1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

3277 Commits

Author SHA1 Message Date
Volker Lendecke
2c610804fe winbind: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-06-16 16:14:30 +00:00
Pavel Filipenský
09e853af7f s4:torture: Skip test_membership_user for users that get incorrectly assigned group sid
This commit should be removed once wb_queryuser() is fixed.

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-13 12:15:32 +00:00
Pavel Filipenský
a1e611a8c7 s3:winbind: Fix the default group for the 'Guest' user
If samlogon cache has no entry for the 'Guest' user, the group sid
should default to 'Guests' group.

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-13 12:15:32 +00:00
Pavel Filipenský
783c9d2237 s3:winbind: Include local groups in _wbint_QueryGroupList
This is needed for GETGRENT to show also e.g. BUILTIN/users.
Otherwise the test_membership_user (local.nss.membership) would fail.

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-13 12:15:32 +00:00
Pavel Filipenský
f116cda34f s3:winbind: Remove SID_NAME_ALIAS code from rpc_lookup_groupmem()
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-13 12:15:32 +00:00
Pavel Filipenský
47b3a5d0de s3:winbind: s/wb_group_members_send/wb_alias_members_send/ for SID_NAME_ALIAS in wb_getgrsid_sid2gid_done()
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-13 12:15:32 +00:00
Pavel Filipenský
fa7d9c13c3 s3:winbind: Convert wb_group_members_send() to resolve array of groups
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-13 12:15:32 +00:00
Pavel Filipenský
6b321cb17e s3:winbind: Add wb_alias_members_{send/recv}
wb_alias_members.c is very similar to wb_lookupusergroups.c

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-13 12:15:32 +00:00
Pavel Filipenský
38565ff2df s3:winbind: Add wbint_LookupAliasMembers to winbind interface
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-13 12:15:32 +00:00
Pavel Filipenský
92b2eb9c3f s3:winbind: Add lookup_aliasmem to winbindd_methods and implement it in all backends
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-13 12:15:32 +00:00
Pavel Filipenský
b67dc2586f s3:winbind: Fix trailing whitespace in winbindd_cache.c
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-13 12:15:32 +00:00
Pavel Filipenský
d58872053c s3:winbind: Fix trailing whitespace in winbindd_reconnect.c
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-13 12:15:32 +00:00
Pavel Filipenský
f91c8bf8d0 s3:winbind: Fix trailing whitespace in winbindd_msrpc.c
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-13 12:15:32 +00:00
Volker Lendecke
6206e15b4d winbind: Fix "wbinfo -u" on a Samba AD DC with >1000 users
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15366

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue May  9 02:58:45 UTC 2023 on atb-devel-224
2023-05-09 02:58:45 +00:00
Volker Lendecke
3fdf8d15c0 idmap_ad: Add "deny ous" and "allow ous" options
With these options, certain OUs can be denied or a list of OUs can be
explicitly permitted for idmapping.

Use case: Administration of OUs in AD has been delegated to people not
100% trusted by the unix server team, this can prevent arbitrary unix
IDs to be assigned by these delegated admins.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-03-29 17:55:50 +00:00
Volker Lendecke
c9c709e39d idmap: Initialize struct idmap_ad_context
We'll add another pointer next that should be initialized to NULL

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-03-29 17:55:50 +00:00
Volker Lendecke
6499a2dcb3 winbind: Add idmap_config_string_list()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-03-29 17:55:50 +00:00
Volker Lendecke
443572ce42 winbind: Factor out idmap_config_name()
3 times is enough, next patch will add a 4th one.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-03-29 17:55:50 +00:00
Pavel Filipenský
a11d6fe590 s3:winbind: Fix wrong string zero termination for empty groups
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Tue Mar 28 08:36:50 UTC 2023 on atb-devel-224
2023-03-28 08:36:50 +00:00
Joseph Sutton
3c5296d9ae winbindd: Show warning message on tc connection errors too
Some of these conditions could never be hit.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-20 00:22:32 +00:00
Stefan Metzmacher
7ee725f286 idmap_hash: remember new domain sids in idmap_hash_sid_to_id()
This change means that idmap_hash_id_to_sid() can return mappings
for new domains learned in idmap_hash_sid_to_id().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 10 11:35:06 UTC 2023 on atb-devel-224
2023-03-10 11:35:06 +00:00
Stefan Metzmacher
ee820553fd idmap_hash: don't return ID_REQUIRE_TYPE if the domain is known in the netsamlogon cache
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-03-10 10:38:37 +00:00
Stefan Metzmacher
ede88d9f83 idmap_hash: only return ID_REQUIRE_TYPE if we don't know about the domain yet
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-03-10 10:38:37 +00:00
Stefan Metzmacher
42dcb3db05 idmap_hash: return ID_REQUIRE_TYPE only if there's a chance to get a mapping later
If we are going to return ID_UNMAPPED later anyway, there's no need to
defer that decision by returning ID_REQUIRE_TYPE first.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-03-10 10:38:37 +00:00
Stefan Metzmacher
c158b075b0 idmap_hash: split out a idmap_hash_sid_to_id() helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-03-10 10:38:37 +00:00
Stefan Metzmacher
57150b463f idmap_hash: split out a idmap_hash_id_to_sid() helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-03-10 10:38:37 +00:00
Stefan Metzmacher
14102b05f3 idmap_hash: mirror the NT_STATUS_NONE_MAPPED/STATUS_SOME_UNMAPPED logic from idmap_autorid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-03-10 10:38:37 +00:00
Stefan Metzmacher
0da13ab3ad idmap_hash: we don't need to call idmap_hash_initialize() over an over again
It's always the first function that's called from idmap_methods.

