1996-05-04 11:50:46 +04:00
/*
2002-01-30 09:08:46 +03:00
* Unix SMB / CIFS implementation .
* SMB parameters and setup
2003-07-11 09:33:40 +04:00
* Copyright ( C ) Andrew Tridgell 1992 - 1998
* Modified by Jeremy Allison 1995.
* Modified by Gerald ( Jerry ) Carter 2000 - 2001 , 2003
* Modified by Andrew Bartlett 2002.
1996-05-04 11:50:46 +04:00
*
* This program is free software ; you can redistribute it and / or modify it under
* the terms of the GNU General Public License as published by the Free
2007-07-09 23:25:36 +04:00
* Software Foundation ; either version 3 of the License , or ( at your option )
1996-05-04 11:50:46 +04:00
* any later version .
*
* This program is distributed in the hope that it will be useful , but WITHOUT
* ANY WARRANTY ; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE . See the GNU General Public License for
* more details .
*
* You should have received a copy of the GNU General Public License along with
2007-07-10 09:23:25 +04:00
* this program ; if not , see < http : //www.gnu.org/licenses/>.
1996-05-04 11:50:46 +04:00
*/
# include "includes.h"
2011-03-18 20:58:37 +03:00
# include "passdb.h"
2011-02-25 19:14:22 +03:00
# include "system/passwd.h"
2011-02-26 01:20:06 +03:00
# include "system/filesys.h"
2010-08-03 00:52:00 +04:00
# include "../librpc/gen_ndr/samr.h"
2010-10-12 08:27:50 +04:00
# include "../libcli/security/security.h"
2011-10-04 19:35:31 +04:00
# include "passdb/pdb_smbpasswd.h"
2020-08-07 21:17:34 +03:00
# include "lib/util/string_wrappers.h"
1996-05-04 11:50:46 +04:00
2002-07-15 14:35:28 +04:00
# undef DBGC_CLASS
# define DBGC_CLASS DBGC_PASSDB
2000-11-14 02:03:34 +03:00
/*
smb_passwd is analogous to sam_passwd used everywhere
else . However , smb_passwd is limited to the information
stored by an smbpasswd entry
*/
2010-02-05 17:43:26 +03:00
2000-11-14 02:03:34 +03:00
struct smb_passwd
{
2015-05-09 23:34:31 +03:00
uint32_t smb_userid ; /* this is actually the unix uid_t */
2002-01-17 11:45:58 +03:00
const char * smb_name ; /* username string */
2000-11-14 02:03:34 +03:00
2003-07-11 09:33:40 +04:00
const unsigned char * smb_passwd ; /* Null if no password */
This commit is number 4 of 4.
In particular this commit focuses on:
Actually adding the 'const' to the passdb interface, and the flow-on changes.
Also kill off the 'disp_info' stuff, as its no longer used.
While these changes have been mildly tested, and are pretty small, any
assistance in this is appreciated.
----
These changes introduces a large dose of 'const' to the Samba tree.
There are a number of good reasons to do this:
- I want to allow the SAM_ACCOUNT structure to move from wasteful
pstrings and fstrings to allocated strings. We can't do that if
people are modifying these outputs, as they may well make
assumptions about getting pstrings and fstrings
- I want --with-pam_smbpass to compile with a slightly sane
volume of warnings, currently its pretty bad, even in 2.2
where is compiles at all.
- Tridge assures me that he no longer opposes 'const religion'
based on the ability to #define const the problem away.
- Changed Get_Pwnam(x,y) into two variants (so that the const
parameter can work correctly): - Get_Pwnam(const x) and
Get_Pwnam_Modify(x).
- Reworked smbd/chgpasswd.c to work with these mods, passing
around a 'struct passwd' rather than the modified username
---
This finishes this line of commits off, your tree should now compile again :-)
Andrew Bartlett
(This used to be commit c95f5aeb9327347674589ae313b75bee3bf8e317)
2001-10-29 10:35:11 +03:00
const unsigned char * smb_nt_passwd ; /* Null if no password */
2000-11-14 02:03:34 +03:00
2010-05-21 04:38:04 +04:00
uint16_t acct_ctrl ; /* account info (ACB_xxxx bit-mask) */
2000-11-14 02:03:34 +03:00
time_t pass_last_set_time ; /* password last set time */
} ;
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
struct smbpasswd_privates
{
/* used for maintain locks on the smbpasswd file */
int pw_file_lock_depth ;
2010-02-05 17:43:26 +03:00
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
/* Global File pointer */
FILE * pw_file ;
2010-02-05 17:43:26 +03:00
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
/* formerly static variables */
struct smb_passwd pw_buf ;
2007-11-21 04:18:16 +03:00
fstring user_name ;
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
unsigned char smbpwd [ 16 ] ;
unsigned char smbntpwd [ 16 ] ;
2000-11-14 02:03:34 +03:00
2018-05-04 23:23:39 +03:00
/* retrieve-once info */
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
const char * smbpasswd_file ;
} ;
2001-04-26 02:12:13 +04:00
2000-02-26 01:25:25 +03:00
enum pwf_access_type { PWF_READ , PWF_UPDATE , PWF_CREATE } ;
2006-08-17 19:04:53 +04:00
static SIG_ATOMIC_T gotalarm ;
/***************************************************************
Signal function to tell us we timed out .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-02-19 18:14:47 +03:00
static void gotalarm_sig ( int signum )
2006-08-17 19:04:53 +04:00
{
gotalarm = 1 ;
}
/***************************************************************
Lock or unlock a fd for a known lock type . Abandon after waitsecs
seconds .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-10-19 04:40:25 +04:00
static bool do_file_lock ( int fd , int waitsecs , int type )
2006-08-17 19:04:53 +04:00
{
2012-03-28 06:26:34 +04:00
struct flock lock ;
2006-08-17 19:04:53 +04:00
int ret ;
void ( * oldsig_handler ) ( int ) ;
gotalarm = 0 ;
2010-02-19 18:14:47 +03:00
oldsig_handler = CatchSignal ( SIGALRM , gotalarm_sig ) ;
2006-08-17 19:04:53 +04:00
lock . l_type = type ;
lock . l_whence = SEEK_SET ;
lock . l_start = 0 ;
lock . l_len = 1 ;
lock . l_pid = 0 ;
alarm ( waitsecs ) ;
/* Note we must *NOT* use sys_fcntl here ! JRA */
2012-03-28 06:32:54 +04:00
ret = fcntl ( fd , F_SETLKW , & lock ) ;
2006-08-17 19:04:53 +04:00
alarm ( 0 ) ;
2010-02-19 18:14:47 +03:00
CatchSignal ( SIGALRM , oldsig_handler ) ;
2006-08-17 19:04:53 +04:00
2009-01-15 00:17:38 +03:00
if ( gotalarm & & ret = = - 1 ) {
2006-08-17 19:04:53 +04:00
DEBUG ( 0 , ( " do_file_lock: failed to %s file. \n " ,
type = = F_UNLCK ? " unlock " : " lock " ) ) ;
return False ;
}
return ( ret = = 0 ) ;
}
2000-11-14 02:03:34 +03:00
/***************************************************************
Lock an fd . Abandon after waitsecs seconds .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-10-19 04:40:25 +04:00
static bool pw_file_lock ( int fd , int type , int secs , int * plock_depth )
2000-11-14 02:03:34 +03:00
{
2004-09-13 12:52:24 +04:00
if ( fd < 0 ) {
return False ;
}
2000-11-14 02:03:34 +03:00
2004-09-13 12:52:24 +04:00
if ( * plock_depth = = 0 ) {
if ( ! do_file_lock ( fd , secs , type ) ) {
DEBUG ( 10 , ( " pw_file_lock: locking file failed, error = %s. \n " ,
strerror ( errno ) ) ) ;
return False ;
}
}
2000-11-14 02:03:34 +03:00
2004-09-13 12:52:24 +04:00
( * plock_depth ) + + ;
2000-11-14 02:03:34 +03:00
2004-09-13 12:52:24 +04:00
return True ;
2000-11-14 02:03:34 +03:00
}
/***************************************************************
Unlock an fd . Abandon after waitsecs seconds .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-10-19 04:40:25 +04:00
static bool pw_file_unlock ( int fd , int * plock_depth )
2000-11-14 02:03:34 +03:00
{
2007-10-19 04:40:25 +04:00
bool ret = True ;
2000-11-14 02:03:34 +03:00
2004-09-13 12:52:24 +04:00
if ( fd = = 0 | | * plock_depth = = 0 ) {
return True ;
}
2002-07-15 14:35:28 +04:00
2004-09-13 12:52:24 +04:00
if ( * plock_depth = = 1 ) {
ret = do_file_lock ( fd , 5 , F_UNLCK ) ;
}
2000-11-14 02:03:34 +03:00
2004-09-13 12:52:24 +04:00
if ( * plock_depth > 0 ) {
( * plock_depth ) - - ;
}
2000-11-14 02:03:34 +03:00
2004-09-13 12:52:24 +04:00
if ( ! ret ) {
DEBUG ( 10 , ( " pw_file_unlock: unlocking file failed, error = %s. \n " ,
strerror ( errno ) ) ) ;
}
return ret ;
2000-11-14 02:03:34 +03:00
}
/**************************************************************
Intialize a smb_passwd struct
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2001-10-02 10:57:18 +04:00
2000-11-14 02:03:34 +03:00
static void pdb_init_smb ( struct smb_passwd * user )
{
2001-10-02 10:57:18 +04:00
if ( user = = NULL )
2000-11-14 02:03:34 +03:00
return ;
2001-10-02 10:57:18 +04:00
ZERO_STRUCTP ( user ) ;
2010-02-05 17:43:26 +03:00
2001-10-04 02:58:37 +04:00
user - > pass_last_set_time = ( time_t ) 0 ;
2000-11-14 02:03:34 +03:00
}
1998-03-12 00:11:04 +03:00
/***************************************************************
2000-02-26 01:25:25 +03:00
Internal fn to enumerate the smbpasswd list . Returns a void pointer
to ensure no modification outside this module . Checks for atomic
rename of smbpasswd file on update or create once the lock has
been granted to prevent race conditions . JRA .
1998-05-19 03:57:28 +04:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1998-05-07 22:19:05 +04:00
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
static FILE * startsmbfilepwent ( const char * pfile , enum pwf_access_type type , int * lock_depth )
1998-03-12 00:11:04 +03:00
{
2004-09-13 12:52:24 +04:00
FILE * fp = NULL ;
const char * open_mode = NULL ;
int race_loop = 0 ;
int lock_type = F_RDLCK ;
if ( ! * pfile ) {
DEBUG ( 0 , ( " startsmbfilepwent: No SMB password file set \n " ) ) ;
return ( NULL ) ;
}
switch ( type ) {
case PWF_READ :
open_mode = " rb " ;
lock_type = F_RDLCK ;
break ;
case PWF_UPDATE :
open_mode = " r+b " ;
lock_type = F_WRLCK ;
break ;
case PWF_CREATE :
/*
* Ensure atomic file creation .
*/
{
int i , fd = - 1 ;
for ( i = 0 ; i < 5 ; i + + ) {
2012-03-28 05:48:00 +04:00
if ( ( fd = open ( pfile , O_CREAT | O_TRUNC | O_EXCL | O_RDWR , 0600 ) ) ! = - 1 ) {
2004-09-13 12:52:24 +04:00
break ;
}
2012-03-24 23:43:07 +04:00
usleep ( 200 ) ; /* Spin, spin... */
2004-09-13 12:52:24 +04:00
}
if ( fd = = - 1 ) {
DEBUG ( 0 , ( " startsmbfilepwent_internal: too many race conditions \
creating file % s \ n " , pfile));
return NULL ;
}
close ( fd ) ;
open_mode = " r+b " ;
lock_type = F_WRLCK ;
break ;
}
2011-03-27 13:06:02 +04:00
default :
DEBUG ( 10 , ( " Invalid open mode: %d \n " , type ) ) ;
return NULL ;
2004-09-13 12:52:24 +04:00
}
2010-02-05 17:43:26 +03:00
2004-09-13 12:52:24 +04:00
for ( race_loop = 0 ; race_loop < 5 ; race_loop + + ) {
DEBUG ( 10 , ( " startsmbfilepwent_internal: opening file %s \n " , pfile ) ) ;
2012-03-28 05:51:17 +04:00
if ( ( fp = fopen ( pfile , open_mode ) ) = = NULL ) {
2004-09-13 12:52:24 +04:00
/*
* If smbpasswd file doesn ' t exist , then create new one . This helps to avoid
* confusing error msg when adding user account first time .
*/
if ( errno = = ENOENT ) {
2012-03-28 05:51:17 +04:00
if ( ( fp = fopen ( pfile , " a+ " ) ) ! = NULL ) {
2004-09-13 12:52:24 +04:00
DEBUG ( 0 , ( " startsmbfilepwent_internal: file %s did not \
exist . File successfully created . \ n " , pfile));
} else {
DEBUG ( 0 , ( " startsmbfilepwent_internal: file %s did not \
exist . Couldn ' t create new one . Error was : % s " ,
pfile , strerror ( errno ) ) ) ;
return NULL ;
}
} else {
DEBUG ( 0 , ( " startsmbfilepwent_internal: unable to open file %s. \
Error was : % s \ n " , pfile, strerror(errno)));
return NULL ;
}
}
1999-12-13 16:27:58 +03:00
2004-09-13 12:52:24 +04:00
if ( ! pw_file_lock ( fileno ( fp ) , lock_type , 5 , lock_depth ) ) {
DEBUG ( 0 , ( " startsmbfilepwent_internal: unable to lock file %s. \
Error was % s \ n " , pfile, strerror(errno) ));
fclose ( fp ) ;
return NULL ;
}
/*
* Only check for replacement races on update or create .
* For read we don ' t mind if the data is one record out of date .
*/
if ( type = = PWF_READ ) {
break ;
} else {
SMB_STRUCT_STAT sbuf1 , sbuf2 ;
/*
* Avoid the potential race condition between the open and the lock
* by doing a stat on the filename and an fstat on the fd . If the
* two inodes differ then someone did a rename between the open and
* the lock . Back off and try the open again . Only do this 5 times to
* prevent infinate loops . JRA .
*/
2009-11-27 15:12:40 +03:00
if ( sys_stat ( pfile , & sbuf1 , false ) ! = 0 ) {
2004-09-13 12:52:24 +04:00
DEBUG ( 0 , ( " startsmbfilepwent_internal: unable to stat file %s. \
Error was % s \ n " , pfile, strerror(errno)));
pw_file_unlock ( fileno ( fp ) , lock_depth ) ;
fclose ( fp ) ;
return NULL ;
}
2009-11-27 15:12:40 +03:00
if ( sys_fstat ( fileno ( fp ) , & sbuf2 , false ) ! = 0 ) {
2004-09-13 12:52:24 +04:00
DEBUG ( 0 , ( " startsmbfilepwent_internal: unable to fstat file %s. \
Error was % s \ n " , pfile, strerror(errno)));
pw_file_unlock ( fileno ( fp ) , lock_depth ) ;
fclose ( fp ) ;
return NULL ;
}
2009-05-14 17:34:42 +04:00
if ( sbuf1 . st_ex_ino = = sbuf2 . st_ex_ino ) {
2004-09-13 12:52:24 +04:00
/* No race. */
break ;
}
/*
* Race occurred - back off and try again . . .
