mirror of https://github.com/samba-team/samba.git synced 2025-02-07 01:58:28 +03:00

1769 Commits

Author SHA1 Message Date
Michael Adam
7637c93472 s3:winbindd: use wb_sids2xids instead of wb_sid2uid in winbindd_sid_to_uid
The main purpose of the change is to hand the sid into the
idmap backend and hand responsibility for handling the
sid-type correctly to the idmap backend instead of failing
directly when the sid is not of type user.

Hence backends like rid, which are sid-type agnostic, can
return uids also for sids of other types. This is an important
fix to make sid_to_uid behave consistently with and without
the presence of cache entries.

We need to additionally filter the result for id type UID
or more general (BOTH) to keep the behaviour.

This is a step towards using only one codepath to id_mapping.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:21 +01:00
Michael Adam
8e5ce1e2d5 s3:winbindd: factor winbindd_sids_to_xids into external and internal part
- external part takes winbindd request/response structs (with sid strings)
- internal part takes sid lists

The new internal part implements functions wb_sids2xids_* that are
moved into the new module wb_sids2xids.c.

The purpose of this change is to use wb_sids2xids in winbindd_sid_to_uid
and winbindd_sid_to_gid instead of the currently used wb_sid2uid and wb_sid2gid.
We should just have one code path into id mapping and not several that behave
differently.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:21 +01:00
Michael Adam
c58c68d5ba s3:winbindd: convert some spaces to tabs in winbindd_sids_to_xids_send()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:21 +01:00
Michael Adam
349b9ac052 s3:winbindd: add explaining comment winbindd_sids_to_xids_send()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:21 +01:00
Michael Adam
be033a1d16 s3:winbindd: factor lsa_SidType_to_id_type() out of winbindd_sids_to_xids_lookupsids_done()
for readability

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:20 +01:00
Michael Adam
b435e668aa s3:winbindd: simplify winbindd_sids_to_xids_recv() a bit.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:20 +01:00
Michael Adam
3f0c31fbd3 s3:winbindd:util: add a comment explaining the function parse_sidlist()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:20 +01:00
Günther Deschner
4a73adf6e5 s3-winbind: use new reconnect logic in rpc_lookup_sids() also.
Volker, please check.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2012-11-30 11:49:56 +01:00
Günther Deschner
7a49c96693 s3-winbindd: rework reconnect logic in winbindd_lookup_names().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2012-11-30 11:49:53 +01:00
Günther Deschner
cd51774316 s3-winbindd: rework reconnect logic in winbindd_lookup_sids().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2012-11-30 11:49:50 +01:00
Günther Deschner
82ace10492 s3-winbindd: remove lookup_sids_fn_t.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2012-11-30 11:49:47 +01:00
Günther Deschner
d9243815b4 s3-winbindd: remove lookup_names_fn_t.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2012-11-30 11:49:44 +01:00
Günther Deschner
7bd9a3b86f s3-winbindd: add cm_connect_lsat().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2012-11-30 11:49:34 +01:00
Andreas Schneider
cb0064d35c BUG 9436: Fix leaking sockets of SMB connections to a DC.
As this is a burst of 3 unbound sockets with each try to reach a DC
we're running out of file descriptors pretty fast. So winbind is then
mostly spinning in an accept loop failing with EMFILE.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jim McDonough <jmcd@samba.org>

Autobuild-User(master): Jim McDonough <jmcd@samba.org>
Autobuild-Date(master): Wed Nov 28 17:17:21 CET 2012 on sn-devel-104
2012-11-28 17:17:20 +01:00
Volker Lendecke
ed68f75b67 s3: Do not free a string where we should not
Reviewed by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Nov 26 22:03:05 CET 2012 on sn-devel-104
2012-11-26 22:03:05 +01:00
Volker Lendecke
db68915a4e s3: Do not free a string where we should not
Reviewed by: Jeremy Allison <jra@samba.org>
2012-11-26 11:14:15 -08:00
Andreas Schneider
3b01dd5f59 s3:winbind: BUG 9386: Failover if netlogon pipe is not available.
Samba continues to query a broken DC while the DC has not finished
rebuilding Sysvol (after a Windows crash, for example). It causes end users
to receive strange codes while trying to authenticate, even if there is
a secondary DC available.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Nov 12 18:57:18 CET 2012 on sn-devel-104
2012-11-12 18:57:18 +01:00
David Disseldorp
9195792a38 Revert "s3-winbindd: make sure we obey the -n switch also for samlogon cache access."
This reverts commit ae6a779bf9f816680e724ede37324b7f5355996b.

Bug 9125 analysis from Volker:

The problem is that there are no network calls possible at all that
would do what the samlogon cache does for us. There is just no way to
retrieve the group membership in a complex trusted environment. If you
have just a single domain with Samba as domain controller it might be
possible, but even within a single domain it is not possible to
correctly retrieve all group memberships using LDAP calls due to ACLs on
directory objects. The call to get that is called NetSamLogon on the
NETLOGON pipe. But this call requires user credentials and might trigger
updating counts on the server. So to correctly implement wbinfo -r after
a user has logged in, you have two alternatives: Save the info3 struct
or the PAC in the netsamlogon cache. If you insist on doing network
calls, you need to cache the user credentials somewhere to re-do the
NetSamLogon call every time the wbinfo -r is requested.

