path: root/source3/nsswitch/winbindd_util.c
Age | Commit message | Author | Files | Lines
2007-10-10 | r16422: winbindd_demote_client isn't used and generates a Klocwork issue (#1844). Remove it Jeremy. (This used to be commit e83c3e0a65edeb423d964488e219e30d023b13e8) | Jeremy Allison | 1 | -8/+0
2007-10-10 | r15976: Set our internal domains to "online" by default in winbindd. Guenther (This used to be commit 2678582c6cc7fb100cb3bfd867816878461ae7b4) | Günther Deschner | 1 | -1/+1
2007-10-10 | r15842: patch from volker to instruct winbindd to find a trusted DC on its own when running on a Samba DC (since we don't implement the getdcname() call that well (This used to be commit 39f7ff75a7a21b85b54cba954f1c5552e562be5c) | Gerald Carter | 1 | -1/+1
2007-10-10 | r15698: An attempt to make the winbind lookup_usergroups() call in security=ads more scalable: The most efficient way is to use the "tokenGroups" attribute which gives the nested group membership. As this attribute can not always be retrieved when binding with the machine account (the only guaranteed way to get the tokenGroups I could find is when the machine account is a member of the "Pre Win2k Access" builtin group). Our current fallback when "tokenGroups" failed is looking for all groups where the userdn was in the "member" attribute. This behaves not very well in very large AD domains. The patch first tries the "memberOf" attribute on the user's dn in that case and directly retrieves the group's sids by using the LDAP Extended DN control from the user's object. The way to pass down the control to the ldap search call is rather painful and probably will be rearranged later on. Successfully tested on win2k sp0, win2k sp4, wink3 sp1 and win2k3 r2. Guenther (This used to be commit 7d766b5505e4099ef7dd4e88bb000ebe38d71bd0) | Günther Deschner | 1 | -1/+4
2007-10-10 | r15306: Be consistent between rpc and ads winbind backend: let the ads backend query the samlogon cache first as well. Guenther (This used to be commit aa52b11dd450ca3ec1f156e17822b1c4971ef915) | Günther Deschner | 1 | -0/+46
2007-10-10 | r15053: fix portability issues between 32-bit winbind clients and a 64-bit winbindd server (This used to be commit a95d11345e76948b147bbc1f29a05c978d99a47a) | Gerald Carter | 1 | -2/+2
2007-10-10 | r14855: Various fixes: * deprecate 'acl group control' after discussion with Jeremy and implement functionality as part of 'dos filemode' * fix winbindd on a non-member server to expand local groups * prevent code previously only used by smbd from blindly turning _NO_WINBINDD back on (This used to be commit 4ab372f4cab22225716b5c9a9a08f0c1dbc9928d) | Gerald Carter | 1 | -15/+12
2007-10-10 | r14480: Kill one boolean flag passed down :-) (This used to be commit d9b85e3b287c24d2a3e2076da331fe06192b0eef) | Volker Lendecke | 1 | -8/+6
2007-10-10 | r14474: Also flush the nscd caches before entering the main winbindd loop. Guenther (This used to be commit c81eb71834dc827db63c8adb3f816bbbe916473c) | Günther Deschner | 1 | -0/+22
2007-10-10 | r14468: Better fix to avoid winbind panic when we have an improper configuration and want to just shutdown and exit. Guenther (This used to be commit 0aa6328ed6ba6d0d24169ffdff0099405c9bfb00) | Günther Deschner | 1 | -3/+9
2007-10-10 | r14467: Reverting 13660. This needs to be fixed differently. Guenther (This used to be commit 4157bfe9cfe79ff78e7e527a50058cf9103cab61) | Günther Deschner | 1 | -8/+4
2007-10-10 | r14403: * modifies create_local_nt_token() to create a BUILTIN\Administrators group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes' * Add a SID domain to the group mapping enumeration passdb call to fix the checks for local and builtin groups. The SID can be NULL if you want the old semantics for internal maintenance. I only updated the tdb group mapping code. * remove any group mapping from the tdb that have a gid of -1 for better consistency with pdb_ldap.c. This fixes the problem with calling add_group_map() in the tdb code for unmapped groups which might have had a record present. * Ensure that we distinguish between groups in the BUILTIN and local machine domains via getgrnam() Otherwise BUILTIN\Administrators & SERVER\Administrators would resolve to the same gid. * Doesn't strip the global_sam_name() from groups in the local machine's domain (this is required to work with 'winbind default domain' code) Still todo. * Fix fallback Administrators membership for root and domain Admins if nested groups = no or winbindd is not running * issues with "su - user -c 'groups'" command * There are a few outstanding issues with BUILTIN\Users that Windows apparently tends to assume. I worked around this presently with a manual group mapping but I do not think this is a good solution. So I'll probably add some similar as I did for Administrators. (This used to be commit 612979476aef62e8e8eef632fa6be7d30282bb83) | Gerald Carter | 1 | -2/+2
