IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
calls to init_unistr2() in the code and every one of them got the 3rd
argument incorrect, so I thought it best just to remove the argument.
The incorrect usage was caused by callers using strlen() to determine
the length of the string. The 3rd argument to init_unistr2() was
supposed to be the character length, not the byte length of the
string, so for non-english this could come out wrong.
I also removed the bogus 'always allocate at least 256 bytes'
hack. There may be some code that relies on this, but if there is then
the code is broken and needs fixing.
This is not 100% the same as what SuSE shipped in their Samba, there is
a crash bug fix, a race condition fix, and a few logic changes I'd like to
discuss with Andreas. Added Andreas to (C) notices for posix_acls.c
Jeremy.
Currently this calls back to mapping.c, but we have the framework
to get the information into LDAP and the passdb.tdb (should we? I
think so..).
This has received moderate testing with net rpc vampire and
usrmgr. I found the add_groupmem segfault in add_aliasmem as
well, but that will be another checkin.
Volker
The actual design change is relitivly small however:
It all goes back to jerry's 'BOOL store', added to many of the elements in a
SAM_ACCOUNT. This ensured that smb.conf defaults did not get 'fixed' into
ldap. This was a great win for admins, and this patch follows in the same way.
This patch extends the concept - we don't store values back into LDAP unless
they have been changed. So if we read a value, but don't update it, or we
read a value, find it's not there and use a default, we will not update
ldap with that value. This reduced clutter in our LDAP DB, and makes it
easier to change defaults later on.
Metze's particular problem was that when we 'write back' an unchanged value,
we would clear any muliple values in that feild. Now he can still have his
mulitivalued 'uid' feild, without Samba changing it for *every* other
operation.
This also applies to many other attributes, and helps to eliminate a nasty
race condition. (Time between get and set)
This patch is big, and needs more testing, but metze has tested usrmgr, and
I've fixed some pdbedit bugs, and tested domain joins, so it isn't compleatly
flawed ;-).
The same system will be introduced into the SAM code shortly, but this fixes
bugs that people were coming across in production uses of Samba 3.0/HEAD, hence
it's inclusion here.
Andrew Bartlett
better job of working with usrmgr. Previously we were blanking out entires,
and all sort of mischif.
The new patch (which I've now had a chance to test/modify) also takes care not
to expand % values (ie we go \\%L\%U -> \\server\user, we don't want to store
\\server\user back) and to correctly notice 'not set' compared to 'null string'
etc.
Andrew Bartlett
When creating a group you have to take care of the fact that the
underlying unix might not like the group name. This change gets around
that problem by giving the add group script the chance to invent a
group name. It then must only return the newly created numerical gid.
Volker
acb_mask/all_machines flag combination. The avoids a bug where we were listing
users in the 'trusting domains' dialog in usrmgr.
We might also need to invalidate the cache for some other SAMR actions.
Andrew Bartlett
the DC's SAM. We were only returning workstations, not PDCs or BDCs.
Win2k's 'Computer Manager' tool uses this to list all computers in the domain
(as opposed to using NetBIOS).
Andrew Bartlett
might be ugly, etc - please don't blame me for anything but instead try to fix
the code :-). Compiling of the new sam system can be enabled with the
configure option --with-sam
Removing passdb/passgrp.c as it's unused
fix typo in utils/testparm.c
patches:
Andrew Bartlett
From his e-mail:
Below I attach the following patches as a result of my work
on trusted domains support:
1) srv_samr_nt.c.diff
This fixes a bug which caused to return null string as
the first entry of enumerated accounts list (no matter what
entry, it was always null string and rid) and possibly
spoiled further names, depeding on their length.
I found that while testing my 'net rpc trustdom list'
against nt servers and samba server.
2) libsmb.diff
Now, fallback to anonymous connection works correctly.
3) smbpasswd.c.diff
Just a little fix which actually allows one to create
a trusting domain account using smbpasswd
4) typos.diff
As the name suggests, it's just a few typos fix :)
(and yes, some of these are real bugs)
In particular, the samr code was doing an &foo of various types, to a function
that assumed uint32. If time_t isn't 32 bits long, that broke.
They are assignment compatible however, so use that and an intermediate
variable.
Andrew Bartlett
the 'user cannot change password' button work. Needs help from a future SAM
backend, but at least this parses the data, and returns an error.
Andrew Bartlett
This is not the final solution, I think this will probably changed with the
move to the new SAM subsystem, but it allows some research and gives us
somthing to start with.
It should also help with getting proper NT_TOKEN passing set-up.
Original patch by "Kai Krueger" <kai@kruegernetz.de>, which I have modified to
pass back NTSTATUS returns in more places and to use a little more common code.
Andrew Bartlett
*.o) and implment new enum_dom_users code in the SAMR RPC subsystem.
Incresingly, we are using the pdb_get_{user,group}_sid() functions, in the
eventual hope that we might one day support muliple domains off a single
passdb. To extract the RID, we use sid_peek_check_rid(), and supply an
'expected' domain SID.
The id21 -> SAM_ACCOUNT and id23 -> SAM_ACCOUNT code has been moved to
srv_samr_util.c, to ease linking in passdb users.
Compatiblity code that uses 'get_global_sam_sid()' for the 'expected' sid is in
pdb_compat.c
Andrew Bartlett
to using SIDs instead of RIDs.
The new funciton sid_peek_check_rid() takes an 'expected domain sid' argument.
The idea here is to prevent mistakes where the SID is implict, but isn't
the same one that we have in the struct.
Andrew Bartlett
involving the use of lp_winbind_gid() without checking if they have been
set.
Also revert the 'clashing user' check back to a Get_Pwnam() - I probably should
never have changed it.
Andrew Bartlett
initialising function. This patch thanks to the work of
"Stefan (metze) Metzmacher" <metze@metzemix.de>
This is partly to enable the transition to SIDs in the the passdb.
Andrew Bartlett
returning access denied for a SAMR_CONNECT by an anonymous user which
seems to be the way 2K does it rather than blocking individual RPC
calls like NT.
Also checked is the SAMR_GET_DOM_PWINFO rpc which for some reason
doesn't require a policy handle to return information. No idea what
it's actually used.
passdb interface change, now the passdb modules will be asked for SID not for rid, the modules have been updated with a passthrough function that calls the old getsampwrid() functions.
srv_samr_nt.c functions that made use of the pdb_getsampwrid funcion has been updated to use the SID one.
Importantly:
The removal of the silly 'delete user script' behaviour when secuity=domain.
I have left the name the same - as it still does the (previously documented,
but not in smb.conf(5)) sane behaviour of deleting users on request.
When we decide what to do with the 'add user' functionality, we might
rename it.
Andrew Bartlett
