| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Now we deal with SIDs in almost all of winbind (a couple of limited exceptions
remain, but I'm looking into them - they use non-winbind structs ATM).
This has particular benifits in returning out-of-domain SIDs for group
membership (Need to look into this a bit more) as well as general code quality.
This also removes much of the complexity from the idmap interface, which now
only deals with mapping IDs, not with SID->domain translations.
Breifly tested, but needs more. Fixes some valgrind-found bugs from my
previous commit.
Winbind cache chagned to using SID strings in some places, as I could not
follow exactly how to save and restore multiple packed sids properly.
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
| |
inline the call to prs_copy_all_data_out() so that we can know we are not
overrunning our buffer.
Also check more return values.
Andrew Bartlett
|
| |
|
|
|
| |
named. Ensure we can query them.
Jeremy.
|
| |
|
|
|
|
|
|
|
|
| |
variable hack, the feild on the pipe, and the server-side.
It only controlled some enum operations in any case.
This is to try and have less 'magic' environment variables.
Andrew Bartlett
|
| | |
|
| |
|
|
|
|
|
|
|
| |
* s/driverlocation/comment
* detect native mode domain and enumerate local groups
Also
* Added sendfile stats from SAMBA_2_2
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This updates the 'winbind' authentication module and winbind's 'PAM' (actually
netlogon) code to allow smbd to cache connections to the DC.
This is particulary relevent when we need mutex locks already - there is no
parallelism to be gained anyway.
The winbind code authenticates the user, and if successful, passes back the
'info3' struct describing the user. smbd then interprets that in exactly the
same way as an 'ntdomain' logon.
Also, add parinoia to winbind about null termination.
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
| |
a getgr*() function that lists groups without numerating all the
group members. Instead of definiing a new nss method (which might
cause problems) I added an environment variable WINBIND_GETGRLST
that tells winbind not to fill in the group members in a gergrent()
request. This can speed up group listing by a factor of 20 or more
(on my test system with 50000 groups it reduces the time from an hour
to 2 minutes)
|
| |
|
|
| |
Andrew Bartlett
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
to using SIDs instead of RIDs.
The new funciton sid_peek_check_rid() takes an 'expected domain sid' argument.
The idea here is to prevent mistakes where the SID is implict, but isn't
the same one that we have in the struct.
Andrew Bartlett
|
| |
|
|
| |
Jeremy.
|
| |
|
|
|
|
|
| |
this means "xcopy /o" has a chance of working with ACLs that contain
ACEs that use SIDs that the Samba server has no knowledge of.
It's a bit hackish, Tim, can you look at my uid.c changes?
|
| |
|
|
| |
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
|
| |
|
|
|
|
|
|
|
| |
the sid->uid and uid->sid conversions.
Remove some duplicate arguments from these funcitons, and update the
request/response structures for this and the 'winbind domain name' feature.
As such 'winbindd_lookup_name' now takes both a domain and username.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
smbd, and also makes it much cleaner inside winbindd.
It is mostly my code, with a few changes and testing performed by Alexander
Bokovoy <a.bokovoy@sam-solutions.net>. ab has tested it in security=domain and
security=ads, but more testing is always appricatiated.
The idea is that we no longer cart around a 'domain\user' string, we keep them
seperate until the last moment - when we push that string into a pwent on onto
the socket.
This removes the need to be constantly parsing that string - the domain prefix
is almost always already provided, (only a couple of functions actually changed
arguments in all this).
Some consequential changes to the RPC client code, to stop it concatonating the
two strings (it now passes them both back as params).
I havn't changed the cache code, however the usernames will no longer have a
double domain prefix in the key string. The actual structures are unchanged
- but the meaning of 'username' in the 'rid' will have changed. (The cache is
invalidated at startup, so on-disk formats are not an issue here).
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
<a.bokovoy@sam-solutions.net>.
The idea is the domain\username is rather harsh for unix systems - people don't
expect to have to FTP, SSH and (in particular) e-mail with a username like
that.
This 'corrects' that - but is not without its own problems.
As you can see from the changes to files like username.c and wb_client.c (smbd's
winbind client code) a lot of assumptions are made in a lot of places about
lp_winbind_seperator determining a users's status as a domain or local user.
The main change I will shortly be making is to investigate and kill off
winbind_initgroups() - as far as I know it was a workaround for an old bug in
winbind itself (and a bug in RH 5.2) and should no longer be relevent.
