| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
for use by the require-membership-of pam_winbind option.
|
to the idmap child.
Also remove the check for the global offline state in child_msg_offline()
as this means we cannot mark domains offline due to network outages.
|
Helps when transitioning from offline to online mode.
Note that this is a quick hack and a better solution
would be to start the DNS server's state between processes
(similar to the namecache entries).
|
(a) Ignore the negative cache when the domain is offline
(b) don't delete expired entries from the cache as these
can be used when offline (same model as the wcache entries)
(c) Delay idmap backend initialization when offline
as the backend routines will not be called until we go
online anyways. This prevents idmap_init() from failing
when a backend's init() function fails because of lack of
network connectivity
|
and the krb5 tkt cache could not be created due to clock skew.
|
is initialized.
|
* Rely on the fact that name2sid will work for any name
in a trusted domain will work against our primary domain
(even in the absence of an incoming trust path)
* Only logons will reliably work and the idmap backend
is responsible for being able to manage id's without contacting
the trusted domain
* "getent passwd" and "getent group" for trusted users and groups
will work but we cannot get the group membership of a user in any
fashion without the user first logging on (via NTLM or krb5)
and the netsamlogon_cache being updated.
|
need some fixing here for a Samba DC)
|
daemon to manage the complete trusted domain cache
|
when calling the async lookupsid() routine
|
information returned from our DC in the DsEnumerateDomainTrusts()
call. If the fails, we callback to the older
connect-to-the-remote-domain method.
Note that this means we can only reliably expect the native_mode
flag to be set for our own domain as this information is not
available outside our primary domain from the trusted information.
This is ok as we only really need the flag when trying to
determine to enumerate domain local groups via RPC.
Use the AD flag rather than the native_mode flag when using
ldap to obtain the seq_num for a domain.
|
(a) Query our primary domain for trusts
(b) Query all tree roots in our forest
(c) Query all forest roots in trusted forests.
This will give us a complete trust topology including
domains via transitive Krb5 trusts. We also store the
trust type, flags, and attributes so we can determine
one-way trusted domains (outgoing only trust path).
Patch for one-way trusts coming in a later check-in.
"wbinfo -m" now lists all domains in the domain_list() as held
by the main winbindd process.
|
to use the same code path after we resolve the name/gid to
a SID. Use the async lookupname/lookupsid interface.
|
same heuristic. First try our DC and then try a DC in the
root of our forest. Use a temporary state since
winbindd_lookupXXX_async() is called from various winbindd
API entry points.
Note this will break the compile. That will be fixed in the
next commit.
|
list of trusted domains without requiring each winbindd process
to acquire this on its own. This is needed for various idmap
plugins and for dealing with different trust topologies.
list_trusted_domain() patches coming next.
|
laptop :-)
|
Thanks to Tom Bork for reporting this!
Volker
|
lock_struct *
|
Jerry, please add this for 3.0.25 final
|
Jeremy.
|
to examine parse_misc.c fix.
Jeremy.
|
before talloc.
Jeremy.
|
winbindd's kerberized pam_auth use that.
Guenther
|
NTSTATUS
codes directly out of the krb5_error edata.
Guenther
|
Guenther
|
- add AC_GNU_SOURCE macro for systems which don't have it
(sles8)
- fix compiler warning on some systems
metze
|
Forgot those
in the previous commit.
Guenther
|
by making
netsamlogon_cache_get() return a talloc'ed structure.
Guenther
|
Guenther
|
offline.
Guenther
|
We certainly don't want to crash winbind on each successful
centry_uint{8,16,32,64} read.
Jeremy, please check :-)
Guenther
|
sid_check_is_in_our_domain getting out of sync.
|
was correct
|
make we found is what will be run when the user invokes "make".
|
memory leak I introduced into acl code, also remove
redundant extra check for global_sid_System :
global_sid_System == S-1-5-18 which is already
included in the check for a domain of
global_sid_NT_Authority == S-1-5
Jeremy.
|
Jeremy.
|
Jeremy.
|