summaryrefslogtreecommitdiff
path: root/source3/sam
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r15697: I take no comments as no objections :)Günther Deschner3-40/+148
Expand the "winbind nss info" to also take "rfc2307" to support the plain posix attributes LDAP schema from win2k3-r2. This work is based on patches from Howard Wilkinson and Bob Gautier (and closes bug #3345). Guenther (This used to be commit 52423e01dc209ba5abde808a446287714ed11567)
2007-10-10r15543: New implementation of 'net ads join' to be more like Windows XP.Gerald Carter1-32/+6
The motivating factor is to not require more privileges for the user account than Windows does when joining a domain. The points of interest are * net_ads_join() uses same rpc mechanisms as net_rpc_join() * Enable CLDAP queries for filling in the majority of the ADS_STRUCT->config information * Remove ldap_initialized() from sam/idmap_ad.c and libads/ldap.c * Remove some unnecessary fields from ADS_STRUCT * Manually set the dNSHostName and servicePrincipalName attribute using the machine account after the join Thanks to Guenther and Simo for the review. Still to do: * Fix the userAccountControl for DES only systems * Set the userPrincipalName in order to support things like 'kinit -k' (although we might be able to just use the sAMAccountName instead) * Re-add support for pre-creating the machine account in a specific OU (This used to be commit 4c4ea7b20f44cd200cef8c7b389d51b72eccc39b)
2007-10-10r15283: Oh yeah. The build farm doesn't do much with head. OK, here is the ↵Paul Green1-0/+2
patch to SAMBA_3_0 to declare prototypes for the initialization functions. These are the same changes I just made to head. --paulg (This used to be commit 17774387ad879b6a72dd1cf406326318add31b04)
2007-10-10r13915: Fixed a very interesting class of realloc() bugs found by Coverity.Jeremy Allison1-0/+6
realloc can return NULL in one of two cases - (1) the realloc failed, (2) realloc succeeded but the new size requested was zero, in which case this is identical to a free() call. The error paths dealing with these two cases should be different, but mostly weren't. Secondly the standard idiom for dealing with realloc when you know the new size is non-zero is the following : tmp = realloc(p, size); if (!tmp) { SAFE_FREE(p); return error; } else { p = tmp; } However, there were *many* *many* places in Samba where we were using the old (broken) idiom of : p = realloc(p, size) if (!p) { return error; } which will leak the memory pointed to by p on realloc fail. This commit (hopefully) fixes all these cases by moving to a standard idiom of : p = SMB_REALLOC(p, size) if (!p) { return error; } Where if the realloc returns null due to the realloc failing or size == 0 we *guarentee* that the storage pointed to by p has been freed. This allows me to remove a lot of code that was dealing with the standard (more verbose) method that required a tmp pointer. This is almost always what you want. When a realloc fails you never usually want the old memory, you want to free it and get into your error processing asap. For the 11 remaining cases where we really do need to keep the old pointer I have invented the new macro SMB_REALLOC_KEEP_OLD_ON_ERROR, which can be used as follows : tmp = SMB_REALLOC_KEEP_OLD_ON_ERROR(p, size); if (!tmp) { SAFE_FREE(p); return error; } else { p = tmp; } SMB_REALLOC_KEEP_OLD_ON_ERROR guarentees never to free the pointer p, even on size == 0 or realloc fail. All this is done by a hidden extra argument to Realloc(), BOOL free_old_on_error which is set appropriately by the SMB_REALLOC and SMB_REALLOC_KEEP_OLD_ON_ERROR macros (and their array counterparts). It remains to be seen what this will do to our Coverity bug count :-). Jeremy. (This used to be commit 1d710d06a214f3f1740e80e0bffd6aab44aac2b0)
2007-10-10r13571: Replace all calls to talloc_free() with thye TALLOC_FREE()Gerald Carter1-4/+4
macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2007-10-10r13316: Let the carnage begin....Gerald Carter7-416/+32
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r12964: Rewind rem_backend in the case we have to workaround the idmap_ prefix.Lars Müller1-0/+6
Else SAFE_FREE seg faults. Thanks to Günther for pointing me at this. I've implemented in in this was as we should announce to remove the idmap_ strip stuff after some time at all. (This used to be commit 6a5bf399a59b4f07a1560d534629cb14e20b5d3f)
2007-10-10r12936: Fix bug #3264.Lars Müller1-0/+6
If we detect a leading 'idmap_' for the idmap backend setting we strip this and inform about the deprecated config with DEBUG 0. I'm not sure if we should set a TTL of one year or five additional releases from now for this code. This is required for the changes Günther made as the first step to solve bug #3264. With this fix we can even run with an old config. This is very important as we else will break existing configurations with an update. (This used to be commit 34c7d8c0694369760340843318f873e26546cb2e)
2007-10-10r12904: Fix #3264, allow to load idmap_ad with "idmap backend = ad".Günther Deschner1-1/+0
Finally cleanup the way idmap modules are build and loaded, idmap_rid now will have to be loaded without prefix, just "rid". Guenther (This used to be commit a77e02177dcefaaccf863aa8d237ea35a2ec52d1)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter2-9/+467
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r10170: Fix for #3056:Günther Deschner1-4/+6
Allow to include BUILTIN to the mapping table also when "allow trusted domains" is disabled. Guenther (This used to be commit 3ccb1913a771a187ee61a87869966beb7645f2f9)
2007-10-10r8155: ops, add missing function.Günther Deschner1-0/+14
Guenther (This used to be commit f3da329fa89fad5b994e46251b43325fa4ea853e)
2007-10-10r8145: When inventing a new parameter for SFU-support, be aware of Volker'sGünther Deschner1-1/+1
upcoming changes for "unixinfo"-pipe. Therefor (after speaking with Volker) replace "winbind sfu support" with the list-parameter "winbind nss info" which defaults to "template". For SFU-support set it to "winbind nss info = template sfu". Note that nss_info_use() is just a dummy function at the moment. Guenther (This used to be commit 91596330ea3c4ba0fb9ddc52ad9d4a7c8e5b2d3f)
2007-10-10r8133: Got approval from Luke Howard (PADL) to change the company copyright toGünther Deschner1-7/+1
to a personal one. Thanks Luke! Guenther (This used to be commit 892ef0bbc100e05ba3e683f4e08946f36627cc1a)
2007-10-10r8093: Next round. Now it compiles with --enable-socket-wrapper.Volker Lendecke1-2/+2
Volker (This used to be commit 25cbcfba30f534f3fb31627ba43421c42ccd5b0f)
2007-10-10r7994: This adds support in Winbindd's "security = ads"-mode to retrieve the ↵Günther Deschner1-7/+40
POSIX homedirectory and the loginshell from Active Directory's "Services for Unix". Enable it with: winbind sfu support = yes User-Accounts without SFU-Unix-Attributes will be assigned template-based Shells and Homedirs as before. Note that it doesn't matter which version of Services for Unix you use (2.0, 2.2, 3.0 or 3.5). Samba should detect the correct attributes (msSFULoginShell, msSFU30LoginShell, etc.) automatically. If you also want to share the same uid/gid-space as SFU then also use PADL's ad-idmap-Plugin: idmap backend = ad When using the idmap-plugin only those accounts will appear in Name Service Switch that have those UNIX-attributes which avoids potential uid/gid-space clashes between SFU-ids and automatically assigned idmap-ids. Guenther (This used to be commit 28b59699425b1c954d191fc0e3bd357e4a4e4cd8)
2007-10-10r7992: Adding PADL's idmap_ad plugin (taken from the latestGünther Deschner1-0/+380
xad_oss_plugins-tarball). Guenther (This used to be commit 1d59841c9901b6a3aff72b6da1037495aa75f389)
2007-10-10r7415: * big change -- volker's new async winbindd from trunkGerald Carter3-19/+19
