| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
We can optimize this later and just do one wb_sids2xids_send/recv call.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
idmap_find_domain_with_sid() should be used instead
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
wbint_Sids2UnixIDs()
This is the way the singular calls work and how they should (currently) work.
The two code paths need to give the same results. It is important to use
the passdb backend, otherwise groups don't work.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
This will return the passdb domain if the given sid is in our sam or builtin
or is the domain sid of those domains. Otherwise it returns the idmap domain
that results from the idmap configuration.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
This implicitly also hands the type of the resulting unix-id that the idmap
backend has created back to the caller. This is important for backends that
would set a broader type than the requested one, e.g. rid backend returning
BOTH instead of UID or GID.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
The main purpose of the change is to hand the sid into the
idmap backend and handle responsiblity for handling the
sid-type correctly to the idmap backend instead of failing
directly when the sid is not of group type.
Hence backends like rid who are sid-type agnostic, can
return gids also for sids of other types. This is an important
fix to make sid_to_gid behave the consistently with and without
the presence of cache entries.
We need to additionally filter the result for id type GID
or more general (BOTH) to keep the behaviour.
This is a step towards using only one codepath to id_mapping.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
The main purpose of the change is to hand the sid into the
idmap backend and handle responsiblity for handling the
sid-type correctly to the idmap backend instead of failing
directly when the sid is not of type user.
Hence backends like rid who are sid-type agnostic, can
return uids also for sids of other types. This is an important
fix to make sid_to_uid behave the consistently with and without
the presence of cache entries.
We need to additionally filter the result for id type UID
or more general (BOTH) to keep the behaviour.
This is a step towards using only one codepath to id_mapping.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
- external part takes winbindd request/reponse structs (with sid strings)
- internal part takes sid lists
The new internal part implements functions wb_sids2xids_* that are
moved into the new module wb_sids2xids.c.
The purpose of this change is to use wb_sids2xids in winbindd_sid_to_uid
and winbindd_sid_to_gid instead of the currently used wb_sid2uid and wb_sid2gid.
We should just have one code path into id mapping and not several that behave
differently.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
winbindd_sids_to_xids_lookupsids_done()
for readability
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
Volker, please check.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
As this is a burst of 3 unbound sockets with each try to reach a DC
we're running out of file descriptors pretty fast. So winbind is then
mostly spinning in an accept loop failing with EMFILE.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jim McDonough <jmcd@samba.org>
Autobuild-User(master): Jim McDonough <jmcd@samba.org>
Autobuild-Date(master): Wed Nov 28 17:17:21 CET 2012 on sn-devel-104
|
|
Reviewed by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Nov 26 22:03:05 CET 2012 on sn-devel-104
|
|
Reviewed by: Jeremy Allison <jra@samba.org>
|
|
Samba continues to query a broken DC while the DC did not finish to
rebuild Sysvol (after a Windows crash, for example). It causes end users
to received strange codes while trying to authenticate, even if there is
a secondary DC available.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Nov 12 18:57:18 CET 2012 on sn-devel-104
|
|
access."
This reverts commit ae6a779bf9f816680e724ede37324b7f5355996b.
Bug 9125 analysis from Volker:
The problem is that there are no network calls possible at all that
would do what the samlogon cache does for us. There is just no way to
retrieve the group membership in a complex trusted environment. If you
have just a single domain with Samba as domain controller it might be
possible, but even within a single domain it is not possible to
correctly retrieve all group memberships using LDAP calls due to ACLs on
directory objects. The call to get that is called NetSamLogon on the
NETLOGON pipe. But this call requires user credentials and might trigger
updating counts on the server. So to correctly implement wbinfo -r after
a user has logged in, you have two alternatives: Save the info3 struct
or the PAC in the netsamlogon cache. If you insist on doing network
calls, you need to cache the user credentials somewhere to re-do the
NetSamLogon call every time the wbinfo -r is requested.
