Age | Commit message (Collapse) | Author | Files | Lines |
|
<a.kotovich@sam-solutions.net> that adds the security decsriptor code
for ADS workstation accounts
thanks for your patience Cat, and thanks to Andrew Bartlett for
extensive reviews and suggestions about this code.
(This used to be commit 6891393b5db868246fe52ff62b3dc6aa5ca6f726)
|
|
(This used to be commit 8836015467158de6947689300ead74f1e9044805)
|
|
requested build of included popt.
(This used to be commit 4b4430f1c56a5c9a0d53dd8b624022644d8061e1)
|
|
when complete, this will be used to backup critical tdbs at samba
startup and possibly periodically while Samba is running so that if
tdb corruption is caused by a power failure Samba can restore from the
backup.
(This used to be commit f619330082712cab72ec2d2ab76d67b8e9f3194c)
|
|
(This used to be commit 4f887f01e52b04d4cf4517aaefeae7042170a511)
|
|
Jeremy.
(This used to be commit 10e3e6855be93b8c4d97d67a063d92ccee391fec)
|
|
(This used to be commit b179a5d85f2e364b26191adf0cb61fcf17ae7687)
|
|
This allow the user to select
'passdb backend = plugin : /path/to/plugin.so : pluging args'
And load any arbitary plugin. Apparently Jelmer has a mysql plugin in the
works - hence this patch.
We probably need to rework the interface a bit before 3.0 (add versioning of
some kind) but this is a good start.
Andrew Bartlett
(This used to be commit d6d18b70f0c377344b0b3d9df5a11d209793bfe0)
|
|
(This used to be commit 9c1c25db792d58f451df3736f1b875c493e7d67c)
|
|
(This used to be commit 690c1fae9ce0ad6a8adef42ed5a7d8cfedab261d)
|
|
This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error
conversions, and uses them to make the error handling in pam_winbind sane.
In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...'
stuff, and logs the NTSTATUS error that winbind now sends over the pipe.
Added code to wbinfo to display these - makes a big difference in debugging
winbindd.
The main change here is the code to allow pam_winbind password changing to
correctly stack - This code ripped from pam_unix, and the copyright attached.
(Same as for all pam modules, including pam_winbind)
Andrew Bartlett
(This used to be commit dc1a72f896b83bc1ad3c7bf6c12c36ace3967280)
|
|
(This used to be commit 085f5ab03e0e4994315b9a0eeb5cb2a625b784f8)
|
|
automatically generated on first 'make'. This wasn't being picked up by the
build farm becouse of the explicit 'make proto'.
The 'make proto' bit isn't somthing our alpha testers know about (its certainly
not clearly documented) and its meant to be automatic.
I hope this works...
Andrew Bartlett
(This used to be commit 3a413ef1eabbb28b589e5238d9c837a8275b54d0)
|
|
there are still some work to do on it but it's already functionnal.
J.F.
(This used to be commit 2506c98d19263bd5f367a488c2238dcdfec46ee9)
|
|
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
|
|
Samba (ab)uses the returns from getpwnam() a lot - in particular it keeps
them around for a long time - often past the next call...
This adds a getpwnam_alloc and a getpwuid_alloc to the collection.
These function as expected, returning a malloced structure that can be
free()ed with passwd_free(&passwd).
This patch also cuts down on the number of calls to getpwnam - mostly by
taking advantage of the fact that the passdb interface is already
case-insensiteve.
With this patch most of the recursive cases have been removed (that I know
of) and the problems are reduced further by not using the sys_ interface
in the new code. This means that pointers to the cache won't be affected.
(This is a tempoary HACK, I intend to kill the password cache entirly).
The only change I'm a little worried about is the change to
rpc_server/srv_samr_nt.c for private groups. In this case we are getting
groups from the new group mapping DB. Do we still need to check for private
groups? I've toned down the check to a case sensitve match with the new code,
but we might be able to kill it entirly.
I've also added a make_modifyable_passwd() function, that copies a passwd
struct into the form that the old sys_getpw* code provided. As far as I can
tell this is only actually used in the pass_check.c crazies, where I moved
the final 'special case' for shadow passwords (out of _Get_Pwnam()).
The matching case for getpwent() is dealt with already, in lib/util_getent.c
Also included in here is a small change to register the [homes] share at vuid
creation rather than just in one varient of the session setup. (This picks
up the SPNEGO cases). The home directory is now stored on the vuid, and I
am hoping this might provide a saner way to do %H substitions.
