mirror of https://github.com/samba-team/samba.git synced 2025-01-12 09:18:10 +03:00

163 Commits

Author SHA1 Message Date
James Peach
b4f19aea18 r21881: Make sure we are very specific when testing whether a backend can handle a
particular SID. Make sure that the passdb backend will accept the same set
range of local SIDs that the idmap system sends it.

Simo, Jerry - this is a 3_0_25 candidate. Can you please review?
(This used to be commit 86a70adb6a)
2007-10-10 12:18:43 -05:00
Volker Lendecke
0d91334fe7 r21784: Replace smb_register_idle_event() with event_add_timed(). This fixes winbind
who did not run the idle events to drop ldap connections.

Volker
(This used to be commit af3308ce5a)
2007-10-10 12:18:33 -05:00
Gerald Carter
2b52e35770 r21507: Fix some "cannot access LDAP when no root" bugs.
The two culprits were

* pdb_get_account_policy()
* pdb_get_group_sid()
(This used to be commit 6a69caf690)
2007-10-10 12:18:09 -05:00
Volker Lendecke
b906886e9e r20824: Send access to the trusted domain passwords through the pdb backend, so that
in the next step we can store them in LDAP to be replicated across DCs.

Thanks to Michael Adam <ma@sernet.de>

Volker
(This used to be commit 3c879745cf)
2007-10-10 12:17:10 -05:00
Volker Lendecke
dbea3a2b6f r20707: Clean up pdb_interface.c a bit -- patch from Michael Adam <ma@sernet.de>
(This used to be commit d78c18a9fa)
2007-10-10 12:17:04 -05:00
Simo Sorce
4225f9a4bd r20116: Start merging in the work done to create the new idmap subsystem.
Simo.
(This used to be commit 50cd8bffee)
2007-10-10 12:16:25 -05:00
Jeremy Allison
63609fbb04 r20090: Fix a class of bugs found by James Peach. Ensure
we never mix malloc and talloc'ed contexts in the
add_XX_to_array() and add_XX_to_array_unique()
calls. Ensure that these calls always return
False on out of memory, True otherwise and always
check them. Ensure that the relevant parts of
the conn struct and the nt_user_tokens are
TALLOC_DESTROYED not SAFE_FREE'd.
James - this should fix your crash bug in both
branches.
Jeremy.
(This used to be commit 0ffca7559e)
2007-10-10 12:16:24 -05:00
Gerald Carter
2145eff91d r19419: BUG 4109: Patch from Timur Bakeyev. Fix bug causing smbd to turn off
winbindd and fail to disable the _NO_WINBIND environment.
(This used to be commit a6366b40b3)
2007-10-10 12:15:34 -05:00
Jim McDonough
dc1f0804dd r19058: Implement "user cannot change password", and complete "user must change
password at next logon" code.  The "password last set time" of zero now
means "user must change password", because that's how windows seems to
use it.  The "can change" and "must change" times are now calculated
based on the "last set" time and policies.

We use the "can change" field now to indicate that a user cannot change
a password by putting MAX_TIME_T in it (so long as "last set" time isn't
zero).  Based on this, we set the password-can-change bit in the
faked secdesc.
(This used to be commit 21abbeaee9)
2007-10-10 12:15:06 -05:00
Günther Deschner
a3e1f7e44d r18703: Fix the annoying effect that happens when nscd is running:
We usually do not get the results from user/group script modifications
immediately. A lot of users do add nscd restart/refresh commands into
their scripts to workaround that while we could flush the nscd caches
directly using libnscd.

Guenther
(This used to be commit 7db6ce295a)
2007-10-10 12:00:49 -05:00
Gerald Carter
2b27c93a9a r18271: Big change:
* autogenerate lsa ndr code
* rename 'enum SID_NAME_USE' to 'enum lsa_SidType'
* merge a lot more security descriptor functions from
  gen_ndr/ndr_security.c in SAMBA_4_0

The most embarrassing thing is the "#define strlen_m strlen"
We need a real implementation in SAMBA_3_0 which I'll work on
after this code is in.
(This used to be commit 3da9f80c28)
2007-10-10 11:51:18 -05:00
Volker Lendecke
b9142f20df r17831: Attempt to fix the build farm: 0x7fffffffffffffff needs special casing too I
think. This broke 'make test' because the newly created user was set to be
kicked off Mi, 22 Jan 1975 23:55:33 CET (unix time 159663333) with the
setuserinfo21 call.

