Age | Commit message (Collapse) | Author | Files | Lines |
|
to extend the ADS_STATUS system to include NTSTATUS, and to provide a better
general infrustructure for his sam_ads work.
I've also added some extra failure mode DEBUG()s to parts of the code.
NOTE: The ADS_ERR_OK() macro is rather sensitive to braketing issues - without
the final set of brakets, the test is essentially inverted - causing some
intersting 'error = success' messages...
Andrew Bartlett
(This used to be commit 5b9a7ab901bc311f3ad08462a8a68d133c34a8b4)
|
|
setups.
- split up the ads structure into logical pieces. This makes it much
easier to keep things like the authentication realm and the server
realm separate (they can be different).
- allow ads callers to specify that no sasl bind should be performed
(used by "net ads info" for example)
- fix an error with handing ADS_ERROR_SYSTEM() when errno is 0
- completely rewrote the code for finding the LDAP server. Now try DNS
methods first, and try all DNS servers returned from the SRV DNS
query, sorted by closeness to our interfaces (using the same sort code
as we use in replies from WINS servers). This allows us to cope with
ADS DCs that are down, and ensures we don't pick one that is on the
other side of the country unless absolutely necessary.
- recognise dnsRecords as binary when displaying them
- cope with the realm not being configured in smb.conf (work it out
from the LDAP server)
- look at the trustDirection when looking up trusted domains and don't
include trusts that trust our domains but we don't trust
theirs.
- use LDAP to query the alternate (netbios) name for a realm, and make
sure that both and long and short forms of the name are accepted by
winbindd. Use the short form by default for listing users/groups.
- rescan the list of trusted domains every 5 minutes in case new trust
relationships are added while winbindd is running
- include transient trust relationships (ie. C trusts B, B trusts A,
so C trusts A) in winbindd.
- don't do a gratuituous node status lookup when finding an ADS DC (we
don't need it and it could fail)
- remove unused sid_to_distinguished_name function
- make sure we find the allternate name of our primary domain when
operating with a netbiosless ADS DC (using LDAP to do the lookup)
- fixed the rpc trusted domain enumeration to support up to approx
2000 trusted domains (the old limit was 3)
- use the IP for the remote_machine (%m) macro when the client doesn't
supply us with a name via a netbios session request (eg. port 445)
- if the client uses SPNEGO then use the machine name from the SPNEGO
auth packet for remote_machine (%m) macro
- add new 'net ads workgroup' command to find the netbios workgroup
name for a realm
(This used to be commit e358d7b24c86a46d8c361b9e32a25d4f71a6dc00)
|
|
membership from an ADS server. We now use a 'member' query on the
group and do a separate call to convert the resulting distinguished
name to a name, rid etc. This is *much* faster for very large numbers
of groups (on a quantum test system with 10000 groups it drops the
time from an hour to about 35 seconds).
strangely enough, this actually *increases* the amount of ldap
traffic, its just that the MS LDAP server answers these queries much
faster.
(This used to be commit 5538048e4f6dd224b2990f3c6a3e99fd07065f77)
|
|
(This used to be commit dbfd4e5101599bcb85600e4c5c93ce5390b9aa91)
|
|
(This used to be commit 897e64d2e0c1d04ab93441ccaffe369bf43be46e)
|
|
to using SIDs instead of RIDs.
The new funciton sid_peek_check_rid() takes an 'expected domain sid' argument.
The idea here is to prevent mistakes where the SID is implict, but isn't
the same one that we have in the struct.
Andrew Bartlett
(This used to be commit 04f9a8ff4c7982f6597c0f6748f85d66d4784901)
|
|
(This used to be commit 8b5ac00ac60135f83145c65425d7b33a751a15b4)
|
|
changes ...
(This used to be commit 8096032663690eafb6bb8b4f405d6231389d4f80)
|
|
(This used to be commit 3e58a1ee83ea0b4347ce24e566445cc6cb67bb3a)
|
|
(This used to be commit fbf154bcfb68b90eb43ada9de317c93f43711608)
|
|
the pre-win2000 username
(This used to be commit aa139ba507e4b898377fdfc9b27f7febf029d5a4)
|
|
of long usernames (win2000 usernames can be longer than 20 characters)
(This used to be commit 0719e756f60950b9ec04450fda5cc3776752e9a9)
|
|
I think its caused by a rpc operation failing and us giving invalid
data back to the cache layer. Using talloc_zero() should solve this.
(This used to be commit dfa990170bb9a665ba48443258e2a87f50baa75c)
|
|
(This used to be commit be399f5823bb8dfe6cc28d58aaeceb51f1b7382b)
|
|
(This used to be commit 41e1560798b7eb19575b0d97a5e489eb170bcfd5)
|
|
(This used to be commit 1aaa2091d54e7e50cf75927d658e57776792d6ae)
|
|
reconnecting
(This used to be commit 58b79c0dc882fa402423e44a594e30c27177f490)
|
|
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
(This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
|
|
smbd, and also makes it much cleaner inside winbindd.
It is mostly my code, with a few changes and testing performed by Alexander
Bokovoy <a.bokovoy@sam-solutions.net>. ab has tested it in security=domain and
security=ads, but more testing is always appricatiated.
The idea is that we no longer cart around a 'domain\user' string, we keep them
seperate until the last moment - when we push that string into a pwent on onto
the socket.
