| Commit message | Author | Age | Files | Lines |
| |
in the
"not_defined_in_RFC4178@please_ignore" case to make at least LDAP SASL binds
succeed with windows server 2008.
Guenther
| |
- make it more clear what the different min and max fields mean
- with the "GSSAPI" sasl mech the plain, sign or seal negotiation
is independent from the req_flags and ret_flags
- verify the server supports the wrapping type we want
- better handling on negotiated buffer sizes
metze
| |
remove unused global variable...
metze
| |
add support for NTLMSSP sign and seal
NOTE: windows servers are broken with sign only...
metze
| |
- always provide ads_setup_sasl_wrapping() function
- read/write returning 0 means EOF and we need to return directly
metze
| |
implement output buffer handling for the SASL write wrapper
metze
| |
implement buffer handling for the SASL read wrapper
metze
| |
rename HAVE_ADS_SASL_WRAPPING -> HAVE_LDAP_SASL_WRAPPING
+ adding missing file libads/sasl_wrapping.c
metze
| |
metze
| |
add dummy callbacks for LDAP SASL wrapping,
they're not used yet...
metze
| |
move elements belonging to the current ldap connection to a
substructure.
metze
| |
Guenther
| |
for the
extended apply group policy right.
Guenther
| |
Guenther
| |
Guenther
| |
Guenther
| |
search with
the SD_FLAGS control.
Guenther
| |
Guenther
| |
Fix longstanding Bug #4009.
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".
Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).
Guenther
| |
stable branch
* Also include pam_winbind changes for multiple groups in the
require-membership-of parameter
| |
site support in a network where many DC's are down.
I heard via Volker there is still a bug w.r.t the
wrong site being chosen with trusted domains but
we'll have to layer that fix on top of this.
Gd - complain if this doesn't work for you.
Jeremy.
| |
Merge back the winbindd changes from SAMBA_3_0
to a release branch. This compiles, but hasn't
been valgrinded or tested. That will come...
Jeremy.
| |
This pulls in what I considered safe fixes from SAMBA_3_0.
This boiled down to either Klocwork fixes or obvious compiler
warning fixes. I did not include any changes to function
signatures nor the version change to the passdb API.
Also pulled in the 3 nmbd fixes requested by Jeremy
and the wildcard delete fix.
This code will sit for a few days in the cooker and then
become 3.0.23 if nothing blows up. I don't care how many
more compile warning fixes people throw into SAMBA_3_0.
| |
* updating release notes to match
| |
Howard for pointing this out.
Guenther
| |
attribute when "winbind nss info = sfu" is set. Fixes #3539.
Guenther
| |
Sync with trunk as of r13315
| |
This avoids that each time a full-group-dump is requested from ADS; the
bitwise match allows to only query those groups we are interested in.
The ADS LDAP server changed to RFC compliant behaviour when decoding the ldap
filter with extensible match in the latest SPs (fixes). From the patch:
/* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
* rollup-fixes:
*
* According to Section 5.1(4) of RFC 2251 if a value of a type is its
* default value, it MUST be absent. In case of extensible matching the
* "dnattr" boolean defaults to FALSE and so it must only be present
* when set to TRUE.
*
* When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
* filter using bitwise matching rule then a buggy AD fails to decode
* the extensible match. As a workaround set it to TRUE and thereby add
* the dnAttributes "dn" field to cope with those older AD versions.
* It should not harm and won't put any additional load on the AD since
* none of the dn components have a bitmask-attribute.
*
* Thanks to Ralf Haferkamp for input and testing */
Guenther
| |
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
| |
POSIX
homedirectory and the loginshell from Active Directory's "Services for Unix".
Enable it with:
winbind sfu support = yes
User-Accounts without SFU-Unix-Attributes will be assigned template-based
Shells and Homedirs as before.
Note that it doesn't matter which version of Services for Unix you use (2.0,
2.2, 3.0 or 3.5). Samba should detect the correct attributes (msSFULoginShell,
msSFU30LoginShell, etc.) automatically.
If you also want to share the same uid/gid-space as SFU then also use PADL's
ad-idmap-Plugin:
idmap backend = ad
When using the idmap-plugin only those accounts will appear in Name Service
Switch that have those UNIX-attributes which avoids potential uid/gid-space
clashes between SFU-ids and automatically assigned idmap-ids.
Guenther
| |
Make all LDAP timeouts consistent.
Jeremy.
| |
User-, Group- and Machine-Accounts in Active Directory (this got lost
during the last trunk-merge).
This way we match e.g. default containers moved by redircmp.exe and
redirusr.exe in Windows 2003 and don't blindly default to cn=Users or
cn=Computers.
Further wkguids can be examined via "net ads search wellknownobjects=*".
This should still keep a samba3-client joining a samba4 dc. Fixes
Bugzilla #1343.
Guenther
|
metze
|