summaryrefslogtreecommitdiff
path: root/source3/nsswitch
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r23348: Fix connection reporting on SIGUSR2 (noticed byJeremy Allison1-0/+3
Herb). Jeremy. (This used to be commit dcb617e550c98de8a4bdcb9b1f7f78ba008fc138)
2007-10-10r23345: Stop Coverity from getting confused.Jeremy Allison1-0/+1
Jeremy. (This used to be commit 8e83e4267260201777c753c4e3849d65fd20ae8f)
2007-10-10r23340: Fix typo in debug ouput. Found by Karolin Seeger <ks@sernet.de>.Michael Adam1-1/+1
Michael (This used to be commit 81c7d152b2cb8fafa3d510c3d35fb86bae1e0856)
2007-10-10r23330: always include "winbind_client.h" as first headerStefan Metzmacher2-2/+2
as it brings in "replace.h" this will bring in "config.h" metze (This used to be commit d0b7b77fc437288d2e14099209bfd435bd7f1da4)
2007-10-10r23312: As per Volker, rename the "windbind:ads" parameter "winbind:rpc only".James Peach1-4/+3
(This used to be commit cbd083efb9a00db68be24cde10b96da06390d970)
2007-10-10r23297: This introduces the winbind:ads parameter which defaults to True. ↵Volker Lendecke1-1/+3
Setting it to False makes winbind use RPC and not LDAP methods to connect to the DCs, even when it figured out they are AD. (This used to be commit 1c1f710e3e2e222c9d91a5650844c1db5ebd5a3a)
2007-10-10r23291: Undo the somewhat naive change of r23279:Michael Adam1-2/+10
The clear text presentaion of the sid in the ldap expression does work with w2k3 but not with w2k.... Thanks to Guenther for advising me of this issue. Michael (This used to be commit 7e6b0c19f816b52cca257c2837680e70f1af8594)
2007-10-10r23290: Fix another small and stupid but severe typo.Michael Adam1-1/+1
Hopfully, I have finally got this right... :-) Michael (This used to be commit 2190d838e49692fcba8f3a393dd30db937899fed)
2007-10-10r23287: Use talloc_move instead of talloc_steal as this is what I reallyMichael Adam1-1/+1
wanted to do. Michael (This used to be commit f2adae8fc197be1e40769dbda27ee5b1085c3c64)
2007-10-10r23284: Oh what a nasty typo! This gave me some headache,Michael Adam1-1/+1
with talloc randomly failing. Hey, shouldn't TALLOC_ARRAY _not_ return NULL when requested to allocate an array with zero entries? :-) Michael (This used to be commit 7170d2e9f5381b405e0ea902d2b2463e5ca804e6)
2007-10-10r23283: Use a temporary talloc context in ads:lookup_groupmem.Michael Adam1-13/+17
And clean up unused stuff at the end. Daringly, I use talloc_steal at some point, where it appears natural to me. Michael (This used to be commit f2a29643bdb08bf026eaf974424f4eadfc920ca0)
2007-10-10r23279: Replace occurrence of sid_binstring inside lookup_groupmemMichael Adam1-11/+4
by sid_string_static. (This used to be commit ba3026dce02d554313647c3d6825bfe0d30d6ffc)
2007-10-10r23263: Remove an unused variable -- Fix Coverity ID 358Volker Lendecke1-4/+0
(This used to be commit c5929aa82b20e8a3877e6196c17bc9118cb399b0)
2007-10-10r23253: Add some debugging output.Michael Adam1-1/+6
(This used to be commit bd90573fbb3ff243f343fcfc61b6228aa70b13e3)
2007-10-10r23252: Complete the reworking of the ads lookup_groupmem functionMichael Adam1-58/+109
started in r23070, r23072, r23073, r23078, r23081 and r23082: After retrieving the list of sids with the extended dn ldap query, instead of passing all sids to the lsa_lookup_sids call, now while extracting the sids from the extended dn member entries, we first try to lookup the sid from cache and only pass the sids that were not in cache to the lsa_lookup_sids call. Michael (This used to be commit 5520c7d8557fe48957c2a85eaba8c3a0e9d8b9e2)
