path: root/source3/winbindd
Age | Commit message | Author | Files | Lines
2008-09-23 | [s3]winbindd: fix a comment typo | Michael Adam | 1 | -1/+1
Michael
2008-09-23 | [s3]winbind_util: fix an implicit cast compile warning. | Michael Adam | 1 | -1/+1
Michael
2008-09-23 | s3: use samba4 prototype for ndr_push/pull_struct_blob. | Günther Deschner | 1 | -1/+1
Guenther
2008-09-22 | idmap_adex: Add new idmap plugin to support RFC2307 enabled AD forests. | Gerald (Jerry) Carter | 7 | -0/+3740
The adex idmap/nss_info plugin is an adaptation of the Likewise Enterprise plugin with support for OU based cells removed (since the Windows pieces to manage the cells are not available).

This plugin supports
* The RFC2307 schema for users and groups.
* Connections to trusted domains
* Global catalog searches
* Cross forest trusts
* User and group aliases

Prerequisite: Add the following attributes to the Partial Attribute Set in global catalog:
* uidNumber
* uid
* gidNumber

A basic config using the current trunk code would look like

    [global]
        idmap backend = adex
        idmap uid = 10000 - 19999
        idmap gid = 20000 - 29999
        idmap config US:backend = adex
        idmap config US:range = 20000 - 29999
        winbind nss info = adex
        winbind normalize names = yes
        winbind refresh tickets = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
2008-09-16 | * Allow an admin to define the "uid" attribute for a RFC2307 | Gerald (Jerry) Carter | 1 | -9/+168
user object in AD to be the username alias. For example:

    $ net ads search "(uid=coffeedude)"
    distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
    sAMAccountName: gcarter
    memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
    memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
    memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
    memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
    uid: coffeedude
    uidNumber: 10000
    gidNumber: 10000
    unixHomeDirectory: /home/gcarter
    loginShell: /bin/bash

    $ ssh coffeedude@192.168.56.91
    Password:

    coffeedude@orville:~$ id
    uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)

    $ getent passwd PINK\\gcarter
    coffeedude:*:10000:10000::/home/gcarter:/bin/bash

    $ getent passwd coffeedude
    coffeedude:*:10000:10000::/home/gcarter:/bin/bash

    $ getent group PINK\\Unixusers
    PINK\unixusers:x:10000:coffeedude
2008-09-16 | idmap_hash: Add the idmap/nss-info provider from Likewise Open. | Gerald (Jerry) Carter | 3 | -0/+628
* Port the Likewise Open idmap/nss_info provider (renamed to idmap_hash).
* uids & gids are generated based on a hashing algorithm that collapses the Domain SID to a 31 bit number. The reverse mapping from the high order 11 bits to the originating domain SID is stored in a hash table initialized at start up.
* Includes support for "idmap_hash:name_map = <filename>" for the name aliasing layer. The name map file consists of entries in the form "alias = DOMAIN\name"
2008-09-16 | winbindd: Update the calls to ws_name_XX() to reflect API changes. | Gerald (Jerry) Carter | 4 | -46/+314
* Ensures that all points at which a name is received or returned to/from a client pass through the name aliases layer (users and groups).
2008-09-16 | winbindd: Add support for name aliasing. | Gerald (Jerry) Carter | 5 | -22/+425
* Add support for user and group name aliasing by expanding the ws_name_replace() and ws_name_return() functions. The lookup path is