TODO: Kill off remaining Get_Pwnam_Modify calls (they are not needed), change
the remaining sys_getpwnam() callers to use getpwnam_alloc() and move
Get_Pwnam to return an allocated struct.
Andrew Bartlett
(This used to be commit 1d86c7f94230bc53daebd4d2cd829da6292e05da)
|
|
This work was sponsored by Optifacio Software Services, Inc.
Andrew Bartlett
(various e-mails announcements merged into some form of commit message below:)
This patch which adds basics of universal groups support
into Samba 3. Currently, only Winbind with RPC calls supports this, ADS
support requires additional (possibly huge) work on KRB5 PAC. However,
basic infrastructure is here.
This patch adds:
1. Storing of universal groups for particular user logged into Samba
software (smbd/ two winbind-pam methods) into netlogon_unigrp.tdb as array
of uint32 supplemental group rids keyed as DOMAIN_SID/USER_RID in tdb.
2. Fetching of unversal groups for given user rid and domain sid from
netlogon_unigrp.tdb.
Since this is used in both smbd and winbindd, main code is in
source/lib/netlogon_uingrp.c. Dependencies are added to AUTH_OBJ as
UNIGRP_OBJ and WINBINDD_OBJ as UNIGRP_OBJ.
This patch has had a few versions, the final version in particular:
Many thanks to Andrew Bartlett for critics and comments, and partly
rewritten code.
New:
- updated fetching code to changed byte order macros
- moved functions to proper namespace
- optimized memory usage by reusing caller's memory context
- enhanced code to more follow Samba coding rules
Todo:
- proper universal group expiration after timeout
(This used to be commit 80c2aefbe7c1aa363dd286a47d50c5d8b4595f43)
|
|
This should make things a little happier...
Andrew Bartlett
(This used to be commit 6ce467a65fdaabbcfac258a1b899c833602b6d92)
|
|
prompt dmalloc to log information about what happening, so you can see
in flight why smbd is getting bloated.
(This used to be commit bcb443c5c4bf97fe6b5b0993e42496c2e64f0124)
|
|
- allow winbindd and wbinfo to build without shared libraries
(This used to be commit d5db2518be8458f24f66eaa17434504b994ebb9a)
|
|
- don't attempt to build winbindd if we can't do shared libs
(This used to be commit c98158f3f818118fb13cc7ae6f45634204343b46)
|
|
The auth_authsupplied_info typedef is now just a plain struct - auth_context,
but it has been modified to contain the function pointers to the rest
of the auth subsystem's components.
(Who needs non-static functions anyway?)
In working all this mess out, I fixed a number of memory leaks and moved the
entire auth subsystem over to talloc().
Note that the TALLOC_CTX attached to the auth_context can be rather long-lived,
it is provided for things that are intended to live as long. (The
global_negprot_auth_context lasts the whole life of the smbd).
I've also adjusted a few things in auth_domain.c, mainly passing the domain as
a paramater to a few functions instead of looking up lp_workgroup(). I'm
hopign to make this entire thing a bit more trusted domains (as PDC) freindly
in the near future.
Other than that, I moved a bit of the code around, hence the rather messy diff.
Andrew Bartlett
(This used to be commit 12f5515f556cf39fea98134fe3e2ac4540501048)
|
|
be information about memory usage, but this is not done yet.
(This used to be commit 830a126a442bdde28fc42e23e7260c344b6534b9)
|
|
Tidyup in passdb.c
Jeremy.
(This used to be commit 676eea502a1bb2114a6e8055ecaf97ecab2e3a91)
|
|
samsync. The libsmb version should do fine.
(This used to be commit 001fe3481f26e27964b3d60c067524b45f085304)
|
|
Also removed the dependency on auth_util.o, which makes things nicer.
Finally, this kills off the NECESSARY_BECAUSE_SAMBA_DEPENDENCIES_ARE_SO_BROKEN_OBJ
makefile variable - becouse Samba dependencies are starting to be sane again!
Andrew Bartlett
(This used to be commit 4609edcac3b70c11025f0c5aa0ddbeed93369c84)
|
|
- Move rpc_client/cli_trust.c to smbd/change_trust_pw.c
- It hasn't been used by anything else since smbpasswd lost its -j
- Add a TALLOC_CTX to the auth subsytem. These are only valid for the length
of the calls to the individual modules, if you want a longer context hide it
in your private data.
Similarly, all returns (like the server_info) should still be malloced.
