1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

164 Commits

Author SHA1 Message Date
Volker Lendecke
1b69659315 r24330: Fix a 64-bit error
(This used to be commit 30fd903465)
2007-10-10 12:29:30 -05:00
Volker Lendecke
99a1f5a75c r24329: Fix a 64-bit bug
enums are not necessarily represented as 32-bit uints. On assignment
(see line 1029) implicit conversion happens, but not when pointers are
taken.
(This used to be commit 67ec6863dd)
2007-10-10 12:29:30 -05:00
Andrew Tridgell
5e54558c6d r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text
(This used to be commit b0132e94fc)
2007-10-10 12:28:22 -05:00
Jeremy Allison
d824b98f80 r23779: Change from v2 or later to v3 or later.
Jeremy.
(This used to be commit 407e6e695b)
2007-10-10 12:28:20 -05:00
Lars Müller
c05cbbe41c r23733: Limit LDAP lookup in lookup_usergroups_member() to security groups.
Credits to Ralf Haferkamp for the discussion and help on this.
(This used to be commit 5be96d09a7)
2007-10-10 12:23:50 -05:00
Gerald Carter
a6706eee9b r23730: Squashed commit of the following:
commit 3941269fa01038fca242a197e8d7c1f234d45ea7
Author: Gerald (Jerry) Carter <jerry@samba.org>
Date:   Thu Jul 5 14:52:03 2007 -0500

    Two fixes for "winbind expand groups".

    (a) Update the counter for the number of new groups to resolve else
        we'll only expand one group member per level and drop the rest.
    (b) Don't reset the num_names counter in winbindd_ads.c:lookup_groupmem()
        or we'll drop the SIDs resolved to names via cache from the resulting
        list.
(This used to be commit dfb89dfcaa)
2007-10-10 12:23:49 -05:00
Gerald Carter
78d6b95e18 r23471: Here's a rough patch for expanding domain group membership
in the winbindd_getgrnam() call.  Couple of comments:

* Adds "winbind expand groups" parameter which defines the
  max depth winbindd will expand group members.  The default
  is the current behavior of one level of expansion.
* The entire getrgnam() interface should be async.  I
  haven't done that.
* Refactors the domain users hack in fill_grent_mem() into
  its own function.
(This used to be commit 3d3a813035)
2007-10-10 12:23:19 -05:00
Günther Deschner
454de808a2 r23355: Fix some more build warnings.
Guenther
(This used to be commit 23e25bba8f)
2007-10-10 12:23:09 -05:00
Michael Adam
0fbe25656c r23291: Undo the somewhat naive change of r23279:
The clear text presentaion of the sid in the ldap expression
does work with w2k3 but not with w2k....

Thanks to Guenther for advising me of this issue.

Michael
(This used to be commit 7e6b0c19f8)
2007-10-10 12:23:03 -05:00
Michael Adam
4d2a1103bf r23290: Fix another small and stupid but severe typo.
Hopfully, I have finally got this right... :-)

Michael
(This used to be commit 2190d838e4)
2007-10-10 12:23:03 -05:00
Michael Adam
d6a42af5e6 r23287: Use talloc_move instead of talloc_steal as this is what I really
wanted to do.

Michael
(This used to be commit f2adae8fc1)
2007-10-10 12:23:03 -05:00
Michael Adam
b5f37e7359 r23284: Oh what a nasty typo! This gave me some headache,
with talloc randomly failing.

Hey, shouldn't TALLOC_ARRAY _not_ return NULL when
requested to allocate an array with zero entries? :-)

Michael
(This used to be commit 7170d2e9f5)
2007-10-10 12:23:02 -05:00
Michael Adam
8c4ef50f13 r23283: Use a temporary talloc context in ads:lookup_groupmem.
And clean up unused stuff at the end.
Daringly, I use talloc_steal at some point, where it
appears natural to me.