      aliases -> qualified name -> SID
      SID -> fully qualified name -> alias

  In other words, the name aliasing support is a thin layer built on top of SID/NAME translation.
* Rename the ws_name_XX() functions to normalize_name_map() and normalize_name_unmap(). Change interface to return NTSTATUS rather than char *.
* Add associated cache validation functions.
2008-09-15 | idmap_ad: Fix a segfault when calling nss_get_info() with a NULL ads structure. | Gerald W. Carter | 1 | -12/+69
2008-09-11 | Fix for bug 5571 | Simo Sorce | 3 | -1/+27
Make sure that usernames are parsed using the correct separator. Otherwise group memberships in winbind may be broken. (This used to be commit 20b9c0aa7b4e6d6be5bb6e4e96bd8a1cbb6edd37)
2008-09-05 | Revert "winbindd: the ad trusted_domains call should return talloced strings." | Günther Deschner | 1 | -5/+2
This reverts commit b57cbf62e8180c8fdb8f541c43358d36d8dbbdfa. (This used to be commit b2a3f13e5b3b81df2ed7460e54c11a7f56b3c4f6)
2008-09-05 | Fix a memleak | Qiao Yang | 1 | -1/+2
request.extra_data is not freed if there is no extra_data in response or when some error happens in processing. This patch will free the buffer right after processing a request before sending back a response. (This used to be commit be6f12273f171a3eb1967d2299064e57d737f6a4)
2008-09-04 | Fix winbindd crash bug with trusted domains. Bug #5736 | James Ding | 1 | -0/+2
(This used to be commit d4f5caa3d38b5afc1e8b3d0e0c6d7d68a152fe0a)
2008-09-04 | get rid of unneeded argument in get_methods and get_alloc_methods | Herb Lewis | 1 | -14/+9
(This used to be commit 07b0323472b78d49cff06b78924c3015bea52a30)
2008-09-04 | Cleanup of DC enumeration in get_dcs() | Steven Danneman | 1 | -24/+74
This is a fix for a few small inefficiencies/bugs in the get_dcs() path.
* because the third add_one_dc_unique() loop was outside the ADS check all DCs returned from the non-sitename lookup were being tacked onto the dc_name_ip list twice.
* add_one_dc_unique() now checks if the given IP address already exists before adding it to the list, making the returned list actually unique
* added more thorough doxygen comment headers

