summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_ads.c
AgeCommit message (Collapse)AuthorFilesLines
2002-09-06Patch from "Stefan (metze) Metzmacher" <metze@metzemix.de>Andrew Bartlett1-4/+4
to extend the ADS_STATUS system to include NTSTATUS, and to provide a better general infrustructure for his sam_ads work. I've also added some extra failure mode DEBUG()s to parts of the code. NOTE: The ADS_ERR_OK() macro is rather sensitive to braketing issues - without the final set of brakets, the test is essentially inverted - causing some intersting 'error = success' messages... Andrew Bartlett (This used to be commit 5b9a7ab901bc311f3ad08462a8a68d133c34a8b4)
2002-08-05This fixes a number of ADS problems, particularly with netbioslessAndrew Tridgell1-70/+49
setups. - split up the ads structure into logical pieces. This makes it much easier to keep things like the authentication realm and the server realm separate (they can be different). - allow ads callers to specify that no sasl bind should be performed (used by "net ads info" for example) - fix an error with handing ADS_ERROR_SYSTEM() when errno is 0 - completely rewrote the code for finding the LDAP server. Now try DNS methods first, and try all DNS servers returned from the SRV DNS query, sorted by closeness to our interfaces (using the same sort code as we use in replies from WINS servers). This allows us to cope with ADS DCs that are down, and ensures we don't pick one that is on the other side of the country unless absolutely necessary. - recognise dnsRecords as binary when displaying them - cope with the realm not being configured in smb.conf (work it out from the LDAP server) - look at the trustDirection when looking up trusted domains and don't include trusts that trust our domains but we don't trust theirs. - use LDAP to query the alternate (netbios) name for a realm, and make sure that both and long and short forms of the name are accepted by winbindd. Use the short form by default for listing users/groups. - rescan the list of trusted domains every 5 minutes in case new trust relationships are added while winbindd is running - include transient trust relationships (ie. C trusts B, B trusts A, so C trusts A) in winbindd. - don't do a gratuituous node status lookup when finding an ADS DC (we don't need it and it could fail) - remove unused sid_to_distinguished_name function - make sure we find the allternate name of our primary domain when operating with a netbiosless ADS DC (using LDAP to do the lookup) - fixed the rpc trusted domain enumeration to support up to approx 2000 trusted domains (the old limit was 3) - use the IP for the remote_machine (%m) macro when the client doesn't supply us with a name via a netbios session request (eg. port 445) - if the client uses SPNEGO then use the machine name from the SPNEGO auth packet for remote_machine (%m) macro - add new 'net ads workgroup' command to find the netbios workgroup name for a realm (This used to be commit e358d7b24c86a46d8c361b9e32a25d4f71a6dc00)
2002-07-11this implements a completely new strategy for fetching groupAndrew Tridgell1-33/+83
membership from an ADS server. We now use a 'member' query on the group and do a separate call to convert the resulting distinguished name to a name, rid etc. This is *much* faster for very large numbers of groups (on a quantum test system with 10000 groups it drops the time from an hour to about 35 seconds). strangely enough, this actually *increases* the amount of ldap traffic, its just that the MS LDAP server answers these queries much faster. (This used to be commit 5538048e4f6dd224b2990f3c6a3e99fd07065f77)
2002-07-01fixed a bug handling startup when the ads server is not contactableAndrew Tridgell1-1/+1
(This used to be commit dbfd4e5101599bcb85600e4c5c93ce5390b9aa91)
2002-06-18more debug classess activatedSimo Sorce1-0/+3
(This used to be commit 897e64d2e0c1d04ab93441ccaffe369bf43be46e)
2002-06-13Latest patch from metze <metze@metzemix.de> to move most of samba acrossAndrew Bartlett1-5/+5
to using SIDs instead of RIDs. The new funciton sid_peek_check_rid() takes an 'expected domain sid' argument. The idea here is to prevent mistakes where the SID is implict, but isn't the same one that we have in the struct. Andrew Bartlett (This used to be commit 04f9a8ff4c7982f6597c0f6748f85d66d4784901)
2002-06-03fixed some debug messagesAndrew Tridgell1-2/+2
(This used to be commit 8b5ac00ac60135f83145c65425d7b33a751a15b4)
2002-04-19fixed trust relationships in ADS winbindd after breaking them with my BDC ↵Andrew Tridgell1-1/+1
changes ... (This used to be commit 8096032663690eafb6bb8b4f405d6231389d4f80)
