1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-28 07:21:54 +03:00
Commit Graph

89 Commits

Author SHA1 Message Date
Günther Deschner
1ed62fde09 r4847: Hand over a acb_mask to pdb_setsampwent in load_sampwd_entries().
This allows the ldap-backend to search much more effeciently. Machines
will be searched in the ldap_machine_suffix and users in the
ldap_users_suffix. (Note that we already use the ldap_group_suffix in
ldapsam_setsamgrent for quite some time).

Using the specific ldap-bases becomes notably important in large
domains: On my testmachine "net rpc trustdom list" has to search through
40k accounts just to list 3 interdomain-trust-accounts, similiar effects
show up the non-user query_dispinfo-calls, etc.

Also renamed all_machines to only_machines in load_sampwd_entries()
since that reflects better what is really meant.

Guenther
(This used to be commit 6394257cc7)
2007-10-10 10:53:59 -05:00
Simo Sorce
d03c891eae r4153: port from trunk of pdbedit changes
(This used to be commit 9b322f232c)
2007-10-10 10:53:36 -05:00
Jeremy Allison
acf9d61421 r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f)
2007-10-10 10:53:32 -05:00
Jeremy Allison
7fd7fbf472 r1812: Fix from Richard Renard <rrenard@idealx.com> to be able to reset
a users logon hours restrictions.
Jeremy.
(This used to be commit 887aa22dc9)
2007-10-10 10:52:21 -05:00
Jeremy Allison
14ba47482f r1537: Fix to stop printing accounts from resetting the bas password
and account lockout flags. This is set when an account is updated
only from smbd or pdbedit. Bug found by "Dunn, Drew A." <Drew.Dunn@jhuapl.edu>.
Jeremy.
(This used to be commit bb3a0fa61f)
2007-10-10 10:52:14 -05:00
Simo Sorce
75900ae526 r1478: Useful patch from Tom Alsberg <alsbergt@cs.huji.ac.il>, to export a single user from a backend.
(This used to be commit 083740e74e)
2007-10-10 10:52:12 -05:00
Jeremy Allison
d4ac326d46 r1412: Fix password history list in tdbsam. Fix some memory leaks. Add
my (C) to a header file that was at least 50% mine :-).
Jeremy.
(This used to be commit 8ee6060977)
2007-10-10 10:52:10 -05:00
Jeremy Allison
aa4abfb3b5 Fix "unable to initialize" bug when smbd hasn't been run with
new system and a user is being added via pdbedit/smbpasswd.
Found at Connectathon setup.
Jeremy.
(This used to be commit f9c7a42e89)
2004-02-23 20:12:31 +00:00
Jim McDonough
5fc9dd0be6 Enable checking/resetting of account lockout and bad password based on policy
(This used to be commit bd2e55399c)
2004-02-19 21:40:22 +00:00
Jim McDonough
f56317baef Add bad password reset and display of bad password count/time
(This used to be commit 34fe16e445)
2004-02-19 16:00:29 +00:00
Gerald Carter
da52004988 fix set/getsampwent iterator in tdbsam to use an allocated list
(This used to be commit 8734d91cd7)
2004-02-11 21:10:04 +00:00
Gerald Carter
d4420dc902 more initialization fixes
(This used to be commit 9e590d6035)
2004-01-29 22:16:58 +00:00
Jeremy Allison
521104359e Fix for pdbedit error code returns (sorry, forgot who sent in the patch).
Jeremy.
(This used to be commit 685097bc50)
2003-11-27 18:34:42 +00:00
Jelmer Vernooij
5def5d2bdb Fix typo
(This used to be commit 37db75fc95)
2003-09-21 02:58:08 +00:00
Tim Potter
80c1f1d865 Fixup a bunch of printf-style functions and debugs to use unsigned long when
displaying pid_t, uid_t and gid_t values.  This removes a whole lot of warnings
on some of the 64-bit build farm machines as well as help us out when 64-bit
uid/gid/pid values come along.
(This used to be commit f93528ba00)
2003-07-22 04:31:20 +00:00
Tim Potter
274f1f8806 Replace the eight (!) copies of dummy become/unbecome root with a single one.
(This used to be commit 8b818ce381)
2003-07-22 00:20:53 +00:00
Gerald Carter
03d5867d52 moving more code around.
* move rid allocation into IDMAP.  See comments in _api_samr_create_user()
  * add winbind delete user/group functions

I'm checking this in to sync up with everyone.  But I'm going to split
the add a separate winbindd_allocate_rid() function for systems
that have an 'add user script' but need idmap to give them a RID.
Life would be so much simplier without 'enable rid algorithm'.
The current RID allocation is horrible due to this one fact.
Tested idmap_tdb but not idmap_ldap yet.  Will do that tomorrow.

Nothing has changed in the way a samba domain is represented, stored,
or search in the directory so things should be ok with previous installations.

going to bed now.
(This used to be commit 0463045cc7)
2003-07-11 05:33:40 +00:00
Volker Lendecke
7f3f878abb pdbedit should not call idmap anymore. Otherwise pdbedit -L would
allocate id's.

