path: root/source3/nsswitch/winbindd_util.c
Commit history (age, author, files changed and lines -/+, followed by the commit message):

2007-10-10  Gerald Carter  (1 file, -3/+40)
r22710: Support one-way trusts.
* Rely on the fact that name2sid for any name in a trusted domain will work against our primary domain (even in the absence of an incoming trust path)
* Only logons will reliably work and the idmap backend is responsible for being able to manage ids without contacting the trusted domain
* "getent passwd" and "getent group" for trusted users and groups will work but we cannot get the group membership of a user in any fashion without the user first logging on (via NTLM or krb5) and the netsamlogon_cache being updated.
(This used to be commit dee2bce2af6aab8308dcef4109cc5248cfba5ef5)

2007-10-10  Gerald Carter  (1 file, -0/+30)
r22705: Implement new set_dc_type_and_flags() called based on the information returned from our DC in the DsEnumerateDomainTrusts() call. If that fails, we fall back to the older connect-to-the-remote-domain method. Note that this means we can only reliably expect the native_mode flag to be set for our own domain as this information is not available outside our primary domain from the trusted information. This is ok as we only really need the flag when trying to determine whether to enumerate domain local groups via RPC. Use the AD flag rather than the native_mode flag when using ldap to obtain the seq_num for a domain.
(This used to be commit 4b4148a9642f03b8f27dda2132708bcc0cbb3b8e)

2007-10-10  Gerald Carter  (1 file, -14/+205)
r22704: Implement three step method for enumerating domain trusts.
(a) Query our primary domain for trusts
(b) Query all tree roots in our forest
(c) Query all forest roots in trusted forests.
This will give us a complete trust topology including domains via transitive Krb5 trusts. We also store the trust type, flags, and attributes so we can determine one-way trusted domains (outgoing only trust path). Patch for one-way trusts coming in a later check-in. "wbinfo -m" now lists all domains in the domain_list() as held by the main winbindd process.
(This used to be commit 9cf6068f1e0a1063d331af17aa493140497b96ef)

2007-10-10  Gerald Carter  (1 file, -8/+1)
r22702: Convert both lookup name and lookup sid to follow the same heuristic. First try our DC and then try a DC in the root of our forest. Use a temporary state since winbindd_lookupXXX_async() is called from various winbindd API entry points. Note this will break the compile. That will be fixed in the next commit.
(This used to be commit b442644bac2a7d5853440254257ca34a8e7c25de)

2007-10-10  Günther Deschner  (1 file, -4/+4)
r22647: Avoid leaking a full info3 structure on each winbindd cached login by making netsamlogon_cache_get() return a talloc'ed structure.
Guenther
(This used to be commit 5b149967cc3ab68057db015e67b688c9b9577f0d)

2007-10-10  James Peach  (1 file, -56/+0)
r22507: Wrap the method of obtaining sockets to listen on.
(This used to be commit e027322b769b896184484155fef7c2ba247412a4)

2007-10-10  Gerald Carter  (1 file, -2/+0)
r22283: Remove very old bug where we assigned the online mode of the domain being queried to our own domain.
(This used to be commit 2abeec576805b5e921b3606ab09ce9c1fd809566)

2007-10-10  Jeremy Allison  (1 file, -1/+0)
r21927: Removed unused variable.
Jeremy.
(This used to be commit 2d951c91a5ac9779dcb124190e3e7f86cee9efdf)

2007-10-10  Gerald Carter  (1 file, -6/+1)
r21918: Reverting this change as it is now causing aborts() in find_builtin_domain(). This all needs more testing before anyone starts changing these lookup routines again.
(This used to be commit add225e1c8fef1d3ddb7fd43c1744858df45ecfd)

2007-10-10  Gerald Carter  (1 file, -1/+1)
r21913: fix one bug in build 717: correctly check the return from sid_peek_check_rid() when trying to find a matching domain
(This used to be commit c63bc300376e5be10585366013449a359b0778c1)

2007-10-10  James Peach  (1 file, -1/+7)
r21881: Make sure we are very specific when testing whether a backend can handle a particular SID. Make sure that the passdb backend will accept the same set range of local SIDs that the idmap system sends it. Simo, Jerry - this is a 3_0_25 candidate. Can you please review?
(This used to be commit 86a70adb6a2d277f235857451bbee7d530d15310)

