summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_ads.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r16361: Fix Klocwork ID 1731 1770 1771 1775 1796Volker Lendecke1-1/+5
Volker (This used to be commit 8a5cebc19e4709399976efe9e3ba3bf29249620a)
2007-10-10r16285: On a 64-bit box, size_t != uint32. Ensure we useJeremy Allison1-2/+4
the right parameter type. Jeremy. (This used to be commit 938545f5352161b4fe195c2a826a26db5236f851)
2007-10-10r16187: Fix memleak.Günther Deschner1-9/+12
Guenther (This used to be commit e7d2b84aba2f2f5d844ba6a5fdcce35c3750d0b2)
2007-10-10r16080: Re-add accidentially excluded in-forest domain trusts (fixes bug #3823).Günther Deschner1-1/+1
Guenther (This used to be commit 8759a00fedfe5d8d789c8b707c924d8116da1102)
2007-10-10r15698: An attempt to make the winbind lookup_usergroups() call in security=adsGünther Deschner1-16/+112
more scalable: The most efficient way is to use the "tokenGroups" attribute which gives the nested group membership. As this attribute can not always be retrieved when binding with the machine account (the only garanteed way to get the tokenGroups I could find is when the machine account is a member of the "Pre Win2k Access" builtin group). Our current fallback when "tokenGroups" failed is looking for all groups where the userdn was in the "member" attribute. This behaves not very well in very large AD domains. The patch first tries the "memberOf" attribute on the user's dn in that case and directly retrieves the group's sids by using the LDAP Extended DN control from the user's object. The way to pass down the control to the ldap search call is rather painfull and probably will be rearranged later on. Successfully tested on win2k sp0, win2k sp4, wink3 sp1 and win2k3 r2. Guenther (This used to be commit 7d766b5505e4099ef7dd4e88bb000ebe38d71bd0)
2007-10-10r15697: I take no comments as no objections :)Günther Deschner1-12/+36
Expand the "winbind nss info" to also take "rfc2307" to support the plain posix attributes LDAP schema from win2k3-r2. This work is based on patches from Howard Wilkinson and Bob Gautier (and closes bug #3345). Guenther (This used to be commit 52423e01dc209ba5abde808a446287714ed11567)
2007-10-10r15562: Attempt to fix Coverity bug # 283Volker Lendecke1-0/+8
(This used to be commit 3762effca5e1e2bbb2d1d9dd8504c502485eca7d)
2007-10-10r15460: Prefer to use the indexed objectCategory attribute (instead ofGünther Deschner1-2/+2
objectClass which is not indexed on AD) in LDAP queries. Guenther (This used to be commit 847882a98328b91a2157959c5dad0a2023223846)
2007-10-10r15307: Ignore builtin groups we're a member of on the DC as those membershipsGünther Deschner1-1/+6
are not valid locally. Guenther (This used to be commit 177da7754b53348d8754d46098dbd11300234bb5)
2007-10-10r15306: Be consistent between rpc and ads winbind backend: let the ads backendGünther Deschner1-2/+10
query the samlogon cache first as well. Guenther (This used to be commit aa52b11dd450ca3ec1f156e17822b1c4971ef915)
2007-10-10r15305: Let winbind search by sid directly (or in windows terms: "bind to aGünther Deschner1-6/+16
sid"); works in all AD versions I tested. Also add "net ads sid" search tool. Guenther (This used to be commit 5557ada6943b817d28a5471c613c7291febe2ad5)
2007-10-10r14611: Fix init_creds_opts issue jerry discovered when using MIT krb5 1.3:Günther Deschner1-1/+1
We were using a far too short renewable_time in the request; newer MIT releases take care interally that the renewable time is never shorter then the default ticket lifetime. Guenther (This used to be commit bde4a4018e26bc9aab4b928ec9811c05b21574f3)
2007-10-10r14148: Removing the not very well tested krb5 ticket refresh handling activatedGünther Deschner1-4/+0
over --with-kcm. No time to look after it for the moment. Guenther (This used to be commit 7ec2b31a8790db1466ffafeab533c11ab7ea801a)
2007-10-10r14145: Add missing WITH_KCM hunks from my local tree.Günther Deschner1-0/+4
Guenther (This used to be commit 977079a0583497255fbd4a48de52ebd404710b62)
2007-10-10r13657: Let winbindd try to obtain the gecos field from the msSFU30GecosGünther Deschner1-11/+24
attribute when "winbind nss info = sfu" is set. Fixes #3539. Guenther (This used to be commit ffce0461de130828345c44293e564ca03227607d)
2007-10-10r13316: Let the carnage begin....Gerald Carter1-6/+13
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r12045: More warning fixes... Just a few more to go.Jeremy Allison1-1/+1
Jeremy. (This used to be commit cd192ed79a531c6775cdbfb35f0eb2e0fa230ce9)
2007-10-10r11704: methods->alternate_name is not used anymore -- remove itVolker Lendecke1-37/+0
(This used to be commit 4a4f85f0ef8545b7062e9a49392d4488aa108036)
2007-10-10r11651: After talking to Jeremy, commit my winbindd "Do the Right Thing" patch.Gerald Carter1-3/+31
Still needs some more testing ni domains with multiple DCs. Coming next.... (This used to be commit aaed605206a8549cec575dab31e56bf6d32f26a6)
