Age | Commit message | Author | Files | Lines |
|
mappings.
rafal
(This used to be commit 3a9b5eabf97e892e761184da37465d850b5d774c)
|
|
A new wrapper tdb_validate_open() takes a filename and opens and closes
the tdb before and after calling tdb_validate() respectively.
winbindd_validate_cache_nobackup() now dynamically calls one of
the above functions depending on whether the cache tdb has already
been opened or not.
Michael
(This used to be commit dc0b08e6590caa4974fd4d9f34f39f261d1f1dee)
|
|
backup and corrupt file handling. (To be used in subsequent
changes.)
(This used to be commit b3dcadbed0b4a1b7bb2e83df2c66bca9dcbcad60)
|
|
(This used to be commit 90626652084c2ada6b2eb041db652720c03a1c3b)
|
|
store entries.
Thanks Michael for pointing this out.
Guenther
(This used to be commit c7047604446c3fc33b5e14833267ac8ad3a906b1)
|
|
commit fb52f971986dd298abbcd9745ddf702820ce0184
Author: Gerald Carter <coffeedude@plainjoe.org>
Date: Mon Aug 27 13:50:26 2007 -0500
Check correct return type for pam_winbind_request_log() winbind_upn_to_username
which is an int and not NSS_STATUS.
commit 7382edf6fc0fe555df89d5b2a94d12b35049b279
Author: Gerald Carter <coffeedude@plainjoe.org>
Date: Mon Aug 27 13:30:26 2007 -0500
Allow wbinfo -n to convert a UPN to a SID
commit 8266c0fe1ccf2141e5a983f3213356419e626dda
Author: Gerald Carter <coffeedude@plainjoe.org>
Date: Fri Aug 3 09:53:16 2007 -0500
Merge some of Guenther UPN work for pam_winbind.c (check the winbind separator
and better pam logging when converting a upn to a username).
commit 15156c17bc81dbcadf32757015c4e5158823bf3f
Author: Gerald Carter <coffeedude@plainjoe.org>
Date: Fri Aug 3 08:52:50 2007 -0500
Include Universal groups from the cached PAC/SamLogon info when
generating the list of domain group SIDs for a user's token.
commit 979053c0307b051954261d539445102c55f309c7
Author: Gerald Carter <coffeedude@plainjoe.org>
Date: Thu Aug 2 17:35:41 2007 -0500
merge upnlogon patch from my tree
(This used to be commit 98fb5bcd5702d5086bdf9b58105a67efb90950f4)
|
|
Guenther
(This used to be commit 6a9af88a2d5daa0335a4596f7a826141ba81e303)
|
|
Guenther
(This used to be commit adaa5e423dd022e3dc2cbe657146f3978fb59de3)
|
|
tdb_validate
in winbindd cache validation.
Michael
(This used to be commit 2c2a1ff2c27861ca87afbd8bab39d257a69e9565)
|
|
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
|
|
Jeremy.
(This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
|
|
to the caller (winbindd_validate_cache in this case).
Next, there will be a backup handling for the tdb files.
Michael
(This used to be commit 821bc84109625c9d85edee38fa26d16f9f0a0fe2)
|
|
back to winbindd_cache.c. The generic mechanism
should open the cache tdb readonly and with default
flags.
Michael
(This used to be commit 062d8c61294a1e9f8588fa8af31954dd286c7bde)
|
|
code into a generic tdb validation code.
In lib/util_tdb.c for a start.
Michael
(This used to be commit 527edfa0cbcb233218ebabc395666d1d7228ee37)
|
|
the patch :-)
(This used to be commit 07b71a02aef15b75d281cabeb7140db1bc0bb283)
|
|
Guenther
(This used to be commit 23e25bba8fafb31492b517d63f0a00c5ec07d5da)
|
|
Jeremy.
(This used to be commit 8e83e4267260201777c753c4e3849d65fd20ae8f)
|
|
(This used to be commit cbd083efb9a00db68be24cde10b96da06390d970)
|
|
Setting it
to False makes winbind use RPC and not LDAP methods to connect to the DCs,
even when it figured out they are AD.
(This used to be commit 1c1f710e3e2e222c9d91a5650844c1db5ebd5a3a)
|
|
> Here's the problem I hit:
>
> getgrnam("foo") -> nscd -> NSS -> winbindd ->
> winbindd_passdb.c:nam_to_sid() -> lookup_global_sam_name() ->
> getgrnam("foo") -> nscd -> ....
>
> This is in the SAMBA_3_0 specifically but in theory could happen in
> SAMBA_3_0_25 (or 26) for an unknown group.
>
> The attached patch passes down enough state for the
> name_to_sid() call to be able to determine the originating
> winbindd cmd that came into the parent. So we can avoid
> making more NSS calls if the original call came in through NSS
> so we don't deadlock ? But you should still service
> lookupname() calls which are needed for example when
> doing the token access checks for a "valid groups" from
> smb.conf.
>
> I've got this in testing now. The problem has shown up with the
> DsProvider on OS X and with nscd on Solaris and Linux.
(This used to be commit bcc8a3290aaa0d2620e9d391ffbbf65541f6d742)
|
|
use a helper function to construct the TDB_DATA key
as strlen_m() is totally wrong here anyway
metze
(This used to be commit fb77cc7fbc0100c66365109ae6c3cc4824079a2e)
|
|
(#if inside DEBUG macro not allowed...)
Michael
(This used to be commit f0570dc3d9e07475764e466901d4abfe939590f8)
|
|
(This used to be commit d909a6064159bc746bd558238e81d57cc274a162)
|
|
a global error flag and returning), so cleanups and returns
subsequent to calls of smb_panic_fn have become unnecessary.
