Age | Commit message (Collapse) | Author | Files | Lines |
|
smbd, and also makes it much cleaner inside winbindd.
It is mostly my code, with a few changes and testing performed by Alexander
Bokovoy <a.bokovoy@sam-solutions.net>. ab has tested it in security=domain and
security=ads, but more testing is always appricatiated.
The idea is that we no longer cart around a 'domain\user' string, we keep them
seperate until the last moment - when we push that string into a pwent on onto
the socket.
This removes the need to be constantly parsing that string - the domain prefix
is almost always already provided, (only a couple of functions actually changed
arguments in all this).
Some consequential changes to the RPC client code, to stop it concatonating the
two strings (it now passes them both back as params).
I havn't changed the cache code, however the usernames will no longer have a
double domain prefix in the key string. The actual structures are unchanged
- but the meaning of 'username' in the 'rid' will have changed. (The cache is
invalidated at startup, so on-disk formats are not an issue here).
Andrew Bartlett
(This used to be commit e870f0e727952aeb8599cf93ad2650ae56eca033)
|
|
Jeremy.
(This used to be commit 1bd96b3094b530c3426b22b6f891c7fc055e7033)
|
|
(This used to be commit 6b123adda901ff05b0271eeda060297448f64eec)
|
|
<a.bokovoy@sam-solutions.net>.
The idea is the domain\username is rather harsh for unix systems - people don't
expect to have to FTP, SSH and (in particular) e-mail with a username like
that.
This 'corrects' that - but is not without its own problems.
As you can see from the changes to files like username.c and wb_client.c (smbd's
winbind client code) a lot of assumptions are made in a lot of places about
lp_winbind_seperator determining a users's status as a domain or local user.
The main change I will shortly be making is to investigate and kill off
winbind_initgroups() - as far as I know it was a workaround for an old bug in
winbind itself (and a bug in RH 5.2) and should no longer be relevent.
I am also going to move to using the 'winbind uid' and 'winbind gid' paramaters
to determine a user/groups's 'local' status, rather than the presence of the
seperator.
As such, this functionality is recommended for servers providing unix services,
but is currently less than optimal for windows clients.
(TODO: remove all references to lp_winbind_seperator() and
lp_winbind_use_default_domain() from smbd)
Andrew Bartlett
(This used to be commit 07a21fcd2311d2d9b430b99303e3532a8c1159e4)
|
|
(This used to be commit 4fcaec53de18220ff6662f62a1430f67757cdcc5)
|
|
after further testing in 2.2 branch.
(This used to be commit d5cdbc7e4ff48273bd7616694eef98c61e6f1f33)
|
|
memory.
The winbind connection caching code isn't exactly a plesent beast, and there is
more work that needs to be done to nail this properly.
Andrew Bartlett
(This used to be commit dd40ce54b7f170854d63e08ac737f1b4306bd95b)
|
|
to move this from being a static to matching its mate in lib/util_sock.c.
In any case, this should discorage anybody from using the 'wrong' version of
this function. (ie the one from TNG, which needs a bit more error checking
depending on use).
Andrew Bartlett
(This used to be commit e6a3a01f795a85d908180ff19469ce09a2803512)
|
|
This work was sponsored by Optifacio Software Services, Inc.
Andrew Bartlett
(various e-mails announcements merged into some form of commit message below:)
This patch which adds basics of universal groups support
into Samba 3. Currently, only Winbind with RPC calls supports this, ADS
support requires additional (possibly huge) work on KRB5 PAC. However,
basic infrastructure is here.
This patch adds:
1. Storing of universal groups for particular user logged into Samba
software (smbd/ two winbind-pam methods) into netlogon_unigrp.tdb as array
of uint32 supplemental group rids keyed as DOMAIN_SID/USER_RID in tdb.
2. Fetching of unversal groups for given user rid and domain sid from
netlogon_unigrp.tdb.
Since this is used in both smbd and winbindd, main code is in
source/lib/netlogon_uingrp.c. Dependencies are added to AUTH_OBJ as
UNIGRP_OBJ and WINBINDD_OBJ as UNIGRP_OBJ.
