| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
(This used to be commit fed98658a5cc82e9fdc65aa73f74e118c1104178)
|
|
string.
(This used to be commit e522663717f6b6141580f34502ad8686d326f8c8)
|
|
Re-add adding the local aliases to winbindd_getgroups.
Volker
(This used to be commit ae080f2cfaa50cf16c91d760f63db2c721e251c5)
|
|
(This used to be commit 3acac5d626b2897fd2c4b291dd4e0a6c9ceffcfe)
|
|
to winbindd. idmap_allocate_rid wants information about whether this will be a
user or a group, I did not export this to the winbind interface.
The reason for idmap to get that info is to keep consistent with the
algorithmic convention to alloc only even rids for users and odd rids for
groups. I'm not fully convinced that this really gains us anything. Any real
good arguments?
Volker
(This used to be commit 7f62cf933cad69799204bfdc773e08ff0dde0b20)
|
|
about the user and group...
Volker
(This used to be commit 87fa7904f7da5f4a80ca465c09ae4ad274e81690)
|
|
much of your winbindd_passdb, users are currently not provided by that, only
aliases. Currently the code to maintain that stuff is not yet in, this will be
next, see my next posting to samba-technical.
Volker
(This used to be commit 9e0fb457ba77a55f8271b6acc91a07f0a8df3760)
|
|
replaced by a winbindd_passdb.c checkin soon.
Volker
(This used to be commit 4e96b46a8481bdf4f3408574ccc8c921ade7018b)
|
|
(This used to be commit e2696b81bb5e4d12281cf99dc50f91844ae51c2e)
|
|
should work as expected :-)
Fix wb_delgrpmember.
Volker
(This used to be commit 2a2b4a159a973678b7279a8d91060c7c27aa22e8)
|
|
(This used to be commit 00c998c5030560d096d7f3c0f9d89ce18e2d006b)
|
|
very efficient though, it only does one group at a time. Needs improving, but
the structures are not particularly easy to set up, so check in the basically
working part for others to review.
I'm close to saying that I would like to remove aliases from general group
mapping. These can not be reflected correctly in /etc/group, winbind could do
a better job here.
And having aliases only on machines with nss_winbind at least for me is not a
too severe limitation.
Comments?
Volker
(This used to be commit 6cad5bcc280c2964473346cc467423a44cc6a5c2)
|
|
Do:
wbinfo -C alias
net groupmap set alias alias -L
net rpc group addmem alias DOMAIN\\group -S localhost -Uroot%secret
getent group alias
And hopefully the members of domain\\group show up :-)
Still have to get them to show up in 'getent group'.
Volker
(This used to be commit 18e48190838907a29347d471e81945257f540aa7)
|
|
su - WINDOWS\\vl
now includes the locally defined aliases I'm member of.
Next will be getent group.
Volker
(This used to be commit 52dae45684317ac8ac529017607bb5787dda7c50)
|
|
(This used to be commit 98d9278c81ede2a931a2c2c8371c0499601a1457)
|
|
Add more static...
Andrew Bartlett
(This used to be commit 6391e2cc8e5b224c002b57ce615b9b8052eeb346)
|
|
nsswitch/winbindd_util.c:
add static
smbd/uid.c:
remove unused function
Andrew Bartlett
(This used to be commit 4822a3f73610f6e468c447f1282246f13a378cde)
|
|
Make more functions static, and remove duplication in the use of functions
in lib/smbpasswd.c that were exact duplicates of functions in passdb/passdb.c
(These should perhaps be pulled back out to smbpasswd.c, but that can occour
later).
This also includes some >14 character password changes, and the start
of a move away from using 'admin user' to determine if the user is
root (as root can login without setting 'admin user').
Andrew Bartlett
(This used to be commit be0704abb919152c359a735023283acbf9be3076)
|
|
Jeremy.
(This used to be commit 5c5545bd44cdaf4a0b75b0c1c22dd74bb278a6a5)
|
|
Remove duplicate comment.
Andrew Bartlett
(This used to be commit 841766bcbddbbe5e18d1b7989e54c85ab97715f5)
|
|
end mapper code
(This used to be commit 902d4a647a88d1def09d5b1eacb06ab1561f3dec)
|
|
(This used to be commit 467a58af346b30291b69b5d8da7f1b21d518fc1d)
|
|
(This used to be commit 9a81094a0f0ca5c209f640c48b77522e5f81d28e)
|
|
This adds client-side support for the unicode/SAMR password change scheme.
