summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_util.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r19686: Fix the buildVolker Lendecke1-1/+1
(This used to be commit 28ac0235810c53eccb449201ac933d7eaf8eb38f)
2007-10-10r19413: Now we're calling init_dc_connection, this codeJeremy Allison1-16/+0
is completely useless (and in fact harmful :-) in that it causes a winbindd error where there should be none. Jeremy. (This used to be commit acf5419d62f4ac64449d4722c5ff3c9be35c0570)
2007-10-10r19212: Make sure domains marked internal don't doJeremy Allison1-9/+11
network queries. Jeremy. (This used to be commit e4d5e1d90b40fee1edc5cf0134b276645eea63bf)
2007-10-10r19207: Properly canonicalize incoming names to theJeremy Allison1-0/+20
NSS protocols auth, chauthtok, logoff, ccache_ntlm_auth. That way we ensure winbindd only deals with fully qualified names internally. The NSS protocols auth_crap and chng_pswd_auth_crap should be fixed to do the same thing. Jeremy. (This used to be commit dbd2454d3337f64cddbdaf39e9efd6505e6b2590)
2007-10-10r19148: Finish last nights patch - make offlineJeremy Allison1-3/+15
work again. Still under test. Jeremy. (This used to be commit 40a455db78f805daa6bfeb9e78fb78dcc12fd9a7)
2007-10-10r19066: Fix a memleakVolker Lendecke1-0/+1
(This used to be commit c53e2e54750764c9a0eb57a86fd226b4f8711a66)
2007-10-10r18703: Fix the annoying effect that happens when nscd is running:Günther Deschner1-21/+0
We usually do not get the results from user/group script modifications immediately. A lot of users do add nscd restart/refresh commands into their scripts to workaround that while we could flush the nscd caches directly using libnscd. Guenther (This used to be commit 7db6ce295afbedfada7b207ad56566d2195a0d21)
2007-10-10r18509: We must always canonicalise the usernames to be UPPERCASE DOMAIN,Jeremy Allison1-2/+3
lowercase username. We cache names as keys in this form, and we weren't always returning this.... Jeremy. (This used to be commit 205aa2b70d647460ca5a273caad7717312f53aab)
2007-10-10r18271: Big change:Gerald Carter1-2/+2
* autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2007-10-10r17605: Some C++ warningsVolker Lendecke1-1/+1
(This used to be commit 05268d7a731861b10ce8556fd32a004808383923)
2007-10-10r17159: Bug 3920: Restore wnibind use default domain behavior for domain groups.Gerald Carter1-7/+21
This break local users and 'winbind nested groups' on domain members. Cannot be helped. My plans is to move the default domain crud to the client code (pam and nss libraries) in 3.0.24. (This used to be commit 8ee22eeab5d06008b363f8bb250dc767ddfbb86a)
2007-10-10r16945: Sync trunk -> 3.0 for 3.0.24 code. Still needJeremy Allison1-1/+1
to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2007-10-10r16940: libnscd sets errno, use that to display error message.Günther Deschner1-2/+2
Guenther (This used to be commit df10448e2c6166d1c129c2d9a9a74c5b4a42555f)
2007-10-10r16422: winbindd_demote_client isn't used and generatesJeremy Allison1-8/+0
a Klocwork issue (#1844). Remove it Jeremy. (This used to be commit e83c3e0a65edeb423d964488e219e30d023b13e8)
2007-10-10r15976: Set our internal domains to "online" by default in winbindd.Günther Deschner1-1/+1
Guenther (This used to be commit 2678582c6cc7fb100cb3bfd867816878461ae7b4)
2007-10-10r15842: patch from volker to instruct winbindd to find a trusted DC on its ↵Gerald Carter1-1/+1
own when runing on a Samba DC (since we don't implement the getdcname() call that well (This used to be commit 39f7ff75a7a21b85b54cba954f1c5552e562be5c)
2007-10-10r15698: An attempt to make the winbind lookup_usergroups() call in security=adsGünther Deschner1-1/+4
