summaryrefslogtreecommitdiff
path: root/source3/nsswitch
AgeCommit message (Collapse)AuthorFilesLines
2002-09-17Reverted my earlier change. It was incorrect. We must be protected byJeremy Allison1-5/+4
pidfile before doing secrets_init(). Jeremy. (This used to be commit f8a0e6ad8b25d405ff2bcb492974d2f0bef81036)
2002-09-17Only create the pidfile once we're ready to receive requests.Jeremy Allison1-3/+5
This allows external programs to correctly synchronise with us. Jeremy. (This used to be commit ffb7632d05191342ecfc5f78fbfd7beacfe257ad)
2002-09-17Add clock skew handling to our kerberos code. This allows us to cope withAndrew Tridgell1-1/+1
the DC being out of sync with the local machine. (This used to be commit 0d28d769472ea3b98ae4c8757093dfd4499f6dd1)
2002-09-15Put unixsocket calls between #ifdef HAVE_UNIXSOCKET's - required for Stratus VOSJelmer Vernooij1-0/+4
(Double checked) (This used to be commit dc3c14fc2b661a62a1876149e96af6de07a2c4a6)
2002-09-12Merge undone cleanups.Tim Potter3-26/+27
(This used to be commit d87c1f507d38444e627bce59b6c765d9c9479ac6)
2002-09-12Merge of winbind auth cleanups from appliance.Tim Potter3-30/+34
(This used to be commit 26d486aa740e283f546efc1f2ca40af3452a4f52)
2002-09-12Merge of cut&paste fix from appliance.Tim Potter1-1/+1
(This used to be commit f75d61b03a3377f3a791b56fc307dc7e56e4707a)
2002-09-12Spelling fix.Tim Potter1-2/+2
(This used to be commit d9fa865e5ce8ba0b7539f9a218fc7dd132eb3d38)
2002-09-11Put pid number in invalid request size debug.Tim Potter1-2/+2
(This used to be commit e63afabf98350353fac79ffc2ae2ddf88d61260f)
2002-09-11Bugfix merge:Tim Potter1-0/+1
>Initialise user_rid value in WINBIND_USERINFO structure returned by >the rpc version of query_user(). This fixes a caching bug found by >Gavrie Philipson from disksite. (This used to be commit 77bde1fa33cc387accda8f38bf654377310f5dbe)
2002-09-07This is the 'main' inclue for for winbind clients - all clients should includeAndrew Bartlett1-0/+16
only this file, and not any others. It includes the function prototypes. (Forgot to commit with earlier patch) Andrew Bartlett (This used to be commit 3ec3861445e7da1347c3b5ba180b33441f59640c)
2002-09-07Don't leak file desciptors in this (impossible?) error case.Andrew Bartlett1-0/+1
(This used to be commit b440418f13b840860be42690bf475c1ee3cb3647)
2002-09-07Winbind client-side cleanups.Andrew Bartlett6-37/+94
The global winbind file descriptor can cause havoc in some situations - particulary when it becomes 0, 1 or 2. This patch (based on some very nice work by Hannes Schmidt <mail@schmidt-net.via.t-online.de>) starts to recitfy the problem by ensuring that the close-on-exec flag is set, and that we move above 3 in the file descriptor table. I've also decided that the PAM module can close it's pipe handle on every request - this isn't performance-critical code. The next step is to do the same for nss_winbind. (But things like getent() might get in our way there). This also cleans up some function prototypes, puts them in just one place. Andrew Bartlett (This used to be commit 442eb39657b98f67cd229ed3110b63aae8bf4e3c)
2002-09-06Patch from "Stefan (metze) Metzmacher" <metze@metzemix.de>Andrew Bartlett1-4/+4
to extend the ADS_STATUS system to include NTSTATUS, and to provide a better general infrustructure for his sam_ads work. I've also added some extra failure mode DEBUG()s to parts of the code. NOTE: The ADS_ERR_OK() macro is rather sensitive to braketing issues - without the final set of brakets, the test is essentially inverted - causing some intersting 'error = success' messages... Andrew Bartlett (This used to be commit 5b9a7ab901bc311f3ad08462a8a68d133c34a8b4)
2002-09-04Quietened some debugs.Tim Potter1-2/+2
(This used to be commit ea26b3e8efcb83e16f7eb5add031a8df99046a69)
2002-08-30added cli_net_auth_3 client code.Jean-François Micouleau1-3/+3
