Age | Commit message (Collapse) | Author | Files | Lines |
|
Signed-off-by: Jeremy Allison <jra@samba.org>
|
|
Signed-off-by: Jeremy Allison <jra@samba.org>
|
|
Guenther
|
|
Guenther
|
|
This makes us scale better with many simultaneous winbind requests,
some of which might be slow.
This implementation breaks offline logons, as the cached credentials are
maintained in a child (this needs fixing). So, if the offline logons are
active, only allow one DC connection.
Probably the offline logon and the scalable file server cases are
separate enough so that this patch is useful even with the restriction.
|
|
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Fri Nov 19 11:21:00 CET 2010 on sn-devel-104
|
|
This should ensure we only have one copy of these core functions
in the tree.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This will reduce the noise from merges of the rest of the
libcli/security code, without this commit changing what code
is actually used.
This includes (along with other security headers) dom_sid.h and
security_token.h
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
|
|
Guenther
|
|
size_t is overkill here, and in struct security_token in the num_sids
is uint32_t.
This includes a change to the prototype of add_sid_to_array()
and add_sid_to_array_unique(), which has had a number of
consequnetial changes as I try to sort out all the callers using
a pointer to the number of sids.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Guenther
|
|
|
|
By putting this code inline in winbindd_setup_listeners() we remove 2
static variables and simplify the code.
By putting the get_winbind_priv_pipe_dir() in the same file, we allow
it to be reimplemented in s3compat.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This matches the structure that new code is being written to,
and removes one more of the old-style named structures, and
the need to know that is is just an alias for struct dom_sid.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
|
|
Don't store information explicitly as boolean flags that can be easily
retrieved from the domain when it's actually needed.
|
|
|
|
Volker, please check.
Guenther
|
|
add_trusted_domain() for a new domain always needs to be followed by a
setup_domain_child(). This was not always done, in particular not when walking
to the forest root for additional trusts.
This is a minimal patch, we need to fix add_trusted_domain().
|
|
|
|
|
|
|
|
If we found a match with sid==NULL, we ended up adding the domain twice
|
|
|
|
Hopefully this makes the flag tests a bit more understandable
|
|
|
|
|
|
|
|
There's a known bug in some Windows implementations of
DsEnumerateDomainTrusts() where domain SIDs are not returned for
transitively trusted domains within the same forest.
Jerry originally worked around this in the winbindd parent by checking
for S-0-0 and converting it to S-1-0 in 8b0fce0b. Guenter later moved
these checks into the child process in commit 3bdfcbac making the
initial patch unecessary.
I've removed it and added a clarifying comment to the child process.
If ever this SID is needed we could add an extra DsEnumerateDomainTrusts()
call in trusted_domains() as suggested by the Microsoft KB.
|
|
It happens to be what we also share out via NETLOGON/SAMR, but winbind has
direct access to it via the passdb domain methods
|
|
|
|
|
|
Pass a "flags" argument instead of the original winbind command down the
name_to_sid chain. This way we are independent of the winbind commands and
can take the decision at a much higher level
|
|
|
|
Signed-off-by: Bo Yang <boyang@samba.org>
|
|
Same comment as in baa6084378e530b: This is just a preparatory checkin.
Volker
|
|
|
|
|
|
|
|
In itself, this is pretty pointless. But in the next steps I'll convert the
winbind internal communication to wb_reqtrans which allocates the request
properly. This minimizes the later diff.
Volker
|
|
Michael
|
|
|
|
metze
|
|
|
|
|
|
This API is unusual in that if used to remove a non-list head it nulls out
the next and prev pointers. This is what you want for debugging (don't want
an entry removed from the list to be still virtually linked into it) but
means there is no consistent idiom for use as the next and prev pointers
get trashed on removal from the list, meaning you must save them yourself.
You can use it one way when deleting everything via the head pointer, as
this preserves the next pointer, but you *must* use it another way when not
deleting everything via the head pointer. Fix all known uses of this (the main
one is in conn_free_internal() and would not free all the private data entries
for vfs modules. The other changes in web/statuspage.c and winbindd_util.c
are not strictly neccessary, as the head pointer is being used, but I've done
them for consistency. Long term we must revisit this as this API is too hard
to use correctly.
Jeremy.
|
|
This option really is essential, as we discover again and again at
customer sites. Due to bugs in winbind some domains are toxic. When
you are installing at a site and a particular domain in a complex
setup causes winbind to segfault or hang then you need a way to
disable that domain and continue.
In an ideal world winbind could handle arbitrarily complex ADS
domains, but we are nowhere near that yet. If we ever get to that
stage then we won't need this option.
|
|
A talloc version of fill_domain_username().
Michael
|
|
Michael
|