summaryrefslogtreecommitdiff
path: root/source3/winbindd
AgeCommit message (Collapse)AuthorFilesLines
2008-09-29re-added "winbind:ignore domains" patchAndrew Tridgell1-0/+17
This option really is essential, as we discover again and again at customer sites. Due to bugs in winbind some domains are toxic. When you are installing at a site and a particular domain in a complex setup causes winbind to segfault or hang then you need a way to disable that domain and continue. In an ideal world winbind could handle arbitrarily complex ADS domains, but we are nowhere near that yet. If we ever get to that stage then we won't need this option.
2008-09-29removed unused variablesAndrew Tridgell1-2/+1
2008-09-29fixed segv on startup with trusted domainsAndrew Tridgell1-0/+16
With some setups, idmap_tdb2_allocate_id can be called before the allocate backend is initialised, leading to a segv. This change ensures that the db is opened in all paths that use it
2008-09-25idmap: Fix typo is gid2sid() that was caching using idmap_cache_set_sid2uid()Gerald W. Carter1-1/+1
2008-09-24s3: fix idmap_adex.Günther Deschner3-3/+3
Guenther
2008-09-23Fix winbindd crash in an unusual failure mode. Bug #5737. Based on original ↵Jeremy Allison1-5/+9
patch from shargagan@novell.com Jeremy.
2008-09-23s3: fix NETLOGON_NT_VERSION version flags.Günther Deschner1-1/+1
Guenther
2008-09-23[s3]winbindd_group: don't list the domain twice when expanding internal aliasesMichael Adam1-1/+1
Before this, "getent group builtin\\administrators" expanded domain group members in the form DOMAIN\domain\user. Michael
2008-09-23[s3]winbindd_group: sanely handle NULL domain in add_member().Michael Adam1-1/+5
Michael
2008-09-23[s3]winbindd_ads: honour "winbind use default domain" in lookup_groupmem().Michael Adam1-9/+11
This fixes the output of "getent group" when "winbind use default domain = yes" with security = ads. Michael
2008-09-23[s3]winbindd_rpc: add domain prefix to username in lookup_groupmem().Michael Adam1-1/+4
This makes the output of "getent group" of a domain group show the domain prefix with "security = domain". Michael
2008-09-23[s3]winbindd_util: add fill_domain_username_talloc().Michael Adam1-0/+27
A talloc version of fill_domain_username(). Michael
2008-09-23[s3]winbindd_util: add prototype for fill_domain_username_talloc().Michael Adam1-0/+4
A talloc version of fill_domain_username(). Michael
2008-09-23[s3]winbindd: fix a comment typoMichael Adam1-1/+1
Michael
2008-09-23[s3]winbind_util: fix an implicit cast compile warning.Michael Adam1-1/+1
Michael
2008-09-23s3: use samba4 prototype for ndr_push/pull_struct_blob.Günther Deschner1-1/+1
Guenther
2008-09-22idmap_adex: Add new idmap plugin for support RFC2307 enabled AD forests.Gerald (Jerry) Carter7-0/+3740
The adex idmap/nss_info plugin is an adapation of the Likewise Enterprise plugin with support for OU based cells removed (since the Windows pieces to manage the cells are not available). This plugin supports * The RFC2307 schema for users and groups. * Connections to trusted domains * Global catalog searches * Cross forest trusts * User and group aliases Prerequiste: Add the following attributes to the Partial Attribute Set in global catalog: * uidNumber * uid * gidNumber A basic config using the current trunk code would look like [global] idmap backend = adex idmap uid = 10000 - 19999 idmap gid = 20000 - 29999 idmap config US:backend = adex idmap config US:range = 20000 - 29999 winbind nss info = adex winbind normalize names = yes winbind refresh tickets = yes template homedir = /home/%D/%U template shell = /bin/bash
2008-09-16* Allow an admin to define the "uid" attribute for a RFC2307Gerald (Jerry) Carter1-9/+168
user object in AD to be the username alias. For example: $ net ads search "(uid=coffeedude)" distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org sAMAccountName: gcarter memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org uid: coffeedude uidNumber: 10000 gidNumber: 10000 unixHomeDirectory: /home/gcarter loginShell: /bin/bash $ ssh coffeedude@192.168.56.91 Password: coffeedude@orville:~$ id uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers) $ getent passwd PINK\\gcarter coffeedude:*:10000:10000::/home/gcarter:/bin/bash $ getent passwd coffeedude coffeedude:*:10000:10000::/home/gcarter:/bin/bash $ getent group PINK\\Unixusers PINK\unixusers:x:10000:coffeedude
2008-09-16idmap_hash: Add the idmap/nss-info provider from Likewise Open.Gerald (Jerry) Carter3-0/+628
* Port the Likewise Open idmap/nss_info provider (renamed to idmap_hash). * uids & gids are generated based on a hashing algorithm that collapse the Domain SID to a 31 bit number. The reverse mapping from the high order 11 bits to the originat8ing sdomain SID is stored in a has table initialized at start up. * Includes support for "idmap_hash:name_map = <filename>" for the name aliasing layer. The name map file consist of entries in the form "alias = DOMAIN\name"
2008-09-16winbindd: Update the calls to ws_name_XX() to reflect API changes.Gerald (Jerry) Carter4-46/+314
* Ensures that all points an which a name is received or returned to/from a client passes through the name aliases layer (users and groups).