(This used to be commit cb2d488e1dbd90953c496c5e25d648977884f7e3)
2008-09-03 | Revert "Split lookup_name() and create a new function called" | Simo Sorce | 1 | -13/+15
This reverts commit 8594edf666c29fd4ddf1780da842683dd81483b6. (This used to be commit ad462e2e2d025a7fc23e7dea32b2b442b528970b)
2008-09-03 | Merge branch 'v3-devel' of ssh://git.samba.org/data/git/samba into v3-devel | Simo Sorce | 4 | -6/+34
(This used to be commit 8e4dca3b9416d9b5e535bda5e4befc073bfc1641)
2008-09-02 | winbindd: the ad trusted_domains call should return talloced strings. | Günther Deschner | 1 | -2/+5
Guenther (This used to be commit b57cbf62e8180c8fdb8f541c43358d36d8dbbdfa)
2008-08-31 | Fix Coverity ID 592 | Volker Lendecke | 1 | -0/+4
The scanner did not figure out that we always have a primary domain, so it complained about us potentially passing a NULL pointer down to set_domain_online_request() where it is dereferenced. Make the code a bit clearer. (This used to be commit e6e8d108f95ed974f98f3f57adcfbbde4e00fad9)
2008-08-28 | winbindd: fix invalid sid copy (hit when enumerating sibling domains). | Günther Deschner | 1 | -1/+1
Guenther (This used to be commit 5eee7423351ffd05486e33ff8eb905babcbc9422)
2008-08-27 | Fix the wcache_invalidate_samlogon calls. | Jeremy Allison | 2 | -3/+24
Jeremy. (This used to be commit 7c820899ed1364fdaeb7b49e8ddd839e67397ec0)
2008-08-26 | Merge branch 'v3-devel' of ssh://git.samba.org/data/git/samba into v3-devel | Simo Sorce | 9 | -543/+409
(This used to be commit e038f1cf9fb305fc1e7a4189208e451d30aaa1f0)
2008-08-26 | Move idmap_cache.c from winbindd/ to lib/ | Volker Lendecke | 1 | -261/+0
(This used to be commit fe70dcc1b63b1969c13f7fb03ec374b6e5a376a1)
2008-08-25 | winbindd: use set_auth_errors() in winbindd_dual_check_machine_acct as well. | Günther Deschner | 1 | -4/+1
Guenther (This used to be commit bb9c59e892cc9d3047bde89a15cc341e2bd21bc5)
2008-08-25 | winbindd: move set_auth_errors to util functions. | Günther Deschner | 3 | -12/+13
Guenther (This used to be commit ae3fa60c4546c7420722d8f422c22bbfd623ff5b)
2008-08-25 | winbindd: only create machine pwd change event when in primary domain child. | Günther Deschner | 1 | -1/+1
Guenther (This used to be commit 543dfdc1cf6baf60bffc23c6aebc542fd58d2d2e)
2008-08-23 | Fix some nonempty blank lines | Volker Lendecke | 1 | -26/+26
(This used to be commit 541e088656773d2b3b56a5a8bdc8dea6c9edec86)
2008-08-23 | Use talloc_stackframe() in machine_password_change_handler | Volker Lendecke | 1 | -9/+5
(This used to be commit 79103000b13c95325534db749a0da638a3eb1807)
2008-08-23 | Fix a memleak in calculate_next_machine_pwd_change | Volker Lendecke | 1 | -2/+7
(This used to be commit 5314f06dcdf14ce5e038a03a3e4dfded227bd00c)
2008-08-23 | winbindd: add event based machine password change. | Günther Deschner | 2 | -0/+120
Guenther (This used to be commit 15b72d44cbde0b8a375d8ed3d045c40ae97ec05a)
2008-08-22 | Don't re-initialize a token when we already have one. This fixes the build ↵ | Jeremy Allison | 1 | -0/+3
farm failures when winbindd connects as guest. This one took a *lot* of tracking down :-). Jeremy. (This used to be commit dca827791276906436452c650062164eb819dfe0)
2008-08-22 | idmap_gid_to_sid: Fix a cut-n-paste error. | Gerald (Jerry) Carter | 1 | -1/+1
The call was looking up a uid and not gid in the cache. (This used to be commit 25293ba1507f8f8fa7e33c302200184e980bb123)
2008-08-22 | winbindd: Fix crash in cm_connect_sam() | Gerald (Jerry) Carter | 1 | -2/+7
Fix segv when talking to parent DC (joined to child domain). The root cause was (a) storing the parent domain in the cli_state struct caused the NTLMSSP pipe bind to fail which made us fall over to the schannel code path (b) the dcinfo pointer in cm_get_schannel_dcinfo() was returning NULL even though the function indicated success. (This used to be commit 5ce4a2ae6697970ea37d0078a506615b4b7a9a9c)
2008-08-20 | Here is a re-working of the winbindd | Jeremy Allison | 3 | -9/+33
reconnect code to cope with rebooting a DC. This replaces the code I asked Volker to revert. The logic is pretty simple. It adds a new parameter, "winbind reconnect delay", set to 30 seconds by default, which determines how long to wait between connection attempts. To avoid overwhelming the box with DC-probe forked children, the code now keeps track of the DC probe child per winbindd_domain struct and only starts a new one if the existing one has died. I also added a little logic to make sure the dc probe child always sends a message whatever the reason for exit so we will always reschedule another connect attempt. Also added documentation. Jeremy. (This used to be commit 8027197635b988b3dcf9d3d00126a024e768fa62)
