path: root/source3/winbindd
Age | Commit message | Author | Files | Lines
2008-11-21 | s3-winbindd_ads: prevent negative GM/ cache entries due to broken connections | Michael Adam | 1 | -0/+23
    The ads lookup_groupmem() function calls lsa_lookupsids to resolve sids to names. This is tried only once. So in case the connection was broken, e.g. closed by the server (without a reset packet), there will be an empty GM/ cache entry for the requested group which will prevent proper working of access checks among other checks for the expiry period. This patch works around this problem by retrying once if the lsa_lookupsids call fails, re-establishing the dc-connection, as we already do in many other places (e.g. the winbindd retry methods for the rpc layer).
    Michael
2008-11-21 | s3-winbindd: for now only change machine pwd when not using a system krb5 keytab. | Günther Deschner | 1 | -0/+1
    Guenther
2008-11-18 | Clean-up various trailing space and >80 column lines. | Steven Danneman | 3 | -21/+33
2008-11-18 | Added ability to remove id mappings in wbinfo and libwbclient. | Steven Danneman | 6 | -2/+141
    The idmap_tdb backend already provides an interface to remove existing id mappings. This commit plumbs that ability up through winbindd, libwbclient, and wbinfo.
    Added new winbindd command: WINBINDD_REMOVE_MAPPING
    Added new libwbclient interfaces: wbcRemoveUidMapping() and wbcRemoveGidMapping()
    Added new wbinfo options: --remove-uid-mapping, --remove-gid-mapping
    Increased libwbclient version to 0.2
    Increased winbind interface version to 20
2008-11-18 | Fix extended DN parse error when AD object does not have a SID. | Steven Danneman | 1 | -18/+37
    Some AD objects, like Exchange Public Folders, can be members of Security Groups but do not have a SID attribute. This patch adds more granular return errors to ads_get_sid_from_extended_dn(). Callers can now determine if a parse error occurred because of bad input, or the DN was valid but contained no SID. I updated all callers to ignore SIDless objects when appropriate. Also did some cleanup to the out paths of lookup_usergroups_memberof().
2008-11-18 | Whitespace and >80 column cleanups. | Steven Danneman | 2 | -39/+41
2008-11-17 | Fix bug #5906 when running winbindd on a Samba PDC. Winbindd crash on 'getent group' | Davide Sfriso | 1 | -2/+2
    Jeremy.
2008-11-13 | s3-winbindd: workaround for samr_ChangePasswordUser3 to User2 fallback for w2k dcs. | Günther Deschner | 1 | -0/+6
    Guenther
2008-11-12 | Fix memory leak in error path, spotted by Martin Zielinski <mz@seh.de>. | Jeremy Allison | 1 | -0/+1
    Jeremy.
2008-11-10 | s3-samr-idl: cleanup. | Günther Deschner | 1 | -0/+2
    Guenther
2008-11-10 | ntlm_auth: Put huge NTLMv2 blobs into extra_data on CRAP auth. | Kai Blin | 1 | -7/+18
    This fixes bug #5865.
2008-11-03 | s3: fix a few "shadows a global declaration" warnings | Tim Prouty | 3 | -14/+14
2008-11-02 | [s3]winbindd: speed up fill_grent_mem (i.e. winbindd_getgrent) a lot. | Michael Adam | 1 | -13/+20
    With large groups, getgrent ran into timeouts because after each single user that was added to the expanded group list, the list was sorted and made unique. Now the list is sorted just once after all members have been added.
    Michael
2008-11-01 | Rename dos_errstr() to win_errstr() for consistency with Samba 4. | Jelmer Vernooij | 2 | -2/+2
2008-10-29 | Coverity fix CID: 592 - null deref (can't happen but doesn't hurt to be sure). | Jeremy Allison | 1 | -1/+1
    Jeremy.
2008-10-27 | [s3]winbind: fix smbd hanging on Solaris when winbindd closes socket. | Michael Adam | 1 | -1/+6
    On some versions of Solaris, we observed a strange effect of close(2) on a socket: After the server (here winbindd) called close, the client fd was not marked as readable for select. And a write call to the fd did not produce an error EPIPE but just returned as if successful. So while winbindd had called remove_client(), the corresponding smbd still thought that it was connected, but failed to retrieve answers for its queries.
    This patch works around the problem by forcing the client fd to the readable state: Just write one byte into the socket before closing.
    Michael
2008-10-23 | s3: fix simple "incompatible pointer type" build warning | Tim Prouty | 1 | -1/+1
2008-10-23 | Use sockaddr_storage only where we rely on the size, use sockaddr otherwise (to clarify we can also pass in structs smaller than sockaddr_storage, such as sockaddr_in). | Jelmer Vernooij | 1 | -1/+1
2008-10-20 | Fix a valgrind error in idmap_ad_sids_to_unixids() | Volker Lendecke | 1 | -0/+2
    We need to initialize all mappings in case we don't find anything. Simo, please check!
