path: root/source3/winbindd
Commit message | Author | Age | Files | Lines
...
* Add a talloc context to saf_fetch(). | Jeremy Allison | 2013-09-05 | 2 | -7/+9
    Signed-off-by: Jeremy Allison <jra@samba.org>
    Reviewed-by: Volker Lendecke <vl@samba.org>
* lib: Add a "mem_ctx" arg to gencache_get (unused so far) | Volker Lendecke | 2013-09-05 | 1 | -1/+1
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* s3:winbind: fail ads_cached_connection_connect() if realm == NULL | Michael Adam | 2013-08-29 | 1 | -0/+4
    This prevents segfaults when e.g. a previous SMB_STRDUP failed.

    Signed-off-by: Michael Adam <obnox@samba.org>
    Reviewed-by: Günther Deschner <gd@samba.org>
    Autobuild-User(master): Günther Deschner <gd@samba.org>
    Autobuild-Date(master): Thu Aug 29 18:54:28 CEST 2013 on sn-devel-104
* s3-winbindd: remove unneeded include of secrets.h from idmap_ad.c | Günther Deschner | 2013-08-29 | 1 | -1/+0
    Guenther

    Signed-off-by: Günther Deschner <gd@samba.org>
    Reviewed-by: Michael Adam <obnox@samba.org>
* s3-winbindd: use get_trust_pw_clear() wrapper for AD connection code. | Günther Deschner | 2013-08-29 | 1 | -7/+4
    This avoids calling secrets functions directly.

    Guenther

    Signed-off-by: Günther Deschner <gd@samba.org>
    Reviewed-by: Michael Adam <obnox@samba.org>
* s3-winbindd: make sure also the idmap code can deal with trusted domains. | Günther Deschner | 2013-08-29 | 1 | -9/+31
    Guenther

    Signed-off-by: Günther Deschner <gd@samba.org>
    Reviewed-by: Michael Adam <obnox@samba.org>
* s3-winbindd: use find_domain_from_name() instead of find_domain_from_name_no_init(). | Günther Deschner | 2013-08-29 | 1 | -2/+2
    Otherwise there is a good chance the domain has not been connected and we
    don't know the realm name yet.

    Guenther

    Signed-off-by: Günther Deschner <gd@samba.org>
    Reviewed-by: Michael Adam <obnox@samba.org>
* s3-winbindd: Fix winbind on DC crash with trusted AD domains. | Günther Deschner | 2013-08-29 | 1 | -1/+1
    Guenther

    Signed-off-by: Günther Deschner <gd@samba.org>
    Reviewed-by: Michael Adam <obnox@samba.org>
* s3-winbindd: Fix memory leak in ads_cached_connection(). | Günther Deschner | 2013-08-29 | 1 | -1/+1
    Guenther

    Signed-off-by: Günther Deschner <gd@samba.org>
    Reviewed-by: Michael Adam <obnox@samba.org>
* s3-winbindd: remove pointless variable assignment, see the strdup below. | Günther Deschner | 2013-08-29 | 1 | -1/+0
    Guenther

    Signed-off-by: Günther Deschner <gd@samba.org>
    Reviewed-by: Michael Adam <obnox@samba.org>
* s3:winbindd: make use of lp_cli_{min,max}protocol() | Stefan Metzmacher | 2013-08-15 | 1 | -2/+3
    This changes winbindd back to use NT1 as default.

    https://bugzilla.samba.org/show_bug.cgi?id=9514

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* Followup patch for BUG: https://bugzilla.samba.org/show_bug.cgi?id=10082 | Andreas Schneider | 2013-08-15 | 1 | -1/+1
    Thanks to Jim Brown <jim.brown@rsmas.miami.edu>

    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Volker Lendecke <Volker.Lendecke@SerNet.DE>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    Autobuild-User(master): Jeremy Allison <jra@samba.org>
    Autobuild-Date(master): Thu Aug 15 03:46:20 CEST 2013 on sn-devel-104
* winbind3: Fix an invalid free | Volker Lendecke | 2013-08-14 | 1 | -1/+1
    This fixes a warning I've never seen before :-)

    ../source3/winbindd/winbindd_cm.c:781:59: warning: attempt to free a non-heap object ‘machine_krb5_principal’ [-Wfree-nonheap-object]

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
    Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
    Autobuild-Date(master): Wed Aug 14 14:04:16 CEST 2013 on sn-devel-104
* s3-winbindd: fix fallback to ncacn_np in cm_connect_lsat(). | Günther Deschner | 2013-08-13 | 1 | -2/+7
    Fallback to lsa named-pipe connection when tcp connection has failed twice
    (it could be a trusted domain connection where we cannot setup a secure
    channel).

