Age | Commit message (Collapse) | Author | Files | Lines |
|
(This used to be commit 052ebc44cde8d31571ed1edb602794349825be11)
|
|
Now we deal with SIDs in almost all of winbind (a couple of limited exceptions
remain, but I'm looking into them - they use non-winbind structs ATM).
This has particular benifits in returning out-of-domain SIDs for group
membership (Need to look into this a bit more) as well as general code quality.
This also removes much of the complexity from the idmap interface, which now
only deals with mapping IDs, not with SID->domain translations.
Breifly tested, but needs more. Fixes some valgrind-found bugs from my
previous commit.
Winbind cache chagned to using SID strings in some places, as I could not
follow exactly how to save and restore multiple packed sids properly.
Andrew Bartlett
(This used to be commit 9247cf08c40f016a924d600ac906cfc6a7016777)
|
|
function.
Andrew Bartlett
(This used to be commit 212a52b3d2ca39fcea2990f9293754b08e9b68e4)
|
|
domains) would not have the tokenGroups or memberOf attributes filled in.
This would cause a user to have no supplementary group membership.
Detect this by the fact that the primaryGid must be present in the tokenGroups,
and if it isn't (ie, if there is no tokenGroups at all), do a server-side
search on all groups using the 'member' attribute and the user's DN.
Andrew Bartlett
(This used to be commit a074f74e627e1d947a76bcf3a39e3c5df4d4ffe5)
|
|
(This used to be commit 1ea27d7987d2c0f67977371a99efec3ded13c872)
|
|
return a DN for the user. Make sure we don't segfault.
Andrew Bartlett
(This used to be commit 9fdedeff6a3a9f8e8d048e6afd7001ad676c4e91)
|
|
(According to the manpages, you cannot put a stack variable into putenv()).
Yes, this leaks memory.
Andrew Bartlett
(This used to be commit 50bced1e26434ecc7474964062746e2831e5f433)
|
|
blame for the realloc() stuff.
Plus a couple of minor updates to libads.
Andrew Bartlett
(This used to be commit 34b2e558a4b3cfd753339bb228a9799e27ed8170)
|
|
named. Ensure we can query them.
Jeremy.
(This used to be commit 842e08e52a665ae678eea239759bb2de1a0d7b33)
|
|
domain)
(This used to be commit 3ac98b59632fd771b8819f88a479ef4c0daade68)
|
|
(This used to be commit 06eea39abdb49d9d547707dcb170c988d7276c1d)
|
|
like metze's sam_ads can also use them.
Also add error checking etc to a few more functions.
Andrew Bartlett
(This used to be commit c864edf4fbf8a6c37888a14b861d7c12cf503d4f)
|
|
to extend the ADS_STATUS system to include NTSTATUS, and to provide a better
general infrustructure for his sam_ads work.
I've also added some extra failure mode DEBUG()s to parts of the code.
NOTE: The ADS_ERR_OK() macro is rather sensitive to braketing issues - without
the final set of brakets, the test is essentially inverted - causing some
intersting 'error = success' messages...
Andrew Bartlett
(This used to be commit 5b9a7ab901bc311f3ad08462a8a68d133c34a8b4)
|
|
setups.
- split up the ads structure into logical pieces. This makes it much
easier to keep things like the authentication realm and the server
realm separate (they can be different).
- allow ads callers to specify that no sasl bind should be performed
(used by "net ads info" for example)
- fix an error with handing ADS_ERROR_SYSTEM() when errno is 0
- completely rewrote the code for finding the LDAP server. Now try DNS
methods first, and try all DNS servers returned from the SRV DNS
query, sorted by closeness to our interfaces (using the same sort code
as we use in replies from WINS servers). This allows us to cope with
ADS DCs that are down, and ensures we don't pick one that is on the
other side of the country unless absolutely necessary.