more scalable: The most efficient way is to use the "tokenGroups" attribute which gives the nested group membership. As this attribute can not always be retrieved when binding with the machine account (the only garanteed way to get the tokenGroups I could find is when the machine account is a member of the "Pre Win2k Access" builtin group). Our current fallback when "tokenGroups" failed is looking for all groups where the userdn was in the "member" attribute. This behaves not very well in very large AD domains. The patch first tries the "memberOf" attribute on the user's dn in that case and directly retrieves the group's sids by using the LDAP Extended DN control from the user's object. The way to pass down the control to the ldap search call is rather painfull and probably will be rearranged later on. Successfully tested on win2k sp0, win2k sp4, wink3 sp1 and win2k3 r2. Guenther (This used to be commit 7d766b5505e4099ef7dd4e88bb000ebe38d71bd0)
2007-10-10r15306: Be consistent between rpc and ads winbind backend: let the ads backendGünther Deschner1-0/+46
query the samlogon cache first as well. Guenther (This used to be commit aa52b11dd450ca3ec1f156e17822b1c4971ef915)
2007-10-10r15053: fix portabilities issues between 32-bit winbind clients and a 64-bit ↵Gerald Carter1-2/+2
winbindd server (This used to be commit a95d11345e76948b147bbc1f29a05c978d99a47a)
2007-10-10r14855: Various fixes:Gerald Carter1-15/+12
* depreacte 'acl group control' after discussion with Jeremy and implement functionality as part of 'dos filemode' * fix winbindd on a non-member server to expand local groups * prevent code previously only used by smbd from blindly turning _NO_WINBINDD back on (This used to be commit 4ab372f4cab22225716b5c9a9a08f0c1dbc9928d)
2007-10-10r14480: Kill one boolean flag passed down :-)Volker Lendecke1-8/+6
(This used to be commit d9b85e3b287c24d2a3e2076da331fe06192b0eef)
2007-10-10r14474: Also flush the nscd caches before entering the main winbindd loop.Günther Deschner1-0/+22
Guenther (This used to be commit c81eb71834dc827db63c8adb3f816bbbe916473c)
2007-10-10r14468: Better fix to avoid winbind panic when we have an inproper configurationGünther Deschner1-3/+9
and want to just shutdown and exit. Guenther (This used to be commit 0aa6328ed6ba6d0d24169ffdff0099405c9bfb00)
2007-10-10r14467: Reverting 13660. This needs to be fixed differently.Günther Deschner1-8/+4
Guenther (This used to be commit 4157bfe9cfe79ff78e7e527a50058cf9103cab61)
2007-10-10r14403: * modifies create_local_nt_token() to create a BUILTIN\AdministratorsGerald Carter1-2/+2
group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes' * Add a SID domain to the group mapping enumeration passdb call to fix the checks for local and builtin groups. The SID can be NULL if you want the old semantics for internal maintenance. I only updated the tdb group mapping code. * remove any group mapping from the tdb that have a gid of -1 for better consistency with pdb_ldap.c. The fixes the problem with calling add_group_map() in the tdb code for unmapped groups which might have had a record present. * Ensure that we distinguish between groups in the BUILTIN and local machine domains via getgrnam() Other wise BUILTIN\Administrators & SERVER\Administrators would resolve to the same gid. * Doesn't strip the global_sam_name() from groups in the local machine's domain (this is required to work with 'winbind default domain' code) Still todo. * Fix fallback Administrators membership for root and domain Admins if nested groups = no or winbindd is not running * issues with "su - user -c 'groups'" command * There are a few outstanding issues with BUILTIN\Users that Windows apparently tends to assume. I worked around this presently with a manual group mapping but I do not think this is a good solution. So I'll probably add some similar as I did for Administrators. (This used to be commit 612979476aef62e8e8eef632fa6be7d30282bb83)
