summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_passdb.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r23244: Fix loop with nscd and NSS recusive calls.Gerald Carter1-3/+15
> Here's the problem I hit: > > getgrnam("foo") -> nscd -> NSS -> winbindd -> > winbindd_passdb.c:nam_to_sid() -> lookup_global_sam_name() -> > getgrnam("foo") -> nscd -> .... > > This is in the SAMBA_3_0 specifically but in theory could happen > SAMBA_3_0_25 (or 26) for an unknown group. > > The attached patch passes down enough state for the > name_to_sid() call to be able to determine the originating > winbindd cmd that came into the parent. So we can avoid > making more NSS calls if the original call came in trough NSS > so we don't deadlock ? But you should still service > lookupname() calls which are needed for example when > doing the token access checks for a "valid groups" from > smb.conf. > > I've got this in testing now. The problem has shown up with the > DsProvider on OS X and with nscd on SOlaris and Linux. (This used to be commit bcc8a3290aaa0d2620e9d391ffbbf65541f6d742)
2007-10-10r23048: Simo is correct in that winbind_lookup{sid,name}_async() needsGerald Carter1-1/+6
to be able to handle SIDs in the S-1-22-{1,2} domain in order for winbindd_sid_to_uid(), et. al. to succeed. For 3.0.25a, we will short circuit in the sid_to_uid() family of functions so that smbd is ok. For 3.0.26, we need to allow winbindd to handle all types of SIDs. (This used to be commit d70cec31965de41d3296c9b585ff0aea4f2bcffe)
2007-10-10r22589: Make TALLOC_ARRAY consistent across all uses.Jeremy Allison1-6/+12
Jeremy. (This used to be commit 8968808c3b5b0208cbad9ac92eaf948f2c546dd9)
2007-10-10r21014: move some functionss to winbindd_group.c and make staticGerald Carter1-145/+0
(This used to be commit af5a2fa9eccf753106cd944be31f38845363ace6)
2007-10-10r20824: Send access to the trusted domain passwords through the pdb backend, ↵Volker Lendecke1-2/+1
so that in the next step we can store them in LDAP to be replicated across DCs. Thanks to Michael Adam <ma@sernet.de> Volker (This used to be commit 3c879745cfc39be6128b63a88ecdbfa3d9ce6c2d)
2007-10-10r18271: Big change:Gerald Carter1-4/+4
* autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2007-10-10r16945: Sync trunk -> 3.0 for 3.0.24 code. Still needJeremy Allison1-9/+55
to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2007-10-10r15977: Fillup the password_policy method in winbindd for winbindd_passdb. ThisGünther Deschner1-2/+41
should make pam_winbind work again on a Samba PDC (and fix Bug #3800). Guenther (This used to be commit 4addabd054a2627133d3fff71234db18cf2c822c)
2007-10-10r15068: Fix a shadowed variable warningVolker Lendecke1-2/+2
(This used to be commit 066f69fe88b360b856f3dc49089f8c21b721cce9)
2007-10-10r14855: Various fixes:Gerald Carter1-1/+22
* depreacte 'acl group control' after discussion with Jeremy and implement functionality as part of 'dos filemode' * fix winbindd on a non-member server to expand local groups * prevent code previously only used by smbd from blindly turning _NO_WINBINDD back on (This used to be commit 4ab372f4cab22225716b5c9a9a08f0c1dbc9928d)
2007-10-10r14421: This does two thingsGerald Carter1-3/+4
* Automatically creates the BUILTIN\Users group similar to how BUILTIN\Administrators is done. This code does need to be cleaned up considerably. I'll continue to work on this. * The important fix is for getusergroups() when dealing with a local user and nested groups. Now I can run the following successfully: $ su - jerry -c groups users BUILTIN\users (This used to be commit f54d911e686ffd68ddc6dbc073987b9d8eb2fa5b)
2007-10-10r14403: * modifies create_local_nt_token() to create a BUILTIN\AdministratorsGerald Carter1-5/+2
