IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Do:
wbinfo -C alias
net groupmap set alias alias -L
net rpc group addmem alias DOMAIN\\group -S localhost -Uroot%secret
getent group alias
And hopefully the members of domain\\group show up :-)
Still have to get them to show up in 'getent group'.
Volker
This patch add privilege support for samba
Currently it is implemented only for tdbsam backend but estending it to
other sam backends is straightforward.
I must make a big thank to JFM for his teachings on the matter and the
functions at the base of this work.
At thye moment only samr_create_user honours SeAddUsersPrivilege and
SeMachineAccountPrivilege to permit any user to add machines and/or users to
the server.
The command "net priv" has been provided to manipulate the privileges
database.
There are still many things to do (like support in "net rpc vampire") but
the working core is here.
Feel free to comment/extend on this work.
Of course I will deny that any bug may affect this code :-)
Simo.
This patch adds also my patch about add share command enhancements.
merge to 3_0, as the pdb interfaces has changed a bit between the two.
This has not been tested too severly (which means it's completely broken ;-),
but I want it in for review. Feel free to revert it :-)
TODO:
make 'net groupmap' a bit more friendly for alias members.
Put that stuff into pdb_ldap.
Getting the information over to winbind. One plan without linking pdb into
winbind would be to fill group_mapping.tdb with the membership information and
have that as a cache (or use gencache.tdb?). smbd on a PDC or stand-alone
could trigger that itself, the problem is a BDC using LDAP. This needs to do
it on a regular basis. The BDC smbd needs to be informed about SAM changes
somehow...
Volker
new functionality and testing interface for new pdb functions.
Also, quite a bit of objects is being added to pdbedit in order to make
it able to find domain sid automatically (if not given explicitly).
If such amount of "wisdom" is not required to be in pdbedit, I'll move
it to 'net' which will have this new functionality, anyway.
rafal
I was rather annoyed by the net groupmap syntax, I could never get it
right.
net groupmap set "domain admins" domadm
creates a mapping,
net groupmap set "domain admins" -C "Comment" -N "newntname"
should also do what you expect.
net groupmap cleanup
solves a problem I've had two times now: Our SID changed, and a user's primary
group was mapped to a SID that is not ours. net groupmap cleanup removes all
mappings that are not from our domain sid.
Volker
Even if it's our own lock context, we need to wait here as
there may be an unlock on the way.
So I removed a "&& !my_lock_ctx" from the following
if statement.
if ((lock_timeout != 0) && lp_blocking_locks(SNUM(conn)) && ERROR_WAS_LOCK_DENIED(status)) {
Jeremy.
Fix bug in previous global_sam_sid() commit. I broke the 'read from
MACHINE.SID' file functionality.
Also, before we print out the results of 'net getlocalsid' and 'net
getdomainsid', ensure we have tried to read that file, or have
generated one.
Andrew Bartlett
different share modes. It also has a commented out test to see if we can
actually open a renamed file, and it turns out that we can, it seems. I am
not sure at this stage how long that is the case for, though.
I *hate* global variables...
OK, what was happening here was that we would invalidate global_sam_sid
when we set the sid into secrets.tdb, to force a re-read.
The problem was, we would do *two* writes into the TDB, and the second one
(in the PDC/BDC case) would be of a NULL pointer. This caused smbd startups
to fail, on a blank TDB.
By using a local variable in the pdb_generate_sam_sid() code, we avoid this
particular trap.
I've also added better debugging for the case where this all matters, which
is particularly for LDAP, where it finds out a domain SID from the sambaDomain
object.
Andrew Bartlett
group_info4 in set_dom_group_info also has the level in the record
itself. This seems not to be an align. Tested with NT4 usrmgr.exe. It can
still create a domain group on a samba machine.
Volker
Found by Fabien Chevalier <fabien.chevalier@supelec.fr> and
JustFillBug <mozbugbox@yahoo.com.au> on the Samba lists - a 'max
password age' of zero should be considered as 'never expire'.
For the timebeing we just set it like -1, but we might revisit this
for closer-to-ms behaviour.
Andrew Bartlett
on an initial open the desired_access field *must* contain DELETE_ACCESS,
simply having it map from a GENERIC_ALL won't do. Fixes delete on close test.
Jeremy.
