Age | Commit message (Collapse) | Author | Files | Lines |
|
a Klocwork issue (#1844). Remove it
Jeremy.
(This used to be commit e83c3e0a65edeb423d964488e219e30d023b13e8)
|
|
Guenther
(This used to be commit 2678582c6cc7fb100cb3bfd867816878461ae7b4)
|
|
own when runing on a Samba DC (since we don't implement the getdcname() call that well
(This used to be commit 39f7ff75a7a21b85b54cba954f1c5552e562be5c)
|
|
more scalable:
The most efficient way is to use the "tokenGroups" attribute which gives
the nested group membership. As this attribute can not always be
retrieved when binding with the machine account (the only garanteed way
to get the tokenGroups I could find is when the machine account is a
member of the "Pre Win2k Access" builtin group).
Our current fallback when "tokenGroups" failed is looking for all groups
where the userdn was in the "member" attribute. This behaves not very
well in very large AD domains.
The patch first tries the "memberOf" attribute on the user's dn in that
case and directly retrieves the group's sids by using the LDAP Extended
DN control from the user's object.
The way to pass down the control to the ldap search call is rather
painfull and probably will be rearranged later on.
Successfully tested on win2k sp0, win2k sp4, wink3 sp1 and win2k3 r2.
Guenther
(This used to be commit 7d766b5505e4099ef7dd4e88bb000ebe38d71bd0)
|
|
query the samlogon cache first as well.
Guenther
(This used to be commit aa52b11dd450ca3ec1f156e17822b1c4971ef915)
|
|
winbindd server
(This used to be commit a95d11345e76948b147bbc1f29a05c978d99a47a)
|
|
* depreacte 'acl group control' after discussion with Jeremy
and implement functionality as part of 'dos filemode'
* fix winbindd on a non-member server to expand local groups
* prevent code previously only used by smbd from blindly
turning _NO_WINBINDD back on
(This used to be commit 4ab372f4cab22225716b5c9a9a08f0c1dbc9928d)
|
|
(This used to be commit d9b85e3b287c24d2a3e2076da331fe06192b0eef)
|
|
Guenther
(This used to be commit c81eb71834dc827db63c8adb3f816bbbe916473c)
|
|
and want to just shutdown and exit.
Guenther
(This used to be commit 0aa6328ed6ba6d0d24169ffdff0099405c9bfb00)
|
|
Guenther
(This used to be commit 4157bfe9cfe79ff78e7e527a50058cf9103cab61)
|
|
group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes'
* Add a SID domain to the group mapping enumeration passdb call
to fix the checks for local and builtin groups. The SID can be
NULL if you want the old semantics for internal maintenance.
I only updated the tdb group mapping code.
* remove any group mapping from the tdb that have a
gid of -1 for better consistency with pdb_ldap.c.
The fixes the problem with calling add_group_map() in
the tdb code for unmapped groups which might have had
a record present.
* Ensure that we distinguish between groups in the
BUILTIN and local machine domains via getgrnam()
Other wise BUILTIN\Administrators & SERVER\Administrators
would resolve to the same gid.
* Doesn't strip the global_sam_name() from groups in the
local machine's domain (this is required to work with
'winbind default domain' code)
Still todo.
* Fix fallback Administrators membership for root and domain Admins
if nested groups = no or winbindd is not running
* issues with "su - user -c 'groups'" command
* There are a few outstanding issues with BUILTIN\Users that
Windows apparently tends to assume. I worked around this
presently with a manual group mapping but I do not think
this is a good solution. So I'll probably add some similar
as I did for Administrators.
(This used to be commit 612979476aef62e8e8eef632fa6be7d30282bb83)
|
|
startup; don't panic, shutdown instead.
Guenther
(This used to be commit f209192e26c12fd48feb6195b724715fbada8b85)
|
|
Fix parse_domain_user to fail when splitting a full name like "DOM\user"
when "winbind use default domain" and "winbind trusted domains only" are
not enabled.
This allows pam_winbind to behave correctly when more modules are
stacked in the "account" or "password" PAM facility. pam_winbindd calls
WINBINDD_GETPWNAM which can decide whether or not a user is a winbind
user and return correct PAM error codes.
