path: root/source3/nsswitch/winbindd_group.c
Age | Commit message | Author | Files | Lines
2007-10-10 | r23730: Squashed commit of the following: | Gerald Carter | 1 | -0/+1
commit 3941269fa01038fca242a197e8d7c1f234d45ea7
Author: Gerald (Jerry) Carter <jerry@samba.org>
Date: Thu Jul 5 14:52:03 2007 -0500
Two fixes for "winbind expand groups".
(a) Update the counter for the number of new groups to resolve else we'll only expand one group member per level and drop the rest.
(b) Don't reset the num_names counter in winbindd_ads.c:lookup_groupmem() or we'll drop the SIDs resolved to names via cache from the resulting list.
(This used to be commit dfb89dfcaa02f497ff22ac0213b70add6e4d5b8f)
2007-10-10 | r23632: Correctly return the new_group list pointer from expand_groups | Gerald Carter | 1 | -1/+1
or else getgrnam() always acts like 'winbind expand groups = 1' (This used to be commit 04ae193ec44c0ecefa64ca44ad0cdb5968087319)
2007-10-10 | r23619: Fix compile warning in fill_grent_mem() caused by mismatched counter size. | Gerald Carter | 1 | -1/+1
(This used to be commit 05520d6b0a86c1cd5abbf6252c4a32629cdf8619)
2007-10-10 | r23515: Ensure status isn't used uninitialized. | Jeremy Allison | 1 | -1/+1
Jeremy. (This used to be commit 5b2836e2d5f9081b5e39637538d8f2d19e1115c4)
2007-10-10 | r23496: Fix logic error in getgrnam_recv() that broke | Gerald Carter | 1 | -1/+1
getgrnam() for machine and domain local groups. (This used to be commit 4d4c1eca30ce57b4072e9f8c59fcc49bf3a5c48e)
2007-10-10 | r23471: Here's a rough patch for expanding domain group membership | Gerald Carter | 1 | -154/+342
in the winbindd_getgrnam() call. Couple of comments:
* Adds "winbind expand groups" parameter which defines the max depth winbindd will expand group members. The default is the current behavior of one level of expansion.
* The entire getgrnam() interface should be async. I haven't done that.
* Refactors the domain users hack in fill_grent_mem() into its own function.
(This used to be commit 3d3a8130351753dc5caa2a270d130e2150da6b54)
2007-10-10 | r23244: Fix loop with nscd and NSS recursive calls. | Gerald Carter | 1 | -2/+2
> Here's the problem I hit:
>
> getgrnam("foo") -> nscd -> NSS -> winbindd ->
> winbindd_passdb.c:nam_to_sid() -> lookup_global_sam_name() ->
> getgrnam("foo") -> nscd -> ....
>
> This is in the SAMBA_3_0 specifically but in theory could happen
> SAMBA_3_0_25 (or 26) for an unknown group.
>
> The attached patch passes down enough state for the
> name_to_sid() call to be able to determine the originating
> winbindd cmd that came into the parent. So we can avoid
> making more NSS calls if the original call came in through NSS
> so we don't deadlock? But you should still service
> lookupname() calls which are needed for example when
> doing the token access checks for a "valid groups" from
> smb.conf.
>
> I've got this in testing now. The problem has shown up with the
> DsProvider on OS X and with nscd on Solaris and Linux.
(This used to be commit bcc8a3290aaa0d2620e9d391ffbbf65541f6d742)
2007-10-10 | r22812: Fix bug #3024 (and also the group variant). Patch from | Jeremy Allison | 1 | -2/+7
Johann Hanne <jhml@gmx.net> and also Kaya Bekiroğlu <kaya.bekiroglu@isilon.com> Jeremy. (This used to be commit c0ba891be06f49968317a90079554cfce2344f39)
2007-10-10 | r22744: Fix a valgrind error. parse_domain_username does not necessarily fill in | Volker Lendecke | 1 | -0/+3
the domain. (This used to be commit f4f0d7137758cc674876517590807cc3d634043d)
2007-10-10 | r22703: Convert winbindd_getgrgid() and winbindd_getgetpwnam() | Gerald Carter | 1 | -113/+113
to use the same code path after we resolve the name/gid to a SID. Use the async lookupname/lookupsid interface. (This used to be commit d12b8147d6bd34fad680cb8705dc6d7bbea1db12)
2007-10-10 | r21860: Fixes for "winbind normalize names" functionality: | Gerald Carter | 1 | -1/+3
* Fix getgroups() call called using a normalized name
* Fix some more name mappings that could cause for example a user to be unable to unlock the screen as the username would not match in the PAM authenticate call.
