path: root/source3/winbindd
Commit message | Author | Age | Files | Lines
* s3-winbind: Don't fail on users without a uid. | Andreas Schneider | 2011-11-25 | 1 | -1/+18
  This fixes bug #8608.
  If you join samba with idmap_ad backend to an AD. When you try to enumerate users with 'getent passwd' and the user doesn't have a uid set, then getent is aborted cause of NT_STATUS_NONE_MAPPED. If we can't map a user we should not stop but continue enumerating users. This normally happens with the default user 'krbtgt' with idmap_ad but could also happen with other backends.
  Autobuild-User: Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date: Tue Nov 15 16:52:04 CET 2011 on sn-devel-104
  (backported from commit 10b285ccc29b106f164a6c18116e237634867717)
  Signed-off-by: Andreas Schneider <asn@samba.org>
* s3:idmap_autorid: add an allocation range to autorid | Christian Ambach | 2011-11-10 | 1 | -1/+94
  this is needed to allocate gids for BUILTIN\Users and BUILTIN\Administrators and for local users/group that admins might want to create
  autorid will now allocate one range for this purpose and can so give out as many uids and gids as the configured rangesize allows
* s3:idmap_autorid: move HWM initialization into a function | Christian Ambach | 2011-11-10 | 1 | -11/+24
  we will need some more HWM soon, so move out initialization and optimize the logic using the new interface of dbwrap_fetch_uint32
* s3:idmap_autorid: use strings as parameter for range allocator | Christian Ambach | 2011-11-10 | 1 | -14/+14
  this prepares for allocation of non-domain ranges that cannot be expressed by a SID (e.g. an allocation pool)
* Fix bug #8548 - winbind_samlogon_retry_loop ignores logon_parameters flags. | Jeremy Allison | 2011-11-01 | 1 | -2/+2
  Fix confirmed by reporter.
  Autobuild-User: Jeremy Allison <jra@samba.org>
  Autobuild-Date: Fri Oct 28 23:04:47 CEST 2011 on sn-devel-104
  (cherry picked from commit f30f71c14a0b89dea296910ac9b92d3ae4016613)
* Fix bug #8521 - winbindd cache timeout expiry test was reversed | Jeremy Allison | 2011-10-15 | 1 | -1/+1
  Found and fix reported by Micha Lenk <micha@lenk.info>. Thanks !
  (cherry picked from commit 1e4761d05978b7a495d121acc1deaa7049f3911c)
* s3: Fix getent group if trusted domains are not reachable | Volker Lendecke | 2011-08-30 | 1 | -2/+7
  Fix bug #8420 (wb_group_members: non-resistance against garbage).
* s3: Use sys_read in fork_domain_child | Volker Lendecke | 2011-08-30 | 1 | -1/+1
  I've seen
    [2011/08/26 01:44:10.872057, 1] winbindd/winbindd_dual.c:1336(fork_domain_child)
    fork_domain_child: Could not read child status: nread=-1, error=Interrupted system call
  on a customer box. Not good.
  (cherry picked from commit 964e809ce2069ad888e0fb12dfe51bac5a461508)
  The last 3 patches address bug #8409 (f7d97868 created a new race condition).
* s3: Use sys_write in fork_domain_child | Volker Lendecke | 2011-08-30 | 1 | -1/+1
  Counterpart for last checkin. A lot less likely, but not impossible in a child.
  Autobuild-User: Volker Lendecke <vlendec@samba.org>
  Autobuild-Date: Fri Aug 26 13:14:27 CEST 2011 on sn-devel-104
  (cherry picked from commit e0e3d215b1902ecbeb3d469af9a196856711921e)
* s3: Fix a winbind race leading to 100% CPU | Volker Lendecke | 2011-08-30 | 1 | -2/+3
  This fixes a race condition that leads to the winbindd_children list becoming corrupted. It happens when on a busy winbind SIGCHLD is a bit late.
  Imagine a winbind with multiple requests in the queue for a single child. Child dies, and before the SIGCHLD handler is called we find the socket to be dead. wb_child_request_done is called, receiving an error from wb_simple_trans_recv. It closes the socket. Then immediately the wb_child_request_trigger will do another fork_domain_child before the signal handler is called. This means that we do another fork_domain_child, we have child->sock==-1 at this point. fork_domain_child will do a DLIST_ADD(winbindd_children, child) a second time where the child is already part of that list. This corrupts the list. Then the signal handler kicks in, spinning in
    for (child = winbindd_children; child != NULL; child = child->next) {
  forever. Not good.
