1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

14067 Commits

Author SHA1 Message Date
Gerald Carter
1d8cd8faf6 fix for platforms that don't have unsetenv().
we now have to check the value for _NO_WINBINDD.
"1" enables, and != "1" disables (use "0" by convention).
(This used to be commit 11eccaef1d)
2003-06-30 16:18:29 +00:00
Volker Lendecke
aca3fa9149 Add the 'guest' passdb backend automatically if
guest account != ""

Volker
(This used to be commit 21d330af10)
2003-06-30 14:55:45 +00:00
Tim Potter
9d4b66c974 Yet more shadow variable warnings.
(This used to be commit b401e78b6e)
2003-06-30 05:45:27 +00:00
Tim Potter
063b515525 Fix more shadow variable warnings.
(This used to be commit 10c51bbef8)
2003-06-30 05:44:05 +00:00
Tim Potter
47a07aef5d Fix shadow variable warnings.
(This used to be commit 5ffb8e0920)
2003-06-30 05:42:15 +00:00
Andrew Tridgell
0a4959d48d - added LOCALE patch from vorlon@debian.org (Steve Langasek) (bug #122)
- changed --enable-developer debug to use -gstabs as it makes the
  samba binaries about 10x smaller and is still quite functional for
  samba debugging
(This used to be commit 53bfcd478a)
2003-06-30 02:11:13 +00:00
Gerald Carter
b8723aaa65 Here's the code to make winbindd work on a Samba DC
to handle domain trusts.  Jeremy and I talked about this
and it's going in as working code.  It keeps winbind clean
and solves the trust problem with minimal changes.

To summarize, there are 2 basic cases where the deadlock would
occur.  (1) lookuping up secondary groups for a user, and
(2) get[gr|pw]nam() calls that fall through the NSS layer because
they don't exist anywhere.

o To handle case #1, we bypass winbindd in sys_getgrouplist() unless
  the username includes the 'winbind separator'.

o Case #2 is handled by adding checks in winbindd to return failure
  if we are a DC and the domain matches our own.

This code has been tested using basic share connections, domain
logons, and with pam_winbind (both with and without 'winbind
use default domain').  The 'trustdomain' auth module should work
as well if an admin wants to manually create UNIX users for
acounts in the trusted domains.

Other misc fixes:

  * we need to fix check_ntlm_password() to be able to determine
    if an auth module is authoritative over a user (NT_STATUS_WRONG_PASSWORD,
    etc...).  I worked around my specific situation, but this needs to be
    fixed.  the winbindd auth module was causing delays.
  * fix named server mutex deadlock between trust domain auth module
    and winbindd looking up a uid
  * make sure SAM_ACCOUNT gets stored in the server_info struct for the
    _net_sam_logon() reply.

Configuration details:

The recommended method for supporting trusts is to use winbind.
The gets us around some of the server mutex issues as well.

  * set 'files winbind' for passwd: and group: in /etc/nsswitch.conf
  * create domain trusts like normal
  * join winbind on the pdc to the Samba domain using 'net rpc join'
  * add normal parameters to smb.conf for winbind
  * set 'auth method = guest sam winbind'
  * start smbd, nmbd, & winbindd

Problems that remain:

  * join a Windows 2k/XP box to a Samba domain.
  * create a 2-way trust between the Samba domain
    and an NT domain
  * logon to the windows client as a user from theh trusted
    domain
  * try to browse server in the trusted domain (or other
    workstations).  an NT client seems to work ok, but 2k
    and XP either prompt for passwords or fail with errors.

apparanently this never got tested since no one has ever been
able to logon as a trusted user to a Samba domain from a Windows
client.
(This used to be commit f804b590f9)
2003-06-29 03:39:50 +00:00
Gerald Carter
8a6fc79ad8 add check for NT_STATUS_NOT_IMPLEMENTED in auth check so that
map to guest = bad user works again when "trustdomain" is listed
as last auth method.