(This used to be commit 505fc669a1b2c36e1639924b9639c97988056d8d)
2007-10-10 | r21609: Fix memory leaks in error code paths (and one in winbindd_group.c). | Jeremy Allison | 1 | -2/+4
Patch from Zack Kirsch <zack.kirsch@isilon.com>. Jeremy. (This used to be commit df07a662e32367a52c1e8473475423db2ff5bc51)
2007-10-10 | r21357: Fix typo. | Günther Deschner | 1 | -1/+1
Guenther (This used to be commit e3c32583795631212dc0d5cd01981b27cde2a489)
2007-10-10 | r21149: Only say we are a groupmember for the optimized (rid 513) membership | Günther Deschner | 1 | -1/+4
lookup when we actually are. Although the Linux nss winbind backend protects against num_mem != 0 && buf == NULL. Guenther (This used to be commit a9ac4630b46242f88bd7a4e92511b55cc82e9940)
2007-10-10 | r21130: Don't mix SAFE_FREE() and TALLOC_FREE(). | Gerald Carter | 1 | -1/+1
(This used to be commit 5c36d67d272a52f58532daa3c3c09b8f8b6a34e0)
2007-10-10 | r21101: Remove "unused" warning from Jerry's code. We still | Jeremy Allison | 1 | -1/+0
have a build failure in 3.0.24 in event_add_timed ? Jeremy (This used to be commit ede30a8b4b705808d9c46ae848f5cbd89a808cdc)
2007-10-10 | r21070: * Add the new boolean 'winbind normalize names' option as discussed | Gerald Carter | 1 | -0/+3
on the samba-technical ml. The replacement character is hardcoded as a '_' for now. (This used to be commit bd8238417b8d692ed381a870901ff1ee4cfa80f6)
2007-10-10 | r21014: move some functions to winbindd_group.c and make static | Gerald Carter | 1 | -3/+144
(This used to be commit af5a2fa9eccf753106cd944be31f38845363ace6)
2007-10-10 | r20207: Fix a couple more places where extra_data was | Jeremy Allison | 1 | -3/+6
being talloc'ed off the NULL context instead of being malloced. Jeremy. (This used to be commit 47bdeb4efeaa5a441ad2d39bb3b94d72263e66e4)
2007-10-10 | r20186: Fix winbind crash bug in WINBIND_GETGROUPS. | Günther Deschner | 1 | -2/+3
response_extra_sent() expects to free a malloced extra_data.data while the add_XX_to_array functions all return talloced memory now. Jeremy, please check. Guenther (This used to be commit 9f34c9f3695757819d728a17a1497247ea479ebf)
2007-10-10 | r20150: better memory handling for some functions, make sure we don't | Simo Sorce | 1 | -2/+2
leak memory by using the wrong (long lived) mem context (This used to be commit a28cdd6e742cb72a728bd337546ee95fd4160ed8)
2007-10-10 | r20116: Start merging in the work done to create the new idmap subsystem. | Simo Sorce | 1 | -33/+19
Simo. (This used to be commit 50cd8bffeeed2cac755f75fc3d76fe41c451976b)
2007-10-10 | r20090: Fix a class of bugs found by James Peach. Ensure | Jeremy Allison | 1 | -3/+6
we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevant parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
2007-10-10 | r19809: remove winbind blacklist parameter | Gerald Carter | 1 | -24/+0
(This used to be commit 40cff1449886449b34b896e31fd43b7dff436a3f)
2007-10-10 | r19272: Ensure we return 1 member in the optimized case. | Jeremy Allison | 1 | -0/+1
(This used to be commit cc6cdabf19e9a610be064e26fdf3a9d2a3c76c2c)
2007-10-10 | r19271: Test the "hack" for "Domain Users" as agreed with | Jeremy Allison | 1 | -9/+120
Jerry. If "enum users" is set to false, and the group being looked up is the Domain Users SID: S-1-5-domain-513, then for the list of members check if the querying user is in that group, and if so only return that user as the gr_mem array. We can change this to a different parameter than "enum users" if necessary, or parameterize the group list we do this for. Jeremy. (This used to be commit 91b40e25cc38ed6e8df9e448da975d3e202d919f)
2007-10-10 | r19255: Add blacklist of accounts when NSS initgroups calls are coming in and | Günther Deschner | 1 | -0/+24
"winbind use default domain" is set. Defaults to "root, nobody, lp" currently. Guenther (This used to be commit b5b42196a6f2869deefc700dc98060f5ab832e40)
2007-10-10 | r19155: Fix debug message. | Jeremy Allison | 1 | -1/+1
Jeremy. (This used to be commit 42e5481ce4bebc65040d466b49e3c45cd4e79f5d)
2007-10-10 | r18271: Big change: | Gerald Carter | 1 | -7/+7
* autogenerate lsa ndr code
* rename 'enum SID_NAME_USE' to 'enum lsa_SidType'
* merge a lot more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0
The most embarrassing thing is the "#define strlen_m strlen". We need a real implementation in SAMBA_3_0 which I'll work on after this code is in.
