1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

1156 Commits

Author SHA1 Message Date
Gerald Carter
0ce53f8ba5 r14403: * modifies create_local_nt_token() to create a BUILTIN\Administrators
group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes'

* Add a SID domain to the group mapping enumeration passdb call
  to fix the checks for local and builtin groups.  The SID can be
  NULL if you want the old semantics for internal maintenance.
  I only updated the tdb group mapping code.

* remove any group mapping from the tdb that have a
  gid of -1 for better consistency with pdb_ldap.c.
  The fixes the problem with calling add_group_map() in
  the tdb code for unmapped groups which might have had
  a record present.

* Ensure that we distinguish between groups in the
  BUILTIN and local machine domains via getgrnam()
  Other wise BUILTIN\Administrators & SERVER\Administrators
  would resolve to the same gid.

* Doesn't strip the global_sam_name() from groups in the
  local machine's domain (this is required to work with
  'winbind default domain' code)

Still todo.

* Fix fallback Administrators membership for root and domain Admins
  if nested groups = no or winbindd is not running

* issues with "su - user -c 'groups'" command

* There are a few outstanding issues with BUILTIN\Users that
  Windows apparently tends to assume.  I worked around this
  presently with a manual group mapping but I do not think
  this is a good solution.  So I'll probably add some similar
  as I did for Administrators.
(This used to be commit 612979476a)
2007-10-10 11:15:28 -05:00
Volker Lendecke
b3d058a0ec r14103: Fix a memleak found by valgrind (!!)
(This used to be commit b880602c4c)
2007-10-10 11:11:12 -05:00
Volker Lendecke
56a99b1d1c r14102: Fix Coverity bug # 70
(This used to be commit 56dc19879c)
2007-10-10 11:11:12 -05:00
Jeremy Allison
e096440b74 r14088: Fix Coverity bug #20. Don't deref possible null.
Jeremy.
(This used to be commit 7f3ace5481)
2007-10-10 11:11:11 -05:00
Volker Lendecke
4357ef3bd6 r13979: We've dereferenced my_methods already, so there's no point in checking for
!= NULL. Coverity #149.

Volker
(This used to be commit d38e05329a)
2007-10-10 11:11:02 -05:00
Jeremy Allison
894358a8f3 r13915: Fixed a very interesting class of realloc() bugs found by Coverity.
realloc can return NULL in one of two cases - (1) the realloc failed,
(2) realloc succeeded but the new size requested was zero, in which
case this is identical to a free() call.

The error paths dealing with these two cases should be different,
but mostly weren't. Secondly the standard idiom for dealing with
realloc when you know the new size is non-zero is the following :

 tmp = realloc(p, size);
 if (!tmp) {
    SAFE_FREE(p);
    return error;
 } else {
    p = tmp;
 }

However, there were *many* *many* places in Samba where we were
using the old (broken) idiom of :

 p = realloc(p, size)
 if (!p) {
    return error;
 }

which will leak the memory pointed to by p on realloc fail.

This commit (hopefully) fixes all these cases by moving to
a standard idiom of :

 p = SMB_REALLOC(p, size)
 if (!p) {
    return error;
 }

Where if the realloc returns null due to the realloc failing
or size == 0 we *guarentee* that the storage pointed to by p
has been freed. This allows me to remove a lot of code that
was dealing with the standard (more verbose) method that required
a tmp pointer. This is almost always what you want. When a
realloc fails you never usually want the old memory, you
want to free it and get into your error processing asap.

For the 11 remaining cases where we really do need to keep the
old pointer I have invented the new macro SMB_REALLOC_KEEP_OLD_ON_ERROR,
which can be used as follows :

 tmp = SMB_REALLOC_KEEP_OLD_ON_ERROR(p, size);
 if (!tmp) {
    SAFE_FREE(p);
    return error;
 } else {
    p = tmp;
 }

SMB_REALLOC_KEEP_OLD_ON_ERROR guarentees never to free the
pointer p, even on size == 0 or realloc fail. All this is
done by a hidden extra argument to Realloc(), BOOL free_old_on_error
which is set appropriately by the SMB_REALLOC and SMB_REALLOC_KEEP_OLD_ON_ERROR
macros (and their array counterparts).

It remains to be seen what this will do to our Coverity bug count :-).

Jeremy.
(This used to be commit 1d710d06a2)
2007-10-10 11:10:59 -05:00
Simo Sorce
d54010e219 r13843: Merge in net sam provision and some pdb_ldap fixes
(This used to be commit 705d811808)
2007-10-10 11:10:56 -05:00
Volker Lendecke
30675b36f5 r13791: Having S-1-1-0 show up in winbind lookupsid does not really make sense.
Volker
(This used to be commit ae9614ce01)
2007-10-10 11:10:54 -05:00
Simo Sorce
1da8345777 r13776: Merge in the editposix ldapsam optimization
(This used to be commit a374546c7e)
2007-10-10 11:10:53 -05:00
Gerald Carter
5837baa126 r13765: Fix bug reported by jra. Don't check for a group SID when storing
a user since we no longer pay any attention to the value.
(This used to be commit 085c6859ee)
2007-10-10 11:10:53 -05:00
Gerald Carter
a8325d28d2 r13756: use samu_new() rather than calling talloc() directly.
(This used to be commit c13af58f63)
2007-10-10 11:10:52 -05:00
Jeremy Allison
ddf14cc286 r13747: Fix the reference count for tdbsam_open() - on an
upgrade it calls tdbsam_convert() which calls tdbsam_open()
deep inside the init_sam_from_buffer_vX call.
If the ref count hasn't been set yet then we will close
the tdbsam reference in tdbsam_getsampwsid().
smbpasswd -a was core-dumping again :-).
Jeremy
(This used to be commit 993069eb87)
2007-10-10 11:10:51 -05:00
Volker Lendecke
2479b8305b r13729: Fix smbpasswd -x
(This used to be commit 2afcbbfb6f)
2007-10-10 11:10:51 -05:00
Volker Lendecke
06e720a66c r13728: No, we have not talked about this on irc less than 24h ago... ;-)
(This used to be commit 59f95ea752)
2007-10-10 11:10:51 -05:00
Volker Lendecke
ded57f29b3 r13727: Fix a segfault
(This used to be commit 76c100834d)
2007-10-10 11:10:51 -05:00
Günther Deschner
e54786b535 r13711: * Correctly handle acb_info/acct_flags as uint32 not as uint16.
* Fix a couple of related parsing issues.
* in the info3 reply in a samlogon, return the ACB-flags (instead of
  returning zero)