2007-10-10r11242: use LDAP bitwise machting rule when searching for groups in ADS.Günther Deschner1-17/+36
This avoids that each time a full-group-dump is requested from ADS; the bitwise match allows to only query those groups we are interested in. The ADS LDAP server changed to RFC compliant behaviour when decoding the ldap filter with extensible match in the latest SPs (fixes). From the patch: /* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o * rollup-fixes: * * According to Section 5.1(4) of RFC 2251 if a value of a type is it's * default value, it MUST be absent. In case of extensible matching the * "dnattr" boolean defaults to FALSE and so it must be only be present * when set to TRUE. * * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a * filter using bitwise matching rule then a buggy AD fails to decode * the extensible match. As a workaround set it to TRUE and thereby add * the dnAttributes "dn" field to cope with those older AD versions. * It should not harm and won't put any additional load on the AD since * none of the dn components have a bitmask-attribute. * * Thanks to Ralf Haferkamp for input and testing */ Guenther (This used to be commit db38ed6be607d08515920d46fb8a12f8cb4ddd6e)
2007-10-10r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4Jeremy Allison1-12/+18
x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter1-8/+3
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r10474: We better ignore builtin SIDs from the Active Directory DC to preventGünther Deschner1-1/+8
that AD's builtin groups mixup with our own builtin groups. Guenther (This used to be commit 9930013161f1ae59e7aed1b397b79792d384f1ba)
2007-10-10r10261: Don't bother to peek rids in builtin-sids.Günther Deschner1-0/+3
Guenther (This used to be commit d75bfce8cc9122ddcad149704e467c784f0a0872)
2007-10-10r9361: patch from Ed Plese to fix a faulty error in winbinddGerald Carter1-13/+12
caused by users with no supplementary groups. (This used to be commit dbdf8c631531c499965630bfae3b381f3dc8314a)
2007-10-10r9252: 2 type fixes from Luke Mewburn <lukem@NetBSD.org>. Bugid #2934.Jeremy Allison1-1/+2
Jeremy. (This used to be commit c63ad85b8c1aedd04a65e46c27a6e2661093847a)
2007-10-10r8145: When inventing a new parameter for SFU-support, be aware of Volker'sGünther Deschner1-7/+14
upcoming changes for "unixinfo"-pipe. Therefor (after speaking with Volker) replace "winbind sfu support" with the list-parameter "winbind nss info" which defaults to "template". For SFU-support set it to "winbind nss info = template sfu". Note that nss_info_use() is just a dummy function at the moment. Guenther (This used to be commit 91596330ea3c4ba0fb9ddc52ad9d4a7c8e5b2d3f)
2007-10-10r7994: This adds support in Winbindd's "security = ads"-mode to retrieve the ↵Günther Deschner1-3/+21
POSIX homedirectory and the loginshell from Active Directory's "Services for Unix". Enable it with: winbind sfu support = yes User-Accounts without SFU-Unix-Attributes will be assigned template-based Shells and Homedirs as before. Note that it doesn't matter which version of Services for Unix you use (2.0, 2.2, 3.0 or 3.5). Samba should detect the correct attributes (msSFULoginShell, msSFU30LoginShell, etc.) automatically. If you also want to share the same uid/gid-space as SFU then also use PADL's ad-idmap-Plugin: idmap backend = ad When using the idmap-plugin only those accounts will appear in Name Service Switch that have those UNIX-attributes which avoids potential uid/gid-space clashes between SFU-ids and automatically assigned idmap-ids. Guenther (This used to be commit 28b59699425b1c954d191fc0e3bd357e4a4e4cd8)
2007-10-10r7882: Looks like a large patch - but what it actually does is make SambaJeremy Allison1-5/+5
safe for using our headers and linking with C++ modules. Stops us from using C++ reserved keywords in our code. Jeremy (This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a)
2007-10-10r7415: * big change -- volker's new async winbindd from trunkGerald Carter1-104/+62
(This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8)
2007-10-10r6755: removing domain_sid() since it is not referenced anymoreGerald Carter1-31/+0
(This used to be commit 8104149e6f490fa1a298e61becc8df01ddd92008)
2007-10-10r6225: get rid of warnings from my compiler about nested externsHerb Lewis1-1/+2
(This used to be commit efea76ac71412f8622cd233912309e91b9ea52da)
2007-10-10r5207: patches from Jay Fenlason @ RedHat (scooped from their Fedora packages)Gerald Carter1-1/+2
(This used to be commit 9019a8436162d3606f6b8584701b0832cf5a7439)
2007-10-10r4760: Make wbinfo --user-sids expand domain local groups. Andrew B., my testingVolker Lendecke1-0/+1
shows that this info is correctly returned to us in to info3 struct, so check_info3_in_group does not need to be adapted. Volker (This used to be commit a84e778cafcefdc1809474c2123e757c8c9d9b70)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison1-17/+17
