1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-28 07:21:54 +03:00
Commit Graph

398 Commits

Author SHA1 Message Date
Andrew Tridgell
4023a61892 merged the mangling test and passdb bugfixes into SAMBA_3_0
(This used to be commit 97eb3a121d)
2002-04-12 10:18:46 +00:00
Andrew Tridgell
9cd0306baa This split the mangling code up to allow for the possibility of multiple
mangling implementation, selectable using "mangling method = " in smb.conf

It also tidies the interface a little, although it is still nasty.
(This used to be commit be23d87a17)
2002-04-11 02:20:56 +00:00
Jeremy Allison
4ad0ff29bf Added Shirish's client side caching policy change.
Jeremy.
(This used to be commit 16015c07ea)
2002-04-10 01:04:13 +00:00
Jeremy Allison
87ea010ae1 Fix continual scanning of smb.conf if an include file doesn't exist. Found
by Herb.
Jeremy.
(This used to be commit f4f2a62740)
2002-04-02 19:56:54 +00:00
Jeremy Allison
0cb0c6e903 Added sys_adminlog() system for info the appliance admins really
need to know about. Different from the DEBUG system.
Jeremy.
(This used to be commit 74eac41c68)
2002-03-27 23:17:50 +00:00
Andrew Bartlett
43ba0aa8d9 Minor fixes:
- Fix warnings in loadparm.c
- Remove the unused 'passdb modules path' paramater

- Make pdb_ldap use $ termination rather than the workstation trust account
  flag becouse some 'machine' accounts appear as normal accounts at creation
  time.  Also covers domains etc.

Andrew Bartlett
(This used to be commit 8c82a3daf7)
2002-03-23 08:32:25 +00:00
Jeremy Allison
ffadd471b9 Sync up vfs changes from 2.2.x.
Jeremy.
(This used to be commit ad1e858d8e)
2002-03-19 02:32:39 +00:00
Jeremy Allison
5e3b923124 include/smb_macros.h: Don't round up an allocation if the size is zero.
"One of these locks is not like the others... One of these locks is not
quite the same" :-). When is a zero timeout lock not zero ? When it's
being processed by Windows 2000 of course.. This code change, ugly though
it is - completely fixes the foxpro/access multi-user file system database
problems that people have been having. I used a *wonderful* test program
donated by "Gerald Drouillard" <gerald@drouillard.ca> which allowed me
to completely reproduce this problem, and to finally determine the correct
fix. This also explains why Windows 2000 is *so slow* when responding to
the smbtorture lock tests. I *love* it when all these things come together
and finally make sense :-).
Jeremy.
(This used to be commit 8aa9860ea2)
2002-03-13 20:28:19 +00:00
Jeremy Allison
db4c62d7ed Implemented default ACL patch (set inherit acls = true on a per share basis).
Based on code donated by Olaf Frczyk <olaf@cbk.poznan.pl>. Further commit
will change to sending via vfs interface.
Jeremy.
(This used to be commit d85133e269)
2002-03-11 21:57:12 +00:00
Andrew Tridgell
14b1ec7ccd make default unix charset UTF8
this means that we at least support all unicode chars by default
(This used to be commit 54a3f37449)
2002-03-03 21:38:56 +00:00
Simo Sorce
81f66464b0 compile fix from vance
(This used to be commit b6d62b8b2e)
2002-03-02 19:06:15 +00:00
Andrew Bartlett
f0765f4efe Move these inside the #ifdef to fix the compile on non-LDAPsam systems.
(This used to be commit 75f72f0b6a)
2002-03-02 12:30:06 +00:00
Andrew Bartlett
72c49d2c09 This is now unused
(This used to be commit 6c5052a1a9)
2002-03-02 10:54:56 +00:00
Andrew Bartlett
2ef9be9a99 This patch merges my private LDAP tree into HEAD.
The main change here is to move ldap into the new pluggable passdb subsystem
and to take the LDAP location as a 'location' paramter on the 'passdb backend'
line in the smb.conf.  This is an LDAP URL, parsed by OpenLDAP where supported,
and by hand where it isn't.

It also adds the ldap user suffix and ldap machine suffix smb.conf options,
so that machines added to the LDAP dir don't get mixed in with people.