Guenther
(This used to be commit 5b89e8bc24)
2007-10-10 11:10:25 -05:00
Jeremy Allison
2ef2e01314 r13704: Janitor for tpot.
Jeremy
-------------
Slightly smaller version of pdb_get_methods() patch.  Turns out that
callers to initialize_password_db() use the reload parameter so this
has turned in to a smaller cleanup than I thought.
(This used to be commit 7e243104eb)
2007-10-10 11:10:24 -05:00
Volker Lendecke
9fffb6ab5b r13693: More Solaris/LDAP fixes from Bjoern <bjoern@j3e.de>
(This used to be commit 7c098ca0ae)
2007-10-10 11:10:24 -05:00
Volker Lendecke
2ced94c54d r13683: Fix the 'valid users = +users' problem I introduced.
Volker
(This used to be commit dbdb8bdb99)
2007-10-10 11:10:23 -05:00
Gerald Carter
d95e13e68f r13679: Commiting the rm_primary_group.patch posted on samba-technical
* ignore the primary group SID attribute from struct samu*
* generate the primary group SID strictlky from the Unix
  primary group when dealing with passdb users
* Fix memory leak in original patch caused by failing to free a
  talloc *
* add wrapper around samu_set_unix() to prevent exposing the create
  BOOL to callers.  Wrappers are samu_set_unix() and samu-allic_rid_unix()
(This used to be commit bcf269e2ec)
2007-10-10 11:10:23 -05:00
Volker Lendecke
2b0277a1d6 r13678: Remove unneeded braces
(This used to be commit faf1d832a1)
2007-10-10 11:10:23 -05:00
Günther Deschner
cab298856a r13622: Allow to rename machine accounts in a Samba Domain. This still uses the
"rename user script" to do the rename of the posix machine account (this
might be changed later). Fixes #2331.

Guenther
(This used to be commit b2eac2e6eb)
2007-10-10 11:10:19 -05:00
Gerald Carter
6622ba566e r13601: * Remove unused code from pdb_ldap.c
* Add a 'struct passwd *' to the struct samu for later reference
  (I know this may be controversial but its easily reverted which is
  is why I'm checking this is as a seaparate patch before I get
  too deep).
* Remove unix_homedir from struct samu {} and update the pdb wrapper
  functions associated with it.
(This used to be commit 92c251fdf0)
2007-10-10 11:10:18 -05:00
Gerald Carter
7b9736eb74 r13600: Move functions local to tdbsam to pdb_tdb.c
(This used to be commit e3489f7edd)
2007-10-10 11:10:18 -05:00
Gerald Carter
6a09da5d9e r13593: consolidate pdb_set_sam_sids() into samu_set_unix() which
was the only place it was called from.
(This used to be commit 6568c9cb03)
2007-10-10 11:10:18 -05:00
Gerald Carter
cd55919263 r13590: * replace all pdb_init_sam[_talloc]() calls with samu_new()
* replace all pdb_{init,fill}_sam_pw() calls with samu_set_unix()
(This used to be commit 6f1afa4acc)
2007-10-10 11:10:16 -05:00
Gerald Carter
87ef96e6be r13589: Make sure we only try to close the tdbsam file in endsampwent() when we
have a valid pwent list from a setsampwent().  Fixes a bug with the
reference count on the open tdb.
(This used to be commit 77332f0738)
2007-10-10 11:10:16 -05:00
Gerald Carter
2203bed32c r13576: This is the beginnings of moving the SAM_ACCOUNT data structure
to make full use of the new talloc() interface.  Discussed with Volker
and Jeremy.

* remove the internal mem_ctx and simply use the talloc()
  structure as the context.
* replace the internal free_fn() with a talloc_destructor() function
* remove the unnecessary private nested structure
* rename SAM_ACCOUNT to 'struct samu' to indicate the current an
  upcoming changes.  Groups will most likely be replaced with a
  'struct samg' in the future.

Note that there are now passbd API changes.  And for the most
part, the wrapper functions remain the same.

While this code has been tested on tdb and ldap based Samba PDC's
as well as Samba member servers, there are probably still
some bugs.  The code also needs more testing under valgrind to
ensure it's not leaking memory.

