summaryrefslogtreecommitdiff
path: root/source3/include/passdb.h
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r18271: Big change:Gerald Carter1-5/+5
* autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2007-10-10r17554: CleanupVolker Lendecke1-3/+5
(This used to be commit 761cbd52f0cff6b864c506ec03c94039b6101ef9)
2007-10-10r17463: A bit of cleanup work:Volker Lendecke1-3/+0
Remove some unused code: pdb_find_alias is not used anymore, and nobody I think has ever used the pdb_nop operations for group mapping. smbpasswd and tdb use the default ones and ldap has its own. Make the functions pdb_getgr* return NTSTATUS instead of BOOL. Nobody right now really makes use of it, but it feels wrong to throw away information so early. Volker (This used to be commit f9856f6490fe44fdba97ea86062237d8c74d4bdc)
2007-10-10r17451: Change pdb_getgrsid not to take a DOM_SID but a const DOM_SID * as anVolker Lendecke1-2/+3
argument. Volker (This used to be commit 873a5a1211d185fd50e7167d88cbc869f70dfd3f)
2007-10-10r16945: Sync trunk -> 3.0 for 3.0.24 code. Still needJeremy Allison1-4/+4
to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2007-10-10r16628: Fix bug #3880, reported by jason@ncac.gwu.eduJeremy Allison1-3/+5
by ensuring we return the correct enum for sid type, not a uint32. Jeremy. (This used to be commit 98a5e20ff4ceacda65dcc0ce5498ed4ffde520f8)
2007-10-10r14403: * modifies create_local_nt_token() to create a BUILTIN\AdministratorsGerald Carter1-2/+2
group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes' * Add a SID domain to the group mapping enumeration passdb call to fix the checks for local and builtin groups. The SID can be NULL if you want the old semantics for internal maintenance. I only updated the tdb group mapping code. * remove any group mapping from the tdb that have a gid of -1 for better consistency with pdb_ldap.c. The fixes the problem with calling add_group_map() in the tdb code for unmapped groups which might have had a record present. * Ensure that we distinguish between groups in the BUILTIN and local machine domains via getgrnam() Other wise BUILTIN\Administrators & SERVER\Administrators would resolve to the same gid. * Doesn't strip the global_sam_name() from groups in the local machine's domain (this is required to work with 'winbind default domain' code) Still todo. * Fix fallback Administrators membership for root and domain Admins if nested groups = no or winbindd is not running * issues with "su - user -c 'groups'" command * There are a few outstanding issues with BUILTIN\Users that Windows apparently tends to assume. I worked around this presently with a manual group mapping but I do not think this is a good solution. So I'll probably add some similar as I did for Administrators. (This used to be commit 612979476aef62e8e8eef632fa6be7d30282bb83)
2007-10-10r13711: * Correctly handle acb_info/acct_flags as uint32 not as uint16.Günther Deschner1-5/+5
* Fix a couple of related parsing issues. * in the info3 reply in a samlogon, return the ACB-flags (instead of returning zero) Guenther (This used to be commit 5b89e8bc24f0fdc8b52d5c9e849aba723df34ea7)
2007-10-10r13679: Commiting the rm_primary_group.patch posted on samba-technicalGerald Carter1-2/+3
* ignore the primary group SID attribute from struct samu* * generate the primary group SID strictlky from the Unix primary group when dealing with passdb users * Fix memory leak in original patch caused by failing to free a talloc * * add wrapper around samu_set_unix() to prevent exposing the create BOOL to callers. Wrappers are samu_set_unix() and samu-allic_rid_unix() (This used to be commit bcf269e2ec6630b78d909010fabd3b69dd6dda84)
2007-10-10r13601: * Remove unused code from pdb_ldap.cGerald Carter1-1/+3
* Add a 'struct passwd *' to the struct samu for later reference (I know this may be controversial but its easily reverted which is is why I'm checking this is as a seaparate patch before I get too deep). * Remove unix_homedir from struct samu {} and update the pdb wrapper functions associated with it. (This used to be commit 92c251fdf0f1f566cfeca3c75ba2284b644aef5d)
2007-10-10r13576: This is the beginnings of moving the SAM_ACCOUNT data structureGerald Carter1-68/+60
to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2007-10-10r13509: remove unnecessary sql flagsGerald Carter1-2/+0
(This used to be commit c3702e804a74276ee53eb73f2d9b1fa9d3874b48)
2007-10-10r13494: Merge the stuff I've done in head the last days.Volker Lendecke1-0/+26
Volker (This used to be commit bb40e544de68f01a6e774753f508e69373b39899)
