summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_ads.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r8145: When inventing a new parameter for SFU-support, be aware of Volker'sGünther Deschner1-7/+14
upcoming changes for "unixinfo"-pipe. Therefor (after speaking with Volker) replace "winbind sfu support" with the list-parameter "winbind nss info" which defaults to "template". For SFU-support set it to "winbind nss info = template sfu". Note that nss_info_use() is just a dummy function at the moment. Guenther (This used to be commit 91596330ea3c4ba0fb9ddc52ad9d4a7c8e5b2d3f)
2007-10-10r7994: This adds support in Winbindd's "security = ads"-mode to retrieve the ↵Günther Deschner1-3/+21
POSIX homedirectory and the loginshell from Active Directory's "Services for Unix". Enable it with: winbind sfu support = yes User-Accounts without SFU-Unix-Attributes will be assigned template-based Shells and Homedirs as before. Note that it doesn't matter which version of Services for Unix you use (2.0, 2.2, 3.0 or 3.5). Samba should detect the correct attributes (msSFULoginShell, msSFU30LoginShell, etc.) automatically. If you also want to share the same uid/gid-space as SFU then also use PADL's ad-idmap-Plugin: idmap backend = ad When using the idmap-plugin only those accounts will appear in Name Service Switch that have those UNIX-attributes which avoids potential uid/gid-space clashes between SFU-ids and automatically assigned idmap-ids. Guenther (This used to be commit 28b59699425b1c954d191fc0e3bd357e4a4e4cd8)
2007-10-10r7882: Looks like a large patch - but what it actually does is make SambaJeremy Allison1-5/+5
safe for using our headers and linking with C++ modules. Stops us from using C++ reserved keywords in our code. Jeremy (This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a)
2007-10-10r7415: * big change -- volker's new async winbindd from trunkGerald Carter1-104/+62
(This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8)
2007-10-10r6755: removing domain_sid() since it is not referenced anymoreGerald Carter1-31/+0
(This used to be commit 8104149e6f490fa1a298e61becc8df01ddd92008)
2007-10-10r6225: get rid of warnings from my compiler about nested externsHerb Lewis1-1/+2
(This used to be commit efea76ac71412f8622cd233912309e91b9ea52da)
2007-10-10r5207: patches from Jay Fenlason @ RedHat (scooped from their Fedora packages)Gerald Carter1-1/+2
(This used to be commit 9019a8436162d3606f6b8584701b0832cf5a7439)
2007-10-10r4760: Make wbinfo --user-sids expand domain local groups. Andrew B., my testingVolker Lendecke1-0/+1
shows that this info is correctly returned to us in to info3 struct, so check_info3_in_group does not need to be adapted. Volker (This used to be commit a84e778cafcefdc1809474c2123e757c8c9d9b70)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison1-17/+17
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r1967: Fix a couple of krb5-DEBUG-messages.Günther Deschner1-1/+1
Guenther (This used to be commit 86a61c86a49a7e4d67e61201458c9b0229fb0825)
2007-10-10r294: checking in volker's winbindd patches; tested on domain members (Samba ↵Gerald Carter1-44/+2
and AD) as well as on a Samba DC (This used to be commit 157d53782d6a7d0b7e30676a674ff2a25a15369c)
2004-03-30Apply some constVolker Lendecke1-3/+3
(This used to be commit 8037750df568e6b51b2b0cba9192468110470388)
2004-03-24Fix bugzilla # 1208Jim McDonough1-1/+5
Winbind tickets expired. We now check the expiration time, and acquire new tickets. We couln't rely on renewing them, because if we didn't get a request before they expired, we wouldn't have renewed them. Also, there is a one-week limit in MS on renewal life, so new tickets would have been needed after a week anyway. Default is 10 hours, so we should only be acquiring them that often, unless the configuration on the DC is changed (and the minimum is 1 hour). (This used to be commit c2436c433afaab4006554a86307f76b6689d6929)
