This used to be commit ef0304268284df7166ecd1b17328076e7ce40de9)
|
|
* Rely on the fact that name2sid will work for any name
in a trusted domain will work against our primary domain
(even in the absense of an incoming trust path)
* Only logons will reliably work and the idmap backend
is responsible for being able to manage id's without contacting
the trusted domain
* "getent passwd" and "getent group" for trusted users and groups
will work but we cannot get the group membership of a user in any
fashion without the user first logging on (via NTLM or krb5)
and the netsamlogon_cache being updated.
(This used to be commit dee2bce2af6aab8308dcef4109cc5248cfba5ef5)
|
|
(This used to be commit aa2ac5a1944884586c9f7e97c3a0b1b6c418b554)
|
|
(a) Query our primary domain for trusts
(b) Query all tree roots in our forest
(c) Query all forest roots in trusted forests.
This will give us a complete trust topology including
domains via transitive Krb5 trusts. We also store the
trust type, flags, and attributes so we can determine
one-way trusted domains (outgoing only trust path).
Patch for one-way trusts coming in a later check-in.
"wbinfo -m" now lists all domains in the domain_list() as held
by the main winbindd process.
(This used to be commit 9cf6068f1e0a1063d331af17aa493140497b96ef)
|
|
That should be it....
Jeremy.
(This used to be commit 603233a98bbf65467c8b4f04719d771c70b3b4c9)
|
|
Guenther
(This used to be commit 31a193b02a08d2323d93659105c0fd5650b33419)
|
|
optinmize
lookup_groupmem(). In the later, at least try to avoid those massive LDAP
dn_lookups by looking in the cache before.
Guenther
(This used to be commit eb1566869c5493f2a1d1ff9fcaaa45c143ad12a0)
|
|
Jeremy.
(This used to be commit 61a1574f50d35435a55de62fa6f1d281eed90a25)
|
|
to get the
Krb5 config stuff to work in the server affinity settings.
(This used to be commit 518052be38385ad089c0cb092d07ccd210a27ef3)
|
|
ads_cached_connection() does not call get_dc_name()
before ads_connect() and therefore does not setup
the environment to look at krb5.conf.DOMAIN file
before sending the TGT request. The failure I'm seeing
occurs ni a multi-DC domain where we get back preuath
failed after we just joined the domain.
(This used to be commit 256f36dce3e3a39798b2ad38fa3123669d670597)
|
|
Fix escaping of DN components and filters around the code
Add some notes to commandline help messages about how to pass DNs
revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was
incorrect.
The 2 functions use DNs in different ways.
- lookup_usergroups_member() uses the DN in a search filter,
and must use the filter escaping function to escape it
Escaping filters that include escaped DNs ("\," becomes "\5c,") is the
correct way to do it (tested against W2k3).
- lookup_usergroups_memberof() instead uses the DN ultimately as a base dn.
Both functions do NOT need any DN escaping function as DNs can't be reliably
escaped when in a string form, intead each single RDN value must be escaped
separately.
DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as
they come already escaped on the wire and passed as is by the ldap libraries
DN filtering has been tested.
For example now it is possible to do something like:
'net ads add user joe#5' as now the '#' character is correctly escaped when
building the DN, previously such a call failed with Invalid DN Syntax.
Simo.
(This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
|
|
broken :-). This will do until Simo fixes the escape
calls properly.
Jeremy.
(This used to be commit b7d91ec1b20f8d58903a3283f7789a30041461be)
|
|
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".
Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).
Guenther
(This used to be commit 7e1a84b7226fb8dcd5d34c64a3478a6d886a9a91)
|
|
problems in the nss_info interface when HAVE_LDAP is undefined.
* Revert previous ifdef HAVE_ADS brakets
* Remove an unused init function wrapper.
(This used to be commit 2ba353848b6d8d36520e7fd82576653a39c602cd)
|
|
This allows a provider to supply the homedirectory, etc...
attributes for a user without requiring support in core
winbindd code. The idmap_ad.c module has been modified
to provide the idmap 'ad' library as well as the rfc2307 and sfu
"winbind nss info" support.
