| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Michael
|
| |
|
|
| |
Michael
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes "winbind nss info = rfc2307" (or sfu or sfu20).
Originally, only explicitly configured domains (like "rfc2307:domain")
worked with the ad module, since the domain name was not passed
backe to the module. This is fixed by recording the first backend
listed without domain in the "winbind nss info" parameter as the
default backend, and creating new nss_domain entries (using this default
backend) on the fly as requests for domains which are not explicitly
configured are encountered.
Michael
|
| |
|
|
|
|
| |
Remove trailing spaces and fix tab / space mixup.
Michael
|
| |
|
|
| |
Michael
|
| |
|
|
| |
Michael
|
| |
|
|
| |
Michael
|
| |
|
|
| |
Michael
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This initial fix does at least work for explicitly configured domains.
The patch has a few disadvantages:
1. It does work only for explicitly configured domains, not with
the default backend (idmap backend = ad), since it relies on the
domain name being passed in via the idmap_domain. One workaround
for this would be to create clones of the default idmap_domain
for domains not explicitly configured.
2. It calls find_domain_from_name_noinit() from idmap_ad_cached_connection.
The problem here is that only the NetBIOS domain name (workgroup
name) is passed in via the idmap_domain struct, and the module
has to establish a connection to the domain based on that information.
find_domain_from_name_noinit() has the disadvantage that it uses the state
of the domain list at fork time (unless used from the main winbindd).
But this should be ok as long as the primary domain was reachable at
start time.
For nss_info, the situation is similar - This will only work for domains
explicitly configured in smb.conf as follows:
"winbind nss info = rfc2307:dom1 sfu:dom2 rfc2307:dom3 template:dom4"
Setting the default nss info to one of the ad backends (rfc2307, sfu, sfu20)
will fail since the domain name is not passed in with the nss_domain_entry.
Michael
|
| |
|
|
|
|
| |
common function.
Michael
|
| |
|
|
|
|
| |
in preparation to using the idmap_ad_context there
Michael
|
| |
|
|
|
|
| |
idmap_backends_sid_to_unixid
Michael
|
| |
|
|
|
|
| |
idmap_backends_unixid_to_sid
Michael
|
| |
|
|
| |
Michael
|
| |
|
|
| |
Michael
|
| |
|
|
|
|
| |
instead of just the domain name
Michael
|
| |
|
|
|
|
|
|
| |
This reverts commit 6a4957d35d50e6508917aca62b282ae4904187c8.
Sorry - this got accidentially pushed.
Michael
|
| |
|
|
| |
Michael
|
| |
|
|
|
|
|
| |
Now that the methods are no longer needed in winbindd_ads,
we can make them static again.
Michael
|
| |
|
|
|
|
|
|
|
|
| |
Some of the ads methods just point to the rpc methods.
This makes winbindd_ads use the reconnect methods instead of
calling the rpc methods directly in order to prevent
negative cache entries for e.g. name_to_sid, when the dc
has closed the connection without sending a reset.
Michael
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ads lookup_groupmem() function calls lda_lookupsids to resolve sids
to names. This is tried only once. So in case the connection was broken,
e.g. closed by the server (without a reset packet), there will be an empty
GM/ cache entry for the requested group which will prevent proper working
of access checks among other checks for the expiry period.
This patch works around this problem by retrying once if the lsa_lookupsids
call fails, re-establishing the dc-connection, as we already do in many other
places (e.g. the winbindd retry methods for the rpc layer).
Michael
|
| |
|
|
|
|
| |
keytab.
Guenther
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The idmap_tdb backend already provides an interface to remove existing id
mappings. This commit plumbs that ability up through, winbindd, libwbclient,
and wbinfo.