2007-10-10r23244: Fix loop with nscd and NSS recusive calls.Gerald Carter11-18/+43
> Here's the problem I hit: > > getgrnam("foo") -> nscd -> NSS -> winbindd -> > winbindd_passdb.c:nam_to_sid() -> lookup_global_sam_name() -> > getgrnam("foo") -> nscd -> .... > > This is in the SAMBA_3_0 specifically but in theory could happen > SAMBA_3_0_25 (or 26) for an unknown group. > > The attached patch passes down enough state for the > name_to_sid() call to be able to determine the originating > winbindd cmd that came into the parent. So we can avoid > making more NSS calls if the original call came in trough NSS > so we don't deadlock ? But you should still service > lookupname() calls which are needed for example when > doing the token access checks for a "valid groups" from > smb.conf. > > I've got this in testing now. The problem has shown up with the > DsProvider on OS X and with nscd on SOlaris and Linux. (This used to be commit bcc8a3290aaa0d2620e9d391ffbbf65541f6d742)
2007-10-10r23225: Attached find a patch that makes use of NetSamLogonEx inVolker Lendecke3-2/+71
winbind. With this and W2k3 DCs around it is possible to use more than one winbind on the same machine account, because NetSamLogonEx does not use the credentials chain. I added the flag domain->can_do_samlogon_ex because this only works against W2k3 and with schannel. The theory is to try if we're AD and have schannel, and fall back to NetSamLogon if this fails. can_do_samlogon_ex is thus a protection against multiple failures. Only checking into 3_0, this needs more review before going into a production release. Feel free to comment :-) (This used to be commit f5d525399b0b03a3d0b223fe72ef0a8a631fc599)
2007-10-10r23210: Very funny, we thought to use netr_GetDcName (e.g. in winbind) but ↵Günther Deschner2-8/+8
were using netr_GetDcAnyName all the time (which is the correct thing to do). Fix the naming and opcode mixup in all branches. Guenther (This used to be commit def6464c872a5939f0028837254f2c019d2d71c8)
2007-10-10r23117: Factor out local messaging.Volker Lendecke2-14/+0
This removes message_block / message_unblock. I've talked to Jeremy and Günther, giving them my reasons why I believe they have no effect. Neither could come up with a counter-argument, so they go :-) (This used to be commit a925e0991ffbaea4a533bab3a5d61e5d367d46c8)
2007-10-10r23116: Fix typo, found by Karolin SeegerVolker Lendecke1-1/+1
(This used to be commit a7b9581a5c01b701129cdd5a7a330748f9e3859e)
2007-10-10r23095: Support systems that have their PAM headers in /usr/include/pam.James Peach1-2/+10
(This used to be commit f1e8de4b576b3954d456cb64c02417908bab8da4)
2007-10-10r23078: Don't handle return code NT_STATUS_NONE_MAPPED from lookup sidsMichael Adam1-1/+1
as an error. (This is purely cosmetic here, issuing a success message at the end.) (This used to be commit 4d9e8c91dc387cef37ea9035ac4483916e854732)
2007-10-10r23075: more duplicate code blocks from bad mergeGerald Carter1-4/+0
(This used to be commit 86b6a41d5784a0214810c9cbc52ca5e99952898d)
2007-10-10r23074: Remove duplicate code blocks from bad mergeGerald Carter1-10/+0
(This used to be commit 2c64638934e83e5716e47986adbb1fa07c057486)
2007-10-10r23072: In winbindd_ads.c:lookup_groupmem, replace the bottleneckMichael Adam1-107/+77