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
We should use the latest supported dialect.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewd-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Thu Nov 1 18:11:27 CET 2012 on sn-devel-104
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
|
|
The removal of consumption of the time field from the centry
as "removal of unused variable" in 21528da9cd12a4f5c3792a482a5d18fe946a6f7a
had the side effect of changing the offset for reading the following
nt password hash, so the read password hash was wrong.
This patch re-installs the consumption of the time,
thereby fixing the bug without changing the disk format of the cache.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Oct 19 23:15:04 CEST 2012 on sn-devel-104
|
|
|
|
|
|
Guenther
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Sat Sep 29 00:34:04 CEST 2012 on sn-devel-104
|
|
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Sep 27 07:57:03 CEST 2012 on sn-devel-104
|
|
about type potentially being used uninitialized
Autobuild-User(master): Christian Ambach <ambi@samba.org>
Autobuild-Date(master): Mon Sep 24 03:49:53 CEST 2012 on sn-devel-104
|
|
about result being potentially uninitialized
|
|
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Sep 22 09:09:17 CEST 2012 on sn-devel-104
|
|
With this new interface, external applications that have authenticated
to an ADS can pass the PAC from the Kerberos ticket to
wbcAuthenticateUserEx. winbindd decodes and extracts the info3
information for the external application. If winbindd can verify the PAC
signature, the info3 from the PACis also added to the netsamlogon_cache.
The info3 data can be used by the external application to get the uid
and primary gid. The data in netsamlogon_cache allows to retrieve the
complete group list through the NSS function getgrouplist.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
in idmap_tdb_common_sids_to_unixids()
|
|
in idmap_tdb_common_unixids_to_sids()
|
|
Calling be_init with NULL safely crashes, because we dereference NULL. We
don't need to call it here, this is called in all workers anyway. Thanks
to Jiri Sasek <jiri.sasek@oracle.com> for finding this.
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Sep 20 05:03:54 CEST 2012 on sn-devel-104
|
|
Break pdb_ldap -> smbldaphelper -> pdb -> pdb_ldap loop by
making smbldaphelp intentionally underlinked internal library.
It means that libsmbldaphelp is not usable unless its user is
also linked to libpdb (that is the case for both its users,
idmap_ldap and pdb_ldap, already) but gives us a break of
the circular dependency in case pdb_ldap statically linked
into pdb (default).
This should solve case when idmap_ldap and pdb_ldap are dynamically
loaded modules
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Fri Sep 14 01:02:21 CEST 2012 on sn-devel-104
|
|
Since these functions are used in pdb_ldap and idmap_ldap, and
pdb_ldap might be statically linked to libpdb (default), it is
better to keep them as separate subsystem to avoid polluting libpdb
namespace.
This is first step in refactoring libpdb. Right now I cannot move
these functions into proper libsmbldaphelper as it uses more of
libpdb-included functions and linking pdb_ldap against libsmbldaphelper
library would have created a loop if pdb_ldap is included into libpdb.
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Thu Sep 13 17:36:07 CEST 2012 on sn-devel-104
|
|
Avoid overriding default ccache for ads operations.
Nowadays various samba components may need to use GSSAPI and a default cred
cache to perform their tasks.
This code was completely overriding the whole process default ccache name, thus
altering the current credentials and sometimes hijacking them (or getting
preemptively hijaked).
By using gss_krb5_import_cred we can instead use a private ccache (necessary
sometimes to use a different set of credentials fromt he default
cifs/fqdn@realm one, for example when contacting foreign DCs using trust
credentials) that does not affect the rest of the process.
For the kerberos versions which don't have gss_krb5_import_cred
we fallback to temp override of KRB5CCNAME and gss_acquire_cred.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Sep 12 21:18:09 CEST 2012 on sn-devel-104
|
|
This wasn't planned and slipped trough, sorry.
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Sep 11 14:28:53 CEST 2012 on sn-devel-104
|
