summaryrefslogtreecommitdiff
path: root/source3/winbindd
AgeCommit message (Collapse)AuthorFilesLines
2013-07-29s3:winbind: add a warning DEBUG message when skipping a sid from the mapped ↵Michael Adam1-0/+18
GID list This presents a potential security problem when ACLs contain DENY ACEs. Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Michael Adam <obnox@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Mon Jul 29 14:42:27 CEST 2013 on sn-devel-104
2013-07-29s3:winbind: change getgroups to only do one sids2xids call instead of manyMichael Adam1-26/+42
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Michael Adam <obnox@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
2013-07-29s3:winbind: fix the getgroups implementation to include the user sid's GID ↵Michael Adam1-3/+5
in case of ID_TYPE_BOTH This is important for acl checks on the unix level where only a group ace has been added to the ACL for the user sid, e.g. when accessing Files with nfs or local unix processes. Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-07-29s3:winbind: fix gid counting and error handling in the getgroups implementationMichael Adam1-6/+10
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Michael Adam <obnox@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
2013-07-23s3-winbindd: support the DIR pragma for raw kerberos user pam authentication.Günther Deschner1-0/+23
It is currently only available in MIT. In addition, allow to define custom filepaths for FILE, WRFILE and DIR pragmas and substitute one occurence of the %u pattern. Guenther Signed-off-by: Günther Deschner <gd@samba.org> Pair-Programmed-With: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2013-07-08s3:idmap_autorid: Add a NULL check in idmap_autorid_preallocate_wellknownVolker Lendecke1-0/+4
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Christian Ambach <ambi@samba.org>
2013-07-08s3:idmap_autorid: Don't zero in idmap_autorid_preallocate_wellknownVolker Lendecke1-1/+1
We initialize everything later anyway Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Christian Ambach <ambi@samba.org>
2013-07-08s3:idmap_autorid: Use ARRAY_SIZE where appropriateVolker Lendecke1-1/+1
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Christian Ambach <ambi@samba.org>
2013-07-15s3-winbind: Do not delete an existing valid credential cache.Andreas Schneider1-0/+8
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9994 Thanks to David Woodhouse <dwmw2@infradead.org>. Reviewed-by: Günther Deschner <gd@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Mon Jul 15 12:48:46 CEST 2013 on sn-devel-104
2013-07-02s3-winbind: Allow sec_initial_uid() to store creds.Andreas Schneider1-1/+1
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Tue Jul 2 23:26:24 CEST 2013 on sn-devel-104
2013-06-27winbindd and nmbd don't set their umask to zero on startup like smbd does.Jeremy Allison1-0/+6
Fix this - we already control tightly what permissions are on the files we create. Ensure we don't get surprised. Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Michael Adam <obnox@samba.org> Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Thu Jun 27 02:02:24 CEST 2013 on sn-devel-104
2013-06-20Fix bug #9166 - Starting smbd or nmbd with stdin from /dev/null results in ↵Jeremy Allison1-1/+14
"EOF on stdin" Only install the stdin handler if it's a pipe or fifo. Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-05-25winbind: Print error code on connection error in ping_dcChristof Schmitt1-1/+2
For debugging, it is useful to include the error code in the message. Signed-off-by: Christof Schmitt <christof.schmitt@us.ibm.com> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Michael Adam <obnox@samba.org> Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Sat May 25 23:11:23 CEST 2013 on sn-devel-104
2013-05-14winbind/idmap_ad: be verbose about the user that we fail to mapBjörn Jacke1-2/+3
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-05-07winbind: Fix bug 9854 -- NULL pointer dereferenceVolker Lendecke1-3/+3
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Michael Adam <obnox@samba.org> Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Tue May 7 14:49:07 CEST 2013 on sn-devel-104
2013-05-06s3:idmap:autorid: add a comment block explaining the calculationsMichael Adam1-0/+51
Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Christian Ambach <ambi@samba.org>
2013-05-06s3:idmap:autorid: simplify the id->sid calculationMichael Adam1-7/+13
To make it more intutive. rid = reduced_rid + domain_range_index * range_size where reduced_rid = (id - id_low) % range_size Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Christian Ambach <ambi@samba.org>
2013-05-06s3:idmap:autorid: calculate the range's low_id in ↵Michael Adam1-8/+9
idmap_autorid_get_domainrange() This way, the calculation needs to be don only in one central place and the formulas get simpler. Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Christian Ambach <ambi@samba.org>
2013-05-06s3:idmap:autorid: make calculation in idmap_autorid_sid_to_id much more obviousMichael Adam1-3/+6
This is my attempt to make the sid->unix-id calculation much more obvious. Especially with the introduction of the multi-range support an the originally named "multiplier", the calculation id = low_id + range_size * domain_number + rid - range_size * multiplier was rather opaque to me. What really happens here is this: The rid is split into a reduced_rid part that is < rangesize and a multiple of rangesize. This is given by the formula rid = rid % range_size + (rid / range_size) * range_size We define reduced_rid := rid % range_size and domain_range_index := rid / range_size ( == the original multiplier) and the original formula is equivalent to: id = reduced_rid + low_id + range_number * range_size; and reads id = reduced_rid + range_minvalue if we set range_minvalue := low_id + range_number * range_size. Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Christian Ambach <ambi@samba.org>
2013-05-06s3:idmap:autorid: rename range.multiplier to domain_range_indexMichael Adam1-15/+17
The name multiplier is very confusing (at least for me). This is an index that is used to reference the various per-domain ranges. Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Christian Ambach <ambi@samba.org>
2013-05-06s3:idmap:autorid: rename autorid_range_config.sid to domsid, along with ↵Michael Adam1-12/+12
instances Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Christian Ambach <ambi@samba.org>
2013-05-06s3:idmap:autorid: rename autorid_domain_config --> autorid_range_config and ↵Michael Adam1-37/+37
instances to "range" This describes it better with the new support for multiple ranges for domains. Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Christian Ambach <ambi@samba.org>
2013-05-06s3:idmap:autorid: rename domainnum to rangenumMichael Adam1-12/+13
Now ranges don't correspond to domains any more, but multiple ranges are associated to a domain. So the name is misleading. Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Christian Ambach <ambi@samba.org>
2013-05-06s3:winbindd/autorid multiple range supportAbhidnya Joshi1-19/+36
when a mapping request for a RID comes in that is larger than the rangesize, allocate an extension range to be able to map this one This is especially important for large installations which might have large RIDs being used in a trusted domain that the administrator was not aware of when planning for autorid usage and so those objects could not be mapped up to now. As it is not possible to change the rangesize after the first start of autorid, this would lead to big trouble. Signed-off-by: Abhidnya Joshi <achirmul@in.ibm.com> Reviewed-by: Christian Ambach <ambi@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2013-05-03idmap: Store negative cache entries if the backend failsVolker Lendecke1-2/+2
This changes the behaviour for out-of-range queries: The tdb backend (probably all backends) returns NT_STATUS_NONE_MAPPED and does not set the map.status value to ID_UNMAPPED. This means that we did an early error exit, not setting a negative cache value. This makes smbd ask winbind over and over again for out-of-range gids, which can be a performance problem in certain scenarios. The new code makes us fall through to the code setting the negative cache entry in all cases. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Michael Adam <obnox@samba.org> Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Fri May 3 14:48:35 CEST 2013 on sn-devel-104
2013-05-03idmap: Print error from idmap_backends_unixid_to_sidVolker Lendecke1-2/+4
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2013-04-18s3:winbindd: avoid usage of procid_self()Stefan Metzmacher1-1/+3