This patch has had a few versions, the final version in particular:
Many thanks to Andrew Bartlett for critics and comments, and partly
rewritten code.
New:
- updated fetching code to changed byte order macros
- moved functions to proper namespace
- optimized memory usage by reusing caller's memory context
- enhanced code to more follow Samba coding rules
Todo:
- proper universal group expiration after timeout
(This used to be commit 80c2aefbe7c1aa363dd286a47d50c5d8b4595f43)
|
|
with the local machine time changing
(This used to be commit 116c0a0e3baa6a100a816f1ff2722782941ac3dc)
|
|
when switching from rpc to ADS this now should make sense
(This used to be commit ec73d26c7f9a2bbd4b91e9c22850e032b91666e2)
|
|
the list received at startup or we get an out of date list. I thought
there might be some sequence number that is incremented when a trusted
domain is added or removed - perhaps there is but I just haven't found it
yet.
- Renamed get_domain_info() to init_domain_list()
- Made an accessor function to return the list of trusted domains rather
than using a global so we don't have to remember to put a magic init
function
- The getent state can not keep a pointer to a winbind_domain structure as
it may be freed if init_domain_list() is called again so we keep the
domain name instead
(This used to be commit 37216c649a394b449eaaaa6644709eafb3bf37ff)
|
|
(This used to be commit da4db0373b65d975d5129715d6b1fa725b188766)
|
|
swedish" test to client calls. This is putting a length field at the
start of a request so we can disconnect clients talking with an out of date
libnss_winbind.so rather than deadlock them.
Misc cleanups:
- made some int values uint32
- moved WINBIND_INTERFACE_VERSION to start of cmd list
(This used to be commit a4af65b9b93671f13f277d49279a85042a8fd1d5)
|
|
of a define you need to grep for the old name and change ALL places.
(This used to be commit 09e3276fb7207dff73f181072851bd542fb64263)
|
|
smb.conf to get it right.
While wb_client needs its lp_load() for samba dependency reasons, it now uses
the new method both to example and test the new code.
Also add an interface version function, and return the winbind's samba version
string.
In preperation for default domains, its now up to winbindd to reject plaintext
auths that don't have a seperator, but NTLM (CRAP) auths now have two feilds,
hence need parsing.
Andrew Bartlett
(This used to be commit 2bd2a092ee3d49a74d896385688d7c7256aa297e)
|
|
It adds a 'ping' request, just to check winbind is in fact alive
It also changes winbindd_pam_auth_crap to take usernames and domain seperatly.
(backward incompatible change, needs merge to 2.2, but this is not yet released
code, so no workarounds)
Finally, it adds some debugs and fixes a few memory leaks (uses talloc to do
it).
Andrew Bartlett
(This used to be commit 6df29bfe335144a968f5367f624ef2b4cf9e69b0)
|
|
when they are added or removed on the PDC.
- renamed GETPWNAM_FROM_{UID,USER} constants and functions to GETPW{NAM,UID}
- renamed GETGRNAM_FROM_{GID,GROUP} constants and functions to GETGR{NAM,GID}
- use SIGUSR2 in winbindd for debugging/logging instead of SIGUSR1 in
preparation for moving to smbcontrol type messages (not sure whether to
ditch this altogether or not)
- tidy debugging messages in top level winbind user and group routines
- convert talloc_init() to talloc_init_named()
- make enumerations of the domain list use the same local variable names
(This used to be commit eeb8af9c1a66bfcd80823d7b406acbab79857a16)
|
|
Jeremy.
(This used to be commit a99e0cec1e2596c5bc89932e64de301f3fb9ae86)
|
|
Jeremy.
(This used to be commit 1f12e310e5d8b01d3d29132d1bb1f41196165f7f)
|
|
Jeremy.
(This used to be commit 012a9144124b5bde5fb1fe12c6147f32ccf2046e)
|
|
defined. This is done with --enable-developer mode.
(This used to be commit caff5dc1d66953cb52f94cd6407778b23e1810eb)
|
|
Also removed the dependency on auth_util.o, which makes things nicer.
Finally, this kills off the NECESSARY_BECAUSE_SAMBA_DEPENDENCIES_ARE_SO_BROKEN_OBJ
makefile variable - becouse Samba dependencies are starting to be sane again!