Guenther
(This used to be commit e6d52c1e9d8cec7be6d552c2a67a392df21c3ec9)
|
|
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
|
|
GUenther
(This used to be commit 3a6e41a0cb2872a656ea79c8d4fc4b8bce436492)
|
|
Fix winbind_lookup_name for the local domain, ie for aliases on a member
server.
Volker
(This used to be commit 4ba50c823e8d61f87ab5627f15e826e73e45ffcc)
|
|
Guenther
(This used to be commit 736dffb2a9907a6ca3fee51eb4a9f1da837303a0)
|
|
continuing. Found during investigation of bug 3105.
Volker
(This used to be commit 72546f185696235c9d5cb6196448178d9e15e858)
|
|
group)
* Give a better debug message when returning builtin groups.
Guenther
(This used to be commit ec79971dc7606c1dfea3acf87cd19fa4153ae417)
|
|
(This used to be commit 623d2e69319ffead31a780a4d6156dae45f386d7)
|
|
the child
in question is still initializing overwrites domain->dcname. Only overwrite if
the parent actually has sent a dcname and thus really knows it. Second,
ntlm_auth needs the error code, not just the fact it failed.
Jerry, the 3_0 part might qualify as a "recommended patch".
Thanks,
Volker
(This used to be commit d79b179b7f9d2efa4f8ee47bfe386e90d8b58322)
|
|
safe for using our headers and linking with C++ modules. Stops us
from using C++ reserved keywords in our code.
Jeremy
(This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a)
|
|
(This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8)
|
|
getting the SID for a domain
(This used to be commit 2e0941ebc1d6a9a9498cc5a9f072d501293f8933)
|
|
* ensure that we set full access on the handle
returned from _samr_create_dom_alias() so that
future set_alias commands succeed
* fix bug when looking for internal domains in winbindd
(caused winbindd_getgrgid() for local groups to fail).
(This used to be commit 4615c96ccb8906af4eb1fbe6d0cbf6bb3bcc3fcf)
|
|
* add synonym for idmap_rid in better lining with
other idmap backend names
* remove old debug messages when idmap {uid|gid} options
are not defined
(This used to be commit 03ebf3ebfe83897d8c18e57ed378154d1377874b)
|
|
(This used to be commit b451434e378e52e8ab6b932d7b26657ea9d0353c)
|
|
initializable
statically.
Volker
(This used to be commit 3493d9f383567d286e69c0e60c0708ed400a04d9)
|
|
(This used to be commit efea76ac71412f8622cd233912309e91b9ea52da)
|
|
1. using smbc_getxattr() et al, one may now request all access control
entities in the ACL without getting all other NT attributes.
2. added the ability to exclude specified attributes from the result set
provided by smbc_getxattr() et al, when requesting all attributes,
all NT attributes, or all DOS attributes.
3. eliminated all compiler warnings, including when --enable-developer
compiler flags are in use. removed -Wcast-qual flag from list, as that
is specifically to force warnings in the case of casting away qualifiers.
Note: In the process of eliminating compiler warnings, a few nasties were
discovered. In the file libads/sasl.c, PRIVATE kerberos interfaces
are being used; and in libsmb/clikrb5.c, both PRIAVE and DEPRECATED
kerberos interfaces are being used. Someone who knows kerberos
should look at these and determine if there is an alternate method
of accomplishing the task.
(This used to be commit 994694f7f26da5099f071e1381271a70407f33bb)
|
|
"qualifiers". The
whole of samba comiles warning-free with the default compiler flags.
Temporarily defined -Wall to locate other potential problems. Found an
unused static function (#ifdefed out rather than deleted, in case it's
needed for something in progress).
There are also a number of uses of undeclared functions, mostly krb5_*.
Files with these problems need to have appropriate header files included,
but they are not fixed in this update.
oplock_linux.c.c has undefined functions capget() and capset(), which need
to have "#undef _POSIX_SOURCE" specified before including <sys/capability.h>,
but that could potentially have other side effects, so that remains uncorrected
as well.
The flag -Wall should be added permanently to CFLAGS, and all warnings then
generated should be eliminated.
(This used to be commit 5b19ede88ed80318e392f8017f4573fbb2ecbe0f)
|
|
netbios = yes'
(This used to be commit 75a223f1188ae0041c9e3c748af107d642f73810)
|
|
Guenther
(This used to be commit 4f10666295ff7c086ac2a38e0a5f0ac80b57b9a0)
|
|
allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
|
|
Use the fully qualified DOMAIN\user format for 'security = domain|ads'
and apply after authentication has succeeded.
