summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_group.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4Jeremy Allison1-13/+13
x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter1-15/+8
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r10263: Fix debug which got more instead of less confusing.Günther Deschner1-1/+1
Guenther (This used to be commit ac3786a7a7dfc77d3b305ae67c97ab4f7f63961e)
2007-10-10r10262: * Fix for getgrnam not returning builtin group (which is done by getentGünther Deschner1-3/+5
group) * Give a better debug message when returning builtin groups. Guenther (This used to be commit ec79971dc7606c1dfea3acf87cd19fa4153ae417)
2007-10-10r10152: 64-bit fix for bug #3082. Thanks to Robin Hill for tracking this ↵Volker Lendecke1-1/+3
down with valgrind. Jerry, if this patch proves to fix his problem, it is definitely a candidate for the recommended patches page. Volker (This used to be commit 5232034b0daca8486fd55e53c2d910e4fbf0299d)
2007-10-10r7882: Looks like a large patch - but what it actually does is make SambaJeremy Allison1-12/+12
safe for using our headers and linking with C++ modules. Stops us from using C++ reserved keywords in our code. Jeremy (This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a)
2007-10-10r7877: Attempt to fix a smb_panic reported by Pavel Rochnyack.Volker Lendecke1-7/+14
Volker (This used to be commit 7d1b890fead61551465e2a972e4097d9c1a4d6fd)
2007-10-10r7785: This looks much larger than it is. It changes the top-level functions ↵Volker Lendecke1-73/+98
of the parent winbind not to return winbindd_result. This is to hopefully fix all the problems where a result has been scheduled for write twice. The problematic ones have been the functions that might have been delayed as well as under other circumstances immediately gets answered from the cache. Now a request needs to be explicitly replied to with a request_error() or request_ok(). Volker (This used to be commit 7365c9accf98ec1dd78a59dd7f62462bbb8528d4)
2007-10-10r7415: * big change -- volker's new async winbindd from trunkGerald Carter1-372/+219
(This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8)
2007-10-10r7130: remove 'winbind enable local accounts' code from the 3.0 treeGerald Carter1-65/+1
(This used to be commit 318c3db4cb1c85be40b2f812f781bcf5f1da5c19)
2007-10-10r6627: Fix debug messageVolker Lendecke1-2/+2
(This used to be commit 6a5a9f17fb3c18e9dd8d447889b527055e5e3bd5)
2007-10-10r6273: Remove some unused code, minor cleanupVolker Lendecke1-5/+2
(This used to be commit b451434e378e52e8ab6b932d7b26657ea9d0353c)
2007-10-10r6217: After talking to jerry, commit the partial fix for wbinfo -r. This ↵Volker Lendecke1-15/+23
fixes the expansion of domain local groups in case the netsamlogon_cache is valid. The non-samlogon-cache side needs more work, as well as the samlogon cache itself. Volker (This used to be commit b6352a3c46f8e67503945eeac33e157ecea01bfb)
2007-10-10r6216: Brown paper-bag bug fix for wbinfo --user-sids.... Nobody seems to ↵Volker Lendecke1-2/+2
really use domain local groups ... Volker (This used to be commit ed2d76d663a4388acc26a724cf2cdb5c40763def)
2007-10-10r6080: Port some of the non-critical changes from HEAD to 3_0. The main one ↵Volker Lendecke1-4/+53
is the change in pdb_enum_alias_memberships to match samr.idl a bit closer. Volker (This used to be commit 3a6786516957d9f67af6d53a3167c88aa272972f)
2007-10-10r6036: patch from Lin Li <linl@xandros.com> to ensure trusted domains are ↵Gerald Carter1-0/+4
initialized whenenumerating users and groups (This used to be commit 105a63c207e8d2b03a30dec2b8b55b92047cba80)
2007-10-10r5945: BUG 2516: fix compile issue on True64Gerald Carter1-1/+1
(This used to be commit 5205949dac4566a815ea443114309c284270ba91)
