summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_user.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r23884: Fix Coverity ID 379Volker Lendecke1-0/+6
(This used to be commit 86476efc7a6adfe70c0437c2ff1bbd4b2b4ade5e)
2007-10-10r23784: use the GPLv3 boilerplate as recommended by the FSF and the license textAndrew Tridgell1-2/+1
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
2007-10-10r23779: Change from v2 or later to v3 or later.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
2007-10-10r23244: Fix loop with nscd and NSS recusive calls.Gerald Carter1-1/+2
> Here's the problem I hit: > > getgrnam("foo") -> nscd -> NSS -> winbindd -> > winbindd_passdb.c:nam_to_sid() -> lookup_global_sam_name() -> > getgrnam("foo") -> nscd -> .... > > This is in the SAMBA_3_0 specifically but in theory could happen > SAMBA_3_0_25 (or 26) for an unknown group. > > The attached patch passes down enough state for the > name_to_sid() call to be able to determine the originating > winbindd cmd that came into the parent. So we can avoid > making more NSS calls if the original call came in trough NSS > so we don't deadlock ? But you should still service > lookupname() calls which are needed for example when > doing the token access checks for a "valid groups" from > smb.conf. > > I've got this in testing now. The problem has shown up with the > DsProvider on OS X and with nscd on SOlaris and Linux. (This used to be commit bcc8a3290aaa0d2620e9d391ffbbf65541f6d742)
2007-10-10r22812: Fix bug #3024 (and also the group varient). Patch fromJeremy Allison1-4/+10
Johann Hanne <jhml@gmx.net> and also Kaya Bekiro?lu <kaya.bekiroglu@isilon.com> Jeremy. (This used to be commit c0ba891be06f49968317a90079554cfce2344f39)
2007-10-10r22727: remove outdated comment about templatre shell and homedirGerald Carter1-3/+1
(This used to be commit e8f9bd655829f671e9ce395aa9b4b94ff4bab36a)
2007-10-10r22710: Support one-way trusts.Gerald Carter1-2/+35
* Rely on the fact that name2sid will work for any name in a trusted domain will work against our primary domain (even in the absense of an incoming trust path) * Only logons will reliably work and the idmap backend is responsible for being able to manage id's without contacting the trusted domain * "getent passwd" and "getent group" for trusted users and groups will work but we cannot get the group membership of a user in any fashion without the user first logging on (via NTLM or krb5) and the netsamlogon_cache being updated. (This used to be commit dee2bce2af6aab8308dcef4109cc5248cfba5ef5)
2007-10-10r21860: Fixes for "winbind normalize names" functionality:Gerald Carter1-1/+3
* Fix getgroups() call called using a normalized name * Fix some more name mappings that could cause for example a user to be unable to unlock the screen as the username would not match in the PAM authenticate call. (This used to be commit 505fc669a1b2c36e1639924b9639c97988056d8d)
2007-10-10r21775: make messages more understandable - don't leave part dangling after ↵Herb Lewis1-2/+2
newline (This used to be commit f57e4f8adaa3b8cfc300ee6625fdbca968bb81d3)
2007-10-10r21613: perform variable subsitution on home directories and shells provided ↵Gerald Carter1-12/+13
by the nss_info backend (This used to be commit a9028612a3f614579b28f9560cc67aef90b31cf8)
2007-10-10r21387: Another important fix for non-AD domains:Günther Deschner1-7/+1
Avoid assigning 0 as primary group id for users in NSS calls. Jerry, please check. Guenther (This used to be commit 03f5f7d0140c99411c137e7e2eac7e2d0c08202e)
2007-10-10r21336: Fix indent (as pointed out by Volker).Günther Deschner1-6/+6
Guenther (This used to be commit dcbf7a1250aa5c6293ffba6a930ee23537ec9484)
2007-10-10r21070: * Add the new boolean 'winbind normalize names' option as discussedGerald Carter1-0/+3
on the samba-technical ml. The replacement character is hardcoded as a '_' for now. (This used to be commit bd8238417b8d692ed381a870901ff1ee4cfa80f6)
2007-10-10r20986: Commit the prototype of the nss_info plugin interface.Gerald Carter1-1/+21
This allows a provider to supply the homedirectory, etc... attributes for a user without requiring support in core winbindd code. The idmap_ad.c module has been modified to provide the idmap 'ad' library as well as the rfc2307 and sfu "winbind nss info" support. The SID/id mapping is working in idmap_ad but the nss_info still has a few quirks that I'm in the process of resolving. (This used to be commit aaec0115e2c96935499052d9a637a20c6445986e)