I'm not 100% sure that 0x7ff... means max time as I do it here, I vaguely
remember it to mean "don't touch".

Does anybody know that for sure?

Jeremy, please check this.

Thanks,

Volker
(This used to be commit 872d1299eb)
2007-10-10 11:38:52 -05:00
Gerald Carter
c9f9c65050 r17669: Remove RID algorithm support from unmapped users and groups
when using smbpasswd
(This used to be commit dde552336c)
2007-10-10 11:38:45 -05:00
Volker Lendecke
03e3cd1d5a r17554: Cleanup
(This used to be commit 761cbd52f0)
2007-10-10 11:38:38 -05:00
Volker Lendecke
76362d0d33 r17468: To minimize the diff later on, pre-commit some changes independently: Change
internal mapping.c functions to return NTSTATUS instead of BOOL.

Volker
(This used to be commit 4ebfc30a28)
2007-10-10 11:38:36 -05:00
Volker Lendecke
d802774e02 r17465: Get rid of add_initial_entry. In the two places it was called in it seemed a
bit pointless to me.

Volker
(This used to be commit 244b25ae49)
2007-10-10 11:38:36 -05:00
Volker Lendecke
e1e62d8999 r17463: A bit of cleanup work:
Remove some unused code: pdb_find_alias is not used anymore, and nobody I
think has ever used the pdb_nop operations for group mapping. smbpasswd and
tdb use the default ones and ldap has its own.

Make the functions pdb_getgr* return NTSTATUS instead of BOOL. Nobody right
now really makes use of it, but it feels wrong to throw away information so
early.

Volker
(This used to be commit f9856f6490)
2007-10-10 11:38:36 -05:00
Volker Lendecke
ff7c0a7c35 r17451: Change pdb_getgrsid not to take a DOM_SID but a const DOM_SID * as an
argument.

Volker
(This used to be commit 873a5a1211)
2007-10-10 11:38:34 -05:00
Gerald Carter
9f6fb43eee r17150: MMC User & group plugins fixes:
* Make sure to lower case all usernames before
  calling the create, delete, or rename hooks.
* Preserve case for usernames in passdb
* Flush the getpwnam cache after renaming a user
* Add become/unbecome root block in _samr_delete_dom_user()
  when trying to verify the account's existence.
(This used to be commit bbe11b7a95)
2007-10-10 11:38:16 -05:00
Jeremy Allison
fbdcf2663b r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need
to do the upper layer directories but this is what
everyone is waiting for....

Jeremy.
(This used to be commit 9dafb7f48c)
2007-10-10 11:19:14 -05:00
Jeremy Allison
6c94466d7b r16628: Fix bug #3880, reported by jason@ncac.gwu.edu
by ensuring we return the correct enum for sid
type, not a uint32.
Jeremy.
(This used to be commit 98a5e20ff4)
2007-10-10 11:19:04 -05:00
Jeremy Allison
684dd7f2cf r16383: Klocwork #1086. No null deref.
Jeremy.
(This used to be commit 7b68a2acfc)
2007-10-10 11:18:50 -05:00
Jeremy Allison
f9147c4e40 r16241: Fix Klocwork #106 and others like it.
Make 2 important changes. pdb_get_methods()
returning NULL is a *fatal* error. Don't try
and cope with it just call smb_panic. This
removes a *lot* of pointless "if (!pdb)" handling
code. Secondly, ensure that if samu_init()
fails we *always* back out of a function. That
way we are never in a situation where the pdb_XXX()
functions need to start with a "if (sampass)"
test - this was just bad design, not defensive
programming.
Jeremy.
(This used to be commit a0d368197d)
2007-10-10 11:17:27 -05:00
Paul Green
31693197be r15283: Oh yeah. The build farm doesn't do much with head. OK, here is the patch to SAMBA_3_0 to declare prototypes for the initialization functions. These are the same changes I just made to head. --paulg
(This used to be commit 17774387ad)
2007-10-10 11:16:31 -05:00
Volker Lendecke
4cde26cfc9 r15009: Add a check for NULL
(This used to be commit 0a7d4f1ab1)
2007-10-10 11:15:56 -05:00
Gerald Carter
e4998337e7 r14868: I will not write code when changing to Daylight Savings Time.
I will not write code when changing to Daylight Savings Time.
I will not write code when changing to Daylight Savings Time.
I will not write code when changing to Daylight Savings Time.
I will not write code when changing to Daylight Savings Time.
I will not write code when changing to Daylight Savings Time.
I will not write code when changing to Daylight Savings Time.
I will not write code when changing to Daylight Savings Time.
I will not write code when changing to Daylight Savings Time.

