IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
security descriptor, allow read access. The code failed in this case.
Jeremy, could you please cross-check this? The way I understood your code it
could only work if smb.conf and secdesc said the same. This made the use of
srvmgr a bit difficult.... What was your intention on how to use the
share_info.tdb?
The current code might check the secdesc twice, but I don't see any decent way
around it that does not completely clutter the code.
Volker
pam_smbpass.so will load ok. Had to move some functions around to work
around dependency problems (hence the new passdb/lookup_sid.c)
Also make sure that libsmbclient.a is built and installed when
we support shared libraries.
purpose. Replace with an array of SAM_ACCOUNT/DOMAIN_GRP entries.
ZERO struct's in smbd/uid.c stops core dumps when sid_to_XX
functions fail. Getting ready to add caching.
Jeremy.
* remove idmap_XX_to_XX calls from smbd. Move back to the
the winbind_XXX and local_XXX calls used in 2.2
* all uid/gid allocation must involve winbindd now
* move flags field around in winbindd_request struct
* add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id()
to prevent automatic allocation for unknown SIDs
* add 'winbind trusted domains only' parameter to force a domain member
server to use matching users names from /etc/passwd for its domain
(needed for domain member of a Samba domain)
* rename 'idmap only' to 'enable rid algorithm' for better clarity
(defaults to "yes")
code has been tested on
* domain member of native mode 2k domain
* ads domain member of native mode 2k domain
* domain member of NT4 domain
* domain member of Samba domain
* Samba PDC running winbindd with trusts
Logons tested using 2k clients and smbclient as domain users
and trusted users. Tested both 'winbind trusted domains only = [yes|no]'
This will be a long week of changes. The next item on the list is
winbindd_passdb.c & machine trust accounts not in /etc/passwd (done
via winbindd_passdb)
We really need idmap_ldap to have a good solution with ldapsam, porting
it from the prvious code is beeing made, the code is really simple to do
so I am confident it is not a problem to commit this code in.
Not committing it would have been worst.
I really would have been able to finish also the group code, maybe we can
put it into a followin release after 3.0.0 even if it may be an upgrade
problem.
The code has been tested and seem to work right, more testing is needed for
corner cases.
Currently winbind pdc (working only for users and not for groups) is
disabled as I was not able to make a complete group code replacement that
works somewhat in a week (I have a complete patch, but there are bugs)
Simo.
- user_ok() and user_in_group() now take a list of groups, instead of
looking for the user in the members of all groups.
- The 'server_info' returned from the authentication is now kept around
- in future we won't copy the sesion key, username etc, we will just
referece them directly.
- rhosts upgraded to use the SAM if possible, otherwise fake up based on
getpwnam().
- auth_util code to deal with groups upgraded to deal with non-winbind domain
members again.
Andrew Bartlett
This is not 100% the same as what SuSE shipped in their Samba, there is
a crash bug fix, a race condition fix, and a few logic changes I'd like to
discuss with Andreas. Added Andreas to (C) notices for posix_acls.c
Jeremy.
this means "xcopy /o" has a chance of working with ACLs that contain
ACEs that use SIDs that the Samba server has no knowledge of.
It's a bit hackish, Tim, can you look at my uid.c changes?
- Rework the name -> sid lookup function to always try local lookup first (for
local domain names) before trying winbind. This seems to eliminate my winbind
feedback loop problems. (I don't use winbind for nsswitch, where there are
almost certainly further issues).
Andrew Bartlett
smbd, and also makes it much cleaner inside winbindd.
It is mostly my code, with a few changes and testing performed by Alexander
Bokovoy <a.bokovoy@sam-solutions.net>. ab has tested it in security=domain and
security=ads, but more testing is always appricatiated.
The idea is that we no longer cart around a 'domain\user' string, we keep them
seperate until the last moment - when we push that string into a pwent on onto
the socket.
This removes the need to be constantly parsing that string - the domain prefix
is almost always already provided, (only a couple of functions actually changed
arguments in all this).
Some consequential changes to the RPC client code, to stop it concatonating the
two strings (it now passes them both back as params).