2007-10-10r13460: by popular demand....Gerald Carter1-155/+5
* remove pdb_context data structure * set default group for DOMAIN_RID_GUEST user as RID 513 (just like Windows) * Allow RID 513 to resolve to always resolve to a name * Remove auto mapping of guest account primary group given the previous 2 changes (This used to be commit 7a2da5f0cc05c1920c664c9a690a23bdf854e285)
2007-10-10r13316: Let the carnage begin....Gerald Carter1-5/+25
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r12055: More cruftVolker Lendecke1-23/+0
(This used to be commit 4d91f9501cd041ee42410eeace6a9acd9cc57d1c)
2007-10-10r12051: Merge across the lookup_name and lookup_sid work. Lets see how the ↵Volker Lendecke1-0/+14
build farm reacts :-) Volker (This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7)
2007-10-10r11924: Added Volkers's (C) to srv_samr_nt.c, removed separate "builtin"Jeremy Allison1-1/+4
search enumeration, fixed count of groups and users to return zero if we're getting domain info on the builtin domain (need to fix the enumgroup and enumuser calls also). Added count_sam_aliases to return the correct alias count. Need to push the SID arg down into the group mapping interface so we only return the correct aliases. Upped passdb version numer for Volkers changes. SAM-MYSQL guys - you will need to fix your backend now. More tests needed. Jeremy. (This used to be commit b53d5cd565b05b0595979efba6176d0cafc8cb03)
2007-10-10r11922: Looks bigger than it is: There's no point in allocating arrays inVolker Lendecke1-6/+4
samr_lookup_rids twice. It was done in the srv_samr_nt.c code as well as in the pdb module. Remove the latter, this might happen more often. Volker (This used to be commit 57f0cf8cdd6928f4759036e5dd53d41736aa910d)
2007-10-10r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4Jeremy Allison1-31/+29
x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2007-10-10r10911: part of #2861: add rename support for usrmgr.exe when using tdbsamJim McDonough1-1/+5
This gets it working before replacing tdb with the samba4 version. (This used to be commit 8210b0503a050e12ee1b4335fa6e50d10ad06577)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter1-1/+19
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r7882: Looks like a large patch - but what it actually does is make SambaJeremy Allison1-3/+3
safe for using our headers and linking with C++ modules. Stops us from using C++ reserved keywords in our code. Jeremy (This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a)
2007-10-10r6367: Slim down pdb_interface.c a bit. next_entry and search_end are functionVolker Lendecke1-10/+3
pointers now. Yes, Jeremy, this is about re-inventing C++... :-) Volker (This used to be commit a831e54738c7854e68c696e9cbb132c012ff223c)
2007-10-10r6351: This is quite a large and intrusive patch, but there are not many ↵Volker Lendecke1-34/+52
pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2007-10-10r6277: This implements a new caching API for enumerating the pdb elements. It isVolker Lendecke1-0/+23
modeled after query_displayinfo and should hide the differences between users, groups and aliases while allowing a cache analog load_sampw_entries: struct pdb_search *pdb_search_users(uint16 acct_flags); struct pdb_search *pdb_search_groups(void); struct pdb_search *pdb_search_aliases(const DOM_SID *sid); uint32 pdb_search_entries(struct pdb_search *search, uint32 start_idx, uint32 max_entries, struct samr_displayentry **result); void pdb_search_destroy(struct pdb_search *search); Why this API? Eventually we will need to apply the work gd has started on enumerating users with paged ldap searches to groups and aliases. Before doing that I want to clean up the search routines we have. The sample application (more to follow) is 'net maxrid'. Volker (This used to be commit 8b4f67a1e9d459145cde10b1064781d58d62b805)
2007-10-10r6092: This much const causes the compiler on Fedora Core 2Jeremy Allison1-2/+2
to throw up. Jeremy. (This used to be commit 051f0ed8075a3616484888ab22d68ca11aa1dd36)
2007-10-10r6080: Port some of the non-critical changes from HEAD to 3_0. The main one ↵Volker Lendecke1-5/+10
is the change in pdb_enum_alias_memberships to match samr.idl a bit closer. Volker (This used to be commit 3a6786516957d9f67af6d53a3167c88aa272972f)
2007-10-10r5965: Apply Volker's patch for "ldapsam trusted = yes" for ↵Jim McDonough1-0/+15
samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2007-10-10r5655: Added support for Novell NDS universal password. Code donated byJeremy Allison1-1/+5
Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2007-10-10r5467: Optimize _samr_query_groupmem with LDAP backend for large domains.Volker Lendecke1-0/+12
Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2007-10-10r5349: After talking with Jerry, reverted the addition of account policies toGünther Deschner1-12/+0
passdb in 3_0 (they are still in trunk). Guenther (This used to be commit fdf9bdbbac1d8d4f3b3e1fc7e49c1e659b9301b1)
2007-10-10r4932: Forgot to increase version with the account-policy-commit.Günther Deschner1-1/+1
Guenther (This used to be commit 42e380303ddce890f313c221a766dc1e1ee972fb)
2007-10-10r4925: Migrate Account Policies to passdb (esp. replicating ldapsam).Günther Deschner1-0/+12
Does automated migration from account_policy.tdb v1 and v2 and offers a pdbedit-Migration interface. Jerry, please feel free to revert that if you have other plans. Guenther (This used to be commit 75af83dfcd8ef365b4b1180453060ae5176389f5)
2007-10-10r4847: Hand over a acb_mask to pdb_setsampwent in load_sampwd_entries().Günther Deschner1-3/+3
This allows the ldap-backend to search much more effeciently. Machines will be searched in the ldap_machine_suffix and users in the ldap_users_suffix. (Note that we already use the ldap_group_suffix in ldapsam_setsamgrent for quite some time). Using the specific ldap-bases becomes notably important in large domains: On my testmachine "net rpc trustdom list" has to search through 40k accounts just to list 3 interdomain-trust-accounts, similiar effects show up the non-user query_dispinfo-calls, etc. Also renamed all_machines to only_machines in load_sampwd_entries() since that reflects better what is really meant. Guenther (This used to be commit 6394257cc721ca739bda0e320375f04506913533)
2007-10-10r3705: Nobody has commented, so I'll take this as an ack...Volker Lendecke1-0/+12
abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2007-10-10r3566: Completely replace the queryuseraliases call. The previous ↵Volker Lendecke1-3/+5
implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2007-10-10r1388: Adding password history code for ldap backend, based on a patch fromJeremy Allison1-3/+5
"Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2007-10-10r116: volker's patch for local group and group nestingGerald Carter1-1/+80
(This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-03-18Password lockout for LDAP backend. Caches autolock flag, bad count, andJim McDonough1-0/+9
bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-02fix typo for callback bitJim McDonough1-1/+1
(This used to be commit 31a15164ffb3f551a5f7006e637036dc3b59bd22)
2004-02-19Add bad password time fieldsJim McDonough1-0/+2
(This used to be commit 59e7c3ababd0bb8bc91cbc421b7a842cca38101f)
2004-02-12More sync between passdb on 3.0 and HEAD.Jim McDonough1-2/+38
Replace unknown_3 with fields_present. Also causes rpc_samr structure field changes. (This used to be commit 1976843345efb6ca4f9cebd964a61acd8ae11d41)
2004-01-04- Put functions for generating SQL queries in pdb_sql.cJelmer Vernooij1-0/+2
- Add pgSQL backend (based on patch by Hamish Friedlander) - Use query generate functions from pdb_mysql and pdb_pgsql - Only pdb_pgsql.c needs to be changed whenever the fields in SAM_ACCOUNT change (This used to be commit 65ad2c02fd2bf36d535c279ad290ab81e39f6816)
2003-11-20Typo fix.Rafal Szczesniak1-2/+2
(This used to be commit 5054a1731e3bf3bec0687304af63fed475d5f864)
2003-09-18The "unknown_5" 32 bit field in the user structs is actually 2 16-bitJeremy Allison1-2/+6
fields, bad_password_count and logon_count. Ensure this is stored/fetched in the various SAMs. As it replaces the unknown_5 field this fits exactly into the tdb SAM without any binary problems. It also is added to the LDAP SAM as two extra attributes. It breaks compatibility with the experimental SAMs xml and mysql. The maintainers of these SAMs must fix them so upgrades like this can be done transparently. I will insist on the "experimental" status until this is solved. Jeremy. (This used to be commit cd7bd8c2daff3293d48f3376a7c5a708a140fd94)
2003-07-05Add some debug statments to our vampire code - try to make it easier to trackAndrew Bartlett1-0/+2
down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05Fixes to our LDAP/vampire codepaths:Andrew Bartlett1-0/+3
- Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-06-18Ok, this patch removes the privilege stuff we had in, unused, for some time.Simo Sorce1-14/+8
The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-05-12And finally IDMAP in 3_0Simo Sorce1-2/+147
We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)