dn_lookup loop by a rpccli_lsa_lookupsids_all (see r23070) call. This replaces one ldap search per member sid by one rpc call per 1000 sids. This greatly speeds up groupmem lookups for groups with lots of users. Since the loop in lookup_groupmem was the only use of dn_lookup, the function is removed. Michael (This used to be commit 88dac65ab1b951d445f0eedb638e9ace93139872)
2007-10-10r23055: Rewrite messages.c to use auto-generated marshalling in the tdb. I'mVolker Lendecke2-2/+2
doing this because for the clustering the marshalling is needed in more than one place, so I wanted a decent routine to marshall a message_rec struct which was not there before. Tridge, this seems about the same speed as it used to be before, the librpc/ndr overhead in my tests was under the noise. Volker (This used to be commit eaefd00563173dfabb7716c5695ac0a2f7139bb6)
2007-10-10r23054: Move the check for the lookup_domain of S-1-22-{1,2} before theGerald Carter1-18/+17
check for IS_DC. Otherwise we will for example fail to lookup a sid of S-1-22-1-780 because it has no valid struct winbindd_domain* in the list. Thanks to Simo for the catch. (This used to be commit f53aa56998411b90de238e12e9c3de7f2ff0d2b6)
2007-10-10r23048: Simo is correct in that winbind_lookup{sid,name}_async() needsGerald Carter3-2/+29
to be able to handle SIDs in the S-1-22-{1,2} domain in order for winbindd_sid_to_uid(), et. al. to succeed. For 3.0.25a, we will short circuit in the sid_to_uid() family of functions so that smbd is ok. For 3.0.26, we need to allow winbindd to handle all types of SIDs. (This used to be commit d70cec31965de41d3296c9b585ff0aea4f2bcffe)
2007-10-10r23046: Few missing merges from cleaning out the Centeris winbindd tree.Gerald Carter3-0/+20
Nothing of major interest. Will fix a few problems with one way trusts. (This used to be commit 3d48a7e72d9268fd495e0ca4b6e73bed5bb57214)
2007-10-10r23040: Activate the winbindd cache validation code in theMichael Adam1-2/+0
winbindd main function. I have tested and somewhat extended the code, and it seems to do a good job. I have possibly not caught all error conditions though. Michael (This used to be commit 8c517f9aacef300e4280896e36ff71dc9aa35dc3)
2007-10-10r23039: merge from SAMBA_3_0_26:Stefan Metzmacher1-2/+1
use a helper function to construct the TDB_DATA key as strlen_m() is totally wrong here anyway metze (This used to be commit fb77cc7fbc0100c66365109ae6c3cc4824079a2e)
2007-10-10r23015: Make message_(de)register static to messages.cVolker Lendecke1-2/+4
(This used to be commit a8082a3c7c3d1e68c27fc3bf42f3d44402cc6f9f)
2007-10-10r22943: More message_register -> messaging_registerVolker Lendecke3-60/+102
(This used to be commit caece8975b0c2bad56d6a6a576bf8ce54626183f)
2007-10-10r22908: All callers of message_init now also call messaging_init. Unify those.Volker Lendecke1-1/+1
(This used to be commit 330946ad2307ca34f0a8d068a0193fcb8a0d6036)
2007-10-10r22905: cli_send_mailslot had a message_send_pid insideVolker Lendecke1-1/+2
(This used to be commit 3fdfb5b7cdf25f4db7bbacb416523d75cab1b103)
2007-10-10r22904: Fix indent.Günther Deschner1-1/+1
Guenther (This used to be commit dcf5375aa4b2488dccd64c3bbee90183d244bc09)
2007-10-10r22903: Now that we have the on-disc trustdomaincache with type flags we can ↵Günther Deschner1-3/+6
better decide whether it's worth to register a krb5 ticket gain handler while users logon offline. Guenther (This used to be commit 203391623b31bce71268c6e8fc955eab348e92f0)