I am also going to move to using the 'winbind uid' and 'winbind gid' paramaters
to determine a user/groups's 'local' status, rather than the presence of the
seperator.
As such, this functionality is recommended for servers providing unix services,
but is currently less than optimal for windows clients.
(TODO: remove all references to lp_winbind_seperator() and
lp_winbind_use_default_domain() from smbd)
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
the list received at startup or we get an out of date list. I thought
there might be some sequence number that is incremented when a trusted
domain is added or removed - perhaps there is but I just haven't found it
yet.
- Renamed get_domain_info() to init_domain_list()
- Made an accessor function to return the list of trusted domains rather
than using a global so we don't have to remember to put a magic init
function
- The getent state can not keep a pointer to a winbind_domain structure as
it may be freed if init_domain_list() is called again so we keep the
domain name instead
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
when they are added or removed on the PDC.
- renamed GETPWNAM_FROM_{UID,USER} constants and functions to GETPW{NAM,UID}
- renamed GETGRNAM_FROM_{GID,GROUP} constants and functions to GETGR{NAM,GID}
- use SIGUSR2 in winbindd for debugging/logging instead of SIGUSR1 in
preparation for moving to smbcontrol type messages (not sure whether to
ditch this altogether or not)
- tidy debugging messages in top level winbind user and group routines
- convert talloc_init() to talloc_init_named()
- make enumerations of the domain list use the same local variable names
|
| | |
|
| |
|
|
|
|
| |
I tried testing this by lowering the buffer size in
cli_samr_enum_dom_groups() but that didn't work - I think this needs
more looking into
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
this one looks like just another winbind backend, and has the
following properties:
- does -ve and +ve cacheing of all queries
- can be disabled with -n switch to winbindd
- stores all records packed, so even huge domains are not a problem
for a complete cache
- handles the server being down
- uses sequence numbers for all entries
This fixes a lot of problems with winbindd. Serving from cache is now
*very* fast.
|
| | |
|
| |
|
|
|
|
|
| |
now do searches on SID. This allows me to do a true ldap sid_to_name()
function
one one function to go!
|
| |
|
|
| |
Jeremy.
|
| |
|
|
| |
winbindd/ADS can now do initgroups()
|
| | |
|
| |
|
|
| |
fixed a winbindd crash when the group membership can't be looked up
|
| | |
|
| |
|
|
|
|
| |
also created winbindd_rpc.c which contains the functions that
have been converted to the new structure. There will soon be
a winbindd_ads.c for the ldap backend
|
| |
|
|
| |
Jeremy.
|
| |
|
|
|
| |
smbd/open.c: Fix "delete on close" for directories.
Jeremy.
|
| |
|
|
| |
winbindd_lookup_usergroups()
|
| |
|
|
| |
Now we just keep a record of the open pipes.
|
| |
|
|
| |
Get list of trusted domains if we haven't fetched them yet.
|
| |
|
|
|
|
|
|
|
| |
To obtain the full group membership of a user (i.e nested groups on a
win2k native mode server) it is necessary to merge this list of groups
with the groups returned by winbindd when creating an nt access token.
This breaks winbindd linking while AB and I sync up our changes to the
authentication subsystem.
|
| | |
|
| |
|
|
|
|
| |
as one memory leak that has been there for ages!
Changed the way talloc is used in get{pw,gr}nam routines.
|
| |
|
|
|
|
|
|
| |
per-call basis rather than per-connection.
Had a bit more of a reformatting fest.
Still need to run it through insure and handle downed connections.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
what was I thinking with those 4 character tabs?)
We now pass our winbindd test suite again!
Still to do:
- talloc_ctx on a per winbindd request basis not per connection
- clean up old crap we don't use any more
- test against multiple BDCs (I know this isn't going to work - group/user
handles have to be made against the same DC the domain and basic handles
are.
- implement network and dc failure recovery
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
I've wrapped up all the decisions about managing, making and closing
connections into a connection manager in nsswitch/winbindd_cm.c.
It's rather incomplete at the moment - only querying basic user info works
at the moment (i.e finger -m DOMAIN/user) and everything else is broken.
Jeremy, please take a look and I'll start moving across the rest of
winbindd to this new system.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
the client code still needs some work
|
