Age | Commit message (Collapse) | Author | Files | Lines |
|
Nothing of major interest. Will fix a few problems with one way trusts.
(This used to be commit 3d48a7e72d9268fd495e0ca4b6e73bed5bb57214)
|
|
winbindd main function.
I have tested and somewhat extended the code, and it seems
to do a good job. I have possibly not caught all error
conditions though.
Michael
(This used to be commit 8c517f9aacef300e4280896e36ff71dc9aa35dc3)
|
|
use a helper function to construct the TDB_DATA key
as strlen_m() is totally wrong here anyway
metze
(This used to be commit fb77cc7fbc0100c66365109ae6c3cc4824079a2e)
|
|
(This used to be commit a8082a3c7c3d1e68c27fc3bf42f3d44402cc6f9f)
|
|
(This used to be commit caece8975b0c2bad56d6a6a576bf8ce54626183f)
|
|
(This used to be commit 330946ad2307ca34f0a8d068a0193fcb8a0d6036)
|
|
(This used to be commit 3fdfb5b7cdf25f4db7bbacb416523d75cab1b103)
|
|
Guenther
(This used to be commit dcf5375aa4b2488dccd64c3bbee90183d244bc09)
|
|
better
decide whether it's worth to register a krb5 ticket gain handler while users
logon offline.
Guenther
(This used to be commit 203391623b31bce71268c6e8fc955eab348e92f0)
|
|
fallback to ntlm
in the kerberized PAM_AUTH.
Guenther
(This used to be commit ef8f0d35040390f4bb49aab24ca4aad90ea47bc1)
|
|
(This used to be commit c8b98273406242a89a7e5d1fb5d79120ebe5822a)
|
|
(#if inside DEBUG macro not allowed...)
Michael
(This used to be commit f0570dc3d9e07475764e466901d4abfe939590f8)
|
|
(This used to be commit d909a6064159bc746bd558238e81d57cc274a162)
|
|
a global error flag an returning), so cleanups and returns
subsequent to calls of smb_panic_fn have become unnecessary.
(This used to be commit 9d2db8c70f10a9285abd4a61fa66ee8aff2e7e6b)
|
|
* Replaced signal catching/longjmp magic by a fork:
Let the child do the actual validation of the entries.
Exit code and signals are intercepted by waitpid.
* Fix logic so that also encounter of an unknown key in the
tdb leads to an error.
* Extended status of validation is kept in a (as yet simple)
stuct and communicated over a pipe from child to parent.
* Added two validation_ functions for two new keys.
The call of winbindd_validate_cache is still commented out
in the winbindd main loop. But I am currently testing it
and so far it seems to work fine.
The next step in my plan is to generalize the validation
mechanism to a tdb_open_log_validate function in lib/util_tdb.c.
There ist nothing very special about the cache tdb here,
and this might be useful elsewhere...
Michael
(This used to be commit 417325b9e6f9ac0afe1f2f3b552527788f6a7cee)
|
|
replace all data_blob(NULL, 0) calls.
(This used to be commit 3d3d61687ef00181f4f04e001d42181d93ac931e)
|
|
Johann Hanne <jhml@gmx.net> and also Kaya Bekiro?lu <kaya.bekiroglu@isilon.com>
Jeremy.
(This used to be commit c0ba891be06f49968317a90079554cfce2344f39)
|
|
the silent
argument when parsing pam configuration file options.
Guenther
(This used to be commit 5b4a4df26f32fe1947a0c4fb741a4cb89e308f92)
|
|
Fixes the strange behavior we were seeing about idmap_ldap creating
a new connection for each query.
Jerry we need this in for 3.0.25
(This used to be commit 4fb3e0f65562059bd717ea28df701256e8fa9a77)
|
|
(This used to be commit a66a04e9f11f6c4462f2b56b447bae4eca7b177c)
|
|
merging to 3_0_26 once Michael's net conf changes have been merged. It
depends on token_utils.c.
(This used to be commit a99ab3a2ed44522054175f03b60e63fa05a0378a)
|
|
the domain.
(This used to be commit f4f0d7137758cc674876517590807cc3d634043d)
|
|
Günther, please check this!
Thanks,
Volker
(This used to be commit 8a038b8cd3f43bb8743eda160b852efdbc80ed70)
|
|
Guenther
(This used to be commit 08a7ee8d968b493a17fd669f3dc6fed7abe3d36e)
|
|
patch.
This changes "struct process_id" to "struct server_id", keeping both is
just too much hassle. No functional change (I hope ;-))
Volker
(This used to be commit 0ad4b1226c9d91b72136310d3bbb640d2c5d67b8)
|
|
names"
and the username has been munged. Make sure to munge it back before
performing the change_password() request.
(This used to be commit ff025d451e165383ad7d524e0e8176d987554049)
|
|
(This used to be commit e8f9bd655829f671e9ce395aa9b4b94ff4bab36a)
|
|
take care not to expire the name2sid cache entry just because
that child does not know that the primary domain is offline.
(This used to be commit 0399f52a1cdbb1acf8d41afddf498529ff4923cf)
|
|
* Log the NTSTATUS when saving name/sid cache entry
* Allow the backend loolkup_usergroups() call in winbindd_{rpc,ads}.c
to inform the wcache manager that the group list should not be cached
(needed for one-way trusts).