...

Fix my brain dead inverted logic for turning winbindd on and off
when run on a DC or when calling pdb functions from within winbindd.
(This used to be commit 021b3dc2db)
2007-10-10 11:15:52 -05:00
Gerald Carter
6c9eaa6880 r14855: Various fixes:
* deprecate 'acl group control' after discussion with Jeremy
  and implement functionality as part of 'dos filemode'
* fix winbindd on a non-member server to expand local groups
* prevent code previously only used by smbd from blindly
  turning _NO_WINBINDD back on
(This used to be commit 4ab372f4ca)
2007-10-10 11:15:51 -05:00
Jelmer Vernooij
ac2b7c0d93 r14696: make pdb_find_backend_entry public (for use by an external "multi" pdb backend)
(This used to be commit c149421ef7)
2007-10-10 11:15:44 -05:00
Gerald Carter
1839b4be14 r14634: Many bug fixes thanks to train rides and overnight stays in airports
* Finally fix parsing idmap uid/gid ranges not to break with spaces
  surrounding the '-'
* Allow local groups to be renamed by adding info level 2 to
  _samr_set_aliasinfo()
* Fix parsing bug in _samr_del_dom_alias() reply
* Prevent root from being deleted via Samba
* Prevent builtin groups from being renamed or deleted
* Fix bug in pdb_tdb that broke renaming user accounts
* Make sure winbindd is running when trying to create the Administrators
  and Users BUILTIN groups automatically from smbd (and not just check the
  winbind nested groups parameter value).
* Have the top level rid allocator verify that the RID it is about to
  grant is not already assigned in our own SAM (retries up to 250 times).
  This fixes passdb with existing SIDs assigned to users from the RID algorithm
  but not monotonically allocating the RIDs from passdb.
(This used to be commit db1162241f)
2007-10-10 11:15:41 -05:00
Gerald Carter
5aa66fd039 r14577: BUG Fixes:
* Add back in the import/export support to pdbedit
* Fix segv in pam_smbpass
* Cleanup some error paths in pdb_tdb and pdb_interface
(This used to be commit df53d64910)
2007-10-10 11:15:37 -05:00
Gerald Carter
41a0da4cfc r14457: Add a few more special cases for RID 513 in the samr code.
Now that I know what all the requirements for this group are
I can generalize the code some more and make it cleaner.
But at least this is working with lusrmgr.msc on XP and 2k now.
(This used to be commit d2c1842978)
2007-10-10 11:15:31 -05:00
Gerald Carter
0ce53f8ba5 r14403: * modifies create_local_nt_token() to create a BUILTIN\Administrators
group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes'

* Add a SID domain to the group mapping enumeration passdb call
  to fix the checks for local and builtin groups.  The SID can be
  NULL if you want the old semantics for internal maintenance.
  I only updated the tdb group mapping code.

* remove any group mapping from the tdb that have a
  gid of -1 for better consistency with pdb_ldap.c.
  This fixes the problem with calling add_group_map() in
  the tdb code for unmapped groups which might have had
  a record present.

* Ensure that we distinguish between groups in the
  BUILTIN and local machine domains via getgrnam()
  Otherwise BUILTIN\Administrators & SERVER\Administrators
  would resolve to the same gid.

* Doesn't strip the global_sam_name() from groups in the
  local machine's domain (this is required to work with
  'winbind default domain' code)

Still todo.

