/*
Unix SMB/CIFS implementation.
passdb structures and parameters
Copyright (C) Gerald Carter 2001
Copyright (C) Luke Kenneth Casson Leighton 1998-2000
Copyright (C) Andrew Bartlett 2002
Copyright (C) Simo Sorce 2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
/*
 * Include guard.  NOTE(review): _PASSDB_H (leading underscore followed by a
 * capital) is in the identifier namespace reserved for the C implementation;
 * it works in practice, but a project-prefixed guard would be cleaner.
 */
#ifndef _PASSDB_H
#define _PASSDB_H
/**********************************************************************
 * Masks for mappings between unix uid and gid types and NT RIDs.
 *
 * Only the constants live here; the mapping itself is implemented
 * elsewhere.  Going by the names, a RID presumably carries the account
 * type in its low bit (rid & RID_TYPE_MASK) and the unix id in the
 * remaining bits (scaled by RID_MULTIPLIER) — confirm against the
 * RID mapping code before relying on that.
 **********************************************************************/

/* Take the bottom bit. */
#define RID_TYPE_MASK 1
#define RID_MULTIPLIER 2

/* The two common types. */
#define USER_RID_TYPE 0
#define GROUP_RID_TYPE 1
/*
 * Bit flags representing initialized fields in struct samu.
 *
 * Each value names one field of struct samu and is the "flag" argument
 * to pdb_get_init_flags() (see IS_SAM_SET / IS_SAM_CHANGED / IS_SAM_DEFAULT
 * below); presumably they index the set_flags and change_flags bitmaps
 * held in struct samu.  Treat the order as part of the contract: add new
 * elements before PDB_COUNT rather than reordering existing ones.
 */
enum pdb_elements {
	PDB_UNINIT,
	PDB_SMBHOME,
	PDB_PROFILE,
	PDB_DRIVE,
	PDB_LOGONSCRIPT,
	PDB_LOGONTIME,
	PDB_LOGOFFTIME,
	PDB_KICKOFFTIME,
	PDB_BAD_PASSWORD_TIME,
	PDB_CANCHANGETIME,
	PDB_MUSTCHANGETIME,
	PDB_PLAINTEXT_PW,	/* secret-bearing field (samu.plaintext_pw, by name) */
	PDB_USERNAME,
	PDB_FULLNAME,
	PDB_DOMAIN,
	PDB_NTUSERNAME,
	PDB_HOURSLEN,
	PDB_LOGONDIVS,
	PDB_USERSID,
	PDB_GROUPSID,
	PDB_ACCTCTRL,
	PDB_PASSLASTSET,
	PDB_ACCTDESC,
	PDB_WORKSTATIONS,
	PDB_COMMENT,
	PDB_MUNGEDDIAL,
	PDB_HOURS,
	PDB_FIELDS_PRESENT,
	PDB_BAD_PASSWORD_COUNT,
	PDB_LOGON_COUNT,
	PDB_UNKNOWN6,
	PDB_LMPASSWD,		/* secret-bearing field (samu.lm_pw, by name) */
	PDB_NTPASSWD,		/* secret-bearing field (samu.nt_pw, by name) */
	PDB_PWHISTORY,		/* secret-bearing field (samu.nt_pw_his, by name) */
	PDB_BACKEND_PRIVATE_DATA,

	/* this must be the last element: its value is the number of flags */
	PDB_COUNT
};
/*
 * Field identifiers for a group mapping entry, the group-side counterpart
 * of enum pdb_elements.  Which structure they describe (GROUP_MAP, by the
 * names) is defined outside this header.
 */
enum pdb_group_elements {
	PDB_GROUP_NAME,
	PDB_GROUP_SID,
	PDB_GROUP_SID_NAME_USE,
	PDB_GROUP_MEMBERS,