2004-03-22missed one on BUG 1195; make sure to set the private * to NULLGerald Carter1-5/+2
(This used to be commit 97a24d13892e292d31a1a6d7a1c96893508d6222)
2004-03-22bug 1195: add flag to ADS_STRUCT so we know who owns the main structure's ↵Gerald Carter1-1/+22
memory (not the members though) (This used to be commit 4449e0e251190b741f51348819669453f0758f36)
2004-01-12fixing compile problems due to my recent ads.h changesGerald Carter1-1/+1
(This used to be commit d7b6298b9e4e7f83deaa2c6f3d711c390ff9cefd)
2004-01-07Machines are people too!Andrew Bartlett1-1/+1
While machine accounts cannot use an NTLM login (NT4 style), they are otherwise full and valid members of the domain, and expect to be able to use kerberos to connect to CIFS servers. This means that the LocalSystem account, used by various services, can perform things like backups, without the admin needing to enter further passwords. This particular issue (bug 722) has started to come up a lot on the lists. I have only enabled it for winbindd-based systems, as the macros use use to call the 'add user script' will strip the $ from the username for security reasons. Andrew Bartlett (This used to be commit 6a9bbd1da3bb961d24e74348fa0b68574022855f)
2004-01-05shorten some more lines.Andrew Bartlett1-7/+14
(This used to be commit 7e5855dfd27ed9ec1fa924986f1ba02632a0d5a0)
2004-01-05Change our Domain controller lookup routines to more carefully seperateAndrew Bartlett1-3/+1
DNS names (realms) from NetBIOS domain names. Until now, we would experience delays as we broadcast lookups for DNS names onto the local network segments. Now if DNS comes back negative, we fall straight back to looking up the short name. Andrew Bartlett (This used to be commit 32397c8b01f1dec7b05140d210bb32f836a80ca6)
2004-01-05rpc_client/cli_lsarpc.c:Andrew Bartlett1-75/+35
rpc_parse/parse_lsa.c: nsswitch/winbindd_rpc.c: nsswitch/winbindd.h: - Add const libads/ads_ldap.c: - Cleanup function for use nsswitch/winbindd_ads.c: - Use new utility function ads_sid_to_dn - Don't search for 'dn=', rather call the ads_search_retry_dn() nsswitch/winbindd_ads.c: include/rpc_ds.h: rpc_client/cli_ds.c: - Fixup braindamage in cli_ds_enum_domain_trusts(): - This function was returning a UNISTR2 up to the caller, and was doing nasty (invalid, per valgrind) things with memcpy() - Create a new structure that represents this informaiton in a useful way and use talloc. Andrew Bartlett (This used to be commit 06c3f15aa166bb567d8be0a8bc4b095b167ab371)
2004-01-05Fix for bug 707, getent group for huge ads groups (>1500 members)Andrew Bartlett1-22/+72
This introduces range retrieval of ADS attributes. VL rewrote most of Günther's patch, partly to remove code duplication and partly to get the retrieval of members in one rush, not interrupted by the lookups for the DN. I rewrote that patch, to ensure that we can keep an eye on the USN (sequence number) of the entry - this allows us to ensure the read was atomic. In particular, the range retrieval is now generic, for strings. It could easily be made generic for any attribute type, if need be. Andrew Bartlett (This used to be commit 131bb928f19c7b1f582c4ad9ac42e5f3d9dfb622)
2004-01-03And yet another constVolker Lendecke1-1/+1
Volker (This used to be commit dafa4d202b65382c365f10365208d9de4eef5586)
2004-01-02Under certain error conditions (a talloc() failure above) this would causeAndrew Bartlett1-2/+0
a double-free(), and the resultant malloc heap corruption. This may be one of our lurking winbind segfaults. Andrew Bartlett (This used to be commit 903263a1bdb755f86dac3a9a92a4af39c8b102c4)
2004-01-01After talking with abartlet remove the fix for bug 707 again.Volker Lendecke1-48/+21