*/
pw_file_unlock ( fileno ( fp ) , lock_depth ) ;
fclose ( fp ) ;
}
}
if ( race_loop = = 5 ) {
DEBUG ( 0 , ( " startsmbfilepwent_internal: too many race conditions opening file %s \n " , pfile ) ) ;
return NULL ;
}
/* Set a buffer to do more efficient reads */
setvbuf ( fp , ( char * ) NULL , _IOFBF , 1024 ) ;
/* Make sure it is only rw by the owner */
2003-10-02 21:53:57 +04:00
# ifdef HAVE_FCHMOD
2004-09-13 12:52:24 +04:00
if ( fchmod ( fileno ( fp ) , S_IRUSR | S_IWUSR ) = = - 1 ) {
2003-10-02 21:53:57 +04:00
# else
2004-09-13 12:52:24 +04:00
if ( chmod ( pfile , S_IRUSR | S_IWUSR ) = = - 1 ) {
2003-10-02 21:53:57 +04:00
# endif
2004-09-13 12:52:24 +04:00
DEBUG ( 0 , ( " startsmbfilepwent_internal: failed to set 0600 permissions on password file %s. \
2000-03-02 06:04:26 +03:00
Error was % s \ n . " , pfile, strerror(errno) ));
2004-09-13 12:52:24 +04:00
pw_file_unlock ( fileno ( fp ) , lock_depth ) ;
fclose ( fp ) ;
return NULL ;
}
1999-12-13 16:27:58 +03:00
2004-09-13 12:52:24 +04:00
/* We have a lock on the file. */
return fp ;
1998-03-12 00:11:04 +03:00
}
/***************************************************************
1998-04-14 04:41:59 +04:00
End enumeration of the smbpasswd list .
1998-03-12 00:11:04 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-09-13 12:52:24 +04:00
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
static void endsmbfilepwent ( FILE * fp , int * lock_depth )
1998-03-12 00:11:04 +03:00
{
2002-07-15 14:35:28 +04:00
if ( ! fp ) {
return ;
}
1999-12-13 16:27:58 +03:00
2002-07-15 14:35:28 +04:00
pw_file_unlock ( fileno ( fp ) , lock_depth ) ;
fclose ( fp ) ;
DEBUG ( 7 , ( " endsmbfilepwent_internal: closed password file. \n " ) ) ;
2000-02-26 01:25:25 +03:00
}
- group database API. oops and oh dear, the threat has been carried out:
the pre-alpha "domain group" etc parameters have disappeared.
- interactive debug detection
- re-added mem_man (andrew's memory management, detects memory corruption)
- american spellings of "initialise" replaced with english spelling of
"initialise".
- started on "lookup_name()" and "lookup_sid()" functions. proper ones.
- moved lots of functions around. created some modules of commonly used
code. e.g the password file locking code, which is used in groupfile.c
and aliasfile.c and smbpass.c
- moved RID_TYPE_MASK up another bit. this is really unfortunate, but
there is no other "fast" way to identify users from groups from aliases.
i do not believe that this code saves us anything (the multipliers)
and puts us at a disadvantage (reduces the useable rid space).
the designers of NT aren't silly: if they can get away with a user-
interface-speed LsaLookupNames / LsaLookupSids, then so can we. i
spoke with isaac at the cifs conference, the only time for example that
they do a security context check is on file create. certainly not on
individual file reads / writes, which would drastically hit their
performance and ours, too.
- renamed myworkgroup to global_sam_name, amongst other things, when used
in the rpc code. there is also a global_member_name, as we are always
responsible for a SAM database, the scope of which is limited by the role
of the machine (e.g if a member of a workgroup, your SAM is for _local_
logins only, and its name is the name of your server. you even still
have a SID. see LsaQueryInfoPolicy, levels 3 and 5).
- updated functionality of groupname.c to be able to cope with names
like DOMAIN\group and SERVER\alias. used this code to be able to
do aliases as well as groups. this code may actually be better
off being used in username mapping, too.
- created a connect to serverlist function in clientgen.c and used it
in password.c
- initialisation in server.c depends on the role of the server. well,
it does now.
- rpctorture. smbtorture. EXERCISE EXTREME CAUTION.
(This used to be commit 0d21e1e6090b933f396c764af535ca3388a562db)
1998-11-17 19:19:04 +03:00
/*************************************************************************
1999-12-13 16:27:58 +03:00
Routine to return the next entry in the smbpasswd list .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2000-02-26 01:25:25 +03:00
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
static struct smb_passwd * getsmbfilepwent ( struct smbpasswd_privates * smbpasswd_state , FILE * fp )
- group database API. oops and oh dear, the threat has been carried out:
the pre-alpha "domain group" etc parameters have disappeared.
- interactive debug detection
- re-added mem_man (andrew's memory management, detects memory corruption)
- american spellings of "initialise" replaced with english spelling of
"initialise".
- started on "lookup_name()" and "lookup_sid()" functions. proper ones.
- moved lots of functions around. created some modules of commonly used
code. e.g the password file locking code, which is used in groupfile.c
and aliasfile.c and smbpass.c
- moved RID_TYPE_MASK up another bit. this is really unfortunate, but
there is no other "fast" way to identify users from groups from aliases.
i do not believe that this code saves us anything (the multipliers)
and puts us at a disadvantage (reduces the useable rid space).
the designers of NT aren't silly: if they can get away with a user-
interface-speed LsaLookupNames / LsaLookupSids, then so can we. i
spoke with isaac at the cifs conference, the only time for example that
they do a security context check is on file create. certainly not on
individual file reads / writes, which would drastically hit their
performance and ours, too.
- renamed myworkgroup to global_sam_name, amongst other things, when used
in the rpc code. there is also a global_member_name, as we are always
responsible for a SAM database, the scope of which is limited by the role
of the machine (e.g if a member of a workgroup, your SAM is for _local_
logins only, and its name is the name of your server. you even still
have a SID. see LsaQueryInfoPolicy, levels 3 and 5).
- updated functionality of groupname.c to be able to cope with names
like DOMAIN\group and SERVER\alias. used this code to be able to
do aliases as well as groups. this code may actually be better
off being used in username mapping, too.
- created a connect to serverlist function in clientgen.c and used it
in password.c
- initialisation in server.c depends on the role of the server. well,
it does now.
- rpctorture. smbtorture. EXERCISE EXTREME CAUTION.
(This used to be commit 0d21e1e6090b933f396c764af535ca3388a562db)
1998-11-17 19:19:04 +03:00
{
2004-09-13 12:52:24 +04:00
/* Static buffers we will return. */
struct smb_passwd * pw_buf = & smbpasswd_state - > pw_buf ;
char * user_name = smbpasswd_state - > user_name ;
unsigned char * smbpwd = smbpasswd_state - > smbpwd ;
unsigned char * smbntpwd = smbpasswd_state - > smbntpwd ;
char linebuf [ 256 ] ;
unsigned char * p ;
long uidval ;
size_t linebuf_len ;
2005-09-30 21:13:37 +04:00
char * status ;
2004-09-13 12:52:24 +04:00
if ( fp = = NULL ) {
DEBUG ( 0 , ( " getsmbfilepwent: Bad password file pointer. \n " ) ) ;
return NULL ;
}
pdb_init_smb ( pw_buf ) ;
pw_buf - > acct_ctrl = ACB_NORMAL ;
/*
* Scan the file , a line at a time and check if the name matches .
*/
2005-09-30 21:13:37 +04:00
status = linebuf ;
while ( status & & ! feof ( fp ) ) {
2004-09-13 12:52:24 +04:00
linebuf [ 0 ] = ' \0 ' ;
2005-09-30 21:13:37 +04:00
status = fgets ( linebuf , 256 , fp ) ;
if ( status = = NULL & & ferror ( fp ) ) {
2004-09-13 12:52:24 +04:00
return NULL ;
}
/*
* Check if the string is terminated with a newline - if not
* then we must keep reading and discard until we get one .
*/
if ( ( linebuf_len = strlen ( linebuf ) ) = = 0 ) {
continue ;
}
if ( linebuf [ linebuf_len - 1 ] ! = ' \n ' ) {
while ( ! ferror ( fp ) & & ! feof ( fp ) ) {
2019-09-05 17:42:41 +03:00
int c ;
2004-09-13 12:52:24 +04:00
c = fgetc ( fp ) ;
if ( c = = ' \n ' ) {
break ;
}
}
} else {
linebuf [ linebuf_len - 1 ] = ' \0 ' ;
}
1999-12-13 16:27:58 +03:00
# ifdef DEBUG_PASSWORD
2004-09-13 12:52:24 +04:00
DEBUG ( 100 , ( " getsmbfilepwent: got line |%s| \n " , linebuf ) ) ;
1999-12-13 16:27:58 +03:00
# endif
2004-09-13 12:52:24 +04:00
if ( ( linebuf [ 0 ] = = 0 ) & & feof ( fp ) ) {
DEBUG ( 4 , ( " getsmbfilepwent: end of file reached \n " ) ) ;
break ;
}
/*
* The line we have should be of the form : -
*
* username : uid : 32 hex bytes : [ Account type ] : LCT - 12345678. . . . other flags presently
* ignored . . . .
*
* or ,
*
* username : uid : 32 hex bytes : 32 hex bytes : [ Account type ] : LCT - 12345678. . . . ignored . . . .
*
* if Windows NT compatible passwords are also present .
* [ Account type ] is an ascii encoding of the type of account .
* LCT - ( 8 hex digits ) is the time_t value of the last change time .
*/
if ( linebuf [ 0 ] = = ' # ' | | linebuf [ 0 ] = = ' \0 ' ) {
DEBUG ( 6 , ( " getsmbfilepwent: skipping comment or blank line \n " ) ) ;
continue ;
}
p = ( unsigned char * ) strchr_m ( linebuf , ' : ' ) ;
if ( p = = NULL ) {
DEBUG ( 0 , ( " getsmbfilepwent: malformed password entry (no :) \n " ) ) ;
continue ;
}
strncpy ( user_name , linebuf , PTR_DIFF ( p , linebuf ) ) ;
user_name [ PTR_DIFF ( p , linebuf ) ] = ' \0 ' ;
/* Get smb uid. */
p + + ; /* Go past ':' */
if ( * p = = ' - ' ) {
DEBUG ( 0 , ( " getsmbfilepwent: user name %s has a negative uid. \n " , user_name ) ) ;
continue ;
}
if ( ! isdigit ( * p ) ) {
DEBUG ( 0 , ( " getsmbfilepwent: malformed password entry for user %s (uid not number) \n " ,
user_name ) ) ;
continue ;
}
uidval = atoi ( ( char * ) p ) ;
while ( * p & & isdigit ( * p ) ) {
p + + ;
}
if ( * p ! = ' : ' ) {
DEBUG ( 0 , ( " getsmbfilepwent: malformed password entry for user %s (no : after uid) \n " ,
user_name ) ) ;
continue ;
}
pw_buf - > smb_name = user_name ;
pw_buf - > smb_userid = uidval ;
/*
* Now get the password value - this should be 32 hex digits
* which are the ascii representations of a 16 byte string .
* Get two at a time and put them into the password .
*/
/* Skip the ':' */
p + + ;
if ( linebuf_len < ( PTR_DIFF ( p , linebuf ) + 33 ) ) {
DEBUG ( 0 , ( " getsmbfilepwent: malformed password entry for user %s (passwd too short) \n " ,
user_name ) ) ;
continue ;
}
if ( p [ 32 ] ! = ' : ' ) {
DEBUG ( 0 , ( " getsmbfilepwent: malformed password entry for user %s (no terminating :) \n " ,
user_name ) ) ;
continue ;
}
if ( strnequal ( ( char * ) p , " NO PASSWORD " , 11 ) ) {
pw_buf - > smb_passwd = NULL ;
pw_buf - > acct_ctrl | = ACB_PWNOTREQ ;
} else {
if ( * p = = ' * ' | | * p = = ' X ' ) {
/* NULL LM password */
pw_buf - > smb_passwd = NULL ;
DEBUG ( 10 , ( " getsmbfilepwent: LM password for user %s invalidated \n " , user_name ) ) ;
} else if ( pdb_gethexpwd ( ( char * ) p , smbpwd ) ) {
pw_buf - > smb_passwd = smbpwd ;
} else {
pw_buf - > smb_passwd = NULL ;
DEBUG ( 0 , ( " getsmbfilepwent: Malformed Lanman password entry for user %s \
( non hex chars ) \ n " , user_name));
}
}
/*
* Now check if the NT compatible password is
* available .
*/
pw_buf - > smb_nt_passwd = NULL ;
p + = 33 ; /* Move to the first character of the line after the lanman password. */
if ( ( linebuf_len > = ( PTR_DIFF ( p , linebuf ) + 33 ) ) & & ( p [ 32 ] = = ' : ' ) ) {
if ( * p ! = ' * ' & & * p ! = ' X ' ) {
if ( pdb_gethexpwd ( ( char * ) p , smbntpwd ) ) {
pw_buf - > smb_nt_passwd = smbntpwd ;
}
}
p + = 33 ; /* Move to the first character of the line after the NT password. */
}
DEBUG ( 5 , ( " getsmbfilepwent: returning passwd entry for user %s, uid %ld \n " ,
user_name , uidval ) ) ;
if ( * p = = ' [ ' ) {
unsigned char * end_p = ( unsigned char * ) strchr_m ( ( char * ) p , ' ] ' ) ;
pw_buf - > acct_ctrl = pdb_decode_acct_ctrl ( ( char * ) p ) ;
/* Must have some account type set. */
if ( pw_buf - > acct_ctrl = = 0 ) {
pw_buf - > acct_ctrl = ACB_NORMAL ;
}
/* Now try and get the last change time. */
if ( end_p ) {
p = end_p + 1 ;
}
if ( * p = = ' : ' ) {
p + + ;
2011-05-13 22:23:36 +04:00
if ( * p & & ( strncasecmp_m ( ( char * ) p , " LCT- " , 4 ) = = 0 ) ) {
2004-09-13 12:52:24 +04:00
int i ;
p + = 4 ;
for ( i = 0 ; i < 8 ; i + + ) {
if ( p [ i ] = = ' \0 ' | | ! isxdigit ( p [ i ] ) ) {
break ;
}
}
if ( i = = 8 ) {
/*
* p points at 8 characters of hex digits -
* read into a time_t as the seconds since
* 1970 that the password was last changed .
