Age | Commit message (Collapse) | Author | Files | Lines |
|
(This used to be commit 80e7f8f2f59136f53c236a37b5f16f6ffa0d391a)
|
|
paths handle the rest later.
Andrew Bartlett
(This used to be commit 09754ec797c4232d2016c7eff2e74044f28ebb7c)
|
|
The aim of this execise is to give the 'security>=user' code a straight paper
path. Security=share will sill call authorise_login(), but otherwise we avoid
that mess.
This allow *much* more accurate error code reporting, beocuse we don't start
pretending that we can use the (nonexistant) password etc.
Also in this patch is code to create the 'homes' share at session setup time
(as we have done in the past - been broken recently) and to record this on
the user's vuser struct for later reference. The changes here should also
allow for much better use of %H (some more changes to come here).
The service.c changes move a lot of code around, but are not as drastric
as they look...
(Also included is a fix to srv_srvsvc_nt.c where 'total_entries' not
'*total_entries' was compared).
This code is needs testing, but passes my basic tests.
I expect we have lost some functionality, but the stuff I had expected
to loose was already broken before I started. In particular, we don't 'fall
back' to guest if the user cannot access a share (for security=user). If you
want this kind of stuff then you really want security=share anyway.
Andrew Bartlett
(This used to be commit 4c0cbcaed95231f8cf11edb43f6adbec9a0d0b5c)
|
|
Jeremy.
(This used to be commit 1f46dc9cbf7f2da2865ae2e10146d5976ed801ea)
|
|
and renamed to str_list_* as it is a better name.
Elrond should be satisfied now :)
(This used to be commit 4ae260adb9505384fcccfb4c9929cb60a45f2e84)
|
|
rather than a string when configuring mulitple backends.
Also adjust some of the users of get_global_sam_sid() to cope with the fact
that it just might not exist (uninitialised, can't access secrets.tdb).
More places need conversion.
Add some const and remove silly casts.
Andrew Bartlett
(This used to be commit c264bf2ec93037d2a9927c00295fa60c88b7219d)
|
|
O'Connor(billy@oconnoronline.net)
(This used to be commit 88718883e031a3249152861300432dfc895ac587)
|
|
It will have the same meaning as the RestrictAnonymous registry
setting.
See Q143474 and Q246261 for more details.
(This used to be commit 2d2f6fcc559e90a5c7a761ec2860551f5eb86423)
|
|
print share is exported. Needs some more testing.
(This used to be commit 92b36482fd6aa5103c30dad40fe799c07dd2d8d7)
|
|
this is a first step only passdb stuff has beein "classized".
- so what can you do?
set debug level to: 1 poasdb:10
that will make all the code run at debug level 1 except the code in
passdb/* files that will run at level 10
TODO: fix the man page
- also smbcontrol has this nice feature so smbcontrol smbd debug 3 passdb:5
will set every smbd to have a default log level of 3 while passdb stuff
will be at level 5
and so no..
minor cosmetic fix to pdbedit is there too
(This used to be commit be5c3b3f5781ddc002ffcc98df04ab024dcef4ca)
|
|
cleanup some of the code in net_rpc_join re const warnings and
fstrings.
Passdb:
Make the %u and %U substituions in passdb work.
This is done by declaring these paramters to be 'const' and doing
the substitution manually. I'm told this is us going full circle,
but I can't really see a better way.
Finally these things actually seem to work properly...
Make the lanman code use the pdb's recorded values for homedir etc
rather than the values from lp_*()
Add code to set the plaintext password in the passdb, where it can
decide how to store/set it. For use with a future 'ldap password
change' option, or somthing like that...
Add pdb_unix, so as to remove the 'not in passdb' special cases from the
local_lookup_*() code. Quite small, as it uses the new 'struct passwd ->
SAM_ACCOUNT' code that is now in just one place. (also used by pdb_smbpasswd)
Other:
Fix up the adding of [homes] at session setup time to actually pass
the right string, that is the unix homedir, not the UNC path.
Fix up [homes] so that for winbind users is picks the correct name.
(bad interactions with the default domain code previously)
Change the rpc_server/srv_lsa_nt.c code to match NT when for the
SATUS_NONE_MAPPED reply: This was only being triggered on
no queries, now it is on the 'no mappings' (ie all mappings failed).
Checked against Win2k.
Policy Question: Should SID -> unix_user.234/unix_group.364 be
considered a mapping or not? Currently it isn't.
Andrew Bartlett
(This used to be commit c28668068b5a3b3cf3c4317e5fb32ec9957f3e34)
|
|
and there is no real reason for it to depend on more than the abilty
to compile the code.