But it's a start......
(This used to be commit 19b7593972)
2007-10-10 11:10:15 -05:00
Gerald Carter
fb5362c069 r13571: Replace all calls to talloc_free() with thye TALLOC_FREE()
macro which sets the freed pointer to NULL.
(This used to be commit b65be8874a)
2007-10-10 11:10:14 -05:00
Gerald Carter
ac456c7440 r13550: remove pdb_guest
(This used to be commit db575c7641)
2007-10-10 11:10:13 -05:00
Jeremy Allison
952a631d5d r13548: Always use the get_remote_macinhe_name() as the key
for the creds store. This should fix the problems
Jerry reported (but I have still to run tests :-).
Jeremy.
(This used to be commit 43f095a38d)
2007-10-10 11:10:13 -05:00
Gerald Carter
671c0098f6 r13545: A patch which I think it's time has come. VOlker, we can talk about
this more but it gets around the primary group issue.

* don't map a SID to a name from the group mapping code if
  the map doesn't have a valid gid.  This is only an issue
  in a tdb setup
* Always allow S-1-$DOMAIN-513 to resolve (just like Windows)
* if we cannot resolve a users primary GID to a SID, then set
  it to S-1-$DOMAIN-513
* Ignore the primary group SID inside pdb_enum_group_memberships().
  Only look at the Unix group membersip.

Jeremy, this fixes a fresh install startup for smbd as far as my tests
are concerned.
(This used to be commit f79f4dc4c5)
2007-10-10 11:10:12 -05:00
Jeremy Allison
5f8a70d01e r13542: Don't reuse a pointer we just freed (Doh!).
Jeremy.
(This used to be commit e755155b0e)
2007-10-10 11:10:11 -05:00
Jeremy Allison
c7aad1deea r13538: Make sure we store all 16 bytes of credentials session
key and delete records that are old. We will need this
for the full 16 byte session key support.
Jeremy.
(This used to be commit cef240d571)
2007-10-10 11:10:11 -05:00
Jeremy Allison
3e4cf56fa3 r13519: Fix the credentials chaining across netlogon pipe disconnects.
I mean it this time :-).
Jeremy.
(This used to be commit 80f4868944)
2007-10-10 11:10:09 -05:00
Gerald Carter
ab4fa1958f r13512: Rewrite tdbsam code to use a reference count based open/close
on the tdb file.  This allow recusive calls to succeed
without complaining about failed opens since a tdb can
only be opened once per process.  We probably still need to backport
the transaction support from Samba 4 here though.
(This used to be commit 94c37e0652)
2007-10-10 11:10:08 -05:00
Volker Lendecke
301d51e13a r13494: Merge the stuff I've done in head the last days.
Volker
(This used to be commit bb40e544de)
2007-10-10 11:10:06 -05:00
Volker Lendecke
3b67210eec r13493: module_name and module_location are the same string. Fix a valgrind
error.

Volker
(This used to be commit 5a92df31d6)
2007-10-10 11:10:06 -05:00
Gerald Carter
75ef18fa75 r13460: by popular demand....
* remove pdb_context data structure
* set default group for DOMAIN_RID_GUEST user as RID 513 (just
  like Windows)
* Allow RID 513 to resolve to always resolve to a name
* Remove auto mapping of guest account primary group given the
  previous 2 changes
(This used to be commit 7a2da5f0cc)
2007-10-10 11:10:04 -05:00
Jeremy Allison
ad8b47a2ba r13407: Change the credentials code to be more like the Samba4 structure,
makes fixes much easier to port. Fix the size of dc->sess_key to
be 16 bytes, not 8 bytes - only store 8 bytes in the inter-smbd
store in secrets.tdb though. Should fix some uses of the dc->sess_key
where we where assuming we could read 16 bytes.
Jeremy.
(This used to be commit 5b3c2e63c7)
2007-10-10 11:09:59 -05:00
Volker Lendecke
7fc2c0befb r13389: get_ldap_filter is only used once, make it static
(This used to be commit d3b66fb871)
2007-10-10 11:09:58 -05:00
Volker Lendecke
74f32df289 r13338: Remove the experimental pdb modules
(This used to be commit a3bc4f5114)
2007-10-10 11:06:25 -05:00
Gerald Carter
0af1500fc0 r13316: Let the carnage begin....
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed)
2007-10-10 11:06:23 -05:00
Gerald Carter
855e02f164 r13310: first round of server affinity patches for winbindd & net ads join
(This used to be commit 6c3480f9ae)
2007-10-10 11:06:23 -05:00
Volker Lendecke
b2e8358b3d r13209: Make smbpasswd -a work again if passdb did not exist.
Volker
(This used to be commit e747ea7250)
2007-10-10 11:06:17 -05:00
Jeremy Allison
139acd2470 r13190: Fix #3458 from Andriy Gapon <avg@icyb.net.ua>. Don't
access free'd memory.
Jerry please pick up for 3.0.21b !
Jeremy.
(This used to be commit c0ba64297a)
2007-10-10 11:06:16 -05:00
Jeremy Allison
114a24c19b r13175: Actually make adding a new user into an empty pdbtdb
file create the file.
Jeremy.
(This used to be commit 31b3201f53)
2007-10-10 11:06:16 -05:00
Jeremy Allison
3ea781f62a r13172: Fix incorrect error message when new tdb not created correctly.
Jeremy.
(This used to be commit e5f19ad5ac)
2007-10-10 11:06:16 -05:00
Gerald Carter
c5e7ddc63b r12913: missed merge to fix BUG 3391; ensure we can lookup account policies
(This used to be commit 77575c64e4)
2007-10-10 11:06:06 -05:00
Günther Deschner
c3a2101da0 r12714: Fix segfault in pdb_nds.c.
Guenther
(This used to be commit f78c7f8abe)
2007-10-10 11:06:01 -05:00
Volker Lendecke
3c50ec20fb r12663: Fix a memleak
(This used to be commit 3ee6b732f4)
2007-10-10 11:06:01 -05:00
Volker Lendecke
e0c989c949 r12645: Fix some memleaks. This will also be in the trunk checkin that comes next.
Volker
(This used to be commit dc167037b0)
2007-10-10 11:06:00 -05:00
Volker Lendecke
1de83ea53b r12603: NO, I'm not claiming maintainership of this.
Fix bug 3351.

