1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Commit Graph

89 Commits

Author SHA1 Message Date
Andrew Tridgell
28b9d61076 r23800: LGPL is now called GNU Lesser General Public License
not GNU Library General Public License
(This used to be commit 727a6cf2cb)
2007-10-10 12:28:26 -05:00
Andrew Tridgell
fd881dad3f r23794: convert more code from LGPLv2+ to LGPLv3+
(This used to be commit f3df6cd87e)
2007-10-10 12:28:25 -05:00
Gerald Carter
9b78af1f64 r23244: Fix loop with nscd and NSS recusive calls.
> Here's the problem I hit:
>
> getgrnam("foo") -> nscd -> NSS -> winbindd ->
>   winbindd_passdb.c:nam_to_sid() -> lookup_global_sam_name() ->
>   getgrnam("foo") -> nscd -> ....
>
> This is in the SAMBA_3_0 specifically but in theory could happen
> SAMBA_3_0_25 (or 26) for an unknown group.
>
> The attached patch passes down enough state for the
> name_to_sid() call to be able to determine the originating
> winbindd cmd that came into the parent.  So we can avoid
> making more NSS calls if the original call came in trough NSS
> so we don't deadlock ?  But you should still service
> lookupname() calls which are needed for example when
> doing the token access checks for a "valid groups" from
> smb.conf.
>
> I've got this in testing now.  The problem has shown up with the
> DsProvider on OS X and with nscd on SOlaris and Linux.
(This used to be commit bcc8a3290a)
2007-10-10 12:22:58 -05:00
Volker Lendecke
0e20456c1f r23225: Attached find a patch that makes use of NetSamLogonEx in
winbind. With this and W2k3 DCs around it is possible to use
more than one winbind on the same machine account, because
NetSamLogonEx does not use the credentials chain.

I added the flag domain->can_do_samlogon_ex because this
only works against W2k3 and with schannel. The theory is to
try if we're AD and have schannel, and fall back to
NetSamLogon if this fails. can_do_samlogon_ex is thus a
protection against multiple failures.

Only checking into 3_0, this needs more review before going
into a production release.

Feel free to comment :-)
(This used to be commit f5d525399b)
2007-10-10 12:22:56 -05:00
Gerald Carter
8bbf274f07 r22716: Clarify comment in winbindd_domain structure
(This used to be commit 32fd8558bd)
2007-10-10 12:21:50 -05:00
Gerald Carter
c16059f1f0 r22713: Offline logon fixes for idmap manager:
(a) Ignore the negative cache when the domain is offline
(b) don't delete expired entries from the cache as these
    can be used when offline (same model as thw wcache entries)
(c) Delay idmap backend initialization when offline
    as the backend routines will not be called until we go
    online anyways.  This prevents idmap_init() from failing
    when a backend's init() function fails becuase of lack of
    network connectivity
(This used to be commit 4086ef15b3)
2007-10-10 12:21:49 -05:00
Gerald Carter
7cb2a4be35 r22704: Implement three step method for enumerating domain trusts.
(a) Query our primary domain for trusts
(b) Query all tree roots in our forest
(c) Query all forest roots in trusted forests.

This will give us a complete trust topology including
domains via transitive Krb5 trusts.  We also store the
trust type, flags, and attributes so we can determine
one-way trusted domains (outgoing only trust path).
Patch for one-way trusts coming in a later check-in.

"wbinfo -m" now lists all domains in the domain_list() as held
by the main winbindd process.
(This used to be commit 9cf6068f1e)
2007-10-10 12:21:47 -05:00
Gerald Carter
4b7123bba7 r22700: Add a simple wcache TRUSTDOM api for maintaing a complete
list of trusted domains without requiring each winbindd process
to aquire this on its own.  This is needed for various idmap
plugins and for dealing with different trust topoligies.

list_trusted_domain() patches coming next.
(This used to be commit 2da62a3d96)
2007-10-10 12:21:47 -05:00
Gerald Carter
815fdf23c7 r21860: Fixes for "winbind normalize names" functionality:
* Fix getgroups() call called using a normalized name
* Fix some more name mappings that could cause for example
  a user to be unable to unlock the screen as the username
  would not match in the PAM authenticate call.
(This used to be commit 505fc669a1)
2007-10-10 12:18:39 -05:00
Gerald Carter
b9b26be174 r20986: Commit the prototype of the nss_info plugin interface.
This allows a provider to supply the homedirectory, etc...
attributes for a user without requiring support in core
winbindd code.  The idmap_ad.c module has been modified
to provide the idmap 'ad' library as well as the rfc2307 and sfu
"winbind nss info" support.