2007-10-10r4760: Make wbinfo --user-sids expand domain local groups. Andrew B., my testingVolker Lendecke1-0/+41
shows that this info is correctly returned to us in to info3 struct, so check_info3_in_group does not need to be adapted. Volker (This used to be commit a84e778cafcefdc1809474c2123e757c8c9d9b70)
2007-10-10r4128: Cron jobs etc seem to do an initgroups for root quite frequently. SoVolker Lendecke1-1/+1
log.winbindd is spammed with 'user root does not exist'. Increase debug level. Volker (This used to be commit 7256771dd01029ed103896c0825bb91b88757015)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison1-16/+12
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r3776: Fix for bug #2038 from Johann Hanne <jhml@gmx.net>. Don't checkJeremy Allison1-9/+4
for no groups after every lookup - move check to the end as we should only fail if all lookups fail. Jeremy. (This used to be commit 3b40c1e4365f37b967e14be02c6aa52893a80f51)
2007-10-10r3566: Completely replace the queryuseraliases call. The previous ↵Volker Lendecke1-5/+5
implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2007-10-10r2868: Well, I'm not quite sure what I'm doing back in Samba 3.0, but anyway...Andrew Bartlett1-18/+0
I've been grumbling about under-efficient calls in SAMR, and finally got around to fixing some of them. We now call sys_getgroups() (which in turn calls initgroups(), until glibc 3.4 is released) to figure out a user's group membership. This is far, far more efficient than scanning all the groups looking for a match, and is still the 'posix way', just using an effiecient call. The seperate issue of 'who is in this group' remains, but this one has been biting some people. I need to talk to VL about how best to exersise nasty corner cases, but my initial tests hold strong. (The code is also much simpiler than before, which has to count for something :-) Andrew Bartlett (This used to be commit dc19f161698dab5b71d61fa2bacc7e7b8da5fbba)
2007-10-10r2450: don't limit the number of groups returned by winbindd_getgroups()Gerald Carter1-4/+1
(This used to be commit 4ba98cb469ad938bbc2e46cffaa48cc1c46b8e4e)
2007-10-10r2378: Remove two confusing #definesVolker Lendecke1-2/+0
(This used to be commit 639cb4ced6b6c08b0665890c815f2e1361e7879f)
2007-10-10r1658: Expand aliases for getusersids as well.Volker Lendecke1-0/+56
Volker (This used to be commit d5060c30e38b46b322615f0e0b465fbf73ed5245)
2007-10-10r989: Calling sid_to_gid from within winbind makes no sense, as this callsVolker Lendecke1-1/+9
winbind_sid_to_gid. For the consistency check, local_sid_to_gid must set the name_type it found. Volker (This used to be commit 5070c1b68f2add16916ba3135984f6e70bbe42cf)
2007-10-10r988: When adding local aliases' gids to the user token, don't do a ↵Volker Lendecke1-11/+31
idmap_sid_to_gid on the user sid. This might lead to a user SID entered as a GID in the idmap. Volker (This used to be commit 98e10d149710d9b70404e77a4bc0560c2e48aeaf)
2007-10-10r565: Uninitialized data fixes from kawasa_r@itg.hitachi.co.jp.Jeremy Allison1-0/+3
Jeremy. (This used to be commit c23a73324b335e42877551283b274f6d12f2c1a7)
2007-10-10r395: BUG 1232: patch from landonf@opendarwin.org (Landon Fuller) to fixGerald Carter1-0/+6
user/group enumeration on systems whose libc does not call setgrent() before trying to enumerate users (i.e. FreeBSD 5.2) (This used to be commit 8106d8097258eae260ed834399881bf0be9b515b)
2007-10-10r294: checking in volker's winbindd patches; tested on domain members (Samba ↵Gerald Carter1-10/+7
and AD) as well as on a Samba DC (This used to be commit 157d53782d6a7d0b7e30676a674ff2a25a15369c)
2007-10-10r288: combination of BUG 1081 and patch from J. Klinger -- added ↵Gerald Carter1-0/+2
remove_duplicate_gids() to smbd and winbindd (This used to be commit 95c68103ea9dbd02651e26fcaa15dd054b157529)