* Fix fallback Administrators membership for root and domain Admins
  if nested groups = no or winbindd is not running

* issues with "su - user -c 'groups'" command

* There are a few outstanding issues with BUILTIN\Users that
  Windows apparently tends to assume.  I worked around this
  presently with a manual group mapping but I do not think
  this is a good solution.  So I'll probably add some similar
  as I did for Administrators.
(This used to be commit 612979476a)
2007-10-10 11:15:28 -05:00
Gerald Carter
a8325d28d2 r13756: use samu_new() rather than calling talloc() directly.
(This used to be commit c13af58f63)
2007-10-10 11:10:52 -05:00
Volker Lendecke
ded57f29b3 r13727: Fix a segfault
(This used to be commit 76c100834d)
2007-10-10 11:10:51 -05:00
Günther Deschner
e54786b535 r13711: * Correctly handle acb_info/acct_flags as uint32 not as uint16.
* Fix a couple of related parsing issues.
* in the info3 reply in a samlogon, return the ACB-flags (instead of
  returning zero)

Guenther
(This used to be commit 5b89e8bc24)
2007-10-10 11:10:25 -05:00
Jeremy Allison
2ef2e01314 r13704: Janitor for tpot.
Jeremy
-------------
Slightly smaller version of pdb_get_methods() patch.  Turns out that
callers to initialize_password_db() use the reload parameter so this
has turned in to a smaller cleanup than I thought.
(This used to be commit 7e243104eb)
2007-10-10 11:10:24 -05:00
Gerald Carter
d95e13e68f r13679: Committing the rm_primary_group.patch posted on samba-technical
* ignore the primary group SID attribute from struct samu*
* generate the primary group SID strictly from the Unix
  primary group when dealing with passdb users
* Fix memory leak in original patch caused by failing to free a
  talloc *
* add wrapper around samu_set_unix() to prevent exposing the create
  BOOL to callers.  Wrappers are samu_set_unix() and samu-allic_rid_unix()
(This used to be commit bcf269e2ec)
2007-10-10 11:10:23 -05:00
Gerald Carter
cd55919263 r13590: * replace all pdb_init_sam[_talloc]() calls with samu_new()
* replace all pdb_{init,fill}_sam_pw() calls with samu_set_unix()
(This used to be commit 6f1afa4acc)
2007-10-10 11:10:16 -05:00
Gerald Carter
2203bed32c r13576: This is the beginnings of moving the SAM_ACCOUNT data structure
to make full use of the new talloc() interface.  Discussed with Volker
and Jeremy.

* remove the internal mem_ctx and simply use the talloc()
  structure as the context.
* replace the internal free_fn() with a talloc_destructor() function
* remove the unnecessary private nested structure
* rename SAM_ACCOUNT to 'struct samu' to indicate the current and
  upcoming changes.  Groups will most likely be replaced with a
  'struct samg' in the future.

Note that there are now passdb API changes.  And for the most
part, the wrapper functions remain the same.

While this code has been tested on tdb and ldap based Samba PDC's
as well as Samba member servers, there are probably still
some bugs.  The code also needs more testing under valgrind to
ensure it's not leaking memory.

But it's a start......
(This used to be commit 19b7593972)
2007-10-10 11:10:15 -05:00
Gerald Carter
fb5362c069 r13571: Replace all calls to talloc_free() with the TALLOC_FREE()
macro which sets the freed pointer to NULL.
(This used to be commit b65be8874a)
2007-10-10 11:10:14 -05:00
Gerald Carter
671c0098f6 r13545: A patch which I think its time has come. Volker, we can talk about
this more but it gets around the primary group issue.

* don't map a SID to a name from the group mapping code if
  the map doesn't have a valid gid.  This is only an issue
  in a tdb setup
* Always allow S-1-$DOMAIN-513 to resolve (just like Windows)
* if we cannot resolve a user's primary GID to a SID, then set
  it to S-1-$DOMAIN-513
* Ignore the primary group SID inside pdb_enum_group_memberships().
  Only look at the Unix group membership.

Jeremy, this fixes a fresh install startup for smbd as far as my tests
are concerned.
(This used to be commit f79f4dc4c5)
2007-10-10 11:10:12 -05:00
Volker Lendecke
301d51e13a r13494: Merge the stuff I've done in head the last days.
Volker
(This used to be commit bb40e544de)
2007-10-10 11:10:06 -05:00
Volker Lendecke
3b67210eec r13493: module_name and module_location are the same string. Fix a valgrind
error.

