1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

163 Commits

Author SHA1 Message Date
Jim McDonough
254938c636 r10911: part of #2861: add rename support for usrmgr.exe when using tdbsam
This gets it working before replacing tdb with the samba4 version.
(This used to be commit 8210b0503a)
2007-10-10 11:04:56 -05:00
Gerald Carter
54abd2aa66 r10656: BIG merge from trunk. Features not copied over
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d7)
2007-10-10 11:04:48 -05:00
Jeremy Allison
19ca97a70f r7882: Looks like a large patch - but what it actually does is make Samba
safe for using our headers and linking with C++ modules. Stops us
from using C++ reserved keywords in our code.
Jeremy
(This used to be commit 9506b8e145)
2007-10-10 10:58:00 -05:00
Volker Lendecke
f74f7c933d r6367: Slim down pdb_interface.c a bit. next_entry and search_end are function
pointers now.

Yes, Jeremy, this is about re-inventing C++... :-)

Volker
(This used to be commit a831e54738)
2007-10-10 10:56:39 -05:00
Volker Lendecke
d3d6126d94 r6351: This is quite a large and intrusive patch, but there are not many pieces that
can be taken out of it, so I decided to commit this in one lump. It changes
the passdb enumerating functions to use ldap paged results where possible. In
particular the samr calls querydispinfo, enumdomusers and friends have
undergone significant internal changes. I have tested this extensively with
rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will
follow later.

The code is based on a first implementation by Günther Deschner, but has
evolved quite a bit since then.

Volker
(This used to be commit f0bb44ac58)
2007-10-10 10:56:38 -05:00
Volker Lendecke
9f4c0afa0a r6277: This implements a new caching API for enumerating the pdb elements. It is
modeled after query_displayinfo and should hide the differences between users,
groups and aliases while allowing a cache analog load_sampw_entries:

struct pdb_search *pdb_search_users(uint16 acct_flags);
struct pdb_search *pdb_search_groups(void);
struct pdb_search *pdb_search_aliases(const DOM_SID *sid);
uint32 pdb_search_entries(struct pdb_search *search, uint32 start_idx,
                          uint32 max_entries,
                          struct samr_displayentry **result);
void pdb_search_destroy(struct pdb_search *search);

Why this API? Eventually we will need to apply the work gd has started on
enumerating users with paged ldap searches to groups and aliases. Before doing
that I want to clean up the search routines we have.

The sample application (more to follow) is 'net maxrid'.

Volker
(This used to be commit 8b4f67a1e9)
2007-10-10 10:56:34 -05:00
Jeremy Allison
202c7b4571 r6092: This much const causes the compiler on Fedora Core 2
to throw up.
Jeremy.
(This used to be commit 051f0ed807)
2007-10-10 10:56:21 -05:00
Volker Lendecke
e84ead0cfd r6080: Port some of the non-critical changes from HEAD to 3_0. The main one is the
change in pdb_enum_alias_memberships to match samr.idl a bit closer.

Volker
(This used to be commit 3a67865169)
2007-10-10 10:56:20 -05:00
Jim McDonough
cf7d098b2c r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us
again up to ~6x improvement on group membership lookups.
(This used to be commit e2117bcb09)
2007-10-10 10:56:13 -05:00
Gerald Carter
dbd5c968d7 r5951: gotta love that SGI compiler :-) (thanks Jason)
(This used to be commit e84d070275)
2007-10-10 10:56:10 -05:00
Jeremy Allison
a5f84481e3 r5655: Added support for Novell NDS universal password. Code donated by
Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to
use Samba conventions.
Vince - thanks a *lot* for this code - please test to make sure
I haven't messed anything up.
Jeremy.
(This used to be commit 6f5ea963ab)
2007-10-10 10:55:54 -05:00
Volker Lendecke
a90a58ff22 r5467: Optimize _samr_query_groupmem with LDAP backend for large domains.
Could someone else please look at this patch, verifying that I did not break
the ldapsam:trusted = False fallback to the old behaviour? It works fine for
me, but you never know. You're certainly free to review the new code as well :-)

Thanks,

Volker
(This used to be commit e1c3ca182b)
2007-10-10 10:55:41 -05:00
Günther Deschner
6c84ecb556 r5349: After talking with Jerry, reverted the addition of account policies to
passdb in 3_0 (they are still in trunk).

