Age | Commit message (Collapse) | Author | Files | Lines |
|
Expand the "winbind nss info" to also take "rfc2307" to support the
plain posix attributes LDAP schema from win2k3-r2.
This work is based on patches from Howard Wilkinson and Bob Gautier
(and closes bug #3345).
Guenther
(This used to be commit 52423e01dc209ba5abde808a446287714ed11567)
|
|
The motivating factor is to not require more privileges for
the user account than Windows does when joining a domain.
The points of interest are
* net_ads_join() uses same rpc mechanisms as net_rpc_join()
* Enable CLDAP queries for filling in the majority of the
ADS_STRUCT->config information
* Remove ldap_initialized() from sam/idmap_ad.c and
libads/ldap.c
* Remove some unnecessary fields from ADS_STRUCT
* Manually set the dNSHostName and servicePrincipalName attribute
using the machine account after the join
Thanks to Guenther and Simo for the review.
Still to do:
* Fix the userAccountControl for DES only systems
* Set the userPrincipalName in order to support things like
'kinit -k' (although we might be able to just use the sAMAccountName
instead)
* Re-add support for pre-creating the machine account in
a specific OU
(This used to be commit 4c4ea7b20f44cd200cef8c7b389d51b72eccc39b)
|
|
patch to SAMBA_3_0 to declare prototypes for the initialization functions. These are the same changes I just made to head. --paulg
(This used to be commit 17774387ad879b6a72dd1cf406326318add31b04)
|
|
realloc can return NULL in one of two cases - (1) the realloc failed,
(2) realloc succeeded but the new size requested was zero, in which
case this is identical to a free() call.
The error paths dealing with these two cases should be different,
but mostly weren't. Secondly the standard idiom for dealing with
realloc when you know the new size is non-zero is the following :
tmp = realloc(p, size);
if (!tmp) {
SAFE_FREE(p);
return error;
} else {
p = tmp;
}
However, there were *many* *many* places in Samba where we were
using the old (broken) idiom of :
p = realloc(p, size)
if (!p) {
return error;
}
which will leak the memory pointed to by p on realloc fail.
This commit (hopefully) fixes all these cases by moving to
a standard idiom of :
p = SMB_REALLOC(p, size)
if (!p) {
return error;
}
Where if the realloc returns null due to the realloc failing
or size == 0 we *guarentee* that the storage pointed to by p
has been freed. This allows me to remove a lot of code that
was dealing with the standard (more verbose) method that required
a tmp pointer. This is almost always what you want. When a
realloc fails you never usually want the old memory, you
want to free it and get into your error processing asap.
For the 11 remaining cases where we really do need to keep the
old pointer I have invented the new macro SMB_REALLOC_KEEP_OLD_ON_ERROR,
which can be used as follows :
tmp = SMB_REALLOC_KEEP_OLD_ON_ERROR(p, size);
if (!tmp) {
SAFE_FREE(p);
return error;
} else {
p = tmp;
}
SMB_REALLOC_KEEP_OLD_ON_ERROR guarentees never to free the
pointer p, even on size == 0 or realloc fail. All this is
done by a hidden extra argument to Realloc(), BOOL free_old_on_error
which is set appropriately by the SMB_REALLOC and SMB_REALLOC_KEEP_OLD_ON_ERROR
macros (and their array counterparts).
It remains to be seen what this will do to our Coverity bug count :-).
Jeremy.
(This used to be commit 1d710d06a214f3f1740e80e0bffd6aab44aac2b0)
|
|
macro which sets the freed pointer to NULL.
(This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
|
|
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
|
|
Else SAFE_FREE seg faults. Thanks to Günther for pointing me at this.
I've implemented in in this was as we should announce to remove the
idmap_ strip stuff after some time at all.
(This used to be commit 6a5bf399a59b4f07a1560d534629cb14e20b5d3f)
|
|
If we detect a leading 'idmap_' for the idmap backend setting we strip
this and inform about the deprecated config with DEBUG 0.
I'm not sure if we should set a TTL of one year or five additional
releases from now for this code.
This is required for the changes Günther made as the first step to solve
bug #3264. With this fix we can even run with an old config. This is
very important as we else will break existing configurations with an
update.
