summaryrefslogtreecommitdiff
path: root/source3/groupdb
AgeCommit message (Collapse)AuthorFilesLines
2003-11-24more access fixes for group enumeration in LDAP; bug 281Gerald Carter1-1/+7
(This used to be commit 68283407e0f366d8315f4be6caed67eb6fe84b85)
2003-08-15Fix syntax error!Tim Potter1-1/+1
(This used to be commit cd0b6f74baa01dbe43c29cdadf1505083cdc878f)
2003-08-15fix compile warnings on IRIXGerald Carter1-5/+29
(This used to be commit b9779ba590a62acac12fa268c0e9dbe054176ae4)
2003-07-22Fixup a bunch of printf-style functions and debugs to use unsigned long whenTim Potter1-1/+1
displaying pid_t, uid_t and gid_t values. This removes a whole lot of warnings on some of the 64-bit build farm machines as well as help us out when 64-bit uid/gid/pid values come along. (This used to be commit f93528ba007c8800a850678f35f499fb7360fb9a)
2003-07-16fixes for 'net rpc vampire'. I can now take a blank Samba hostGerald Carter1-18/+14
and migrate an NT4 domain and still logon from domain members (tested logon scripts, system policies, profiles, & home directories) (passdb backend = tdbsam) removed call to idmap_init_wellknown_sids() from winbindd.c since the local domain should be handled by the guest passdb backend (and you don't really always want the Administrator account to be root) ...and we didn't pay attention to this anyways now. (This used to be commit 837d7c54d3ca780160aa0d6a2f0a109bb691948e)
2003-07-15We should report if a group mapping fails. This should fix bug#225.Volker Lendecke1-3/+1
Jerry, this is assigned to you. Do you want to answer it? However, we have to decide what to do if a mapping is to be done for a unix group not in LDAP.... Volker (This used to be commit bf449d467cfe4987df17010490a16ab0472c0803)
2003-07-11moving more code around.Gerald Carter1-4/+2
* move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-09Large set of changes to add UNIX account/group managementGerald Carter1-56/+121
to winbindd. See README.idmap-and-winbind-changes for details. (This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6)
2003-07-04Fix memleak in groupdb. Spotted by MetzeAlexander Bokovoy1-1/+1
(This used to be commit 5280c6953195c2664628ecaab59ea82b4863e8f7)
2003-06-18Ok, this patch removes the privilege stuff we had in, unused, for some time.Simo Sorce1-510/+47
The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-06-18And some more memory leaks in mapping.c and pdb_tdb.c. tdb_nextkeyVolker Lendecke1-0/+2
mallocs its key, so we should free it after use. Volker (This used to be commit 9750799ba2e1aaa59fa255f23880c9c618195c3d)
2003-06-17And more other memory leaks. One new (idmap) and one ancient (groupdb).Volker Lendecke1-0/+4
Volker (This used to be commit 2392f460aeb11f32759e84faf1e7ace73c5db281)
2003-05-12And finally IDMAP in 3_0Simo Sorce1-11/+12
We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-04-29don't implement any group mapping functions in the guest sam moduleGerald Carter1-0/+48
(This used to be commit a354bf4b7eadec3e6aa5f5547b58c7856fda3471)
2003-04-14Fix broken regexp in cvsignore for *.po{,32} files.Tim Potter1-2/+2
(This used to be commit a17622103bcbcff8d59f390f809f4744dddf0110)
2003-04-09Ignore .po and .po32 files.Martin Pool1-0/+2
(This used to be commit f01d94b027e0ca1530b2e50782a34c22706c643c)
2003-03-23The group mapping functions are not calledVolker Lendecke1-6/+6
directly anymore, but instead through the passdb interface. So we can make them static. Volker (This used to be commit a91af4bea8e761a812f5c70fdc7c7cd15366b412)
2003-02-22Remove 'unixsam' from the default passdb backends.Andrew Bartlett1-0/+55