2002-04-18fixed the fallback to a BDC for ADS connectionsAndrew Tridgell1-1/+3
(This used to be commit 3e58a1ee83ea0b4347ce24e566445cc6cb67bb3a)
2002-04-14pull_username() is a local functionAndrew Tridgell1-1/+1
(This used to be commit fbf154bcfb68b90eb43ada9de317c93f43711608)
2002-04-14hanle the case where the win2000 username is completely different fromAndrew Tridgell1-8/+3
the pre-win2000 username (This used to be commit aa139ba507e4b898377fdfc9b27f7febf029d5a4)
2002-04-14modified the ADS backend to accept either the long or short versionsAndrew Tridgell1-11/+44
of long usernames (win2000 usernames can be longer than 20 characters) (This used to be commit 0719e756f60950b9ec04450fda5cc3776752e9a9)
2002-04-11possibly fix the 15000 user problemAndrew Tridgell1-6/+6
I think its caused by a rpc operation failing and us giving invalid data back to the cache layer. Using talloc_zero() should solve this. (This used to be commit dfa990170bb9a665ba48443258e2a87f50baa75c)
2002-03-21fixed the secondary group mappings for ADS usersAndrew Tridgell1-8/+56
(This used to be commit be399f5823bb8dfe6cc28d58aaeceb51f1b7382b)
2002-03-19updated winbindd to used paged ldap searches for all ldap queriesAndrew Tridgell1-1/+1
(This used to be commit 41e1560798b7eb19575b0d97a5e489eb170bcfd5)
2002-03-12fixed 2 reconnection bugs in the ADS backend supportAndrew Tridgell1-7/+11
(This used to be commit 1aaa2091d54e7e50cf75927d658e57776792d6ae)
2002-03-09better detection of dead ADS connections, so we have some chance ofAndrew Tridgell1-0/+6
reconnecting (This used to be commit 58b79c0dc882fa402423e44a594e30c27177f490)
2002-01-30Removed version number from file header.Tim Potter1-1/+1
Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2002-01-20This patch makes the 'winbind use default domain' code interact better withAndrew Bartlett1-10/+2
smbd, and also makes it much cleaner inside winbindd. It is mostly my code, with a few changes and testing performed by Alexander Bokovoy <a.bokovoy@sam-solutions.net>. ab has tested it in security=domain and security=ads, but more testing is always appricatiated. The idea is that we no longer cart around a 'domain\user' string, we keep them seperate until the last moment - when we push that string into a pwent on onto the socket. This removes the need to be constantly parsing that string - the domain prefix is almost always already provided, (only a couple of functions actually changed arguments in all this). Some consequential changes to the RPC client code, to stop it concatonating the two strings (it now passes them both back as params). I havn't changed the cache code, however the usernames will no longer have a double domain prefix in the key string. The actual structures are unchanged - but the meaning of 'username' in the 'rid' will have changed. (The cache is invalidated at startup, so on-disk formats are not an issue here). Andrew Bartlett (This used to be commit e870f0e727952aeb8599cf93ad2650ae56eca033)
2001-12-20added ads_domain_sid() functionAndrew Tridgell1-15/+5
(This used to be commit ff002a458afa6ca378f0c6d2ec9fb74233c839a7)
2001-12-19use "ads server" option if set for primary domainAndrew Tridgell1-4/+10
(This used to be commit 1bf5c1a46f4c3f44054ce8fcbc551cdb72683f2b)
2001-12-19add support for mixtures of ADS/NT4 domains, as long as the primaryAndrew Tridgell1-0/+9
domain is ADS (This used to be commit e97b40e09427c2c5f0a497f9432af08d6d6762f2)
2001-12-19much better ADS error handling systemAndrew Tridgell1-63/+59
(This used to be commit 05a90a28843e0d69183a49a76617c5f32817df16)
2001-12-19added trusted realm support to ADS authenticationAndrew Tridgell1-0/+2
the method used for checking if a domain is a trusted domain is very crude, we should really call a backend fn of some sort. For now I'm using winbindd to do the dirty work. (This used to be commit adf44a9bd0d997ba4dcfadc564a29149531525af)
2001-12-19- added initial support for trusted domains in winbindd_adsAndrew Tridgell1-10/+47
- gss error code patch from a.bokovoy@sam-solutions.net - better sid dumping in ads_dump - fixed help in wbinfo (This used to be commit ee1c3e1f044b4ef62169ad74c5cac40eef81bfda)
2001-12-11Replace backslash with winbind separator before calling parse_domain_user(). ↵Jim McDonough1-2/+4
Winbind separators other than backslash didn't work. (This used to be commit 6688781331e046adc77783792fc009cda7c8b5b8)
2001-12-11handle systems without setenv()Andrew Tridgell1-1/+1
(This used to be commit 87090652460e57703b40f21e9ed08c18770b61c3)
2001-12-11removed the start_ndx parameter from group enumerationAndrew Tridgell1-7/+1
I tried testing this by lowering the buffer size in cli_samr_enum_dom_groups() but that didn't work - I think this needs more looking into (This used to be commit 34328e30315e4b42087d0ee11ed0c3fb715bc250)
