IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
CatchChild();
*before* we fork the domain child. This call establishes a signal handler that
eats SIGCLD signals and doesn't call sys_select_signal() as the main daemon
SIGCLD handler should do. This causes the parent to ignore dead children and
time out, instead of calling winbind_child_died() on receipt of the signal. The
correct fix is to move the CatchChild call into the child code after the fork.
Jeremy.
The wbcLookupDomainController() call supports a set of flags
defined in wbclient.h. Add a mapping function between these
flags and the original DS_XXX flags in order to prevent having
to include the generated RPC headers in wbclient.h.
Thanks to Glenn Curtis and Kyle Stemen @ Likewise. Their explanation is:
In winbindd_dual.c, there is a list of children processes that
is maintained using macros DTLIST_ADD and DTLIST_REMOVE. In the
case when a scheduled_async_request fails, the particular child
was located in the list, and its attributes were cleared out
and it was reused for a subsequent async request. The bug was that
the new request would queue the same node into the doubly-linked
list and would result in list->next pointing to the same node as
list itself. This would set up an infinite loop in the processing of
the for loop when the list of children was referenced.
Solution was to fully remove the child node from the list, such that
it could be inserted without risk of being inserted twice.
Note that the child is re-added to the list in fork_domain_child() again.
We now open messages.tdb even before we do the become_daemon. become_daemon()
involves a fork and an immediate exit of the parent, thus the
parent_is_longlived argument must be set to false in this case. The parent is
not really long lived :-)
This reduces indentation by combining common code paths,
and wraps long lines.
Holger: sorry, I could not resist. I think it is much easier to
understand what is going on when we only have one check and
determine the max allowed key length in advance.
Michael
UA keys consist of a potientally large number of concatenated SID strings which
can grow much larger than 1024 bytes in complex environments. We catch those keys
and allow them exclusivly to be larger.
In getgrsid_lookupsid_recv() we use parse_domain_user which itself looks at
lp_winbind_separator(). Thus when building up that group name we should better
use it as well.
originally, the cache was cleared before calling validate, but
this way, we skipt the validation of the database when not in
offline logon mode.
This is put into a new wrapper function winbindd_cache_validate_and_initialize()
which is now called in winbindd.c instead calling validate and
initialize functions separately.
Michael
In order to avoid receiving NT_STATUS_DOWNGRADE_DETECTED from a w2k8
netr_ServerAuthenticate2 reply, we need to start with the AD netlogon negotiate
flags everywhere (not only when running in security=ads). Only for NT4 we need
to do a downgrade to the returned negotiate flags.
Tested with w2k8, w2ksp4, w2k3r2 and nt4sp6.
Guenther
* added several helper functions to convert the trust_flags field in the
winbindd_tdc_domain to more useful administrator ideas of trust type, trust
direction, and trust transitivity.
* converted winbindd_list_trusted_domains() to enumerate the trusted domain
cache, instead of the domain list, and return additional trust information to
the calling process
* modified wbinfo to pretty print this additional trust information when a new
--verbose switch is given with -m. Thus "wbinfo -m" and "wbinfo -all-domains"
output as before, but "wbinfo --verbose -m" prints extra trust info.
* updated some comments and fixed typos
* changed the behavior of winbind_ads.c:trusted_domains() to not overwrite
existing trust information if we're joined to a child domain, and querying the
forest root domain. Previously if we were joined to a child domain, we'd
request all known trust information from this child domain (our primary domain)
and store it in the tdc. We'd then request all trust information from our tree
root (to get the forests we transitively trust) and overwrite the existing trust
information we already had from the perspective of the tree root.
* updated several comments and fixed typos
When we get a NT_STATUS_WRONG_PASSWORD for example, my_info3 is not initialized
at all. So first check that we have NT_STATUS_IS_OK(status) before we
dereference my_info3.
