Age | Commit message (Collapse) | Author | Files | Lines |
|
(This used to be commit 00c998c5030560d096d7f3c0f9d89ce18e2d006b)
|
|
very efficient though, it only does one group at a time. Needs improving, but
the structures are not particularly easy to set up, so check in the basically
working part for others to review.
I'm close to saying that I would like to remove aliases from general group
mapping. These can not be reflected correctly in /etc/group, winbind could do
a better job here.
And having aliases only on machines with nss_winbind at least for me is not a
too severe limitation.
Comments?
Volker
(This used to be commit 6cad5bcc280c2964473346cc467423a44cc6a5c2)
|
|
Do:
wbinfo -C alias
net groupmap set alias alias -L
net rpc group addmem alias DOMAIN\\group -S localhost -Uroot%secret
getent group alias
And hopefully the members of domain\\group show up :-)
Still have to get them to show up in 'getent group'.
Volker
(This used to be commit 18e48190838907a29347d471e81945257f540aa7)
|
|
su - WINDOWS\\vl
now includes the locally defined aliases I'm member of.
Next will be getent group.
Volker
(This used to be commit 52dae45684317ac8ac529017607bb5787dda7c50)
|
|
(This used to be commit 98d9278c81ede2a931a2c2c8371c0499601a1457)
|
|
Add more static...
Andrew Bartlett
(This used to be commit 6391e2cc8e5b224c002b57ce615b9b8052eeb346)
|
|
nsswitch/winbindd_util.c:
add static
smbd/uid.c:
remove unused function
Andrew Bartlett
(This used to be commit 4822a3f73610f6e468c447f1282246f13a378cde)
|
|
Make more functions static, and remove duplication in the use of functions
in lib/smbpasswd.c that were exact duplicates of functions in passdb/passdb.c
(These should perhaps be pulled back out to smbpasswd.c, but that can occour
later).
This also includes some >14 character password changes, and the start
of a move away from using 'admin user' to determine if the user is
root (as root can login without setting 'admin user').
Andrew Bartlett
(This used to be commit be0704abb919152c359a735023283acbf9be3076)
|
|
Jeremy.
(This used to be commit 5c5545bd44cdaf4a0b75b0c1c22dd74bb278a6a5)
|
|
Remove duplicate comment.
Andrew Bartlett
(This used to be commit 841766bcbddbbe5e18d1b7989e54c85ab97715f5)
|
|
end mapper code
(This used to be commit 902d4a647a88d1def09d5b1eacb06ab1561f3dec)
|
|
(This used to be commit 467a58af346b30291b69b5d8da7f1b21d518fc1d)
|
|
(This used to be commit 9a81094a0f0ca5c209f640c48b77522e5f81d28e)
|
|
This adds client-side support for the unicode/SAMR password change scheme.
As well as avoiding DOS charset issues, this scheme returns useful error
codes, that we can map back via the pam interface.
This patch also cleans up the interfaces used for password buffers, to
avoid duplication of code.
Andrew Bartlett
(This used to be commit 8063b8b6c2eb30cb116988e265fb289109d7c348)
|
|
(This used to be commit f83606a058b934309bf1b2075747f504eb38575d)
|
|
to winbindd_cm about this
(This used to be commit c1174cf57b1b6fad03de23f6a4ff952671dc87d7)
|
|
<john.klinger@lmco.com>
(This used to be commit c4d58ec5d5c2b8947824d78639a7e9e615e2a400)
|
|
The reason for this are:
(a) the set_dc_type_and_flags() cannot tell the different
between connecting to an NT4 domain and an NT4 BDC
of a mixed mode domain.
(b) the connection management for the rpc backend only
provides on named pipe per cli_state. So it is possible
to connect to an NT4 BDC for netlogon and an AD mixed mode
DC for lsarpc. RPC is the lowest common demonimator here.
(c) Issue with the sequence number value between the
highestCommittedUSN LDAP attribute and the seq_num returned
via RPC.
We will revisit this later, but the changes need to make this
work right now are too broad and risky.