2007-10-10r20155: revert, I misreadSimo Sorce1-1/+1
(This used to be commit 20aa6322efe617f928c5cf2224a7660ca6525297)
2007-10-10r20154: Fix nasty typo, hunting another bugSimo Sorce1-1/+1
(This used to be commit bf8dc44cc2892a784ec3a118abc0abb1018fbde4)
2007-10-10r20116: Start merging in the work done to create the new idmap subsystem.Simo Sorce1-23/+4
Simo. (This used to be commit 50cd8bffeeed2cac755f75fc3d76fe41c451976b)
2007-10-10r19301: Correct debug statement.Jeremy Allison1-1/+1
(This used to be commit 3ea8399bc9ae9de0a6eb0efe0f5b96f923b62082)
2007-10-10r19300: Fix null deref in debug statement.Jeremy Allison1-3/+3
Jeremy. (This used to be commit c55b9111f60debe4c5a7765273fc86ac3829f31c)
2007-10-10r18271: Big change:Gerald Carter1-2/+2
* autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2007-10-10r17605: Some C++ warningsVolker Lendecke1-4/+7
(This used to be commit 05268d7a731861b10ce8556fd32a004808383923)
2007-10-10r17459: As by Jerry's word commit this without his review.Simo Sorce1-7/+25
This patch add some missing async functions to solve UID/GID -> SID requests not just out of the cache, but down the remote idmap if necessary. This patch solves the problem of servers not showing users/groups names for allocated UID/GIDs when joined to a group of servers that share a prepopulated idmap backend. Also correctly resolve UID/GIDs to SIDs when looking ACLs from the windows security tab on teh same situation. Simo. (This used to be commit b8578bfab6a04fcd65a2e65f507067459e326077)
2007-10-10r16945: Sync trunk -> 3.0 for 3.0.24 code. Still needJeremy Allison1-13/+5
to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2007-10-10r16687: Fix bugs #3901, #3902, #3903 reported by jason@ncac.gwu.edu.Jeremy Allison1-7/+12
Jeremy (This used to be commit c4896b17faa6802f18cc1cec7fcc6168bde2eef0)
2007-10-10r15697: I take no comments as no objections :)Günther Deschner1-1/+1
Expand the "winbind nss info" to also take "rfc2307" to support the plain posix attributes LDAP schema from win2k3-r2. This work is based on patches from Howard Wilkinson and Bob Gautier (and closes bug #3345). Guenther (This used to be commit 52423e01dc209ba5abde808a446287714ed11567)
2007-10-10r15053: fix portabilities issues between 32-bit winbind clients and a 64-bit ↵Gerald Carter1-4/+4
winbindd server (This used to be commit a95d11345e76948b147bbc1f29a05c978d99a47a)
2007-10-10r14403: * modifies create_local_nt_token() to create a BUILTIN\AdministratorsGerald Carter1-3/+3
group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes' * Add a SID domain to the group mapping enumeration passdb call to fix the checks for local and builtin groups. The SID can be NULL if you want the old semantics for internal maintenance. I only updated the tdb group mapping code. * remove any group mapping from the tdb that have a gid of -1 for better consistency with pdb_ldap.c. The fixes the problem with calling add_group_map() in the tdb code for unmapped groups which might have had a record present. * Ensure that we distinguish between groups in the BUILTIN and local machine domains via getgrnam() Other wise BUILTIN\Administrators & SERVER\Administrators would resolve to the same gid. * Doesn't strip the global_sam_name() from groups in the local machine's domain (this is required to work with 'winbind default domain' code) Still todo. * Fix fallback Administrators membership for root and domain Admins if nested groups = no or winbindd is not running * issues with "su - user -c 'groups'" command * There are a few outstanding issues with BUILTIN\Users that Windows apparently tends to assume. I worked around this presently with a manual group mapping but I do not think this is a good solution. So I'll probably add some similar as I did for Administrators. (This used to be commit 612979476aef62e8e8eef632fa6be7d30282bb83)
2007-10-10r13915: Fixed a very interesting class of realloc() bugs found by Coverity.Jeremy Allison1-14/+8
