summaryrefslogtreecommitdiff
path: root/source3/include/passdb.h
AgeCommit message (Collapse)AuthorFilesLines
2007-12-26Remove the sampwent interfaceVolker Lendecke1-7/+2
(This used to be commit 9e80b969fb40766de2c9b1a05d16bf4d4c6e46f7)
2007-10-18RIP BOOL. Convert BOOL -> bool. I found a few interestingJeremy Allison1-17/+17
bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
2007-10-10r23784: use the GPLv3 boilerplate as recommended by the FSF and the license textAndrew Tridgell1-2/+1
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
2007-10-10r23779: Change from v2 or later to v3 or later.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
2007-10-10r23341: pdb interfaces should be versioned. As SAMBA_3_0 and SAMBA_3_0_26Jeremy Allison1-0/+1
are now identical, use the same version number (16) for both. Jeremy. (This used to be commit f2ac311ed408e1f17f468945b34289d4c6b915cc)
2007-10-10r22786: Some cleanup by Karolin Seeger: Remove unused pdb_find_alias, and changeVolker Lendecke1-3/+0
return values of some alias-releated pdb functions from BOOL to NTSTATUS Thanks :-) (This used to be commit 590d2164b3a33250410338771e160f6ebd1aa89d)
2007-10-10r21188: bumping passdb version number to make sure this is different than ↵Gerald Carter1-2/+1
the 3.0.25 branch (This used to be commit b10f4cdfc0767dbd88f29f42fa5a8d9a9c1959a2)
2007-10-10r20827: Increment the interface version.Volker Lendecke1-1/+2
Wilco: Existing modules should continue to work, they just must be recompiled. Volker (This used to be commit f5babdce9b79ba6abed5d6f57daecc0ed1e14e15)
2007-10-10r20824: Send access to the trusted domain passwords through the pdb backend, ↵Volker Lendecke1-0/+13
so that in the next step we can store them in LDAP to be replicated across DCs. Thanks to Michael Adam <ma@sernet.de> Volker (This used to be commit 3c879745cfc39be6128b63a88ecdbfa3d9ce6c2d)
2007-10-10r20116: Start merging in the work done to create the new idmap subsystem.Simo Sorce1-0/+2
Simo. (This used to be commit 50cd8bffeeed2cac755f75fc3d76fe41c451976b)
2007-10-10r18271: Big change:Gerald Carter1-5/+5
* autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2007-10-10r17554: CleanupVolker Lendecke1-3/+5
(This used to be commit 761cbd52f0cff6b864c506ec03c94039b6101ef9)
2007-10-10r17463: A bit of cleanup work:Volker Lendecke1-3/+0
Remove some unused code: pdb_find_alias is not used anymore, and nobody I think has ever used the pdb_nop operations for group mapping. smbpasswd and tdb use the default ones and ldap has its own. Make the functions pdb_getgr* return NTSTATUS instead of BOOL. Nobody right now really makes use of it, but it feels wrong to throw away information so early. Volker (This used to be commit f9856f6490fe44fdba97ea86062237d8c74d4bdc)
2007-10-10r17451: Change pdb_getgrsid not to take a DOM_SID but a const DOM_SID * as anVolker Lendecke1-2/+3
argument. Volker (This used to be commit 873a5a1211d185fd50e7167d88cbc869f70dfd3f)
2007-10-10r16945: Sync trunk -> 3.0 for 3.0.24 code. Still needJeremy Allison1-4/+4
to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2007-10-10r16628: Fix bug #3880, reported by jason@ncac.gwu.eduJeremy Allison1-3/+5
by ensuring we return the correct enum for sid type, not a uint32. Jeremy. (This used to be commit 98a5e20ff4ceacda65dcc0ce5498ed4ffde520f8)
2007-10-10r14403: * modifies create_local_nt_token() to create a BUILTIN\AdministratorsGerald Carter1-2/+2
group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes' * Add a SID domain to the group mapping enumeration passdb call to fix the checks for local and builtin groups. The SID can be NULL if you want the old semantics for internal maintenance. I only updated the tdb group mapping code. * remove any group mapping from the tdb that have a gid of -1 for better consistency with pdb_ldap.c. The fixes the problem with calling add_group_map() in the tdb code for unmapped groups which might have had a record present. * Ensure that we distinguish between groups in the BUILTIN and local machine domains via getgrnam() Other wise BUILTIN\Administrators & SERVER\Administrators would resolve to the same gid. * Doesn't strip the global_sam_name() from groups in the local machine's domain (this is required to work with 'winbind default domain' code) Still todo. * Fix fallback Administrators membership for root and domain Admins if nested groups = no or winbindd is not running * issues with "su - user -c 'groups'" command * There are a few outstanding issues with BUILTIN\Users that Windows apparently tends to assume. I worked around this presently with a manual group mapping but I do not think this is a good solution. So I'll probably add some similar as I did for Administrators. (This used to be commit 612979476aef62e8e8eef632fa6be7d30282bb83)
