summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_group.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r16284: Start fixing up gcc4 -O6 warnings on an x86_64 box. size_t != unsignedJeremy Allison1-4/+4
int in a format string. Jeremy. (This used to be commit face01ef01e1a3c96eae17c56cadf01020d4cb46)
2007-10-10r16114: Make winbindd's group enumeration (set|get|endgrent) work again (whenGünther Deschner1-1/+1
enabled). Do not bail out when a group just has 0 members. Jeremy, please check, this has been removed with r13915. Guenther (This used to be commit 3a738a855d335e44e167351e6396bf3fe81a03af)
2007-10-10r15107: 64 bit fixes. size_t on a 64-bit box is not uint32.Jeremy Allison1-3/+12
Jeremy. (This used to be commit 634e0dc3c73968da8f1f50186ca15f8873f380ce)
2007-10-10r15053: fix portabilities issues between 32-bit winbind clients and a 64-bit ↵Gerald Carter1-14/+14
winbindd server (This used to be commit a95d11345e76948b147bbc1f29a05c978d99a47a)
2007-10-10r14421: This does two thingsGerald Carter1-2/+10
* Automatically creates the BUILTIN\Users group similar to how BUILTIN\Administrators is done. This code does need to be cleaned up considerably. I'll continue to work on this. * The important fix is for getusergroups() when dealing with a local user and nested groups. Now I can run the following successfully: $ su - jerry -c groups users BUILTIN\users (This used to be commit f54d911e686ffd68ddc6dbc073987b9d8eb2fa5b)
2007-10-10r14403: * modifies create_local_nt_token() to create a BUILTIN\AdministratorsGerald Carter1-6/+21
group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes' * Add a SID domain to the group mapping enumeration passdb call to fix the checks for local and builtin groups. The SID can be NULL if you want the old semantics for internal maintenance. I only updated the tdb group mapping code. * remove any group mapping from the tdb that have a gid of -1 for better consistency with pdb_ldap.c. The fixes the problem with calling add_group_map() in the tdb code for unmapped groups which might have had a record present. * Ensure that we distinguish between groups in the BUILTIN and local machine domains via getgrnam() Other wise BUILTIN\Administrators & SERVER\Administrators would resolve to the same gid. * Doesn't strip the global_sam_name() from groups in the local machine's domain (this is required to work with 'winbind default domain' code) Still todo. * Fix fallback Administrators membership for root and domain Admins if nested groups = no or winbindd is not running * issues with "su - user -c 'groups'" command * There are a few outstanding issues with BUILTIN\Users that Windows apparently tends to assume. I worked around this presently with a manual group mapping but I do not think this is a good solution. So I'll probably add some similar as I did for Administrators. (This used to be commit 612979476aef62e8e8eef632fa6be7d30282bb83)
2007-10-10r14270: Fix coverity #203. Ensure we free on error exit.Jeremy Allison1-2/+2
Jeremy. (This used to be commit 9fa2e1bdedb61557b43f86c2898b7bf8762bbb63)
2007-10-10r13915: Fixed a very interesting class of realloc() bugs found by Coverity.Jeremy Allison1-23/+11
realloc can return NULL in one of two cases - (1) the realloc failed, (2) realloc succeeded but the new size requested was zero, in which case this is identical to a free() call. The error paths dealing with these two cases should be different, but mostly weren't. Secondly the standard idiom for dealing with realloc when you know the new size is non-zero is the following : tmp = realloc(p, size); if (!tmp) { SAFE_FREE(p); return error; } else { p = tmp; } However, there were *many* *many* places in Samba where we were using the old (broken) idiom of : p = realloc(p, size) if (!p) { return error; } which will leak the memory pointed to by p