Guenther
(This used to be commit fdf9bdbbac)
2007-10-10 10:55:38 -05:00
Gerald Carter
e512799c00 r4996: sync up copytights with trunk
(This used to be commit 8946efe102)
2007-10-10 10:55:11 -05:00
Günther Deschner
b4afdc08d5 r4925: Migrate Account Policies to passdb (esp. replicating ldapsam).
Does automated migration from account_policy.tdb v1 and v2 and offers a
pdbedit-Migration interface. Jerry, please feel free to revert that if
you have other plans.

Guenther
(This used to be commit 75af83dfcd)
2007-10-10 10:55:08 -05:00
Günther Deschner
1ed62fde09 r4847: Hand over a acb_mask to pdb_setsampwent in load_sampwd_entries().
This allows the ldap-backend to search much more effeciently. Machines
will be searched in the ldap_machine_suffix and users in the
ldap_users_suffix. (Note that we already use the ldap_group_suffix in
ldapsam_setsamgrent for quite some time).

Using the specific ldap-bases becomes notably important in large
domains: On my testmachine "net rpc trustdom list" has to search through
40k accounts just to list 3 interdomain-trust-accounts, similiar effects
show up the non-user query_dispinfo-calls, etc.

Also renamed all_machines to only_machines in load_sampwd_entries()
since that reflects better what is really meant.

Guenther
(This used to be commit 6394257cc7)
2007-10-10 10:53:59 -05:00
Jeremy Allison
acf9d61421 r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f)
2007-10-10 10:53:32 -05:00
Volker Lendecke
f9e87b9ba6 r3705: Nobody has commented, so I'll take this as an ack...
abartlet, I'd like to ask you to take a severe look at this!

We have solved the problem to find the global groups a user is in twice: Once
in auth_util.c and another time for the corresponding samr call. The attached
patch unifies these and sends them through the passdb backend (new function
pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further
optimize the corresponding call if the samba and posix accounts are unified by
issuing a specialized ldap query.

The parameter to activate this ldapsam behaviour is

ldapsam:trusted = yes

Volker
(This used to be commit b94838aff1)
2007-10-10 10:53:15 -05:00
Volker Lendecke
69ddbbf97b r3704: Implement a cache get saves the result of a pdb_getsampwnam for later
retrieval by pdb_getsampwsid. This solves our problem that we do lots of calls
to LDAP during a typical XP login. XP does a lookupnames, then an openuser and
some queryinfo stuff. Lookupnames triggers the initial getsampwnam, and all
the subsequent ones make us call getsampwsid. This patch gets this down to one
call to LDAP.

Yes, a more "correct" way would be to stick the information to the open user
handle, but this one is simpler and saves the LDAP roundtrip for the openuser
call.

Volker
(This used to be commit 3d9758fa3c)
2007-10-10 10:53:15 -05:00
Volker Lendecke
154d5f913b r3566: Completely replace the queryuseraliases call. The previous implementation does
not exactly match what you would expect.

XP workstations during login actually do this, so we should better become a
bit more correct. The LDAP query issued is not really fully optimal, but it is
a lot faster and more correct than what was there before. The change in
passdb.h makes it possible that queryuseraliases is done with a single ldap
query.