2007-10-10  Günther Deschner  (1 file, -1/+1)
r21308: Fix some typos and ensure to null terminate the correct strings.
Guenther
(This used to be commit 16c90f30b93f32c4f8fed00a6cc154c596e4244d)

2007-10-10  Gerald Carter  (1 file, -0/+34)
r21070: * Add the new boolean 'winbind normalize names' option as discussed on the samba-technical ml. The replacement character is hardcoded as a '_' for now.
(This used to be commit bd8238417b8d692ed381a870901ff1ee4cfa80f6)

2007-10-10  Günther Deschner  (1 file, -9/+0)
r21018: Removing the set_domain_online_request again in trustdom_recv(). Jeremy, we really can't do that. There are setups with a hundred and more trusted domains out there, I have one customer who tells me it takes more than half an hour for him after winbind is up and running. That request registers the check_domain_online_handler which in turn forks off the child immediately. Also discussed with Volker.
Guenther
(This used to be commit ccd4812c0b436a12b809668d09c5681111125f3d)

2007-10-10  Jeremy Allison  (1 file, -3/+0)
r20530: Don't want this call to get inadvertently re-added :-).
Jeremy.
(This used to be commit 68c4fbcf3397d6c43a3e5809b20a23116b1f8a31)

2007-10-10  Gerald Carter  (1 file, -0/+17)
r20488: When joined to a child domain in a multi-domain/single domain tree, the child domain cannot always resolve SIDs in sibling domains. Windows tries to contact a DC in its own domain and then the root domain in the forest. This async change makes winbindd's name2sid() call do the same.
(This used to be commit 7b2bf0e5a6b8d4119657c7a34aa53c9a0c1d5723)

2007-10-10  Gerald Carter  (1 file, -2/+7)
r20287: Allow a NULL sid when setting up the list of trusted domains.
(This used to be commit ccea7155bc8c22816f2622e604e0ef76109487f1)

2007-10-10  Jeremy Allison  (1 file, -1/+17)
r20270: Even with the dual daemon mode the parent winbindd still needs to contact the DCs for non async requests like enumerate users/groups etc. Now that online DC detection is tied to async events we must enable the processing of events in the main loop of winbindd. Finally got rid of the last hard coded domain->initialized = 1 code in init_child_recv() - now all domain->initialized = True gets done only in the connection manager code when either we're online and have spoken to the DC or are offline and we know we can't talk to the DC.
Jeremy.
(This used to be commit b3c98057fbad182f6c05c5daec6cd258dd491064)

2007-10-10  Simo Sorce  (1 file, -1/+3)
r20150: better memory handling for some functions, make sure we don't leak memory by using the wrong (long-lived) mem context
(This used to be commit a28cdd6e742cb72a728bd337546ee95fd4160ed8)

2007-10-10  Herb Lewis  (1 file, -3/+3)
r20124: clean up nested extern declaration warnings
(This used to be commit ac3eb7813e33b9a2e78c9158433f7ed62c3b62bb)

2007-10-10  Simo Sorce  (1 file, -249/+9)
r20116: Start merging in the work done to create the new idmap subsystem.
Simo.
(This used to be commit 50cd8bffeeed2cac755f75fc3d76fe41c451976b)

2007-10-10  Jeremy Allison  (1 file, -3/+9)
r20090: Fix a class of bugs found by James Peach. Ensure we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevant parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches.
Jeremy.
(This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24)

2007-10-10  Jeremy Allison  (1 file, -8/+1)
r20057: Attempt to fix connect timeouts when connected on a network but not one on which any home DCs can be found (hotel network problem). Still testing but this is getting close.
Jeremy.
(This used to be commit 369c9e4138b93f7cfb6680f0beb541f58554e856)

2007-10-10  Volker Lendecke  (1 file, -1/+1)
r19686: Fix the build
(This used to be commit 28ac0235810c53eccb449201ac933d7eaf8eb38f)

2007-10-10  Jeremy Allison  (1 file, -16/+0)
r19413: Now we're calling init_dc_connection, this code is completely useless (and in fact harmful :-) in that it causes a winbindd error where there should be none.
Jeremy.
(This used to be commit acf5419d62f4ac64449d4722c5ff3c9be35c0570)

2007-10-10  Jeremy Allison  (1 file, -9/+11)
r19212: Make sure domains marked internal don't do network queries.
Jeremy.
(This used to be commit e4d5e1d90b40fee1edc5cf0134b276645eea63bf)

