IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
session setup. After talking to jht and abartlet I made this unconditional, no
additional parameter.
Jerry: This is a change in behaviour, but I think it is necessary.
Volker
(This used to be commit 3ce6c9f27368cfb278007fe660a0e44a84d67f8f)
winbind functions to be accessed via NSS. This provides a much cleaner
way for applications that need (for example) to provide name->sid
mappings to do this via NSS rather than having to know the winbindd
pipe protocol (as this might change).
This patch also adds a varient of the winbindd_getgroups() call called
winbindd_getusersids() that provides direct SID->SIDs listing of a
users supplementary groups. This is enough to allow non-Samba
applications to do ACL checking.
A test program for the new functionality will be committed shortly.
I also added the 'wbinfo --user-sids' option to expose the new
function in wbinfo.
(This used to be commit 702b35da0ac7c73aa5a6603f871d865565bbe278)
and workstation to utf8 before sending the winbindd request. Also, don't
continue when the call to pull_utf8() fails but rather return a winbind
error. (This is what was causing the crash)
(This used to be commit ca1c463360b75538a93b56a87cbb4a6ee7b6cec6)
Add support for geting the sequence number, list of users, and list
of groups for a specific domain (assuming on reported back by
wbinfo -m)
wbinfo -u --domain=DOA
(This used to be commit 34fc6e1bf97d514d3b1763a808d08d730191e03b)
* move rid allocation into IDMAP. See comments in _api_samr_create_user()
* add winbind delete user/group functions
I'm checking this in to sync up with everyone. But I'm going to split
the add a separate winbindd_allocate_rid() function for systems
that have an 'add user script' but need idmap to give them a RID.
Life would be so much simplier without 'enable rid algorithm'.
The current RID allocation is horrible due to this one fact.
Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow.
Nothing has changed in the way a samba domain is represented, stored,
or search in the directory so things should be ok with previous installations.
going to bed now.
(This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
--set-auth-user. There was enough confusion, as in bug #158,
when a user accidentally typed -A instead of -a, and would get themselves
stuck with a non-working winbind.
I've made the changes to docs/docbook/manpages/wbinfo.xml, but I'm not
sure what to do beyond that. Is checking that in enough?
(This used to be commit 70fe85e4698ce2c26372b050417986bf4a96680b)
- fix winbindd_pam bugs
- give a better error message for unauthorized access to auth_crap
- show this message in wbinfo
- fix spelling: privilaged -> privileged
** This changes the location of the winbindd privileged pipe **
(thanks to tpot)
Andrew Bartlett
(This used to be commit 92c2a33483cc9ddd1dd627224192a3023f8caff8)
dashes of const. This is a rather large check-in, some things may break.
It does compile though :-).
Jeremy.
(This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89)
empty username/password is passed on the command line. Previously we were
leaving the domain name set and the password set to a NULL character.
Added a --get-auth-user command to display the restrict anonymous username
information. Can only be run successfully by root.
(This used to be commit dcaf21efc5b48ddb0cbe70ce17e45c035ef525ad)
Some random reformatting and cleanup.
Display output of wbinfo -s using actual winbind separator.
(This used to be commit 099f8c5dfdb150b025e29d5c8ca060f1ee1c0145)
This patch fixes the segfaults I introduced in the previous conneciton caching
patch. It cleans up the connection cache a *lot* - in particular it adds
significant robustness to the operation.
If a the DC goes down, we no longer fail the next operation - the code checks
if the connection died during one of its own operations on the socket, and
restarts the conneciton as required.
There is still a memory leak in here somewhere - but this code also cleans up a
number of these.
Also added is the abilty to sepecify the domain of the 'get around restrict anonymous'
user that winbind uses.
Andrew Bartlett
(This used to be commit 92cbefdf2783bf9dbbb2179c1b2f7cdb802d84a9)
Add a connection cache to the netlogon pipe. This makes a *massive* difference
to the time-per-auth. Also fix up *some* of the memory leaks in other
connection caches.
Add some debugging messages for the is_connected() code. I'm thinking we
should get a client implementation of SMBecho and call it here - as it would
allow us to always know the DC is around before we start.
Down the debug level for some of the pam_winbind code - I'll probably down it
further when I'm finished debugging.
Andrew Bartlett
(This used to be commit 49d3e476662220775ef8da7db01ea17e77e11b0b)
This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error
conversions, and uses them to make the error handling in pam_winbind sane.
In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...'
stuff, and logs the NTSTATUS error that winbind now sends over the pipe.
