Age | Commit message (Collapse) | Author | Files | Lines |
|
Guenther
(This used to be commit 1e0124efc54810125bbfae6dce536b2c4fff62c1)
|
|
Guenther
(This used to be commit d50098518d77f9559457f558df7d11d3f026833e)
|
|
Guenther
(This used to be commit 499224f02a8722eea0d4644ca81ca55da0e9a86b)
|
|
(This used to be commit 4a4f85f0ef8545b7062e9a49392d4488aa108036)
|
|
around failed query_user calls. This fixes
logons to a member of a Samba domain as a user from a
trusted AD domain.
As per comments on samba-technical, I still need to add
(a) cache the PAC info as werll as NTLM net_user_info_3
(b) expire the cache when the SMB session goes away
Both Jeremy and Guenther have signed off on the idea.
(This used to be commit 0c2bb5ba7b92d9210e7fa9f7b70aa67dfe9faaf4)
|
|
Still needs some more testing ni domains with multiple DCs. Coming next....
(This used to be commit aaed605206a8549cec575dab31e56bf6d32f26a6)
|
|
x86_64 box.
Jeremy.
(This used to be commit d720867a788c735e56d53d63265255830ec21208)
|
|
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
|
|
Will deal with any fallout from special environments using a non-cache solution
(This used to be commit e1de6f238f3981d81e49fb41919fdce4f07c8280)
|
|
It was already gone in trunk anyways.
working on fixing BUG 3000 which does work now but we are flying
without a cache.
(This used to be commit 4936d6d8b28edc59a3d17defcdf255ea6e0ba4e0)
|
|
pointer in get_cache() by requiring that all domain structure be
initialized with the set_dc_type_and_flags().
(This used to be commit c064609b942e88c70fe0a868e52c57ad1016850c)
|
|
POSIX
homedirectory and the loginshell from Active Directory's "Services for Unix".
Enable it with:
winbind sfu support = yes
User-Accounts without SFU-Unix-Attributes will be assigned template-based
Shells and Homedirs as before.
Note that it doesn't matter which version of Services for Unix you use (2.0,
2.2, 3.0 or 3.5). Samba should detect the correct attributes (msSFULoginShell,
msSFU30LoginShell, etc.) automatically.
If you also want to share the same uid/gid-space as SFU then also use PADL's
ad-idmap-Plugin:
idmap backend = ad
When using the idmap-plugin only those accounts will appear in Name Service
Switch that have those UNIX-attributes which avoids potential uid/gid-space
clashes between SFU-ids and automatically assigned idmap-ids.
Guenther
(This used to be commit 28b59699425b1c954d191fc0e3bd357e4a4e4cd8)
|
|
(This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8)
|
|
(This used to be commit 8104149e6f490fa1a298e61becc8df01ddd92008)
|
|
(This used to be commit fb561fe26cc61272e24965b81e276fa5420b146d)
|
|
(This used to be commit efea76ac71412f8622cd233912309e91b9ea52da)
|
|
Volker
(This used to be commit 78975ab9a996ac61be37410f18ddedb9df58d04b)
|
|
shows that this info is correctly returned to us in to info3 struct, so
check_info3_in_group does not need to be adapted.
Volker
(This used to be commit a84e778cafcefdc1809474c2123e757c8c9d9b70)
|
|
allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
|
|
Qiao Yang.
(This used to be commit 30ae13cb9fbe5f04e46bcbd5e0c19da9b33341d5)
|
|
Volker
(This used to be commit 11f617eafd5512dab89bc363662f8e6953c359d4)
|
|
testing
it.
Volker
(This used to be commit 0a3413fbe378bc378aea7ffe9a6af8b65ce49f4a)
|
|
for setting up an schannel connection. This solves the problem
of a Samba DC running winbind, trusting a native mode AD domain,
and needing to enumerate AD users via wbinfo -u.
(This used to be commit e9f109d1b38e0b0adec9b7e9a907f90a79d297ea)
|
|
Jeremy.
(This used to be commit 2d52562691d59b44546225454f6fff5b64552de8)
|
|
and AD) as well as on a Samba DC
(This used to be commit 157d53782d6a7d0b7e30676a674ff2a25a15369c)
|
|
Volker
(This used to be commit 23c5769545dc8371a679ad4c679578c617f7d85b)
|
|
(This used to be commit 8037750df568e6b51b2b0cba9192468110470388)
|
|
-1 rather than multiplying it by 8 (the default cache time is 5 minutes now)
(This used to be commit 8d6e370313b62556ba13d88e1ab5ff468ac103c8)
|
|
The reason for this are:
(a) the set_dc_type_and_flags() cannot tell the different
between connecting to an NT4 domain and an NT4 BDC
of a mixed mode domain.
(b) the connection management for the rpc backend only
provides on named pipe per cli_state. So it is possible
to connect to an NT4 BDC for netlogon and an AD mixed mode
DC for lsarpc. RPC is the lowest common demonimator here.
(c) Issue with the sequence number value between the
highestCommittedUSN LDAP attribute and the seq_num returned
via RPC.
We will revisit this later, but the changes need to make this
work right now are too broad and risky.
(This used to be commit 1ed2e521536108229d153c2996f4757d89461166)
|
|
domains, this patch ensures that we always use the ADS backend when
security=ADS, and the remote server is capable.
The routines used for this behaviour have been upgraded to modern Samba
codeing standards.
