path: root/source3/winbindd/winbindd_cache.c
Age | Commit message | Author | Files | Lines
2012-12-12 | winbind: Use talloc in resolve_username_to_alias(). | Andreas Schneider | 1 | -3/+5
Found by Coverity. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
2012-12-12 | winbind: Use talloc in resolve_alias_to_username(). | Andreas Schneider | 1 | -3/+5
Found by Coverity. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
2012-11-26 | s3: Do not free a string where we should not | Volker Lendecke | 1 | -1/+1
Reviewed by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Mon Nov 26 22:03:05 CET 2012 on sn-devel-104
2012-11-26 | s3: Do not free a string where we should not | Volker Lendecke | 1 | -1/+1
Reviewed by: Jeremy Allison <jra@samba.org>
2012-11-09 | Revert "s3-winbindd: make sure we obey the -n switch also for samlogon cache access." | David Disseldorp | 1 | -4/+0
This reverts commit ae6a779bf9f816680e724ede37324b7f5355996b. Bug 9125 analysis from Volker: The problem is that there are no network calls possible at all that would do what the samlogon cache does for us. There is just no way to retrieve the group membership in a complex trusted environment. If you have just a single domain with Samba as domain controller it might be possible, but even within a single domain it is not possible to correctly retrieve all group memberships using LDAP calls due to ACLs on directory objects. The call to get that is called NetSamLogon on the NETLOGON pipe. But this call requires user credentials and might trigger updating counts on the server. So to correctly implement wbinfo -r after a user has logged in, you have two alternatives: Save the info3 struct or the PAC in the netsamlogon cache. If you insist on doing network calls, you need to cache the user credentials somewhere to re-do the NetSamLogon call every time the wbinfo -r is requested. Reviewed-by: Andreas Schneider <asn@samba.org>
2012-11-01 | s3:winbindd:cache: fix offline logons with cached credentials (bug #9321) | Michael Adam | 1 | -0/+7
The removal of consumption of the time field from the centry as "removal of unused variable" in 21528da9cd12a4f5c3792a482a5d18fe946a6f7a had the side effect of changing the offset for reading the following nt password hash, so the read password hash was wrong. This patch re-installs the consumption of the time, thereby fixing the bug without changing the disk format of the cache. Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-08-09 | Correctly check for errors in strlower_m() returns. | Jeremy Allison | 1 | -1/+1
2012-08-09 | Check error returns from strupper_m() (in all reasonable places). | Jeremy Allison | 1 | -6/+14
2012-07-12 | s3: rename sid_check_is_domain() to sid_check_is_our_sam() | Michael Adam | 1 | -2/+2
This does not check whether the given sid is the domain sid, but whether it is the sid of the local sam, which is different for a domain member server.
2012-02-18 | Fix a bunch of "unused variable" warnings. | Jeremy Allison | 1 | -3/+0
Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Sat Feb 18 06:22:40 CET 2012 on sn-devel-104
2011-12-20 | s3: Fix some False/NULL hickups | Volker Lendecke | 1 | -2/+2
Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Tue Dec 20 13:13:17 CET 2011 on sn-devel-104
2011-12-03 | s3-winbind: Add an update function for winbind cache. | Andreas Schneider | 1 | -2/+94
With 57b3d32 we changed the format for the winbind cache database and the code deleted the database for the upgrade. As this database holds also cached credentials, removing it is not an option. We need to update from version 1 to version 2. Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Sat Dec 3 03:47:58 CET 2011 on sn-devel-104
2011-12-02 | s3-winbind: Remove unused keys from list. | Andreas Schneider | 1 | -2/+0
DR and DE have been removed with 0834574fdd6b469797b3b6a4edd45f321b9b9971. Autobuild-User: Andreas Schneider <asn@cryptomilk.org> Autobuild-Date: Fri Dec 2 19:02:45 CET 2011 on sn-devel-104
2011-10-12 | Fix bug #8521 - winbindd cache timeout expiry test was reversed | Jeremy Allison | 1 | -1/+1
Found and fix reported by Micha Lenk <micha@lenk.info>. Thanks !
2011-09-15 | Finish commit 8745c70d by Michael Adam. | Jeremy Allison | 1 | -5/+5
If you're going to move winbindd_cache.tdb to the state_path, do it *everywhere*. Found by Ira Cooper <ira@wakeful.net>. Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Thu Sep 15 00:43:04 CEST 2011 on sn-devel-104
2011-09-08 | s3: Fix a debug message | Volker Lendecke | 1 | -2/+2
Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Thu Sep 8 15:08:43 CEST 2011 on sn-devel-104
2011-09-07 | s3:winbind: put winbindd_cache into the state dir, not the cache dir | Michael Adam | 1 | -1/+1
Despite the name, in winbind offline logon mode, this is a database that contains valuable information and should not be cleared. Autobuild-User: Michael Adam <obnox@samba.org> Autobuild-Date: Wed Sep 7 21:17:37 CEST 2011 on sn-devel-104
2011-08-17 | Replace calls to sid_equal with calls to dom_sid_equal | Volker Lendecke | 1 | -1/+1
2011-06-20 | tdb_compat: Higher level API fixes. | Rusty Russell | 1 | -1/+1
My previous patches fixed up all direct TDB callers, but there are a few utility functions and the db_context functions which are still using the old -1 / 0 return codes. It's clearer to fix up all the callers of these too, so everywhere is consistent: non-zero means an error. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2011-06-20 | tdb_compat: use tdb_errorstr_compat() | Rusty Russell | 1 | -2/+2
Since TDB2 functions return the error directly, tdb_errorstr() takes an error code, not the tdb as it does in TDB1. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2011-06-20 | tdb_traverse/tdb_traverse_read: check returns for negative, not -1. | Rusty Russell | 1 | -1/+1
TDB2 returns a negative error number on failure. This is compatible if we always check for < 0 instead of == -1. Also, there's no tdb_traverse_read in TDB2: we don't try to make traverse reliable any more, so there are no write locks anyway. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2011-06-20 | tdb_delete: check returns for 0, not -1. | Rusty Russell | 1 | -1/+1
TDB2 returns a negative error number on failure. This is compatible if we always check for != 0 instead of == -1. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2011-06-20 | tdb_fetch_compat: use instead of tdb_fetch. | Rusty Russell | 1 | -5/+5
This is a noop for tdb1. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2011-06-09 | s3-talloc Change TALLOC_ZERO_ARRAY() to talloc_zero_array() | Andrew Bartlett | 1 | -1/+1
Using the standard macro makes it easier to move code into common, as TALLOC_ZERO_ARRAY isn't standard talloc.
