summaryrefslogtreecommitdiff
path: root/source3/winbindd
AgeCommit message (Collapse)AuthorFilesLines
2008-05-29Fix winbindd on a PDC by reverting : ↵Jeremy Allison2-9/+6
83b04c60fac76ccd2d5aecb14f8896a07d488b1f..6e66512d5beb256a44c6703cdb8c7fa7e0fd8537. We still need to address https://bugzilla.redhat.com/show_bug.cgi?id=429024, but this will come later. Jeremy. (This used to be commit 41e20becf3b976656f60aaec9175df329803b012)
2008-05-26winbind: correctly omit check for trusted domain support in ↵Michael Adam1-1/+1
cm_prepare_connection when checking for a trusted domain situation. This is how it was meant to be: Otherwise, with a dc-trusted-domain situation but trusted domains disabled, we would attempt to do a session setup and fail (wouldn't even get a trust password). Michael (This used to be commit a5a51ca8e5971992d9b060d66201b808bd2b7a53)
2008-05-25Fix two c++ warningsVolker Lendecke2-2/+3
(This used to be commit 3b1dae7c31b881834ca4494c4434ae97a56ce6c7)
2008-05-23Manually merge Steven Danneman's patch for SPNEGO auth to a trustedGerald W. Carter1-5/+7
Win2008 domain (merged from v3-0-test). commit 8dc4e979776aae0ecaa74b51dc1eac78a7631405 Author: Steven Danneman <sdanneman@isilon.com> Date: Wed May 7 13:34:26 2008 -0700 spnego SPN fix when contacting trusted domains cli_session_setup_spnego() was not taking into consideration the situation where we're connecting to a trusted domain, specifically one (like W2K8) which doesn't return a SPN in the NegTokenInit. This caused two problems: 1) When guessing the SPN using kerberos_get_default_realm_from_ccache() we were always using our default realm, not the realm of the domain we're connecting to. 2) When falling back on NTLMSSP for authentication we were passing the name of the domain we're connecting to for use in our credentials when we should be passing our own workgroup name. The fix for both was to split the single "domain" parameter into "user_domain" and "dest_realm" parameters. We use the "user_domain" parameter to pass into the NTLM call, and we used "dest_realm" to create an SPN if none was returned in the NegTokenInit2 packet. If no "dest_realm" is provided we assume we're connecting to our own domain and use the credentials cache to build the SPN. Since we have a reasonable guess at the SPN, I removed the check that defaults us directly to NTLM when negHint is empty. (This used to be commit b78b14c88e8354aadf9ba7644bdb1c29245fe419)
2008-05-23Manually port Steven Dannenman fix for using the correct machine domain whenGerald W. Carter1-3/+3
looking up trust credentials in our tdb. commit fd0ae47046d37ec8297396a2733209c4d999ea91 Author: Steven Danneman <sdanneman@isilon.com> Date: Thu May 8 13:34:49 2008 -0700 Use machine account and machine password from our domain when contacting trusted domains. (This used to be commit 69b37ae60757075a0712149c5f97f17ee22c2e41)
2008-05-22Get rid of "shadowed local var" warnings with gcc.Jeremy Allison1-7/+7
Jeremy. (This used to be commit 0bc18967aa7cb6f4debeaa48be81d0e48a7d9503)
2008-05-22Make WINBINDD_LIST_GROUPS handler asynchronous.Steven Danneman6-60/+187
Previously WINBINDD_LIST_GROUPS requests (ex: wbinfo -g) were handled by the winbindd parent process in a sequential fashion. This patch, delegates the work to the winbindd children so that the request is handled much faster in large domain topologies, and doesn't block the parent from receiving new requests. The core group enumeration and conversion that was handled in winbindd_list_groups() has been moved into winbindd_dual_list_groups() to be done by the child. The parent winbindd_list_groups() simply calls each of the children asynchronously. listgroups_recv() aggregates the final group list that will be returned to the client and tracks how many of the children have returned their lists. The domain name of the child is passed back through the callbacks to be used in debugging messages. There are also several fixes to typos in various comments. (This used to be commit 037b9689d9042a398cb91e4628a82fcdfa913c21)