Volker
(This used to be commit 2508d4ed1e)
2007-10-10 10:53:09 -05:00
Volker Lendecke
69a91df4ed r145: pdb_create_alias now returns NTSTATUS. More of this to follow.
Volker
(This used to be commit 6e18bed170)
2007-10-10 10:51:11 -05:00
Gerald Carter
7af3777ab3 r116: volker's patch for local group and group nesting
(This used to be commit b393469d95)
2007-10-10 10:51:10 -05:00
Volker Lendecke
e692b991d1 And another little const
(This used to be commit f6bb3304fc)
2004-02-26 11:07:06 +00:00
Gerald Carter
eaece3bbe6 abartlet's pdb_set/changed flag fix for NULL passwords
(This used to be commit cfe80f0df7)
2004-02-12 17:51:23 +00:00
Gerald Carter
b6a320bdc1 stupid cut-n=paste error; my fault
(This used to be commit ee8f142b87)
2004-02-12 17:09:01 +00:00
Gerald Carter
471e558b28 move disabling code to context functions instead of backwards compatible wrappers
(This used to be commit e62ef2ba2d)
2004-02-04 19:46:29 +00:00
Gerald Carter
3141a26677 disable any account that doesn't have a password and doesn't had the ACB_PWNOTREQ bit set
(This used to be commit 52bf070b10)
2004-01-30 14:59:40 +00:00
Gerald Carter
d4420dc902 more initialization fixes
(This used to be commit 9e590d6035)
2004-01-29 22:16:58 +00:00
Gerald Carter
6566a89bee initialization fixes
(This used to be commit 54fd3992c3)
2004-01-29 20:14:50 +00:00
Jeremy Allison
94f59f5492 More tuning from cachegrind. Change most trim_string() calls to trim_char(0,
as that's what they do. Fix string_replace() to fast-path ascii.
Jeremy.
(This used to be commit f35e9a8b90)
2003-09-05 19:59:55 +00:00
Volker Lendecke
aca3fa9149 Add the 'guest' passdb backend automatically if
guest account != ""

Volker
(This used to be commit 21d330af10)
2003-06-30 14:55:45 +00:00
Gerald Carter
f51d769dd3 large change:
*)  consolidates the dc location routines again (dns
    and netbios)  get_dc_list() or get_sorted_dc_list()
    is the authoritative means of locating DC's again.

    (also inludes a flag to get_dc_list() to define
     if this should be a DNS only lookup or not)

    (however, if you set "name resolve order = hosts wins"
     you could still get DNS queries for domain name IFF
     ldap_domain2hostlist() fails.  The answer?  Fix your DNS
     setup)

*)  enabled DOMAIN<0x1c> lookups to be funneled through
    resolve_hosts resulting in a call to ldap_domain2hostlist()
    if lp_security() == SEC_ADS

*)  enables name cache for winbind ADS backend

*)  enable the negative connection cache for winbind
    ADS backend

*)  removes some old dead code

*)  consolidates some duplicate code

*)  moves the internal_name_resolve() to use an IP/port pair
    to deal with SRV RR dns replies.  The namecache code
    also supports the IP:port syntax now as well.

*)  removes 'ads server' and moves the functionality back
    into 'password server' (which can support "hostname:port"
    syntax now but works fine with defaults depending on
    the value of lp_security())
(This used to be commit d7f7fcda42)
2003-06-25 17:41:05 +00:00
Simo Sorce
f5974dfaae Found out a good number of NT_STATUS_IS_ERR used the wrong way.
As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK

This patch will cure the problem.
Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is
used correctly, but I'm not 100% sure, coders should check the use of
NT_STATUS_IS_ERR() in samba is ok now.

Simo.
(This used to be commit c501e84d41)
2003-06-22 10:09:52 +00:00
Jim McDonough
187ef2eb2a Fix bug #136: "passdb backend = " caused smbd to segfault.
Instead, spit out an error message.
(This used to be commit 22f083b227)
2003-06-20 17:39:53 +00:00
Simo Sorce
75a5c0b307 Ok, this patch removes the privilege stuff we had in, unused, for some time.
The code was nice, but put in the wrong place (group mapping) and not
supported by most of the code, thus useless.

We will put back most of the code when our infrastructure will be changed
so that privileges actually really make sense to be set.

