*) consolidates the dc location routines again (dns
and netbios) get_dc_list() or get_sorted_dc_list()
is the authoritative means of locating DC's again.
(also includes a flag to get_dc_list() to define
if this should be a DNS only lookup or not)
(however, if you set "name resolve order = hosts wins"
you could still get DNS queries for domain name IFF
ldap_domain2hostlist() fails. The answer? Fix your DNS
setup)
*) enabled DOMAIN<0x1c> lookups to be funneled through
resolve_hosts resulting in a call to ldap_domain2hostlist()
if lp_security() == SEC_ADS
*) enables name cache for winbind ADS backend
*) enable the negative connection cache for winbind
ADS backend
*) removes some old dead code
*) consolidates some duplicate code
*) moves the internal_name_resolve() to use an IP/port pair
to deal with SRV RR dns replies. The namecache code
also supports the IP:port syntax now as well.
*) removes 'ads server' and moves the functionality back
into 'password server' (which can support "hostname:port"
syntax now but works fine with defaults depending on
the value of lp_security())
(This used to be commit d7f7fcda42)
I think the lesson to take away here is that refactoring configure.in
is a hazardous task and should only be attempted if you have a lot
of time and patience!
(This used to be commit 5ba121ac9d)
Set back 3.0 to use only winbindd_idmap.tdb as idmap database as told on
samba-technical.
Tested and working so far.
(This used to be commit e154e50fed)
I think we are done with MIT Kerberos for the moment. The Heimdal detection
looks like it has been broken for ages so it's next on the list.
(This used to be commit 7690a722f9)
detection. On Solaris 9 extra libraries -lber and -lresolv are
required for Kerberos tests. We used to have an extra check for
-lresolv only but I think the correct solution is not to forget about it
in the first place.
This should fix bug #125 although I don't have access to a
system to test it out on.
(This used to be commit 4ddfab4a57)
configured using --with-ads then give an error, otherwise fall back to compiling
without ADS.
Tested on redhat 8.0 with and without MIT kerberos packages installed. Metze,
let me know if this is working OK for you now!
(This used to be commit 7ea81535b8)
* move back to qsort() for sorting IP address in get_dc_list()
* remove dc_name_cache in cm_get_dc_name() since it slowed
things down more than it helped. I've made a note of where
to add in the negative connection cache in the ads code.
Will come back to that.
* fix rpcclient to use PRINTER_ALL_ACCESS for set printer (instead
of MAX_ALLOWED)
* only enumerate domain local groups in our domain
* simplify ldap search for seqnum in winbindd's rpc backend
(This used to be commit f8cab8635b)
* Fix code to use winbind_rpc methods for trusted mixed mode or NT4 domains
( does no one ever test this? )
* add in LDAP code to get the sequence number for rpc based seqnum update.
( this is needed if the DC is upgraded and samba is not reconfigured
to use security = ads; it's not pretty but it works (from app_head) )
* fix bug that caused us to enumerate domain local groups in domains
other than our own
(This used to be commit 14f2cd139a)
As abartlet reminded me, NT_STATUS_IS_ERR != !NT_STATUS_IS_OK
This patch will cure the problem.
Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is
used correctly, but I'm not 100% sure, coders should check the use of
NT_STATUS_IS_ERR() in samba is ok now.
Simo.
(This used to be commit c501e84d41)
groupmap'. The correct way to implement this stuff is via a function
table, as exampled in all the other parts of 'net'.
This also moves the idmap code into a new file. Volker, is this your
code? You might want to put your name on it.
Andrew Bartlett
(This used to be commit 477f2d9e39)
The idea here is to eliminate the need to *set* the 'HWM' (High Water
Mark) in the tdb. Instead, each caller wanting to add an item to the
TDB uses the fact that an insert will *fail* if entry already exists.
More importantly, this means that we don't need to know the value of the
idmap uid/gid values when setting arbitrary entries, which can occur on
an smb.conf without such values specified.
Then all we need to do is loop until we get an id that will insert.
This means that the HWM does not need to be accurate, and we can have
IDs allocated safely above the HWM.
Setting the HWM to an arbitrary value was racy in the past - now we
don't even do it.