Volker
(This used to be commit 5a92df31d6)
2007-10-10 11:10:06 -05:00
Gerald Carter
75ef18fa75 r13460: by popular demand....
* remove pdb_context data structure
* set default group for DOMAIN_RID_GUEST user as RID 513 (just
  like Windows)
* Allow RID 513 to always resolve to a name
* Remove auto mapping of guest account primary group given the
  previous 2 changes
(This used to be commit 7a2da5f0cc)
2007-10-10 11:10:04 -05:00
Gerald Carter
0af1500fc0 r13316: Let the carnage begin....
Sync with trunk as of r13315
(This used to be commit 17e63ac4ed)
2007-10-10 11:06:23 -05:00
Volker Lendecke
661c5c741a r12163: Change lookup_sid and lookup_name to return const char * instead of char *,
use a temporary talloc_ctx for clarity.

Volker
(This used to be commit b15815c804)
2007-10-10 11:05:46 -05:00
Volker Lendecke
05ac2de0df r12051: Merge across the lookup_name and lookup_sid work. Lets see how the build farm
reacts :-)

Volker
(This used to be commit 9f99d04a54)
2007-10-10 11:05:43 -05:00
Volker Lendecke
10bc204efb r11923: Add samr_lookup_rids for the builtin domain. Doing it this way feels a bit
wrong, but so far we don't have proper multi-domain support in passdb yet...

Volker
(This used to be commit c917cfc320)
2007-10-10 11:05:36 -05:00
Volker Lendecke
046a8873b9 r11922: Looks bigger than it is: There's no point in allocating arrays in
samr_lookup_rids twice. It was done in the srv_samr_nt.c code as well as in
the pdb module. Remove the latter, this might happen more often.

Volker
(This used to be commit 57f0cf8cdd)
2007-10-10 11:05:36 -05:00
Jeremy Allison
8d7c886671 r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4
x86_64 box.
Jeremy.
(This used to be commit d720867a78)
2007-10-10 11:05:02 -05:00
Jim McDonough
254938c636 r10911: part of #2861: add rename support for usrmgr.exe when using tdbsam
This gets it working before replacing tdb with the samba4 version.
(This used to be commit 8210b0503a)
2007-10-10 11:04:56 -05:00
Gerald Carter
54abd2aa66 r10656: BIG merge from trunk. Features not copied over
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d7)
2007-10-10 11:04:48 -05:00
Jeremy Allison
19ca97a70f r7882: Looks like a large patch - but what it actually does is make Samba
safe for using our headers and linking with C++ modules. Stops us
from using C++ reserved keywords in our code.
Jeremy
(This used to be commit 9506b8e145)
2007-10-10 10:58:00 -05:00
Volker Lendecke
f74f7c933d r6367: Slim down pdb_interface.c a bit. next_entry and search_end are function
pointers now.

Yes, Jeremy, this is about re-inventing C++... :-)

Volker
(This used to be commit a831e54738)
2007-10-10 10:56:39 -05:00
Volker Lendecke
d3d6126d94 r6351: This is quite a large and intrusive patch, but there are not many pieces that
can be taken out of it, so I decided to commit this in one lump. It changes
the passdb enumerating functions to use ldap paged results where possible. In
particular the samr calls querydispinfo, enumdomusers and friends have
undergone significant internal changes. I have tested this extensively with
rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will
follow later.

The code is based on a first implementation by Günther Deschner, but has
evolved quite a bit since then.

Volker
(This used to be commit f0bb44ac58)
2007-10-10 10:56:38 -05:00
Volker Lendecke
9f4c0afa0a r6277: This implements a new caching API for enumerating the pdb elements. It is
modeled after query_displayinfo and should hide the differences between users,
groups and aliases while allowing a cache analog load_sampw_entries:

struct pdb_search *pdb_search_users(uint16 acct_flags);
struct pdb_search *pdb_search_groups(void);
struct pdb_search *pdb_search_aliases(const DOM_SID *sid);
uint32 pdb_search_entries(struct pdb_search *search, uint32 start_idx,
                          uint32 max_entries,
                          struct samr_displayentry **result);
void pdb_search_destroy(struct pdb_search *search);

Why this API? Eventually we will need to apply the work gd has started on
enumerating users with paged ldap searches to groups and aliases. Before doing
that I want to clean up the search routines we have.

The sample application (more to follow) is 'net maxrid'.

Volker
(This used to be commit 8b4f67a1e9)
2007-10-10 10:56:34 -05:00
Jeremy Allison
202c7b4571 r6092: This much const causes the compiler on Fedora Core 2
to throw up.
Jeremy.
(This used to be commit 051f0ed807)
2007-10-10 10:56:21 -05:00
Volker Lendecke
e84ead0cfd r6080: Port some of the non-critical changes from HEAD to 3_0. The main one is the
change in pdb_enum_alias_memberships to match samr.idl a bit closer.