changed cli_nt_setup_creds() to call cli_net_auth_2 or cli_net_auth_3 based on a switch. pass also the negociation flags all the way. all the places calling cli_nt_setup_creds() are still using cli_net_aut2(), it's just for future use and for rpcclient. in the future we will be able to call auth_2 or auth_3 as we want. J.F. (This used to be commit 4d38caca40f98d0584fefb9d66424a3db5b5789e)
2002-08-29fix connecting to a BDC when the PDC is down but in WINS and no bcastAndrew Tridgell1-5/+3
can be used to find a BDC 2nd try .... (This used to be commit f757223ebe88148b83e1a32b87c014c15c0a68dd)
2002-08-29fix connecting to a BDC when the PDC is down but in WINS and no bcastAndrew Tridgell1-0/+7
can be used to find a BDC (This used to be commit e95d8e2c9ee5cf22b628f3e0d99fb74bcc632ea0)
2002-08-29Use popt for --helpJelmer Vernooij1-54/+24
(This used to be commit 073106ad25fba8c8aaa57c296ce8e7cb7b3e3e97)
2002-08-27Fix typo in debug.Tim Potter1-1/+1
(This used to be commit 86433a3492a3b70a051257940ae28ada8788a650)
2002-08-23Moved calculation of secure channel type into a new function.Tim Potter1-4/+3
(This used to be commit b8dba26978c281259e02b9d6ebacaa7cba4f7787)
2002-08-21Patch from Paul Green <Paul.Green@stratus.com> to be more POSIX-compatibleJelmer Vernooij1-0/+4
(This used to be commit addf29e6765393b25c35bd833d29e29e4581c233)
2002-08-18be a bit more paranoid about not getting duplicate domain names (canAndrew Tridgell1-2/+8
happen when the LDAP call to get the flatname for the primary domain fails) (This used to be commit 8d40f34e2f5188f15f414e807d023bfea7bd8c8e)
2002-08-17Becouse of changes to the meaning of this feild over time, this doesn'tAndrew Bartlett1-17/+0
actually work. Also, the idea of 'loopback winbind' isn't that bad an idea anyway (potential PDC/BDC applications). Given all that, remove it... Andrew Bartlett (This used to be commit fc0d6e53fce1d05b16ec58c0bdc38aa8da4422c0)
2002-08-16Merge of netbios namecache code from APPLIANCE_HEAD.Tim Potter1-0/+2
Tridge suggested a generic caching mechanism for Samba to avoid the proliferation of little cache files hanging around limpet like in the locks directory. Someone should probably implement this at some stage. (This used to be commit dad31483b3bd1790356ef1e40ac62624a403bce8)
2002-08-07Add some more const :-)Andrew Bartlett1-3/+3
This also makes it a easier to see which paramaters are 'in', and which are 'out'. Andrew Bartlett (This used to be commit 122cf648d7f364c68ecb7a576a42e94a954e9e56)
2002-08-05fixed wbinfo -t for netbiosless domainsAndrew Tridgell1-1/+7
(This used to be commit 68e70b000b273ba72206c87ad1efd6efc2c7c487)
2002-08-05This fixes a number of ADS problems, particularly with netbioslessAndrew Tridgell6-125/+172
setups. - split up the ads structure into logical pieces. This makes it much easier to keep things like the authentication realm and the server realm separate (they can be different). - allow ads callers to specify that no sasl bind should be performed (used by "net ads info" for example) - fix an error with handing ADS_ERROR_SYSTEM() when errno is 0 - completely rewrote the code for finding the LDAP server. Now try DNS methods first, and try all DNS servers returned from the SRV DNS query, sorted by closeness to our interfaces (using the same sort code as we use in replies from WINS servers). This allows us to cope with ADS DCs that are down, and ensures we don't pick one that is on the other side of the country unless absolutely necessary. - recognise dnsRecords as binary when displaying them - cope with the realm not being configured in smb.conf (work it out from the LDAP server) - look at the trustDirection when looking up trusted domains and don't include trusts that trust our domains but we don't trust theirs. - use LDAP to query the alternate (netbios) name for a realm, and make sure that both and long and short forms of the name are accepted by winbindd. Use the short form by default for listing users/groups. - rescan the list of trusted domains every 5 minutes in case new trust relationships are added while winbindd is running - include transient trust relationships (ie. C trusts B, B trusts A, so C trusts A) in winbindd. - don't do a gratuituous node status lookup when finding an ADS DC (we don't need it and it could fail) - remove unused sid_to_distinguished_name function - make sure we find the allternate name of our primary domain when operating with a netbiosless ADS DC (using LDAP to do the lookup) - fixed the rpc trusted domain enumeration to support up to approx 2000 trusted domains (the old limit was 3) - use the IP for the remote_machine (%m) macro when the client doesn't supply us with a name via a netbios session request (eg. port 445) - if the client uses SPNEGO then use the machine name from the SPNEGO auth packet for remote_machine (%m) macro - add new 'net ads workgroup' command to find the netbios workgroup name for a realm (This used to be commit e358d7b24c86a46d8c361b9e32a25d4f71a6dc00)
2002-07-31Winbind updates!Andrew Bartlett7-29/+151
This updates the 'winbind' authentication module and winbind's 'PAM' (actually netlogon) code to allow smbd to cache connections to the DC. This is particulary relevent when we need mutex locks already - there is no parallelism to be gained anyway. The winbind code authenticates the user, and if successful, passes back the 'info3' struct describing the user. smbd then interprets that in exactly the same way as an 'ntdomain' logon. Also, add parinoia to winbind about null termination. Andrew Bartlett (This used to be commit 167f122b670d4ef67d78e6f79a2bae3f6e8d67df)
2002-07-31support netbiosless search for the DC using ADS in the winbindd AUTHAndrew Tridgell1-58/+110
code. (This used to be commit 3929532e3bfb98b925d73d331c8cbb319fdc8b9a)
2002-07-30Fixed for memory leak in connection caching code when a dc isTim Potter1-1/+13
permanently down. Found by Dan Coppock. (This used to be commit 13c0cc830e3d787a0c3a1aedd47641597026541e)
2002-07-24Add another message rather than 'internal module error'Andrew Bartlett1-0/+4
Andrew Bartlett (This used to be commit e09c4bd69aaec0dc43b5bf69f651cbfad3c5f4ad)
2002-07-21Another smattering of static and constAndrew Bartlett2-8/+8
(This used to be commit 897cc4a610932e596f8a9807213166e380ef0203)
2002-07-21Renamed all the new_cli_netlogon_* functions to cli_netlogon_*Tim Potter1-2/+2
as they're no longer new! (This used to be commit 277f6bbb9a63541a473a80a7994e9bde5c6f22dc)
2002-07-21Compilers do find bugs :-)Andrew Bartlett1-2/+1
This was a mixup between the enum type NSS_STATUS and a BOOL (extra test for equality). Andrew Bartlett (This used to be commit 63b7820b6585608c0ebb582ec8b28ed3c949a1f4)
2002-07-20Try to fix up warnings - particularly on the IRIX 64 bit compiler (which had aAndrew Bartlett3-5/+5
distinction between uchar and char). Lots of const etc. Andrew Bartlett (This used to be commit 8196ee908e10db2119e480fe1b0a71b31a16febc)
2002-07-15fixed a number of real bugs found by warnings on the 64 bit irix compilerAndrew Tridgell1-4/+4
(This used to be commit 04de6bbc8055e5547af41b10e284b722f40e726d)
2002-07-14after thinking about the env variable hack for avoiding group membershipAndrew Tridgell1-14/+20
enumeration I realised it could be a security hole for setuid progs. This adds a proper nss function instead. (This used to be commit c7c49d87af5e9a0bef058e6d79188d8b11fefc02)
2002-07-14this is a trick to work around the fact that posix does not supplyAndrew Tridgell6-9/+53
a getgr*() function that lists groups without numerating all the group members. Instead of definiing a new nss method (which might cause problems) I added an environment variable WINBIND_GETGRLST that tells winbind not to fill in the group members in a gergrent() request. This can speed up group listing by a factor of 20 or more (on my test system with 50000 groups it reduces the time from an hour to 2 minutes) (This used to be commit e3f73256d31ab9914daae49f41e984a534996870)
2002-07-13I just noticed that I never added my copyright when I messed with thisAndrew Bartlett1-0/+1
