path: root/source3/nsswitch/winbindd_rpc.c
Age | Commit message | Author | Files | Lines
2007-10-10 | r23244: Fix loop with nscd and NSS recursive calls. | Gerald Carter | 1 | -5/+6
> Here's the problem I hit:
>
> getgrnam("foo") -> nscd -> NSS -> winbindd ->
> winbindd_passdb.c:nam_to_sid() -> lookup_global_sam_name() ->
> getgrnam("foo") -> nscd -> ....
>
> This is in the SAMBA_3_0 specifically but in theory could happen
> SAMBA_3_0_25 (or 26) for an unknown group.
>
> The attached patch passes down enough state for the
> name_to_sid() call to be able to determine the originating
> winbindd cmd that came into the parent. So we can avoid
> making more NSS calls if the original call came in through NSS
> so we don't deadlock? But you should still service
> lookupname() calls which are needed for example when
> doing the token access checks for a "valid groups" from
> smb.conf.
>
> I've got this in testing now. The problem has shown up with the
> DsProvider on OS X and with nscd on Solaris and Linux.

(This used to be commit bcc8a3290aaa0d2620e9d391ffbbf65541f6d742)
2007-10-10 | r23046: Few missing merges from cleaning out the Centeris winbindd tree. | Gerald Carter | 1 | -0/+6
Nothing of major interest. Will fix a few problems with one way trusts. (This used to be commit 3d48a7e72d9268fd495e0ca4b6e73bed5bb57214)
2007-10-10 | r22711: Fix a compile warning in query_user(). Ensure that user_rid | Gerald Carter | 1 | -1/+1
is initialized. (This used to be commit ef0304268284df7166ecd1b17328076e7ce40de9)
2007-10-10 | r22710: Support one-way trusts. | Gerald Carter | 1 | -6/+77
* Rely on the fact that name2sid will work for any name in a trusted domain will work against our primary domain (even in the absence of an incoming trust path)
* Only logons will reliably work and the idmap backend is responsible for being able to manage id's without contacting the trusted domain
* "getent passwd" and "getent group" for trusted users and groups will work but we cannot get the group membership of a user in any fashion without the user first logging on (via NTLM or krb5) and the netsamlogon_cache being updated.

(This used to be commit dee2bce2af6aab8308dcef4109cc5248cfba5ef5)
2007-10-10 | r22705: Implement new set_dc_type_and_flags() called based on the | Gerald Carter | 1 | -1/+1
information returned from our DC in the DsEnumerateDomainTrusts() call. If that fails, we callback to the older connect-to-the-remote-domain method. Note that this means we can only reliably expect the native_mode flag to be set for our own domain as this information is not available outside our primary domain from the trusted information. This is ok as we only really need the flag when trying to determine to enumerate domain local groups via RPC. Use the AD flag rather than the native_mode flag when using ldap to obtain the seq_num for a domain. (This used to be commit 4b4148a9642f03b8f27dda2132708bcc0cbb3b8e)
2007-10-10 | r22647: Avoid leaking a full info3 structure on each winbindd cached login ↵ | Günther Deschner | 1 | -1/+1
by making netsamlogon_cache_get() return a talloc'ed structure. Guenther (This used to be commit 5b149967cc3ab68057db015e67b688c9b9577f0d)
2007-10-10 | r22589: Make TALLOC_ARRAY consistent across all uses. | Jeremy Allison | 1 | -7/+14
Jeremy. (This used to be commit 8968808c3b5b0208cbad9ac92eaf948f2c546dd9)
2007-10-10 | r21860: Fixes for "winbind normalize names" functionality: | Gerald Carter | 1 | -3/+3
* Fix getgroups() call called using a normalized name
* Fix some more name mappings that could cause for example a user to be unable to unlock the screen as the username would not match in the PAM authenticate call.

