summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_group.c
AgeCommit message (Collapse)AuthorFilesLines
2003-04-27make winbind use idmap as well.Simo Sorce1-12/+19
change idmap_init call removed ldap backend for winbind idmap, seem it had problems anyway and it have to be reworked to work with idmap without calling winbind code. simo (This used to be commit 9d7d007443fc75264b2764b90f272ffc40c9be6c)
2003-02-26Kill RID-only and domain+RID madness from winbind.Andrew Bartlett1-55/+59
Now we deal with SIDs in almost all of winbind (a couple of limited exceptions remain, but I'm looking into them - they use non-winbind structs ATM). This has particular benifits in returning out-of-domain SIDs for group membership (Need to look into this a bit more) as well as general code quality. This also removes much of the complexity from the idmap interface, which now only deals with mapping IDs, not with SID->domain translations. Breifly tested, but needs more. Fixes some valgrind-found bugs from my previous commit. Winbind cache chagned to using SID strings in some places, as I could not follow exactly how to save and restore multiple packed sids properly. Andrew Bartlett (This used to be commit 9247cf08c40f016a924d600ac906cfc6a7016777)
2003-02-22Fix a DEBUG() formatting, add some more debug to our SID pulling code andAndrew Bartlett1-1/+1
inline the call to prs_copy_all_data_out() so that we can know we are not overrunning our buffer. Also check more return values. Andrew Bartlett (This used to be commit e3b73d5d658584428c81c9ef3ccf024687a56e2f)
2002-12-20Forward port the change to talloc_init() to make all talloc contextsJeremy Allison1-3/+3
named. Ensure we can query them. Jeremy. (This used to be commit 842e08e52a665ae678eea239759bb2de1a0d7b33)
2002-11-26After consultation with tpot, remove the 'winbind_domain' environmentAndrew Bartlett1-13/+0
variable hack, the feild on the pipe, and the server-side. It only controlled some enum operations in any case. This is to try and have less 'magic' environment variables. Andrew Bartlett (This used to be commit e4be82e4e2c7cdf15f3e20f73fe9f281f6384423)
2002-10-18NULL enum_local_groups for ads winbindd (temporary workaround).Gerald Carter1-1/+1
(This used to be commit 06eea39abdb49d9d547707dcb170c988d7276c1d)
2002-10-08merge from APP_HEADGerald Carter1-8/+49
* s/driverlocation/comment * detect native mode domain and enumerate local groups Also * Added sendfile stats from SAMBA_2_2 (This used to be commit 764b58e2c0b3179cffe157c0ab58761b156b8423)
2002-07-31Winbind updates!Andrew Bartlett1-0/+6
This updates the 'winbind' authentication module and winbind's 'PAM' (actually netlogon) code to allow smbd to cache connections to the DC. This is particulary relevent when we need mutex locks already - there is no parallelism to be gained anyway. The winbind code authenticates the user, and if successful, passes back the 'info3' struct describing the user. smbd then interprets that in exactly the same way as an 'ntdomain' logon. Also, add parinoia to winbind about null termination. Andrew Bartlett (This used to be commit 167f122b670d4ef67d78e6f79a2bae3f6e8d67df)
2002-07-14this is a trick to work around the fact that posix does not supplyAndrew Tridgell1-8/+15
a getgr*() function that lists groups without numerating all the group members. Instead of definiing a new nss method (which might cause problems) I added an environment variable WINBIND_GETGRLST that tells winbind not to fill in the group members in a gergrent() request. This can speed up group listing by a factor of 20 or more (on my test system with 50000 groups it reduces the time from an hour to 2 minutes) (This used to be commit e3f73256d31ab9914daae49f41e984a534996870)
2002-06-25Add a couple more DEBUG()s to winbindd.Andrew Bartlett1-4/+9
Andrew Bartlett (This used to be commit 3b2464ffdad5e64a05e227b50116cb59f6d34204)
2002-06-18more debug classess activatedSimo Sorce1-0/+3
(This used to be commit 897e64d2e0c1d04ab93441ccaffe369bf43be46e)
2002-06-13Latest patch from metze <metze@metzemix.de> to move most of samba acrossAndrew Bartlett1-1/+2
