summaryrefslogtreecommitdiff
path: root/source3/nsswitch
AgeCommit message (Collapse)AuthorFilesLines
2003-06-30* cleanup more DC name resolution issues in check_*domain_security()Gerald Carter1-68/+2
* is_trusted_domain() is broken without winbind. Still working on this. * get_global_sam_name() should return the workgroup name unless we are a standalone server (verified by volker) * Get_Pwnam() should always fall back to the username (minus domain name) even if it is not our workgroup so that TRUSTEDOMAIN\user can logon if 'user' exists in the local list of accounts (on domain members w/o winbind) Tested using Samba PDC with trusts (running winbindd) and a Samba 3.0 domain member not running winbindd. notes: make_user_info_map() is slightly broken now due to the fact that is_trusted_domain() only works with winbindd. disabled checks temporarily until I can sort this out. (This used to be commit e1d6094d066d4c16ab73075caba40a1ae6c56b1e)
2003-06-30* rename samstrict auth method to samGerald Carter3-79/+94
* rename original sam auth method to sam_ignoredomain * remove samstrict_dc auth method (now covered by 'sam') * fix wbinfo -a '...' and getent passwd bugs when running winbindd on a samba PDC (reported by Volker) (This used to be commit 52166faee793d337e045d64f7cb27ea7ac895f60)
2003-06-30fix for platforms that don't have unsetenv().Gerald Carter1-3/+7
we now have to check the value for _NO_WINBINDD. "1" enables, and != "1" disables (use "0" by convention). (This used to be commit 11eccaef1dc61d80a7db8d0fb4bc5a47d71a4390)
2003-06-30Fix more shadow variable warnings.Tim Potter1-20/+20
(This used to be commit 10c51bbef83dabd99f129fc7ff0e3fe47c393c67)
2003-06-29Here's the code to make winbindd work on a Samba DCGerald Carter4-18/+69
to handle domain trusts. Jeremy and I talked about this and it's going in as working code. It keeps winbind clean and solves the trust problem with minimal changes. To summarize, there are 2 basic cases where the deadlock would occur. (1) lookuping up secondary groups for a user, and (2) get[gr|pw]nam() calls that fall through the NSS layer because they don't exist anywhere. o To handle case #1, we bypass winbindd in sys_getgrouplist() unless the username includes the 'winbind separator'. o Case #2 is handled by adding checks in winbindd to return failure if we are a DC and the domain matches our own. This code has been tested using basic share connections, domain logons, and with pam_winbind (both with and without 'winbind use default domain'). The 'trustdomain' auth module should work as well if an admin wants to manually create UNIX users for acounts in the trusted domains. Other misc fixes: * we need to fix check_ntlm_password() to be able to determine if an auth module is authoritative over a user (NT_STATUS_WRONG_PASSWORD, etc...). I worked around my specific situation, but this needs to be fixed. the winbindd auth module was causing delays. * fix named server mutex deadlock between trust domain auth module and winbindd looking up a uid * make sure SAM_ACCOUNT gets stored in the server_info struct for the _net_sam_logon() reply. Configuration details: The recommended method for supporting trusts is to use winbind. The gets us around some of the server mutex issues as well. * set 'files winbind' for passwd: and group: in /etc/nsswitch.conf * create domain trusts like normal * join winbind on the pdc to the Samba domain using 'net rpc join' * add normal parameters to smb.conf for winbind * set 'auth method = guest sam winbind' * start smbd, nmbd, & winbindd Problems that remain: * join a Windows 2k/XP box to a Samba domain. * create a 2-way trust between the Samba domain and an NT domain * logon to the windows client as a user from theh trusted domain * try to browse server in the trusted domain (or other workstations). an NT client seems to work ok, but 2k and XP either prompt for passwords or fail with errors. apparanently this never got tested since no one has ever been able to logon as a trusted user to a Samba domain from a Windows client. (This used to be commit f804b590f9dbf1f0147c06a0a2f12e221ae6fc3b)
