| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
With large groups, getgrent ran into timeouts because after each
single user that was added to the expanded group list, the list
was sorted and made unique.
Now the list is sorted just once after all members have been added.
Michael
|
|
|
|
Jeremy.
|
|
On some versions of Solaris, we observed a strange effect of close(2)
on a socket: After the server (here winbindd) called close, the client fd
was not marked as readable for select. And a write call to the fd did
not produce an error EPIPE but just returned as if successful.
So while winbindd had called remove_client(), the corresponding smbd
still thought that it was connected, but failed to retrieve answers
for its queries.
This patch works around the problem by forcing the client fd to
the readable state: Just write one byte into the socket before
closing.
Michael
|
|
|
|
otherwise (to clarify we can also pass in structs smaller than
sockaddr_storage, such as sockaddr_in).
|
|
We need to initialize all mappings in case we don't find anything.
Simo, please check!
Volker
|
|
|
|
Guenther
|
|
|
|
|
|
Guenther
|
|
"rescan_trusted_domain".
From analysis by hargagan <shargagan@novell.com> :
"The winbindd_child_died() is also getting called from process_loop() in case of
SIGCHLD signal. In this case it doesn't make the timeout_handler to NULL for
the first request. It then initiate a new request using
schedule_async_request() which installs a new timeout handler for the same
request. In such a case, for a badly unresponsive system both the timeout
handler can be called. For the first call the "private_data" will be cleared
and for another call the timeout handler will be detecting the double free. So,
for such a case as well, the winbindd_child_died() should make the
timeout_handler to NULL."
Jeremy.
|
|
Log the dn of all located entries in order to verify search results.
|
|
Part of continue work on BUG 5806.
|
|
|
|
This API is unusual in that if used to remove a non-list head it nulls out
the next and prev pointers. This is what you want for debugging (don't want
an entry removed from the list to be still virtually linked into it) but
means there is no consistent idiom for use as the next and prev pointers
get trashed on removal from the list, meaning you must save them yourself.
You can use it one way when deleting everything via the head pointer, as
this preserves the next pointer, but you *must* use it another way when not
deleting everything via the head pointer. Fix all known uses of this (the main
one is in conn_free_internal() and would not free all the private data entries
for vfs modules. The other changes in web/statuspage.c and winbindd_util.c
are not strictly neccessary, as the head pointer is being used, but I've done
them for consistency. Long term we must revisit this as this API is too hard
to use correctly.
Jeremy.
|
|
This option really is essential, as we discover again and again at
customer sites. Due to bugs in winbind some domains are toxic. When
you are installing at a site and a particular domain in a complex
setup causes winbind to segfault or hang then you need a way to
disable that domain and continue.
In an ideal world winbind could handle arbitrarily complex ADS
domains, but we are nowhere near that yet. If we ever get to that
stage then we won't need this option.
|
|
|
|
With some setups, idmap_tdb2_allocate_id can be called before the
allocate backend is initialised, leading to a segv. This change
ensures that the db is opened in all paths that use it
|
|
|
|
Guenther
|
|
patch from shargagan@novell.com
Jeremy.
|
|
Guenther
|
|
Before this, "getent group builtin\\administrators" expanded
domain group members in the form DOMAIN\domain\user.
Michael
|
|
Michael
|
|
This fixes the output of "getent group" when "winbind use default domain = yes"
with security = ads.
Michael
|
|
This makes the output of "getent group" of a domain group show the
domain prefix with "security = domain".
Michael
|
|
A talloc version of fill_domain_username().
Michael
|
|
A talloc version of fill_domain_username().
Michael
|
|
Michael
|
|
Michael
|
|
Guenther
|
|
The adex idmap/nss_info plugin is an adapation of the Likewise
Enterprise plugin with support for OU based cells removed
(since the Windows pieces to manage the cells are not available).
This plugin supports
* The RFC2307 schema for users and groups.
* Connections to trusted domains
* Global catalog searches
* Cross forest trusts
* User and group aliases
Prerequiste: Add the following attributes to the Partial Attribute
Set in global catalog:
* uidNumber
* uid
* gidNumber
A basic config using the current trunk code would look like
[global]
idmap backend = adex
idmap uid = 10000 - 19999
idmap gid = 20000 - 29999
idmap config US:backend = adex
idmap config US:range = 20000 - 29999
winbind nss info = adex
winbind normalize names = yes
winbind refresh tickets = yes
template homedir = /home/%D/%U
template shell = /bin/bash
|
|
user object in AD to be the username alias.
