Age | Commit message (Collapse) | Author | Files | Lines |
|
(This used to be commit 77fe6a914888f09f96b4468ea5d1bc1953fe63c5)
|
|
<a.kotovich@sam-solutions.net> that adds the security decsriptor code
for ADS workstation accounts
thanks for your patience Cat, and thanks to Andrew Bartlett for
extensive reviews and suggestions about this code.
(This used to be commit 6891393b5db868246fe52ff62b3dc6aa5ca6f726)
|
|
that any cached lpq information gathered during that time doesn't
stay around for longer than 1 hour.
Jeremy.
(This used to be commit 39fca711a5cf15a03d6c79639b202712d1749a64)
|
|
values so we can see what's going on.
Jeremy.
(This used to be commit 5ba4ba36339269b2059da7c103e63ecd948f7938)
|
|
Jeremy.
(This used to be commit 2b85d3570c2b149049482c3878c50cf8f5bfca61)
|
|
(This used to be commit a7fa0733badad66ae610eac5e01569cf264976f3)
|
|
Andrew Bartlett
(This used to be commit a9edcc1cb7c5f2692bc1931f0a2059a91891f178)
|
|
The main change here is to move ldap into the new pluggable passdb subsystem
and to take the LDAP location as a 'location' paramter on the 'passdb backend'
line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported,
and by hand where it isn't.
It also adds the ldap user suffix and ldap machine suffix smb.conf options,
so that machines added to the LDAP dir don't get mixed in with people.
Non-unix account support is also added. This means that machines don't need to
be in /etc/passwd or in nss_ldap's scope.
This code has stood up well under my production environment, so it relitivly
well tested.
I'm commiting this now becouse others have shown interest in using it, and
there is no point 'hording' the code :-).
Andrew Bartlett
(This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
|
|
using it anymore. This also removes an early #include of smb.h, making it
slightly easier to track whats being included where.
Andrew Bartlett
(This used to be commit 9d25e3023272a55a39f80305f0f336c655833d55)
|
|
(This used to be commit e3585e3c2ce2a09453fa1b59a947eccd67dfb88a)
|
|
Jeremy.
(This used to be commit 04965086711e9f794f0a0bcbfa0fd230e20b0cbe)
|
|
Rafal Szczesniak <mimir@diament.ists.pwr.wroc.pl>
This adds the 'net' tools to manipulate the trusted domains.
Andrew Bartlett
(This used to be commit 770c8a31d9804d3339ffa0de8b5072a5c7eb02df)
|
|
Jeremy.
(This used to be commit 9243a9778e52999d5c62cba484640637b24994d8)
|
|
(This used to be commit 0a3363ae686205c416c75e16f8d6ee55dc4366b5)
|
|
(and yes I know who you are..... :-).
Jeremy.
(This used to be commit 330b0df960329bcf4696b8fa4a7357e6c456f74e)
|
|
(This used to be commit c8dc59dfe877f63bea6976b7d7fd448e0c8722ba)
|
|
(This used to be commit 9a3e127aeacb01f5a642013a46148eaa31f41482)
|
|
This allow the user to select
'passdb backend = plugin : /path/to/plugin.so : pluging args'
And load any arbitary plugin. Apparently Jelmer has a mysql plugin in the
works - hence this patch.
We probably need to rework the interface a bit before 3.0 (add versioning of
some kind) but this is a good start.
Andrew Bartlett
(This used to be commit d6d18b70f0c377344b0b3d9df5a11d209793bfe0)
|
|
character set for conversion. To be used in Winbind and the 'net ads'
commands.
Andrew Bartlett
(This used to be commit fa9d3060ff7510e176d7608b49075379500f55c4)
|
|
(This used to be commit 60e84540fd8c27975066f7c7984d30bc88f6da5f)
|
|
(This used to be commit 3fb3bc0a1546dadb24231065b422349bd199e1bf)
|
|
(This used to be commit 3f7ba70615008d74a145a94aa087cae08efab343)
|
|
Jeremy.
(This used to be commit 771ef92fc6e43725b7cc351079998a8acb74abef)
|
|
(This used to be commit b9c843532508ea5fd4633dd7d82452fd89d63eab)
|
|
they were only being used correctly in one location, and all other assumed the semicolon wasn't there. Amazing that none of them mattered syntactically, until today.
(This used to be commit 6515c3e8ef546975657e45fce7f147fe4a08e9ca)
|
|
(This used to be commit a844d9af21d8047629129c5e842db7acbc059932)
|
|
The level2 field in SPOOL_Q_ADDFORM is probably part of the FORM structure
as a discriminated union.
(This used to be commit 2c906ff77d81bc7097129d3f34be48857ce3a48b)
|
|
(This used to be commit e4c13c51fa559d24da73f57b348cfe7d711b3c7d)
|
|
(This used to be commit 6f977036ad1053cc4c06f801b989afdd8cfca10d)
|
|
(This used to be commit 1b9b4e46d2dec69cc6de67aad93614412ae61379)
|
|
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
(This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
|
|
in become_root()/unbecome_root().