Volker
(This used to be commit 0358cc7675)
2003-07-10 14:21:43 +00:00
Gerald Carter
816724fb39 more compile fixes for become/unbecome_root()
(This used to be commit f005f1cf12)
2003-07-09 03:32:07 +00:00
Gerald Carter
0b18acb841 and so it begins....
* remove idmap_XX_to_XX calls from smbd.  Move back to the
  the winbind_XXX and local_XXX calls used in 2.2

* all uid/gid allocation must involve winbindd now

* move flags field around in winbindd_request struct

* add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id()
  to prevent automatic allocation for unknown SIDs

* add 'winbind trusted domains only' parameter to force a domain member
  server to use matching users names from /etc/passwd for its domain
  (needed for domain member of a Samba domain)

* rename 'idmap only' to 'enable rid algorithm' for better clarity
  (defaults to "yes")

code has been tested on

  * domain member of native mode 2k domain
  * ads domain member of native mode 2k domain
  * domain member of NT4 domain
  * domain member of Samba domain
  * Samba PDC running winbindd with trusts

Logons tested using 2k clients and smbclient as domain users
and trusted users. Tested both 'winbind trusted domains only = [yes|no]'

This will be a long week of changes.  The next item on the list is
winbindd_passdb.c & machine trust accounts not in /etc/passwd (done
via winbindd_passdb)
(This used to be commit 8266dffab4)
2003-07-07 05:11:10 +00:00
Andrew Bartlett
4168d61fb2 This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP.  If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP.   We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap).  If we fail to read/add the domain entry, we just
fallback to the old behaviour.

We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available.  This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added.  Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.

The code now allows modifications to the ID mapping in many cases.

Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).

The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'.  This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.

On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.

We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate.  Instead, we just start at the bottom
of the range, and increment again if the user already exists.  The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.

Thanks to metze and AB for double-checking parts of this.

Andrew Bartlett
(This used to be commit 9c595c8c23)
2003-07-04 13:29:42 +00:00
Jeremy Allison
0e983b32fd Some const correctness. Stop tdb being used as a remote backend. If an
idmap backend is specified cause smbd to ask winbindd (use winbindd if
you want a consistant remote backend solution).
Should work well enough for next beta now...
Jeremy.
(This used to be commit 8f830c509a)
2003-06-27 20:55:48 +00:00
Simo Sorce
f5974dfaae Found out a good number of NT_STATUS_IS_ERR used the wrong way.
As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK

This patch will cure the problem.
Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is
used correctly, but I'm not 100% sure, coders should check the use of
NT_STATUS_IS_ERR() in samba is ok now.

Simo.
(This used to be commit c501e84d41)
2003-06-22 10:09:52 +00:00
Simo Sorce
75a5c0b307 Ok, this patch removes the privilege stuff we had in, unused, for some time.
The code was nice, but put in the wrong place (group mapping) and not
supported by most of the code, thus useless.

We will put back most of the code when our infrastructure will be changed
so that privileges actually really make sense to be set.

This is a first patch of a set to enhance all our mapping code cleaness and
stability towards a sane next beta for 3.0 code base

Simo.
(This used to be commit e341e7c49f)
2003-06-18 15:24:10 +00:00
Jelmer Vernooij
2153494966 Setting account policy values is done using -C, not -V. Fixes bug #120
(This used to be commit daf443757b)
2003-05-29 22:00:54 +00:00
Jeremy Allison
6abef08100 Fix obvious compiler warnings.
Jeremy.
(This used to be commit 2a6d0c2481)
2003-05-12 21:27:54 +00:00
Simo Sorce
c823b191ab And finally IDMAP in 3_0
We really need idmap_ldap to have a good solution with ldapsam, porting
it from the prvious code is beeing made, the code is really simple to do
so I am confident it is not a problem to commit this code in.

Not committing it would have been worst.
I really would have been able to finish also the group code, maybe we can
put it into a followin release after 3.0.0 even if it may be an upgrade
problem.

The code has been tested and seem to work right, more testing is needed for
corner cases.

Currently winbind pdc (working only for users and not for groups) is
disabled as I was not able to make a complete group code replacement that
works somewhat in a week (I have a complete patch, but there are bugs)

Simo.
(This used to be commit 0e58085978)
2003-05-12 18:12:31 +00:00
Andrew Bartlett
ca40b71686 Make it possible to actually use --user-SID and --group-SID on a standard command line.
Andrew Bartlett
(This used to be commit dd14da7566)
2003-05-12 00:17:44 +00:00
Jelmer Vernooij
0914e541f5 Reverse previous patch from Stefan and me after comments by Andrew Bartlett
(This used to be commit d817eaf0ec)
2003-05-10 11:49:51 +00:00
Jelmer Vernooij
c507ebe567 Patch from metze and me that adds dummy smb_register_*() functions so
that is now possible to, for example, load a module which contains
an auth method into a binary without the auth/ subsystem built in.
(This used to be commit 74d9ecfe2d)
2003-05-10 10:53:48 +00:00
Andrew Bartlett
281d95e2f3 Use a common function to create the SAM_ACCOUNT being used to add accounts
to the system.  This means that we always run Get_Pwnam(), and can never add
FOO when foo exists on the system (the idea is to instead add foo into
the passdb, using it's full name, RID etc).