2003-06-28cleaning up after the s/in_addr/ip_service/ switch for the get_dc_list() patchGerald Carter1-6/+18
(This used to be commit 303fdc516c79b170d7c12fe2f6264d9636673347)
2003-06-27Some const correctness. Stop tdb being used as a remote backend. If anJeremy Allison1-1/+1
idmap backend is specified cause smbd to ask winbindd (use winbindd if you want a consistant remote backend solution). Should work well enough for next beta now... Jeremy. (This used to be commit 8f830c509af5976d988a30f0b0aee4ec61dd97a3)
2003-06-25* fix typos in a few debug statementsGerald Carter1-1/+1
* check negative connection cache before ads_try_connect() in ads_find_dc() (This used to be commit 2a76101a3a31f5fca2f444b25e3f0486f7ef406f)
2003-06-25large change:Gerald Carter3-33/+31
*) consolidates the dc location routines again (dns and netbios) get_dc_list() or get_sorted_dc_list() is the authoritative means of locating DC's again. (also inludes a flag to get_dc_list() to define if this should be a DNS only lookup or not) (however, if you set "name resolve order = hosts wins" you could still get DNS queries for domain name IFF ldap_domain2hostlist() fails. The answer? Fix your DNS setup) *) enabled DOMAIN<0x1c> lookups to be funneled through resolve_hosts resulting in a call to ldap_domain2hostlist() if lp_security() == SEC_ADS *) enables name cache for winbind ADS backend *) enable the negative connection cache for winbind ADS backend *) removes some old dead code *) consolidates some duplicate code *) moves the internal_name_resolve() to use an IP/port pair to deal with SRV RR dns replies. The namecache code also supports the IP:port syntax now as well. *) removes 'ads server' and moves the functionality back into 'password server' (which can support "hostname:port" syntax now but works fine with defaults depending on the value of lp_security()) (This used to be commit d7f7fcda425bef380441509734eca33da943c091)
2003-06-24Sequence number was not getting updated with ldap hack. Only a bug in thisJeremy Allison2-7/+4
branch. Jeremy. (This used to be commit 19629b41cb9b5e5f9e0d4a6d52af983a4d05c8cb)
2003-06-24Explain why winbindd is exiting.Jeremy Allison1-2/+4
Jeremy. (This used to be commit a411923aa2eba9dac49efb68ed31650c11b5c33d)
2003-06-24add tdb backup function separation and winbind idmap upgrade code formSimo Sorce2-0/+209
pre-2.2.4 tdb database format. tx volker for your work on this (This used to be commit 2bdbeb9e97a59ecd16f74fbb04ab5ca57b28a757)
2003-06-23* s/get_dc_name/rpc_dc_name/g (revert a previous change)Gerald Carter3-107/+20
* move back to qsort() for sorting IP address in get_dc_list() * remove dc_name_cache in cm_get_dc_name() since it slowed things down more than it helped. I've made a note of where to add in the negative connection cache in the ads code. Will come back to that. * fix rpcclient to use PRINTER_ALL_ACCESS for set printer (instead of MAX_ALLOWED) * only enumerate domain local groups in our domain * simplify ldap search for seqnum in winbindd's rpc backend (This used to be commit f8cab8635b02b205b4031279cedd804c1fb22c5b)
2003-06-23lp_security() is a function not an integerAndrew Tridgell1-1/+1
(This used to be commit 71907f32ba9c8700ba185b565a50c55a3a451758)
2003-06-23* set domain->last_status = NT_STATUS_SERVER_DISABLED on an ads_connect() ↵Gerald Carter4-30/+269
failure * Fix code to use winbind_rpc methods for trusted mixed mode or NT4 domains ( does no one ever test this? ) * add in LDAP code to get the sequence number for rpc based seqnum update. ( this is needed if the DC is upgraded and samba is not reconfigured to use security = ads; it's not pretty but it works (from app_head) ) * fix bug that caused us to enumerate domain local groups in domains other than our own (This used to be commit 14f2cd139a22454571cea8475d3b7c5c2787d378)
2003-06-22Found out a good number of NT_STATUS_IS_ERR used the wrong way.Simo Sorce4-18/+18
