summaryrefslogtreecommitdiff
path: root/source3/groupdb
AgeCommit message (Collapse)AuthorFilesLines
2002-01-02Actually enforce the passdb API.Andrew Bartlett1-1/+1
Thou shalt not reference SAM_ACCOUNT members directly - always use pdb_get/pdb_set. This is achived by making the whole of SAM_ACCOUNT have a .private member, where the real members live. This caught a pile of examples, and these have beeen fixed. The pdb_get..() functions are 'const' (have been for some time) and this required a few small changes to constify other functions. I've also added some debugs to the pdb get and set, they can be removed if requested. I've rewritten the copy_id2x_to_sam_pass() functions to use the new passdb interface, but I need the flags info to do it properly. The pdb_free_sam() funciton now blanks out the LM and NT hashes, and as such I have removed many extra 'samr_clear_sam_passwd(smbpass)' calls as a result. Finally, any and all testing is always appriciated - but the basics seem to work. Andrew Bartlett (This used to be commit d3dd28f6c443187b8d820d5a39c7c5b3be2fa95c)
2001-12-04added a boolean to the group mapping functions to specify if we need orJean-François Micouleau1-27/+69
not the privileges. Usually we don't need them, so the memory is free early. lib/util_sid.c: added some helper functions to check an SID. passdb/passdb.c: renamed local_lookup_rid() to local_lookup_sid() and pass an RID all the way. If the group doesn't exist on the domain SID, don't return a faked one as it can collide with a builtin one. Some rpc structures have been badly designed, they return only rids and force the client to do subsequent lsa_lookup_sid() on the domain sid and the builtin sid ! rpc_server/srv_util.c: wrote a new version of get_domain_user_groups(). Only the samr code uses it atm. It uses the group mapping code instead of a bloody hard coded crap. The netlogon code will use it too, but I have to do some test first. J.F. (This used to be commit 6c87e96149101995b7d049657d5c26eefef37d8c)
2001-12-03added a tdb to store the account policy informations.Jean-François Micouleau1-0/+3
You can change them with either usermanager->policies->account or from a command prompt on NT/W2K: net accounts /domain we can add a rpc accounts to the net command. As the net_rpc.c is still empty, I did not start. How should I add command to it ? Should I take the rpcclient/cmd_xxx functions and call them from there ? alse changed the SAM_UNK_INFO_3 parser, it's an NTTIME. This one is more for jeremy ;-) J.F. (This used to be commit bc28a8eebd9245ce3004ae4b1a359db51f77bf21)
2001-12-03init group db before useAndrew Tridgell1-0/+12
this fixes the smbpasswd segvs (This used to be commit d2bcdfd995b9562872d865e723b23ed84247a73f)
2001-12-01groups in the Builtin domain S-5-32 are alias and not well-known groupsJean-François Micouleau1-11/+15
J.F. (This used to be commit 192978e3fc96bc60fc3ceaad8f024bc91bf69da7)
2001-11-30Missing return in free_privilege()Tim Potter1-0/+2
(This used to be commit b35d90cd89849f0a01e8c79f0962ec9388673ad1)
2001-11-29Changed again how the privilege list is handled in the group mapping code.Jean-François Micouleau1-104/+307
This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
2001-11-24added "net join" commandAndrew Tridgell1-2/+2
this completes the first stage of the smbd ADS support (This used to be commit 058a5aee901e6609969ef7e1d482a720a84a4a12)
2001-11-24added lsaenumprivsaccount and lsalookupprivvalue to rpcclientJean-François Micouleau1-0/+10
and more to come ... J.F. (This used to be commit 1748d5a2af1f2dcf718d6f162ed483b001542494)
2001-11-23Changed how the privileges are stored in the group mapping code. It's nowJean-François Micouleau1-52/+163
an array of uint32. That's not perfect but that's better. Added more privileges too. Changed the local_lookup_rid/name functions in passdb.c to check if the group is mapped. Makes the LSA rpc calls return correct groups Corrected the return code in the LSA server code enum_sids. Only enumerate well known aliases if they are mapped to real unix groups. Won't confuse user seeing groups not available. Added a short/long view to smbgroupedit. now decoding rpc calls to add/remove privileges to sid. J.F. (This used to be commit f29774e58973f421bfa163c45bfae201a140f28c)
