IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Nov 6 13:43:45 CET 2015 on sn-devel-104
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May 6 07:03:27 CEST 2015 on sn-devel-104
There are places in the code where we're not checking that alt_name is NULL
and then calling into the DC lookup code with a NULL name request. This can
happen in offline mode.
Fixes bug #10717 - Winbind crash on losing VPN connection
https://bugzilla.samba.org/show_bug.cgi?id=10717
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Sep 15 23:29:00 CEST 2014 on sn-devel-104
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Aug 30 06:10:36 CEST 2014 on sn-devel-104
When authenticating users in a trusted domain, the idmap_ad module
always connects to a local DC instead of one in the trusted domain.
Fix this by passing the correct realm to connect to.
Also Comment parameters passed to ads_cached_connection_connect
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This makes use more consistent with security=domain as well where the gecos
field is also filled using the displayName field.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
The reason for this followup query is that very often the samlogon cache only
contains a info3 netlogon user structure that has been retrieved during a
netlogon samlogon authentication using "network" logon level. With that logon
level only a few info3 fields are filled in; the user's fullname is never filled
in that case. This is problematic when the cache is used to fill in the user's
gecos field (for NSS queries). When we have retrieved the user's fullname during
other queries, reuse it from the other caches.
Thanks to Matt Rogers <mrogers@redhat.com>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
Guenther
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Failure in ads_search_retry() deallocates the memory occupied
by "ads" which should not be used after.
CID: 242096
Signed-off-by: Santosh Kumar Pradhan <spradhan@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
This prevents segfaults when e.g. a previous SMB_STRDUP failed..
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Aug 29 18:54:28 CEST 2013 on sn-devel-104
Otherwise there is a good chance the domain has not been connected and we don't
know the realm name yet.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
This reverts commit ae6a779bf9f816680e724ede37324b7f5355996b.
Bug 9125 analysis from Volker:
The problem is that there are no network calls possible at all that
would do what the samlogon cache does for us. There is just no way to
retrieve the group membership in a complex trusted environment. If you
have just a single domain with Samba as domain controller it might be
possible, but even within a single domain it is not possible to
correctly retrieve all group memberships using LDAP calls due to ACLs on
directory objects. The call to get that is called NetSamLogon on the
NETLOGON pipe. But this call requires user credentials and might trigger
updating counts on the server. So to correctly implement wbinfo -r after
a user has logged in, you have two alternatives: Save the info3 struct
or the PAC in the netsamlogon cache. If you insist on doing network
calls, you need to cache the user credentials somewhere to re-do the
NetSamLogon call every time the wbinfo -r is requested.
Reviewed-by: Andreas Schneider <asn@samba.org>
Avoid overriding default ccache for ads operations.
Nowadays various samba components may need to use GSSAPI and a default cred
cache to perform their tasks.
This code was completely overriding the whole process default ccache name, thus
altering the current credentials and sometimes hijacking them (or getting
preemptively hijaked).
By using gss_krb5_import_cred we can instead use a private ccache (necessary
sometimes to use a different set of credentials fromt he default
cifs/fqdn@realm one, for example when contacting foreign DCs using trust
credentials) that does not affect the rest of the process.
For the kerberos versions which don't have gss_krb5_import_cred
we fallback to temp override of KRB5CCNAME and gss_acquire_cred.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Sep 12 21:18:09 CEST 2012 on sn-devel-104
We do this so that we catch LDAP_TIMELIMIT_EXCEEDED as NT_STATUS_IO_TIMEOUT, which
has special handling in winbindd_cache.c
Andrew Bartlett
Signed-off-by: Jeremy Allison <jra@samba.org>
This will reduce the noise from merges of the rest of the
libcli/security code, without this commit changing what code
is actually used.
This includes (along with other security headers) dom_sid.h and
security_token.h
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
This reduces the manual marshalling of these structures by removing
the duplication here.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
size_t is overkill here, and in struct security_token in the num_sids
is uint32_t.
This includes a change to the prototype of add_sid_to_array()
and add_sid_to_array_unique(), which has had a number of
consequnetial changes as I try to sort out all the callers using
a pointer to the number of sids.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This is similar to 09a9cc3, this re-arranges winbindd_ads.c:query_user_list()
so that "ads" is not accessed anymore across a call to nss_get_info_cached()
call which can destroy it behind the scenes.
