| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Guenther
|
| |
|
|
| |
Guenther
|
| |
|
|
| |
Guenther
|
| |
|
|
|
|
| |
Extends ads_connect() to a new call ads_connect_gc() which connects on port
3268 rather than port 389. Also makes ads_try_connect() static and
only used internally to ldap.c
|
| |
|
|
| |
Guenther
|
| |
|
|
| |
Guenther
|
| |
|
|
| |
Guenther
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
to struct sockaddr_storage in most places that matter (ie.
not the nmbd and NetBIOS lookups). This passes make test
on an IPv4 box, but I'll have to do more work/testing on
IPv6 enabled boxes. This should now give us a framework
for testing and finishing the IPv6 migration. It's at
the state where someone with a working IPv6 setup should
(theorecically) be able to type :
smbclient //ipv6-address/share
and have it work.
Jeremy.
|
| |
|
|
|
|
|
|
|
| |
in the
"not_defined_in_RFC4178@please_ignore" case to make at least LDAP SASL binds
succeed with windows server 2008.
Guenther
|
| |
|
|
|
|
|
|
|
| |
- with the "GSSAPI" sasl mech the plain, sign or seal negotiation
is independed from the req_flags and ret_flags
- verify the server supports the wrapping type we want
- better handling on negotiated buffer sizes
metze
|
| |
|
|
| |
metze
|
| |
|
|
|
|
| |
NOTE: windows servers are broken with sign only...
metze
|
| |
|
|
| |
metze
|
| |
|
|
| |
metze
|
| |
|
|
| |
metze
|
| |
|
|
| |
metze
|
| |
|
|
| |
metze
|
| |
|
|
|
|
| |
they're not used yet...
metze
|
| |
|
|
|
|
| |
substructure.
metze
|
| |
|
|
| |
Guenther
|
| |
|
|
|
|
|
|
| |
for the
extended apply group policy right.
Guenther
|
| |
|
|
| |
Guenther
|
| |
|
|
| |
Guenther
|
| |
|
|
| |
Guenther
|
| | |
|
| |
|
|
|
|
|
|
| |
search with
the SD_FLAGS control.
Guenther
|
| |
|
|
|
|
|
|
| |
NTSTATUS
codes directly out of the krb5_error edata.
Guenther
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".
Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).
Guenther
|
| |
|
|
|
|
|
|
|
|
|
| |
This allows a provider to supply the homedirectory, etc...
attributes for a user without requiring support in core
winbindd code. The idmap_ad.c module has been modified
to provide the idmap 'ad' library as well as the rfc2307 and sfu
"winbind nss info" support.
The SID/id mapping is working in idmap_ad but the nss_info
still has a few quirks that I'm in the process of resolving.
|
| |
|
|
|
|
|
|
|
| |
site support in a network where many DC's are down.
I heard via Volker there is still a bug w.r.t the
wrong site being chosen with trusted domains but
we'll have to layer that fix on top of this.
Gd - complain if this doesn't work for you.
Jeremy.
|
| |
|
|
|
|
|
| |
Compiled it on systems with and without LDAP, I hope it does not break the
build farm too badly. If it does, I'll fix it tomorrow.
Volker
|
| |
|
|
|
|
| |
Remove all reference to "Default-First-Site-Name" and
treat it like any other site.
Jeremy.
|
| |
|
|
|
|
| |
struct so we can see when they match - only create
the ugly krb5 hack when they do.
Jeremy.
|
| |
|
|
|
|
|
| |
writing out a custom krb5.conf file containing
the KDC I need. This may suck.... Needs some
testing :-).
Jeremy.
|
| |
|
|
| |
Jeremy.
|
| |
|
|
|
|
|
|
| |
1107, 1109,
1111
Volker
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
more scalable:
The most efficient way is to use the "tokenGroups" attribute which gives
the nested group membership. As this attribute can not always be
retrieved when binding with the machine account (the only garanteed way
to get the tokenGroups I could find is when the machine account is a
member of the "Pre Win2k Access" builtin group).
Our current fallback when "tokenGroups" failed is looking for all groups
where the userdn was in the "member" attribute. This behaves not very
well in very large AD domains.
The patch first tries the "memberOf" attribute on the user's dn in that
case and directly retrieves the group's sids by using the LDAP Extended
DN control from the user's object.
The way to pass down the control to the ldap search call is rather
painfull and probably will be rearranged later on.
Successfully tested on win2k sp0, win2k sp4, wink3 sp1 and win2k3 r2.
