summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_group.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r6627: Fix debug messageVolker Lendecke1-2/+2
(This used to be commit 6a5a9f17fb3c18e9dd8d447889b527055e5e3bd5)
2007-10-10r6273: Remove some unused code, minor cleanupVolker Lendecke1-5/+2
(This used to be commit b451434e378e52e8ab6b932d7b26657ea9d0353c)
2007-10-10r6217: After talking to jerry, commit the partial fix for wbinfo -r. This ↵Volker Lendecke1-15/+23
fixes the expansion of domain local groups in case the netsamlogon_cache is valid. The non-samlogon-cache side needs more work, as well as the samlogon cache itself. Volker (This used to be commit b6352a3c46f8e67503945eeac33e157ecea01bfb)
2007-10-10r6216: Brown paper-bag bug fix for wbinfo --user-sids.... Nobody seems to ↵Volker Lendecke1-2/+2
really use domain local groups ... Volker (This used to be commit ed2d76d663a4388acc26a724cf2cdb5c40763def)
2007-10-10r6080: Port some of the non-critical changes from HEAD to 3_0. The main one ↵Volker Lendecke1-4/+53
is the change in pdb_enum_alias_memberships to match samr.idl a bit closer. Volker (This used to be commit 3a6786516957d9f67af6d53a3167c88aa272972f)
2007-10-10r6036: patch from Lin Li <linl@xandros.com> to ensure trusted domains are ↵Gerald Carter1-0/+4
initialized whenenumerating users and groups (This used to be commit 105a63c207e8d2b03a30dec2b8b55b92047cba80)
2007-10-10r5945: BUG 2516: fix compile issue on True64Gerald Carter1-1/+1
(This used to be commit 5205949dac4566a815ea443114309c284270ba91)
2007-10-10r4760: Make wbinfo --user-sids expand domain local groups. Andrew B., my testingVolker Lendecke1-0/+41
shows that this info is correctly returned to us in to info3 struct, so check_info3_in_group does not need to be adapted. Volker (This used to be commit a84e778cafcefdc1809474c2123e757c8c9d9b70)
2007-10-10r4128: Cron jobs etc seem to do an initgroups for root quite frequently. SoVolker Lendecke1-1/+1
log.winbindd is spammed with 'user root does not exist'. Increase debug level. Volker (This used to be commit 7256771dd01029ed103896c0825bb91b88757015)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison1-16/+12
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r3776: Fix for bug #2038 from Johann Hanne <jhml@gmx.net>. Don't checkJeremy Allison1-9/+4
for no groups after every lookup - move check to the end as we should only fail if all lookups fail. Jeremy. (This used to be commit 3b40c1e4365f37b967e14be02c6aa52893a80f51)
2007-10-10r3566: Completely replace the queryuseraliases call. The previous ↵Volker Lendecke1-5/+5
implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2007-10-10r2868: Well, I'm not quite sure what I'm doing back in Samba 3.0, but anyway...Andrew Bartlett1-18/+0
I've been grumbling about under-efficient calls in SAMR, and finally got around to fixing some of them. We now call sys_getgroups() (which in turn calls initgroups(), until glibc 3.4 is released) to figure out a user's group membership. This is far, far more efficient than scanning all the groups looking for a match, and is still the 'posix way', just using an effiecient call. The seperate issue of 'who is in this group' remains, but this one has been biting some people. I need to talk to VL about how best to exersise nasty corner cases, but my initial tests hold strong. (The code is also much simpiler than before, which has to count for something :-) Andrew Bartlett (This used to be commit dc19f161698dab5b71d61fa2bacc7e7b8da5fbba)
2007-10-10r2450: don't limit the number of groups returned by winbindd_getgroups()Gerald Carter1-4/+1
(This used to be commit 4ba98cb469ad938bbc2e46cffaa48cc1c46b8e4e)
2007-10-10r2378: Remove two confusing #definesVolker Lendecke1-2/+0
(This used to be commit 639cb4ced6b6c08b0665890c815f2e1361e7879f)
2007-10-10r1658: Expand aliases for getusersids as well.Volker Lendecke1-0/+56
Volker (This used to be commit d5060c30e38b46b322615f0e0b465fbf73ed5245)
2007-10-10r989: Calling sid_to_gid from within winbind makes no sense, as this callsVolker Lendecke1-1/+9