2008-05-18winbindd: freeze winbindd_proto.hMichael Adam1-0/+583
Michael (This used to be commit 467b8f0f4d58fc00d07264c651016087bd00b233)
2008-05-14Fix bug #5464. Pointed out by Herb @ Connectathon. In fork_domain_child() we ↵Jeremy Allison1-3/+3
call : CatchChild(); *before* we fork the domain child. This call establishes a signal handler that eats SIGCLD signals and doesn't call sys_select_signal() as the main daemon SIGCLD handler should do. This causes the parent to ignore dead children and time out, instead of calling winbind_child_died() on receipt of the signal. The correct fix is to move the CatchChild call into the child code after the fork. Jeremy. (This used to be commit 8d701a142be2b75dc30ad215bc178af902eb4af9)
2008-05-13Enable winbind child processes to do something with signals,Jim McDonough2-12/+27
in particular closing and reopening logs on SIGHUP. Conflicts: source/winbindd/winbindd.c (This used to be commit 0f7b11accec7df1c0e9a9dc0828a5e0c5ddec4cb)
2008-05-13libwbclient: Abstract the DS_XXX flags for DsGetDcName().coffeedude2-1/+46
The wbcLookupDomainController() call supports a set of flags defined in wbclient.h. Add a mapping function between these flags and the original DS_XXX flags in order to prevent having to include the generated RPC headers in wbclient.h. (This used to be commit 31614cd5e08dd6389c66e6ddf9f2d5429c6ab033)
2008-05-09dsgetdcname: use existing messaging_context if possible.Günther Deschner1-1/+2
Guenther (This used to be commit 7889516a384c155a9045aad4409c041fddd0d98d)
2008-05-09Use strip_hostname after dsgetdcname/getdcname calls.Günther Deschner2-12/+3
Guenther (This used to be commit 82cbb3269b2e764c9c2a2fbcbe9c29feae07fb62)
2008-05-09dsgetdcname: mailslot replies are identical to the cldap ones, use cldap ↵Günther Deschner1-0/+1
everywhere. Guenther (This used to be commit fe904ee77a7fec1674e9db660978c40c17897f77)
2008-05-06mailslot/cldap: use nt_version bits in queries.Günther Deschner1-1/+3
Guenther (This used to be commit b261f063125f8454d8f4e8f6b6f8aa5bc393ea34)
2008-04-30Winbind: Prevent cycle in children list when reaping dead child processes.Gerald W. Carter1-0/+4
Thanks to Glenn Curtis and Kyle Stemen @ Likewise. Their explanation is: In winbindd_dual.c, there is a list of children processes that is maintained using macros DTLIST_ADD and DTLIST_REMOVE. In the case when a scheduled_async_request fails, the particular child was located in the list, and its attributes were cleared out and it was reused for a subsequent async request. The bug was that the new request would queue the same node into the doubly-linked list and would result in list->next pointing to the same node as list itself. This would set up an infinite loop in the processing of the for loop when the list of children was referenced. Solution was to fully remove the child node from the list, such that it could be inserted without risk of being inserted twice. Note that the child is re-added to the list in fork_domain_child() again. (This used to be commit b379b5b5d8a6daccc69aaf2be6d9a6e276e7dd78)
2008-04-24mailslot: allow to give back struct nbt_ntlogon_packet.Günther Deschner1-1/+2
Guenther (This used to be commit 2b178dcae608ecc05f62593a7a0c2a127b8b7ca2)
2008-04-24mailslot: allow to define nt_version in send_getdc_request().Günther Deschner1-1/+1
Guenther (This used to be commit ce3728191b23badfd5eb92701e4cebf84273b61e)
2008-04-23Fix CLEAR_IF_FIRST handling of messages.tdbVolker Lendecke3-3/+3
We now open messages.tdb even before we do the become_daemon. become_daemon() involves a fork and an immediate exit of the parent, thus the parent_is_longlived argument must be set to false in this case. The parent is not really long lived :-) (This used to be commit 4f4781c6d17fe2db34dd5945fec52a7685448aec)
2008-04-23Mark a domain offline in the wbcDomainInfo structure using the domain_flags.Gerald W. Carter1-4/+14
Use the existing domain_flags fiueld in wbcDomainInfo to set a bit if the domain is marked as offline by Winbind. (This used to be commit 59cfba2c3d6d4594f08cbe3b7295ab36a7cfb044)
