IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".
Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).
Guenther
(This used to be commit 7e1a84b722)
for anonymous bound connections.
When doing anonymous bind you can never use paged LDAP control for
RootDSE searches on AD.
Guenther
(This used to be commit dc1d92faab)
Compiled it on systems with and without LDAP, I hope it does not break the
build farm too badly. If it does, I'll fix it tomorrow.
Volker
(This used to be commit b2ff9680eb)
more scalable:
The most efficient way is to use the "tokenGroups" attribute which gives
the nested group membership. As this attribute can not always be
retrieved when binding with the machine account (the only garanteed way
to get the tokenGroups I could find is when the machine account is a
member of the "Pre Win2k Access" builtin group).
Our current fallback when "tokenGroups" failed is looking for all groups
where the userdn was in the "member" attribute. This behaves not very
well in very large AD domains.
The patch first tries the "memberOf" attribute on the user's dn in that
case and directly retrieves the group's sids by using the LDAP Extended
DN control from the user's object.
The way to pass down the control to the ldap search call is rather
painfull and probably will be rearranged later on.
Successfully tested on win2k sp0, win2k sp4, wink3 sp1 and win2k3 r2.
Guenther
(This used to be commit 7d766b5505)
ldap_get_values_len, because they were handed a NULL msgs pointer, for
example in ads_pull_sid().
This occurs when the AD server fails at the connect stage. (The
toubled AD server is actually Samba4 in my example).
Andrew Bartlett
(This used to be commit 221a6de7d0)
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f)
could reproduce it, I would fix it, but for now just make sure we always
SAFE_FREE() and set our starting pointers to NULL.
Andrew Bartlett
(This used to be commit c279e178bc)
This module, primarilly the work of "Stefan (metze) Metzmacher"
<metze@metzemix.de>, uses the Active Directory schema to store the
user/group/other information. I've been testing it against a real AD server,
and it is intended to work with OpenLDAP as well.
I've moved a few functions around in our other libads code, which has made it
easier to tap into that existing code.
Also, I've made some changes to the SAM interface, I hope there are not too
many objections... To ensure we don't get silly bugs in the skel module, it
is now in the default compile. This way you should not forget to update it :-)
Andrew Bartlett
(This used to be commit 24fb0cde2f)