on realloc fail. This commit (hopefully) fixes all these cases by moving to a standard idiom of : p = SMB_REALLOC(p, size) if (!p) { return error; } Where if the realloc returns null due to the realloc failing or size == 0 we *guarentee* that the storage pointed to by p has been freed. This allows me to remove a lot of code that was dealing with the standard (more verbose) method that required a tmp pointer. This is almost always what you want. When a realloc fails you never usually want the old memory, you want to free it and get into your error processing asap. For the 11 remaining cases where we really do need to keep the old pointer I have invented the new macro SMB_REALLOC_KEEP_OLD_ON_ERROR, which can be used as follows : tmp = SMB_REALLOC_KEEP_OLD_ON_ERROR(p, size); if (!tmp) { SAFE_FREE(p); return error; } else { p = tmp; } SMB_REALLOC_KEEP_OLD_ON_ERROR guarentees never to free the pointer p, even on size == 0 or realloc fail. All this is done by a hidden extra argument to Realloc(), BOOL free_old_on_error which is set appropriately by the SMB_REALLOC and SMB_REALLOC_KEEP_OLD_ON_ERROR macros (and their array counterparts). It remains to be seen what this will do to our Coverity bug count :-). Jeremy. (This used to be commit 1d710d06a214f3f1740e80e0bffd6aab44aac2b0)
2007-10-10r13492: As noone objected on the mailing-list:Günther Deschner1-1/+1
Fix parse_domain_user to fail when splitting a full name like "DOM\user" when "winbind use default domain" and "winbind trusted domains only" are not enabled. This allows pam_winbind to behave correctly when more modules are stacked in the "account" or "password" PAM facility. pam_winbindd calls WINBINDD_GETPWNAM which can decide whether or not a user is a winbind user and return correct PAM error codes. Guenther (This used to be commit e6d52c1e9d8cec7be6d552c2a67a392df21c3ec9)
2007-10-10r13316: Let the carnage begin....Gerald Carter1-23/+76
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4Jeremy Allison1-13/+13
x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter1-15/+8
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r10263: Fix debug which got more instead of less confusing.Günther Deschner1-1/+1
Guenther (This used to be commit ac3786a7a7dfc77d3b305ae67c97ab4f7f63961e)
2007-10-10r10262: * Fix for getgrnam not returning builtin group (which is done by getentGünther Deschner1-3/+5
group) * Give a better debug message when returning builtin groups. Guenther (This used to be commit ec79971dc7606c1dfea3acf87cd19fa4153ae417)
2007-10-10r10152: 64-bit fix for bug #3082. Thanks to Robin Hill for tracking this ↵Volker Lendecke1-1/+3
down with valgrind. Jerry, if this patch proves to fix his problem, it is definitely a candidate for the recommended patches page. Volker (This used to be commit 5232034b0daca8486fd55e53c2d910e4fbf0299d)
2007-10-10r7882: Looks like a large patch - but what it actually does is make SambaJeremy Allison1-12/+12
safe for using our headers and linking with C++ modules. Stops us from using C++ reserved keywords in our code. Jeremy (This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a)
2007-10-10r7877: Attempt to fix a smb_panic reported by Pavel Rochnyack.Volker Lendecke1-7/+14
Volker (This used to be commit 7d1b890fead61551465e2a972e4097d9c1a4d6fd)
2007-10-10r7785: This looks much larger than it is. It changes the top-level functions ↵Volker Lendecke1-73/+98
of the parent winbind not to return winbindd_result. This is to hopefully fix all the problems where a result has been scheduled for write twice. The problematic ones have been the functions that might have been delayed as well as under other circumstances immediately gets answered from the cache. Now a request needs to be explicitly replied to with a request_error() or request_ok(). Volker (This used to be commit 7365c9accf98ec1dd78a59dd7f62462bbb8528d4)