	/* this must be the last element: its value is the number of fields */
	PDB_GROUP_COUNT
};
/*
 * State of one struct samu field, as reported by pdb_get_init_flags().
 *
 * PDB_DEFAULT is explicitly 0 so that a cleared/untracked field reads as
 * "default".  By name, PDB_SET means the field holds a value and
 * PDB_CHANGED that it was modified after being set; the exact rule is
 * implemented by pdb_get_init_flags(), outside this header.
 */
enum pdb_value_state {
	PDB_DEFAULT = 0,
	PDB_SET,
	PDB_CHANGED
};
/*
 * Convenience tests on the per-field state of an account.
 *
 * x is the account (presumably a struct samu *), flag an enum pdb_elements
 * value.  Each macro expands to a single call of pdb_get_init_flags()
 * (declared elsewhere) compared against one enum pdb_value_state value,
 * so the arguments are evaluated exactly once.
 */
#define IS_SAM_SET(x, flag) (pdb_get_init_flags(x, flag) == PDB_SET)
#define IS_SAM_CHANGED(x, flag) (pdb_get_init_flags(x, flag) == PDB_CHANGED)
#define IS_SAM_DEFAULT(x, flag) (pdb_get_init_flags(x, flag) == PDB_DEFAULT)
/* cache for bad password lockout data, to be used on replicated SAMs */
struct login_cache {
	time_t entry_timestamp;		/* presumably when the entry was
					 * written; no TTL is defined here,
					 * so consumers decide how stale an
					 * entry may be before it is ignored */
	uint32_t acct_ctrl;		/* account flags; same meaning as
					 * samu.acct_ctrl (ACB_xxxx), presumably */
	uint16_t bad_password_count;	/* NOTE(review): 16-bit counter — code
					 * that increments it should saturate or
					 * reset rather than let it wrap */
	time_t bad_password_time;	/* last bad password entered */
};
/*
 * Version tags for the serialized (buffer) form of struct samu.
 *
 * The per-version layout is defined where the buffer is packed and
 * unpacked, outside this header.  A reader that meets a tag it does not
 * know has no layout to apply and should treat the buffer as invalid
 * rather than assume SAMU_BUFFER_LATEST.
 */
#define SAMU_BUFFER_V0 0
#define SAMU_BUFFER_V1 1
#define SAMU_BUFFER_V2 2
#define SAMU_BUFFER_V3 3
/* nothing changed from V3 to V4 */
#define SAMU_BUFFER_V4 4
#define SAMU_BUFFER_LATEST SAMU_BUFFER_V4
/*
 * In-memory representation of one SAM account as handled by the passdb
 * layer.
 *
 * The string members are plain pointers: this definition does not say who
 * owns them or how long they live, so check the allocating backend before
 * retaining one.  Several members are credentials (lm_pw, nt_pw, nt_pw_his,
 * plaintext_pw); nothing in this definition wipes them, so whoever copies
 * or frees a struct samu is responsible for handling them as secrets.
 */
struct samu {
	struct pdb_methods *methods;	/* backend this account is bound to */

	/* initialization flags — which fields are set / changed, indexed by
	 * enum pdb_elements (presumably; see IS_SAM_SET and friends) */
	struct bitmap *change_flags;
	struct bitmap *set_flags;

	time_t logon_time;		/* logon time */
	time_t logoff_time;		/* logoff time */
	time_t kickoff_time;		/* kickoff time */
	time_t bad_password_time;	/* last bad password entered */
	time_t pass_last_set_time;	/* password last set time */
	time_t pass_can_change_time;	/* password can change time */
	time_t pass_must_change_time;	/* password must change time */

	const char *username;		/* UNIX username string */
	const char *domain;		/* Windows Domain name */
	const char *nt_username;	/* Windows username string */
	const char *full_name;		/* user's full name string */
	const char *home_dir;		/* home directory string */
	const char *dir_drive;		/* home directory drive string */
	const char *logon_script;	/* logon script string */
	const char *profile_path;	/* profile path string */
	const char *acct_desc;		/* user description string */
	const char *workstations;	/* login from workstations string */
	const char *comment;		/* free-form comment string */
	const char *munged_dial;	/* munged path name and dial-back tel number */

	struct dom_sid user_sid;	/* held by value */
	struct dom_sid *group_sid;	/* by pointer (presumably the primary
					 * group); check for NULL before use */

