summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_util.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r6263: Get rid of generate_wellknown_sids, they are const static and ↵Volker Lendecke1-2/+1
initializable statically. Volker (This used to be commit 3493d9f383567d286e69c0e60c0708ed400a04d9)
2007-10-10r6225: get rid of warnings from my compiler about nested externsHerb Lewis1-6/+4
(This used to be commit efea76ac71412f8622cd233912309e91b9ea52da)
2007-10-10r6149: Fixes bugs #2498 and 2484.Derrell Lipman1-1/+1
1. using smbc_getxattr() et al, one may now request all access control entities in the ACL without getting all other NT attributes. 2. added the ability to exclude specified attributes from the result set provided by smbc_getxattr() et al, when requesting all attributes, all NT attributes, or all DOS attributes. 3. eliminated all compiler warnings, including when --enable-developer compiler flags are in use. removed -Wcast-qual flag from list, as that is specifically to force warnings in the case of casting away qualifiers. Note: In the process of eliminating compiler warnings, a few nasties were discovered. In the file libads/sasl.c, PRIVATE kerberos interfaces are being used; and in libsmb/clikrb5.c, both PRIAVE and DEPRECATED kerberos interfaces are being used. Someone who knows kerberos should look at these and determine if there is an alternate method of accomplishing the task. (This used to be commit 994694f7f26da5099f071e1381271a70407f33bb)
2007-10-10r6127: Eliminated all compiler warnings pertaining to mismatched ↵Derrell Lipman1-1/+1
"qualifiers". The whole of samba comiles warning-free with the default compiler flags. Temporarily defined -Wall to locate other potential problems. Found an unused static function (#ifdefed out rather than deleted, in case it's needed for something in progress). There are also a number of uses of undeclared functions, mostly krb5_*. Files with these problems need to have appropriate header files included, but they are not fixed in this update. oplock_linux.c.c has undefined functions capget() and capset(), which need to have "#undef _POSIX_SOURCE" specified before including <sys/capability.h>, but that could potentially have other side effects, so that remains uncorrected as well. The flag -Wall should be added permanently to CFLAGS, and all warnings then generated should be eliminated. (This used to be commit 5b19ede88ed80318e392f8017f4573fbb2ecbe0f)
2007-10-10r5336: BUG 2329: fix to re-enable winbindd to locate DC's when 'disable ↵Gerald Carter1-5/+0
netbios = yes' (This used to be commit 75a223f1188ae0041c9e3c748af107d642f73810)
2007-10-10r4258: strlower username, not (non-existing) domain_username.Günther Deschner1-1/+1
Guenther (This used to be commit 4f10666295ff7c086ac2a38e0a5f0ac80b57b9a0)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison1-2/+2
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r3140: * try to ensure consistent usage of the username map.Gerald Carter1-3/+4
Use the fully qualified DOMAIN\user format for 'security = domain|ads' and apply after authentication has succeeded. * also change fill_domain_username() to only lowercase the username and not the domain+username. This was a cosmetic fix only. makes the output more consistent with %D and %U. (This used to be commit 30ee2d5b0906d5cd73a8faf5170e5aebcc6d69c8)
2007-10-10r2584: After talking to jerry, commit the strlower patch to getent username andVolker Lendecke1-0/+1
groupnames. In template homedir, leave %D alone uppercased. Volker (This used to be commit dcb577f1cd8cf60557c0d061afeec206f58a6b31)
2007-10-10r2265: Volkers change to HEAD looks very good. Commit messageJeremy Allison1-0/+8
