Age | Commit message (Collapse) | Author | Files | Lines |
|
Michael
|
|
Michael
|
|
Guenther
|
|
The adex idmap/nss_info plugin is an adapation of the Likewise
Enterprise plugin with support for OU based cells removed
(since the Windows pieces to manage the cells are not available).
This plugin supports
* The RFC2307 schema for users and groups.
* Connections to trusted domains
* Global catalog searches
* Cross forest trusts
* User and group aliases
Prerequiste: Add the following attributes to the Partial Attribute
Set in global catalog:
* uidNumber
* uid
* gidNumber
A basic config using the current trunk code would look like
[global]
idmap backend = adex
idmap uid = 10000 - 19999
idmap gid = 20000 - 29999
idmap config US:backend = adex
idmap config US:range = 20000 - 29999
winbind nss info = adex
winbind normalize names = yes
winbind refresh tickets = yes
template homedir = /home/%D/%U
template shell = /bin/bash
|
|
user object in AD to be the username alias.
For example:
$ net ads search "(uid=coffeedude)"
distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
sAMAccountName: gcarter
memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
uid: coffeedude
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/gcarter
loginShell: /bin/bash
$ ssh coffeedude@192.168.56.91
Password:
coffeedude@orville:~$ id
uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)
$ getent passwd PINK\\gcarter
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent passwd coffeedude
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent group PINK\\Unixusers
PINK\unixusers:x:10000:coffeedude
|
|
* Port the Likewise Open idmap/nss_info provider (renamed to
idmap_hash).
* uids & gids are generated based on a hashing algorithm that collapse
the Domain SID to a 31 bit number. The reverse mapping from the
high order 11 bits to the originat8ing sdomain SID is stored in
a has table initialized at start up.
* Includes support for "idmap_hash:name_map = <filename>" for the
name aliasing layer. The name map file consist of entries in
the form "alias = DOMAIN\name"
|
|
* Ensures that all points an which a name is received or returned
to/from a client passes through the name aliases layer (users
and groups).
|
|
* Add support user and group name aliasing by expanding
the ws_name_replace() and ws_name_return() functions.
The lookup path is
aliases -> qualified name -> SID
SID -> fully qualified name -> alias
In other words, the name aliasing support is a thin layer
built on top of SID/NAME translation.
* Rename the ws_name_XX() functions to normalize_name_map()
and normalize_name_unmap(). Chaneg interface to return
NTSTATUS rather than char *.
* Add associated cache validation functions.
|
|
|
|
Make sure that usernames are parsed using the correct separator.
Otherwise group memeberships in winbind may be result broken.
(This used to be commit 20b9c0aa7b4e6d6be5bb6e4e96bd8a1cbb6edd37)
|
|
This reverts commit b57cbf62e8180c8fdb8f541c43358d36d8dbbdfa.
(This used to be commit b2a3f13e5b3b81df2ed7460e54c11a7f56b3c4f6)
|
|
request.extra_data is not freed if there is no extra_data in response or
when there is some error happens in processing. This patch will free the
buffer right after processing a request before sending back a response.
(This used to be commit be6f12273f171a3eb1967d2299064e57d737f6a4)
|
|
(This used to be commit d4f5caa3d38b5afc1e8b3d0e0c6d7d68a152fe0a)
|
|
(This used to be commit 07b0323472b78d49cff06b78924c3015bea52a30)
|
|
This is a fix for a few small inefficiencies/bugs in the get_dcs() path.
* because the third add_one_dc_unique() loop was outside the ADS check all DCs
returned from the non-sitename lookup were being tacked onto the dc_name_ip
list twice.
* add_one_dc_unique() now checks if the given IP address already exists before
adding it to the list, making the returned list actually unique
* added more thorough doxygen comment headers
(This used to be commit cb2d488e1dbd90953c496c5e25d648977884f7e3)
|
|
This reverts commit 8594edf666c29fd4ddf1780da842683dd81483b6.
(This used to be commit ad462e2e2d025a7fc23e7dea32b2b442b528970b)
|
|
(This used to be commit 8e4dca3b9416d9b5e535bda5e4befc073bfc1641)
|
|
Guenther
(This used to be commit b57cbf62e8180c8fdb8f541c43358d36d8dbbdfa)
|
|
The scanner did not figure out that we always have a primary domain, so it
complained about us potentially passing a NULL pointer down to
set_domain_online_request() where it is dereferenced.
Make the code a bit clearer.
(This used to be commit e6e8d108f95ed974f98f3f57adcfbbde4e00fad9)
|
|
Guenther
(This used to be commit 5eee7423351ffd05486e33ff8eb905babcbc9422)
|
|
Jeremy.
(This used to be commit 7c820899ed1364fdaeb7b49e8ddd839e67397ec0)
|
|
(This used to be commit e038f1cf9fb305fc1e7a4189208e451d30aaa1f0)
|
|
(This used to be commit fe70dcc1b63b1969c13f7fb03ec374b6e5a376a1)
|
|
Guenther
(This used to be commit bb9c59e892cc9d3047bde89a15cc341e2bd21bc5)
|
|
Guenther
(This used to be commit ae3fa60c4546c7420722d8f422c22bbfd623ff5b)
|
|
Guenther
(This used to be commit 543dfdc1cf6baf60bffc23c6aebc542fd58d2d2e)
|
|
(This used to be commit 541e088656773d2b3b56a5a8bdc8dea6c9edec86)
|
|
(This used to be commit 79103000b13c95325534db749a0da638a3eb1807)
|
|
(This used to be commit 5314f06dcdf14ce5e038a03a3e4dfded227bd00c)
|
|
Guenther
(This used to be commit 15b72d44cbde0b8a375d8ed3d045c40ae97ec05a)
|
|
farm failures when winbindd connects as guest.