Volker
(This used to be commit 082763988d)
2007-10-10 11:06:00 -05:00
Jeremy Allison
5a4881bf39 r12522: Try and fix bug #2926 by removing setlocale(LC_ALL, "C")
and replace calls to isupper/islower/toupper/tolower with
ASCII equivalents (mapping into _w variants).
Jeremy.
(This used to be commit c2752347eb)
2007-10-10 11:05:58 -05:00
Gerald Carter
830149e6d9 r12400: one line patch for Sun LDAP libs pointed out by Nicholas Brealey <nick@brealey.org>
(This used to be commit 5121d38069)
2007-10-10 11:05:55 -05:00
Gerald Carter
5ac6b21f09 r12398: adding Guenther's account policy migration fix
(This used to be commit be32f10609)
2007-10-10 11:05:54 -05:00
Volker Lendecke
28fb5b6f97 r12313: Introduce yet another copy of the string_sub function:
talloc_string_sub. Someone with time on his hands could convert all the
callers of all_string_sub to this.

realloc_string_sub is *only* called from within substitute.c, it could be
moved there I think.

Volker
(This used to be commit be6c9012da)
2007-10-10 11:05:53 -05:00
Jeremy Allison
3a405096c5 r12245: eDirectory returns LDAP_UNWILLING_TO_PERFORM if the
account is disabled. If we get this we can't check
the password so have to tell the client the account
was disabled.
Jeremy.
(This used to be commit 43c2d545ab)
2007-10-10 11:05:50 -05:00
Volker Lendecke
661c5c741a r12163: Change lookup_sid and lookup_name to return const char * instead of char *,
use a temporary talloc_ctx for clarity.

Volker
(This used to be commit b15815c804)
2007-10-10 11:05:46 -05:00
Volker Lendecke
ab51c18cc9 r12129: Fix uninitialized variables.
Volker
(This used to be commit 8a7d6eb2c0)
2007-10-10 11:05:46 -05:00
Volker Lendecke
05ac2de0df r12051: Merge across the lookup_name and lookup_sid work. Lets see how the build farm
reacts :-)

Volker
(This used to be commit 9f99d04a54)
2007-10-10 11:05:43 -05:00
Jeremy Allison
d1f91f7c72 r12043: It's amazing the warnings you find when compiling on a 64-bit
box with gcc4 and -O6...
Fix a bunch of C99 dereferencing type-punned pointer will break
strict-aliasing rules errors. Also added prs_int32 (not uint32...)
as it's needed in one place. Find places where prs_uint32 was being
used to marshall/unmarshall a time_t (a big no no on 64-bits).
More warning fixes to come.
Thanks to Volker for nudging me to compile like this.
Jeremy.
(This used to be commit c65b752604)
2007-10-10 11:05:42 -05:00
Volker Lendecke
bd21ee68e5 r11999: Re-add "passdb expand explicit".
We came to the conclusion that changing the default is something that has to
wait one or two more releases, but it will happen one way or the other.

Volker
(This used to be commit 30fcdf84d8)
2007-10-10 11:05:41 -05:00
Volker Lendecke
6f04dc477e r11947: Back out passdb:expand_explicit until we find consensus. I'll file this as a
bugzilla entry.

Volker
(This used to be commit d228cb62a7)
2007-10-10 11:05:38 -05:00
Volker Lendecke
10bc204efb r11923: Add samr_lookup_rids for the builtin domain. Doing it this way feels a bit
wrong, but so far we don't have proper multi-domain support in passdb yet...

Volker
(This used to be commit c917cfc320)
2007-10-10 11:05:36 -05:00
Volker Lendecke
046a8873b9 r11922: Looks bigger than it is: There's no point in allocating arrays in
samr_lookup_rids twice. It was done in the srv_samr_nt.c code as well as in
the pdb module. Remove the latter, this might happen more often.

Volker
(This used to be commit 57f0cf8cdd)
2007-10-10 11:05:36 -05:00
Volker Lendecke
d36eb68cb5 r11920: Rename local_lookup_rid to lookup_global_sam_rid, add lookup_builtin_rid.
Volker
(This used to be commit bc8836d5d7)
2007-10-10 11:05:35 -05:00
Volker Lendecke
add1493a86 r11919: The generic mappings in srv_samr_nt.c are only used there -- make them
static.

One long overdue simplification: Change local_lookup_sid to local_lookup_rid
its responsible for "our" domain only, in fact it checked for it.

Volker
(This used to be commit 35ba5e083c)
2007-10-10 11:05:35 -05:00
Volker Lendecke
ace1212dec r11914: After talking to Jeremy, implement passdb:expand_explicit with a default of
no. This changes our default behaviour.

Sorry, Ingo, this *is* a bug that needs fixing.

Jerry, you might want to put a marker into the WHATSNEW.txt when this is due.

Volker
(This used to be commit 6622db97bb)
2007-10-10 11:05:34 -05:00
Günther Deschner
092e3e514b r11874: Merge LDAP connection setup in lib/smbldap.c and pdb_nds.c.
Also allow to use START_TLS in the pdb_nds_update_login_attempts
function when doing simple binds to eDir.