Added code to wbinfo to display these - makes a big difference in debugging
winbindd.
The main change here is the code to allow pam_winbind password changing to
correctly stack - This code ripped from pam_unix, and the copyright attached.
(Same as for all pam modules, including pam_winbind)
Andrew Bartlett
(This used to be commit dc1a72f896b83bc1ad3c7bf6c12c36ace3967280)
the sid->uid and uid->sid conversions.
Remove some duplicate arguments from these funcitons, and update the
request/response structures for this and the 'winbind domain name' feature.
As such 'winbindd_lookup_name' now takes both a domain and username.
(This used to be commit ce1b4d4c309e4a60bec5a53224585bd504264672)
smbd, and also makes it much cleaner inside winbindd.
It is mostly my code, with a few changes and testing performed by Alexander
Bokovoy <a.bokovoy@sam-solutions.net>. ab has tested it in security=domain and
security=ads, but more testing is always appricatiated.
The idea is that we no longer cart around a 'domain\user' string, we keep them
seperate until the last moment - when we push that string into a pwent on onto
the socket.
This removes the need to be constantly parsing that string - the domain prefix
is almost always already provided, (only a couple of functions actually changed
arguments in all this).
Some consequential changes to the RPC client code, to stop it concatonating the
two strings (it now passes them both back as params).
I havn't changed the cache code, however the usernames will no longer have a
double domain prefix in the key string. The actual structures are unchanged
- but the meaning of 'username' in the 'rid' will have changed. (The cache is
invalidated at startup, so on-disk formats are not an issue here).
Andrew Bartlett
(This used to be commit e870f0e727952aeb8599cf93ad2650ae56eca033)
<a.bokovoy@sam-solutions.net>.
The idea is the domain\username is rather harsh for unix systems - people don't
expect to have to FTP, SSH and (in particular) e-mail with a username like
that.
This 'corrects' that - but is not without its own problems.
As you can see from the changes to files like username.c and wb_client.c (smbd's
winbind client code) a lot of assumptions are made in a lot of places about
lp_winbind_seperator determining a users's status as a domain or local user.
The main change I will shortly be making is to investigate and kill off
winbind_initgroups() - as far as I know it was a workaround for an old bug in
winbind itself (and a bug in RH 5.2) and should no longer be relevent.
I am also going to move to using the 'winbind uid' and 'winbind gid' paramaters
to determine a user/groups's 'local' status, rather than the presence of the
seperator.
As such, this functionality is recommended for servers providing unix services,
but is currently less than optimal for windows clients.
(TODO: remove all references to lp_winbind_seperator() and
lp_winbind_use_default_domain() from smbd)
Andrew Bartlett
(This used to be commit 07a21fcd2311d2d9b430b99303e3532a8c1159e4)
smb.conf to get it right.
While wb_client needs its lp_load() for samba dependency reasons, it now uses
the new method both to example and test the new code.
Also add an interface version function, and return the winbind's samba version
string.
In preperation for default domains, its now up to winbindd to reject plaintext
auths that don't have a seperator, but NTLM (CRAP) auths now have two feilds,
hence need parsing.
Andrew Bartlett
(This used to be commit 2bd2a092ee3d49a74d896385688d7c7256aa297e)
It adds a 'ping' request, just to check winbind is in fact alive
It also changes winbindd_pam_auth_crap to take usernames and domain seperatly.
(backward incompatible change, needs merge to 2.2, but this is not yet released
code, so no workarounds)
Finally, it adds some debugs and fixes a few memory leaks (uses talloc to do
it).
Andrew Bartlett
(This used to be commit 6df29bfe335144a968f5367f624ef2b4cf9e69b0)
- gss error code patch from a.bokovoy@sam-solutions.net
- better sid dumping in ads_dump
- fixed help in wbinfo
(This used to be commit ee1c3e1f044b4ef62169ad74c5cac40eef81bfda)
Added a --set-auth-user function to set a username and password that can be
used by winbindd when making connections to domain controllers. This is
necessary when restrictions have been placed on anonymous connections
either through the RestrictAnonymous registry setting, or the win2k Local
Security Policy -> Security Settings -> Local Policies -> Security Options
-> Additional restrictions for anonymous connections. (phew)
Two new keys are set in secrets.tdb: SECRETS/AUTH_USER and
SECRETS/AUTH_PASSWORD which hold the username and plaintext password of the
user to connect as.
To reset these values, run wbinfo --set-auth-user ""
(This used to be commit 507003522b70443f79b8b69a836dcd38d309cfca)
