Age | Commit message (Collapse) | Author | Files | Lines |
|
there are still some work to do on it but it's already functionnal.
J.F.
(This used to be commit 2506c98d19263bd5f367a488c2238dcdfec46ee9)
|
|
(This used to be commit 97b243c488e8b976e40c6d873282a153f80c06e4)
|
|
* PRINTER_ATTRIBUTE's
* "default devmode" parameter
(This used to be commit 90a7a1840b4823d4ebe047130a95dd15a824500b)
|
|
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
|
|
<a.bokovoy@sam-solutions.net>.
The idea is the domain\username is rather harsh for unix systems - people don't
expect to have to FTP, SSH and (in particular) e-mail with a username like
that.
This 'corrects' that - but is not without its own problems.
As you can see from the changes to files like username.c and wb_client.c (smbd's
winbind client code) a lot of assumptions are made in a lot of places about
lp_winbind_seperator determining a users's status as a domain or local user.
The main change I will shortly be making is to investigate and kill off
winbind_initgroups() - as far as I know it was a workaround for an old bug in
winbind itself (and a bug in RH 5.2) and should no longer be relevent.
I am also going to move to using the 'winbind uid' and 'winbind gid' paramaters
to determine a user/groups's 'local' status, rather than the presence of the
seperator.
As such, this functionality is recommended for servers providing unix services,
but is currently less than optimal for windows clients.
(TODO: remove all references to lp_winbind_seperator() and
lp_winbind_use_default_domain() from smbd)
Andrew Bartlett
(This used to be commit 07a21fcd2311d2d9b430b99303e3532a8c1159e4)
|
|
Jeremy.
(This used to be commit c1b97226db63daf64359e79083a4754e7c7f8054)
|
|
and constness changes.
(This used to be commit cee0ec72746122c962e6c5278a736266a7f2c424)
|
|
(This used to be commit a61abaec063d00afe13ce0baa356245fb6e21bc0)
|
|
string in the loadparam Globals struct. Using pstrcpy was causing every
NULL string was being set to the name of the winbindd log file. (-:
(This used to be commit 24bae9f05523a7c85bf1988d349149ebeb5067f0)
|
|
code (one less global, hurrah !) - to allow NetBIOS aliasing to be used
with point and print.
Jeremy.
(This used to be commit 10d72f0b01e5950c667f3f73dff1b4da5b675ea3)
|
|
(This used to be commit 472121749460a73f684bdbd02b828e89fad101af)
|
|
(This used to be commit 59174310d419aa835031c7a318d85fe25ba28227)
|
|
probably will never actually be genearted, but I like the style in any case.
Also fix a segfault in 'net rpc' when the login failed and a small memory leak
on failure in the auth_info.c code.
Andrew Bartlett
(This used to be commit 2efae7cc522651c22fb120835bc800645559b63e)
|
|
Fixed winbindd to finally stop leaving log. file droppings :-).
Jeremy.
(This used to be commit 0bea6cf79a44f79fa3a4f2c8381e898e79c66509)
|
|
(This used to be commit 2ffefba86997c9d6bc2a9b6dac1e576f4b64c777)
|
|
(This used to be commit 102af994de6bbfbe94f13c1880fc31c6414c9f8e)
|
|
Ignacio you can update your howto ;-)
samsync: a small patch to try chaning challenges.
J.F.
(This used to be commit c99bc305599698f2291efbfe20024355cb2bcde0)
|
|
you need to set "use spnego = no" for w2k to be able to join a samba
domain. Otherwise the w2k box will assume we can do kerberos as a KDC
(This used to be commit b5cb57a367a6d9a82e082e2838e83e0997eb4930)
|
|
- removed the ugly as hell sam_logon_in_ssb variable, I changed a bit the
definition of standard_sub_basic() to cope with that.
- removed the smb.conf: 'domain admin group' and 'domain guest group'
parameters ! We're not playing anymore with the user's group RIDs !
- in get_domain_user_groups(), if the user's gid is a group, put it first
in the group RID list.
I just have to write an HOWTO now ;-)
J.F.
