1
0
mirror of https://github.com/samba-team/samba.git synced 2025-02-21 01:59:07 +03:00

2652 Commits

Author SHA1 Message Date
Gerald Carter
0b18acb841 and so it begins....
* remove idmap_XX_to_XX calls from smbd.  Move back to the
  the winbind_XXX and local_XXX calls used in 2.2

* all uid/gid allocation must involve winbindd now

* move flags field around in winbindd_request struct

* add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id()
  to prevent automatic allocation for unknown SIDs

* add 'winbind trusted domains only' parameter to force a domain member
  server to use matching users names from /etc/passwd for its domain
  (needed for domain member of a Samba domain)

* rename 'idmap only' to 'enable rid algorithm' for better clarity
  (defaults to "yes")

code has been tested on

  * domain member of native mode 2k domain
  * ads domain member of native mode 2k domain
  * domain member of NT4 domain
  * domain member of Samba domain
  * Samba PDC running winbindd with trusts

Logons tested using 2k clients and smbclient as domain users
and trusted users. Tested both 'winbind trusted domains only = [yes|no]'

This will be a long week of changes.  The next item on the list is
winbindd_passdb.c & machine trust accounts not in /etc/passwd (done
via winbindd_passdb)
(This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-07-07 05:11:10 +00:00
Andrew Bartlett
85921dbd6f Add some debug statments to our vampire code - try to make it easier to track
down failures.

Add a 'auto-add on modify' feature to guestsam

Fix some segfault bugs on no-op idmap modifications, and on new idmappings that
do not have a DN to tack onto.

Make the 'private data' a bit more robust.

Andrew Bartlett
(This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05 10:39:41 +00:00
Andrew Bartlett
a3ddfa5069 Fixes to our LDAP/vampire codepaths:
- Try better to add the appropriate mapping between UID and SIDs, based
   on Get_Pwnam()
 - Look for previous users (lookup by SID) and correctly modify the existing
   entry in that case
 - Map the root user to the Admin SID as a 'well known user'
 - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update'
   call on that user.  This means that VL's very nice work on atomic LDAP
   updates now really gets used properly!
 - This also means that we know the right DN to update, without the extra
   round-trips to the server.

Andrew Bartlett
(This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05 09:46:12 +00:00
Andrew Bartlett
4168d61fb2 This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP.  If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP.   We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap).  If we fail to read/add the domain entry, we just
fallback to the old behaviour.

We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available.  This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added.  Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.

The code now allows modifications to the ID mapping in many cases.

Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).

The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'.  This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.

On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.

We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate.  Instead, we just start at the bottom
of the range, and increment again if the user already exists.  The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.

Thanks to metze and AB for double-checking parts of this.

Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04 13:29:42 +00:00
Jeremy Allison
ce72beb2b5 Removed strupper/strlower macros that automatically map to strupper_m/strlower_m.
I really want people to think about when they're using multibyte strings.
Jeremy.
(This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
2003-07-03 19:11:31 +00:00
Andrew Bartlett
61116049ca This patch takes the work the jerry did for beta2, and generalises it:
- The 'not implmented' checks are now done by all auth modules
 - the ntdomain/trustdomain/winbind modules are more presise as to
   what domain names they can and cannot handle
 - The become_root() calls are now around the winbind pipe opening only,
   not the entire auth call
 - The unix username is kept seperate from the NT username, removing the
   need for 'clean off the domain\' in parse_net.c
 - All sid->uid translations are now validated with getpwuid() to put a very
   basic stop to logins with 'half deleted' accounts.

