1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-27 03:21:53 +03:00
Commit Graph

85 Commits

Author SHA1 Message Date
Stefan Metzmacher
9fbbaa560a s3:passdb: avoid sid_to_gid() if the sid is "domain users"
If the call fails we would use the "domain users" sid anyway.

metze
2010-03-25 21:25:27 +01:00
Stefan Metzmacher
4dc2be2264 s3:passdb: only use gid_to_sid() result if the result is a group of our local sam
Otherwise retry with pdb_gid_to_sid().

metze
2010-02-09 12:57:01 +01:00
Stefan Metzmacher
e10d086956 s3:passdb: speed up pdb_get_group_sid()
Use the cached version gid_to_sid() instead
of pdb_gid_to_sid().

And also avoid the expensive lookup_sid() call
for wellkown domain groups.

metze
2010-02-08 11:23:23 +01:00
Volker Lendecke
004e3e400d s3: Hide some uses of pdb_get_init_flags (which I would love to remove...) 2010-02-05 21:11:17 +01:00
Stefan Metzmacher
0c93aa3cd5 s3:passdb: fix a type Domain Users has RID -513
metze
2010-02-04 15:19:50 +01:00
Volker Lendecke
3ea64e0ad8 s3: Replace most calls to sid_append_rid() by sid_compose() 2010-01-10 20:56:16 +01:00
Michael Adam
017ccd0bda s3:passdb: store the plain nt passwords hashes in history, not salted md5
This is in order to be able to do challenge response with the history,
so that this can be checked when an invalid password was entered:
If the given password is wrong but in the history, then the bad password
count should not be updated...

The "lucky" bit here is that the md5 has and the nt hash (md4) both are
16 bytes long.

This is part of the fix for bug #4347 .

Michael
2010-01-07 16:51:17 +01:00
Volker Lendecke
5e2fc28b63 s3: Simplify pdb_set_plaintext_passwd: pwhistory==NULL can not happen anymore 2010-01-07 11:07:54 +01:00
Volker Lendecke
2a11f3b3d7 s3: Simplify pdb_set_plaintext_passwd: pwHistLen==0 was checked above 2010-01-07 11:07:54 +01:00
Volker Lendecke
ec0998ada5 s3: Add a paranoia check to pdb_set_plaintext_passwd() 2010-01-07 11:07:54 +01:00
Volker Lendecke
a3f522202d s3: Simplify pdb_set_plaintext_passwd() by removing a redundant condition
if (current_history_len != pwHistLen) {
     if (current_history_len < pwHistLen) {
     }
}

The second "if" is a bit pointless here
2010-01-07 11:07:54 +01:00
Volker Lendecke
7633837026 s3: Simplify pdb_set_plaintext_passwd: memcpy deals fine with 0 bytes 2010-01-07 11:07:53 +01:00
Volker Lendecke
864ed92954 s3: Simplify pdb_set_plaintext_passwd by using talloc_zero_array 2010-01-07 11:07:53 +01:00
Volker Lendecke
e7290255f5 s3: Make use of talloc_array in pdb_set_plaintext_passwd() 2010-01-07 11:07:53 +01:00
Volker Lendecke
7ba006430f s3: Simplify pdb_set_plaintext_passwd() a bit
Remove an indentation by the early return in

+       if (pwHistLen == 0) {
+               /* Set the history length to zero. */
+               pdb_set_pw_history(sampass, NULL, 0, PDB_CHANGED);
+               return true;
+       }
2010-01-07 11:07:52 +01:00
Volker Lendecke
ca6c1cdd5f s3: Simplify pdb_set_plaintext_passwd() slightly
No functional change, this just removes an indentation level by the early
"return True;" in

+       if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) == 0) {
+               /*
+                * No password history for non-user accounts
+                */
+               return true;
+       }

Volker
2010-01-07 11:07:52 +01:00
Michael Adam
2fad148b27 s3:pdb_set_pw_history: free the old history before setting the new.
This is not strictly necessary, since this only leaks into the
struct samu, and this is not so long-lived in the code path that
changes the password, but it definitely correct and does not harm.

Michael
2010-01-07 11:07:51 +01:00
Günther Deschner
9f15ef11bd s3-account_policy: add pdb_policy_type enum.
Guenther
2009-07-14 12:12:18 +02:00
Andrew Bartlett
f28f113d8e Rework Samba3 to use new libcli/auth code (partial)
This commit is mostly to cope with the removal of SamOemHash (replaced
by arcfour_crypt()) and other collisions (such as changed function
arguments compared to Samba3).