(This used to be commit 86f24908c395cc832ae87b04c9da3d32449acad3)
|
|
(This used to be commit c98399e3c9d74e19b7c9d806ca8028b48866931e)
|
|
metze
(This used to be commit fcb3c9c61ecd787b8d3e5a53ee8f9e04daae76fe)
|
|
code changes form 3.0
(This used to be commit 2279e98cb81faaf8a4e971fec339955f14c23858)
|
|
(This used to be commit 36d985a75faa5ebda1c8c7de1e3ab5d7a51a9c10)
|
|
(This used to be commit 175c5c9faa8c1cb3577eb96598434e6097d408c7)
|
|
Changes include:
- header changes for better pre-compiled headers (tridge)
- get a list of sids for a given user (tridge)
- fix function prototype
and a few other minor things
Andrew Bartlett
(This used to be commit 60107efdc61247034424d008c6f1eb4d46a19881)
|
|
Ensure that for wbinfo --set-auth-user, we actually use the domain.
Andrew Bartlett
(This used to be commit 8a63bed29315acb3fe9cc2973426ef8392987c8c)
|
|
Try to keep vl happy - shorten some of these lines.
--
Grumble... grumble... fix the build...
--
Show the sid type in name->sid translatons in a way that can be easily
understood by humans.
Andrew Bartlett
(This used to be commit c5d1e2112baa7d87cd6b9f0855c2fd8b006af01d)
|
|
Change our Domain controller lookup routines to more carefully seperate
DNS names (realms) from NetBIOS domain names.
Until now, we would experience delays as we broadcast lookups for DNS names
onto the local network segments.
Now if DNS comes back negative, we fall straight back to looking up the
short name.
Andrew Bartlett
(This used to be commit 4c3bd0a99e464198d243da302ff1868189b4dcff)
|
|
Add const.
Andrew Bartlett
(This used to be commit b08502a8fb1083cc49fd2976880b7bef3f14a72a)
|
|
rpc_parse/parse_lsa.c:
nsswitch/winbindd_rpc.c:
nsswitch/winbindd.h:
- Add const
libads/ads_ldap.c:
- Add ads_sid_to_dn utility function
nsswitch/winbindd_ads.c:
- Use new utility function ads_sid_to_dn
- Don't search for 'dn=', rather call the ads_search_retry_dn()
nsswitch/winbindd_ads.c:
include/rpc_ds.h:
rpc_client/cli_ds.c:
- Fixup braindamage in cli_ds_enum_domain_trusts():
- This function was returning a UNISTR2 up to the caller, and
was doing nasty (invalid, per valgrind) things with memcpy()
- Create a new structure that represents this informaiton in a useful way
and use talloc.
Andrew Bartlett
(This used to be commit 627d33d1667f0d4b1070f988494885b74c4c04dd)
|
|
Fix for bug 707, getent group for huge ads groups (>1500 members)
This introduces range retrieval of ADS attributes.
VL rewrote most of Güther's patch, partly to remove code duplication and
partly to get the retrieval of members in one rush, not interrupted by the
lookups for the DN.
I rewrote that patch, to ensure that we can keep an eye on the USN
(sequence number) of the entry - this allows us to ensure the read was
atomic.
In particular, the range retrieval is now generic, for strings. It
could easily be made generic for any attribute type, if need be.
Andrew Bartlett
(This used to be commit 08e851c7417d52a86e31982fcfce695c8a6360b7)
|
|
Having no members of a group is a perfectly valid (if unusual) situation.
Andrew Bartlett
(This used to be commit bc77b586be6992a662422304dbefbd4b833818fb)
|
|
Changes to our PAM code to cope with the fact that we can't handle some
domains (in particular, the domain of the current machine, if it is not a PDC)
By changing the error codes, we now return values that PAM can correctly
use for better stacking of PAM modules - in particular of the password change
module.
This allows pam_winbind to co-exist with other pam modules for password changes.
Andrew Bartlett
(This used to be commit 06b4eb4b9f867998c8faf9a91830ba3181cdf605)
|
|
auth/auth_util.c:
- Fill in the 'backup' idea of a domain, if the DC didn't supply one. This
doesn't seem to occour in reality, hence why we missed the typo.
lib/charcnv.c:
lib/smbldap.c:
libads/ldap.c:
libsmb/libsmbclient.c:
printing/nt_printing.c:
- all the callers to pull_utf8_allocate() pass a char ** as the first
parammeter, so don't make them all cast it to a void **
nsswitch/winbind_util.c:
- Allow for a more 'correct' view of when usernames should be qualified
in winbindd. If we are a PDC, or have 'winbind trusted domains only',
then for the authentication returns stip the domain portion.
- Fix valgrind warning about use of free()ed name when looking up our
local domain. lp_workgroup() is maniplated inside a procedure that
uses it's former value. Instead, use the fact that our local domain is
always the first in the list.