to using SIDs instead of RIDs. The new funciton sid_peek_check_rid() takes an 'expected domain sid' argument. The idea here is to prevent mistakes where the SID is implict, but isn't the same one that we have in the struct. Andrew Bartlett (This used to be commit 04f9a8ff4c7982f6597c0f6748f85d66d4784901)
2002-03-26Don't do a zero-length malloc (caught with dmalloc library).Jeremy Allison1-1/+1
Jeremy. (This used to be commit 05f214202c02c0d585787cd21652edbbf338e50c)
2002-02-27this allows us to support foreign SIDs in winbindd and smbdAndrew Tridgell1-3/+2
this means "xcopy /o" has a chance of working with ACLs that contain ACEs that use SIDs that the Samba server has no knowledge of. It's a bit hackish, Tim, can you look at my uid.c changes? (This used to be commit fe2db3148587937aa7b674c1c99036d42a3776b3)
2002-01-30Removed version number from file header.Tim Potter1-2/+1
Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2002-01-26Change the winbind interface to use seperate 'domain' and 'username' feilds forAndrew Bartlett1-2/+2
the sid->uid and uid->sid conversions. Remove some duplicate arguments from these funcitons, and update the request/response structures for this and the 'winbind domain name' feature. As such 'winbindd_lookup_name' now takes both a domain and username. (This used to be commit ce1b4d4c309e4a60bec5a53224585bd504264672)
2002-01-20This patch makes the 'winbind use default domain' code interact better withAndrew Bartlett1-24/+18
smbd, and also makes it much cleaner inside winbindd. It is mostly my code, with a few changes and testing performed by Alexander Bokovoy <a.bokovoy@sam-solutions.net>. ab has tested it in security=domain and security=ads, but more testing is always appricatiated. The idea is that we no longer cart around a 'domain\user' string, we keep them seperate until the last moment - when we push that string into a pwent on onto the socket. This removes the need to be constantly parsing that string - the domain prefix is almost always already provided, (only a couple of functions actually changed arguments in all this). Some consequential changes to the RPC client code, to stop it concatonating the two strings (it now passes them both back as params). I havn't changed the cache code, however the usernames will no longer have a double domain prefix in the key string. The actual structures are unchanged - but the meaning of 'username' in the 'rid' will have changed. (The cache is invalidated at startup, so on-disk formats are not an issue here). Andrew Bartlett (This used to be commit e870f0e727952aeb8599cf93ad2650ae56eca033)
2002-01-18This is the 'winbind default domain' patch from Alexander BokovoyAndrew Bartlett1-7/+5
<a.bokovoy@sam-solutions.net>. The idea is the domain\username is rather harsh for unix systems - people don't expect to have to FTP, SSH and (in particular) e-mail with a username like that. This 'corrects' that - but is not without its own problems. As you can see from the changes to files like username.c and wb_client.c (smbd's winbind client code) a lot of assumptions are made in a lot of places about lp_winbind_seperator determining a users's status as a domain or local user. The main change I will shortly be making is to investigate and kill off winbind_initgroups() - as far as I know it was a workaround for an old bug in winbind itself (and a bug in RH 5.2) and should no longer be relevent. I am also going to move to using the 'winbind uid' and 'winbind gid' paramaters to determine a user/groups's 'local' status, rather than the presence of the seperator. As such, this functionality is recommended for servers providing unix services, but is currently less than optimal for windows clients. (TODO: remove all references to lp_winbind_seperator() and lp_winbind_use_default_domain() from smbd) Andrew Bartlett (This used to be commit 07a21fcd2311d2d9b430b99303e3532a8c1159e4)
2002-01-11Always query the PDC for the list of trusted domains rather than interatingTim Potter1-19/+32
