Age | Commit message (Collapse) | Author | Files | Lines |
|
the patch :-)
(This used to be commit 07b71a02aef15b75d281cabeb7140db1bc0bb283)
|
|
Guenther
(This used to be commit 23e25bba8fafb31492b517d63f0a00c5ec07d5da)
|
|
Jeremy.
(This used to be commit 8e83e4267260201777c753c4e3849d65fd20ae8f)
|
|
(This used to be commit cbd083efb9a00db68be24cde10b96da06390d970)
|
|
Setting it
to False makes winbind use RPC and not LDAP methods to connect to the DCs,
even when it figured out they are AD.
(This used to be commit 1c1f710e3e2e222c9d91a5650844c1db5ebd5a3a)
|
|
> Here's the problem I hit:
>
> getgrnam("foo") -> nscd -> NSS -> winbindd ->
> winbindd_passdb.c:nam_to_sid() -> lookup_global_sam_name() ->
> getgrnam("foo") -> nscd -> ....
>
> This is in the SAMBA_3_0 specifically but in theory could happen
> SAMBA_3_0_25 (or 26) for an unknown group.
>
> The attached patch passes down enough state for the
> name_to_sid() call to be able to determine the originating
> winbindd cmd that came into the parent. So we can avoid
> making more NSS calls if the original call came in trough NSS
> so we don't deadlock ? But you should still service
> lookupname() calls which are needed for example when
> doing the token access checks for a "valid groups" from
> smb.conf.
>
> I've got this in testing now. The problem has shown up with the
> DsProvider on OS X and with nscd on SOlaris and Linux.
(This used to be commit bcc8a3290aaa0d2620e9d391ffbbf65541f6d742)
|
|
use a helper function to construct the TDB_DATA key
as strlen_m() is totally wrong here anyway
metze
(This used to be commit fb77cc7fbc0100c66365109ae6c3cc4824079a2e)
|
|
(#if inside DEBUG macro not allowed...)
Michael
(This used to be commit f0570dc3d9e07475764e466901d4abfe939590f8)
|
|
(This used to be commit d909a6064159bc746bd558238e81d57cc274a162)
|
|
a global error flag an returning), so cleanups and returns
subsequent to calls of smb_panic_fn have become unnecessary.
(This used to be commit 9d2db8c70f10a9285abd4a61fa66ee8aff2e7e6b)
|
|
* Replaced signal catching/longjmp magic by a fork:
Let the child do the actual validation of the entries.
Exit code and signals are intercepted by waitpid.
* Fix logic so that also encounter of an unknown key in the
tdb leads to an error.
* Extended status of validation is kept in a (as yet simple)
stuct and communicated over a pipe from child to parent.
* Added two validation_ functions for two new keys.
The call of winbindd_validate_cache is still commented out
in the winbindd main loop. But I am currently testing it
and so far it seems to work fine.
The next step in my plan is to generalize the validation
mechanism to a tdb_open_log_validate function in lib/util_tdb.c.
There ist nothing very special about the cache tdb here,
and this might be useful elsewhere...
Michael
(This used to be commit 417325b9e6f9ac0afe1f2f3b552527788f6a7cee)
|
|
(This used to be commit a66a04e9f11f6c4462f2b56b447bae4eca7b177c)
|
|
take care not to expire the name2sid cache entry just because
that child does not know that the primary domain is offline.
(This used to be commit 0399f52a1cdbb1acf8d41afddf498529ff4923cf)
|
|
* Log the NTSTATUS when saving name/sid cache entry
* Allow the backend loolkup_usergroups() call in winbindd_{rpc,ads}.c
to inform the wcache manager that the group list should not be cached
(needed for one-way trusts).
(This used to be commit 693ab48408dbb775b57dcc5140e27ad9221852a1)
|
|
* Rely on the fact that name2sid will work for any name
in a trusted domain will work against our primary domain
(even in the absense of an incoming trust path)
* Only logons will reliably work and the idmap backend
is responsible for being able to manage id's without contacting
the trusted domain
* "getent passwd" and "getent group" for trusted users and groups
will work but we cannot get the group membership of a user in any
fashion without the user first logging on (via NTLM or krb5)
and the netsamlogon_cache being updated.
(This used to be commit dee2bce2af6aab8308dcef4109cc5248cfba5ef5)
|
|
daemon to manage the complete trusted domain cache
(This used to be commit 3a9152a2acfc7b615a5c6b8764ea9462443f00d1)
|
|
list of trusted domains without requiring each winbindd process
to aquire this on its own. This is needed for various idmap
plugins and for dealing with different trust topoligies.
list_trusted_domain() patches coming next.
(This used to be commit 2da62a3d965a9701e16e644fd6bc728b43f28489)
|
|
offline.
Guenther
(This used to be commit 37f9f466fd05bb06d8539bdb2cb72a730c2af4f4)
|
|
We certainly don't want to crash winbind on each sucessfull
centry_uint{8,16,32,64} read.
Jeremy, please check :-)
Guenther
(This used to be commit bfcd10766bcac1d50f7624bbe5a72eca57b5e278)
|
|
Jeremy.
(This used to be commit 8968808c3b5b0208cbad9ac92eaf948f2c546dd9)
|
|
Guenther
(This used to be commit d6f259e91862df043f14430a60e9d646e30fe632)
|
|
Jeremy.
(This used to be commit 1dd8d3a723ac2262a45fcd717daef79bffbf30d5)
|
|
Jeremy.