(This used to be commit 34c7d8c0694369760340843318f873e26546cb2e)
|
|
Finally cleanup the way idmap modules are build and loaded, idmap_rid
now will have to be loaded without prefix, just "rid".
Guenther
(This used to be commit a77e02177dcefaaccf863aa8d237ea35a2ec52d1)
|
|
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
|
|
Allow to include BUILTIN to the mapping table also when
"allow trusted domains" is disabled.
Guenther
(This used to be commit 3ccb1913a771a187ee61a87869966beb7645f2f9)
|
|
Guenther
(This used to be commit f3da329fa89fad5b994e46251b43325fa4ea853e)
|
|
upcoming changes for "unixinfo"-pipe.
Therefor (after speaking with Volker) replace "winbind sfu support" with
the list-parameter "winbind nss info" which defaults to "template". For
SFU-support set it to "winbind nss info = template sfu".
Note that nss_info_use() is just a dummy function at the moment.
Guenther
(This used to be commit 91596330ea3c4ba0fb9ddc52ad9d4a7c8e5b2d3f)
|
|
to a personal one.
Thanks Luke!
Guenther
(This used to be commit 892ef0bbc100e05ba3e683f4e08946f36627cc1a)
|
|
Volker
(This used to be commit 25cbcfba30f534f3fb31627ba43421c42ccd5b0f)
|
|
POSIX
homedirectory and the loginshell from Active Directory's "Services for Unix".
Enable it with:
winbind sfu support = yes
User-Accounts without SFU-Unix-Attributes will be assigned template-based
Shells and Homedirs as before.
Note that it doesn't matter which version of Services for Unix you use (2.0,
2.2, 3.0 or 3.5). Samba should detect the correct attributes (msSFULoginShell,
msSFU30LoginShell, etc.) automatically.
If you also want to share the same uid/gid-space as SFU then also use PADL's
ad-idmap-Plugin:
idmap backend = ad
When using the idmap-plugin only those accounts will appear in Name Service
Switch that have those UNIX-attributes which avoids potential uid/gid-space
clashes between SFU-ids and automatically assigned idmap-ids.
Guenther
(This used to be commit 28b59699425b1c954d191fc0e3bd357e4a4e4cd8)
|
|
xad_oss_plugins-tarball).
Guenther
(This used to be commit 1d59841c9901b6a3aff72b6da1037495aa75f389)
|
|
(This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8)
|
|
* add synonym for idmap_rid in better lining with
other idmap backend names
* remove old debug messages when idmap {uid|gid} options
are not defined
(This used to be commit 03ebf3ebfe83897d8c18e57ed378154d1377874b)
|
|
--enable-developer=yes?
Volker
(This used to be commit 61d40ac60dd9c8c9bbcf92e4fc57fe1d706bc721)
|
|
(This used to be commit b451434e378e52e8ab6b932d7b26657ea9d0353c)
|
|
that uidNumber and gidNumber use match the rfc2307 schema
(This used to be commit c1727dc9e01f960c1eedf023b4de49ad6f418b18)
|
|
(This used to be commit 6fad82d3d536fe2f7184377137d062710b40b4f2)
|
|
(This used to be commit cadd5a44e7f1d532aa4dad7a4233e5ea2c814a10)
|
|
(This used to be commit 3eeecff05efec9310cf2bed7c6fe9a6d80dd6d0d)
|
|
*attr[]. This
gives some new warnings in smbldap.c, but a the callers are cleaned up.
Volker
(This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
|
|
(This used to be commit dd55ef25d1b24401a743d0367544e535cd17815c)
|
|
unused variables
(This used to be commit 82c4e2f37f1f4c581cd7c792808c9a81ef80db94)
|
|
compiled with -DIDMAP_RID_SUPPORT_TRUSTED_DOMAINS) as requested by Lars
Mueller <lmuelle-at-suse.de>.
Allow to map ID's for a local SAM and add some more
debugging-information.
Guenther
(This used to be commit 4d8e7c9ff00417b2ebae0c5faccfe9c2c9c44f2e)
|
|
allow BUILTIN domain-mapping.
Guenther
(This used to be commit e3b067ee99e304aa9e165dae5fcb0546cec711e2)
|
|
(only ever shows up when the somewhat hidden
IDMAP_RID_SUPPORT_TRUSTED_DOMAINS - define is set).
