1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

56 Commits

Author SHA1 Message Date
Günther Deschner
64421129b6 lib/util/util_pw: share sys_get{pw,gr} group of calls.
Guenther
2011-03-30 01:13:06 +02:00
Volker Lendecke
16b007c223 Quite some callers of sid_split_rid do not care about the rid 2011-03-10 18:48:34 +01:00
Stefan Metzmacher
d7fa349052 s3:auth: change num_groups to from size_t to uint32_t
This will help with the change from UNIX_USER_TOKEN to security_unix_token

metze
2011-02-22 16:20:11 +11:00
Jeremy Allison
e1cfca1e2e Make getpwnam_alloc() static to lib/username.c, and ensure all username lookups go
through Get_Pwnam_alloc(), which is the correct wrapper function. We were using
it *some* of the time anyway, so this just makes us properly consistent.

Jeremy.

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Wed Oct 20 16:02:12 UTC 2010 on sn-devel-104
2010-10-20 16:02:12 +00:00
Andrew Bartlett
170b345e0c s3-auth Use security_token_debug() from common code
This prints the security token including the privileges as strings
instead of just a bitmap.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-10-14 02:35:04 +00:00
Andrew Bartlett
58cf83732a s3-auth use security_token_has_sid() from the common code
The wrapper call is left here to avoid changing semantics for
the NULL parameter case.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-10-14 02:35:04 +00:00
Andrew Bartlett
f768b32e37 libcli/security Provide a common, top level libcli/security/security.h
This will reduce the noise from merges of the rest of the
libcli/security code, without this commit changing what code
is actually used.

This includes (along with other security headers) dom_sid.h and
security_token.h

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
2010-10-12 05:54:10 +00:00
Volker Lendecke
86919606c7 s3: Remove talloc_autofree_context() from get_root_nt_token()
The memcache_add_talloc() later on steals it anyway
2010-09-26 03:29:27 +02:00
Volker Lendecke
e4591eb8c1 s3: Fix a typo 2010-09-25 15:45:09 -07:00
Günther Deschner
4dbd743e46 s3-util_sid: use shared dom_sid_compare_auth and dom_sid_equal_X functions.
Guenther
2010-09-20 14:04:37 -07:00
Andrew Bartlett
2387e3bcfe s3-privs Call security_token_set_privilege() rather than manual assignment
This avoids as much direct modifiction of the bitmask as possible.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11 18:46:09 +10:00
Andrew Bartlett
b29b6c13a3 s3-privs Inline dump_se_priv into callers now that it's just a uint64_t
The previous 128 bit structure needed this helper function.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11 18:46:07 +10:00
Andrew Bartlett
d1bb21b0d5 s3:auth Remove NT_USER_TOKEN
The all UPPER case typedef is no longer the preferred Samba style
and this makes it easier to see that this is the IDL-derivied structure

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11 18:46:06 +10:00
Andrew Bartlett
4bfc8d3b1a s3-auth Change struct nt_user_token -> struct security_token
This common structure is defined in security.idl

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11 18:46:05 +10:00
Andrew Bartlett
4bf783d4d6 s3-auth Change type of num_sids to uint32_t
size_t is overkill here, and in struct security_token in the num_sids
is uint32_t.

This includes a change to the prototype of add_sid_to_array()
and add_sid_to_array_unique(), which has had a number of
consequnetial changes as I try to sort out all the callers using
a pointer to the number of sids.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11 18:46:05 +10:00
Andrew Bartlett
eee63b7e75 s3-auth Rename NT_USER_TOKEN privileges -> privilege_mask
This is closer to the struct security_token from security.idl

Andrew Bartlett
2010-08-31 11:25:41 +10:00
Andrew Bartlett
8c15cf54ae s3-auth Rename NT_USER_TOKEN user_sids -> sids
This is closer to the struct security_token from security.idl
2010-08-31 10:20:14 +10:00
Günther Deschner
aba1bf4b5e s3-build: only include memcache.h where needed.
Guenther
2010-08-26 00:20:28 +02:00
Günther Deschner
0f8e032628 s3-netlogon: remove global include of netlogon.h.
This reduces precompiled headers by another 4 MB and also slightly speeds up the
build.

