summaryrefslogtreecommitdiff
path: root/source3/nsswitch
AgeCommit message (Collapse)AuthorFilesLines
2003-07-31make sure the domain sid is set when enumerating trusted domainsGerald Carter1-1/+24
(we don't always get it back) (This used to be commit 6e8f23d1b1dd5122691cd9363a5c572fcab182af)
2003-07-31working on transtive trusts issue:Gerald Carter5-69/+154
* use DsEnumerateDomainTrusts() instead of LDAP search. wbinfo -m now lists all trusted downlevel domains and all domains in the forest. Thnigs to do: o Look at Krb5 connection trusted domains o make sure to initial the trusted domain cache as soon as possible (This used to be commit 0ab00ccaedf204b39c86a9e1c2fcac5f15d0e033)
2003-07-30Add a command line option (-S on|off|required) to enable signing on clientJeremy Allison1-1/+2
connections. Overrides smb.conf parameter if set. Jeremy. (This used to be commit 879309671df6b530e0bff69559422a417da4a307)
2003-07-26fix typo in debugGerald Carter1-1/+1
(This used to be commit ed61628d8b051049636f48ec4372b2e19090628c)
2003-07-25domain in schannel bind credentials must be the dest domain, not oursGerald Carter1-0/+5
(This used to be commit e12f6a8c13f27c3caea96b467cc4294e20dad341)
2003-07-25Make wbinfo -p work again. Fixes bug 251.Tim Potter1-1/+1
(This used to be commit ad4dd4909ffa29dbfbbd9a4f234e976fd253846b)
2003-07-23convert snprintf() calls using pstrings & fstringsGerald Carter4-16/+16
to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-23Move a function to avoid a warning.Tim Potter1-24/+24
(This used to be commit a3b4c57503e0966145b0adab247297e4c8e0f165)
2003-07-22Another round of uid/gid/pid format string changes I missed theTim Potter5-9/+9
first time. (This used to be commit 6616485dbad74dab7506609c6bfd183fc9c1f93c)
2003-07-22Fixup a bunch of printf-style functions and debugs to use unsigned long whenTim Potter8-76/+77
displaying pid_t, uid_t and gid_t values. This removes a whole lot of warnings on some of the 64-bit build farm machines as well as help us out when 64-bit uid/gid/pid values come along. (This used to be commit f93528ba007c8800a850678f35f499fb7360fb9a)
2003-07-22Replace the eight (!) copies of dummy become/unbecome root with a single one.Tim Potter1-14/+0
(This used to be commit 8b818ce381595cdcb36631a2440d6aa0038805f1)
2003-07-20Typo fixes.Rafal Szczesniak1-1/+1
(This used to be commit 85df8213fc67a9c8e8712cb64f27e5559dc11af9)
2003-07-16fixes for 'net rpc vampire'. I can now take a blank Samba hostGerald Carter2-17/+21
and migrate an NT4 domain and still logon from domain members (tested logon scripts, system policies, profiles, & home directories) (passdb backend = tdbsam) removed call to idmap_init_wellknown_sids() from winbindd.c since the local domain should be handled by the guest passdb backend (and you don't really always want the Administrator account to be root) ...and we didn't pay attention to this anyways now. (This used to be commit 837d7c54d3ca780160aa0d6a2f0a109bb691948e)
2003-07-15Add support for MSG_SMB_CONF_UPDATED and MSG_SHUTDOWN to all daemons (smbd, ↵Alexander Bokovoy1-4/+22
nmbd, winbindd). Reviewed by jerry and tridge. (This used to be commit 02c5e2fc6f0721ebd82a9e6a2b34190607de55fe)
2003-07-15remove -B and default to dual-daemon mode (-Y to run as a single process)Gerald Carter1-2/+2
(This used to be commit 369a914ebefd5625af19b76d71b502e5e13a7147)
2003-07-11patch for domain groups with no members (rpc only) from Ken CrossGerald Carter1-1/+1
(This used to be commit 05ec9c40f40be4d4dbb10b33e0def2374468ff8a)
2003-07-11fix sid_to_[uid|gid] (spotted by Volker).Gerald Carter1-70/+76
Still testing this, but I'm checking it in so Volker can test it as well. Should be right. (This used to be commit 8edf193722f699cc33baed410917a78a5e28d0a4)
2003-07-11moving more code around.Gerald Carter5-47/+350
* move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-10Just a few formatting fixed caught while testing.Rafal Szczesniak1-4/+0