Guenther
|
| |
|
|
|
|
|
|
|
|
| |
Expand the "winbind nss info" to also take "rfc2307" to support the
plain posix attributes LDAP schema from win2k3-r2.
This work is based on patches from Howard Wilkinson and Bob Gautier
(and closes bug #3345).
Guenther
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The motivating factor is to not require more privileges for
the user account than Windows does when joining a domain.
The points of interest are
* net_ads_join() uses same rpc mechanisms as net_rpc_join()
* Enable CLDAP queries for filling in the majority of the
ADS_STRUCT->config information
* Remove ldap_initialized() from sam/idmap_ad.c and
libads/ldap.c
* Remove some unnecessary fields from ADS_STRUCT
* Manually set the dNSHostName and servicePrincipalName attribute
using the machine account after the join
Thanks to Guenther and Simo for the review.
Still to do:
* Fix the userAccountControl for DES only systems
* Set the userPrincipalName in order to support things like
'kinit -k' (although we might be able to just use the sAMAccountName
instead)
* Re-add support for pre-creating the machine account in
a specific OU
|
| |
|
|
|
|
|
| |
* Fix the build without kerberos headers
* Fix memleak in the krb5_address handling
Guenther
|
| |
|
|
|
|
|
|
|
|
|
|
| |
kerberized pam_winbind and workstation restrictions are in effect.
The krb5 AS-REQ needs to add the host netbios-name in the address-list.
We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from
the edata of the KRB_ERROR but the login at least fails when the local
machine is not in the workstation list on the DC.
Guenther
|
| |
|
|
|
|
| |
Howard for pointing this out.
Guenther
|
| |
|
|
|
|
| |
attribute when "winbind nss info = sfu" is set. Fixes #3539.
Guenther
|
| |
|
|
| |
Sync with trunk as off r13315
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This avoids that each time a full-group-dump is requested from ADS; the
bitwise match allows to only query those groups we are interested in.
The ADS LDAP server changed to RFC compliant behaviour when decoding the ldap
filter with extensible match in the latest SPs (fixes). From the patch:
/* Workaround ADS LDAP bug present in MS W2K3 SP0 and W2K SP4 w/o
* rollup-fixes:
*
* According to Section 5.1(4) of RFC 2251 if a value of a type is it's
* default value, it MUST be absent. In case of extensible matching the
* "dnattr" boolean defaults to FALSE and so it must be only be present
* when set to TRUE.
*
* When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
* filter using bitwise matching rule then a buggy AD fails to decode
* the extensible match. As a workaround set it to TRUE and thereby add
* the dnAttributes "dn" field to cope with those older AD versions.
* It should not harm and won't put any additional load on the AD since
* none of the dn components have a bitmask-attribute.
*
* Thanks to Ralf Haferkamp for input and testing */
Guenther
|
| |
|
|
|
|
|
| |
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
POSIX
homedirectory and the loginshell from Active Directory's "Services for Unix".
Enable it with:
winbind sfu support = yes
User-Accounts without SFU-Unix-Attributes will be assigned template-based
Shells and Homedirs as before.
Note that it doesn't matter which version of Services for Unix you use (2.0,
2.2, 3.0 or 3.5). Samba should detect the correct attributes (msSFULoginShell,
msSFU30LoginShell, etc.) automatically.
If you also want to share the same uid/gid-space as SFU then also use PADL's
ad-idmap-Plugin:
idmap backend = ad
When using the idmap-plugin only those accounts will appear in Name Service
Switch that have those UNIX-attributes which avoids potential uid/gid-space
clashes between SFU-ids and automatically assigned idmap-ids.
Guenther
|
| |
|
|
|
| |
Make all LDAP timeouts consistent.
Jeremy.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
User-, Group- and Machine-Accounts in Active Directory (this got lost
during the last trunk-merge).
This way we match e.g. default containers moved by redircmp.exe and
redirusr.exe in Windows 2003 and don't blindly default to cn=Users or
cn=Computers.
Further wkguids can be examied via "net ads search wellknownobjects=*".
This should still keep a samba3-client joining a samba4 dc. Fixes
Bugzilla #1343.
Guenther
|
| |
|
|
|
|
|
|
|
|
| |
Winbind tickets expired. We now check the expiration time, and acquire
new tickets. We couln't rely on renewing them, because if we didn't get
a request before they expired, we wouldn't have renewed them. Also, there
is a one-week limit in MS on renewal life, so new tickets would have been
needed after a week anyway. Default is 10 hours, so we should only be
acquiring them that often, unless the configuration on the DC is changed (and
the minimum is 1 hour).
|