Also clean up some more DC location calls.
(This used to be commit 77a5b1032f)
2003-06-28 08:29:42 +00:00
Gerald Carter
b2fbc05c6b cleaning up after the s/in_addr/ip_service/ switch for the get_dc_list() patch
(This used to be commit 303fdc516c)
2003-06-28 08:24:32 +00:00
Jeremy Allison
0e983b32fd Some const correctness. Stop tdb being used as a remote backend. If an
idmap backend is specified cause smbd to ask winbindd (use winbindd if
you want a consistant remote backend solution).
Should work well enough for next beta now...
Jeremy.
(This used to be commit 8f830c509a)
2003-06-27 20:55:48 +00:00
Jeremy Allison
8d31403fe8 Add include guards around idmap.h, change ID_NOMAP to ID_QUERY_ONLY
and ID_CACHE to ID_CACHE_SAVE. Added locking around tdb writes & deletes
for multi-process access.
Jeremy.
(This used to be commit 5b998cdc1d)
2003-06-26 23:48:46 +00:00
Jeremy Allison
b57805dd9b As has been pointed out, ordering here doesn't matter so use normal
add.
Jeremy.
(This used to be commit 030b35ca0f)
2003-06-26 18:26:52 +00:00
Jelmer Vernooij
dde593e190 Remove the MODULES_CLEAN variable. It's no longer necessary since
object files for modules are in .po files, while object files for
static use are in .o files. Pointed out by metze.

This reduces the number of files that have to be recompiled after the Makefile
changes. Preventing unnecessary recompiling of the other few is high
on my todo list.
(This used to be commit b9b46d43c7)
2003-06-26 17:33:58 +00:00
Jelmer Vernooij
29674c7fa6 Move up intialisation of logging, so we catch errors in handling 'preload modules'
(This used to be commit 13b81d0d92)
2003-06-26 17:29:09 +00:00
Alexander Bokovoy
d4ec979948 Document name resolve order suggested settings for security=ads as mentioned by Jerry
(This used to be commit 0413385feb)
2003-06-26 08:12:47 +00:00
Gerald Carter
7a4e38155d cleaning up more build issues. Tested
"--with-ads=no --with-ldap=yes" and "--with-ads=yes && make everything"
(This used to be commit 3e9e4bb7d1)
2003-06-26 05:26:20 +00:00
Jeremy Allison
e362f3d581 Fix immediate bug where the idmap can't tell the difference between an entry
not being present (and so allocate another) and an entry that is present but
of the wrong type. This code still has major problems...
Jeremy.
(This used to be commit a304bc5ff1)
2003-06-26 00:19:57 +00:00
Jelmer Vernooij
4d468c1c00 Add netlogon debug registry key info
(This used to be commit ffaddd8202)
2003-06-25 20:58:33 +00:00
Gerald Carter
88f1591216 fix linking of some things that are not built by default
(This used to be commit 42133092a4)
2003-06-25 20:16:53 +00:00
Gerald Carter
f414539d86 ifdef out some functions that are not used when HAVE_ADS is not defined
(This used to be commit 2d192e0431)
2003-06-25 19:49:27 +00:00
Gerald Carter
99a467662a fix build on non-ldap platforms
(This used to be commit a59ea1d6d3)
2003-06-25 19:39:16 +00:00
Jeremy Allison
0118f6b417 Ensure idmap backends are added in the correct order (DLIST_ADD puts
things at the *front* of the list). Add more debug. Still broken.. :-(.
Jeremy.
(This used to be commit dd9251e6f5)
2003-06-25 19:01:17 +00:00
Gerald Carter
72876b79c9 * fix typos in a few debug statements
* check negative connection cache before ads_try_connect()
  in ads_find_dc()
(This used to be commit 2a76101a3a)
2003-06-25 19:00:15 +00:00
Gerald Carter
9e2f008bb9 forgot one file
(This used to be commit ef978bd851)
2003-06-25 18:08:00 +00:00
Gerald Carter
f51d769dd3 large change:
*)  consolidates the dc location routines again (dns
    and netbios)  get_dc_list() or get_sorted_dc_list()
    is the authoritative means of locating DC's again.

