IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
The first is "kerberos method" and replaces the "use kerberos keytab"
with an enum. Valid options are:
secrets only - use only the secrets for ticket verification (default)
system keytab - use only the system keytab for ticket verification
dedicated keytab - use a dedicated keytab for ticket verification.
secrets and keytab - use the secrets.tdb first, then the system keytab
For existing installs:
"use kerberos keytab = yes" corresponds to secrets and keytab
"use kerberos keytab = no" corresponds to secrets only
The major difference between "system keytab" and "dedicated keytab" is
that the latter method relies on kerberos to find the correct keytab
entry instead of filtering based on expected principals.
The second parameter is "dedicated keytab file", which is the keytab
to use when in "dedicated keytab" mode. This keytab is only used in
ads_verify_ticket.
"getent group" used to fill the idmap cache with negative
cache entries for unmapped group sids.
Don't pass domain name unconditionally to idmap_sid_to_gid().
idmap_sid_to_gid() only creates new mappings (allocating
idmap backends tdb, tdb2, ldap...) when the domain name passed
in is "".
Note that it is _wrong_ to directly call the idmap_sid_to_gid()
functions here, in the main winbindd. The correct fix would be
to send a sid_to_gid request to winbindd itself, but this needs
more work to prepare the async mechanisms, and we nee a quick
fix for getent passwd now.
Michael
"getent passwd" used to fill the idmap cache with negative
cache entries for unmapped user sids.
Don't pass domain name unconditionally to idmap_sid_to_[ug]id().
idmap_sid_to_[ug]id() only creates new mappings (allocating
idmap backends tdb, tdb2, ldap...) when the domain name passed
in is "".
Note that it is _wrong_ to directly call the idmap_sid_to_[ug]id()
functions here, in the main winbindd. The correct fix would be
to send a sid_to_[ug]id request to winbindd itself, but this needs
more work to prepare the async mechanisms, and we nee a quick
fix for getent passwd now.
Michael
This is a sample for other accesses to pdb to go via samr. The goal is to
access passdb only via srv_samr_nt.c. If that is done, then we can easily swap
in another samr implementation like for example samba4's via a unix domain
socket.
The idea of this is that all client utils like smbpasswd and also for example
"net join" do not access our internal databases like passdb and secrets.tdb
directly anymore but pass everything throught the well-established RPC
interfaces.
The way you use this is the following: With rpc_cli_smbd_conn_init() or its
async variant you initialize a "struct rpc_cli_smbd_conn". This structure is
the link to a freshly forked smbd, ready to be used for RPC services. You
should only ever have one such structure in your program. More don't hurt, but
are plainly unnecessary.
If you want to use the SAMR pipe to change a passwort, you connect to that pipe
with rpc_pipe_open_local. Do you normal rpccli_samr calls on that and your
locally forked smbd will connect to passdb for you.
GD, this might make the distinction between the _l and _r calls in libnetapi
mostly unnecessary. At least it is intended to do so... :-)