Thanks to Stephan Martin <sm@suse.de> for reporting this bug.
Guenther
(This used to be commit e7b81d679b487734e12a948f30f0ad88240f17f1)
|
|
allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
|
|
real life
if you have several competing winbinds that might get a lag due to
replication.
Volker
(This used to be commit 1c3f194ab7ab63aeb2284d7e5c7e183340740ceb)
|
|
when trusted domains are disabled anyway.
Guenther
(This used to be commit cd30a0b14adf1e58c19bcbfec385a5794d4ca112)
|
|
throw-up.
(This used to be commit 3d8e19468b8dda3bc84f0bc9174944c8275ed024)
|
|
Guenther
(This used to be commit c9a7bc10b7aa5e1cb7d37ba9b1a8ddb9b0b2dd5e)
|
|
- fix several memleaks found by valgrind
- turn off support for trusted domains (can be reenabled with
#define IDMAP_RID_SUPPORT_TRUSTED_DOMAINS 1)
- improve readability
Guenther
(This used to be commit 351a1227e80db5d87b71e17cd1443c11ea6ace4e)
|
|
Written by Sumit Bose <sbose@suse.de> and myself a while ago.
idmap_rid does a direct, static mapping between RIDs and UIDs/GIDs using
the idmap-range as offset. It does thus allow to have a unified mapping
over several winbindd-systems without having the need of a central
LDAP-Server (and all related dependencies and problems this solution can
bring).
Compile:
./configure --with-shared-modules=idmap_rid
Usage:
idmap backend = idmap_rid
idmp_rid does even allow you to have multiple mappings (for trusted
domains). This is a rather problemtic feature and will be turned off by
default rather soon. The problem is that ranges can quickly overlap when
not measured with caution.
idmap backend = idmap_rid:"MYDOMAIN=1000-9999 OTHER=10000-19999"
Will valgrind idmap_rid later today and fix a couple of things.
Guenther
(This used to be commit 49a238bd37105bf1a33d4a230ca594c4cf304dd3)
|
|
(in preparation of adding idmap_rid)
Guenther
(This used to be commit e7691f4862da141f530a8e8b1364b9c02e8dc732)
|
|
Optimization for 'idmap backend = ldap': When asking sid2id for the wrong
type, don't ask ldap when we have the opposite mapping in the local tdb.
Volker
(This used to be commit c91cff3bd38c1a8e23628b032f09829f9abf792d)
|
|
parameter a list instead of a string. This makes
idmap backend = ldap:"ldap://localhost/ ldap://fallback/"
possible.
Volker
(This used to be commit ea718347937ec0e5640b29e0e9edf6eda2b45e34)
|
|
Check in the 'winbind proxy only' mode -- no new parameter required :-)
If you don't set idmap uid or idmap gid, winbind will not do idmap stuff, it
will only proxy the netlogon request and thus speed up the authentication of
domain users.
Volker
(This used to be commit 29235f0c69035376ad7ac27b08a59069fa151102)
|
|
Jeremy.
(This used to be commit c336ccf4e8a6340f8d786219fbc7e4e5a7877e4e)
|
|
I know this isn't pretty, but neither was our assumption that all strings
from the directory fit inside a pstring. There was no way this worked
before will all versions of usrmgr (for example, the only version of
mine that has the TS Confic button).
(This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
|
|
(This used to be commit 4319df7fdc2d878c509381923cc1db4d731620ba)
|
|
(This used to be commit 7d7a262f45182e67daecdca49df85445c2b9700a)
|
|
(This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
|
|
UNIX entity foo to DOMAIN\foo instead of SERVER\foo
on members of a Samba domain when all UNIX accounts
are shared via NIS, et. al.
* allow winbindd to match local accounts to domain SID
when 'winbind trusted domains only = yes'
* remove code in idmap_ldap that searches the user
suffix and group suffix. It's not needed and
provides inconsistent functionality from the tdb backend.
This has been tested. I'm still waiting on some more feedback
but This needs to be in 3.0.1pre2 for widespread use.
(This used to be commit ee272414e9965d7d550ba91d4e83997134dd51e6)
|
|
Jeremy.
(This used to be commit b5d953bc26de5c4e0e1a15f70ae56ea2dd2843f2)
|
|
(This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669)
|