    (also inludes a flag to get_dc_list() to define
     if this should be a DNS only lookup or not)

    (however, if you set "name resolve order = hosts wins"
     you could still get DNS queries for domain name IFF
     ldap_domain2hostlist() fails.  The answer?  Fix your DNS
     setup)

*)  enabled DOMAIN<0x1c> lookups to be funneled through
    resolve_hosts resulting in a call to ldap_domain2hostlist()
    if lp_security() == SEC_ADS

*)  enables name cache for winbind ADS backend

*)  enable the negative connection cache for winbind
    ADS backend

*)  removes some old dead code

*)  consolidates some duplicate code

*)  moves the internal_name_resolve() to use an IP/port pair
    to deal with SRV RR dns replies.  The namecache code
    also supports the IP:port syntax now as well.

*)  removes 'ads server' and moves the functionality back
    into 'password server' (which can support "hostname:port"
    syntax now but works fine with defaults depending on
    the value of lp_security())
(This used to be commit d7f7fcda42)
2003-06-25 17:41:05 +00:00
Andrew Bartlett
eb61c82382 Patch to move functions directly from pdb_ldap.c into lib/smbldap.c
The functions are unchanged.  Next step is to make idmap_ldap use them.

Andrew Bartlett
(This used to be commit 57617a0f8c)
2003-06-25 12:51:58 +00:00
Tim Potter
23c45a79d0 Metze assures me that this will fix Heimdal et al.
I think the lesson to take away here is that refactoring configure.in
is a hazardous task and should only be attempted if you have a lot
of time and patience!
(This used to be commit 5ba121ac9d)
2003-06-25 12:20:29 +00:00
Volker Lendecke
e65b68b131 Fix a warning in a DEBUG
Clean up the init a little bit, less nested if-statements.

Agreed upon with Simo.

Volker
(This used to be commit fdcfefd7f1)
2003-06-25 10:18:22 +00:00
Simo Sorce
d993c171b2 Tought I already done.
Set back 3.0 to use only winbindd_idmap.tdb as idmap database as told on
samba-technical.
Tested and working so far.
(This used to be commit e154e50fed)
2003-06-25 08:15:51 +00:00
Tim Potter
86c9ba789c Only append to KRB5_LIBS when doing AC_CHECK_LIB for libkrb5.
I think we are done with MIT Kerberos for the moment.  The Heimdal detection
looks like it has been broken for ages so it's next on the list.
(This used to be commit 7690a722f9)
2003-06-25 02:24:48 +00:00
Tim Potter
1bc691069b Don't trash the values of CFLAGS and LIBS while engaged in Kerberos
detection.  On Solaris 9 extra libraries -lber and -lresolv are
required for Kerberos tests.  We used to have an extra check for
-lresolv only but I think the correct solution is not to forget about it
in the first place.

This should fix bug #125 although I don't have access to a
system to test it out on.
(This used to be commit 4ddfab4a57)
2003-06-25 01:33:27 +00:00
Jeremy Allison
911fbd5cdb More debugs for this... (these should have been here already !).
Jeremy.
(This used to be commit a118648d95)
2003-06-25 00:28:46 +00:00
Jeremy Allison
dba0005a9d More instrumentation tracking down this bug...
Jeremy.
(This used to be commit 705915d9f7)
2003-06-25 00:11:38 +00:00
Jeremy Allison
b5e2d8db28 Start to instrument this code as I try and track down a nasty bug that
causes mapping to dissapear...
Jeremy.
(This used to be commit bdffc81c9d)
2003-06-25 00:02:17 +00:00
Jeremy Allison
45f472ba21 Sequence number was not getting updated with ldap hack. Only a bug in this
branch.
Jeremy.
(This used to be commit 19629b41cb)
2003-06-24 23:07:26 +00:00
Jeremy Allison
11e6203896 Explain why winbindd is exiting.
Jeremy.
(This used to be commit a411923aa2)
2003-06-24 20:54:32 +00:00
Andrew Bartlett
137265b806 Fix pdb_ldap segfaults, and wrong default values for ldapsam_compat.
Reviewed by vl, metze.