Andrew Bartlett
(This used to be commit 4609edcac3b70c11025f0c5aa0ddbeed93369c84)
|
|
signal management.
Jeremy.
(This used to be commit fffae94dd5699f44c0b1c8081587deafd89b3fc0)
|
|
(This used to be commit 52e9d2c383371e64e498bbdb4a3f0e8583ca77a0)
|
|
(This used to be commit 20c5f042e3bb79ff96a993c70b843908dcfafb65)
|
|
smbd/nmbd behaviour.
(This used to be commit 54d276561524213302e7bb2d759d7d4082fd6e8a)
|
|
(This used to be commit ff002a458afa6ca378f0c6d2ec9fb74233c839a7)
|
|
Fixed winbindd to finally stop leaving log. file droppings :-).
Jeremy.
(This used to be commit 0bea6cf79a44f79fa3a4f2c8381e898e79c66509)
|
|
Jeremy.
(This used to be commit 057e91c1c3833516d03b492f3ebe489d8216a0ba)
|
|
(This used to be commit 412e79c448bf02e3097b5c14a36fe0172d8d2895)
|
|
(This used to be commit 1bf5c1a46f4c3f44054ce8fcbc551cdb72683f2b)
|
|
domain is ADS
(This used to be commit e97b40e09427c2c5f0a497f9432af08d6d6762f2)
|
|
(This used to be commit 05a90a28843e0d69183a49a76617c5f32817df16)
|
|
the method used for checking if a domain is a trusted domain is very
crude, we should really call a backend fn of some sort. For now I'm
using winbindd to do the dirty work.
(This used to be commit adf44a9bd0d997ba4dcfadc564a29149531525af)
|
|
- gss error code patch from a.bokovoy@sam-solutions.net
- better sid dumping in ads_dump
- fixed help in wbinfo
(This used to be commit ee1c3e1f044b4ef62169ad74c5cac40eef81bfda)
|
|
(This used to be commit 2c54cfbc475cd22d0e906898a07d4e0576c64c80)
|
|
Jeremy.
(This used to be commit 59e01a22c5cb1046758c8cd6b09333c19d6cd26e)
|
|
(This used to be commit 7db718d44a62aee9610a9dfd9e671345a0ea7737)
|
|
(This used to be commit 564bfd77287b3006c7246065990ca9b91f79826a)
|
|
(This used to be commit fe0db4c55f8bfc70004edd60a29359337fa40723)
|
|
(This used to be commit 6194f874bbc50cb40228b29fb783a7716104b824)
|
|
added multiple include protection
added IRIX defines
(This used to be commit b9dbb38bf2d1fbe1ca5d0aa53b89f76844d6209c)
|
|
Winbind separators other than backslash didn't work.
(This used to be commit 6688781331e046adc77783792fc009cda7c8b5b8)
|
|
(This used to be commit b110f57e49bcb4e3c648020850ee18d1888b9152)
|
|
(This used to be commit 87090652460e57703b40f21e9ed08c18770b61c3)
|
|
IPC$ connections to domain controllers.
(This used to be commit 1217ef28a6c18c085fcb2eac3bf04866c166d959)
|
|
Added a --set-auth-user function to set a username and password that can be
used by winbindd when making connections to domain controllers. This is
necessary when restrictions have been placed on anonymous connections
either through the RestrictAnonymous registry setting, or the win2k Local
Security Policy -> Security Settings -> Local Policies -> Security Options
-> Additional restrictions for anonymous connections. (phew)
Two new keys are set in secrets.tdb: SECRETS/AUTH_USER and
SECRETS/AUTH_PASSWORD which hold the username and plaintext password of the
user to connect as.
To reset these values, run wbinfo --set-auth-user ""
(This used to be commit 507003522b70443f79b8b69a836dcd38d309cfca)
|
|
I tried testing this by lowering the buffer size in
cli_samr_enum_dom_groups() but that didn't work - I think this needs
more looking into
(This used to be commit 34328e30315e4b42087d0ee11ed0c3fb715bc250)
|
|
(This used to be commit 1c909afe76566807fb576c965eb869f98e72f2bd)
|