1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

1907 Commits

Author SHA1 Message Date
Christian Ambach
55dd9e6a9c s3:passdb/pdb_samba_dsdb make the module handle well-known
overwrite the passdb defaults and let this module handle well-knowns

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2013-06-21 10:44:20 +02:00
Christian Ambach
0ad38d777f s3:passdb add pdb_*_is_responsible_for* functions
allows PDB modules to specify for which special domains they
are responsible when it comes to SID->xid conversion

By default, passdb modules will be responsible for local BUILTIN,
local SAM and Unix Users/Groups

Pair-Programmed-With: Michael Adam <obnox@samba.org>

Signed-off-by: Christian Ambach <ambi@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
2013-06-21 10:44:19 +02:00
Christian Ambach
0ad89c3cc9 s3:passdb/samba_dsdb fix some compiler warnings
about gids and group_sids being potentially uninitialized

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2013-06-21 10:44:18 +02:00
Christian Ambach
e211b5c5d2 s3:passdb/samba_dsdb fix a compiler warning
about discarding const modifier

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2013-06-21 10:44:18 +02:00
Andrew Bartlett
f073401abf passdb-machine_account_secrets: Remove #if SAMBA_BUILD_ == 4 now we only have the waf build
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>

Reviewed-by: David Disseldorp <ddiss@samba.org>
2013-05-28 12:17:12 +10:00
Andrew Bartlett
1165776d86 pdb_ldap: Do not skip accounts without a sambaAcctFlags value
We allow this to mean a sambaAcctFlags value of zero in other parts of the code
and by allowing these users to show up in a search, we can read and correct them
during the classicupgrade, rather than not know they exist at all.

Most parts of the code do not look for ACB_NORMAL, which is why
these users appear to work.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-05-16 19:02:02 +02:00
Alexander Bokovoy
5952755755 PASSDB: add support to set and enumerate UPN suffixes associated with our forest
Samba PDC may manage a forest containing DNS domains in addition to the primary one.
Information about them is advertised via netr_DsRGetForestTrustInformation when
trusted_domain_name is NULL, according to MS-NRPC and MS-LSAD, and
via netr_GetForestTrustInformation.

This changeset only expands PASSDB API; how suffixes are maintained is left
to specific PDB modules. Set function is added so that suffixes could be
managed through 'net' and other Samba utilities, if possible.

One possible implementation is available for ipasam module in FreeIPA:
http://git.fedorahosted.org/cgit/freeipa.git/commit/?id=cc56723151c9ebf58d891e85617319d861af14a4

Reviewed-by: Andreas Schneider <asn@samba.org>
2013-04-09 20:29:18 +02:00
Andreas Schneider
b510e5e6c4 pdb: Fix array overrun by one.
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2013-02-22 16:36:13 +01:00
Rusty Russell
2f4b21bb57 ntdb: switch between secrets.tdb and secrets.ntdb depending on 'use ntdb'
Since we open with dbwrap, it auto-converts old tdbs (which it will
rename to secrets.tdb.bak once it's done).

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Rusty Russell <rusty@rustcorp.com.au>
Autobuild-Date(master): Wed Feb 20 07:09:19 CET 2013 on sn-devel-104
2013-02-20 07:09:19 +01:00
Andreas Schneider
1b582c4bf8 Rename pdb_ldap to pdb_ldapsam
This patch moves pdb_ldap to pdb_ldapsam unconditionally
and makes possible to load ldapsam.so dynamically

Reviewed-by: Alexander Bokovoy <ab@samba.org>
2013-02-06 11:51:11 +01:00
Andreas Schneider
3d1abb9328 waf: Fix pdb_ldap which cannot be built as a module.
The module has two init functions, pdb_ldap_init() and
pdb_ldapsam_init(). As a shared module only one can be found until we
create a symlink.

Reviewed-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jan 23 10:51:59 CET 2013 on sn-devel-104
2013-01-23 10:51:59 +01:00
Andrew Bartlett
b9fbce2061 passdb: Add discard_const_p() to pdb_samba_dsdb
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-01-10 18:46:22 +11:00
Michael Adam
61e8b80c85 s3:passdb: fix building pdb_ldap as shared module
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Dec  3 19:12:29 CET 2012 on sn-devel-104
2012-12-03 19:12:29 +01:00
Michael Adam
93c0c0749a s3:passdb: don't look into group mappings in legacy_sid_to_unixid()
The backends (tdbsam and ldapsam) do this.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:31 +01:00
Michael Adam
5fbdc5f35a s3:passdb:pdb_ldap: treat "Unix User" and "Unix Group" in sid_to_id()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:31 +01:00
Michael Adam
a0f4129448 s3:passdb:pdb_ldap: pre-validate sid with sid_check_object_is_for_passdb()
instead of sid_check_sid_is_in_our_sam). This allows for builtin sids,
wellknown sids and "Unix User" and "Unix Group" domains.

