IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Klocwork ID 1773 complained about oldest being dereferenced in line 2275 where
it could be NULL. I think you can construct extreme racy conditions where this
actually could happen.
Volker
(This used to be commit b5602cc4f1d77ed48ddca0f7f42b28706160c923)
enabled).
Do not bail out when a group just has 0 members.
Jeremy, please check, this has been removed with r13915.
Guenther
(This used to be commit 3a738a855d335e44e167351e6396bf3fe81a03af)
Fix more potential segfaults when something on our way to a DC connection
fails.
We can not continue if dcip_to_name() fails. With
192.168.234.100 nt4pdc
192.168.234.100 windows#1c
192.168.234.100 windows#1b
in the lmhosts file when nt4pdc is rebooted, we do find the DC's IP address,
we can connect to TCP 139 while it is booting but anything else fails. So we
fall back to put the IP address into domain->dcname. When the DC is fully up
later on we try to do the auth2 against \\192.168.234.100 which gives
INVALID_COMPUTER_NAME. And we never get out of this loop again.
Fix this.
Jerry, maybe you can take a look.
Thanks,
Volker
(This used to be commit b1244e79068af9e287252b2dfbb8d612e717674a)
controller the next time we connect this child ran into a segfault because it
tried to reference a half-baked connection.
Volker
(This used to be commit c8a8204c744cf7aa1a1a6992a3433d99b6bb73a1)
more scalable:
The most efficient way is to use the "tokenGroups" attribute which gives
the nested group membership. As this attribute can not always be
retrieved when binding with the machine account (the only garanteed way
to get the tokenGroups I could find is when the machine account is a
member of the "Pre Win2k Access" builtin group).
Our current fallback when "tokenGroups" failed is looking for all groups
where the userdn was in the "member" attribute. This behaves not very
well in very large AD domains.
The patch first tries the "memberOf" attribute on the user's dn in that
case and directly retrieves the group's sids by using the LDAP Extended
DN control from the user's object.
The way to pass down the control to the ldap search call is rather
painfull and probably will be rearranged later on.
Successfully tested on win2k sp0, win2k sp4, wink3 sp1 and win2k3 r2.
Guenther
(This used to be commit 7d766b5505e4099ef7dd4e88bb000ebe38d71bd0)
Expand the "winbind nss info" to also take "rfc2307" to support the
plain posix attributes LDAP schema from win2k3-r2.
This work is based on patches from Howard Wilkinson and Bob Gautier
(and closes bug #3345).
Guenther
(This used to be commit 52423e01dc209ba5abde808a446287714ed11567)
The motivating factor is to not require more privileges for
the user account than Windows does when joining a domain.
The points of interest are
* net_ads_join() uses same rpc mechanisms as net_rpc_join()
* Enable CLDAP queries for filling in the majority of the
ADS_STRUCT->config information
* Remove ldap_initialized() from sam/idmap_ad.c and
libads/ldap.c
* Remove some unnecessary fields from ADS_STRUCT
* Manually set the dNSHostName and servicePrincipalName attribute
using the machine account after the join
Thanks to Guenther and Simo for the review.
Still to do:
* Fix the userAccountControl for DES only systems
* Set the userPrincipalName in order to support things like
'kinit -k' (although we might be able to just use the sAMAccountName
instead)
* Re-add support for pre-creating the machine account in
a specific OU
(This used to be commit 4c4ea7b20f44cd200cef8c7b389d51b72eccc39b)
prevents a nasty failure condition in winbindd's pam_auth where a tgt
and a service ticket could have been succefully retrieved, but just not
validated.
Guenther
(This used to be commit a75dd80c6210d01aff104a86b0a9d39d65f2c348)
sid"); works in all AD versions I tested. Also add "net ads sid" search
tool.
Guenther
(This used to be commit 5557ada6943b817d28a5471c613c7291febe2ad5)
kerberized pam_winbind and workstation restrictions are in effect.
The krb5 AS-REQ needs to add the host netbios-name in the address-list.
We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from
the edata of the KRB_ERROR but the login at least fails when the local
machine is not in the workstation list on the DC.
Guenther
(This used to be commit 8b2ba11508e2730aba074d7c095291fac2a62176)