2007-10-10 | r13660: Attempt to better handle the failure that we cannot find our sid upon startup; don't panic, shutdown instead. Guenther (This used to be commit f209192e26c12fd48feb6195b724715fbada8b85) | Günther Deschner | 1 | -4/+8
2007-10-10 | r13492: As no one objected on the mailing-list: Fix parse_domain_user to fail when splitting a full name like "DOM\user" when "winbind use default domain" and "winbind trusted domains only" are not enabled. This allows pam_winbind to behave correctly when more modules are stacked in the "account" or "password" PAM facility. pam_winbindd calls WINBINDD_GETPWNAM which can decide whether or not a user is a winbind user and return correct PAM error codes. Guenther (This used to be commit e6d52c1e9d8cec7be6d552c2a67a392df21c3ec9) | Günther Deschner | 1 | -4/+5
2007-10-10 | r13316: Let the carnage begin.... Sync with trunk as of r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f) | Gerald Carter | 1 | -6/+7
2007-10-10 | r13024: Add is_null_sid. Guenther (This used to be commit 3a6e41a0cb2872a656ea79c8d4fc4b8bce436492) | Günther Deschner | 1 | -2/+1
2007-10-10 | r12133: Fix an uninitialized variable in new code in rpc_server/srv_samr_nt.c. Fix winbind_lookup_name for the local domain, ie for aliases on a member server. Volker (This used to be commit 4ba50c823e8d61f87ab5627f15e826e73e45ffcc) | Volker Lendecke | 1 | -1/+15
2007-10-10 | r10270: lowercase groupnames and groupmembers again. Guenther (This used to be commit 736dffb2a9907a6ca3fee51eb4a9f1da837303a0) | Günther Deschner | 1 | -0/+1
2007-10-10 | r10267: Exit if winbind can't find or generate a SID -- there's no point in continuing. Found during investigation of bug 3105. Volker (This used to be commit 72546f185696235c9d5cb6196448178d9e15e858) | Volker Lendecke | 1 | -1/+1
2007-10-10 | r10262: * Fix for getgrnam not returning builtin group (which is done by getent group) * Give a better debug message when returning builtin groups. Guenther (This used to be commit ec79971dc7606c1dfea3acf87cd19fa4153ae417) | Günther Deschner | 1 | -1/+1
2007-10-10 | r9780: Clean up a bunch of compiler warnings. (This used to be commit 623d2e69319ffead31a780a4d6156dae45f386d7) | James Peach | 1 | -1/+1
2007-10-10 | r9709: Fix two bugs found by Brian Moran: Any request sent to winbind while the child in question is still initializing overwrites domain->dcname. Only overwrite if the parent actually has sent a dcname and thus really knows it. Second, ntlm_auth needs the error code, not just the fact it failed. Jerry, the 3_0 part might qualify as a "recommended patch". Thanks, Volker (This used to be commit d79b179b7f9d2efa4f8ee47bfe386e90d8b58322) | Volker Lendecke | 1 | -1/+3
2007-10-10 | r7882: Looks like a large patch - but what it actually does is make Samba safe for using our headers and linking with C++ modules. Stops us from using C++ reserved keywords in our code. Jeremy (This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a) | Jeremy Allison | 1 | -17/+17
2007-10-10 | r7415: * big change -- volker's new async winbindd from trunk (This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8) | Gerald Carter | 1 | -222/+378
2007-10-10 | r6682: patch from Qiao Yang <qyang@stbernard.com> to use our own DC when getting the SID for a domain (This used to be commit 2e0941ebc1d6a9a9498cc5a9f072d501293f8933) | Gerald Carter | 1 | -2/+7
2007-10-10 | r6566: fix a couple of local group bugs. * ensure that we set full access on the handle returned from _samr_create_dom_alias() so that future set_alias commands succeed * fix bug when looking for internal domains in winbindd (caused winbindd_getgrgid() for local groups to fail). (This used to be commit 4615c96ccb8906af4eb1fbe6d0cbf6bb3bcc3fcf) | Gerald Carter | 1 | -1/+6
2007-10-10 | r6450: * fix typo in htlm_auth help message * add synonym for idmap_rid in better lining with other idmap backend names * remove old debug messages when idmap {uid|gid} options are not defined (This used to be commit 03ebf3ebfe83897d8c18e57ed378154d1377874b) | Gerald Carter | 1 | -4/+2