2011-06-09 | s3-talloc Change TALLOC_P() to talloc() | Andrew Bartlett | 1 | -2/+2
Using the standard macro makes it easier to move code into common, as TALLOC_P isn't standard talloc.
2011-06-09 | s3-talloc Change TALLOC_ARRAY() to talloc_array() | Andrew Bartlett | 1 | -9/+9
Using the standard macro makes it easier to move code into common, as TALLOC_ARRAY isn't standard talloc.
2011-06-09 | s3-talloc Change TALLOC_REALLOC_ARRAY() to talloc_realloc() | Andrew Bartlett | 1 | -1/+1
Using the standard macro makes it easier to move code into common, as TALLOC_REALLOC_ARRAY isn't standard talloc. Andrew Bartlett
2011-06-08 | s3-winbindd: make sure we obey the -n switch also for samlogon cache access. | Günther Deschner | 1 | -0/+4
Guenther Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Wed Jun 8 14:44:31 CEST 2011 on sn-devel-104
2011-05-06 | s3: only include tdb headers where needed. | Günther Deschner | 1 | -0/+1
Guenther
2011-05-05 | More simple const fixups. | Jeremy Allison | 1 | -2/+2
2011-04-01 | s3: Fix Coverity ID 1137: CONSTANT_EXPRESSION_RESULT | Volker Lendecke | 1 | -2/+2
Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Fri Apr 1 09:35:19 CEST 2011 on sn-devel-104
2011-03-30 | s3-passdb: use passdb headers where needed. | Günther Deschner | 1 | -0/+1
Guenther
2011-03-30 | s3-winbindd: copy acct_info to wb_acct_info so we dont need passdb for it. | Günther Deschner | 1 | -4/+4
Guenther
2011-03-30 | s3-includes: only include system/filesys.h when needed. | Günther Deschner | 1 | -0/+1
Guenther
2011-03-06 | s3: Remove unused args from nss_get_info_cached | Volker Lendecke | 1 | -1/+0
2011-03-06 | s3: Remove unused args from nss_get_info | Volker Lendecke | 1 | -1/+1
2011-01-21 | s3:winbind: Protect against invalid winbindd_cache entries in lookuprids | Volker Lendecke | 1 | -1/+2
2010-12-19 | s3: wcache_invalidate_samlogon only needs the SID | Volker Lendecke | 1 | -7/+4
2010-12-19 | s3: netsamlogon_clear_cached_user only needs the SID | Volker Lendecke | 1 | -1/+1
2010-11-22 | s3: Use sid_check_is.. | Volker Lendecke | 1 | -2/+2
2010-11-18 | s3: Call sid_check_is_domain instead of dom_sid_equal | Volker Lendecke | 1 | -1/+1
Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Thu Nov 18 15:32:32 UTC 2010 on sn-devel-104
2010-11-08 | s3:winbind add wcache_tdc_fetch_domainbysid | Christian Ambach | 1 | -0/+52
add a function to lookup a domain in the winbind cache by domain SID
2010-11-08 | s3: Put some parentheses around conditionals | Volker Lendecke | 1 | -2/+2
2010-11-08 | s3: Consistently use stdbool types in new code | Volker Lendecke | 1 | -11/+11
2010-11-08 | s3:winbind add timeouts to winbind cache | Christian Ambach | 1 | -14/+57
This adds a timeout value to cache entries and the NDR records in the winbind cache. The previous approach of just comparing the sequence number has some issues, e.g. when retrying a wbinfo -n operation for a user in a not yet trusted domain was always failing even after the trusted domain was added. The new approach compares sequence number and timeout value to determine if a cache entry is still valid or not. I increased the cache version number so an old cache will be wiped automatically after upgrade.
2010-10-12 | libcli/security Provide a common, top level libcli/security/security.h | Andrew Bartlett | 1 | -1/+1
This will reduce the noise from merges of the rest of the libcli/security code, without this commit changing what code is actually used. This includes (along with other security headers) dom_sid.h and security_token.h Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
2010-09-27 | Change to using TDB_INCOMPATIBLE_HASH (the jenkins hash) on all | Jeremy Allison | 1 | -2/+5
TDB_CLEAR_IF_FIRST tdb's. For tdb's like gencache where we open without CLEAR_IF_FIRST and then with CLEAR_IF_FIRST if corrupt this is still safe to use as if opening an existing tdb the new hash will be ignored - it's only used on creating a new tdb not opening an old one. Jeremy.
2010-09-21 | s3-winbindd: another attempt to fix the non-ldap build. | Günther Deschner | 1 | -0/+3
Guenther
2010-09-20 | s3-util_sid: use shared dom_sid_compare_auth and dom_sid_equal_X functions. | Günther Deschner | 1 | -3/+4
Guenther
2010-09-19 | s3/winbind: remove unused winbindd_check_cache_size | Björn Jacke | 1 | -29/+0