Age | Commit message | Author | Files | Lines |
|
This API is unusual in that if used to remove a non-list head it nulls out
the next and prev pointers. This is what you want for debugging (don't want
an entry removed from the list to be still virtually linked into it) but
means there is no consistent idiom for use as the next and prev pointers
get trashed on removal from the list, meaning you must save them yourself.
You can use it one way when deleting everything via the head pointer, as
this preserves the next pointer, but you *must* use it another way when not
deleting everything via the head pointer. Fix all known uses of this (the main
one is in conn_free_internal() and would not free all the private data entries
for vfs modules). The other changes in web/statuspage.c and winbindd_util.c
are not strictly necessary, as the head pointer is being used, but I've done
them for consistency. Long term we must revisit this as this API is too hard
to use correctly.
Jeremy.
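The pitfall described in the commit message above, as an added example that is not Samba's code: list_remove(), build() and free_even() are hypothetical names, and the removal helper is written only to match the behaviour the message describes (links nulled when a non-head entry is removed).

```c
#include <stdlib.h>

struct entry { struct entry *prev, *next; int id; };

/* Hypothetical removal helper modelled on the commit message: a non-head
 * entry gets next/prev nulled; removing the head leaves p->next intact. */
static void list_remove(struct entry **list, struct entry *p) {
    if (p == *list) {
        *list = p->next;
        if (*list) (*list)->prev = NULL;
        return;
    }
    if (p->prev) p->prev->next = p->next;
    if (p->next) p->next->prev = p->prev;
    p->next = p->prev = NULL;
}

/* Constructed sample list with ids 1..n. */
static struct entry *build(int n) {
    struct entry *head = NULL;
    for (int i = n; i >= 1; i--) {
        struct entry *e = calloc(1, sizeof(*e));
        if (e == NULL) abort();
        e->id = i;
        e->next = head;
        if (head) head->prev = e;
        head = e;
    }
    return head;
}

/* Free every even-id entry, return how many were freed. With save_next == 0
 * the successor is read after removal, where it is NULL for a non-head. */
static int free_even(struct entry **list, int save_next) {
    int freed = 0;
    for (struct entry *p = *list, *next; p != NULL; p = next) {
        next = p->next;                    /* saved before removal */
        if (p->id % 2 != 0) continue;
        list_remove(list, p);
        if (!save_next) next = p->next;    /* trashed link ends the walk */
        free(p);
        freed++;
    }
    return freed;
}

int main(void) {
    struct entry *a = build(6), *b = build(6);
    /* Exit status 0 when the unsaved walk frees 1 entry and the saved walk 3. */
    return (free_even(&a, 0) == 1 && free_even(&b, 1) == 3) ? 0 : 1;
}
```

On the six-entry list the walk that reads the successor after removal frees one entry and silently leaves the other two matching entries allocated, which is the kind of leak the message reports for the private data entries.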
|
|
This option really is essential, as we discover again and again at
customer sites. Due to bugs in winbind some domains are toxic. When
you are installing at a site and a particular domain in a complex
setup causes winbind to segfault or hang then you need a way to
disable that domain and continue.
In an ideal world winbind could handle arbitrarily complex ADS
domains, but we are nowhere near that yet. If we ever get to that
stage then we won't need this option.
|
|
With some setups, idmap_tdb2_allocate_id can be called before the
allocate backend is initialised, leading to a segv. This change
ensures that the db is opened in all paths that use it.
|
|
Guenther
|
|
patch from shargagan@novell.com
Jeremy.
|
|
Guenther
|
|
Before this, "getent group builtin\\administrators" expanded
domain group members in the form DOMAIN\domain\user.
Michael
|
|
Michael
|
|
This fixes the output of "getent group" when "winbind use default domain = yes"
with security = ads.
Michael
|
|
This makes the output of "getent group" of a domain group show the
domain prefix with "security = domain".
Michael
|
|
A talloc version of fill_domain_username().
Michael
|
|
A talloc version of fill_domain_username().
Michael
|
|
Michael
|
|
Michael
|
|
Guenther
|
|
The adex idmap/nss_info plugin is an adaptation of the Likewise
Enterprise plugin with support for OU based cells removed
(since the Windows pieces to manage the cells are not available).
This plugin supports
* The RFC2307 schema for users and groups.
* Connections to trusted domains
* Global catalog searches
* Cross forest trusts
* User and group aliases
Prerequisite: Add the following attributes to the Partial Attribute
Set in global catalog:
* uidNumber
* uid
* gidNumber
A basic config using the current trunk code would look like:

    [global]
        idmap backend = adex
        idmap uid = 10000 - 19999
        idmap gid = 20000 - 29999
        idmap config US:backend = adex
        idmap config US:range = 20000 - 29999
        winbind nss info = adex
        winbind normalize names = yes
        winbind refresh tickets = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
|
|
user object in AD to be the username alias.
For example:
$ net ads search "(uid=coffeedude)"
distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
sAMAccountName: gcarter
memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
uid: coffeedude
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/gcarter
loginShell: /bin/bash
$ ssh coffeedude@192.168.56.91
Password:
coffeedude@orville:~$ id
uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)
$ getent passwd PINK\\gcarter
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent passwd coffeedude
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent group PINK\\Unixusers
PINK\unixusers:x:10000:coffeedude
|
|
* Port the Likewise Open idmap/nss_info provider (renamed to
idmap_hash).
* uids & gids are generated based on a hashing algorithm that collapses
the Domain SID to a 31 bit number. The reverse mapping from the
high order 11 bits to the originating domain SID is stored in
a hash table initialized at start up.
* Includes support for "idmap_hash:name_map = <filename>" for the
name aliasing layer. The name map file consists of entries in
the form "alias = DOMAIN\name"
|
|
* Ensures that all points at which a name is received or returned
to/from a client pass through the name aliases layer (users
and groups).
|
|
* Add support for user and group name aliasing by expanding
the ws_name_replace() and ws_name_return() functions.
The lookup path is
    aliases -> qualified name -> SID
    SID -> fully qualified name -> alias
In other words, the name aliasing support is a thin layer
built on top of SID/NAME translation.
* Rename the ws_name_XX() functions to normalize_name_map()
and normalize_name_unmap(). Change interface to return
NTSTATUS rather than char *.
* Add associated cache validation functions.
|
|
Make sure that usernames are parsed using the correct separator.
Otherwise group memberships in winbind may be broken.
(This used to be commit 20b9c0aa7b4e6d6be5bb6e4e96bd8a1cbb6edd37)
|
|
This reverts commit b57cbf62e8180c8fdb8f541c43358d36d8dbbdfa.
(This used to be commit b2a3f13e5b3b81df2ed7460e54c11a7f56b3c4f6)
|
|
request.extra_data is not freed if there is no extra_data in response or
when some error happens in processing. This patch will free the
buffer right after processing a request before sending back a response.
(This used to be commit be6f12273f171a3eb1967d2299064e57d737f6a4)
|
|
(This used to be commit d4f5caa3d38b5afc1e8b3d0e0c6d7d68a152fe0a)
|
|
(This used to be commit 07b0323472b78d49cff06b78924c3015bea52a30)
|
|
This is a fix for a few small inefficiencies/bugs in the get_dcs() path.
* because the third add_one_dc_unique() loop was outside the ADS check all DCs
returned from the non-sitename lookup were being tacked onto the dc_name_ip
list twice.
* add_one_dc_unique() now checks if the given IP address already exists before
adding it to the list, making the returned list actually unique
* added more thorough doxygen comment headers
(This used to be commit cb2d488e1dbd90953c496c5e25d648977884f7e3)
|
|
This reverts commit 8594edf666c29fd4ddf1780da842683dd81483b6.
(This used to be commit ad462e2e2d025a7fc23e7dea32b2b442b528970b)
|
|
(This used to be commit 8e4dca3b9416d9b5e535bda5e4befc073bfc1641)
|
|
Guenther
(This used to be commit b57cbf62e8180c8fdb8f541c43358d36d8dbbdfa)
|
|
The scanner did not figure out that we always have a primary domain, so it
complained about us potentially passing a NULL pointer down to
set_domain_online_request() where it is dereferenced.
Make the code a bit clearer.
(This used to be commit e6e8d108f95ed974f98f3f57adcfbbde4e00fad9)
|
|
Guenther
(This used to be commit 5eee7423351ffd05486e33ff8eb905babcbc9422)
|
|
Jeremy.
(This used to be commit 7c820899ed1364fdaeb7b49e8ddd839e67397ec0)
|
|
(This used to be commit e038f1cf9fb305fc1e7a4189208e451d30aaa1f0)
|
|
(This used to be commit fe70dcc1b63b1969c13f7fb03ec374b6e5a376a1)
|
|
Guenther
(This used to be commit bb9c59e892cc9d3047bde89a15cc341e2bd21bc5)
|
|
Guenther
(This used to be commit ae3fa60c4546c7420722d8f422c22bbfd623ff5b)
|
|
Guenther
(This used to be commit 543dfdc1cf6baf60bffc23c6aebc542fd58d2d2e)
|
|
(This used to be commit 541e088656773d2b3b56a5a8bdc8dea6c9edec86)
|
|
(This used to be commit 79103000b13c95325534db749a0da638a3eb1807)
|
|
(This used to be commit 5314f06dcdf14ce5e038a03a3e4dfded227bd00c)
|
|
Guenther
(This used to be commit 15b72d44cbde0b8a375d8ed3d045c40ae97ec05a)
|
|
farm failures when winbindd connects as guest.
This one took a *lot* of tracking down :-).
Jeremy.
(This used to be commit dca827791276906436452c650062164eb819dfe0)
|
|
The call was looking up a uid and not gid in the cache.
(This used to be commit 25293ba1507f8f8fa7e33c302200184e980bb123)
|
|
Fix segv when talking to parent DC (joined to child domain).
The root cause was
(a) storing the parent domain in the cli_state struct caused
the NTLMSSP pipe bind to fail which made us fall over to
the schannel code path
(b) the dcinfo pointer in cm_get_schannel_dcinfo() was returning
NULL even though the function indicated success.
(This used to be commit 5ce4a2ae6697970ea37d0078a506615b4b7a9a9c)
|
|
reconnect code to cope with rebooting a DC. This
replaces the code I asked Volker to revert.
The logic is pretty simple. It adds a new parameter,
"winbind reconnect delay", set to 30 seconds by
default, which determines how long to wait between
connection attempts.
To avoid overwhelming the box with DC-probe
forked children, the code now keeps track of
the DC probe child per winbindd_domain struct
and only starts a new one if the existing one
has died.
I also added a little logic to make sure the
dc probe child always sends a message whatever
the reason for exit so we will always reschedule
another connect attempt.
Also added documentation.
Jeremy.
(This used to be commit 8027197635b988b3dcf9d3d00126a024e768fa62)
|
|
Guenther
(This used to be commit e8619121d16d086f1ab186051d0ecdc83c02e5b5)
|
|
Guenther
(This used to be commit ae35a5110ea03d8ff27f320cdc685e5623715a2a)
|