  This patch makes sure that both conditions (sock==-1 and not part of the list) for a winbindd_child struct match up.
  Autobuild-User: Volker Lendecke <vlendec@samba.org>
  Autobuild-Date: Fri Aug 26 18:51:24 CEST 2011 on sn-devel-104
  (cherry picked from commit ed058f4dc3e059967f3c0538bc220866e9c63588)
* s3:idmap_tdb2: fix bug 8368 : correctly initialize "idmap config * : script" with NULL | Michael Adam | 2011-08-18 | 1 | -1/+1
  this fixes the fallback to the deprecated spelling idmap:script
* s3:idmap_tdb2: remove the undocumented option of the silly name "tdb:idmap2.tdb" | Michael Adam | 2011-07-27 | 1 | -5/+1
  In ancient times, when ctdb had not support for persistent databases and tdb2 was introduced as a two-layer solution and it was more important than today to be able to change the location of the permanent database file because it had to reside on shared storage. But these were times when idmap_tdb2 was not even officially released.
  Nowadays, with ctdb handling the persistent idmap2.tdb database, the path is stripped anyways, so this undocumented option has become unnecessary and is hence removed.
  Autobuild-User: Michael Adam <obnox@samba.org>
  Autobuild-Date: Wed Jul 27 05:37:57 CEST 2011 on sn-devel-104
  (cherry picked from commit 3276060da4e7d495bd5cf5cbf7237e64d948ee77)
  The last 10 patches address bug #8328 (final cleanup of idmap_tdb2 code and docs needed for release).
* s3:idmap_tdb2: remove a legacy comment (cherry picked from commit 67cd2f9d867fad1f7df2d6a6a5cdb723336ac495) | Michael Adam | 2011-07-27 | 1 | -1/+0
* s3:idmap_tdb2: remove legacy comment (cherry picked from commit 4b5ada3d27198b49771acb70ae979087235be783) | Michael Adam | 2011-07-27 | 1 | -2/+0
* s3:idmap_tdb2: remove superfluous initialization with bogus comment (cherry picked from commit 551185573899b6e608863f833633d40ae04458d8) | Michael Adam | 2011-07-27 | 1 | -3/+0
* s3:idmap_tdb2: fix a legacy comment that does not apply any more (cherry picked from commit 7d3dc2164b3929c642127659593e69fc865a6184) | Michael Adam | 2011-07-27 | 1 | -2/+1
* s3:idmap_tdb2: deprecate the idmap:script parameter and use "idmap config * : script" instead | Michael Adam | 2011-07-27 | 1 | -18/+21
  With this patch, "idmap config * : script" will override "idmap : script". If "idmap : script" is present, a deprecation warning will be printed in any case. If "idmap config * : script" is not set, then the value of "idmap :script" will be used for backwards compatibility.
  (cherry picked from commit b6c82f18f17cdded771d285930566c1d104686aa)
* s3-winbind: Fix bug 7888 -- deal with buggy 3.0 based PDCs | Günther Deschner | 2011-06-30 | 1 | -7/+19
  Guenther
  Autobuild-User: Günther Deschner <gd@samba.org>
  Autobuild-Date: Thu Jun 30 00:42:23 CEST 2011 on sn-devel-104
* s3: explicitly pass domain_sid to wbint_LookupRids() (bug #7841) | Volker Lendecke | 2011-06-29 | 3 | -9/+10
  Autobuild-User: Volker Lendecke <vlendec@samba.org>
  Autobuild-Date: Mon Jun 27 18:21:30 CEST 2011 on sn-devel-104
  (cherry picked from commit 0a74caa473f491050bc5f64b6d6956c00088c5cd)
* s3:idmap_autorid: remove redundant code | Michael Adam | 2011-06-21 | 1 | -4/+0
  The last 4 patches address bug #8213 (Fixes in idmap_autorid).