2001-10-02Removed 'extern int DEBUGLEVEL' as it is now in the smb.h header.Tim Potter5-7/+0
(This used to be commit 2d0922b0eabfdc0aaf1d0797482fef47ed7fde8e)
2001-09-17move to SAFE_FREE()Simo Sorce1-3/+3
(This used to be commit e61aec84edaf55b9ee087b076d2f1311033dc839)
2001-09-17fixed compilation of groupdbAndrew Tridgell1-3/+3
(This used to be commit 23e2561a1c303942cfceae8929e0806db91b4aa4)
2001-09-17move to SAFE_FREE()Simo Sorce5-22/+15
(This used to be commit 89833bbbd8508dcdca70dff2c94e1d8f22535f1f)
2001-09-06got rid of USE_TDB_MMAP_FLAG as its not needed any moreAndrew Tridgell1-1/+1
(This used to be commit c26e0d3f27a05ecc8bd2390f9aab7f9451524e47)
2001-08-19Realloc fix.Jeremy Allison1-6/+5
Jeremy. (This used to be commit 82153dde951ff7af3655f466cb2ea42c3195bdff)
2001-08-19Realloc fixes.Jeremy Allison1-13/+8
Jeremy. (This used to be commit 6b90263292d03b1ae2d5d18952e78fc26066f30d)
2001-08-19Realloc fixes.Jeremy Allison1-6/+5
Jeremy. (This used to be commit e4ef9e332fff99eb66101a3737a7efc3b7493cc5)
2001-08-19Realloc fixes.Jeremy Allison1-2/+3
Jeremy. (This used to be commit 560ae7615eb8eca2c872b1196ce0b9534bf8ad76)
2001-08-12this is a big global fix for the ptr = Realloc(ptr, size) bug.Simo Sorce5-13/+42
many possible mem leaks, and segfaults fixed. someone should port this fix to 2.2 also. (This used to be commit fa8e55b8b465114ce209344965c1ca0333b84db9)
2001-07-30Added "use mmap" for HPUX.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 840802f10677cb0009cb4df4c37c7d01aa5edacd)
2001-07-09when retrieving by sid fill also the map.sid fieldJean-François Micouleau1-5/+6
(This used to be commit f47797fa9595fb19d9e29ef43c5d0135268db455)
2001-06-04use LDSHFLAGS not -shared in several placesAndrew Tridgell1-1/+1
(This used to be commit 8ec9c87b5d1a7dae17d5b1a30f58effaf5e69e4b)
2001-05-17groupdb/mapping.c: Fix gcc compiler warning.Jeremy Allison1-1/+1
smbd/connection.c: Sync up with code in 2.2 Jeremy. (This used to be commit 87025c223dd33f2e02060c2a5cd45502946c87c6)
2001-05-08fixes to the group mapping code.Jean-François Micouleau1-0/+1
Not ready yet. J.F. (This used to be commit 62a7a567fdea230b77cc97a3f74d868542c34700)
2001-05-04Big cleanup of passdb and backends.Jean-François Micouleau1-11/+26
I did some basic tests but I have probably broken something. Notably the password changing. So don't cry ;-) J.F. (This used to be commit a4a4c02b12f030a3b9e6225b999c90689dfc4719)
2001-04-13Merge of Andrew's changes in 2.2.Jeremy Allison1-4/+4
Jeremy. (This used to be commit fc76681812b1469208ad6c8847afdfc68bc6db49)
2001-03-23groupdb/mapping.c:Jeremy Allison1-1/+1
include/proto.h: Fix missing (void) in proto. rpc_server/srv_samr_nt.c: Fix user private group problem by filtering out groups that clash with users. smbd/posix_acls.c: Ensure default ACE's are sensible. utils/pdbedit.c: Fix from Simo Sorce. Jeremy. (This used to be commit 29414fe0d6665642d9b5f88a35e712426376c47f)
2001-03-23first pass of the new group mapping codeJean-François Micouleau1-0/+754
J.F. (This used to be commit 7154deb026d53cb0cd503562174c3332a372be63)
2000-04-25moved trans2.h and nterr.h into includes.h with all our other includesAndrew Tridgell2-2/+0
(This used to be commit d7cd7c88fdabb01d9e40ae8a657737907a21ac37)
1999-12-132nd phase of head branch sync with SAMBA_2_0 - this delets all the files ↵Andrew Tridgell7-2762/+0
that were in the head branch but weren't in SAMBA_2_0 (This used to be commit d7b208786590b5a28618590172b8d523627dda09)
1999-12-13first pass at updating head branch to be to be the same as the SAMBA_2_0 branchAndrew Tridgell4-351/+160
(This used to be commit 453a822a76780063dff23526c35408866d0c0154)
1999-08-05reverted lookup change. from ignacio.Luke Leighton1-1/+1