Guenther
(This used to be commit 04a3ac5e50)
2007-10-10 11:05:33 -05:00
Gerald Carter
ac331c48db r11863: BUG 3196: patch from Alex Deiter <tiamat@komi.mts.ru> to compile against the Sun LDAP client libs. But not for AD support; just ldap support
(This used to be commit a33e78aced)
2007-10-10 11:05:31 -05:00
Günther Deschner
0e8b90e45d r11847: Fix typo.
Guenther
(This used to be commit 6aefb3aebb)
2007-10-10 11:05:29 -05:00
Jeremy Allison
cef9443a87 r11256: Remove use of long long and strtoll in libsmbclient (we
can't assume long long is always there). Removed unused
var in new a/c rename code.
long long still used in eventlog code but Jerry has promised
to fix that.
Jeremy.
(This used to be commit f46d847065)
2007-10-10 11:05:09 -05:00
Jim McDonough
1113cad9c0 r11236: Implement user rename for smbpasswd and ldap backends. Some cleanup on
tdb as well to make naming consistent.
(This used to be commit ee91eb9a39)
2007-10-10 11:05:08 -05:00
Jeremy Allison
8d7c886671 r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4
x86_64 box.
Jeremy.
(This used to be commit d720867a78)
2007-10-10 11:05:02 -05:00
Jim McDonough
254938c636 r10911: part of #2861: add rename support for usrmgr.exe when using tdbsam
This gets it working before replacing tdb with the samba4 version.
(This used to be commit 8210b0503a)
2007-10-10 11:04:56 -05:00
Jeremy Allison
e127501d45 r10792: Fix the "schannel not stored across client disconnects" problem.
Based on the Samba4 solution - stores data in
$samba/private/schannel_store.tdb.
This tdb is not left open but open and closed on demand.
Jeremy.
(This used to be commit a6d8a4b1ff)
2007-10-10 11:04:54 -05:00
Volker Lendecke
ba51ce6053 r10658: It's so nice to have CVSIN to blame for this kind of bugs :-)
Volker
(This used to be commit cf06a090a3)
2007-10-10 11:04:49 -05:00
Gerald Carter
54abd2aa66 r10656: BIG merge from trunk. Features not copied over
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d7)
2007-10-10 11:04:48 -05:00
Gerald Carter
dbbaccc2c0 r10606: pdb_*sql patches from
Uli Meis <a.sporto@gmail.com>
Peter Rindfuss <rindfuss@wz-berlin.de>
(This used to be commit 8bf124adaf)
2007-10-10 11:04:48 -05:00
Gerald Carter
f44e11c100 r9661: fallback to cn attribubte if displayName is not available
(This used to be commit b1524999e0)
2007-10-10 11:03:24 -05:00
Gerald Carter
be0f3f159f r9660: real fix for group enumeration bug in 3.0.20; only affected the ldapsam code
(This used to be commit 62f9fb5e3a)
2007-10-10 11:03:24 -05:00
Günther Deschner
1d1d2418f0 r9522: Give better error-message when "NDS Universal Password" change fails.
Guenther
(This used to be commit df90ea016a)
2007-10-10 11:01:11 -05:00
James Peach
2c42509673 r9303: Clobber compiler warnings. Patch from Jason Mader <jason@ncac.gwu.edu> plus
some extra function declarations. Bugzilla bug #2523.
(This used to be commit 98d364459d)
2007-10-10 11:00:32 -05:00
Lars Müller
f5024ae257 r9051: Fix from Fernando Schapachnik <fernando@mecon.gov.ar> to add logon hours
support for the Postgres backend.

Also add these changes from svn rev 7787 to trunk.
(This used to be commit 7423895900)
2007-10-10 11:00:24 -05:00
Günther Deschner
faa4b4a9f2 r8797: avoid unset rids for builtin-aliases.
Guenther
(This used to be commit c2810bcf66)
2007-10-10 11:00:17 -05:00
Günther Deschner
ecc0d00a6d r8787: Make enumeration of builtin-aliases work again.
Guenther
(This used to be commit 0c8859474d)
2007-10-10 11:00:17 -05:00
Günther Deschner
235bece8ff r8542: - (re-)add better search-semantics: look for Interdomain trust accounts
below the machine-suffix (this is where we create them)) to avoid
  digging through thousands of user-accounts just to find a handful of
  trust-accounts in the enumdomusers-samr-call.

- don't access freed data in DEBUG-statement

Guenther
(This used to be commit 793c82c017)
2007-10-10 11:00:08 -05:00
Jeremy Allison
19ca97a70f r7882: Looks like a large patch - but what it actually does is make Samba
safe for using our headers and linking with C++ modules. Stops us
from using C++ reserved keywords in our code.
Jeremy
(This used to be commit 9506b8e145)
2007-10-10 10:58:00 -05:00
Jeremy Allison
aeb3e96cdb r7787: Fix from Fernando Schapachnik <fernando@mecon.gov.ar> to add logon hours
support for the Postgres backend.
Jeremy.
(This used to be commit dd5d36c95f)
2007-10-10 10:57:21 -05:00
Volker Lendecke
e6ef7ba7a4 r7730: Some merges
(This used to be commit 5b4720598b)
2007-10-10 10:57:20 -05:00
Volker Lendecke
5b08e6688e r7718: Remove some unused code
(This used to be commit 10606be050)
2007-10-10 10:57:20 -05:00
Gerald Carter
3c47e65e93 r7577: switching to macro for IS_DC
(This used to be commit e6df9a7ac7)
2007-10-10 10:57:14 -05:00
Gerald Carter
fed660877c r7415: * big change -- volker's new async winbindd from trunk
(This used to be commit a0ac9a8ffd)
2007-10-10 10:57:08 -05:00
Gerald Carter
27ccf6ba6a r7142: removing 'ldap filter' smb.conf option
(This used to be commit e2f8eeb4e2)
2007-10-10 10:57:03 -05:00
Gerald Carter
f24d88cf9d r7139: trying to reduce the number of diffs between trunk and 3.0; changing version to 3.0.20pre1
(This used to be commit 9727d05241)
2007-10-10 10:57:02 -05:00
Volker Lendecke
4853a5d509 r6774: Fix 2 memleaks
(This used to be commit 6af57d4bae)
2007-10-10 10:56:54 -05:00
Volker Lendecke
8bb2b294f3 r6770: Fix bug 2705. Thanks, John, for beating my stuff :-)
Volker
(This used to be commit f406dda687)
2007-10-10 10:56:54 -05:00
Volker Lendecke
848cec55a0 r6748: With reconnects, state->connection->ldap_struct can change in smbldap_search
and friends. This should be a fix for bug 2701. Thanks to jht for giving me
access to his box!

