Age | Commit message (Collapse) | Author | Files | Lines |
|
There's a known bug in some Windows implementations of
DsEnumerateDomainTrusts() where domain SIDs are not returned for
transitively trusted domains within the same forest.
Jerry originally worked around this in the winbindd parent by checking
for S-0-0 and converting it to S-1-0 in 8b0fce0b. Guenter later moved
these checks into the child process in commit 3bdfcbac making the
initial patch unecessary.
I've removed it and added a clarifying comment to the child process.
If ever this SID is needed we could add an extra DsEnumerateDomainTrusts()
call in trusted_domains() as suggested by the Microsoft KB.
|
|
It happens to be what we also share out via NETLOGON/SAMR, but winbind has
direct access to it via the passdb domain methods
|
|
|
|
|
|
Pass a "flags" argument instead of the original winbind command down the
name_to_sid chain. This way we are independent of the winbind commands and
can take the decision at a much higher level
|
|
|
|
Signed-off-by: Bo Yang <boyang@samba.org>
|
|
Same comment as in baa6084378e530b: This is just a preparatory checkin.
Volker
|
|
|
|
|
|
|
|
In itself, this is pretty pointless. But in the next steps I'll convert the
winbind internal communication to wb_reqtrans which allocates the request
properly. This minimizes the later diff.
Volker
|
|
Michael
|
|
|
|
metze
|
|
|
|
|
|
This API is unusual in that if used to remove a non-list head it nulls out
the next and prev pointers. This is what you want for debugging (don't want
an entry removed from the list to be still virtually linked into it) but
means there is no consistent idiom for use as the next and prev pointers
get trashed on removal from the list, meaning you must save them yourself.
You can use it one way when deleting everything via the head pointer, as
this preserves the next pointer, but you *must* use it another way when not
deleting everything via the head pointer. Fix all known uses of this (the main
one is in conn_free_internal() and would not free all the private data entries
for vfs modules. The other changes in web/statuspage.c and winbindd_util.c
are not strictly neccessary, as the head pointer is being used, but I've done
them for consistency. Long term we must revisit this as this API is too hard
to use correctly.
Jeremy.
|
|
This option really is essential, as we discover again and again at
customer sites. Due to bugs in winbind some domains are toxic. When
you are installing at a site and a particular domain in a complex
setup causes winbind to segfault or hang then you need a way to
disable that domain and continue.
In an ideal world winbind could handle arbitrarily complex ADS
domains, but we are nowhere near that yet. If we ever get to that
stage then we won't need this option.
|
|
A talloc version of fill_domain_username().
Michael
|
|
Michael
|
|
* Add support user and group name aliasing by expanding
the ws_name_replace() and ws_name_return() functions.
The lookup path is
aliases -> qualified name -> SID
SID -> fully qualified name -> alias
In other words, the name aliasing support is a thin layer
built on top of SID/NAME translation.
* Rename the ws_name_XX() functions to normalize_name_map()
and normalize_name_unmap(). Chaneg interface to return
NTSTATUS rather than char *.
* Add associated cache validation functions.
|
|
Make sure that usernames are parsed using the correct separator.
Otherwise group memeberships in winbind may be result broken.
(This used to be commit 20b9c0aa7b4e6d6be5bb6e4e96bd8a1cbb6edd37)
|
|
Guenther
(This used to be commit ae3fa60c4546c7420722d8f422c22bbfd623ff5b)
|
|
reconnect code to cope with rebooting a DC. This
replaces the code I asked Volker to revert.
The logic is pretty simple. It adds a new parameter,
"winbind reconnect delay", set to 30 seconds by
default, which determines how long to wait between
connection attempts.
To avoid overwhelming the box with DC-probe
forked children, the code now keeps track of
the DC probe child per winbindd_domain struct
and only starts a new one if the existing one
has died.
I also added a little logic to make sure the
dc probe child always sends a message whatever
the reason for exit so we will always reschedule
another connect attempt.
Also added documentation.
Jeremy.
(This used to be commit 8027197635b988b3dcf9d3d00126a024e768fa62)
|
|
should never include the user SID.
The comment for the function in winbindd/winbindd_ads.c says
/* Lookup groups a user is a member of. */
The following patch makes the wbinfo calls return the correct data
before and after a login.
wbinfo --user-domgroups and --user-sids
(This used to be commit 7849938906a9c859805cbaeca66fae9d3c515aad)
|
|
(This used to be commit 30a180f2fce8cf6a3e5548f6bba453272ba70b33)
|
|
containing a '.'.
Jeremy.
(This used to be commit 96325ff44dc404a68d4ebd423cf78210ec3ff902)
|
|
backend. This allows winbindd when running on a Samba PDC to
correctly answer wbinfo -u lists and other queries.
Jeremy.