(This used to be commit 505fc669a1b2c36e1639924b9639c97988056d8d)
2007-10-10 | r21387: Another important fix for non-AD domains: | Günther Deschner | 1 | -0/+2
Avoid assigning 0 as primary group id for users in NSS calls. Jerry, please check. Guenther (This used to be commit 03f5f7d0140c99411c137e7e2eac7e2d0c08202e)
2007-10-10 | r21308: Fix some typos and ensure to null terminate the correct strings. | Günther Deschner | 1 | -1/+1
Guenther (This used to be commit 16c90f30b93f32c4f8fed00a6cc154c596e4244d)
2007-10-10 | r21146: Fix debug typos. | Günther Deschner | 1 | -1/+1
Guenther (This used to be commit cdef1d00b89abd632281d428f1e1a6b322559af4)
2007-10-10 | r21112: fix const compile warning | Gerald Carter | 1 | -2/+2
(This used to be commit 6b754f7c96400d5d1f14e807aac0aa925c45eefb)
2007-10-10 | r21070: * Add the new boolean 'winbind normalize names' option as discussed | Gerald Carter | 1 | -2/+9
on the samba-technical ml. The replacement character is hardcoded as a '_' for now. (This used to be commit bd8238417b8d692ed381a870901ff1ee4cfa80f6)
2007-10-10 | r20090: Fix a class of bugs found by James Peach. Ensure | Jeremy Allison | 1 | -2/+4
we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevant parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)
2007-10-10 | r19340: Wait longer than 10 seconds for a samr_query_groupmem lookup to succeed. | Günther Deschner | 1 | -0/+9
Guenther (This used to be commit 37dd019e21cab2f0df314b0b741f79422fc10d1b)
2007-10-10 | r19105: Ok - this is currently untested (but I'm testing it at | Jeremy Allison | 1 | -40/+6
the moment) but winbindd isn't run in the build farm so hopefully won't break anything too badly - I don't want to lose this. If winbindd starts offline then it falls back to using MS-RPC backend. On going online it needs to reset the backend and try and go to using the AD backend code if possible, as the MS-RPC sequence number fetch just returns 1 as the sequence number if run against an AD DC. In addition, the winbindd async child may end up with the AD backend whilst the main winbindd - which still contacts the DC for some non-async calls, is left using MS-RPC. This can cause some trouble (as you can imagine :-). Attempt to ensure both main winbindd and async children use AD backends on going online. Jeremy. (This used to be commit 5efd4b04b89ace4b264e9ac37a90e202749792be)
2007-10-10 | r18271: Big change: | Gerald Carter | 1 | -6/+6
* autogenerate lsa ndr code
* rename 'enum SID_NAME_USE' to 'enum lsa_SidType'
* merge a lot more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0

The most embarrassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2007-10-10 | r18192: Fix the build. | Jeremy Allison | 1 | -1/+1
Jeremy. (This used to be commit aa62bb6b4ccb46a58bbe8f46d552a062ca06c238)
2007-10-10 | r18191: Fix the online/offline state handling of winbindd. | Jeremy Allison | 1 | -6/+6
Instead of trying to do this in the winbindd_cache entries, add a timed event handler to probe every 5 mins when disconnected. Fix events to run all pending events, rather than only one. Jeremy. (This used to be commit 7bfbe1b4fb9a91c6678035f220bbf0b4f5afdcac)
2007-10-10 | r18188: merge 3.0-libndr branch | Jelmer Vernooij | 1 | -2/+2
(This used to be commit 1115745caed3093c25d6be01ffee21819fb0a675)
2007-10-10 | r17881: Another microstep towards better error reporting: Make ↵ | Volker Lendecke | 1 | -1/+2
get_sorted_dc_list return NTSTATUS. If we want to differentiate different name resolution problems we might want to introduce yet another error class for Samba-internal errors. Things like no route to host to the WINS server, a DNS server explicitly said host not found etc might be worth passing up. Because we can not stash everything into the existing NT_STATUS codes, what about a Samba-specific error class like NT_STATUS_DOS and NT_STATUS_LDAP? Volker (This used to be commit 60a166f0347170dff38554bed46193ce1226c8c1)
2007-10-10 | r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need | Jeremy Allison | 1 | -3/+53
to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2007-10-10 | r16678: Fix bug #3898 reported by jason@ncac.gwu.edu. | Jeremy Allison | 1 | -1/+1
Jeremy. (This used to be commit 5c5ea3152f8dbdfd7717b65e035191ffed3ec548)
2007-10-10 | r16644: Fix bug #3887 reported by jason@ncac.gwu.edu | Jeremy Allison | 1 | -2/+2
by converting the lookup_XX functions to correctly return SID_NAME_TYPE enums. Jeremy. (This used to be commit ee2b2d96b60c668e37592c79e86c2fd851e15f69)
2007-10-10 | r16358: ALWAYS compile this stuff on a 64-bit box before | Jeremy Allison | 1 | -1/+3
checking in. size_t != uint32 on a 64-bit machine. Jeremy. (This used to be commit 09c89732869eae0d8c8971ac78235d34e4dcecb9)
2007-10-10 | r16349: Another fix to make winbind more robust in large domains: | Günther Deschner | 1 | -11/+52
We may only feed rpc_useraliases with chunks of 1024 entries. This is important as the token generation otherwise fails when a user is member of more than 1024 groups. Volker, please check. Guenther (This used to be commit d8fd94648f965eb043f957b154ce63b245a90328)
2007-10-10 | r16222: Fix DEBUG statements. | Günther Deschner | 1 | -1/+1
Guenther (This used to be commit 5ecfaf7d505e6acc23a06dd64d00f5e6fb8efe6f)
2007-10-10 | r15306: Be consistent between rpc and ads winbind backend: let the ads backend | Günther Deschner | 1 | -18/+4
query the samlogon cache first as well. Guenther (This used to be commit aa52b11dd450ca3ec1f156e17822b1c4971ef915)
2007-10-10 | r15244: Fix debug typo. | Günther Deschner | 1 | -1/+1
Guenther (This used to be commit 01787bd45b4186d3e997f750b08c50df9d3cbbe1)
2007-10-10 | r13316: Let the carnage begin.... | Gerald Carter | 1 | -1/+68
Sync with trunk as of r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10 | r11704: methods->alternate_name is not used anymore -- remove it | Volker Lendecke | 1 | -8/+0
(This used to be commit 4a4f85f0ef8545b7062e9a49392d4488aa108036)
2007-10-10 | r11652: Reinstate the netsamlogon_cache in order to work | Gerald Carter | 1 | -0/+52
around failed query_user calls. This fixes logons to a member of a Samba domain as a user from a trusted AD domain. As per comments on samba-technical, I still need to add (a) cache the PAC info as well as NTLM net_user_info_3 (b) expire the cache when the SMB session goes away Both Jeremy and Guenther have signed off on the idea. (This used to be commit 0c2bb5ba7b92d9210e7fa9f7b70aa67dfe9faaf4)
2007-10-10 | r9588: remove netsamlogon_cache interface...everything seems to work fine. ↵ | Gerald Carter | 1 | -52/+0
Will deal with any fallout from special environments using a non-cache solution (This used to be commit e1de6f238f3981d81e49fb41919fdce4f07c8280)
2007-10-10 | r7994: This adds support in Winbindd's "security = ads"-mode to retrieve the ↵ | Günther Deschner | 1 | -1/+8
POSIX homedirectory and the loginshell from Active Directory's "Services for Unix".