2007-10-10r7415: * big change -- volker's new async winbindd from trunkGerald Carter1-372/+219
(This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8)
2007-10-10r7130: remove 'winbind enable local accounts' code from the 3.0 treeGerald Carter1-65/+1
(This used to be commit 318c3db4cb1c85be40b2f812f781bcf5f1da5c19)
2007-10-10r6627: Fix debug messageVolker Lendecke1-2/+2
(This used to be commit 6a5a9f17fb3c18e9dd8d447889b527055e5e3bd5)
2007-10-10r6273: Remove some unused code, minor cleanupVolker Lendecke1-5/+2
(This used to be commit b451434e378e52e8ab6b932d7b26657ea9d0353c)
2007-10-10r6217: After talking to jerry, commit the partial fix for wbinfo -r. This ↵Volker Lendecke1-15/+23
fixes the expansion of domain local groups in case the netsamlogon_cache is valid. The non-samlogon-cache side needs more work, as well as the samlogon cache itself. Volker (This used to be commit b6352a3c46f8e67503945eeac33e157ecea01bfb)
2007-10-10r6216: Brown paper-bag bug fix for wbinfo --user-sids.... Nobody seems to ↵Volker Lendecke1-2/+2
really use domain local groups ... Volker (This used to be commit ed2d76d663a4388acc26a724cf2cdb5c40763def)
2007-10-10r6080: Port some of the non-critical changes from HEAD to 3_0. The main one ↵Volker Lendecke1-4/+53
is the change in pdb_enum_alias_memberships to match samr.idl a bit closer. Volker (This used to be commit 3a6786516957d9f67af6d53a3167c88aa272972f)
2007-10-10r6036: patch from Lin Li <linl@xandros.com> to ensure trusted domains are ↵Gerald Carter1-0/+4
initialized whenenumerating users and groups (This used to be commit 105a63c207e8d2b03a30dec2b8b55b92047cba80)
2007-10-10r5945: BUG 2516: fix compile issue on True64Gerald Carter1-1/+1
(This used to be commit 5205949dac4566a815ea443114309c284270ba91)
2007-10-10r4760: Make wbinfo --user-sids expand domain local groups. Andrew B., my testingVolker Lendecke1-0/+41
shows that this info is correctly returned to us in to info3 struct, so check_info3_in_group does not need to be adapted. Volker (This used to be commit a84e778cafcefdc1809474c2123e757c8c9d9b70)
2007-10-10r4128: Cron jobs etc seem to do an initgroups for root quite frequently. SoVolker Lendecke1-1/+1
log.winbindd is spammed with 'user root does not exist'. Increase debug level. Volker (This used to be commit 7256771dd01029ed103896c0825bb91b88757015)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison1-16/+12
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r3776: Fix for bug #2038 from Johann Hanne <jhml@gmx.net>. Don't checkJeremy Allison1-9/+4
for no groups after every lookup - move check to the end as we should only fail if all lookups fail. Jeremy. (This used to be commit 3b40c1e4365f37b967e14be02c6aa52893a80f51)
2007-10-10r3566: Completely replace the queryuseraliases call. The previous ↵Volker Lendecke1-5/+5
implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2007-10-10r2868: Well, I'm not quite sure what I'm doing back in Samba 3.0, but anyway...Andrew Bartlett1-18/+0
I've been grumbling about under-efficient calls in SAMR, and finally got around to fixing some of them. We now call sys_getgroups() (which in turn calls initgroups(), until glibc 3.4 is released) to figure out a user's group membership. This is far, far more efficient than scanning all the groups looking for a match, and is still the 'posix way', just using an effiecient call. The seperate issue of 'who is in this group' remains, but this one has been biting some people. I need to talk to VL about how best to exersise nasty corner cases, but my initial tests hold strong. (The code is also much simpiler than before, which has to count for something :-) Andrew Bartlett (This used to be commit dc19f161698dab5b71d61fa2bacc7e7b8da5fbba)
2007-10-10r2450: don't limit the number of groups returned by winbindd_getgroups()Gerald Carter1-4/+1