*/
pw_buf - > pass_last_set_time = ( time_t ) strtol ( ( char * ) p , NULL , 16 ) ;
}
}
}
} else {
/* 'Old' style file. Fake up based on user name. */
/*
* Currently trust accounts are kept in the same
* password file as ' normal accounts ' . If this changes
* we will have to fix this code . JRA .
*/
if ( pw_buf - > smb_name [ strlen ( pw_buf - > smb_name ) - 1 ] = = ' $ ' ) {
pw_buf - > acct_ctrl & = ~ ACB_NORMAL ;
pw_buf - > acct_ctrl | = ACB_WSTRUST ;
}
}
return pw_buf ;
}
DEBUG ( 5 , ( " getsmbfilepwent: end of file reached. \n " ) ) ;
return NULL ;
1998-03-12 00:11:04 +03:00
}
2000-02-26 01:25:25 +03:00
/************************************************************************
Create a new smbpasswd entry - malloced space returned .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
This commit is number 4 of 4.
In particular this commit focuses on:
Actually adding the 'const' to the passdb interface, and the flow-on changes.
Also kill off the 'disp_info' stuff, as its no longer used.
While these changes have been mildly tested, and are pretty small, any
assistance in this is appreciated.
----
These changes introduces a large dose of 'const' to the Samba tree.
There are a number of good reasons to do this:
- I want to allow the SAM_ACCOUNT structure to move from wasteful
pstrings and fstrings to allocated strings. We can't do that if
people are modifying these outputs, as they may well make
assumptions about getting pstrings and fstrings
- I want --with-pam_smbpass to compile with a slightly sane
volume of warnings, currently its pretty bad, even in 2.2
where is compiles at all.
- Tridge assures me that he no longer opposes 'const religion'
based on the ability to #define const the problem away.
- Changed Get_Pwnam(x,y) into two variants (so that the const
parameter can work correctly): - Get_Pwnam(const x) and
Get_Pwnam_Modify(x).
- Reworked smbd/chgpasswd.c to work with these mods, passing
around a 'struct passwd' rather than the modified username
---
This finishes this line of commits off, your tree should now compile again :-)
Andrew Bartlett
(This used to be commit c95f5aeb9327347674589ae313b75bee3bf8e317)
2001-10-29 10:35:11 +03:00
static char * format_new_smbpasswd_entry ( const struct smb_passwd * newpwd )
2000-02-26 01:25:25 +03:00
{
2004-09-13 12:52:24 +04:00
int new_entry_length ;
char * new_entry ;
char * p ;
2000-02-26 01:25:25 +03:00
2004-09-13 12:52:24 +04:00
new_entry_length = strlen ( newpwd - > smb_name ) + 1 + 15 + 1 + 32 + 1 + 32 + 1 +
NEW_PW_FORMAT_SPACE_PADDED_LEN + 1 + 13 + 2 ;
2000-02-26 01:25:25 +03:00
2004-12-07 21:25:53 +03:00
if ( ( new_entry = ( char * ) SMB_MALLOC ( new_entry_length ) ) = = NULL ) {
2004-09-13 12:52:24 +04:00
DEBUG ( 0 , ( " format_new_smbpasswd_entry: Malloc failed adding entry for user %s. \n " ,
newpwd - > smb_name ) ) ;
return NULL ;
}
2000-02-26 01:25:25 +03:00
2004-09-13 12:52:24 +04:00
slprintf ( new_entry , new_entry_length - 1 , " %s:%u: " , newpwd - > smb_name , ( unsigned ) newpwd - > smb_userid ) ;
2000-02-26 01:25:25 +03:00
2004-09-13 12:52:24 +04:00
p = new_entry + strlen ( new_entry ) ;
pdb_sethexpwd ( p , newpwd - > smb_passwd , newpwd - > acct_ctrl ) ;
p + = strlen ( p ) ;
* p = ' : ' ;
p + + ;
2000-02-26 01:25:25 +03:00
2004-09-13 12:52:24 +04:00
pdb_sethexpwd ( p , newpwd - > smb_nt_passwd , newpwd - > acct_ctrl ) ;
p + = strlen ( p ) ;
* p = ' : ' ;
p + + ;
2000-02-26 01:25:25 +03:00
2004-09-13 12:52:24 +04:00
/* Add the account encoding and the last change time. */
slprintf ( ( char * ) p , new_entry_length - 1 - ( p - new_entry ) , " %s:LCT-%08X: \n " ,
pdb_encode_acct_ctrl ( newpwd - > acct_ctrl , NEW_PW_FORMAT_SPACE_PADDED_LEN ) ,
2010-05-21 04:38:04 +04:00
( uint32_t ) newpwd - > pass_last_set_time ) ;
2000-02-26 01:25:25 +03:00
2004-09-13 12:52:24 +04:00
return new_entry ;
2000-02-26 01:25:25 +03:00
}
1998-05-18 15:54:00 +04:00
/************************************************************************
Routine to add an entry to the smbpasswd file .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1998-05-19 03:57:28 +04:00
2006-07-11 22:01:26 +04:00
static NTSTATUS add_smbfilepwd_entry ( struct smbpasswd_privates * smbpasswd_state ,
struct smb_passwd * newpwd )
1998-03-12 00:11:04 +03:00
{
2004-09-13 12:52:24 +04:00
const char * pfile = smbpasswd_state - > smbpasswd_file ;
struct smb_passwd * pwd = NULL ;
FILE * fp = NULL ;
int wr_len ;
int fd ;
size_t new_entry_length ;
char * new_entry ;
2012-04-05 08:53:08 +04:00
off_t offpos ;
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
2004-09-13 12:52:24 +04:00
/* Open the smbpassword file - for update. */
fp = startsmbfilepwent ( pfile , PWF_UPDATE , & smbpasswd_state - > pw_file_lock_depth ) ;
if ( fp = = NULL & & errno = = ENOENT ) {
/* Try again - create. */
fp = startsmbfilepwent ( pfile , PWF_CREATE , & smbpasswd_state - > pw_file_lock_depth ) ;
}
if ( fp = = NULL ) {
DEBUG ( 0 , ( " add_smbfilepwd_entry: unable to open file. \n " ) ) ;
2006-07-11 22:01:26 +04:00
return map_nt_error_from_unix ( errno ) ;
2004-09-13 12:52:24 +04:00
}
/*
* Scan the file , a line at a time and check if the name matches .
*/
while ( ( pwd = getsmbfilepwent ( smbpasswd_state , fp ) ) ! = NULL ) {
if ( strequal ( newpwd - > smb_name , pwd - > smb_name ) ) {
DEBUG ( 0 , ( " add_smbfilepwd_entry: entry with name %s already exists \n " , pwd - > smb_name ) ) ;
endsmbfilepwent ( fp , & smbpasswd_state - > pw_file_lock_depth ) ;
2006-07-11 22:01:26 +04:00
return NT_STATUS_USER_EXISTS ;
2004-09-13 12:52:24 +04:00
}
}
/* Ok - entry doesn't exist. We can add it */
/* Create a new smb passwd entry and set it to the given password. */
/*
* The add user write needs to be atomic - so get the fd from
* the fp and do a raw write ( ) call .
*/
fd = fileno ( fp ) ;
2012-03-28 05:37:04 +04:00
if ( ( offpos = lseek ( fd , 0 , SEEK_END ) ) = = - 1 ) {
2006-07-11 22:01:26 +04:00
NTSTATUS result = map_nt_error_from_unix ( errno ) ;
2012-03-28 05:37:04 +04:00
DEBUG ( 0 , ( " add_smbfilepwd_entry(lseek): Failed to add entry for user %s to file %s. \
1999-12-13 16:27:58 +03:00
Error was % s \ n " , newpwd->smb_name, pfile, strerror(errno)));
2004-09-13 12:52:24 +04:00
endsmbfilepwent ( fp , & smbpasswd_state - > pw_file_lock_depth ) ;
2006-07-11 22:01:26 +04:00
return result ;
2004-09-13 12:52:24 +04:00
}
1997-11-02 22:27:26 +03:00
2004-09-13 12:52:24 +04:00
if ( ( new_entry = format_new_smbpasswd_entry ( newpwd ) ) = = NULL ) {
DEBUG ( 0 , ( " add_smbfilepwd_entry(malloc): Failed to add entry for user %s to file %s. \
1999-12-13 16:27:58 +03:00
Error was % s \ n " , newpwd->smb_name, pfile, strerror(errno)));
2004-09-13 12:52:24 +04:00
endsmbfilepwent ( fp , & smbpasswd_state - > pw_file_lock_depth ) ;
2006-07-11 22:01:26 +04:00
return NT_STATUS_NO_MEMORY ;
2004-09-13 12:52:24 +04:00
}
1997-11-02 22:27:26 +03:00
2004-09-13 12:52:24 +04:00
new_entry_length = strlen ( new_entry ) ;
1997-11-02 22:27:26 +03:00
# ifdef DEBUG_PASSWORD
2004-09-13 12:52:24 +04:00
DEBUG ( 100 , ( " add_smbfilepwd_entry(%d): new_entry_len %d made line |%s| " ,
2005-09-30 21:13:37 +04:00
fd , ( int ) new_entry_length , new_entry ) ) ;
1997-11-02 22:27:26 +03:00
# endif
2004-09-13 12:52:24 +04:00
if ( ( wr_len = write ( fd , new_entry , new_entry_length ) ) ! = new_entry_length ) {
2006-07-11 22:01:26 +04:00
NTSTATUS result = map_nt_error_from_unix ( errno ) ;
2004-09-13 12:52:24 +04:00
DEBUG ( 0 , ( " add_smbfilepwd_entry(write): %d Failed to add entry for user %s to file %s. \
1999-12-13 16:27:58 +03:00
Error was % s \ n " , wr_len, newpwd->smb_name, pfile, strerror(errno)));
1997-11-02 22:27:26 +03:00
2004-09-13 12:52:24 +04:00
/* Remove the entry we just wrote. */
2012-03-28 05:35:09 +04:00
if ( ftruncate ( fd , offpos ) = = - 1 ) {
2004-09-13 12:52:24 +04:00
DEBUG ( 0 , ( " add_smbfilepwd_entry: ERROR failed to ftruncate file %s. \
1997-11-02 22:27:26 +03:00
Error was % s . Password file may be corrupt ! Please examine by hand ! \ n " ,
2004-09-13 12:52:24 +04:00
newpwd - > smb_name , strerror ( errno ) ) ) ;
}
1997-11-02 22:27:26 +03:00
2004-09-13 12:52:24 +04:00
endsmbfilepwent ( fp , & smbpasswd_state - > pw_file_lock_depth ) ;
free ( new_entry ) ;
2006-07-11 22:01:26 +04:00
return result ;
2004-09-13 12:52:24 +04:00
}
1997-11-02 22:27:26 +03:00
2004-09-13 12:52:24 +04:00
free ( new_entry ) ;
endsmbfilepwent ( fp , & smbpasswd_state - > pw_file_lock_depth ) ;
2006-07-11 22:01:26 +04:00
return NT_STATUS_OK ;
1997-11-02 22:27:26 +03:00
}
1998-03-12 00:11:04 +03:00
1998-05-18 15:54:00 +04:00
/************************************************************************
Routine to search the smbpasswd file for an entry matching the username .
and then modify its password entry . We can ' t use the startsmbpwent ( ) /
getsmbpwent ( ) / endsmbpwent ( ) interfaces here as we depend on looking
in the actual file to decide how much room we have to write data .
override = False , normal
override = True , override XXXXXXXX ' d out password or NO PASS
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1998-05-19 03:57:28 +04:00
2007-10-19 04:40:25 +04:00
static bool mod_smbfilepwd_entry ( struct smbpasswd_privates * smbpasswd_state , const struct smb_passwd * pwd )
following a cvs error, i am rewriting this monster-commit. with bad grace.
Modified Files:
---------------
Makefile:
adding extra files
ipc.c :
send_trans_reply() - alignment issue. this makes the alignment
the same as that in NT. this should be looked at by people who
understand the SMB stuff better than i.
api_fd_commands[] - added samr and wkssvc pipes.
loadparm.c :
lp_domain_controller() changed to mean "samba is a domain controller".
it's a "yes/no" parameter, now. no, it isn't used _anywhere_.
namedbwork.c nameelect.c :
if "domain controller = yes" then add SV_TYPE_DOMAIN_CTRL to the
host _and_ workgroup announcements. yes, you must do both: nt does.
namelogon.c :
important NETLOGON bug in SAMLOGON request parsing, which may be
the source of some people's problems with logging on to the Samba PDC.
password.c :
get_smbpwnam() renamed to get_smbpwd_entry().
pipes.c :
added samr and wkssvc pipes.
proto.h :
usual. can we actually _remove_ proto.h from the cvs tree, and
have it as one of the Makefile dependencies, or something?
reply.c :
get_smbpwnam() renamed to get_smbpwd_entry() - also changed response
error code when logging in from a WORKSTATION$ account. yes, paul
is right: we need to know when to return the right error code, and why.
server.c :
added call to reset_chain_pnum().
#ifdef NTDOMAIN added call to init_lsa_policy_hnd() #endif. jeremy,
you'd be proud: i did a compile without NTDOMAIN, and caught a link
error for this function.
smb.h :
defines and structures for samr and wkssvc pipes.
smbpass.c :
modified get_smbpwnam() to get_smbpwd_entry() and it now takes
two arguments. one for the name; if this is null, it looks up
by smb_userid instead.
oh, by the way, smb_userids are actually domain relative ids
(RIDs). concatenate a RID with the domain SID, and you have
an internet globally unique way of identifying a user.
we're using RIDs in the wrong way....
added mod_smbpwnam() function. this was based on code in smbpasswd.c
rpc_pipes/lsaparse.c :
added enum trusted domain parsing. this is incomplete: i need
a packet trace to write it properly.
rpc_pipes/pipe_hnd.c :
added reset_chain_pnum() function.
rpc_pipes/pipenetlog.c :
get_smbpwnam() function renamed to get_smbpwd_entry().
arcfour() issues.
removed capability of get_md4pw() function to automatically add
workstation accounts. this should either be done using
smbpasswd -add MACHINE$, or by using \PIPE\samr.
rpc_pipes/pipe_util.c :
create_pol_hnd() - creates a unique LSA Policy Handle. overkill
function: uses a 64 bit sequence number; current unix time and
the smbd pid.
rpc_pipes/smbparse.c :
arcfour() issues.
smb_io_unistr2() should advance by uni_str_len not uni_max_len.
smb_io_smb_hdr_rb() - request bind uses uint16 for the context
id, and uint8 for the num_syntaxes. oops, i put these both as
uint32s.
Added Files:
------------
rpc_pipes/lsa_hnd.c :
on the samr pipe, allocate and associate an LSA Policy Handle
with a SID. you receive queries with the LSA Policy Handle,
and have to turn this back into a SID in order to answer the
query...
rpc_pipes/pipesamr.c rpc_pipes/samrparse.c
\PIPE\samr processing. samr i presume is the SAM Replication pipe.
rpc_pipes/pipewkssvc.c rpc_pipes/wksparse.c
\PIPE\wkssvc processing. the Workstation Service pipe?
holy cow.