Enable it with:

    winbind sfu support = yes

User-Accounts without SFU-Unix-Attributes will be assigned template-based Shells and Homedirs as before.

Note that it doesn't matter which version of Services for Unix you use (2.0, 2.2, 3.0 or 3.5). Samba should detect the correct attributes (msSFULoginShell, msSFU30LoginShell, etc.) automatically.

If you also want to share the same uid/gid-space as SFU then also use PADL's ad-idmap-Plugin:

    idmap backend = ad

When using the idmap-plugin only those accounts will appear in Name Service Switch that have those UNIX-attributes which avoids potential uid/gid-space clashes between SFU-ids and automatically assigned idmap-ids.

Guenther

(This used to be commit 28b59699425b1c954d191fc0e3bd357e4a4e4cd8)
2007-10-10 | r7415: * big change -- volker's new async winbindd from trunk | Gerald Carter | 1 | -407/+262
(This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8)
2007-10-10 | r6755: removing domain_sid() since it is not referenced anymore | Gerald Carter | 1 | -39/+0
(This used to be commit 8104149e6f490fa1a298e61becc8df01ddd92008)
2007-10-10 | r6682: patch from Qiao Yang <qyang@stbernard.com> to use our own DC when ↵ | Gerald Carter | 1 | -5/+8
getting the SID for a domain (This used to be commit 2e0941ebc1d6a9a9498cc5a9f072d501293f8933)
2007-10-10 | r6149: Fixes bugs #2498 and 2484. | Derrell Lipman | 1 | -1/+1
1. using smbc_getxattr() et al, one may now request all access control entities in the ACL without getting all other NT attributes.
2. added the ability to exclude specified attributes from the result set provided by smbc_getxattr() et al, when requesting all attributes, all NT attributes, or all DOS attributes.
3. eliminated all compiler warnings, including when --enable-developer compiler flags are in use. removed -Wcast-qual flag from list, as that is specifically to force warnings in the case of casting away qualifiers.

Note: In the process of eliminating compiler warnings, a few nasties were discovered. In the file libads/sasl.c, PRIVATE kerberos interfaces are being used; and in libsmb/clikrb5.c, both PRIVATE and DEPRECATED kerberos interfaces are being used. Someone who knows kerberos should look at these and determine if there is an alternate method of accomplishing the task.

