| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
getgrnam() for machine and domain local groups.
(This used to be commit 4d4c1eca30ce57b4072e9f8c59fcc49bf3a5c48e)
|
|
when verifying a ticket from winbindd_pam.c.
I've found during multiple, fast, automated SSH logins (such
as from a cron script) that the replay cache in MIT's krb5
lib will occasionally fail the krb5_rd_req() as a replay attack.
There seems to be a small window during which the MIT krb5
libs could reproduce identical time stamps for ctime and cusec
in the authenticator since Unix systems only give back
milli-seconds rather than the micro-seconds needed by the
authenticator. Checked against MIT 1.5.1. Have not
researched how Heimdal does it.
My thinking is that if someone can spoof the KDC and TDS
services we are pretty hopeless anyways.
(This used to be commit cbd33da9f78373e29729325bbab1ae9040712b11)
|
|
in the winbindd_getgrnam() call. Couple of comments:
* Adds "winbind expand groups" parameter which defines the
max depth winbindd will expand group members. The default
is the current behavior of one level of expansion.
* The entire getrgnam() interface should be async. I
haven't done that.
* Refactors the domain users hack in fill_grent_mem() into
its own function.
(This used to be commit 3d3a8130351753dc5caa2a270d130e2150da6b54)
|
|
kill call as that sets pid = 0 ! :-).
Jeremy.
(This used to be commit bcfce39094ef30a1d1ae4dba5a90738e2678bcbf)
|
|
to Jerry add to 3.0.25b.
Jeremy.
(This used to be commit ade91e78cbe2871d3a8df18fa1f92bc16a7600a8)
|
|
(This used to be commit 5b983957e3a0a05f77bfb8a10a7986c22b81088d)
|
|
there, do some reformatting.
Jeremy, I think we should also kill the child. It might hang in
something (an fcntl lock for example) that the next child might run into
immediately again.
(This used to be commit 6729a4df4b57f638161ec55f9b1edd0bc8bb947e)
|
|
winbindd: Exceeding 200 client connections, no idle connection found"
bug #3204. This fixes it in Jerry's testing !
Jeremy.
(This used to be commit 0c7ce6a68286fa98258828545fc869aaac19a028)
|
|
I'm 100% certain I've forgotten to merge something, but the main code
should be in. It's mainly in dbwrap_ctdb.c, ctdbd_conn.c and
messages_ctdbd.c.
There should be no changes to the non-cluster case, it does survive make
test on my laptop.
It survives some very basic tests with ctdbd enables, I did not do the
full test suite for clusters yet.
Phew...
Volker
(This used to be commit 15553d6327a3aecdd2b0b94a3656d04bf4106323)
|
|
init also in idmap_nss and idmap_passdb for coherency and to
prevent errors in future if we change the init functions to
actually do something and not just return NT_STATUS_OK
(This used to be commit 86f532c1b0cf7961b8331bb212c3ed2084fda3fc)
|
|
evaluation loop
Fixes one of the segfaults in bug #4667
(This used to be commit 176e1c0b692b9509a29bbbb2b35ad821dfb0d5aa)
|
|
the patch :-)
(This used to be commit 07b71a02aef15b75d281cabeb7140db1bc0bb283)
|
|
Guenther
(This used to be commit 23e25bba8fafb31492b517d63f0a00c5ec07d5da)
|
|
Herb).
Jeremy.
(This used to be commit dcb617e550c98de8a4bdcb9b1f7f78ba008fc138)
|
|
Jeremy.
(This used to be commit 8e83e4267260201777c753c4e3849d65fd20ae8f)
|
|
Michael
(This used to be commit 81c7d152b2cb8fafa3d510c3d35fb86bae1e0856)
|
|
as it brings in "replace.h" this will bring in "config.h"
metze
(This used to be commit d0b7b77fc437288d2e14099209bfd435bd7f1da4)
|
|
(This used to be commit cbd083efb9a00db68be24cde10b96da06390d970)
|
|
Setting it
to False makes winbind use RPC and not LDAP methods to connect to the DCs,
even when it figured out they are AD.
(This used to be commit 1c1f710e3e2e222c9d91a5650844c1db5ebd5a3a)
|
|
The clear text presentaion of the sid in the ldap expression
does work with w2k3 but not with w2k....
Thanks to Guenther for advising me of this issue.
Michael
(This used to be commit 7e6b0c19f816b52cca257c2837680e70f1af8594)
|
|
Hopfully, I have finally got this right... :-)
Michael
(This used to be commit 2190d838e49692fcba8f3a393dd30db937899fed)
|
|
wanted to do.
Michael
(This used to be commit f2adae8fc197be1e40769dbda27ee5b1085c3c64)
|
|
with talloc randomly failing.
Hey, shouldn't TALLOC_ARRAY _not_ return NULL when
requested to allocate an array with zero entries? :-)
Michael
(This used to be commit 7170d2e9f5381b405e0ea902d2b2463e5ca804e6)
|
|
And clean up unused stuff at the end.
Daringly, I use talloc_steal at some point, where it
appears natural to me.
Michael
(This used to be commit f2a29643bdb08bf026eaf974424f4eadfc920ca0)
|
|
by sid_string_static.
(This used to be commit ba3026dce02d554313647c3d6825bfe0d30d6ffc)
|
|
(This used to be commit c5929aa82b20e8a3877e6196c17bc9118cb399b0)
|
|
(This used to be commit bd90573fbb3ff243f343fcfc61b6228aa70b13e3)
|
|
started in r23070, r23072, r23073, r23078, r23081 and r23082:
After retrieving the list of sids with the extended dn
ldap query, instead of passing all sids to the lsa_lookup_sids
call, now while extracting the sids from the extended dn member
entries, we first try to lookup the sid from cache and only pass
the sids that were not in cache to the lsa_lookup_sids call.
