IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This replaces the universal group caching code (was originally
based on that code). Only applies to the the RPC code.
One comment: domain local groups don't show up in 'getent group'
that's easy to fix.
Code has been tested against 2k domain but doesn't change anything
with respect to NT4 domains.
netsamlogon caching works pretty much like the universal group
caching code did but has had much more testing and puts winbind
mostly back in sync between branches.
(This used to be commit aac01dc7bc95c20ee21c93f3581e2375d9a894e1)
We really need idmap_ldap to have a good solution with ldapsam, porting
it from the prvious code is beeing made, the code is really simple to do
so I am confident it is not a problem to commit this code in.
Not committing it would have been worst.
I really would have been able to finish also the group code, maybe we can
put it into a followin release after 3.0.0 even if it may be an upgrade
problem.
The code has been tested and seem to work right, more testing is needed for
corner cases.
Currently winbind pdc (working only for users and not for groups) is
disabled as I was not able to make a complete group code replacement that
works somewhat in a week (I have a complete patch, but there are bugs)
Simo.
(This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
that is now possible to, for example, load a module which contains
an auth method into a binary without the auth/ subsystem built in.
(This used to be commit 74d9ecfe2dd7364643d32acb62ade957bd71cd0d)
initialisation code in winbindd_init_common() after the fork when
running in dual daemon mode.
The only tricky bit is we have to run a tdb_reopen_all() somewhere in
the child to avoid tdb corruption.
Fixed bug #60.
(This used to be commit 25e55aca0fe315c2ccf4e34a94107b2321313714)
This includes the 'SIDs Rule' patch, mimir's trusted domains cacheing code,
the winbind_idmap abstraction (not idmap proper, but the stuff that held up
the winbind LDAP backend in HEAD).
Andrew Bartlett
(This used to be commit d4d5e6c2ee6383c6cceb5d449aa2ba6c83eb0666)
- Jelmer's latest popt changes
- debugging tdb messages now initialised and handled in lib/messages.c
(This used to be commit b11f35fddec8c3d3899a8bc78d093137f73b2dfb)
- fix winbindd_pam bugs
- give a better error message for unauthorized access to auth_crap
- show this message in wbinfo
- fix spelling: privilaged -> privileged
** This changes the location of the winbindd privileged pipe **
(thanks to tpot)
Andrew Bartlett
(This used to be commit 92c2a33483cc9ddd1dd627224192a3023f8caff8)
NTLM Authentication:
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory
under lockdir, that the admin can change the group access for.
- This mode is now required to access with 'CRAP' authentication feature.
- This *will* break the current SQUID helper, so I've fixed up our ntlm_auth
replacement:
- Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a
challenge.
- Use this to make our ntlm_auth utility suitable for use in current Squid 2.5
servers.
- Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates
are needed.
- Now uses fgets(), not x_fgets() to cope with Squid environment (I think
somthing to do with non-blocking stdin).
- Add much more robust connection code to wb_common.c - it will not connect to
a server of a different protocol version, and it will automatically try and
reconnect to the 'privileged' pipe if possible.
- This could help with 'privileged' idmap operations etc in future.
- Add a generic HEX encode routine to util_str.c,
- fix a small line of dodgy C in StrnCpy_fn()
- Correctly pull our 'session key' out of the info3 from th the DC. This is
used in both the auth code, and in for export over the winbind pipe to
ntlm_auth.
- Given the user's challenge/response and access to the privileged pipe,
allow external access to the 'session key'. To be used for MSCHAPv2
integration.
Andrew Bartlett
(This used to be commit ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664)
the unix domain sockets used by winbindd (also solves FD_SETSIZE problem
in winbindd to boot !). Adds a "last_access" field to winbindd connections,
and will close the oldest idle connection once the number of open connections
goes over WINBINDD_MAX_SIMULTANEOUS_CLIENTS (defined in local.h as 200
currently).
Jeremy.
(This used to be commit 7a586552a3aeb4a26495f0965af4bd027456a011)
- NTLMSSP over SPENGO (sesssion-setup-and-x) cleanup and code refactor.
- also consequential changes to the NTLMSSP and SPNEGO parsing functions
- and the client code that uses the same functions
- Add ntlm_auth, a NTLMSSP authentication interface for use by applications
like Squid and Apache.
- also consquential changes to use common code for base64 encode/decode.
- Winbind changes to support ntlm_auth (I don't want this program to need
to read smb.conf, instead getting all it's details over the pipe).
- nmbd changes for fstrcat() instead of fstrcpy().
Andrew Bartlett
(This used to be commit fbb46da79cf322570a7e3318100c304bbf33409e)
dashes of const. This is a rather large check-in, some things may break.
It does compile though :-).
Jeremy.
(This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89)
- move winbindd client handling into accessor functions in
winbindd_util.c
- move some winbindd socket routines into accessor functions in
winbindd_utils.c
(The deadlock situation mentioned in the appliance branch is probably
not applicable since we don't clear the connection cache on SIGHUP.
