IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This includes some of the original ildap ldap client API. ldb
provides a much easier abstraction on this to use, and doesn't use
these functions.
Andrew Bartlett
(This used to be commit dc27a7e41c)
using the pattern in the clilsa code, it didn't fill in the p->binding
structure. This affects nearly all users of dcerpc_pipe_open_smb(), so
the simplest fix is to ensure that dcerpc_pipe_open_smb() initialises
the binding if its not already there.
- re-enable the RAW-ACLS test
(This used to be commit d8875c286d)
Break up auth/auth.h not to include the world.
Add credentials_krb5.h with the kerberos dependent prototypes.
Andrew Bartlett
(This used to be commit 2b569c42e0)
This commit cleans up a number of aspects of the LSA interface.
Firstly, we do 2 simple searches on opening the LSA policy, to obtain
the basic information we need. This also avoids us searching for
dnsDomain (an invented attribute).
While I was at it, I added and tested new LSA calls, including the
enumTrustedDomainsEx call. I have also merged the identical structures
lsa_DomainInformation and lsa_DomainList.
Also in this commit: Fix netlogon use of uninitialised variables.
Andrew Bartlett
(This used to be commit 3f3fa7f466)
dcerpc_interface_table struct rather then a tuple of interface
name, UUID and version.
This removes the requirement for having a global list of DCE/RPC interfaces,
except for these parts of the code that use that list explicitly
(ndrdump and the scanner torture test).
This should also allow us to remove the hack that put the authservice parameter
in the dcerpc_binding struct as it can now be read directly from
dcerpc_interface_table.
I will now modify some of these functions to take a dcerpc_syntax_id
structure rather then a full dcerpc_interface_table.
(This used to be commit 8aae0f168e)
instead make the normal composite_done() and composite_error()
functions automatically trigger a delayed callback if the caller has
had no opportunity to setup a async callback
this removes one of the common mistakes in writing a composite function
(This used to be commit f9413ce792)
support cldap and other stuff in the future.
This temporarily disables wbinfo -t, but that will come back soon.
Try an ldap bind using gss-spnego. This got me krb5 binds against "our" w2k3
and a trusted w2k, although with some memleaks from krb5 and a BAD_OPTION
tgs-rep error.
Volker
(This used to be commit d14948fdf6)
--user-sids required the extension to trusted domains.
Implement "winbind sealed pipes" parameter for debugging purposes.
Volker
(This used to be commit 3821a17bdb)
Tridge, if you have the time, you might want to look at a problem I'm having
with unix domain stream sockets. From a comment in this commit:
/* Using composite_trigger_error here causes problems with the client
* socket. Linux 2.6.8 gives me a ECONNRESET on the next read after
* writing the reply when I don't wait the 100 milliseconds. */
This is in winbind/wb_cmd_userdomgroups.c:93.
The problem I have is that I can not *immediately* send an error reply to the
client because the next receive fails. Waiting 100 milliseconds helps. It
might also be a problem with epoll(), I don't really know.
I'd appreciate if you took a brief look at this, maybe I'm doing something
wrong.
Thanks,
Volker
(This used to be commit 3e535cce74)
first. And if a request is being processed, queue it. This correctly survived
3 endless loops with wbinfo's doing different things while starting up smbd.
The number of indirections starts to become a bit scary, but what can you do
without a decent programming language that provides closures :-)
One thing that we might consider is to auto-generate async rpc requests that
return composite_context structs instead of rpc_requests. Otherwise I'd have
to write a lot of wrappers like composite_netr_LogonSamLogon_send.
The alternative would be to write two versions of wb_queue_domain_send which I
would like to avoid. This is cluttered enough already.
Volker
(This used to be commit 66c1b674f9)
tested it, but I can not reproduce the problem I had with abartlett's initial
implementation anymore.
Fix a bug found using valgrind.
Volker
(This used to be commit 0c6c71ae3c)
* rename the composite helper functions from comp_* to composite_*
* Move the lsa initialization to wb_connect_lsa.c
* Equip smb_composite_connect with a fallback_to_anonymous
The latter two simplify wb_init_domain.c quite a bit.
Volker
(This used to be commit deb127e04e)
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
(This used to be commit 3e69fdc07c)
start to look sane.
Question: What about providing all winbind commands as irpc interfaces that
are called from the samba3 compatibility layer? This way it would be easy for
other samba components to access its functionality. Does that make sense?
Volker
(This used to be commit 2a6b805385)
queryinfopolicy. Idea is to get a consistency check between that and our
notion of the domain name and sid, and take the lsa pipe as the holder of the
central smbcli_tree that netlogon and samr use as well.
Volker
(This used to be commit 126c80aefc)
Tridge, if you have time, you might want to look at the segfault I was still
seeing. Now I store the handle to the netlogon pipe in the global winbind
state and free it on the next entry into check_machacc. The problem seems to
be that talloc_free()ing a pipe struct from within a callback function on that
pipe is not possible. I think I can live with that, but it has been not really
obvious. To reproduce the segfault you might want to look at putting a
talloc_free(state->getcreds->out.netlogon) into
wbsrv_samba3_check_machacc_receive_creds. This is called from a dcerpc
callback function.
In particular if the check failed it would be nice if I could delete the pipe
directly and not post a different event to some winbind queue.
I tried to delete the pipe from a timed event triggered immediately, but this
also fails because the inner loop seems to hit the same event again, calling
it twice.
Volker
(This used to be commit 5436d77648)
stuff.
- don't use SMBCLI_REQUEST_* state's in the genreic composite stuff
- move monitor_fn to libnet.
NOTE: I have maybe found some bugs, in code that is dirrectly in DONE or ERROR
state in the _send() function. I haven't fixed this bugs in this
commit! We may need some composite_trigger_*() functions or so.
And maybe some other generic helper functions...
metze
(This used to be commit 4527815a0a)
domain and gets the DC's name via a mailslot call.
Metze, I renamed wbsrv_queue_reply to wbsrv_send_reply in accordance with
irpc_send_reply. Having _queue_ here and _send_ there is a bit confusing. And
as everything is async anyway, the semantics should not be too much of a
problem.
Volker
(This used to be commit 4637964b19)
