summaryrefslogtreecommitdiff
path: root/source3/winbindd/winbindd_ads.c
AgeCommit message (Collapse)AuthorFilesLines
2010-06-28s3: More cleanup in winbindd_ads.c:query_userVolker Lendecke1-13/+10
We can't ads_msgfree after the ads struct has been killed. Do early returns.
2010-06-28s3: Fix a valgrind errorVolker Lendecke1-2/+1
nss_get_info_cached does not necessarily fill in gid
2010-06-28s3: Re-arrange winbindd_ads.c:query_userVolker Lendecke1-23/+24
We can't access the LDAP message after nss_get_info_cached has potentially destroyed the ads_struct
2010-06-28s3: free -> SAFE_FREEVolker Lendecke1-1/+1
2010-06-28s3: Do an early TALLOC_FREEVolker Lendecke1-2/+5
2010-06-25s3: Fix a winbind crashVolker Lendecke1-0/+10
nss_get_info_cached might deep inside sequence_number() invalidate the ads_struct without telling its callers.
2010-06-25s3: Fix a winbind crashVolker Lendecke1-1/+6
nss_get_info_cached might have invalidated "ads" deep inside.
2010-05-21s3:dom_sid Global replace of DOM_SID with struct dom_sidAndrew Bartlett1-24/+24
This matches the structure that new code is being written to, and removes one more of the old-style named structures, and the need to know that is is just an alias for struct dom_sid. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-18s3-rpc_misc: clean out include/rpc_misc.h.Günther Deschner1-1/+1
Well known rids don't really belong into an rpc header, just use the ones defined in security.idl. Guenther
2010-01-10s3: Replace most calls to sid_append_rid() by sid_compose()Volker Lendecke1-2/+1
2010-01-02s3: Introduce domain_is_forest_root() helper functionVolker Lendecke1-5/+2
Hopefully this makes the flag tests a bit more understandable
2009-12-28s3: Pass netr_DomainTrustList instead of names and sids through ↵Volker Lendecke1-62/+21
(*trusted_domains)
2009-12-28s3: Simplify winbindd_ads.c:trusted_domains()Volker Lendecke1-110/+123
No real code change, this just removes an indentation by turning if ( NT_STATUS_IS_OK(result) && trusts.count) { into if (!NT_STATUS_IS_OK(result)) { return result; } if (trusts.count == 0) { return NT_STATUS_OK; }
2009-11-26s3-rpc: Avoid including every pipe's client and server stubs everywhere in ↵Günther Deschner1-0/+1
samba. Guenther
2009-11-03s3-passdb: cleanup some callers of pdb_get_trusteddom_pw().Günther Deschner1-3/+1
Guenther
2009-09-17s3-winbindd: add and use winbindd_lookup_sids().Günther Deschner1-50/+14
Guenther
2009-08-29s3:winbind: Fix a bug found by RPC-SAMRVolker Lendecke1-1/+3
We need to enumerate passdb alias members Thanks to gd for bugging me :-)
2009-08-26s3/winbindd: Remove unnecessary check for NULL SIDSteven Danneman1-1/+5
There's a known bug in some Windows implementations of DsEnumerateDomainTrusts() where domain SIDs are not returned for transitively trusted domains within the same forest. Jerry originally worked around this in the winbindd parent by checking for S-0-0 and converting it to S-1-0 in 8b0fce0b. Guenter later moved these checks into the child process in commit 3bdfcbac making the initial patch unecessary. I've removed it and added a clarifying comment to the child process. If ever this SID is needed we could add an extra DsEnumerateDomainTrusts() call in trusted_domains() as suggested by the Microsoft KB.