(This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2007-10-10 | r17605: Some C++ warnings | Volker Lendecke | 1 | -9/+15
(This used to be commit 05268d7a731861b10ce8556fd32a004808383923)
2007-10-10 | r17459: As by Jerry's word commit this without his review. | Simo Sorce | 1 | -39/+65
This patch adds some missing async functions to solve UID/GID -> SID requests not just out of the cache, but down the remote idmap if necessary. This patch solves the problem of servers not showing users/groups names for allocated UID/GIDs when joined to a group of servers that share a prepopulated idmap backend. Also correctly resolve UID/GIDs to SIDs when looking ACLs from the windows security tab on the same situation. Simo. (This used to be commit b8578bfab6a04fcd65a2e65f507067459e326077)
2007-10-10 | r17159: Bug 3920: Restore winbind use default domain behavior for domain groups. | Gerald Carter | 1 | -11/+4
This breaks local users and 'winbind nested groups' on domain members. Cannot be helped. My plan is to move the default domain crud to the client code (pam and nss libraries) in 3.0.24. (This used to be commit 8ee22eeab5d06008b363f8bb250dc767ddfbb86a)
2007-10-10 | r17021: remove unsupported smbwrapper code | Gerald Carter | 1 | -1/+8
(This used to be commit 07c67fbfc0790169ee748c0e62da14c89d3add23)
2007-10-10 | r16284: Start fixing up gcc4 -O6 warnings on an x86_64 box. size_t != unsigned | Jeremy Allison | 1 | -4/+4
int in a format string. Jeremy. (This used to be commit face01ef01e1a3c96eae17c56cadf01020d4cb46)
2007-10-10 | r16114: Make winbindd's group enumeration (set|get|endgrent) work again (when | Günther Deschner | 1 | -1/+1
enabled). Do not bail out when a group just has 0 members. Jeremy, please check, this has been removed with r13915. Guenther (This used to be commit 3a738a855d335e44e167351e6396bf3fe81a03af)
2007-10-10 | r15107: 64 bit fixes. size_t on a 64-bit box is not uint32. | Jeremy Allison | 1 | -3/+12
Jeremy. (This used to be commit 634e0dc3c73968da8f1f50186ca15f8873f380ce)
2007-10-10 | r15053: fix portability issues between 32-bit winbind clients and a 64-bit winbindd server | Gerald Carter | 1 | -14/+14
(This used to be commit a95d11345e76948b147bbc1f29a05c978d99a47a)
2007-10-10 | r14421: This does two things | Gerald Carter | 1 | -2/+10
* Automatically creates the BUILTIN\Users group similar to how BUILTIN\Administrators is done. This code does need to be cleaned up considerably. I'll continue to work on this.
* The important fix is for getusergroups() when dealing with a local user and nested groups. Now I can run the following successfully:
    $ su - jerry -c groups
    users BUILTIN\users
(This used to be commit f54d911e686ffd68ddc6dbc073987b9d8eb2fa5b)
2007-10-10 | r14403: * modifies create_local_nt_token() to create a BUILTIN\Administrators | Gerald Carter | 1 | -6/+21
group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes'
* Add a SID domain to the group mapping enumeration passdb call to fix the checks for local and builtin groups. The SID can be NULL if you want the old semantics for internal maintenance. I only updated the tdb group mapping code.
* remove any group mapping from the tdb that have a gid of -1 for better consistency with pdb_ldap.c. This fixes the problem with calling add_group_map() in the tdb code for unmapped groups which might have had a record present.
* Ensure that we distinguish between groups in the BUILTIN and local machine domains via getgrnam(). Otherwise BUILTIN\Administrators & SERVER\Administrators would resolve to the same gid.
* Doesn't strip the global_sam_name() from groups in the local machine's domain (this is required to work with 'winbind default domain' code)
Still todo.
* Fix fallback Administrators membership for root and domain Admins if nested groups = no or winbindd is not running
* issues with "su - user -c 'groups'" command
* There are a few outstanding issues with BUILTIN\Users that Windows apparently tends to assume. I worked around this presently with a manual group mapping but I do not think this is a good solution. So I'll probably add some similar as I did for Administrators.
