summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_util.c
AgeCommit message (Collapse)AuthorFilesLines
2004-02-10fix more compiler warning after the latest static rampageGerald Carter1-28/+28
(This used to be commit 98d9278c81ede2a931a2c2c8371c0499601a1457)
2004-02-08(merge from 3.0)Andrew Bartlett1-1/+1
nsswitch/winbindd_util.c: add static smbd/uid.c: remove unused function Andrew Bartlett (This used to be commit 4822a3f73610f6e468c447f1282246f13a378cde)
2004-01-13sync HEAD with recent changes in 3.0Gerald Carter1-15/+30
(This used to be commit c98399e3c9d74e19b7c9d806ca8028b48866931e)
2004-01-08fix segfault when sid_ptr == 0 in DsEnumDomainTrusts() replyGerald Carter1-3/+2
(This used to be commit 36d985a75faa5ebda1c8c7de1e3ab5d7a51a9c10)
2004-01-06Merge winbind from Samba 3.0 onto HEAD.Andrew Bartlett1-1/+2
Changes include: - header changes for better pre-compiled headers (tridge) - get a list of sids for a given user (tridge) - fix function prototype and a few other minor things Andrew Bartlett (This used to be commit 60107efdc61247034424d008c6f1eb4d46a19881)
2004-01-06(merge from 3.0)Andrew Bartlett1-6/+4
Change our Domain controller lookup routines to more carefully seperate DNS names (realms) from NetBIOS domain names. Until now, we would experience delays as we broadcast lookups for DNS names onto the local network segments. Now if DNS comes back negative, we fall straight back to looking up the short name. Andrew Bartlett (This used to be commit 4c3bd0a99e464198d243da302ff1868189b4dcff)
2004-01-05(merge from 3.0)Andrew Bartlett1-3/+1
Changes to our PAM code to cope with the fact that we can't handle some domains (in particular, the domain of the current machine, if it is not a PDC) By changing the error codes, we now return values that PAM can correctly use for better stacking of PAM modules - in particular of the password change module. This allows pam_winbind to co-exist with other pam modules for password changes. Andrew Bartlett (This used to be commit 06b4eb4b9f867998c8faf9a91830ba3181cdf605)
2004-01-05(merge from 3.0)Andrew Bartlett1-15/+65
auth/auth_util.c: - Fill in the 'backup' idea of a domain, if the DC didn't supply one. This doesn't seem to occour in reality, hence why we missed the typo. lib/charcnv.c: lib/smbldap.c: libads/ldap.c: libsmb/libsmbclient.c: printing/nt_printing.c: - all the callers to pull_utf8_allocate() pass a char ** as the first parammeter, so don't make them all cast it to a void ** nsswitch/winbind_util.c: - Allow for a more 'correct' view of when usernames should be qualified in winbindd. If we are a PDC, or have 'winbind trusted domains only', then for the authentication returns stip the domain portion. - Fix valgrind warning about use of free()ed name when looking up our local domain. lp_workgroup() is maniplated inside a procedure that uses it's former value. Instead, use the fact that our local domain is always the first in the list. -- Jerry rightly complained that we can't assume that the first domain is our primary domain - new domains are added to the front of the list. :-( Use a much more reliable 'flag test' instead. (note: changes winbind structures, make clean). -- Forgot to commit this for the 'get our primary domain' change. Andrew Bartlett (This used to be commit acacd27ba25f7ebfec40bfa66d34ece543569e23)
2003-10-22Put strcasecmp/strncasecmp on the banned list (except for needed callsJeremy Allison1-4/+4
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at all and I really want to discourage that. Jeremy. (This used to be commit 5c050a735f86927c7ef2a98b6f3a56abe39e4674)
2003-09-22fix some warnings found by the Sun C compilerGerald Carter1-1/+0
(This used to be commit 585764305aa84a7732f71f2e01227e1a6a08664f)
2003-09-09sync 3.0 into HEAD for the last timeGerald Carter1-45/+86
(This used to be commit c17a7dc9a190156a069da3e861c18fd3f81224ad)
2003-08-02port latest changes from SAMBA_3_0 treeSimo Sorce1-5/+80
(This used to be commit 3101c236b8241dc0183995ffceed551876427de4)