2007-10-10  Jeremy Allison  (1 file, -0/+20)
r19207: Properly canonicalize incoming names to the NSS protocols auth, chauthtok, logoff, ccache_ntlm_auth. That way we ensure winbindd only deals with fully qualified names internally. The NSS protocols auth_crap and chng_pswd_auth_crap should be fixed to do the same thing.
Jeremy.
(This used to be commit dbd2454d3337f64cddbdaf39e9efd6505e6b2590)

2007-10-10  Jeremy Allison  (1 file, -3/+15)
r19148: Finish last night's patch - make offline work again. Still under test.
Jeremy.
(This used to be commit 40a455db78f805daa6bfeb9e78fb78dcc12fd9a7)

2007-10-10  Volker Lendecke  (1 file, -0/+1)
r19066: Fix a memleak
(This used to be commit c53e2e54750764c9a0eb57a86fd226b4f8711a66)

2007-10-10  Günther Deschner  (1 file, -21/+0)
r18703: Fix the annoying effect that happens when nscd is running: We usually do not get the results from user/group script modifications immediately. A lot of users do add nscd restart/refresh commands into their scripts to workaround that while we could flush the nscd caches directly using libnscd.
Guenther
(This used to be commit 7db6ce295afbedfada7b207ad56566d2195a0d21)

2007-10-10  Jeremy Allison  (1 file, -2/+3)
r18509: We must always canonicalise the usernames to be UPPERCASE DOMAIN, lowercase username. We cache names as keys in this form, and we weren't always returning this....
Jeremy.
(This used to be commit 205aa2b70d647460ca5a273caad7717312f53aab)

2007-10-10  Gerald Carter  (1 file, -2/+2)
r18271: Big change:
* autogenerate lsa ndr code
* rename 'enum SID_NAME_USE' to 'enum lsa_SidType'
* merge a lot more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0
The most embarrassing thing is the "#define strlen_m strlen". We need a real implementation in SAMBA_3_0 which I'll work on after this code is in.
(This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)

2007-10-10  Volker Lendecke  (1 file, -1/+1)
r17605: Some C++ warnings
(This used to be commit 05268d7a731861b10ce8556fd32a004808383923)

2007-10-10  Gerald Carter  (1 file, -7/+21)
r17159: Bug 3920: Restore winbind use default domain behavior for domain groups. This breaks local users and 'winbind nested groups' on domain members. Cannot be helped. My plan is to move the default domain crud to the client code (pam and nss libraries) in 3.0.24.
(This used to be commit 8ee22eeab5d06008b363f8bb250dc767ddfbb86a)

2007-10-10  Jeremy Allison  (1 file, -1/+1)
r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for....
Jeremy.
(This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)

2007-10-10  Günther Deschner  (1 file, -2/+2)
r16940: libnscd sets errno, use that to display error message.
Guenther
(This used to be commit df10448e2c6166d1c129c2d9a9a74c5b4a42555f)

2007-10-10  Jeremy Allison  (1 file, -8/+0)
r16422: winbindd_demote_client isn't used and generates a Klocwork issue (#1844). Remove it.
Jeremy.
(This used to be commit e83c3e0a65edeb423d964488e219e30d023b13e8)

2007-10-10  Günther Deschner  (1 file, -1/+1)
r15976: Set our internal domains to "online" by default in winbindd.
Guenther
(This used to be commit 2678582c6cc7fb100cb3bfd867816878461ae7b4)

2007-10-10  Gerald Carter  (1 file, -1/+1)
r15842: patch from volker to instruct winbindd to find a trusted DC on its own when running on a Samba DC (since we don't implement the getdcname() call that well)
(This used to be commit 39f7ff75a7a21b85b54cba954f1c5552e562be5c)

2007-10-10  Günther Deschner  (1 file, -1/+4)
r15698: An attempt to make the winbind lookup_usergroups() call in security=ads more scalable: The most efficient way is to use the "tokenGroups" attribute which gives the nested group membership. As this attribute cannot always be retrieved when binding with the machine account (the only guaranteed way to get the tokenGroups I could find is when the machine account is a member of the "Pre Win2k Access" builtin group). Our current fallback when "tokenGroups" failed is looking for all groups where the userdn was in the "member" attribute. This does not behave very well in very large AD domains. The patch first tries the "memberOf" attribute on the user's dn in that case and directly retrieves the group's sids by using the LDAP Extended DN control from the user's object. The way to pass down the control to the ldap search call is rather painful and probably will be rearranged later on. Successfully tested on win2k sp0, win2k sp4, win2k3 sp1 and win2k3 r2.
Guenther
(This used to be commit 7d766b5505e4099ef7dd4e88bb000ebe38d71bd0)

