Age | Commit message (Collapse) | Author | Files | Lines |
|
Volker
(This used to be commit 25cbcfba30f534f3fb31627ba43421c42ccd5b0f)
|
|
POSIX
homedirectory and the loginshell from Active Directory's "Services for Unix".
Enable it with:
winbind sfu support = yes
User-Accounts without SFU-Unix-Attributes will be assigned template-based
Shells and Homedirs as before.
Note that it doesn't matter which version of Services for Unix you use (2.0,
2.2, 3.0 or 3.5). Samba should detect the correct attributes (msSFULoginShell,
msSFU30LoginShell, etc.) automatically.
If you also want to share the same uid/gid-space as SFU then also use PADL's
ad-idmap-Plugin:
idmap backend = ad
When using the idmap-plugin only those accounts will appear in Name Service
Switch that have those UNIX-attributes which avoids potential uid/gid-space
clashes between SFU-ids and automatically assigned idmap-ids.
Guenther
(This used to be commit 28b59699425b1c954d191fc0e3bd357e4a4e4cd8)
|
|
xad_oss_plugins-tarball).
Guenther
(This used to be commit 1d59841c9901b6a3aff72b6da1037495aa75f389)
|
|
(This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8)
|
|
* add synonym for idmap_rid in better lining with
other idmap backend names
* remove old debug messages when idmap {uid|gid} options
are not defined
(This used to be commit 03ebf3ebfe83897d8c18e57ed378154d1377874b)
|
|
--enable-developer=yes?
Volker
(This used to be commit 61d40ac60dd9c8c9bbcf92e4fc57fe1d706bc721)
|
|
(This used to be commit b451434e378e52e8ab6b932d7b26657ea9d0353c)
|
|
that uidNumber and gidNumber use match the rfc2307 schema
(This used to be commit c1727dc9e01f960c1eedf023b4de49ad6f418b18)
|
|
(This used to be commit 6fad82d3d536fe2f7184377137d062710b40b4f2)
|
|
(This used to be commit cadd5a44e7f1d532aa4dad7a4233e5ea2c814a10)
|
|
(This used to be commit 3eeecff05efec9310cf2bed7c6fe9a6d80dd6d0d)
|
|
*attr[]. This
gives some new warnings in smbldap.c, but a the callers are cleaned up.
Volker
(This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
|
|
(This used to be commit dd55ef25d1b24401a743d0367544e535cd17815c)
|
|
unused variables
(This used to be commit 82c4e2f37f1f4c581cd7c792808c9a81ef80db94)
|
|
compiled with -DIDMAP_RID_SUPPORT_TRUSTED_DOMAINS) as requested by Lars
Mueller <lmuelle-at-suse.de>.
Allow to map ID's for a local SAM and add some more
debugging-information.
Guenther
(This used to be commit 4d8e7c9ff00417b2ebae0c5faccfe9c2c9c44f2e)
|
|
allow BUILTIN domain-mapping.
Guenther
(This used to be commit e3b067ee99e304aa9e165dae5fcb0546cec711e2)
|
|
(only ever shows up when the somewhat hidden
IDMAP_RID_SUPPORT_TRUSTED_DOMAINS - define is set).
Thanks to Stephan Martin <sm@suse.de> for reporting this bug.
Guenther
(This used to be commit e7b81d679b487734e12a948f30f0ad88240f17f1)
|
|
allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
|
|
real life
if you have several competing winbinds that might get a lag due to
replication.
Volker
(This used to be commit 1c3f194ab7ab63aeb2284d7e5c7e183340740ceb)
|
|
when trusted domains are disabled anyway.
Guenther
(This used to be commit cd30a0b14adf1e58c19bcbfec385a5794d4ca112)
|
|
throw-up.
(This used to be commit 3d8e19468b8dda3bc84f0bc9174944c8275ed024)
|
|
Guenther
(This used to be commit c9a7bc10b7aa5e1cb7d37ba9b1a8ddb9b0b2dd5e)
|
|
- fix several memleaks found by valgrind
- turn off support for trusted domains (can be reenabled with
#define IDMAP_RID_SUPPORT_TRUSTED_DOMAINS 1)
- improve readability
Guenther
(This used to be commit 351a1227e80db5d87b71e17cd1443c11ea6ace4e)
|
|
Written by Sumit Bose <sbose@suse.de> and myself a while ago.
idmap_rid does a direct, static mapping between RIDs and UIDs/GIDs using
the idmap-range as offset. It does thus allow to have a unified mapping
over several winbindd-systems without having the need of a central
LDAP-Server (and all related dependencies and problems this solution can
bring).
Compile:
./configure --with-shared-modules=idmap_rid
Usage:
idmap backend = idmap_rid
idmp_rid does even allow you to have multiple mappings (for trusted
domains). This is a rather problemtic feature and will be turned off by
default rather soon. The problem is that ranges can quickly overlap when
not measured with caution.
idmap backend = idmap_rid:"MYDOMAIN=1000-9999 OTHER=10000-19999"
Will valgrind idmap_rid later today and fix a couple of things.
Guenther
(This used to be commit 49a238bd37105bf1a33d4a230ca594c4cf304dd3)
|
|
(in preparation of adding idmap_rid)
Guenther
(This used to be commit e7691f4862da141f530a8e8b1364b9c02e8dc732)
|
|
Optimization for 'idmap backend = ldap': When asking sid2id for the wrong
type, don't ask ldap when we have the opposite mapping in the local tdb.
Volker
(This used to be commit c91cff3bd38c1a8e23628b032f09829f9abf792d)
|
|
parameter a list instead of a string. This makes
idmap backend = ldap:"ldap://localhost/ ldap://fallback/"
possible.