(This used to be commit 1bd084b3e690eb26a1006d616075e53d711ecd2f)
1997-11-07 02:03:58 +03:00
{
2004-09-13 12:52:24 +04:00
/* Static buffers we will return. */
2007-11-21 04:18:16 +03:00
fstring user_name ;
1998-03-12 00:11:04 +03:00
2005-09-30 21:13:37 +04:00
char * status ;
2013-02-19 12:23:53 +04:00
# define LINEBUF_SIZE 255
char linebuf [ LINEBUF_SIZE + 1 ] ;
2004-09-13 12:52:24 +04:00
char readbuf [ 1024 ] ;
2018-05-09 19:05:01 +03:00
char ascii_p16 [ FSTRING_LEN + 20 ] ;
2004-09-13 12:52:24 +04:00
fstring encode_bits ;
unsigned char * p = NULL ;
size_t linebuf_len = 0 ;
FILE * fp ;
int lockfd ;
const char * pfile = smbpasswd_state - > smbpasswd_file ;
2007-10-19 04:40:25 +04:00
bool found_entry = False ;
bool got_pass_last_set_time = False ;
2004-09-13 12:52:24 +04:00
2012-04-05 08:53:08 +04:00
off_t pwd_seekpos = 0 ;
2004-09-13 12:52:24 +04:00
int i ;
int wr_len ;
int fd ;
if ( ! * pfile ) {
DEBUG ( 0 , ( " No SMB password file set \n " ) ) ;
return False ;
}
DEBUG ( 10 , ( " mod_smbfilepwd_entry: opening file %s \n " , pfile ) ) ;
2012-03-28 05:51:17 +04:00
fp = fopen ( pfile , " r+ " ) ;
2004-09-13 12:52:24 +04:00
if ( fp = = NULL ) {
DEBUG ( 0 , ( " mod_smbfilepwd_entry: unable to open file %s \n " , pfile ) ) ;
return False ;
}
/* Set a buffer to do more efficient reads */
setvbuf ( fp , readbuf , _IOFBF , sizeof ( readbuf ) ) ;
lockfd = fileno ( fp ) ;
if ( ! pw_file_lock ( lockfd , F_WRLCK , 5 , & smbpasswd_state - > pw_file_lock_depth ) ) {
DEBUG ( 0 , ( " mod_smbfilepwd_entry: unable to lock file %s \n " , pfile ) ) ;
fclose ( fp ) ;
return False ;
}
/* Make sure it is only rw by the owner */
chmod ( pfile , 0600 ) ;
/* We have a write lock on the file. */
/*
* Scan the file , a line at a time and check if the name matches .
*/
2005-09-30 21:13:37 +04:00
status = linebuf ;
while ( status & & ! feof ( fp ) ) {
2012-03-28 05:38:31 +04:00
pwd_seekpos = ftell ( fp ) ;
2004-09-13 12:52:24 +04:00
linebuf [ 0 ] = ' \0 ' ;
2013-02-19 12:23:53 +04:00
status = fgets ( linebuf , LINEBUF_SIZE , fp ) ;
2005-09-30 21:13:37 +04:00
if ( status = = NULL & & ferror ( fp ) ) {
2004-09-13 12:52:24 +04:00
pw_file_unlock ( lockfd , & smbpasswd_state - > pw_file_lock_depth ) ;
fclose ( fp ) ;
return False ;
}
/*
* Check if the string is terminated with a newline - if not
* then we must keep reading and discard until we get one .
*/
linebuf_len = strlen ( linebuf ) ;
if ( linebuf [ linebuf_len - 1 ] ! = ' \n ' ) {
while ( ! ferror ( fp ) & & ! feof ( fp ) ) {
2019-09-05 17:42:41 +03:00
int c ;
2004-09-13 12:52:24 +04:00
c = fgetc ( fp ) ;
if ( c = = ' \n ' ) {
break ;
}
}
} else {
linebuf [ linebuf_len - 1 ] = ' \0 ' ;
}
following a cvs error, i am rewriting this monster-commit. with bad grace.
Modified Files:
---------------
Makefile:
adding extra files
ipc.c :
send_trans_reply() - alignment issue. this makes the alignment
the same as that in NT. this should be looked at by people who
understand the SMB stuff better than i.
api_fd_commands[] - added samr and wkssvc pipes.
loadparm.c :
lp_domain_controller() changed to mean "samba is a domain controller".
it's a "yes/no" parameter, now. no, it isn't used _anywhere_.
namedbwork.c nameelect.c :
if "domain controller = yes" then add SV_TYPE_DOMAIN_CTRL to the
host _and_ workgroup announcements. yes, you must do both: nt does.
namelogon.c :
important NETLOGON bug in SAMLOGON request parsing, which may be
the source of some people's problems with logging on to the Samba PDC.
password.c :
get_smbpwnam() renamed to get_smbpwd_entry().
pipes.c :
added samr and wkssvc pipes.
proto.h :
usual. can we actually _remove_ proto.h from the cvs tree, and
have it as one of the Makefile dependencies, or something?
reply.c :
get_smbpwnam() renamed to get_smbpwd_entry() - also changed response
error code when logging in from a WORKSTATION$ account. yes, paul
is right: we need to know when to return the right error code, and why.
server.c :
added call to reset_chain_pnum().
#ifdef NTDOMAIN added call to init_lsa_policy_hnd() #endif. jeremy,
you'd be proud: i did a compile without NTDOMAIN, and caught a link
error for this function.
smb.h :
defines and structures for samr and wkssvc pipes.
smbpass.c :
modified get_smbpwnam() to get_smbpwd_entry() and it now takes
two arguments. one for the name; if this is null, it looks up
by smb_userid instead.
oh, by the way, smb_userids are actually domain relative ids
(RIDs). concatenate a RID with the domain SID, and you have
an internet globally unique way of identifying a user.
we're using RIDs in the wrong way....
added mod_smbpwnam() function. this was based on code in smbpasswd.c
rpc_pipes/lsaparse.c :
added enum trusted domain parsing. this is incomplete: i need
a packet trace to write it properly.
rpc_pipes/pipe_hnd.c :
added reset_chain_pnum() function.
rpc_pipes/pipenetlog.c :
get_smbpwnam() function renamed to get_smbpwd_entry().
arcfour() issues.
removed capability of get_md4pw() function to automatically add
workstation accounts. this should either be done using
smbpasswd -add MACHINE$, or by using \PIPE\samr.
rpc_pipes/pipe_util.c :
create_pol_hnd() - creates a unique LSA Policy Handle. overkill
function: uses a 64 bit sequence number; current unix time and
the smbd pid.
rpc_pipes/smbparse.c :
arcfour() issues.
smb_io_unistr2() should advance by uni_str_len not uni_max_len.
smb_io_smb_hdr_rb() - request bind uses uint16 for the context
id, and uint8 for the num_syntaxes. oops, i put these both as
uint32s.
Added Files:
------------
rpc_pipes/lsa_hnd.c :
on the samr pipe, allocate and associate an LSA Policy Handle
with a SID. you receive queries with the LSA Policy Handle,
and have to turn this back into a SID in order to answer the
query...
rpc_pipes/pipesamr.c rpc_pipes/samrparse.c
\PIPE\samr processing. samr i presume is the SAM Replication pipe.
rpc_pipes/pipewkssvc.c rpc_pipes/wksparse.c
\PIPE\wkssvc processing. the Workstation Service pipe?
holy cow.
(This used to be commit 1bd084b3e690eb26a1006d616075e53d711ecd2f)
1997-11-07 02:03:58 +03:00
# ifdef DEBUG_PASSWORD
2004-09-13 12:52:24 +04:00
DEBUG ( 100 , ( " mod_smbfilepwd_entry: got line |%s| \n " , linebuf ) ) ;
following a cvs error, i am rewriting this monster-commit. with bad grace.
Modified Files:
---------------
Makefile:
adding extra files
ipc.c :
send_trans_reply() - alignment issue. this makes the alignment
the same as that in NT. this should be looked at by people who
understand the SMB stuff better than i.
api_fd_commands[] - added samr and wkssvc pipes.
loadparm.c :
lp_domain_controller() changed to mean "samba is a domain controller".
it's a "yes/no" parameter, now. no, it isn't used _anywhere_.
namedbwork.c nameelect.c :
if "domain controller = yes" then add SV_TYPE_DOMAIN_CTRL to the
host _and_ workgroup announcements. yes, you must do both: nt does.
namelogon.c :
important NETLOGON bug in SAMLOGON request parsing, which may be
the source of some people's problems with logging on to the Samba PDC.
password.c :
get_smbpwnam() renamed to get_smbpwd_entry().
pipes.c :
added samr and wkssvc pipes.
proto.h :
usual. can we actually _remove_ proto.h from the cvs tree, and
have it as one of the Makefile dependencies, or something?
reply.c :
get_smbpwnam() renamed to get_smbpwd_entry() - also changed response
error code when logging in from a WORKSTATION$ account. yes, paul
is right: we need to know when to return the right error code, and why.
server.c :
added call to reset_chain_pnum().
#ifdef NTDOMAIN added call to init_lsa_policy_hnd() #endif. jeremy,
you'd be proud: i did a compile without NTDOMAIN, and caught a link
error for this function.
smb.h :
defines and structures for samr and wkssvc pipes.
smbpass.c :
modified get_smbpwnam() to get_smbpwd_entry() and it now takes
two arguments. one for the name; if this is null, it looks up
by smb_userid instead.
oh, by the way, smb_userids are actually domain relative ids
(RIDs). concatenate a RID with the domain SID, and you have
an internet globally unique way of identifying a user.
we're using RIDs in the wrong way....
added mod_smbpwnam() function. this was based on code in smbpasswd.c
rpc_pipes/lsaparse.c :
added enum trusted domain parsing. this is incomplete: i need
a packet trace to write it properly.
rpc_pipes/pipe_hnd.c :
added reset_chain_pnum() function.
rpc_pipes/pipenetlog.c :
get_smbpwnam() function renamed to get_smbpwd_entry().
arcfour() issues.
removed capability of get_md4pw() function to automatically add
workstation accounts. this should either be done using
smbpasswd -add MACHINE$, or by using \PIPE\samr.
rpc_pipes/pipe_util.c :
create_pol_hnd() - creates a unique LSA Policy Handle. overkill
function: uses a 64 bit sequence number; current unix time and
the smbd pid.
rpc_pipes/smbparse.c :
arcfour() issues.
smb_io_unistr2() should advance by uni_str_len not uni_max_len.
smb_io_smb_hdr_rb() - request bind uses uint16 for the context
id, and uint8 for the num_syntaxes. oops, i put these both as
uint32s.
Added Files:
------------
rpc_pipes/lsa_hnd.c :
on the samr pipe, allocate and associate an LSA Policy Handle
with a SID. you receive queries with the LSA Policy Handle,
and have to turn this back into a SID in order to answer the
query...
rpc_pipes/pipesamr.c rpc_pipes/samrparse.c
\PIPE\samr processing. samr i presume is the SAM Replication pipe.
rpc_pipes/pipewkssvc.c rpc_pipes/wksparse.c
\PIPE\wkssvc processing. the Workstation Service pipe?
holy cow.
(This used to be commit 1bd084b3e690eb26a1006d616075e53d711ecd2f)
1997-11-07 02:03:58 +03:00
# endif
2004-09-13 12:52:24 +04:00
if ( ( linebuf [ 0 ] = = 0 ) & & feof ( fp ) ) {
DEBUG ( 4 , ( " mod_smbfilepwd_entry: end of file reached \n " ) ) ;
break ;
}
/*
* The line we have should be of the form : -
*
* username : uid : [ 32 hex bytes ] : . . . . other flags presently
* ignored . . . .
*
* or ,
*
* username : uid : [ 32 hex bytes ] : [ 32 hex bytes ] : [ attributes ] : LCT - XXXXXXXX : . . . ignored .
*
* if Windows NT compatible passwords are also present .
*/
if ( linebuf [ 0 ] = = ' # ' | | linebuf [ 0 ] = = ' \0 ' ) {
DEBUG ( 6 , ( " mod_smbfilepwd_entry: skipping comment or blank line \n " ) ) ;
continue ;
}
p = ( unsigned char * ) strchr_m ( linebuf , ' : ' ) ;
if ( p = = NULL ) {
DEBUG ( 0 , ( " mod_smbfilepwd_entry: malformed password entry (no :) \n " ) ) ;
continue ;
}
strncpy ( user_name , linebuf , PTR_DIFF ( p , linebuf ) ) ;
user_name [ PTR_DIFF ( p , linebuf ) ] = ' \0 ' ;
if ( strequal ( user_name , pwd - > smb_name ) ) {
found_entry = True ;
break ;
}
}
if ( ! found_entry ) {
pw_file_unlock ( lockfd , & smbpasswd_state - > pw_file_lock_depth ) ;
fclose ( fp ) ;
DEBUG ( 2 , ( " Cannot update entry for user %s, as they don't exist in the smbpasswd file! \n " ,
pwd - > smb_name ) ) ;
return False ;
}
DEBUG ( 6 , ( " mod_smbfilepwd_entry: entry exists for user %s \n " , pwd - > smb_name ) ) ;
/* User name matches - get uid and password */
p + + ; /* Go past ':' */
if ( ! isdigit ( * p ) ) {
DEBUG ( 0 , ( " mod_smbfilepwd_entry: malformed password entry for user %s (uid not number) \n " ,
pwd - > smb_name ) ) ;
pw_file_unlock ( lockfd , & smbpasswd_state - > pw_file_lock_depth ) ;
fclose ( fp ) ;
return False ;
}
while ( * p & & isdigit ( * p ) ) {
p + + ;
}
if ( * p ! = ' : ' ) {
DEBUG ( 0 , ( " mod_smbfilepwd_entry: malformed password entry for user %s (no : after uid) \n " ,
pwd - > smb_name ) ) ;
pw_file_unlock ( lockfd , & smbpasswd_state - > pw_file_lock_depth ) ;
fclose ( fp ) ;
return False ;
}
/*
* Now get the password value - this should be 32 hex digits
* which are the ascii representations of a 16 byte string .
* Get two at a time and put them into the password .