(This used to be commit 5b8961a9d4ef6c8188062aaca7f42151ff9684ae)
1999-07-13renamed getfilepwent() and endfilepwent() to getfileent() and endfileent()Luke Leighton2-4/+4
as they are generic "file line-by-line" reading routines. lines with "#" at the front are ignored (as comments). this code started out as the password file reading code. (This used to be commit ef6df590fdf65a6d94b343998bac3a4d48ae07e0)
1999-07-08Ignacio Coupeau <icoupeau@unav.es> suggested modification to ldap search.Luke Leighton1-1/+1
(This used to be commit 7d6337641703884a5c6914ca6e292d67ea0c803b)
1999-03-09Greg Dickie spotted some wierd memory corruption problem with groupLuke Leighton3-21/+21
database enumeration. (This used to be commit b0381bb262f51fca916fb951fc0c7e54a58e2dd3)
1999-02-19last unix group not being listed. spotted by jacques sansdrap.Luke Leighton3-3/+3
(This used to be commit 2d5fc5c7cf2086c396c853c13a3409bfac77d05c)
1999-02-03cache unix groups so that two-level getgrent calls don't occur.Luke Leighton3-23/+146
(This used to be commit f7dfa55a2e191ae780d399026bce48f68cda4bf0)
1999-01-15Finally committing my LDAP changes.Matthew Chapman3-49/+385
* Added new APIs for modifying groups. * RIDs are allocated similarly to NT, starting from 1000 and incrementing by 1 for each new user/group. * RIDs are now consistently in hex * Fixed bugs reported by Allan Bjorklund <allan@umich.edu>: - ldap_close_connection is exported by OpenLDAP - changed to ldap_disconnect - Missing ldap_connect() in getusergroups functions - ldap_next_entry was being called too early while retrieving a sam_struct - LDAP globals should be extern in sampassldap.c * Fixed bugs reported by Martin Hofbauer <mh@bacher.at> - Newly added workstation trust accounts had attributes DU rather than W. - User dn's were forced to start with "uid=XX" rather than using the existing dn. (This used to be commit 91c77f5432169553572bb4d85ad5f09d17524f20)
1998-12-07added ldap files by Matthew Chapman.Luke Leighton3-0/+951
(This used to be commit 2bc031e8fafeafdc58c6a8056597b647d00657ae)
1998-12-07- lib/unix_sec_ctxt.cLuke Leighton8-31/+189
attempt at taking lib/uid.c and getting a unix security context change module that is independent of "cnums" and "snums". a security context is needed for pipes, not just IPC$ or other services. - group database API added add_group/alias_member, del_group/alias_member, del_group/alias_entry functions. del_builtin_entry() is deliberately set to NULL to cause an exception, you cannot delete builtin aliases. - parse_lsa.c srv_lsa.c fixed lookup_names code, it was a load of trash and didn't do anything. - cmd_samr.c rpcclient.c srv_samr.c added "deletegroup", "deletealias", "delaliasmem", "delgroupmem", "addgroupmem", "addaliasmem", "createalias", "creategroup", to both client and server code. server code calls into unix stubs right now, which don't actually do anything. the only instance where they are expected to do anything is in appliance mode NOT even in the ldap code or anything. client code modified to call samr_lookup_names() for group code (because we can) and lsa_lookup_names() for alias code (because we have to). - srv_lookup.c oops, lookup on unsplit name, we got lookup on DOMAIN, DOMAIN\name instead of DOMAIN, name. (This used to be commit b8175702ef61b8b37b078f38e81452c00a5e2986)
1998-12-02added rid and sid_name_use to DOMAIN_GRP_MEMBER, for use in group memberLuke Leighton1-3/+10
query. domain groups now work, hurrah! only thing is that the description is one character long, don't know why (which is wierd in itself). (This used to be commit 78a86c64960a7823b0db8b7bebfffabb4a5ba864)
1998-12-01ok. unix-nt mapping code issuesLuke Leighton3-6/+6
need to check, when looking up group members, that a group member is a unix user [being mapped to an nt user] FIRST then if that fails check that a group member is a unix group [being mapped to an nt group]. why? because you can have group names in a unix /etc/group file with the same name as users. this _might_ be a problem... (This used to be commit 585d47644d3d709ccdfd5135c5f77166b609eb3b)