* s3:idmap_autorid: in initialize, don't leak storedconfig to talloc_tos() in the success case | Michael Adam | 2011-06-21 | 1 | -2/+4
* s3:idmap_autorid: use "idmap config * : rangesize" instead of "autorid : rangesize" | Michael Adam | 2011-06-21 | 1 | -1/+1
* s3:idmap_autorid: fail initialization if the domain is not "*" | Michael Adam | 2011-06-21 | 1 | -0/+7
  autorid can only be used as a backend for the default idmap configuration.
* s3:wb_lookupsids: add some paranoia checks to wb_lookupsids_recv() | Stefan Metzmacher | 2011-06-17 | 1 | -0/+18
  This hopefully catches future bugs.
  metze
  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Thu Jun 16 19:50:16 CEST 2011 on sn-devel-104
  (cherry picked from commit 5961852d9c0e5cf64cea988586d610af9d63d487)
* s3:wb_lookupsids: don't ignore 'result' and check if we got useable values | Stefan Metzmacher | 2011-06-17 | 1 | -4/+48
  The wrong fix for bug #8215 discovered this bug, as it caused sam_rids_to_names() to always return NT_STATUS_NONE_MAPPED.
  metze
  (cherry picked from commit 85809ccbe3a79f307af1fdd227f33b899d8db1b4)
* Revert "s3-winbind: Fix paranoia checks in winbindd_samr.c." | Stefan Metzmacher | 2011-06-17 | 1 | -2/+2
  This reverts commit 207a84d725b905c2b119d2ef0f4f4d4eb391140d.
  This is the wrong fix for the problem, see bug #8215.
  metze
  (cherry picked from commit 283f8a7fb5089a7126f07e26315fd06ab59997d8)
* s3:winbindd/idmap_proto.h: add _WINBINDD_IDMAP_PROTO_H_ guard (cherry picked from commit b88d80a97572a9d7730830f09b25a7d6dc655653) | Michael Adam | 2011-06-14 | 1 | -0/+4
* s3:winbindd/idmap_proto.h: add GPL/Copyright header (cherry picked from commit 88078c856976ebcad68251129ddc0556663dcf9c) | Michael Adam | 2011-06-14 | 1 | -0/+25
* bug in source3/winbindd/winbindd_sids_to_xids.c | Herb Lewis | 2011-06-14 | 1 | -1/+4
  I'm having trouble getting my system setup to do submits right now but I discovered a bug in the subject file that causes winbindd lookup sids command to assign incorrect unix ids. The change to sid_peek_rid fixes the case where you call lookup sids with sids s1 s2 s3 which cause them to be cached. then call with s1 s2 s4 and s4 will get the unix id of s1. The other change fixes the case where a sid that was not translated gets a value returned instead of being listed as unmapped. Could someone review this and push to master and 3.6 for me?
  Fix bug #8216 (winbind returns wrong results with sids2xids).
* s3-winbind: Fix paranoia checks in winbindd_samr.c. | Andreas Schneider | 2011-06-14 | 1 | -2/+2
  This fixes looking up the correct unix user instead of allocating a new uid and creating it.
  Fix bug #8215 (winbind unix username lookup doesn't work correctly).
* Revert "Fix bug 8196 - Many (newer) header files don't have copyright / GPL header comments." | Karolin Seeger | 2011-06-07 | 1 | -29/+0
  This reverts commit 6df3ff20620b3262ff232a478312c61a207ed4ff.
* s3:idmap_ldap: allow creation of ldap stored mappings for explicitly configured domains. | Michael Adam | 2011-06-07 | 1 | -1/+1
  After the preparations, this is achieved by using idmap_ldap_allocate_id_internal() as get_new_id rw method instead of idmap_ldap_allocate_id().
  (cherry picked from commit 74cd06b3dff42bda4dd0a0f3fd250a975d0258ed)
  The last 3 patches address bug #8200 (Add Support for multiple writable ldap idmap domains).
* s3:idmap_ldap: rename idmap_ldap_get_new_id to idmap_ldap_allocate_id | Michael Adam | 2011-06-07 | 1 | -6/+6
  This is in preparation of allowing allocating ldap based domain-specific configs.