2007-10-10  Günther Deschner  (1 file, -0/+46)
r15306: Be consistent between rpc and ads winbind backend: let the ads backend query the samlogon cache first as well.
Guenther
(This used to be commit aa52b11dd450ca3ec1f156e17822b1c4971ef915)

2007-10-10  Gerald Carter  (1 file, -2/+2)
r15053: fix portability issues between 32-bit winbind clients and a 64-bit winbindd server
(This used to be commit a95d11345e76948b147bbc1f29a05c978d99a47a)

2007-10-10  Gerald Carter  (1 file, -15/+12)
r14855: Various fixes:
* deprecate 'acl group control' after discussion with Jeremy and implement functionality as part of 'dos filemode'
* fix winbindd on a non-member server to expand local groups
* prevent code previously only used by smbd from blindly turning _NO_WINBINDD back on
(This used to be commit 4ab372f4cab22225716b5c9a9a08f0c1dbc9928d)

2007-10-10  Volker Lendecke  (1 file, -8/+6)
r14480: Kill one boolean flag passed down :-)
(This used to be commit d9b85e3b287c24d2a3e2076da331fe06192b0eef)

2007-10-10  Günther Deschner  (1 file, -0/+22)
r14474: Also flush the nscd caches before entering the main winbindd loop.
Guenther
(This used to be commit c81eb71834dc827db63c8adb3f816bbbe916473c)

2007-10-10  Günther Deschner  (1 file, -3/+9)
r14468: Better fix to avoid winbind panic when we have an improper configuration and want to just shutdown and exit.
Guenther
(This used to be commit 0aa6328ed6ba6d0d24169ffdff0099405c9bfb00)

2007-10-10  Günther Deschner  (1 file, -8/+4)
r14467: Reverting 13660. This needs to be fixed differently.
Guenther
(This used to be commit 4157bfe9cfe79ff78e7e527a50058cf9103cab61)

2007-10-10  Gerald Carter  (1 file, -2/+2)
r14403:
* modifies create_local_nt_token() to create a BUILTIN\Administrators group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes'
* Add a SID domain to the group mapping enumeration passdb call to fix the checks for local and builtin groups. The SID can be NULL if you want the old semantics for internal maintenance. I only updated the tdb group mapping code.
* remove any group mapping from the tdb that have a gid of -1 for better consistency with pdb_ldap.c. This fixes the problem with calling add_group_map() in the tdb code for unmapped groups which might have had a record present.
* Ensure that we distinguish between groups in the BUILTIN and local machine domains via getgrnam(). Otherwise BUILTIN\Administrators & SERVER\Administrators would resolve to the same gid.
* Doesn't strip the global_sam_name() from groups in the local machine's domain (this is required to work with 'winbind default domain' code)
Still todo.
* Fix fallback Administrators membership for root and domain Admins if nested groups = no or winbindd is not running
* issues with "su - user -c 'groups'" command
* There are a few outstanding issues with BUILTIN\Users that Windows apparently tends to assume. I worked around this presently with a manual group mapping but I do not think this is a good solution. So I'll probably add something similar as I did for Administrators.
(This used to be commit 612979476aef62e8e8eef632fa6be7d30282bb83)

2007-10-10  Günther Deschner  (1 file, -4/+8)
r13660: Attempt to better handle the failure that we cannot find our sid upon startup; don't panic, shutdown instead.
Guenther
(This used to be commit f209192e26c12fd48feb6195b724715fbada8b85)

2007-10-10  Günther Deschner  (1 file, -4/+5)
r13492: As no one objected on the mailing-list: Fix parse_domain_user to fail when splitting a full name like "DOM\user" when "winbind use default domain" and "winbind trusted domains only" are not enabled. This allows pam_winbind to behave correctly when more modules are stacked in the "account" or "password" PAM facility. pam_winbindd calls WINBINDD_GETPWNAM which can decide whether or not a user is a winbind user and return correct PAM error codes.
Guenther
(This used to be commit e6d52c1e9d8cec7be6d552c2a67a392df21c3ec9)