Reviewed-by: Andreas Schneider <asn@samba.org>
2012-11-09 16:41:05 +01:00
Stefan Metzmacher
2a3eb641fe s3:winbindd: use PROTOCOL_LATEST instead of PROTOCOL_SMB2_02 (bug #9175)
We should use the latest supported dialect.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Thu Nov  1 18:11:27 CET 2012 on sn-devel-104
2012-11-01 18:11:26 +01:00
Stefan Metzmacher
45105afffc s3:winbindd: disconnection after getting NETWORK_SESSION_EXPIRED (bug #9175)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-01 16:27:14 +01:00
Michael Adam
f853c17929 s3:winbindd:cache: fix offline logons with cached credentials (bug #9321)
The removal of consumption of the time field from the centry
as "removal of unused variable" in 21528da9cd12a4f5c3792a482a5d18fe946a6f7a
had the side effect of changing the offset for reading the following
nt password hash, so the read password hash was wrong.

This patch re-installs the consumption of the time,
thereby fixing the bug without changing the disk format of the cache.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-11-01 16:11:05 +01:00
Volker Lendecke
96356219d6 s3: Remove a call to procid_self()
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Oct 19 23:15:04 CEST 2012 on sn-devel-104
2012-10-19 23:15:04 +02:00
Volker Lendecke
d2069eb677 s3: Add "msg_ctx" param to winbindd_register_handlers() 2012-10-19 21:29:14 +02:00
Volker Lendecke
cf1d69ae0b s3: Make winbindd_register_handlers static 2012-10-19 21:29:13 +02:00
Günther Deschner
837f47d630 s3-winbindd: Adjust error code loop logic in rpc_trusted_domains().
Guenther

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Sat Sep 29 00:34:04 CEST 2012 on sn-devel-104
2012-09-29 00:34:03 +02:00
Sumit Bose
8e53b9dd51 s3-winbindd: Allow DNS resolution of trusted domains if DNS name is available
Signed-off-by: Günther Deschner <gd@samba.org>
2012-09-28 22:44:08 +02:00
Volker Lendecke
aad669b53e s3: Fix some blank line endings
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Sep 27 07:57:03 CEST 2012 on sn-devel-104
2012-09-27 07:57:03 +02:00
Christian Ambach
f767059911 s3:winbindd fix a compiler warning
about type potentially being used uninitialized

Autobuild-User(master): Christian Ambach <ambi@samba.org>
Autobuild-Date(master): Mon Sep 24 03:49:53 CEST 2012 on sn-devel-104
2012-09-24 03:49:53 +02:00
Christian Ambach
1b5256c184 s3:winbindd fix a compiler warning
about result being potentially uninitialized
2012-09-22 23:22:47 +02:00
Andrew Bartlett
fe2071cd3b build: Fix enabled handling for HAVE_LDAP, we need to use bld.CONFIG_SET
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Sep 22 09:09:17 CEST 2012 on sn-devel-104
2012-09-22 09:09:16 +02:00
Christof Schmitt
1bc2f28b94 winbind: Extend wbcAuthenticateUserEx to provide PAC
With this new interface, external applications that have authenticated
to an ADS can pass the PAC from the Kerberos ticket to
wbcAuthenticateUserEx. winbindd decodes and extracts the info3
information for the external application. If winbindd can verify the PAC
signature, the info3 from the PAC is also added to the netsamlogon_cache.

The info3 data can be used by the external application to get the uid
and primary gid. The data in netsamlogon_cache allows retrieval of the
complete group list through the NSS function getgrouplist.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-09-20 19:49:32 -07:00
Michael Adam
38994f6ff3 s3:winbind:idmap_tdb_common: improve readability of assignment by adding an "if"
in idmap_tdb_common_sids_to_unixids()
2012-09-20 05:20:38 +02:00
Michael Adam
d1de2b4d39 s3:winbind:idmap_tdb_common: improve readability of assignment by adding an "if"
in idmap_tdb_common_unixids_to_sids()
2012-09-20 05:20:38 +02:00
Volker Lendecke
03055af9b2 s3: Fix idmap_hash
Calling be_init with NULL safely crashes, because we dereference NULL. We
don't need to call it here, this is called in all workers anyway. Thanks
to Jiri Sasek <jiri.sasek@oracle.com> for finding this.

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Sep 20 05:03:54 CEST 2012 on sn-devel-104
2012-09-20 05:03:54 +02:00
Alexander Bokovoy
86a4ca2864 s3: make smbldaphelper subsystem an internal library
Break the pdb_ldap -> smbldaphelper -> pdb -> pdb_ldap loop by
making smbldaphelp an intentionally underlinked internal library.