2007-10-10 | r6273: Remove some unused code, minor cleanup (This used to be commit b451434e378e52e8ab6b932d7b26657ea9d0353c) | Volker Lendecke | 1 | -7/+1
2007-10-10 | r6263: Get rid of generate_wellknown_sids, they are const static and initializable statically. Volker (This used to be commit 3493d9f383567d286e69c0e60c0708ed400a04d9) | Volker Lendecke | 1 | -2/+1
2007-10-10 | r6225: get rid of warnings from my compiler about nested externs (This used to be commit efea76ac71412f8622cd233912309e91b9ea52da) | Herb Lewis | 1 | -6/+4
2007-10-10 | r6149: Fixes bugs #2498 and 2484. 1. using smbc_getxattr() et al, one may now request all access control entities in the ACL without getting all other NT attributes. 2. added the ability to exclude specified attributes from the result set provided by smbc_getxattr() et al, when requesting all attributes, all NT attributes, or all DOS attributes. 3. eliminated all compiler warnings, including when --enable-developer compiler flags are in use. removed -Wcast-qual flag from list, as that is specifically to force warnings in the case of casting away qualifiers. Note: In the process of eliminating compiler warnings, a few nasties were discovered. In the file libads/sasl.c, PRIVATE kerberos interfaces are being used; and in libsmb/clikrb5.c, both PRIVATE and DEPRECATED kerberos interfaces are being used. Someone who knows kerberos should look at these and determine if there is an alternate method of accomplishing the task. (This used to be commit 994694f7f26da5099f071e1381271a70407f33bb) | Derrell Lipman | 1 | -1/+1
2007-10-10 | r6127: Eliminated all compiler warnings pertaining to mismatched "qualifiers". The whole of samba compiles warning-free with the default compiler flags. Temporarily defined -Wall to locate other potential problems. Found an unused static function (#ifdefed out rather than deleted, in case it's needed for something in progress). There are also a number of uses of undeclared functions, mostly krb5_*. Files with these problems need to have appropriate header files included, but they are not fixed in this update. oplock_linux.c.c has undefined functions capget() and capset(), which need to have "#undef _POSIX_SOURCE" specified before including <sys/capability.h>, but that could potentially have other side effects, so that remains uncorrected as well. The flag -Wall should be added permanently to CFLAGS, and all warnings then generated should be eliminated. (This used to be commit 5b19ede88ed80318e392f8017f4573fbb2ecbe0f) | Derrell Lipman | 1 | -1/+1
2007-10-10 | r5336: BUG 2329: fix to re-enable winbindd to locate DC's when 'disable netbios = yes' (This used to be commit 75a223f1188ae0041c9e3c748af107d642f73810) | Gerald Carter | 1 | -5/+0
2007-10-10 | r4258: strlower username, not (non-existing) domain_username. Guenther (This used to be commit 4f10666295ff7c086ac2a38e0a5f0ac80b57b9a0) | Günther Deschner | 1 | -1/+1
2007-10-10 | r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a) | Jeremy Allison | 1 | -2/+2
2007-10-10 | r3140: * try to ensure consistent usage of the username map. Use the fully qualified DOMAIN\user format for 'security = domain|ads' and apply after authentication has succeeded. * also change fill_domain_username() to only lowercase the username and not the domain+username. This was a cosmetic fix only. makes the output more consistent with %D and %U. (This used to be commit 30ee2d5b0906d5cd73a8faf5170e5aebcc6d69c8) | Gerald Carter | 1 | -3/+4
2007-10-10 | r2584: After talking to jerry, commit the strlower patch to getent username and groupnames. In template homedir, leave %D alone uppercased. Volker (This used to be commit dcb577f1cd8cf60557c0d061afeec206f58a6b31) | Volker Lendecke | 1 | -0/+1
2007-10-10 | r2265: Volker's change to HEAD looks very good. Commit message from HEAD follows : While torturing winbind a bit I found the following unfortunate behaviour: Sending multiple requests at a high rate for a slow operation exposed that no response comes back until the last request in the queue has been processed. This is an unfortunate result of serially going through all sockets that have shown to be readable or writable. All client sockets become readable at the same time, none of them is writable. We go through them, read the request, process the complete request. Before we enter the select system call the next time all requests have to have completed. This patch optimizes this by first looking at the sockets for writability. A write on a socket that came back from select does not block, so this additional loop might have a non-zero cost, but it can't prevent other operations from proceeding. After a possibly long-running winbindd_process() we directly start select() again. To avoid starvation the currently processed client is demoted to be the last one in the list of clients. Jeremy. (This used to be commit bfdeb22c69d09eb73305b6034fa6d0ec67275789) | Jeremy Allison | 1 | -0/+8