Volker (This used to be commit 0c8ee04c78543b1da3b675df4cf85ee5496c3fbf)
2004-01-01Fix for bug 707, getent group for huge ads groups (>1500 members)Volker Lendecke1-21/+48
This introduces range retrieval of ADS attributes. I've rewritten most of Günther's patch, partly to remove code duplication and partly to get the retrieval of members in one rush, not interrupted by the lookups for the DN. Andrew, you told me that you would like to see a check whether the AD sequence number is the same before and after the retrieval to achieve atomicity. This would be trivial to add, but I'm not sure that we want this, as this adds two roundtrips to every membership query. We can not know before the first query whether we get additional range values, and at that point it's too late to ask for the USN. Tested with a group of 4000 members along with lots of small groups. Volker (This used to be commit 9d8235bf413f931e40bca0c27a25ed62b4f3d226)
2003-11-12a small include file rearrangement that doesn't affect normalAndrew Tridgell1-0/+1
compilation, but that allows Samba3 to take advantage of pre-compiled headers in gcc if available. (This used to be commit b3e024ce1da7c7e24fcacd8a2964dd2e4562ba39)
2003-10-13make sure to use the escaped DN; patch from Guenther Deschner; bug 592Gerald Carter1-1/+1
(This used to be commit 5eca81c66096a01eda1731892d044c09d4c18556)
2003-10-03don't call ads_destroy() twice; fixes segfault in winbindd when DC goes ↵Gerald Carter1-4/+11
down; bug 437 (This used to be commit 1cfbd92404270e0c67a3b295fc9cf461b29d3503)
2003-09-06finish off bug 282. AAdd extra checks for pointers afterGerald Carter1-7/+7
ads_search_XXX() calls. (This used to be commit 74c02e5fbc411d6fd1b13a1e21599da030897efe)
2003-09-06revert retry loops in winbindd_ads as abartket points out, weGerald Carter1-312/+151
already have ads_search_retry() for this. However, neither domain_sid() nor sequence_nunber() used this function. So modify them to us ads_do_search_retry() so we can specify the base search DN and scope. (This used to be commit 89f6adf830187d020bf4b35d1a4b2b48c7a075d0)
2003-09-05fixes for ads domain membership when only the realm is defined inGerald Carter1-2/+4
smb.conf Fixes to ensure we work with disable netbios = yes (This used to be commit 3913e43724870c62a0d77ec3e73cbe9480cb6247)
2003-09-05Fix for bug 282 that didn't get checked in.Tim Potter1-1/+1
(This used to be commit e3f5afb83142f44369dcd341d6e66ed2fe51248f)
2003-09-05should fix bug 364 & 311: Retry patch based on suggestion fromGerald Carter1-142/+316
Ken Cross. Sometimes ads conenction get stale but we don't know they are dead until we try them. This patch may need some optimization after people bang on it for a while. (This used to be commit 7021cf63a4501c90620cf6a5f117eef345bbd291)
2003-09-04Check in Andrew's fix for bug #305 (always use lp_realm() )Gerald Carter1-13/+2
Also make sure thet ads_startup uses lp_realm instead of just relying on the workgroup name. Fixes bug in net ads join when the workgroup defaults to "WORKGROUP" and we ignore the realm name. (This used to be commit b1763ace4e85f41574894e3807cabb5196fec661)
2003-08-15get rid of more compiler warningsHerb Lewis1-1/+1
(This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669)
2003-07-31working on transtive trusts issue:Gerald Carter1-9/+76
* use DsEnumerateDomainTrusts() instead of LDAP search. wbinfo -m now lists all trusted downlevel domains and all domains in the forest. Thnigs to do: o Look at Krb5 connection trusted domains o make sure to initial the trusted domain cache as soon as possible (This used to be commit 0ab00ccaedf204b39c86a9e1c2fcac5f15d0e033)
2003-07-03Removed strupper/strlower macros that automatically map to ↵Jeremy Allison1-2/+2