winbind_sid_to_gid. For the consistency check, local_sid_to_gid must set the name_type it found. Volker (This used to be commit 5070c1b68f2add16916ba3135984f6e70bbe42cf)
2007-10-10r988: When adding local aliases' gids to the user token, don't do a ↵Volker Lendecke1-11/+31
idmap_sid_to_gid on the user sid. This might lead to a user SID entered as a GID in the idmap. Volker (This used to be commit 98e10d149710d9b70404e77a4bc0560c2e48aeaf)
2007-10-10r565: Uninitialized data fixes from kawasa_r@itg.hitachi.co.jp.Jeremy Allison1-0/+3
Jeremy. (This used to be commit c23a73324b335e42877551283b274f6d12f2c1a7)
2007-10-10r395: BUG 1232: patch from landonf@opendarwin.org (Landon Fuller) to fixGerald Carter1-0/+6
user/group enumeration on systems whose libc does not call setgrent() before trying to enumerate users (i.e. FreeBSD 5.2) (This used to be commit 8106d8097258eae260ed834399881bf0be9b515b)
2007-10-10r294: checking in volker's winbindd patches; tested on domain members (Samba ↵Gerald Carter1-10/+7
and AD) as well as on a Samba DC (This used to be commit 157d53782d6a7d0b7e30676a674ff2a25a15369c)
2007-10-10r288: combination of BUG 1081 and patch from J. Klinger -- added ↵Gerald Carter1-0/+2
remove_duplicate_gids() to smbd and winbindd (This used to be commit 95c68103ea9dbd02651e26fcaa15dd054b157529)
2007-10-10r116: volker's patch for local group and group nestingGerald Carter1-41/+95
(This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-03-16BUG 1182: patch from john.klinger@lmco.com (John Klinger) to reanable the ↵Gerald Carter1-1/+3
-n 'no cache' option for winbindd (This used to be commit d1848988d9ee9fdd870bcdd32c938b907419558b)
2004-01-15And another memory corruption in winbind. Arg 3 of safe_strcpy does notVolker Lendecke1-1/+1
include the terminating 0. Volker (This used to be commit 945c7807641e82500c84e833f03f381497f0a2d0)
2004-01-15Fix a segfault in winbindd. Calling getusersids with a SID that results in 0Volker Lendecke1-1/+1
groups winbind ended up freeing an uninitialised pointer. Volker (This used to be commit cd89288e21ba13a9e97c548eccc15cef21a98d07)
2004-01-08use SAFE_FREE(), not free().Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 595dee660742f8bd5770a5f7aaf3a5d1987dbcfa)
2004-01-08Move more of winbind to use 'find_our_domain()' rather than the dangerousAndrew Bartlett1-25/+24
find_domain_from_name(lp_workgroup()). (as find_domain_from_name() can change the data in lp_workgroup()) Andrew Bartlett (This used to be commit 2e6eaad9ce6a0ad6923b5952ef6cf1c3688b7cfa)
2004-01-07Machines are people too!Andrew Bartlett1-8/+3
While machine accounts cannot use an NTLM login (NT4 style), they are otherwise full and valid members of the domain, and expect to be able to use kerberos to connect to CIFS servers. This means that the LocalSystem account, used by various services, can perform things like backups, without the admin needing to enter further passwords. This particular issue (bug 722) has started to come up a lot on the lists. I have only enabled it for winbindd-based systems, as the macros use use to call the 'add user script' will strip the $ from the username for security reasons. Andrew Bartlett (This used to be commit 6a9bbd1da3bb961d24e74348fa0b68574022855f)
2003-12-04fix debug messageGerald Carter1-2/+2
(This used to be commit 550b309a65d138364502c720894e2099de6b5076)
2003-11-19as discussed on irc, this is a small patch that allows a few moreAndrew Tridgell1-0/+85
winbind functions to be accessed via NSS. This provides a much cleaner way for applications that need (for example) to provide name->sid mappings to do this via NSS rather than having to know the winbindd pipe protocol (as this might change). This patch also adds a varient of the winbindd_getgroups() call called winbindd_getusersids() that provides direct SID->SIDs listing of a users supplementary groups. This is enough to allow non-Samba applications to do ACL checking. A test program for the new functionality will be committed shortly. I also added the 'wbinfo --user-sids' option to expose the new function in wbinfo. (This used to be commit 702b35da0ac7c73aa5a6603f871d865565bbe278)
