IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
The adex idmap/nss_info plugin is an adapation of the Likewise
Enterprise plugin with support for OU based cells removed
(since the Windows pieces to manage the cells are not available).
This plugin supports
* The RFC2307 schema for users and groups.
* Connections to trusted domains
* Global catalog searches
* Cross forest trusts
* User and group aliases
Prerequiste: Add the following attributes to the Partial Attribute
Set in global catalog:
* uidNumber
* uid
* gidNumber
A basic config using the current trunk code would look like
[global]
idmap backend = adex
idmap uid = 10000 - 19999
idmap gid = 20000 - 29999
idmap config US:backend = adex
idmap config US:range = 20000 - 29999
winbind nss info = adex
winbind normalize names = yes
winbind refresh tickets = yes
template homedir = /home/%D/%U
template shell = /bin/bash
* Port the Likewise Open idmap/nss_info provider (renamed to
idmap_hash).
* uids & gids are generated based on a hashing algorithm that collapse
the Domain SID to a 31 bit number. The reverse mapping from the
high order 11 bits to the originat8ing sdomain SID is stored in
a has table initialized at start up.
* Includes support for "idmap_hash:name_map = <filename>" for the
name aliasing layer. The name map file consist of entries in
the form "alias = DOMAIN\name"
* Add support user and group name aliasing by expanding
the ws_name_replace() and ws_name_return() functions.
The lookup path is
aliases -> qualified name -> SID
SID -> fully qualified name -> alias
In other words, the name aliasing support is a thin layer
built on top of SID/NAME translation.
* Rename the ws_name_XX() functions to normalize_name_map()
and normalize_name_unmap(). Chaneg interface to return
NTSTATUS rather than char *.
* Add associated cache validation functions.
Make sure that usernames are parsed using the correct separator.
Otherwise group memeberships in winbind may be result broken.
(This used to be commit 20b9c0aa7b)
request.extra_data is not freed if there is no extra_data in response or
when there is some error happens in processing. This patch will free the
buffer right after processing a request before sending back a response.
(This used to be commit be6f12273f)
This is a fix for a few small inefficiencies/bugs in the get_dcs() path.
* because the third add_one_dc_unique() loop was outside the ADS check all DCs
returned from the non-sitename lookup were being tacked onto the dc_name_ip
list twice.
* add_one_dc_unique() now checks if the given IP address already exists before
adding it to the list, making the returned list actually unique
* added more thorough doxygen comment headers
(This used to be commit cb2d488e1d)
The scanner did not figure out that we always have a primary domain, so it
complained about us potentially passing a NULL pointer down to
set_domain_online_request() where it is dereferenced.
Make the code a bit clearer.
(This used to be commit e6e8d108f9)
Fix segv when talking to parent DC (joined to child domain).
The root cause was
(a) storing the parent domain in the cli_state struct caused
the NTLMSSP pipe bind to fail which made us fallover to
the schannel code path
(b) the dcinfo pointer in cm_get_schannel_dcinfo() was returning
NULL even though the function indicated success.
(This used to be commit 5ce4a2ae66)
reconnect code to cope with rebooting a DC. This
replaces the code I asked Volker to revert.
The logic is pretty simple. It adds a new parameter,
"winbind reconnect delay", set to 30 seconds by
default, which determines how long to wait between
connection attempts.
To avoid overwhelming the box with DC-probe
forked children, the code now keeps track of
the DC probe child per winbindd_domain struct
and only starts a new one if the existing one
has died.
I also added a little logic to make sure the
dc probe child always sends a message whatever
the reason for exit so we will always reschedule
another connect attempt.
Also added documentation.
Jeremy.
(This used to be commit 8027197635)
was asking for a winbindd name to SID lookup of
"Unix Group\name" where "name" was also a valid username,
the winbindd passdb lookup of that name was losing the
domain string info before calling lookup name (ie. lookup_name()
was being called with just the string "name", not the
full string "Unix Group\name").
The passdb backend of winbindd has to cope with
not only names from it's own global SAM domain,
but it does lookups for BUILTIN and "Unix User"
and "Unix Group" also, so making it guess by
losing the domain string is "A Bad Idea" (tm) :-).