group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes' * Add a SID domain to the group mapping enumeration passdb call to fix the checks for local and builtin groups. The SID can be NULL if you want the old semantics for internal maintenance. I only updated the tdb group mapping code. * remove any group mapping from the tdb that have a gid of -1 for better consistency with pdb_ldap.c. The fixes the problem with calling add_group_map() in the tdb code for unmapped groups which might have had a record present. * Ensure that we distinguish between groups in the BUILTIN and local machine domains via getgrnam() Other wise BUILTIN\Administrators & SERVER\Administrators would resolve to the same gid. * Doesn't strip the global_sam_name() from groups in the local machine's domain (this is required to work with 'winbind default domain' code) Still todo. * Fix fallback Administrators membership for root and domain Admins if nested groups = no or winbindd is not running * issues with "su - user -c 'groups'" command * There are a few outstanding issues with BUILTIN\Users that Windows apparently tends to assume. I worked around this presently with a manual group mapping but I do not think this is a good solution. So I'll probably add some similar as I did for Administrators. (This used to be commit 612979476aef62e8e8eef632fa6be7d30282bb83)
2007-10-10r13316: Let the carnage begin....Gerald Carter1-40/+132
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r11704: methods->alternate_name is not used anymore -- remove itVolker Lendecke1-12/+0
(This used to be commit 4a4f85f0ef8545b7062e9a49392d4488aa108036)
2007-10-10r11580: fix an uninitialized variable that was causing winbindd to die in ↵Gerald Carter1-1/+1
winbindd_dual_getsidaliases() (This used to be commit c0c181826ea535adcbffb8790ad31356f7e9fc04)
2007-10-10r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4Jeremy Allison1-15/+15
x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2007-10-10r7415: * big change -- volker's new async winbindd from trunkGerald Carter1-7/+12
(This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8)
2007-10-10r6755: removing domain_sid() since it is not referenced anymoreGerald Carter1-8/+0
(This used to be commit 8104149e6f490fa1a298e61becc8df01ddd92008)
2007-10-10r6351: This is quite a large and intrusive patch, but there are not many ↵Volker Lendecke1-12/+22
pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2007-10-10r5751: fix another (correct) compiler warningGerald Carter1-1/+1
(This used to be commit 642a2d5a0aecd507d4f26dc2250de3667af3abbf)
2007-10-10r5724: Fix compiler warningVolker Lendecke1-1/+1
(This used to be commit c2f710e3219aab647c0ed294d1d3481f5578b930)
2007-10-10r4760: Make wbinfo --user-sids expand domain local groups. Andrew B., my testingVolker Lendecke1-0/+8
shows that this info is correctly returned to us in to info3 struct, so check_info3_in_group does not need to be adapted. Volker (This used to be commit a84e778cafcefdc1809474c2123e757c8c9d9b70)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison1-11/+7
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r914: Fix from "Jerome Borsboom" <j.borsboom@erasmusmc.nl> to ensureJeremy Allison1-2/+9
correct sid type returned for builtin sids. Jeremy. (This used to be commit 14cf55abb8239e7c90f8891565ac7ed8c51423eb)
2007-10-10r294: checking in volker's winbindd patches; tested on domain members (Samba ↵Gerald Carter1-5/+55
and AD) as well as on a Samba DC (This used to be commit 157d53782d6a7d0b7e30676a674ff2a25a15369c)
2007-10-10r116: volker's patch for local group and group nestingGerald Carter1-0/+339
(This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2003-07-09Large set of changes to add UNIX account/group managementGerald Carter1-360/+0
to winbindd. See README.idmap-and-winbind-changes for details. (This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6)
2003-07-07and so it begins....Gerald Carter1-2/+2
* remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-06-22Found out a good number of NT_STATUS_IS_ERR used the wrong way.Simo Sorce1-4/+4
As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK This patch will cure the problem. Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is used correctly, but I'm not 100% sure, coders should check the use of NT_STATUS_IS_ERR() in samba is ok now. Simo. (This used to be commit c501e84d412563eb3f674f76038ec48c2b458687)
2003-05-03fixes to *_util.c filesSimo Sorce1-0/+360
add winbindd_passdb backend this makes it possible to have nua accounts on security = user servers to show up in unic through nss_winbind.so the problem is that we do not have group support, so nss group support is not very good at this time (read: totally absent) we NEED group support in passdb (This used to be commit 921215cf4bfbd4d7457f81e181bb1a74a4531ca1)