Non-unix account support is also added.  This means that machines don't need to
be in /etc/passwd or in nss_ldap's scope.

This code has stood up well under my production environment, so it relitivly
well tested.

I'm commiting this now becouse others have shown interest in using it, and
there is no point 'hording' the code :-).

Andrew Bartlett
(This used to be commit cd5234d7dd)
2002-03-02 10:16:28 +00:00
Jeremy Allison
2da4d64cfc Added "nt status support" parameter. Fix offline synchronisation.
Jeremy.
(This used to be commit 9243a9778e)
2002-02-27 21:46:53 +00:00
Herb Lewis
f4ab3072a6 add required flags to "nt acl support" so it will show up in SWAT
(This used to be commit d1ccdb5d1c)
2002-02-25 22:17:53 +00:00
Andrew Tridgell
aa56d46a0d enable large readwrite by default
this should improve performance with w2k clients and seems to work
fine
(This used to be commit 67a3135e04)
2002-02-20 22:54:23 +00:00
Tim Potter
3e5efdb05c Added comment in lp_string() about debugging memory problems.
(This used to be commit 98e97fac17)
2002-02-16 19:34:58 +00:00
Tim Potter
cd68afe312 Removed version number from file header.
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
(This used to be commit 6a58c9bd06)
2002-01-30 06:08:46 +00:00
Jean-François Micouleau
2452515a16 that's the wins replication daemon !
there are still some work to do on it but it's already functionnal.

        J.F.
(This used to be commit 2506c98d19)
2002-01-25 22:53:49 +00:00
Tim Potter
01a1516f15 Initialise password server to "*" in init_globals()
(This used to be commit 97b243c488)
2002-01-25 05:16:40 +00:00
Gerald Carter
528ff0d6f7 merge from 2.2. of
* PRINTER_ATTRIBUTE's
  * "default devmode" parameter
(This used to be commit 90a7a1840b)
2002-01-22 18:14:31 +00:00
Andrew Bartlett
1a74d8d1f0 This is another *BIG* change...
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem.  In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.

This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime.  The 'passdb backend' paramater
has been created (and documented!) to support this.

As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.

This patch also introduces two new backends:  smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd.  These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.

While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly).  Most of this was
to do with % macro expansion on stored data.  It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them.  tdbsam needs
to use a similar system to pdb_ldap in this regard.

This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these.  I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.

Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.

The non-unix-account support in this patch has been proven!  It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!

Other changes:

Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.

pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend).  Extra checks have been added in
some places.

Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.

pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.

The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly.  This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.

Doco:

I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c5)
2002-01-20 14:30:58 +00:00
Andrew Bartlett
1fb9ccc4e2 This is the 'winbind default domain' patch from Alexander Bokovoy
<a.bokovoy@sam-solutions.net>.

The idea is the domain\username is rather harsh for unix systems - people don't
expect to have to FTP, SSH and (in particular) e-mail with a username like
that.

This 'corrects' that - but is not without its own problems.

As you can see from the changes to files like username.c and wb_client.c (smbd's
winbind client code) a lot of assumptions are made in a lot of places about
lp_winbind_seperator determining a users's status as a domain or local user.

The main change I will shortly be making is to investigate and kill off
winbind_initgroups() - as far as I know it was a workaround for an old bug in
winbind itself (and a bug in RH 5.2) and should no longer be relevent.

I am also going to move to using the 'winbind uid' and 'winbind gid' paramaters
to determine a user/groups's 'local' status, rather than the presence of the
seperator.

As such, this functionality is recommended for servers providing unix services,
but is currently less than optimal for windows clients.