rafal (This used to be commit 156554738cf4e4ffa5a811d9979acd19418e7908)
2003-07-10i guess i'm the only one this ever annyoed...Gerald Carter2-22/+105
fix the confusion when we tdb_lock_bystring() but we retrieve an entry using tdb_fetch_by_string. It's now always tdb.*bystring() (This used to be commit 66359531b89368939f0e8f584a45844b5f2f99e7)
2003-07-09Large set of changes to add UNIX account/group managementGerald Carter12-1059/+1430
to winbindd. See README.idmap-and-winbind-changes for details. (This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6)
2003-07-09fix linking issues in winbindd with become/unbecome_root() in passdb.cGerald Carter1-0/+14
(This used to be commit 389fe1e51abb533a781f69731a75771cb846d850)
2003-07-08fix some formattingGerald Carter1-25/+24
(This used to be commit fca08b1c8766ef1961a9dedc127224249cac9543)
2003-07-07and so it begins....Gerald Carter8-66/+179
* remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-07-03Removed strupper/strlower macros that automatically map to ↵Jeremy Allison4-6/+6
strupper_m/strlower_m. I really want people to think about when they're using multibyte strings. Jeremy. (This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
2003-07-03fix for bug #200. flush connections if the machine trsut accountGerald Carter1-1/+31
changed underneath us. (This used to be commit 6a1ad1ded1d619394ed4ca9e05fdffaa3b902b3b)
2003-07-01* fix the trustdom_cache to work when winbindd is not running.Gerald Carter1-0/+14
smbd will update the trustdom_cache periodically after locking the timestamp key (This used to be commit 7bc4b65b91f98271089335cc301146d5f0c76c3a)
2003-06-30* cleanup more DC name resolution issues in check_*domain_security()Gerald Carter1-68/+2
* is_trusted_domain() is broken without winbind. Still working on this. * get_global_sam_name() should return the workgroup name unless we are a standalone server (verified by volker) * Get_Pwnam() should always fall back to the username (minus domain name) even if it is not our workgroup so that TRUSTEDOMAIN\user can logon if 'user' exists in the local list of accounts (on domain members w/o winbind) Tested using Samba PDC with trusts (running winbindd) and a Samba 3.0 domain member not running winbindd. notes: make_user_info_map() is slightly broken now due to the fact that is_trusted_domain() only works with winbindd. disabled checks temporarily until I can sort this out. (This used to be commit e1d6094d066d4c16ab73075caba40a1ae6c56b1e)
2003-06-30* rename samstrict auth method to samGerald Carter3-79/+94
* rename original sam auth method to sam_ignoredomain * remove samstrict_dc auth method (now covered by 'sam') * fix wbinfo -a '...' and getent passwd bugs when running winbindd on a samba PDC (reported by Volker) (This used to be commit 52166faee793d337e045d64f7cb27ea7ac895f60)
2003-06-30fix for platforms that don't have unsetenv().Gerald Carter1-3/+7
we now have to check the value for _NO_WINBINDD. "1" enables, and != "1" disables (use "0" by convention). (This used to be commit 11eccaef1dc61d80a7db8d0fb4bc5a47d71a4390)
2003-06-30Fix more shadow variable warnings.Tim Potter1-20/+20
(This used to be commit 10c51bbef83dabd99f129fc7ff0e3fe47c393c67)
2003-06-29Here's the code to make winbindd work on a Samba DCGerald Carter4-18/+69
to handle domain trusts. Jeremy and I talked about this and it's going in as working code. It keeps winbind clean and solves the trust problem with minimal changes. To summarize, there are 2 basic cases where the deadlock would occur. (1) lookuping up secondary groups for a user, and (2) get[gr|pw]nam() calls that fall through the NSS layer because they don't exist anywhere. o To handle case #1, we bypass winbindd in sys_getgrouplist() unless the username includes the 'winbind separator'. o Case #2 is handled by adding checks in winbindd to return failure if we are a DC and the domain matches our