1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-14 19:24:43 +03:00

71 Commits

Author SHA1 Message Date
Gerald Carter
c04068a42b r21188: bumping passdb version number to make sure this is different than the 3.0.25 branch
(This used to be commit b10f4cdfc0767dbd88f29f42fa5a8d9a9c1959a2)
2007-10-10 12:17:46 -05:00
Volker Lendecke
58160aa0eb r20827: Increment the interface version.
Wilco: Existing modules should continue to work, they just must be recompiled.

Volker
(This used to be commit f5babdce9b79ba6abed5d6f57daecc0ed1e14e15)
2007-10-10 12:17:10 -05:00
Volker Lendecke
b906886e9e r20824: Send access to the trusted domain passwords through the pdb backend, so that
in the next step we can store them in LDAP to be replicated across DCs.

Thanks to Michael Adam <ma@sernet.de>

Volker
(This used to be commit 3c879745cfc39be6128b63a88ecdbfa3d9ce6c2d)
2007-10-10 12:17:10 -05:00
Simo Sorce
4225f9a4bd r20116: Start merging in the work done to create the new idmap subsystem.
Simo.
(This used to be commit 50cd8bffeeed2cac755f75fc3d76fe41c451976b)
2007-10-10 12:16:25 -05:00
Gerald Carter
2b27c93a9a r18271: Big change:
* autogenerate lsa ndr code
* rename 'enum SID_NAME_USE' to 'enum lsa_SidType'
* merge a log more security descriptor functions from
  gen_ndr/ndr_security.c in SAMBA_4_0

The most embarassing thing is the "#define strlen_m strlen"
We need a real implementation in SAMBA_3_0 which I'll work on
after this code is in.
(This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2007-10-10 11:51:18 -05:00
Volker Lendecke
03e3cd1d5a r17554: Cleanup
(This used to be commit 761cbd52f0cff6b864c506ec03c94039b6101ef9)
2007-10-10 11:38:38 -05:00
Volker Lendecke
e1e62d8999 r17463: A bit of cleanup work:
Remove some unused code: pdb_find_alias is not used anymore, and nobody I
think has ever used the pdb_nop operations for group mapping. smbpasswd and
tdb use the default ones and ldap has its own.

Make the functions pdb_getgr* return NTSTATUS instead of BOOL. Nobody right
now really makes use of it, but it feels wrong to throw away information so
early.

Volker
(This used to be commit f9856f6490fe44fdba97ea86062237d8c74d4bdc)
2007-10-10 11:38:36 -05:00
Volker Lendecke
ff7c0a7c35 r17451: Change pdb_getgrsid not to take a DOM_SID but a const DOM_SID * as an
argument.

Volker
(This used to be commit 873a5a1211d185fd50e7167d88cbc869f70dfd3f)
2007-10-10 11:38:34 -05:00
Jeremy Allison
fbdcf2663b r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need
to do the upper layer directories but this is what
everyone is waiting for....

Jeremy.
(This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2007-10-10 11:19:14 -05:00
Jeremy Allison
6c94466d7b r16628: Fix bug #3880, reported by jason@ncac.gwu.edu
by ensuring we return the correct enum for sid
type, not a uint32.
Jeremy.
(This used to be commit 98a5e20ff4ceacda65dcc0ce5498ed4ffde520f8)
2007-10-10 11:19:04 -05:00
Gerald Carter
0ce53f8ba5 r14403: * modifies create_local_nt_token() to create a BUILTIN\Administrators
group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes'

* Add a SID domain to the group mapping enumeration passdb call
  to fix the checks for local and builtin groups.  The SID can be
  NULL if you want the old semantics for internal maintenance.
  I only updated the tdb group mapping code.

* remove any group mapping from the tdb that have a
  gid of -1 for better consistency with pdb_ldap.c.
  The fixes the problem with calling add_group_map() in
  the tdb code for unmapped groups which might have had
  a record present.

