IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Expand the "winbind nss info" to also take "rfc2307" to support the
plain posix attributes LDAP schema from win2k3-r2.
This work is based on patches from Howard Wilkinson and Bob Gautier
(and closes bug #3345).
Guenther
(This used to be commit 52423e01dc)
The motivating factor is to not require more privileges for
the user account than Windows does when joining a domain.
The points of interest are
* net_ads_join() uses same rpc mechanisms as net_rpc_join()
* Enable CLDAP queries for filling in the majority of the
ADS_STRUCT->config information
* Remove ldap_initialized() from sam/idmap_ad.c and
libads/ldap.c
* Remove some unnecessary fields from ADS_STRUCT
* Manually set the dNSHostName and servicePrincipalName attribute
using the machine account after the join
Thanks to Guenther and Simo for the review.
Still to do:
* Fix the userAccountControl for DES only systems
* Set the userPrincipalName in order to support things like
'kinit -k' (although we might be able to just use the sAMAccountName
instead)
* Re-add support for pre-creating the machine account in
a specific OU
(This used to be commit 4c4ea7b20f)
realloc can return NULL in one of two cases - (1) the realloc failed,
(2) realloc succeeded but the new size requested was zero, in which
case this is identical to a free() call.
The error paths dealing with these two cases should be different,
but mostly weren't. Secondly the standard idiom for dealing with
realloc when you know the new size is non-zero is the following :
tmp = realloc(p, size);
if (!tmp) {
SAFE_FREE(p);
return error;
} else {
p = tmp;
}
However, there were *many* *many* places in Samba where we were
using the old (broken) idiom of :
p = realloc(p, size)
if (!p) {
return error;
}
which will leak the memory pointed to by p on realloc fail.
This commit (hopefully) fixes all these cases by moving to
a standard idiom of :
p = SMB_REALLOC(p, size)
if (!p) {
return error;
}
Where if the realloc returns null due to the realloc failing
or size == 0 we *guarentee* that the storage pointed to by p
has been freed. This allows me to remove a lot of code that
was dealing with the standard (more verbose) method that required
a tmp pointer. This is almost always what you want. When a
realloc fails you never usually want the old memory, you
want to free it and get into your error processing asap.
For the 11 remaining cases where we really do need to keep the
old pointer I have invented the new macro SMB_REALLOC_KEEP_OLD_ON_ERROR,
which can be used as follows :
tmp = SMB_REALLOC_KEEP_OLD_ON_ERROR(p, size);
if (!tmp) {
SAFE_FREE(p);
return error;
} else {
p = tmp;
}
SMB_REALLOC_KEEP_OLD_ON_ERROR guarentees never to free the
pointer p, even on size == 0 or realloc fail. All this is
done by a hidden extra argument to Realloc(), BOOL free_old_on_error
which is set appropriately by the SMB_REALLOC and SMB_REALLOC_KEEP_OLD_ON_ERROR
macros (and their array counterparts).
It remains to be seen what this will do to our Coverity bug count :-).
Jeremy.
(This used to be commit 1d710d06a2)
Else SAFE_FREE seg faults. Thanks to Günther for pointing me at this.
I've implemented in in this was as we should announce to remove the
idmap_ strip stuff after some time at all.
(This used to be commit 6a5bf399a5)
If we detect a leading 'idmap_' for the idmap backend setting we strip
this and inform about the deprecated config with DEBUG 0.
I'm not sure if we should set a TTL of one year or five additional
releases from now for this code.
This is required for the changes Günther made as the first step to solve
bug #3264. With this fix we can even run with an old config. This is
very important as we else will break existing configurations with an
update.
(This used to be commit 34c7d8c069)
Finally cleanup the way idmap modules are build and loaded, idmap_rid
now will have to be loaded without prefix, just "rid".
Guenther
(This used to be commit a77e02177d)
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d7)
upcoming changes for "unixinfo"-pipe.
Therefor (after speaking with Volker) replace "winbind sfu support" with
the list-parameter "winbind nss info" which defaults to "template". For
SFU-support set it to "winbind nss info = template sfu".
Note that nss_info_use() is just a dummy function at the moment.
Guenther
(This used to be commit 91596330ea)
homedirectory and the loginshell from Active Directory's "Services for Unix".
Enable it with:
winbind sfu support = yes
User-Accounts without SFU-Unix-Attributes will be assigned template-based
Shells and Homedirs as before.
Note that it doesn't matter which version of Services for Unix you use (2.0,
2.2, 3.0 or 3.5). Samba should detect the correct attributes (msSFULoginShell,
msSFU30LoginShell, etc.) automatically.
If you also want to share the same uid/gid-space as SFU then also use PADL's
ad-idmap-Plugin:
idmap backend = ad
When using the idmap-plugin only those accounts will appear in Name Service
Switch that have those UNIX-attributes which avoids potential uid/gid-space
clashes between SFU-ids and automatically assigned idmap-ids.
Guenther
(This used to be commit 28b5969942)
* add synonym for idmap_rid in better lining with
other idmap backend names
* remove old debug messages when idmap {uid|gid} options
are not defined
(This used to be commit 03ebf3ebfe)
compiled with -DIDMAP_RID_SUPPORT_TRUSTED_DOMAINS) as requested by Lars
Mueller <lmuelle-at-suse.de>.
Allow to map ID's for a local SAM and add some more
debugging-information.
Guenther
(This used to be commit 4d8e7c9ff0)
(only ever shows up when the somewhat hidden
IDMAP_RID_SUPPORT_TRUSTED_DOMAINS - define is set).
Thanks to Stephan Martin <sm@suse.de> for reporting this bug.
Guenther
(This used to be commit e7b81d679b)
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f)
- fix several memleaks found by valgrind
- turn off support for trusted domains (can be reenabled with
#define IDMAP_RID_SUPPORT_TRUSTED_DOMAINS 1)
- improve readability
Guenther
(This used to be commit 351a1227e8)
Written by Sumit Bose <sbose@suse.de> and myself a while ago.
idmap_rid does a direct, static mapping between RIDs and UIDs/GIDs using
the idmap-range as offset. It does thus allow to have a unified mapping
over several winbindd-systems without having the need of a central
LDAP-Server (and all related dependencies and problems this solution can
bring).
Compile:
./configure --with-shared-modules=idmap_rid
Usage:
idmap backend = idmap_rid
idmp_rid does even allow you to have multiple mappings (for trusted
domains). This is a rather problemtic feature and will be turned off by
default rather soon. The problem is that ranges can quickly overlap when
not measured with caution.
idmap backend = idmap_rid:"MYDOMAIN=1000-9999 OTHER=10000-19999"
Will valgrind idmap_rid later today and fix a couple of things.
Guenther
(This used to be commit 49a238bd37)
Optimization for 'idmap backend = ldap': When asking sid2id for the wrong
type, don't ask ldap when we have the opposite mapping in the local tdb.
Volker
(This used to be commit c91cff3bd3)
parameter a list instead of a string. This makes
idmap backend = ldap:"ldap://localhost/ ldap://fallback/"
possible.
Volker
(This used to be commit ea71834793)
Check in the 'winbind proxy only' mode -- no new parameter required :-)
If you don't set idmap uid or idmap gid, winbind will not do idmap stuff, it
will only proxy the netlogon request and thus speed up the authentication of
domain users.
Volker
(This used to be commit 29235f0c69)
I know this isn't pretty, but neither was our assumption that all strings
from the directory fit inside a pstring. There was no way this worked
before will all versions of usrmgr (for example, the only version of
mine that has the TS Confic button).
(This used to be commit d275c0e384)