Added new winbindd command:
WINBINDD_REMOVE_MAPPING
Added new libwbclient interfaces:
wbcRemoveUidMapping() and wbcRemoveGidMapping()
Added new wbinfo options:
--remove-uid-mapping
--remove-gid-mapping
Increased libwbclient version to 0.2
Increased winbind interface version to 20
|
| |
|
|
|
|
|
|
|
|
|
| |
Some AD objects, like Exchange Public Folders, can be members of Security
Groups but do not have a SID attribute. This patch adds more granular return
errors to ads_get_sid_from_extended_dn(). Callers can now determine if a parse
error occured because of bad input, or the DN was valid but contained no SID.
I updated all callers to ignore SIDless objects when appropriate.
Also did some cleanup to the out paths of lookup_usergroups_memberof()
|
| | |
|
| |
|
|
|
|
| |
'getent group'
Jeremy.
|
| |
|
|
|
|
| |
w2k dcs.
Guenther
|
| |
|
|
| |
Jeremy.
|
| |
|
|
| |
Guenther
|
| |
|
|
| |
This fixes bug #5865
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
With large groups, getgrent ran into timeouts because after each
single user that was added to the expanded group list, the list
was sorted and made unique.
Now the list is sorted just once after all members have been added.
Michael
|
| | |
|
| |
|
|
| |
Jeremy.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On some versions of Solaris, we observed a strange effect of close(2)
on a socket: After the server (here winbindd) called close, the client fd
was not marked as readable for select. And a write call to the fd did
not produce an error EPIPE but just returned as if successful.
So while winbindd had called remove_client(), the corresponding smbd
still thought that it was connected, but failed to retrieve answers
for its queries.
This patch works around the problem by forcing the client fd to
the readable state: Just write one byte into the socket before
closing.
Michael
|
| | |
|
| |
|
|
|
| |
otherwise (to clarify we can also pass in structs smaller than
sockaddr_storage, such as sockaddr_in).
|
| |
|
|
|
|
|
|
| |
We need to initialize all mappings in case we don't find anything.
Simo, please check!
Volker
|
| | |
|
| |
|
|
| |
Guenther
|
| | |
|
| | |
|
| |
|
|
| |
Guenther
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
"rescan_trusted_domain".
From analysis by hargagan <shargagan@novell.com> :
"The winbindd_child_died() is also getting called from process_loop() in case of
SIGCHLD signal. In this case it doesn't make the timeout_handler to NULL for
the first request. It then initiate a new request using
schedule_async_request() which installs a new timeout handler for the same
request. In such a case, for a badly unresponsive system both the timeout
handler can be called. For the first call the "private_data" will be cleared
and for another call the timeout handler will be detecting the double free. So,
for such a case as well, the winbindd_child_died() should make the
timeout_handler to NULL."
Jeremy.
|
| |
|
|
| |
Log the dn of all located entries in order to verify search results.
|
| |
|
|
| |
Part of continue work on BUG 5806.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This API is unusual in that if used to remove a non-list head it nulls out
the next and prev pointers. This is what you want for debugging (don't want
an entry removed from the list to be still virtually linked into it) but
means there is no consistent idiom for use as the next and prev pointers
get trashed on removal from the list, meaning you must save them yourself.
You can use it one way when deleting everything via the head pointer, as
this preserves the next pointer, but you *must* use it another way when not
deleting everything via the head pointer. Fix all known uses of this (the main
one is in conn_free_internal() and would not free all the private data entries
for vfs modules. The other changes in web/statuspage.c and winbindd_util.c
are not strictly neccessary, as the head pointer is being used, but I've done
them for consistency. Long term we must revisit this as this API is too hard
to use correctly.
Jeremy.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This option really is essential, as we discover again and again at
customer sites. Due to bugs in winbind some domains are toxic. When
you are installing at a site and a particular domain in a complex
setup causes winbind to segfault or hang then you need a way to
disable that domain and continue.
In an ideal world winbind could handle arbitrarily complex ADS
domains, but we are nowhere near that yet. If we ever get to that
stage then we won't need this option.
|