We still provide creds_hash3 until Samba3 uses the credentials code in
netlogon server

Andrew Bartlett
2009-04-14 16:23:35 +10:00
Volker Lendecke
b1677505a5 Fix some nonempty blank lines 2009-02-08 13:53:49 +01:00
Volker Lendecke
2b3d03d6f1 Remove unix_homedir from struct user_struct
This makes pdb_get_unix_homedir unused. I wonder if that was ever really used...
(This used to be commit 36bfd32f1f)
2008-05-05 18:28:58 +02:00
Günther Deschner
7dfeae6073 Use netr_SamInfo3 in remaining places.
Guenther
(This used to be commit 92fca97951)
2008-02-17 02:12:01 +01:00
Volker Lendecke
900288a2b8 Replace sid_string_static by sid_string_dbg in DEBUGs
(This used to be commit bb35e794ec)
2007-12-15 22:09:36 +01:00
Jeremy Allison
66298d8080 More pstring elimination.
Jeremy.
(This used to be commit 15074de938)
2007-11-20 17:18:16 -08:00
Jeremy Allison
30191d1a57 RIP BOOL. Convert BOOL -> bool. I found a few interesting
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
(This used to be commit f35a266b3c)
2007-10-18 17:40:25 -07:00
Andrew Tridgell
5e54558c6d r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text
(This used to be commit b0132e94fc)
2007-10-10 12:28:22 -05:00
Jeremy Allison
d824b98f80 r23779: Change from v2 or later to v3 or later.
Jeremy.
(This used to be commit 407e6e695b)
2007-10-10 12:28:20 -05:00
Volker Lendecke
b4a7b7a888 r22844: Introduce const DATA_BLOB data_blob_null = { NULL, 0, NULL }; and
replace all data_blob(NULL, 0) calls.
(This used to be commit 3d3d61687e)
2007-10-10 12:22:01 -05:00
Jim McDonough
dc1f0804dd r19058: Implement "user cannot change password", and complete "user must change
password at next logon" code.  The "password last set time" of zero now
means "user must change password", because that's how windows seems to
use it.  The "can change" and "must change" times are now calculated
based on the "last set" time and policies.

We use the "can change" field now to indicate that a user cannot change
a password by putting MAX_TIME_T in it (so long as "last set" time isn't
zero).  Based on this, we set the password-can-change bit in the
faked secdesc.
(This used to be commit 21abbeaee9)
2007-10-10 12:15:06 -05:00
Jim McDonough
e04dda6a2a r18722: Fix up password change times. The can change and must change times are
calculated based on the last change time, policies, and acb flags.

Next step will be to not bother storing them.  Right now I'm just trying to
get them reported correctly.
(This used to be commit fd5761c9e5)
2007-10-10 12:00:52 -05:00
Gerald Carter
3c222089ed r18684: pdb_get_group_sid() has to use the Get_Pwnam_alloc() call
to ensure it finds the Unix user.
(This used to be commit 4cea9bfca1)
2007-10-10 12:00:47 -05:00
Gerald Carter
2b27c93a9a r18271: Big change:
* autogenerate lsa ndr code
* rename 'enum SID_NAME_USE' to 'enum lsa_SidType'
* merge a log more security descriptor functions from
  gen_ndr/ndr_security.c in SAMBA_4_0

The most embarassing thing is the "#define strlen_m strlen"
We need a real implementation in SAMBA_3_0 which I'll work on
after this code is in.
(This used to be commit 3da9f80c28)
2007-10-10 11:51:18 -05:00
Jeremy Allison
fbdcf2663b r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need
to do the upper layer directories but this is what
everyone is waiting for....

Jeremy.
(This used to be commit 9dafb7f48c)
2007-10-10 11:19:14 -05:00
Jeremy Allison
795c99d6b8 r16381: Now samu can't be null don't check it on set. Klockwork
related fix.
Jeremy.
(This used to be commit 2e5a881478)
2007-10-10 11:18:50 -05:00
Jeremy Allison
f9147c4e40 r16241: Fix Klocwork #106 and others like it.
Make 2 important changes. pdb_get_methods()
returning NULL is a *fatal* error. Don't try
and cope with it just call smb_panic. This
removes a *lot* of pointless "if (!pdb)" handling
code. Secondly, ensure that if samu_init()
fails we *always* back out of a function. That
way we are never in a situation where the pdb_XXX()
functions need to start with a "if (sampass)"
test - this was just bad design, not defensive
programming.
Jeremy.
(This used to be commit a0d368197d)
2007-10-10 11:17:27 -05:00
Gerald Carter
6e807c763f r15310: only store lanman passwords on a change if 'lanman auth = yes'
(This used to be commit b6904e0950)
2007-10-10 11:16:34 -05:00
Jeremy Allison
d0c0079ef8 r14780: Fix coverity bug #272, null deref.
Jeremy.
(This used to be commit 1588ce8efe)
2007-10-10 11:15:48 -05:00
Günther Deschner
e54786b535 r13711: * Correctly handle acb_info/acct_flags as uint32 not as uint16.
* Fix a couple of related parsing issues.
* in the info3 reply in a samlogon, return the ACB-flags (instead of
  returning zero)