Volker
(This used to be commit 3a67865169)
2007-10-10 10:56:20 -05:00
Jim McDonough
cf7d098b2c r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us
again up to ~6x improvement on group membership lookups.
(This used to be commit e2117bcb09)
2007-10-10 10:56:13 -05:00
Gerald Carter
dbd5c968d7 r5951: gotta love that SGI compiler :-) (thanks Jason)
(This used to be commit e84d070275)
2007-10-10 10:56:10 -05:00
Jeremy Allison
a5f84481e3 r5655: Added support for Novell NDS universal password. Code donated by
Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to
use Samba conventions.
Vince - thanks a *lot* for this code - please test to make sure
I haven't messed anything up.
Jeremy.
(This used to be commit 6f5ea963ab)
2007-10-10 10:55:54 -05:00
Volker Lendecke
a90a58ff22 r5467: Optimize _samr_query_groupmem with LDAP backend for large domains.
Could someone else please look at this patch, verifying that I did not break
the ldapsam:trusted = False fallback to the old behaviour? It works fine for
me, but you never know. You're certainly free to review the new code as well :-)

Thanks,

Volker
(This used to be commit e1c3ca182b)
2007-10-10 10:55:41 -05:00
Günther Deschner
6c84ecb556 r5349: After talking with Jerry, reverted the addition of account policies to
passdb in 3_0 (they are still in trunk).

Guenther
(This used to be commit fdf9bdbbac)
2007-10-10 10:55:38 -05:00
Gerald Carter
e512799c00 r4996: sync up copyrights with trunk
(This used to be commit 8946efe102)
2007-10-10 10:55:11 -05:00
Günther Deschner
b4afdc08d5 r4925: Migrate Account Policies to passdb (esp. replicating ldapsam).
Does automated migration from account_policy.tdb v1 and v2 and offers a
pdbedit-Migration interface. Jerry, please feel free to revert that if
you have other plans.

Guenther
(This used to be commit 75af83dfcd)
2007-10-10 10:55:08 -05:00
Günther Deschner
1ed62fde09 r4847: Hand over a acb_mask to pdb_setsampwent in load_sampwd_entries().
This allows the ldap-backend to search much more efficiently. Machines
will be searched in the ldap_machine_suffix and users in the
ldap_users_suffix. (Note that we already use the ldap_group_suffix in
ldapsam_setsamgrent for quite some time).

Using the specific ldap-bases becomes notably important in large
domains: On my testmachine "net rpc trustdom list" has to search through
40k accounts just to list 3 interdomain-trust-accounts, similar effects
show up the non-user query_dispinfo-calls, etc.

Also renamed all_machines to only_machines in load_sampwd_entries()
since that reflects better what is really meant.

Guenther
(This used to be commit 6394257cc7)
2007-10-10 10:53:59 -05:00
Jeremy Allison
acf9d61421 r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f)
2007-10-10 10:53:32 -05:00
Volker Lendecke
f9e87b9ba6 r3705: Nobody has commented, so I'll take this as an ack...
abartlet, I'd like to ask you to take a severe look at this!

We have solved the problem to find the global groups a user is in twice: Once
in auth_util.c and another time for the corresponding samr call. The attached
patch unifies these and sends them through the passdb backend (new function
pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further
optimize the corresponding call if the samba and posix accounts are unified by
issuing a specialized ldap query.

The parameter to activate this ldapsam behaviour is

ldapsam:trusted = yes

Volker
(This used to be commit b94838aff1)
2007-10-10 10:53:15 -05:00
Volker Lendecke
69ddbbf97b r3704: Implement a cache that saves the result of a pdb_getsampwnam for later
retrieval by pdb_getsampwsid. This solves our problem that we do lots of calls
to LDAP during a typical XP login. XP does a lookupnames, then an openuser and
some queryinfo stuff. Lookupnames triggers the initial getsampwnam, and all
the subsequent ones make us call getsampwsid. This patch gets this down to one
call to LDAP.

Yes, a more "correct" way would be to stick the information to the open user
handle, but this one is simpler and saves the LDAP roundtrip for the openuser
call.

