| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
we get a response from WINS for a PDC, if the PDC isn't responding.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
setups.
- split up the ads structure into logical pieces. This makes it much
easier to keep things like the authentication realm and the server
realm separate (they can be different).
- allow ads callers to specify that no sasl bind should be performed
(used by "net ads info" for example)
- fix an error with handing ADS_ERROR_SYSTEM() when errno is 0
- completely rewrote the code for finding the LDAP server. Now try DNS
methods first, and try all DNS servers returned from the SRV DNS
query, sorted by closeness to our interfaces (using the same sort code
as we use in replies from WINS servers). This allows us to cope with
ADS DCs that are down, and ensures we don't pick one that is on the
other side of the country unless absolutely necessary.
- recognise dnsRecords as binary when displaying them
- cope with the realm not being configured in smb.conf (work it out
from the LDAP server)
- look at the trustDirection when looking up trusted domains and don't
include trusts that trust our domains but we don't trust
theirs.
- use LDAP to query the alternate (netbios) name for a realm, and make
sure that both and long and short forms of the name are accepted by
winbindd. Use the short form by default for listing users/groups.
- rescan the list of trusted domains every 5 minutes in case new trust
relationships are added while winbindd is running
- include transient trust relationships (ie. C trusts B, B trusts A,
so C trusts A) in winbindd.
- don't do a gratuituous node status lookup when finding an ADS DC (we
don't need it and it could fail)
- remove unused sid_to_distinguished_name function
- make sure we find the allternate name of our primary domain when
operating with a netbiosless ADS DC (using LDAP to do the lookup)
- fixed the rpc trusted domain enumeration to support up to approx
2000 trusted domains (the old limit was 3)
- use the IP for the remote_machine (%m) macro when the client doesn't
supply us with a name via a netbios session request (eg. port 445)
- if the client uses SPNEGO then use the machine name from the SPNEGO
auth packet for remote_machine (%m) macro
- add new 'net ads workgroup' command to find the netbios workgroup
name for a realm
|
| |
|
|
|
|
| |
from some of the callers.
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
|
|
| |
(and yes, some of these are real bugs)
In particular, the samr code was doing an &foo of various types, to a function
that assumed uint32. If time_t isn't 32 bits long, that broke.
They are assignment compatible however, so use that and an intermediate
variable.
Andrew Bartlett
|
| |
|
|
|
| |
same name as the machine name exists. (we ended up setting the users
password, not the machines password!)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
membership from an ADS server. We now use a 'member' query on the
group and do a separate call to convert the resulting distinguished
name to a name, rid etc. This is *much* faster for very large numbers
of groups (on a quantum test system with 10000 groups it drops the
time from an hour to about 35 seconds).
strangely enough, this actually *increases* the amount of ldap
traffic, its just that the MS LDAP server answers these queries much
faster.
|
| |
|
|
| |
a char** isn't quite the same thing as a struct berval** :)
|
| |
|
|
| |
broken
|
| |
|
|
|
| |
this fixes the huge number of struct berval warnings on non-ads
compiles
|
| |
|
|
| |
str_list_copy(). Perhaps its proto should be fixed.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
though it is up to the calling function to decide whether values are
strings or not. Attributes are not converted at this point, though support
for it would be simple.
I have tested it with users and groups using non-ascii chars, and if the
check for alphanumeric user/domain names is removed form sesssetup.c, even
a user with accented chars can connect, or even login (via winbind).
I have also simplified the interfaces to ads_mod_*, though we will probably
want to expand this by a few functions in the near future. We just had
too many ways to do the same thing...
|
| | |
|
| |
|
|
| |
changes ...
|
| | |
|
| |
|
|
|
|
| |
- Add doxygen comments
- remove server sort control (ms implementation was not reliable)
- rename ads_do_search_all2() to ads_do_search_all_fn()
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Added sort control to ads_do_paged_search. It allows a char * to be passed
as the sort key. If NULL, no sort is done.
- fixed a bug in the processing of controls (loop wasn't incremented properly)
- Added ads_do_search_all2, which funs a function that is passed in against
each entry. No ldapmessage structures are returned. Allows results to
be processed as the come in on each page.
I'd like ads_do_search_all2 to replace ads_do_search_all, but there's some
work to be done in winbindd_ads.c first.
Also, perhaps now we can do async ldap searches? Allow us to process a
page while the server retrieves the next one?
|
| |
|
|
| |
out since it's already in ads_errstr() in ads_status.c
|
| |
|
|
| |
I've got the cases besides gssapi...anyone know how to get those?
|
| |
|
|
|
|
|
|
| |
entry returned from a search, and applies it to the results. Re-structured
ads_dump to use this, plus changed the ber_free in ads_dump from (b,1) to
(b,0), in accordance with openldap manpages. Also allows proper free of
result using ldap_msgfree afterwards, so you can do something with the
results after an ads_dump.
|
| |
|
|
| |
defeats the purpose.
|
| |
|
|
|
|
| |
the scope limited to the domain at hand, and also keeps the openldap
libs happy, since they don't currently chase referrals and return
server controls properly at the same time.
|
| |
|
|
|
| |
to paged searches. This makes updating winbindd to used paged searches
trivial.
|
| |
|
|
|
| |
referrals parsing in the openldap libs. By disabling referrals we get
valid controls back and the cookies work.
|
| |
|
|
| |
ads_do_paged_search, is the same as ads_do_search, but it also contains a count of records returned in this page, and a cookie for resuming, to be passed back. The cookie must start off NULL, and when it returns as NULL, the search is done.
|
| |
|
|
|
|
| |
the problem is, how the heck do we properly handle these? Jerry?
It seems that the Win2000 ADS server only returns a max of 1000 records!
|
| | |
|
| |
|
|
|
|
|
|
| |
<a.kotovich@sam-solutions.net> that adds the security decsriptor code
for ADS workstation accounts
thanks for your patience Cat, and thanks to Andrew Bartlett for
extensive reviews and suggestions about this code.
|
| | |
|
| |
|
|
| |
should be LDAP_MOD_REPLACE. Caught by Alexey Kotovich.
|
| | |
|
| |
|
|
| |
malloc checks and return ADS_ERROR(LDAP_NO_MEMORY) if they fail.
|
| |
|
|
|
| |
get trusted domains query but leave the domain SID blank - we need to
fail the add of the trusted domain in winbindd in that case
|
| |
|
|
| |
control for permissive modify.
|
| |
|
|
| |
BOOLs. Add support for bervals in mod lists. Also put undocumented AD ldap control in to allow modifications when an attribute does not yet exist.
|
| |
|
|
| |
attributes until a method for checking for their existence is done.
|
| |
|
|
| |
to void **
|
| | |
|
| |
|
|
| |
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
|
| |
|
|
| |
a username on the commandline. Also don't continue past the kinit if a password is entered and fails because existing tickets would be used, which may not be desired if the username was specified.
|
| | |
|
| |
|
|
|
|
|
|
| |
This fixes up a problem where a machine would join (or downgrade by trust
password change) to NT4 membership and not be able to regain full ADS
membership until a 'net ads leave'.
Andrew Bartlett
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
We now include the libber.h file if required, but currently we just don't use
ldap. (I'll chase this up).
In the meantime, I've moved the ads_status code about, its now in its own file,
and has a couple of #ifdefs to allow smbd to link - becouse the lack of LDAP
caused HAVE_ADS to be undefined. (I hope its not too ugly).
Andrew Bartlett
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
- gss error code patch from a.bokovoy@sam-solutions.net
- better sid dumping in ads_dump
- fixed help in wbinfo
|
| | |
|