2007-10-10r13660: Attempt to better handle the failure that we cannot find our sid uponGünther Deschner1-4/+8
startup; don't panic, shutdown instead. Guenther (This used to be commit f209192e26c12fd48feb6195b724715fbada8b85)
2007-10-10r13492: As noone objected on the mailing-list:Günther Deschner1-4/+5
Fix parse_domain_user to fail when splitting a full name like "DOM\user" when "winbind use default domain" and "winbind trusted domains only" are not enabled. This allows pam_winbind to behave correctly when more modules are stacked in the "account" or "password" PAM facility. pam_winbindd calls WINBINDD_GETPWNAM which can decide whether or not a user is a winbind user and return correct PAM error codes. Guenther (This used to be commit e6d52c1e9d8cec7be6d552c2a67a392df21c3ec9)
2007-10-10r13316: Let the carnage begin....Gerald Carter1-6/+7
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r13024: Add is_null_sid.Günther Deschner1-2/+1
GUenther (This used to be commit 3a6e41a0cb2872a656ea79c8d4fc4b8bce436492)
2007-10-10r12133: Fix an uninitialized variable in new code in rpc_server/srv_samr_nt.c.Volker Lendecke1-1/+15
Fix winbind_lookup_name for the local domain, ie for aliases on a member server. Volker (This used to be commit 4ba50c823e8d61f87ab5627f15e826e73e45ffcc)
2007-10-10r10270: lowercase groupnames and groupmembers again.Günther Deschner1-0/+1
Guenther (This used to be commit 736dffb2a9907a6ca3fee51eb4a9f1da837303a0)
2007-10-10r10267: Exit if winbind can't find or generate a SID -- there's no point inVolker Lendecke1-1/+1
continuing. Found during investigation of bug 3105. Volker (This used to be commit 72546f185696235c9d5cb6196448178d9e15e858)
2007-10-10r10262: * Fix for getgrnam not returning builtin group (which is done by getentGünther Deschner1-1/+1
group) * Give a better debug message when returning builtin groups. Guenther (This used to be commit ec79971dc7606c1dfea3acf87cd19fa4153ae417)
2007-10-10r9780: Clean up a bunch of compiler warnings.James Peach1-1/+1
(This used to be commit 623d2e69319ffead31a780a4d6156dae45f386d7)
2007-10-10r9709: Fix two bugs found by Brian Moran: Any request sent to winbind while ↵Volker Lendecke1-1/+3
the child in question is still initializing overwrites domain->dcname. Only overwrite if the parent actually has sent a dcname and thus really knows it. Second, ntlm_auth needs the error code, not just the fact it failed. Jerry, the 3_0 part might qualify as a "recommended patch". Thanks, Volker (This used to be commit d79b179b7f9d2efa4f8ee47bfe386e90d8b58322)
2007-10-10r7882: Looks like a large patch - but what it actually does is make SambaJeremy Allison1-17/+17
safe for using our headers and linking with C++ modules. Stops us from using C++ reserved keywords in our code. Jeremy (This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a)
2007-10-10r7415: * big change -- volker's new async winbindd from trunkGerald Carter1-222/+378
(This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8)
2007-10-10r6682: patch from Qiao Yang <qyang@stbernard.com> to use out own DC when ↵Gerald Carter1-2/+7
getting the SID for a domain (This used to be commit 2e0941ebc1d6a9a9498cc5a9f072d501293f8933)
2007-10-10r6566: fix a couple of local group bugs.Gerald Carter1-1/+6
* ensure that we set full access on the handle returned from _samr_create_dom_alias() so that future set_alias commands succeed * fix bug when looking for internal domains in winbindd (caused winbindd_getgrgid() for local groups to fail). (This used to be commit 4615c96ccb8906af4eb1fbe6d0cbf6bb3bcc3fcf)
2007-10-10r6450: * fix typo in htlm_auth help messageGerald Carter1-4/+2
