IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
The clear text presentaion of the sid in the ldap expression
does work with w2k3 but not with w2k....
Thanks to Guenther for advising me of this issue.
Michael
started in r23070, r23072, r23073, r23078, r23081 and r23082:
After retrieving the list of sids with the extended dn
ldap query, instead of passing all sids to the lsa_lookup_sids
call, now while extracting the sids from the extended dn member
entries, we first try to lookup the sid from cache and only pass
the sids that were not in cache to the lsa_lookup_sids call.
Michael
> Here's the problem I hit:
>
> getgrnam("foo") -> nscd -> NSS -> winbindd ->
> winbindd_passdb.c:nam_to_sid() -> lookup_global_sam_name() ->
> getgrnam("foo") -> nscd -> ....
>
> This is in the SAMBA_3_0 specifically but in theory could happen
> SAMBA_3_0_25 (or 26) for an unknown group.
>
> The attached patch passes down enough state for the
> name_to_sid() call to be able to determine the originating
> winbindd cmd that came into the parent. So we can avoid
> making more NSS calls if the original call came in trough NSS
> so we don't deadlock ? But you should still service
> lookupname() calls which are needed for example when
> doing the token access checks for a "valid groups" from
> smb.conf.
>
> I've got this in testing now. The problem has shown up with the
> DsProvider on OS X and with nscd on SOlaris and Linux.
winbind. With this and W2k3 DCs around it is possible to use
more than one winbind on the same machine account, because
NetSamLogonEx does not use the credentials chain.
I added the flag domain->can_do_samlogon_ex because this
only works against W2k3 and with schannel. The theory is to
try if we're AD and have schannel, and fall back to
NetSamLogon if this fails. can_do_samlogon_ex is thus a
protection against multiple failures.
Only checking into 3_0, this needs more review before going
into a production release.
Feel free to comment :-)
This removes message_block / message_unblock. I've talked to Jeremy and
Günther, giving them my reasons why I believe they have no effect.
Neither could come up with a counter-argument, so they go :-)
dn_lookup loop by a rpccli_lsa_lookupsids_all (see r23070)
call. This replaces one ldap search per member sid by one
rpc call per 1000 sids. This greatly speeds up groupmem
lookups for groups with lots of users.
Since the loop in lookup_groupmem was the only use of dn_lookup,
the function is removed.
Michael
doing this because for the clustering the marshalling is needed in more
than one place, so I wanted a decent routine to marshall a message_rec
struct which was not there before.
Tridge, this seems about the same speed as it used to be before, the
librpc/ndr overhead in my tests was under the noise.
Volker
check for IS_DC. Otherwise we will for example fail to lookup a
sid of S-1-22-1-780 because it has no valid struct winbindd_domain*
in the list. Thanks to Simo for the catch.
to be able to handle SIDs in the S-1-22-{1,2} domain in order
for winbindd_sid_to_uid(), et. al. to succeed. For 3.0.25a,
we will short circuit in the sid_to_uid() family of functions
so that smbd is ok.
For 3.0.26, we need to allow winbindd to handle all types of SIDs.
winbindd main function.
I have tested and somewhat extended the code, and it seems
to do a good job. I have possibly not caught all error
conditions though.
Michael
* Replaced signal catching/longjmp magic by a fork:
Let the child do the actual validation of the entries.
Exit code and signals are intercepted by waitpid.
* Fix logic so that also encounter of an unknown key in the
tdb leads to an error.
* Extended status of validation is kept in a (as yet simple)
stuct and communicated over a pipe from child to parent.
* Added two validation_ functions for two new keys.
The call of winbindd_validate_cache is still commented out
in the winbindd main loop. But I am currently testing it
and so far it seems to work fine.
The next step in my plan is to generalize the validation
mechanism to a tdb_open_log_validate function in lib/util_tdb.c.
There ist nothing very special about the cache tdb here,
and this might be useful elsewhere...
Michael