Andrew Bartlett
(This used to be commit bb79b127e0)
2003-04-29 09:43:17 +00:00
Simo Sorce
43b3ea968b back port from HEAD
(This used to be commit f7cfdf20b7)
2003-04-26 01:15:57 +00:00
Tim Potter
63cbbe2692 Merge Jelmer's popt updates from HEAD.
(This used to be commit 98e84b3e83)
2003-04-14 03:30:20 +00:00
Volker Lendecke
7d4bfa0eda Implement abartlet's suggestion to add attribs to ldap if they
are 'SET' when adding the account.

I really don't like passing flags down to inner routines and
complicated if/else conditions, but this time he might be right. ;-)

Volker
(This used to be commit 339c149068)
2003-03-23 14:20:21 +00:00
Volker Lendecke
b8d83f7cdb This does two things:
* pdbedit -i -e sets all SAM_ACCOUNT elements
  to CHANGED to satisfy the new pdb_ldap.c handling

* pdbedit -g transfers group mappings. I made this
  separate from the user database, as current installations
  have to live with a split backend.

  So, if you are running 3_0 alphas with LDAP as a backend
  and upgrade to the next 3_0 alpha, you should call

  pdbedit -i tdbsam -e ldapsam -g

  to transfer your group mapping database to LDAP.

  You certainly have to have all your groups as posixGroup
  objects in LDAP and adapt the LDAP schema before this
  call.

Volker
(This used to be commit 09a3db0ffc)
2003-03-23 11:50:16 +00:00
Andrew Bartlett
d5ee9b2f48 Jeremy merged across my string parinoia fixes, but forgot to enable them! :-)
This patch catches up on the rest of the work - as much string checking
as is possible is done at compile time, and the rest at runtime.

Lots of code converted to pstrcpy() etc, and other code reworked to correctly
call sizeof().

Andrew Bartlett
(This used to be commit c5b604e2ee)
2003-03-18 11:22:52 +00:00
Volker Lendecke
13f65125ac Invert flag testing
(This used to be commit 05397c526d)
2003-02-07 08:03:37 +00:00
Volker Lendecke
21ee739b83 merge from HEAD
(This used to be commit 4ef6de20cb)
2003-02-06 17:10:38 +00:00
Volker Lendecke
d034ba5ce1 Fix memory leak. Thanks, Herb!
Volker
(This used to be commit 434e496289)
2003-01-07 20:55:43 +00:00
Volker Lendecke
b59dc9ee58 Merge from HEAD.
Volker
(This used to be commit 7977a025ae)
2003-01-07 10:39:23 +00:00
Andrew Bartlett
634c54310c Merge from HEAD - make Samba compile with -Wwrite-strings without additional
warnings.  (Adds a lot of const).

Andrew Bartlett
(This used to be commit 3a7458f947)
2003-01-03 08:28:12 +00:00
Jeremy Allison
af9599e3c4 Revert by Simo's request. HEAD and 3.0 should be in sync for
this except for the modules load.
Jeremy.
(This used to be commit 388cf13648)
2002-12-28 19:48:59 +00:00
Jeremy Allison
e114e03d3f Patch for coredump with missing arg from "Bradley W. Langhorst" <brad@langhorst.com>
Jeremy.
(This used to be commit 0958a2ae73)
2002-12-28 01:23:38 +00:00
Jeremy Allison
2f194322d4 Removed global_myworkgroup, global_myname, global_myscope. Added liberal
dashes of const. This is a rather large check-in, some things may break.
It does compile though :-).
Jeremy.
(This used to be commit f755711df8)
2002-11-12 23:20:50 +00:00
Andrew Bartlett
6d7195d1d7 Merge passdb from HEAD -> 3.0
The work here includes:
 - metze' set/changed patch, which avoids making changes to ldap on unmodified
attributes.

 - volker's group mapping in passdb patch

 - volker's samsync stuff
 - volkers SAMR changes.

 - mezte's connection caching patch

 - my recent changes (fix magic root check, ldap ssl)

Andrew Bartlett
(This used to be commit 2044d60bbe)
2002-11-02 03:47:48 +00:00
Jelmer Vernooij
9b6cd7db77 sync with head...
(This used to be commit 9daaf66754)
2002-10-28 19:48:00 +00:00
Gerald Carter
7d1eb6f7b6 sync with HEAD
(This used to be commit ee9cbf5807)
2002-09-26 18:58:34 +00:00
Gerald Carter
a834a73e34 sync'ing up for 3.0alpha20 release
(This used to be commit 65e7b5273b)
2002-09-25 15:19:00 +00:00
Jelmer Vernooij
f0255b38bc sync 3.0 branch with HEAD
(This used to be commit 1b83b78e33)
2002-08-17 14:45:04 +00:00
Andrew Tridgell
e90b652848 updated the 3.0 branch from the head branch - ready for alpha18
(This used to be commit 03ac082dcb)
2002-07-15 10:35:28 +00:00