| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
|
|
Simo is right, we need to ask passdb first. At least this fixes a nasty to find
NT_STATUS_ACCESS_DENIED problem in the build farm for the test run I just did
on host "opi".
Michael, can you re-check if this also fixes the error you found, leading to
the two fixes?
Thanks,
Volker
|
|
This reverts commit 9a9b64dbdfce4414ada22d4f882c8c757b5813e1.
|
|
This reverts commit 45db33e73262d8e195a46fb96405dfb3dc43d6bc.
|
|
Jeremy.
|
|
reinit_after_fork() already calls messaging_reinit()
metze
|
|
As noted by Metzy, it makes no sense here to check id->sid.
What is worse, this might even be passed in uninitialized.
This still fixes the bug for me (of course), but we might need
to check, if another special handling of passdb is needed
(possibly changing from constant return code NT_STATUS_OK...)
Michael
Signed-off-by: Michael Adam <obnox@samba.org>
|
|
This failed for backends other than passed, since
idmap_backends_unixid_to_sid() always asked passdb first,
which returned Success no matter whether a mapping was
found or not.
One effect wast that getpwuid failed after "net cache flush".
Only after filling the cache with a getpwnam call it succeeded.
This fix makes the behaviour of idmap_backends_unixid_to_sid()
exactly the same as that of idmap_backends_sid_to_unixid()
Michael
Signed-off-by: Michael Adam <obnox@samba.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
getgrsid_sid2gid_recv
to make code more readble
Michael
|
|
This is just to find the corresponding domain struct.
Actual connection is handled by the domain child.
Michael
|
|
This is just to find the corresponding domain struct.
Actual connection is handled by the domain child.
Michael
|
|
Also eliminates name conflicts with OneFS system libraries
|
|
|
|
Michael
|
|
Michael
|
|
This fixes "winbind nss info = rfc2307" (or sfu or sfu20).
Originally, only explicitly configured domains (like "rfc2307:domain")
worked with the ad module, since the domain name was not passed
backe to the module. This is fixed by recording the first backend
listed without domain in the "winbind nss info" parameter as the
default backend, and creating new nss_domain entries (using this default
backend) on the fly as requests for domains which are not explicitly
configured are encountered.
Michael
|
|
Remove trailing spaces and fix tab / space mixup.
Michael
|
|
Michael
|
|
Michael
|
|
Michael
|
|
Michael
|
|
This initial fix does at least work for explicitly configured domains.
The patch has a few disadvantages:
1. It does work only for explicitly configured domains, not with
the default backend (idmap backend = ad), since it relies on the
domain name being passed in via the idmap_domain. One workaround
for this would be to create clones of the default idmap_domain
for domains not explicitly configured.
2. It calls find_domain_from_name_noinit() from idmap_ad_cached_connection.
The problem here is that only the NetBIOS domain name (workgroup
name) is passed in via the idmap_domain struct, and the module
has to establish a connection to the domain based on that information.
find_domain_from_name_noinit() has the disadvantage that it uses the state
of the domain list at fork time (unless used from the main winbindd).
But this should be ok as long as the primary domain was reachable at
start time.
For nss_info, the situation is similar - This will only work for domains
explicitly configured in smb.conf as follows:
"winbind nss info = rfc2307:dom1 sfu:dom2 rfc2307:dom3 template:dom4"
Setting the default nss info to one of the ad backends (rfc2307, sfu, sfu20)
will fail since the domain name is not passed in with the nss_domain_entry.
Michael
|
|
common function.
Michael
|
|
in preparation to using the idmap_ad_context there
Michael
|
|
idmap_backends_sid_to_unixid
Michael
|
|
idmap_backends_unixid_to_sid
Michael
|
|
Michael
|
|
Michael
|
|
instead of just the domain name
Michael
|
|
This reverts commit 6a4957d35d50e6508917aca62b282ae4904187c8.
Sorry - this got accidentially pushed.
Michael
|
|
Michael
|
|
Now that the methods are no longer needed in winbindd_ads,
we can make them static again.
Michael
|
|
Some of the ads methods just point to the rpc methods.
This makes winbindd_ads use the reconnect methods instead of
calling the rpc methods directly in order to prevent
negative cache entries for e.g. name_to_sid, when the dc
has closed the connection without sending a reset.
Michael
|
|
The ads lookup_groupmem() function calls lda_lookupsids to resolve sids
to names. This is tried only once. So in case the connection was broken,
e.g. closed by the server (without a reset packet), there will be an empty
GM/ cache entry for the requested group which will prevent proper working
of access checks among other checks for the expiry period.
This patch works around this problem by retrying once if the lsa_lookupsids
call fails, re-establishing the dc-connection, as we already do in many other
places (e.g. the winbindd retry methods for the rpc layer).
Michael
|
|
keytab.
Guenther
|
|
|
|
The idmap_tdb backend already provides an interface to remove existing id
mappings. This commit plumbs that ability up through, winbindd, libwbclient,
and wbinfo.
Added new winbindd command:
WINBINDD_REMOVE_MAPPING
Added new libwbclient interfaces:
wbcRemoveUidMapping() and wbcRemoveGidMapping()
Added new wbinfo options:
--remove-uid-mapping
--remove-gid-mapping
Increased libwbclient version to 0.2
Increased winbind interface version to 20
|
|
Some AD objects, like Exchange Public Folders, can be members of Security
Groups but do not have a SID attribute. This patch adds more granular return
errors to ads_get_sid_from_extended_dn(). Callers can now determine if a parse
error occured because of bad input, or the DN was valid but contained no SID.
I updated all callers to ignore SIDless objects when appropriate.
Also did some cleanup to the out paths of lookup_usergroups_memberof()
|
|
|
|
'getent group'
Jeremy.
|
|
w2k dcs.
Guenther
|
