1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

1914 Commits

Author SHA1 Message Date
Christian Ambach
ad86e2a599 s3:passdb/pdb_util make pdb_create_builtin consider whether backend deals with BUILTIN
when creating a BUILTIN group, make the strategy dependent on passdb backend behavior
1. if passdb is responsible for BUILTIN (normal case), call pdb_create_builtin_alias with gid=0 argument
so it asks winbindd for a gid to be used
2. if passdb is not responsible, ask for a mapping for the group first and let pdb_create_builtin_alias
create the mapping based on the gid that was determined in the mapping request

Pair-Programmed-With: Michael Adam <obnox@samba.org>

Signed-off-by: Christian Ambach <ambi@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Jun 21 12:49:10 CEST 2013 on sn-devel-104
2013-06-21 12:49:10 +02:00
Christian Ambach
2d2d13ee61 s3:passdb add a gid argument to pdb_create_builtin_alias
make it possible to skip the allocation of a new gid from winbind
by specifying the gid to be used

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2013-06-21 10:44:24 +02:00
Christian Ambach
df41835eea s3:passdb expose pdb_create_builtin function
this one first tries to map the principal before
allocating a new gid

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2013-06-21 10:44:23 +02:00
Christian Ambach
6a048b424a s3:passdb/pdb_tdb add parameter to control handling of BUILTIN
with tdbsam:map builtin, one can control if tdbsam should
be used to map entries from BUILTIN or not.
By default, they will be mapped (as in older releases)

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2013-06-21 10:44:23 +02:00
Christian Ambach
324b3cc00c s3:passdb/pdb_ldap remove an unnecessary check
as general passdb code already verifies for which
idmap domains the module is responsible, requests for
other domains should not come in here any more

Pair-Programmed-With: Michael Adam <obnox@samba.org>

Signed-off-by: Christian Ambach <ambi@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
2013-06-21 10:44:22 +02:00
Christian Ambach
01e094b53f s3:passdb/pdb_ldap make the module handle well-known
overwrite the passdb defaults and let this module handle well-knowns

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2013-06-21 10:44:21 +02:00
Christian Ambach
987de8a971 s3:passdb make pdb_sid_to_id honor backend responsibilities
only ask passdb backend for mapping if it is responsible

Pair-Programmed-With: Michael Adam <obnox@samba.org>

Signed-off-by: Christian Ambach <ambi@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
2013-06-21 10:44:21 +02:00
Christian Ambach
55dd9e6a9c s3:passdb/pdb_samba_dsdb make the module handle well-known
overwrite the passdb defaults and let this module handle well-knowns

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2013-06-21 10:44:20 +02:00
Christian Ambach
0ad38d777f s3:passdb add pdb_*_is_responsible_for* functions
allows PDB modules to specify for which special domains they
are responsible when it comes to SID->xid conversion

By default, passdb modules will be responsible for local BUILTIN,
local SAM and Unix Users/Groups

Pair-Programmed-With: Michael Adam <obnox@samba.org>

Signed-off-by: Christian Ambach <ambi@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
2013-06-21 10:44:19 +02:00
Christian Ambach
0ad89c3cc9 s3:passdb/samba_dsdb fix some compiler warnings
about gids and group_sids being potentially uninitialized

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2013-06-21 10:44:18 +02:00
Christian Ambach
e211b5c5d2 s3:passdb/samba_dsdb fix a compiler warning
about discarding const modifier

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2013-06-21 10:44:18 +02:00
Andrew Bartlett
f073401abf passdb-machine_account_secrets: Remove #if SAMBA_BUILD_ == 4 now we only have the waf build
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>

Reviewed-by: David Disseldorp <ddiss@samba.org>
2013-05-28 12:17:12 +10:00
Andrew Bartlett
1165776d86 pdb_ldap: Do not skip accounts without a sambaAcctFlags value
We allow this to mean a sambaAcctFlags value of zero in other parts of the code
and by allowing these users to show up in a search, we can read and correct them
during the classicupgrade, rather than not know they exist at all.