  (cherry picked from commit dea3ef1ab689a3d01846147d2a83377b09335f8f)
* s3:idmap_ldap: rename idmap_ldap_allocate_id to idmap_ldap_allocate_id_internal | Michael Adam | 2011-06-07 | 1 | -3/+3
  This is in preparation of allowing allocating ldap based domain-specific configs.
  (cherry picked from commit 2de65b97b98e2c8cc218b60da749ac17195d8413)
* Fix bug #8203 - winbindd needs to reset the DC connection if an RPC times out. | Jeremy Allison | 2011-06-07 | 1 | -15/+66
  Based on Volker's original code.
* Fix bug 8196 - Many (newer) header files don't have copyright / GPL header comments. | Jeremy Allison | 2011-06-07 | 1 | -0/+29
  Add missing GPL headers and (C) statements.
* s3-winbind: BUG 8166 - Don't lockout users when offline. | Jim McDonough | 2011-06-01 | 1 | -1/+4
  Windows does not track bad password attempts when offline. We were locking users out but not honoring the lockout duration.
  Autobuild-User: Jim McDonough <jmcd@samba.org>
  Autobuild-Date: Wed May 25 18:11:10 CEST 2011 on sn-devel-104
  (cherry picked from commit b58534f1fca27e3e72f4f4107538ec05734bd42a)
* s3-libsmb: move protos to libsmb/proto.h | Günther Deschner | 2011-05-16 | 1 | -0/+1
  Guenther
* s3: only include tdb headers where needed. | Günther Deschner | 2011-05-16 | 4 | -0/+4
  Guenther
  (cherry picked from commit d8cfca3a9bd2b6b6c562fd202377d95a98eb5472)
* s3: include ntdomain.h before including generated srv_ headers. | Günther Deschner | 2011-05-16 | 3 | -2/+3
  Guenther
  (cherry picked from commit 0e76eddcc8a4e7e98167b8f92387fae015fae095)
* s3: remove various references to server side dcerpc structs (which are not needed). | Günther Deschner | 2011-05-16 | 3 | -3/+0
  Guenther
  (cherry picked from commit 0bb4701a747599042242b0612bc392a6e6d777af)
* s3-winbindd: remove unused headers. | Günther Deschner | 2011-05-16 | 2 | -6/+0
  Guenther
  (cherry picked from commit 233779cce4f47799d5912f362faadcd564bbf096)
* s3: Use tevent_req_ntstatus properly in a few places | Volker Lendecke | 2011-05-10 | 30 | -98/+49
  Autobuild-User: Volker Lendecke <vlendec@samba.org>
  Autobuild-Date: Tue May 10 13:11:10 CEST 2011 on sn-devel-104
  (cherry picked from commit 44cc1656276d99816614408b5cd846e6a57eacf0)
* Remove unused function parse_add_domuser(). | Jeremy Allison | 2011-05-04 | 2 | -26/+0
  Autobuild-User: Jeremy Allison <jra@samba.org>
  Autobuild-Date: Wed May 4 20:05:42 CEST 2011 on sn-devel-104
  (cherry picked from commit 54727f93163f1529eb78dfab5ac605e138391797)
* s3: Properly deal with exited winbind children | Volker Lendecke | 2011-05-04 | 1 | -0/+5
  When a winbind child exits, we need to immediately close the socket. If not, the next request to that child will be sent to a socket without a listener, leading to a failed request. This failed request will then trigger a proper re-init. This patch avoids the one failed request.
  Autobuild-User: Volker Lendecke <vlendec@samba.org>
  Autobuild-Date: Wed May 4 13:32:16 CEST 2011 on sn-devel-104
  (cherry picked from commit d08414b6799747f224ba02300585c8b15ac6bc0e)
* s3: Avoid a potential 100% CPU loop in winbindd | Volker Lendecke | 2011-04-29 | 1 | -0/+27
  In the clustering case if ctdb is unhappy, winbindd_reinit_after_fork fails. This can lead to an endless loop depending on the scheduling of the parent vs child. Parent forks, child is immediately scheduled and exits. Parent gets SIGCHLD, parent is then scheduled before it sends the request out to the child. Parent tries to fork again immediately.
  The code before this patch did not really take into account that reinit_after_fork can fail. The code now sends the result of winbindd_reinit_after_fork to the parent and the parent only considers the child alive when it got NT_STATUS_OK.