The intention is to remove the muliple passdb backends, but we need the 'guest' account to always be there. If the admin adds the guest account to (say) LDAP, there will only be one backend required for operation. This helps remove some nasty behaviours with adding accounts to the system for both the RPC 'create user' and the SAMSYNC code. Users 'added' with an 'add user/machine' script won't magicly appear, and machine accounts 'pre-added' to unix, but not the smbpasswd file will not cause mayhem. This commit also implements somthing tridge discussed with me, the concept of 'default' passdb operation pointers - so that each backend does not need it's own stub funcitons wrapping the default tdb privilages/group mapping code. This also removes an implicit 'sid->name' and 'name->sid' mapping from our own local SID space, to winbind usernames. When adding mapping for NIS/LDAP non-sam users in future, we need to be careful. Andrew Bartlett (This used to be commit 6f32fa234961a525760a05418a08ec48d22d7617)
2003-02-18add_initial_entry should fail if string_to_sid fails.Martin Pool1-1/+5
(This used to be commit bb095dc28d8369457286225ac63e03070889f394)
2003-01-15small merges from SAMBA_3_0; mostly typos, renames, etc...Gerald Carter4-1337/+0
(This used to be commit 9ac196dad4893b0ceef13281a140be5d85391e6c)
2003-01-02BIG patch...Andrew Bartlett1-3/+3
This patch makes Samba compile cleanly with -Wwrite-strings. - That is, all string literals are marked as 'const'. These strings are always read only, this just marks them as such for passing to other functions. What is most supprising is that I didn't need to change more than a few lines of code (all in 'net', which got a small cleanup of net.h and extern variables). The rest is just adding a lot of 'const'. As far as I can tell, I have not added any new warnings - apart from making all of tdbutil.c's function const (so they warn for adding that const string to struct). Andrew Bartlett (This used to be commit 92a777d0eaa4fb3a1c7835816f93c6bdd456816d)
2002-11-23Lots of fixes for error paths where tdb_fetch() data need freeing.Jeremy Allison1-11/+18
Found via a post from Arcady Chernyak <Arcady.Chernyak@efi.com>. Jeremy. (This used to be commit 19f86f1f72aca924e9e320e20a175b5d21de45ad)
2002-11-12Removed global_myworkgroup, global_myname, global_myscope. Added liberalJeremy Allison1-1/+1
dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit 82b8f749a36b42e22186297482aad2abb04fab8a)
2002-10-21This moves the group mapping API into the passdb backend.Volker Lendecke1-5/+5
Currently this calls back to mapping.c, but we have the framework to get the information into LDAP and the passdb.tdb (should we? I think so..). This has received moderate testing with net rpc vampire and usrmgr. I found the add_groupmem segfault in add_aliasmem as well, but that will be another checkin. Volker (This used to be commit f30095852fea19421ac8e25dfe9c5cd4b2206f84)
2002-10-17Revert changesVolker Lendecke1-24/+16
(This used to be commit 975fd17f8af0f03f43995deb3fdd9bd5995a1c92)
2002-10-16Create group mappings on the fly.Volker Lendecke1-16/+24
Volker (This used to be commit e2fc1de34aaf875a7003f9d15d5f8ecf159130fb)
2002-10-04Add a timeout to tdb_lock_bystring(). Ensure we never have more thanJeremy Allison1-1/+1
MAX_PRINT_JOBS in a queue. Jeremy. (This used to be commit bb58a08af459b4abae9d53ab98c15f40638ce52b)
2002-09-23Ok, getting a bit more ambitious. Stop me, if this is wrong. ;-)Volker Lendecke1-2/+28
When creating a group you have to take care of the fact that the underlying unix might not like the group name. This change gets around that problem by giving the add group script the chance to invent a group name. It then must only return the newly created numerical gid. Volker (This used to be commit b959419ed38e66a12b63cad3e5fbfa849f952acc)
2002-09-21Sorry for the new parameter, but I think to really reflect what's comingVolker Lendecke1-3/+21
in via deltas, we need a way to set a user's primary group. Volker (This used to be commit 9f7a16acf1b1f3b100b85339aad8268254512e68)
2002-08-28Put in intermediate version of new SAM system. It's not stable yet, codeJelmer Vernooij2-6/+2
might be ugly, etc - please don't blame me for anything but instead try to fix the code :-). Compiling of the new sam system can be enabled with the configure option --with-sam Removing passdb/passgrp.c as it's unused fix typo in utils/testparm.c (This used to be commit 4b7de5ee236c043e6169f137992baf09a95c6f2c)