from HEAD follows : While torturing winbind a bit I found the following unfortunate behaviour: Sending multiple requests at a high rate for a slow operation exposed that no response comes back until the last request in the queue has been processed. This is an unfortunate result of serially going through all sockets> that have shown to be readable or writable. All client sockets become readable> at the same time, none of them is writable. We go through them, read the request, process the complete request. Before we enter the select system call the next time all requests have to have completed. This patch optimizes this by first looking at the sockets for writability. A write on a socket that came back from select does not block, so this additional loop might have a non-zero cost, but it can't prevent other operations from proceeding. After a possibly long-running winbindd_process() we directly start select() again. To avoid starvation the currently processed client is demoted to be the> last one in the list of clients. Jeremy. (This used to be commit bfdeb22c69d09eb73305b6034fa6d0ec67275789)
2007-10-10r1127: Finding trusted domains is not so important as to require a DEBUG(1).Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 999b2501a14d1f611f6bfe1f800a852825a21526)
2007-10-10r294: checking in volker's winbindd patches; tested on domain members (Samba ↵Gerald Carter1-35/+69
and AD) as well as on a Samba DC (This used to be commit 157d53782d6a7d0b7e30676a674ff2a25a15369c)
2007-10-10r139: Apply some constVolker Lendecke1-1/+1
(This used to be commit 3eab8ed5453f29516d8e0022bab87c271468d690)
2007-10-10r116: volker's patch for local group and group nestingGerald Carter1-2/+41
(This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-02-10fix more compiler warning after the latest static rampageGerald Carter1-28/+28
(This used to be commit 4f97988dd652983b7cdbb2f2e5a85c9d97ec697e)
2004-02-08nsswitch/winbindd_util.c:Andrew Bartlett1-1/+1
add static smbd/uid.c: remove unused function Andrew Bartlett (This used to be commit ab25af0e18d883757775a85f005775a79a86dcc8)
2004-01-08fix segfault when sid_ptr == 0 in DsEnumDomainTrusts() replyGerald Carter1-3/+2
(This used to be commit ba9dc0d9fd3e30a7ddf97b6a4df753db7ba12cc1)
2004-01-08This merges in my 'always use ADS' patch. Tested on a mix of NT and ADSAndrew Bartlett1-10/+29
domains, this patch ensures that we always use the ADS backend when security=ADS, and the remote server is capable. The routines used for this behaviour have been upgraded to modern Samba codeing standards. This is a change in behaviour for mixed mode domains, and if the trusted domain cannot be reached with our current krb5.conf file, we will show that domain as disconnected. This is in line with existing behaviour for native mode domains, and for our primary domain. As a consequence of testing this patch, I found that our kerberos error handling was well below par - we would often throw away useful error values. These changes move more routines to ADS_STATUS to return kerberos errors. Also found when valgrinding the setup, fix a few memory leaks. While sniffing the resultant connections, I noticed we would query our list of trusted domains twice - so I have reworked some of the code to avoid that. Andrew Bartlett (This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
2004-01-07Machines are people too!Andrew Bartlett1-5/+1
While machine accounts cannot use an NTLM login (NT4 style), they are otherwise full and valid members of the domain, and expect to be able to use kerberos to connect to CIFS servers. This means that the LocalSystem account, used by various services, can perform things like backups, without the admin needing to enter further passwords. This particular issue (bug 722) has started to come up a lot on the lists. I have only enabled it for winbindd-based systems, as the macros use use to call the 'add user script' will strip the $ from the username for security reasons. Andrew Bartlett (This used to be commit 6a9bbd1da3bb961d24e74348fa0b68574022855f)
2004-01-05Fix warningVolker Lendecke1-1/+1
