summaryrefslogtreecommitdiff
path: root/source3/groupdb
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r6351: This is quite a large and intrusive patch, but there are not many ↵Volker Lendecke1-47/+0
pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2007-10-10r6263: Get rid of generate_wellknown_sids, they are const static and ↵Volker Lendecke1-2/+0
initializable statically. Volker (This used to be commit 3493d9f383567d286e69c0e60c0708ed400a04d9)
2007-10-10r6225: get rid of warnings from my compiler about nested externsHerb Lewis1-2/+2
(This used to be commit efea76ac71412f8622cd233912309e91b9ea52da)
2007-10-10r6092: This much const causes the compiler on Fedora Core 2Jeremy Allison1-1/+1
to throw up. Jeremy. (This used to be commit 051f0ed8075a3616484888ab22d68ca11aa1dd36)
2007-10-10r6080: Port some of the non-critical changes from HEAD to 3_0. The main one ↵Volker Lendecke1-5/+36
is the change in pdb_enum_alias_memberships to match samr.idl a bit closer. Volker (This used to be commit 3a6786516957d9f67af6d53a3167c88aa272972f)
2007-10-10r5647: Caches are good for performance, but you get a consistency problem.Volker Lendecke1-0/+2
Fix bug # 2401. Volker (This used to be commit eb4ef94f244d28fe531d0b9f724a66ed3834b687)
2007-10-10r5264: Log with loglevel 0 when account-administration scripts fail.Günther Deschner1-5/+5
Guenther (This used to be commit 3d391ef149639750db376b05528a27422f8a3321)
2007-10-10r4724: Add support for Windows privileges in Samba 3.0Gerald Carter1-12/+1
(based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison1-4/+4
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r3566: Completely replace the queryuseraliases call. The previous ↵Volker Lendecke1-10/+25
implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2007-10-10r3561: Since we have tdb_reopen_all() after all forks, the local_pid logic ↵Volker Lendecke1-4/+1
is not correct anymore. If we actually open the tdb before the fork, we end up opening the tdb twice. Jerry, jra, this also happens in the locking and printing subsystems. You might want to check it there (not that it actually happens right now, but this gave me some confusion lately...). Volker (This used to be commit 40cad9dcc14ddec0ce74bb9010d13bd82e4d10af)
2007-10-10r2865: Add static and remove unused functions that only cload the blame-gameAndrew Bartlett1-122/+0
in finding out who is causing the massive performance problems with large LDAP directories. Andrew Bartlett (This used to be commit f16ed2616a67c412bc9b78354a5faf673e64cf42)
2007-10-10r2753: Workaround for the (rather broken) _samr_query_useraliases rpc-call.Günther Deschner1-14/+1
_samr_query_useraliases shows up with all kind of very weird memberships (global-groups, machine-accounts, etc.). Sometimes even if there is no alias-membership at all. One of the biggest mistakes is to convert any unix-group the user is a member of, into an alias by default in get_group_from_gid. get_alias_user_groups should be rewritten to use pdb_enum_alias_memberships. Guenther (This used to be commit 73ab2d2a74d3992167d9304dd41f60ad0805dd67)
2007-10-10r116: volker's patch for local group and group nestingGerald Carter1-1/+459
(This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2007-10-10r39: * importing .cvsignore filesGerald Carter1-2/+0
* updateing WHATSNEW with vl's change (This used to be commit a7e2730ec4389e0c249886a8bfe1ee14c5abac41)
2004-03-09Fix to debug message lacking termination with '\n'.Rafal Szczesniak1-12/+12
rafal (This used to be commit 2a7dd469430459d124cb48d516b82766a2a249bc)
2004-02-17When creating a group via a script, don't let winbind do it as well.Volker Lendecke1-3/+1
Volker (This used to be commit 6a229f1488c2f0935c24e223614e4c88b36d15c0)
2004-01-25Fix memleak just introduced. Thanks to abartlet :-)Volker Lendecke1-0/+1
Volker (This used to be commit be485eea81c6bab8067642c26e41a14652ce7ee6)
2004-01-25On my SuSE 8.2 (glibc 2.3.2) the getpwnam inside pdb_getsampwnam resetVolker Lendecke1-30/+43
the surrounding getpwent loop to the first entry. So smbd went into an endless loop. Volker (This used to be commit 1797b16fadd61ef1f30a1be950e3afe7a2e1d791)