2003-11-12a small include file rearrangement that doesn't affect normalAndrew Tridgell1-0/+1
compilation, but that allows Samba3 to take advantage of pre-compiled headers in gcc if available. (This used to be commit b3e024ce1da7c7e24fcacd8a2964dd2e4562ba39)
2003-08-10add --domain=DOMAINNAME to wbinfoGerald Carter1-0/+12
Add support for geting the sequence number, list of users, and list of groups for a specific domain (assuming on reported back by wbinfo -m) wbinfo -u --domain=DOA (This used to be commit 34fc6e1bf97d514d3b1763a808d08d730191e03b)
2003-07-22Another round of uid/gid/pid format string changes I missed theTim Potter1-1/+1
first time. (This used to be commit 6616485dbad74dab7506609c6bfd183fc9c1f93c)
2003-07-22Fixup a bunch of printf-style functions and debugs to use unsigned long whenTim Potter1-12/+12
displaying pid_t, uid_t and gid_t values. This removes a whole lot of warnings on some of the 64-bit build farm machines as well as help us out when 64-bit uid/gid/pid values come along. (This used to be commit f93528ba007c8800a850678f35f499fb7360fb9a)
2003-07-09Large set of changes to add UNIX account/group managementGerald Carter1-9/+78
to winbindd. See README.idmap-and-winbind-changes for details. (This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6)
2003-07-07and so it begins....Gerald Carter1-11/+15
* remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-06-30* rename samstrict auth method to samGerald Carter1-3/+8
* rename original sam auth method to sam_ignoredomain * remove samstrict_dc auth method (now covered by 'sam') * fix wbinfo -a '...' and getent passwd bugs when running winbindd on a samba PDC (reported by Volker) (This used to be commit 52166faee793d337e045d64f7cb27ea7ac895f60)
2003-06-29Here's the code to make winbindd work on a Samba DCGerald Carter1-0/+11
to handle domain trusts. Jeremy and I talked about this and it's going in as working code. It keeps winbind clean and solves the trust problem with minimal changes. To summarize, there are 2 basic cases where the deadlock would occur. (1) lookuping up secondary groups for a user, and (2) get[gr|pw]nam() calls that fall through the NSS layer because they don't exist anywhere. o To handle case #1, we bypass winbindd in sys_getgrouplist() unless the username includes the 'winbind separator'. o Case #2 is handled by adding checks in winbindd to return failure if we are a DC and the domain matches our own. This code has been tested using basic share connections, domain logons, and with pam_winbind (both with and without 'winbind use default domain'). The 'trustdomain' auth module should work as well if an admin wants to manually create UNIX users for acounts in the trusted domains. Other misc fixes: * we need to fix check_ntlm_password() to be able to determine if an auth module is authoritative over a user (NT_STATUS_WRONG_PASSWORD, etc...). I worked around my specific situation, but this needs to be fixed. the winbindd auth module was causing delays. * fix named server mutex deadlock between trust domain auth module and winbindd looking up a uid * make sure SAM_ACCOUNT gets stored in the server_info struct for the _net_sam_logon() reply. Configuration details: The recommended method for supporting trusts is to use winbind. The gets us around some of the server mutex issues as well. * set 'files winbind' for passwd: and group: in /etc/nsswitch.conf * create domain trusts like normal * join winbind on the pdc to the Samba domain using 'net rpc join' * add normal parameters to smb.conf for winbind * set 'auth method = guest sam winbind' * start smbd, nmbd, & winbindd Problems that remain: * join a Windows 2k/XP box to a Samba domain. * create a 2-way trust between the Samba domain and an NT domain * logon to the windows client as a user from theh trusted domain * try to browse server in the trusted domain (or other workstations). an NT client seems to work ok, but 2k and XP either prompt for passwords or fail with errors. apparanently this never got tested since no one has ever been able to logon as a trusted user to a Samba domain from a Windows client. (This used to be commit f804b590f9dbf1f0147c06a0a2f12e221ae6fc3b)