This is a first patch of a set to enhance all our mapping code cleaness and
stability towards a sane next beta for 3.0 code base

Simo.
(This used to be commit e341e7c49f)
2003-06-18 15:24:10 +00:00
Simo Sorce
9e9849c0ee add metze's patch for smb_register functions
(This used to be commit 1480c7e8c7)
2003-05-16 06:20:57 +00:00
Jelmer Vernooij
0914e541f5 Reverse previous patch from Stefan and me after comments by Andrew Bartlett
(This used to be commit d817eaf0ec)
2003-05-10 11:49:51 +00:00
Jelmer Vernooij
c507ebe567 Patch from metze and me that adds dummy smb_register_*() functions so
that is now possible to, for example, load a module which contains
an auth method into a binary without the auth/ subsystem built in.
(This used to be commit 74d9ecfe2d)
2003-05-10 10:53:48 +00:00
Jelmer Vernooij
d2373e7dce Make the version numbers ints (patch from metze)
(This used to be commit dbe36b4c43)
2003-04-30 23:06:44 +00:00
Jelmer Vernooij
17a3acafa8 Use NTSTATUS as return value for smb_register_*() functions and init_module()
function. Patch by metze with some minor modifications.
(This used to be commit bc4b51bcb2)
2003-04-28 17:48:48 +00:00
Jelmer Vernooij
ec750c5d52 - Get rid of module_path_get_name()
- Use find backend function to find duplicates
- declare static function before using it
(This used to be commit ad5ebd4f20)
2003-04-24 20:36:41 +00:00
Jelmer Vernooij
0971cbb9eb Pdb modules are in $libdir/pdb not $libdir/passdb
(This used to be commit 9c9d969c93)
2003-04-21 00:38:39 +00:00
Jelmer Vernooij
9c3cecbdac Use the new modules system for passdb (merge from HEAD)
(This used to be commit 1755d5f662)
2003-04-15 16:01:14 +00:00
Andrew Bartlett
3d8c50c874 Thanks to volker, merge passdb changes from HEAD:
- pdb_guest (including change defaults)
 - 'default' passdb actions (instead of 'not implemented' stubs in each module)

 - net_rpc_samsync no longer assumes pdb_unix

Andrew Bartlett
(This used to be commit 4bec53c8c8)
2003-03-22 09:03:46 +00:00
Jeremy Allison
ef8bd7c4f7 Forward port the change to talloc_init() to make all talloc contexts
named. Ensure we can query them.
Jeremy.
(This used to be commit 09a218a9f6)
2002-12-20 20:21:31 +00:00
Jelmer Vernooij
7c64e03d9d Remove #ifdef's for NISPLUS_SAM - there are no function name collisions anymore
(This used to be commit 32c93921b0)
2002-11-14 18:21:22 +00:00
Jeremy Allison
2f194322d4 Removed global_myworkgroup, global_myname, global_myscope. Added liberal
dashes of const. This is a rather large check-in, some things may break.
It does compile though :-).
Jeremy.
(This used to be commit f755711df8)
2002-11-12 23:20:50 +00:00
Andrew Bartlett
6d7195d1d7 Merge passdb from HEAD -> 3.0
The work here includes:
 - metze' set/changed patch, which avoids making changes to ldap on unmodified
attributes.

 - volker's group mapping in passdb patch

 - volker's samsync stuff
 - volkers SAMR changes.

 - mezte's connection caching patch

 - my recent changes (fix magic root check, ldap ssl)