2008-09-16winbindd: Add support for name aliasing.Gerald (Jerry) Carter5-22/+425
* Add support user and group name aliasing by expanding the ws_name_replace() and ws_name_return() functions. The lookup path is aliases -> qualified name -> SID SID -> fully qualified name -> alias In other words, the name aliasing support is a thin layer built on top of SID/NAME translation. * Rename the ws_name_XX() functions to normalize_name_map() and normalize_name_unmap(). Chaneg interface to return NTSTATUS rather than char *. * Add associated cache validation functions.
2008-09-15idmap_ad: Fix a segfault when calling nss_get_info() with a NULL ads structure.Gerald W. Carter1-12/+69
2008-09-11Fix for bug 5571Simo Sorce3-1/+27
Make sure that usernames are parsed using the correct separator. Otherwise group memeberships in winbind may be result broken. (This used to be commit 20b9c0aa7b4e6d6be5bb6e4e96bd8a1cbb6edd37)
2008-09-05Revert "winbindd: the ad trusted_domains call should return talloced strings."Günther Deschner1-5/+2
This reverts commit b57cbf62e8180c8fdb8f541c43358d36d8dbbdfa. (This used to be commit b2a3f13e5b3b81df2ed7460e54c11a7f56b3c4f6)
2008-09-05Fix a memleakQiao Yang1-1/+2
request.extra_data is not freed if there is no extra_data in response or when there is some error happens in processing. This patch will free the buffer right after processing a request before sending back a response. (This used to be commit be6f12273f171a3eb1967d2299064e57d737f6a4)
2008-09-04Fix winbindd crash bug with trusted domains. Bug #5736James Ding1-0/+2
(This used to be commit d4f5caa3d38b5afc1e8b3d0e0c6d7d68a152fe0a)
2008-09-04get rid of unneeded argument in get_methods and get_alloc_methodsHerb Lewis1-14/+9
(This used to be commit 07b0323472b78d49cff06b78924c3015bea52a30)
2008-09-04Cleanup of DC enumeration in get_dcs()Steven Danneman1-24/+74
This is a fix for a few small inefficiencies/bugs in the get_dcs() path. * because the third add_one_dc_unique() loop was outside the ADS check all DCs returned from the non-sitename lookup were being tacked onto the dc_name_ip list twice. * add_one_dc_unique() now checks if the given IP address already exists before adding it to the list, making the returned list actually unique * added more thorough doxygen comment headers (This used to be commit cb2d488e1dbd90953c496c5e25d648977884f7e3)
2008-09-03Revert "Split lookup_name() and create a new functiong called"Simo Sorce1-13/+15
This reverts commit 8594edf666c29fd4ddf1780da842683dd81483b6. (This used to be commit ad462e2e2d025a7fc23e7dea32b2b442b528970b)
2008-09-03Merge branch 'v3-devel' of ssh://git.samba.org/data/git/samba into v3-develSimo Sorce4-6/+34
(This used to be commit 8e4dca3b9416d9b5e535bda5e4befc073bfc1641)
2008-09-02winbindd: the ad trusted_domains call should return talloced strings.Günther Deschner1-2/+5
Guenther (This used to be commit b57cbf62e8180c8fdb8f541c43358d36d8dbbdfa)
2008-08-31Fix Coverity ID 592Volker Lendecke1-0/+4
The scanner did not figure out that we always have a primary domain, so it complained about us potentially passing a NULL pointer down to set_domain_online_request() where it is dereferenced. Make the code a bit clearer. (This used to be commit e6e8d108f95ed974f98f3f57adcfbbde4e00fad9)
2008-08-28winbindd: fix invalid sid copy (hit when enumerating sibling domains).Günther Deschner1-1/+1
Guenther (This used to be commit 5eee7423351ffd05486e33ff8eb905babcbc9422)
2008-08-27Fix the wcache_invalidate_samlogon calls.Jeremy Allison2-3/+24
Jeremy. (This used to be commit 7c820899ed1364fdaeb7b49e8ddd839e67397ec0)
