1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Commit Graph

183 Commits

Author SHA1 Message Date
Rafal Szczesniak
663b922852 r24977: Ensure negative caching for name2sid, sid2name and rids2names
mappings.

rafal
(This used to be commit 3a9b5eabf9)
2007-10-10 12:30:31 -05:00
Michael Adam
57ac659fb6 r24848: Make tdb_validate() take an open tdb handle instead of a file name.
A new wrapper tdb_validate_open() takes a filename an opens and closes
the tdb before and after calling tdb_validate() respectively.

winbindd_validata_cache_nobackup() now dynamically calls one of
the above functions depending on whether the cache tdb has already
been opened or not.

Michael
(This used to be commit dc0b08e659)
2007-10-10 12:30:27 -05:00
Michael Adam
a4c92698c6 r24830: Add a winbindd cache validation function that does not do
backup and corrupt file handling. (To be used in subsequent
changes.)
(This used to be commit b3dcadbed0)
2007-10-10 12:30:26 -05:00
Michael Adam
e5533200ce r24829: Make use of a variable, that is available... :-)
(This used to be commit 9062665208)
2007-10-10 12:30:26 -05:00
Günther Deschner
410cc0e9c7 r24801: When told to ignore the winbind cache also do so while trying to store entries.
Thanks Michael for pointing this out.

Guenther
(This used to be commit c704760444)
2007-10-10 12:30:22 -05:00
Gerald Carter
40102ad546 r24722: Squashed commit of the following:
commit fb52f971986dd298abbcd9745ddf702820ce0184
Author: Gerald Carter <coffeedude@plainjoe.org>
Date:   Mon Aug 27 13:50:26 2007 -0500

    Check correct return type for pam_winbind_request_log() wnibind_upn_to_username

    which is an int and not NSS_STATUS.

commit 7382edf6fc0fe555df89d5b2a94d12b35049b279
Author: Gerald Carter <coffeedude@plainjoe.org>
Date:   Mon Aug 27 13:30:26 2007 -0500

    Allow wbinfo -n to convert a UPN to a SID

commit 8266c0fe1ccf2141e5a983f3213356419e626dda
Author: Gerald Carter <coffeedude@plainjoe.org>
Date:   Fri Aug 3 09:53:16 2007 -0500

    Merge some of Guenther UPN work for pam_winbind.c (check the winbind separator

    and better pam logging when converting a upn to a username).

commit 15156c17bc81dbcadf32757015c4e5158823bf3f
Author: Gerald Carter <coffeedude@plainjoe.org>
Date:   Fri Aug 3 08:52:50 2007 -0500

    Include Universal groups from the cached PAC/SamLogon info when

    generating the list of domain group SIDs for a user's token.

commit 979053c0307b051954261d539445102c55f309c7
Author: Gerald Carter <coffeedude@plainjoe.org>
Date:   Thu Aug 2 17:35:41 2007 -0500

    merge upnlogon patch from my tree
(This used to be commit 98fb5bcd57)
2007-10-10 12:30:15 -05:00
Günther Deschner
a375d368df r24714: Fix confusing indent.
Guenther
(This used to be commit 6a9af88a2d)
2007-10-10 12:30:15 -05:00
Günther Deschner
d8248816c3 r24438: Use dump_data_pw() instead of dump_data() on sensitive data in winbindd.
Guenther
(This used to be commit adaa5e423d)
2007-10-10 12:29:47 -05:00
Michael Adam
b82060b88f r23931: Use the new tdb_validate_and_backup function instead of pure tdb_validate
in winbindd cache validation.

Michael
(This used to be commit 2c2a1ff2c2)
2007-10-10 12:28:46 -05:00
Andrew Tridgell
5e54558c6d r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text
(This used to be commit b0132e94fc)
2007-10-10 12:28:22 -05:00
Jeremy Allison
d824b98f80 r23779: Change from v2 or later to v3 or later.
Jeremy.
(This used to be commit 407e6e695b)
2007-10-10 12:28:20 -05:00
Michael Adam
5e4962d9e7 r23769: Move removal of the tdb from the generic tdb_validate function
to the caller (winbindd_validate_cache in this case).
Next, there will be a backup handling for the tdb files.