Andrew Bartlett
(This used to be commit 2044d60bbe)
2002-11-02 03:47:48 +00:00
Jelmer Vernooij
12b1a63ceb Only run free_private_data when specified (reported by Steve Langasek aka vorlon)
(This used to be commit ecd3acbfcf)
2002-10-25 00:38:10 +00:00
Gerald Carter
7d1eb6f7b6 sync with HEAD
(This used to be commit ee9cbf5807)
2002-09-26 18:58:34 +00:00
Gerald Carter
a834a73e34 sync'ing up for 3.0alpha20 release
(This used to be commit 65e7b5273b)
2002-09-25 15:19:00 +00:00
Jelmer Vernooij
b2edf254ed sync 3.0 branch with head
(This used to be commit 3928578b52)
2002-08-17 17:00:51 +00:00
Andrew Tridgell
e90b652848 updated the 3.0 branch from the head branch - ready for alpha18
(This used to be commit 03ac082dcb)
2002-07-15 10:35:28 +00:00
Tim Potter
18d011d736 Fixed memory leak in make_pdb_context_name()
Some reformatting and spelling fixes.
(This used to be commit a0f7bbad11)
2002-04-04 03:53:43 +00:00
Simo Sorce
050b80356e second step to gain free uid<->rid mapping
we still need to free gid<->rid mapping and few other stuff
(This used to be commit aa4b6f8181)
2002-03-19 13:57:53 +00:00
Simo Sorce
9fffb0859d Start to switch away from the alghorithmic uid->rid mapping model
(This used to be commit 724390a8da)
2002-03-18 11:35:53 +00:00
Tim Potter
ab13654dc9 Renamed get_nt_error_msg() to nt_errstr().
(This used to be commit 1f007d3ed4)
2002-03-17 04:36:35 +00:00
Andrew Bartlett
2ef9be9a99 This patch merges my private LDAP tree into HEAD.
The main change here is to move ldap into the new pluggable passdb subsystem
and to take the LDAP location as a 'location' paramter on the 'passdb backend'
line in the smb.conf.  This is an LDAP URL, parsed by OpenLDAP where supported,
and by hand where it isn't.

It also adds the ldap user suffix and ldap machine suffix smb.conf options,
so that machines added to the LDAP dir don't get mixed in with people.

Non-unix account support is also added.  This means that machines don't need to
be in /etc/passwd or in nss_ldap's scope.

This code has stood up well under my production environment, so it relitivly
well tested.

I'm commiting this now becouse others have shown interest in using it, and
there is no point 'hording' the code :-).

Andrew Bartlett
(This used to be commit cd5234d7dd)
2002-03-02 10:16:28 +00:00
Andrew Bartlett
527aaf6def Add the pdb_plugin module from Jelmer Vernooij <jelmer@nl.linux.org>.
This allow the user to select
'passdb backend = plugin : /path/to/plugin.so : pluging args'

And load any arbitary plugin.  Apparently Jelmer has a mysql plugin in the
works - hence this patch.

We probably need to rework the interface a bit before 3.0 (add versioning of
some kind) but this is a good start.

Andrew Bartlett
(This used to be commit d6d18b70f0)
2002-02-22 02:47:53 +00:00
Tim Potter
cd68afe312 Removed version number from file header.
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
(This used to be commit 6a58c9bd06)
2002-01-30 06:08:46 +00:00
Andrew Bartlett
806991158e fix typo
(This used to be commit 8ffc024ebc)
2002-01-26 06:18:59 +00:00
Andrew Bartlett
320f7cb4ac Passdb changes:
Modules now name themselves, which should allow for sane behaviour when we get
an 'extern' passdb module (which in turn loads a .so).

Fix up tdbsam for non-unix-accounts.  Not sure if this fixes idra's bug, but
its a start...

Andrew Bartlett
(This used to be commit 7d576d89d7)
2002-01-25 11:44:15 +00:00
Andrew Bartlett
1a74d8d1f0 This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem.  In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.

This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime.  The 'passdb backend' paramater
has been created (and documented!) to support this.

As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.

This patch also introduces two new backends:  smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd.  These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.

While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly).  Most of this was
to do with % macro expansion on stored data.  It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them.  tdbsam needs
to use a similar system to pdb_ldap in this regard.

This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these.  I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.

Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.

The non-unix-account support in this patch has been proven!  It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!

Other changes:

Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.

pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend).  Extra checks have been added in
some places.

Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.

pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.

The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly.  This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.

Doco:

I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c5)
2002-01-20 14:30:58 +00:00