2008-08-26Merge branch 'v3-devel' of ssh://git.samba.org/data/git/samba into v3-develSimo Sorce9-543/+409
(This used to be commit e038f1cf9fb305fc1e7a4189208e451d30aaa1f0)
2008-08-26Move idmap_cache.c from winbindd/ to lib/Volker Lendecke1-261/+0
(This used to be commit fe70dcc1b63b1969c13f7fb03ec374b6e5a376a1)
2008-08-25winbindd: use set_auth_errors() in winbindd_dual_check_machine_acct as well.Günther Deschner1-4/+1
Guenther (This used to be commit bb9c59e892cc9d3047bde89a15cc341e2bd21bc5)
2008-08-25winbindd: move set_auth_errors to util functions.Günther Deschner3-12/+13
Guenther (This used to be commit ae3fa60c4546c7420722d8f422c22bbfd623ff5b)
2008-08-25winbindd: only create machine pwd change event when in primary domain child.Günther Deschner1-1/+1
Guenther (This used to be commit 543dfdc1cf6baf60bffc23c6aebc542fd58d2d2e)
2008-08-23Fix some nonempty blank linesVolker Lendecke1-26/+26
(This used to be commit 541e088656773d2b3b56a5a8bdc8dea6c9edec86)
2008-08-23Use talloc_stackframe() in machine_password_change_handlerVolker Lendecke1-9/+5
(This used to be commit 79103000b13c95325534db749a0da638a3eb1807)
2008-08-23Fix a memleak in calculate_next_machine_pwd_changeVolker Lendecke1-2/+7
(This used to be commit 5314f06dcdf14ce5e038a03a3e4dfded227bd00c)
2008-08-23winbindd: add event based machine password change.Günther Deschner2-0/+120
Guenther (This used to be commit 15b72d44cbde0b8a375d8ed3d045c40ae97ec05a)
2008-08-22Don't re-initialize a token when we already have one. This fixes the build ↵Jeremy Allison1-0/+3
farm failures when winbindd connects as guest. This one took a *lot* of tracking down :-). Jeremy. (This used to be commit dca827791276906436452c650062164eb819dfe0)
2008-08-22idmap_gid_to_sid: Fix a cut-a-npaste error.Gerald (Jerry) Carter1-1/+1
The call was looking up a uid and not gid in the cache. (This used to be commit 25293ba1507f8f8fa7e33c302200184e980bb123)
2008-08-22winbindd: Fix crash in cm_connect_sam()Gerald (Jerry) Carter1-2/+7
Fix segv when talking to parent DC (joined to child domain). The root cause was (a) storing the parent domain in the cli_state struct caused the NTLMSSP pipe bind to fail which made us fallover to the schannel code path (b) the dcinfo pointer in cm_get_schannel_dcinfo() was returning NULL even though the function indicated success. (This used to be commit 5ce4a2ae6697970ea37d0078a506615b4b7a9a9c)
2008-08-20Here is a re-working of the winbinddJeremy Allison3-9/+33
reconnect code to cope with rebooting a DC. This replaces the code I asked Volker to revert. The logic is pretty simple. It adds a new parameter, "winbind reconnect delay", set to 30 seconds by default, which determines how long to wait between connection attempts. To avoid overwhelming the box with DC-probe forked children, the code now keeps track of the DC probe child per winbindd_domain struct and only starts a new one if the existing one has died. I also added a little logic to make sure the dc probe child always sends a message whatever the reason for exit so we will always reschedule another connect attempt. Also added documentation. Jeremy. (This used to be commit 8027197635b988b3dcf9d3d00126a024e768fa62)
2008-08-19winbindd: consistently use false/true.Günther Deschner1-27/+27
Guenther (This used to be commit e8619121d16d086f1ab186051d0ecdc83c02e5b5)
2008-08-19winbindd: use set_auth_errors (avoid code duplication).Günther Deschner1-28/+6
Guenther (This used to be commit ae35a5110ea03d8ff27f320cdc685e5623715a2a)
2008-08-19winbindd: fill_in_password_policy (to avoid redundant code).Günther Deschner1-20/+18
Guenther (This used to be commit dbfa7ba14c9f1a4d7a1e7205dd0b3ea2fc2e6131)