* Ensure that we distinguish between groups in the
  BUILTIN and local machine domains via getgrnam()
  Other wise BUILTIN\Administrators & SERVER\Administrators
  would resolve to the same gid.

* Doesn't strip the global_sam_name() from groups in the
  local machine's domain (this is required to work with
  'winbind default domain' code)

Still todo.

* Fix fallback Administrators membership for root and domain Admins
  if nested groups = no or winbindd is not running

* issues with "su - user -c 'groups'" command

* There are a few outstanding issues with BUILTIN\Users that
  Windows apparently tends to assume.  I worked around this
  presently with a manual group mapping but I do not think
  this is a good solution.  So I'll probably add some similar
  as I did for Administrators.
(This used to be commit 612979476aef62e8e8eef632fa6be7d30282bb83)
2007-10-10 11:15:28 -05:00
Günther Deschner
e54786b535 r13711: * Correctly handle acb_info/acct_flags as uint32 not as uint16.
* Fix a couple of related parsing issues.
* in the info3 reply in a samlogon, return the ACB-flags (instead of
  returning zero)

Guenther
(This used to be commit 5b89e8bc24f0fdc8b52d5c9e849aba723df34ea7)
2007-10-10 11:10:25 -05:00
Gerald Carter
d95e13e68f r13679: Commiting the rm_primary_group.patch posted on samba-technical
* ignore the primary group SID attribute from struct samu*
* generate the primary group SID strictlky from the Unix
  primary group when dealing with passdb users
* Fix memory leak in original patch caused by failing to free a
  talloc *
* add wrapper around samu_set_unix() to prevent exposing the create
  BOOL to callers.  Wrappers are samu_set_unix() and samu-allic_rid_unix()
(This used to be commit bcf269e2ec6630b78d909010fabd3b69dd6dda84)
2007-10-10 11:10:23 -05:00
Gerald Carter
6622ba566e r13601: * Remove unused code from pdb_ldap.c
* Add a 'struct passwd *' to the struct samu for later reference
  (I know this may be controversial but its easily reverted which is
  is why I'm checking this is as a seaparate patch before I get
  too deep).
* Remove unix_homedir from struct samu {} and update the pdb wrapper
  functions associated with it.
(This used to be commit 92c251fdf0f1f566cfeca3c75ba2284b644aef5d)
2007-10-10 11:10:18 -05:00
Gerald Carter
2203bed32c r13576: This is the beginnings of moving the SAM_ACCOUNT data structure
to make full use of the new talloc() interface.  Discussed with Volker
and Jeremy.

* remove the internal mem_ctx and simply use the talloc()
  structure as the context.
* replace the internal free_fn() with a talloc_destructor() function
* remove the unnecessary private nested structure
* rename SAM_ACCOUNT to 'struct samu' to indicate the current an
  upcoming changes.  Groups will most likely be replaced with a
  'struct samg' in the future.

Note that there are now passbd API changes.  And for the most
part, the wrapper functions remain the same.

While this code has been tested on tdb and ldap based Samba PDC's
as well as Samba member servers, there are probably still
some bugs.  The code also needs more testing under valgrind to
ensure it's not leaking memory.

But it's a start......
(This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2007-10-10 11:10:15 -05:00
Gerald Carter
04af2ab06e r13509: remove unnecessary sql flags
(This used to be commit c3702e804a74276ee53eb73f2d9b1fa9d3874b48)
2007-10-10 11:10:08 -05:00
Volker Lendecke
301d51e13a r13494: Merge the stuff I've done in head the last days.
Volker
(This used to be commit bb40e544de68f01a6e774753f508e69373b39899)
2007-10-10 11:10:06 -05:00
Gerald Carter
75ef18fa75 r13460: by popular demand....
* remove pdb_context data structure
* set default group for DOMAIN_RID_GUEST user as RID 513 (just
  like Windows)
* Allow RID 513 to resolve to always resolve to a name
* Remove auto mapping of guest account primary group given the
  previous 2 changes
(This used to be commit 7a2da5f0cc05c1920c664c9a690a23bdf854e285)
2007-10-10 11:10:04 -05:00
Gerald Carter
0af1500fc0 r13316: Let the carnage begin....
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10 11:06:23 -05:00
Volker Lendecke
efbbd89000 r12055: More cruft
(This used to be commit 4d91f9501cd041ee42410eeace6a9acd9cc57d1c)
2007-10-10 11:05:43 -05:00
Volker Lendecke
05ac2de0df r12051: Merge across the lookup_name and lookup_sid work. Lets see how the build farm
reacts :-)