Andrew Bartlett
(This used to be commit 85f88191b9927cc434645ef4c1eaf5ec0e8af2ec)
2003-07-03 14:36:42 +00:00
Gerald Carter
46bd7fed98 SAMBA_3_0 will now become beta3
beta2 is captured in the release branch
(This used to be commit 4b3a15917dd6935353d8998e918c750a6c090671)
2003-07-02 03:40:06 +00:00
Jeremy Allison
58fca50742 Adding jcmd's share ACL on XP patch. Thanks Jim !
Jeremy.
(This used to be commit 7ed1118ae61a13de2c781a94fc2394090efd1f9b)
2003-07-01 21:47:13 +00:00
Jeremy Allison
a12556742f Merge of Volkers patch to make the logic clearer (with my mod).
Jeremy.
(This used to be commit 1714eb6bef627ebcfb6db03e58fdd02ea502c6e1)
2003-06-30 22:07:47 +00:00
Gerald Carter
f265935101 * rename samstrict auth method to sam
* rename original sam auth method to sam_ignoredomain
* remove samstrict_dc auth method (now covered by 'sam')
* fix wbinfo -a '...' and getent passwd bugs when running
  winbindd on a samba PDC (reported by Volker)
(This used to be commit 52166faee793d337e045d64f7cb27ea7ac895f60)
2003-06-30 17:24:59 +00:00
Andrew Tridgell
0a4959d48d - added LOCALE patch from vorlon@debian.org (Steve Langasek) (bug )
- changed --enable-developer debug to use -gstabs as it makes the
  samba binaries about 10x smaller and is still quite functional for
  samba debugging
(This used to be commit 53bfcd478a193d4def8da872e92d7ed8f46aa4b9)
2003-06-30 02:11:13 +00:00
Jeremy Allison
8d31403fe8 Add include guards around idmap.h, change ID_NOMAP to ID_QUERY_ONLY
and ID_CACHE to ID_CACHE_SAVE. Added locking around tdb writes & deletes
for multi-process access.
Jeremy.
(This used to be commit 5b998cdc1d552234236862f6a2bbae703b0c146e)
2003-06-26 23:48:46 +00:00
Gerald Carter
99a467662a fix build on non-ldap platforms
(This used to be commit a59ea1d6d32337226f6099eefd19681fb28279c0)
2003-06-25 19:39:16 +00:00
Gerald Carter
f51d769dd3 large change:
*)  consolidates the dc location routines again (dns
    and netbios)  get_dc_list() or get_sorted_dc_list()
    is the authoritative means of locating DC's again.

    (also inludes a flag to get_dc_list() to define
     if this should be a DNS only lookup or not)

    (however, if you set "name resolve order = hosts wins"
     you could still get DNS queries for domain name IFF
     ldap_domain2hostlist() fails.  The answer?  Fix your DNS
     setup)

*)  enabled DOMAIN<0x1c> lookups to be funneled through
    resolve_hosts resulting in a call to ldap_domain2hostlist()
    if lp_security() == SEC_ADS

*)  enables name cache for winbind ADS backend

*)  enable the negative connection cache for winbind
    ADS backend

*)  removes some old dead code

*)  consolidates some duplicate code

*)  moves the internal_name_resolve() to use an IP/port pair
    to deal with SRV RR dns replies.  The namecache code
    also supports the IP:port syntax now as well.

*)  removes 'ads server' and moves the functionality back
    into 'password server' (which can support "hostname:port"
    syntax now but works fine with defaults depending on
    the value of lp_security())
(This used to be commit d7f7fcda425bef380441509734eca33da943c091)
2003-06-25 17:41:05 +00:00
Andrew Bartlett
eb61c82382 Patch to move functions directly from pdb_ldap.c into lib/smbldap.c
The functions are unchanged.  Next step is to make idmap_ldap use them.

Andrew Bartlett
(This used to be commit 57617a0f8c84f9ced4df2901811ce5a5a5ae005e)
2003-06-25 12:51:58 +00:00
Andrew Bartlett
f70cc4cdc1 This patch works towards to goal of common code shared between idmap_ldap
and pdb_ldap.

So far, it's just a function rename, so that the next patch can be a very
simple matter of copying functions, without worrying about what changed
in the process.

