mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

22105 Commits

Author SHA1 Message Date
Gerald Carter
cfc4946ebf r22729: add help text for osver and osname options to 'net ads join' (patch from Danilo A.)
(This used to be commit 3f588e0b65)
2007-10-10 12:21:51 -05:00
Gerald Carter
3eca3af1bc r22728: Patch from Danilo Almeida <dalmeida@centeris.com>:
When asked to create a machine account in an OU as part
of "net ads join" and the account already exists in another
OU, simply move the machine object to the requested OU.
(This used to be commit 3004cc6e59)
2007-10-10 12:21:51 -05:00
Gerald Carter
3df5bc8728 r22727: remove outdated comment about template shell and homedir
(This used to be commit e8f9bd6558)
2007-10-10 12:21:51 -05:00
Gerald Carter
c473d9e47f r22726: When performing an offline logon for a user in a trusted domain,
take care not to expire the name2sid cache entry just because
that child does not know that the primary domain is offline.
(This used to be commit 0399f52a1c)
2007-10-10 12:21:51 -05:00
Gerald Carter
78c27bb770 r22725: * Don't try to update the sequence_number when offline
* Log the NTSTATUS when saving name/sid cache entry
* Allow the backend lookup_usergroups() call in winbindd_{rpc,ads}.c
  to inform the wcache manager that the group list should not be cached
  (needed for one-way trusts).
(This used to be commit 693ab48408)
2007-10-10 12:21:50 -05:00
Gerald Carter
189b694ee9 r22724: Call an nss_info backend's init() function if the
previous call was unsuccessful.  needed for offline
logons.
(This used to be commit c3a8dc5d13)
2007-10-10 12:21:50 -05:00
Gerald Carter
215e033e82 r22720: Fixes for offline auth when using krb5_auth = yes in pam_winbind.
Assume that "NO_DOMAIN_CONTROLLERS_FOUND" means that the domain
is offline.
(This used to be commit 30f9cc52bf)
2007-10-10 12:21:50 -05:00
Gerald Carter
cf4f314fb3 r22719: Missed change for one-way trust support. Ignore password policy
settings from one trusted domain with no incoming trust path.

Guenther, I think this is ok as we only need the pw policy
to give feedback on upcoming expiration times.
(This used to be commit c79ae57388)
2007-10-10 12:21:50 -05:00
Gerald Carter
2a9c7462c7 r22717: Add Everyone and AuthenticatedUsers to the user's token
for use by the require-membership-of pam_winbind option.
(This used to be commit 11f81c5997)
2007-10-10 12:21:50 -05:00
Gerald Carter
8bbf274f07 r22716: Clarify comment in winbindd_domain structure
(This used to be commit 32fd8558bd)
2007-10-10 12:21:50 -05:00
Gerald Carter
09fee9aa18 r22715: When our primary domain goes on or offline, make sure to send a msg
to the idmap child.

Also remove the check for the global offline state in child_msg_offline()
as this means we cannot mark domains offline due to network outages.
(This used to be commit 1b99e8b521)
2007-10-10 12:21:49 -05:00
Gerald Carter
89fd4444af r22714: Prevent DNS lookup storms when the DNS servers are unreachable.
Helps when transitioning from offline to online mode.

Note that this is a quick hack and a better solution
would be to start the DNS server's state between processes
(similar to the namecache entries).
(This used to be commit 4f05c6fe26)
2007-10-10 12:21:49 -05:00
Gerald Carter
c16059f1f0 r22713: Offline logon fixes for idmap manager:
(a) Ignore the negative cache when the domain is offline
(b) don't delete expired entries from the cache as these
    can be used when offline (same model as the wcache entries)
(c) Delay idmap backend initialization when offline
    as the backend routines will not be called until we go
    online anyways.  This prevents idmap_init() from failing
    when a backend's init() function fails because of lack of
    network connectivity
(This used to be commit 4086ef15b3)
2007-10-10 12:21:49 -05:00
Gerald Carter
fd5ff711b6 r22712: Inform the user when logging in via pam_winbind
and the krb5 tkt cache could not be created due to clock skew.
(This used to be commit 24616f7d6b)
2007-10-10 12:21:49 -05:00
Gerald Carter
80dca03aae r22711: Fix a compile warning in query_user(). Ensure that user_rid
is initialized.
(This used to be commit ef03042682)
2007-10-10 12:21:49 -05:00
Gerald Carter
391a72f3df r22710: Support one-way trusts.
* Rely on the fact that name2sid will work for any name
  in a trusted domain will work against our primary domain
  (even in the absence of an incoming trust path)