Volker
(This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7)
2007-10-10 11:05:43 -05:00
Jeremy Allison
48c2f9fc72 r11924: Added Volkers's (C) to srv_samr_nt.c, removed separate "builtin"
search enumeration, fixed count of groups and users to return
zero if we're getting domain info on the builtin domain (need
to fix the enumgroup and enumuser calls also). Added count_sam_aliases
to return the correct alias count. Need to push the SID arg
down into the group mapping interface so we only return the
correct aliases. Upped passdb version numer for Volkers
changes. SAM-MYSQL guys - you will need to fix your backend
now. More tests needed.
Jeremy.
(This used to be commit b53d5cd565b05b0595979efba6176d0cafc8cb03)
2007-10-10 11:05:36 -05:00
Volker Lendecke
046a8873b9 r11922: Looks bigger than it is: There's no point in allocating arrays in
samr_lookup_rids twice. It was done in the srv_samr_nt.c code as well as in
the pdb module. Remove the latter, this might happen more often.

Volker
(This used to be commit 57f0cf8cdd6928f4759036e5dd53d41736aa910d)
2007-10-10 11:05:36 -05:00
Jeremy Allison
8d7c886671 r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4
x86_64 box.
Jeremy.
(This used to be commit d720867a788c735e56d53d63265255830ec21208)
2007-10-10 11:05:02 -05:00
Jim McDonough
254938c636 r10911: part of #2861: add rename support for usrmgr.exe when using tdbsam
This gets it working before replacing tdb with the samba4 version.
(This used to be commit 8210b0503a050e12ee1b4335fa6e50d10ad06577)
2007-10-10 11:04:56 -05:00
Gerald Carter
54abd2aa66 r10656: BIG merge from trunk. Features not copied over
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10 11:04:48 -05:00
Jeremy Allison
19ca97a70f r7882: Looks like a large patch - but what it actually does is make Samba
safe for using our headers and linking with C++ modules. Stops us
from using C++ reserved keywords in our code.
Jeremy
(This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a)
2007-10-10 10:58:00 -05:00
Volker Lendecke
f74f7c933d r6367: Slim down pdb_interface.c a bit. next_entry and search_end are function
pointers now.

Yes, Jeremy, this is about re-inventing C++... :-)

Volker
(This used to be commit a831e54738c7854e68c696e9cbb132c012ff223c)
2007-10-10 10:56:39 -05:00
Volker Lendecke
d3d6126d94 r6351: This is quite a large and intrusive patch, but there are not many pieces that
can be taken out of it, so I decided to commit this in one lump. It changes
the passdb enumerating functions to use ldap paged results where possible. In
particular the samr calls querydispinfo, enumdomusers and friends have
undergone significant internal changes. I have tested this extensively with
rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will
follow later.

The code is based on a first implementation by Günther Deschner, but has
evolved quite a bit since then.

Volker
(This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2007-10-10 10:56:38 -05:00
Volker Lendecke
9f4c0afa0a r6277: This implements a new caching API for enumerating the pdb elements. It is
modeled after query_displayinfo and should hide the differences between users,
groups and aliases while allowing a cache analog load_sampw_entries:

struct pdb_search *pdb_search_users(uint16 acct_flags);
struct pdb_search *pdb_search_groups(void);
struct pdb_search *pdb_search_aliases(const DOM_SID *sid);
uint32 pdb_search_entries(struct pdb_search *search, uint32 start_idx,
                          uint32 max_entries,
                          struct samr_displayentry **result);
void pdb_search_destroy(struct pdb_search *search);

Why this API? Eventually we will need to apply the work gd has started on
enumerating users with paged ldap searches to groups and aliases. Before doing
that I want to clean up the search routines we have.