*/
p + + ;
/* Record exact password position */
pwd_seekpos + = PTR_DIFF ( p , linebuf ) ;
if ( linebuf_len < ( PTR_DIFF ( p , linebuf ) + 33 ) ) {
DEBUG ( 0 , ( " mod_smbfilepwd_entry: malformed password entry for user %s (passwd too short) \n " ,
pwd - > smb_name ) ) ;
pw_file_unlock ( lockfd , & smbpasswd_state - > pw_file_lock_depth ) ;
fclose ( fp ) ;
return ( False ) ;
}
if ( p [ 32 ] ! = ' : ' ) {
DEBUG ( 0 , ( " mod_smbfilepwd_entry: malformed password entry for user %s (no terminating :) \n " ,
pwd - > smb_name ) ) ;
pw_file_unlock ( lockfd , & smbpasswd_state - > pw_file_lock_depth ) ;
fclose ( fp ) ;
return False ;
}
/* Now check if the NT compatible password is available. */
p + = 33 ; /* Move to the first character of the line after the lanman password. */
if ( linebuf_len < ( PTR_DIFF ( p , linebuf ) + 33 ) ) {
DEBUG ( 0 , ( " mod_smbfilepwd_entry: malformed password entry for user %s (passwd too short) \n " ,
pwd - > smb_name ) ) ;
pw_file_unlock ( lockfd , & smbpasswd_state - > pw_file_lock_depth ) ;
fclose ( fp ) ;
return ( False ) ;
}
if ( p [ 32 ] ! = ' : ' ) {
DEBUG ( 0 , ( " mod_smbfilepwd_entry: malformed password entry for user %s (no terminating :) \n " ,
pwd - > smb_name ) ) ;
pw_file_unlock ( lockfd , & smbpasswd_state - > pw_file_lock_depth ) ;
fclose ( fp ) ;
return False ;
}
/*
* Now check if the account info and the password last
* change time is available .
*/
p + = 33 ; /* Move to the first character of the line after the NT password. */
if ( * p = = ' [ ' ) {
i = 0 ;
encode_bits [ i + + ] = * p + + ;
while ( ( linebuf_len > PTR_DIFF ( p , linebuf ) ) & & ( * p ! = ' ] ' ) ) {
encode_bits [ i + + ] = * p + + ;
}
encode_bits [ i + + ] = ' ] ' ;
encode_bits [ i + + ] = ' \0 ' ;
if ( i = = NEW_PW_FORMAT_SPACE_PADDED_LEN ) {
/*
* We are using a new format , space padded
* acct ctrl field . Encode the given acct ctrl
* bits into it .
*/
fstrcpy ( encode_bits , pdb_encode_acct_ctrl ( pwd - > acct_ctrl , NEW_PW_FORMAT_SPACE_PADDED_LEN ) ) ;
} else {
DEBUG ( 0 , ( " mod_smbfilepwd_entry: Using old smbpasswd format for user %s. \
This is no longer supported . ! \ n " , pwd->smb_name));
DEBUG ( 0 , ( " mod_smbfilepwd_entry: No changes made, failing.! \n " ) ) ;
pw_file_unlock ( lockfd , & smbpasswd_state - > pw_file_lock_depth ) ;
fclose ( fp ) ;
return False ;
}
/* Go past the ']' */
if ( linebuf_len > PTR_DIFF ( p , linebuf ) ) {
p + + ;
}
if ( ( linebuf_len > PTR_DIFF ( p , linebuf ) ) & & ( * p = = ' : ' ) ) {
p + + ;
/* We should be pointing at the LCT entry. */
2011-05-13 22:23:36 +04:00
if ( ( linebuf_len > ( PTR_DIFF ( p , linebuf ) + 13 ) ) & & ( strncasecmp_m ( ( char * ) p , " LCT- " , 4 ) = = 0 ) ) {
2004-09-13 12:52:24 +04:00
p + = 4 ;
for ( i = 0 ; i < 8 ; i + + ) {
if ( p [ i ] = = ' \0 ' | | ! isxdigit ( p [ i ] ) ) {
break ;
}
}
if ( i = = 8 ) {
/*
* p points at 8 characters of hex digits -
* read into a time_t as the seconds since
* 1970 that the password was last changed .
*/
got_pass_last_set_time = True ;
} /* i == 8 */
2011-05-13 22:23:36 +04:00
} /* *p && strncasecmp_m() */
2004-09-13 12:52:24 +04:00
} /* p == ':' */
} /* p == '[' */
/* Entry is correctly formed. */
/* Create the 32 byte representation of the new p16 */
pdb_sethexpwd ( ascii_p16 , pwd - > smb_passwd , pwd - > acct_ctrl ) ;
/* Add on the NT md4 hash */
ascii_p16 [ 32 ] = ' : ' ;
wr_len = 66 ;
pdb_sethexpwd ( ascii_p16 + 33 , pwd - > smb_nt_passwd , pwd - > acct_ctrl ) ;
ascii_p16 [ 65 ] = ' : ' ;
ascii_p16 [ 66 ] = ' \0 ' ; /* null-terminate the string so that strlen works */
/* Add on the account info bits and the time of last password change. */
if ( got_pass_last_set_time ) {
slprintf ( & ascii_p16 [ strlen ( ascii_p16 ) ] ,
sizeof ( ascii_p16 ) - ( strlen ( ascii_p16 ) + 1 ) ,
" %s:LCT-%08X: " ,
2010-05-21 04:38:04 +04:00
encode_bits , ( uint32_t ) pwd - > pass_last_set_time ) ;
2004-09-13 12:52:24 +04:00
wr_len = strlen ( ascii_p16 ) ;
}
1998-04-16 00:00:41 +04:00
following a cvs error, i am rewriting this monster-commit. with bad grace.
Modified Files:
---------------
Makefile:
adding extra files
ipc.c :
send_trans_reply() - alignment issue. this makes the alignment
the same as that in NT. this should be looked at by people who
understand the SMB stuff better than i.
api_fd_commands[] - added samr and wkssvc pipes.
loadparm.c :
lp_domain_controller() changed to mean "samba is a domain controller".
it's a "yes/no" parameter, now. no, it isn't used _anywhere_.
namedbwork.c nameelect.c :
if "domain controller = yes" then add SV_TYPE_DOMAIN_CTRL to the
host _and_ workgroup announcements. yes, you must do both: nt does.
namelogon.c :
important NETLOGON bug in SAMLOGON request parsing, which may be
the source of some people's problems with logging on to the Samba PDC.
password.c :
get_smbpwnam() renamed to get_smbpwd_entry().
pipes.c :
added samr and wkssvc pipes.
proto.h :
usual. can we actually _remove_ proto.h from the cvs tree, and
have it as one of the Makefile dependencies, or something?
reply.c :
get_smbpwnam() renamed to get_smbpwd_entry() - also changed response
error code when logging in from a WORKSTATION$ account. yes, paul
is right: we need to know when to return the right error code, and why.
server.c :
added call to reset_chain_pnum().
#ifdef NTDOMAIN added call to init_lsa_policy_hnd() #endif. jeremy,
you'd be proud: i did a compile without NTDOMAIN, and caught a link
error for this function.
smb.h :
defines and structures for samr and wkssvc pipes.
smbpass.c :
modified get_smbpwnam() to get_smbpwd_entry() and it now takes
two arguments. one for the name; if this is null, it looks up
by smb_userid instead.
oh, by the way, smb_userids are actually domain relative ids
(RIDs). concatenate a RID with the domain SID, and you have
an internet globally unique way of identifying a user.
we're using RIDs in the wrong way....
added mod_smbpwnam() function. this was based on code in smbpasswd.c
rpc_pipes/lsaparse.c :
added enum trusted domain parsing. this is incomplete: i need
a packet trace to write it properly.
rpc_pipes/pipe_hnd.c :
added reset_chain_pnum() function.
rpc_pipes/pipenetlog.c :
get_smbpwnam() function renamed to get_smbpwd_entry().
arcfour() issues.
removed capability of get_md4pw() function to automatically add
workstation accounts. this should either be done using
smbpasswd -add MACHINE$, or by using \PIPE\samr.
rpc_pipes/pipe_util.c :
create_pol_hnd() - creates a unique LSA Policy Handle. overkill
function: uses a 64 bit sequence number; current unix time and
the smbd pid.
rpc_pipes/smbparse.c :
arcfour() issues.
smb_io_unistr2() should advance by uni_str_len not uni_max_len.
smb_io_smb_hdr_rb() - request bind uses uint16 for the context
id, and uint8 for the num_syntaxes. oops, i put these both as
uint32s.
Added Files:
------------
rpc_pipes/lsa_hnd.c :
on the samr pipe, allocate and associate an LSA Policy Handle
with a SID. you receive queries with the LSA Policy Handle,
and have to turn this back into a SID in order to answer the
query...
rpc_pipes/pipesamr.c rpc_pipes/samrparse.c
\PIPE\samr processing. samr i presume is the SAM Replication pipe.
rpc_pipes/pipewkssvc.c rpc_pipes/wksparse.c
\PIPE\wkssvc processing. the Workstation Service pipe?
holy cow.
(This used to be commit 1bd084b3e690eb26a1006d616075e53d711ecd2f)
1997-11-07 02:03:58 +03:00
# ifdef DEBUG_PASSWORD
2004-09-13 12:52:24 +04:00
DEBUG ( 100 , ( " mod_smbfilepwd_entry: " ) ) ;
2015-05-09 23:34:31 +03:00
dump_data ( 100 , ( uint8_t * ) ascii_p16 , wr_len ) ;
following a cvs error, i am rewriting this monster-commit. with bad grace.
Modified Files:
---------------
Makefile:
adding extra files
ipc.c :
send_trans_reply() - alignment issue. this makes the alignment
the same as that in NT. this should be looked at by people who
understand the SMB stuff better than i.
api_fd_commands[] - added samr and wkssvc pipes.
loadparm.c :
lp_domain_controller() changed to mean "samba is a domain controller".
it's a "yes/no" parameter, now. no, it isn't used _anywhere_.
namedbwork.c nameelect.c :
if "domain controller = yes" then add SV_TYPE_DOMAIN_CTRL to the
host _and_ workgroup announcements. yes, you must do both: nt does.
namelogon.c :
important NETLOGON bug in SAMLOGON request parsing, which may be
the source of some people's problems with logging on to the Samba PDC.
password.c :
get_smbpwnam() renamed to get_smbpwd_entry().
pipes.c :
added samr and wkssvc pipes.
proto.h :
usual. can we actually _remove_ proto.h from the cvs tree, and
have it as one of the Makefile dependencies, or something?
reply.c :
get_smbpwnam() renamed to get_smbpwd_entry() - also changed response
error code when logging in from a WORKSTATION$ account. yes, paul
is right: we need to know when to return the right error code, and why.
server.c :
added call to reset_chain_pnum().
#ifdef NTDOMAIN added call to init_lsa_policy_hnd() #endif. jeremy,
you'd be proud: i did a compile without NTDOMAIN, and caught a link
error for this function.
smb.h :
defines and structures for samr and wkssvc pipes.
smbpass.c :
modified get_smbpwnam() to get_smbpwd_entry() and it now takes
two arguments. one for the name; if this is null, it looks up
by smb_userid instead.
oh, by the way, smb_userids are actually domain relative ids
(RIDs). concatenate a RID with the domain SID, and you have
an internet globally unique way of identifying a user.
we're using RIDs in the wrong way....
added mod_smbpwnam() function. this was based on code in smbpasswd.c
rpc_pipes/lsaparse.c :
added enum trusted domain parsing. this is incomplete: i need
a packet trace to write it properly.
rpc_pipes/pipe_hnd.c :
added reset_chain_pnum() function.
rpc_pipes/pipenetlog.c :
get_smbpwnam() function renamed to get_smbpwd_entry().
arcfour() issues.
removed capability of get_md4pw() function to automatically add
workstation accounts. this should either be done using
smbpasswd -add MACHINE$, or by using \PIPE\samr.
rpc_pipes/pipe_util.c :
create_pol_hnd() - creates a unique LSA Policy Handle. overkill
function: uses a 64 bit sequence number; current unix time and
the smbd pid.
rpc_pipes/smbparse.c :
arcfour() issues.
smb_io_unistr2() should advance by uni_str_len not uni_max_len.
smb_io_smb_hdr_rb() - request bind uses uint16 for the context
id, and uint8 for the num_syntaxes. oops, i put these both as
uint32s.
Added Files:
------------
rpc_pipes/lsa_hnd.c :
on the samr pipe, allocate and associate an LSA Policy Handle
with a SID. you receive queries with the LSA Policy Handle,
and have to turn this back into a SID in order to answer the
query...
rpc_pipes/pipesamr.c rpc_pipes/samrparse.c
\PIPE\samr processing. samr i presume is the SAM Replication pipe.
rpc_pipes/pipewkssvc.c rpc_pipes/wksparse.c
\PIPE\wkssvc processing. the Workstation Service pipe?
holy cow.
(This used to be commit 1bd084b3e690eb26a1006d616075e53d711ecd2f)
1997-11-07 02:03:58 +03:00
# endif
2013-02-19 12:23:53 +04:00
if ( wr_len > LINEBUF_SIZE ) {
2004-09-13 12:52:24 +04:00
DEBUG ( 0 , ( " mod_smbfilepwd_entry: line to write (%d) is too long. \n " , wr_len + 1 ) ) ;
pw_file_unlock ( lockfd , & smbpasswd_state - > pw_file_lock_depth ) ;
fclose ( fp ) ;
return ( False ) ;
}
/*
* Do an atomic write into the file at the position defined by
* seekpos .
*/
/* The mod user write needs to be atomic - so get the fd from
the fp and do a raw write ( ) call .
*/
fd = fileno ( fp ) ;
2012-03-28 05:37:04 +04:00
if ( lseek ( fd , pwd_seekpos - 1 , SEEK_SET ) ! = pwd_seekpos - 1 ) {
2004-09-13 12:52:24 +04:00
DEBUG ( 0 , ( " mod_smbfilepwd_entry: seek fail on file %s. \n " , pfile ) ) ;
pw_file_unlock ( lockfd , & smbpasswd_state - > pw_file_lock_depth ) ;
fclose ( fp ) ;
return False ;
}
/* Sanity check - ensure the areas we are writing are framed by ':' */
if ( read ( fd , linebuf , wr_len + 1 ) ! = wr_len + 1 ) {
DEBUG ( 0 , ( " mod_smbfilepwd_entry: read fail on file %s. \n " , pfile ) ) ;
pw_file_unlock ( lockfd , & smbpasswd_state - > pw_file_lock_depth ) ;
fclose ( fp ) ;
return False ;
}
if ( ( linebuf [ 0 ] ! = ' : ' ) | | ( linebuf [ wr_len ] ! = ' : ' ) ) {
DEBUG ( 0 , ( " mod_smbfilepwd_entry: check on passwd file %s failed. \n " , pfile ) ) ;
pw_file_unlock ( lockfd , & smbpasswd_state - > pw_file_lock_depth ) ;
fclose ( fp ) ;
return False ;
}
1998-09-25 02:33:13 +04:00
2012-03-28 05:37:04 +04:00
if ( lseek ( fd , pwd_seekpos , SEEK_SET ) ! = pwd_seekpos ) {
2004-09-13 12:52:24 +04:00
DEBUG ( 0 , ( " mod_smbfilepwd_entry: seek fail on file %s. \n " , pfile ) ) ;
pw_file_unlock ( lockfd , & smbpasswd_state - > pw_file_lock_depth ) ;
fclose ( fp ) ;
return False ;
}
if ( write ( fd , ascii_p16 , wr_len ) ! = wr_len ) {
DEBUG ( 0 , ( " mod_smbfilepwd_entry: write failed in passwd file %s \n " , pfile ) ) ;
pw_file_unlock ( lockfd , & smbpasswd_state - > pw_file_lock_depth ) ;
fclose ( fp ) ;
return False ;
}
pw_file_unlock ( lockfd , & smbpasswd_state - > pw_file_lock_depth ) ;
fclose ( fp ) ;
return True ;
following a cvs error, i am rewriting this monster-commit. with bad grace.