(This used to be commit b89ecbcac651034d818a41d8a1d0c5e7313f37b8)
|
|
same load/store function as NTTIME). Add a version number
string to the winbindd cache so we can tell if it needs
upgrading. THIS WILL DELETE ANY EXISTING winbindd_cache.tdb
on first startup regardless of offline auth status. Once
this is done we're in good shape though.
Jeremy.
(This used to be commit c52c7f91af80d5fbb2574b5acf10e6afef3b0c7e)
|
|
Jeremy.
(This used to be commit fc2b9e860ef9512eb074622e0ad134ff3f30bfe7)
|
|
Jeremy.
(This used to be commit 9be463eb0cb4d65c40e35c504059289696419486)
|
|
Jeremy
(This used to be commit b773ea2c8a107344fc524b41a2c81ecc723bd9ec)
|
|
problems when validating the winbindd cache. Wish I'd have
thought of that.
Jeremy.
(This used to be commit 6b0a8cbbb883b7041ed4b1f6c1ae90233921d154)
|
|
and fix all compiler warnings in the users
metze
(This used to be commit 3a28443079c141a6ce8182c65b56ca210e34f37f)
|
|
which matches what samba4 has.
also fix all the callers to prevent compiler warnings
metze
(This used to be commit fa322f0cc9c26a9537ba3f0a7d4e4a25941317e7)
|
|
to avoid creating the TDB_DATA struct from strings "by hand"
metze
(This used to be commit a8bc20d67f481a790524cad24e253436227af721)
|
|
Guenther
(This used to be commit cdef1d00b89abd632281d428f1e1a6b322559af4)
|
|
This allows a provider to supply the homedirectory, etc...
attributes for a user without requiring support in core
winbindd code. The idmap_ad.c module has been modified
to provide the idmap 'ad' library as well as the rfc2307 and sfu
"winbind nss info" support.
The SID/id mapping is working in idmap_ad but the nss_info
still has a few quirks that I'm in the process of resolving.
(This used to be commit aaec0115e2c96935499052d9a637a20c6445986e)
|
|
(This used to be commit ac3eb7813e33b9a2e78c9158433f7ed62c3b62bb)
|
|
a network but not one on which any home DC's can
be found (hotel network problem). Still testing
but this is getting close.
Jeremy.
(This used to be commit 369c9e4138b93f7cfb6680f0beb541f58554e856)
|
|
Fix code that mistakenly assumed tdb_traverse
returned 0 or -1, it actually returns -1 or the
number of entries traversed. Add a static as another
way to return the bad cache value.
Jeremy.
(This used to be commit 5266a70ae9971eb54fa769f89bec7c688285e811)
|
|
names (all except SEQNUM are *not* null terminated
strings).
Jeremy.
(This used to be commit bcb68260ba4e6a1ae6b681603367008309b9bfde)
|
|
Jeremy.
(This used to be commit 270e84db6de66b4f20dc0a564f706dae4c00b0b2)
|
|
against tdb corruption. Needs fleshing out
(and I forgot one record type) and needs helpful
suggestion from Volker to validate freelist,
but should give an idea of how this will look.
Jeremy.
(This used to be commit 8eb53f74e414483afde7b1e38ea2a3f56ae3ec66)
|
|
get paranoid. I don't think this can really happen, but let's be
sure.
Jeremy.
(This used to be commit be4709984b8548abf10a5e9fabba21d53440c42a)
|
|
That one was hard to find: when coming from offline mode and switching
to online, a refresh sequence number call (using the default MS-RPC
mechanism) may reset domain->backend to NULL (by the set_domain_online
event). We need to make sure to reidentify the remote domain in that
case.
Guenther
(This used to be commit 4d6503d1377a262ba8b87f344be7daf04e011ef2)
|
|
just before writing to the winbind cache tdb.
Guenther
(This used to be commit bd8548998b06a84c2e66acbcb68542a4b5d8b8df)
|
|
anymore in 3_0. I'm just adding a time(NULL) as value for the
WINBINDD_OFFLINE key.
Guenther
(This used to be commit 2bdf9f140f76d6eb73b34148c47f7d3447e2e563)
|
|
work again. Still under test.
Jeremy.
(This used to be commit 40a455db78f805daa6bfeb9e78fb78dcc12fd9a7)
|
|
(This used to be commit 763cbe924b78b206985db6552e20cb4830446d35)
|
|
Guenther
(This used to be commit 20de0b4823abb59518b7ffb495120494e705df7a)
|
|
Guenther
(This used to be commit b04c8d46efc67e013b976e0ba1be558b70a1f899)
|
|
better - don't just panic - delete them.
Jeremy.
(This used to be commit 4c54b75076442d239ae374b236c6f33aafece981)
|
|
* autogenerate lsa ndr code
* rename 'enum SID_NAME_USE' to 'enum lsa_SidType'
* merge a log more security descriptor functions from
gen_ndr/ndr_security.c in SAMBA_4_0
The most embarassing thing is the "#define strlen_m strlen"
We need a real implementation in SAMBA_3_0 which I'll work on
after this code is in.
(This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
|
|
Instead of trying to do this in the winbindd_cache
entries, add a timed even handler to probe every
5 mins when disconnected.
Fix events to run all pending events, rather than
only one.
Jeremy.
(This used to be commit 7bfbe1b4fb9a91c6678035f220bbf0b4f5afdcac)
|