	/* Credentials — password-equivalent material, treat as secrets. */
	DATA_BLOB lm_pw;		/* .data is Null if no password */
	DATA_BLOB nt_pw;		/* .data is Null if no password */
	DATA_BLOB nt_pw_his;		/* nt hashed password history .data is Null if not available */
	char *plaintext_pw;		/* cleartext; is Null if not available */

	uint32_t acct_ctrl;		/* account info (ACB_xxxx bit-mask) */
	uint32_t fields_present;	/* 0x00ff ffff */

	uint16_t logon_divs;		/* 168 - number of hours in a week */
	uint32_t hours_len;		/* normally 21 bytes (21 * 8 = 168 bits,
					 * one per hour of the week).  Must never
					 * exceed sizeof hours — nothing here
					 * enforces that, so validate it wherever
					 * the value is read in. */
	uint8_t hours[MAX_HOURS_LEN];	/* logon-hours bitmap; MAX_HOURS_LEN is
					 * defined outside this header */

	/* Was unknown_5. */
	uint16_t bad_password_count;
	uint16_t logon_count;

	uint32_t unknown_6;		/* 0x0000 04ec */

	/* a tag for who added the private methods */
	const struct pdb_methods *backend_private_methods;
	void *backend_private_data;
	/* Takes void ** — presumably so the callee can clear the pointer after
	 * freeing it; confirm against the backends that install it. */
	void (*backend_private_data_free_fn)(void **);

	/* maintain a copy of the user's struct passwd */
	struct passwd *unix_pw;
};
/*
 * Name / description / RID triple for an account; used by the alias
 * get_aliasinfo and set_aliasinfo methods in struct pdb_methods below.
 *
 * fstring is a fixed-size character array defined outside this header:
 * copy into these members with a bounded call, never strcpy().
 */
struct acct_info {
	fstring acct_name;	/* account name */
	fstring acct_desc;	/* account description (the original comment
				 * repeated "account name" — a copy-paste) */
	uint32_t rid;		/* domain-relative RID */
};
/*
 * One row of a user/group/alias enumeration, as produced by the
 * pdb_search next_entry callback below.  The strings are plain pointers;
 * their ownership is not defined here.
 */
struct samr_displayentry {
	uint32_t idx;			/* position of this row in the enumeration */
	uint32_t rid;			/* domain-relative RID */
	uint32_t acct_flags;		/* ACB_xxxx bit-mask, presumably (same
					 * name as the search_users argument) */
	const char *account_name;
	const char *fullname;
	const char *description;
};
/* What kind of object a struct pdb_search enumerates. */
enum pdb_search_type {
	PDB_USER_SEARCH,
	PDB_GROUP_SEARCH,
	PDB_ALIAS_SEARCH
};
/*
 * State of an iterative enumeration started through search_users,
 * search_groups or search_aliases in struct pdb_methods.  The backend
 * presumably installs next_entry, search_end and private_data; cache
 * holds the rows produced so far.
 */
struct pdb_search {
	enum pdb_search_type type;
	struct samr_displayentry *cache;	/* rows produced so far */
	uint32_t num_entries;			/* rows in cache */
	ssize_t cache_size;			/* presumably capacity of cache.
						 * NOTE(review): signed while
						 * num_entries is unsigned — a
						 * direct comparison promotes to
						 * unsigned, so cast explicitly. */
	bool search_ended;
	void *private_data;			/* backend-owned */
	/* produce the next row into *entry; return value semantics are the
	 * backend's (false on exhaustion, by convention — confirm) */
	bool (*next_entry)(struct pdb_search *search,
			   struct samr_displayentry *entry);
	/* release backend resources for this search */
	void (*search_end)(struct pdb_search *search);
};
/*
 * Identity of the domain a backend serves, returned by the get_domain_info
 * method in struct pdb_methods (allocated on the TALLOC_CTX passed there).
 */
struct pdb_domain_info {
	char *name;		/* NetBIOS-style domain name */
	char *dns_domain;
	char *dns_forest;
	struct dom_sid sid;	/* domain SID, by value */
	struct GUID guid;
};
/*
 * trusted domain entry / entries returned by secrets_get_trusted_domains
 * (used in _lsa_enum_trust_dom call); also the element type of the array
 * produced by enum_trusteddoms in struct pdb_methods below.
 */
struct trustdom_info {
	char *name;		/* ownership not defined here */
	struct dom_sid sid;	/* by value */
};
/*
 * Types of account policy.
 *
 * These are the knobs behind password-quality and lockout enforcement; the
 * get_account_policy / set_account_policy methods in struct pdb_methods
 * read and write them.  The values are explicit and start at 1, which
 * suggests they are persisted or transmitted as numbers (so existing
 * values must not be renumbered) and that 0 is left unused — confirm
 * against the backends.  The unit of each policy's value (count, seconds,
 * boolean) is fixed by the code that applies it, not here.
 */
enum pdb_policy_type {
	PDB_POLICY_MIN_PASSWORD_LEN = 1,
	PDB_POLICY_PASSWORD_HISTORY = 2,
	PDB_POLICY_USER_MUST_LOGON_TO_CHG_PASS = 3,
	PDB_POLICY_MAX_PASSWORD_AGE = 4,
	PDB_POLICY_MIN_PASSWORD_AGE = 5,
	PDB_POLICY_LOCK_ACCOUNT_DURATION = 6,
	PDB_POLICY_RESET_COUNT_TIME = 7,
	PDB_POLICY_BAD_ATTEMPT_LOCKOUT = 8,
	PDB_POLICY_TIME_TO_LOGOUT = 9,
	PDB_POLICY_REFUSE_MACHINE_PW_CHANGE = 10
};
/*
 * Capability bits returned by the capabilities() method of struct
 * pdb_methods (replaced the older pdb_rid_algorithm query, per the
 * interface history below).  Add further capabilities as single bits.
 */
#define PDB_CAP_STORE_RIDS 0x0001
#define PDB_CAP_ADS 0x0002
/*****************************************************************
 Functions to be implemented by the new (v2) passdb API
*****************************************************************/