2009-08-16s3:winbind: WINBIND_USERINFO -> wbint_userinfoVolker Lendecke1-7/+10
2009-08-11s3:winbindd: raise the timeout for lsa_Lookup*() calls from 10 to 35 seconds.Stefan Metzmacher1-0/+21
metze
2009-08-03Add some const to winbind_userinfoVolker Lendecke1-3/+4
2009-08-02Fix some nonempty blank linesVolker Lendecke1-28/+28
2009-08-02Refactor 9b78af1f: Fix lookupname recursionVolker Lendecke1-3/+3
Pass a "flags" argument instead of the original winbind command down the name_to_sid chain. This way we are independent of the winbind commands and can take the decision at a much higher level
2009-07-13libds: merge the UF<->ACB flag mapping functions.Günther Deschner1-1/+1
Guenther
2009-07-09Make escape_ldap_string take a talloc contextVolker Lendecke1-3/+3
2009-05-28Make sid_binstring & friends take a talloc contextVolker Lendecke1-8/+6
2009-04-06s3:libads Make ads_get_dn() take a talloc contextAndrew Bartlett1-2/+2
Also remove ads_memfree(), which was only ever a wrapper around SAFE_FREE, used only to free the DN from ads_get_ds(). This actually makes libgpo more consistant, as it mixed a talloc and a malloc based string on the same element. Andrew Bartlett Signed-off-by: Günther Deschner <gd@samba.org>
2009-03-18s3: remove POLICY_HND.Günther Deschner1-1/+1
Guenther
2008-12-31Fix more asprintf and "ignoring return code" warnings from gcc 4.3.Jeremy Allison1-1/+4
Jeremy.
2008-11-21s3-winbindd_ads: use the reconnect methods instead of the rpc methods directlyMichael Adam1-6/+75
Some of the ads methods just point to the rpc methods. This makes winbindd_ads use the reconnect methods instead of calling the rpc methods directly in order to prevent negative cache entries for e.g. name_to_sid, when the dc has closed the connection without sending a reset. Michael
2008-11-21s3-winbindd_ads: prevent negative GM/ cache entries due to broken connectionsMichael Adam1-0/+23
The ads lookup_groupmem() function calls lda_lookupsids to resolve sids to names. This is tried only once. So in case the connection was broken, e.g. closed by the server (without a reset packet), there will be an empty GM/ cache entry for the requested group which will prevent proper working of access checks among other checks for the expiry period. This patch works around this problem by retrying once if the lsa_lookupsids call fails, re-establishing the dc-connection, as we already do in many other places (e.g. the winbindd retry methods for the rpc layer). Michael
2008-11-18Fix extended DN parse error when AD object does not have a SID.Steven Danneman1-18/+37
Some AD objects, like Exchange Public Folders, can be members of Security Groups but do not have a SID attribute. This patch adds more granular return errors to ads_get_sid_from_extended_dn(). Callers can now determine if a parse error occured because of bad input, or the DN was valid but contained no SID. I updated all callers to ignore SIDless objects when appropriate. Also did some cleanup to the out paths of lookup_usergroups_memberof()
2008-11-18Whitespace and >80 column cleanups.Steven Danneman1-37/+39
2008-09-23[s3]winbindd_ads: honour "winbind use default domain" in lookup_groupmem().Michael Adam1-9/+11
This fixes the output of "getent group" when "winbind use default domain = yes" with security = ads. Michael
2008-09-05Revert "winbindd: the ad trusted_domains call should return talloced strings."Günther Deschner1-5/+2
This reverts commit b57cbf62e8180c8fdb8f541c43358d36d8dbbdfa. (This used to be commit b2a3f13e5b3b81df2ed7460e54c11a7f56b3c4f6)
2008-09-04Fix winbindd crash bug with trusted domains. Bug #5736James Ding1-0/+2
(This used to be commit d4f5caa3d38b5afc1e8b3d0e0c6d7d68a152fe0a)
2008-09-02winbindd: the ad trusted_domains call should return talloced strings.Günther Deschner1-2/+5
Guenther (This used to be commit b57cbf62e8180c8fdb8f541c43358d36d8dbbdfa)
2008-08-28winbindd: fix invalid sid copy (hit when enumerating sibling domains).Günther Deschner1-1/+1
Guenther (This used to be commit 5eee7423351ffd05486e33ff8eb905babcbc9422)