own. This code has been tested using basic share connections, domain logons, and with pam_winbind (both with and without 'winbind use default domain'). The 'trustdomain' auth module should work as well if an admin wants to manually create UNIX users for acounts in the trusted domains. Other misc fixes: * we need to fix check_ntlm_password() to be able to determine if an auth module is authoritative over a user (NT_STATUS_WRONG_PASSWORD, etc...). I worked around my specific situation, but this needs to be fixed. the winbindd auth module was causing delays. * fix named server mutex deadlock between trust domain auth module and winbindd looking up a uid * make sure SAM_ACCOUNT gets stored in the server_info struct for the _net_sam_logon() reply. Configuration details: The recommended method for supporting trusts is to use winbind. The gets us around some of the server mutex issues as well. * set 'files winbind' for passwd: and group: in /etc/nsswitch.conf * create domain trusts like normal * join winbind on the pdc to the Samba domain using 'net rpc join' * add normal parameters to smb.conf for winbind * set 'auth method = guest sam winbind' * start smbd, nmbd, & winbindd Problems that remain: * join a Windows 2k/XP box to a Samba domain. * create a 2-way trust between the Samba domain and an NT domain * logon to the windows client as a user from theh trusted domain * try to browse server in the trusted domain (or other workstations). an NT client seems to work ok, but 2k and XP either prompt for passwords or fail with errors. apparanently this never got tested since no one has ever been able to logon as a trusted user to a Samba domain from a Windows client. (This used to be commit f804b590f9dbf1f0147c06a0a2f12e221ae6fc3b)
2003-06-28cleaning up after the s/in_addr/ip_service/ switch for the get_dc_list() patchGerald Carter1-6/+18
(This used to be commit 303fdc516c79b170d7c12fe2f6264d9636673347)
2003-06-27Some const correctness. Stop tdb being used as a remote backend. If anJeremy Allison1-1/+1
idmap backend is specified cause smbd to ask winbindd (use winbindd if you want a consistant remote backend solution). Should work well enough for next beta now... Jeremy. (This used to be commit 8f830c509af5976d988a30f0b0aee4ec61dd97a3)
2003-06-25* fix typos in a few debug statementsGerald Carter1-1/+1
* check negative connection cache before ads_try_connect() in ads_find_dc() (This used to be commit 2a76101a3a31f5fca2f444b25e3f0486f7ef406f)
2003-06-25large change:Gerald Carter3-33/+31
*) consolidates the dc location routines again (dns and netbios) get_dc_list() or get_sorted_dc_list() is the authoritative means of locating DC's again. (also inludes a flag to get_dc_list() to define if this should be a DNS only lookup or not) (however, if you set "name resolve order = hosts wins" you could still get DNS queries for domain name IFF ldap_domain2hostlist() fails. The answer? Fix your DNS setup) *) enabled DOMAIN<0x1c> lookups to be funneled through resolve_hosts resulting in a call to ldap_domain2hostlist() if lp_security() == SEC_ADS *) enables name cache for winbind ADS backend *) enable the negative connection cache for winbind ADS backend *) removes some old dead code *) consolidates some duplicate code *) moves the internal_name_resolve() to use an IP/port pair to deal with SRV RR dns replies. The namecache code also supports the IP:port syntax now as well. *) removes 'ads server' and moves the functionality back into 'password server' (which can support "hostname:port" syntax now but works fine with defaults depending on the value of lp_security()) (This used to be commit d7f7fcda425bef380441509734eca33da943c091)
2003-06-24Sequence number was not getting updated with ldap hack. Only a bug in thisJeremy Allison2-7/+4
branch. Jeremy. (This used to be commit 19629b41cb9b5e5f9e0d4a6d52af983a4d05c8cb)
2003-06-24Explain why winbindd is exiting.Jeremy Allison1-2/+4