2003-07-16trying to get HEAD building again. If you want the codeGerald Carter1-13/+222
prior to this merge, checkout HEAD_PRE_3_0_0_BETA_3_MERGE (This used to be commit adb98e7b7cd0f025b52c570e4034eebf4047b1ad)
2003-06-03* set winbind cache time to 5 minutesGerald Carter1-6/+4
* quit obsessing over the sequence number so much * share the updated sequence number between parent and child winbindd processes in dual mode (This used to be commit 6fb5bdb30e2b1341ba600ce0dfd397394f7a831c)
2003-04-02THE Idmap patch :-)Simo Sorce1-2/+2
includes a --with-idmap=no switch to disable idmap usage if you find problems. cosmetic fixes and param aliases to separate winbind from idamp roles. A temporarily remote idmap winbind compatibility backend. As I have time I will further change code to not call directly winbind (partly done but not tested) and a specilized module will be built in place for the current glue hack. The patch has been tested locally in my limited time, the patch is simple and clear and should not reserve problems, if any just disable it. As usual, comments and fisex are welcome :-) Simo. (This used to be commit 02781320476ed1b7ee5d943fa36f9a66ab67f208)
2003-03-23NTLM Authentication:Andrew Bartlett1-0/+24
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit dcdc75ebd89f504a0f6e3a3bc5b43298858d276b)
2003-02-26Kill RID-only and domain+RID madness from winbind.Andrew Bartlett1-3/+26
Now we deal with SIDs in almost all of winbind (a couple of limited exceptions remain, but I'm looking into them - they use non-winbind structs ATM). This has particular benifits in returning out-of-domain SIDs for group membership (Need to look into this a bit more) as well as general code quality. This also removes much of the complexity from the idmap interface, which now only deals with mapping IDs, not with SID->domain translations. Breifly tested, but needs more. Fixes some valgrind-found bugs from my previous commit. Winbind cache chagned to using SID strings in some places, as I could not follow exactly how to save and restore multiple packed sids properly. Andrew Bartlett (This used to be commit 9247cf08c40f016a924d600ac906cfc6a7016777)
2003-02-14Fix for trusted domains scan not working inspired by Ken Cross.Tim Potter1-6/+7
(Sorry - I should have checked this in yesterday but forgot) (This used to be commit 7420ddcda8e7189cedacb2c60f5ea265b8c35bda)
2003-01-13Merge of remove "winbindd holding pattern" from appliance. It's a bitTim Potter1-21/+5
simpler as the rescanning of trusted domains helps us out a bit. (This used to be commit 089729c02cb2088e85f0e7f8ec79afb58fe98be7)
2002-12-20Forward port the change to talloc_init() to make all talloc contextsJeremy Allison1-2/+2
named. Ensure we can query them. Jeremy. (This used to be commit 842e08e52a665ae678eea239759bb2de1a0d7b33)
2002-11-26Having waited for *way* too long, this is mimir's namecache and trusted domainAndrew Bartlett1-6/+11
cache code. This uses gencache, mimir's new caching code that stores at text-based cache of various data. Mimir has done a *lot* of work on this patch, and it is finally time to get it in CVS. Andrew Bartlett (This used to be commit 47f3bfe9564e7f3aff60cefaefd599e0abb30a31)
2002-11-12Removed global_myworkgroup, global_myname, global_myscope. Added liberalJeremy Allison1-5/+4
dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit 82b8f749a36b42e22186297482aad2abb04fab8a)
2002-11-07Remove lp_security() checks for winbindd as this is how we act as a PDC.Tim Potter1-6/+0
Keep the rest of the cleanups though. (This used to be commit f0a1177acf82fceb174df1852d87a6e16d63fd63)
2002-11-07Call winbindd_param_init() earlier on in the piece so we don't get stuck inTim Potter1-1/+7
the holding pattern when started up when security = user or security = ads. Clean up return value of winbindd_common_init() - what a mess! (This used to be commit 8a6d37752182e0de7fd04b2c31f90e145dde783b)