Volker
(This used to be commit 85320c1257)
2007-10-10 10:56:53 -05:00
Gerald Carter
27bef67b3a r6713: another talloc() fix. This time in pdb_xml.c
(This used to be commit b0289d2258)
2007-10-10 10:56:52 -05:00
Jelmer Vernooij
620f8b899e r6635: Fix build of the various sql pdb backends after new talloc.
(This used to be commit 0a7eabd46d)
2007-10-10 10:56:48 -05:00
Jeremy Allison
7b9d6ac23e r6595: This is Volkers new-talloc patch. Just got the go-ahead from
Volker to commit. Woo Hoo !
Jeremy.
(This used to be commit 316df944a4)
2007-10-10 10:56:46 -05:00
Volker Lendecke
2e0cac8e3e r6445: Make us survive the PARANOID_MALLOC_CHECKER. Should we enable that for
--enable-developer=yes?

Volker
(This used to be commit 61d40ac60d)
2007-10-10 10:56:41 -05:00
Gerald Carter
57eb9f47d0 r6421: use add machine script when creating a user (ACB_NORMAL)
who has a name ending in '$' (usrmgr.exe does this for
domain trusts (that's was jfm's original comment I think).

avoid an assert() call in libldap.
(This used to be commit 0ac57ae942)
2007-10-10 10:56:41 -05:00
Volker Lendecke
f74f7c933d r6367: Slim down pdb_interface.c a bit. next_entry and search_end are function
pointers now.

Yes, Jeremy, this is about re-inventing C++... :-)

Volker
(This used to be commit a831e54738)
2007-10-10 10:56:39 -05:00
Volker Lendecke
d3d6126d94 r6351: This is quite a large and intrusive patch, but there are not many pieces that
can be taken out of it, so I decided to commit this in one lump. It changes
the passdb enumerating functions to use ldap paged results where possible. In
particular the samr calls querydispinfo, enumdomusers and friends have
undergone significant internal changes. I have tested this extensively with
rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will
follow later.

The code is based on a first implementation by Günther Deschner, but has
evolved quite a bit since then.

Volker
(This used to be commit f0bb44ac58)
2007-10-10 10:56:38 -05:00
Volker Lendecke
9f4c0afa0a r6277: This implements a new caching API for enumerating the pdb elements. It is
modeled after query_displayinfo and should hide the differences between users,
groups and aliases while allowing a cache analog load_sampw_entries:

struct pdb_search *pdb_search_users(uint16 acct_flags);
struct pdb_search *pdb_search_groups(void);
struct pdb_search *pdb_search_aliases(const DOM_SID *sid);
uint32 pdb_search_entries(struct pdb_search *search, uint32 start_idx,
                          uint32 max_entries,
                          struct samr_displayentry **result);
void pdb_search_destroy(struct pdb_search *search);

Why this API? Eventually we will need to apply the work gd has started on
enumerating users with paged ldap searches to groups and aliases. Before doing
that I want to clean up the search routines we have.

The sample application (more to follow) is 'net maxrid'.

Volker
(This used to be commit 8b4f67a1e9)
2007-10-10 10:56:34 -05:00
Volker Lendecke
83e11ba86c r6263: Get rid of generate_wellknown_sids, they are const static and initializable
statically.

Volker
(This used to be commit 3493d9f383)
2007-10-10 10:56:33 -05:00
Herb Lewis
978ca84860 r6225: get rid of warnings from my compiler about nested externs
(This used to be commit efea76ac71)
2007-10-10 10:56:30 -05:00
Derrell Lipman
9840db418b r6149: Fixes bugs #2498 and 2484.
1. using smbc_getxattr() et al, one may now request all access control
   entities in the ACL without getting all other NT attributes.
2. added the ability to exclude specified attributes from the result set
   provided by smbc_getxattr() et al, when requesting all attributes,
   all NT attributes, or all DOS attributes.
3. eliminated all compiler warnings, including when --enable-developer
   compiler flags are in use.  removed -Wcast-qual flag from list, as that
   is specifically to force warnings in the case of casting away qualifiers.

Note: In the process of eliminating compiler warnings, a few nasties were
      discovered.  In the file libads/sasl.c, PRIVATE kerberos interfaces
      are being used; and in libsmb/clikrb5.c, both PRIAVE and DEPRECATED
      kerberos interfaces are being used.  Someone who knows kerberos
      should look at these and determine if there is an alternate method
      of accomplishing the task.
(This used to be commit 994694f7f2)
2007-10-10 10:56:24 -05:00
Jeremy Allison
202c7b4571 r6092: This much const causes the compiler on Fedora Core 2
to throw up.
Jeremy.
(This used to be commit 051f0ed807)
2007-10-10 10:56:21 -05:00
Volker Lendecke
e84ead0cfd r6080: Port some of the non-critical changes from HEAD to 3_0. The main one is the
change in pdb_enum_alias_memberships to match samr.idl a bit closer.