As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK This patch will cure the problem. Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is used correctly, but I'm not 100% sure, coders should check the use of NT_STATUS_IS_ERR() in samba is ok now. Simo. (This used to be commit c501e84d412563eb3f674f76038ec48c2b458687)
2003-06-21merge of the netsamlogon caching code from APPLIANCE_HEADGerald Carter8-143/+379
This replaces the universal group caching code (was originally based on that code). Only applies to the the RPC code. One comment: domain local groups don't show up in 'getent group' that's easy to fix. Code has been tested against 2k domain but doesn't change anything with respect to NT4 domains. netsamlogon caching works pretty much like the universal group caching code did but has had much more testing and puts winbind mostly back in sync between branches. (This used to be commit aac01dc7bc95c20ee21c93f3581e2375d9a894e1)
2003-06-18Remove the -A option of wbinfo, leaving only the long version,Jim McDonough1-1/+1
--set-auth-user. There was enough confusion, as in bug #158, when a user accidentally typed -A instead of -a, and would get themselves stuck with a non-working winbind. I've made the changes to docs/docbook/manpages/wbinfo.xml, but I'm not sure what to do beyond that. Is checking that in enough? (This used to be commit 70fe85e4698ce2c26372b050417986bf4a96680b)
2003-06-16Squelch one small compiler warningRichard Sharpe1-1/+2
(This used to be commit d9ac2540dd0d56d97625fa02e55a57a1f5ac4abf)
2003-06-16Fix some compiler warnings.Tim Potter1-2/+0
(This used to be commit eec1758e048f38e2ac48a7dda96b90a74ec95449)
2003-06-16made a debug statement more usefulAndrew Tridgell1-2/+3
(This used to be commit 3f7a24d183095a7e391fe35100a30fc572a8d769)
2003-06-13Forward port the app-head changes for dc name cache into 3.0.Jeremy Allison1-6/+1
Jeremy. (This used to be commit 8bcc3116a22ce11b55a35f3363230f54bc5735fc)
2003-06-10Add in rety loop for query_user_list (from APP_HEAD). Deals with a bugJeremy Allison2-5/+56
using MSRPC backend and should be safe with ldap backend. Jeremy. (This used to be commit 67535329a2df8986c2d1d85e25cd5c558ee61405)
2003-06-10- fixed the bug that forced us not to use the winbindd cache when weAndrew Tridgell5-41/+46
have a primary ADS domain and a secondary (trusted) NT4 domain. This caused winbindd to be *really* slow for that setup. - fixed winbindd_getgrgid(), which was calling uid_to_sid instead of gid_to_sid(). When you make changes to winbind *PLEASE* test using nsstest. (This used to be commit cdd9b60a078b63e22f543d4c8d0956ff536f4d89)
2003-06-10More instrumentation for winbindd.Jeremy Allison1-0/+14
Jeremy. (This used to be commit 4161a122b74b75b0ed1758e3491e69bb9f1e8390)
2003-06-10Instrument cache with debug statements so I can have a clue as to whatJeremy Allison1-56/+208
is going on in remote large sites. Jeremy. (This used to be commit 5987dad1f1049f08bf4a94929f70b5eac96c7007)
2003-06-06compile errorGerald Carter1-1/+1
(This used to be commit 8804b059a4f453b29c8b0da975f5d6d8501f4b11)
2003-06-06merge from APP_HEAD. Push negative connection cacheGerald Carter1-317/+4
into rpc_find_dc(). Should probably be extended some more in 3.0 but this is what we have for the moment. (This used to be commit 0e23abf95cf7ba2d0a314a34bddb4d46de2a3cd1)
2003-06-03* set winbind cache time to 5 minutesGerald Carter3-18/+95
* quit obsessing over the sequence number so much * share the updated sequence number between parent and child winbindd processes in dual mode (This used to be commit 6f99cafa95b2a9dc98d8272fe6a54e9d37098340)
2003-05-27Fix extra arg for cm_get_netlogon_cli()Tim Potter1-1/+1
(This used to be commit a0c3f1d31c4888d33061bb011fcb8e701bba30bc)
2003-05-27Whoops - tried to merge to wrong branch for bug #60 merge. This redosTim Potter1-3/+0
the original fix. (This used to be commit 711f65bee0e7955fdb415182abe4812eae8ec4c3)
2003-05-26Formatting syncup.Tim Potter1-3/+1
(This used to be commit f4b050932a44d836b11299c158666f6804cceda5)
2003-05-26Merge of fix for bug #60.Tim Potter1-0/+3
(This used to be commit 0583dc358e918cf8bfb4d17bae0f42c4b385d313)