2002-06-07Globally replace 'global_sam_sid' with get_global_sam_sid(), a selfAndrew Bartlett1-6/+4
initialising function. This patch thanks to the work of "Stefan (metze) Metzmacher" <metze@metzemix.de> This is partly to enable the transition to SIDs in the the passdb. Andrew Bartlett (This used to be commit 96afea638e15d4cbadc57023a511094a770c6adc)
2002-04-19DEBUG cleanup.Jean-François Micouleau1-1/+1
J.F. (This used to be commit 1ece80a6b70ab26eb1a8484134b536efa007f6f9)
2002-01-30Removed version number from file header.Tim Potter5-9/+8
Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2002-01-29Since we have dynamic initialisation in the group mapping code, makeTim Potter1-72/+94
init_group_mapping() a static function and don't call it from any client programs. Not sure whether I've made a bigger mess here or not... (This used to be commit 3c887d9021269aaa9fc0bc771af8589077e6208e)
2002-01-27Patch from Kevin Stefanik <kstef@mtppi.org> to do some more error checking forAndrew Bartlett1-6/+24
group mapping init failures. (This used to be commit cd6a2dad4e3092a19f784b6548fce49ecd8bb549)
2002-01-17A nice *big* change to the fundemental way we do things.Andrew Bartlett1-1/+2
Samba (ab)uses the returns from getpwnam() a lot - in particular it keeps them around for a long time - often past the next call... This adds a getpwnam_alloc and a getpwuid_alloc to the collection. These function as expected, returning a malloced structure that can be free()ed with passwd_free(&passwd). This patch also cuts down on the number of calls to getpwnam - mostly by taking advantage of the fact that the passdb interface is already case-insensiteve. With this patch most of the recursive cases have been removed (that I know of) and the problems are reduced further by not using the sys_ interface in the new code. This means that pointers to the cache won't be affected. (This is a tempoary HACK, I intend to kill the password cache entirly). The only change I'm a little worried about is the change to rpc_server/srv_samr_nt.c for private groups. In this case we are getting groups from the new group mapping DB. Do we still need to check for private groups? I've toned down the check to a case sensitve match with the new code, but we might be able to kill it entirly. I've also added a make_modifyable_passwd() function, that copies a passwd struct into the form that the old sys_getpw* code provided. As far as I can tell this is only actually used in the pass_check.c crazies, where I moved the final 'special case' for shadow passwords (out of _Get_Pwnam()). The matching case for getpwent() is dealt with already, in lib/util_getent.c Also included in here is a small change to register the [homes] share at vuid creation rather than just in one varient of the session setup. (This picks up the SPNEGO cases). The home directory is now stored on the vuid, and I am hoping this might provide a saner way to do %H substitions. TODO: Kill off remaining Get_Pwnam_Modify calls (they are not needed), change the remaining sys_getpwnam() callers to use getpwnam_alloc() and move Get_Pwnam to return an allocated struct. Andrew Bartlett (This used to be commit 1d86c7f94230bc53daebd4d2cd829da6292e05da)
2002-01-13don't try to allocate zero bytesAndrew Tridgell1-10/+7
(This used to be commit d09616da6823b69a03a8a008987c4eb02ca0061b)
2002-01-09When re-writing tdb version numbers as little endian int32, we mustJeremy Allison1-6/+8
change the version number also. Jeremy. (This used to be commit 3dec9cf99a82bd15626eb99e7d937ff00183cc05)
2002-01-09Fixed all uses of tdb_fetch/store/_int to use explicit int32 little endianJeremy Allison1-5/+18
in tdb's. All except winbindd_idmap.... Hmmmmmm. Jeremy. (This used to be commit ec71f1732b6b27bd2d65b250a6f3720a235dc38d)
2002-01-03Fixed nasty cast of tdb_delete in traversals.Jeremy Allison1-1/+1
Jeremy. (This used to be commit a0cdec3acc82d1ce0292fadd4b8dac23638450f3)
2002-01-02Actually enforce the passdb API.Andrew Bartlett1-1/+1