This one took a *lot* of tracking down :-).
Jeremy.
(This used to be commit dca827791276906436452c650062164eb819dfe0)
|
|
The call was looking up a uid and not gid in the cache.
(This used to be commit 25293ba1507f8f8fa7e33c302200184e980bb123)
|
|
Fix segv when talking to parent DC (joined to child domain).
The root cause was
(a) storing the parent domain in the cli_state struct caused
the NTLMSSP pipe bind to fail which made us fallover to
the schannel code path
(b) the dcinfo pointer in cm_get_schannel_dcinfo() was returning
NULL even though the function indicated success.
(This used to be commit 5ce4a2ae6697970ea37d0078a506615b4b7a9a9c)
|
|
reconnect code to cope with rebooting a DC. This
replaces the code I asked Volker to revert.
The logic is pretty simple. It adds a new parameter,
"winbind reconnect delay", set to 30 seconds by
default, which determines how long to wait between
connection attempts.
To avoid overwhelming the box with DC-probe
forked children, the code now keeps track of
the DC probe child per winbindd_domain struct
and only starts a new one if the existing one
has died.
I also added a little logic to make sure the
dc probe child always sends a message whatever
the reason for exit so we will always reschedule
another connect attempt.
Also added documentation.
Jeremy.
(This used to be commit 8027197635b988b3dcf9d3d00126a024e768fa62)
|
|
Guenther
(This used to be commit e8619121d16d086f1ab186051d0ecdc83c02e5b5)
|
|
Guenther
(This used to be commit ae35a5110ea03d8ff27f320cdc685e5623715a2a)
|
|
Guenther
(This used to be commit dbfa7ba14c9f1a4d7a1e7205dd0b3ea2fc2e6131)
|
|
Guenther
(This used to be commit b5bb7844952a87b123551b478b60bfe232afc308)
|
|
lookup_domain_name(). This new function accept separated
strings for domain and name.
(This used to be commit 8594edf666c29fd4ddf1780da842683dd81483b6)
|
|
was asking for a winbindd name to SID lookup of
"Unix Group\name" where "name" was also a valid username,
the winbindd passdb lookup of that name was losing the
domain string info before calling lookup name (ie. lookup_name()
was being called with just the string "name", not the
full string "Unix Group\name").
The passdb backend of winbindd has to cope with
not only names from it's own global SAM domain,
but it does lookups for BUILTIN and "Unix User"
and "Unix Group" also, so making it guess by
losing the domain string is "A Bad Idea" (tm) :-).
Note that as winbind globally calls winbind_off()
at startup, it's safe for winbind to call sys_getgrnam()
to do the "Unix Group" lookup from inside lookup_name().
Jeremy.
(This used to be commit 5293af6c3cbfdde340e6add47b914b6ee6fd7b6f)
|
|
Jeremy, please check & push if it's ok.
(This used to be commit f06070c188d6d2efed3205bbc9c3c290718397b1)
|
|
should never include the user SID.
The comment for the function in winbindd/winbindd_ads.c says
/* Lookup groups a user is a member of. */
The following patch makes the wbinfo calls return the correct data
before and after a login.
wbinfo --user-domgroups and --user-sids
(This used to be commit 7849938906a9c859805cbaeca66fae9d3c515aad)
|
|
This reverts commit 9920473cc165e75ee9aa5cbb9e568eb5fb67e9e6.
(This used to be commit 34a32db9060e7b60455774f923f61b7367ee3fcf)
|
|
(This used to be commit 32b8db27652a66a2ade547a6d27f34d0816f7296)
|
|
(This used to be commit f91a3e0f7b7737c1d0667cd961ea950e2b93e592)
|
|
(This used to be commit 126f4ac8e85458ee4693b89a184b99420f1b6bee)
|
|
fetch mapping.
Michael
(This used to be commit cb4c74c9c206e5a445ca636fa6562ce721ea5839)
|
|
1. use the return value that idmap_tdb2_open_perm_db() gives us
2. don't delete frep the local db if deleting from the perm db failed.
3. fix wrong interpretation of return value of the local delete
Michael
(This used to be commit 147573d7f6faab0ad90258b6a28c4b9575ccb6ea)
|
|
1. use the return value that idmap_tdb2_open_perm_db() gives us
2. don't write to the local db if writing to the perm db failed.
3. fix wrong interpretation of return value of the local store
Michael
(This used to be commit be8c6b4f2f40014313899b5cbc1da9d390d94fee)
|
|
This is a band-aid for the rather convoluted offline/online mess in winbind
right now. Winbind re-uses the offline functionality that is targeted at domain
client installations on laptops to not overload disfunctional DCs. It uses the
winbind cache timeout as the retry timeout after a DC reboot.
I am using a parametric options because when this mess is cleaned up, that
parameter needs to go away again.
I'd recommend to use something like
winbind:online check timeout = 30
in typical LAN environments. This means a reconnect is attempted every 30
seconds.
Volker
(This used to be commit 9920473cc165e75ee9aa5cbb9e568eb5fb67e9e6)
|