This broadens up the check moved here in commit
02e25b2a43.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:30 +01:00
Michael Adam
671f534e5e s3:passdb: add sid_check_object_is_for_passdb()
Variant of sid_check_is_for_passdb() that only checks for objects
in the various domains, not for the domain sids themselves.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:30 +01:00
Michael Adam
d96aeded61 s3:passdb: factor pdb_sid_to_id_unix_users_and_groups() out of pdb_default_sid_to_id()
The special treatment of the "Unix User" and "Unix Group" pseudo domains
can be reused.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:30 +01:00
Michael Adam
ef0ed56eb1 s3:passdb: don't bail out in pdb_default_sid_to_id() if sid is not in our sam
This code treats the own sam, builtin, wellknown, and sids from the
"Unix User" and "Unix Group" pseudo-domains.

This reverts part of commit 02e25b2a43.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:30 +01:00
Michael Adam
845a142107 build the new sid_check_is_for_passdb() function into passdb
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:29 +01:00
Christian Ambach
43606bcbbf s3:passdb formatting changes
fix some trailing whitespace and a typo
2012-09-27 04:36:52 +02:00
Andrew Bartlett
3902e7332d lib/util/charset: We do not use fucntions from wchar.h any more
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Sep 26 02:13:10 CEST 2012 on sn-devel-104
2012-09-26 02:13:10 +02:00
Andrew Bartlett
fe2071cd3b build: Fix enabled handling for HAVE_LDAP, we need to use bld.CONFIG_SET
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Sep 22 09:09:17 CEST 2012 on sn-devel-104
2012-09-22 09:09:16 +02:00
Christian Ambach
83ed9b52e7 s3:pdb_ldap remove unused function
Autobuild-User(master): Christian Ambach <ambi@samba.org>
Autobuild-Date(master): Sat Sep 22 04:28:37 CEST 2012 on sn-devel-104
2012-09-22 04:28:37 +02:00
Alexander Bokovoy
86a4ca2864 s3: make smbldaphelper subsystem an internal library
Break pdb_ldap -> smbldaphelper -> pdb -> pdb_ldap loop by
making smbldaphelp intentionally underlinked internal library.

It means that libsmbldaphelp is not usable unless its user is
also linked to libpdb (that is the case for both its users,
idmap_ldap and pdb_ldap, already) but gives us a break of
the circular dependency in case pdb_ldap statically linked
into pdb (default).

This should solve case when idmap_ldap and pdb_ldap are dynamically
loaded modules

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Fri Sep 14 01:02:21 CEST 2012 on sn-devel-104
2012-09-14 01:02:21 +02:00
Alexander Bokovoy
be7a856f5b s3: make ldapsam-related functions a smbldaphelper subsystem
Since these functions are used in pdb_ldap and idmap_ldap, and
pdb_ldap might be statically linked to libpdb (default), it is
better to keep them as separate subsystem to avoid polluting libpdb
namespace.

This is first step in refactoring libpdb. Right now I cannot move
these functions into proper libsmbldaphelper as it uses more of
libpdb-included functions and linking pdb_ldap against libsmbldaphelper
library would have created a loop if pdb_ldap is included into libpdb.

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Thu Sep 13 17:36:07 CEST 2012 on sn-devel-104
2012-09-13 17:36:07 +02:00
Alexander Bokovoy
d55980ccad s3-pdb: filter out more symbols only used in ldapsam internals 2012-09-12 08:49:32 +02:00
Alexander Bokovoy
d709748070 s3-passdb: update abi_match and ignore more statically linked functions
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Mon Sep 10 16:14:50 CEST 2012 on sn-devel-104
2012-09-10 16:14:50 +02:00
Alexander Bokovoy
140bb288be s3-smbldap: use smbldap_ prefixed functions 2012-09-07 12:31:42 +02:00
Alexander Bokovoy
a43774a257 s3-waf: avoid exporting init symbols from statically linked modules
WAF builds with and without AD DC affect list of statically linked
modules that are added into libpdb. This makes impossible to have
ABI for libpdb that does not depend on configured features.

By making init functions from statically linked modules to have local
scope in shared libraries, we avoid unwarranted ABI changes.

Additionally, pdb_samba_dsdb imports IDMAP subsystem of source4/ as
it is not a shared library. Making its symbols private as well.

Finally, in order to have the filtering of symbols work, libpdb
has to be public library.
2012-09-07 12:31:42 +02:00
Alexander Bokovoy
d08242c840 s3-passdb: convert pdb_ipa to use secrets wrappers 2012-09-07 12:31:42 +02:00
Alexander Bokovoy
57ce825c8b s3-passdb: convert pdb_ldap to use secrets wrappers 2012-09-07 12:31:42 +02:00
Alexander Bokovoy
c2e2857db4 s3-passdb: wrap secrets.tdb accessors used by PDB modules
PDB modules store domain sid and guid in secrets.tdb to cooperate
with other parts of smbd. If PDB module is built outside Samba
source code it has to be linked against internal libsecrets.