(This used to be commit 612979476aef62e8e8eef632fa6be7d30282bb83)
2007-10-10 | r14270: Fix coverity #203. Ensure we free on error exit. | Jeremy Allison | 1 | -2/+2
Jeremy. (This used to be commit 9fa2e1bdedb61557b43f86c2898b7bf8762bbb63)
2007-10-10 | r13915: Fixed a very interesting class of realloc() bugs found by Coverity. | Jeremy Allison | 1 | -23/+11
realloc can return NULL in one of two cases - (1) the realloc failed, (2) realloc succeeded but the new size requested was zero, in which case this is identical to a free() call. The error paths dealing with these two cases should be different, but mostly weren't.
Secondly the standard idiom for dealing with realloc when you know the new size is non-zero is the following :
    tmp = realloc(p, size);
    if (!tmp) {
        SAFE_FREE(p);
        return error;
    } else {
        p = tmp;
    }
However, there were *many* *many* places in Samba where we were using the old (broken) idiom of :
    p = realloc(p, size);
    if (!p) {
        return error;
    }
which will leak the memory pointed to by p on realloc fail.
This commit (hopefully) fixes all these cases by moving to a standard idiom of :
    p = SMB_REALLOC(p, size);
    if (!p) {
        return error;
    }
Where if the realloc returns null due to the realloc failing or size == 0 we *guarantee* that the storage pointed to by p has been freed. This allows me to remove a lot of code that was dealing with the standard (more verbose) method that required a tmp pointer. This is almost always what you want. When a realloc fails you never usually want the old memory, you want to free it and get into your error processing asap.
For the 11 remaining cases where we really do need to keep the old pointer I have invented the new macro SMB_REALLOC_KEEP_OLD_ON_ERROR, which can be used as follows :
    tmp = SMB_REALLOC_KEEP_OLD_ON_ERROR(p, size);
    if (!tmp) {
        SAFE_FREE(p);
        return error;
    } else {
        p = tmp;
    }
SMB_REALLOC_KEEP_OLD_ON_ERROR guarantees never to free the pointer p, even on size == 0 or realloc fail. All this is done by a hidden extra argument to Realloc(), BOOL free_old_on_error which is set appropriately by the SMB_REALLOC and SMB_REALLOC_KEEP_OLD_ON_ERROR macros (and their array counterparts).
It remains to be seen what this will do to our Coverity bug count :-).
Jeremy.
(This used to be commit 1d710d06a214f3f1740e80e0bffd6aab44aac2b0)
2007-10-10 | r13492: As no one objected on the mailing-list: | Günther Deschner | 1 | -1/+1
Fix parse_domain_user to fail when splitting a full name like "DOM\user" when "winbind use default domain" and "winbind trusted domains only" are not enabled. This allows pam_winbind to behave correctly when more modules are stacked in the "account" or "password" PAM facility. pam_winbindd calls WINBINDD_GETPWNAM which can decide whether or not a user is a winbind user and return correct PAM error codes. Guenther (This used to be commit e6d52c1e9d8cec7be6d552c2a67a392df21c3ec9)
2007-10-10 | r13316: Let the carnage begin.... | Gerald Carter | 1 | -23/+76
Sync with trunk as of r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10 | r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 | Jeremy Allison | 1 | -13/+13
x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2007-10-10 | r10656: BIG merge from trunk. Features not copied over | Gerald Carter | 1 | -15/+8
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10 | r10263: Fix debug which got more instead of less confusing. | Günther Deschner | 1 | -1/+1
Guenther (This used to be commit ac3786a7a7dfc77d3b305ae67c97ab4f7f63961e)
2007-10-10 | r10262: * Fix for getgrnam not returning builtin group (which is done by getent | Günther Deschner | 1 | -3/+5
group)
* Give a better debug message when returning builtin groups.
Guenther (This used to be commit ec79971dc7606c1dfea3acf87cd19fa4153ae417)
2007-10-10 | r10152: 64-bit fix for bug #3082. Thanks to Robin Hill for tracking this down with valgrind. | Volker Lendecke | 1 | -1/+3
Jerry, if this patch proves to fix his problem, it is definitely a candidate for the recommended patches page. Volker (This used to be commit 5232034b0daca8486fd55e53c2d910e4fbf0299d)
2007-10-10 | r7882: Looks like a large patch - but what it actually does is make Samba | Jeremy Allison | 1 | -12/+12
safe for using our headers and linking with C++ modules. Stops us from using C++ reserved keywords in our code. Jeremy (This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a)
2007-10-10 | r7877: Attempt to fix a smb_panic reported by Pavel Rochnyack. | Volker Lendecke | 1 | -7/+14
Volker (This used to be commit 7d1b890fead61551465e2a972e4097d9c1a4d6fd)