Volker (This used to be commit 541e6998a06ac523ad794b10f4e7a46951a06726)
2004-01-05Change our Domain controller lookup routines to more carefully seperateAndrew Bartlett1-6/+4
DNS names (realms) from NetBIOS domain names. Until now, we would experience delays as we broadcast lookups for DNS names onto the local network segments. Now if DNS comes back negative, we fall straight back to looking up the short name. Andrew Bartlett (This used to be commit 32397c8b01f1dec7b05140d210bb32f836a80ca6)
2003-12-31Changes to our PAM code to cope with the fact that we can't handle someAndrew Bartlett1-3/+1
domains (in particular, the domain of the current machine, if it is not a PDC) By changing the error codes, we now return values that PAM can correctly use for better stacking of PAM modules - in particular of the password change module. This allows pam_winbind to co-exist with other pam modules for password changes. Andrew Bartlett (This used to be commit 6a8cc7f0122ac4dd5b10ff1160735ef1a177d448)
2003-12-31Jerry rightly complained that we can't assume that the first domain isAndrew Bartlett1-3/+21
our primary domain - new domains are added to the front of the list. :-( Use a much more reliable 'flag test' instead. (note: changes winbind structures, make clean). Andrew Bartlett (This used to be commit cc050e01370633a985c9878bdce297f9175fdbf7)
2003-12-31auth/auth_util.c:Andrew Bartlett1-14/+46
- Fill in the 'backup' idea of a domain, if the DC didn't supply one. This doesn't seem to occour in reality, hence why we missed the typo. lib/charcnv.c: lib/smbldap.c: libads/ldap.c: libsmb/libsmbclient.c: printing/nt_printing.c: - all the callers to pull_utf8_allocate() pass a char ** as the first parammeter, so don't make them all cast it to a void ** nsswitch/winbind_util.c: - Allow for a more 'correct' view of when usernames should be qualified in winbindd. If we are a PDC, or have 'winbind trusted domains only', then for the authentication returns stip the domain portion. - Fix valgrind warning about use of free()ed name when looking up our local domain. lp_workgroup() is maniplated inside a procedure that uses it's former value. Instead, use the fact that our local domain is always the first in the list. Andrew Bartlett (This used to be commit 494781f628683d6e68e8ba21ae54f738727e8c21)
2003-11-12a small include file rearrangement that doesn't affect normalAndrew Tridgell1-0/+1
compilation, but that allows Samba3 to take advantage of pre-compiled headers in gcc if available. (This used to be commit b3e024ce1da7c7e24fcacd8a2964dd2e4562ba39)
2003-10-22Put strcasecmp/strncasecmp on the banned list (except for needed callsJeremy Allison1-4/+4
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at all and I really want to discourage that. Jeremy. (This used to be commit d7e35dfb9283d560d0ed2ab231f36ed92767dace)
2003-09-22fix some warnings found by the Sun C compilerGerald Carter1-1/+0
(This used to be commit e1fac713e25692a5790c3261ba323732930f5249)
2003-09-05fixes for ads domain membership when only the realm is defined inGerald Carter1-11/+24
smb.conf Fixes to ensure we work with disable netbios = yes (This used to be commit 3913e43724870c62a0d77ec3e73cbe9480cb6247)
2003-08-27Typo fix.Rafal Szczesniak1-1/+1
(This used to be commit 934fb418a3a3628ee4cde699df872bc1035fc769)
2003-08-27Update last scan time in rescan_trusted_domains().Tim Potter1-0/+2
Fix from Ken Cross. (This used to be commit 45775b48a0d91390aa698b750d59cda0150cfbd0)
2003-08-25make sure we keep the trusted domain cache up to dateGerald Carter1-2/+31
(This used to be commit 3324adcaceb9191b5d4d671ac9b51c85c6714598)
2003-08-15get rid of more compiler warningsHerb Lewis1-1/+1
(This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669)
2003-08-08fix 2 bugs:Gerald Carter1-32/+29
