Age | Commit message (Collapse) | Author | Files | Lines |
|
size_t is overkill here, and in struct security_token in the num_sids
is uint32_t.
This includes a change to the prototype of add_sid_to_array()
and add_sid_to_array_unique(), which has had a number of
consequnetial changes as I try to sort out all the callers using
a pointer to the number of sids.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Guenther
|
|
Guenther
|
|
This is similar to 09a9cc3, this re-arranges winbindd_ads.c:query_user_list()
so that "ads" is not accessed anymore across a call to nss_get_info_cached()
call which can destroy it behind the scenes.
|
|
Guenther
|
|
We can't ads_msgfree after the ads struct has been killed. Do early returns.
|
|
nss_get_info_cached does not necessarily fill in gid
|
|
We can't access the LDAP message after nss_get_info_cached has potentially
destroyed the ads_struct
|
|
|
|
|
|
nss_get_info_cached might deep inside sequence_number() invalidate the
ads_struct without telling its callers.
|
|
nss_get_info_cached might have invalidated "ads" deep inside.
|
|
This matches the structure that new code is being written to,
and removes one more of the old-style named structures, and
the need to know that is is just an alias for struct dom_sid.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Well known rids don't really belong into an rpc header, just use the ones
defined in security.idl.
Guenther
|
|
|
|
Hopefully this makes the flag tests a bit more understandable
|
|
(*trusted_domains)
|
|
No real code change, this just removes an indentation by turning
if ( NT_STATUS_IS_OK(result) && trusts.count) {
into
if (!NT_STATUS_IS_OK(result)) {
return result;
}
if (trusts.count == 0) {
return NT_STATUS_OK;
}
|
|
samba.
Guenther
|
|
Guenther
|
|
Guenther
|
|
We need to enumerate passdb alias members
Thanks to gd for bugging me :-)
|
|
There's a known bug in some Windows implementations of
DsEnumerateDomainTrusts() where domain SIDs are not returned for
transitively trusted domains within the same forest.
Jerry originally worked around this in the winbindd parent by checking
for S-0-0 and converting it to S-1-0 in 8b0fce0b. Guenter later moved
these checks into the child process in commit 3bdfcbac making the
initial patch unecessary.
I've removed it and added a clarifying comment to the child process.
If ever this SID is needed we could add an extra DsEnumerateDomainTrusts()
call in trusted_domains() as suggested by the Microsoft KB.
|
|
|
|
metze
|
|
|
|
|
|
Pass a "flags" argument instead of the original winbind command down the
name_to_sid chain. This way we are independent of the winbind commands and
can take the decision at a much higher level
|
|
Guenther
|
|
|
|
|
|
Also remove ads_memfree(), which was only ever a wrapper around
SAFE_FREE, used only to free the DN from ads_get_ds().
This actually makes libgpo more consistant, as it mixed a talloc and a
malloc based string on the same element.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Guenther
|
|
Jeremy.
|
|
Some of the ads methods just point to the rpc methods.
This makes winbindd_ads use the reconnect methods instead of
calling the rpc methods directly in order to prevent
negative cache entries for e.g. name_to_sid, when the dc
has closed the connection without sending a reset.
Michael
|
|
The ads lookup_groupmem() function calls lda_lookupsids to resolve sids
to names. This is tried only once. So in case the connection was broken,
e.g. closed by the server (without a reset packet), there will be an empty
GM/ cache entry for the requested group which will prevent proper working
of access checks among other checks for the expiry period.
This patch works around this problem by retrying once if the lsa_lookupsids
call fails, re-establishing the dc-connection, as we already do in many other
places (e.g. the winbindd retry methods for the rpc layer).
Michael
|
|
Some AD objects, like Exchange Public Folders, can be members of Security
Groups but do not have a SID attribute. This patch adds more granular return
errors to ads_get_sid_from_extended_dn(). Callers can now determine if a parse
error occured because of bad input, or the DN was valid but contained no SID.
I updated all callers to ignore SIDless objects when appropriate.
Also did some cleanup to the out paths of lookup_usergroups_memberof()
|
|
|
|
This fixes the output of "getent group" when "winbind use default domain = yes"
with security = ads.
Michael
|
|
This reverts commit b57cbf62e8180c8fdb8f541c43358d36d8dbbdfa.
(This used to be commit b2a3f13e5b3b81df2ed7460e54c11a7f56b3c4f6)
|
|
(This used to be commit d4f5caa3d38b5afc1e8b3d0e0c6d7d68a152fe0a)
|
|
Guenther
(This used to be commit b57cbf62e8180c8fdb8f541c43358d36d8dbbdfa)
|
|
Guenther
(This used to be commit 5eee7423351ffd05486e33ff8eb905babcbc9422)
|
|
Guenther
(This used to be commit 0c1efc6c89b1a51a94d10971bf0fc515416709b3)
|
|
Previously WINBINDD_LIST_GROUPS requests (ex: wbinfo -g) were handled by the
winbindd parent process in a sequential fashion. This patch, delegates the work
to the winbindd children so that the request is handled much faster in large
domain topologies, and doesn't block the parent from receiving new requests.
The core group enumeration and conversion that was handled in
winbindd_list_groups() has been moved into winbindd_dual_list_groups() to be
done by the child.
The parent winbindd_list_groups() simply calls each of the children
asynchronously.
listgroups_recv() aggregates the final group list that will be returned to the
client and tracks how many of the children have returned their lists.
The domain name of the child is passed back through the callbacks to be used in
debugging messages.
There are also several fixes to typos in various comments.
(This used to be commit 037b9689d9042a398cb91e4628a82fcdfa913c21)
|
|
This reduces the dependency on cli_state
(This used to be commit 783afab9c891dd7bcb78895b2a639b6f3a0edf5b)
|
|
* changed the behavior of winbind_ads.c:trusted_domains() to not overwrite
existing trust information if we're joined to a child domain, and querying the
forest root domain. Previously if we were joined to a child domain, we'd
request all known trust information from this child domain (our primary domain)
and store it in the tdc. We'd then request all trust information from our tree
root (to get the forests we transitively trust) and overwrite the existing trust
information we already had from the perspective of the tree root.
* updated several comments and fixed typos
(This used to be commit 6aac972d790ad5ca65096cb2e85e6819b60a5413)
|
|
Guenther
(This used to be commit d9502eb75395131d5a8130ff2c4ebace106cb974)
|
|
Jerry, please have a look if you're fine with that.
Guenther
(This used to be commit beae25c808a3a03d645f247e9befcd05e3ecca2c)
|
|
Guenther
(This used to be commit f6397fbeae6668c6d0470f968cb1506b3ce34e4a)
|