(This used to be commit fef52c4b96c987115fb1818c00c2352c67790e50)
|
|
that GROUPNAME_MAP has never been used.
I'll delete the smbd/groupname.c file too
J.F.
(This used to be commit 2285e98f205752ec801d11b4bb9afa33e768fd93)
|
|
We now default encrypt passwords = yes
We now check plaintext passwords (however aquired) with the 'sam' backend
rather than unix, if encrypt passwords = yes.
(this kills off the 'local' backed. The sam backend may be renamed in its
place)
The new 'samstrict' wrapper backend checks that the user's domain is one of
our netbios aliases - this ensures that we don't get fallback crazies with
security = domain.
Similarly, the code in the 'ntdomain' and 'smbserver' backends now checks
that the user was not local before contacting the DC.
The default ordering has changed, we now check the local stuff first - but
becouse of the changes above, we will really only ever contact one
auth source.
Andrew Bartlett
(This used to be commit e89b47f65e7eaf5eb288a3d6ba2d3d115c628e7e)
|
|
(This used to be commit 48df0d2b5dee3c010c88587352554220f8b92b0f)
|
|
winbind function if the id is obviously going to be local. Cleanup
of winbind [ug]id parameter handling.
(This used to be commit 4ab9ca31a02b3388aa89a00e0390ea9e4c76283a)
|
|
(This used to be commit 5a735a88e472a48cd4329832998dc31c1e230ecb)
|
|
this completes the first stage of the smbd ADS support
(This used to be commit 058a5aee901e6609969ef7e1d482a720a84a4a12)
|
|
subystem.
The particular aim is to modularized the interface - so that we
can have arbitrary password back-ends.
This code adds one such back-end, a 'winbind' module to authenticate
against the winbind_auth_crap functionality. While fully-functional
this code is mainly useful as a demonstration, because we don't get
back the info3 as we would for direct ntdomain authentication.
This commit introduced the new 'auth methods' parameter, in the
spirit of the 'auth order' discussed on the lists. It is renamed
because not all the methods may be consulted, even if previous
methods fail - they may not have a suitable challenge for example.
Also, we have a 'local' authentication method, for old-style
'unix if plaintext, sam if encrypted' authentication and a
'guest' module to handle guest logins in a single place.
While this current design is not ideal, I feel that it does
provide a better infrastructure than the current design, and can
be built upon.
The following parameters have changed:
- use rhosts =
This has been replaced by the 'rhosts' authentication method,
and can be specified like 'auth methods = guest rhosts'
- hosts equiv =
This needs both this parameter and an 'auth methods' entry
to be effective. (auth methods = guest hostsequiv ....)
- plaintext to smbpasswd =
This is replaced by specifying 'sam' rather than 'local'
in the auth methods.
The security = parameter is unchanged, and now provides defaults
for the 'auth methods' parameter.
The available auth methods are:
guest
rhosts
hostsequiv
sam (passdb direct hash access)
unix (PAM, crypt() etc)
local (the combination of the above, based on encryption)
smbserver (old security=server)
ntdomain (old security=domain)
winbind (use winbind to cache DC connections)
Assistance in testing, or the production of new and interesting
authentication modules is always appreciated.
Andrew Bartlett
(This used to be commit 8d31eae52a9757739711dbb82035a4dfe6b40c99)
|
|
(This used to be commit d51ef6bfa3d194b58c3ee7706a7d475ef042676d)
|
|
(This used to be commit 868999ad3c82ad72f11d5b3208b0e42b1ed95096)
|
|
per-share. I beleive that almost all the things that this could have done on
a per-share basis can be done with other tools, like 'force user'.
Almost all the user's of this paramater used it as a global anyway...
While this is one step at a time, I hope it will allow me to considerably
simplfy the make_connection() code, particularly for the user-level security
case.
This already removes an absolute truckload of extra attempted password lookups
on the guest account.
