IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This makes us scale better with many simultaneous winbind requests,
some of which might be slow.
This implementation breaks offline logons, as the cached credentials are
maintained in a child (this needs fixing). So, if the offline logons are
active, only allow one DC connection.
Probably the offline logon and the scalable file server cases are
separate enough so that this patch is useful even with the restriction.
This will reduce the noise from merges of the rest of the
libcli/security code, without this commit changing what code
is actually used.
This includes (along with other security headers) dom_sid.h and
security_token.h
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
size_t is overkill here, and in struct security_token in the num_sids
is uint32_t.
This includes a change to the prototype of add_sid_to_array()
and add_sid_to_array_unique(), which has had a number of
consequnetial changes as I try to sort out all the callers using
a pointer to the number of sids.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
By putting this code inline in winbindd_setup_listeners() we remove 2
static variables and simplify the code.
By putting the get_winbind_priv_pipe_dir() in the same file, we allow
it to be reimplemented in s3compat.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This matches the structure that new code is being written to,
and removes one more of the old-style named structures, and
the need to know that is is just an alias for struct dom_sid.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
add_trusted_domain() for a new domain always needs to be followed by a
setup_domain_child(). This was not always done, in particular not when walking
to the forest root for additional trusts.
This is a minimal patch, we need to fix add_trusted_domain().
There's a known bug in some Windows implementations of
DsEnumerateDomainTrusts() where domain SIDs are not returned for
transitively trusted domains within the same forest.
Jerry originally worked around this in the winbindd parent by checking
for S-0-0 and converting it to S-1-0 in 8b0fce0b. Guenter later moved
these checks into the child process in commit 3bdfcbac making the
initial patch unecessary.
I've removed it and added a clarifying comment to the child process.
If ever this SID is needed we could add an extra DsEnumerateDomainTrusts()
call in trusted_domains() as suggested by the Microsoft KB.
Pass a "flags" argument instead of the original winbind command down the
name_to_sid chain. This way we are independent of the winbind commands and
can take the decision at a much higher level
In itself, this is pretty pointless. But in the next steps I'll convert the
winbind internal communication to wb_reqtrans which allocates the request
properly. This minimizes the later diff.
Volker
This API is unusual in that if used to remove a non-list head it nulls out
the next and prev pointers. This is what you want for debugging (don't want
an entry removed from the list to be still virtually linked into it) but
means there is no consistent idiom for use as the next and prev pointers
get trashed on removal from the list, meaning you must save them yourself.
You can use it one way when deleting everything via the head pointer, as
this preserves the next pointer, but you *must* use it another way when not
deleting everything via the head pointer. Fix all known uses of this (the main
one is in conn_free_internal() and would not free all the private data entries
for vfs modules. The other changes in web/statuspage.c and winbindd_util.c
are not strictly neccessary, as the head pointer is being used, but I've done
them for consistency. Long term we must revisit this as this API is too hard
to use correctly.
Jeremy.
This option really is essential, as we discover again and again at
customer sites. Due to bugs in winbind some domains are toxic. When
you are installing at a site and a particular domain in a complex
setup causes winbind to segfault or hang then you need a way to
disable that domain and continue.
In an ideal world winbind could handle arbitrarily complex ADS
domains, but we are nowhere near that yet. If we ever get to that
stage then we won't need this option.
* Add support user and group name aliasing by expanding
the ws_name_replace() and ws_name_return() functions.
The lookup path is
aliases -> qualified name -> SID
SID -> fully qualified name -> alias
In other words, the name aliasing support is a thin layer
built on top of SID/NAME translation.
* Rename the ws_name_XX() functions to normalize_name_map()
and normalize_name_unmap(). Chaneg interface to return
NTSTATUS rather than char *.
* Add associated cache validation functions.
Make sure that usernames are parsed using the correct separator.
Otherwise group memeberships in winbind may be result broken.
(This used to be commit 20b9c0aa7b)
reconnect code to cope with rebooting a DC. This
replaces the code I asked Volker to revert.
The logic is pretty simple. It adds a new parameter,
"winbind reconnect delay", set to 30 seconds by
default, which determines how long to wait between
connection attempts.
To avoid overwhelming the box with DC-probe
forked children, the code now keeps track of
the DC probe child per winbindd_domain struct
and only starts a new one if the existing one
has died.
I also added a little logic to make sure the
dc probe child always sends a message whatever
the reason for exit so we will always reschedule
another connect attempt.
Also added documentation.
Jeremy.
(This used to be commit 8027197635)
should never include the user SID.
The comment for the function in winbindd/winbindd_ads.c says
/* Lookup groups a user is a member of. */
The following patch makes the wbinfo calls return the correct data
before and after a login.
wbinfo --user-domgroups and --user-sids
(This used to be commit 7849938906)
backend. This allows winbindd when running on a Samba PDC to
correctly answer wbinfo -u lists and other queries.
Jeremy.
(This used to be commit e61ad0c158)
* changed the behavior of winbind_ads.c:trusted_domains() to not overwrite
existing trust information if we're joined to a child domain, and querying the
forest root domain. Previously if we were joined to a child domain, we'd
request all known trust information from this child domain (our primary domain)
and store it in the tdc. We'd then request all trust information from our tree
root (to get the forests we transitively trust) and overwrite the existing trust
information we already had from the perspective of the tree root.
* updated several comments and fixed typos
(This used to be commit 6aac972d79)
This patch make sure we do not try to contact smbd in the main dameon
to avoid deadlocks.
All the operations that require connecting to smbd are performed in
the domain child anyway.
(This used to be commit 9347d34b50)
Use the flags stored in the tdb when determining if a domain can
be contacted. The tdb should be considered authoratative anyways unless
you know the flags in the winbindd_domain are correct (such as when
first enumerating trusts).
Original suggestion and patch from Steven Danneman <steven.danneman@isilon.com>.
Manually rewritten by me for 3.2.
(This used to be commit f53658a20d)
The check for inbound trusts is invalid when samba is a DC
and has a trust with an active directory domain.
This effectively prevented tusts with an AD domain on a
samba DC from working (unless using "winbindd rpc only"),
because an ads_connect() was never performed. Only the
rpc-based winbindd methods were working properly.
Jerry: Please check!
Michael
(This used to be commit dcd42a1e06)
The present assignment
"request->data.init_conn.is_primary = domain->internal ? False : True"
simply feels wrong. This seems to be the thing right to do:
"request->data.init_conn.is_primary = domain->primary ? true : false".
The question is: Does this have any purpose at all?
data.init_conn.is_primary seems to be used nowhere
in the whole code at all.
Is it (still) needed?
Michael
(This used to be commit 8bb21b8b38)
Also *do not* clear the trust list when rescanning or else it is possible
to suffer from a race condition where no trusted domains can be found.
(This used to be commit e7164a252b)
to struct sockaddr_storage in most places that matter (ie.
not the nmbd and NetBIOS lookups). This passes make test
on an IPv4 box, but I'll have to do more work/testing on
IPv6 enabled boxes. This should now give us a framework
for testing and finishing the IPv6 migration. It's at
the state where someone with a working IPv6 setup should
(theorecically) be able to type :
smbclient //ipv6-address/share
and have it work.
Jeremy.
(This used to be commit 98e154c312)
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
(This used to be commit f35a266b3c)
Now BUILTIN is always the first domain followed
by the domain of our own SAM DB and the primary
domain (in member server mode).
metze
(This used to be commit b8d67b78aa)