(This used to be commit 9d2db8c70f10a9285abd4a61fa66ee8aff2e7e6b)
|
|
* Replaced signal catching/longjmp magic by a fork:
Let the child do the actual validation of the entries.
Exit code and signals are intercepted by waitpid.
* Fix logic so that also encounter of an unknown key in the
tdb leads to an error.
* Extended status of validation is kept in a (as yet simple)
struct and communicated over a pipe from child to parent.
* Added two validation_ functions for two new keys.
The call of winbindd_validate_cache is still commented out
in the winbindd main loop. But I am currently testing it
and so far it seems to work fine.
The next step in my plan is to generalize the validation
mechanism to a tdb_open_log_validate function in lib/util_tdb.c.
There is nothing very special about the cache tdb here,
and this might be useful elsewhere...
Michael
(This used to be commit 417325b9e6f9ac0afe1f2f3b552527788f6a7cee)
|
|
(This used to be commit a66a04e9f11f6c4462f2b56b447bae4eca7b177c)
|
|
take care not to expire the name2sid cache entry just because
that child does not know that the primary domain is offline.
(This used to be commit 0399f52a1cdbb1acf8d41afddf498529ff4923cf)
|
|
* Log the NTSTATUS when saving name/sid cache entry
* Allow the backend lookup_usergroups() call in winbindd_{rpc,ads}.c
to inform the wcache manager that the group list should not be cached
(needed for one-way trusts).
(This used to be commit 693ab48408dbb775b57dcc5140e27ad9221852a1)
|
|
* Rely on the fact that name2sid for any name
in a trusted domain will work against our primary domain
(even in the absence of an incoming trust path)
* Only logons will reliably work and the idmap backend
is responsible for being able to manage id's without contacting
the trusted domain
* "getent passwd" and "getent group" for trusted users and groups
will work but we cannot get the group membership of a user in any
fashion without the user first logging on (via NTLM or krb5)
and the netsamlogon_cache being updated.
(This used to be commit dee2bce2af6aab8308dcef4109cc5248cfba5ef5)
|
|
daemon to manage the complete trusted domain cache
(This used to be commit 3a9152a2acfc7b615a5c6b8764ea9462443f00d1)
|
|
list of trusted domains without requiring each winbindd process
to acquire this on its own. This is needed for various idmap
plugins and for dealing with different trust topologies.
list_trusted_domain() patches coming next.
(This used to be commit 2da62a3d965a9701e16e644fd6bc728b43f28489)
|
|
offline.
Guenther
(This used to be commit 37f9f466fd05bb06d8539bdb2cb72a730c2af4f4)
|
|
We certainly don't want to crash winbind on each successful
centry_uint{8,16,32,64} read.
Jeremy, please check :-)
Guenther
(This used to be commit bfcd10766bcac1d50f7624bbe5a72eca57b5e278)
|
|
Jeremy.
(This used to be commit 8968808c3b5b0208cbad9ac92eaf948f2c546dd9)
|
|
Guenther
(This used to be commit d6f259e91862df043f14430a60e9d646e30fe632)
|
|
Jeremy.
(This used to be commit 1dd8d3a723ac2262a45fcd717daef79bffbf30d5)
|
|
Jeremy.
(This used to be commit b89ecbcac651034d818a41d8a1d0c5e7313f37b8)
|
|
same load/store function as NTTIME). Add a version number
string to the winbindd cache so we can tell if it needs
upgrading. THIS WILL DELETE ANY EXISTING winbindd_cache.tdb
on first startup regardless of offline auth status. Once
this is done we're in good shape though.
Jeremy.
(This used to be commit c52c7f91af80d5fbb2574b5acf10e6afef3b0c7e)
|
|
Jeremy.
(This used to be commit fc2b9e860ef9512eb074622e0ad134ff3f30bfe7)
|
|
Jeremy.
(This used to be commit 9be463eb0cb4d65c40e35c504059289696419486)
|
|
Jeremy
(This used to be commit b773ea2c8a107344fc524b41a2c81ecc723bd9ec)
|
|
problems when validating the winbindd cache. Wish I'd have
thought of that.
Jeremy.
(This used to be commit 6b0a8cbbb883b7041ed4b1f6c1ae90233921d154)
|
|
and fix all compiler warnings in the users
metze
(This used to be commit 3a28443079c141a6ce8182c65b56ca210e34f37f)
|
|
which matches what samba4 has.
also fix all the callers to prevent compiler warnings
metze
(This used to be commit fa322f0cc9c26a9537ba3f0a7d4e4a25941317e7)
|
|
to avoid creating the TDB_DATA struct from strings "by hand"
metze
(This used to be commit a8bc20d67f481a790524cad24e253436227af721)
|
|
Guenther
(This used to be commit cdef1d00b89abd632281d428f1e1a6b322559af4)
|
|
This allows a provider to supply the homedirectory, etc...
attributes for a user without requiring support in core
winbindd code. The idmap_ad.c module has been modified
to provide the idmap 'ad' library as well as the rfc2307 and sfu
"winbind nss info" support.
The SID/id mapping is working in idmap_ad but the nss_info
still has a few quirks that I'm in the process of resolving.
(This used to be commit aaec0115e2c96935499052d9a637a20c6445986e)
|
|
(This used to be commit ac3eb7813e33b9a2e78c9158433f7ed62c3b62bb)
|
|
a network but not one on which any home DC's can
be found (hotel network problem). Still testing
but this is getting close.
Jeremy.
(This used to be commit 369c9e4138b93f7cfb6680f0beb541f58554e856)
|
|
Fix code that mistakenly assumed tdb_traverse
returned 0 or -1, it actually returns -1 or the
number of entries traversed. Add a static as another
way to return the bad cache value.
Jeremy.
(This used to be commit 5266a70ae9971eb54fa769f89bec7c688285e811)
|