I havn't changed the cache code, however the usernames will no longer have a
double domain prefix in the key string. The actual structures are unchanged
- but the meaning of 'username' in the 'rid' will have changed. (The cache is
invalidated at startup, so on-disk formats are not an issue here).
Andrew Bartlett
Samba (ab)uses the returns from getpwnam() a lot - in particular it keeps
them around for a long time - often past the next call...
This adds a getpwnam_alloc and a getpwuid_alloc to the collection.
These function as expected, returning a malloced structure that can be
free()ed with passwd_free(&passwd).
This patch also cuts down on the number of calls to getpwnam - mostly by
taking advantage of the fact that the passdb interface is already
case-insensiteve.
With this patch most of the recursive cases have been removed (that I know
of) and the problems are reduced further by not using the sys_ interface
in the new code. This means that pointers to the cache won't be affected.
(This is a tempoary HACK, I intend to kill the password cache entirly).
The only change I'm a little worried about is the change to
rpc_server/srv_samr_nt.c for private groups. In this case we are getting
groups from the new group mapping DB. Do we still need to check for private
groups? I've toned down the check to a case sensitve match with the new code,
but we might be able to kill it entirly.
I've also added a make_modifyable_passwd() function, that copies a passwd
struct into the form that the old sys_getpw* code provided. As far as I can
tell this is only actually used in the pass_check.c crazies, where I moved
the final 'special case' for shadow passwords (out of _Get_Pwnam()).
The matching case for getpwent() is dealt with already, in lib/util_getent.c
Also included in here is a small change to register the [homes] share at vuid
creation rather than just in one varient of the session setup. (This picks
up the SPNEGO cases). The home directory is now stored on the vuid, and I
am hoping this might provide a saner way to do %H substitions.
TODO: Kill off remaining Get_Pwnam_Modify calls (they are not needed), change
the remaining sys_getpwnam() callers to use getpwnam_alloc() and move
Get_Pwnam to return an allocated struct.
Andrew Bartlett
not the privileges. Usually we don't need them, so the memory is free
early.
lib/util_sid.c: added some helper functions to check an SID.
passdb/passdb.c: renamed local_lookup_rid() to local_lookup_sid() and pass
an RID all the way. If the group doesn't exist on the domain SID,
don't return a faked one as it can collide with a builtin one. Some rpc
structures have been badly designed, they return only rids and force the
client to do subsequent lsa_lookup_sid() on the domain sid and the builtin
sid !
rpc_server/srv_util.c: wrote a new version of get_domain_user_groups().
Only the samr code uses it atm. It uses the group mapping code instead of
a bloody hard coded crap. The netlogon code will use it too, but I have to
do some test first.
J.F.
per-share. I beleive that almost all the things that this could have done on
a per-share basis can be done with other tools, like 'force user'.
Almost all the user's of this paramater used it as a global anyway...
While this is one step at a time, I hope it will allow me to considerably
simplfy the make_connection() code, particularly for the user-level security
case.
This already removes an absolute truckload of extra attempted password lookups
on the guest account.
Andrew Bartlett
In particular this commit focuses on:
Changing the Get_Pwnam code so that it can work in a const-enforced
environment.
While these changes have been mildly tested, and are pretty small, any
assistance in this is appreciated.
----
These changes allow for 'const' in the Samba tree.
There are a number of good reasons to do this:
- I want to allow the SAM_ACCOUNT structure to move from wasteful
pstrings and fstrings to allocated strings. We can't do that if
people are modifying these outputs, as they may well make
assumptions about getting pstrings and fstrings
- I want --with-pam_smbpass to compile with a slightly sane
volume of warnings, currently its pretty bad, even in 2.2
where is compiles at all.
- Tridge assures me that he no longer opposes 'const religion'
based on the ability to #define const the problem away.
- Changed Get_Pwnam(x,y) into two variants (so that the const
parameter can work correctly): - Get_Pwnam(const x) and
Get_Pwnam_Modify(x).
- Reworked smbd/chgpasswd.c to work with these mods, passing
around a 'struct passwd' rather than the modified username