As well as avoiding DOS charset issues, this scheme returns useful error
codes, that we can map back via the pam interface.
This patch also cleans up the interfaces used for password buffers, to
avoid duplication of code.
Andrew Bartlett
(This used to be commit 8063b8b6c2eb30cb116988e265fb289109d7c348)
|
|
(This used to be commit f83606a058b934309bf1b2075747f504eb38575d)
|
|
to winbindd_cm about this
(This used to be commit c1174cf57b1b6fad03de23f6a4ff952671dc87d7)
|
|
<john.klinger@lmco.com>
(This used to be commit c4d58ec5d5c2b8947824d78639a7e9e615e2a400)
|
|
The reason for this are:
(a) the set_dc_type_and_flags() cannot tell the different
between connecting to an NT4 domain and an NT4 BDC
of a mixed mode domain.
(b) the connection management for the rpc backend only
provides on named pipe per cli_state. So it is possible
to connect to an NT4 BDC for netlogon and an AD mixed mode
DC for lsarpc. RPC is the lowest common demonimator here.
(c) Issue with the sequence number value between the
highestCommittedUSN LDAP attribute and the seq_num returned
via RPC.
We will revisit this later, but the changes need to make this
work right now are too broad and risky.
(This used to be commit 86f24908c395cc832ae87b04c9da3d32449acad3)
|
|
(This used to be commit c98399e3c9d74e19b7c9d806ca8028b48866931e)
|
|
metze
(This used to be commit fcb3c9c61ecd787b8d3e5a53ee8f9e04daae76fe)
|
|
code changes form 3.0
(This used to be commit 2279e98cb81faaf8a4e971fec339955f14c23858)
|
|
(This used to be commit 36d985a75faa5ebda1c8c7de1e3ab5d7a51a9c10)
|
|
(This used to be commit 175c5c9faa8c1cb3577eb96598434e6097d408c7)
|
|
Changes include:
- header changes for better pre-compiled headers (tridge)
- get a list of sids for a given user (tridge)
- fix function prototype
and a few other minor things
Andrew Bartlett
(This used to be commit 60107efdc61247034424d008c6f1eb4d46a19881)
|
|
Ensure that for wbinfo --set-auth-user, we actually use the domain.
Andrew Bartlett
(This used to be commit 8a63bed29315acb3fe9cc2973426ef8392987c8c)
|
|
Try to keep vl happy - shorten some of these lines.
--
Grumble... grumble... fix the build...
--
Show the sid type in name->sid translatons in a way that can be easily
understood by humans.
Andrew Bartlett
(This used to be commit c5d1e2112baa7d87cd6b9f0855c2fd8b006af01d)
|
|
Change our Domain controller lookup routines to more carefully seperate
DNS names (realms) from NetBIOS domain names.
Until now, we would experience delays as we broadcast lookups for DNS names
onto the local network segments.
Now if DNS comes back negative, we fall straight back to looking up the
short name.
Andrew Bartlett
(This used to be commit 4c3bd0a99e464198d243da302ff1868189b4dcff)
|
|
Add const.
Andrew Bartlett
(This used to be commit b08502a8fb1083cc49fd2976880b7bef3f14a72a)
|
|
rpc_parse/parse_lsa.c:
nsswitch/winbindd_rpc.c:
nsswitch/winbindd.h:
- Add const
libads/ads_ldap.c:
- Add ads_sid_to_dn utility function
nsswitch/winbindd_ads.c:
- Use new utility function ads_sid_to_dn
- Don't search for 'dn=', rather call the ads_search_retry_dn()
nsswitch/winbindd_ads.c:
include/rpc_ds.h:
rpc_client/cli_ds.c:
- Fixup braindamage in cli_ds_enum_domain_trusts():
- This function was returning a UNISTR2 up to the caller, and
was doing nasty (invalid, per valgrind) things with memcpy()
- Create a new structure that represents this informaiton in a useful way
and use talloc.
Andrew Bartlett
(This used to be commit 627d33d1667f0d4b1070f988494885b74c4c04dd)
|
|
Fix for bug 707, getent group for huge ads groups (>1500 members)
This introduces range retrieval of ADS attributes.