    Guenther

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9615
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9899

    Signed-off-by: Günther Deschner <gd@samba.org>
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
    Tested-by: Christof Schmitt <christof.schmitt@us.ibm.com>
    Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
    Autobuild-Date(master): Tue Aug 13 20:55:33 CEST 2013 on sn-devel-104
* s3-winbind: Fix a segfault passing NULL to a fstring argument. | Andreas Schneider | 2013-08-13 | 1 | -2/+11
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10082

    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Volker Lendecke <vl@samba.org>
    Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
    Autobuild-Date(master): Tue Aug 13 13:58:26 CEST 2013 on sn-devel-104
* s3-rpc_cli: pass down ndr_interface_table to cli_rpc_pipe_open_noauth(). | Günther Deschner | 2013-08-05 | 1 | -5/+5
    Guenther

    Signed-off-by: Günther Deschner <gd@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* s3-rpc_cli: pass down ndr_interface_table to cli_rpc_pipe_open_schannel_with_key(). | Günther Deschner | 2013-08-05 | 1 | -4/+4
    Guenther

    Signed-off-by: Günther Deschner <gd@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:winbind: add a warning DEBUG message when skipping a sid from the mapped GID list | Michael Adam | 2013-07-29 | 1 | -0/+18
    This presents a potential security problem when ACLs contain DENY ACEs.

    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
    Signed-off-by: Michael Adam <obnox@samba.org>
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Autobuild-User(master): Michael Adam <obnox@samba.org>
    Autobuild-Date(master): Mon Jul 29 14:42:27 CEST 2013 on sn-devel-104
* s3:winbind: change getgroups to only do one sids2xids call instead of many | Michael Adam | 2013-07-29 | 1 | -26/+42
    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
    Signed-off-by: Michael Adam <obnox@samba.org>
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3:winbind: fix the getgroups implementation to include the user sid's GID in case of ID_TYPE_BOTH | Michael Adam | 2013-07-29 | 1 | -3/+5
    This is important for acl checks on the unix level where only a group ace
    has been added to the ACL for the user sid, e.g. when accessing Files with
    nfs or local unix processes.

    Signed-off-by: Michael Adam <obnox@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s3:winbind: fix gid counting and error handling in the getgroups implementation | Michael Adam | 2013-07-29 | 1 | -6/+10
    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
    Signed-off-by: Michael Adam <obnox@samba.org>
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3-winbindd: support the DIR pragma for raw kerberos user pam authentication. | Günther Deschner | 2013-07-23 | 1 | -0/+23
    It is currently only available in MIT. In addition, allow to define custom
    filepaths for FILE, WRFILE and DIR pragmas and substitute one occurrence of
    the %u pattern.

    Guenther

    Signed-off-by: Günther Deschner <gd@samba.org>
    Pair-Programmed-With: Andreas Schneider <asn@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* s3:idmap_autorid: Add a NULL check in idmap_autorid_preallocate_wellknown | Volker Lendecke | 2013-07-08 | 1 | -0/+4
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Christian Ambach <ambi@samba.org>
* s3:idmap_autorid: Don't zero in idmap_autorid_preallocate_wellknown | Volker Lendecke | 2013-07-08 | 1 | -1/+1
    We initialize everything later anyway

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Christian Ambach <ambi@samba.org>
* s3:idmap_autorid: Use ARRAY_SIZE where appropriate | Volker Lendecke | 2013-07-08 | 1 | -1/+1
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Christian Ambach <ambi@samba.org>
* s3-winbind: Do not delete an existing valid credential cache. | Andreas Schneider | 2013-07-15 | 1 | -0/+8
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9994

    Thanks to David Woodhouse <dwmw2@infradead.org>.

    Reviewed-by: Günther Deschner <gd@samba.org>
    Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
    Autobuild-Date(master): Mon Jul 15 12:48:46 CEST 2013 on sn-devel-104
* s3-winbind: Allow sec_initial_uid() to store creds. | Andreas Schneider | 2013-07-02 | 1 | -1/+1
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    Autobuild-User(master): Jeremy Allison <jra@samba.org>
    Autobuild-Date(master): Tue Jul 2 23:26:24 CEST 2013 on sn-devel-104
* winbindd and nmbd don't set their umask to zero on startup like smbd does. | Jeremy Allison | 2013-06-27 | 1 | -0/+6
    Fix this - we already control tightly what permissions are on the files we
    create. Ensure we don't get surprised.