The sample application (more to follow) is 'net maxrid'.

Volker
(This used to be commit 8b4f67a1e9d459145cde10b1064781d58d62b805)
2007-10-10 10:56:34 -05:00
Jeremy Allison
202c7b4571 r6092: This much const causes the compiler on Fedora Core 2
to throw up.
Jeremy.
(This used to be commit 051f0ed8075a3616484888ab22d68ca11aa1dd36)
2007-10-10 10:56:21 -05:00
Volker Lendecke
e84ead0cfd r6080: Port some of the non-critical changes from HEAD to 3_0. The main one is the
change in pdb_enum_alias_memberships to match samr.idl a bit closer.

Volker
(This used to be commit 3a6786516957d9f67af6d53a3167c88aa272972f)
2007-10-10 10:56:20 -05:00
Jim McDonough
cf7d098b2c r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us
again up to ~6x improvement on group membership lookups.
(This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2007-10-10 10:56:13 -05:00
Jeremy Allison
a5f84481e3 r5655: Added support for Novell NDS universal password. Code donated by
Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to
use Samba conventions.
Vince - thanks a *lot* for this code - please test to make sure
I haven't messed anything up.
Jeremy.
(This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2007-10-10 10:55:54 -05:00
Volker Lendecke
a90a58ff22 r5467: Optimize _samr_query_groupmem with LDAP backend for large domains.
Could someone else please look at this patch, verifying that I did not break
the ldapsam:trusted = False fallback to the old behaviour? It works fine for
me, but you never know. You're certainly free to review the new code as well :-)

Thanks,

Volker
(This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2007-10-10 10:55:41 -05:00
Günther Deschner
6c84ecb556 r5349: After talking with Jerry, reverted the addition of account policies to
passdb in 3_0 (they are still in trunk).

Guenther
(This used to be commit fdf9bdbbac1d8d4f3b3e1fc7e49c1e659b9301b1)
2007-10-10 10:55:38 -05:00
Günther Deschner
a851dcd09a r4932: Forgot to increase version with the account-policy-commit.
Guenther
(This used to be commit 42e380303ddce890f313c221a766dc1e1ee972fb)
2007-10-10 10:55:08 -05:00
Günther Deschner
b4afdc08d5 r4925: Migrate Account Policies to passdb (esp. replicating ldapsam).
Does automated migration from account_policy.tdb v1 and v2 and offers a
pdbedit-Migration interface. Jerry, please feel free to revert that if
you have other plans.

Guenther
(This used to be commit 75af83dfcd8ef365b4b1180453060ae5176389f5)
2007-10-10 10:55:08 -05:00
Günther Deschner
1ed62fde09 r4847: Hand over a acb_mask to pdb_setsampwent in load_sampwd_entries().
This allows the ldap-backend to search much more effeciently. Machines
will be searched in the ldap_machine_suffix and users in the
ldap_users_suffix. (Note that we already use the ldap_group_suffix in
ldapsam_setsamgrent for quite some time).

Using the specific ldap-bases becomes notably important in large
domains: On my testmachine "net rpc trustdom list" has to search through
40k accounts just to list 3 interdomain-trust-accounts, similiar effects
show up the non-user query_dispinfo-calls, etc.

Also renamed all_machines to only_machines in load_sampwd_entries()
since that reflects better what is really meant.

Guenther
(This used to be commit 6394257cc721ca739bda0e320375f04506913533)
2007-10-10 10:53:59 -05:00
Volker Lendecke
f9e87b9ba6 r3705: Nobody has commented, so I'll take this as an ack...
abartlet, I'd like to ask you to take a severe look at this!