(This used to be commit 693ab48408dbb775b57dcc5140e27ad9221852a1)
|
|
previous call was unsuccessful. needed for offline
logons.
(This used to be commit c3a8dc5d136e33b66849c38bfa910cd044cd521f)
|
|
Assume that "NO_DOMAIN_CONTROLLERS_FOUND" means that the domain
is offline.
(This used to be commit 30f9cc52bf8270652624c79691d147e05e476583)
|
|
settings from one trusted domain with no incoming trust path.
Guenther, I think this is ok as we only need the pw policy
to give feedback on upcoming expiration times.
(This used to be commit c79ae57388d087496777129d6936cd51aab38d5b)
|
|
for use by the require-membership-of pam_winbind option.
(This used to be commit 11f81c5997a014cca9d98c474e7870ebb07c4642)
|
|
(This used to be commit 32fd8558bd4531a745a04810a1cb6392dfab16a5)
|
|
to the idmap child.
Also remove the check for the global offline state in child_msg_offline()
as this means we cannot mark domains offline due to network outages.
(This used to be commit 1b99e8b521eae3e9fa775577de01116bb20fb8b3)
|
|
(a) Ignore the negative cache when the domain is offline
(b) don't delete expired entries from the cache as these
can be used when offline (same model as thw wcache entries)
(c) Delay idmap backend initialization when offline
as the backend routines will not be called until we go
online anyways. This prevents idmap_init() from failing
when a backend's init() function fails becuase of lack of
network connectivity
(This used to be commit 4086ef15b395f1a536fb669af2103a33ecc14de4)
|
|
and the krb5 tkt cache could not be created due to clock skew.
(This used to be commit 24616f7d6be40b090dc74851b1ea7d09d6976811)
|
|
is initialized.
(This used to be commit ef0304268284df7166ecd1b17328076e7ce40de9)
|
|
* Rely on the fact that name2sid will work for any name
in a trusted domain will work against our primary domain
(even in the absense of an incoming trust path)
* Only logons will reliably work and the idmap backend
is responsible for being able to manage id's without contacting
the trusted domain
* "getent passwd" and "getent group" for trusted users and groups
will work but we cannot get the group membership of a user in any
fashion without the user first logging on (via NTLM or krb5)
and the netsamlogon_cache being updated.
(This used to be commit dee2bce2af6aab8308dcef4109cc5248cfba5ef5)
|
|
need some fixing here for a Samba DC)
(This used to be commit 3d2123383d9dab6f0c8832e0f04238aa9a972c70)
|
|
daemon to manage the complete trusted domain cache
(This used to be commit 3a9152a2acfc7b615a5c6b8764ea9462443f00d1)
|
|
when calling the async lookupsid() routine
(This used to be commit 3d814862af7382a9ea56b2c8d3cc9a31dca4bdb6)
|
|
(This used to be commit aa2ac5a1944884586c9f7e97c3a0b1b6c418b554)
|
|
information return from our DC in the DsEnumerateDomainTrusts()
call. If the fails, we callback ot the older
connect-to-the-remote-domain method.
Note that this means we can only reliably expect the native_mode
flag to be set for our own domain as this information in not
available outside our primary domain from the trusted information.
This is ok as we only really need the flag when trying to
determine to enumerate domain local groups via RPC.
Use the AD flag rather than the native_mode flag when using
ldap to obtain the seq_num for a domain.
(This used to be commit 4b4148a9642f03b8f27dda2132708bcc0cbb3b8e)
|
|
(a) Query our primary domain for trusts
(b) Query all tree roots in our forest
(c) Query all forest roots in trusted forests.
This will give us a complete trust topology including
domains via transitive Krb5 trusts. We also store the
trust type, flags, and attributes so we can determine
one-way trusted domains (outgoing only trust path).
Patch for one-way trusts coming in a later check-in.
"wbinfo -m" now lists all domains in the domain_list() as held
by the main winbindd process.
(This used to be commit 9cf6068f1e0a1063d331af17aa493140497b96ef)
|
|
to use the same code path after we resolve the name/gid to
a SID. Use the async lookupname/lookupsid interface.
(This used to be commit d12b8147d6bd34fad680cb8705dc6d7bbea1db12)
|
|
same heuristic. First try our DC and then try a DC in the
root of our forest. Use a temporary state since
winbindd_lookupXXX_async() is called from various winbindd
API entry points.
Note this will break the compile. That will be fixed in the
next commit.
(This used to be commit b442644bac2a7d5853440254257ca34a8e7c25de)
|
|
list of trusted domains without requiring each winbindd process
to aquire this on its own. This is needed for various idmap
plugins and for dealing with different trust topoligies.
list_trusted_domain() patches coming next.
(This used to be commit 2da62a3d965a9701e16e644fd6bc728b43f28489)
|
|
Jerry, please add this for 3.0.25 final
(This used to be commit e04ca2d7f8ea2d4c70c2a35201a98c5ecd672d59)
|
|
to examine parse_misc.c fix.
Jeremy.
(This used to be commit 80d981265cd3bc9d73c5da3c514ec736e2dfa73a)
|