Volker
(This used to be commit 3d9758fa3c)
2007-10-10 10:53:15 -05:00
Volker Lendecke
154d5f913b r3566: Completely replace the queryuseraliases call. The previous implementation does
not exactly match what you would expect.

XP workstations during login actually do this, so we should better become a
bit more correct. The LDAP query issued is not really fully optimal, but it is
a lot faster and more correct than what was there before. The change in
passdb.h makes it possible that queryuseraliases is done with a single ldap
query.

Volker
(This used to be commit 2508d4ed1e)
2007-10-10 10:53:09 -05:00
Volker Lendecke
69a91df4ed r145: pdb_create_alias now returns NTSTATUS. More of this to follow.
Volker
(This used to be commit 6e18bed170)
2007-10-10 10:51:11 -05:00
Gerald Carter
7af3777ab3 r116: volker's patch for local group and group nesting
(This used to be commit b393469d95)
2007-10-10 10:51:10 -05:00
Volker Lendecke
e692b991d1 And another little const
(This used to be commit f6bb3304fc)
2004-02-26 11:07:06 +00:00
Gerald Carter
eaece3bbe6 abartlet's pdb_set/changed flag fix for NULL passwords
(This used to be commit cfe80f0df7)
2004-02-12 17:51:23 +00:00
Gerald Carter
b6a320bdc1 stupid cut-n-paste error; my fault
(This used to be commit ee8f142b87)
2004-02-12 17:09:01 +00:00
Gerald Carter
471e558b28 move disabling code to context functions instead of backwards compatible wrappers
(This used to be commit e62ef2ba2d)
2004-02-04 19:46:29 +00:00
Gerald Carter
3141a26677 disable any account that doesn't have a password and doesn't have the ACB_PWNOTREQ bit set
(This used to be commit 52bf070b10)
2004-01-30 14:59:40 +00:00
Gerald Carter
d4420dc902 more initialization fixes
(This used to be commit 9e590d6035)
2004-01-29 22:16:58 +00:00
Gerald Carter
6566a89bee initialization fixes
(This used to be commit 54fd3992c3)
2004-01-29 20:14:50 +00:00
Jeremy Allison
94f59f5492 More tuning from cachegrind. Change most trim_string() calls to trim_char(0,
as that's what they do. Fix string_replace() to fast-path ascii.
Jeremy.
(This used to be commit f35e9a8b90)
2003-09-05 19:59:55 +00:00
Volker Lendecke
aca3fa9149 Add the 'guest' passdb backend automatically if
guest account != ""

Volker
(This used to be commit 21d330af10)
2003-06-30 14:55:45 +00:00
Gerald Carter
f51d769dd3 large change:
*)  consolidates the dc location routines again (dns
    and netbios)  get_dc_list() or get_sorted_dc_list()
    is the authoritative means of locating DC's again.

    (also includes a flag to get_dc_list() to define
     if this should be a DNS only lookup or not)

    (however, if you set "name resolve order = hosts wins"
     you could still get DNS queries for domain name IFF
     ldap_domain2hostlist() fails.  The answer?  Fix your DNS
     setup)

*)  enabled DOMAIN<0x1c> lookups to be funneled through
    resolve_hosts resulting in a call to ldap_domain2hostlist()
    if lp_security() == SEC_ADS

*)  enables name cache for winbind ADS backend

*)  enable the negative connection cache for winbind
    ADS backend

*)  removes some old dead code

*)  consolidates some duplicate code

*)  moves the internal_name_resolve() to use an IP/port pair
    to deal with SRV RR dns replies.  The namecache code
    also supports the IP:port syntax now as well.

*)  removes 'ads server' and moves the functionality back
    into 'password server' (which can support "hostname:port"
    syntax now but works fine with defaults depending on
    the value of lp_security())
(This used to be commit d7f7fcda42)
2003-06-25 17:41:05 +00:00
Simo Sorce
f5974dfaae Found out a good number of NT_STATUS_IS_ERR used the wrong way.
As abartlet reminded me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK

This patch will cure the problem.
Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is
used correctly, but I'm not 100% sure, coders should check the use of
NT_STATUS_IS_ERR() in samba is ok now.

