Age | Commit message (Collapse) | Author | Files | Lines |
|
(This used to be commit fc6458d0d4d9059e00b19ad6c54e3fd5a4119341)
|
|
hack for the
winbind "bug" :-)
Volker
(This used to be commit fb9a3c7ef376f289288c71bc47d67f548ddb7194)
|
|
This also removes dcerpc_bind_auth_password, the only user of
dcerpc_bind_auth. And this was not only passwords anyway.
Andrew Bartlett, as usual: Please take a close look.
Thanks,
Volker
(This used to be commit 2ff2dae3d035af6cb0c131573cfd983fc9a58eee)
|
|
(This used to be commit 681451af727d12294ecee1b8fddc595b0148003f)
|
|
that some values aren't handled. The remaining warnings I think are
actual bugs or required functionality that is missing (mostly lack of
server side Unix extensions).
(This used to be commit 03c7da27a06736f2a27d76e6a00a24ab54453af9)
|
|
possibly
support cldap and other stuff in the future.
This temporarily disables wbinfo -t, but that will come back soon.
Try an ldap bind using gss-spnego. This got me krb5 binds against "our" w2k3
and a trusted w2k, although with some memleaks from krb5 and a BAD_OPTION
tgs-rep error.
Volker
(This used to be commit d14948fdf687c8f70ef9ec35445b7eb04da84253)
|
|
wb_domain_request, now that we have queued rpc requests.
Volker
(This used to be commit 848522d1b64c1c283ac1ea7ce7f1a7a1b014a2aa)
|
|
(This used to be commit a043ef33dca19d5ac1cdead60a4faa8b3a950bf4)
|
|
(This used to be commit d5aef4e2f955025266e59227364b5cccccdb9f32)
|
|
regardless the authentication result on a particular user.
Andrew Bartlett
(This used to be commit 2ee7ed000ef099b2e38d540be75cbc8de386839a)
|
|
minimal comments much better (much like volker scans code of less than
80 cols better ;-)
Andrew Bartlett
(This used to be commit 8800e9b5b06701ed1cdf9da0a37291a84eb36f7f)
|
|
logins (changing the winbindd interface).
Clean up the wbsrv_samba3_async_epilogue() handling, as it was mixing
auth and other replies, such that all replies were having the auth
error strings set. We now do a better job of filling in the right
errors in the right places.
Andrew Bartlett
(This used to be commit 8ed975df52bcac9646672f6a39c51481b5c59226)
|
|
I still have some gremlins that get in the my way in testing this.
Andrew Bartlett
(This used to be commit 3353e906adb3b3116551026e3ae18fd4d7ae1764)
|
|
metze
(This used to be commit 2f1930fb62011303abf930da6b57e73b1b9601de)
|
|
properly, make
socket_connect and ldap_connect properly async.
Volker
(This used to be commit bcc71fc1deeed443d7cf00220ce264011ddf588d)
|
|
was the one
I sent to you. Sorry for bothering you.
Volker
(This used to be commit 3a9f2291ae6e96a715f463899957c6c598fc7627)
|
|
(This used to be commit 4fe3c9871bff512a464c688a5f6fdb37387833ed)
|
|
(This used to be commit 24e10300906c380919d2d631bfb3b8fd6b3f54ba)
|
|
http://lists.samba.org/archive/samba-technical/2005-October/043443.html)
(This used to be commit 7fffc5c9178158249be632ac0ca179c13bd1f98f)
|
|
(This used to be commit 12a800bc8541c4160a534d1edcaeb6774776e18d)
|
|
(This used to be commit 134e104c3ff39e5f3ebdaf9168df78a156490ed7)
|
|
because
--user-sids required the extension to trusted domains.
Implement "winbind sealed pipes" parameter for debugging purposes.
Volker
(This used to be commit 3821a17bdb68b2f1389b5a150502c057d28569d2)
|
|
Tridge, if you have the time, you might want to look at a problem I'm having
with unix domain stream sockets. From a comment in this commit:
/* Using composite_trigger_error here causes problems with the client
* socket. Linux 2.6.8 gives me a ECONNRESET on the next read after
* writing the reply when I don't wait the 100 milliseconds. */
This is in winbind/wb_cmd_userdomgroups.c:93.
The problem I have is that I can not *immediately* send an error reply to the
client because the next receive fails. Waiting 100 milliseconds helps. It
might also be a problem with epoll(), I don't really know.
I'd appreciate if you took a brief look at this, maybe I'm doing something
wrong.
Thanks,
Volker
(This used to be commit 3e535cce743710a68a4264e4f66e9c0c4d6770c6)
|
|
(This used to be commit a14398715eceecf204caf815a8769ba8214d0576)
|
|
initialized, do that
first. And if a request is being processed, queue it. This correctly survived
3 endless loops with wbinfo's doing different things while starting up smbd.
The number of indirections starts to become a bit scary, but what can you do
without a decent programming language that provides closures :-)
One thing that we might consider is to auto-generate async rpc requests that
return composite_context structs instead of rpc_requests. Otherwise I'd have
to write a lot of wrappers like composite_netr_LogonSamLogon_send.