* Only logons will reliably work and the idmap backend
  is responsible for being able to manage id's without contacting
  the trusted domain

* "getent passwd" and "getent group" for trusted users and groups
  will work but we cannot get the group membership of a user in any
  fashion without the user first logging on (via NTLM or krb5)
  and the netsamlogon_cache being updated.
(This used to be commit dee2bce2af)
2007-10-10 12:21:49 -05:00
Gerald Carter
044f1b4a99 r22709: we can only use tschannel when connecting to our primary (might need some fixing here for a Samba DC)
(This used to be commit 3d2123383d)
2007-10-10 12:21:48 -05:00
Gerald Carter
47761fdc30 r22708: disable saving the trusted domain list as we want the parent daemon to manage the complete trusted domain cache
(This used to be commit 3a9152a2ac)
2007-10-10 12:21:48 -05:00
Gerald Carter
9037774927 r22707: missed merge from local tree: pass the correct state to the domain when calling the async lookupsid() routine
(This used to be commit 3d814862af)
2007-10-10 12:21:48 -05:00
Gerald Carter
dcfeb64bd2 r22706: missed one reference to domain->native_mode in the previous commit
(This used to be commit aa2ac5a194)
2007-10-10 12:21:48 -05:00
Gerald Carter
96f590807f r22705: Implement new set_dc_type_and_flags() called based on the
information returned from our DC in the DsEnumerateDomainTrusts()
call.   If this fails, we fall back to the older
connect-to-the-remote-domain method.

Note that this means we can only reliably expect the native_mode
flag to be set for our own domain as this information is not
available outside our primary domain from the trusted information.
This is ok as we only really need the flag when trying to
determine to enumerate domain local groups via RPC.

Use the AD flag rather than the native_mode flag when using
ldap to obtain the seq_num for a domain.
(This used to be commit 4b4148a964)
2007-10-10 12:21:47 -05:00
Gerald Carter
7cb2a4be35 r22704: Implement three step method for enumerating domain trusts.
(a) Query our primary domain for trusts
(b) Query all tree roots in our forest
(c) Query all forest roots in trusted forests.

This will give us a complete trust topology including
domains via transitive Krb5 trusts.  We also store the
trust type, flags, and attributes so we can determine
one-way trusted domains (outgoing only trust path).
Patch for one-way trusts coming in a later check-in.

"wbinfo -m" now lists all domains in the domain_list() as held
by the main winbindd process.
(This used to be commit 9cf6068f1e)
2007-10-10 12:21:47 -05:00
Gerald Carter
879b843627 r22703: Convert winbindd_getgrgid() and winbindd_getgetpwnam()
to use the same code path after we resolve the name/gid to
a SID.  Use the async lookupname/lookupsid interface.
(This used to be commit d12b8147d6)
2007-10-10 12:21:47 -05:00
Gerald Carter
6ef504d71f r22702: Convert both lookup name and lookup sid to follow the
same heuristic.  First try our DC and then try a DC in the
root of our forest.  Use a temporary state since
winbindd_lookupXXX_async() is called from various winbindd
API entry points.

Note this will break the compile.  That will be fixed in the
next commit.
(This used to be commit b442644bac)
2007-10-10 12:21:47 -05:00
Gerald Carter
8ff276fcb0 r22701: Fix the krb5_nt_status error table and add the "no DCs found" mapping
(This used to be commit 2ab617fbbf)
2007-10-10 12:21:47 -05:00
Gerald Carter
4b7123bba7 r22700: Add a simple wcache TRUSTDOM api for maintaining a complete
list of trusted domains without requiring each winbindd process
to acquire this on its own.  This is needed for various idmap
plugins and for dealing with different trust topologies.

list_trusted_domain() patches coming next.
(This used to be commit 2da62a3d96)
2007-10-10 12:21:47 -05:00
Volker Lendecke
bf7008abb8 r22695: Dummy checkin (reformatting) to make the AIX hosts retry.
(This used to be commit cd55ccef6a)
2007-10-10 12:21:46 -05:00
Volker Lendecke
c4d42829a5 r22693: Always compile before checkin.... I've now installed dmapi on my laptop :-)
(This used to be commit 7460511c4e)
2007-10-10 12:21:46 -05:00
Volker Lendecke
baabe03030 r22692: Fix compilation of explicit --without-winbind.
Thanks to Tom Bork for reporting this!