    Volker
2008-10-18 | Use separate make variables for libutil and libcrypto. | Jelmer Vernooij | 2 | -3/+3
2008-10-15 | s3: fix various samr callers. | Günther Deschner | 1 | -1/+1
    Guenther
2008-10-13 | Remove smb_np_struct | Volker Lendecke | 1 | -2/+0
2008-10-11 | Cope with changed signature of http_timestring(). | Jelmer Vernooij | 1 | -1/+1
2008-10-09 | s3-winbindd: use new, richer structures in WINBINDD_DSGETDCNAME implementation. | Günther Deschner | 1 | -21/+40
    Guenther
2008-10-08 | Fix bug #5814 - Winbindd dumping core in a strange manner while doing "rescan_trusted_domain". | Jeremy Allison | 1 | -0/+23
    From analysis by hargagan <shargagan@novell.com>:
    "The winbindd_child_died() is also getting called from process_loop() in case of SIGCHLD signal. In this case it doesn't make the timeout_handler to NULL for the first request. It then initiates a new request using schedule_async_request() which installs a new timeout handler for the same request. In such a case, for a badly unresponsive system both the timeout handlers can be called. For the first call the "private_data" will be cleared and for another call the timeout handler will be detecting the double free. So, for such a case as well, the winbindd_child_died() should make the timeout_handler to NULL."
    Jeremy.
2008-10-06 | idmap_adex: Add more debugging to the basic search function. | Gerald (Jerry) Carter | 1 | -0/+18
    Log the dn of all located entries in order to verify search results.
2008-10-06 | idmap_adex: Add log messages to dc_add_domain for easier debugging. | Gerald (Jerry) Carter | 1 | -0/+8
    Part of continuing work on BUG 5806.
2008-10-06 | Log in the parent winbind log where a request is going | Volker Lendecke | 1 | -0/+4
2008-10-01 | Fix use of DLIST_REMOVE as spotted by Constantine Vetoshev <gepardcv@gmail.com>. | Jeremy Allison | 1 | -2/+1
    This API is unusual in that if used to remove a non-list head it nulls out the next and prev pointers. This is what you want for debugging (don't want an entry removed from the list to be still virtually linked into it) but means there is no consistent idiom for use as the next and prev pointers get trashed on removal from the list, meaning you must save them yourself. You can use it one way when deleting everything via the head pointer, as this preserves the next pointer, but you *must* use it another way when not deleting everything via the head pointer.
    Fix all known uses of this (the main one is in conn_free_internal() and would not free all the private data entries for vfs modules). The other changes in web/statuspage.c and winbindd_util.c are not strictly necessary, as the head pointer is being used, but I've done them for consistency.
    Long term we must revisit this as this API is too hard to use correctly.
    Jeremy.
2008-09-29 | re-added "winbind:ignore domains" patch | Andrew Tridgell | 1 | -0/+17
    This option really is essential, as we discover again and again at customer sites. Due to bugs in winbind some domains are toxic. When you are installing at a site and a particular domain in a complex setup causes winbind to segfault or hang then you need a way to disable that domain and continue.
    In an ideal world winbind could handle arbitrarily complex ADS domains, but we are nowhere near that yet. If we ever get to that stage then we won't need this option.
2008-09-29 | removed unused variables | Andrew Tridgell | 1 | -2/+1
2008-09-29 | fixed segv on startup with trusted domains | Andrew Tridgell | 1 | -0/+16
    With some setups, idmap_tdb2_allocate_id can be called before the allocate backend is initialised, leading to a segv. This change ensures that the db is opened in all paths that use it.
2008-09-25 | idmap: Fix typo in gid2sid() that was caching using idmap_cache_set_sid2uid() | Gerald W. Carter | 1 | -1/+1
2008-09-24 | s3: fix idmap_adex. | Günther Deschner | 3 | -3/+3
    Guenther
2008-09-23 | Fix winbindd crash in an unusual failure mode. Bug #5737. Based on original patch from shargagan@novell.com | Jeremy Allison | 1 | -5/+9
    Jeremy.
2008-09-23 | s3: fix NETLOGON_NT_VERSION version flags. | Günther Deschner | 1 | -1/+1
    Guenther
2008-09-23 | [s3]winbindd_group: don't list the domain twice when expanding internal aliases | Michael Adam | 1 | -1/+1
    Before this, "getent group builtin\\administrators" expanded domain group members in the form DOMAIN\domain\user.