metze Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2013-04-09winbindd: Avoid a fd leak when we can not forkVolker Lendecke1-0/+2
Signed-off-by: Volker Lendecke <vl@samba.org> Signed-off-by: Jim McDonough <jmcd@samba.org> Autobuild-User(master): Jim McDonough <jmcd@samba.org> Autobuild-Date(master): Tue Apr 9 20:27:27 CEST 2013 on sn-devel-104
2013-04-09BUG 9766: Cache name_to_sid/sid_to_name correctly.Andreas Schneider1-0/+21
If there is no domain_name specified we still need to set to for caching else we will not find the entry later if we lookup the entry with the domain_name. Reviewed-by: Guenther Deschner <gd@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Günther Deschner <gd@samba.org> Autobuild-Date(master): Tue Apr 9 16:32:44 CEST 2013 on sn-devel-104
2013-03-09s3-winbindd: Add new module idmap_rfc2307Christof Schmitt2-0/+880
This module allows querying id mappings from LDAP servers as described in RFC 2307. The LDAP records can be queried from an Active Directory Server or from a stand-alone LDAP server. Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-03-09s3-winbindd: Move connection to AD server from idmap_adChristof Schmitt3-62/+52
Having this in a common place allows reuse by other idmap modules. Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-03-09s3-winbindd: Use common helper function for connecting to ADSChristof Schmitt3-86/+87
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-03-09s3-winbindd: Move code for verifying ADS connection to common helper functionChristof Schmitt3-45/+41
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-03-09s3-winbindd: Move idmap_fetch_secret to idmap_utils.c for reuseChristof Schmitt3-24/+27
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-03-09s3-winbindd: Move common code for LDAP id mapping to idmap_utilsChristof Schmitt4-83/+53
idmap_ad and idmap_ldap use the same helper functions and the same maximum query size. Move the code to idmap_utils so that it can be shared by every module issuing LDAP queries. Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-03-08s3:idmap: fix a debug message and lower its levelMichael Adam1-1/+2
It is not an error to be logged at level 1 when a domain has no explicitly configured idmap backend. Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri Mar 8 03:16:54 CET 2013 on sn-devel-104
2013-03-05winbind: Fix no memory check in _wbint_PingDc().Andreas Schneider1-1/+1
Reviewed-by: David Disseldorp <ddiss@samba.org>
2013-03-05winbind: Fix samba3.winbind.struct test.Andreas Schneider1-1/+1
Reviewed-by: David Disseldorp <ddiss@samba.org>
2013-03-05winbind: Correctly use names in the domain struct.Andreas Schneider7-20/+52
Reviewed-by: David Disseldorp <ddiss@samba.org>
2013-03-05winbind: Use talloc for allocating domain, dns, forest and dc name.Andreas Schneider6-61/+142
Reviewed-by: David Disseldorp <ddiss@samba.org>
2013-02-22winbind: Don't leak centry memory.Andreas Schneider1-0/+1
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2013-02-22winbind: Don't leak memory on return.Andreas Schneider1-0/+3
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2013-02-22winbind: Correctly cast name to messaging_send_buf().Andreas Schneider1-3/+3
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2013-02-22winbind: Use uint8_t type and use const where needed.Andreas Schneider1-7/+7
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2013-02-22winbind: Make domain_name const in wcache_ndr_key().Andreas Schneider1-1/+1
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2013-02-19s3:winbindd: s/event_add_timed/tevent_add_timerStefan Metzmacher3-13/+13
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2013-02-19s3:winbindd: s/struct timed_event/struct tevent_timerStefan Metzmacher4-11/+11
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2013-02-19s3:winbindd: s/struct event_context/struct tevent_contextStefan Metzmacher3-6/+6
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2013-02-19s3:winbindd: make use of samba_tevent_context_init()Stefan Metzmacher1-1/+1
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2013-02-13s3:idmap_autorid: fix freeing of non-talloced memory (uninitialized pointer) ↵Michael Adam1-1/+1
(bug #9653) Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Wed Feb 13 09:51:53 CET 2013 on sn-devel-104