(This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8)
2007-10-10r6450: * fix typo in htlm_auth help messageGerald Carter1-0/+1
* add synonym for idmap_rid in better lining with other idmap backend names * remove old debug messages when idmap {uid|gid} options are not defined (This used to be commit 03ebf3ebfe83897d8c18e57ed378154d1377874b)
2007-10-10r6445: Make us survive the PARANOID_MALLOC_CHECKER. Should we enable that forVolker Lendecke1-6/+8
--enable-developer=yes? Volker (This used to be commit 61d40ac60dd9c8c9bbcf92e4fc57fe1d706bc721)
2007-10-10r6273: Remove some unused code, minor cleanupVolker Lendecke1-103/+0
(This used to be commit b451434e378e52e8ab6b932d7b26657ea9d0353c)
2007-10-10r5708: BUG 2424: patch from Vince Brimhall <vbrimhall@novell.com> to ensure ↵Gerald Carter1-6/+5
that uidNumber and gidNumber use match the rfc2307 schema (This used to be commit c1727dc9e01f960c1eedf023b4de49ad6f418b18)
2007-10-10r5692: Fix compile warningsVolker Lendecke1-3/+3
(This used to be commit 6fad82d3d536fe2f7184377137d062710b40b4f2)
2007-10-10r5571: fix another breakage on gcc 2.96Gerald Carter1-1/+1
(This used to be commit cadd5a44e7f1d532aa4dad7a4233e5ea2c814a10)
2007-10-10r5568: fix more breakage on gcc 2.96Gerald Carter1-1/+1
(This used to be commit 3eeecff05efec9310cf2bed7c6fe9a6d80dd6d0d)
2007-10-10r5428: Apply some const. LDAP attribs should now be declared const char ↵Volker Lendecke1-5/+5
*attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2007-10-10r5278: BUG 2327: fix compile bug in idmap_rid.cGerald Carter1-1/+2
(This used to be commit dd55ef25d1b24401a743d0367544e535cd17815c)
2007-10-10r5272: BUG 2132, 2134: patch from Jason Mader <jason@ncac.gwu.edu> to remove ↵Gerald Carter1-4/+2
unused variables (This used to be commit 82c4e2f37f1f4c581cd7c792808c9a81ef80db94)
2007-10-10r4870: Make multi-domain-mode in idmap_rid accessible from outside (can beGünther Deschner1-8/+20
compiled with -DIDMAP_RID_SUPPORT_TRUSTED_DOMAINS) as requested by Lars Mueller <lmuelle-at-suse.de>. Allow to map ID's for a local SAM and add some more debugging-information. Guenther (This used to be commit 4d8e7c9ff00417b2ebae0c5faccfe9c2c9c44f2e)
2007-10-10r4221: when in the multi-mapping mode of idmap_rid:Günther Deschner1-4/+10
allow BUILTIN domain-mapping. Guenther (This used to be commit e3b067ee99e304aa9e165dae5fcb0546cec711e2)
2007-10-10r4216: fix segfault in idmap_ridGünther Deschner1-2/+2
(only ever shows up when the somewhat hidden IDMAP_RID_SUPPORT_TRUSTED_DOMAINS - define is set). Thanks to Stephan Martin <sm@suse.de> for reporting this bug. Guenther (This used to be commit e7b81d679b487734e12a948f30f0ad88240f17f1)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison2-2/+2
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r3758: Increase a debug level. This error condition can actually happen in ↵Volker Lendecke1-1/+1
real life if you have several competing winbinds that might get a lag due to replication. Volker (This used to be commit 1c3f194ab7ab63aeb2284d7e5c7e183340740ceb)
2007-10-10r3498: Optimisation of idmap_rid init: Avoid calling a DC for the domain-sidGünther Deschner1-28/+42
when trusted domains are disabled anyway. Guenther (This used to be commit cd30a0b14adf1e58c19bcbfec385a5794d4ca112)
2007-10-10r3221: Remove check for allow-trusted-domains so that this thing does not ↵John Terpstra1-1/+1
throw-up. (This used to be commit 3d8e19468b8dda3bc84f0bc9174944c8275ed024)
2007-10-10r3151: Add the "no warranty"-section in the licence header.Günther Deschner1-0/+10
Guenther (This used to be commit c9a7bc10b7aa5e1cb7d37ba9b1a8ddb9b0b2dd5e)
2007-10-10r3146: Some cleanup for idmap_rid:Günther Deschner1-155/+150
- fix several memleaks found by valgrind - turn off support for trusted domains (can be reenabled with #define IDMAP_RID_SUPPORT_TRUSTED_DOMAINS 1) - improve readability Guenther (This used to be commit 351a1227e80db5d87b71e17cd1443c11ea6ace4e)