1) don't ask trusted DC's for a list of trusted domains. This causes us to treat non-transitive ones as if they were transitive. Not needed anyways 2) Fix dc lookup bug where we would always try to use DNS to resolve the DC's for a domain (even if it was a trusted NT4 domain). (This used to be commit 4d3acce5066d3adf53ee8fbaa627c42523b3cbc3)
2003-08-01fix cut-n-paste error found by abartletGerald Carter1-8/+10
(This used to be commit 042492b862c4f2389086275dd8a0e044d7432537)
2003-07-31make sure the domain sid is set when enumerating trusted domainsGerald Carter1-1/+24
(we don't always get it back) (This used to be commit 6e8f23d1b1dd5122691cd9363a5c572fcab182af)
2003-07-31working on transtive trusts issue:Gerald Carter1-4/+54
* use DsEnumerateDomainTrusts() instead of LDAP search. wbinfo -m now lists all trusted downlevel domains and all domains in the forest. Thnigs to do: o Look at Krb5 connection trusted domains o make sure to initial the trusted domain cache as soon as possible (This used to be commit 0ab00ccaedf204b39c86a9e1c2fcac5f15d0e033)
2003-07-10Just a few formatting fixed caught while testing.Rafal Szczesniak1-4/+0
rafal (This used to be commit 156554738cf4e4ffa5a811d9979acd19418e7908)
2003-07-09Large set of changes to add UNIX account/group managementGerald Carter1-6/+10
to winbindd. See README.idmap-and-winbind-changes for details. (This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6)
2003-07-03Removed strupper/strlower macros that automatically map to ↵Jeremy Allison1-1/+1
strupper_m/strlower_m. I really want people to think about when they're using multibyte strings. Jeremy. (This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
2003-06-24Explain why winbindd is exiting.Jeremy Allison1-2/+4
Jeremy. (This used to be commit a411923aa2eba9dac49efb68ed31650c11b5c33d)
2003-06-24add tdb backup function separation and winbind idmap upgrade code formSimo Sorce1-0/+206
pre-2.2.4 tdb database format. tx volker for your work on this (This used to be commit 2bdbeb9e97a59ecd16f74fbb04ab5ca57b28a757)
2003-06-10- fixed the bug that forced us not to use the winbindd cache when weAndrew Tridgell1-2/+3
have a primary ADS domain and a secondary (trusted) NT4 domain. This caused winbindd to be *really* slow for that setup. - fixed winbindd_getgrgid(), which was calling uid_to_sid instead of gid_to_sid(). When you make changes to winbind *PLEASE* test using nsstest. (This used to be commit cdd9b60a078b63e22f543d4c8d0956ff536f4d89)
2003-06-03* set winbind cache time to 5 minutesGerald Carter1-6/+4
* quit obsessing over the sequence number so much * share the updated sequence number between parent and child winbindd processes in dual mode (This used to be commit 6f99cafa95b2a9dc98d8272fe6a54e9d37098340)
2003-05-12And finally IDMAP in 3_0Simo Sorce1-5/+4
We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-04-29remove convert_smbpasswd and addtosmbpass from tree; people can get them ↵Gerald Carter1-2/+3
from 2.2. if they still need them (This used to be commit 237857a760974bb02000e5d3a776240ec73ca6b6)
2003-04-23Merge HEAD's winbind into 3.0.Andrew Bartlett1-7/+33
This includes the 'SIDs Rule' patch, mimir's trusted domains cacheing code, the winbind_idmap abstraction (not idmap proper, but the stuff that held up the winbind LDAP backend in HEAD). Andrew Bartlett (This used to be commit d4d5e6c2ee6383c6cceb5d449aa2ba6c83eb0666)
2003-03-24(merge from HEAD)Andrew Bartlett1-0/+24
NTLM Authentication: - Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664)
2003-02-14Mop and bucket for trusted domain enumeration fix.Tim Potter1-6/+7
(This used to be commit 5cfb30551a713caa3d69406450c1eac4541a30fa)
2003-01-15Merge of holding pattern stuff from HEAD.Tim Potter1-21/+5
(This used to be commit bf8bb62023bcd38e5bc53ef1ac2183360d6ff734)
2002-12-20Forward port the change to talloc_init() to make all talloc contextsJeremy Allison1-2/+2
named. Ensure we can query them. Jeremy. (This used to be commit 09a218a9f6fb0bd922940467bf8500eb4f1bcf84)