--
Jerry rightly complained that we can't assume that the first domain is
our primary domain - new domains are added to the front of the list. :-(
Use a much more reliable 'flag test' instead. (note: changes winbind
structures, make clean).
--
Forgot to commit this for the 'get our primary domain' change.
Andrew Bartlett
(This used to be commit acacd27ba25f7ebfec40bfa66d34ece543569e23)
|
|
Try to gain a bit more consistancy in the output of usernames from ntlm_auth:
Instead of returning a name in DOMAIN\user format, we now return it in the
same way that nsswtich does - following the rules of 'winbind use default
domain', in the correct case and with the correct seperator.
This should help sites who are using Squid or the new SASL code I'm working
on, to match back to their unix usernames.
--
Get the DOMAIN\username around the right way (I had username\domain...)
Push the unix username into utf8 for it's trip across the socket.
Andrew Bartlett
(This used to be commit 4c2e1189ff84d254f19b604999d011fdb17e538d)
|
|
session setup. After talking to jht and abartlet I made this unconditional, no
additional parameter.
Jerry: This is a change in behaviour, but I think it is necessary.
Volker
(This used to be commit d32f47fedcff3fdf46f42926d1cd84433e7ab487)
|
|
Volker
(This used to be commit 6121a866659c3b81e790a79432b6d89d7865fbd3)
|
|
Volker
(This used to be commit a2e384262d0203772a6237b566c294f15bfd8948)
|
|
This introduces range retrieval of ADS attributes.
I've rewritten most of Günther's patch, partly to remove code duplication and
partly to get the retrieval of members in one rush, not interrupted by the
lookups for the DN.
Andrew, you told me that you would like to see a check whether the AD sequence
number is the same before and after the retrieval to achieve atomicity. This
would be trivial to add, but I'm not sure that we want this, as this adds two
roundtrips to every membership query. We can not know before the first query
whether we get additional range values, and at that point it's too late to ask
for the USN.
Tested with a group of 4000 members along with lots of small groups.
Volker
(This used to be commit a2aa6e41e552abfb6d1056ab3a7c75e8fd0a150c)
|
|
(This used to be commit 67d893701f09f29e8af56cd98f04131658b39713)
|
|
(This used to be commit c16e51bfaf59b2d5b1b800ee272ac45b13b9a9fc)
|
|
the full name in gecos field; bug 587
(This used to be commit 5482ff71729b623c4561e42b82467bf2d5d64082)
|
|
- NTLM2 fixes, don't force NTLM2
- Don't use NTLM2 for RPC, it doesn't work yet
- Add comments to winbindd_pam.c
- Merge 64 bit fixes and better debug messages in winbindd.c
Andrew Bartlett
(This used to be commit ba94e4a1ab6dc3335bbb29686ca6795d0ffad5b0)
|
|
Changes all over the shop, but all towards:
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to
merge the 'client' and 'server' functions, so they both operate on a
single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of
data structures...
Andrew Bartlett
(This used to be commit 57a895aaabacc0c9147344d097d333793b77c947)
|
|
UNIX entity foo to DOMAIN\foo instead of SERVER\foo
on members of a Samba domain when all UNIX accounts
are shared via NIS, et. al.
* allow winbindd to match local accounts to domain SID
when 'winbind trusted domains only = yes'
* remove code in idmap_ldap that searches the user
suffix and group suffix. It's not needed and
provides inconsistent functionality from the tdb backend.
This has been tested. I'm still waiting on some more feedback
but This needs to be in 3.0.1pre2 for widespread use.
(This used to be commit cac4723e206bd001882011c9e12327064d032268)
|
|
(This used to be commit a26d425f93e43641195d0aaf0f9ce5ef0e69f5e1)
|
|
Jeremy.
(This used to be commit c2f38eb66578affb50cb15c73b297fb866be140b)
|
|
is given (patch from Tom Dickson)
(This used to be commit aa2abd5800856120ddec6937955e961ff0c77c96)
|
|
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at
all and I really want to discourage that.
Jeremy.
(This used to be commit 5c050a735f86927c7ef2a98b6f3a56abe39e4674)
|
|
Jeremy.
(This used to be commit 96cefb4542debd8902d9bc0cd09bb01c7a41cc69)
|
|
(This used to be commit 51f12170affd87cdff23118ed16f85dd97914f0c)
|