Also only allocate the memory the client reqests - and don't allow the client
to trigger an SMB_ASSERT if they ask for 'more'.
Up the maximum number of sids allowed, and note that this is an arbiary guess,
and can be raised without consequence.
Andrew Bartlett
(This used to be commit 6e7667125d142670db7393ed7a48386f3821d896)
|
|
(This used to be commit e72e511935ce7f2b658a133bd536833864bc6a92)
|
|
Jeremy.
(This used to be commit 27f65b3aad13ecd33bbb84048d70e3dde212f278)
|
|
Changed the way the wins record are handled in memory. Now they are living
much longer with the different states: active, released and tombstone.
Also added a version ID, some wins flags and the wins owner ip address to
the namrec->data struct, and a function to process messages sent by the
wins replication daemon.
the initiate_wins_processing() function is not correct, I'll fix it later.
J.F.
(This used to be commit b902e087d06c32797af19021a7f56895d86d7364)
|
|
J.F.
(This used to be commit 5fef8a5ad29074bcf02904a1cca72133d57cc3e4)
|
|
Jeremy.
(This used to be commit 0db93d8752197e213f0974edae53e2dafdd77b51)
|
|
(This used to be commit 04f492980b73800b60dde764fdeb43f2eab79624)
|
|
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
|
|
This time its the pdb_getsampwuid() function - which was only being used by the
SAMR rpc subsystem to gain a 'user session key'. This 'user session key' is
actually generated at login time, and the other changes here simply move that
data around.
This also means that (when I check some details) we will be able to use the
user session key, even when we are not actually the DC, becouse its one of the
components of the info3 struct returned on logon.
Andrew Bartlett
(This used to be commit 799ac01fe08a338e4e94289f5d6767ebf905c1fa)
|
|
degree of seperation betwen reading/writing the raw NamedPipe SMB packets
and the matching operations inside smbd's RPC components.
This patch is designed for no change in behaviour, and my tests hold that to be
true. This patch does however allow for the future loadable modules interface
to specify function pointers in replacement of the fixed state.
The pipes_struct has been split into two peices, with smb_np_struct taking the
information that should be generic to where the data ends up.
Some other minor changes are made: we get another small helper function in
util_sock.c and some of the original code has better failure debugs and
variable use. (As per on-list comments).
Andrew Bartlett
(This used to be commit 8ef13cabdddf58b741886782297fb64b2fb7e489)
|
|
Samba (ab)uses the returns from getpwnam() a lot - in particular it keeps
them around for a long time - often past the next call...
This adds a getpwnam_alloc and a getpwuid_alloc to the collection.
These function as expected, returning a malloced structure that can be
free()ed with passwd_free(&passwd).
This patch also cuts down on the number of calls to getpwnam - mostly by
taking advantage of the fact that the passdb interface is already
case-insensiteve.
With this patch most of the recursive cases have been removed (that I know
of) and the problems are reduced further by not using the sys_ interface
in the new code. This means that pointers to the cache won't be affected.
(This is a tempoary HACK, I intend to kill the password cache entirly).
The only change I'm a little worried about is the change to
rpc_server/srv_samr_nt.c for private groups. In this case we are getting
groups from the new group mapping DB. Do we still need to check for private
groups? I've toned down the check to a case sensitve match with the new code,
but we might be able to kill it entirly.
I've also added a make_modifyable_passwd() function, that copies a passwd
struct into the form that the old sys_getpw* code provided. As far as I can
tell this is only actually used in the pass_check.c crazies, where I moved
the final 'special case' for shadow passwords (out of _Get_Pwnam()).
The matching case for getpwent() is dealt with already, in lib/util_getent.c
Also included in here is a small change to register the [homes] share at vuid
creation rather than just in one varient of the session setup. (This picks
up the SPNEGO cases). The home directory is now stored on the vuid, and I
am hoping this might provide a saner way to do %H substitions.
TODO: Kill off remaining Get_Pwnam_Modify calls (they are not needed), change
the remaining sys_getpwnam() callers to use getpwnam_alloc() and move
Get_Pwnam to return an allocated struct.
Andrew Bartlett
(This used to be commit 1d86c7f94230bc53daebd4d2cd829da6292e05da)
|
|
(This used to be commit 967c68858001cd620d2524d56180497c4b479c6b)
|
|
Jeremy.
(This used to be commit 0fcca6c627a5c9c2219ec9714df5e0bc1a44cc29)
|
|
-> NT STATUS
maps. Fixes problem with disk full returning incorrect error.
Jeremy.
(This used to be commit 16fcbf3c1ccf1d704765653f68395dd596c0d841)
|
|
Jeremy.
(This used to be commit 794c3e2c76aae57d054e46b185def104ca02977c)
|
|
HEAD soon.
Jeremy.
(This used to be commit 2f57257558b67b4a5106fece269ce55643464683)
|
|
and constness changes.
(This used to be commit cee0ec72746122c962e6c5278a736266a7f2c424)
|
|
(This used to be commit 04e3082f7d45c1b304adff5a46106136cff0e09e)
|
|
(This used to be commit 20a03facb6acf6329acc1645d4e9ead863a1a57c)
|