The alternative would be to write two versions of wb_queue_domain_send which I
would like to avoid. This is cluttered enough already.
Volker
(This used to be commit 66c1b674f9870de73cce0e611909caf9eff34baa)
|
|
(This used to be commit 576a724bf1350ba7f38f95118224bdee98e0be5a)
|
|
user...
Volker
(This used to be commit 6e4f774a4948691440362663418243623d1f51f7)
|
|
tested it, but I can not reproduce the problem I had with abartlett's initial
implementation anymore.
Fix a bug found using valgrind.
Volker
(This used to be commit 0c6c71ae3cd0a2f97eab2cc24a752976c32a39fc)
|
|
(This used to be commit eaf347bdeaaddb655fe72ddb98f3a67ace795937)
|
|
work yet,
but the version before did not either, so we're not worse than before.
One thing this does better is to call the domain init code if it's not there
yet.
Volker
(This used to be commit 35bcfb185b9763a3677d7ac9e748f3a3ba7d2593)
|
|
* rename the composite helper functions from comp_* to composite_*
* Move the lsa initialization to wb_connect_lsa.c
* Equip smb_composite_connect with a fallback_to_anonymous
The latter two simplify wb_init_domain.c quite a bit.
Volker
(This used to be commit deb127e04ea01ae93394da5ebffb39d81caeb6d9)
|
|
(This used to be commit 66c90483b49bd8a8de1a46b12cce5270571f4090)
|
|
Volker
(This used to be commit 512ae49270197146e5967acd654dd97452cf4e77)
|
|
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07cd76b4bc01b032148609ee4b59b8be7)
|
|
of the
async helpers.
Volker
(This used to be commit 10585ba4e81e979a03aec747db6fc059978fa566)
|
|
Plaintext should be simple, but I'm going to do some infrustructure
work first.
Andrew Bartlett
(This used to be commit c9273729e4db4adc0061087fe7e0332e2bc24384)
|
|
(This used to be commit ecaa70f63b7f38a1daf8e33ded738107c5f6b53a)
|
|
Abartlet, now I think I need some assistance to implement the pam auth & crap
auth calls.
Volker
(This used to be commit 90a30c8b6585ed48b50e6aed75f3ecfd3543bbdc)
|
|
functions
start to look sane.
Question: What about providing all winbind commands as irpc interfaces that
are called from the samba3 compatibility layer? This way it would be easy for
other samba components to access its functionality. Does that make sense?
Volker
(This used to be commit 2a6b8053859ea5690f90a8d2074d2bb4f06551f8)
|
|
(This used to be commit 1afa893506f3d7157e251eec9baeba28dc011587)
|
|
(This used to be commit 2c3a9f04db5d61305f4eca8b44e33c2dd15a6dc4)
|
|
pipe is safe while inside a rpc callback
(This used to be commit 5d752a519416c7a0c8c7d166f43eadc75cb5c37f)
|
|
queryinfopolicy. Idea is to get a consistency check between that and our
notion of the domain name and sid, and take the lsa pipe as the holder of the
central smbcli_tree that netlogon and samr use as well.
Volker
(This used to be commit 126c80aefc4f53c4ba79afc12d70602ef9055ddb)
|
|
(This used to be commit d18f7edf92e8420f30cae01649d18f0ae20a80aa)
|
|
(This used to be commit a7137fd3ec2e484c8feb73fa228031c8b75107bf)
|
|
(This used to be commit 820b4180dd3c1d07dd529fcb654ea01407a481cb)
|
|
proper fix
for it pending.
Also fix a bug with timed events: Don't call the same event recursively in the
handler's inner semi-async event loop.
Volker
(This used to be commit e38e50127a3414461578421e676a9c58c106c272)
|
|
Tridge, if you have time, you might want to look at the segfault I was still
seeing. Now I store the handle to the netlogon pipe in the global winbind
state and free it on the next entry into check_machacc. The problem seems to
be that talloc_free()ing a pipe struct from within a callback function on that
pipe is not possible. I think I can live with that, but it has been not really
obvious. To reproduce the segfault you might want to look at putting a
talloc_free(state->getcreds->out.netlogon) into
wbsrv_samba3_check_machacc_receive_creds. This is called from a dcerpc
callback function.
In particular if the check failed it would be nice if I could delete the pipe
directly and not post a different event to some winbind queue.
I tried to delete the pipe from a timed event triggered immediately, but this
also fails because the inner loop seems to hit the same event again, calling
it twice.
Volker
(This used to be commit 5436d7764812bb632ba865e633005ed07923b57f)
|
|
once, use the
first one that replies correctly.
Add a talloc context to smb_composite_connect()
Volker
(This used to be commit 6b88de182e40cb00a833c085f801fd47c92bbe94)
|
|
Volker
(This used to be commit c7557884843a5b2bac9e21ec81cafcaadf436bca)
|