2007-10-10r3145: Add experimental idmap_rid-Plugin.Günther Deschner1-0/+513
Written by Sumit Bose <sbose@suse.de> and myself a while ago. idmap_rid does a direct, static mapping between RIDs and UIDs/GIDs using the idmap-range as offset. It does thus allow to have a unified mapping over several winbindd-systems without having the need of a central LDAP-Server (and all related dependencies and problems this solution can bring). Compile: ./configure --with-shared-modules=idmap_rid Usage: idmap backend = idmap_rid idmp_rid does even allow you to have multiple mappings (for trusted domains). This is a rather problemtic feature and will be turned off by default rather soon. The problem is that ranges can quickly overlap when not measured with caution. idmap backend = idmap_rid:"MYDOMAIN=1000-9999 OTHER=10000-19999" Will valgrind idmap_rid later today and fix a couple of things. Guenther (This used to be commit 49a238bd37105bf1a33d4a230ca594c4cf304dd3)
2007-10-10r3137: Do not simply ignore failing idmap-module init for remotemaps.Günther Deschner1-1/+4
(in preparation of adding idmap_rid) Guenther (This used to be commit e7691f4862da141f530a8e8b1364b9c02e8dc732)
2007-10-10r2691: Increase a debug level for a quite frequent operation.Volker Lendecke1-0/+27
Optimization for 'idmap backend = ldap': When asking sid2id for the wrong type, don't ask ldap when we have the opposite mapping in the local tdb. Volker (This used to be commit c91cff3bd38c1a8e23628b032f09829f9abf792d)
2007-10-10r1430: Although prepared for only one remote backend, make the 'idmap backend'Volker Lendecke1-3/+4
parameter a list instead of a string. This makes idmap backend = ldap:"ldap://localhost/ ldap://fallback/" possible. Volker (This used to be commit ea718347937ec0e5640b29e0e9edf6eda2b45e34)
2007-10-10r1297: Yes, it does survive valgrind for my tests :-)Volker Lendecke1-0/+29
Check in the 'winbind proxy only' mode -- no new parameter required :-) If you don't set idmap uid or idmap gid, winbind will not do idmap stuff, it will only proxy the netlogon request and thus speed up the authentication of domain users. Volker (This used to be commit 29235f0c69035376ad7ac27b08a59069fa151102)
2007-10-10r916: Memory leak fix from kawasa_r@itg.hitachi.co.jp.Jeremy Allison1-2/+6
Jeremy. (This used to be commit c336ccf4e8a6340f8d786219fbc7e4e5a7877e4e)
2004-03-11Get MungedDial actually working with full TS strings in it for pdb_ldap.Jim McDonough1-8/+8
I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-02-23Janitor for tpot...bugzilla #1098, msleep already exists on aixJim McDonough1-1/+1
(This used to be commit 4319df7fdc2d878c509381923cc1db4d731620ba)
2004-01-06isolate ldap debug messages to the common smbldap_XXX() functionsGerald Carter1-5/+0
(This used to be commit 7d7a262f45182e67daecdca49df85445c2b9700a)
2003-11-14fix more memory leaks in the LDAP backend code; patches from metzeGerald Carter1-4/+14
(This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-07fix for bug 680 (heads up). This gist is to map theGerald Carter1-355/+129
UNIX entity foo to DOMAIN\foo instead of SERVER\foo on members of a Samba domain when all UNIX accounts are shared via NIS, et. al. * allow winbindd to match local accounts to domain SID when 'winbind trusted domains only = yes' * remove code in idmap_ldap that searches the user suffix and group suffix. It's not needed and provides inconsistent functionality from the tdb backend. This has been tested. I'm still waiting on some more feedback but This needs to be in 3.0.1pre2 for widespread use. (This used to be commit ee272414e9965d7d550ba91d4e83997134dd51e6)
2003-09-10Ensure we consistantly translate to/from utf8 for talking to LDAP.Jeremy Allison1-33/+31
Jeremy. (This used to be commit b5d953bc26de5c4e0e1a15f70ae56ea2dd2843f2)
2003-08-15get rid of more compiler warningsHerb Lewis2-4/+4
(This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669)