Most parts of the code do not look for ACB_NORMAL, which is why
these users appear to work.

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-05-16 19:02:02 +02:00
Alexander Bokovoy
5952755755 PASSDB: add support to set and enumerate UPN suffixes associated with our forest
Samba PDC may manage a forest containing DNS domains in addition to the primary one.
Information about them is advertised via netr_DsRGetForestTrustInformation when
trusted_domain_name is NULL, according to MS-NRPC and MS-LSAD, and
via netr_GetForestTrustInformation.

This changeset only expands PASSDB API; how suffixes are maintained is left
to specific PDB modules. Set function is added so that suffixes could be
managed through 'net' and other Samba utilities, if possible.

One possible implementation is available for ipasam module in FreeIPA:
http://git.fedorahosted.org/cgit/freeipa.git/commit/?id=cc56723151c9ebf58d891e85617319d861af14a4

Reviewed-by: Andreas Schneider <asn@samba.org>
2013-04-09 20:29:18 +02:00
Andreas Schneider
b510e5e6c4 pdb: Fix array overrun by one.
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2013-02-22 16:36:13 +01:00
Rusty Russell
2f4b21bb57 ntdb: switch between secrets.tdb and secrets.ntdb depending on 'use ntdb'
Since we open with dbwrap, it auto-converts old tdbs (which it will
rename to secrets.tdb.bak once it's done).

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Rusty Russell <rusty@rustcorp.com.au>
Autobuild-Date(master): Wed Feb 20 07:09:19 CET 2013 on sn-devel-104
2013-02-20 07:09:19 +01:00
Andreas Schneider
1b582c4bf8 Rename pdb_ldap to pdb_ldapsam
This patch moves pdb_ldap to pdb_ldapsam unconditionally
and makes possible to load ldapsam.so dynamically

Reviewed-by: Alexander Bokovoy <ab@samba.org>
2013-02-06 11:51:11 +01:00
Andreas Schneider
3d1abb9328 waf: Fix pdb_ldap which cannot be built as a module.
The module has two init functions, pdb_ldap_init() and
pdb_ldapsam_init(). As a shared module only one can be found until we
create a symlink.

Reviewed-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jan 23 10:51:59 CET 2013 on sn-devel-104
2013-01-23 10:51:59 +01:00
Andrew Bartlett
b9fbce2061 passdb: Add discard_const_p() to pdb_samba_dsdb
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-01-10 18:46:22 +11:00
Michael Adam
61e8b80c85 s3:passdb: fix building pdb_ldap as shared module
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Dec  3 19:12:29 CET 2012 on sn-devel-104
2012-12-03 19:12:29 +01:00
Michael Adam
93c0c0749a s3:passdb: don't look into group mappings in legacy_sid_to_unixid()
The backends (tdbsam and ldapsam) do this.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:31 +01:00
Michael Adam
5fbdc5f35a s3:passdb:pdb_ldap: treat "Unix User" and "Unix Group" in sid_to_id()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:31 +01:00
Michael Adam
a0f4129448 s3:passdb:pdb_ldap: pre-validate sid with sid_check_object_is_for_passdb()
instead of sid_check_sid_is_in_our_sam). This allows for builtin sids,
wellknown sids and "Unix User" and "Unix Group" domains.

This broadens up the check moved here in commit
02e25b2a43.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:30 +01:00
Michael Adam
671f534e5e s3:passdb: add sid_check_object_is_for_passdb()
Variant of sid_check_is_for_passdb() that only checks for objects
in the various domains, not for the domain sids themselves.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:30 +01:00
Michael Adam
d96aeded61 s3:passdb: factor pdb_sid_to_id_unix_users_and_groups() out of pdb_default_sid_to_id()
The special treatment of the "Unix User" and "Unix Group" pseudo domains
can be reused.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:30 +01:00
Michael Adam
ef0ed56eb1 s3:passdb: don't bail out in pdb_default_sid_to_id() if sid is not in our sam
This code treats the own sam, builtin, wellknown, and sids from the
"Unix User" and "Unix Group" pseudo-domains.