Wrap required secrets_* calls to avoid direct linking. libpdb
is linked against libsecrets by itself and this is enough.
2012-09-07 12:31:42 +02:00
Michele Baldessari
d0159f6673 Free protect_ids in secret_store_domain_guid() as the caller of fetch_secrets() must free the result in order to not leak memory.
Signed-off-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Sep  7 04:11:43 CEST 2012 on sn-devel-104
2012-09-07 04:11:43 +02:00
Michele Baldessari
e00ac55994 Free protect_ids in secret_store_domain_sid() as the caller of fetch_secrets() must free the result in order to not leak memory.
Signed-off-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Sep  5 22:20:45 CEST 2012 on sn-devel-104
2012-09-05 22:20:45 +02:00
Volker Lendecke
1c9b1e0766 s3: Fix some nonempty blank lines
Signed-off-by: Jeremy Allison <jra@samba.org>
2012-09-04 15:15:00 -07:00
Andrew Bartlett
9983ad7a80 s3-passdb: Rename pdb_samba4 to samba_dsdb and autoconfigure when we are a AD DC
The name samba_dsdb is not ideal, but it matches the primary ldb
module we use, and more importantly it avoids having '4' in the name.
We should slowly avoid using the term samba4 in long-term places like
the smb.conf because it is confusing to users given we are shipping
Samba 4.0 as an AD DC as well as all the other supported roles (domain
member/standalone server/classic DC)

Additionally, samba4 will be an odd name when we eventually release
Samba 5.0!

samba4 remains accepted as an alias to ensure existing smb.conf files
load, but to allow changes here in the future, we set the value during
the smb.conf load, and not during the provision when we are an AD DC.

This simplifies the default smb.conf for the vast majority of our
users and reduces the number of things listed in smb.conf files that
we later have to work around if we wish to change the
name/implementation of the passdb glue module again.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Sep  4 04:45:16 CEST 2012 on sn-devel-104
2012-09-04 04:45:16 +02:00
Volker Lendecke
2ffe69082e s3: Remove a shadowing variable declaration 2012-09-01 03:33:21 +02:00
Andrew Bartlett
5aa9a6c936 s3-passdb: Allow reload of the static passdb from python
This is then used in provision when the passdb backend is forced.

Andrew Bartlett
2012-08-28 07:57:30 +10:00
Andrew Bartlett
f2d9be5af6 s3-secrets: Use talloc_stackframe() in secrets_init_path() 2012-08-28 07:57:29 +10:00
Andrew Bartlett
5adf8c8634 s3-secrets: Handle all valid ROLE_ values in get_default_sec_channel() 2012-08-28 07:57:29 +10:00
Andrew Bartlett
708ce41b32 s3-secrets: Add helper function to set machine account password from secrets_tdb_sync
secrets_tdb_sync will be a new ldb module designed to sync secrets.ldb
entries with the secrets.tdb file.

While not ideal to keep two copies of this data, this routine will
assist in allowing the samba-tool domain join code to operate
correctly in most cases where winbindd and smbd are used.

Andrew Bartlett
2012-08-28 07:57:29 +10:00
Björn Jacke
cbecd1595c s3: fix compile warning on openindiana
Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Thu Aug 23 18:22:13 CEST 2012 on sn-devel-104
2012-08-23 18:22:13 +02:00
Andrew Bartlett
02e25b2a43 s3-passdb: Allow pdb_sid_to_id to work on any SID
This is needed so that pdb_samba4 can map any SID during a provision.

At runtime, winbindd will be asked first, but this shortcut direct to the
ldb file makes it possible to set the permissions on the sysvol share at
provision time.

Andrew Bartlett
2012-08-21 15:25:49 +10:00
Andrew Bartlett
ff5d177a69 s3-passdb: Silence scary DEBUG(0) message on first use of secrets.tdb databases
When pdb_samba4 first opens this databse, this message is printed.

Andrew Bartlett
2012-08-14 15:37:22 +02:00
Jeremy Allison
b70f23c2b5 Correctly check for errors in strlower_m() returns. 2012-08-09 12:08:18 -07:00
Jeremy Allison
526e875cec Check error returns from strupper_m() (in all reasonable places). 2012-08-09 12:06:54 -07:00
Andrew Bartlett
e658421fe1 s3-passdb: Simplify idmap wrapper in pdb_samba4
The source3 consumers of this API are now quite happy to be given an answer
of ID_TYPE_BOTH, so we do not need this extra code to try and force the
answer to UID or GID.

Andrew Bartlett
2012-08-07 14:57:33 +10:00
Andrew Bartlett
b041d29c11 s3-pypassdb: Fix wrapper for pdb_domain_info to return correct dns_{domain,forest} 2012-08-02 11:35:19 +02:00
Volker Lendecke
3bc1f4570e s3: Fix Coverity ID 710803 Resource leak
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-07-31 11:40:23 +02:00