1998-11-30builtin alias password APILuke Leighton2-0/+727
(This used to be commit 58c0f0a77c396a6021596c84d4a30b1c9a4b1419)
1998-11-29weekend work. user / group database API.Luke Leighton6-201/+190
- split sam_passwd and smb_passwd into separate higher-order function tables - renamed struct smb_passwd's "smb_user" to "unix_user". added "nt_user" plus user_rid, and added a "wrap" function in both sam_passwd and smb_passwd password databases to fill in the blank entries that are not obtained from whatever password database API instance is being used. NOTE: whenever a struct smb_passwd or struct sam_passwd is used, it MUST be initialised with pwdb_sam_init() or pwd_smb_init(), see chgpasswd.c for the only example outside of the password database APIs i could find. - added query_useraliases code to rpcclient. - dealt with some nasty interdependencies involving non-smbd programs and the password database API. this is still not satisfactorily resolved completelely, but it's the best i can do for now. - #ifdef'd out some password database options so that people don't mistakenly set them unless they recompile to _use_ those options. lots of debugging done, it's still not finished. the unix/NT uid/gid and user-rid/group-rid issues are better, but not perfect. the "BUILTIN" domain is still missing: users cannot be added to "BUILTIN" groups yet, as we only have an "alias" db API and a "group" db API but not "builtin-alias" db API... (This used to be commit 5d5d7e4de7d1514ab87b07ede629de8aa00519a1)
1998-11-26we have a problem: resolution of "Primary Group RID" which we assumedLuke Leighton1-0/+1
would only be a domain group rid. it can also be a local group rid, which causes us problems in attempting to turn a unix gid into the correct rid (domain group or local group). sooo.... the fix is _in_ there, we just can't use it because it causes link / knock-on problems in nmbd. (This used to be commit e4ee6538709c33000774eb1676608f2dd67d5a30)
1998-11-25yeehaah got users to be included in S-1-5-xxx-yyy-zzz's local groups.Luke Leighton1-13/+32
now need search capability on S-1-5-20, which will need argh, a "group database API" on S-1-5-20, and the ability to add BUILTIN\Admins etc to "local group map" argh. (This used to be commit a24f6eb00ba7486479cbcf7fadf5456521c56179)
1998-11-25fixing group database issuesLuke Leighton1-1/+6
(This used to be commit 591c63e3e1e3201ddcd7582585b652fb848d80ca)
1998-11-25Makefile.in: Added maintainer mode fixes.Jeremy Allison1-11/+1
aclocal.m4: Added AC_LIBTESTFUNC. configure.in: Fixed -lsecurity -lsec problems. client.c: dos_ fixes. groupdb/aliasunix.c: Dead code removal. include/includes.h: Added default PRINTCAP_NAME. lib/genrand.c: dos_ fixes. lib/replace.c: Added strtoul. lib/system.c: dos_ fixes. lib/util.c: dos_ fixes. lib/util_sid.c: Signed/unsigned fixes. lib/util_str.c: removed bad const. locking/locking_slow.c: dos_ fixes. printing/printing.c: dos_ fixes. rpc_server/srv_samr.c: Dead code removal. rpc_server/srv_sid.c: global_myworkgroup defined with wrong size AGAIN ! smbd/dir.c: dos_ fixes. smbd/open.c: dos_ fixes. smbd/oplock.c: dos_ fixes. smbd/reply.c smbd/server.c smbd/service.c smbd/uid.c: dos_ fixes. Jeremy. (This used to be commit 6acb4b68f68d516e2ac3c47e500f5600d653435e)
1998-11-24sorting out difference between aliases and groups in the cases whereLuke Leighton2-20/+51
unix groups are not explicitly mapped. i.e as a PDC or BDC you can have domain groups, as a member of a domain you cannot. as a member of a domain, unmapped unix groups are assumed to be aliases, and as a PDC or BDC, unmapped unix groups are assumed to be unix groups. there is _one_ other check needed with aliases to be added: unmapped unix groups that have the same name as an NT group on the PDC (for which i will need to write an LsaLookupNames call) should be assumed to be domain groups on the PDC. (This used to be commit 53b49b44e13a4ca9818ebc947372b1374831b568)