VL rewrote most of Güther's patch, partly to remove code duplication and
partly to get the retrieval of members in one rush, not interrupted by the
lookups for the DN.
I rewrote that patch, to ensure that we can keep an eye on the USN
(sequence number) of the entry - this allows us to ensure the read was
atomic.
In particular, the range retrieval is now generic, for strings. It
could easily be made generic for any attribute type, if need be.
Andrew Bartlett
(This used to be commit 08e851c7417d52a86e31982fcfce695c8a6360b7)
|
|
Having no members of a group is a perfectly valid (if unusual) situation.
Andrew Bartlett
(This used to be commit bc77b586be6992a662422304dbefbd4b833818fb)
|
|
Changes to our PAM code to cope with the fact that we can't handle some
domains (in particular, the domain of the current machine, if it is not a PDC)
By changing the error codes, we now return values that PAM can correctly
use for better stacking of PAM modules - in particular of the password change
module.
This allows pam_winbind to co-exist with other pam modules for password changes.
Andrew Bartlett
(This used to be commit 06b4eb4b9f867998c8faf9a91830ba3181cdf605)
|
|
auth/auth_util.c:
- Fill in the 'backup' idea of a domain, if the DC didn't supply one. This
doesn't seem to occour in reality, hence why we missed the typo.
lib/charcnv.c:
lib/smbldap.c:
libads/ldap.c:
libsmb/libsmbclient.c:
printing/nt_printing.c:
- all the callers to pull_utf8_allocate() pass a char ** as the first
parammeter, so don't make them all cast it to a void **
nsswitch/winbind_util.c:
- Allow for a more 'correct' view of when usernames should be qualified
in winbindd. If we are a PDC, or have 'winbind trusted domains only',
then for the authentication returns stip the domain portion.
- Fix valgrind warning about use of free()ed name when looking up our
local domain. lp_workgroup() is maniplated inside a procedure that
uses it's former value. Instead, use the fact that our local domain is
always the first in the list.
--
Jerry rightly complained that we can't assume that the first domain is
our primary domain - new domains are added to the front of the list. :-(
Use a much more reliable 'flag test' instead. (note: changes winbind
structures, make clean).
--
Forgot to commit this for the 'get our primary domain' change.
Andrew Bartlett
(This used to be commit acacd27ba25f7ebfec40bfa66d34ece543569e23)
|
|
Try to gain a bit more consistancy in the output of usernames from ntlm_auth:
Instead of returning a name in DOMAIN\user format, we now return it in the
same way that nsswtich does - following the rules of 'winbind use default
domain', in the correct case and with the correct seperator.
This should help sites who are using Squid or the new SASL code I'm working
on, to match back to their unix usernames.
--
Get the DOMAIN\username around the right way (I had username\domain...)
Push the unix username into utf8 for it's trip across the socket.
Andrew Bartlett
(This used to be commit 4c2e1189ff84d254f19b604999d011fdb17e538d)
|
|
session setup. After talking to jht and abartlet I made this unconditional, no
additional parameter.
Jerry: This is a change in behaviour, but I think it is necessary.
Volker
(This used to be commit d32f47fedcff3fdf46f42926d1cd84433e7ab487)
|
|
Volker
(This used to be commit 6121a866659c3b81e790a79432b6d89d7865fbd3)
|
|
Volker
(This used to be commit a2e384262d0203772a6237b566c294f15bfd8948)
|
|
This introduces range retrieval of ADS attributes.
I've rewritten most of Günther's patch, partly to remove code duplication and
partly to get the retrieval of members in one rush, not interrupted by the
lookups for the DN.
Andrew, you told me that you would like to see a check whether the AD sequence
number is the same before and after the retrieval to achieve atomicity. This
would be trivial to add, but I'm not sure that we want this, as this adds two
roundtrips to every membership query. We can not know before the first query
whether we get additional range values, and at that point it's too late to ask
for the USN.
Tested with a group of 4000 members along with lots of small groups.
Volker
(This used to be commit a2aa6e41e552abfb6d1056ab3a7c75e8fd0a150c)
|
|
(This used to be commit 67d893701f09f29e8af56cd98f04131658b39713)
|
|
(This used to be commit c16e51bfaf59b2d5b1b800ee272ac45b13b9a9fc)
|