2007-10-10r116: volker's patch for local group and group nestingGerald Carter1-41/+95
(This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-03-16BUG 1182: patch from john.klinger@lmco.com (John Klinger) to reanable the ↵Gerald Carter1-1/+3
-n 'no cache' option for winbindd (This used to be commit d1848988d9ee9fdd870bcdd32c938b907419558b)
2004-01-15And another memory corruption in winbind. Arg 3 of safe_strcpy does notVolker Lendecke1-1/+1
include the terminating 0. Volker (This used to be commit 945c7807641e82500c84e833f03f381497f0a2d0)
2004-01-15Fix a segfault in winbindd. Calling getusersids with a SID that results in 0Volker Lendecke1-1/+1
groups winbind ended up freeing an uninitialised pointer. Volker (This used to be commit cd89288e21ba13a9e97c548eccc15cef21a98d07)
2004-01-08use SAFE_FREE(), not free().Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 595dee660742f8bd5770a5f7aaf3a5d1987dbcfa)
2004-01-08Move more of winbind to use 'find_our_domain()' rather than the dangerousAndrew Bartlett1-25/+24
find_domain_from_name(lp_workgroup()). (as find_domain_from_name() can change the data in lp_workgroup()) Andrew Bartlett (This used to be commit 2e6eaad9ce6a0ad6923b5952ef6cf1c3688b7cfa)
2004-01-07Machines are people too!Andrew Bartlett1-8/+3
While machine accounts cannot use an NTLM login (NT4 style), they are otherwise full and valid members of the domain, and expect to be able to use kerberos to connect to CIFS servers. This means that the LocalSystem account, used by various services, can perform things like backups, without the admin needing to enter further passwords. This particular issue (bug 722) has started to come up a lot on the lists. I have only enabled it for winbindd-based systems, as the macros use use to call the 'add user script' will strip the $ from the username for security reasons. Andrew Bartlett (This used to be commit 6a9bbd1da3bb961d24e74348fa0b68574022855f)
2003-12-04fix debug messageGerald Carter1-2/+2
(This used to be commit 550b309a65d138364502c720894e2099de6b5076)
2003-11-19as discussed on irc, this is a small patch that allows a few moreAndrew Tridgell1-0/+85
winbind functions to be accessed via NSS. This provides a much cleaner way for applications that need (for example) to provide name->sid mappings to do this via NSS rather than having to know the winbindd pipe protocol (as this might change). This patch also adds a varient of the winbindd_getgroups() call called winbindd_getusersids() that provides direct SID->SIDs listing of a users supplementary groups. This is enough to allow non-Samba applications to do ACL checking. A test program for the new functionality will be committed shortly. I also added the 'wbinfo --user-sids' option to expose the new function in wbinfo. (This used to be commit 702b35da0ac7c73aa5a6603f871d865565bbe278)
2003-11-12a small include file rearrangement that doesn't affect normalAndrew Tridgell1-0/+1
compilation, but that allows Samba3 to take advantage of pre-compiled headers in gcc if available. (This used to be commit b3e024ce1da7c7e24fcacd8a2964dd2e4562ba39)
2003-08-10add --domain=DOMAINNAME to wbinfoGerald Carter1-0/+12
Add support for geting the sequence number, list of users, and list of groups for a specific domain (assuming on reported back by wbinfo -m) wbinfo -u --domain=DOA (This used to be commit 34fc6e1bf97d514d3b1763a808d08d730191e03b)
2003-07-22Another round of uid/gid/pid format string changes I missed theTim Potter1-1/+1
first time. (This used to be commit 6616485dbad74dab7506609c6bfd183fc9c1f93c)
2003-07-22Fixup a bunch of printf-style functions and debugs to use unsigned long whenTim Potter1-12/+12
displaying pid_t, uid_t and gid_t values. This removes a whole lot of warnings on some of the 64-bit build farm machines as well as help us out when 64-bit uid/gid/pid values come along. (This used to be commit f93528ba007c8800a850678f35f499fb7360fb9a)