For example:
$ net ads search "(uid=coffeedude)"
distinguishedName: CN=Gerald W. Carter,CN=Users,DC=pink,DC=plainjoe,DC=org
sAMAccountName: gcarter
memberOf: CN=UnixUsers,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Domain Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=pink,DC=plainjoe,DC=org
uid: coffeedude
uidNumber: 10000
gidNumber: 10000
unixHomeDirectory: /home/gcarter
loginShell: /bin/bash
$ ssh coffeedude@192.168.56.91
Password:
coffeedude@orville:~$ id
uid=10000(coffeedude) gid=10000(PINK\unixusers) groups=10000(PINK\unixusers)
$ getent passwd PINK\\gcarter
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent passwd coffeedude
coffeedude:*:10000:10000::/home/gcarter:/bin/bash
$ getent group PINK\\Unixusers
PINK\unixusers:x:10000:coffeedude
|
|
* Port the Likewise Open idmap/nss_info provider (renamed to
idmap_hash).
* uids & gids are generated based on a hashing algorithm that collapse
the Domain SID to a 31 bit number. The reverse mapping from the
high order 11 bits to the originat8ing sdomain SID is stored in
a has table initialized at start up.
* Includes support for "idmap_hash:name_map = <filename>" for the
name aliasing layer. The name map file consist of entries in
the form "alias = DOMAIN\name"
|
|
* Ensures that all points an which a name is received or returned
to/from a client passes through the name aliases layer (users
and groups).
|
|
* Add support user and group name aliasing by expanding
the ws_name_replace() and ws_name_return() functions.
The lookup path is
aliases -> qualified name -> SID
SID -> fully qualified name -> alias
In other words, the name aliasing support is a thin layer
built on top of SID/NAME translation.
* Rename the ws_name_XX() functions to normalize_name_map()
and normalize_name_unmap(). Chaneg interface to return
NTSTATUS rather than char *.
* Add associated cache validation functions.
|
|
|
|
Make sure that usernames are parsed using the correct separator.
Otherwise group memeberships in winbind may be result broken.
(This used to be commit 20b9c0aa7b4e6d6be5bb6e4e96bd8a1cbb6edd37)
|
|
This reverts commit b57cbf62e8180c8fdb8f541c43358d36d8dbbdfa.
(This used to be commit b2a3f13e5b3b81df2ed7460e54c11a7f56b3c4f6)
|
|
request.extra_data is not freed if there is no extra_data in response or
when there is some error happens in processing. This patch will free the
buffer right after processing a request before sending back a response.
(This used to be commit be6f12273f171a3eb1967d2299064e57d737f6a4)
|
|
(This used to be commit d4f5caa3d38b5afc1e8b3d0e0c6d7d68a152fe0a)
|
|
(This used to be commit 07b0323472b78d49cff06b78924c3015bea52a30)
|
|
This is a fix for a few small inefficiencies/bugs in the get_dcs() path.
* because the third add_one_dc_unique() loop was outside the ADS check all DCs
returned from the non-sitename lookup were being tacked onto the dc_name_ip
list twice.
* add_one_dc_unique() now checks if the given IP address already exists before
adding it to the list, making the returned list actually unique
* added more thorough doxygen comment headers
(This used to be commit cb2d488e1dbd90953c496c5e25d648977884f7e3)
|
|
This reverts commit 8594edf666c29fd4ddf1780da842683dd81483b6.
(This used to be commit ad462e2e2d025a7fc23e7dea32b2b442b528970b)
|
|
(This used to be commit 8e4dca3b9416d9b5e535bda5e4befc073bfc1641)
|
|
Guenther
(This used to be commit b57cbf62e8180c8fdb8f541c43358d36d8dbbdfa)
|
|
The scanner did not figure out that we always have a primary domain, so it
complained about us potentially passing a NULL pointer down to
set_domain_online_request() where it is dereferenced.
Make the code a bit clearer.
(This used to be commit e6e8d108f95ed974f98f3f57adcfbbde4e00fad9)
|