realloc can return NULL in one of two cases - (1) the realloc failed, (2) realloc succeeded but the new size requested was zero, in which case this is identical to a free() call. The error paths dealing with these two cases should be different, but mostly weren't. Secondly the standard idiom for dealing with realloc when you know the new size is non-zero is the following : tmp = realloc(p, size); if (!tmp) { SAFE_FREE(p); return error; } else { p = tmp; } However, there were *many* *many* places in Samba where we were using the old (broken) idiom of : p = realloc(p, size) if (!p) { return error; } which will leak the memory pointed to by p on realloc fail. This commit (hopefully) fixes all these cases by moving to a standard idiom of : p = SMB_REALLOC(p, size) if (!p) { return error; } Where if the realloc returns null due to the realloc failing or size == 0 we *guarentee* that the storage pointed to by p has been freed. This allows me to remove a lot of code that was dealing with the standard (more verbose) method that required a tmp pointer. This is almost always what you want. When a realloc fails you never usually want the old memory, you want to free it and get into your error processing asap. For the 11 remaining cases where we really do need to keep the old pointer I have invented the new macro SMB_REALLOC_KEEP_OLD_ON_ERROR, which can be used as follows : tmp = SMB_REALLOC_KEEP_OLD_ON_ERROR(p, size); if (!tmp) { SAFE_FREE(p); return error; } else { p = tmp; } SMB_REALLOC_KEEP_OLD_ON_ERROR guarentees never to free the pointer p, even on size == 0 or realloc fail. All this is done by a hidden extra argument to Realloc(), BOOL free_old_on_error which is set appropriately by the SMB_REALLOC and SMB_REALLOC_KEEP_OLD_ON_ERROR macros (and their array counterparts). It remains to be seen what this will do to our Coverity bug count :-). Jeremy. (This used to be commit 1d710d06a214f3f1740e80e0bffd6aab44aac2b0)
2007-10-10r13492: As noone objected on the mailing-list:Günther Deschner1-1/+1
Fix parse_domain_user to fail when splitting a full name like "DOM\user" when "winbind use default domain" and "winbind trusted domains only" are not enabled. This allows pam_winbind to behave correctly when more modules are stacked in the "account" or "password" PAM facility. pam_winbindd calls WINBINDD_GETPWNAM which can decide whether or not a user is a winbind user and return correct PAM error codes. Guenther (This used to be commit e6d52c1e9d8cec7be6d552c2a67a392df21c3ec9)
2007-10-10r13316: Let the carnage begin....Gerald Carter1-4/+4
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r9758: make sure to lower case usernames in winbindd's getpwnam()Gerald Carter1-1/+4
(This used to be commit 9fc539088eda7f9b5d212b7df50594bec51e16f5)
2007-10-10r8145: When inventing a new parameter for SFU-support, be aware of Volker'sGünther Deschner1-1/+1
upcoming changes for "unixinfo"-pipe. Therefor (after speaking with Volker) replace "winbind sfu support" with the list-parameter "winbind nss info" which defaults to "template". For SFU-support set it to "winbind nss info = template sfu". Note that nss_info_use() is just a dummy function at the moment. Guenther (This used to be commit 91596330ea3c4ba0fb9ddc52ad9d4a7c8e5b2d3f)
2007-10-10r7994: This adds support in Winbindd's "security = ads"-mode to retrieve the ↵Günther Deschner1-41/+77
POSIX homedirectory and the loginshell from Active Directory's "Services for Unix". Enable it with: winbind sfu support = yes User-Accounts without SFU-Unix-Attributes will be assigned template-based Shells and Homedirs as before. Note that it doesn't matter which version of Services for Unix you use (2.0, 2.2, 3.0 or 3.5). Samba should detect the correct attributes (msSFULoginShell, msSFU30LoginShell, etc.) automatically. If you also want to share the same uid/gid-space as SFU then also use PADL's ad-idmap-Plugin: idmap backend = ad When using the idmap-plugin only those accounts will appear in Name Service Switch that have those UNIX-attributes which avoids potential uid/gid-space clashes between SFU-ids and automatically assigned idmap-ids. Guenther (This used to be commit 28b59699425b1c954d191fc0e3bd357e4a4e4cd8)
2007-10-10r7882: Looks like a large patch - but what it actually does is make SambaJeremy Allison1-12/+12
safe for using our headers and linking with C++ modules. Stops us from using C++ reserved keywords in our code. Jeremy (This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a)