(This used to be commit e61ad0c1586733ae1d3518ce56d95094d1ac5ef9)
|
|
83b04c60fac76ccd2d5aecb14f8896a07d488b1f..6e66512d5beb256a44c6703cdb8c7fa7e0fd8537.
We still need to address https://bugzilla.redhat.com/show_bug.cgi?id=429024, but this
will come later.
Jeremy.
(This used to be commit 41e20becf3b976656f60aaec9175df329803b012)
|
|
Guenther
(This used to be commit 65b4cb20ea3fb806cfd50281e08f32bea70fafce)
|
|
* changed the behavior of winbind_ads.c:trusted_domains() to not overwrite
existing trust information if we're joined to a child domain, and querying the
forest root domain. Previously if we were joined to a child domain, we'd
request all known trust information from this child domain (our primary domain)
and store it in the tdc. We'd then request all trust information from our tree
root (to get the forests we transitively trust) and overwrite the existing trust
information we already had from the perspective of the tree root.
* updated several comments and fixed typos
(This used to be commit 6aac972d790ad5ca65096cb2e85e6819b60a5413)
|
|
Guenther
(This used to be commit d9502eb75395131d5a8130ff2c4ebace106cb974)
|
|
(This used to be commit 7dbfc7bdc65314466a83e8121b35c9bcb24b2631)
|
|
This patch make sure we do not try to contact smbd in the main dameon
to avoid deadlocks.
All the operations that require connecting to smbd are performed in
the domain child anyway.
(This used to be commit 9347d34b502bef70cdae8f3e8acd9796dba49581)
|
|
Jerry, please have a look if you're fine with that.
Guenther
(This used to be commit beae25c808a3a03d645f247e9befcd05e3ecca2c)
|
|
Use the flags stored in the tdb when determining if a domain can
be contacted. The tdb should be considered authoratative anyways unless
you know the flags in the winbindd_domain are correct (such as when
first enumerating trusts).
Original suggestion and patch from Steven Danneman <steven.danneman@isilon.com>.
Manually rewritten by me for 3.2.
(This used to be commit f53658a20de07a29abbe2e90917b328d00fc0024)
|
|
The check for inbound trusts is invalid when samba is a DC
and has a trust with an active directory domain.
This effectively prevented tusts with an AD domain on a
samba DC from working (unless using "winbindd rpc only"),
because an ads_connect() was never performed. Only the
rpc-based winbindd methods were working properly.
Jerry: Please check!
Michael
(This used to be commit dcd42a1e0642c69348adfaeecef7f7f2f074ac30)
|
|
explaining the reason for failure.
Michael
(This used to be commit ba5373ed7f74d560a9de8620039b596b8938d1dc)
|
|
The present assignment
"request->data.init_conn.is_primary = domain->internal ? False : True"
simply feels wrong. This seems to be the thing right to do:
"request->data.init_conn.is_primary = domain->primary ? true : false".
The question is: Does this have any purpose at all?
data.init_conn.is_primary seems to be used nowhere
in the whole code at all.
Is it (still) needed?
Michael
(This used to be commit 8bb21b8b3802e7b093a3c4fb41b8550033388878)
|
|
Just to be sure the "if (!_domain_list)" in domain_list() test always works.
Michael
(This used to be commit 1f49065d44dd7570d5a9928359751bd36f287952)
|
|
Michael
(This used to be commit 6b2b9a60ef857ec31da5fea631535205fbdede4a)
|
|
Also *do not* clear the trust list when rescanning or else it is possible
to suffer from a race condition where no trusted domains can be found.
(This used to be commit e7164a252bf213a74d6eeac5aa04645eed5be241)
|
|
least surprise for callers
(This used to be commit eb523ba77697346a365589101aac379febecd546)
|
|
It seems a bit pointless to do a fstrcpy(dst, sid_string_static(src))
(This used to be commit c221c246b10e2dbbd54a9af2dc45de2eae237380)
|
|
(This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09)
|
|
metze
(This used to be commit 075d315e0f72d506b70040da10940e4af131b4e2)
|
|
(This used to be commit 31d0a846db08d845e6cdfd85def4ac1c34031e02)
|
|
to struct sockaddr_storage in most places that matter (ie.
not the nmbd and NetBIOS lookups). This passes make test
on an IPv4 box, but I'll have to do more work/testing on
IPv6 enabled boxes. This should now give us a framework
for testing and finishing the IPv6 migration. It's at
the state where someone with a working IPv6 setup should
(theorecically) be able to type :
smbclient //ipv6-address/share
and have it work.
Jeremy.
(This used to be commit 98e154c3125d5732c37a72d74b0eb5cd7b6155fd)
|
|
metze
(cherry picked from commit abbb36a37c1dba2218a6c7ec31739eba5f250127)
(This used to be commit 5af1b45ed31043f952ec141d0f5f2973aec69d1a)
|