This patch also adds paranoia in reading the tdb - both the entry, and
its reverse entry must be present. This means that we don't need to
'clean up' after an abnormal failure (which would probably fail too),
instead we rely on readers to ignore the half-completed entry. The way
this is done will allow SIDs to then be allocated an ID when things are
normal again.
Andrew Bartlett
(This used to be commit 74709e159c)
This replaces the universal group caching code (was originally
based on that code). Only applies to the RPC code.
One comment: domain local groups don't show up in 'getent group'
that's easy to fix.
Code has been tested against 2k domain but doesn't change anything
with respect to NT4 domains.
netsamlogon caching works pretty much like the universal group
caching code did but has had much more testing and puts winbind
mostly back in sync between branches.
(This used to be commit aac01dc7bc)
and pdb_ldap.
So far, it's just a function rename, so that the next patch can be a very
simple matter of copying functions, without worrying about what changed
in the process.
Also removes the 'static' pointers for the rebind procedures, replacing them
with a linked list of value/key lookups. (Only needed on older LDAP client
libs)
Andrew Bartlett
(This used to be commit f93167a7e1)
this doesn't need to be done explicitly in the Kerberos checks.
Also there was a duplicate AC_CHECK_LIB(resolv, dn_expand) which is done
early on in the configure process.
(This used to be commit fa66e2e1e1)
if available. Adds new parameter "map acl inheritance" (docs coming soon)
off by default. Allows W2K acl inheritance dialogs to work correctly on
POSIX acls.
Jeremy.
(This used to be commit a83595e80a)
The code was nice, but put in the wrong place (group mapping) and not
supported by most of the code, thus useless.
We will put back most of the code when our infrastructure will be changed
so that privileges actually really make sense to be set.
This is a first patch of a set to enhance all our mapping code cleanness and
stability towards a sane next beta for 3.0 code base
Simo.
(This used to be commit e341e7c49f)
--set-auth-user. There was enough confusion, as in bug #158,
when a user accidentally typed -A instead of -a, and would get themselves
stuck with a non-working winbind.
I've made the changes to docs/docbook/manpages/wbinfo.xml, but I'm not
sure what to do beyond that. Is checking that in enough?
(This used to be commit 70fe85e469)
Everybody who calls get_global_sam_sid expects this to return non-NULL, and
there are way too many places where this is called.
Volker
(This used to be commit 2dfa896e6f)
Simo, I remember you complaining about a memleak there, could it be
this one, or did you resolve it at that time?
Volker
(This used to be commit c660595ded)
a NT4 domain as a BDC with an existing workstation account (existing
bdc is fine), we fail. Print a friendly error message in this case.
The correct solution would probably be to delete the account and try
again. But even this makes us better than NT: NT4 fails in this
situation with an empty warning message box and an unusable BDC. It
has unsuccessfully tried to suck down the domain database, and thus
has no administrator account to log in after reboot....
Volker
(This used to be commit 1ddeea2179)
module. Use "wins" as the nss name to invoke this behaviour.
Also, fixed nsstest so it doesn't segfault when a nss function can't
be dlopened(). Log an error and abort the test gracefully instead.
(This used to be commit 66bafbe371)
There are lots of things wrong with this patch, including:
1) it overrides a user chosen configuration option
2) it adds lots of complexity inside a loop when a tiny piece of code
outside the loop would do the same thing
3) it does no error checking, and is sure to crash on some systems
If you want this functionality then try something like this at the end
of charset_name():
#ifdef HAVE_NL_LANGINFO
	if (strcasecmp(ret, "LOCALE") == 0) {
		const char *ln = nl_langinfo(CODESET);
		if (ln) {
			DEBUG(5,("Substituting charset '%s' for LOCALE\n", ln));
			return ln;
		}
	}
#endif
then users can set 'display charset = LOCALE' to get the locale based
charset. You could even make that the default for systems that have
nl_langinfo().
(This used to be commit 382b9b806b)
Samba should preferentially use the locale information from the native system,
and only fall back on 'display charset' if this is unavailable or unsupported.
(This used to be commit 1e445fb422)
the idmap and the SAM.