We have solved the problem to find the global groups a user is in twice: Once
in auth_util.c and another time for the corresponding samr call. The attached
patch unifies these and sends them through the passdb backend (new function
pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further
optimize the corresponding call if the samba and posix accounts are unified by
issuing a specialized ldap query.

The parameter to activate this ldapsam behaviour is

ldapsam:trusted = yes

Volker
(This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2007-10-10 10:53:15 -05:00
Volker Lendecke
154d5f913b r3566: Completely replace the queryuseraliases call. The previous implementation does
not exactly match what you would expect.

XP workstations during login actually do this, so we should better become a
bit more correct. The LDAP query issued is not really fully optimal, but it is
a lot faster and more correct than what was there before. The change in
passdb.h makes it possible that queryuseraliases is done with a single ldap
query.

Volker
(This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2007-10-10 10:53:09 -05:00
Jeremy Allison
1c5867502a r1388: Adding password history code for ldap backend, based on a patch from
"Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to
linearised pstring due to ordering issues. A few other changes to
fix race conditions. I will add the tdb backend code next. This code
compiles but has not yet been tested with password history policy
set to greater than zero. Targeted for 3.0.6.
Jeremy.
(This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2007-10-10 10:52:09 -05:00
Gerald Carter
7af3777ab3 r116: volker's patch for local group and group nesting
(This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2007-10-10 10:51:10 -05:00
Jim McDonough
357998ddbd Password lockout for LDAP backend. Caches autolock flag, bad count, and
bad time locally, updating the directory only for hitting the policy limit
or resetting.

This needed to be done at the passdb level rather than auth, because some
of the functions need to be supported from tools such as pdbedit.  It was
done at the LDAP backend level instead of generically after discussion,
because of the complexity of inserting it at a higher level.

The login cache read/write/delete is outside of the ldap backend, so it could
easily be called by other backends.  tdbsam won't call it for obvious
reasons, and authors of other backends need to decide if they want to
implement it.
(This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-18 19:22:51 +00:00
Jim McDonough
db61673019 fix typo for callback bit
(This used to be commit 31a15164ffb3f551a5f7006e637036dc3b59bd22)
2004-03-02 18:04:16 +00:00
Jim McDonough
955ec7c6e2 Add bad password time fields
(This used to be commit 59e7c3ababd0bb8bc91cbc421b7a842cca38101f)
2004-02-19 15:57:53 +00:00
Jim McDonough
1fa1e931a3 More sync between passdb on 3.0 and HEAD.
Replace unknown_3 with fields_present.  Also causes rpc_samr structure field changes.
(This used to be commit 1976843345efb6ca4f9cebd964a61acd8ae11d41)
2004-02-12 16:16:53 +00:00
Jelmer Vernooij
430f9abd5f - Put functions for generating SQL queries in pdb_sql.c
- Add pgSQL backend (based on patch by Hamish Friedlander)
- Use query generate functions from pdb_mysql and pdb_pgsql
- Only pdb_pgsql.c needs to be changed whenever the fields in SAM_ACCOUNT change
(This used to be commit 65ad2c02fd2bf36d535c279ad290ab81e39f6816)
2004-01-04 21:09:42 +00:00
Rafal Szczesniak
382e96a614 Typo fix.
(This used to be commit 5054a1731e3bf3bec0687304af63fed475d5f864)
2003-11-20 23:56:42 +00:00
Jeremy Allison
3a48e4b287 The "unknown_5" 32 bit field in the user structs is actually 2 16-bit
fields, bad_password_count and logon_count. Ensure this is stored/fetched
in the various SAMs. As it replaces the unknown_5 field this fits
exactly into the tdb SAM without any binary problems. It also is added
to the LDAP SAM as two extra attributes. It breaks compatibility with
the experimental SAMs xml and mysql. The maintainers of these SAMs must
fix them so upgrades like this can be done transparently. I will insist
on the "experimental" status until this is solved.
Jeremy.
(This used to be commit cd7bd8c2daff3293d48f3376a7c5a708a140fd94)
2003-09-18 23:53:48 +00:00