the list received at startup or we get an out of date list. I thought there might be some sequence number that is incremented when a trusted domain is added or removed - perhaps there is but I just haven't found it yet. - Renamed get_domain_info() to init_domain_list() - Made an accessor function to return the list of trusted domains rather than using a global so we don't have to remember to put a magic init function - The getent state can not keep a pointer to a winbind_domain structure as it may be freed if init_domain_list() is called again so we keep the domain name instead (This used to be commit 37216c649a394b449eaaaa6644709eafb3bf37ff)
2002-01-10A big tidyup while thinking about getting trusted domains being re-readTim Potter1-58/+56
when they are added or removed on the PDC. - renamed GETPWNAM_FROM_{UID,USER} constants and functions to GETPW{NAM,UID} - renamed GETGRNAM_FROM_{GID,GROUP} constants and functions to GETGR{NAM,GID} - use SIGUSR2 in winbindd for debugging/logging instead of SIGUSR1 in preparation for moving to smbcontrol type messages (not sure whether to ditch this altogether or not) - tidy debugging messages in top level winbind user and group routines - convert talloc_init() to talloc_init_named() - make enumerations of the domain list use the same local variable names (This used to be commit eeb8af9c1a66bfcd80823d7b406acbab79857a16)
2001-12-18fixed handling of empty or dead domain in wbinfo -gAndrew Tridgell1-60/+9
(This used to be commit 2c54cfbc475cd22d0e906898a07d4e0576c64c80)
2001-12-11removed the start_ndx parameter from group enumerationAndrew Tridgell1-68/+42
I tried testing this by lowering the buffer size in cli_samr_enum_dom_groups() but that didn't work - I think this needs more looking into (This used to be commit 34328e30315e4b42087d0ee11ed0c3fb715bc250)
2001-12-11got rid of start_ndx from query_user_list()Andrew Tridgell1-2/+2
(This used to be commit 1c909afe76566807fb576c965eb869f98e72f2bd)
2001-12-10Merge of memory leak fixes from APPLIANCE_TNG.Tim Potter1-0/+7
(This used to be commit b198de92d2149ba2f5010c76e715d274b8f29c2a)
2001-12-09completely new winbindd cache infrastructureAndrew Tridgell1-83/+2
this one looks like just another winbind backend, and has the following properties: - does -ve and +ve cacheing of all queries - can be disabled with -n switch to winbindd - stores all records packed, so even huge domains are not a problem for a complete cache - handles the server being down - uses sequence numbers for all entries This fixes a lot of problems with winbindd. Serving from cache is now *very* fast. (This used to be commit fddb4f4c04473a60a97212c0c8e143d6a4d68380)
2001-12-06Fixed typo in fix for typo in debug. (-:Tim Potter1-1/+1
(This used to be commit 7c64e5f1481e832767ae07e63d7d9d116131b331)
2001-12-05finally worked out how to do ldap lookups by binary blobs, so I canAndrew Tridgell1-5/+5
now do searches on SID. This allows me to do a true ldap sid_to_name() function one one function to go! (This used to be commit 7d44aa3915bc88fd2b2f8454f190b11677cbb848)
2001-12-05Fixed parse_domain_user to be bool.Jeremy Allison1-13/+3
Jeremy. (This used to be commit 9563de2ef8c1197f4941671d2fdade7d933c32d0)
2001-12-04added lookup_groups() to the ads backendAndrew Tridgell1-1/+1
winbindd/ADS can now do initgroups() (This used to be commit 43edeaca9f3a42699131939ed0d917111f57b678)
2001-12-04moved lookup_usergroups() into the backend structureAndrew Tridgell1-10/+6
(This used to be commit 689f45d2079d06b09947b2cdd314867df98c938d)
2001-12-04added a query_user backendAndrew Tridgell1-5/+4
fixed a winbindd crash when the group membership can't be looked up (This used to be commit 088f4cc5be4a1a38781e4d019146d53993ed8c6f)
2001-12-03added name_to_sid to the backendAndrew Tridgell1-2/+2
(This used to be commit 816e40a51af80a7f703c0451304de406deab3dd8)
2001-12-03split winbindd_enum_dom_groups into the new backend structureAndrew Tridgell1-18/+6
also created winbindd_rpc.c which contains the functions that have been converted to the new structure. There will soon be a winbindd_ads.c for the ldap backend (This used to be commit e4ccc602ba65838646f2632120069f3274619dd9)
2001-11-27Added negative caching to group lookups.Jeremy Allison1-45/+84