This is a change in behaviour for mixed mode domains, and if the trusted
domain cannot be reached with our current krb5.conf file, we will show
that domain as disconnected.
This is in line with existing behaviour for native mode domains, and for
our primary domain.
As a consequence of testing this patch, I found that our kerberos error
handling was well below par - we would often throw away useful error
values. These changes move more routines to ADS_STATUS to return
kerberos errors.
Also found when valgrinding the setup, fix a few memory leaks.
While sniffing the resultant connections, I noticed we would query our
list of trusted domains twice - so I have reworked some of the code to
avoid that.
Andrew Bartlett
(This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
|
|
find_domain_from_name(lp_workgroup()).
(as find_domain_from_name() can change the data in lp_workgroup())
Andrew Bartlett
(This used to be commit 2e6eaad9ce6a0ad6923b5952ef6cf1c3688b7cfa)
|
|
(This used to be commit aacb817e89d17349003159e1b7c28546babc8559)
|
|
compilation, but that allows Samba3 to take advantage of pre-compiled
headers in gcc if available.
(This used to be commit b3e024ce1da7c7e24fcacd8a2964dd2e4562ba39)
|
|
(This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669)
|
|
numbers; reported by Ken Cross
(This used to be commit 10c7a1af67e556c17d4b3495934a2dad19728d77)
|
|
* use DsEnumerateDomainTrusts() instead of LDAP search.
wbinfo -m now lists all trusted downlevel domains and
all domains in the forest.
Thnigs to do:
o Look at Krb5 connection trusted domains
o make sure to initial the trusted domain cache as soon
as possible
(This used to be commit 0ab00ccaedf204b39c86a9e1c2fcac5f15d0e033)
|
|
to pstr_sprintf() and fstr_sprintf() to try to standardize.
lots of snprintf() calls were using len-1; some were using
len. At least this helps to be consistent.
(This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
|
|
fix the confusion when we tdb_lock_bystring() but
we retrieve an entry using tdb_fetch_by_string.
It's now always tdb.*bystring()
(This used to be commit 66359531b89368939f0e8f584a45844b5f2f99e7)
|
|
strupper_m/strlower_m.
I really want people to think about when they're using multibyte strings.
Jeremy.
(This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
|
|
branch.
Jeremy.
(This used to be commit 19629b41cb9b5e5f9e0d4a6d52af983a4d05c8cb)
|
|
failure
* Fix code to use winbind_rpc methods for trusted mixed mode or NT4 domains
( does no one ever test this? )
* add in LDAP code to get the sequence number for rpc based seqnum update.
( this is needed if the DC is upgraded and samba is not reconfigured
to use security = ads; it's not pretty but it works (from app_head) )
* fix bug that caused us to enumerate domain local groups in domains
other than our own
(This used to be commit 14f2cd139a22454571cea8475d3b7c5c2787d378)
|
|
This replaces the universal group caching code (was originally
based on that code). Only applies to the the RPC code.
One comment: domain local groups don't show up in 'getent group'
that's easy to fix.
Code has been tested against 2k domain but doesn't change anything
with respect to NT4 domains.
netsamlogon caching works pretty much like the universal group
caching code did but has had much more testing and puts winbind
mostly back in sync between branches.
(This used to be commit aac01dc7bc95c20ee21c93f3581e2375d9a894e1)
|
|
using MSRPC backend and should be safe with ldap backend.
Jeremy.
(This used to be commit 67535329a2df8986c2d1d85e25cd5c558ee61405)
|
|
have a primary ADS domain and a secondary (trusted) NT4 domain. This
caused winbindd to be *really* slow for that setup.
- fixed winbindd_getgrgid(), which was calling uid_to_sid instead of
gid_to_sid(). When you make changes to winbind *PLEASE* test using
nsstest.
(This used to be commit cdd9b60a078b63e22f543d4c8d0956ff536f4d89)
|
|
is going on in remote large sites.
Jeremy.
(This used to be commit 5987dad1f1049f08bf4a94929f70b5eac96c7007)
|
|
* quit obsessing over the sequence number so much
* share the updated sequence number between parent
and child winbindd processes in dual mode
(This used to be commit 6f99cafa95b2a9dc98d8272fe6a54e9d37098340)
|
|
We really need idmap_ldap to have a good solution with ldapsam, porting
it from the prvious code is beeing made, the code is really simple to do
so I am confident it is not a problem to commit this code in.
Not committing it would have been worst.
I really would have been able to finish also the group code, maybe we can
put it into a followin release after 3.0.0 even if it may be an upgrade
problem.
The code has been tested and seem to work right, more testing is needed for
corner cases.
Currently winbind pdc (working only for users and not for groups) is
disabled as I was not able to make a complete group code replacement that
works somewhat in a week (I have a complete patch, but there are bugs)
Simo.
(This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
|
|
This includes the 'SIDs Rule' patch, mimir's trusted domains cacheing code,
the winbind_idmap abstraction (not idmap proper, but the stuff that held up
the winbind LDAP backend in HEAD).
Andrew Bartlett
(This used to be commit d4d5e6c2ee6383c6cceb5d449aa2ba6c83eb0666)
|
|
Jeremy.
(This used to be commit 2006e36c18bb2d5e44179829c66934efad38b0c7)
|
|
(This used to be commit 09c6f6329d6ae9327b7ef06de0ea78d24d805456)
|