Michael
(This used to be commit f2a29643bd)
2007-10-10 12:23:02 -05:00
Michael Adam
eb676446bd r23279: Replace occurrence of sid_binstring inside lookup_groupmem
by sid_string_static.
(This used to be commit ba3026dce0)
2007-10-10 12:23:02 -05:00
Volker Lendecke
a672c1ab2c r23263: Remove an unused variable -- Fix Coverity ID 358
(This used to be commit c5929aa82b)
2007-10-10 12:23:01 -05:00
Michael Adam
159938d734 r23253: Add some debugging output.
(This used to be commit bd90573fbb)
2007-10-10 12:23:00 -05:00
Michael Adam
55e50c8470 r23252: Complete the reworking of the ads lookup_groupmem function
started in r23070, r23072, r23073, r23078, r23081 and r23082:

After retrieving the list of sids with the extended dn
ldap query, instead of passing all sids to the lsa_lookup_sids
call, now while extracting the sids from the extended dn member
entries, we first try to lookup the sid from cache and only pass
the sids that were not in cache to the lsa_lookup_sids call.

Michael
(This used to be commit 5520c7d855)
2007-10-10 12:22:59 -05:00
Michael Adam
725e90f157 r23078: Don't handle return code NT_STATUS_NONE_MAPPED from lookup sids
as an error. (This is purely cosmetic here, issuing a success
message at the end.)
(This used to be commit 4d9e8c91dc)
2007-10-10 12:22:43 -05:00
Michael Adam
b5100b1f25 r23072: In winbindd_ads.c:lookup_groupmem, replace the bottleneck
dn_lookup loop by a rpccli_lsa_lookupsids_all (see r23070)
call. This replaces one ldap search per member sid by one
rpc call per 1000 sids. This greatly speeds up groupmem
lookups for groups with lots of users.

Since the loop in lookup_groupmem was the only use of dn_lookup,
the function is removed.

Michael
(This used to be commit 88dac65ab1)
2007-10-10 12:22:18 -05:00
Günther Deschner
2e1acc4f5a r22737: Fix crash bug (info3 is now talloced).
Guenther
(This used to be commit 08a7ee8d96)
2007-10-10 12:21:52 -05:00
Gerald Carter
80dca03aae r22711: Fix a compile warnign in query_user(). Ensure that user_rid
is initialized.
(This used to be commit ef03042682)
2007-10-10 12:21:49 -05:00
Gerald Carter
391a72f3df r22710: Support one-way trusts.
* Rely on the fact that name2sid will work for any name
  in a trusted domain will work against our primary domain
  (even in the absense of an incoming trust path)

* Only logons will reliably work and the idmap backend
  is responsible for being able to manage id's without contacting
  the trusted domain

* "getent passwd" and "getent group" for trusted users and groups
  will work but we cannot get the group membership of a user in any
  fashion without the user first logging on (via NTLM or krb5)
  and the netsamlogon_cache being updated.
(This used to be commit dee2bce2af)
2007-10-10 12:21:49 -05:00
Gerald Carter
dcfeb64bd2 r22706: missed one reference to domain->native_mode in the previous commit
(This used to be commit aa2ac5a194)
2007-10-10 12:21:48 -05:00
Gerald Carter
7cb2a4be35 r22704: Implement three step method for enumerating domain trusts.
(a) Query our primary domain for trusts
(b) Query all tree roots in our forest
(c) Query all forest roots in trusted forests.

This will give us a complete trust topology including
domains via transitive Krb5 trusts.  We also store the
trust type, flags, and attributes so we can determine
one-way trusted domains (outgoing only trust path).
Patch for one-way trusts coming in a later check-in.

"wbinfo -m" now lists all domains in the domain_list() as held
by the main winbindd process.
(This used to be commit 9cf6068f1e)
2007-10-10 12:21:47 -05:00
Jeremy Allison
56a5d05b8b r22590: Make TALLOC_ARRAY consistent across all uses.
That should be it....
Jeremy.
(This used to be commit 603233a98b)
2007-10-10 12:19:49 -05:00
Günther Deschner
0d1c821700 r22511: Remove unused LDAPMessage.
Guenther
(This used to be commit 31a193b02a)
2007-10-10 12:19:41 -05:00
Günther Deschner
fa2756c944 r22461: Use ranged LDAP queries in lookup_usergroups_member() and start to optinmize
lookup_groupmem(). In the later, at least try to avoid those massive LDAP
dn_lookups by looking in the cache before.