Simo.
(This used to be commit c501e84d41)
2003-06-22 10:09:52 +00:00
Jim McDonough
187ef2eb2a Fix bug #136: "passdb backend = " caused smbd to segfault.
Instead, spit out an error message.
(This used to be commit 22f083b227)
2003-06-20 17:39:53 +00:00
Simo Sorce
75a5c0b307 Ok, this patch removes the privilege stuff we had in, unused, for some time.
The code was nice, but put in the wrong place (group mapping) and not
supported by most of the code, thus useless.

We will put back most of the code when our infrastructure will be changed
so that privileges actually really make sense to be set.

This is a first patch of a set to enhance all our mapping code cleanness and
stability towards a sane next beta for 3.0 code base

Simo.
(This used to be commit e341e7c49f)
2003-06-18 15:24:10 +00:00
Simo Sorce
9e9849c0ee add metze's patch for smb_register functions
(This used to be commit 1480c7e8c7)
2003-05-16 06:20:57 +00:00
Jelmer Vernooij
0914e541f5 Reverse previous patch from Stefan and me after comments by Andrew Bartlett
(This used to be commit d817eaf0ec)
2003-05-10 11:49:51 +00:00
Jelmer Vernooij
c507ebe567 Patch from metze and me that adds dummy smb_register_*() functions so
that is now possible to, for example, load a module which contains
an auth method into a binary without the auth/ subsystem built in.
(This used to be commit 74d9ecfe2d)
2003-05-10 10:53:48 +00:00
Jelmer Vernooij
d2373e7dce Make the version numbers ints (patch from metze)
(This used to be commit dbe36b4c43)
2003-04-30 23:06:44 +00:00
Jelmer Vernooij
17a3acafa8 Use NTSTATUS as return value for smb_register_*() functions and init_module()
function. Patch by metze with some minor modifications.
(This used to be commit bc4b51bcb2)
2003-04-28 17:48:48 +00:00
Jelmer Vernooij
ec750c5d52 - Get rid of module_path_get_name()
- Use find backend function to find duplicates
- declare static function before using it
(This used to be commit ad5ebd4f20)
2003-04-24 20:36:41 +00:00
Jelmer Vernooij
0971cbb9eb Pdb modules are in $libdir/pdb not $libdir/passdb
(This used to be commit 9c9d969c93)
2003-04-21 00:38:39 +00:00
Jelmer Vernooij
9c3cecbdac Use the new modules system for passdb (merge from HEAD)
(This used to be commit 1755d5f662)
2003-04-15 16:01:14 +00:00
Andrew Bartlett
3d8c50c874 Thanks to volker, merge passdb changes from HEAD:
- pdb_guest (including change defaults)
 - 'default' passdb actions (instead of 'not implemented' stubs in each module)

 - net_rpc_samsync no longer assumes pdb_unix

Andrew Bartlett
(This used to be commit 4bec53c8c8)
2003-03-22 09:03:46 +00:00
Jeremy Allison
ef8bd7c4f7 Forward port the change to talloc_init() to make all talloc contexts
named. Ensure we can query them.
Jeremy.
(This used to be commit 09a218a9f6)
2002-12-20 20:21:31 +00:00
Jelmer Vernooij
7c64e03d9d Remove #ifdef's for NISPLUS_SAM - there are no function name collisions anymore
(This used to be commit 32c93921b0)
2002-11-14 18:21:22 +00:00
Jeremy Allison
2f194322d4 Removed global_myworkgroup, global_myname, global_myscope. Added liberal
dashes of const. This is a rather large check-in, some things may break.
It does compile though :-).
Jeremy.
(This used to be commit f755711df8)
2002-11-12 23:20:50 +00:00
Andrew Bartlett
6d7195d1d7 Merge passdb from HEAD -> 3.0
The work here includes:
 - metze's set/changed patch, which avoids making changes to ldap on unmodified
attributes.

 - volker's group mapping in passdb patch

 - volker's samsync stuff
 - volker's SAMR changes.

 - metze's connection caching patch

 - my recent changes (fix magic root check, ldap ssl)

Andrew Bartlett
(This used to be commit 2044d60bbe)
2002-11-02 03:47:48 +00:00
Jelmer Vernooij
12b1a63ceb Only run free_private_data when specified (reported by Steve Langasek aka vorlon)
(This used to be commit ecd3acbfcf)
2002-10-25 00:38:10 +00:00
Gerald Carter
7d1eb6f7b6 sync with HEAD
(This used to be commit ee9cbf5807)
2002-09-26 18:58:34 +00:00