Michael
(This used to be commit 821bc84109)
2007-10-10 12:23:55 -05:00
Michael Adam
7c48598e86 r23610: Move some winbindd_cache specific flags and actions
back to winbindd_cache.c. The generic mechanism
should open the cache tdb readonly and with default
flags.

Michael
(This used to be commit 062d8c6129)
2007-10-10 12:23:36 -05:00
Michael Adam
133472ac66 r23600: First step in abstracting the winbindd cache validation
code into a generic tdb validation code.
In lib/util_tdb.c for a start.

Michael
(This used to be commit 527edfa0cb)
2007-10-10 12:23:35 -05:00
Volker Lendecke
4a99ee0236 r23368: Make "winbind:rpc only" a full blown parameter. Thanks to Karolin for
the patch :-)
(This used to be commit 07b71a02ae)
2007-10-10 12:23:10 -05:00
Günther Deschner
454de808a2 r23355: Fix some more build warnings.
Guenther
(This used to be commit 23e25bba8f)
2007-10-10 12:23:09 -05:00
Jeremy Allison
45dc5e1b92 r23345: Stop Coverity from getting confused.
Jeremy.
(This used to be commit 8e83e42672)
2007-10-10 12:23:08 -05:00
James Peach
4a76fa88b4 r23312: As per Volker, rename the "windbind:ads" parameter "winbind:rpc only".
(This used to be commit cbd083efb9)
2007-10-10 12:23:05 -05:00
Volker Lendecke
a7efef4d09 r23297: This introduces the winbind:ads parameter which defaults to True. Setting it
to False makes winbind use RPC and not LDAP methods to connect to the DCs,
even when it figured out they are AD.
(This used to be commit 1c1f710e3e)
2007-10-10 12:23:03 -05:00
Gerald Carter
9b78af1f64 r23244: Fix loop with nscd and NSS recusive calls.
> Here's the problem I hit:
>
> getgrnam("foo") -> nscd -> NSS -> winbindd ->
>   winbindd_passdb.c:nam_to_sid() -> lookup_global_sam_name() ->
>   getgrnam("foo") -> nscd -> ....
>
> This is in the SAMBA_3_0 specifically but in theory could happen
> SAMBA_3_0_25 (or 26) for an unknown group.
>
> The attached patch passes down enough state for the
> name_to_sid() call to be able to determine the originating
> winbindd cmd that came into the parent.  So we can avoid
> making more NSS calls if the original call came in trough NSS
> so we don't deadlock ?  But you should still service
> lookupname() calls which are needed for example when
> doing the token access checks for a "valid groups" from
> smb.conf.
>
> I've got this in testing now.  The problem has shown up with the
> DsProvider on OS X and with nscd on SOlaris and Linux.
(This used to be commit bcc8a3290a)
2007-10-10 12:22:58 -05:00
Stefan Metzmacher
5057c595d5 r23039: merge from SAMBA_3_0_26:
use a helper function to construct the TDB_DATA key
as strlen_m() is totally wrong here anyway

metze
(This used to be commit fb77cc7fbc)
2007-10-10 12:22:16 -05:00
Michael Adam
1f7c3007b9 r22855: fix the build
(#if inside DEBUG macro not allowed...)

Michael
(This used to be commit f0570dc3d9)
2007-10-10 12:22:03 -05:00
Michael Adam
c9b94d7170 r22848: Fix brace alignment.
(This used to be commit d909a60641)
2007-10-10 12:22:02 -05:00
Michael Adam
c580cda23c r22847: The new validate_panic function calls exit (instead of setting
a global error flag an returning), so cleanups and returns
subsequent to calls of smb_panic_fn have become unnecessary.
(This used to be commit 9d2db8c70f)
2007-10-10 12:22:02 -05:00
Michael Adam
cb47bb6d8f r22845: Modified and extended the winbindd cache validation code:
* Replaced signal catching/longjmp magic by a fork:
  Let the child do the actual validation of the entries.
  Exit code and signals are intercepted by waitpid.
* Fix logic so that also encounter of an unknown key in the
  tdb leads to an error.
* Extended status of validation is kept in a (as yet simple)
  stuct and communicated over a pipe from child to parent.
* Added two validation_ functions for two new keys.