    Signed-off-by: Jeremy Allison <jra@samba.org>
    Reviewed-by: Michael Adam <obnox@samba.org>
    Autobuild-User(master): Michael Adam <obnox@samba.org>
    Autobuild-Date(master): Thu Jun 27 02:02:24 CEST 2013 on sn-devel-104
* Fix bug #9166 - Starting smbd or nmbd with stdin from /dev/null results in "EOF on stdin" | Jeremy Allison | 2013-06-20 | 1 | -1/+14
    Only install the stdin handler if it's a pipe or fifo.

    Signed-off-by: Jeremy Allison <jra@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* winbind: Print error code on connection error in ping_dc | Christof Schmitt | 2013-05-25 | 1 | -1/+2
    For debugging, it is useful to include the error code in the message.

    Signed-off-by: Christof Schmitt <christof.schmitt@us.ibm.com>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    Reviewed-by: Michael Adam <obnox@samba.org>
    Autobuild-User(master): Michael Adam <obnox@samba.org>
    Autobuild-Date(master): Sat May 25 23:11:23 CEST 2013 on sn-devel-104
* winbind/idmap_ad: be verbose about the user that we fail to map | Björn Jacke | 2013-05-14 | 1 | -2/+3
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
* winbind: Fix bug 9854 -- NULL pointer dereference | Volker Lendecke | 2013-05-07 | 1 | -3/+3
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Michael Adam <obnox@samba.org>
    Autobuild-User(master): Michael Adam <obnox@samba.org>
    Autobuild-Date(master): Tue May 7 14:49:07 CEST 2013 on sn-devel-104
* s3:idmap:autorid: add a comment block explaining the calculations | Michael Adam | 2013-05-06 | 1 | -0/+51
    Signed-off-by: Michael Adam <obnox@samba.org>
    Reviewed-by: Christian Ambach <ambi@samba.org>
* s3:idmap:autorid: simplify the id->sid calculation | Michael Adam | 2013-05-06 | 1 | -7/+13
    To make it more intuitive.

      rid = reduced_rid + domain_range_index * range_size

    where

      reduced_rid = (id - id_low) % range_size

    Signed-off-by: Michael Adam <obnox@samba.org>
    Reviewed-by: Christian Ambach <ambi@samba.org>
* s3:idmap:autorid: calculate the range's low_id in idmap_autorid_get_domainrange() | Michael Adam | 2013-05-06 | 1 | -8/+9
    This way, the calculation needs to be done only in one central place and
    the formulas get simpler.

    Signed-off-by: Michael Adam <obnox@samba.org>
    Reviewed-by: Christian Ambach <ambi@samba.org>
* s3:idmap:autorid: make calculation in idmap_autorid_sid_to_id much more obvious | Michael Adam | 2013-05-06 | 1 | -3/+6
    This is my attempt to make the sid->unix-id calculation much more obvious.

    Especially with the introduction of the multi-range support and the
    originally named "multiplier", the calculation

      id = low_id + range_size * domain_number + rid - range_size * multiplier

    was rather opaque to me.

    What really happens here is this: The rid is split into a reduced_rid part
    that is < rangesize and a multiple of rangesize. This is given by the
    formula

      rid = rid % range_size + (rid / range_size) * range_size

    We define

      reduced_rid := rid % range_size

    and

      domain_range_index := rid / range_size  ( == the original multiplier)

    and the original formula is equivalent to:

      id = reduced_rid + low_id + range_number * range_size;

    and reads

      id = reduced_rid + range_minvalue

    if we set

      range_minvalue := low_id + range_number * range_size.

    Signed-off-by: Michael Adam <obnox@samba.org>
    Reviewed-by: Christian Ambach <ambi@samba.org>
* s3:idmap:autorid: rename range.multiplier to domain_range_index | Michael Adam | 2013-05-06 | 1 | -15/+17
    The name multiplier is very confusing (at least for me). This is an index
    that is used to reference the various per-domain ranges.

