Age | Commit message (Collapse) | Author | Files | Lines |
|
* move rid allocation into IDMAP. See comments in _api_samr_create_user()
* add winbind delete user/group functions
I'm checking this in to sync up with everyone. But I'm going to split
the add a separate winbindd_allocate_rid() function for systems
that have an 'add user script' but need idmap to give them a RID.
Life would be so much simplier without 'enable rid algorithm'.
The current RID allocation is horrible due to this one fact.
Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow.
Nothing has changed in the way a samba domain is represented, stored,
or search in the directory so things should be ok with previous installations.
going to bed now.
(This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
|
|
to winbindd. See README.idmap-and-winbind-changes for details.
(This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6)
|
|
purpose. Replace with an array of SAM_ACCOUNT/DOMAIN_GRP entries.
ZERO struct's in smbd/uid.c stops core dumps when sid_to_XX
functions fail. Getting ready to add caching.
Jeremy.
(This used to be commit 9d0692a54fe2cb087f25796ec2ab5e1d8433e388)
|
|
* remove idmap_XX_to_XX calls from smbd. Move back to the
the winbind_XXX and local_XXX calls used in 2.2
* all uid/gid allocation must involve winbindd now
* move flags field around in winbindd_request struct
* add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id()
to prevent automatic allocation for unknown SIDs
* add 'winbind trusted domains only' parameter to force a domain member
server to use matching users names from /etc/passwd for its domain
(needed for domain member of a Samba domain)
* rename 'idmap only' to 'enable rid algorithm' for better clarity
(defaults to "yes")
code has been tested on
* domain member of native mode 2k domain
* ads domain member of native mode 2k domain
* domain member of NT4 domain
* domain member of Samba domain
* Samba PDC running winbindd with trusts
Logons tested using 2k clients and smbclient as domain users
and trusted users. Tested both 'winbind trusted domains only = [yes|no]'
This will be a long week of changes. The next item on the list is
winbindd_passdb.c & machine trust accounts not in /etc/passwd (done
via winbindd_passdb)
(This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
|
|
down failures.
Add a 'auto-add on modify' feature to guestsam
Fix some segfault bugs on no-op idmap modifications, and on new idmappings that
do not have a DN to tack onto.
Make the 'private data' a bit more robust.
Andrew Bartlett
(This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
|
|
- Try better to add the appropriate mapping between UID and SIDs, based
on Get_Pwnam()
- Look for previous users (lookup by SID) and correctly modify the existing
entry in that case
- Map the root user to the Admin SID as a 'well known user'
- Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update'
call on that user. This means that VL's very nice work on atomic LDAP
updates now really gets used properly!
- This also means that we know the right DN to update, without the extra
round-trips to the server.
Andrew Bartlett
(This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
|
|
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
|
|
strupper_m/strlower_m.
I really want people to think about when they're using multibyte strings.
Jeremy.
(This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
|
|
- The 'not implmented' checks are now done by all auth modules
- the ntdomain/trustdomain/winbind modules are more presise as to
what domain names they can and cannot handle
- The become_root() calls are now around the winbind pipe opening only,
not the entire auth call
- The unix username is kept seperate from the NT username, removing the
need for 'clean off the domain\' in parse_net.c
- All sid->uid translations are now validated with getpwuid() to put a very
basic stop to logins with 'half deleted' accounts.
Andrew Bartlett
(This used to be commit 85f88191b9927cc434645ef4c1eaf5ec0e8af2ec)
|
|
beta2 is captured in the release branch
(This used to be commit 4b3a15917dd6935353d8998e918c750a6c090671)
|
|
Jeremy.
(This used to be commit 7ed1118ae61a13de2c781a94fc2394090efd1f9b)
|
|
Jeremy.
(This used to be commit 1714eb6bef627ebcfb6db03e58fdd02ea502c6e1)
|
|
* rename original sam auth method to sam_ignoredomain
* remove samstrict_dc auth method (now covered by 'sam')
* fix wbinfo -a '...' and getent passwd bugs when running
winbindd on a samba PDC (reported by Volker)
(This used to be commit 52166faee793d337e045d64f7cb27ea7ac895f60)
|
|
- changed --enable-developer debug to use -gstabs as it makes the
samba binaries about 10x smaller and is still quite functional for
samba debugging
(This used to be commit 53bfcd478a193d4def8da872e92d7ed8f46aa4b9)
|
|
and ID_CACHE to ID_CACHE_SAVE. Added locking around tdb writes & deletes
for multi-process access.