Modified Files:
---------------
Makefile:
adding extra files
ipc.c :
send_trans_reply() - alignment issue. this makes the alignment
the same as that in NT. this should be looked at by people who
understand the SMB stuff better than i.
api_fd_commands[] - added samr and wkssvc pipes.
loadparm.c :
lp_domain_controller() changed to mean "samba is a domain controller".
it's a "yes/no" parameter, now. no, it isn't used _anywhere_.
namedbwork.c nameelect.c :
if "domain controller = yes" then add SV_TYPE_DOMAIN_CTRL to the
host _and_ workgroup announcements. yes, you must do both: nt does.
namelogon.c :
important NETLOGON bug in SAMLOGON request parsing, which may be
the source of some people's problems with logging on to the Samba PDC.
password.c :
get_smbpwnam() renamed to get_smbpwd_entry().
pipes.c :
added samr and wkssvc pipes.
proto.h :
usual. can we actually _remove_ proto.h from the cvs tree, and
have it as one of the Makefile dependencies, or something?
reply.c :
get_smbpwnam() renamed to get_smbpwd_entry() - also changed response
error code when logging in from a WORKSTATION$ account. yes, paul
is right: we need to know when to return the right error code, and why.
server.c :
added call to reset_chain_pnum().
#ifdef NTDOMAIN added call to init_lsa_policy_hnd() #endif. jeremy,
you'd be proud: i did a compile without NTDOMAIN, and caught a link
error for this function.
smb.h :
defines and structures for samr and wkssvc pipes.
smbpass.c :
modified get_smbpwnam() to get_smbpwd_entry() and it now takes
two arguments. one for the name; if this is null, it looks up
by smb_userid instead.
oh, by the way, smb_userids are actually domain relative ids
(RIDs). concatenate a RID with the domain SID, and you have
an internet globally unique way of identifying a user.
we're using RIDs in the wrong way....
added mod_smbpwnam() function. this was based on code in smbpasswd.c
rpc_pipes/lsaparse.c :
added enum trusted domain parsing. this is incomplete: i need
a packet trace to write it properly.
rpc_pipes/pipe_hnd.c :
added reset_chain_pnum() function.
rpc_pipes/pipenetlog.c :
get_smbpwnam() function renamed to get_smbpwd_entry().
arcfour() issues.
removed capability of get_md4pw() function to automatically add
workstation accounts. this should either be done using
smbpasswd -add MACHINE$, or by using \PIPE\samr.
rpc_pipes/pipe_util.c :
create_pol_hnd() - creates a unique LSA Policy Handle. overkill
function: uses a 64 bit sequence number; current unix time and
the smbd pid.
rpc_pipes/smbparse.c :
arcfour() issues.
smb_io_unistr2() should advance by uni_str_len not uni_max_len.
smb_io_smb_hdr_rb() - request bind uses uint16 for the context
id, and uint8 for the num_syntaxes. oops, i put these both as
uint32s.
Added Files:
------------
rpc_pipes/lsa_hnd.c :
on the samr pipe, allocate and associate an LSA Policy Handle
with a SID. you receive queries with the LSA Policy Handle,
and have to turn this back into a SID in order to answer the
query...
rpc_pipes/pipesamr.c rpc_pipes/samrparse.c
\PIPE\samr processing. samr i presume is the SAM Replication pipe.
rpc_pipes/pipewkssvc.c rpc_pipes/wksparse.c
\PIPE\wkssvc processing. the Workstation Service pipe?
holy cow.
(This used to be commit 1bd084b3e690eb26a1006d616075e53d711ecd2f)
1997-11-07 02:03:58 +03:00
}
1998-05-19 03:57:28 +04:00
2000-02-26 01:25:25 +03:00
/************************************************************************
Routine to delete an entry in the smbpasswd file by name .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-10-19 04:40:25 +04:00
static bool del_smbfilepwd_entry ( struct smbpasswd_privates * smbpasswd_state , const char * name )
2000-02-26 01:25:25 +03:00
{
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
const char * pfile = smbpasswd_state - > smbpasswd_file ;
2007-11-21 04:18:16 +03:00
char * pfile2 = NULL ;
2004-09-13 12:52:24 +04:00
struct smb_passwd * pwd = NULL ;
FILE * fp = NULL ;
FILE * fp_write = NULL ;
int pfile2_lockdepth = 0 ;
2007-11-21 04:18:16 +03:00
pfile2 = talloc_asprintf ( talloc_tos ( ) ,
" %s.%u " ,
2012-03-24 23:17:08 +04:00
pfile , ( unsigned ) getpid ( ) ) ;
2007-11-21 04:18:16 +03:00
if ( ! pfile2 ) {
return false ;
}
2004-09-13 12:52:24 +04:00
/*
* Open the smbpassword file - for update . It needs to be update
* as we need any other processes to wait until we have replaced
* it .
*/
if ( ( fp = startsmbfilepwent ( pfile , PWF_UPDATE , & smbpasswd_state - > pw_file_lock_depth ) ) = = NULL ) {
DEBUG ( 0 , ( " del_smbfilepwd_entry: unable to open file %s. \n " , pfile ) ) ;
return False ;
}
/*
* Create the replacement password file .
*/
if ( ( fp_write = startsmbfilepwent ( pfile2 , PWF_CREATE , & pfile2_lockdepth ) ) = = NULL ) {
DEBUG ( 0 , ( " del_smbfilepwd_entry: unable to open file %s. \n " , pfile ) ) ;
endsmbfilepwent ( fp , & smbpasswd_state - > pw_file_lock_depth ) ;
return False ;
}
/*
* Scan the file , a line at a time and check if the name matches .
*/
while ( ( pwd = getsmbfilepwent ( smbpasswd_state , fp ) ) ! = NULL ) {
char * new_entry ;
size_t new_entry_length ;
if ( strequal ( name , pwd - > smb_name ) ) {
2007-01-24 14:26:22 +03:00
DEBUG ( 10 , ( " del_smbfilepwd_entry: found entry with "
" name %s - deleting it. \n " , name ) ) ;
2004-09-13 12:52:24 +04:00
continue ;
}
/*
* We need to copy the entry out into the second file .
*/
if ( ( new_entry = format_new_smbpasswd_entry ( pwd ) ) = = NULL ) {
DEBUG ( 0 , ( " del_smbfilepwd_entry(malloc): Failed to copy entry for user %s to file %s. \
2000-02-26 01:25:25 +03:00
Error was % s \ n " , pwd->smb_name, pfile2, strerror(errno)));
2004-09-13 12:52:24 +04:00
unlink ( pfile2 ) ;
endsmbfilepwent ( fp , & smbpasswd_state - > pw_file_lock_depth ) ;
endsmbfilepwent ( fp_write , & pfile2_lockdepth ) ;
return False ;
}
2000-02-26 01:25:25 +03:00
2004-09-13 12:52:24 +04:00
new_entry_length = strlen ( new_entry ) ;
2000-02-26 01:25:25 +03:00
2004-09-13 12:52:24 +04:00
if ( fwrite ( new_entry , 1 , new_entry_length , fp_write ) ! = new_entry_length ) {
DEBUG ( 0 , ( " del_smbfilepwd_entry(write): Failed to copy entry for user %s to file %s. \
2000-02-26 01:25:25 +03:00
Error was % s \ n " , pwd->smb_name, pfile2, strerror(errno)));
2004-09-13 12:52:24 +04:00
unlink ( pfile2 ) ;
endsmbfilepwent ( fp , & smbpasswd_state - > pw_file_lock_depth ) ;
endsmbfilepwent ( fp_write , & pfile2_lockdepth ) ;
free ( new_entry ) ;
return False ;
}
2000-02-26 01:25:25 +03:00
2004-09-13 12:52:24 +04:00
free ( new_entry ) ;
}
2000-02-26 01:25:25 +03:00
2004-09-13 12:52:24 +04:00
/*
* Ensure pfile2 is flushed before rename .
*/
2000-02-26 01:25:25 +03:00
2004-09-13 12:52:24 +04:00
if ( fflush ( fp_write ) ! = 0 ) {
DEBUG ( 0 , ( " del_smbfilepwd_entry: Failed to flush file %s. Error was %s \n " , pfile2 , strerror ( errno ) ) ) ;
endsmbfilepwent ( fp , & smbpasswd_state - > pw_file_lock_depth ) ;
endsmbfilepwent ( fp_write , & pfile2_lockdepth ) ;
return False ;
}
2000-02-26 01:25:25 +03:00
2004-09-13 12:52:24 +04:00
/*
* Do an atomic rename - then release the locks .
*/
2000-02-26 01:25:25 +03:00
2004-09-13 12:52:24 +04:00
if ( rename ( pfile2 , pfile ) ! = 0 ) {
unlink ( pfile2 ) ;
}
2007-11-21 04:18:16 +03:00
2004-09-13 12:52:24 +04:00
endsmbfilepwent ( fp , & smbpasswd_state - > pw_file_lock_depth ) ;
endsmbfilepwent ( fp_write , & pfile2_lockdepth ) ;
return True ;
2000-02-26 01:25:25 +03:00
}
2000-11-14 02:03:34 +03:00
/*********************************************************************
2006-02-20 23:09:36 +03:00
Create a smb_passwd struct from a struct samu .
2001-04-26 02:12:13 +04:00
We will not allocate any new memory . The smb_passwd struct
2006-02-20 23:09:36 +03:00
should only stay around as long as the struct samu does .
2000-11-14 02:03:34 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-09-13 12:52:24 +04:00
2007-10-19 04:40:25 +04:00
static bool build_smb_pass ( struct smb_passwd * smb_pw , const struct samu * sampass )
2000-11-14 02:03:34 +03:00
{
2010-05-21 04:38:04 +04:00
uint32_t rid ;
2001-10-31 13:46:25 +03:00
2001-10-02 10:57:18 +04:00
if ( sampass = = NULL )
2000-11-14 02:03:34 +03:00
return False ;
2003-05-12 22:12:31 +04:00
ZERO_STRUCTP ( smb_pw ) ;
2003-05-13 05:00:25 +04:00
if ( ! IS_SAM_DEFAULT ( sampass , PDB_USERSID ) ) {
rid = pdb_get_user_rid ( sampass ) ;
2010-02-05 17:43:26 +03:00
2003-05-13 05:00:25 +04:00
/* If the user specified a RID, make sure its able to be both stored and retreived */
2010-05-18 00:04:24 +04:00
if ( rid = = DOMAIN_RID_GUEST ) {
2014-02-03 06:22:13 +04:00
struct passwd * passwd = Get_Pwnam_alloc ( NULL , lp_guest_account ( ) ) ;
2003-05-13 05:00:25 +04:00
if ( ! passwd ) {
2014-02-03 06:22:13 +04:00
DEBUG ( 0 , ( " Could not find guest account via Get_Pwnam_alloc()! (%s) \n " , lp_guest_account ( ) ) ) ;
2003-05-13 05:00:25 +04:00
return False ;
}
smb_pw - > smb_userid = passwd - > pw_uid ;
2006-02-20 20:59:58 +03:00
TALLOC_FREE ( passwd ) ;
2004-08-17 23:59:22 +04:00
} else if ( algorithmic_pdb_rid_is_user ( rid ) ) {
smb_pw - > smb_userid = algorithmic_pdb_user_rid_to_uid ( rid ) ;
2003-05-13 05:00:25 +04:00
} else {
DEBUG ( 0 , ( " build_sam_pass: Failing attempt to store user with non-uid based user RID. \n " ) ) ;
return False ;
}
}
2000-11-14 02:03:34 +03:00
2002-01-17 11:45:58 +03:00
smb_pw - > smb_name = ( const char * ) pdb_get_username ( sampass ) ;
2000-11-14 02:03:34 +03:00
2001-05-04 19:44:27 +04:00
smb_pw - > smb_passwd = pdb_get_lanman_passwd ( sampass ) ;
smb_pw - > smb_nt_passwd = pdb_get_nt_passwd ( sampass ) ;
2000-11-14 02:03:34 +03:00
2001-10-02 10:57:18 +04:00
smb_pw - > acct_ctrl = pdb_get_acct_ctrl ( sampass ) ;
smb_pw - > pass_last_set_time = pdb_get_pass_last_set_time ( sampass ) ;
2000-11-14 02:03:34 +03:00
2001-10-02 10:57:18 +04:00
return True ;
2001-04-26 02:12:13 +04:00
}
1999-12-13 16:27:58 +03:00
2000-11-14 02:03:34 +03:00
/*********************************************************************
2006-02-20 23:09:36 +03:00
Create a struct samu from a smb_passwd struct
2000-11-14 02:03:34 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-09-13 12:52:24 +04:00
2007-10-19 04:40:25 +04:00
static bool build_sam_account ( struct smbpasswd_privates * smbpasswd_state ,
2006-02-20 23:09:36 +03:00
struct samu * sam_pass , const struct smb_passwd * pw_buf )
1999-12-13 16:27:58 +03:00
{
2001-05-04 19:44:27 +04:00
struct passwd * pwfile ;
2010-02-05 17:43:26 +03:00
2006-02-21 17:34:11 +03:00
if ( ! sam_pass ) {
2006-02-20 23:09:36 +03:00
DEBUG ( 5 , ( " build_sam_account: struct samu is NULL \n " ) ) ;
2001-05-04 19:44:27 +04:00
return False ;
}
2002-11-05 10:20:27 +03:00
2003-07-11 09:33:40 +04:00
/* verify the user account exists */
2006-07-26 01:48:13 +04:00
2006-08-22 01:53:02 +04:00
if ( ! ( pwfile = Get_Pwnam_alloc ( NULL , pw_buf - > smb_name ) ) ) {
2003-07-11 09:33:40 +04:00
DEBUG ( 0 , ( " build_sam_account: smbpasswd database is corrupt! username %s with uid "
" %u is not in unix passwd database! \n " , pw_buf - > smb_name , pw_buf - > smb_userid ) ) ;
2002-07-15 14:35:28 +04:00
return False ;
2001-12-02 03:03:35 +03:00
}
2010-02-05 17:43:26 +03:00
2006-02-25 00:36:40 +03:00
if ( ! NT_STATUS_IS_OK ( samu_set_unix ( sam_pass , pwfile ) ) )
2003-07-11 09:33:40 +04:00
return False ;
2010-02-05 17:43:26 +03:00
2006-02-20 20:59:58 +03:00
TALLOC_FREE ( pwfile ) ;
2003-07-11 09:33:40 +04:00
/* set remaining fields */
2010-02-05 17:43:26 +03:00
2008-03-15 01:26:28 +03:00
if ( ! pdb_set_nt_passwd ( sam_pass , pw_buf - > smb_nt_passwd , PDB_SET ) )
return False ;
if ( ! pdb_set_lanman_passwd ( sam_pass , pw_buf - > smb_passwd , PDB_SET ) )
return False ;
2002-11-02 06:47:48 +03:00
pdb_set_acct_ctrl ( sam_pass , pw_buf - > acct_ctrl , PDB_SET ) ;
pdb_set_pass_last_set_time ( sam_pass , pw_buf - > pass_last_set_time , PDB_SET ) ;
pdb_set_pass_can_change_time ( sam_pass , pw_buf - > pass_last_set_time , PDB_SET ) ;
2010-02-05 17:43:26 +03:00