Note that as winbind globally calls winbind_off()
at startup, it's safe for winbind to call sys_getgrnam()
to do the "Unix Group" lookup from inside lookup_name().
Jeremy.
(This used to be commit 5293af6c3c)
should never include the user SID.
The comment for the function in winbindd/winbindd_ads.c says
/* Lookup groups a user is a member of. */
The following patch makes the wbinfo calls return the correct data
before and after a login.
wbinfo --user-domgroups and --user-sids
(This used to be commit 7849938906)
1. use the return value that idmap_tdb2_open_perm_db() gives us
2. don't delete frep the local db if deleting from the perm db failed.
3. fix wrong interpretation of return value of the local delete
Michael
(This used to be commit 147573d7f6)
1. use the return value that idmap_tdb2_open_perm_db() gives us
2. don't write to the local db if writing to the perm db failed.
3. fix wrong interpretation of return value of the local store
Michael
(This used to be commit be8c6b4f2f)
This is a band-aid for the rather convoluted offline/online mess in winbind
right now. Winbind re-uses the offline functionality that is targeted at domain
client installations on laptops to not overload disfunctional DCs. It uses the
winbind cache timeout as the retry timeout after a DC reboot.
I am using a parametric options because when this mess is cleaned up, that
parameter needs to go away again.
I'd recommend to use something like
winbind:online check timeout = 30
in typical LAN environments. This means a reconnect is attempted every 30
seconds.
Volker
(This used to be commit 9920473cc1)
in winbind
When a w2k3 DC is rebooted the 139/445 ports come up before the
udp/389 cldap port. During this brief period, winbind manages to
connect to 139/445 but not to udp 389. It then enters a tight loop
where it leaks one fd each time. In a couple of seconds it runs out of
file descriptors, and leaves winbind crippled after the DC does
finally come up
(This used to be commit 57187cafbc)
When SIGCHLD handling is delayed for some reason, sending a request to a child
can fail early because the child has died already. In this case
async_main_request_sent() directly called the continuation function without
properly removing the malfunctioning child process and the requests in the
queue. The next request would then crash in the DLIST_ADD_END() in
async_request() because the request pending for the child had been
talloc_free()'ed and yet still was referenced in the list.
This one is *old*...
Volker
(cherry picked from commit 8691709626)
(This used to be commit c70e2b6476)
In reloading the smb.conf, if a "log file" is specified in smb.conf,
winbind children will overwrite the logfile name to be the same as the
parent.
Jeremy.
(This used to be commit 62d319cc1a)
We must not return an error here just because we are offline.
We must instead fix the mappings to the best of our knowledge
(ie mark as mapped, expired ones, and as unmapped, unknown ones)
(This used to be commit 4436272dd4)
sid_check_is_in_unix_* will only give true if it is of the corresponding type,
so the check if the struct idmap actually represents a user or group is
unnecessary.
(This used to be commit 55b976ba93)
smbcontrol winbindd debug level would only set the debug level of the
parent winbindd process and not the child processes. This patch adds
the functionality of broadcasting the debug message to all winbindd
children. Now the debug level message is propagated to all the winbindd
processes that includes parent and children.
(This used to be commit cfbcfc3ffe)
Extends ads_connect() to a new call ads_connect_gc() which connects on port
3268 rather than port 389. Also makes ads_try_connect() static and
only used internally to ldap.c
(This used to be commit f4c37dbe2c)
Attached is the companion patch to
(037b9689d9), which
made handling of WINBINDD_LIST_GROUPS asynchronous.
Because most all of the list_groups code was reusable, I abstracted it,
and implemented both list_groups and list_users on top of it.
On my large test domain a "wbinfo -u" call went from 70 seconds to 30
seconds with this patch. Plus, the parent process is no longer blocked
from receiving new requests during that time.
Steven Danneman | Software Development Engineer
Isilon Systems P +1-206-315-7500 F +1-206-315-7501
www.isilon.com
(This used to be commit 5188f28611)
Leave the message inside winbind_messaging_context() for now.
There might be callers, where this debug message could prove useful...
Michael
(This used to be commit e9177ec56a)
Clients can request name-to-sid queries for different combinations of
upper and lower case names. We don't want to create the reverse caching
entries for each combination used.