* add synonym for idmap_rid in better lining with other idmap backend names * remove old debug messages when idmap {uid|gid} options are not defined (This used to be commit 03ebf3ebfe83897d8c18e57ed378154d1377874b)
2007-10-10r6273: Remove some unused code, minor cleanupVolker Lendecke1-7/+1
(This used to be commit b451434e378e52e8ab6b932d7b26657ea9d0353c)
2007-10-10r6263: Get rid of generate_wellknown_sids, they are const static and ↵Volker Lendecke1-2/+1
initializable statically. Volker (This used to be commit 3493d9f383567d286e69c0e60c0708ed400a04d9)
2007-10-10r6225: get rid of warnings from my compiler about nested externsHerb Lewis1-6/+4
(This used to be commit efea76ac71412f8622cd233912309e91b9ea52da)
2007-10-10r6149: Fixes bugs #2498 and 2484.Derrell Lipman1-1/+1
1. using smbc_getxattr() et al, one may now request all access control entities in the ACL without getting all other NT attributes. 2. added the ability to exclude specified attributes from the result set provided by smbc_getxattr() et al, when requesting all attributes, all NT attributes, or all DOS attributes. 3. eliminated all compiler warnings, including when --enable-developer compiler flags are in use. removed -Wcast-qual flag from list, as that is specifically to force warnings in the case of casting away qualifiers. Note: In the process of eliminating compiler warnings, a few nasties were discovered. In the file libads/sasl.c, PRIVATE kerberos interfaces are being used; and in libsmb/clikrb5.c, both PRIAVE and DEPRECATED kerberos interfaces are being used. Someone who knows kerberos should look at these and determine if there is an alternate method of accomplishing the task. (This used to be commit 994694f7f26da5099f071e1381271a70407f33bb)
2007-10-10r6127: Eliminated all compiler warnings pertaining to mismatched ↵Derrell Lipman1-1/+1
"qualifiers". The whole of samba comiles warning-free with the default compiler flags. Temporarily defined -Wall to locate other potential problems. Found an unused static function (#ifdefed out rather than deleted, in case it's needed for something in progress). There are also a number of uses of undeclared functions, mostly krb5_*. Files with these problems need to have appropriate header files included, but they are not fixed in this update. oplock_linux.c.c has undefined functions capget() and capset(), which need to have "#undef _POSIX_SOURCE" specified before including <sys/capability.h>, but that could potentially have other side effects, so that remains uncorrected as well. The flag -Wall should be added permanently to CFLAGS, and all warnings then generated should be eliminated. (This used to be commit 5b19ede88ed80318e392f8017f4573fbb2ecbe0f)
2007-10-10r5336: BUG 2329: fix to re-enable winbindd to locate DC's when 'disable ↵Gerald Carter1-5/+0
netbios = yes' (This used to be commit 75a223f1188ae0041c9e3c748af107d642f73810)
2007-10-10r4258: strlower username, not (non-existing) domain_username.Günther Deschner1-1/+1
Guenther (This used to be commit 4f10666295ff7c086ac2a38e0a5f0ac80b57b9a0)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison1-2/+2
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r3140: * try to ensure consistent usage of the username map.Gerald Carter1-3/+4
Use the fully qualified DOMAIN\user format for 'security = domain|ads' and apply after authentication has succeeded. * also change fill_domain_username() to only lowercase the username and not the domain+username. This was a cosmetic fix only. makes the output more consistent with %D and %U. (This used to be commit 30ee2d5b0906d5cd73a8faf5170e5aebcc6d69c8)
2007-10-10r2584: After talking to jerry, commit the strlower patch to getent username andVolker Lendecke1-0/+1
groupnames. In template homedir, leave %D alone uppercased. Volker (This used to be commit dcb577f1cd8cf60557c0d061afeec206f58a6b31)