Jeremy.
(This used to be commit 5b998cdc1d552234236862f6a2bbae703b0c146e)
|
|
(This used to be commit a59ea1d6d32337226f6099eefd19681fb28279c0)
|
|
*) consolidates the dc location routines again (dns
and netbios) get_dc_list() or get_sorted_dc_list()
is the authoritative means of locating DC's again.
(also inludes a flag to get_dc_list() to define
if this should be a DNS only lookup or not)
(however, if you set "name resolve order = hosts wins"
you could still get DNS queries for domain name IFF
ldap_domain2hostlist() fails. The answer? Fix your DNS
setup)
*) enabled DOMAIN<0x1c> lookups to be funneled through
resolve_hosts resulting in a call to ldap_domain2hostlist()
if lp_security() == SEC_ADS
*) enables name cache for winbind ADS backend
*) enable the negative connection cache for winbind
ADS backend
*) removes some old dead code
*) consolidates some duplicate code
*) moves the internal_name_resolve() to use an IP/port pair
to deal with SRV RR dns replies. The namecache code
also supports the IP:port syntax now as well.
*) removes 'ads server' and moves the functionality back
into 'password server' (which can support "hostname:port"
syntax now but works fine with defaults depending on
the value of lp_security())
(This used to be commit d7f7fcda425bef380441509734eca33da943c091)
|
|
The functions are unchanged. Next step is to make idmap_ldap use them.
Andrew Bartlett
(This used to be commit 57617a0f8c84f9ced4df2901811ce5a5a5ae005e)
|
|
and pdb_ldap.
So far, it's just a function rename, so that the next patch can be a very
simple matter of copying functions, without worrying about what changed
in the process.
Also removes the 'static' pointers for the rebind procedures, replacing them
with a linked list of value/key lookups. (Only needed on older LDAP client
libs)
Andrew Bartlett
(This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
|
|
The code was nice, but put in the wrong place (group mapping) and not
supported by most of the code, thus useless.
We will put back most of the code when our infrastructure will be changed
so that privileges actually really make sense to be set.
This is a first patch of a set to enhance all our mapping code cleaness and
stability towards a sane next beta for 3.0 code base
Simo.
(This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
|
|
There are lots of things wrong with this patch, including:
1) it overrides a user chosen configuration option
2) it adds lots of complexity inside a loop when a tiny piece of code
outside the loop would do the same thing
3) it does no error checking, and is sure to crash on some systems
If you want this functionality then try something like this at the end
of charset_name():
#ifdef HAVE_NL_LANGINFO
if (strcasecmp(ret, "LOCALE") == 0) {
const char *ln = nl_langinfo(CODESET);
if (ln) {
DEBUG(5,("Substituting charset '%s' for LOCALE\n", ln));
return ln;
}
}
#endif
then users can set 'display charset = LOCALE' to get the locale based
charset. You could even make that the default for systems that have
nl_langinfo().
(This used to be commit 382b9b806b1ecd227b1ea247e3825d6848090462)
|
|
Samba should preferentially use the locale information from the native system,
and only fall back on 'display charset' if this is unavailable or unsupported.
(This used to be commit 1e445fb4220cdf4700dd9d1850a42746a1065c5a)
|
|
the "don't use bzero" macros.
In general I think it would be better to have a separate script that
checks for deprecated functions like these using grep rather than
using these cpp tricks. They just get us into trouble.
(This used to be commit 2a227c880db0f233fb1f6dae5851450ea6020f3b)
|
|
keep putting bzero BSD'ism's into our source code. Make this an error like
bcopy and others to prevent it in future.
Jeremy.
(This used to be commit 80d043231626192db85f08ccea062b91fcf999cc)
|
|
to NTLMSSP for SASL if krb5 fails. This is important as otherwise the
admin may think that a join has succeeeded when kerberos is actually
broken.