strupper_m/strlower_m. I really want people to think about when they're using multibyte strings. Jeremy. (This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
2003-06-30Fix more shadow variable warnings.Tim Potter1-20/+20
(This used to be commit 10c51bbef83dabd99f129fc7ff0e3fe47c393c67)
2003-06-23* set domain->last_status = NT_STATUS_SERVER_DISABLED on an ads_connect() ↵Gerald Carter1-14/+63
failure * Fix code to use winbind_rpc methods for trusted mixed mode or NT4 domains ( does no one ever test this? ) * add in LDAP code to get the sequence number for rpc based seqnum update. ( this is needed if the DC is upgraded and samba is not reconfigured to use security = ads; it's not pretty but it works (from app_head) ) * fix bug that caused us to enumerate domain local groups in domains other than our own (This used to be commit 14f2cd139a22454571cea8475d3b7c5c2787d378)
2003-06-10- fixed the bug that forced us not to use the winbindd cache when weAndrew Tridgell1-2/+6
have a primary ADS domain and a secondary (trusted) NT4 domain. This caused winbindd to be *really* slow for that setup. - fixed winbindd_getgrgid(), which was calling uid_to_sid instead of gid_to_sid(). When you make changes to winbind *PLEASE* test using nsstest. (This used to be commit cdd9b60a078b63e22f543d4c8d0956ff536f4d89)
2003-06-10More instrumentation for winbindd.Jeremy Allison1-0/+14
Jeremy. (This used to be commit 4161a122b74b75b0ed1758e3491e69bb9f1e8390)
2003-04-23Merge HEAD's winbind into 3.0.Andrew Bartlett1-72/+190
This includes the 'SIDs Rule' patch, mimir's trusted domains cacheing code, the winbind_idmap abstraction (not idmap proper, but the stuff that held up the winbind LDAP backend in HEAD). Andrew Bartlett (This used to be commit d4d5e6c2ee6383c6cceb5d449aa2ba6c83eb0666)
2003-04-21Merge from HEAD - save the type of channel used to contact the DC.Andrew Bartlett1-1/+1
This allows us to join as a BDC, without appearing on the network as one until we have the database replicated, and the admin changes the configuration. This also change the SID retreval order from secrets.tdb, so we no longer require a 'net rpc getsid' - the sid fetch during the domain join is sufficient. Also minor fixes to 'net'. Andrew Bartlett (This used to be commit 876e00fd112e4aaf7519eec27f382eb99ec7562a)
2003-02-24Merge from HEAD client-side authentication changes:Andrew Bartlett1-1/+0
- new kerberos code, allowing the account to change it's own password without special SD settings required - NTLMSSP client code, now seperated from cliconnect.c - NTLMv2 client code - SMB signing fixes Andrew Bartlett (This used to be commit 837680ca517982f2e5944730581a83012d4181ae)
2003-02-19Merge some random looking setenv related kerberos stuff that makesTim Potter1-4/+9
winbindd build again. (This used to be commit c4f46890fe7f0dc16520cd5ed0fd06dcd7682703)
2002-12-20Forward port the change to talloc_init() to make all talloc contextsJeremy Allison1-1/+1
named. Ensure we can query them. Jeremy. (This used to be commit 09a218a9f6fb0bd922940467bf8500eb4f1bcf84)
2002-11-15enable enumeration of domain local groups using LDAP (and in a native mode ↵Gerald Carter1-5/+30
domain) (This used to be commit ff4b2411d146b72f5f578b2e78701f125fec8f08)
2002-10-18NULL enum_local_groups for ads winbindd (temporary workaround).Gerald Carter1-0/+1
(This used to be commit 5a2f1edb5848dc054cfaa71b0fb3b473ad930b7d)
2002-10-01syncing up with HEAD. Seems to be a lot of differences creeping inGerald Carter1-186/+11
(i ignored the new SAMBA stuff, but the rest of this looks like it should have been merged already). (This used to be commit 3de09e5cf1f667e410ee8b9516a956860ce7290f)
2002-09-25sync'ing up for 3.0alpha20 releaseGerald Carter1-4/+4
(This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
generated by cgit (git 2.34.1) at 2024-11-03 16:55:26 +0000