2008-08-19 | winbindd: consistently use false/true. | Günther Deschner | 1 | -27/+27
Guenther (This used to be commit e8619121d16d086f1ab186051d0ecdc83c02e5b5)
2008-08-19 | winbindd: use set_auth_errors (avoid code duplication). | Günther Deschner | 1 | -28/+6
Guenther (This used to be commit ae35a5110ea03d8ff27f320cdc685e5623715a2a)
2008-08-19 | winbindd: fill_in_password_policy (to avoid redundant code). | Günther Deschner | 1 | -20/+18
Guenther (This used to be commit dbfa7ba14c9f1a4d7a1e7205dd0b3ea2fc2e6131)
2008-08-19 | winbindd: kill some trailing/leading whitespace. | Günther Deschner | 1 | -159/+159
Guenther (This used to be commit b5bb7844952a87b123551b478b60bfe232afc308)
2008-08-17 | Split lookup_name() and create a new function called | Simo Sorce | 1 | -15/+13
lookup_domain_name(). This new function accepts separated strings for domain and name. (This used to be commit 8594edf666c29fd4ddf1780da842683dd81483b6)
2008-08-16 | Fix bug 5696. The problem was when smbd | Jeremy Allison | 1 | -2/+18
was asking for a winbindd name to SID lookup of "Unix Group\name" where "name" was also a valid username, the winbindd passdb lookup of that name was losing the domain string info before calling lookup name (ie. lookup_name() was being called with just the string "name", not the full string "Unix Group\name"). The passdb backend of winbindd has to cope with not only names from its own global SAM domain, but it does lookups for BUILTIN and "Unix User" and "Unix Group" also, so making it guess by losing the domain string is "A Bad Idea" (tm) :-). Note that as winbind globally calls winbind_off() at startup, it's safe for winbind to call sys_getgrnam() to do the "Unix Group" lookup from inside lookup_name(). Jeremy. (This used to be commit 5293af6c3cbfdde340e6add47b914b6ee6fd7b6f)
2008-08-16 | Attempt to fix Coverity ID 596 | Volker Lendecke | 1 | -1/+1
Jeremy, please check & push if it's ok. (This used to be commit f06070c188d6d2efed3205bbc9c3c290718397b1)
2008-08-15 | I think the problem with these functions is that lookup_usergroups | Herb Lewis | 1 | -1/+1
should never include the user SID. The comment for the function in winbindd/winbindd_ads.c says /* Lookup groups a user is a member of. */ The following patch makes the wbinfo calls return the correct data before and after a login. wbinfo --user-domgroups and --user-sids (This used to be commit 7849938906a9c859805cbaeca66fae9d3c515aad)
2008-08-14 | Revert "Add winbind:online check timeout parameter" | Volker Lendecke | 1 | -16/+0
This reverts commit 9920473cc165e75ee9aa5cbb9e568eb5fb67e9e6. (This used to be commit 34a32db9060e7b60455774f923f61b7367ee3fcf)
2008-08-13 | use transactions in idmap_tdb2 | Andrew Tridgell | 1 | -18/+42
(This used to be commit 32b8db27652a66a2ade547a6d27f34d0816f7296)
2008-08-13 | first cut at adding full transactions for ctdb to samba3 | Andrew Tridgell | 1 | -4/+0
(This used to be commit f91a3e0f7b7737c1d0667cd961ea950e2b93e592)
2008-08-13 | got rid of the redundant cache database | Andrew Tridgell | 1 | -134/+28
(This used to be commit 126f4ac8e85458ee4693b89a184b99420f1b6bee)
2008-08-13 | idmap tdb2: fix inconsistent mappings by checking for race and retrying to ↵ | Michael Adam | 2 | -57/+22
fetch mapping. Michael (This used to be commit cb4c74c9c206e5a445ca636fa6562ce721ea5839)
2008-08-13 | idmap tdb2: fix broken logic in tdb2_delete_bystring(). | Michael Adam | 1 | -5/+8
1. use the return value that idmap_tdb2_open_perm_db() gives us
2. don't delete from the local db if deleting from the perm db failed.
3. fix wrong interpretation of return value of the local delete

Michael (This used to be commit 147573d7f6faab0ad90258b6a28c4b9575ccb6ea)
2008-08-13 | idmap tdb2: fix broken logic in tdb2_store_bystring(). | Michael Adam | 1 | -5/+8
1. use the return value that idmap_tdb2_open_perm_db() gives us
2. don't write to the local db if writing to the perm db failed.
3. fix wrong interpretation of return value of the local store

Michael (This used to be commit be8c6b4f2f40014313899b5cbc1da9d390d94fee)
2008-08-13 | Add winbind:online check timeout parameter | Volker Lendecke | 1 | -0/+16
This is a band-aid for the rather convoluted offline/online mess in winbind right now. Winbind re-uses the offline functionality that is targeted at domain client installations on laptops to not overload dysfunctional DCs. It uses the winbind cache timeout as the retry timeout after a DC reboot. I am using a parametric option because when this mess is cleaned up, that parameter needs to go away again. I'd recommend to use something like

    winbind:online check timeout = 30

in typical LAN environments. This means a reconnect is attempted every 30 seconds. Volker (This used to be commit 9920473cc165e75ee9aa5cbb9e568eb5fb67e9e6)