Guenther
2010-08-06 15:46:16 +02:00
Günther Deschner
c136b84f0d s3-secrets: only include secrets.h when needed.
Guenther
2010-08-05 10:12:25 +02:00
Volker Lendecke
c186f92437 s3: [ug]id_to_unix_... can not fail
Remove some silly failure checks
2010-07-11 17:33:34 +02:00
Simo Sorce
aa1a3cbad2 s3:auth create nt token from info3 directly
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-06-07 22:53:07 +10:00
Andrew Bartlett
cba7f8b827 s3:dom_sid Global replace of DOM_SID with struct dom_sid
This matches the structure that new code is being written to,
and removes one more of the old-style named structures, and
the need to know that is is just an alias for struct dom_sid.

Andrew Bartlett

Signed-off-by: Günther Deschner <gd@samba.org>
2010-05-21 10:39:59 +02:00
Günther Deschner
ca73e03eb7 security: merge builtin rid tables.
Guenther
2010-05-18 00:44:26 +02:00
Günther Deschner
3b529d50be s3-rpc_misc: clean out include/rpc_misc.h.
Well known rids don't really belong into an rpc header, just use the ones
defined in security.idl.

Guenther
2010-05-18 00:44:26 +02:00
Volker Lendecke
7ba21a339c s3: Move user_in_group() and create_token_from_username() to token_utils.c
Goal is to be able to call check_sam_security from winbind
2010-04-11 22:59:45 +02:00
Jeremy Allison
da9356711b Implement Metze's suggestion of trying getpwuid(0) then getpwnam(root).
Jeremy.
2009-08-22 09:40:58 -07:00
Jeremy Allison
47c7063dc6 Try and fix the buildfarm by using getpwnam(root) instead
of getpwuid(0) if DEVELOPER is defined. I'm hoping the
build farm defines DEVELOPER...
Jeremy.
2009-08-21 21:08:02 -07:00
Jeremy Allison
8c347ed177 Fix bug #6647 - get_root_nt_token: getpwnam("root") failed!
Not all systems may have a "root" user, but all must have a passwd
entry for a uid of zero.
Jeremy.
2009-08-19 16:55:26 -07:00
Volker Lendecke
3c98d5bd98 Make memcache_add_talloc NULL out the source pointer
This is an orthogonality measure to make clear this pointer now belongs to the
cache.
(cherry picked from commit e6080c6e87d6fe3995b121a772bf3f6343fa666f)
2008-11-14 20:27:46 +01:00
Jeremy Allison
8962be69c7 Make us clean under valgrind --leak-check=full by using talloc_autofree_context() instead of NULL.
Remove the code in memcache that does a TALLOC_FREE on stored pointers. That's a disaster waiting
to happen. If you're storing talloc'ed pointers, you can't know their lifecycle and they should
be deleted when their parent context is deleted, so freeing them at some arbitrary point later
will be a double-free.
Jeremy.
2008-11-06 20:48:13 -08:00
Jelmer Vernooij
aa982895e5 Add data_blob_string_const_null() function that includes the terminating
null byte and use it in Samba 3.

This matches the behaviour prior to my data_blob changes.
2008-10-13 05:20:26 +02:00
Simo Sorce
3fa16da8c7 Revert "Split lookup_name() and create a new functiong called"
This reverts commit 8594edf666.
(This used to be commit ad462e2e2d)
2008-09-03 14:36:43 -04:00
Simo Sorce
5e7655fa27 Split lookup_name() and create a new functiong called
lookup_domain_name(). This new function accept separated
strings for domain and name.
(This used to be commit 8594edf666)
2008-08-17 19:54:41 -04:00
Tim Prouty
f18076cb32 Removed redundant logging from create_builtin_users and create_builtin_administrators
The Debug messages in create_builtin_users and create_builtin_users have now
been encapsulated in add_sid_to_builtin.
(This used to be commit ca153139b1)
2008-07-30 15:00:49 -07:00
Tim Prouty
097b27dbcc Enabled domain groups to be added to builtin groups at domain join time
Previously this was done at token creation time if the Administrators and Users
builtins hadn't been created yet.  A major drawback to this approach is that if
a customer is joined to a domain and decides they want to join a different
domain, the domain groups from this new domain will not be added to the
builtins.

It would be ideal if these groups could be added exclusively at domain join
time, but we can't rely solely on that because there are cases where winbindd
must be running to allocate new gids for the builtins.  In the future if there
is a way to allocate gids for builtins without running winbindd, this code
can be removed from create_local_nt_token.