Andrew Bartlett
(This used to be commit 8e708332eded210c1d1fe0cebca3c9c19f054b71)
|
|
(This used to be commit 292a0265a9de7f5fa06140768ecf27056d59f6c1)
|
|
(This used to be commit 3b5e72bda3263c6bdf81dfface4fae4f06b71032)
|
|
loses things like username mapping. I wanted to get this in then
discuss it a bit to see how we want to split up the existing
session setup code
(This used to be commit b74fda69bf23207c26d8b2af23910d8f2eb89875)
|
|
(This used to be commit bef729741e5151574710286f7406852981580945)
|
|
and also completes the switch to lang_tdb.c. SWAT should now work
with a po file in the lib/ directory
also removed useless SYSLOG defines in many files
(This used to be commit 5296b20ad85d7519c870768455cb4d8df048c55a)
|
|
Jeremy.
(This used to be commit ebba334c15619610475a5c8242a55ed4fcdedf7c)
|
|
(This used to be commit 062bba07f2faedfce7612c8b4a16072fa200349e)
|
|
(This used to be commit 2d0922b0eabfdc0aaf1d0797482fef47ed7fde8e)
|
|
(This used to be commit efc6df5a3914da9e7b792ccaccd1403c72c09f78)
|
|
Jeremy.
(This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
|
|
TO enable configure with --with-i18n-swat
to support this gettext is integrated
and a new directories name "po" and "intl" are created.
now these languages are supported:
en - English (default)
ja - Japanese
po - Polish
tr - Turkish
To add your language,
to create ${your_language}.po by translating source/po/en.po
into your language is needed.
some of html and image files of various language version are not
included yet, though message catalogue files are installed.
you need to copy files manually under
${swatdir}/lang/$ln/{help,images,included,using_samba}
And also added a option to intall manual pages:
of various lang version
To enable configure with --with-manlangs
but manual pages themself are not included yet.
(This used to be commit 486b79a6fc4ba20a751aab544bd0f7ccff2b3d19)
|
|
than NT_STATUS_LOGON_FAILURE. This also brings us (almost) back in line with
their implementation.
Kill off SMBENCRYPT() macro
Kill off 'nt smb support' paramater - tridge okayed this one.
Andrew Bartlett
(This used to be commit 67947bf6e31ee9758f8a2186f83031ba21b716f2)
|
|
(This used to be commit c4d8ad2c2e48ff31dae7477ff02e5bfc013832a9)
|
|
(This used to be commit fb0984e60fd69100d9866304b83b4f3c85e9aea2)
|
|
system-dependent and can allow (when unix password sync = yes) the
'syncronisation' of root's password by a normal user :-(
Andrew Bartlett
(This used to be commit eecda11eef8bff73286c6a3c9f89ed0d1dcd7f73)
|
|
This should finally kill off the remaining places where we
attempt reverse lookups of the IP of the client. It may be that some
pam modules called via the session code will need "hostname lookups = yes"
but I've left it off by default as most sites don't need it and so
many sites have broken reverse maps
(This used to be commit 2b83ad03965d00bba88fe56452d2990099b75ef1)
|
|
which should now be used instead of DEBUG(0) or printf() for
interactive messages
I have only converted client.c to use d_printf(), and the code hasn't
had much testing yet. Eventually we want all interactive code to use
d_printf(), plus SWAT
(This used to be commit 266d8e67669adb329f25676c4bc4d4c50f223428)
|
|
Richard Bollinger <rabollinger@home.com>.
Jeremy.
(This used to be commit 408c0595bbeafca87795e5278656471fbe0540e8)
|
|
need to fiind a way to make it fast
(This used to be commit 42b147d1f26093c45110077a309c5e0d3010a28d)
|
|
This should make it clear that the meaning of the parameter value has
changed. It no longer represents *the* WINS server, but a list of WINS
servers.
I have made other changes in the code such that the lp_wins_server()
function is no longer necessary. Whenever smb.conf is reloaded the list
managed by lib/wins_srv.c is refreshed. The wins_srv_count() function
returns the number of entries in the list so, if the list is empty, it
will return 0 (which can be interpreted as "false" in an if() statement).
Chris -)-----
(This used to be commit 968c947e8bb35cf2441f3ebbb234429f5c1733c6)
|
|
Volker
(This used to be commit 5fc8c51983f36b0b2bbb2704a522026dc64d0b65)
|