The SID/id mapping is working in idmap_ad but the nss_info
still has a few quirks that I'm in the process of resolving.
(This used to be commit aaec0115e2)
2007-10-10 12:17:23 -05:00
Gerald Carter
b2317c0979 r20488: When joined to a child domain in a multi-domain/single domain tree,
the child domain cannot always resolve SIDs in sibling domains.
Windows tries to contact a DC in its own domain and then the root
domain in the forest.  This async changes makes winbindd's name2sid()
call do the same.
(This used to be commit 7b2bf0e5a6)
2007-10-10 12:16:52 -05:00
Jeremy Allison
bf8988feaf r20206: Start cleaning up the talloc_ctx mess.
child->mem_ctx isn't actually used for
anything, so remove it.
Jeremy.
(This used to be commit a7f294b592)
2007-10-10 12:16:31 -05:00
Simo Sorce
4225f9a4bd r20116: Start merging in the work done to create the new idmap subsystem.
Simo.
(This used to be commit 50cd8bffee)
2007-10-10 12:16:25 -05:00
Jeremy Allison
155083547a r20057: Attempt to fix connect timeouts when connected on
a network but not one on which any home DC's can
be found (hotel network problem). Still testing
but this is getting close.
Jeremy.
(This used to be commit 369c9e4138)
2007-10-10 12:16:23 -05:00
Jeremy Allison
0f56237bc0 r18980: Be a little more intelligent about "startup_time",
move into the domain struct. Allow message to go online
to set this state and cope with removing it.
Jeremy.
(This used to be commit 51f0e60cc3)
2007-10-10 12:14:52 -05:00
Jeremy Allison
07e9f4e61a r18551: Implement a 30 seconds from startup, during which we
try hard to connect a DC even if we might be offline.
Jeremy.
(This used to be commit a9f1151407)
2007-10-10 11:51:49 -05:00
Gerald Carter
2b27c93a9a r18271: Big change:
* autogenerate lsa ndr code
* rename 'enum SID_NAME_USE' to 'enum lsa_SidType'
* merge a log more security descriptor functions from
  gen_ndr/ndr_security.c in SAMBA_4_0

The most embarassing thing is the "#define strlen_m strlen"
We need a real implementation in SAMBA_3_0 which I'll work on
after this code is in.
(This used to be commit 3da9f80c28)
2007-10-10 11:51:18 -05:00
Jeremy Allison
ccdd921e61 r18191: Fix the online/offline state handling of winbindd.
Instead of trying to do this in the winbindd_cache
entries, add a timed even handler to probe every
5 mins when disconnected.
Fix events to run all pending events, rather than
only one.
Jeremy.
(This used to be commit 7bfbe1b4fb)
2007-10-10 11:43:57 -05:00
Jeremy Allison
fbdcf2663b r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need
to do the upper layer directories but this is what
everyone is waiting for....

Jeremy.
(This used to be commit 9dafb7f48c)
2007-10-10 11:19:14 -05:00
Günther Deschner
ae0939ee66 r15634: Prevent passwords of winbindd's list of credential caches from beeing
swapped to disc using mlock(). (patch was reviewed by Jeremy).

Guenther
(This used to be commit 206cdbb8e9)
2007-10-10 11:17:04 -05:00
Günther Deschner
0dd9afad76 r14505: Rename the timed_event to lockout_policy_event.
Guenther
(This used to be commit 3e607aa69a)
2007-10-10 11:15:34 -05:00
Günther Deschner
b97a69dce3 r14321: When we have libnscd and winbindd comes (back) online, try to flush the
nscd caches so that NSS-calls can deliver accurate information.

Guenther
(This used to be commit a32a423a0e)
2007-10-10 11:15:24 -05:00
Gerald Carter
0af1500fc0 r13316: Let the carnage begin....
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed)
2007-10-10 11:06:23 -05:00
Volker Lendecke
789bed878a r11704: methods->alternate_name is not used anymore -- remove it
(This used to be commit 4a4f85f0ef)
2007-10-10 11:05:24 -05:00
Volker Lendecke
bd935df617 r11319: read_buf_len and write_buf_len are no longer used, remove them.
Volker
(This used to be commit 6948f748f6)
2007-10-10 11:05:11 -05:00
Gerald Carter
54abd2aa66 r10656: BIG merge from trunk. Features not copied over
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d7)
2007-10-10 11:04:48 -05:00
Günther Deschner
2e7f22e833 r7994: This adds support in Winbindd's "security = ads"-mode to retrieve the POSIX
homedirectory and the loginshell from Active Directory's "Services for Unix".