2007-10-10r22901: When an AD account has UF_DONT_REQUIRE_PREAUTH set we need to ↵Günther Deschner1-0/+8
fallback to ntlm in the kerberized PAM_AUTH. Guenther (This used to be commit ef8f0d35040390f4bb49aab24ca4aad90ea47bc1)
2007-10-10r22895: Convert some more calls from message_send_buf to messaging_send_bufVolker Lendecke3-29/+53
(This used to be commit c8b98273406242a89a7e5d1fb5d79120ebe5822a)
2007-10-10r22855: fix the buildMichael Adam1-7/+5
(#if inside DEBUG macro not allowed...) Michael (This used to be commit f0570dc3d9e07475764e466901d4abfe939590f8)
2007-10-10r22848: Fix brace alignment.Michael Adam1-1/+1
(This used to be commit d909a6064159bc746bd558238e81d57cc274a162)
2007-10-10r22847: The new validate_panic function calls exit (instead of settingMichael Adam1-19/+0
a global error flag an returning), so cleanups and returns subsequent to calls of smb_panic_fn have become unnecessary. (This used to be commit 9d2db8c70f10a9285abd4a61fa66ee8aff2e7e6b)
2007-10-10r22845: Modified and extended the winbindd cache validation code:Michael Adam1-137/+283
* Replaced signal catching/longjmp magic by a fork: Let the child do the actual validation of the entries. Exit code and signals are intercepted by waitpid. * Fix logic so that also encounter of an unknown key in the tdb leads to an error. * Extended status of validation is kept in a (as yet simple) stuct and communicated over a pipe from child to parent. * Added two validation_ functions for two new keys. The call of winbindd_validate_cache is still commented out in the winbindd main loop. But I am currently testing it and so far it seems to work fine. The next step in my plan is to generalize the validation mechanism to a tdb_open_log_validate function in lib/util_tdb.c. There ist nothing very special about the cache tdb here, and this might be useful elsewhere... Michael (This used to be commit 417325b9e6f9ac0afe1f2f3b552527788f6a7cee)
2007-10-10r22844: Introduce const DATA_BLOB data_blob_null = { NULL, 0, NULL }; andVolker Lendecke2-3/+3
replace all data_blob(NULL, 0) calls. (This used to be commit 3d3d61687ef00181f4f04e001d42181d93ac931e)
2007-10-10r22812: Fix bug #3024 (and also the group varient). Patch fromJeremy Allison2-6/+17
Johann Hanne <jhml@gmx.net> and also Kaya Bekiro?lu <kaya.bekiroglu@isilon.com> Jeremy. (This used to be commit c0ba891be06f49968317a90079554cfce2344f39)
2007-10-10r22794: Add "debug_state" and "silent" to pam_winbind.conf template. Honor ↵Günther Deschner1-0/+2
the silent argument when parsing pam configuration file options. Guenther (This used to be commit 5b4a4df26f32fe1947a0c4fb741a4cb89e308f92)
2007-10-10r22771: One liner fix for idmap_ldapSimo Sorce1-0/+1
Fixes the strange behavior we were seeing about idmap_ldap creating a new connection for each query. Jerry we need this in for 3.0.25 (This used to be commit 4fb3e0f65562059bd717ea28df701256e8fa9a77)
2007-10-10r22747: Fix some C++ warningsVolker Lendecke1-2/+2
(This used to be commit a66a04e9f11f6c4462f2b56b447bae4eca7b177c)
2007-10-10r22745: Add local groups to the --required-membership-sid test. This needsVolker Lendecke1-90/+62
merging to 3_0_26 once Michael's net conf changes have been merged. It depends on token_utils.c. (This used to be commit a99ab3a2ed44522054175f03b60e63fa05a0378a)
2007-10-10r22744: Fix a valgrind error. parse_domain_username does not necessarily fill inVolker Lendecke1-0/+3
the domain. (This used to be commit f4f0d7137758cc674876517590807cc3d634043d)