Andrew Bartlett
(This used to be commit 9804ad458a)
2003-06-24 14:23:34 +00:00
Simo Sorce
a34ba41ae5 do not forget the include file :-)
(This used to be commit 73e13b9baf)
2003-06-24 14:02:57 +00:00
Simo Sorce
52826c034e add tdb backup function separation and winbind idmap upgrade code form
pre-2.2.4 tdb database format.

tx volker for your work on this
(This used to be commit 2bdbeb9e97)
2003-06-24 14:02:21 +00:00
Tim Potter
52e4b4d5ab More tuning of Kerberos detection - don't fall through to detect kerberos libs
when we have already decided that we can't do it.
(This used to be commit db792ed530)
2003-06-24 07:46:26 +00:00
Tim Potter
200af4e84c More sensible behaviour for bug 152. If we don't have krb5.h and were explicitly
configured using --with-ads then give an error, otherwise fall back to compiling
without ADS.

Tested on redhat 8.0 with and without MIT kerberos packages installed.  Metze,
let me know if this is working OK for you now!
(This used to be commit 7ea81535b8)
2003-06-24 05:31:08 +00:00
Jeremy Allison
98689251bb Fixes from Martin Dorey <mdorey@bluearc.com> to only ask for and change
the requested parts of the ACL.
Jeremy.
(This used to be commit c35a88201c)
2003-06-24 01:09:36 +00:00
Jeremy Allison
4f99186f6b Move the map acl inherit parameter into the protocol section.
Jeremy.
(This used to be commit 076d9a3c9b)
2003-06-24 00:58:54 +00:00
Jeremy Allison
e4169c57a4 Add documentation for "map acl inherit" parameter.
Jeremy.
(This used to be commit a97f25c785)
2003-06-23 23:02:49 +00:00
Jeremy Allison
951710b60d Fixed the merge_default_aces() code to work correctly with inheritance.
Hopefully will fix jcmd bugs :-).
Jeremy.
(This used to be commit 482e6c79ed)
2003-06-23 20:24:08 +00:00
Gerald Carter
f36c96d59c * s/get_dc_name/rpc_dc_name/g (revert a previous change)
* move back to qsort() for sorting IP address in get_dc_list()

* remove dc_name_cache in cm_get_dc_name() since it slowed
  things down more than it helped.  I've made a note of where
  to add in the negative connection cache in the ads code.
  Will come back to that.

* fix rpcclient to use PRINTER_ALL_ACCESS for set printer (instead
  of MAX_ALLOWED)

* only enumerate domain local groups in our domain

* simplify ldap search for seqnum in winbindd's rpc backend
(This used to be commit f8cab8635b)
2003-06-23 19:05:23 +00:00
Gerald Carter
d21358308a wrap group enuemration in brcome/unbecome_root() (bug #110)
(This used to be commit 3918fffc7f)
2003-06-23 18:29:09 +00:00
Gerald Carter
7356d558ff fix typo (bug #170)
(This used to be commit d376b67de9)
2003-06-23 18:27:59 +00:00
Gerald Carter
fb82535d1f fix bug #178; available space in devmode should be int
(This used to be commit 944480b89a)
2003-06-23 17:47:25 +00:00
Andrew Tridgell
fd87564eec lp_security() is a function not an integer
(This used to be commit 71907f32ba)
2003-06-23 06:38:19 +00:00