- Made create_builtin_users and create_builtin_administrators non-static so
they can be called from libnet
- Added a new function to libnet_join that will make a best effort to add
domain administrators and domain users to BUILTIN\Administrators and
BUILTIN\Users, respectively.  If the builtins don't exist yet, winbindd must be
running to allocate new gids, but if the builtins already exist, the domain
groups will be added even if winbindd is not running.  In the case of a
failure the error will be logged, but the join will not be failed.
- Plumbed libnet_join_add_dom_rids_to_builtins into the join post processing.
(This used to be commit e92faf5996)
2008-07-30 14:06:36 -07:00
Tim Prouty
bbb02aa8e9 Refactored the code that adds Domain Admins to BUILTIN\Administrators to use the new helper functions.
- Modified create_builtin_administrators and add_builtin_administrators to take
in the domain sid to reduce the number of times it needs to be looked up.
- Changed create_builtin_administrators to call the new helper functions.
- Changed create_local_nt_token to call the new version of
create_builtin_administrators and handle the new error that can be returned.
- Made it more explicit that add_builtin_administrators is only called when
winbindd can't be pinged.
(This used to be commit f6411ccb4a)
2008-07-30 14:06:15 -07:00
Tim Prouty
fb41bb762f Refactored the code that adds Domain Users to BUILTIN\Users to use the new helper functions.
- Modified create_builtin_users to take in the domain sid to reduce the number
of times it needs to be looked up.
- Changed create_builtin_users to call the new helper functions.
- Changed create_local_nt_token to call the new version of create_builtin_users
and handle the new error that can be returned.
(This used to be commit 8d75d40b9f)
2008-07-30 14:06:00 -07:00
Tim Prouty
f738f9f7c9 Helper functions to enable domain groups to be added to builtin groups at domain join time
Added two new helper functions which wrap the raw pdb alias functions so they
can be more conveniently called while adding domain groups to builtin groups.
(This used to be commit 668ef31455)
2008-07-30 14:03:13 -07:00
Gerald W. Carter
d6aa45d29c BUG 5429: Clarify log msgs re: failure to create BUILTIN\{Administrators,Users}
Raise the debug msgs from Lvl 0 in the create_builtin_XX() functions
to prevent unnecessary panic from people reading the logs.
(This used to be commit 2983b9dc79)
2008-04-30 09:43:00 -05:00
Michael Adam
b64be89a6d auth: add SeDiskOperatorsPrivilege to get_root_nt_token to fix registry shares.
Michael
(This used to be commit 6bb107b17d)
2008-04-15 20:41:14 +02:00
Michael Adam
f3603d5a5a Convert add_sid_to_array() add_sid_to_array_unique() to return NTSTATUS.
Michael
(This used to be commit 6b2b9a60ef)
2008-01-09 01:47:10 +01:00
Volker Lendecke
99bd615a80 Fix a panic
get_root_nt_token asks for "struct nt_user_token". talloc_get_type is not smart
enough to see that this is the same as NT_USER_TOKEN... :-)
(This used to be commit 22a98bf7b8)
2007-12-29 21:42:56 +01:00
Volker Lendecke
245537f9bd Convert get_root_nt_token to memcache
(This used to be commit fada689893)
2007-12-28 17:24:39 +01:00
Michael Adam
3fa2183941 Reformat: Remove trailing spaces.
Michael
(This used to be commit 5249b3d204)
2007-12-17 13:25:49 +01:00
Michael Adam
720c65faed Fix flags in caller of lookup_name() in create_builtin_administrators().
Michael
(This used to be commit 46bfbf5c8a)
2007-12-17 13:06:09 +01:00
Volker Lendecke
900288a2b8 Replace sid_string_static by sid_string_dbg in DEBUGs
(This used to be commit bb35e794ec)
2007-12-15 22:09:36 +01:00
Michael Adam
0d8146d5de Fix typo in debug statement.
Michael
(This used to be commit da23684261)
2007-12-13 14:38:05 +01:00
Volker Lendecke
af082d096e Correctly unbecome_root() on error
(This used to be commit aec5f15126)
2007-12-10 12:37:37 +01:00
Jeremy Allison
30191d1a57 RIP BOOL. Convert BOOL -> bool. I found a few interesting
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
(This used to be commit f35a266b3c)
2007-10-18 17:40:25 -07:00