This reverts part of commit 02e25b2a43.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:30 +01:00
Michael Adam
845a142107 build the new sid_check_is_for_passdb() function into passdb
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:29 +01:00
Christian Ambach
43606bcbbf s3:passdb formatting changes
fix some trailing whitespace and a typo
2012-09-27 04:36:52 +02:00
Andrew Bartlett
3902e7332d lib/util/charset: We do not use fucntions from wchar.h any more
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Sep 26 02:13:10 CEST 2012 on sn-devel-104
2012-09-26 02:13:10 +02:00
Andrew Bartlett
fe2071cd3b build: Fix enabled handling for HAVE_LDAP, we need to use bld.CONFIG_SET
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Sep 22 09:09:17 CEST 2012 on sn-devel-104
2012-09-22 09:09:16 +02:00
Christian Ambach
83ed9b52e7 s3:pdb_ldap remove unused function
Autobuild-User(master): Christian Ambach <ambi@samba.org>
Autobuild-Date(master): Sat Sep 22 04:28:37 CEST 2012 on sn-devel-104
2012-09-22 04:28:37 +02:00
Alexander Bokovoy
86a4ca2864 s3: make smbldaphelper subsystem an internal library
Break pdb_ldap -> smbldaphelper -> pdb -> pdb_ldap loop by
making smbldaphelp intentionally underlinked internal library.

It means that libsmbldaphelp is not usable unless its user is
also linked to libpdb (that is the case for both its users,
idmap_ldap and pdb_ldap, already) but gives us a break of
the circular dependency in case pdb_ldap statically linked
into pdb (default).

This should solve case when idmap_ldap and pdb_ldap are dynamically
loaded modules

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Fri Sep 14 01:02:21 CEST 2012 on sn-devel-104
2012-09-14 01:02:21 +02:00
Alexander Bokovoy
be7a856f5b s3: make ldapsam-related functions a smbldaphelper subsystem
Since these functions are used in pdb_ldap and idmap_ldap, and
pdb_ldap might be statically linked to libpdb (default), it is
better to keep them as separate subsystem to avoid polluting libpdb
namespace.

This is first step in refactoring libpdb. Right now I cannot move
these functions into proper libsmbldaphelper as it uses more of
libpdb-included functions and linking pdb_ldap against libsmbldaphelper
library would have created a loop if pdb_ldap is included into libpdb.

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Thu Sep 13 17:36:07 CEST 2012 on sn-devel-104
2012-09-13 17:36:07 +02:00
Alexander Bokovoy
d55980ccad s3-pdb: filter out more symbols only used in ldapsam internals 2012-09-12 08:49:32 +02:00
Alexander Bokovoy
d709748070 s3-passdb: update abi_match and ignore more statically linked functions
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Mon Sep 10 16:14:50 CEST 2012 on sn-devel-104
2012-09-10 16:14:50 +02:00
Alexander Bokovoy
140bb288be s3-smbldap: use smbldap_ prefixed functions 2012-09-07 12:31:42 +02:00
Alexander Bokovoy
a43774a257 s3-waf: avoid exporting init symbols from statically linked modules
WAF builds with and without AD DC affect list of statically linked
modules that are added into libpdb. This makes impossible to have
ABI for libpdb that does not depend on configured features.

By making init functions from statically linked modules to have local
scope in shared libraries, we avoid unwarranted ABI changes.

Additionally, pdb_samba_dsdb imports IDMAP subsystem of source4/ as
it is not a shared library. Making its symbols private as well.