previously. Fix that. Andrew Bartlett (This used to be commit c552910477f0baca4d2173c2bdf4748de3c3b8ad)
2002-07-11Usage fixes from APPLIANCE_HEAD.Tim Potter1-1/+2
(This used to be commit 952d722a3bba15b7a10b4cbabb5548f4dde682d7)
2002-07-11Merge of init_domain_list() fix from APPLIANCE_HEAD.Tim Potter1-3/+0
(This used to be commit 66c9cab369e38284c71572bfb3643538e253a451)
2002-07-11this implements a completely new strategy for fetching groupAndrew Tridgell1-33/+83
membership from an ADS server. We now use a 'member' query on the group and do a separate call to convert the resulting distinguished name to a name, rid etc. This is *much* faster for very large numbers of groups (on a quantum test system with 10000 groups it drops the time from an hour to about 35 seconds). strangely enough, this actually *increases* the amount of ldap traffic, its just that the MS LDAP server answers these queries much faster. (This used to be commit 5538048e4f6dd224b2990f3c6a3e99fd07065f77)
2002-07-03Kill off codepage related stuff, now we don't use codepages any more.Andrew Bartlett1-4/+0
Andrew Bartlett (This used to be commit d1ca2b9f23ce701eb6b6becafb1acd813fc8fc3a)
2002-07-01used findstatic.pl to make some variables static and remove some deadAndrew Tridgell1-1/+1
code (This used to be commit 91ad9041e9507d36eb3f40c23c5d4df61f139ef0)
2002-07-01fixed a bug handling startup when the ads server is not contactableAndrew Tridgell1-1/+1
(This used to be commit dbfd4e5101599bcb85600e4c5c93ce5390b9aa91)
2002-06-27The next phase in the WINS rewrite!Andrew Tridgell1-2/+0
We now cope wiith multiple WINS groups and multiple failover servers for release and refresh as well as registration. We also do the regitrations in the same fashion as W2K does, where we don't try to register the next IP in the list for a name until the WINS server has acked the previos IP. This prevents us flooding the WINS server and also seems to make for much more reliable multi-homed registration. I also changed the dead WINS server code to mark pairs of IPs dead, not individual IPs. The idea is that a WINS server might be dead from the point of view of one of our interfaces, but not another, so we need to keep talking to it on one while moving onto a failover WINS server on the other interface. This copes much better with partial LAN outages and weird routing tables. (This used to be commit 313f2c9ff7a513802e4f893324865e70912d419e)
2002-06-26This commit finally gives us multiple wins server groups. We nowAndrew Tridgell2-33/+17
accept an extended syntax for 'wins server' like this: wins server = group1:192.168.2.10 group2:192.168.3.99 group1:192.168.0.1 The tags before the IPs don't mean anything, they are just a way of grouping IPs together. If you use the old syntax (ie. no ':') then an implicit group name of '*' is used. In general I'd recommend people use interface names for the group names, but it doesn't matter much. When we register in nmbd we try to register all our IPs with each group of WINS servers. We keep trying until all of them are registered with every group, falling back to the failover WINS servers for each group as we go. When we do a WINS lookup we try each of the WINS servers for each group. If a WINS server for a group gives a negative answer then we give up on that group and move to the next group. If it times out then we move to the next failover wins server in the group. In either case, if a WINS server doesn't respond then we mark it dead for 10 minutes, to prevent lengthy waits for dead servers. (This used to be commit e125f06058b6b51382cf046b1dbb30728b8aeda5)
2002-06-25Update cli_full_connection() to take a 'flags' paramater, and try to get aAndrew Bartlett1-1/+1
few more places to use it. Andrew Bartlett (This used to be commit 23689b0746d5ab030d8693abf71dd2e80ec1d7c7)
2002-06-25Add a couple more DEBUG()s to winbindd.Andrew Bartlett1-4/+9
Andrew Bartlett (This used to be commit 3b2464ffdad5e64a05e227b50116cb59f6d34204)