2004-01-02JHT came up with a nasty (broken) torture case in preparing examples forAndrew Bartlett1-28/+63
his book. This prompted me to look at the code that reads the unix group list. This code did a lot of name -> uid -> name -> sid translations, which caused problems. Instead, we now do just name->sid I also cleaned up some interfaces, and client tools. Andrew Bartlett (This used to be commit f9e59f8bc06fae7e5c8cb0980947f78942dc25c0)
2003-12-10more group lookup access fixes on the neverending bug 281Gerald Carter1-5/+23
(This used to be commit 9359a6ea80d1228e87ea825a100a2d289c37162d)
2003-12-04* fix RemoveSidForeignDomain() ; bug 252Gerald Carter1-14/+16
* don't fall back to unmapped UNIX group for get_local_group_from_sid() * remove an extra become/unbecome_root() pair from group enumeration (This used to be commit da12bbdb0dd9179b1ed457fa009679e2da4a8440)
2003-11-24more access fixes for group enumeration in LDAP; bug 281Gerald Carter1-1/+7
(This used to be commit 68283407e0f366d8315f4be6caed67eb6fe84b85)
2003-08-15Fix syntax error!Tim Potter1-1/+1
(This used to be commit cd0b6f74baa01dbe43c29cdadf1505083cdc878f)
2003-08-15fix compile warnings on IRIXGerald Carter1-5/+29
(This used to be commit b9779ba590a62acac12fa268c0e9dbe054176ae4)
2003-07-22Fixup a bunch of printf-style functions and debugs to use unsigned long whenTim Potter1-1/+1
displaying pid_t, uid_t and gid_t values. This removes a whole lot of warnings on some of the 64-bit build farm machines as well as help us out when 64-bit uid/gid/pid values come along. (This used to be commit f93528ba007c8800a850678f35f499fb7360fb9a)
2003-07-16fixes for 'net rpc vampire'. I can now take a blank Samba hostGerald Carter1-18/+14
and migrate an NT4 domain and still logon from domain members (tested logon scripts, system policies, profiles, & home directories) (passdb backend = tdbsam) removed call to idmap_init_wellknown_sids() from winbindd.c since the local domain should be handled by the guest passdb backend (and you don't really always want the Administrator account to be root) ...and we didn't pay attention to this anyways now. (This used to be commit 837d7c54d3ca780160aa0d6a2f0a109bb691948e)
2003-07-15We should report if a group mapping fails. This should fix bug#225.Volker Lendecke1-3/+1
Jerry, this is assigned to you. Do you want to answer it? However, we have to decide what to do if a mapping is to be done for a unix group not in LDAP.... Volker (This used to be commit bf449d467cfe4987df17010490a16ab0472c0803)
2003-07-11moving more code around.Gerald Carter1-4/+2
* move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-09Large set of changes to add UNIX account/group managementGerald Carter1-56/+121
to winbindd. See README.idmap-and-winbind-changes for details. (This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6)
2003-07-04Fix memleak in groupdb. Spotted by MetzeAlexander Bokovoy1-1/+1
(This used to be commit 5280c6953195c2664628ecaab59ea82b4863e8f7)
2003-06-18Ok, this patch removes the privilege stuff we had in, unused, for some time.Simo Sorce1-510/+47
The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-06-18And some more memory leaks in mapping.c and pdb_tdb.c. tdb_nextkeyVolker Lendecke1-0/+2
mallocs its key, so we should free it after use. Volker (This used to be commit 9750799ba2e1aaa59fa255f23880c9c618195c3d)
2003-06-17And more other memory leaks. One new (idmap) and one ancient (groupdb).Volker Lendecke1-0/+4
Volker (This used to be commit 2392f460aeb11f32759e84faf1e7ace73c5db281)
2003-05-12And finally IDMAP in 3_0Simo Sorce1-11/+12
We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-04-29don't implement any group mapping functions in the guest sam moduleGerald Carter1-0/+48
(This used to be commit a354bf4b7eadec3e6aa5f5547b58c7856fda3471)
2003-04-14Fix broken regexp in cvsignore for *.po{,32} files.Tim Potter1-2/+2
(This used to be commit a17622103bcbcff8d59f390f809f4744dddf0110)
2003-04-09Ignore .po and .po32 files.Martin Pool1-0/+2
(This used to be commit f01d94b027e0ca1530b2e50782a34c22706c643c)