/*
 * This next constant specifies the version number of the PASSDB interface
 * this SAMBA will load.  Increment this if *ANY* changes are made to the
 * interface (struct pdb_methods below): a backend built against a different
 * layout would otherwise be called through mismatched function pointers.
 * Where the version is compared when a backend is loaded is outside this
 * header — presumably the module loader; confirm.
 *
 * History:
 * - Changed interface to fix int -> size_t problems. JRA.
 * - There's no point in allocating arrays in samr_lookup_rids twice.  It
 *   was done in the srv_samr_nt.c code as well as in the pdb module.
 *   Remove the latter, this might happen more often. VL.
 * - Changed to version 14 to move lookup_rids and lookup_names to return
 *   enum lsa_SidType rather than uint32_t.
 * - Changed to 16 for access to the trusted domain passwords (obnox).
 * - Changed to 17, the sampwent interface is gone.
 * - Changed to 18, pdb_rid_algorithm -> pdb_capabilities
 * - Changed to 19, removed uid_to_rid
 */
#define PASSDB_INTERFACE_VERSION 19
struct pdb_methods
{
const char * name ; /* What name got this module */
struct pdb_domain_info * ( * get_domain_info ) ( struct pdb_methods * ,
TALLOC_CTX * mem_ctx ) ;
NTSTATUS ( * getsampwnam ) ( struct pdb_methods * , struct samu * sam_acct , const char * username ) ;
NTSTATUS ( * getsampwsid ) ( struct pdb_methods * , struct samu * sam_acct , const struct dom_sid * sid ) ;
NTSTATUS ( * create_user ) ( struct pdb_methods * , TALLOC_CTX * tmp_ctx ,
const char * name , uint32_t acct_flags ,
uint32_t * rid ) ;
NTSTATUS ( * delete_user ) ( struct pdb_methods * , TALLOC_CTX * tmp_ctx ,
struct samu * sam_acct ) ;
NTSTATUS ( * add_sam_account ) ( struct pdb_methods * , struct samu * sampass ) ;
NTSTATUS ( * update_sam_account ) ( struct pdb_methods * , struct samu * sampass ) ;
NTSTATUS ( * delete_sam_account ) ( struct pdb_methods * , struct samu * username ) ;
NTSTATUS ( * rename_sam_account ) ( struct pdb_methods * , struct samu * oldname , const char * newname ) ;
NTSTATUS ( * update_login_attempts ) ( struct pdb_methods * methods , struct samu * sam_acct , bool success ) ;
NTSTATUS ( * getgrsid ) ( struct pdb_methods * methods , GROUP_MAP * map , struct dom_sid sid ) ;
NTSTATUS ( * getgrgid ) ( struct pdb_methods * methods , GROUP_MAP * map , gid_t gid ) ;
NTSTATUS ( * getgrnam ) ( struct pdb_methods * methods , GROUP_MAP * map , const char * name ) ;
NTSTATUS ( * create_dom_group ) ( struct pdb_methods * methods ,
TALLOC_CTX * mem_ctx , const char * name ,
uint32_t * rid ) ;
NTSTATUS ( * delete_dom_group ) ( struct pdb_methods * methods ,
TALLOC_CTX * mem_ctx , uint32_t rid ) ;
NTSTATUS ( * add_group_mapping_entry ) ( struct pdb_methods * methods ,
GROUP_MAP * map ) ;