This also demonstrates that we currently always return NT_STATUS_OK,
even if we haven't mapped all map entries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-03-10 10:38:37 +00:00
Stefan Metzmacher
2cfcff3101 idmap_hash: remove unused error checks
id_map_ptrs_init() is used in the callers in order to
set everything up as expected.

Other backends also just trust the caller.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-03-10 10:38:37 +00:00
Stefan Metzmacher
0f96c4b419 idmap_hash: fix comments about the algorithm
Only support ~ 50k users per domain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-03-10 10:38:37 +00:00
Stefan Metzmacher
9a24570d3d idmap_hash: provide ID_TYPE_BOTH mappings also for unixids_to_sids
While sids_to_unixids returns ID_TYPE_BOTH mappings,
unixids_to_sids() returns the callers asked for, which
fills gencache with the non ID_TYPE_BOTH mappings.
As a result also the sids_to_unixids fast path via
gencache won't return ID_TYPE_BOTH mappings.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-03-10 10:38:37 +00:00
Stefan Metzmacher
a9583b5f96 idmap_autorid: fix ID_REQUIRE_TYPE for more than one SID for an unknown domain
When we see a trusted domain SID for the first time,
idmap_autorid returns ID_REQUIRE_TYPE only for the first sid
and leaves the others with ID_TYPE_NOT_SPECIFIED.
It means the winbindd parent only retries the first sid.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15318

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-03-10 10:38:37 +00:00
Stefan Metzmacher
ad242a2064 winbindd: don't call set_domain_online_request() in the idmap child
Most idmap backends don't need access to the domain controllers.
And the related code is not needed for the backends.

Commit 17c86a2c5a changed
the logic of set_domain_online_request() completely!
Instead of triggering a dc probe in the background,
it is now doing a blocking connection.
And doing this in the idmap child is completely useless.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15317

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-03-10 10:38:37 +00:00
Andreas Schneider
460fd441d7 s3:winbind: Improve warning message if we are out of autorid ranges
The message should help our users to understand what's the problem. The
message was rather cryptic before.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Feb 28 14:18:32 UTC 2023 on atb-devel-224
2023-02-28 14:18:32 +00:00
Joseph Sutton
618d95822e ldap: Cut down on string substitution
Constant strings can be inserted directly into format strings, reducing
the amount of string substitution to be performed.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:40 +00:00
Andreas Schneider
8b7fcfa577 s3:winbind: Remove unused variable
source3/winbindd/winbindd_ads.c:1399:6: error: variable 'ret_count' set but not
    used [-Werror,-Wunused-but-set-variable]
        int ret_count;
            ^

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-02-06 22:51:31 +00:00
Pavel Filipenský
51d559d8f4 s3:winbind: Move tevent_req_create() before debug macros to have the right call depth
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15287

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-01-26 14:10:36 +00:00
Pavel Filipenský
4b6e8e1c11 s3:winbind: Deactivate call depth tracking in child winbindd
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15287

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-01-26 14:10:36 +00:00
Pavel Filipenský
a6c1211504 s3:winbind: Activate the call depth tracking in main winbindd
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15287

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-01-26 14:10:36 +00:00
Ralph Boehme
eb1d1f19a2 winbindd: add dcname arg to ChangeMachineAccount request
Existing callers will pass an empty string, later a new caller will pass an
explicit DC name taken from the wbinfo command line.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-12-21 19:10:35 +00:00
Ralph Boehme
4a74748d32 winbindd: Add force_dc to bypass cached connection and DC lookup
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-12-21 19:10:35 +00:00
Ralph Boehme
0fcf00121a winbindd: More simplification of cm_open_connection()
This basically moves the functionality to connect the socket to the currently
preferred DC to a new helper function connect_preferred_dc() that is called from
the renamed function find_new_dc().

find_dc() now either returns a connected to the preferred DC or a new DC until
all possible DCs are exhausted and cm_open_connection() can just call find_dc()
to get a connected socket and pass it to cm_prepare_connection().

While at it reorder the args of find_dc() and make the only real out arg "fd"
the last one.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-12-21 19:10:35 +00:00
Ralph Boehme
7315c5f4a5 winbindd: simplify cm_open_connection()
Simplify to retry logic: if cm_prepare_connection() succeeded just exit the
retry loop, only if it failed check the "retry" variable.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-12-21 19:10:35 +00:00
Ralph Boehme
ccb6b75482 winbindd: simplify find_new_dc()
Remove the dcname and pss args from find_new_dc(). The caller passes in the
domain anyway, so let's fill in domain->dcname and domain->dcaddr directly.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-12-21 19:10:35 +00:00
Ralph Boehme
2e496efe8c winbindd: do an early exit in cm_open_connection()
Best viewed with git show -w. No change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-12-21 19:10:35 +00:00
Günther Deschner
39e8489dfc s3-librpc: add ads.idl and convert ads_struct to talloc.
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-12-16 20:38:32 +00:00
Volker Lendecke
4156d37db1 winbind: Save lines with talloc_asprintf_addbuf()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-12-14 04:32:34 +00:00
Volker Lendecke
f25b6de771 winbind: Save an intermediate NULL check with talloc_asprintf_addbuf()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-12-14 04:32:34 +00:00
Volker Lendecke
7870e82cb4 lib: Fix whitespace
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-12-14 04:32:34 +00:00
Ralph Boehme
fc57b88e6a smbd: remove process shortname arg from reinit_after_fork()
All callers pass NULL anyway, so it isn't used anymore.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-12-14 01:38:29 +00:00