This removes the need to be constantly parsing that string - the domain prefix
is almost always already provided, (only a couple of functions actually changed
arguments in all this).
Some consequential changes to the RPC client code, to stop it concatonating the
two strings (it now passes them both back as params).
I havn't changed the cache code, however the usernames will no longer have a
double domain prefix in the key string. The actual structures are unchanged
- but the meaning of 'username' in the 'rid' will have changed. (The cache is
invalidated at startup, so on-disk formats are not an issue here).
Andrew Bartlett
(This used to be commit e870f0e727952aeb8599cf93ad2650ae56eca033)
|
|
(This used to be commit ff002a458afa6ca378f0c6d2ec9fb74233c839a7)
|
|
(This used to be commit 1bf5c1a46f4c3f44054ce8fcbc551cdb72683f2b)
|
|
domain is ADS
(This used to be commit e97b40e09427c2c5f0a497f9432af08d6d6762f2)
|
|
(This used to be commit 05a90a28843e0d69183a49a76617c5f32817df16)
|
|
the method used for checking if a domain is a trusted domain is very
crude, we should really call a backend fn of some sort. For now I'm
using winbindd to do the dirty work.
(This used to be commit adf44a9bd0d997ba4dcfadc564a29149531525af)
|
|
- gss error code patch from a.bokovoy@sam-solutions.net
- better sid dumping in ads_dump
- fixed help in wbinfo
(This used to be commit ee1c3e1f044b4ef62169ad74c5cac40eef81bfda)
|
|
Winbind separators other than backslash didn't work.
(This used to be commit 6688781331e046adc77783792fc009cda7c8b5b8)
|
|
(This used to be commit 87090652460e57703b40f21e9ed08c18770b61c3)
|
|
I tried testing this by lowering the buffer size in
cli_samr_enum_dom_groups() but that didn't work - I think this needs
more looking into
(This used to be commit 34328e30315e4b42087d0ee11ed0c3fb715bc250)
|
|
(This used to be commit 1c909afe76566807fb576c965eb869f98e72f2bd)
|
|
(This used to be commit 24aa09ff3dd128c6f12b4cb072943ff668a29a67)
|
|
(This used to be commit 4d3b827e5ac1ac20ec31acdc1e2a0264f1c18e43)
|
|
consistent backends (like ADS) always give correct primary group
info, so we can play cache tricks to speed things up a lot
inconsistent backends (like MSRPC) need to fetch stuff more often
(This used to be commit 217c39f23282e20f96a61a0d5a2434b3f5f66a86)
|
|
the backends
at startup, loop until we get the domain sid for our primary domain,
trying every 10 seconds. This makes winbindd handle a room-wide power
failure better
(This used to be commit 7c60ae59378be1b2af2e57ee3927966a29a797a5)
|
|
(This used to be commit 4a6d29768665f71b72cf48ee34ee9a9c451232f6)
|
|
this one looks like just another winbind backend, and has the
following properties:
- does -ve and +ve cacheing of all queries
- can be disabled with -n switch to winbindd
- stores all records packed, so even huge domains are not a problem
for a complete cache
- handles the server being down
- uses sequence numbers for all entries
This fixes a lot of problems with winbindd. Serving from cache is now
*very* fast.
(This used to be commit fddb4f4c04473a60a97212c0c8e143d6a4d68380)
|
|
- better debug code
(This used to be commit 01f63b9c92137e6de906412952c7a2c8da21dfbe)
|
|
(This used to be commit 0ff30848f3ef4f38e9bc80dc96be4f37bb2dcb0e)
|
|
cyrus-sasl which makes the code much less fragile. Also added code to auto-determine the server name or realm
(This used to be commit 435fdf276a79c2a517adcd7726933aeef3fa924b)
|
|
(This used to be commit 45c328800e42ba01c8d6113c0691546804137677)
|
|
winbindd can do a kinit
this will be removed once we have code that gets a tgt
and puts it in a place where cyrus-sasl can see it
(This used to be commit 7d94f1b7365215a020d3678d03d820a7d086174f)
|
|
sequence number via ldap when using ads
(This used to be commit 9a084f0bb91883224ad44e2b76417d10c15cce42)
|
|
(This used to be commit f64612b89bae1148d73555cac00f6019a01f9304)
|
|
(This used to be commit a45e3968590a021c1b464db5265a09ba48cb5797)
|
|
(This used to be commit 7de670cd15c1a87dd01ab22d74a7e6cbf5ae6673)
|
|
(This used to be commit 60b5d4432abd905ee61fe381487ed87139134685)
|
|
winbindd is now fully functional with a native mode w2k server
now for the memory leaks and speed ...
(This used to be commit fad564c177049eb47e5bf48c98b62281c6348ffc)
|
|
now do searches on SID. This allows me to do a true ldap sid_to_name()
function
one one function to go!
(This used to be commit 7d44aa3915bc88fd2b2f8454f190b11677cbb848)
|
|
Jeremy.
(This used to be commit 9563de2ef8c1197f4941671d2fdade7d933c32d0)
|
|
winbindd/ADS can now do initgroups()
(This used to be commit 43edeaca9f3a42699131939ed0d917111f57b678)
|
|
(This used to be commit 689f45d2079d06b09947b2cdd314867df98c938d)
|