summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_util.c
AgeCommit message (Collapse)AuthorFilesLines
2002-11-02Some winbindd cleanups I made trying to fix cr1020:Tim Potter1-0/+86
- move winbindd client handling into accessor functions in winbindd_util.c - move some winbindd socket routines into accessor functions in winbindd_utils.c (The deadlock situation mentioned in the appliance branch is probably not applicable since we don't clear the connection cache on SIGHUP. Perhaps we should?) (This used to be commit 846b5494942c73e68616e7eae0d2fd5ae4b2bc05)
2002-10-23if trusted domains are disabled then we should not try to connect toAndrew Tridgell1-1/+6
them in winbindd (This used to be commit 6c7748b001836e4aa3e23dedfe28db3c8acc197a)
2002-10-15- we need to rescan the trusted domain list regularly to cope withAndrew Tridgell1-1/+1
transitive trusts, and trusts that are added while winbindd is running - removed an unnecessary call to time() (This used to be commit 14489ff30bb9eca2c55d36a69c0b45a2db339061)
2002-10-08merge from APP_HEADGerald Carter1-1/+1
* s/driverlocation/comment * detect native mode domain and enumerate local groups Also * Added sendfile stats from SAMBA_2_2 (This used to be commit 764b58e2c0b3179cffe157c0ab58761b156b8423)
2002-10-04merge native_mode flag in winbindd_domain struct from app-headGerald Carter1-1/+10
(This used to be commit dd948a302ad6bd4307ecdfb10510e12185150eae)
2002-08-18be a bit more paranoid about not getting duplicate domain names (canAndrew Tridgell1-2/+8
happen when the LDAP call to get the flatname for the primary domain fails) (This used to be commit 8d40f34e2f5188f15f414e807d023bfea7bd8c8e)
2002-08-05This fixes a number of ADS problems, particularly with netbioslessAndrew Tridgell1-41/+77
setups. - split up the ads structure into logical pieces. This makes it much easier to keep things like the authentication realm and the server realm separate (they can be different). - allow ads callers to specify that no sasl bind should be performed (used by "net ads info" for example) - fix an error with handing ADS_ERROR_SYSTEM() when errno is 0 - completely rewrote the code for finding the LDAP server. Now try DNS methods first, and try all DNS servers returned from the SRV DNS query, sorted by closeness to our interfaces (using the same sort code as we use in replies from WINS servers). This allows us to cope with ADS DCs that are down, and ensures we don't pick one that is on the other side of the country unless absolutely necessary. - recognise dnsRecords as binary when displaying them - cope with the realm not being configured in smb.conf (work it out from the LDAP server) - look at the trustDirection when looking up trusted domains and don't include trusts that trust our domains but we don't trust theirs. - use LDAP to query the alternate (netbios) name for a realm, and make sure that both and long and short forms of the name are accepted by winbindd. Use the short form by default for listing users/groups. - rescan the list of trusted domains every 5 minutes in case new trust relationships are added while winbindd is running - include transient trust relationships (ie. C trusts B, B trusts A, so C trusts A) in winbindd. - don't do a gratuituous node status lookup when finding an ADS DC (we don't need it and it could fail) - remove unused sid_to_distinguished_name function - make sure we find the allternate name of our primary domain when operating with a netbiosless ADS DC (using LDAP to do the lookup) - fixed the rpc trusted domain enumeration to support up to approx 2000 trusted domains (the old limit was 3) - use the IP for the remote_machine (%m) macro when the client doesn't supply us with a name via a netbios session request (eg. port 445) - if the client uses SPNEGO then use the machine name from the SPNEGO auth packet for remote_machine (%m) macro - add new 'net ads workgroup' command to find the netbios workgroup name for a realm (This used to be commit e358d7b24c86a46d8c361b9e32a25d4f71a6dc00)
2002-07-20Try to fix up warnings - particularly on the IRIX 64 bit compiler (which had aAndrew Bartlett1-1/+1
distinction between uchar and char). Lots of const etc. Andrew Bartlett (This used to be commit 8196ee908e10db2119e480fe1b0a71b31a16febc)
2002-07-11Merge of init_domain_list() fix from APPLIANCE_HEAD.Tim Potter1-3/+0
(This used to be commit 66c9cab369e38284c71572bfb3643538e253a451)