(This used to be commit 23a6ea385c4aea208adf36f039244bee14f56a33)
|
|
and 3.0.0beta1 release
(This used to be commit 2619cc5d44f0162d829f5e18163df1b23b4ef5f5)
|
|
(This used to be commit f33aeaa039d49b4eef884b27dc81d3418a051f1a)
|
|
* remove 'winbind uid' and 'winbind gid' parameters (replaced
by current idmap parameter)
* create the sambaUnixIdPool entries automatically in the 'ldap
idmap suffix'
* add new 'ldap idmap suffix' and 'ldap group suffix' parametrer
* "idmap backend = ldap" now accepts 'ldap:ldap://server/' format
(parameters are passed to idmap init() function
(This used to be commit 1665926281ed2be3c5affca551c9d458d013fc7f)
|
|
Jeremy.
(This used to be commit 99589b8a8f7081ced792e085ef448d9ebee135d3)
|
|
Jeremy.
(This used to be commit b863be794b7db11f91185ef2d669d0f89bbc1fae)
|
|
ensure they are tested.
Jeremy.
(This used to be commit 9ad02a7ba80c4796fecbaf2b4c75992988b002f7)
|
|
(to match win2003 behaviour)
- added the STR_TERMINATE_ASCII flag from samba4 so we can get the
string termination right for the case where it is supposed to be
non-terminated for UCS2 and terminated when ASCII
(This used to be commit 791a4cc7cf84eca77116bca00aeb5f95560f6705)
|
|
Jeremy.
(This used to be commit f42e164e9029c38279e36ee8955b9170b0fead87)
|
|
Jeremy.
(This used to be commit 024de9213e414659296cb518a6753e510c64f614)
|
|
Jeremy.
(This used to be commit 48853140749b74053f1a7857a983397b6e9a0234)
|
|
Includes sambaUnixIdPool objectclass
Still needs cleaning up wrt to name space.
More changes to come, but at least we now have a
a working distributed winbindd solution.
(This used to be commit 824175854421f7c27d31ad673a8790dd018ae350)
|
|
<mezte@metzemix.de>
(This used to be commit c5e8acd3b7b8a7063aa6ffde1099196daf1c317b)
|
|
IS_NAME_VALID QPATHINFO level
(This used to be commit 1634346e2a6e73af80d4e68d50c6398fb24869a5)
|
|
(This used to be commit 3ac622532a27659b9f9e26b1aa6858ce156641ac)
|
|
allow them to be changed. Works well with W2K and above.
Jeremy.
(This used to be commit 685e4e518236079f201650f26152f6f9ad3c61ab)
|
|
(This used to be commit 10f1da3f4a9680a039a2aa26301b97e31c06c38d)
|
|
This gets us closer to W2k+ in what we return for file ACLs. Fix horribly
broken make_sec_desc() that screwed up the size when given a SD with no
owner or group (how did it get this bad... ?).
Jeremy.
(This used to be commit 183c9ed4052ab14e269ed1234ca557053f77e77a)
|
|
(This used to be commit 7e352f5c62c4889bdf2662dded1e74a354890dc7)
|
|
(This used to be commit 2aad5736256968f27c42a6f94bdbc7a22c236c19)
|
|
(This used to be commit 0666e34d7c8f0863148763932f60a65ad936f2c9)
|
|
swapped.
(This used to be commit 92be28aa4a6ff42c601e9d2de978265a6c2e8c46)
|
|
(This used to be commit b1eb0dd7e0593e08f71aa9c4fc3d47ccdfabc691)
|
|
(This used to be commit 1f98ced3163e26818c12829801729bc28f858de7)
|
|
(This used to be commit 46e6621b2ebe7a8d1bd0c05197667aaa4e078efd)
|
|
Now we are defaulting to --with-quotas=no but anyway trying to test them in configure. This is done to get information about as much quota API variations as possible -- when --with-quotas=no this does not affect build but provides us with more detailed information on build farm.
(This used to be commit 3786695c72e6ff6a52a527382ac77142e236971b)
|