| Commit message (Collapse) | Author | Age | Files | Lines |
| |
- packing/unpacking utility functions for trusted domain
password struct; can be used to prepare buffer to store
in secrets.tdb or (soon) passdb backend
- similar functions for DOM_SID
- respectively modified secrets_(fetch|store) routines
- new auth mapping code utilising introduced is_trusted_domain
function
- added tdb (un)packing of single bytes
Rafal
| |
The current locking scheme in winbind is a complete mess - indeed, the
next step should be to push the locking into cli_full_connection(), but
I'll leave it for now.
This patch works on the noted behaviour that 2 parts of the connection
process need protection - and independent protection. Tim Potter did
some work on this a little while back, verifying the second case.
The two cases are:
- between connect() and first session setup
- during the auth2 phase of the netlogon pipe setup.
I've removed the counter on the lock, as I fail to see what it gains us.
This patch also adds 'anonymous fallback' to our winbindd -> DC connection.
If the authenticated connection fails (wbinfo -A specified) - say that
account isn't trusted by a trusted DC - then we try an anonymous.
Both tpot and mbp like the patch.
Andrew Bartlett
| |
- Add smb_probe_module()
- Add init_modules()
- Call these functions
| |
| |
The intention is to remove the multiple passdb backends, but we need the
'guest' account to always be there. If the admin adds the guest account to
(say) LDAP, there will only be one backend required for operation.
This helps remove some nasty behaviours with adding accounts to the system
for both the RPC 'create user' and the SAMSYNC code. Users 'added' with
an 'add user/machine' script won't magically appear, and machine accounts
'pre-added' to unix, but not the smbpasswd file will not cause mayhem.
This commit also implements something tridge discussed with me, the concept
of 'default' passdb operation pointers - so that each backend does not
need its own stub functions wrapping the default tdb privileges/group
mapping code.
This also removes an implicit 'sid->name' and 'name->sid' mapping from our
own local SID space, to winbind usernames. When adding mapping for NIS/LDAP
non-sam users in future, we need to be careful.
Andrew Bartlett
| |
hooked into pdb, and we need some access control on changing privileges. That's next
| |
get them in should be indeterminate, so just picking the first one would be
bad...
Andrew Bartlett
| |
blame for the realloc() stuff.
Plus a couple of minor updates to libads.
Andrew Bartlett
| |
| |
Jeremy.
| |
remove ldap_msgfree(result); as result is uninitialized at this point
| |
connectivity problems.
Andrew Bartlett
| |
| |
last changed at '0'.
We need to actually change this password sometime...
Andrew Bartlett
| |
on work by <steve@griffin.sio2.nl>.
Jeremy.
| |
don't need a second just for pdb.
Also, remove magic 'is lp_guest_account' test - the magic RID should be
up to the passdb backend to set.
Andrew Bartlett
| |
This patch makes Samba compile cleanly with -Wwrite-strings.
- That is, all string literals are marked as 'const'. These strings are
always read only, this just marks them as such for passing to other functions.
What is most surprising is that I didn't need to change more than a few lines of code (all
in 'net', which got a small cleanup of net.h and extern variables). The rest
is just adding a lot of 'const'.
As far as I can tell, I have not added any new warnings - apart from making all
of tdbutil.c's function const (so they warn for adding that const string to
struct).
Andrew Bartlett
| |
named. Ensure we can query them.
Jeremy.
| |
server = DC1 *
| |
use FUNCTION_MACRO instead of __FUNCTION_
| |
more useful error codes.
| |
look for the record count after an invalid search. This fixes a segv
in ldapsam
| |
| |
| |
anymore
| |
dashes of const. This is a rather large check-in, some things may break.
It does compile though :-).
Jeremy.
| |
| |
| |
| |
This gets user mangler for domains working again.
Andrew Bartlett
| |
| |
sam account object, then pdb_update_sam_account() can be used to
update an account. This code path could lead to the methods element of
the account being used when uninitialised (leading to a segv)
Easiest fix is to always make sure that when creating a sam_account
object we initialise the methods to null, so that the passdb code
knows that it needs to be filled in.
| |
Also tidied up some of Richard's code (I don't think he uses the compiler
flags -g -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual like
I do :-) :-).
Jeremy.
| |
| |
| |
| |
| |
| |
this will fix some of the problems on the build farm @ Compaq (where they have
a *lot* of accounts...).
| |
| |
say exactly the same thing - in particular that we can algorithmic rid base ==
1000, and use the BASE_RID macro to avoid the use of magic numbers.
Andrew Bartlett
| |
Volker
| |
here.
| |
attributes rather than calling getpwnam() on the user.
This should help fix some of metze's performance issues - particularly on
enumerations.
There is a consequential change to the operation of 'non unix account's in LDAP
- they are no longer restricted to being 'within' the NUA range, but will
always be added to that range.
Finally, there is the doco for this and the previous LDAP SSL changes.
| |
| |
- Default is now for start-tls, on the ldap (not ldaps) port
- We check for 'I am currently root' in the right place now, and don't
accidentally use a cached connection.
- We don't loop on failure to be root, or some other errors.
- A bit cleaner error reporting for add/modify.
- Both the OpenLDAP and manual URI parsing tested.
Andrew Bartlett
| |
This patch, from "Stefan (metze) Metzmacher" <metze@metzemix.de> implements an
LDAP connection cache. This removes the quite silly situation where every
single passdb operation involved a new LDAP connection.
The hope is that this will give us a decent performance boost in some usrmgr
related activities, and in the sid->name/sid->uid code.
The remaining things I think are 'todo' for pdb_ldap (in the near term) are:
- integrate volker's next_rid patch for NUA accounts,
- add a 'trust ldap ids' option (remove Get_Pwnam() hit on enumerations).
- put the group mapping actually into ldap
- Schema fixes and do utf8 conversion
- server failover (try a second server for the rebind on fail)
- ensure we block between an 'add' and the ldap master replicating to our
local slave (metze found this issue, kills domain joins)
Andrew Bartlett
| |
| |
aka vorlon)
| |
like user RIDs.
Volker