(TODO: remove all references to lp_winbind_seperator() and
lp_winbind_use_default_domain() from smbd)

Andrew Bartlett
(This used to be commit 07a21fcd23)
2002-01-18 02:37:55 +00:00
Jeremy Allison
08019e8a33 Separate out get_user_home_dir() from get_user_home_service_dir().
Jeremy.
(This used to be commit c1b97226db)
2002-01-16 23:53:10 +00:00
Martin Pool
fed604bfa3 Roll back PSTRING_SANCTIFY patch; just leave non-controversial type
and constness changes.
(This used to be commit cee0ec7274)
2002-01-16 02:42:07 +00:00
Martin Pool
9964e1f966 Add constness to parameters
(This used to be commit a61abaec06)
2002-01-15 01:38:05 +00:00
Tim Potter
bf22d9cca8 For hysterical raisins you must use string_set() to set the value of a
string in the loadparam Globals struct.  Using pstrcpy was causing every
NULL string was being set to the name of the winbindd log file.  (-:
(This used to be commit 24bae9f055)
2002-01-09 04:17:24 +00:00
Jeremy Allison
4702494dce Added get_called_name() function, which replaces global_myname in printing
code (one less global, hurrah !) - to allow NetBIOS aliasing to be used
with point and print.
Jeremy.
(This used to be commit 10d72f0b01)
2002-01-08 00:46:56 +00:00
Martin Pool
0b66e623f2 Put a name on lp_talloc pool
(This used to be commit 4721217494)
2002-01-03 05:57:21 +00:00
Gerald Carter
93913173ee sync up ldap defaults with 2.2
(This used to be commit 59174310d4)
2002-01-02 22:44:15 +00:00
Andrew Bartlett
f6e6c678ad Add a pile of doxygen style comments to various parts of Samba. Many of these
probably will never actually be genearted, but I like the style in any case.

Also fix a segfault in 'net rpc' when the login failed and a small memory leak
on failure in the auth_info.c code.

Andrew Bartlett
(This used to be commit 2efae7cc52)
2001-12-30 10:54:58 +00:00
Jeremy Allison
9ed10f83d7 Removed global debugf. Replaced with lp_set_logfile(name).
Fixed winbindd to finally stop leaving log. file droppings :-).
Jeremy.
(This used to be commit 0bea6cf79a)
2001-12-20 22:27:05 +00:00
Andrew Tridgell
89f97bb254 fixed sscanf() of gid_t values
(This used to be commit 102af994de)
2001-12-20 09:48:02 +00:00
Jean-François Micouleau
9f59fc64b8 update the ldap support code. it compiles.
Ignacio you can update your howto ;-)

samsync: a small patch to try chaning challenges.

	J.F.
(This used to be commit c99bc30559)
2001-12-13 18:09:29 +00:00
Andrew Tridgell
99c431695c added a "use spnego" option
you need to set "use spnego = no" for w2k to be able to join a samba
domain. Otherwise the w2k box will assume we can do kerberos as a KDC
(This used to be commit b5cb57a367)
2001-12-07 01:01:10 +00:00
Jean-François Micouleau
e0066d2dd4 again an intrusive patch:
- removed the ugly as hell sam_logon_in_ssb variable, I changed a bit the
definition of standard_sub_basic() to cope with that.

- removed the smb.conf: 'domain admin group' and 'domain guest group'
parameters ! We're not playing anymore with the user's group RIDs !

- in get_domain_user_groups(), if the user's gid is a group, put it first
in the group RID list.

I just have to write an HOWTO now ;-)

        J.F.
(This used to be commit fef52c4b96)
2001-12-06 13:09:15 +00:00
Jean-François Micouleau
f3bffe143c removed the #ifdef USING_GROUPNAME_MAP/#endif blocks
that GROUPNAME_MAP has never been used.

I'll delete the smbd/groupname.c file too

	J.F.
(This used to be commit 2285e98f20)
2001-12-01 23:53:32 +00:00
Andrew Bartlett
4499007e45 A number of things to clean up the auth subsytem a bit...
We now default encrypt passwords = yes

We now check plaintext passwords (however aquired) with the 'sam' backend
rather than unix, if encrypt passwords = yes.

(this kills off the 'local' backed.  The sam backend may be renamed in its
place)

The new 'samstrict' wrapper backend checks that the user's domain is one of
our netbios aliases - this ensures that we don't get fallback crazies with
security = domain.

Similarly, the code in the 'ntdomain' and 'smbserver' backends now checks
that the user was not local before contacting the DC.

The default ordering has changed, we now check the local stuff first - but
becouse of the changes above, we will really only ever contact one
auth source.

