| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
setups.
- split up the ads structure into logical pieces. This makes it much
easier to keep things like the authentication realm and the server
realm separate (they can be different).
- allow ads callers to specify that no sasl bind should be performed
(used by "net ads info" for example)
- fix an error with handing ADS_ERROR_SYSTEM() when errno is 0
- completely rewrote the code for finding the LDAP server. Now try DNS
methods first, and try all DNS servers returned from the SRV DNS
query, sorted by closeness to our interfaces (using the same sort code
as we use in replies from WINS servers). This allows us to cope with
ADS DCs that are down, and ensures we don't pick one that is on the
other side of the country unless absolutely necessary.
- recognise dnsRecords as binary when displaying them
- cope with the realm not being configured in smb.conf (work it out
from the LDAP server)
- look at the trustDirection when looking up trusted domains and don't
include trusts that trust our domains but we don't trust
theirs.
- use LDAP to query the alternate (netbios) name for a realm, and make
sure that both and long and short forms of the name are accepted by
winbindd. Use the short form by default for listing users/groups.
- rescan the list of trusted domains every 5 minutes in case new trust
relationships are added while winbindd is running
- include transient trust relationships (ie. C trusts B, B trusts A,
so C trusts A) in winbindd.
- don't do a gratuituous node status lookup when finding an ADS DC (we
don't need it and it could fail)
- remove unused sid_to_distinguished_name function
- make sure we find the allternate name of our primary domain when
operating with a netbiosless ADS DC (using LDAP to do the lookup)
- fixed the rpc trusted domain enumeration to support up to approx
2000 trusted domains (the old limit was 3)
- use the IP for the remote_machine (%m) macro when the client doesn't
supply us with a name via a netbios session request (eg. port 445)
- if the client uses SPNEGO then use the machine name from the SPNEGO
auth packet for remote_machine (%m) macro
- add new 'net ads workgroup' command to find the netbios workgroup
name for a realm
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes the segfaults I introduced in the previous conneciton caching
patch. It cleans up the connection cache a *lot* - in particular it adds
significant robustness to the operation.
If a the DC goes down, we no longer fail the next operation - the code checks
if the connection died during one of its own operations on the socket, and
restarts the conneciton as required.
There is still a memory leak in here somewhere - but this code also cleans up a
number of these.
Also added is the abilty to sepecify the domain of the 'get around restrict anonymous'
user that winbind uses.
Andrew Bartlett
|
| |
|
|
| |
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
the list received at startup or we get an out of date list. I thought
there might be some sequence number that is incremented when a trusted
domain is added or removed - perhaps there is but I just haven't found it
yet.
- Renamed get_domain_info() to init_domain_list()
- Made an accessor function to return the list of trusted domains rather
than using a global so we don't have to remember to put a magic init
function
- The getent state can not keep a pointer to a winbind_domain structure as
it may be freed if init_domain_list() is called again so we keep the
domain name instead
|
| |
|
|
|
|
| |
the method used for checking if a domain is a trusted domain is very
crude, we should really call a backend fn of some sort. For now I'm
using winbindd to do the dirty work.
|
| |
|
|
| |
IPC$ connections to domain controllers.
|
| |
|
|
|
|
| |
I tried testing this by lowering the buffer size in
cli_samr_enum_dom_groups() but that didn't work - I think this needs
more looking into
|
| | |
|
| |
|
|
|
|
|
| |
consistent backends (like ADS) always give correct primary group
info, so we can play cache tricks to speed things up a lot
inconsistent backends (like MSRPC) need to fetch stuff more often
|
| |
|
|
|
|
|
|
| |
the backends
at startup, loop until we get the domain sid for our primary domain,
trying every 10 seconds. This makes winbindd handle a room-wide power
failure better
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
this one looks like just another winbind backend, and has the
following properties:
- does -ve and +ve cacheing of all queries
- can be disabled with -n switch to winbindd
- stores all records packed, so even huge domains are not a problem
for a complete cache
- handles the server being down
- uses sequence numbers for all entries
This fixes a lot of problems with winbindd. Serving from cache is now
*very* fast.
|
| |
|
|
| |
sequence number via ldap when using ads
|
| | |
|
| |
|
|
|
|
|
| |
now do searches on SID. This allows me to do a true ldap sid_to_name()
function
one one function to go!
|
| |
|
|
| |
winbindd/ADS can now do initgroups()
|
| | |
|
| |
|
|
| |
fixed a winbindd crash when the group membership can't be looked up
|
| | |
|
| |
|
|
|
|
|
| |
I spent quite a while trying to work out how to make this call
via ldap and failed. I then found that MS servers seem use rpc
for sid_to_name, and it works even when in native mode, I ended
up just implementing it via rpc
|
| | |
|
| |
|
|
|
|
| |
also created winbindd_rpc.c which contains the functions that
have been converted to the new structure. There will soon be
a winbindd_ads.c for the ldap backend
|
| |
|
|
|
|
| |
This just splits off the dispinfo call behind a methods structure.
I'll split off a few more functions soon, then we will be ready for
LDAP replacement methods
|
| |
|
|
|
|
|
|
| |
be easily added (a one liner) once we know the correct error codes returned
by a W2K DC.
All other winbindd calls should go through a similar transparent caching layer
(and will soon).
Jeremy.
|
| |
|
|
|
|
| |
as one memory leak that has been there for ages!
Changed the way talloc is used in get{pw,gr}nam routines.
|
| |
|
|
|
|
|
|
| |
per-call basis rather than per-connection.
Had a bit more of a reformatting fest.
Still need to run it through insure and handle downed connections.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
I've wrapped up all the decisions about managing, making and closing
connections into a connection manager in nsswitch/winbindd_cm.c.
It's rather incomplete at the moment - only querying basic user info works
at the moment (i.e finger -m DOMAIN/user) and everything else is broken.
Jeremy, please take a look and I'll start moving across the rest of
winbindd to this new system.
|
| | |
|
| | |
|
| |
|
|
| |
but I haven't actually run it yet so it probably doesn't work. (-:
|
| |
|
|
|
| |
renamed ntdom to winbind
I think that using winbind in /etc/nsswitch.conf is better than ntdom
|
|
|
this does not yet compile, but I'm working on that.
|