Finally, in order to have the filtering of symbols work, libpdb
has to be public library.
2012-09-07 12:31:42 +02:00
Alexander Bokovoy
d08242c840 s3-passdb: convert pdb_ipa to use secrets wrappers 2012-09-07 12:31:42 +02:00
Alexander Bokovoy
57ce825c8b s3-passdb: convert pdb_ldap to use secrets wrappers 2012-09-07 12:31:42 +02:00
Alexander Bokovoy
c2e2857db4 s3-passdb: wrap secrets.tdb accessors used by PDB modules
PDB modules store domain sid and guid in secrets.tdb to cooperate
with other parts of smbd. If PDB module is built outside Samba
source code it has to be linked against internal libsecrets.

Wrap required secrets_* calls to avoid direct linking. libpdb
is linked against libsecrets by itself and this is enough.
2012-09-07 12:31:42 +02:00
Michele Baldessari
d0159f6673 Free protect_ids in secret_store_domain_guid() as the caller of fetch_secrets() must free the result in order to not leak memory.
Signed-off-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Sep  7 04:11:43 CEST 2012 on sn-devel-104
2012-09-07 04:11:43 +02:00
Michele Baldessari
e00ac55994 Free protect_ids in secret_store_domain_sid() as the caller of fetch_secrets() must free the result in order to not leak memory.
Signed-off-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Sep  5 22:20:45 CEST 2012 on sn-devel-104
2012-09-05 22:20:45 +02:00
Volker Lendecke
1c9b1e0766 s3: Fix some nonempty blank lines
Signed-off-by: Jeremy Allison <jra@samba.org>
2012-09-04 15:15:00 -07:00
Andrew Bartlett
9983ad7a80 s3-passdb: Rename pdb_samba4 to samba_dsdb and autoconfigure when we are a AD DC
The name samba_dsdb is not ideal, but it matches the primary ldb
module we use, and more importantly it avoids having '4' in the name.
We should slowly avoid using the term samba4 in long-term places like
the smb.conf because it is confusing to users given we are shipping
Samba 4.0 as an AD DC as well as all the other supported roles (domain
member/standalone server/classic DC)

Additionally, samba4 will be an odd name when we eventually release
Samba 5.0!

samba4 remains accepted as an alias to ensure existing smb.conf files
load, but to allow changes here in the future, we set the value during
the smb.conf load, and not during the provision when we are an AD DC.

This simplifies the default smb.conf for the vast majority of our
users and reduces the number of things listed in smb.conf files that
we later have to work around if we wish to change the
name/implementation of the passdb glue module again.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Sep  4 04:45:16 CEST 2012 on sn-devel-104
2012-09-04 04:45:16 +02:00
Volker Lendecke
2ffe69082e s3: Remove a shadowing variable declaration 2012-09-01 03:33:21 +02:00
Andrew Bartlett
5aa9a6c936 s3-passdb: Allow reload of the static passdb from python
This is then used in provision when the passdb backend is forced.

Andrew Bartlett
2012-08-28 07:57:30 +10:00
Andrew Bartlett
f2d9be5af6 s3-secrets: Use talloc_stackframe() in secrets_init_path() 2012-08-28 07:57:29 +10:00
Andrew Bartlett
5adf8c8634 s3-secrets: Handle all valid ROLE_ values in get_default_sec_channel() 2012-08-28 07:57:29 +10:00
Andrew Bartlett
708ce41b32 s3-secrets: Add helper function to set machine account password from secrets_tdb_sync
secrets_tdb_sync will be a new ldb module designed to sync secrets.ldb
entries with the secrets.tdb file.

While not ideal to keep two copies of this data, this routine will
assist in allowing the samba-tool domain join code to operate
correctly in most cases where winbindd and smbd are used.

Andrew Bartlett
2012-08-28 07:57:29 +10:00
Björn Jacke
cbecd1595c s3: fix compile warning on openindiana
Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Thu Aug 23 18:22:13 CEST 2012 on sn-devel-104
2012-08-23 18:22:13 +02:00