NTSTATUS ( * update_group_mapping_entry ) ( struct pdb_methods * methods ,
GROUP_MAP * map ) ;
NTSTATUS ( * delete_group_mapping_entry ) ( struct pdb_methods * methods ,
struct dom_sid sid ) ;
NTSTATUS ( * enum_group_mapping ) ( struct pdb_methods * methods ,
const struct dom_sid * sid , enum lsa_SidType sid_name_use ,
GROUP_MAP * * pp_rmap , size_t * p_num_entries ,
bool unix_only ) ;
NTSTATUS ( * enum_group_members ) ( struct pdb_methods * methods ,
TALLOC_CTX * mem_ctx ,
const struct dom_sid * group ,
uint32_t * * pp_member_rids ,
size_t * p_num_members ) ;
NTSTATUS ( * enum_group_memberships ) ( struct pdb_methods * methods ,
TALLOC_CTX * mem_ctx ,
struct samu * user ,
struct dom_sid * * pp_sids , gid_t * * pp_gids ,
size_t * p_num_groups ) ;
NTSTATUS ( * set_unix_primary_group ) ( struct pdb_methods * methods ,
TALLOC_CTX * mem_ctx ,
struct samu * user ) ;
NTSTATUS ( * add_groupmem ) ( struct pdb_methods * methods ,
TALLOC_CTX * mem_ctx ,
uint32_t group_rid , uint32_t member_rid ) ;
NTSTATUS ( * del_groupmem ) ( struct pdb_methods * methods ,
TALLOC_CTX * mem_ctx ,
uint32_t group_rid , uint32_t member_rid ) ;
NTSTATUS ( * create_alias ) ( struct pdb_methods * methods ,
const char * name , uint32_t * rid ) ;
NTSTATUS ( * delete_alias ) ( struct pdb_methods * methods ,
const struct dom_sid * sid ) ;
NTSTATUS ( * get_aliasinfo ) ( struct pdb_methods * methods ,
const struct dom_sid * sid ,
struct acct_info * info ) ;
NTSTATUS ( * set_aliasinfo ) ( struct pdb_methods * methods ,
const struct dom_sid * sid ,
struct acct_info * info ) ;
NTSTATUS ( * add_aliasmem ) ( struct pdb_methods * methods ,
const struct dom_sid * alias , const struct dom_sid * member ) ;
NTSTATUS ( * del_aliasmem ) ( struct pdb_methods * methods ,
const struct dom_sid * alias , const struct dom_sid * member ) ;
NTSTATUS ( * enum_aliasmem ) ( struct pdb_methods * methods ,
const struct dom_sid * alias , TALLOC_CTX * mem_ctx ,
struct dom_sid * * members , size_t * p_num_members ) ;
NTSTATUS ( * enum_alias_memberships ) ( struct pdb_methods * methods ,
TALLOC_CTX * mem_ctx ,
const struct dom_sid * domain_sid ,
const struct dom_sid * members ,
size_t num_members ,
uint32_t * * pp_alias_rids ,
size_t * p_num_alias_rids ) ;
NTSTATUS ( * lookup_rids ) ( struct pdb_methods * methods ,
const struct dom_sid * domain_sid ,
int num_rids ,
uint32_t * rids ,
const char * * pp_names ,
enum lsa_SidType * attrs ) ;
NTSTATUS ( * lookup_names ) ( struct pdb_methods * methods ,
const struct dom_sid * domain_sid ,
int num_names ,
const char * * pp_names ,
uint32_t * rids ,
enum lsa_SidType * attrs ) ;
NTSTATUS ( * get_account_policy ) ( struct pdb_methods * methods ,
enum pdb_policy_type type ,
uint32_t * value ) ;
NTSTATUS ( * set_account_policy ) ( struct pdb_methods * methods ,
enum pdb_policy_type type ,
uint32_t value ) ;