Jeremy. (This used to be commit fceba7dea5b09ac9ce509c5252a46be8e4d3de85)
2001-11-27nsswitch/winbindd_group.c nsswitch/winbindd_user.c: formatting fixups.Jeremy Allison1-5/+5
smbd/open.c: Fix "delete on close" for directories. Jeremy. (This used to be commit 014b0973a3b3b9eb22cce3053171fa55f5c16a63)
2001-11-26Removed bogus SAFE_FREE() call of talloced return data fromTim Potter1-10/+13
winbindd_lookup_usergroups() (This used to be commit dd2048c418da7a08bc71305491953731fc427f5a)
2001-11-15Caching user, group and domain sam handles was a stupid idea.Tim Potter1-3/+13
Now we just keep a record of the open pipes. (This used to be commit 77c287e9460eed7bde7004c7e6c8cb0099c6ba6f)
2001-11-15Fixed display of uninitialised buffer in debug.Tim Potter1-2/+8
Get list of trusted domains if we haven't fetched them yet. (This used to be commit a7ef2d20b1bb4bdb1b9a2769b5c654bd0be791b3)
2001-10-31Added some extra fields to the auth_serversupplied_info structure.Tim Potter1-1/+3
To obtain the full group membership of a user (i.e nested groups on a win2k native mode server) it is necessary to merge this list of groups with the groups returned by winbindd when creating an nt access token. This breaks winbindd linking while AB and I sync up our changes to the authentication subsystem. (This used to be commit 4eeb7bcd783d7cfb3ac232f1faa035773007401d)
2001-10-21Fix for fussy Solaris compiler.Tim Potter1-3/+1
(This used to be commit d50005d4c118ae32d1ddbdee4feec479db4682b9)
2001-10-19Fixed some memory leaks introduced by connection handling rewrite, as wellTim Potter1-10/+13
as one memory leak that has been there for ages! Changed the way talloc is used in get{pw,gr}nam routines. (This used to be commit d52cd1854fdff18c223d6dd1eca0e26f1f0bf01b)
2001-10-19Converted some more functions to create and dispose of a talloc context on aTim Potter1-21/+24
per-call basis rather than per-connection. Had a bit more of a reformatting fest. Still need to run it through insure and handle downed connections. (This used to be commit 46fe5a8fb96974e1323bc3e5d94fda74edbeb852)
2001-10-14Pass domain structure around in cache code rather than the domain name.Tim Potter1-6/+6
(This used to be commit c6338d7eaeb31db2666603fcdd9179e61891a1c9)
2001-10-10Got the rest of the group functions working. Did some reformatting (manTim Potter1-28/+8
what was I thinking with those 4 character tabs?) We now pass our winbindd test suite again! Still to do: - talloc_ctx on a per winbindd request basis not per connection - clean up old crap we don't use any more - test against multiple BDCs (I know this isn't going to work - group/user handles have to be made against the same DC the domain and basic handles are. - implement network and dc failure recovery (This used to be commit dc4ca0e0bd779b9157ea3b2a8f17eb455abf0f26)
2001-10-09Implemented sam group handle stuff. getent group now works.Tim Potter1-63/+46
(This used to be commit 63731d4a00e7a70b48d0c25677c76ec6b2e04ce1)
2001-10-05This is the start of a bit of a rewrite of winbindd's connection handling.Tim Potter1-6/+13
I've wrapped up all the decisions about managing, making and closing connections into a connection manager in nsswitch/winbindd_cm.c. It's rather incomplete at the moment - only querying basic user info works at the moment (i.e finger -m DOMAIN/user) and everything else is broken. Jeremy, please take a look and I'll start moving across the rest of winbindd to this new system. (This used to be commit c369cf5af787ed9c642778d21f162716fbf0620e)
2001-10-03fix some possible memleaks and not tested reallocs spotted by Andreas MoroderSimo Sorce1-5/+12
(This used to be commit d30939a091b48f4d77f7618c75668ae151a5592e)
2001-09-17move to SAFE_FREE()Simo Sorce1-19/+14
(This used to be commit 03dc67788f68c9e01b5a82fdf43f837cb19f4608)
2001-09-05more warning fixes on solarisAndrew Tridgell1-1/+1
(This used to be commit c04c67fec85b1c81ef0b3cebacde304a1de0d854)
2001-09-04don't do pointer arithmetic on void* (some compilers can't do it)Andrew Tridgell1-1/+1
(This used to be commit c65e8db7ae765f844f8b0adb1e5de3651561ad96)