2008-04-23winbindd_cache: simplify logic in new key length check for UA keys.Michael Adam1-14/+9
This reduces indentation by combining common code paths, and wraps long lines. Holger: sorry, I could not resist. I think it is much easier to understand what is going on when we only have one check and determine the max allowed key length in advance. Michael (This used to be commit e489f3d988feafe35b486b31a9e60c2399e6a6e7)
2008-04-23winbindd_cache: recognize and allow longer UA keysHolger Hetterich1-3/+13
UA keys consist of a potientally large number of concatenated SID strings which can grow much larger than 1024 bytes in complex environments. We catch those keys and allow them exclusivly to be larger. (This used to be commit fcd35232e111f9b046ae35d939d08c29d0d43438)
2008-04-22Fix wbinfo --group-info if the winbind separator set to non \Volker Lendecke1-2/+4
In getgrsid_lookupsid_recv() we use parse_domain_user which itself looks at lp_winbind_separator(). Thus when building up that group name we should better use it as well. (This used to be commit 5df75578ef1da41164936cd11b14114889201d47)
2008-04-21cldap: avoid duplicate definitions so remove ads_cldap.h.Günther Deschner1-1/+1
Guenther (This used to be commit 538eefe22ad69540b9f73ffaa613d6be045de199)
2008-04-21winbind: pass down existing talloc context.Günther Deschner1-5/+6
Guenther (This used to be commit 675bf42cfff89b05f21d77ca74eba20c4a24d44c)
2008-04-21Add in a nice big comment explaining why SamLogonEx matters.Andrew Bartlett1-0/+21
Andrew Bartlett (This used to be commit 87232351b5e66728f8d602259961909e8c1dfcb6)
2008-04-21winbind: Use libnbt for NTLOGON SAMLOGON mailslot request and reply.Günther Deschner1-1/+3
Guenther (This used to be commit 2d6a1c5da64195784b0b102edb268356a24d84b5)
2008-04-20Replace cli_rpc_pipe_close by a talloc destructor on rpc_pipe_structVolker Lendecke1-29/+23
(This used to be commit 99fc3283c4ecc791f5a242bd1983b4352ce3e6cf)
2008-04-20Introduce rpccli_set_timeout()Volker Lendecke3-6/+6
Reduce dependency on "cli" member of rpc_pipe_client struct (This used to be commit 2e4c1ba38963cffe4c3f25ab24bc28975f2fc291)
2008-04-20Add "desthost" to rpc_pipe_clientVolker Lendecke2-5/+5
This reduces the dependency on cli_state (This used to be commit 783afab9c891dd7bcb78895b2a639b6f3a0edf5b)
2008-04-18winbindd: create the messaging conntext earlierStefan Metzmacher1-7/+17
metze (This used to be commit 2e1b9130635235efdbf49d0b92a43b342114246c)
2008-04-18winbindd: call reinit_after_fork() in the child processesStefan Metzmacher2-6/+4
metze (This used to be commit 8e9fdef792e612e414444e7714a2fd4513892248)
2008-04-17Move GETDC mailslot out of winbindd.Günther Deschner1-162/+2
Guenther (This used to be commit b003ba65e34bb92bf71a7943957715cd7acbcce0)
2008-04-12dbwrap: wait for tdb2 change notifies in smbd, nmbd and winbinddStefan Metzmacher1-0/+7
metze (This used to be commit 64450cc1e441355aa8925b7183e90872eeab20b1)
2008-04-10winbindd: only call winbindd_validate_cache when not in offline logon mode.Michael Adam2-20/+17
originally, the cache was cleared before calling validate, but this way, we skipt the validation of the database when not in offline logon mode. This is put into a new wrapper function winbindd_cache_validate_and_initialize() which is now called in winbindd.c instead calling validate and initialize functions separately. Michael (This used to be commit 641b5e3fecfce9581536de8daf6d7e6ecbefaf34)
2008-04-10Also accept 0x15 getdc repliesVolker Lendecke1-19/+22
My NT4SP6 which my DC here trusts sends 0x15 instead of 0x13, from looking at the sniff at least the DC name is at the same place. (This used to be commit 79bc6796b81395d591fc6ef389f153dd981fe68b)
2008-04-09Try anonymous session setupVolker Lendecke1-1/+3
... if there's no trust password Attempt to fix bug 5350 (This used to be commit 99f6b63f3c637457fdda7ed930c6666171b25b61)
2008-04-07winbindd: fix break out early condition in fill_grent_mem().Michael Adam1-1/+1