NTSTATUS ( * get_seq_num ) ( struct pdb_methods * methods , time_t * seq_num ) ;
bool ( * search_users ) ( struct pdb_methods * methods ,
struct pdb_search * search ,
uint32_t acct_flags ) ;
bool ( * search_groups ) ( struct pdb_methods * methods ,
struct pdb_search * search ) ;
bool ( * search_aliases ) ( struct pdb_methods * methods ,
struct pdb_search * search ,
const struct dom_sid * sid ) ;
bool ( * uid_to_sid ) ( struct pdb_methods * methods , uid_t uid ,
struct dom_sid * sid ) ;
bool ( * gid_to_sid ) ( struct pdb_methods * methods , gid_t gid ,
struct dom_sid * sid ) ;
bool ( * sid_to_id ) ( struct pdb_methods * methods , const struct dom_sid * sid ,
union unid_t * id , enum lsa_SidType * type ) ;
uint32_t ( * capabilities ) ( struct pdb_methods * methods ) ;
bool ( * new_rid ) ( struct pdb_methods * methods , uint32_t * rid ) ;
bool ( * get_trusteddom_pw ) ( struct pdb_methods * methods ,
const char * domain , char * * pwd ,
struct dom_sid * sid , time_t * pass_last_set_time ) ;
bool ( * set_trusteddom_pw ) ( struct pdb_methods * methods ,
const char * domain , const char * pwd ,
const struct dom_sid * sid ) ;
bool ( * del_trusteddom_pw ) ( struct pdb_methods * methods ,
const char * domain ) ;
NTSTATUS ( * enum_trusteddoms ) ( struct pdb_methods * methods ,
TALLOC_CTX * mem_ctx , uint32_t * num_domains ,
struct trustdom_info * * * domains ) ;
void * private_data ; /* Private data of some kind */
void ( * free_private_data ) ( void * * ) ;
} ;
/*
 * Constructor signature that every passdb backend module exports.  The
 * backend allocates and fills in *methods (a struct pdb_methods) and reports
 * the outcome as an NTSTATUS.
 * NOTE(review): the string argument is presumably the backend-specific
 * portion of the 'passdb backend' parameter (e.g. a file path or LDAP
 * location); that is not established here -- confirm against the callers.
 */
typedef NTSTATUS ( * pdb_init_function ) ( struct pdb_methods * * , const char * ) ;
/*
 * Registry entry for one compiled-in passdb backend.  Entries link to each
 * other through prev/next, which point at the same struct type, so the
 * registry is an intrusive doubly-linked list.  Who owns the list and how it
 * is locked is not visible in this header.
 */
struct pdb_init_function_entry {
/* Backend name.  Borrowed pointer: its storage must outlive the registry
 * entry, and nothing here establishes that lifetime -- check the
 * registration code.  NOTE(review): presumably the token matched against
 * the 'passdb backend' parameter when a backend is selected at runtime. */
const char * name ;
/* Function to create a member of the pdb_methods list */
pdb_init_function init ;
/* Intrusive list links to the neighbouring registry entries. */
struct pdb_init_function_entry * prev , * next ;
} ;
# endif /* _PASSDB_H */