Also removes the 'static' pointers for the rebind procedures, replacing them
with a linked list of value/key lookups.  (Only needed on older LDAP client
libs)

Andrew Bartlett
(This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-21 00:45:03 +00:00
Simo Sorce
75a5c0b307 Ok, this patch removes the privilege stuff we had in, unused, for some time.
The code was nice, but put in the wrong place (group mapping) and not
supported by most of the code, thus useless.

We will put back most of the code when our infrastructure will be changed
so that privileges actually really make sense to be set.

This is a first patch of a set to enhance all our mapping code cleaness and
stability towards a sane next beta for 3.0 code base

Simo.
(This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-06-18 15:24:10 +00:00
Andrew Tridgell
8cd67d7668 reverted locale patch put in by jht (originally from vorlon).
There are lots of things wrong with this patch, including:

1) it overrides a user chosen configuration option

2) it adds lots of complexity inside a loop when a tiny piece of code
   outside the loop would do the same thing

3) it does no error checking, and is sure to crash on some systems

If you want this functionality then try something like this at the end
of charset_name():

#ifdef HAVE_NL_LANGINFO
	if (strcasecmp(ret, "LOCALE") == 0) {
		const char *ln = nl_langinfo(CODESET);
		if (ln) {
			DEBUG(5,("Substituting charset '%s' for LOCALE\n", ln));
			return ln;
		}
	}
#endif

then users can set 'display charset = LOCALE' to get the locale based
charset. You could even make that the default for systems that have
nl_langinfo().
(This used to be commit 382b9b806b1ecd227b1ea247e3825d6848090462)
2003-06-16 02:22:52 +00:00
John Terpstra
489956c823 Patch from vorlon@debian.org, see bugzilal
Samba should preferentially use the locale information from the native system,
and only fall back on 'display charset' if this is unavailable or unsupported.
(This used to be commit 1e445fb4220cdf4700dd9d1850a42746a1065c5a)
2003-06-15 06:07:53 +00:00
Andrew Tridgell
d368845418 on AIX FD_ZERO() is defined in terms of bzero(), so we can't have
the "don't use bzero" macros.

In general I think it would be better to have a separate script that
checks for deprecated functions like these using grep rather than
using these cpp tricks. They just get us into trouble.
(This used to be commit 2a227c880db0f233fb1f6dae5851450ea6020f3b)
2003-06-11 05:34:14 +00:00
Jeremy Allison
5cee22714c Ok, I've tried being Mr. Nice Guy and people (you know who you are) still
keep putting bzero BSD'ism's into our source code. Make this an error like
bcopy and others to prevent it in future.
Jeremy.
(This used to be commit 80d043231626192db85f08ccea062b91fcf999cc)
2003-06-10 17:30:28 +00:00
Andrew Tridgell
2cfc19f899 added an auth flag that indicates if we should be allowed to fallback
to NTLMSSP for SASL if krb5 fails. This is important as otherwise the
admin may think that a join has succeeeded when kerberos is actually
broken.
(This used to be commit 23a6ea385c4aea208adf36f039244bee14f56a33)
2003-06-10 03:47:42 +00:00
Gerald Carter
dd87bcb699 bumping cvs version number to distinguish between SAMBA_3_0 cvs tree
and 3.0.0beta1 release
(This used to be commit 2619cc5d44f0162d829f5e18163df1b23b4ef5f5)
2003-06-07 18:07:30 +00:00
Gerald Carter
70da79f8a8 fix build on systems w/o LDAP libs
(This used to be commit f33aeaa039d49b4eef884b27dc81d3418a051f1a)
2003-06-06 20:31:19 +00:00
Gerald Carter
711f8d0a13 * break out more common code used between pdb_ldap and idmap_ldap
* remove 'winbind uid' and 'winbind gid' parameters (replaced
  by current idmap parameter)
* create the sambaUnixIdPool entries automatically in the 'ldap
  idmap suffix'
* add new 'ldap idmap suffix' and 'ldap group suffix' parametrer
* "idmap backend = ldap" now accepts 'ldap:ldap://server/' format
  (parameters are passed to idmap init() function
(This used to be commit 1665926281ed2be3c5affca551c9d458d013fc7f)
2003-06-06 13:48:39 +00:00
Jeremy Allison
dff2bf904e Fixup of typos.
Jeremy.
(This used to be commit 99589b8a8f7081ced792e085ef448d9ebee135d3)
2003-06-06 07:08:21 +00:00
Jeremy Allison
5d609bc9ff metze noticed some conn elements remaining in a VFS_NEXT.
Jeremy.
(This used to be commit b863be794b7db11f91185ef2d669d0f89bbc1fae)
2003-06-06 06:35:24 +00:00
Jeremy Allison
b61d61dd60 Fix for VFS_NEXT xattr calls (from metze). I will add these to skel.c to
ensure they are tested.
Jeremy.
(This used to be commit 9ad02a7ba80c4796fecbaf2b4c75992988b002f7)
2003-06-06 06:17:41 +00:00
Andrew Tridgell
6b943b5b21 - the 8.3 name in BOTH_DIRECTORY_INFO is supposed to be always unicode
(to match win2003 behaviour)