Perhaps we should?)
(This used to be commit ee0e3d31a1d1bef70810aadcdafdf9678d21ea8f)
Added time based cache size check (#ifdef'ed out by default, just didn't
want to lose the code).
Jeremy.
(This used to be commit b2350ed36c42827c417ea4a3dd0668a4a631a090)
processing work correctly in winbindd. This is a really good patch
that gives full select semantics to the Samba modified select.
Jeremy.
(This used to be commit 3af16ade173cac24c1ac5eff4a36b439f16ac036)
the sid->uid and uid->sid conversions.
Remove some duplicate arguments from these funcitons, and update the
request/response structures for this and the 'winbind domain name' feature.
As such 'winbindd_lookup_name' now takes both a domain and username.
(This used to be commit ce1b4d4c309e4a60bec5a53224585bd504264672)
to move this from being a static to matching its mate in lib/util_sock.c.
In any case, this should discorage anybody from using the 'wrong' version of
this function. (ie the one from TNG, which needs a bit more error checking
depending on use).
Andrew Bartlett
(This used to be commit e6a3a01f795a85d908180ff19469ce09a2803512)
This work was sponsored by Optifacio Software Services, Inc.
Andrew Bartlett
(various e-mails announcements merged into some form of commit message below:)
This patch which adds basics of universal groups support
into Samba 3. Currently, only Winbind with RPC calls supports this, ADS
support requires additional (possibly huge) work on KRB5 PAC. However,
basic infrastructure is here.
This patch adds:
1. Storing of universal groups for particular user logged into Samba
software (smbd/ two winbind-pam methods) into netlogon_unigrp.tdb as array
of uint32 supplemental group rids keyed as DOMAIN_SID/USER_RID in tdb.
2. Fetching of unversal groups for given user rid and domain sid from
netlogon_unigrp.tdb.
Since this is used in both smbd and winbindd, main code is in
source/lib/netlogon_uingrp.c. Dependencies are added to AUTH_OBJ as
UNIGRP_OBJ and WINBINDD_OBJ as UNIGRP_OBJ.
This patch has had a few versions, the final version in particular:
Many thanks to Andrew Bartlett for critics and comments, and partly
rewritten code.
New:
- updated fetching code to changed byte order macros
- moved functions to proper namespace
- optimized memory usage by reusing caller's memory context
- enhanced code to more follow Samba coding rules
Todo:
- proper universal group expiration after timeout
(This used to be commit 80c2aefbe7c1aa363dd286a47d50c5d8b4595f43)
the list received at startup or we get an out of date list. I thought
there might be some sequence number that is incremented when a trusted
domain is added or removed - perhaps there is but I just haven't found it
yet.
- Renamed get_domain_info() to init_domain_list()
- Made an accessor function to return the list of trusted domains rather
than using a global so we don't have to remember to put a magic init
function
- The getent state can not keep a pointer to a winbind_domain structure as
it may be freed if init_domain_list() is called again so we keep the
domain name instead
(This used to be commit 37216c649a394b449eaaaa6644709eafb3bf37ff)
swedish" test to client calls. This is putting a length field at the
start of a request so we can disconnect clients talking with an out of date
libnss_winbind.so rather than deadlock them.
Misc cleanups:
- made some int values uint32
- moved WINBIND_INTERFACE_VERSION to start of cmd list
(This used to be commit a4af65b9b93671f13f277d49279a85042a8fd1d5)
smb.conf to get it right.
While wb_client needs its lp_load() for samba dependency reasons, it now uses
the new method both to example and test the new code.
Also add an interface version function, and return the winbind's samba version
string.
In preperation for default domains, its now up to winbindd to reject plaintext
auths that don't have a seperator, but NTLM (CRAP) auths now have two feilds,
hence need parsing.
Andrew Bartlett
(This used to be commit 2bd2a092ee3d49a74d896385688d7c7256aa297e)
It adds a 'ping' request, just to check winbind is in fact alive
It also changes winbindd_pam_auth_crap to take usernames and domain seperatly.
(backward incompatible change, needs merge to 2.2, but this is not yet released
code, so no workarounds)
Finally, it adds some debugs and fixes a few memory leaks (uses talloc to do
it).
Andrew Bartlett
(This used to be commit 6df29bfe335144a968f5367f624ef2b4cf9e69b0)
when they are added or removed on the PDC.
- renamed GETPWNAM_FROM_{UID,USER} constants and functions to GETPW{NAM,UID}
- renamed GETGRNAM_FROM_{GID,GROUP} constants and functions to GETGR{NAM,GID}
- use SIGUSR2 in winbindd for debugging/logging instead of SIGUSR1 in
preparation for moving to smbcontrol type messages (not sure whether to
ditch this altogether or not)
- tidy debugging messages in top level winbind user and group routines
- convert talloc_init() to talloc_init_named()
- make enumerations of the domain list use the same local variable names
(This used to be commit eeb8af9c1a66bfcd80823d7b406acbab79857a16)