2002-11-05Merge of lp_talloc_free() call in init_domain_list() from APPLIANCE.Tim Potter1-0/+7
(This used to be commit 48ed9dce0dab53066d3304baa0f24639a1f1755b)
2002-11-02Some winbindd cleanups I made trying to fix cr1020:Tim Potter1-0/+86
- move winbindd client handling into accessor functions in winbindd_util.c - move some winbindd socket routines into accessor functions in winbindd_utils.c (The deadlock situation mentioned in the appliance branch is probably not applicable since we don't clear the connection cache on SIGHUP. Perhaps we should?) (This used to be commit 846b5494942c73e68616e7eae0d2fd5ae4b2bc05)
2002-10-23if trusted domains are disabled then we should not try to connect toAndrew Tridgell1-1/+6
them in winbindd (This used to be commit 6c7748b001836e4aa3e23dedfe28db3c8acc197a)
2002-10-15- we need to rescan the trusted domain list regularly to cope withAndrew Tridgell1-1/+1
transitive trusts, and trusts that are added while winbindd is running - removed an unnecessary call to time() (This used to be commit 14489ff30bb9eca2c55d36a69c0b45a2db339061)
2002-10-08merge from APP_HEADGerald Carter1-1/+1
* s/driverlocation/comment * detect native mode domain and enumerate local groups Also * Added sendfile stats from SAMBA_2_2 (This used to be commit 764b58e2c0b3179cffe157c0ab58761b156b8423)
2002-10-04merge native_mode flag in winbindd_domain struct from app-headGerald Carter1-1/+10
(This used to be commit dd948a302ad6bd4307ecdfb10510e12185150eae)
2002-08-18be a bit more paranoid about not getting duplicate domain names (canAndrew Tridgell1-2/+8
happen when the LDAP call to get the flatname for the primary domain fails) (This used to be commit 8d40f34e2f5188f15f414e807d023bfea7bd8c8e)
2002-08-05This fixes a number of ADS problems, particularly with netbioslessAndrew Tridgell1-41/+77
setups. - split up the ads structure into logical pieces. This makes it much easier to keep things like the authentication realm and the server realm separate (they can be different). - allow ads callers to specify that no sasl bind should be performed (used by "net ads info" for example) - fix an error with handing ADS_ERROR_SYSTEM() when errno is 0 - completely rewrote the code for finding the LDAP server. Now try DNS methods first, and try all DNS servers returned from the SRV DNS query, sorted by closeness to our interfaces (using the same sort code as we use in replies from WINS servers). This allows us to cope with ADS DCs that are down, and ensures we don't pick one that is on the other side of the country unless absolutely necessary. - recognise dnsRecords as binary when displaying them - cope with the realm not being configured in smb.conf (work it out from the LDAP server) - look at the trustDirection when looking up trusted domains and don't include trusts that trust our domains but we don't trust theirs. - use LDAP to query the alternate (netbios) name for a realm, and make sure that both and long and short forms of the name are accepted by winbindd. Use the short form by default for listing users/groups. - rescan the list of trusted domains every 5 minutes in case new trust relationships are added while winbindd is running - include transient trust relationships (ie. C trusts B, B trusts A, so C trusts A) in winbindd. - don't do a gratuituous node status lookup when finding an ADS DC (we don't need it and it could fail) - remove unused sid_to_distinguished_name function - make sure we find the allternate name of our primary domain when operating with a netbiosless ADS DC (using LDAP to do the lookup) - fixed the rpc trusted domain enumeration to support up to approx 2000 trusted domains (the old limit was 3) - use the IP for the remote_machine (%m) macro when the client doesn't supply us with a name via a netbios session request (eg. port 445) - if the client uses SPNEGO then use the machine name from the SPNEGO auth packet for remote_machine (%m) macro - add new 'net ads workgroup' command to find the netbios workgroup name for a realm (This used to be commit e358d7b24c86a46d8c361b9e32a25d4f71a6dc00)