Volker
(This used to be commit 3a67865169)
2007-10-10 10:56:20 -05:00
Jim McDonough
cf7d098b2c r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us
again up to ~6x improvement on group membership lookups.
(This used to be commit e2117bcb09)
2007-10-10 10:56:13 -05:00
Gerald Carter
ec139622c5 r5957: BUGS 2478, 2093: compiler warning patches from Jason Mader
(This used to be commit b0f4346082)
2007-10-10 10:56:12 -05:00
Gerald Carter
dbd5c968d7 r5951: gotta love that SGI compiler :-) (thanks Jason)
(This used to be commit e84d070275)
2007-10-10 10:56:10 -05:00
Jim McDonough
b824fcb081 r5927: Fix ldapsam trusted enum_group_members. We were searching in the user
suffix instead of the group suffix.

Thanks to John Janosik (jpjanosi@us.ibm.com).
(This used to be commit bf3ce651ff)
2007-10-10 10:56:09 -05:00
Jeremy Allison
91d355772f r5817: Patch from Vince Brimhall <vbrimhall@novell.com> to change the way pdb_nds
handles users with no Universal or Simple Password. Bug #2453.
Jeremy.
(This used to be commit 0976793e30)
2007-10-10 10:56:03 -05:00
Volker Lendecke
5ba3fb825b r5767: Get rid of some compiler warnings
(This used to be commit 66471de977)
2007-10-10 10:56:00 -05:00
Gerald Carter
f651bb0bea r5746: remove unneeded header that caused problems on rh73
(This used to be commit 68fe1f194a)
2007-10-10 10:55:59 -05:00
Jelmer Vernooij
a9a218f5e6 r5733: Don't crash when the SID column contains NULL (Fixes #2316)
Patch by Justin Ossevoort
(This used to be commit a281148168)
2007-10-10 10:55:58 -05:00
Jelmer Vernooij
cbe4adaec7 r5718: Don't update fields that haven't changed (fixes #1957)
(This used to be commit 5c682c665d)
2007-10-10 10:55:57 -05:00
Gerald Carter
32416866dd r5708: BUG 2424: patch from Vince Brimhall <vbrimhall@novell.com> to ensure that uidNumber and gidNumber use match the rfc2307 schema
(This used to be commit c1727dc9e0)
2007-10-10 10:55:56 -05:00
Jeremy Allison
a5f84481e3 r5655: Added support for Novell NDS universal password. Code donated by
Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to
use Samba conventions.
Vince - thanks a *lot* for this code - please test to make sure
I haven't messed anything up.
Jeremy.
(This used to be commit 6f5ea963ab)
2007-10-10 10:55:54 -05:00
Volker Lendecke
f17c4ad8ae r5481: Fix a memleak
(This used to be commit 36bcfc5dae)
2007-10-10 10:55:42 -05:00
Volker Lendecke
a90a58ff22 r5467: Optimize _samr_query_groupmem with LDAP backend for large domains.
Could someone else please look at this patch, verifying that I did not break
the ldapsam:trusted = False fallback to the old behaviour? It works fine for
me, but you never know. You're certainly free to review the new code as well :-)

Thanks,

Volker
(This used to be commit e1c3ca182b)
2007-10-10 10:55:41 -05:00
Volker Lendecke
f51677051c r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This
gives some new warnings in smbldap.c, but a the callers are cleaned up.

Volker
(This used to be commit 543799fc0d)
2007-10-10 10:55:40 -05:00
Volker Lendecke
bc10e4067a r5421: Fix a memleak
(This used to be commit a7df3b5f06)
2007-10-10 10:55:40 -05:00
Günther Deschner
6c84ecb556 r5349: After talking with Jerry, reverted the addition of account policies to
passdb in 3_0 (they are still in trunk).

Guenther
(This used to be commit fdf9bdbbac)
2007-10-10 10:55:38 -05:00
Gerald Carter
25edc545fc r5337: BUG 1439: make sure to initialize pointer to prevent invalide free()'s on exit
(This used to be commit a882a349df)
2007-10-10 10:55:38 -05:00
Jeremy Allison
eed0e6875b r5166: From James Peach - remove minor C99-isms.
Jeremy.
(This used to be commit 54ac409d4f)
2007-10-10 10:55:31 -05:00
Günther Deschner
26dcc2aa74 r5058: Due to the fragileness how windows reacts on unmapped sids sometimes,
don't leave administator-sid unmapped. Simply return "Administrator"

Guenther
(This used to be commit 168ddf31d1)
2007-10-10 10:55:13 -05:00
Gerald Carter
46d8ff2320 r5015: (based on abartlet's original patch to restrict password changes)
* added SE_PRIV checks to access_check_samr_object() in order
  to deal with the run-time security descriptor and their
  interaction with user rights

* Reordered original patch in _samr_set_userinfo[2] to still
  allow root/administrative password changes for users and machines.
(This used to be commit f9f9e6039b)
2007-10-10 10:55:12 -05:00
Gerald Carter
e512799c00 r4996: sync up copytights with trunk
(This used to be commit 8946efe102)
2007-10-10 10:55:11 -05:00
Günther Deschner
a548e710d8 r4994: Patch from abartlet:
When migrating account policies to ldapsam, handle the fact that an
admin might have changed the default location of the sambaDomain-object
after installation.