2003-03-23The group mapping functions are not calledVolker Lendecke1-6/+6
directly anymore, but instead through the passdb interface. So we can make them static. Volker (This used to be commit a91af4bea8e761a812f5c70fdc7c7cd15366b412)
2003-02-22Remove 'unixsam' from the default passdb backends.Andrew Bartlett1-0/+55
The intention is to remove the muliple passdb backends, but we need the 'guest' account to always be there. If the admin adds the guest account to (say) LDAP, there will only be one backend required for operation. This helps remove some nasty behaviours with adding accounts to the system for both the RPC 'create user' and the SAMSYNC code. Users 'added' with an 'add user/machine' script won't magicly appear, and machine accounts 'pre-added' to unix, but not the smbpasswd file will not cause mayhem. This commit also implements somthing tridge discussed with me, the concept of 'default' passdb operation pointers - so that each backend does not need it's own stub funcitons wrapping the default tdb privilages/group mapping code. This also removes an implicit 'sid->name' and 'name->sid' mapping from our own local SID space, to winbind usernames. When adding mapping for NIS/LDAP non-sam users in future, we need to be careful. Andrew Bartlett (This used to be commit 6f32fa234961a525760a05418a08ec48d22d7617)
2003-02-18add_initial_entry should fail if string_to_sid fails.Martin Pool1-1/+5
(This used to be commit bb095dc28d8369457286225ac63e03070889f394)
2003-01-15small merges from SAMBA_3_0; mostly typos, renames, etc...Gerald Carter4-1337/+0
(This used to be commit 9ac196dad4893b0ceef13281a140be5d85391e6c)
2003-01-02BIG patch...Andrew Bartlett1-3/+3
This patch makes Samba compile cleanly with -Wwrite-strings. - That is, all string literals are marked as 'const'. These strings are always read only, this just marks them as such for passing to other functions. What is most supprising is that I didn't need to change more than a few lines of code (all in 'net', which got a small cleanup of net.h and extern variables). The rest is just adding a lot of 'const'. As far as I can tell, I have not added any new warnings - apart from making all of tdbutil.c's function const (so they warn for adding that const string to struct). Andrew Bartlett (This used to be commit 92a777d0eaa4fb3a1c7835816f93c6bdd456816d)
2002-11-23Lots of fixes for error paths where tdb_fetch() data need freeing.Jeremy Allison1-11/+18
Found via a post from Arcady Chernyak <Arcady.Chernyak@efi.com>. Jeremy. (This used to be commit 19f86f1f72aca924e9e320e20a175b5d21de45ad)
2002-11-12Removed global_myworkgroup, global_myname, global_myscope. Added liberalJeremy Allison1-1/+1
dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit 82b8f749a36b42e22186297482aad2abb04fab8a)
2002-10-21This moves the group mapping API into the passdb backend.Volker Lendecke1-5/+5
Currently this calls back to mapping.c, but we have the framework to get the information into LDAP and the passdb.tdb (should we? I think so..). This has received moderate testing with net rpc vampire and usrmgr. I found the add_groupmem segfault in add_aliasmem as well, but that will be another checkin. Volker (This used to be commit f30095852fea19421ac8e25dfe9c5cd4b2206f84)
2002-10-17Revert changesVolker Lendecke1-24/+16
(This used to be commit 975fd17f8af0f03f43995deb3fdd9bd5995a1c92)
2002-10-16Create group mappings on the fly.Volker Lendecke1-16/+24
Volker (This used to be commit e2fc1de34aaf875a7003f9d15d5f8ecf159130fb)
2002-10-04Add a timeout to tdb_lock_bystring(). Ensure we never have more thanJeremy Allison1-1/+1
MAX_PRINT_JOBS in a queue. Jeremy. (This used to be commit bb58a08af459b4abae9d53ab98c15f40638ce52b)
2002-09-23Ok, getting a bit more ambitious. Stop me, if this is wrong. ;-)Volker Lendecke1-2/+28
When creating a group you have to take care of the fact that the underlying unix might not like the group name. This change gets around that problem by giving the add group script the chance to invent a group name. It then must only return the newly created numerical gid. Volker (This used to be commit b959419ed38e66a12b63cad3e5fbfa849f952acc)