- recognise dnsRecords as binary when displaying them
- cope with the realm not being configured in smb.conf (work it out
from the LDAP server)
- look at the trustDirection when looking up trusted domains and don't
include trusts that trust our domains but we don't trust
theirs.
- use LDAP to query the alternate (netbios) name for a realm, and make
sure that both and long and short forms of the name are accepted by
winbindd. Use the short form by default for listing users/groups.
- rescan the list of trusted domains every 5 minutes in case new trust
relationships are added while winbindd is running
- include transient trust relationships (ie. C trusts B, B trusts A,
so C trusts A) in winbindd.
- don't do a gratuituous node status lookup when finding an ADS DC (we
don't need it and it could fail)
- remove unused sid_to_distinguished_name function
- make sure we find the allternate name of our primary domain when
operating with a netbiosless ADS DC (using LDAP to do the lookup)
- fixed the rpc trusted domain enumeration to support up to approx
2000 trusted domains (the old limit was 3)
- use the IP for the remote_machine (%m) macro when the client doesn't
supply us with a name via a netbios session request (eg. port 445)
- if the client uses SPNEGO then use the machine name from the SPNEGO
auth packet for remote_machine (%m) macro
- add new 'net ads workgroup' command to find the netbios workgroup
name for a realm
(This used to be commit e358d7b24c86a46d8c361b9e32a25d4f71a6dc00)
|
|
membership from an ADS server. We now use a 'member' query on the
group and do a separate call to convert the resulting distinguished
name to a name, rid etc. This is *much* faster for very large numbers
of groups (on a quantum test system with 10000 groups it drops the
time from an hour to about 35 seconds).
strangely enough, this actually *increases* the amount of ldap
traffic, its just that the MS LDAP server answers these queries much
faster.
(This used to be commit 5538048e4f6dd224b2990f3c6a3e99fd07065f77)
|
|
(This used to be commit dbfd4e5101599bcb85600e4c5c93ce5390b9aa91)
|
|
(This used to be commit 897e64d2e0c1d04ab93441ccaffe369bf43be46e)
|
|
to using SIDs instead of RIDs.
The new funciton sid_peek_check_rid() takes an 'expected domain sid' argument.
The idea here is to prevent mistakes where the SID is implict, but isn't
the same one that we have in the struct.
Andrew Bartlett
(This used to be commit 04f9a8ff4c7982f6597c0f6748f85d66d4784901)
|
|
(This used to be commit 8b5ac00ac60135f83145c65425d7b33a751a15b4)
|
|
changes ...
(This used to be commit 8096032663690eafb6bb8b4f405d6231389d4f80)
|
|
(This used to be commit 3e58a1ee83ea0b4347ce24e566445cc6cb67bb3a)
|
|
(This used to be commit fbf154bcfb68b90eb43ada9de317c93f43711608)
|
|
the pre-win2000 username
(This used to be commit aa139ba507e4b898377fdfc9b27f7febf029d5a4)
|
|
of long usernames (win2000 usernames can be longer than 20 characters)
(This used to be commit 0719e756f60950b9ec04450fda5cc3776752e9a9)
|
|
I think its caused by a rpc operation failing and us giving invalid
data back to the cache layer. Using talloc_zero() should solve this.
(This used to be commit dfa990170bb9a665ba48443258e2a87f50baa75c)
|
|
(This used to be commit be399f5823bb8dfe6cc28d58aaeceb51f1b7382b)
|
|
(This used to be commit 41e1560798b7eb19575b0d97a5e489eb170bcfd5)
|
|
(This used to be commit 1aaa2091d54e7e50cf75927d658e57776792d6ae)
|
|
reconnecting
(This used to be commit 58b79c0dc882fa402423e44a594e30c27177f490)
|
|
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
(This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
|
|
smbd, and also makes it much cleaner inside winbindd.
It is mostly my code, with a few changes and testing performed by Alexander
Bokovoy <a.bokovoy@sam-solutions.net>. ab has tested it in security=domain and
security=ads, but more testing is always appricatiated.