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r1967: Fix a couple of krb5-DEBUG-messages.Günther Deschner1-1/+1
Guenther (This used to be commit 86a61c86a49a7e4d67e61201458c9b0229fb0825)
2007-10-10r294: checking in volker's winbindd patches; tested on domain members (Samba ↵Gerald Carter1-44/+2
and AD) as well as on a Samba DC (This used to be commit 157d53782d6a7d0b7e30676a674ff2a25a15369c)
2004-03-30Apply some constVolker Lendecke1-3/+3
(This used to be commit 8037750df568e6b51b2b0cba9192468110470388)
2004-03-24Fix bugzilla # 1208Jim McDonough1-1/+5
Winbind tickets expired. We now check the expiration time, and acquire new tickets. We couln't rely on renewing them, because if we didn't get a request before they expired, we wouldn't have renewed them. Also, there is a one-week limit in MS on renewal life, so new tickets would have been needed after a week anyway. Default is 10 hours, so we should only be acquiring them that often, unless the configuration on the DC is changed (and the minimum is 1 hour). (This used to be commit c2436c433afaab4006554a86307f76b6689d6929)
2004-03-22missed one on BUG 1195; make sure to set the private * to NULLGerald Carter1-5/+2
(This used to be commit 97a24d13892e292d31a1a6d7a1c96893508d6222)
2004-03-22bug 1195: add flag to ADS_STRUCT so we know who owns the main structure's ↵Gerald Carter1-1/+22
memory (not the members though) (This used to be commit 4449e0e251190b741f51348819669453f0758f36)
2004-01-12fixing compile problems due to my recent ads.h changesGerald Carter1-1/+1
(This used to be commit d7b6298b9e4e7f83deaa2c6f3d711c390ff9cefd)
2004-01-07Machines are people too!Andrew Bartlett1-1/+1
While machine accounts cannot use an NTLM login (NT4 style), they are otherwise full and valid members of the domain, and expect to be able to use kerberos to connect to CIFS servers. This means that the LocalSystem account, used by various services, can perform things like backups, without the admin needing to enter further passwords. This particular issue (bug 722) has started to come up a lot on the lists. I have only enabled it for winbindd-based systems, as the macros use use to call the 'add user script' will strip the $ from the username for security reasons. Andrew Bartlett (This used to be commit 6a9bbd1da3bb961d24e74348fa0b68574022855f)
2004-01-05shorten some more lines.Andrew Bartlett1-7/+14
(This used to be commit 7e5855dfd27ed9ec1fa924986f1ba02632a0d5a0)
2004-01-05Change our Domain controller lookup routines to more carefully seperateAndrew Bartlett1-3/+1
DNS names (realms) from NetBIOS domain names. Until now, we would experience delays as we broadcast lookups for DNS names onto the local network segments. Now if DNS comes back negative, we fall straight back to looking up the short name. Andrew Bartlett (This used to be commit 32397c8b01f1dec7b05140d210bb32f836a80ca6)
2004-01-05rpc_client/cli_lsarpc.c:Andrew Bartlett1-75/+35
rpc_parse/parse_lsa.c: nsswitch/winbindd_rpc.c: nsswitch/winbindd.h: - Add const libads/ads_ldap.c: - Cleanup function for use nsswitch/winbindd_ads.c: - Use new utility function ads_sid_to_dn - Don't search for 'dn=', rather call the ads_search_retry_dn() nsswitch/winbindd_ads.c: include/rpc_ds.h: rpc_client/cli_ds.c: - Fixup braindamage in cli_ds_enum_domain_trusts(): - This function was returning a UNISTR2 up to the caller, and was doing nasty (invalid, per valgrind) things with memcpy() - Create a new structure that represents this informaiton in a useful way and use talloc. Andrew Bartlett (This used to be commit 06c3f15aa166bb567d8be0a8bc4b095b167ab371)
2004-01-05Fix for bug 707, getent group for huge ads groups (>1500 members)Andrew Bartlett1-22/+72
This introduces range retrieval of ADS attributes. VL rewrote most of Günther's patch, partly to remove code duplication and partly to get the retrieval of members in one rush, not interrupted by the lookups for the DN. I rewrote that patch, to ensure that we can keep an eye on the USN (sequence number) of the entry - this allows us to ensure the read was atomic. In particular, the range retrieval is now generic, for strings. It could easily be made generic for any attribute type, if need be. Andrew Bartlett (This used to be commit 131bb928f19c7b1f582c4ad9ac42e5f3d9dfb622)
2004-01-03And yet another constVolker Lendecke1-1/+1
Volker (This used to be commit dafa4d202b65382c365f10365208d9de4eef5586)
2004-01-02Under certain error conditions (a talloc() failure above) this would causeAndrew Bartlett1-2/+0
a double-free(), and the resultant malloc heap corruption. This may be one of our lurking winbind segfaults. Andrew Bartlett (This used to be commit 903263a1bdb755f86dac3a9a92a4af39c8b102c4)
2004-01-01After talking with abartlet remove the fix for bug 707 again.Volker Lendecke1-48/+21
Volker (This used to be commit 0c8ee04c78543b1da3b675df4cf85ee5496c3fbf)