2000-11-14 02:03:34 +03:00
return True ;
}
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
2000-11-14 02:03:34 +03:00
/*****************************************************************
Functions to be implemented by the new passdb API
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-09-13 12:52:24 +04:00
2000-11-14 02:03:34 +03:00
/****************************************************************
Search smbpasswd file by iterating over the entries . Do not
call getpwnam ( ) for unix account information until we have found
the correct entry
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2004-09-13 12:52:24 +04:00
2002-09-26 22:58:34 +04:00
static NTSTATUS smbpasswd_getsampwnam ( struct pdb_methods * my_methods ,
2006-02-20 23:09:36 +03:00
struct samu * sam_acct , const char * username )
1999-12-13 16:27:58 +03:00
{
2002-09-26 22:58:34 +04:00
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL ;
2002-07-15 14:35:28 +04:00
struct smbpasswd_privates * smbpasswd_state = ( struct smbpasswd_privates * ) my_methods - > private_data ;
2001-05-04 19:44:27 +04:00
struct smb_passwd * smb_pw ;
2006-07-11 22:01:26 +04:00
FILE * fp = NULL ;
2000-11-14 02:03:34 +03:00
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
DEBUG ( 10 , ( " getsampwnam (smbpasswd): search by name: %s \n " , username ) ) ;
2000-11-14 02:03:34 +03:00
/* startsmbfilepwent() is used here as we don't want to lookup
the UNIX account in the local system password file until
we have a match . */
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
fp = startsmbfilepwent ( smbpasswd_state - > smbpasswd_file , PWF_READ , & ( smbpasswd_state - > pw_file_lock_depth ) ) ;
2000-11-14 02:03:34 +03:00
2001-05-04 19:44:27 +04:00
if ( fp = = NULL ) {
2003-07-02 05:23:13 +04:00
DEBUG ( 0 , ( " Unable to open passdb database. \n " ) ) ;
2002-09-26 22:58:34 +04:00
return nt_status ;
2000-11-14 02:03:34 +03:00
}
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
while ( ( ( smb_pw = getsmbfilepwent ( smbpasswd_state , fp ) ) ! = NULL ) & & ( ! strequal ( smb_pw - > smb_name , username ) ) )
2000-11-14 02:03:34 +03:00
/* do nothing....another loop */ ;
2010-02-05 17:43:26 +03:00
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
endsmbfilepwent ( fp , & ( smbpasswd_state - > pw_file_lock_depth ) ) ;
2000-11-14 02:03:34 +03:00
/* did we locate the username in smbpasswd */
if ( smb_pw = = NULL )
2002-09-26 22:58:34 +04:00
return nt_status ;
2010-02-05 17:43:26 +03:00
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
DEBUG ( 10 , ( " getsampwnam (smbpasswd): found by name: %s \n " , smb_pw - > smb_name ) ) ;
2001-05-04 19:44:27 +04:00
if ( ! sam_acct ) {
2006-02-20 23:09:36 +03:00
DEBUG ( 10 , ( " getsampwnam (smbpasswd): struct samu is NULL \n " ) ) ;
2002-09-26 22:58:34 +04:00
return nt_status ;
2001-05-04 19:44:27 +04:00
}
2010-02-05 17:43:26 +03:00
2006-02-20 23:09:36 +03:00
/* now build the struct samu */
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
if ( ! build_sam_account ( smbpasswd_state , sam_acct , smb_pw ) )
2002-09-26 22:58:34 +04:00
return nt_status ;
2000-11-14 02:03:34 +03:00
/* success */
2002-09-26 22:58:34 +04:00
return NT_STATUS_OK ;
1999-12-13 16:27:58 +03:00
}
2010-05-21 05:25:01 +04:00
static NTSTATUS smbpasswd_getsampwsid ( struct pdb_methods * my_methods , struct samu * sam_acct , const struct dom_sid * sid )
1999-12-13 16:27:58 +03:00
{
2002-09-26 22:58:34 +04:00
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL ;
2002-07-15 14:35:28 +04:00
struct smbpasswd_privates * smbpasswd_state = ( struct smbpasswd_privates * ) my_methods - > private_data ;
2001-05-04 19:44:27 +04:00
struct smb_passwd * smb_pw ;
2018-12-11 18:39:19 +03:00
struct dom_sid_buf buf ;
2006-07-11 22:01:26 +04:00
FILE * fp = NULL ;
2010-05-21 04:38:04 +04:00
uint32_t rid ;
2010-02-05 17:43:26 +03:00
2007-12-15 23:11:36 +03:00
DEBUG ( 10 , ( " smbpasswd_getsampwrid: search by sid: %s \n " ,
2018-12-11 18:39:19 +03:00
dom_sid_str_buf ( sid , & buf ) ) ) ;
2000-11-14 02:03:34 +03:00
2003-03-22 12:03:46 +03:00
if ( ! sid_peek_check_rid ( get_global_sam_sid ( ) , sid , & rid ) )
return NT_STATUS_UNSUCCESSFUL ;
2000-11-14 02:03:34 +03:00
2002-09-25 19:19:00 +04:00
/* More special case 'guest account' hacks... */
2010-05-18 00:04:24 +04:00
if ( rid = = DOMAIN_RID_GUEST ) {
2014-02-03 06:22:13 +04:00
const char * guest_account = lp_guest_account ( ) ;
2002-09-25 19:19:00 +04:00
if ( ! ( guest_account & & * guest_account ) ) {
2018-05-04 23:23:54 +03:00
DEBUG ( 1 , ( " Guest account not specified! \n " ) ) ;
2002-09-26 22:58:34 +04:00
return nt_status ;
2002-09-25 19:19:00 +04:00
}
return smbpasswd_getsampwnam ( my_methods , sam_acct , guest_account ) ;
}
2000-11-14 02:03:34 +03:00
/* Open the sam password file - not for update. */
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
fp = startsmbfilepwent ( smbpasswd_state - > smbpasswd_file , PWF_READ , & ( smbpasswd_state - > pw_file_lock_depth ) ) ;
2000-11-14 02:03:34 +03:00
2001-05-04 19:44:27 +04:00
if ( fp = = NULL ) {
2003-07-02 05:23:13 +04:00
DEBUG ( 0 , ( " Unable to open passdb database. \n " ) ) ;
2002-09-26 22:58:34 +04:00
return nt_status ;
2000-11-14 02:03:34 +03:00
}
2004-08-17 23:59:22 +04:00
while ( ( ( smb_pw = getsmbfilepwent ( smbpasswd_state , fp ) ) ! = NULL ) & & ( algorithmic_pdb_uid_to_user_rid ( smb_pw - > smb_userid ) ! = rid ) )
2000-11-14 02:03:34 +03:00
/* do nothing */ ;
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
endsmbfilepwent ( fp , & ( smbpasswd_state - > pw_file_lock_depth ) ) ;
2000-11-14 02:03:34 +03:00
/* did we locate the username in smbpasswd */
if ( smb_pw = = NULL )
2002-09-26 22:58:34 +04:00
return nt_status ;
2010-02-05 17:43:26 +03:00
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
DEBUG ( 10 , ( " getsampwrid (smbpasswd): found by name: %s \n " , smb_pw - > smb_name ) ) ;
2010-02-05 17:43:26 +03:00
2001-05-04 19:44:27 +04:00
if ( ! sam_acct ) {
2006-02-20 23:09:36 +03:00
DEBUG ( 10 , ( " getsampwrid: (smbpasswd) struct samu is NULL \n " ) ) ;
2002-09-26 22:58:34 +04:00
return nt_status ;
2001-05-04 19:44:27 +04:00
}
2006-02-20 23:09:36 +03:00
/* now build the struct samu */
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
if ( ! build_sam_account ( smbpasswd_state , sam_acct , smb_pw ) )
2002-09-26 22:58:34 +04:00
return nt_status ;
2000-11-14 02:03:34 +03:00
2003-03-22 12:03:46 +03:00
/* build_sam_account might change the SID on us, if the name was for the guest account */
2010-08-26 17:48:50 +04:00
if ( NT_STATUS_IS_OK ( nt_status ) & & ! dom_sid_equal ( pdb_get_user_sid ( sam_acct ) , sid ) ) {
2018-12-11 18:39:19 +03:00
struct dom_sid_buf buf1 , buf2 ;
2007-12-15 23:11:36 +03:00
DEBUG ( 1 , ( " looking for user with sid %s instead returned %s "
2018-12-11 18:39:19 +03:00
" for account %s!?! \n " ,
dom_sid_str_buf ( sid , & buf1 ) ,
dom_sid_str_buf ( pdb_get_user_sid ( sam_acct ) , & buf2 ) ,
2007-12-15 23:11:36 +03:00
pdb_get_username ( sam_acct ) ) ) ;
2003-03-22 12:03:46 +03:00
return NT_STATUS_NO_SUCH_USER ;
}
2000-11-14 02:03:34 +03:00
/* success */
2002-09-26 22:58:34 +04:00
return NT_STATUS_OK ;
1999-12-13 16:27:58 +03:00
}
2006-02-20 23:09:36 +03:00
static NTSTATUS smbpasswd_add_sam_account ( struct pdb_methods * my_methods , struct samu * sampass )
2002-07-15 14:35:28 +04:00
{
struct smbpasswd_privates * smbpasswd_state = ( struct smbpasswd_privates * ) my_methods - > private_data ;
2001-05-04 19:44:27 +04:00
struct smb_passwd smb_pw ;
2010-02-05 17:43:26 +03:00
2006-02-20 23:09:36 +03:00
/* convert the struct samu */
This commit is number 2 of 4.
In particular this commit focuses on:
The guts of the moving about inside passdb.
While these changes have been mildly tested, and are pretty small, any
assistance in this is appreciated.
----
These changes allow for the introduction of a large dose of 'const' to
the Samba tree.
There are a number of good reasons to do this:
- I want to allow the SAM_ACCOUNT structure to move from wasteful
pstrings and fstrings to allocated strings. We can't do that if
people are modifying these outputs, as they may well make
assumptions about getting pstrings and fstrings
- I want --with-pam_smbpass to compile with a slightly sane
volume of warnings, currently its pretty bad, even in 2.2
where is compiles at all.
- Tridge assures me that he no longer opposes 'const religion'
based on the ability to #define const the problem away.
- Changed Get_Pwnam(x,y) into two variants (so that the const
parameter can work correctly): - Get_Pwnam(const x) and
Get_Pwnam_Modify(x).
- Reworked smbd/chgpasswd.c to work with these mods, passing
around a 'struct passwd' rather than the modified username
passdb/
- Kill off disp_info stuff, it isn't used any more - Kill off
support for writing to the old smbpasswd format, it isn't relevent
to Samba 3.0
- Move around and modify the pdb_...() helper functions, adding
one that sets the last changed time to 'now' and that sets the
must change time appropriately.
- Remove the ugly forced update of the LCT- value in
pdb_smbpasswd. - Remove the implicit modification of the ACB
flags when both NT and LM passwords are set.
- Removed substation in pdb_getsampwnam output, as a single
password change will render them inoperable in any case (they
will be substituted and stored)
- Added a default RID to the init_sam_from_pw() function, based on
our rid algorithm.
- Added checks that an smbpasswd stored user has a uid-based RID.
- Fail to store tdb based users without a RID
lib/
- Change the substituion code to use global_myname if there is
no connection (and therefore no called name) at the present time.
(This used to be commit 8f607810eb24ed1157bbd2e896c2c167bc34d986)
2001-10-29 10:24:49 +03:00
if ( ! build_smb_pass ( & smb_pw , sampass ) ) {
2002-09-26 22:58:34 +04:00
return NT_STATUS_UNSUCCESSFUL ;
This commit is number 2 of 4.
In particular this commit focuses on:
The guts of the moving about inside passdb.
While these changes have been mildly tested, and are pretty small, any
assistance in this is appreciated.
----
These changes allow for the introduction of a large dose of 'const' to
the Samba tree.
There are a number of good reasons to do this:
- I want to allow the SAM_ACCOUNT structure to move from wasteful
pstrings and fstrings to allocated strings. We can't do that if
people are modifying these outputs, as they may well make
assumptions about getting pstrings and fstrings
- I want --with-pam_smbpass to compile with a slightly sane
volume of warnings, currently its pretty bad, even in 2.2
where is compiles at all.
- Tridge assures me that he no longer opposes 'const religion'
based on the ability to #define const the problem away.
- Changed Get_Pwnam(x,y) into two variants (so that the const
parameter can work correctly): - Get_Pwnam(const x) and
Get_Pwnam_Modify(x).
- Reworked smbd/chgpasswd.c to work with these mods, passing
around a 'struct passwd' rather than the modified username
passdb/
- Kill off disp_info stuff, it isn't used any more - Kill off
support for writing to the old smbpasswd format, it isn't relevent
to Samba 3.0
- Move around and modify the pdb_...() helper functions, adding
one that sets the last changed time to 'now' and that sets the
must change time appropriately.
- Remove the ugly forced update of the LCT- value in
pdb_smbpasswd. - Remove the implicit modification of the ACB
flags when both NT and LM passwords are set.
- Removed substation in pdb_getsampwnam output, as a single
password change will render them inoperable in any case (they
will be substituted and stored)
- Added a default RID to the init_sam_from_pw() function, based on
our rid algorithm.
- Added checks that an smbpasswd stored user has a uid-based RID.
- Fail to store tdb based users without a RID
lib/
- Change the substituion code to use global_myname if there is
no connection (and therefore no called name) at the present time.