Enable it with:

        winbind sfu support = yes

User-Accounts without SFU-Unix-Attributes will be assigned template-based
Shells and Homedirs as before.

Note that it doesn't matter which version of Services for Unix you use (2.0,
2.2, 3.0 or 3.5). Samba should detect the correct attributes (msSFULoginShell,
msSFU30LoginShell, etc.) automatically.

If you also want to share the same uid/gid-space as SFU then also use PADL's
ad-idmap-Plugin:

        idmap backend = ad

When using the idmap-plugin only those accounts will appear in Name Service
Switch that have those UNIX-attributes which avoids potential uid/gid-space
clashes between SFU-ids and automatically assigned idmap-ids.

Guenther
(This used to be commit 28b5969942)
2007-10-10 10:58:07 -05:00
Jeremy Allison
19ca97a70f r7882: Looks like a large patch - but what it actually does is make Samba
safe for using our headers and linking with C++ modules. Stops us
from using C++ reserved keywords in our code.
Jeremy
(This used to be commit 9506b8e145)
2007-10-10 10:58:00 -05:00
Volker Lendecke
b62247f1ee r7785: This looks much larger than it is. It changes the top-level functions of the
parent winbind not to return winbindd_result. This is to hopefully fix all the
problems where a result has been scheduled for write twice.

The problematic ones have been the functions that might have been delayed as
well as under other circumstances immediately gets answered from the cache.

Now a request needs to be explicitly replied to with a request_error() or
request_ok().

Volker
(This used to be commit 7365c9accf)
2007-10-10 10:57:20 -05:00
Gerald Carter
fed660877c r7415: * big change -- volker's new async winbindd from trunk
(This used to be commit a0ac9a8ffd)
2007-10-10 10:57:08 -05:00
Gerald Carter
5906b27ab5 r6755: removing domain_sid() since it is not referenced anymore
(This used to be commit 8104149e6f)
2007-10-10 10:56:53 -05:00
Gerald Carter
9d009834a6 r6040: finish out 'net rpc service list'
(This used to be commit 42588ba50c)
2007-10-10 10:56:18 -05:00
Volker Lendecke
fca72668cc r4760: Make wbinfo --user-sids expand domain local groups. Andrew B., my testing
shows that this info is correctly returned to us in to info3 struct, so
check_info3_in_group does not need to be adapted.

Volker
(This used to be commit a84e778caf)
2007-10-10 10:53:54 -05:00
Volker Lendecke
24d3605d99 r3843: If a connection to a DC is requested, open connections simultaeneously to all
DCs found. The first one to reply wins.

Volker
(This used to be commit 84ac54aef2)
2007-10-10 10:53:20 -05:00
Tim Potter
b4cf9e9505 r2835: Since we always have -I. and -I$(srcdir) in CFLAGS, we can get rid of
'..' from all #include preprocessor commands.   This fixes bugzilla #1880
where OpenVMS gets confused about the '.' characters.
(This used to be commit 7f161702fa)
2007-10-10 10:52:55 -05:00
Gerald Carter
ce55cf1b82 r395: BUG 1232: patch from landonf@opendarwin.org (Landon Fuller) to fix
user/group enumeration on systems whose libc does not call setgrent()
before trying to enumerate users (i.e. FreeBSD 5.2)
(This used to be commit 8106d80972)
2007-10-10 10:51:21 -05:00
Gerald Carter
f7cf0aaa6f r294: checking in volker's winbindd patches; tested on domain members (Samba and AD) as well as on a Samba DC
(This used to be commit 157d53782d)
2007-10-10 10:51:17 -05:00
Gerald Carter
7af3777ab3 r116: volker's patch for local group and group nesting
(This used to be commit b393469d95)
2007-10-10 10:51:10 -05:00
Volker Lendecke
97b200d422 Apply some const
(This used to be commit 8037750df5)
2004-03-30 08:03:32 +00:00
Andrew Bartlett
7d068355aa This merges in my 'always use ADS' patch. Tested on a mix of NT and ADS
domains, this patch ensures that we always use the ADS backend when
security=ADS, and the remote server is capable.

The routines used for this behaviour have been upgraded to modern Samba
codeing standards.

This is a change in behaviour for mixed mode domains, and if the trusted
domain cannot be reached with our current krb5.conf file, we will show
that domain as disconnected.