2007-10-10 | r1127: Finding trusted domains is not so important as to require a DEBUG(1). Andrew Bartlett (This used to be commit 999b2501a14d1f611f6bfe1f800a852825a21526) | Andrew Bartlett | 1 | -1/+1
2007-10-10 | r294: checking in volker's winbindd patches; tested on domain members (Samba and AD) as well as on a Samba DC (This used to be commit 157d53782d6a7d0b7e30676a674ff2a25a15369c) | Gerald Carter | 1 | -35/+69
2007-10-10 | r139: Apply some const (This used to be commit 3eab8ed5453f29516d8e0022bab87c271468d690) | Volker Lendecke | 1 | -1/+1
2007-10-10 | r116: volker's patch for local group and group nesting (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f) | Gerald Carter | 1 | -2/+41
2004-02-10 | fix more compiler warning after the latest static rampage (This used to be commit 4f97988dd652983b7cdbb2f2e5a85c9d97ec697e) | Gerald Carter | 1 | -28/+28
2004-02-08 | nsswitch/winbindd_util.c: add static smbd/uid.c: remove unused function Andrew Bartlett (This used to be commit ab25af0e18d883757775a85f005775a79a86dcc8) | Andrew Bartlett | 1 | -1/+1
2004-01-08 | fix segfault when sid_ptr == 0 in DsEnumDomainTrusts() reply (This used to be commit ba9dc0d9fd3e30a7ddf97b6a4df753db7ba12cc1) | Gerald Carter | 1 | -3/+2
2004-01-08 | This merges in my 'always use ADS' patch. Tested on a mix of NT and ADS domains, this patch ensures that we always use the ADS backend when security=ADS, and the remote server is capable. The routines used for this behaviour have been upgraded to modern Samba coding standards. This is a change in behaviour for mixed mode domains, and if the trusted domain cannot be reached with our current krb5.conf file, we will show that domain as disconnected. This is in line with existing behaviour for native mode domains, and for our primary domain. As a consequence of testing this patch, I found that our kerberos error handling was well below par - we would often throw away useful error values. These changes move more routines to ADS_STATUS to return kerberos errors. Also found when valgrinding the setup, fix a few memory leaks. While sniffing the resultant connections, I noticed we would query our list of trusted domains twice - so I have reworked some of the code to avoid that. Andrew Bartlett (This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d) | Andrew Bartlett | 1 | -10/+29
2004-01-07 | Machines are people too! While machine accounts cannot use an NTLM login (NT4 style), they are otherwise full and valid members of the domain, and expect to be able to use kerberos to connect to CIFS servers. This means that the LocalSystem account, used by various services, can perform things like backups, without the admin needing to enter further passwords. This particular issue (bug 722) has started to come up a lot on the lists. I have only enabled it for winbindd-based systems, as the macros we use to call the 'add user script' will strip the $ from the username for security reasons. Andrew Bartlett (This used to be commit 6a9bbd1da3bb961d24e74348fa0b68574022855f) | Andrew Bartlett | 1 | -5/+1
2004-01-05 | Fix warning Volker (This used to be commit 541e6998a06ac523ad794b10f4e7a46951a06726) | Volker Lendecke | 1 | -1/+1
2004-01-05 | Change our Domain controller lookup routines to more carefully separate DNS names (realms) from NetBIOS domain names. Until now, we would experience delays as we broadcast lookups for DNS names onto the local network segments. Now if DNS comes back negative, we fall straight back to looking up the short name. Andrew Bartlett (This used to be commit 32397c8b01f1dec7b05140d210bb32f836a80ca6) | Andrew Bartlett | 1 | -6/+4
2003-12-31 | Changes to our PAM code to cope with the fact that we can't handle some domains (in particular, the domain of the current machine, if it is not a PDC) By changing the error codes, we now return values that PAM can correctly use for better stacking of PAM modules - in particular of the password change module. This allows pam_winbind to co-exist with other pam modules for password changes. Andrew Bartlett (This used to be commit 6a8cc7f0122ac4dd5b10ff1160735ef1a177d448) | Andrew Bartlett | 1 | -3/+1