- added the STR_TERMINATE_ASCII flag from samba4 so we can get the
  string termination right for the case where it is supposed to be
  non-terminated for UCS2 and terminated when ASCII
(This used to be commit 791a4cc7cf84eca77116bca00aeb5f95560f6705)
2003-06-06 05:15:28 +00:00
Jeremy Allison
398ce536e9 Missed (name) arg in fgetxattr.
Jeremy.
(This used to be commit f42e164e9029c38279e36ee8955b9170b0fead87)
2003-06-06 00:45:57 +00:00
Jeremy Allison
6fe5940109 Added EA operations to VFS layer.
Jeremy.
(This used to be commit 024de9213e414659296cb518a6753e510c64f614)
2003-06-06 00:04:27 +00:00
Jeremy Allison
8e047054e8 Get ready for EA code... Add Linux interface.
Jeremy.
(This used to be commit 48853140749b74053f1a7857a983397b6e9a0234)
2003-06-05 20:29:55 +00:00
Gerald Carter
3bdfd57a2d working draft of the idmap_ldap code.
Includes sambaUnixIdPool objectclass

Still needs cleaning up wrt to name space.
More changes to come, but at least we now have a
a working distributed winbindd solution.
(This used to be commit 824175854421f7c27d31ad673a8790dd018ae350)
2003-06-05 02:34:30 +00:00
Alexander Bokovoy
07aaa59018 Sync VFS API changes for vfs_nt_*get_acl. Patch from Stefan Metzmacher <mezte@metzemix.de>
(This used to be commit c5e8acd3b7b8a7063aa6ffde1099196daf1c317b)
2003-06-04 12:50:07 +00:00
Andrew Tridgell
3db0d893f3 added the COMPRESSION_INFO trans2 QFILEINFO level and fixed the
IS_NAME_VALID QPATHINFO level
(This used to be commit 1634346e2a6e73af80d4e68d50c6398fb24869a5)
2003-06-01 13:43:21 +00:00
Volker Lendecke
5466c1f19b Fix compile.
(This used to be commit 3ac622532a27659b9f9e26b1aa6858ce156641ac)
2003-05-31 09:10:32 +00:00
Jeremy Allison
974d402d6d Ensure 'blank' entries show up in both default and normal entries to
allow them to be changed. Works well with W2K and above.
Jeremy.
(This used to be commit 685e4e518236079f201650f26152f6f9ad3c61ab)
2003-05-30 23:07:33 +00:00
Jim McDonough
4f276f9696 More on bug 137: rename more of krb5_xxx functions to not start with krb5_
(This used to be commit 10f1da3f4a9680a039a2aa26301b97e31c06c38d)
2003-05-30 20:11:34 +00:00
Jeremy Allison
545e8d4999 Change get_nt_acl() to include security_info wanted. Only return this.
This gets us closer to W2k+ in what we return for file ACLs. Fix horribly
broken make_sec_desc() that screwed up the size when given a SD with no
owner or group (how did it get this bad... ?).
Jeremy.
(This used to be commit 183c9ed4052ab14e269ed1234ca557053f77e77a)
2003-05-29 23:49:31 +00:00
Jelmer Vernooij
69b50029f4 Add smb_register_idmap(). Based on a patch from metze
(This used to be commit 7e352f5c62c4889bdf2662dded1e74a354890dc7)
2003-05-29 19:08:40 +00:00
Jelmer Vernooij
e731ec1ed6 Get the events API right. Patch from metze with some minor modifications.
(This used to be commit 2aad5736256968f27c42a6f94bdbc7a22c236c19)
2003-05-29 14:40:55 +00:00
Tim Potter
4f0b44cceb DNS domain/server name constants were also swapped.
(This used to be commit 0666e34d7c8f0863148763932f60a65ad936f2c9)