This is in line with existing behaviour for native mode domains, and for
our primary domain.

As a consequence of testing this patch, I found that our kerberos error
handling was well below par - we would often throw away useful error
values.  These changes move more routines to ADS_STATUS to return
kerberos errors.

Also found when valgrinding the setup, fix a few memory leaks.

While sniffing the resultant connections, I noticed we would query our
list of trusted domains twice - so I have reworked some of the code to
avoid that.

Andrew Bartlett
(This used to be commit 7c34de8096)
2004-01-08 08:19:18 +00:00
Andrew Bartlett
614c18d24b rpc_client/cli_lsarpc.c:
rpc_parse/parse_lsa.c:
nsswitch/winbindd_rpc.c:
nsswitch/winbindd.h:
 - Add const

libads/ads_ldap.c:
 - Cleanup function for use

nsswitch/winbindd_ads.c:
 - Use new utility function ads_sid_to_dn
 - Don't search for 'dn=', rather call the ads_search_retry_dn()

nsswitch/winbindd_ads.c:
include/rpc_ds.h:
rpc_client/cli_ds.c:
 - Fixup braindamage in cli_ds_enum_domain_trusts():
    - This function was returning a UNISTR2 up to the caller, and
      was doing nasty (invalid, per valgrind) things with memcpy()
    - Create a new structure that represents this informaiton in a useful way
      and use talloc.

Andrew Bartlett
(This used to be commit 06c3f15aa1)
2004-01-05 02:04:37 +00:00
Andrew Bartlett
b34401b48a Forgot to commit this for the 'get our primary domain' change.
(This used to be commit 6f3cd9e2af)
2003-12-31 08:42:22 +00:00
Andrew Tridgell
e1c468477c a small include file rearrangement that doesn't affect normal
compilation, but that allows Samba3 to take advantage of pre-compiled
headers in gcc if available.
(This used to be commit b3e024ce1d)
2003-11-12 01:51:10 +00:00
Jim McDonough
8c64504f7c Update my copyrights according to my agreement with IBM
(This used to be commit a2bd8f0bfa)
2003-08-01 15:30:44 +00:00
Jim McDonough
f210ee9b99 Fix copyright statements for various pieces of Anthony Liguori's work.
(This used to be commit 15d2bc4785)
2003-08-01 14:47:39 +00:00
Gerald Carter
93bcb9963b merge of the netsamlogon caching code from APPLIANCE_HEAD
This replaces the universal group caching code (was originally
based on that code).  Only applies to the the RPC code.

One comment: domain local groups don't show up in 'getent group'
that's easy to fix.

Code has been tested against 2k domain but doesn't change anything
with respect to NT4 domains.

netsamlogon caching works pretty much like the universal group
caching code did but has had much more testing and puts winbind
mostly back in sync between branches.
(This used to be commit aac01dc7bc)
2003-06-21 04:05:01 +00:00
Andrew Tridgell
057ec70b53 - fixed the bug that forced us not to use the winbindd cache when we
have a primary ADS domain and a secondary (trusted) NT4 domain. This
  caused winbindd to be *really* slow for that setup.

- fixed winbindd_getgrgid(), which was calling uid_to_sid instead of
  gid_to_sid(). When you make changes to winbind *PLEASE* test using
  nsstest.
(This used to be commit cdd9b60a07)
2003-06-10 03:50:38 +00:00
Tim Potter
1f84a14b0b Bug 83: fixes for building when $srcdir != $builddir from David Lee
<t.d.lee@durham.ac.uk>
(This used to be commit e48a8b5e9c)
2003-05-23 01:59:43 +00:00
Andrew Bartlett
1a9394195d Merge HEAD's winbind into 3.0.
This includes the 'SIDs Rule' patch, mimir's trusted domains cacheing code,
the winbind_idmap abstraction (not idmap proper, but the stuff that held up
the winbind LDAP backend in HEAD).

Andrew Bartlett
(This used to be commit d4d5e6c2ee)
2003-04-23 11:54:56 +00:00
Andrew Bartlett
d23b35a65f Winbind merges from HEAD:
- fix winbindd_pam bugs
 - give a better error message for unauthorized access to auth_crap
 - show this message in wbinfo
 - fix spelling: privilaged -> privileged
   ** This changes the location of the winbindd privileged pipe **
   (thanks to tpot)

Andrew Bartlett
(This used to be commit 92c2a33483)
2003-04-07 07:32:51 +00:00