* also change fill_domain_username() to only lowercase the username
and not the domain+username. This was a cosmetic fix only.
makes the output more consistent with %D and %U.
(This used to be commit 30ee2d5b0906d5cd73a8faf5170e5aebcc6d69c8)
|
|
groupnames. In template homedir, leave %D alone uppercased.
Volker
(This used to be commit dcb577f1cd8cf60557c0d061afeec206f58a6b31)
|
|
from HEAD follows :
While torturing winbind a bit I found the following unfortunate behaviour:
Sending multiple requests at a high rate for a slow operation exposed that no
response comes back until the last request in the queue has been
processed. This is an unfortunate result of serially going through all sockets> that have shown to be readable or writable. All client sockets become readable> at the same time, none of them is writable. We go through them, read the
request, process the complete request. Before we enter the select system call
the next time all requests have to have completed.
This patch optimizes this by first looking at the sockets for writability. A
write on a socket that came back from select does not block, so this
additional loop might have a non-zero cost, but it can't prevent other
operations from proceeding.
After a possibly long-running winbindd_process() we directly start select()
again. To avoid starvation the currently processed client is demoted to be the> last one in the list of clients.
Jeremy.
(This used to be commit bfdeb22c69d09eb73305b6034fa6d0ec67275789)
|
|
Andrew Bartlett
(This used to be commit 999b2501a14d1f611f6bfe1f800a852825a21526)
|
|
and AD) as well as on a Samba DC
(This used to be commit 157d53782d6a7d0b7e30676a674ff2a25a15369c)
|
|
(This used to be commit 3eab8ed5453f29516d8e0022bab87c271468d690)
|
|
(This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
|
|
(This used to be commit 4f97988dd652983b7cdbb2f2e5a85c9d97ec697e)
|
|
add static
smbd/uid.c:
remove unused function
Andrew Bartlett
(This used to be commit ab25af0e18d883757775a85f005775a79a86dcc8)
|
|
(This used to be commit ba9dc0d9fd3e30a7ddf97b6a4df753db7ba12cc1)
|
|
domains, this patch ensures that we always use the ADS backend when
security=ADS, and the remote server is capable.
The routines used for this behaviour have been upgraded to modern Samba
codeing standards.
This is a change in behaviour for mixed mode domains, and if the trusted
domain cannot be reached with our current krb5.conf file, we will show
that domain as disconnected.
This is in line with existing behaviour for native mode domains, and for
our primary domain.
As a consequence of testing this patch, I found that our kerberos error
handling was well below par - we would often throw away useful error
values. These changes move more routines to ADS_STATUS to return
kerberos errors.
Also found when valgrinding the setup, fix a few memory leaks.
While sniffing the resultant connections, I noticed we would query our
list of trusted domains twice - so I have reworked some of the code to
avoid that.
Andrew Bartlett
(This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
|
|
While machine accounts cannot use an NTLM login (NT4 style), they are
otherwise full and valid members of the domain, and expect to be able to
use kerberos to connect to CIFS servers.
This means that the LocalSystem account, used by various services, can
perform things like backups, without the admin needing to enter further
passwords.
This particular issue (bug 722) has started to come up a lot on the lists.
I have only enabled it for winbindd-based systems, as the macros use use
to call the 'add user script' will strip the $ from the username for
security reasons.
Andrew Bartlett
(This used to be commit 6a9bbd1da3bb961d24e74348fa0b68574022855f)
|
|
Volker
(This used to be commit 541e6998a06ac523ad794b10f4e7a46951a06726)
|
|
DNS names (realms) from NetBIOS domain names.
Until now, we would experience delays as we broadcast lookups for DNS names
onto the local network segments.
Now if DNS comes back negative, we fall straight back to looking up the
short name.
Andrew Bartlett
(This used to be commit 32397c8b01f1dec7b05140d210bb32f836a80ca6)
|
|
domains (in particular, the domain of the current machine, if it is not a PDC)
By changing the error codes, we now return values that PAM can correctly
use for better stacking of PAM modules - in particular of the password change
module.
This allows pam_winbind to co-exist with other pam modules for password changes.
Andrew Bartlett
(This used to be commit 6a8cc7f0122ac4dd5b10ff1160735ef1a177d448)
|