2007-10-10r13711: * Correctly handle acb_info/acct_flags as uint32 not as uint16.Günther Deschner1-5/+5
* Fix a couple of related parsing issues. * in the info3 reply in a samlogon, return the ACB-flags (instead of returning zero) Guenther (This used to be commit 5b89e8bc24f0fdc8b52d5c9e849aba723df34ea7)
2007-10-10r13679: Commiting the rm_primary_group.patch posted on samba-technicalGerald Carter1-2/+3
* ignore the primary group SID attribute from struct samu* * generate the primary group SID strictlky from the Unix primary group when dealing with passdb users * Fix memory leak in original patch caused by failing to free a talloc * * add wrapper around samu_set_unix() to prevent exposing the create BOOL to callers. Wrappers are samu_set_unix() and samu-allic_rid_unix() (This used to be commit bcf269e2ec6630b78d909010fabd3b69dd6dda84)
2007-10-10r13601: * Remove unused code from pdb_ldap.cGerald Carter1-1/+3
* Add a 'struct passwd *' to the struct samu for later reference (I know this may be controversial but its easily reverted which is is why I'm checking this is as a seaparate patch before I get too deep). * Remove unix_homedir from struct samu {} and update the pdb wrapper functions associated with it. (This used to be commit 92c251fdf0f1f566cfeca3c75ba2284b644aef5d)
2007-10-10r13576: This is the beginnings of moving the SAM_ACCOUNT data structureGerald Carter1-68/+60
to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2007-10-10r13509: remove unnecessary sql flagsGerald Carter1-2/+0
(This used to be commit c3702e804a74276ee53eb73f2d9b1fa9d3874b48)
2007-10-10r13494: Merge the stuff I've done in head the last days.Volker Lendecke1-0/+26
Volker (This used to be commit bb40e544de68f01a6e774753f508e69373b39899)
2007-10-10r13460: by popular demand....Gerald Carter1-155/+5
* remove pdb_context data structure * set default group for DOMAIN_RID_GUEST user as RID 513 (just like Windows) * Allow RID 513 to resolve to always resolve to a name * Remove auto mapping of guest account primary group given the previous 2 changes (This used to be commit 7a2da5f0cc05c1920c664c9a690a23bdf854e285)
2007-10-10r13316: Let the carnage begin....Gerald Carter1-5/+25
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r12055: More cruftVolker Lendecke1-23/+0
(This used to be commit 4d91f9501cd041ee42410eeace6a9acd9cc57d1c)
2007-10-10r12051: Merge across the lookup_name and lookup_sid work. Lets see how the ↵Volker Lendecke1-0/+14
build farm reacts :-) Volker (This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7)
2007-10-10r11924: Added Volkers's (C) to srv_samr_nt.c, removed separate "builtin"Jeremy Allison1-1/+4
search enumeration, fixed count of groups and users to return zero if we're getting domain info on the builtin domain (need to fix the enumgroup and enumuser calls also). Added count_sam_aliases to return the correct alias count. Need to push the SID arg down into the group mapping interface so we only return the correct aliases. Upped passdb version numer for Volkers changes. SAM-MYSQL guys - you will need to fix your backend now. More tests needed. Jeremy. (This used to be commit b53d5cd565b05b0595979efba6176d0cafc8cb03)
2007-10-10r11922: Looks bigger than it is: There's no point in allocating arrays inVolker Lendecke1-6/+4
samr_lookup_rids twice. It was done in the srv_samr_nt.c code as well as in the pdb module. Remove the latter, this might happen more often. Volker (This used to be commit 57f0cf8cdd6928f4759036e5dd53d41736aa910d)
2007-10-10r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4Jeremy Allison1-31/+29
x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2007-10-10r10911: part of #2861: add rename support for usrmgr.exe when using tdbsamJim McDonough1-1/+5
This gets it working before replacing tdb with the samba4 version. (This used to be commit 8210b0503a050e12ee1b4335fa6e50d10ad06577)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter1-1/+19
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r7882: Looks like a large patch - but what it actually does is make SambaJeremy Allison1-3/+3
safe for using our headers and linking with C++ modules. Stops us from using C++ reserved keywords in our code. Jeremy (This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a)