Jeremy. (This used to be commit a411923aa2eba9dac49efb68ed31650c11b5c33d)
2003-06-24add tdb backup function separation and winbind idmap upgrade code formSimo Sorce2-0/+209
pre-2.2.4 tdb database format. tx volker for your work on this (This used to be commit 2bdbeb9e97a59ecd16f74fbb04ab5ca57b28a757)
2003-06-23* s/get_dc_name/rpc_dc_name/g (revert a previous change)Gerald Carter3-107/+20
* move back to qsort() for sorting IP address in get_dc_list() * remove dc_name_cache in cm_get_dc_name() since it slowed things down more than it helped. I've made a note of where to add in the negative connection cache in the ads code. Will come back to that. * fix rpcclient to use PRINTER_ALL_ACCESS for set printer (instead of MAX_ALLOWED) * only enumerate domain local groups in our domain * simplify ldap search for seqnum in winbindd's rpc backend (This used to be commit f8cab8635b02b205b4031279cedd804c1fb22c5b)
2003-06-23lp_security() is a function not an integerAndrew Tridgell1-1/+1
(This used to be commit 71907f32ba9c8700ba185b565a50c55a3a451758)
2003-06-23* set domain->last_status = NT_STATUS_SERVER_DISABLED on an ads_connect() ↵Gerald Carter4-30/+269
failure * Fix code to use winbind_rpc methods for trusted mixed mode or NT4 domains ( does no one ever test this? ) * add in LDAP code to get the sequence number for rpc based seqnum update. ( this is needed if the DC is upgraded and samba is not reconfigured to use security = ads; it's not pretty but it works (from app_head) ) * fix bug that caused us to enumerate domain local groups in domains other than our own (This used to be commit 14f2cd139a22454571cea8475d3b7c5c2787d378)
2003-06-22Found out a good number of NT_STATUS_IS_ERR used the wrong way.Simo Sorce4-18/+18
As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK This patch will cure the problem. Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is used correctly, but I'm not 100% sure, coders should check the use of NT_STATUS_IS_ERR() in samba is ok now. Simo. (This used to be commit c501e84d412563eb3f674f76038ec48c2b458687)
2003-06-21merge of the netsamlogon caching code from APPLIANCE_HEADGerald Carter8-143/+379
This replaces the universal group caching code (was originally based on that code). Only applies to the the RPC code. One comment: domain local groups don't show up in 'getent group' that's easy to fix. Code has been tested against 2k domain but doesn't change anything with respect to NT4 domains. netsamlogon caching works pretty much like the universal group caching code did but has had much more testing and puts winbind mostly back in sync between branches. (This used to be commit aac01dc7bc95c20ee21c93f3581e2375d9a894e1)
2003-06-18Remove the -A option of wbinfo, leaving only the long version,Jim McDonough1-1/+1
--set-auth-user. There was enough confusion, as in bug #158, when a user accidentally typed -A instead of -a, and would get themselves stuck with a non-working winbind. I've made the changes to docs/docbook/manpages/wbinfo.xml, but I'm not sure what to do beyond that. Is checking that in enough? (This used to be commit 70fe85e4698ce2c26372b050417986bf4a96680b)
2003-06-16Squelch one small compiler warningRichard Sharpe1-1/+2
(This used to be commit d9ac2540dd0d56d97625fa02e55a57a1f5ac4abf)
2003-06-16Fix some compiler warnings.Tim Potter1-2/+0
(This used to be commit eec1758e048f38e2ac48a7dda96b90a74ec95449)
2003-06-16made a debug statement more usefulAndrew Tridgell1-2/+3
(This used to be commit 3f7a24d183095a7e391fe35100a30fc572a8d769)
2003-06-13Forward port the app-head changes for dc name cache into 3.0.Jeremy Allison1-6/+1
Jeremy. (This used to be commit 8bcc3116a22ce11b55a35f3363230f54bc5735fc)
2003-06-10Add in rety loop for query_user_list (from APP_HEAD). Deals with a bugJeremy Allison2-5/+56
using MSRPC backend and should be safe with ldap backend. Jeremy. (This used to be commit 67535329a2df8986c2d1d85e25cd5c558ee61405)