  This was seen in 3.4 winbind. winbind has changed significantly since then, so it might be possible that this does not happen anymore in exactly this way. But passing up the status of reinit_after_fork and only consider the child alive when that's ok is the correct thing to do anyway.
  Autobuild-User: Volker Lendecke <vlendec@samba.org>
  Autobuild-Date: Fri Apr 29 17:58:19 CEST 2011 on sn-devel-104
  (cherry picked from commit df099e66240c7670c9f7b7dcccb1c38216bac3ec)
* s3: Make winbindd_reinit_after_fork return NTSTATUS | Volker Lendecke | 2011-04-29 | 4 | -12/+23
  (cherry picked from commit aa5abcaf7e2844e3bd3d8e8fe26488673ad3c00e)
* s3: In winbind, close parent/child sockets | Volker Lendecke | 2011-04-29 | 4 | -5/+15
  This should further reduce fd load in winbind children
  (cherry picked from commit 0757688eb34ec1a22bf8c28f72416d6684756647)
* s3-tevent: only include ../lib/util/tevent wrappers where needed. | Günther Deschner | 2011-04-29 | 2 | -0/+3
  Guenther
  Autobuild-User: Günther Deschner <gd@samba.org>
  Autobuild-Date: Fri Apr 29 14:00:30 CEST 2011 on sn-devel-104
  (cherry picked from commit 50883cfeb4eed3d538f71443060745f8747044c9)
* s3: Close the winbind client fds after forking | Volker Lendecke | 2011-04-28 | 1 | -0/+10
  In an overload situation, the winbind helper child process inherits all those hundreds of fd's which it will never talk to. Close them.
  We (Christian Ambach and me) just saw a crash in libkrb5. Christian's analysis showed that libkrb5 also does select, probably exceeding FD_SETSIZE and crashing due to that reason. The parent winbind in theory does not do Kerberos at all, so this should fix that problem.
  The crash is interesting because the child process did not really crash. Somewhere in glibc backtrace() is called, probably due to an assert() or some explicit consistency check. This then somehow generates a signal probably due to corrupted memory structures. That signal triggers Samba to again call backtrace(). This blocks hard on a ptrace_once().
  Sorry for the long backtrace here, but this *is* interesting.
  The child process blocking and not really crashing makes the situation worse: The parent process does not get told the child has crashed and more client sockets pile up. This patch is intended to put some relief on this problem by closing the majority of sockets the parent holds.
    (gdb) bt
    #0  0x00002ad686a2b07b in pthread_once () from /lib64/libpthread.so.0
    #1  0x00002ad6867adf87 in backtrace () from /lib64/libc.so.6
    #2  0x00002ad683eab27c in log_stack_trace () at lib/util.c:1580
    #3  0x00002ad683eab34b in smb_panic (why=0x2ad6841c6ec3 "internal error") at lib/util.c:1481
    #4  0x00002ad683e9af3e in fault_report (sig=1) at lib/fault.c:52
    #5  sig_fault (sig=1) at lib/fault.c:75
    #6  <signal handler called>
    #7  0x00002ad68673b005 in _int_malloc () from /lib64/libc.so.6
    #8  0x00002ad68673c95d in calloc () from /lib64/libc.so.6
    #9  0x00002ad684503e25 in _dl_new_object () from /lib64/ld-linux-x86-64.so.2
    #10 0x00002ad6844ffadc in _dl_map_object_from_fd () from /lib64/ld-linux-x86-64.so.2
    #11 0x00002ad684501d43 in _dl_map_object () from /lib64/ld-linux-x86-64.so.2
    #12 0x00002ad68450ac8d in dl_open_worker () from /lib64/ld-linux-x86-64.so.2
    #13 0x00002ad684506ed6 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2
    #14 0x00002ad68450a68c in _dl_open () from /lib64/ld-linux-x86-64.so.2