Thou shalt not reference SAM_ACCOUNT members directly - always use pdb_get/pdb_set. This is achived by making the whole of SAM_ACCOUNT have a .private member, where the real members live. This caught a pile of examples, and these have beeen fixed. The pdb_get..() functions are 'const' (have been for some time) and this required a few small changes to constify other functions. I've also added some debugs to the pdb get and set, they can be removed if requested. I've rewritten the copy_id2x_to_sam_pass() functions to use the new passdb interface, but I need the flags info to do it properly. The pdb_free_sam() funciton now blanks out the LM and NT hashes, and as such I have removed many extra 'samr_clear_sam_passwd(smbpass)' calls as a result. Finally, any and all testing is always appriciated - but the basics seem to work. Andrew Bartlett (This used to be commit d3dd28f6c443187b8d820d5a39c7c5b3be2fa95c)
2001-12-04added a boolean to the group mapping functions to specify if we need orJean-François Micouleau1-27/+69
not the privileges. Usually we don't need them, so the memory is free early. lib/util_sid.c: added some helper functions to check an SID. passdb/passdb.c: renamed local_lookup_rid() to local_lookup_sid() and pass an RID all the way. If the group doesn't exist on the domain SID, don't return a faked one as it can collide with a builtin one. Some rpc structures have been badly designed, they return only rids and force the client to do subsequent lsa_lookup_sid() on the domain sid and the builtin sid ! rpc_server/srv_util.c: wrote a new version of get_domain_user_groups(). Only the samr code uses it atm. It uses the group mapping code instead of a bloody hard coded crap. The netlogon code will use it too, but I have to do some test first. J.F. (This used to be commit 6c87e96149101995b7d049657d5c26eefef37d8c)
2001-12-03added a tdb to store the account policy informations.Jean-François Micouleau1-0/+3
You can change them with either usermanager->policies->account or from a command prompt on NT/W2K: net accounts /domain we can add a rpc accounts to the net command. As the net_rpc.c is still empty, I did not start. How should I add command to it ? Should I take the rpcclient/cmd_xxx functions and call them from there ? alse changed the SAM_UNK_INFO_3 parser, it's an NTTIME. This one is more for jeremy ;-) J.F. (This used to be commit bc28a8eebd9245ce3004ae4b1a359db51f77bf21)
2001-12-03init group db before useAndrew Tridgell1-0/+12
this fixes the smbpasswd segvs (This used to be commit d2bcdfd995b9562872d865e723b23ed84247a73f)
2001-12-01groups in the Builtin domain S-5-32 are alias and not well-known groupsJean-François Micouleau1-11/+15
J.F. (This used to be commit 192978e3fc96bc60fc3ceaad8f024bc91bf69da7)
2001-11-30Missing return in free_privilege()Tim Potter1-0/+2
(This used to be commit b35d90cd89849f0a01e8c79f0962ec9388673ad1)
2001-11-29Changed again how the privilege list is handled in the group mapping code.Jean-François Micouleau1-104/+307
This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
2001-11-24added "net join" commandAndrew Tridgell1-2/+2
this completes the first stage of the smbd ADS support (This used to be commit 058a5aee901e6609969ef7e1d482a720a84a4a12)
2001-11-24added lsaenumprivsaccount and lsalookupprivvalue to rpcclientJean-François Micouleau1-0/+10
and more to come ... J.F. (This used to be commit 1748d5a2af1f2dcf718d6f162ed483b001542494)
2001-11-23Changed how the privileges are stored in the group mapping code. It's nowJean-François Micouleau1-52/+163
an array of uint32. That's not perfect but that's better. Added more privileges too. Changed the local_lookup_rid/name functions in passdb.c to check if the group is mapped. Makes the LSA rpc calls return correct groups Corrected the return code in the LSA server code enum_sids. Only enumerate well known aliases if they are mapped to real unix groups. Won't confuse user seeing groups not available. Added a short/long view to smbgroupedit. now decoding rpc calls to add/remove privileges to sid. J.F. (This used to be commit f29774e58973f421bfa163c45bfae201a140f28c)