This avoids inconsistent answers on sid-to-name queries.
Please review!
Karolin
(This used to be commit b58e4f6b3d)
goto target we were not reinitializing the array counts.
From Herb:
This is in the file nsswitch/winbindd_cm.c (samba-3.0.30) line 1236
We have a label again: where we keep trying to find the name of the DC
from the list of IPs returned by get_dcs. If we fail to figure out the
name we do a goto again at the end of the function. The problem is we
don't reset the num_dcs, num_addrs, etc and free the memory in the
various arrays. This seems wrong to me. I have a winbindd core where
I have 9 IPs returned for the DCs but at the time of the crash num_dcs
is 87 and if I look through the array dcs it keeps repeating entries
from the same group of 9
Jerry, Volker and Guenther please check.
Jeremy.
(This used to be commit 15f464321a)
backend. This allows winbindd when running on a Samba PDC to
correctly answer wbinfo -u lists and other queries.
Jeremy.
(This used to be commit e61ad0c158)
when checking for a trusted domain situation.
This is how it was meant to be:
Otherwise, with a dc-trusted-domain situation but trusted domains disabled,
we would attempt to do a session setup and fail (wouldn't even get a trust
password).
Michael
(This used to be commit a5a51ca8e5)
Win2008 domain (merged from v3-0-test).
commit 8dc4e97977
Author: Steven Danneman <sdanneman@isilon.com>
Date: Wed May 7 13:34:26 2008 -0700
spnego SPN fix when contacting trusted domains
cli_session_setup_spnego() was not taking into consideration the situation
where we're connecting to a trusted domain, specifically one (like W2K8)
which doesn't return a SPN in the NegTokenInit.
This caused two problems:
1) When guessing the SPN using kerberos_get_default_realm_from_ccache() we
were always using our default realm, not the realm of the domain we're
connecting to.
2) When falling back on NTLMSSP for authentication we were passing the name
of the domain we're connecting to for use in our credentials when we should be
passing our own workgroup name.
The fix for both was to split the single "domain" parameter into
"user_domain" and "dest_realm" parameters. We use the "user_domain"
parameter to pass into the NTLM call, and we used "dest_realm" to create an SPN
if none was returned in the NegTokenInit2 packet. If no "dest_realm" is
provided we assume we're connecting to our own domain and use the credentials
cache to build the SPN.
Since we have a reasonable guess at the SPN, I removed the check that defaults
us directly to NTLM when negHint is empty.
(This used to be commit b78b14c88e)
looking up trust credentials in our tdb.
commit fd0ae47046
Author: Steven Danneman <sdanneman@isilon.com>
Date: Thu May 8 13:34:49 2008 -0700
Use machine account and machine password from our domain when
contacting trusted domains.
(This used to be commit 69b37ae607)
Previously WINBINDD_LIST_GROUPS requests (ex: wbinfo -g) were handled by the
winbindd parent process in a sequential fashion. This patch, delegates the work
to the winbindd children so that the request is handled much faster in large
domain topologies, and doesn't block the parent from receiving new requests.
The core group enumeration and conversion that was handled in
winbindd_list_groups() has been moved into winbindd_dual_list_groups() to be
done by the child.
The parent winbindd_list_groups() simply calls each of the children
asynchronously.
listgroups_recv() aggregates the final group list that will be returned to the
client and tracks how many of the children have returned their lists.
The domain name of the child is passed back through the callbacks to be used in
debugging messages.
There are also several fixes to typos in various comments.
(This used to be commit 037b9689d9)
CatchChild();
*before* we fork the domain child. This call establishes a signal handler that
eats SIGCLD signals and doesn't call sys_select_signal() as the main daemon
SIGCLD handler should do. This causes the parent to ignore dead children and
time out, instead of calling winbind_child_died() on receipt of the signal. The
correct fix is to move the CatchChild call into the child code after the fork.
Jeremy.
(This used to be commit 8d701a142b)
The wbcLookupDomainController() call supports a set of flags
defined in wbclient.h. Add a mapping function between these
flags and the original DS_XXX flags in order to prevent having
to include the generated RPC headers in wbclient.h.
