IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This patch removes 'non unix account range' (same as idra's change in HEAD),
and uses the winbind uid range instead.
More importanly, this patch changes the LDAP schema to use 'ntSid' instead
of 'rid' as the primary attribute. This makes it in common with the group
mapping code, and should allow it to be used closely with a future idmap_ldap.
Existing installations can use the existing functionality by using the
ldapsam_compat backend, and users who compile with --with-ldapsam will get
this by default.
More importantly, this patch adds a 'sambaDomain' object to our schema -
which contains 2 'next rid' attributes, the domain name and the domain sid.
Yes, there are *2* next rid attributes. The problem is that we don't 'own'
the entire RID space - we can only allocate RIDs that could be 'algorithmic'
RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be
mapped by IDMAP, not the algorithm.
Andrew Bartlett
(This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
Also get charset 'werid' for both --enable-developer options in configure.
Andrew Bartlett
(This used to be commit 2a99e77e91cd214296f12b0aaf30c3c51d5a2c0a)
'UF8-safe' LDAP code.
I hope I've caught all the places where we were pushing strings into or
out of LDAP now.
Andrew Bartlett
(This used to be commit 70bf7a5f71f71aeb5338723d1f5b32a89d5c4f91)
- Use find backend function to find duplicates
- declare static function before using it
(This used to be commit ad5ebd4f2065425a9edffc753c0f0414fd6f98d4)
- change update behaviour for new RIDs:
- store the new RID into the SAM_ACCOUNT, so that the caller get's it back
automaticly
- use this to make the code paths simpiler for the normal 'need_update' code.
We must always store a RID if we intend to use the sambaAccount objectClass
Andrew Bartlett
(This used to be commit 5edeee5116b9c775a1bded1d53cb2b22c7a2765f)
sambaAccount requires the rid to be present, and doing this fallback is quite
dangerous, becouse it assumes that alorithmic RIDs are in use - which is quite
often not the case.
Also finish of vl's work on 'use a function pointer, not embedded logic' to
tell lower levels that they should/should not attempt to set the user's password
into LDAP with the extended operation.
Andrew Bartlett
(This used to be commit 715d0bd804b6bff4c0b365f98ca196d41ed9c5c4)
This might help avoid killing the ldap server when all 100 smbd processes
reconnect in pulses...
Also, reduces the maximum wait time, as SMB clients will time out after 30
seconds anyway...
Andrew Bartlett
(This used to be commit 08c5aaae6a92d6ee14f9bf8e3330191718e84edf)
This allows us to join as a BDC, without appearing on the network as one
until we have the database replicated, and the admin changes the configuration.
This also change the SID retreval order from secrets.tdb, so we no longer
require a 'net rpc getsid' - the sid fetch during the domain join is sufficient.
Also minor fixes to 'net'.
Andrew Bartlett
(This used to be commit 876e00fd112e4aaf7519eec27f382eb99ec7562a)
I could not fix the "passing arg 5 of `ldap_search_s'" completely with
gcc -Wall. A non-developer compile does not complain though.
Volker
(This used to be commit cf923d713305620278e3759599247d3cf7aa0e2f)
are handled, though we assume that always everything needs to
be updated in LDAP. PDB_IS_* is not done yet for groups.
Do we need it?
Volker
(This used to be commit 091f8f94486057b33f0409887ba09000a8415f4c)
easier to understand by moving the logic for init_ldap_from_sam
and friends around.
Volker
(This used to be commit 09a92984baaee94521d0cacf16daaf0291242b42)
are 'SET' when adding the account.
I really don't like passing flags down to inner routines and
complicated if/else conditions, but this time he might be right. ;-)
Volker
(This used to be commit 339c14906802db6ddb59f07a0c71dcc3c73cc3d6)
This adds 'ldap delete dn' as the recommended parameter
for the 'ldap del only sam attr' functionality. So
we are compatiple to the current SuSE patches as well
as to TNG... ;-)
Volker
(This used to be commit 53b5704ff21de6fce097d74dd7f235d3ceccec66)
> Hi Volker,
>
> if 'displayName' is not available we should fallback to 'cn' for map->nt_name
> 'cn' is used as unix group name by nss_ldap.
>
> and if nt_name is not available we should fail (so does this patch)
Volker
(This used to be commit 7ae9c2500e3ac5f671d41077327156f1f3767fff)
This repairs domain join with fully existing wks-account which I broke
with my last patch...
Volker
(This used to be commit bc59912aa10e5000225110e48ad548f19756bed5)
anymore, but instead look at what is currently stored in the
database. Then we explicitly delete the existing attribute and add the
new value if it is not NULL or "". This way we can handle appearing
and disappearing attributes quite nicely.
This currently breaks pdbedit -o, as this does not set the CHANGED
flag on the SAM_ACCOUNT.
Jelmer suggested that we set all the fields on CHANGED in
context_add_sam_account. This sounds not too unreasonable.
Volker
(This used to be commit a75015c9ce8246670ee7c7d73df585390696fe95)
- pdb_guest (including change defaults)
- 'default' passdb actions (instead of 'not implemented' stubs in each module)
- net_rpc_samsync no longer assumes pdb_unix
Andrew Bartlett
(This used to be commit 4bec53c8c81019f0f06a93c4df0800bbf7281dd6)
This patch is heavily based on a patch by SuSE. Thanks
to Guenther Deschner <gd@suse.de> for providing it.
Volker
(This used to be commit 5eaf9195eefda5ababba85cc0f6d581ff6f0f454)
Original message:
This patch attemptes to clean up winbindd's mutex locking.
The current locking scheme in winbind is a complete mess - indeed, the
next step should be to push the locking into cli_full_connection(), but
I'll leave it for now.
This patch works on the noted behaviour that 2 parts of the connection
process need protection - and independent protection. Tim Potter did
some work on this a little while back, verifying the second case.
The two cases are:
- between connect() and first session setup
- during the auth2 phase of the netlogon pipe setup.
I've removed the counter on the lock, as I fail to see what it gains us.
This patch also adds 'anonymous fallback' to our winbindd -> DC connection.
If the authenticated connection fails (wbinfo -A specifed) - say that
account isn't trusted by a trusted DC - then we try an anonymous.
Both tpot and mbp like the patch.
Andrew Bartlett
(This used to be commit b5283c00a900393b83f0edb2785c5caf402404eb)