    Signed-off-by: Michael Adam <obnox@samba.org>
    Reviewed-by: Christian Ambach <ambi@samba.org>
* s3:idmap:autorid: rename autorid_range_config.sid to domsid, along with instances | Michael Adam | 2013-05-06 | 1 | -12/+12
    Signed-off-by: Michael Adam <obnox@samba.org>
    Reviewed-by: Christian Ambach <ambi@samba.org>
* s3:idmap:autorid: rename autorid_domain_config --> autorid_range_config and instances to "range" | Michael Adam | 2013-05-06 | 1 | -37/+37
    This describes it better with the new support for multiple ranges for
    domains.

    Signed-off-by: Michael Adam <obnox@samba.org>
    Reviewed-by: Christian Ambach <ambi@samba.org>
* s3:idmap:autorid: rename domainnum to rangenum | Michael Adam | 2013-05-06 | 1 | -12/+13
    Now ranges don't correspond to domains any more, but multiple ranges are
    associated to a domain. So the name is misleading.

    Signed-off-by: Michael Adam <obnox@samba.org>
    Reviewed-by: Christian Ambach <ambi@samba.org>
* s3:winbindd/autorid multiple range support | Abhidnya Joshi | 2013-05-06 | 1 | -19/+36
    when a mapping request for a RID comes in that is larger than the
    rangesize, allocate an extension range to be able to map this one

    This is especially important for large installations which might have
    large RIDs being used in a trusted domain that the administrator was not
    aware of when planning for autorid usage and so those objects could not be
    mapped up to now. As it is not possible to change the rangesize after the
    first start of autorid, this would lead to big trouble.

    Signed-off-by: Abhidnya Joshi <achirmul@in.ibm.com>
    Reviewed-by: Christian Ambach <ambi@samba.org>
    Reviewed-by: Michael Adam <obnox@samba.org>
* idmap: Store negative cache entries if the backend fails | Volker Lendecke | 2013-05-03 | 1 | -2/+2
    This changes the behaviour for out-of-range queries: The tdb backend
    (probably all backends) returns NT_STATUS_NONE_MAPPED and does not set the
    map.status value to ID_UNMAPPED. This means that we did an early error
    exit, not setting a negative cache value. This makes smbd ask winbind over
    and over again for out-of-range gids, which can be a performance problem
    in certain scenarios.

    The new code makes us fall through to the code setting the negative cache
    entry in all cases.

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Michael Adam <obnox@samba.org>
    Autobuild-User(master): Michael Adam <obnox@samba.org>
    Autobuild-Date(master): Fri May 3 14:48:35 CEST 2013 on sn-devel-104
* idmap: Print error from idmap_backends_unixid_to_sid | Volker Lendecke | 2013-05-03 | 1 | -2/+4
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Michael Adam <obnox@samba.org>
* s3:winbindd: avoid usage of procid_self() | Stefan Metzmacher | 2013-04-18 | 1 | -1/+3
    metze

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Michael Adam <obnox@samba.org>
* winbindd: Avoid a fd leak when we can not fork | Volker Lendecke | 2013-04-09 | 1 | -0/+2
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Signed-off-by: Jim McDonough <jmcd@samba.org>
    Autobuild-User(master): Jim McDonough <jmcd@samba.org>
    Autobuild-Date(master): Tue Apr 9 20:27:27 CEST 2013 on sn-devel-104
* BUG 9766: Cache name_to_sid/sid_to_name correctly. | Andreas Schneider | 2013-04-09 | 1 | -0/+21
    If there is no domain_name specified we still need to set to for caching
    else we will not find the entry later if we lookup the entry with the
    domain_name.

    Reviewed-by: Guenther Deschner <gd@samba.org>
    Reviewed-by: Volker Lendecke <vl@samba.org>
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Autobuild-User(master): Günther Deschner <gd@samba.org>
    Autobuild-Date(master): Tue Apr 9 16:32:44 CEST 2013 on sn-devel-104
* s3-winbindd: Add new module idmap_rfc2307 | Christof Schmitt | 2013-03-09 | 2 | -0/+880
    This module allows querying id mappings from LDAP servers as described in
    RFC 2307. The LDAP records can be queried from an Active Directory Server
    or from a stand-alone LDAP server.

    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3-winbindd: Move connection to AD server from idmap_ad | Christof Schmitt | 2013-03-09 | 3 | -62/+52
    Having this in a common place allows reuse by other idmap modules.

    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3-winbindd: Use common helper function for connecting to ADS | Christof Schmitt | 2013-03-09 | 3 | -86/+87
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3-winbindd: Move code for verifying ADS connection to common helper function | Christof Schmitt | 2013-03-09 | 3 | -45/+41
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>