    Michael
2008-09-23 | [s3]winbindd_group: sanely handle NULL domain in add_member(). | Michael Adam | 1 | -1/+5
    Michael
2008-09-23 | [s3]winbindd_ads: honour "winbind use default domain" in lookup_groupmem(). | Michael Adam | 1 | -9/+11
    This fixes the output of "getent group" when "winbind use default domain = yes" with security = ads.
    Michael
2008-09-23 | [s3]winbindd_rpc: add domain prefix to username in lookup_groupmem(). | Michael Adam | 1 | -1/+4
    This makes the output of "getent group" of a domain group show the domain prefix with "security = domain".
    Michael
2008-09-23 | [s3]winbindd_util: add fill_domain_username_talloc(). | Michael Adam | 1 | -0/+27
    A talloc version of fill_domain_username().
    Michael
2008-09-23 | [s3]winbindd_util: add prototype for fill_domain_username_talloc(). | Michael Adam | 1 | -0/+4
    A talloc version of fill_domain_username().
    Michael
2008-09-23 | [s3]winbindd: fix a comment typo | Michael Adam | 1 | -1/+1
    Michael
2008-09-23 | [s3]winbind_util: fix an implicit cast compile warning. | Michael Adam | 1 | -1/+1
    Michael
2008-09-23 | s3: use samba4 prototype for ndr_push/pull_struct_blob. | Günther Deschner | 1 | -1/+1
    Guenther
2008-09-22 | idmap_adex: Add new idmap plugin for supporting RFC2307 enabled AD forests. | Gerald (Jerry) Carter | 7 | -0/+3740
    The adex idmap/nss_info plugin is an adaptation of the Likewise Enterprise plugin with support for OU based cells removed (since the Windows pieces to manage the cells are not available). This plugin supports
    * The RFC2307 schema for users and groups.
    * Connections to trusted domains
    * Global catalog searches
    * Cross forest trusts
    * User and group aliases
    Prerequisite: Add the following attributes to the Partial Attribute Set in global catalog:
    * uidNumber
    * uid
    * gidNumber
    A basic config using the current trunk code would look like
        [global]
        idmap backend = adex
        idmap uid = 10000 - 19999
        idmap gid = 20000 - 29999
        idmap config US:backend = adex
        idmap config US:range = 20000 - 29999
        winbind nss info = adex
        winbind normalize names = yes
        winbind refresh tickets = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
2008-09-16 | Allow an admin to define the "uid" attribute for a RFC2307 user object in AD to be the username alias. | Gerald (Jerry) Carter | 1 | -9/+168
    For example:
        $ net ads search "(uid=coffeedude)"
        distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
        sAMAccountName: gcarter
        memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
        memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
        memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
        memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
        uid: coffeedude
        uidNumber: 10000
        gidNumber: 10000
        unixHomeDirectory: /home/gcarter
        loginShell: /bin/bash

        $ ssh coffeedude@192.168.56.91
        Password:
        coffeedude@orville:~$ id
        uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)

        $ getent passwd PINK\\gcarter
        coffeedude:*:10000:10000::/home/gcarter:/bin/bash
        $ getent passwd coffeedude
        coffeedude:*:10000:10000::/home/gcarter:/bin/bash
        $ getent group PINK\\Unixusers
        PINK\unixusers:x:10000:coffeedude
2008-09-16 | idmap_hash: Add the idmap/nss-info provider from Likewise Open. | Gerald (Jerry) Carter | 3 | -0/+628
    * Port the Likewise Open idmap/nss_info provider (renamed to idmap_hash).
    * uids & gids are generated based on a hashing algorithm that collapses the Domain SID to a 31 bit number. The reverse mapping from the high order 11 bits to the originating domain SID is stored in a hash table initialized at start up.
    * Includes support for "idmap_hash:name_map = <filename>" for the name aliasing layer. The name map file consists of entries in the form "alias = DOMAIN\name".
2008-09-16 | winbindd: Update the calls to ws_name_XX() to reflect API changes. | Gerald (Jerry) Carter | 4 | -46/+314
    * Ensures that all points at which a name is received or returned to/from a client pass through the name aliases layer (users and groups).
2008-09-16 | winbindd: Add support for name aliasing. | Gerald (Jerry) Carter | 5 | -22/+425
    * Add support for user and group name aliasing by expanding the ws_name_replace() and ws_name_return() functions. The lookup path is
        aliases -> qualified name -> SID
        SID -> fully qualified name -> alias
      In other words, the name aliasing support is a thin layer built on top of SID/NAME translation.
    * Rename the ws_name_XX() functions to normalize_name_map() and normalize_name_unmap(). Change interface to return NTSTATUS rather than char *.
    * Add associated cache validation functions.