Guenther
(This used to be commit 5b89e8bc24)
2007-10-10 11:10:25 -05:00
Gerald Carter
d95e13e68f r13679: Commiting the rm_primary_group.patch posted on samba-technical
* ignore the primary group SID attribute from struct samu*
* generate the primary group SID strictlky from the Unix
  primary group when dealing with passdb users
* Fix memory leak in original patch caused by failing to free a
  talloc *
* add wrapper around samu_set_unix() to prevent exposing the create
  BOOL to callers.  Wrappers are samu_set_unix() and samu-allic_rid_unix()
(This used to be commit bcf269e2ec)
2007-10-10 11:10:23 -05:00
Gerald Carter
6622ba566e r13601: * Remove unused code from pdb_ldap.c
* Add a 'struct passwd *' to the struct samu for later reference
  (I know this may be controversial but its easily reverted which is
  is why I'm checking this is as a seaparate patch before I get
  too deep).
* Remove unix_homedir from struct samu {} and update the pdb wrapper
  functions associated with it.
(This used to be commit 92c251fdf0)
2007-10-10 11:10:18 -05:00
Gerald Carter
2203bed32c r13576: This is the beginnings of moving the SAM_ACCOUNT data structure
to make full use of the new talloc() interface.  Discussed with Volker
and Jeremy.

* remove the internal mem_ctx and simply use the talloc()
  structure as the context.
* replace the internal free_fn() with a talloc_destructor() function
* remove the unnecessary private nested structure
* rename SAM_ACCOUNT to 'struct samu' to indicate the current an
  upcoming changes.  Groups will most likely be replaced with a
  'struct samg' in the future.

Note that there are now passbd API changes.  And for the most
part, the wrapper functions remain the same.

While this code has been tested on tdb and ldap based Samba PDC's
as well as Samba member servers, there are probably still
some bugs.  The code also needs more testing under valgrind to
ensure it's not leaking memory.

But it's a start......
(This used to be commit 19b7593972)
2007-10-10 11:10:15 -05:00
Gerald Carter
671c0098f6 r13545: A patch which I think it's time has come. VOlker, we can talk about
this more but it gets around the primary group issue.

* don't map a SID to a name from the group mapping code if
  the map doesn't have a valid gid.  This is only an issue
  in a tdb setup
* Always allow S-1-$DOMAIN-513 to resolve (just like Windows)
* if we cannot resolve a users primary GID to a SID, then set
  it to S-1-$DOMAIN-513
* Ignore the primary group SID inside pdb_enum_group_memberships().
  Only look at the Unix group membersip.

Jeremy, this fixes a fresh install startup for smbd as far as my tests
are concerned.
(This used to be commit f79f4dc4c5)
2007-10-10 11:10:12 -05:00
Gerald Carter
0af1500fc0 r13316: Let the carnage begin....
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed)
2007-10-10 11:06:23 -05:00
Gerald Carter
54abd2aa66 r10656: BIG merge from trunk. Features not copied over
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d7)
2007-10-10 11:04:48 -05:00
Jeremy Allison
19ca97a70f r7882: Looks like a large patch - but what it actually does is make Samba
safe for using our headers and linking with C++ modules. Stops us
from using C++ reserved keywords in our code.
Jeremy
(This used to be commit 9506b8e145)
2007-10-10 10:58:00 -05:00
Derrell Lipman
9840db418b r6149: Fixes bugs #2498 and 2484.
1. using smbc_getxattr() et al, one may now request all access control
   entities in the ACL without getting all other NT attributes.
2. added the ability to exclude specified attributes from the result set
   provided by smbc_getxattr() et al, when requesting all attributes,
   all NT attributes, or all DOS attributes.
3. eliminated all compiler warnings, including when --enable-developer
   compiler flags are in use.  removed -Wcast-qual flag from list, as that
   is specifically to force warnings in the case of casting away qualifiers.

Note: In the process of eliminating compiler warnings, a few nasties were
      discovered.  In the file libads/sasl.c, PRIVATE kerberos interfaces
      are being used; and in libsmb/clikrb5.c, both PRIAVE and DEPRECATED
      kerberos interfaces are being used.  Someone who knows kerberos
      should look at these and determine if there is an alternate method
      of accomplishing the task.
(This used to be commit 994694f7f2)
2007-10-10 10:56:24 -05:00
Günther Deschner
6c84ecb556 r5349: After talking with Jerry, reverted the addition of account policies to
passdb in 3_0 (they are still in trunk).

Guenther
(This used to be commit fdf9bdbbac)
2007-10-10 10:55:38 -05:00
Gerald Carter
46d8ff2320 r5015: (based on abartlet's original patch to restrict password changes)
* added SE_PRIV checks to access_check_samr_object() in order
  to deal with the run-time security descriptor and their
  interaction with user rights

* Reordered original patch in _samr_set_userinfo[2] to still
  allow root/administrative password changes for users and machines.
(This used to be commit f9f9e6039b)
2007-10-10 10:55:12 -05:00
Günther Deschner
b4afdc08d5 r4925: Migrate Account Policies to passdb (esp. replicating ldapsam).
Does automated migration from account_policy.tdb v1 and v2 and offers a
pdbedit-Migration interface. Jerry, please feel free to revert that if
you have other plans.

Guenther
(This used to be commit 75af83dfcd)
2007-10-10 10:55:08 -05:00
Gerald Carter
c3ba8b9a53 r4736: small set of merges from rtunk to minimize the diffs
(This used to be commit 4b351f2fcc)
2007-10-10 10:53:52 -05:00