IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
* depreacte 'acl group control' after discussion with Jeremy
and implement functionality as part of 'dos filemode'
* fix winbindd on a non-member server to expand local groups
* prevent code previously only used by smbd from blindly
turning _NO_WINBINDD back on
group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes'
* Add a SID domain to the group mapping enumeration passdb call
to fix the checks for local and builtin groups. The SID can be
NULL if you want the old semantics for internal maintenance.
I only updated the tdb group mapping code.
* remove any group mapping from the tdb that have a
gid of -1 for better consistency with pdb_ldap.c.
The fixes the problem with calling add_group_map() in
the tdb code for unmapped groups which might have had
a record present.
* Ensure that we distinguish between groups in the
BUILTIN and local machine domains via getgrnam()
Other wise BUILTIN\Administrators & SERVER\Administrators
would resolve to the same gid.
* Doesn't strip the global_sam_name() from groups in the
local machine's domain (this is required to work with
'winbind default domain' code)
Still todo.
* Fix fallback Administrators membership for root and domain Admins
if nested groups = no or winbindd is not running
* issues with "su - user -c 'groups'" command
* There are a few outstanding issues with BUILTIN\Users that
Windows apparently tends to assume. I worked around this
presently with a manual group mapping but I do not think
this is a good solution. So I'll probably add some similar
as I did for Administrators.
Fix parse_domain_user to fail when splitting a full name like "DOM\user"
when "winbind use default domain" and "winbind trusted domains only" are
not enabled.
This allows pam_winbind to behave correctly when more modules are
stacked in the "account" or "password" PAM facility. pam_winbindd calls
WINBINDD_GETPWNAM which can decide whether or not a user is a winbind
user and return correct PAM error codes.
Guenther
in question is still initializing overwrites domain->dcname. Only overwrite if
the parent actually has sent a dcname and thus really knows it. Second,
ntlm_auth needs the error code, not just the fact it failed.
Jerry, the 3_0 part might qualify as a "recommended patch".
Thanks,
Volker
* ensure that we set full access on the handle
returned from _samr_create_dom_alias() so that
future set_alias commands succeed
* fix bug when looking for internal domains in winbindd
(caused winbindd_getgrgid() for local groups to fail).
1. using smbc_getxattr() et al, one may now request all access control
entities in the ACL without getting all other NT attributes.
2. added the ability to exclude specified attributes from the result set
provided by smbc_getxattr() et al, when requesting all attributes,
all NT attributes, or all DOS attributes.
3. eliminated all compiler warnings, including when --enable-developer
compiler flags are in use. removed -Wcast-qual flag from list, as that
is specifically to force warnings in the case of casting away qualifiers.
Note: In the process of eliminating compiler warnings, a few nasties were
discovered. In the file libads/sasl.c, PRIVATE kerberos interfaces
are being used; and in libsmb/clikrb5.c, both PRIAVE and DEPRECATED
kerberos interfaces are being used. Someone who knows kerberos
should look at these and determine if there is an alternate method
of accomplishing the task.
whole of samba comiles warning-free with the default compiler flags.
Temporarily defined -Wall to locate other potential problems. Found an
unused static function (#ifdefed out rather than deleted, in case it's
needed for something in progress).
There are also a number of uses of undeclared functions, mostly krb5_*.
Files with these problems need to have appropriate header files included,
but they are not fixed in this update.
oplock_linux.c.c has undefined functions capget() and capset(), which need
to have "#undef _POSIX_SOURCE" specified before including <sys/capability.h>,
but that could potentially have other side effects, so that remains uncorrected
as well.
The flag -Wall should be added permanently to CFLAGS, and all warnings then
generated should be eliminated.
Use the fully qualified DOMAIN\user format for 'security = domain|ads'
and apply after authentication has succeeded.
* also change fill_domain_username() to only lowercase the username
and not the domain+username. This was a cosmetic fix only.
makes the output more consistent with %D and %U.
from HEAD follows :
While torturing winbind a bit I found the following unfortunate behaviour:
Sending multiple requests at a high rate for a slow operation exposed that no
response comes back until the last request in the queue has been
processed. This is an unfortunate result of serially going through all sockets> that have shown to be readable or writable. All client sockets become readable> at the same time, none of them is writable. We go through them, read the
request, process the complete request. Before we enter the select system call
the next time all requests have to have completed.
This patch optimizes this by first looking at the sockets for writability. A
write on a socket that came back from select does not block, so this
additional loop might have a non-zero cost, but it can't prevent other
operations from proceeding.
After a possibly long-running winbindd_process() we directly start select()
again. To avoid starvation the currently processed client is demoted to be the> last one in the list of clients.
Jeremy.
domains, this patch ensures that we always use the ADS backend when
security=ADS, and the remote server is capable.
The routines used for this behaviour have been upgraded to modern Samba
codeing standards.
This is a change in behaviour for mixed mode domains, and if the trusted
domain cannot be reached with our current krb5.conf file, we will show
that domain as disconnected.
This is in line with existing behaviour for native mode domains, and for
our primary domain.
As a consequence of testing this patch, I found that our kerberos error
handling was well below par - we would often throw away useful error
values. These changes move more routines to ADS_STATUS to return
kerberos errors.
Also found when valgrinding the setup, fix a few memory leaks.
While sniffing the resultant connections, I noticed we would query our
list of trusted domains twice - so I have reworked some of the code to
avoid that.
Andrew Bartlett
While machine accounts cannot use an NTLM login (NT4 style), they are
otherwise full and valid members of the domain, and expect to be able to
use kerberos to connect to CIFS servers.
This means that the LocalSystem account, used by various services, can
perform things like backups, without the admin needing to enter further
passwords.
This particular issue (bug 722) has started to come up a lot on the lists.
I have only enabled it for winbindd-based systems, as the macros use use
to call the 'add user script' will strip the $ from the username for
security reasons.
Andrew Bartlett
DNS names (realms) from NetBIOS domain names.
Until now, we would experience delays as we broadcast lookups for DNS names
onto the local network segments.
Now if DNS comes back negative, we fall straight back to looking up the
short name.
Andrew Bartlett
domains (in particular, the domain of the current machine, if it is not a PDC)
By changing the error codes, we now return values that PAM can correctly
use for better stacking of PAM modules - in particular of the password change
module.
This allows pam_winbind to co-exist with other pam modules for password changes.
Andrew Bartlett
our primary domain - new domains are added to the front of the list. :-(
Use a much more reliable 'flag test' instead. (note: changes winbind structures, make clean).
Andrew Bartlett
- Fill in the 'backup' idea of a domain, if the DC didn't supply one. This
doesn't seem to occour in reality, hence why we missed the typo.
lib/charcnv.c:
lib/smbldap.c:
libads/ldap.c:
libsmb/libsmbclient.c:
printing/nt_printing.c:
- all the callers to pull_utf8_allocate() pass a char ** as the first
parammeter, so don't make them all cast it to a void **
nsswitch/winbind_util.c:
- Allow for a more 'correct' view of when usernames should be qualified
in winbindd. If we are a PDC, or have 'winbind trusted domains only',
then for the authentication returns stip the domain portion.
- Fix valgrind warning about use of free()ed name when looking up our
local domain. lp_workgroup() is maniplated inside a procedure that
uses it's former value. Instead, use the fact that our local domain is
always the first in the list.
Andrew Bartlett