2003-06-23* s/get_dc_name/rpc_dc_name/g (revert a previous change)Gerald Carter1-8/+8
* move back to qsort() for sorting IP address in get_dc_list() * remove dc_name_cache in cm_get_dc_name() since it slowed things down more than it helped. I've made a note of where to add in the negative connection cache in the ads code. Will come back to that. * fix rpcclient to use PRINTER_ALL_ACCESS for set printer (instead of MAX_ALLOWED) * only enumerate domain local groups in our domain * simplify ldap search for seqnum in winbindd's rpc backend (This used to be commit f8cab8635b02b205b4031279cedd804c1fb22c5b)
2003-06-23lp_security() is a function not an integerAndrew Tridgell1-1/+1
(This used to be commit 71907f32ba9c8700ba185b565a50c55a3a451758)
2003-06-23* set domain->last_status = NT_STATUS_SERVER_DISABLED on an ads_connect() ↵Gerald Carter1-9/+15
failure * Fix code to use winbind_rpc methods for trusted mixed mode or NT4 domains ( does no one ever test this? ) * add in LDAP code to get the sequence number for rpc based seqnum update. ( this is needed if the DC is upgraded and samba is not reconfigured to use security = ads; it's not pretty but it works (from app_head) ) * fix bug that caused us to enumerate domain local groups in domains other than our own (This used to be commit 14f2cd139a22454571cea8475d3b7c5c2787d378)
2003-06-22Found out a good number of NT_STATUS_IS_ERR used the wrong way.Simo Sorce1-6/+6
As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK This patch will cure the problem. Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is used correctly, but I'm not 100% sure, coders should check the use of NT_STATUS_IS_ERR() in samba is ok now. Simo. (This used to be commit c501e84d412563eb3f674f76038ec48c2b458687)
2003-06-21merge of the netsamlogon caching code from APPLIANCE_HEADGerald Carter1-24/+105
This replaces the universal group caching code (was originally based on that code). Only applies to the the RPC code. One comment: domain local groups don't show up in 'getent group' that's easy to fix. Code has been tested against 2k domain but doesn't change anything with respect to NT4 domains. netsamlogon caching works pretty much like the universal group caching code did but has had much more testing and puts winbind mostly back in sync between branches. (This used to be commit aac01dc7bc95c20ee21c93f3581e2375d9a894e1)
2003-06-16made a debug statement more usefulAndrew Tridgell1-2/+3
(This used to be commit 3f7a24d183095a7e391fe35100a30fc572a8d769)
2003-06-10- fixed the bug that forced us not to use the winbindd cache when weAndrew Tridgell1-1/+1
have a primary ADS domain and a secondary (trusted) NT4 domain. This caused winbindd to be *really* slow for that setup. - fixed winbindd_getgrgid(), which was calling uid_to_sid instead of gid_to_sid(). When you make changes to winbind *PLEASE* test using nsstest. (This used to be commit cdd9b60a078b63e22f543d4c8d0956ff536f4d89)
2003-06-03* set winbind cache time to 5 minutesGerald Carter1-3/+4
* quit obsessing over the sequence number so much * share the updated sequence number between parent and child winbindd processes in dual mode (This used to be commit 6f99cafa95b2a9dc98d8272fe6a54e9d37098340)
2003-05-12And finally IDMAP in 3_0Simo Sorce1-29/+8
We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-04-29remove convert_smbpasswd and addtosmbpass from tree; people can get them ↵Gerald Carter1-0/+18
from 2.2. if they still need them (This used to be commit 237857a760974bb02000e5d3a776240ec73ca6b6)
2003-04-23Merge HEAD's winbind into 3.0.Andrew Bartlett1-55/+59
This includes the 'SIDs Rule' patch, mimir's trusted domains cacheing code, the winbind_idmap abstraction (not idmap proper, but the stuff that held up the winbind LDAP backend in HEAD). Andrew Bartlett (This used to be commit d4d5e6c2ee6383c6cceb5d449aa2ba6c83eb0666)