The basic idea is this: Lookup the user with GetPwnam(), and if they
exist then use that uid. This is what people expect. If the user does
not exist, try and run the right script.
This is also what people expect from previous Samba 3.0 behaviour, where
the Get_Pwnam() was at runtime.
If the idmap entry for this SID isn't valid, or isn't the right value,
modify the idmap to account for this mapping.
Also, the same logic is applied to the primary gid - if it has changed,
update the user's primary unix group.
This patch allows users to be added without a mapping - this is fine for
machine accounts, for example. I've given it a quick test against my
Win2k DC, and I *think* it's sane.
Andrew Bartlett
(This used to be commit d2a70bfff1)
that has been authenticated unmapped.
We need to make sure that every caller of idmap handles failure gracefully.
Volker
(This used to be commit 902d607b66)
from the PDC as a mapping to the uid we got from getpwnam in the
local idmap.
This should not be worse than the current state, so I decided to
commit it. It is different from abartlet's preliminary patch, but I
believe this is the better solution. Feel free to comment and/or
revert it.
Volker
(This used to be commit 0c16965e6f)
**********************************************************
**** PLEASE TEST YOUR CHANGES BEFORE CHECKING THEM IN ****
**********************************************************
Jelmer, your change did not fix the -b option, it just made it not
segfault on debian. It did however add a warning and make it not
compile on some systems. It also gave the io_bufsize the value of a
pointer, not the value the user specified.
(this doesn't apply just to Jelmer, I'm just seeing rather too many
checkins from everyone lately where the code could never have possibly
worked, so was obviously checked in without testing)
(This used to be commit 21931ad7a0)
the "don't use bzero" macros.
In general I think it would be better to have a separate script that
checks for deprecated functions like these using grep rather than
using these cpp tricks. They just get us into trouble.
(This used to be commit 2a227c880d)
keep putting bzero BSD'ism's into our source code. Make this an error like
bcopy and others to prevent it in future.
Jeremy.
(This used to be commit 80d0432316)
fails to build on a ton of platforms as it completely bypasses all of
our portability code.
if you want it then use 'make bin/editreg'. If some distros want to
add that to their spec files then that's up to them, but we really
can't have non-portable code unconditionally built in our main tree.
(This used to be commit 3c66111f32)
have a primary ADS domain and a secondary (trusted) NT4 domain. This
caused winbindd to be *really* slow for that setup.
- fixed winbindd_getgrgid(), which was calling uid_to_sid instead of
gid_to_sid(). When you make changes to winbind *PLEASE* test using
nsstest.
(This used to be commit cdd9b60a07)
to NTLMSSP for SASL if krb5 fails. This is important as otherwise the
admin may think that a join has succeeded when kerberos is actually
broken.
(This used to be commit 23a6ea385c)
called. This is *essential* (and should be done on all the other cli_XX
rpc calls) to help debug winbindd problems remotely.
Jeremy.
(This used to be commit bc215612cb)
(this now causes things like the LANMAN protocol and contacting servers with 'encrypt passwords = no' set to fail, if configured)
'client ntlmv2 auth' (a BOOL) forces both plaintext and lanman off, and is the
most secure setting for compatible hosts.
Perhaps we should change this to 'client minimum auth'?
Andrew Bartlett
(This used to be commit e1fb681e4c)
* remove 'winbind uid' and 'winbind gid' parameters (replaced
by current idmap parameter)
* create the sambaUnixIdPool entries automatically in the 'ldap
idmap suffix'
* add new 'ldap idmap suffix' and 'ldap group suffix' parameters
* "idmap backend = ldap" now accepts 'ldap:ldap://server/' format
(parameters are passed to idmap init() function)
(This used to be commit 1665926281)
any extra bytes, not clobber region them - otherwise valgrind
thinks they are invalid on send() or write().
Jeremy.
(This used to be commit 8aa5f7a65c)
(to match win2003 behaviour)
- added the STR_TERMINATE_ASCII flag from samba4 so we can get the
string termination right for the case where it is supposed to be
non-terminated for UCS2 and terminated when ASCII
(This used to be commit 791a4cc7cf)