2002-06-18more debug classess activatedSimo Sorce1-0/+3
(This used to be commit 897e64d2e0c1d04ab93441ccaffe369bf43be46e)
2002-06-10Remove "sids.h" as it really wasn't being used anywhere, and was exportingAndrew Bartlett1-1/+0
the (now static) global_sam_sid. The only place it was being used was to return global_sid_NULL to some uid->sid functions - and I'm not convinced this is correct in any case. Andrew Bartlett (This used to be commit e2a76a7fc94dd59c09bba3cda91446fad9f8c0e0)
2002-03-09prevent a segv when a trusted domain is unavailable at startupAndrew Tridgell1-3/+2
(This used to be commit d5b5d3f8400a80c943809db9578a2d7317aa6d2d)
2002-02-27this allows us to support foreign SIDs in winbindd and smbdAndrew Tridgell1-1/+1
this means "xcopy /o" has a chance of working with ACLs that contain ACEs that use SIDs that the Samba server has no knowledge of. It's a bit hackish, Tim, can you look at my uid.c changes? (This used to be commit fe2db3148587937aa7b674c1c99036d42a3776b3)
2002-01-30Removed version number from file header.Tim Potter1-1/+1
Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2002-01-26Change the winbind interface to use seperate 'domain' and 'username' feilds forAndrew Bartlett1-1/+0
the sid->uid and uid->sid conversions. Remove some duplicate arguments from these funcitons, and update the request/response structures for this and the 'winbind domain name' feature. As such 'winbindd_lookup_name' now takes both a domain and username. (This used to be commit ce1b4d4c309e4a60bec5a53224585bd504264672)
2002-01-20This patch makes the 'winbind use default domain' code interact better withAndrew Bartlett1-22/+5
smbd, and also makes it much cleaner inside winbindd. It is mostly my code, with a few changes and testing performed by Alexander Bokovoy <a.bokovoy@sam-solutions.net>. ab has tested it in security=domain and security=ads, but more testing is always appricatiated. The idea is that we no longer cart around a 'domain\user' string, we keep them seperate until the last moment - when we push that string into a pwent on onto the socket. This removes the need to be constantly parsing that string - the domain prefix is almost always already provided, (only a couple of functions actually changed arguments in all this). Some consequential changes to the RPC client code, to stop it concatonating the two strings (it now passes them both back as params). I havn't changed the cache code, however the usernames will no longer have a double domain prefix in the key string. The actual structures are unchanged - but the meaning of 'username' in the 'rid' will have changed. (The cache is invalidated at startup, so on-disk formats are not an issue here). Andrew Bartlett (This used to be commit e870f0e727952aeb8599cf93ad2650ae56eca033)
2002-01-18This is the 'winbind default domain' patch from Alexander BokovoyAndrew Bartlett1-4/+52
<a.bokovoy@sam-solutions.net>. The idea is the domain\username is rather harsh for unix systems - people don't expect to have to FTP, SSH and (in particular) e-mail with a username like that. This 'corrects' that - but is not without its own problems. As you can see from the changes to files like username.c and wb_client.c (smbd's winbind client code) a lot of assumptions are made in a lot of places about lp_winbind_seperator determining a users's status as a domain or local user. The main change I will shortly be making is to investigate and kill off winbind_initgroups() - as far as I know it was a workaround for an old bug in winbind itself (and a bug in RH 5.2) and should no longer be relevent. I am also going to move to using the 'winbind uid' and 'winbind gid' paramaters to determine a user/groups's 'local' status, rather than the presence of the seperator. As such, this functionality is recommended for servers providing unix services, but is currently less than optimal for windows clients. (TODO: remove all references to lp_winbind_seperator() and lp_winbind_use_default_domain() from smbd) Andrew Bartlett (This used to be commit 07a21fcd2311d2d9b430b99303e3532a8c1159e4)
2002-01-11Always query the PDC for the list of trusted domains rather than interatingTim Potter1-55/+90