(This used to be commit 4ba98cb469ad938bbc2e46cffaa48cc1c46b8e4e)
2007-10-10r2378: Remove two confusing #definesVolker Lendecke1-2/+0
(This used to be commit 639cb4ced6b6c08b0665890c815f2e1361e7879f)
2007-10-10r1658: Expand aliases for getusersids as well.Volker Lendecke1-0/+56
Volker (This used to be commit d5060c30e38b46b322615f0e0b465fbf73ed5245)
2007-10-10r989: Calling sid_to_gid from within winbind makes no sense, as this callsVolker Lendecke1-1/+9
winbind_sid_to_gid. For the consistency check, local_sid_to_gid must set the name_type it found. Volker (This used to be commit 5070c1b68f2add16916ba3135984f6e70bbe42cf)
2007-10-10r988: When adding local aliases' gids to the user token, don't do a ↵Volker Lendecke1-11/+31
idmap_sid_to_gid on the user sid. This might lead to a user SID entered as a GID in the idmap. Volker (This used to be commit 98e10d149710d9b70404e77a4bc0560c2e48aeaf)
2007-10-10r565: Uninitialized data fixes from kawasa_r@itg.hitachi.co.jp.Jeremy Allison1-0/+3
Jeremy. (This used to be commit c23a73324b335e42877551283b274f6d12f2c1a7)
2007-10-10r395: BUG 1232: patch from landonf@opendarwin.org (Landon Fuller) to fixGerald Carter1-0/+6
user/group enumeration on systems whose libc does not call setgrent() before trying to enumerate users (i.e. FreeBSD 5.2) (This used to be commit 8106d8097258eae260ed834399881bf0be9b515b)
2007-10-10r294: checking in volker's winbindd patches; tested on domain members (Samba ↵Gerald Carter1-10/+7
and AD) as well as on a Samba DC (This used to be commit 157d53782d6a7d0b7e30676a674ff2a25a15369c)
2007-10-10r288: combination of BUG 1081 and patch from J. Klinger -- added ↵Gerald Carter1-0/+2
remove_duplicate_gids() to smbd and winbindd (This used to be commit 95c68103ea9dbd02651e26fcaa15dd054b157529)
2007-10-10r116: volker's patch for local group and group nestingGerald Carter1-41/+95
(This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-03-16BUG 1182: patch from john.klinger@lmco.com (John Klinger) to reanable the ↵Gerald Carter1-1/+3
-n 'no cache' option for winbindd (This used to be commit d1848988d9ee9fdd870bcdd32c938b907419558b)
2004-01-15And another memory corruption in winbind. Arg 3 of safe_strcpy does notVolker Lendecke1-1/+1
include the terminating 0. Volker (This used to be commit 945c7807641e82500c84e833f03f381497f0a2d0)
2004-01-15Fix a segfault in winbindd. Calling getusersids with a SID that results in 0Volker Lendecke1-1/+1
groups winbind ended up freeing an uninitialised pointer. Volker (This used to be commit cd89288e21ba13a9e97c548eccc15cef21a98d07)
2004-01-08use SAFE_FREE(), not free().Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 595dee660742f8bd5770a5f7aaf3a5d1987dbcfa)
2004-01-08Move more of winbind to use 'find_our_domain()' rather than the dangerousAndrew Bartlett1-25/+24
find_domain_from_name(lp_workgroup()). (as find_domain_from_name() can change the data in lp_workgroup()) Andrew Bartlett (This used to be commit 2e6eaad9ce6a0ad6923b5952ef6cf1c3688b7cfa)
2004-01-07Machines are people too!Andrew Bartlett1-8/+3
While machine accounts cannot use an NTLM login (NT4 style), they are otherwise full and valid members of the domain, and expect to be able to use kerberos to connect to CIFS servers. This means that the LocalSystem account, used by various services, can perform things like backups, without the admin needing to enter further passwords. This particular issue (bug 722) has started to come up a lot on the lists. I have only enabled it for winbindd-based systems, as the macros use use to call the 'add user script' will strip the $ from the username for security reasons. Andrew Bartlett (This used to be commit 6a9bbd1da3bb961d24e74348fa0b68574022855f)
2003-12-04fix debug messageGerald Carter1-2/+2
(This used to be commit 550b309a65d138364502c720894e2099de6b5076)