2003-05-28 05:14:10 +00:00
Tim Potter
50407e57dd The constants for NetBIOS domain and server names in a NTLMSSP name list were
swapped.
(This used to be commit 92be28aa4a6ff42c601e9d2de978265a6c2e8c46)
2003-05-28 04:32:26 +00:00
Gerald Carter
8b0f689451 updating version
(This used to be commit b1eb0dd7e0593e08f71aa9c4fc3d47ccdfabc691)
2003-05-22 14:53:02 +00:00
Gerald Carter
931dc9d25a remove WITH_TDB_SAM & USE_SMBPASS_DB
(This used to be commit 1f98ced3163e26818c12829801729bc28f858de7)
2003-05-20 18:30:37 +00:00
Alexander Bokovoy
3a12379a84 Fix macros for next and opaque quota ops. Spotted by metze
(This used to be commit 46e6621b2ebe7a8d1bd0c05197667aaa4e078efd)
2003-05-19 09:09:37 +00:00
Alexander Bokovoy
2c01eef4d7 Evolve quotas configure check more. Patch from Stefan (metze) Metzemacher. Now we are defaulting to --with-quotas=no but anyway trying to test them in configure. This is done to get information about as much quota API variations as possible -- when --with-quotas=no this does not affect build but provides us with more detailed information on build farm.
(This used to be commit 3786695c72e6ff6a52a527382ac77142e236971b)
2003-05-14 14:38:11 +00:00
Alexander Bokovoy
bc2a3748e9 Prefix VFS API macros with SMB_ for consistency and to avoid problems with VFS_ macros at system side. We currently have one clash with AIX and its VFS_LOCK. Compiled and tested -- no new functionality or code, just plain rename of macros for yet-unreleased VFS API version. Needs to be done before a24 is out
(This used to be commit c2689ed118b490e49497a76ed6a2251262018769)
2003-05-14 10:59:01 +00:00
Simo Sorce
c823b191ab And finally IDMAP in 3_0
We really need idmap_ldap to have a good solution with ldapsam, porting
it from the prvious code is beeing made, the code is really simple to do
so I am confident it is not a problem to commit this code in.

Not committing it would have been worst.
I really would have been able to finish also the group code, maybe we can
put it into a followin release after 3.0.0 even if it may be an upgrade
problem.

The code has been tested and seem to work right, more testing is needed for
corner cases.

Currently winbind pdc (working only for users and not for groups) is
disabled as I was not able to make a complete group code replacement that
works somewhat in a week (I have a complete patch, but there are bugs)

Simo.
(This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-05-12 18:12:31 +00:00
Alexander Bokovoy
e8573c8fa9 Add NT quota support. Patch from Stefan (metze) Metzemacher
1. Allows to change quota settings for shared mount points from Win2K and WinXP from Explorer properties tab
2. Disabled by default and when requested, will be probed and enabled only on Linux where it works
3. Was tested for approx. two weeks now on Linux by two independent QA teams, have not found any bugs so far
Documentation to follow
(This used to be commit 4bf022ce9e45be85609426762ba2644ac2031326)
2003-05-12 01:20:17 +00:00