2002-07-20Try to fix up warnings - particularly on the IRIX 64 bit compiler (which had aAndrew Bartlett1-1/+1
distinction between uchar and char). Lots of const etc. Andrew Bartlett (This used to be commit 8196ee908e10db2119e480fe1b0a71b31a16febc)
2002-07-11Merge of init_domain_list() fix from APPLIANCE_HEAD.Tim Potter1-3/+0
(This used to be commit 66c9cab369e38284c71572bfb3643538e253a451)
2002-06-18more debug classess activatedSimo Sorce1-0/+3
(This used to be commit 897e64d2e0c1d04ab93441ccaffe369bf43be46e)
2002-06-10Remove "sids.h" as it really wasn't being used anywhere, and was exportingAndrew Bartlett1-1/+0
the (now static) global_sam_sid. The only place it was being used was to return global_sid_NULL to some uid->sid functions - and I'm not convinced this is correct in any case. Andrew Bartlett (This used to be commit e2a76a7fc94dd59c09bba3cda91446fad9f8c0e0)
2002-03-09prevent a segv when a trusted domain is unavailable at startupAndrew Tridgell1-3/+2
(This used to be commit d5b5d3f8400a80c943809db9578a2d7317aa6d2d)
2002-02-27this allows us to support foreign SIDs in winbindd and smbdAndrew Tridgell1-1/+1
this means "xcopy /o" has a chance of working with ACLs that contain ACEs that use SIDs that the Samba server has no knowledge of. It's a bit hackish, Tim, can you look at my uid.c changes? (This used to be commit fe2db3148587937aa7b674c1c99036d42a3776b3)
2002-01-30Removed version number from file header.Tim Potter1-1/+1
Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2002-01-26Change the winbind interface to use seperate 'domain' and 'username' feilds forAndrew Bartlett1-1/+0
the sid->uid and uid->sid conversions. Remove some duplicate arguments from these funcitons, and update the request/response structures for this and the 'winbind domain name' feature. As such 'winbindd_lookup_name' now takes both a domain and username. (This used to be commit ce1b4d4c309e4a60bec5a53224585bd504264672)
2002-01-20This patch makes the 'winbind use default domain' code interact better withAndrew Bartlett1-22/+5
smbd, and also makes it much cleaner inside winbindd. It is mostly my code, with a few changes and testing performed by Alexander Bokovoy <a.bokovoy@sam-solutions.net>. ab has tested it in security=domain and security=ads, but more testing is always appricatiated. The idea is that we no longer cart around a 'domain\user' string, we keep them seperate until the last moment - when we push that string into a pwent on onto the socket. This removes the need to be constantly parsing that string - the domain prefix is almost always already provided, (only a couple of functions actually changed arguments in all this). Some consequential changes to the RPC client code, to stop it concatonating the two strings (it now passes them both back as params). I havn't changed the cache code, however the usernames will no longer have a double domain prefix in the key string. The actual structures are unchanged - but the meaning of 'username' in the 'rid' will have changed. (The cache is invalidated at startup, so on-disk formats are not an issue here). Andrew Bartlett (This used to be commit e870f0e727952aeb8599cf93ad2650ae56eca033)
2002-01-18This is the 'winbind default domain' patch from Alexander BokovoyAndrew Bartlett1-4/+52
<a.bokovoy@sam-solutions.net>. The idea is the domain\username is rather harsh for unix systems - people don't expect to have to FTP, SSH and (in particular) e-mail with a username like that. This 'corrects' that - but is not without its own problems. As you can see from the changes to files like username.c and wb_client.c (smbd's winbind client code) a lot of assumptions are made in a lot of places about lp_winbind_seperator determining a users's status as a domain or local user. The main change I will shortly be making is to investigate and kill off winbind_initgroups() - as far as I know it was a workaround for an old bug in winbind itself (and a bug in RH 5.2) and should no longer be relevent. I am also going to move to using the 'winbind uid' and 'winbind gid' paramaters to determine a user/groups's 'local' status, rather than the presence of the seperator. As such, this functionality is recommended for servers providing unix services, but is currently less than optimal for windows clients. (TODO: remove all references to lp_winbind_seperator() and lp_winbind_use_default_domain() from smbd) Andrew Bartlett (This used to be commit 07a21fcd2311d2d9b430b99303e3532a8c1159e4)