The call of winbindd_validate_cache is still commented out
in the winbindd main loop. But I am currently testing it
and so far it seems to work fine.

The next step in my plan is to generalize the validation
mechanism to a tdb_open_log_validate function in lib/util_tdb.c.
There ist nothing very special about the cache tdb here,
and this might be useful elsewhere...

Michael
(This used to be commit 417325b9e6)
2007-10-10 12:22:01 -05:00
Volker Lendecke
7192160599 r22747: Fix some C++ warnings
(This used to be commit a66a04e9f1)
2007-10-10 12:21:54 -05:00
Gerald Carter
c473d9e47f r22726: When performing an offline logon for a user in a trusted domain,
take care not to expire the name2sid cache entry just because
that child does not know that the primary domain is offline.
(This used to be commit 0399f52a1c)
2007-10-10 12:21:51 -05:00
Gerald Carter
78c27bb770 r22725: * Don't try to update the sequence_number when offline
* Log the NTSTATUS when saving name/sid cache entry
* Allow the backend loolkup_usergroups() call in winbindd_{rpc,ads}.c
  to inform the wcache manager that the group list should not be cached
  (needed for one-way trusts).
(This used to be commit 693ab48408)
2007-10-10 12:21:50 -05:00
Gerald Carter
391a72f3df r22710: Support one-way trusts.
* Rely on the fact that name2sid will work for any name
  in a trusted domain will work against our primary domain
  (even in the absense of an incoming trust path)

* Only logons will reliably work and the idmap backend
  is responsible for being able to manage id's without contacting
  the trusted domain

* "getent passwd" and "getent group" for trusted users and groups
  will work but we cannot get the group membership of a user in any
  fashion without the user first logging on (via NTLM or krb5)
  and the netsamlogon_cache being updated.
(This used to be commit dee2bce2af)
2007-10-10 12:21:49 -05:00
Gerald Carter
47761fdc30 r22708: disable saving the trusted domain list as we want to the parent daemon to manage the complete trusted domain cache
(This used to be commit 3a9152a2ac)
2007-10-10 12:21:48 -05:00
Gerald Carter
4b7123bba7 r22700: Add a simple wcache TRUSTDOM api for maintaing a complete
list of trusted domains without requiring each winbindd process
to aquire this on its own.  This is needed for various idmap
plugins and for dealing with different trust topoligies.

list_trusted_domain() patches coming next.
(This used to be commit 2da62a3d96)
2007-10-10 12:21:47 -05:00
Günther Deschner
c74c6f722f r22643: Don't clear cached U/SID and UG/SID entries when we want to logon offline.
Guenther
(This used to be commit 37f9f466fd)
2007-10-10 12:19:52 -05:00
Günther Deschner
bdbe2a955b r22636: Fix logic bug.
We certainly don't want to crash winbind on each sucessfull
centry_uint{8,16,32,64} read.

Jeremy, please check :-)