The idea is that we no longer cart around a 'domain\user' string, we keep them
seperate until the last moment - when we push that string into a pwent on onto
the socket.
This removes the need to be constantly parsing that string - the domain prefix
is almost always already provided, (only a couple of functions actually changed
arguments in all this).
Some consequential changes to the RPC client code, to stop it concatonating the
two strings (it now passes them both back as params).
I havn't changed the cache code, however the usernames will no longer have a
double domain prefix in the key string. The actual structures are unchanged
- but the meaning of 'username' in the 'rid' will have changed. (The cache is
invalidated at startup, so on-disk formats are not an issue here).
Andrew Bartlett
(This used to be commit e870f0e727952aeb8599cf93ad2650ae56eca033)
|
|
(This used to be commit ff002a458afa6ca378f0c6d2ec9fb74233c839a7)
|
|
(This used to be commit 1bf5c1a46f4c3f44054ce8fcbc551cdb72683f2b)
|
|
domain is ADS
(This used to be commit e97b40e09427c2c5f0a497f9432af08d6d6762f2)
|
|
(This used to be commit 05a90a28843e0d69183a49a76617c5f32817df16)
|
|
the method used for checking if a domain is a trusted domain is very
crude, we should really call a backend fn of some sort. For now I'm
using winbindd to do the dirty work.
(This used to be commit adf44a9bd0d997ba4dcfadc564a29149531525af)
|
|
- gss error code patch from a.bokovoy@sam-solutions.net
- better sid dumping in ads_dump
- fixed help in wbinfo
(This used to be commit ee1c3e1f044b4ef62169ad74c5cac40eef81bfda)
|
|
Winbind separators other than backslash didn't work.
(This used to be commit 6688781331e046adc77783792fc009cda7c8b5b8)
|
|
(This used to be commit 87090652460e57703b40f21e9ed08c18770b61c3)
|
|
I tried testing this by lowering the buffer size in
cli_samr_enum_dom_groups() but that didn't work - I think this needs
more looking into
(This used to be commit 34328e30315e4b42087d0ee11ed0c3fb715bc250)
|
|
(This used to be commit 1c909afe76566807fb576c965eb869f98e72f2bd)
|
|
(This used to be commit 24aa09ff3dd128c6f12b4cb072943ff668a29a67)
|
|
(This used to be commit 4d3b827e5ac1ac20ec31acdc1e2a0264f1c18e43)
|
|
consistent backends (like ADS) always give correct primary group
info, so we can play cache tricks to speed things up a lot
inconsistent backends (like MSRPC) need to fetch stuff more often
(This used to be commit 217c39f23282e20f96a61a0d5a2434b3f5f66a86)
|
|
the backends
at startup, loop until we get the domain sid for our primary domain,
trying every 10 seconds. This makes winbindd handle a room-wide power
failure better
(This used to be commit 7c60ae59378be1b2af2e57ee3927966a29a797a5)
|
|
(This used to be commit 4a6d29768665f71b72cf48ee34ee9a9c451232f6)
|
|
this one looks like just another winbind backend, and has the
following properties:
- does -ve and +ve cacheing of all queries
- can be disabled with -n switch to winbindd
- stores all records packed, so even huge domains are not a problem
for a complete cache
- handles the server being down
- uses sequence numbers for all entries
This fixes a lot of problems with winbindd. Serving from cache is now
*very* fast.
(This used to be commit fddb4f4c04473a60a97212c0c8e143d6a4d68380)
|
|
- better debug code
(This used to be commit 01f63b9c92137e6de906412952c7a2c8da21dfbe)
|
|
(This used to be commit 0ff30848f3ef4f38e9bc80dc96be4f37bb2dcb0e)
|
|
cyrus-sasl which makes the code much less fragile. Also added code to auto-determine the server name or realm
(This used to be commit 435fdf276a79c2a517adcd7726933aeef3fa924b)
|