It means that libsmbldaphelp is not usable unless its user is
also linked to libpdb (that is the case for both its users,
idmap_ldap and pdb_ldap, already) but gives us a break of
the circular dependency in case pdb_ldap is statically linked
into pdb (default).

This should solve the case when idmap_ldap and pdb_ldap are dynamically
loaded modules.

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Fri Sep 14 01:02:21 CEST 2012 on sn-devel-104
2012-09-14 01:02:21 +02:00
Alexander Bokovoy
be7a856f5b s3: make ldapsam-related functions a smbldaphelper subsystem
Since these functions are used in pdb_ldap and idmap_ldap, and
pdb_ldap might be statically linked to libpdb (default), it is
better to keep them as separate subsystem to avoid polluting libpdb
namespace.

This is the first step in refactoring libpdb. Right now I cannot move
these functions into a proper libsmbldaphelper as it uses more of the
libpdb-included functions, and linking pdb_ldap against the libsmbldaphelper
library would have created a loop if pdb_ldap is included into libpdb.

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Thu Sep 13 17:36:07 CEST 2012 on sn-devel-104
2012-09-13 17:36:07 +02:00
Simo Sorce
893b213876 Avoid overriding default ccache for ads operations.
Avoid overriding default ccache for ads operations.

Nowadays various samba components may need to use GSSAPI and a default cred
cache to perform their tasks.
This code was completely overriding the whole process default ccache name, thus
altering the current credentials and sometimes hijacking them (or getting
preemptively hijacked).

By using gss_krb5_import_cred we can instead use a private ccache (necessary
sometimes to use a different set of credentials from the default
cifs/fqdn@realm one, for example when contacting foreign DCs using trust
credentials) that does not affect the rest of the process.

For the kerberos versions which don't have gss_krb5_import_cred
we fall back to a temporary override of KRB5CCNAME and gss_acquire_cred.

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Sep 12 21:18:09 CEST 2012 on sn-devel-104
2012-09-12 21:18:09 +02:00
Andreas Schneider
b6576686f9 docs: Move idmap manpage to their old location.
This wasn't planned and slipped through, sorry.

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Sep 11 14:28:53 CEST 2012 on sn-devel-104
2012-09-11 14:28:52 +02:00
Alexander Bokovoy
140bb288be s3-smbldap: use smbldap_ prefixed functions 2012-09-07 12:31:42 +02:00
Andreas Schneider
18eb505b89 wafsamba: Add support for manpages in SAMBA_MODULE. 2012-09-07 10:48:57 +02:00
Andreas Schneider
3390d9902a s3-winbind: DON'T PANIC if we couldn't find the domain.
If we don't have a connection to a trusted domain but still try to do a
lookup we shouldn't segfault.

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Sep  4 18:16:06 CEST 2012 on sn-devel-104
2012-09-04 18:16:06 +02:00
Andrew Bartlett
8c71dc3505 param: Add startup checks for valid server role/binary combinations
This should eliminate confusion from our users about what they can
expect to successfully run.

Andrew Bartlett
2012-08-23 15:02:26 +02:00
Jeremy Allison
c84e6aebc2 Fix bug #9098 - winbind does not refresh kerberos tickets.
Based on work from Ian Gordon <ian.gordon@strath.ac.uk>.

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Aug 21 22:01:15 CEST 2012 on sn-devel-104
2012-08-21 22:01:15 +02:00
Herb Lewis
21e67bdcee Fix bug #9104 - winbindd can mis-identify idle clients - can cause crashes and NDR parsing errors.
A connection is idle when both struct winbindd_cli_state->request AND
struct winbindd_cli_state->response are NULL. Otherwise we can flag
as idle a connection in the state of having sent the request to
the winbindd child (request != NULL) but not yet received a reply
(response == NULL).

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Aug 21 01:31:46 CEST 2012 on sn-devel-104
2012-08-21 01:31:46 +02:00
Christof Schmitt
bd23c8f1ce s3-winbind: Return the DC name from DC_PING
The DC that was attempted to ping is useful for troubleshooting. Return
the DC name in the response to the wbclient.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-08-15 11:44:42 +10:00
Christof Schmitt
7baa7091b7 s3-winbind: Pass ping-dc result to client
The client checks for an error code in response.data.auth.nt_status,
make sure the result is stored there.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-08-15 11:44:42 +10:00
Jeremy Allison
aaeb3f5d9b Ensure we update last_access on the winbindd child struct on each request. 2012-08-13 10:35:41 -07:00
Jeremy Allison
b70f23c2b5 Correctly check for errors in strlower_m() returns. 2012-08-09 12:08:18 -07:00
Jeremy Allison
526e875cec Check error returns from strupper_m() (in all reasonable places). 2012-08-09 12:06:54 -07:00
Andrew Bartlett
f3562424b6 lib/param: Move all enum declarations to lib/param
This is in preparation for the parameter table being made common.

Andrew Bartlett

Pair-Programmed-With: Andrew Tridgell <tridge@samba.org>
2012-07-24 11:01:17 +02:00