Guenther
(This used to be commit bfcd10766b)
2007-10-10 12:19:51 -05:00
Jeremy Allison
be8b0685a5 r22589: Make TALLOC_ARRAY consistent across all uses.
Jeremy.
(This used to be commit 8968808c3b)
2007-10-10 12:19:49 -05:00
Günther Deschner
2713a9ca0e r22466: Fix build warning.
Guenther
(This used to be commit d6f259e918)
2007-10-10 12:19:36 -05:00
Jeremy Allison
731df24607 r22211: Don't return a value from void functions !
Jeremy.
(This used to be commit 1dd8d3a723)
2007-10-10 12:19:20 -05:00
Jeremy Allison
91be3a9ed6 r22210: Fix typo in testing for non-centry entries.
Jeremy.
(This used to be commit b89ecbcac6)
2007-10-10 12:19:20 -05:00
Jeremy Allison
c7d136dcac r22209: Fix the storage of time_t -> make it 64 bits (use the
same load/store function as NTTIME). Add a version number
string to the winbindd cache so we can tell if it needs
upgrading. THIS WILL DELETE ANY EXISTING winbindd_cache.tdb
on first startup regardless of offline auth status. Once
this is done we're in good shape though.
Jeremy.
(This used to be commit c52c7f91af)
2007-10-10 12:19:19 -05:00
Jeremy Allison
a2bab163be r22207: Fill in the validation functions. Now to test...
Jeremy.
(This used to be commit fc2b9e860e)
2007-10-10 12:19:19 -05:00
Jeremy Allison
127cc73034 r22206: Added boilerplate to be filled in for other validation functions.
Jeremy.
(This used to be commit 9be463eb0c)
2007-10-10 12:19:19 -05:00
Jeremy Allison
23e575c4b7 r22205: Add some flesh to the bones of the cache validation code.
Jeremy
(This used to be commit b773ea2c8a)
2007-10-10 12:19:19 -05:00
Jeremy Allison
9f41ff47d0 r22202: Volker is clever :-). Use TDB_NOMMAP to prevent any wild pointer
problems when validating the winbindd cache. Wish I'd have
thought of that.
Jeremy.
(This used to be commit 6b0a8cbbb8)
2007-10-10 12:19:19 -05:00
Stefan Metzmacher
bc2b6436d0 r22009: change TDB_DATA from char * to unsigned char *
and fix all compiler warnings in the users

metze
(This used to be commit 3a28443079)
2007-10-10 12:19:00 -05:00
Stefan Metzmacher
56ba447668 r22001: change prototype of dump_data(), so that it takes unsigned char * now,
which matches what samba4 has.

also fix all the callers to prevent compiler warnings

metze
(This used to be commit fa322f0cc9)
2007-10-10 12:18:59 -05:00
Stefan Metzmacher
5060393272 r21985: make use of string_tdb_data()
to avoid creating the TDB_DATA struct from strings "by hand"

metze
(This used to be commit a8bc20d67f)
2007-10-10 12:18:56 -05:00
Günther Deschner
a90034f5aa r21146: Fix debug typos.
Guenther
(This used to be commit cdef1d00b8)
2007-10-10 12:17:43 -05:00
Gerald Carter
b9b26be174 r20986: Commit the prototype of the nss_info plugin interface.
This allows a provider to supply the homedirectory, etc...
attributes for a user without requiring support in core
winbindd code.  The idmap_ad.c module has been modified
to provide the idmap 'ad' library as well as the rfc2307 and sfu
"winbind nss info" support.

The SID/id mapping is working in idmap_ad but the nss_info
still has a few quirks that I'm in the process of resolving.
(This used to be commit aaec0115e2)
2007-10-10 12:17:23 -05:00
Herb Lewis
791f48f167 r20124: clean up nested extern declaration warnings
(This used to be commit ac3eb7813e)
2007-10-10 12:16:26 -05:00
Jeremy Allison
155083547a r20057: Attempt to fix connect timeouts when connected on
a network but not one on which any home DC's can
be found (hotel network problem). Still testing
but this is getting close.
Jeremy.
(This used to be commit 369c9e4138)
2007-10-10 12:16:23 -05:00
Jeremy Allison
4c98afb2de r19975: Deal with 2 keytypes I messed previously (DR/DE).
Fix code that mistakenly assumed tdb_traverse
returned 0 or -1, it actually returns -1 or the
number of entries traversed. Add a static as another
way to return the bad cache value.
Jeremy.
(This used to be commit 5266a70ae9)
2007-10-10 12:16:16 -05:00