2003-07-09Large set of changes to add UNIX account/group managementGerald Carter1-9/+78
to winbindd. See README.idmap-and-winbind-changes for details. (This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6)
2003-07-07and so it begins....Gerald Carter1-11/+15
* remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-06-30* rename samstrict auth method to samGerald Carter1-3/+8
* rename original sam auth method to sam_ignoredomain * remove samstrict_dc auth method (now covered by 'sam') * fix wbinfo -a '...' and getent passwd bugs when running winbindd on a samba PDC (reported by Volker) (This used to be commit 52166faee793d337e045d64f7cb27ea7ac895f60)
2003-06-29Here's the code to make winbindd work on a Samba DCGerald Carter1-0/+11
to handle domain trusts. Jeremy and I talked about this and it's going in as working code. It keeps winbind clean and solves the trust problem with minimal changes. To summarize, there are 2 basic cases where the deadlock would occur. (1) lookuping up secondary groups for a user, and (2) get[gr|pw]nam() calls that fall through the NSS layer because they don't exist anywhere. o To handle case #1, we bypass winbindd in sys_getgrouplist() unless the username includes the 'winbind separator'. o Case #2 is handled by adding checks in winbindd to return failure if we are a DC and the domain matches our own. This code has been tested using basic share connections, domain logons, and with pam_winbind (both with and without 'winbind use default domain'). The 'trustdomain' auth module should work as well if an admin wants to manually create UNIX users for acounts in the trusted domains. Other misc fixes: * we need to fix check_ntlm_password() to be able to determine if an auth module is authoritative over a user (NT_STATUS_WRONG_PASSWORD, etc...). I worked around my specific situation, but this needs to be fixed. the winbindd auth module was causing delays. * fix named server mutex deadlock between trust domain auth module and winbindd looking up a uid * make sure SAM_ACCOUNT gets stored in the server_info struct for the _net_sam_logon() reply. Configuration details: The recommended method for supporting trusts is to use winbind. The gets us around some of the server mutex issues as well. * set 'files winbind' for passwd: and group: in /etc/nsswitch.conf * create domain trusts like normal * join winbind on the pdc to the Samba domain using 'net rpc join' * add normal parameters to smb.conf for winbind * set 'auth method = guest sam winbind' * start smbd, nmbd, & winbindd Problems that remain: * join a Windows 2k/XP box to a Samba domain. * create a 2-way trust between the Samba domain and an NT domain * logon to the windows client as a user from theh trusted domain * try to browse server in the trusted domain (or other workstations). an NT client seems to work ok, but 2k and XP either prompt for passwords or fail with errors. apparanently this never got tested since no one has ever been able to logon as a trusted user to a Samba domain from a Windows client. (This used to be commit f804b590f9dbf1f0147c06a0a2f12e221ae6fc3b)
2003-06-23* s/get_dc_name/rpc_dc_name/g (revert a previous change)Gerald Carter1-8/+8
* move back to qsort() for sorting IP address in get_dc_list() * remove dc_name_cache in cm_get_dc_name() since it slowed things down more than it helped. I've made a note of where to add in the negative connection cache in the ads code. Will come back to that. * fix rpcclient to use PRINTER_ALL_ACCESS for set printer (instead of MAX_ALLOWED) * only enumerate domain local groups in our domain * simplify ldap search for seqnum in winbindd's rpc backend (This used to be commit f8cab8635b02b205b4031279cedd804c1fb22c5b)