Volker
(This used to be commit 3f956d3451)
2007-10-10 12:21:46 -05:00
Volker Lendecke
fb56443427 r22691: Fix a 64-bit warning and a const discard warning
(This used to be commit 3a2ca1b1b8)
2007-10-10 12:21:46 -05:00
Volker Lendecke
1bcee2679d r22688: Change lock_data in struct byte_range_lock from void * to struct lock_struct *
(This used to be commit 8e0e278961)
2007-10-10 12:21:46 -05:00
Simo Sorce
327e232e40 r22677: One line fix to make net idmap restore work again
Jerry, please add this for 3.0.25 final
(This used to be commit e04ca2d7f8)
2007-10-10 12:19:54 -05:00
Jeremy Allison
92999cee8d r22676: Fix zero alloc with create_rpc_blob().
Jeremy.
(This used to be commit c73963a60a)
2007-10-10 12:19:54 -05:00
Jeremy Allison
f1d8c4da23 r22675: Simo's patch for 0 size allocation. Still need
to examine parse_misc.c fix.
Jeremy.
(This used to be commit 80d981265c)
2007-10-10 12:19:54 -05:00
Jeremy Allison
32b9beb164 r22673: Fix for Jerry's reversion. We still need to check size
before talloc.
Jeremy.
(This used to be commit 9e4c6ab739)
2007-10-10 12:19:54 -05:00
Günther Deschner
e468268335 r22666: Expand kerberos_kinit_password_ext() to return NTSTATUS codes and make
winbindd's kerberized pam_auth use that.

Guenther
(This used to be commit 0f436eab5b)
2007-10-10 12:19:54 -05:00
Günther Deschner
116c1532e7 r22664: When we have krb5_get_init_creds_opt_get_error() then try to get the NTSTATUS
codes directly out of the krb5_error edata.

Guenther
(This used to be commit dcd902f24a)
2007-10-10 12:19:53 -05:00
Günther Deschner
6288491e90 r22663: Restructure kerberos_kinit_password_ext() error path.
Guenther
(This used to be commit 997ded4e3f)
2007-10-10 12:19:53 -05:00
Stefan Metzmacher
c5bcb4b31a r22659: merge from SAMBA_4_0:
- add AC_GNU_SOURCE macro for systems which don't have it
  (sles8)
- fix compiler warning on some systems

metze
(This used to be commit cb785d9bed)
2007-10-10 12:19:53 -05:00
Günther Deschner
e7d06b1c25 r22655: Call correct free-macros in netsamlogon_cache_get() error paths. Forgot those
in the previous commit.

Guenther
(This used to be commit fce2fe9903)
2007-10-10 12:19:53 -05:00
Gerald Carter
aa454619a2 r22654: And this is now Samba 3.0.27pre1-SVN
(This used to be commit 435a6e5e82)
2007-10-10 12:19:53 -05:00
James Peach
68d5d934bb r22648: Fix comment to match the code.
(This used to be commit e93d33b463)
2007-10-10 12:19:52 -05:00
Günther Deschner
b213b35e08 r22647: Avoid leaking a full info3 structure on each winbindd cached login by making
netsamlogon_cache_get() return a talloc'ed structure.

Guenther
(This used to be commit 5b149967cc)
2007-10-10 12:19:52 -05:00
Simo Sorce
b48096e546 r22646: segfault fix in idmap_ldap.c from 3_0_25
(This used to be commit 565d7d0b18)
2007-10-10 12:19:52 -05:00
Günther Deschner
d14e7803e7 r22644: Fix memleak.
Guenther
(This used to be commit 65a2701f36)
2007-10-10 12:19:52 -05:00
Günther Deschner
c74c6f722f r22643: Don't clear cached U/SID and UG/SID entries when we want to logon offline.
Guenther
(This used to be commit 37f9f466fd)
2007-10-10 12:19:52 -05:00
Jelmer Vernooij
cd7ad0993d r22641: Install tdbdump and tdbbackup.
(This used to be commit 232c5c6557)
2007-10-10 12:19:51 -05:00
Günther Deschner
bdbe2a955b r22636: Fix logic bug.
We certainly don't want to crash winbind on each successful
centry_uint{8,16,32,64} read.

Jeremy, please check :-)

Guenther
(This used to be commit bfcd10766b)
2007-10-10 12:19:51 -05:00
James Peach
3972121063 r22633: Fix typo in debug message.
(This used to be commit 4c58b6b194)
2007-10-10 12:19:51 -05:00
James Peach
d7041fedc8 r22631: Remove the possibility of sid_check_is_domain and
sid_check_is_in_our_domain getting out of sync.
(This used to be commit bbc102172a)
2007-10-10 12:19:51 -05:00