2002-01-11Always query the PDC for the list of trusted domains rather than interatingTim Potter1-55/+90
the list received at startup or we get an out of date list. I thought there might be some sequence number that is incremented when a trusted domain is added or removed - perhaps there is but I just haven't found it yet. - Renamed get_domain_info() to init_domain_list() - Made an accessor function to return the list of trusted domains rather than using a global so we don't have to remember to put a magic init function - The getent state can not keep a pointer to a winbind_domain structure as it may be freed if init_domain_list() is called again so we keep the domain name instead (This used to be commit 37216c649a394b449eaaaa6644709eafb3bf37ff)
2002-01-10A big tidyup while thinking about getting trusted domains being re-readTim Potter1-17/+22
when they are added or removed on the PDC. - renamed GETPWNAM_FROM_{UID,USER} constants and functions to GETPW{NAM,UID} - renamed GETGRNAM_FROM_{GID,GROUP} constants and functions to GETGR{NAM,GID} - use SIGUSR2 in winbindd for debugging/logging instead of SIGUSR1 in preparation for moving to smbcontrol type messages (not sure whether to ditch this altogether or not) - tidy debugging messages in top level winbind user and group routines - convert talloc_init() to talloc_init_named() - make enumerations of the domain list use the same local variable names (This used to be commit eeb8af9c1a66bfcd80823d7b406acbab79857a16)
2001-12-19added trusted realm support to ADS authenticationAndrew Tridgell1-1/+5
the method used for checking if a domain is a trusted domain is very crude, we should really call a backend fn of some sort. For now I'm using winbindd to do the dirty work. (This used to be commit adf44a9bd0d997ba4dcfadc564a29149531525af)
2001-12-19- added initial support for trusted domains in winbindd_adsAndrew Tridgell1-3/+7
- gss error code patch from a.bokovoy@sam-solutions.net - better sid dumping in ads_dump - fixed help in wbinfo (This used to be commit ee1c3e1f044b4ef62169ad74c5cac40eef81bfda)
2001-12-10moved the domain sid lookup and enumeration of trusted domains intoAndrew Tridgell1-105/+24
the backends at startup, loop until we get the domain sid for our primary domain, trying every 10 seconds. This makes winbindd handle a room-wide power failure better (This used to be commit 7c60ae59378be1b2af2e57ee3927966a29a797a5)
2001-12-09completely new winbindd cache infrastructureAndrew Tridgell1-144/+7
this one looks like just another winbind backend, and has the following properties: - does -ve and +ve cacheing of all queries - can be disabled with -n switch to winbindd - stores all records packed, so even huge domains are not a problem for a complete cache - handles the server being down - uses sequence numbers for all entries This fixes a lot of problems with winbindd. Serving from cache is now *very* fast. (This used to be commit fddb4f4c04473a60a97212c0c8e143d6a4d68380)
2001-12-05moved the sequence number fetch into the backend, and fetch theAndrew Tridgell1-21/+1
sequence number via ldap when using ads (This used to be commit 9a084f0bb91883224ad44e2b76417d10c15cce42)
2001-12-05finally worked out how to do ldap lookups by binary blobs, so I canAndrew Tridgell1-101/+0
now do searches on SID. This allows me to do a true ldap sid_to_name() function one one function to go! (This used to be commit 7d44aa3915bc88fd2b2f8454f190b11677cbb848)