Guenther
(This used to be commit eb1566869c)
2007-10-10 12:19:35 -05:00
Jeremy Allison
ce3c830f15 r22015: Fix for memory leak from Steven Danneman <steven.danneman@isilon.com>
Jeremy.
(This used to be commit 61a1574f50)
2007-10-10 12:19:02 -05:00
Gerald Carter
cfecca614f r21636: Was almost right before. We have to specify the short domain name to get the
Krb5 config stuff to work in the server affinity settings.
(This used to be commit 518052be38)
2007-10-10 12:18:19 -05:00
Gerald Carter
a4db672e26 r21633: First real fix from me found during the bug hunt.
ads_cached_connection() does not call get_dc_name()
before ads_connect() and therefore does not setup
the environment to look at krb5.conf.DOMAIN file
before sending the TGT request.  The failure I'm seeing
occurs ni a multi-DC domain where we get back preuath
failed after we just joined the domain.
(This used to be commit 256f36dce3)
2007-10-10 12:18:18 -05:00
Simo Sorce
e9e6af5951 r21606: Implement escaping function for ldap RDN values
Fix escaping of DN components and filters around the code
Add some notes to commandline help messages about how to pass DNs

revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was
incorrect.
The 2 functions use DNs in different ways.

- lookup_usergroups_member() uses the DN in a search filter,
and must use the filter escaping function to escape it
Escaping filters that include escaped DNs ("\," becomes "\5c,") is the
correct way to do it (tested against W2k3).

- lookup_usergroups_memberof() instead uses the DN ultimately as a base dn.
Both functions do NOT need any DN escaping function as DNs can't be reliably
escaped when in a string form, intead each single RDN value must be escaped
separately.

DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as
they come already escaped on the wire and passed as is by the ldap libraries

DN filtering has been tested.
For example now it is possible to do something like:
'net ads add user joe#5' as now the '#' character is correctly escaped when
building the DN, previously such a call failed with Invalid DN Syntax.

Simo.
(This used to be commit 5b4838f62a)
2007-10-10 12:18:16 -05:00
Jeremy Allison
2546b63f73 r21566: If we're going to be broken, at least be *consistently*
broken :-). This will do until Simo fixes the escape
calls properly.
Jeremy.
(This used to be commit b7d91ec1b2)
2007-10-10 12:18:14 -05:00
Günther Deschner
69cee2a3ec r21240: Fix longstanding Bug #4009.
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".

Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).

Guenther
(This used to be commit 7e1a84b722)
2007-10-10 12:17:50 -05:00
Gerald Carter
a31f10c99e r21001: * Use a simple '#define LDAPMessage void' to fix the build
problems in the nss_info interface when HAVE_LDAP is undefined.
* Revert previous ifdef HAVE_ADS brakets
* Remove an unused init function wrapper.
(This used to be commit 2ba353848b)
2007-10-10 12:17:25 -05:00
Gerald Carter
b9b26be174 r20986: Commit the prototype of the nss_info plugin interface.
This allows a provider to supply the homedirectory, etc...
attributes for a user without requiring support in core
winbindd code.  The idmap_ad.c module has been modified
to provide the idmap 'ad' library as well as the rfc2307 and sfu
"winbind nss info" support.

The SID/id mapping is working in idmap_ad but the nss_info
still has a few quirks that I'm in the process of resolving.
(This used to be commit aaec0115e2)
2007-10-10 12:17:23 -05:00
Volker Lendecke
b906886e9e r20824: Send access to the trusted domain passwords through the pdb backend, so that
in the next step we can store them in LDAP to be replicated across DCs.