    #15 0x00002ad6867d0ba0 in do_dlopen () from /lib64/libc.so.6
    #16 0x00002ad684506ed6 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2
    #17 0x00002ad6867d0d07 in __libc_dlopen_mode () from /lib64/libc.so.6
    #18 0x00002ad6867adeea in init () from /lib64/libc.so.6
    #19 0x00002ad686a2b083 in pthread_once () from /lib64/libpthread.so.0
    #20 0x00002ad6867adf87 in backtrace () from /lib64/libc.so.6
    #21 0x00002ad68673285f in __libc_message () from /lib64/libc.so.6
    #22 0x00002ad68673a30f in _int_free () from /lib64/libc.so.6
    #23 0x00002ad68673a76b in free () from /lib64/libc.so.6
    #24 0x00002ad6853fe346 in krb5int_sendto () from /usr/lib64/libkrb5.so.3
    #25 0x00002ad6853fe511 in krb5_sendto_kdc () from /usr/lib64/libkrb5.so.3
    #26 0x00002ad6853df7c4 in ?? () from /usr/lib64/libkrb5.so.3
    #27 0x00002ad6853e0919 in krb5_get_init_creds () from /usr/lib64/libkrb5.so.3
    #28 0x00002ad6853e2a94 in krb5_get_init_creds_password () from /usr/lib64/libkrb5.so.3
    #29 0x00002ad684169ff1 in kerberos_kinit_password_ext (principal=0x2ad684702180 "<sanitized>", password=0x2ad6844c5bb0 "<sanitized>", time_offset=0, expire_time=0x2ad6846bf380, renew_till_time=0x0, cache_name=0x2ad6843cb3e0 "MEMORY:winbind_ccache", request_pac=false, add_netbios_addr=false, renewable_time=<value optimized out>, ntstatus=0x0) at libads/kerberos.c:223
    #30 0x00002ad68416a223 in ads_kinit_password (ads=0x2ad6846bf330) at libads/kerberos.c:327
    #31 0x00002ad68415f725 in ads_sasl_spnego_bind (ads=0x2ad6846bf330) at libads/sasl.c:812
    #32 0x00002ad68415dbc1 in ads_sasl_bind (ads=0x2ad6846bf330) at libads/sasl.c:1114
    #33 0x00002ad68415c09b in ads_connect (ads=0x2ad6846bf330) at libads/ldap.c:711
    #34 0x00002ad683e1b8f7 in ads_cached_connection (domain=0x2ad6846b07c0) at winbindd/winbindd_ads.c:124
    #35 0x00002ad683e1bc85 in sequence_number (domain=0x2ad6846b07c0, seq=0x2ad6846b0cd8) at winbindd/winbindd_ads.c:1233
    #36 0x00002ad683dffdd7 in refresh_sequence_number (domain=0x2ad6846b07c0, force=128) at winbindd/winbindd_cache.c:510
    #37 0x00002ad683e00520 in wcache_fetch (cache=<value optimized out>, domain=0x2ad6846b07c0, format=0x2ad68419901e "U/%s") at winbindd/winbindd_cache.c:638
    #38 0x00002ad683e04ac8 in query_user (domain=0x2ad6846b07c0, mem_ctx=0x2ad6846bc920, user_sid=0x7fff1d0cb8c0, info=0x7fff1d0cb810) at winbindd/winbindd_cache.c:1910
    #39 0x00002ad683df2d38 in winbindd_dual_userinfo (domain=0x2ad6846b07c0, state=0x7fff1d0cc9c0) at winbindd/winbindd_user.c:173
    #40 0x00002ad683e232e0 in fork_domain_child (child=0x2ad6846c2440) at winbindd/winbindd_dual.c:485
    #41 schedule_async_request (child=0x2ad6846c2440) at winbindd/winbindd_dual.c:319
    #42 0x00002ad683e229f2 in async_request_fail (state=0x2ad6846c1d00) at winbindd/winbindd_dual.c:214
    #43 0x00002ad683ebabec in run_events (ev=0x2ad6846aebf0, selrtn=0, read_fds=0x7fff1d0ce910, write_fds=<value optimized out>) at lib/events.c:123
    #44 0x00002ad683df08cb in process_loop (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at winbindd/winbindd.c:1113
    #45 main (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at winbindd/winbindd.c:1437
  Autobuild-User: Volker Lendecke <vlendec@samba.org>
  Autobuild-Date: Thu Apr 28 12:06:12 CEST 2011 on sn-devel-104
  (cherry picked from commit 2e1522f3785d542c429fce83264ad67f35bcef68)