2001-12-11got rid of start_ndx from query_user_list()Andrew Tridgell1-7/+1
(This used to be commit 1c909afe76566807fb576c965eb869f98e72f2bd)
2001-12-10robustness fixes and moved ccache location into winbindd_ads codeAndrew Tridgell1-0/+12
(This used to be commit 24aa09ff3dd128c6f12b4cb072943ff668a29a67)
2001-12-10use objectCategory instead of objectClass for faster searchingAndrew Tridgell1-3/+3
(This used to be commit 4d3b827e5ac1ac20ec31acdc1e2a0264f1c18e43)
2001-12-10winbindd backends can now be marked "consistent" or "inconsistent"Andrew Tridgell1-0/+1
consistent backends (like ADS) always give correct primary group info, so we can play cache tricks to speed things up a lot inconsistent backends (like MSRPC) need to fetch stuff more often (This used to be commit 217c39f23282e20f96a61a0d5a2434b3f5f66a86)
2001-12-10moved the domain sid lookup and enumeration of trusted domains intoAndrew Tridgell1-1/+38
the backends at startup, loop until we get the domain sid for our primary domain, trying every 10 seconds. This makes winbindd handle a room-wide power failure better (This used to be commit 7c60ae59378be1b2af2e57ee3927966a29a797a5)
2001-12-10make sid_binstring available without HAVE_ADSAndrew Tridgell1-4/+4
(This used to be commit 4a6d29768665f71b72cf48ee34ee9a9c451232f6)
2001-12-09completely new winbindd cache infrastructureAndrew Tridgell1-5/+8
this one looks like just another winbind backend, and has the following properties: - does -ve and +ve cacheing of all queries - can be disabled with -n switch to winbindd - stores all records packed, so even huge domains are not a problem for a complete cache - handles the server being down - uses sequence numbers for all entries This fixes a lot of problems with winbindd. Serving from cache is now *very* fast. (This used to be commit fddb4f4c04473a60a97212c0c8e143d6a4d68380)
2001-12-09- use accountype not accountcontrolAndrew Tridgell1-8/+26
- better debug code (This used to be commit 01f63b9c92137e6de906412952c7a2c8da21dfbe)
2001-12-09fixed type passed to ads_searchAndrew Tridgell1-2/+1
(This used to be commit 0ff30848f3ef4f38e9bc80dc96be4f37bb2dcb0e)
2001-12-08added internal sasl/gssapi code. This means we are no longer dependent on ↵Andrew Tridgell1-11/+69
cyrus-sasl which makes the code much less fragile. Also added code to auto-determine the server name or realm (This used to be commit 435fdf276a79c2a517adcd7726933aeef3fa924b)
2001-12-05fixed a memory leakAndrew Tridgell1-1/+4
(This used to be commit 45c328800e42ba01c8d6113c0691546804137677)
2001-12-05added a REALLY gross hack into kerberos_kinit_password so thatAndrew Tridgell1-1/+1
winbindd can do a kinit this will be removed once we have code that gets a tgt and puts it in a place where cyrus-sasl can see it (This used to be commit 7d94f1b7365215a020d3678d03d820a7d086174f)
2001-12-05moved the sequence number fetch into the backend, and fetch theAndrew Tridgell1-1/+16
sequence number via ldap when using ads (This used to be commit 9a084f0bb91883224ad44e2b76417d10c15cce42)
2001-12-05don't double free ldap message listsAndrew Tridgell1-3/+0
(This used to be commit f64612b89bae1148d73555cac00f6019a01f9304)
2001-12-05fixed another leak - memory usage now seems to be quite smallAndrew Tridgell1-0/+2
(This used to be commit a45e3968590a021c1b464db5265a09ba48cb5797)
2001-12-05added very basic ads connection cacheingAndrew Tridgell1-84/+45
(This used to be commit 7de670cd15c1a87dd01ab22d74a7e6cbf5ae6673)
2001-12-05plugged most of the memory leaksAndrew Tridgell1-74/+120
(This used to be commit 60b5d4432abd905ee61fe381487ed87139134685)
2001-12-05added the last winbindd/ads backend functionAndrew Tridgell1-1/+66
winbindd is now fully functional with a native mode w2k server now for the memory leaks and speed ... (This used to be commit fad564c177049eb47e5bf48c98b62281c6348ffc)
2001-12-05finally worked out how to do ldap lookups by binary blobs, so I canAndrew Tridgell1-35/+112
now do searches on SID. This allows me to do a true ldap sid_to_name() function one one function to go! (This used to be commit 7d44aa3915bc88fd2b2f8454f190b11677cbb848)
2001-12-05Fixed parse_domain_user to be bool.Jeremy Allison1-2/+4
Jeremy. (This used to be commit 9563de2ef8c1197f4941671d2fdade7d933c32d0)
2001-12-04added lookup_groups() to the ads backendAndrew Tridgell1-3/+63
winbindd/ADS can now do initgroups() (This used to be commit 43edeaca9f3a42699131939ed0d917111f57b678)
2001-12-04moved lookup_usergroups() into the backend structureAndrew Tridgell1-1/+11
(This used to be commit 689f45d2079d06b09947b2cdd314867df98c938d)