Guenther
(This used to be commit 78c3c71274)
2007-10-10 10:55:11 -05:00
Günther Deschner
de87569cfb r4988: After speaking with Jerry, remove old lp_admin_users to
administrator-sid mapping completely.

Guenther
(This used to be commit 4cbe37ecd5)
2007-10-10 10:55:10 -05:00
Günther Deschner
0b3889e346 r4964: Fix our lsa lookupsid $OURDOMAINSID-500.
Give the admin-user (rid 500) a chance to be found in passdb, not
returning the (possibly obscure) first entry of "admin users" before
that.

Guenther
(This used to be commit d319c0e189)
2007-10-10 10:55:09 -05:00
Günther Deschner
e3971524d2 r4926: Use LDAP_SCOPE_ONELEVEL instead of OpenLDAP's LDAP_SCOPE_ONE-scope.
Guenther
(This used to be commit eee0bd806b)
2007-10-10 10:55:08 -05:00
Günther Deschner
b4afdc08d5 r4925: Migrate Account Policies to passdb (esp. replicating ldapsam).
Does automated migration from account_policy.tdb v1 and v2 and offers a
pdbedit-Migration interface. Jerry, please feel free to revert that if
you have other plans.

Guenther
(This used to be commit 75af83dfcd)
2007-10-10 10:55:08 -05:00
Gerald Carter
811df6699c r4860: fix silly limitation in ldapsam and tdbsam. Expand variables in the profile path, logon home and logon script values
(This used to be commit 504ea4ac68)
2007-10-10 10:54:00 -05:00
Günther Deschner
320d765081 r4851: Preleminary fix for ldapsam_enum_group_memberships when
ldapsam:trusted=True. Don't bail out when ldap-search returns pure
posixgroups (w.o. samba group-mapping).

This way those unix-memberships do not appear in user and nt user token.
Volker, could you please look over that one?

Guenther
(This used to be commit 853a8b7f1c)
2007-10-10 10:53:59 -05:00
Günther Deschner
1ed62fde09 r4847: Hand over a acb_mask to pdb_setsampwent in load_sampwd_entries().
This allows the ldap-backend to search much more effeciently. Machines
will be searched in the ldap_machine_suffix and users in the
ldap_users_suffix. (Note that we already use the ldap_group_suffix in
ldapsam_setsamgrent for quite some time).

Using the specific ldap-bases becomes notably important in large
domains: On my testmachine "net rpc trustdom list" has to search through
40k accounts just to list 3 interdomain-trust-accounts, similiar effects
show up the non-user query_dispinfo-calls, etc.

Also renamed all_machines to only_machines in load_sampwd_entries()
since that reflects better what is really meant.

Guenther
(This used to be commit 6394257cc7)
2007-10-10 10:53:59 -05:00
Günther Deschner
0c6010238d r4840: * Add more generic root-dse inspection function to check for given
controls or extensions.
* Check and remember if ldapsam's LDAP Server support paged results
(in preparation of adding async paged-results to set|get|end-sampwent in
ldapsam).

Guenther
(This used to be commit ced58bd884)
2007-10-10 10:53:57 -05:00
Jelmer Vernooij
5d47f8e5e5 r4802: Don't try to update a column with the name "NULL"
(This used to be commit ed38e60264)
2007-10-10 10:53:55 -05:00
Jelmer Vernooij
69e24e59a4 r4788: Don't log mysql password at debug level 1.
(This used to be commit 760455875f)
2007-10-10 10:53:54 -05:00
Gerald Carter
c3ba8b9a53 r4736: small set of merges from rtunk to minimize the diffs
(This used to be commit 4b351f2fcc)
2007-10-10 10:53:52 -05:00
Gerald Carter
d94d87472c r4724: Add support for Windows privileges in Samba 3.0
(based on Simo's code in trunk).  Rewritten with the
following changes:

* privilege set is based on a 32-bit mask instead of strings
  (plans are to extend this to a 64 or 128-bit mask before
   the next 3.0.11preX release).
* Remove the privilege code from the passdb API
  (replication to come later)
* Only support the minimum amount of privileges that make
  sense.
* Rewrite the domain join checks to use the SeMachineAccountPrivilege
  instead of the 'is a member of "Domain Admins"?' check that started
  all this.

Still todo:

* Utilize the SePrintOperatorPrivilege in addition to the 'printer admin'
  parameter
* Utilize the SeAddUserPrivilege for adding users and groups
* Fix some of the hard coded _lsa_*() calls
* Start work on enough of SAM replication to get privileges from one
  Samba DC to another.
* Come up with some management tool for manipultaing privileges
  instead of user manager since it is buggy when run on a 2k client
  (haven't tried xp).  Works ok on NT4.
(This used to be commit 77c10ff9aa)
2007-10-10 10:53:51 -05:00
Jeremy Allison
acf9d61421 r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f)
2007-10-10 10:53:32 -05:00
Jelmer Vernooij
2956b574df r3974: - Fix assignment of a couple of fields in pdb_{mysql,pgsql}
- Use new DTD URL in pdb_xml
(This used to be commit 99dc2f36d1)
2007-10-10 10:53:26 -05:00
Jeremy Allison
c5c2dd6dba r3948: Fix incorrect declaration. Bug #2083.
Jeremy.
(This used to be commit 05b905a28f)
2007-10-10 10:53:26 -05:00
Jeremy Allison
90a18110e9 r3931: Fix all "may be used uninitialized" and "shadow" warnings.
Jeremy.
(This used to be commit 8e979772a6)
2007-10-10 10:53:25 -05:00