The SID/id mapping is working in idmap_ad but the nss_info
still has a few quirks that I'm in the process of resolving.
(This used to be commit aaec0115e2c96935499052d9a637a20c6445986e)
|
|
so that
in the next step we can store them in LDAP to be replicated across DCs.
Thanks to Michael Adam <ma@sernet.de>
Volker
(This used to be commit 3c879745cfc39be6128b63a88ecdbfa3d9ce6c2d)
|
|
(This used to be commit ac3eb7813e33b9a2e78c9158433f7ed62c3b62bb)
|
|
we never mix malloc and talloc'ed contexts in the
add_XX_to_array() and add_XX_to_array_unique()
calls. Ensure that these calls always return
False on out of memory, True otherwise and always
check them. Ensure that the relevent parts of
the conn struct and the nt_user_tokens are
TALLOC_DESTROYED not SAFE_FREE'd.
James - this should fix your crash bug in both
branches.
Jeremy.
(This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
|
|
methods.
Jeremy.
(This used to be commit 7ac4ae4b517a18e97673e95d862a5b18175252c1)
|
|
(This used to be commit e5b5c9b058b7f2a6188684019ffe42e497ac6b6c)
|
|
(This used to be commit 3d0661b0393804707eb42d9ee9377a622333f252)
|
|
Compiled it on systems with and without LDAP, I hope it does not break the
build farm too badly. If it does, I'll fix it tomorrow.
Volker
(This used to be commit b2ff9680ebe0979fbeef7f2dabc2e3f27c959d11)
|
|
to do the upper layer directories but this is what
everyone is waiting for....
Jeremy.
(This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
|
|
Volker
(This used to be commit 8a5cebc19e4709399976efe9e3ba3bf29249620a)
|
|
the right parameter type.
Jeremy.
(This used to be commit 938545f5352161b4fe195c2a826a26db5236f851)
|
|
Guenther
(This used to be commit e7d2b84aba2f2f5d844ba6a5fdcce35c3750d0b2)
|
|
Guenther
(This used to be commit 8759a00fedfe5d8d789c8b707c924d8116da1102)
|
|
more scalable:
The most efficient way is to use the "tokenGroups" attribute which gives
the nested group membership. As this attribute can not always be
retrieved when binding with the machine account (the only garanteed way
to get the tokenGroups I could find is when the machine account is a
member of the "Pre Win2k Access" builtin group).
Our current fallback when "tokenGroups" failed is looking for all groups
where the userdn was in the "member" attribute. This behaves not very
well in very large AD domains.
The patch first tries the "memberOf" attribute on the user's dn in that
case and directly retrieves the group's sids by using the LDAP Extended
DN control from the user's object.
The way to pass down the control to the ldap search call is rather
painfull and probably will be rearranged later on.
Successfully tested on win2k sp0, win2k sp4, wink3 sp1 and win2k3 r2.
Guenther
(This used to be commit 7d766b5505e4099ef7dd4e88bb000ebe38d71bd0)
|
|
Expand the "winbind nss info" to also take "rfc2307" to support the
plain posix attributes LDAP schema from win2k3-r2.
This work is based on patches from Howard Wilkinson and Bob Gautier
(and closes bug #3345).
Guenther
(This used to be commit 52423e01dc209ba5abde808a446287714ed11567)
|
|
(This used to be commit 3762effca5e1e2bbb2d1d9dd8504c502485eca7d)
|
|
objectClass which is not indexed on AD) in LDAP queries.
Guenther
(This used to be commit 847882a98328b91a2157959c5dad0a2023223846)
|
|
are not valid locally.
Guenther
(This used to be commit 177da7754b53348d8754d46098dbd11300234bb5)
|
|
query the samlogon cache first as well.
Guenther
(This used to be commit aa52b11dd450ca3ec1f156e17822b1c4971ef915)
|