the list received at startup or we get an out of date list. I thought there might be some sequence number that is incremented when a trusted domain is added or removed - perhaps there is but I just haven't found it yet. - Renamed get_domain_info() to init_domain_list() - Made an accessor function to return the list of trusted domains rather than using a global so we don't have to remember to put a magic init function - The getent state can not keep a pointer to a winbind_domain structure as it may be freed if init_domain_list() is called again so we keep the domain name instead (This used to be commit 37216c649a394b449eaaaa6644709eafb3bf37ff)
2002-01-10A big tidyup while thinking about getting trusted domains being re-readTim Potter1-17/+22
when they are added or removed on the PDC. - renamed GETPWNAM_FROM_{UID,USER} constants and functions to GETPW{NAM,UID} - renamed GETGRNAM_FROM_{GID,GROUP} constants and functions to GETGR{NAM,GID} - use SIGUSR2 in winbindd for debugging/logging instead of SIGUSR1 in preparation for moving to smbcontrol type messages (not sure whether to ditch this altogether or not) - tidy debugging messages in top level winbind user and group routines - convert talloc_init() to talloc_init_named() - make enumerations of the domain list use the same local variable names (This used to be commit eeb8af9c1a66bfcd80823d7b406acbab79857a16)
2001-12-19added trusted realm support to ADS authenticationAndrew Tridgell1-1/+5
the method used for checking if a domain is a trusted domain is very crude, we should really call a backend fn of some sort. For now I'm using winbindd to do the dirty work. (This used to be commit adf44a9bd0d997ba4dcfadc564a29149531525af)
2001-12-19- added initial support for trusted domains in winbindd_adsAndrew Tridgell1-3/+7
- gss error code patch from a.bokovoy@sam-solutions.net - better sid dumping in ads_dump - fixed help in wbinfo (This used to be commit ee1c3e1f044b4ef62169ad74c5cac40eef81bfda)
2001-12-10moved the domain sid lookup and enumeration of trusted domains intoAndrew Tridgell1-105/+24
the backends at startup, loop until we get the domain sid for our primary domain, trying every 10 seconds. This makes winbindd handle a room-wide power failure better (This used to be commit 7c60ae59378be1b2af2e57ee3927966a29a797a5)
2001-12-09completely new winbindd cache infrastructureAndrew Tridgell1-144/+7
this one looks like just another winbind backend, and has the following properties: - does -ve and +ve cacheing of all queries - can be disabled with -n switch to winbindd - stores all records packed, so even huge domains are not a problem for a complete cache - handles the server being down - uses sequence numbers for all entries This fixes a lot of problems with winbindd. Serving from cache is now *very* fast. (This used to be commit fddb4f4c04473a60a97212c0c8e143d6a4d68380)
2001-12-05moved the sequence number fetch into the backend, and fetch theAndrew Tridgell1-21/+1
sequence number via ldap when using ads (This used to be commit 9a084f0bb91883224ad44e2b76417d10c15cce42)
2001-12-05finally worked out how to do ldap lookups by binary blobs, so I canAndrew Tridgell1-101/+0
now do searches on SID. This allows me to do a true ldap sid_to_name() function one one function to go! (This used to be commit 7d44aa3915bc88fd2b2f8454f190b11677cbb848)
2001-12-05Fixed parse_domain_user to be bool.Jeremy Allison1-16/+5
Jeremy. (This used to be commit 9563de2ef8c1197f4941671d2fdade7d933c32d0)
2001-12-04moved lookup_usergroups() into the backend structureAndrew Tridgell1-56/+0
(This used to be commit 689f45d2079d06b09947b2cdd314867df98c938d)
2001-12-04added a query_user backendAndrew Tridgell1-55/+0
fixed a winbindd crash when the group membership can't be looked up (This used to be commit 088f4cc5be4a1a38781e4d019146d53993ed8c6f)
2001-12-03put sid_to_name behind the winbindd backend interfaceAndrew Tridgell1-27/+7
I spent quite a while trying to work out how to make this call via ldap and failed. I then found that MS servers seem use rpc for sid_to_name, and it works even when in native mode, I ended up just implementing it via rpc (This used to be commit 789833b44e342c0b5de463ed8f9b5f7474a99f27)
2001-12-03added name_to_sid to the backendAndrew Tridgell1-78/+32
(This used to be commit 816e40a51af80a7f703c0451304de406deab3dd8)
2001-12-03added a basic ADS backend to winbind. More work needed, but atAndrew Tridgell1-2/+16
least basic operations work (This used to be commit 88241cab983b2c7db7d477c6c4654694a7a56cd3)
2001-12-03split winbindd_enum_dom_groups into the new backend structureAndrew Tridgell1-71/+2
