Age | Commit message (Collapse) | Author | Files | Lines |
|
transaction id of packets it was requested to send via a client, and
only store replies that match these ids. On the client side change
clients to always attempt to ask nmbd first for name_query and
node_status calls, and then fall back to doing socket calls if
we can't talk to nmbd (either nmbd is not running, or we're not
root and cannot open the messaging tdb's). Fix readers of unexpected.tdb
to delete packets they've successfully read.
This should fix a long standing problem of unexpected.tdb
growing out of control in noisy NetBIOS envioronments with
lots of bradcasts, yet still allow unprivileged client apps
to work mostly as well as they already did (nmblookup for
example) in an environment when nmbd isn't running.
Jeremy.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sun Nov 14 05:22:45 UTC 2010 on sn-devel-104
|
|
This will reduce the noise from merges of the rest of the
libcli/security code, without this commit changing what code
is actually used.
This includes (along with other security headers) dom_sid.h and
security_token.h
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
|
|
This is supposed to improve the winbind reconnect time after an ip address
has been moved away from a box. Any kind of HA scenario will benefit from
this, because winbindd does not have to wait for the TCP timeout to kick in
when a local IP address has been dropped and DC replies are not received
anymore.
|
|
|
|
|
|
|
|
|
|
|
|
Ensure cm_get_schannel_creds() returns NTSTATUS.
Jeremy.
|
|
secure channel.
This is an important fix as the following could and is happening:
* winbind authenticates a user via schannel secured netlogon samlogonex call,
current secure channel cred state is stored in winbind state, winbind
sucessfully decrypts session key from the info3
* winbind sets up a new schannel ncacn_ip_tcp lsa pipe (and thereby resets the
secure channel on the dc)
* subsequent samlogonex calls use the new secure channel creds on the dc to
encrypt info3 session key, while winbind tries to use old schannel creds for
decryption
Guenther
|
|
Guenther
|
|
Guenther
|
|
well.
Guenther
|
|
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Note that this failure was hard to track, as winbind did only log a super helpful
"cm_prepare_connection: Success" debug message.
IPv6 gurus, please check
Successfully tested in two independent IPv6 networks now.
Guenther
|
|
This shrinks include/includes.h.gch by the size of 7 MB and reduces build time
as follows:
ccache build w/o patch
real 4m21.529s
ccache build with patch
real 3m6.402s
pch build w/o patch
real 4m26.318s
pch build with patch
real 3m6.932s
Guenther
|
|
This fixes a crash in winbindd_dual_pam_chng_pswd_auth_crap when given
global_sam_name() in the domain field
|
|
The main problem is that we call CatchChild() within the
parent winbindd, which overwrites the signal handler
that was registered by winbindd_setup_sig_chld_handler().
That means winbindd_sig_chld_handler() and winbind_child_died()
are never triggered when a winbindd domain child dies.
As a result will get "broken pipe" for all requests to that domain.
To reduce the risk of similar bugs in future we call
CatchChild() in winbindd_reinit_after_fork() now.
We also use a full winbindd_reinit_after_fork() in the
cache validation child now instead instead of just resetting
the SIGCHLD handler by hand. This will also fix possible
tdb problems on systems without pread/pwrite and disabled mmap
as we now correctly reopen the tdb handle for the child.
metze
|
|
There're maybe additional TCP connection for ncacn_ip_tcp.
metze
|
|
This makes sure we don't crash while trying to dereference domain->conn.cli->foo
while trying to establish a rpc connection to the server.
metze
|
|
metze
|
|
connection
metze
|
|
metze
|
|
metze
|
|
|
|
This way we can endup with silently using builtin_passdb_methods
for an ad domain without an inbound trust.
This fixes bug #7170.
metze
|
|
lsa_pipe_tcp is ok but network is down, then send request is ok, but select() on writeable fds loops forever since there is no response.
Signed-off-by: Bo Yang <boyang@samba.org>
|
|
samba.
Guenther
|
|
Required for cluster systems working in a Samba domain. With NT4 this won't
work, but real NT4 DCs should not be around in environments that pay big bucks
for a cluster... And if they are, they can always install a Samba DC trusting
that NT4 domain.
|
|
Guenther
|
|
This reverts commit 20a8ea91e10af167067cc794a251265aaf489e75.
Ooops, this should not have been committed.
|
|
|
|
ACCCESS_DENIED
metze
|
|
lookup_names/lookup_sids doesn't work over ncacn_np"
This reverts commit f23691cffd39e5df81b7b075e61ed1def6cce9f6.
This should not have been commited...
metze
|
|
doesn't work over ncacn_np
metze
|
|
|
|
Winbindd should always try to use LSA via an schannel authenticated ncacn_ip_tcp
connection when talking to AD for LSA lookup calls.
In Samba <-> W2k8 interdomain trust scenarios, LookupSids3 and LookupNames4 via an
schannel ncacn_ip_tcp LSA connection are the *only* options to successfully resolve
sids and names.
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
and cli_rpc_pipe_open_ntlmssp.
Guenther
|
|
principal.
Patch from Robert LeBlanc <robert@leblancnet.us>.
Thanks!
Guenther
|
|
|
|
W2K3 DC's can have IPv6 addresses but won't serve
krb5/ldap or cldap on those addresses. Make sure when
we're asking for DC's we prefer IPv4.
If you have an IPv6-only network this prioritizing code
will be a no-op. And if you have a mixed network then you
need to prioritize IPv4 due to W2K3 DC's.
Jeremy.
|
|
|
|
|