Volker
(This used to be commit ea718347937ec0e5640b29e0e9edf6eda2b45e34)
|
|
Check in the 'winbind proxy only' mode -- no new parameter required :-)
If you don't set idmap uid or idmap gid, winbind will not do idmap stuff, it
will only proxy the netlogon request and thus speed up the authentication of
domain users.
Volker
(This used to be commit 29235f0c69035376ad7ac27b08a59069fa151102)
|
|
Jeremy.
(This used to be commit c336ccf4e8a6340f8d786219fbc7e4e5a7877e4e)
|
|
I know this isn't pretty, but neither was our assumption that all strings
from the directory fit inside a pstring. There was no way this worked
before will all versions of usrmgr (for example, the only version of
mine that has the TS Confic button).
(This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
|
|
(This used to be commit 4319df7fdc2d878c509381923cc1db4d731620ba)
|
|
(This used to be commit 7d7a262f45182e67daecdca49df85445c2b9700a)
|
|
(This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
|
|
UNIX entity foo to DOMAIN\foo instead of SERVER\foo
on members of a Samba domain when all UNIX accounts
are shared via NIS, et. al.
* allow winbindd to match local accounts to domain SID
when 'winbind trusted domains only = yes'
* remove code in idmap_ldap that searches the user
suffix and group suffix. It's not needed and
provides inconsistent functionality from the tdb backend.
This has been tested. I'm still waiting on some more feedback
but This needs to be in 3.0.1pre2 for widespread use.
(This used to be commit ee272414e9965d7d550ba91d4e83997134dd51e6)
|
|
Jeremy.
(This used to be commit b5d953bc26de5c4e0e1a15f70ae56ea2dd2843f2)
|
|
(This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669)
|
|
* bug #280 (my fault) - initialize sambaNextUserRid and
sambaNextGroupRid
* Unix users shared vis LDAP or NIS between a samba domain member
of a Samba domain are not seen as domain users on the member servers.
not as local users.
(This used to be commit a030fa373aefde8628def54ca8152f237a0467dc)
|
|
(This used to be commit d98a68e0ebaf2fbd360b826f5df472bc3f94285b)
|
|
(This used to be commit a2bd8f0bfa12f2a1e33c96bc9dabcc0e2171700d)
|
|
(This used to be commit 15d2bc47854df75f8b2644ccbc887d0357d9cd27)
|
|
(This used to be commit 165d1ae55622ca1e89c94fc5e40bdf5cddbcab45)
|
|
to pstr_sprintf() and fstr_sprintf() to try to standardize.
lots of snprintf() calls were using len-1; some were using
len. At least this helps to be consistent.
(This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
|
|
displaying pid_t, uid_t and gid_t values. This removes a whole lot of warnings
on some of the 64-bit build farm machines as well as help us out when 64-bit
uid/gid/pid values come along.
(This used to be commit f93528ba007c8800a850678f35f499fb7360fb9a)
|
|
* move rid allocation into IDMAP. See comments in _api_samr_create_user()
* add winbind delete user/group functions
I'm checking this in to sync up with everyone. But I'm going to split
the add a separate winbindd_allocate_rid() function for systems
that have an 'add user script' but need idmap to give them a RID.
Life would be so much simplier without 'enable rid algorithm'.
The current RID allocation is horrible due to this one fact.
Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow.
Nothing has changed in the way a samba domain is represented, stored,
or search in the directory so things should be ok with previous installations.
going to bed now.
(This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
|
|
to winbindd. See README.idmap-and-winbind-changes for details.
(This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6)
|
|
just yet.
`
(This used to be commit 6f0b5d474a051db512db2f73a8097c80964ec513)
|
|
winbindd now. Also removing an unused file.
(This used to be commit 688369c23c604e9b6654fcf07190d2e27c1138cf)
|
|
* remove idmap_XX_to_XX calls from smbd. Move back to the
the winbind_XXX and local_XXX calls used in 2.2
* all uid/gid allocation must involve winbindd now
* move flags field around in winbindd_request struct
* add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id()
to prevent automatic allocation for unknown SIDs
* add 'winbind trusted domains only' parameter to force a domain member
server to use matching users names from /etc/passwd for its domain
(needed for domain member of a Samba domain)
* rename 'idmap only' to 'enable rid algorithm' for better clarity
(defaults to "yes")
code has been tested on
* domain member of native mode 2k domain
* ads domain member of native mode 2k domain
* domain member of NT4 domain
* domain member of Samba domain
* Samba PDC running winbindd with trusts
Logons tested using 2k clients and smbclient as domain users
and trusted users. Tested both 'winbind trusted domains only = [yes|no]'
This will be a long week of changes. The next item on the list is
winbindd_passdb.c & machine trust accounts not in /etc/passwd (done
via winbindd_passdb)
(This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
|
|
Samba will now use the user's UNIX primary group, as the primary group when
dealing with the filesystem. The NT primary group is ignored in unix.
For the NT_TOKEN, the primary group is the NT priamry group, and the unix
primary group is added to the NT_TOKEN as a supplementary group.
This should fix bug #109, but will need to be revisited when we get a full
NT group database.
Also in this commit:
- Fix debug statements in service.c
- Make idmap_ldap show if it's adding, or modifying an existing DN
- Make idmap_ldap show both the error message and error string
(This used to be commit 32e455a714b2090fcfd1f6d73daccf600c15d51b)
|
|
down failures.
Add a 'auto-add on modify' feature to guestsam
Fix some segfault bugs on no-op idmap modifications, and on new idmappings that
do not have a DN to tack onto.
Make the 'private data' a bit more robust.
Andrew Bartlett
(This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
|