(This used to be commit 994694f7f26da5099f071e1381271a70407f33bb)
2007-10-10 | r6127: Eliminated all compiler warnings pertaining to mismatched ↵ | Derrell Lipman | 1 | -1/+2
"qualifiers". The whole of samba compiles warning-free with the default compiler flags. Temporarily defined -Wall to locate other potential problems. Found an unused static function (#ifdefed out rather than deleted, in case it's needed for something in progress). There are also a number of uses of undeclared functions, mostly krb5_*. Files with these problems need to have appropriate header files included, but they are not fixed in this update. oplock_linux.c.c has undefined functions capget() and capset(), which need to have "#undef _POSIX_SOURCE" specified before including <sys/capability.h>, but that could potentially have other side effects, so that remains uncorrected as well. The flag -Wall should be added permanently to CFLAGS, and all warnings then generated should be eliminated. (This used to be commit 5b19ede88ed80318e392f8017f4573fbb2ecbe0f)
2007-10-10 | r5654: Fix bug 1604 -- make winbind work with more than 10 trusted domains. | Volker Lendecke | 1 | -3/+34
TODO: This needs to be merged to trunk separately, it has changed a little, but it's Friday evening here. Volker (This used to be commit 49c3e04632e9fcdf552259412e8ec54d18269516)
2007-10-10 | r5471: In cli_samr_lookup_rids, flags is not a flags but an array size. W2k3 ↵ | Volker Lendecke | 1 | -1/+1
rejects everything but 1000 here, so there's no point in exposing that to the caller. Thanks, Volker (This used to be commit 03ec1bd9e54b065c0494bc57a3d78ac0ae28e234)
2007-10-10 | r5428: Apply some const. LDAP attribs should now be declared const char ↵ | Volker Lendecke | 1 | -1/+1
*attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2007-10-10 | r4760: Make wbinfo --user-sids expand domain local groups. Andrew B., my testing | Volker Lendecke | 1 | -0/+62
shows that this info is correctly returned to us in to info3 struct, so check_info3_in_group does not need to be adapted. Volker (This used to be commit a84e778cafcefdc1809474c2123e757c8c9d9b70)
2007-10-10 | r4331: Implement SAMR query_dom_info-call info-level 8 server- and client-side, | Günther Deschner | 1 | -3/+20
based on samba4-idl. This saves us an enormous amount of totally unnecessary ldap-traffic when several hundreds of winbind-daemons query a Samba3 DC just to get the fake SAM-sequence-number (time(NULL)) by enumerating all users, all groups and all aliases when query-dom-info level 2 is used. Note that we apparently never get the sequence number right (we parse a uint32, although it's a uint64, at least in samba4 idl). For the time being, I would propose to stay with that behaviour. Guenther (This used to be commit f9ab15a986626581000d4b93961184c501f36b93)
2007-10-10 | r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵ | Jeremy Allison | 1 | -11/+8
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10 | r1317: Patch from Joe Meadows "Joe Meadows" <jameadows@webopolis.com> to | Jeremy Allison | 1 | -32/+2
add a timeout to the ldap open calls. New parameter, ldap timeout added. Jeremy. (This used to be commit e5b3094c4cc75eb07f667dd1aeb73921ed7366ac)
2007-10-10 | r294: checking in volker's winbindd patches; tested on domain members (Samba ↵ | Gerald Carter | 1 | -12/+9
and AD) as well as on a Samba DC (This used to be commit 157d53782d6a7d0b7e30676a674ff2a25a15369c)
2004-03-30 | Apply some const | Volker Lendecke | 1 | -3/+3
(This used to be commit 8037750df568e6b51b2b0cba9192468110470388)
2004-02-08 | Make more functions static, and remove duplication in the use of functions | Andrew Bartlett | 1 | -1/+1
in lib/smbpasswd.c that were exact duplicates of functions in passdb/passdb.c (These should perhaps be pulled back out to smbpasswd.c, but that can occur later). Andrew Bartlett (This used to be commit fcdc5efb1e245c8fa95cd031f67ec56093b9056e)
2004-01-08 | This merges in my 'always use ADS' patch. Tested on a mix of NT and ADS | Andrew Bartlett | 1 | -2/+11
domains, this patch ensures that we always use the ADS backend when security=ADS, and the remote server is capable. The routines used for this behaviour have been upgraded to modern Samba coding standards. This is a change in behaviour for mixed mode domains, and if the trusted domain cannot be reached with our current krb5.conf file, we will show that domain as disconnected. This is in line with existing behaviour for native mode domains, and for our primary domain. As a consequence of testing this patch, I found that our kerberos error handling was well below par - we would often throw away useful error values. These changes move more routines to ADS_STATUS to return kerberos errors. Also found when valgrinding the setup, fix a few memory leaks. While sniffing the resultant connections, I noticed we would query our list of trusted domains twice - so I have reworked some of the code to avoid that. Andrew Bartlett (This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)