Age | Commit message (Collapse) | Author | Files | Lines |
|
access."
This reverts commit ae6a779bf9f816680e724ede37324b7f5355996b.
Bug 9125 analysis from Volker:
The problem is that there are no network calls possible at all that
would do what the samlogon cache does for us. There is just no way to
retrieve the group membership in a complex trusted environment. If you
have just a single domain with Samba as domain controller it might be
possible, but even within a single domain it is not possible to
correctly retrieve all group memberships using LDAP calls due to ACLs on
directory objects. The call to get that is called NetSamLogon on the
NETLOGON pipe. But this call requires user credentials and might trigger
updating counts on the server. So to correctly implement wbinfo -r after
a user has logged in, you have two alternatives: Save the info3 struct
or the PAC in the netsamlogon cache. If you insist on doing network
calls, you need to cache the user credentials somewhere to re-do the
NetSamLogon call every time the wbinfo -r is requested.
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
Avoid overriding default ccache for ads operations.
Nowadays various samba components may need to use GSSAPI and a default cred
cache to perform their tasks.
This code was completely overriding the whole process default ccache name, thus
altering the current credentials and sometimes hijacking them (or getting
preemptively hijaked).
By using gss_krb5_import_cred we can instead use a private ccache (necessary
sometimes to use a different set of credentials fromt he default
cifs/fqdn@realm one, for example when contacting foreign DCs using trust
credentials) that does not affect the rest of the process.
For the kerberos versions which don't have gss_krb5_import_cred
we fallback to temp override of KRB5CCNAME and gss_acquire_cred.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Sep 12 21:18:09 CEST 2012 on sn-devel-104
|
|
|
|
We do this so that we catch LDAP_TIMELIMIT_EXCEEDED as NT_STATUS_IO_TIMEOUT, which
has special handling in winbindd_cache.c
Andrew Bartlett
Signed-off-by: Jeremy Allison <jra@samba.org>
|
|
Using the standard macro makes it easier to move code into common, as
TALLOC_ZERO_ARRAY isn't standard talloc.
|
|
Guenther
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Wed Jun 8 14:44:31 CEST 2011 on sn-devel-104
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
|
|
|
|
Guenther
|
|
Guenther
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
This will reduce the noise from merges of the rest of the
libcli/security code, without this commit changing what code
is actually used.
This includes (along with other security headers) dom_sid.h and
security_token.h
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
|
|
This reduces the manual marshalling of these structures by removing
the duplication here.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
size_t is overkill here, and in struct security_token in the num_sids
is uint32_t.
This includes a change to the prototype of add_sid_to_array()
and add_sid_to_array_unique(), which has had a number of
consequnetial changes as I try to sort out all the callers using
a pointer to the number of sids.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Guenther
|
|
Guenther
|
|
This is similar to 09a9cc3, this re-arranges winbindd_ads.c:query_user_list()
so that "ads" is not accessed anymore across a call to nss_get_info_cached()
call which can destroy it behind the scenes.
|
|
Guenther
|
|
We can't ads_msgfree after the ads struct has been killed. Do early returns.
|
|
nss_get_info_cached does not necessarily fill in gid
|
|
We can't access the LDAP message after nss_get_info_cached has potentially
destroyed the ads_struct
|
|
|
|
|
|
nss_get_info_cached might deep inside sequence_number() invalidate the
ads_struct without telling its callers.
|
|
nss_get_info_cached might have invalidated "ads" deep inside.
|
|
This matches the structure that new code is being written to,
and removes one more of the old-style named structures, and
the need to know that is is just an alias for struct dom_sid.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Well known rids don't really belong into an rpc header, just use the ones
defined in security.idl.
Guenther
|
|
|
|
Hopefully this makes the flag tests a bit more understandable
|
|
(*trusted_domains)
|
|
No real code change, this just removes an indentation by turning
if ( NT_STATUS_IS_OK(result) && trusts.count) {
into
if (!NT_STATUS_IS_OK(result)) {
return result;
}
if (trusts.count == 0) {
return NT_STATUS_OK;
}
|
|
samba.
Guenther
|
|
Guenther
|
|
Guenther
|
|
We need to enumerate passdb alias members
Thanks to gd for bugging me :-)
|
|
There's a known bug in some Windows implementations of
DsEnumerateDomainTrusts() where domain SIDs are not returned for
transitively trusted domains within the same forest.
Jerry originally worked around this in the winbindd parent by checking
for S-0-0 and converting it to S-1-0 in 8b0fce0b. Guenter later moved
these checks into the child process in commit 3bdfcbac making the
initial patch unecessary.
I've removed it and added a clarifying comment to the child process.
If ever this SID is needed we could add an extra DsEnumerateDomainTrusts()
call in trusted_domains() as suggested by the Microsoft KB.
|
|
|
|
metze
|
|
|
|
|
|
Pass a "flags" argument instead of the original winbind command down the
name_to_sid chain. This way we are independent of the winbind commands and
can take the decision at a much higher level
|
|
Guenther
|
|
|
|
|
|
Also remove ads_memfree(), which was only ever a wrapper around
SAFE_FREE, used only to free the DN from ads_get_ds().
This actually makes libgpo more consistant, as it mixed a talloc and a
malloc based string on the same element.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Guenther
|
|
Jeremy.
|
|
Some of the ads methods just point to the rpc methods.
This makes winbindd_ads use the reconnect methods instead of
calling the rpc methods directly in order to prevent
negative cache entries for e.g. name_to_sid, when the dc
has closed the connection without sending a reset.
Michael
|