(This used to be commit 8f607810eb24ed1157bbd2e896c2c167bc34d986)
2001-10-29 10:24:49 +03:00
}
2010-02-05 17:43:26 +03:00
2000-11-14 02:03:34 +03:00
/* add the entry */
2006-07-11 22:01:26 +04:00
return add_smbfilepwd_entry ( smbpasswd_state , & smb_pw ) ;
1999-12-13 16:27:58 +03:00
}
2006-02-20 23:09:36 +03:00
static NTSTATUS smbpasswd_update_sam_account ( struct pdb_methods * my_methods , struct samu * sampass )
2000-11-14 02:03:34 +03:00
{
2002-07-15 14:35:28 +04:00
struct smbpasswd_privates * smbpasswd_state = ( struct smbpasswd_privates * ) my_methods - > private_data ;
2001-05-04 19:44:27 +04:00
struct smb_passwd smb_pw ;
2010-02-05 17:43:26 +03:00
2006-02-20 23:09:36 +03:00
/* convert the struct samu */
2002-07-15 14:35:28 +04:00
if ( ! build_smb_pass ( & smb_pw , sampass ) ) {
DEBUG ( 0 , ( " smbpasswd_update_sam_account: build_smb_pass failed! \n " ) ) ;
2002-09-26 22:58:34 +04:00
return NT_STATUS_UNSUCCESSFUL ;
2002-07-15 14:35:28 +04:00
}
2010-02-05 17:43:26 +03:00
2000-11-14 02:03:34 +03:00
/* update the entry */
2002-07-15 14:35:28 +04:00
if ( ! mod_smbfilepwd_entry ( smbpasswd_state , & smb_pw ) ) {
DEBUG ( 0 , ( " smbpasswd_update_sam_account: mod_smbfilepwd_entry failed! \n " ) ) ;
2002-09-26 22:58:34 +04:00
return NT_STATUS_UNSUCCESSFUL ;
2002-07-15 14:35:28 +04:00
}
2010-02-05 17:43:26 +03:00
2002-09-26 22:58:34 +04:00
return NT_STATUS_OK ;
2000-11-14 02:03:34 +03:00
}
1998-05-19 03:57:28 +04:00
2006-02-20 23:09:36 +03:00
static NTSTATUS smbpasswd_delete_sam_account ( struct pdb_methods * my_methods , struct samu * sampass )
2000-11-14 02:03:34 +03:00
{
2002-07-15 14:35:28 +04:00
struct smbpasswd_privates * smbpasswd_state = ( struct smbpasswd_privates * ) my_methods - > private_data ;
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
const char * username = pdb_get_username ( sampass ) ;
2002-09-26 22:58:34 +04:00
if ( del_smbfilepwd_entry ( smbpasswd_state , username ) )
return NT_STATUS_OK ;
return NT_STATUS_UNSUCCESSFUL ;
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
}
2005-10-21 00:40:47 +04:00
static NTSTATUS smbpasswd_rename_sam_account ( struct pdb_methods * my_methods ,
2006-02-20 23:09:36 +03:00
struct samu * old_acct ,
2005-10-21 00:40:47 +04:00
const char * newname )
{
2019-11-05 13:49:28 +03:00
const struct loadparm_substitution * lp_sub =
loadparm_s3_global_substitution ( ) ;
2007-11-21 04:18:16 +03:00
char * rename_script = NULL ;
2006-02-20 23:09:36 +03:00
struct samu * new_acct = NULL ;
2007-10-19 04:40:25 +04:00
bool interim_account = False ;
2007-11-21 04:18:16 +03:00
TALLOC_CTX * ctx = talloc_tos ( ) ;
2005-10-21 00:40:47 +04:00
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL ;
2019-11-05 13:49:28 +03:00
if ( ! * ( lp_rename_user_script ( talloc_tos ( ) , lp_sub ) ) )
2005-10-21 00:40:47 +04:00
goto done ;
2006-02-25 00:36:40 +03:00
if ( ! ( new_acct = samu_new ( NULL ) ) ) {
return NT_STATUS_NO_MEMORY ;
}
2010-02-05 17:43:26 +03:00
2006-02-25 00:36:40 +03:00
if ( ! pdb_copy_sam_account ( new_acct , old_acct )
| | ! pdb_set_username ( new_acct , newname , PDB_CHANGED ) )
{
2005-10-21 00:40:47 +04:00
goto done ;
2006-02-25 00:36:40 +03:00
}
2007-11-21 04:18:16 +03:00
2005-10-21 00:40:47 +04:00
ret = smbpasswd_add_sam_account ( my_methods , new_acct ) ;
if ( ! NT_STATUS_IS_OK ( ret ) )
goto done ;
interim_account = True ;
/* rename the posix user */
2019-11-05 13:49:28 +03:00
rename_script = lp_rename_user_script ( ctx , lp_sub ) ;
2007-11-21 04:18:16 +03:00
if ( ! rename_script ) {
ret = NT_STATUS_NO_MEMORY ;
goto done ;
}
2005-10-21 00:40:47 +04:00
if ( * rename_script ) {
int rename_ret ;
2007-11-21 04:18:16 +03:00
rename_script = talloc_string_sub2 ( ctx ,
rename_script ,
" %unew " ,
newname ,
true ,
false ,
true ) ;
if ( ! rename_script ) {
ret = NT_STATUS_NO_MEMORY ;
goto done ;
}
rename_script = talloc_string_sub2 ( ctx ,
rename_script ,
" %uold " ,
pdb_get_username ( old_acct ) ,
true ,
false ,
true ) ;
if ( ! rename_script ) {
ret = NT_STATUS_NO_MEMORY ;
goto done ;
}
2006-02-22 13:28:02 +03:00
2016-10-12 18:55:15 +03:00
rename_ret = smbrun ( rename_script , NULL , NULL ) ;
2005-10-21 00:40:47 +04:00
DEBUG ( rename_ret ? 0 : 3 , ( " Running the command `%s' gave %d \n " , rename_script , rename_ret ) ) ;
2006-09-20 04:15:50 +04:00
if ( rename_ret = = 0 ) {
smb_nscd_flush_user_cache ( ) ;
}
2007-11-21 04:18:16 +03:00
if ( rename_ret )
goto done ;
2005-10-21 00:40:47 +04:00
} else {
goto done ;
}
smbpasswd_delete_sam_account ( my_methods , old_acct ) ;
interim_account = False ;
2007-11-21 04:18:16 +03:00
done :
2005-10-21 00:40:47 +04:00
/* cleanup */
if ( interim_account )
smbpasswd_delete_sam_account ( my_methods , new_acct ) ;
if ( new_acct )
2006-02-20 23:09:36 +03:00
TALLOC_FREE ( new_acct ) ;
2010-02-05 17:43:26 +03:00
2005-10-21 00:40:47 +04:00
return ( ret ) ;
}
2009-06-28 19:36:12 +04:00
static uint32_t smbpasswd_capabilities ( struct pdb_methods * methods )
2006-02-04 01:19:41 +03:00
{
2009-06-28 19:36:12 +04:00
return 0 ;
2006-02-04 01:19:41 +03:00
}
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
static void free_private_data ( void * * vp )
{
struct smbpasswd_privates * * privates = ( struct smbpasswd_privates * * ) vp ;
2010-02-05 17:43:26 +03:00
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
endsmbfilepwent ( ( * privates ) - > pw_file , & ( ( * privates ) - > pw_file_lock_depth ) ) ;
2010-02-05 17:43:26 +03:00
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
* privates = NULL ;
/* No need to free any further, as it is talloc()ed */
1998-05-19 03:57:28 +04:00
}
2007-12-25 02:04:39 +03:00
struct smbpasswd_search_state {
uint32_t acct_flags ;
struct samr_displayentry * entries ;
uint32_t num_entries ;
ssize_t array_size ;
uint32_t current ;
} ;
static void smbpasswd_search_end ( struct pdb_search * search )
{
struct smbpasswd_search_state * state = talloc_get_type_abort (
search - > private_data , struct smbpasswd_search_state ) ;
TALLOC_FREE ( state ) ;
}
static bool smbpasswd_search_next_entry ( struct pdb_search * search ,
struct samr_displayentry * entry )
{
struct smbpasswd_search_state * state = talloc_get_type_abort (
search - > private_data , struct smbpasswd_search_state ) ;
if ( state - > current = = state - > num_entries ) {
return false ;
}
2008-02-04 21:33:56 +03:00
entry - > idx = state - > entries [ state - > current ] . idx ;
entry - > rid = state - > entries [ state - > current ] . rid ;
entry - > acct_flags = state - > entries [ state - > current ] . acct_flags ;
entry - > account_name = talloc_strdup (
2009-02-12 19:48:52 +03:00
search , state - > entries [ state - > current ] . account_name ) ;
2008-02-04 21:33:56 +03:00
entry - > fullname = talloc_strdup (
2009-02-12 19:48:52 +03:00
search , state - > entries [ state - > current ] . fullname ) ;
2008-02-04 21:33:56 +03:00
entry - > description = talloc_strdup (
2009-02-12 19:48:52 +03:00
search , state - > entries [ state - > current ] . description ) ;
2008-02-04 21:33:56 +03:00
if ( ( entry - > account_name = = NULL ) | | ( entry - > fullname = = NULL )
| | ( entry - > description = = NULL ) ) {
DEBUG ( 0 , ( " talloc_strdup failed \n " ) ) ;
return false ;
}
2007-12-25 02:04:39 +03:00
2008-02-04 21:33:56 +03:00
state - > current + = 1 ;
2007-12-25 02:04:39 +03:00
return true ;
}
static bool smbpasswd_search_users ( struct pdb_methods * methods ,
struct pdb_search * search ,
uint32_t acct_flags )
{
struct smbpasswd_privates * smbpasswd_state =
( struct smbpasswd_privates * ) methods - > private_data ;
struct smbpasswd_search_state * search_state ;
struct smb_passwd * pwd ;
FILE * fp ;
2009-02-12 19:48:52 +03:00
search_state = talloc_zero ( search , struct smbpasswd_search_state ) ;
2007-12-25 02:04:39 +03:00
if ( search_state = = NULL ) {
DEBUG ( 0 , ( " talloc failed \n " ) ) ;
return false ;
}
search_state - > acct_flags = acct_flags ;
fp = startsmbfilepwent ( smbpasswd_state - > smbpasswd_file , PWF_READ ,
& smbpasswd_state - > pw_file_lock_depth ) ;
if ( fp = = NULL ) {
DEBUG ( 10 , ( " Unable to open smbpasswd file. \n " ) ) ;
TALLOC_FREE ( search_state ) ;
return false ;
}
while ( ( pwd = getsmbfilepwent ( smbpasswd_state , fp ) ) ! = NULL ) {
struct samr_displayentry entry ;
struct samu * user ;
if ( ( acct_flags ! = 0 )
& & ( ( acct_flags & pwd - > acct_ctrl ) = = 0 ) ) {
continue ;
}
user = samu_new ( talloc_tos ( ) ) ;
if ( user = = NULL ) {
DEBUG ( 0 , ( " samu_new failed \n " ) ) ;
break ;
}
if ( ! build_sam_account ( smbpasswd_state , user , pwd ) ) {
/* Already got debug msgs... */
break ;
}
ZERO_STRUCT ( entry ) ;
entry . acct_flags = pdb_get_acct_ctrl ( user ) ;
sid_peek_rid ( pdb_get_user_sid ( user ) , & entry . rid ) ;
entry . account_name = talloc_strdup (
search_state , pdb_get_username ( user ) ) ;
entry . fullname = talloc_strdup (
search_state , pdb_get_fullname ( user ) ) ;
entry . description = talloc_strdup (
search_state , pdb_get_acct_desc ( user ) ) ;
TALLOC_FREE ( user ) ;
if ( ( entry . account_name = = NULL ) | | ( entry . fullname = = NULL )
| | ( entry . description = = NULL ) ) {
DEBUG ( 0 , ( " talloc_strdup failed \n " ) ) ;
break ;
}
ADD_TO_LARGE_ARRAY ( search_state , struct samr_displayentry ,
entry , & search_state - > entries ,
& search_state - > num_entries ,
& search_state - > array_size ) ;
}
endsmbfilepwent ( fp , & ( smbpasswd_state - > pw_file_lock_depth ) ) ;
search - > private_data = search_state ;
search - > next_entry = smbpasswd_search_next_entry ;
search - > search_end = smbpasswd_search_end ;
return true ;
}
2006-02-12 00:27:08 +03:00
static NTSTATUS pdb_init_smbpasswd ( struct pdb_methods * * pdb_method , const char * location )
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
{
NTSTATUS nt_status ;
struct smbpasswd_privates * privates ;
2006-02-12 00:27:08 +03:00
if ( ! NT_STATUS_IS_OK ( nt_status = make_pdb_method ( pdb_method ) ) ) {
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
return nt_status ;
}
2002-01-25 14:44:15 +03:00
( * pdb_method ) - > name = " smbpasswd " ;
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
( * pdb_method ) - > getsampwnam = smbpasswd_getsampwnam ;
2002-07-15 14:35:28 +04:00
( * pdb_method ) - > getsampwsid = smbpasswd_getsampwsid ;
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
( * pdb_method ) - > add_sam_account = smbpasswd_add_sam_account ;
( * pdb_method ) - > update_sam_account = smbpasswd_update_sam_account ;
( * pdb_method ) - > delete_sam_account = smbpasswd_delete_sam_account ;
2005-10-21 00:40:47 +04:00
( * pdb_method ) - > rename_sam_account = smbpasswd_rename_sam_account ;
2007-12-25 02:04:39 +03:00
( * pdb_method ) - > search_users = smbpasswd_search_users ;
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
2009-06-28 19:36:12 +04:00
( * pdb_method ) - > capabilities = smbpasswd_capabilities ;
2006-02-04 01:19:41 +03:00
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
/* Setup private data and free function */
2011-06-07 05:44:43 +04:00
if ( ! ( privates = talloc_zero ( * pdb_method , struct smbpasswd_privates ) ) ) {
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
DEBUG ( 0 , ( " talloc() failed for smbpasswd private_data! \n " ) ) ;
return NT_STATUS_NO_MEMORY ;
}
/* Store some config details */
if ( location ) {
2006-02-12 00:27:08 +03:00
privates - > smbpasswd_file = talloc_strdup ( * pdb_method , location ) ;
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
} else {
2006-02-12 00:27:08 +03:00
privates - > smbpasswd_file = talloc_strdup ( * pdb_method , lp_smb_passwd_file ( ) ) ;
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
}
2010-02-05 17:43:26 +03:00
This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20 17:30:58 +03:00
if ( ! privates - > smbpasswd_file ) {
DEBUG ( 0 , ( " talloc_strdp() failed for storing smbpasswd location! \n " ) ) ;
return NT_STATUS_NO_MEMORY ;
}
( * pdb_method ) - > private_data = privates ;
( * pdb_method ) - > free_private_data = free_private_data ;
return NT_STATUS_OK ;
}
2003-04-15 20:01:14 +04:00
2017-04-20 22:24:43 +03:00
NTSTATUS pdb_smbpasswd_init ( TALLOC_CTX * ctx )
2003-04-15 20:01:14 +04:00
{
2003-06-17 14:38:22 +04:00
return smb_register_passdb ( PASSDB_INTERFACE_VERSION , " smbpasswd " , pdb_init_smbpasswd ) ;
2003-04-15 20:01:14 +04:00
}