(This used to be commit 31614cd5e0)
Thanks to Glenn Curtis and Kyle Stemen @ Likewise. Their explanation is:
In winbindd_dual.c, there is a list of children processes that
is maintained using macros DTLIST_ADD and DTLIST_REMOVE. In the
case when a scheduled_async_request fails, the particular child
was located in the list, and its attributes were cleared out
and it was reused for a subsequent async request. The bug was that
the new request would queue the same node into the doubly-linked
list and would result in list->next pointing to the same node as
list itself. This would set up an infinite loop in the processing of
the for loop when the list of children was referenced.
Solution was to fully remove the child node from the list, such that
it could be inserted without risk of being inserted twice.
Note that the child is re-added to the list in fork_domain_child() again.
(This used to be commit b379b5b5d8)
We now open messages.tdb even before we do the become_daemon. become_daemon()
involves a fork and an immediate exit of the parent, thus the
parent_is_longlived argument must be set to false in this case. The parent is
not really long lived :-)
(This used to be commit 4f4781c6d1)
This reduces indentation by combining common code paths,
and wraps long lines.
Holger: sorry, I could not resist. I think it is much easier to
understand what is going on when we only have one check and
determine the max allowed key length in advance.
Michael
(This used to be commit e489f3d988)
UA keys consist of a potientally large number of concatenated SID strings which
can grow much larger than 1024 bytes in complex environments. We catch those keys
and allow them exclusivly to be larger.
(This used to be commit fcd35232e1)
In getgrsid_lookupsid_recv() we use parse_domain_user which itself looks at
lp_winbind_separator(). Thus when building up that group name we should better
use it as well.
(This used to be commit 5df75578ef)
originally, the cache was cleared before calling validate, but
this way, we skipt the validation of the database when not in
offline logon mode.
This is put into a new wrapper function winbindd_cache_validate_and_initialize()
which is now called in winbindd.c instead calling validate and
initialize functions separately.
Michael
(This used to be commit 641b5e3fec)
My NT4SP6 which my DC here trusts sends 0x15 instead of 0x13, from looking at
the sniff at least the DC name is at the same place.
(This used to be commit 79bc6796b8)
In order to avoid receiving NT_STATUS_DOWNGRADE_DETECTED from a w2k8
netr_ServerAuthenticate2 reply, we need to start with the AD netlogon negotiate
flags everywhere (not only when running in security=ads). Only for NT4 we need
to do a downgrade to the returned negotiate flags.
Tested with w2k8, w2ksp4, w2k3r2 and nt4sp6.
Guenther
(This used to be commit 0970369ca0)
* added several helper functions to convert the trust_flags field in the
winbindd_tdc_domain to more useful administrator ideas of trust type, trust
direction, and trust transitivity.
* converted winbindd_list_trusted_domains() to enumerate the trusted domain
cache, instead of the domain list, and return additional trust information to
the calling process
* modified wbinfo to pretty print this additional trust information when a new
--verbose switch is given with -m. Thus "wbinfo -m" and "wbinfo -all-domains"
output as before, but "wbinfo --verbose -m" prints extra trust info.
* updated some comments and fixed typos
(This used to be commit e7827bb6af)
* changed the behavior of winbind_ads.c:trusted_domains() to not overwrite
existing trust information if we're joined to a child domain, and querying the
forest root domain. Previously if we were joined to a child domain, we'd
request all known trust information from this child domain (our primary domain)
and store it in the tdc. We'd then request all trust information from our tree
root (to get the forests we transitively trust) and overwrite the existing trust
information we already had from the perspective of the tree root.
* updated several comments and fixed typos
(This used to be commit 6aac972d79)
When we get a NT_STATUS_WRONG_PASSWORD for example, my_info3 is not initialized
at all. So first check that we have NT_STATUS_IS_OK(status) before we
dereference my_info3.
(This used to be commit 559cd9e5a7)
Another preparation to convert secrets.c to dbwrap: The dbwrap API does not
provide a sane tdb_lock_with_timeout abstraction. In the clustered case the DC
mutex is needed per-node anyway, so it is perfectly fine to use a local mutex
only.
(This used to be commit f94a63cd8f)