2008-07-30winbindd: handle trusted domains without sid.Günther Deschner1-2/+10
Guenther (This used to be commit 0c1efc6c89b1a51a94d10971bf0fc515416709b3)
2008-05-22Make WINBINDD_LIST_GROUPS handler asynchronous.Steven Danneman1-1/+1
Previously WINBINDD_LIST_GROUPS requests (ex: wbinfo -g) were handled by the winbindd parent process in a sequential fashion. This patch, delegates the work to the winbindd children so that the request is handled much faster in large domain topologies, and doesn't block the parent from receiving new requests. The core group enumeration and conversion that was handled in winbindd_list_groups() has been moved into winbindd_dual_list_groups() to be done by the child. The parent winbindd_list_groups() simply calls each of the children asynchronously. listgroups_recv() aggregates the final group list that will be returned to the client and tracks how many of the children have returned their lists. The domain name of the child is passed back through the callbacks to be used in debugging messages. There are also several fixes to typos in various comments. (This used to be commit 037b9689d9042a398cb91e4628a82fcdfa913c21)
2008-04-20Add "desthost" to rpc_pipe_clientVolker Lendecke1-1/+1
This reduces the dependency on cli_state (This used to be commit 783afab9c891dd7bcb78895b2a639b6f3a0edf5b)
2008-03-31Forest root trust flags won't overwrite child trust flagsSteven Danneman1-30/+51
* changed the behavior of winbind_ads.c:trusted_domains() to not overwrite existing trust information if we're joined to a child domain, and querying the forest root domain. Previously if we were joined to a child domain, we'd request all known trust information from this child domain (our primary domain) and store it in the tdc. We'd then request all trust information from our tree root (to get the forests we transitively trust) and overwrite the existing trust information we already had from the perspective of the tree root. * updated several comments and fixed typos (This used to be commit 6aac972d790ad5ca65096cb2e85e6819b60a5413)
2008-02-17Use netr_SamInfo3 everywhere in winbindd.Günther Deschner1-5/+5
Guenther (This used to be commit d9502eb75395131d5a8130ff2c4ebace106cb974)
2008-01-29Remove include/rpc_ds.h and all references to it completly.Günther Deschner1-6/+6
Jerry, please have a look if you're fine with that. Guenther (This used to be commit beae25c808a3a03d645f247e9befcd05e3ecca2c)
2008-01-29Use another pidl generated call to enumerate ds trusted domains in winbindd.Günther Deschner1-26/+23
Guenther (This used to be commit f6397fbeae6668c6d0470f968cb1506b3ce34e4a)
2008-01-09Convert add_sid_to_array() add_sid_to_array_unique() to return NTSTATUS.Michael Adam1-18/+21
Michael (This used to be commit 6b2b9a60ef857ec31da5fea631535205fbdede4a)
2008-01-04Fix the inherited trust flags when spidering the trust heirarchy.Gerald (Jerry) Carter1-0/+12
Also *do not* clear the trust list when rescanning or else it is possible to suffer from a race condition where no trusted domains can be found. (This used to be commit e7164a252bf213a74d6eeac5aa04645eed5be241)
2007-12-15Replace sid_string_static by sid_string_dbg in DEBUGsVolker Lendecke1-17/+16
(This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09)
2007-11-27Remove pstrings from everything except srv_spoolss_nt.c.Jeremy Allison1-2/+2
Jeremy. (This used to be commit 0002a9e96b0ef78316295a6eb94ff29b64e2f988)
2007-10-24This is a large patch (sorry). Migrate from struct in_addrJeremy Allison1-9/+9
to struct sockaddr_storage in most places that matter (ie. not the nmbd and NetBIOS lookups). This passes make test on an IPv4 box, but I'll have to do more work/testing on IPv6 enabled boxes. This should now give us a framework for testing and finishing the IPv6 migration. It's at the state where someone with a working IPv6 setup should (theorecically) be able to type : smbclient //ipv6-address/share and have it work. Jeremy. (This used to be commit 98e154c3125d5732c37a72d74b0eb5cd7b6155fd)