IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".
Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).
Guenther
This allows a provider to supply the homedirectory, etc...
attributes for a user without requiring support in core
winbindd code. The idmap_ad.c module has been modified
to provide the idmap 'ad' library as well as the rfc2307 and sfu
"winbind nss info" support.
The SID/id mapping is working in idmap_ad but the nss_info
still has a few quirks that I'm in the process of resolving.
site support in a network where many DC's are down.
I heard via Volker there is still a bug w.r.t the
wrong site being chosen with trusted domains but
we'll have to layer that fix on top of this.
Gd - complain if this doesn't work for you.
Jeremy.
more scalable:
The most efficient way is to use the "tokenGroups" attribute which gives
the nested group membership. As this attribute can not always be
retrieved when binding with the machine account (the only garanteed way
to get the tokenGroups I could find is when the machine account is a
member of the "Pre Win2k Access" builtin group).
Our current fallback when "tokenGroups" failed is looking for all groups
where the userdn was in the "member" attribute. This behaves not very
well in very large AD domains.
The patch first tries the "memberOf" attribute on the user's dn in that
case and directly retrieves the group's sids by using the LDAP Extended
DN control from the user's object.
The way to pass down the control to the ldap search call is rather
painfull and probably will be rearranged later on.
Successfully tested on win2k sp0, win2k sp4, wink3 sp1 and win2k3 r2.
Guenther
Expand the "winbind nss info" to also take "rfc2307" to support the
plain posix attributes LDAP schema from win2k3-r2.
This work is based on patches from Howard Wilkinson and Bob Gautier
(and closes bug #3345).
Guenther
The motivating factor is to not require more privileges for
the user account than Windows does when joining a domain.
The points of interest are
* net_ads_join() uses same rpc mechanisms as net_rpc_join()
* Enable CLDAP queries for filling in the majority of the
ADS_STRUCT->config information
* Remove ldap_initialized() from sam/idmap_ad.c and
libads/ldap.c
* Remove some unnecessary fields from ADS_STRUCT
* Manually set the dNSHostName and servicePrincipalName attribute
using the machine account after the join
Thanks to Guenther and Simo for the review.
Still to do:
* Fix the userAccountControl for DES only systems
* Set the userPrincipalName in order to support things like
'kinit -k' (although we might be able to just use the sAMAccountName
instead)
* Re-add support for pre-creating the machine account in
a specific OU
kerberized pam_winbind and workstation restrictions are in effect.
The krb5 AS-REQ needs to add the host netbios-name in the address-list.
We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from
the edata of the KRB_ERROR but the login at least fails when the local
machine is not in the workstation list on the DC.
Guenther
This avoids that each time a full-group-dump is requested from ADS; the
bitwise match allows to only query those groups we are interested in.
The ADS LDAP server changed to RFC compliant behaviour when decoding the ldap
filter with extensible match in the latest SPs (fixes). From the patch:
/* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
* rollup-fixes:
*
* According to Section 5.1(4) of RFC 2251 if a value of a type is it's
* default value, it MUST be absent. In case of extensible matching the
* "dnattr" boolean defaults to FALSE and so it must be only be present
* when set to TRUE.
*
* When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
* filter using bitwise matching rule then a buggy AD fails to decode
* the extensible match. As a workaround set it to TRUE and thereby add
* the dnAttributes "dn" field to cope with those older AD versions.
* It should not harm and won't put any additional load on the AD since
* none of the dn components have a bitmask-attribute.
*
* Thanks to Ralf Haferkamp for input and testing */
Guenther
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
homedirectory and the loginshell from Active Directory's "Services for Unix".
Enable it with:
winbind sfu support = yes
User-Accounts without SFU-Unix-Attributes will be assigned template-based
Shells and Homedirs as before.
Note that it doesn't matter which version of Services for Unix you use (2.0,
2.2, 3.0 or 3.5). Samba should detect the correct attributes (msSFULoginShell,
msSFU30LoginShell, etc.) automatically.
If you also want to share the same uid/gid-space as SFU then also use PADL's
ad-idmap-Plugin:
idmap backend = ad
When using the idmap-plugin only those accounts will appear in Name Service
Switch that have those UNIX-attributes which avoids potential uid/gid-space
clashes between SFU-ids and automatically assigned idmap-ids.
Guenther
User-, Group- and Machine-Accounts in Active Directory (this got lost
during the last trunk-merge).
This way we match e.g. default containers moved by redircmp.exe and
redirusr.exe in Windows 2003 and don't blindly default to cn=Users or
cn=Computers.
Further wkguids can be examied via "net ads search wellknownobjects=*".
This should still keep a samba3-client joining a samba4 dc. Fixes
Bugzilla #1343.
Guenther
Winbind tickets expired. We now check the expiration time, and acquire
new tickets. We couln't rely on renewing them, because if we didn't get
a request before they expired, we wouldn't have renewed them. Also, there
is a one-week limit in MS on renewal life, so new tickets would have been
needed after a week anyway. Default is 10 hours, so we should only be
acquiring them that often, unless the configuration on the DC is changed (and
the minimum is 1 hour).
in heimdal it is an enum. Thanks to Guenther Deschner (gd@suse.de).
With this join will work, but without a keytab, cifs connections will still
fail with heimdal. Fix to come later.
- new kerberos code, allowing the account to change it's own password
without special SD settings required
- NTLMSSP client code, now seperated from cliconnect.c
- NTLMv2 client code
- SMB signing fixes
Andrew Bartlett
net ads printer publish <printername> [servername]
Will retreive the DsSpooler and DsDriver info by rpc for a remote server
then publish it.
Next comes doing it within smbd