also created winbindd_rpc.c which contains the functions that have been converted to the new structure. There will soon be a winbindd_ads.c for the ldap backend (This used to be commit e4ccc602ba65838646f2632120069f3274619dd9)
2001-12-01The beginnings of alternative backends for winbinddAndrew Tridgell1-10/+37
This just splits off the dispinfo call behind a methods structure. I'll split off a few more functions soon, then we will be ready for LDAP replacement methods (This used to be commit 0216b0fca115c903ec31ed21427a83c62077dc95)
2001-11-27Added negative caching to the user pw lookup by name and by uid.Jeremy Allison1-80/+82
Jeremy. (This used to be commit 4013ae87a1c73ceba346de2a0b905e7c8df355c4)
2001-11-26Another merge from appliance-head: in [ug]id_to_sid don't call theTim Potter1-47/+7
winbind function if the id is obviously going to be local. Cleanup of winbind [ug]id parameter handling. (This used to be commit 4ab9ca31a02b3388aa89a00e0390ea9e4c76283a)
2001-11-26Removed bogus SAFE_FREE() call of talloced return data fromTim Potter1-8/+2
winbindd_lookup_usergroups() (This used to be commit dd2048c418da7a08bc71305491953731fc427f5a)
2001-11-26Fixed some indentation.Tim Potter1-2/+2
(This used to be commit 1dd462844a9b90b498ee79ca33e4048980e2af5f)
2001-11-23Set type to NOTUSED if lookup fail.Jeremy Allison1-0/+1
Jeremy. (This used to be commit 20a4167599ce211f239d0f324e7e73a1c2d8a5a6)
2001-11-23Finish 1.45 by removing redundant sid->string conversion inMartin Pool1-14/+44
winbindd_lookup_sid_by_name. Also if the lookup fails then clobber the output parameters rather than leaving them looking potentially valid. Add doxygen. (This used to be commit 61dba52a549039255e46393be1618d3eb54b79dd)
2001-11-23I think you were passing the name of the SID, rather than the DOM_SIDMartin Pool1-1/+1
pointer itself. (Whatever that is.... ;-) (This used to be commit 1393c7c4ede1d6d624c3f5d0bfa4c18b0c6dc27f)
2001-11-22Got positive and negative name caching working correctly with ↵Jeremy Allison1-43/+47
lookupname/lookupsid. There was a bug in cli_lsa_lookup_name/lookup_sid where NT_STATUS_NONE_MAPPED was being mapped to NT_STATUS_OK, and also the *wrong* number of entries mapped was being returned. The correct field is mapped_count, *NOT* num_entries. Jeremy. (This used to be commit 9f8c644abc455510c06dbd5dbac49c6270746560)
2001-11-22Fixed +ve caching. Still problems with -ve caching.Jeremy Allison1-105/+115
Jeremy. (This used to be commit 7883a2288a6e3198e10ab4e02ed4585e7bb313f6)
2001-11-22Fixed caching of lookupname/lookupsid. Error in check of success !Jeremy Allison1-2/+8
Jeremy. (This used to be commit d039d4fa507a7284e7e1cada0026c63863fe0a2d)
2001-11-21W2K doesn't seem to respond to *#0 names in node status. Ensure nameJeremy Allison1-25/+24
lookup uses password server parameter when looking for PDCs. Jeremy. (This used to be commit 54c968913d6553c6d834b068234ab176917075eb)
2001-11-21Added transparent +ve caching for lookupname/lookupsid. -ve caching canJeremy Allison1-105/+231
be easily added (a one liner) once we know the correct error codes returned by a W2K DC. All other winbindd calls should go through a similar transparent caching layer (and will soon). Jeremy. (This used to be commit b16bb21d371772816a4331f5011c151be0e083d5)
2001-11-19Merge from 2.2.Tim Potter1-1/+1
(This used to be commit ebd46aebf921c0026791ffb0afdcffaecb496e8c)
2001-11-15Caching user, group and domain sam handles was a stupid idea.Tim Potter1-20/+133
Now we just keep a record of the open pipes. (This used to be commit 77c287e9460eed7bde7004c7e6c8cb0099c6ba6f)
2001-11-15Added free_domain_info() function.Tim Potter1-0/+27
Get list of trusted domains if we haven't fetched them yet. (This used to be commit ed16aa88a422e759d27dbfae39afc72250c80e8d)
2001-10-31Added some extra fields to the auth_serversupplied_info structure.Tim Potter1-3/+7
To obtain the full group membership of a user (i.e nested groups on a win2k native mode server) it is necessary to merge this list of groups with the groups returned by winbindd when creating an nt access token. This breaks winbindd linking while AB and I sync up our changes to the authentication subsystem. (This used to be commit 4eeb7bcd783d7cfb3ac232f1faa035773007401d)
2001-10-29Don't reference tallocated memory that has already been disposed of. TheTim Potter1-7/+2
cli_samr_query_userinfo function used to do this. (This used to be commit da2c167660ec12360354f96dc672d935f58dd9c0)