- Move the 'ntdomain' module (security=domain in oldspeak) over to use the new
libsmb domain logon code. Also rework much of the code to use some better
helper functions for the connection - getting us much better error returns
(the new code is NTSTATUS).
The only remaining thing to do is to figure out if tpot's 0xdead 0xbeef for
the LUID feilds is sufficient, or if we should do random LUIDs as per the old
code.
Similarly, I'll move winbind over to this when I get a chance.
This leaves the SPOOLSS code and some cli_pipe code as the only stuff still in
rpc_client, at least as far as smbd is concerned.
While I've given this a basic rundown, any testing is as always appriciated.
Andrew Bartlett
(This used to be commit d870edce76ecca259230fbdbdacd0c86793b4837)
|
|
We now include the libber.h file if required, but currently we just don't use
ldap. (I'll chase this up).
In the meantime, I've moved the ads_status code about, its now in its own file,
and has a couple of #ifdefs to allow smbd to link - becouse the lack of LDAP
caused HAVE_ADS to be undefined. (I hope its not too ugly).
Andrew Bartlett
(This used to be commit 14407c87e2dcccae1784290e3eb7a2d611516aff)
|
|
(This used to be commit 6697e46183719c894ec115c0fd8a18ad4191b347)
|
|
(This used to be commit b60d6f11972892a17bf6df5e7ee3dd2e498bc4c0)
|
|
(This used to be commit 51268c512dbae94aba308668df9facaf15a2ce9e)
|
|
(This used to be commit 412e79c448bf02e3097b5c14a36fe0172d8d2895)
|
|
nsswitch code uses vsyslog without checking for it.
Provide replacement for vsyslog in lib/snprintf if not found by configure.
Jeremy.
(This used to be commit ab2e55cdb376d6699c9a09fac243fba7d3840447)
|
|
by default.
(This used to be commit e3390669958f01672f5638ebf975e8bd4fd67665)
|
|
Jeremy.
(This used to be commit ad9a5a26e088f3fedce9562f688c518d610dbef2)
|
|
Jeremy.
(This used to be commit 59e01a22c5cb1046758c8cd6b09333c19d6cd26e)
|
|
(This used to be commit 1ef98625404a2df0fb0b70b40041e3b8cdbc5f5d)
|
|
(This used to be commit 564bfd77287b3006c7246065990ca9b91f79826a)
|
|
I'm looking at chaining the credentials
J.F.
(This used to be commit d49c8e4d3d64b48e243d0f517b9e7f037103af13)
|
|
(This used to be commit 5bf6f9193774bcb6abb955efb346d2eb966a03d0)
|
|
a SMB server
particularly useful for ADS is:
net time set -S DOMAIN#1B
this makes kerberos clock skew problems go away :)
(This used to be commit b3ba2293d0e4eac3b6408c3abc3dcacfa3f67fe4)
|
|
IPC$ connections to domain controllers.
(This used to be commit 1217ef28a6c18c085fcb2eac3bf04866c166d959)
|
|
- added lsaquerysecobj to rpcclient
- renamed querysecobj to samquerysecobj
- removed duplicated display_sec_acl() code from cmd_spoolss.c and
cmd_samr.c and moved it into display_sec.c
(This used to be commit 59b2e3f408a5ff22f2d81a927d010a7df5f19f7f)
|
|
not visible later on.
(This used to be commit 8edd29e09959a14a2b87c65930df7df2c2d88b03)
|
|
cyrus-sasl which makes the code much less fragile. Also added code to auto-determine the server name or realm
(This used to be commit 435fdf276a79c2a517adcd7726933aeef3fa924b)
|
|
you did make headers - fixed
(This used to be commit ce84993e8e66a151fcb7d5709763b0bf2d513a7c)
|
|
it gets removed on a make clean
it gets created on a make headers (if it doesn't already exist)
This makes it so I only rebuild everthing once after a make clean and
also so nothing gets rebuilt after jfm does a make headers (proto)
(This used to be commit bc918bce104954b39bd54cab3149a0f4573feb5f)
|
|
It forced a complete build to occur each time the proto are rebuild !
J.F.
(This used to be commit 9866c18193226ec4dc69ccc459f4f9b36610b945)
|
|
don't set WINBIND variables unless configure was run --with-winbind
(This used to be commit 83ec4c0f4dbfa43c893f18af1c6bb58c55043c9b)
|
|
paths. This make it hard to use a script that overrides CFLAGS options.
(This used to be commit 646b5ae752f7cd00e057d0d7cc6001161125fd3f)
|