if (!&new_glist) would always be skipped, if (new_glist == NULL) is what must have been meant... Michael (This used to be commit c1b60cdecff2a53f0a75a432a1ad7730eb734908)
2008-04-07Only cache password policy results that worked, otherwise weBo Yang1-1/+3
cannot login until the cache expires even if a connection to a DC has been restored. (This used to be commit 8671f9767d7d93a86712741303d6046937c3aae8)
2008-04-04Use sid_array_from_info3 in lookup_usergroups_cached().Günther Deschner2-41/+11
Guenther (This used to be commit 65b4cb20ea3fb806cfd50281e08f32bea70fafce)
2008-04-03Fix trusted users on a DC that uses the old idmap syntax. There was no ↵Simo Sorce1-0/+70
default backend therefore on IDs were mapped by default. (This used to be commit f6069126e5e6d239b1ae00e897a420227f923e3f)
2008-04-02Fix NETLOGON credential chain with Windows 2008 all over the place.Günther Deschner1-5/+1
In order to avoid receiving NT_STATUS_DOWNGRADE_DETECTED from a w2k8 netr_ServerAuthenticate2 reply, we need to start with the AD netlogon negotiate flags everywhere (not only when running in security=ads). Only for NT4 we need to do a downgrade to the returned negotiate flags. Tested with w2k8, w2ksp4, w2k3r2 and nt4sp6. Guenther (This used to be commit 0970369ca0cb9ae465cff40e5c75739824daf1d0)
2008-03-31Fix enumeration of forest trusts from our root domain.Gerald W. Carter1-1/+1
Do not overwrite the domain->domain_flags when setting infomation in set_dc_type_and_flags_connect(). (This used to be commit 3414eac439b731ad7204b821ddc4fec54fe4435d)
2008-03-31Augmented "wbinfo -m" to list additional information about the type, ↵Steven Danneman1-13/+91
direction, and transitivty of trusts. * added several helper functions to convert the trust_flags field in the winbindd_tdc_domain to more useful administrator ideas of trust type, trust direction, and trust transitivity. * converted winbindd_list_trusted_domains() to enumerate the trusted domain cache, instead of the domain list, and return additional trust information to the calling process * modified wbinfo to pretty print this additional trust information when a new --verbose switch is given with -m. Thus "wbinfo -m" and "wbinfo -all-domains" output as before, but "wbinfo --verbose -m" prints extra trust info. * updated some comments and fixed typos (This used to be commit e7827bb6afa264c12ecdc0858f49707ca3d6104f)
2008-03-31Forest root trust flags won't overwrite child trust flagsSteven Danneman2-33/+54
* changed the behavior of winbind_ads.c:trusted_domains() to not overwrite existing trust information if we're joined to a child domain, and querying the forest root domain. Previously if we were joined to a child domain, we'd request all known trust information from this child domain (our primary domain) and store it in the tdc. We'd then request all trust information from our tree root (to get the forests we transitively trust) and overwrite the existing trust information we already had from the perspective of the tree root. * updated several comments and fixed typos (This used to be commit 6aac972d790ad5ca65096cb2e85e6819b60a5413)
2008-03-29winbindd_cache: add missing validation function for pwinfo cache entryMichael Adam1-0/+24
Michael (This used to be commit 6d3fc63bfab06346fa57719e8747397873a3c46d)
2008-03-29Don't let winbind getgroups crash when we have no gids in the token.Günther Deschner1-3/+5
Guenther (This used to be commit 6a576cfe9b87e69af6acbe9abc04124b8b743fd3)
2008-03-28Make some fns staticVolker Lendecke1-16/+5
(This used to be commit e04fc36f223d8d905a930c077a6cf6c48ee57af7)
2008-03-27Fix typo.Günther Deschner1-5/+5
Guenther (This used to be commit fed644372916a5e565e4f5352aab61b39a3a42a0)
2008-03-27Don't fill password policy structure for any domain other than our own.Gerald W. Carter1-3/+15
The samr connects will fail. This is not independent of the CONTACT_TRUSTDOM flag neede by krb5 logins. (This used to be commit 4de4949e3bfcfb2169c329f19cb76936d9043d50)