Thanks to Michael Adam <ma@sernet.de>

Volker
(This used to be commit 3c879745cf)
2007-10-10 12:17:10 -05:00
Herb Lewis
791f48f167 r20124: clean up nested extern declaration warnings
(This used to be commit ac3eb7813e)
2007-10-10 12:16:26 -05:00
Jeremy Allison
63609fbb04 r20090: Fix a class of bugs found by James Peach. Ensure
we never mix malloc and talloc'ed contexts in the
add_XX_to_array() and add_XX_to_array_unique()
calls. Ensure that these calls always return
False on out of memory, True otherwise and always
check them. Ensure that the relevent parts of
the conn struct and the nt_user_tokens are
TALLOC_DESTROYED not SAFE_FREE'd.
James - this should fix your crash bug in both
branches.
Jeremy.
(This used to be commit 0ffca7559e)
2007-10-10 12:16:24 -05:00
Jeremy Allison
490e3205bc r20035: Fix obvious horrible bug in falling back to MS-RPC
methods.
Jeremy.
(This used to be commit 7ac4ae4b51)
2007-10-10 12:16:21 -05:00
Volker Lendecke
bf6bb74985 r19657: Correctly check for malloc failure
(This used to be commit e5b5c9b058)
2007-10-10 12:15:45 -05:00
Volker Lendecke
8371c0e44c r19656: Correctly check for malloc failure
(This used to be commit 3d0661b039)
2007-10-10 12:15:45 -05:00
Volker Lendecke
ee0e397d6f r18019: Fix a C++ warnings: Don't use void * in libads/ for LDAPMessage anymore.
Compiled it on systems with and without LDAP, I hope it does not break the
build farm too badly. If it does, I'll fix it tomorrow.

Volker
(This used to be commit b2ff9680eb)
2007-10-10 11:39:49 -05:00
Jeremy Allison
fbdcf2663b r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need
to do the upper layer directories but this is what
everyone is waiting for....

Jeremy.
(This used to be commit 9dafb7f48c)
2007-10-10 11:19:14 -05:00
Volker Lendecke
dfa4760eea r16361: Fix Klocwork ID 1731 1770 1771 1775 1796
Volker
(This used to be commit 8a5cebc19e)
2007-10-10 11:18:49 -05:00
Jeremy Allison
193830091f r16285: On a 64-bit box, size_t != uint32. Ensure we use
the right parameter type.
Jeremy.
(This used to be commit 938545f535)
2007-10-10 11:17:31 -05:00
Günther Deschner
2828356be3 r16187: Fix memleak.
Guenther
(This used to be commit e7d2b84aba)
2007-10-10 11:17:23 -05:00
Günther Deschner
9467e6f41a r16080: Re-add accidentially excluded in-forest domain trusts (fixes bug #3823).
Guenther
(This used to be commit 8759a00fed)
2007-10-10 11:17:20 -05:00
Günther Deschner
c60e96c392 r15698: An attempt to make the winbind lookup_usergroups() call in security=ads
more scalable:

The most efficient way is to use the "tokenGroups" attribute which gives
the nested group membership. As this attribute can not always be
retrieved when binding with the machine account (the only garanteed way
to get the tokenGroups I could find is when the machine account is a
member of the "Pre Win2k Access" builtin group).

Our current fallback when "tokenGroups" failed is looking for all groups
where the userdn was in the "member" attribute. This behaves not very
well in very large AD domains.

The patch first tries the "memberOf" attribute on the user's dn in that
case and directly retrieves the group's sids by using the LDAP Extended
DN control from the user's object.

The way to pass down the control to the ldap search call is rather
painfull and probably will be rearranged later on.

Successfully tested on win2k sp0, win2k sp4, wink3 sp1 and win2k3 r2.

Guenther
(This used to be commit 7d766b5505)
2007-10-10 11:17:08 -05:00
Günther Deschner
39c45ce4f1 r15697: I take no comments as no objections :)
Expand the "winbind nss info" to also take "rfc2307" to support the
plain posix attributes LDAP schema from win2k3-r2.

This work is based on patches from Howard Wilkinson and Bob Gautier
(and closes bug #3345).

Guenther
(This used to be commit 52423e01dc)
2007-10-10 11:17:08 -05:00
Volker Lendecke
c2e6ebe22c r15562: Attempt to fix Coverity bug # 283
(This used to be commit 3762effca5)
2007-10-10 11:17:01 -05:00