2003-05-23Bug 83: fixes for building when $srcdir != $builddir from David LeeTim Potter1-1/+1
<t.d.lee@durham.ac.uk> (This used to be commit e48a8b5e9c1a75c6e4bffe022d0e25edae89bc58)
2003-05-19Updates for AIX winbind client from Stephen Roylance.Tim Potter1-62/+58
(This used to be commit 3983f3a1f30deae8d66c1f4c099bb56eabe3586b)
2003-05-15Fix for winbindd segfault (finally I think this is the correct one :-)Jeremy Allison1-1/+1
from "Roylance, Stephen D." <SROYLANCE@PARTNERS.ORG>. Jeremy. (This used to be commit 459fb6519bc9bc9bbb151291ff795ecc0c014d63)
2003-05-14Ok, try and fix this correctly... Simplify the nasty loop logic.Jeremy Allison1-7/+7
Jeremy. (This used to be commit c19599a5624ac7ea63b529bf7d36cdcd7c8ef89f)
2003-05-14Fix winbindd coredump. Remember to set a ** pointer to null beforeJeremy Allison1-0/+2
searching and not finding otherwise we return a valid looking pointer that was whatever crap was on the stack. Jeremy. (This used to be commit 5d3ac0e39b2b3c60de7c1fe562e4da1f508a2884)
2003-05-12And finally IDMAP in 3_0Simo Sorce6-58/+35
We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-05-10Reverse previous patch from Stefan and me after comments by Andrew BartlettJelmer Vernooij1-2/+0
(This used to be commit d817eaf0ecca2d878ab1ffcf7a747a02d71c811e)
2003-05-10Patch from metze and me that adds dummy smb_register_*() functions soJelmer Vernooij1-0/+2
that is now possible to, for example, load a module which contains an auth method into a binary without the auth/ subsystem built in. (This used to be commit 74d9ecfe2dd7364643d32acb62ade957bd71cd0d)
2003-05-08This puts real netlogon connection caching to winbind. This becomesVolker Lendecke3-81/+135
important once we start doing schannel, as there would be a lot more roundtrips for the second PIPE open and bind. With this patch logging in to a member server is a matter of two (three if you count the ack...) packets between us and the DC. Volker (This used to be commit 5b3cb7725a974629d0bd8b707bc2940c36b8745e)
2003-05-06There appears to be no reason why we have to execute theTim Potter2-60/+45
initialisation code in winbindd_init_common() after the fork when running in dual daemon mode. The only tricky bit is we have to run a tdb_reopen_all() somewhere in the child to avoid tdb corruption. Fixed bug #60. (This used to be commit 25e55aca0fe315c2ccf4e34a94107b2321313714)
2003-05-03This commit was manufactured by cvs2svn to create branch 'SAMBA_3_0'.(This ↵cvs2svn Import User1-0/+360
used to be commit f1e59906577a59269f1821d9e438fc56278b9dbe)
2003-05-03fixes to *_util.c filesSimo Sorce2-1/+366
add winbindd_passdb backend this makes it possible to have nua accounts on security = user servers to show up in unic through nss_winbind.so the problem is that we do not have group support, so nss group support is not very good at this time (read: totally absent) we NEED group support in passdb (This used to be commit 921215cf4bfbd4d7457f81e181bb1a74a4531ca1)
2003-05-01proper wellknown sids initialization at startupSimo Sorce1-0/+3
(This used to be commit 568feee8977ee1be210344c8ab1896512894cba2)
2003-05-01*id_to_*id call reshape to return NTSTATUS errorsSimo Sorce3-48/+17
plus internal fixes 1st stage (This used to be commit 6d036761e565bc93964bb3c939d5b7d78d5778a3)
2003-04-29remove convert_smbpasswd and addtosmbpass from tree; people can get them ↵Gerald Carter3-2/+26
from 2.2. if they still need them (This used to be commit 237857a760974bb02000e5d3a776240ec73ca6b6)
2003-04-27make winbind use idmap as well.Simo Sorce7-1079/+54
change idmap_init call removed ldap backend for winbind idmap, seem it had problems anyway and it have to be reworked to work with idmap without calling winbind code. simo (This used to be commit 9d7d007443fc75264b2764b90f272ffc40c9be6c)
2003-04-23Merge HEAD's winbind into 3.0.Andrew Bartlett10-760/+642
This includes the 'SIDs Rule' patch, mimir's trusted domains cacheing code, the winbind_idmap abstraction (not idmap proper, but the stuff that held up the winbind LDAP backend in HEAD). Andrew Bartlett (This used to be commit d4d5e6c2ee6383c6cceb5d449aa2ba6c83eb0666)