Age | Commit message (Collapse) | Author | Files | Lines |
|
Guenther
|
|
|
|
|
|
The generic NDR-based cache in winbindd_dual_ndr.c replaces this.
|
|
|
|
|
|
|
|
|
|
This is a small performance optimization. Instead of opening the tdb
on every smb connection in the forked child process, we now open it in
the parent and share the fd.
This also reduces the total fd usage in the system.
|
|
|
|
There's a known bug in some Windows implementations of
DsEnumerateDomainTrusts() where domain SIDs are not returned for
transitively trusted domains within the same forest.
Jerry originally worked around this in the winbindd parent by checking
for S-0-0 and converting it to S-1-0 in 8b0fce0b. Guenter later moved
these checks into the child process in commit 3bdfcbac making the
initial patch unecessary.
I've removed it and added a clarifying comment to the child process.
If ever this SID is needed we could add an extra DsEnumerateDomainTrusts()
call in trusted_domains() as suggested by the Microsoft KB.
|
|
Guenther
|
|
|
|
Explictly pass the facility from both smbd and full_audit to syslog.
Really the only major change is to not call openlog() in full_audit if
WITH_SYSLOG is defined, which implies that smbd is already using
syslog. This allows full audit to piggy-back on the same ident as
smbd, while still differentiating the logging via the facility.
|
|
file was requested
full_audit will now print out whether the createfile was requested for
a file or directory. The create disposition is also printed out.
|
|
|
|
Guenther
|
|
This is necessary because MIT 1.5 can't deal with certain types (Tree Root) of
transitive AD trusts. The workaround is to add a [capaths] directive to
/etc/krb5.conf, which we don't automatically put into the krb5.conf winbind
creates.
The alternative would have been something like a "krb5 conf include", but I
think if someone has to mess with /etc/krb5.conf at this level, it should be
easy to add the site-local KDCs as well.
Next alternative is to correctly figure out the [capaths] parameter for all
trusted domains, but for that I don't have the time right now. Sorry :-)
|
|
opcodes.
Guenther
|
|
Tim, I am reverting this as this eliminates "_netr_LogonSamLogonEx" from the
debug messages completely. Followup fix to come immediately.
This reverts commit add9b4afb14d3426d1f3bf5b8e7c86926f462578.
|
|
Guenther
|
|
(in preparation of credential merge).
Guenther
|
|
_netr_ServerAuthenticate3.
Guenther
|
|
Fix set_namearray to allow for strings that don't end in a slash. Also
remove unnecessary strdup()s.
Signed-off-by: Tim Prouty <tprouty@samba.org>
|
|
|
|
|
|
Should help track if we get invoked with an invalid fd from
the signal handler.
Jeremy.
|
|
Office 2003.
Confirmation from reporter that this fixes the issue in master on ext3/ext4.
Back-ports to follow.
Jeremy.
|
|
Jeremy.
|
|
sucessfully.
Guenther
|
|
ext4 may be able to store ns timestamps, but the only API to *set* timestamps
takes usec, not nsec. Round to usec on set requests.
Jeremy.
|
|
pid_t correctly
|
|
|
|
metze
|
|
metze
|
|
Thanks to Steven Danneman for watching me closely :-)
|
|
It happens to be what we also share out via NETLOGON/SAMR, but winbind has
direct access to it via the passdb domain methods
|
|
|
|
|
|
|
|
We need to return state->userinfo beyond the end of wb_queryuser_recv, so the
unmarshalled strings are children of that, not the state that is lost sooner.
Metze, this scheme works fine as long as we only have a single malloc'ed
entity that is returned. I think we need a different scheme in the future
when we might have more than one independent object to be returned.
|
|
Jeremy.
|
|
share.
Jeremy.
|
|
On filesystems that can't store less than one second timestamps,
round the incoming timestamp set requests so the client can't discover
that a time set request has been truncated by the filesystem.
Needs backporting to 3.4, 3.3, 3.2 and (even) 3.0.
Jeremy
|
|
of getpwuid(0) if DEVELOPER is defined. I'm hoping the
build farm defines DEVELOPER...
Jeremy.
|
|
Jeremy.
|
|
Authentication of domain users on the member server fails when winbindd
is not running. This is because the is_trusted_domain() check behaves
differently when winbindd is running and when it isn't:
Since wb_is_trusted_domain() calls wbcDomainInfo(), and this will also
give a result for our own domain, this succeeds for the member
server's own domain when winbindd is running. When winbindd is not
running, is_trusted_domain() checks (and possibly updates) the trustdom
cache, and this does the lsa_EnumTrustDom() rpc call to the DC which
does not return its own domain.
In case of winbindd not running, before 3.4, the domain part was _silently_
mapped to the workgroup in auth_util.c:make_user_info_map(),
which effectively did nothing in the member case.
But then the parameter "map untrusted to domain" was introduced
and the mapping was made to the workstation name instead of
the workgroup name by default unless "map untrusted to domain = yes".
(Commits
d8c54fddda2dba3cbc5fc13e93431b152813892e,
5cd4b7b7c03df6e896186d985b6858a06aa40b3f, and
fbca26923915a70031f561b198cfe2cc0d9c3aa6)
This was ok as long as winbindd was running, but with winbindd not running,
these changes actually uncovered the above logic bug in the check.
So the correct check is to treat the workgroup as trusted / or known
in the member case. This is most easily achieved by not comparing the
domain name against get_global_sam_name() which is the host name unless
for a DC but against my_sam_name() which is the workgroup for a DC and for
a member, too. (These names are not very intuitive...)
I admit that this is a very long commit message for a one-liner, but this has
needed some tracking down, and I think the change deserves some justification.
Michael
|
|
|
|
Add good error message for share modification denial.
Jeremy.
|
|
Guenther
|