2007-10-10r6367: Slim down pdb_interface.c a bit. next_entry and search_end are functionVolker Lendecke1-10/+3
pointers now. Yes, Jeremy, this is about re-inventing C++... :-) Volker (This used to be commit a831e54738c7854e68c696e9cbb132c012ff223c)
2007-10-10r6351: This is quite a large and intrusive patch, but there are not many ↵Volker Lendecke1-34/+52
pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2007-10-10r6277: This implements a new caching API for enumerating the pdb elements. It isVolker Lendecke1-0/+23
modeled after query_displayinfo and should hide the differences between users, groups and aliases while allowing a cache analog load_sampw_entries: struct pdb_search *pdb_search_users(uint16 acct_flags); struct pdb_search *pdb_search_groups(void); struct pdb_search *pdb_search_aliases(const DOM_SID *sid); uint32 pdb_search_entries(struct pdb_search *search, uint32 start_idx, uint32 max_entries, struct samr_displayentry **result); void pdb_search_destroy(struct pdb_search *search); Why this API? Eventually we will need to apply the work gd has started on enumerating users with paged ldap searches to groups and aliases. Before doing that I want to clean up the search routines we have. The sample application (more to follow) is 'net maxrid'. Volker (This used to be commit 8b4f67a1e9d459145cde10b1064781d58d62b805)
2007-10-10r6092: This much const causes the compiler on Fedora Core 2Jeremy Allison1-2/+2
to throw up. Jeremy. (This used to be commit 051f0ed8075a3616484888ab22d68ca11aa1dd36)
2007-10-10r6080: Port some of the non-critical changes from HEAD to 3_0. The main one ↵Volker Lendecke1-5/+10
is the change in pdb_enum_alias_memberships to match samr.idl a bit closer. Volker (This used to be commit 3a6786516957d9f67af6d53a3167c88aa272972f)
2007-10-10r5965: Apply Volker's patch for "ldapsam trusted = yes" for ↵Jim McDonough1-0/+15
samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2007-10-10r5655: Added support for Novell NDS universal password. Code donated byJeremy Allison1-1/+5
Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2007-10-10r5467: Optimize _samr_query_groupmem with LDAP backend for large domains.Volker Lendecke1-0/+12
Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2007-10-10r5349: After talking with Jerry, reverted the addition of account policies toGünther Deschner1-12/+0
passdb in 3_0 (they are still in trunk). Guenther (This used to be commit fdf9bdbbac1d8d4f3b3e1fc7e49c1e659b9301b1)
2007-10-10r4932: Forgot to increase version with the account-policy-commit.Günther Deschner1-1/+1
Guenther (This used to be commit 42e380303ddce890f313c221a766dc1e1ee972fb)
2007-10-10r4925: Migrate Account Policies to passdb (esp. replicating ldapsam).Günther Deschner1-0/+12
Does automated migration from account_policy.tdb v1 and v2 and offers a pdbedit-Migration interface. Jerry, please feel free to revert that if you have other plans. Guenther (This used to be commit 75af83dfcd8ef365b4b1180453060ae5176389f5)
2007-10-10r4847: Hand over a acb_mask to pdb_setsampwent in load_sampwd_entries().Günther Deschner1-3/+3
This allows the ldap-backend to search much more effeciently. Machines will be searched in the ldap_machine_suffix and users in the ldap_users_suffix. (Note that we already use the ldap_group_suffix in ldapsam_setsamgrent for quite some time). Using the specific ldap-bases becomes notably important in large domains: On my testmachine "net rpc trustdom list" has to search through 40k accounts just to list 3 interdomain-trust-accounts, similiar effects show up the non-user query_dispinfo-calls, etc. Also renamed all_machines to only_machines in load_sampwd_entries() since that reflects better what is really meant. Guenther (This used to be commit 6394257cc721ca739bda0e320375f04506913533)
2007-10-10r3705: Nobody has commented, so I'll take this as an ack...Volker Lendecke1-0/+12
abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2007-10-10r3566: Completely replace the queryuseraliases call. The previous ↵Volker Lendecke1-3/+5
implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2007-10-10r1388: Adding password history code for ldap backend, based on a patch fromJeremy Allison1-3/+5
"Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2007-10-10r116: volker's patch for local group and group nestingGerald Carter1-1/+80
(This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-03-18Password lockout for LDAP backend. Caches autolock flag, bad count, andJim McDonough1-0/+9
bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)