Andrew Bartlett
(This used to be commit e89b47f65e)
2001-11-26 06:47:04 +00:00
Andrew Tridgell
2eb736f2c3 updated server_role for ADS
(This used to be commit 48df0d2b5d)
2001-11-26 06:18:09 +00:00
Tim Potter
64dd6c3412 Another merge from appliance-head: in [ug]id_to_sid don't call the
winbind function if the id is obviously going to be local.  Cleanup
of winbind [ug]id parameter handling.
(This used to be commit 4ab9ca31a0)
2001-11-26 04:27:51 +00:00
Andrew Tridgell
481c644b7b added 'security=ADS'
(This used to be commit 5a735a88e4)
2001-11-25 23:05:13 +00:00
Andrew Tridgell
ad2974cd05 added "net join" command
this completes the first stage of the smbd ADS support
(This used to be commit 058a5aee90)
2001-11-24 14:16:41 +00:00
Andrew Bartlett
d0a2faf78d This is another rather major change to the samba authenticaion
subystem.

The particular aim is to modularized the interface - so that we
can have arbitrary password back-ends.

This code adds one such back-end, a 'winbind' module to authenticate
against the winbind_auth_crap functionality.  While fully-functional
this code is mainly useful as a demonstration, because we don't get
back the info3 as we would for direct ntdomain authentication.

This commit introduced the new 'auth methods' parameter, in the
spirit of the 'auth order' discussed on the lists.  It is renamed
because not all the methods may be consulted, even if previous
methods fail - they may not have a suitable challenge for example.

Also, we have a 'local' authentication method, for old-style
'unix if plaintext, sam if encrypted' authentication and a
'guest' module to handle guest logins in a single place.

While this current design is not ideal, I feel that it does
provide a better infrastructure than the current design, and can
be built upon.

The following parameters have changed:
 - use rhosts =

  This has been replaced by the 'rhosts' authentication method,
 and can be specified like 'auth methods = guest rhosts'

 - hosts equiv =

  This needs both this parameter and an 'auth methods' entry
  to be effective.  (auth methods = guest hostsequiv ....)

 - plaintext to smbpasswd =

  This is replaced by specifying 'sam' rather than 'local'
  in the auth methods.

The security = parameter is unchanged, and now provides defaults
for the 'auth methods' parameter.

The available auth methods are:

guest
rhosts
hostsequiv
sam (passdb direct hash access)
unix (PAM, crypt() etc)
local (the combination of the above, based on encryption)
smbserver (old security=server)
ntdomain (old security=domain)
winbind (use winbind to cache DC connections)


Assistance in testing, or the production of new and interesting
authentication modules is always appreciated.

Andrew Bartlett
(This used to be commit 8d31eae52a)
2001-11-24 12:12:38 +00:00
Martin Pool
7883798301 Move all other paths into dynconfig
(This used to be commit d51ef6bfa3)
2001-11-19 05:49:20 +00:00
Martin Pool
caef2d2884 LIBDIR and LOCKDIR are dynamically configured too.
(This used to be commit 868999ad3c)
2001-11-19 03:35:27 +00:00
Andrew Bartlett
395aa946cd This change updates lp_guestaccount() to be a *global* paramater, rather than
per-share.  I beleive that almost all the things that this could have done on
a per-share basis can be done with other tools, like 'force user'.

Almost all the user's of this paramater used it as a global anyway...

While this is one step at a time, I hope it will allow me to considerably
simplfy the make_connection() code, particularly for the user-level security
case.

This already removes an absolute truckload of extra attempted password lookups
on the guest account.

Andrew Bartlett
(This used to be commit 8e708332ed)
2001-11-09 11:16:06 +00:00
Gerald Carter
e9ba1dff09 old merge from 2.2
(This used to be commit 292a0265a9)
2001-11-05 05:28:03 +00:00
Andrew Bartlett
6ab678d42b Small 'const' updates ahead of some AuthRewrite merging.
(This used to be commit 3b5e72bda3)
2001-10-31 06:22:19 +00:00
Andrew Tridgell
b728042334 added basic NTLMSSP support in smbd. This is still quite rough, and
loses things like username mapping. I wanted to get this in then
discuss it a bit to see how we want to split up the existing
session setup code
(This used to be commit b74fda69bf)
2001-10-17 08:54:19 +00:00