Michael
(This used to be commit 5520c7d8557fe48957c2a85eaba8c3a0e9d8b9e2)
|
|
> Here's the problem I hit:
>
> getgrnam("foo") -> nscd -> NSS -> winbindd ->
> winbindd_passdb.c:nam_to_sid() -> lookup_global_sam_name() ->
> getgrnam("foo") -> nscd -> ....
>
> This is in the SAMBA_3_0 specifically but in theory could happen
> SAMBA_3_0_25 (or 26) for an unknown group.
>
> The attached patch passes down enough state for the
> name_to_sid() call to be able to determine the originating
> winbindd cmd that came into the parent. So we can avoid
> making more NSS calls if the original call came in trough NSS
> so we don't deadlock ? But you should still service
> lookupname() calls which are needed for example when
> doing the token access checks for a "valid groups" from
> smb.conf.
>
> I've got this in testing now. The problem has shown up with the
> DsProvider on OS X and with nscd on SOlaris and Linux.
(This used to be commit bcc8a3290aaa0d2620e9d391ffbbf65541f6d742)
|
|
winbind. With this and W2k3 DCs around it is possible to use
more than one winbind on the same machine account, because
NetSamLogonEx does not use the credentials chain.
I added the flag domain->can_do_samlogon_ex because this
only works against W2k3 and with schannel. The theory is to
try if we're AD and have schannel, and fall back to
NetSamLogon if this fails. can_do_samlogon_ex is thus a
protection against multiple failures.
Only checking into 3_0, this needs more review before going
into a production release.
Feel free to comment :-)
(This used to be commit f5d525399b0b03a3d0b223fe72ef0a8a631fc599)
|
|
were using
netr_GetDcAnyName all the time (which is the correct thing to do).
Fix the naming and opcode mixup in all branches.
Guenther
(This used to be commit def6464c872a5939f0028837254f2c019d2d71c8)
|
|
This removes message_block / message_unblock. I've talked to Jeremy and
Günther, giving them my reasons why I believe they have no effect.
Neither could come up with a counter-argument, so they go :-)
(This used to be commit a925e0991ffbaea4a533bab3a5d61e5d367d46c8)
|
|
(This used to be commit a7b9581a5c01b701129cdd5a7a330748f9e3859e)
|
|
(This used to be commit f1e8de4b576b3954d456cb64c02417908bab8da4)
|
|
as an error. (This is purely cosmetic here, issuing a success
message at the end.)
(This used to be commit 4d9e8c91dc387cef37ea9035ac4483916e854732)
|
|
(This used to be commit 86b6a41d5784a0214810c9cbc52ca5e99952898d)
|
|
(This used to be commit 2c64638934e83e5716e47986adbb1fa07c057486)
|
|
dn_lookup loop by a rpccli_lsa_lookupsids_all (see r23070)
call. This replaces one ldap search per member sid by one
rpc call per 1000 sids. This greatly speeds up groupmem
lookups for groups with lots of users.
Since the loop in lookup_groupmem was the only use of dn_lookup,
the function is removed.
Michael
(This used to be commit 88dac65ab1b951d445f0eedb638e9ace93139872)
|
|
doing this because for the clustering the marshalling is needed in more
than one place, so I wanted a decent routine to marshall a message_rec
struct which was not there before.
Tridge, this seems about the same speed as it used to be before, the
librpc/ndr overhead in my tests was under the noise.
Volker
(This used to be commit eaefd00563173dfabb7716c5695ac0a2f7139bb6)
|
|
check for IS_DC. Otherwise we will for example fail to lookup a
sid of S-1-22-1-780 because it has no valid struct winbindd_domain*
in the list. Thanks to Simo for the catch.
(This used to be commit f53aa56998411b90de238e12e9c3de7f2ff0d2b6)
|
|
to be able to handle SIDs in the S-1-22-{1,2} domain in order
for winbindd_sid_to_uid(), et. al. to succeed. For 3.0.25a,
we will short circuit in the sid_to_uid() family of functions
so that smbd is ok.
For 3.0.26, we need to allow winbindd to handle all types of SIDs.
(This used to be commit d70cec31965de41d3296c9b585ff0aea4f2bcffe)
|
|
Nothing of major interest. Will fix a few problems with one way trusts.
(This used to be commit 3d48a7e72d9268fd495e0ca4b6e73bed5bb57214)
|
|
winbindd main function.
I have tested and somewhat extended the code, and it seems
to do a good job. I have possibly not caught all error
conditions though.
Michael
(This used to be commit 8c517f9aacef300e4280896e36ff71dc9aa35dc3)
|
|
use a helper function to construct the TDB_DATA key
as strlen_m() is totally wrong here anyway
metze
(This used to be commit fb77cc7fbc0100c66365109ae6c3cc4824079a2e)
|
|
(This used to be commit a8082a3c7c3d1e68c27fc3bf42f3d44402cc6f9f)
|
|
(This used to be commit caece8975b0c2bad56d6a6a576bf8ce54626183f)
|
|
(This used to be commit 330946ad2307ca34f0a8d068a0193fcb8a0d6036)
|
|
(This used to be commit 3fdfb5b7cdf25f4db7bbacb416523d75cab1b103)
|
|
Guenther
(This used to be commit dcf5375aa4b2488dccd64c3bbee90183d244bc09)
|
|
better
decide whether it's worth to register a krb5 ticket gain handler while users
logon offline.
Guenther
(This used to be commit 203391623b31bce71268c6e8fc955eab348e92f0)
|
