IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
We should not write to memory marked as const
(returned from pdb_get_pw_history())!
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
ctdb gives us 0-sized records for deleted passdb entries
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Tue Nov 11 16:19:37 CET 2014 on sn-devel-104
This avoids some duplication in setting the machine account passsword
for the domain member and DC case.
This does not yet remove the duplication, that requires a bigger
restructure of the various routines used here to obtain the machine
and domain trust secrets.
Also no longer used is the timeout/2 code to not set the previous
password. It is now always passed to the caller.
Andrew Bartlett
Change-Id: Idd5bafedf4cbac30b174955d743ec4128a6902ee
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Sat Sep 20 08:29:31 CEST 2014 on sn-devel-104
The issue here is that pdb_set_plaintext_passwd() re-used the memory from pdb_get_pw_history() as input
We need to free this after we copy and set it.
Found by AddressSanitizer
Andrew Bartlett
Change-Id: I4e148e23ccbbe5444c969ff8f91709791c7696bb
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>
We now return the plaintext passwords for trusted domains so winbindd can use them.
Change-Id: Ifcd59b0be815d25b73bdbc41db7477895461c7b6
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
Share options like "force group" and "valid users = @group1"
triggered a NT_STATUS_NO_SUCH_GROUP. While the group was found in
the SAM backend, its objectclass was not retrived.
This fix also revealed a talloc access after free in the group
branch of pdb_samba_dsdb_getgrfilter.
[Bug 9570] Access failure for shares with "force group" or "valid users = @group"
https://bugzilla.samba.org/show_bug.cgi?id=9570
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
The pdb_samba_dsdb_getgrfilter() function first determines the security type
of a group and sets map->sid_name_use accordingly. A little later, this
variable is set again, undoing the previous work.
https://bugzilla.samba.org/show_bug.cgi?id=10777
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Aug 23 02:48:52 CEST 2014 on sn-devel-104
Signed-off-by: Justin Maggard <jmaggard@netgear.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Sat Aug 9 00:44:06 CEST 2014 on sn-devel-104
This is generic enough that it could be used in all code.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jul 18 15:43:33 CEST 2014 on sn-devel-104
This is not allowed to be odd length, as otherwise we can not send it over the SAMR transport correctly.
Allocating one byte less memory than required causes malloc() heap corruption
and then a crash or lockup of the SAMR server.
Andrew Bartlett
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10130
Change-Id: I5c0c531c1d660141e07f884a4789ebe11c1716f6
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This will allow winbindd to know when we are an RODC
without needing to dig into sam.ldb.
Change-Id: Ibdfa37fe6269305ccc5db42479f4a8db5eea53f3
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@samba.org>
This patch seems odd, but the pdb_samba_dsdb module has exactly this
semantics. That is, the pdb_samba_dsdb is responsible for all IDMAP
values, due to backing on to the idmap.ldb allocator. This option is
added so we can continue to support the mappings written into that
database even when switching winbindd implementations - the source4/
winbind code would only ask the idmap_ldb code, no matter what the
SID.
Almost all of the behaviour for this is already in winbindd, but we
need this extra flag function so as to avoid (currently intentional)
errors at startup due to not having a per-domain allocation
configured in the smb.conf.
Andrew Bartlett
Change-Id: I6b0d7a1463fe28dfd36715af0285911ecc07585c
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>
This avoids use-after-free errors and tdb database churn.
Andrew Bartlett
Change-Id: If7ab2e24556d9dffc7ad22c0489d665dd75a0cab
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>
Signed-off-by: Samuel Cabrero <scabrero@zentyal.com>
Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Kamen Mazdrashki <kamenim@samba.org>
Autobuild-Date(master): Fri May 30 15:29:29 CEST 2014 on sn-devel-104
And don't cache in the pdb_ldap module on the id_to_sid calls.
Signed-off-by: Alexander Werth <alexander.werth@de.ibm.com>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Sat May 3 04:14:05 CEST 2014 on sn-devel-104
This allows us to avoid the domain lookup in the constructed attribute
when not required.
By using msDS-User-Account-Control-Computed the lockout and password
expiry checks are now handled in the operational ldb module.
Andrew Bartlett
Change-Id: I6eb94933e4602e2e50c2126062e9dfa83a46191b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Following the current coding guidelines, it is considered bad practice to return from
within a macro and change control flow as they look like normal function calls.
Change-Id: I133eb5a699757ae57b87d3bd3ebbcf5b556b0268
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
If we have no name indexes for a domain, all names were domain
names and have been resolved earlier, including the domain name.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10463
Change-Id: I5a7a387fa89d2b2bdd465c13b3dca0e18ca0482c
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Feb 25 11:17:18 CET 2014 on sn-devel-104
Coverity-id: 1107228,1107227
Signed-off-by: Poornima Gurusiddaiah <pgurusid@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
Moved the call to the talloc autofree function to as early a point as
possible. init_ldap_from_sam() already calls smbldap_set_mod(), and there's
a chance that the init will fail after having already allocated memory for
&mods.
Coverity-Id: 1167997
Change-Id: Ic26bfb3c530f90aa885e447b8409deba49708d64
Reviewed-by: Ira Cooper <ira@samba.org>
Signed-off-by: Jose A. Rivera <jarrpa@redhat.com>
Reviewed-by: Simo Sorce <idra@samba.org>
This is in preparation to support handing flags to backends,
in particular activating read only record support for ctdb
databases. For a start, this does nothing but adding the
parameter, and all databases use DBWRAP_FLAG_NONE.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jan 9 22:35:25 CET 2014 on sn-devel-104
when creating a BUILTIN group, make the strategy dependent on passdb backend behavior
1. if passdb is responsible for BUILTIN (normal case), call pdb_create_builtin_alias with gid=0 argument
so it asks winbindd for a gid to be used
2. if passdb is not responsible, ask for a mapping for the group first and let pdb_create_builtin_alias
create the mapping based on the gid that was determined in the mapping request
Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Christian Ambach <ambi@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Jun 21 12:49:10 CEST 2013 on sn-devel-104
make it possible to skip the allocation of a new gid from winbind
by specifying the gid to be used
Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
this one first tries to map the principal before
allocating a new gid
Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
with tdbsam:map builtin, one can control if tdbsam should
be used to map entries from BUILTIN or not.
By default, they will be mapped (as in older releases)
Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
as general passdb code already verifies for which
idmap domains the module is responsible, requests for
other domains should not come in here any more
Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Christian Ambach <ambi@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
overwrite the passdb defaults and let this module handle well-knowns
Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
only ask passdb backend for mapping if it is responsible
Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Christian Ambach <ambi@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
overwrite the passdb defaults and let this module handle well-knowns
Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