2007-10-10r7877: Attempt to fix a smb_panic reported by Pavel Rochnyack.Volker Lendecke1-8/+15
Volker (This used to be commit 7d1b890fead61551465e2a972e4097d9c1a4d6fd)
2007-10-10r7785: This looks much larger than it is. It changes the top-level functions ↵Volker Lendecke1-48/+61
of the parent winbind not to return winbindd_result. This is to hopefully fix all the problems where a result has been scheduled for write twice. The problematic ones have been the functions that might have been delayed as well as under other circumstances immediately gets answered from the cache. Now a request needs to be explicitly replied to with a request_error() or request_ok(). Volker (This used to be commit 7365c9accf98ec1dd78a59dd7f62462bbb8528d4)
2007-10-10r7454: couple of winbindd fixesGerald Carter1-4/+4
* make sure to use our domain as the account name in the net_req_auth2() request when running on a Samba DC * make sure to lookup the correct domain (not default to ours) when getting an async getpwnam() call (This used to be commit c9c3e3c122a6a04847c448d298b6f1adb4f35a60)
2007-10-10r7415: * big change -- volker's new async winbindd from trunkGerald Carter1-138/+246
(This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8)
2007-10-10r7130: remove 'winbind enable local accounts' code from the 3.0 treeGerald Carter1-21/+0
(This used to be commit 318c3db4cb1c85be40b2f812f781bcf5f1da5c19)
2007-10-10r6036: patch from Lin Li <linl@xandros.com> to ensure trusted domains are ↵Gerald Carter1-0/+3
initialized whenenumerating users and groups (This used to be commit 105a63c207e8d2b03a30dec2b8b55b92047cba80)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison1-9/+4
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r2584: After talking to jerry, commit the strlower patch to getent username andVolker Lendecke1-0/+2
groupnames. In template homedir, leave %D alone uppercased. Volker (This used to be commit dcb577f1cd8cf60557c0d061afeec206f58a6b31)
2007-10-10r2378: Remove two confusing #definesVolker Lendecke1-2/+0
(This used to be commit 639cb4ced6b6c08b0665890c815f2e1361e7879f)
2007-10-10r1613: Patch from Tom Shaw <tomisfaraway@gmail.com> to useJeremy Allison1-4/+4
winbindd_fill_pwent consistently. Jeremy. (This used to be commit 8d355b9b9ddd6edf15c70977f5a719b549a56378)
2007-10-10r538: Mem leak fix from kawasa_r@itg.hitachi.co.jpJeremy Allison1-0/+2
Jeremy. (This used to be commit 4cbcd164147d25286fe8dd460c6123e961c4f657)
2007-10-10r395: BUG 1232: patch from landonf@opendarwin.org (Landon Fuller) to fixGerald Carter1-0/+6
user/group enumeration on systems whose libc does not call setgrent() before trying to enumerate users (i.e. FreeBSD 5.2) (This used to be commit 8106d8097258eae260ed834399881bf0be9b515b)
2007-10-10r294: checking in volker's winbindd patches; tested on domain members (Samba ↵Gerald Carter1-1/+1
and AD) as well as on a Samba DC (This used to be commit 157d53782d6a7d0b7e30676a674ff2a25a15369c)
2004-01-08Move more of winbind to use 'find_our_domain()' rather than the dangerousAndrew Bartlett1-7/+7
find_domain_from_name(lp_workgroup()). (as find_domain_from_name() can change the data in lp_workgroup()) Andrew Bartlett (This used to be commit 2e6eaad9ce6a0ad6923b5952ef6cf1c3688b7cfa)
2004-01-07Machines are people too!Andrew Bartlett1-20/+18
While machine accounts cannot use an NTLM login (NT4 style), they are otherwise full and valid members of the domain, and expect to be able to use kerberos to connect to CIFS servers. This means that the LocalSystem account, used by various services, can perform things like backups, without the admin needing to enter further passwords. This particular issue (bug 722) has started to come up a lot on the lists. I have only enabled it for winbindd-based systems, as the macros use use to call the 'add user script' will strip the $ from the username for security reasons. Andrew Bartlett (This used to be commit 6a9bbd1da3bb961d24e74348fa0b68574022855f)
2003-11-12a small include file rearrangement that doesn't affect normalAndrew Tridgell1-0/+1
compilation, but that allows Samba3 to take advantage of pre-compiled headers in gcc if available. (This used to be commit b3e024ce1da7c7e24fcacd8a2964dd2e4562ba39)