(This used to be commit 64aaec137e39595e6e61b55eb525615683a1393c)
|
|
This option was badly maintained, useless and confused our users and
distirbutors. (its SSL, therfore it must be good...)
No windows client uses this protocol without help from an SSL tunnel.
I can't see any reason why setting up a unix-side SSL wrapper would
be any more difficult than the > 10 config options this mess added
to samba in any case.
On the Samba client end, I think the LIBSMB_PROG hack should be
sufficient to start stunnel on the unix side. We might extend this
to take %i and %p (IP and port) if there is demand.
Andrew Bartlett
(This used to be commit b04561d3fd3ee732877790fb4193b20ad72a75f8)
|
|
things; compiles and shouldnt break, but needs testing
(This used to be commit 19b9b50d9039afe614284aaf379f9f1078e2e307)
|
|
Jeremy.
(This used to be commit 6d957924579d64407bdd94d7e78088fb1ea5c9ce)
|
|
param/loadparm.c: Added missing debugs that would have helped me find a misconfiguration
I lost a day on....
Jeremy.
(This used to be commit 6e9572379784c77f3c4e6a95e18a9641880a8ffc)
|
|
sane) from ab.
Attached is his e-mail to the samba-technical list, as it describes it rather
well:
Andrew Bartlett
Subject:
[PATCH] Parametrical options support for Samba 3.0
Date:
Fri, 12 Apr 2002 19:13:13 +0300
From:
Alexander Bokovoy <a.bokovoy@sam-solutions.net>
To:
samba-technical@samba.org
CC:
tridge@samba.org
Greetings!
Attached patch makes possible arbitrary options to be specified in
smb.conf and later queried from VFS modules (and other places)
without problems. Below such options are called 'parametrical options'.
Patch introduces new notation to smb.conf option's language, as discussed
today with Tridgell on @samba-technical:
TYPE: OPTION = VALUE
Colon sign is important here, it is what distinguishes parametrical
options from ones hardcoded in param/loadparm.c.
TYPE is 'option domain', OPTION is option name itself.
In order to access values of parametrical options, lp_parm_string()
function was implemented:
char *lp_parm_string(const char *servicename, const char *type, const char
*option);
This function accepts service name, type and option name, and returns
value of option or NULL if this option is underfined. Service name can be
NULL, resulting in search in 'global' section only.
If option does not exist in specified service, 'global' section is
scanned. This allows propagation of globally specified options to all
services and later overloading of the option in some services.
Caution: 'TYPE: OPTION' combination is case sensitive.
So far, testparm is able to handle parametrical options, while SWAT
can't. Thus, everyone familiar with SWAT internals is welcomed to add
parametrical options support.
(This used to be commit bfd7cd43556bed3131d0d18869abfd1cbc30bcd0)
|
|
All uids and gids must create valid RIDs, becouse other code expects this, and
can't handle the failure case. (ACL code in particular)
Allow admins to adjust the base of the RID algorithm, so avoid clashes with
users brought in from NT (for example).
Put all the algorithm code back in one place, so that this change is global.
Better coping with NULL sid pointers - but it still breaks a lot of stuff.
BONUS: manpage entry for new paramater :-)
counter based rids for normal users in tdbsam is disabled for the timebeing,
idra and I will work out some things here soon I hope.
Andrew Bartlett
(This used to be commit 5275c94cdf0c64f347d4282f47088d084b1a7ea5)
|
|
it seems to be a much better scheme
(This used to be commit c8e2250ab1eae3aebecd8669e63f95f8656ae361)
|
|
mangling implementation, selectable using "mangling method = " in smb.conf
It also tidies the interface a little, although it is still nasty.
(This used to be commit be23d87a178e7d0691e7d942adf89bb3d2d533c2)
|
|
Jeremy.
(This used to be commit 16015c07eab2e57fa3771051e3e08fde21757cfa)
|
|
by Herb.
Jeremy.
(This used to be commit f4f2a62740625495fa2dae03751829a4528713cc)
|
|
need to know about. Different from the DEBUG system.
Jeremy.
(This used to be commit 74eac41c681f92a6da0ae2167f031e021862e0d8)
|
|
- Fix warnings in loadparm.c
- Remove the unused 'passdb modules path' paramater
- Make pdb_ldap use $ termination rather than the workstation trust account
flag becouse some 'machine' accounts appear as normal accounts at creation
time. Also covers domains etc.
Andrew Bartlett
(This used to be commit 8c82a3daf777bcd4cd4388d30222e370fe800819)
|
|
Jeremy.
(This used to be commit ad1e858d8e72adf924ff435eab8da3e60842e2e6)
|
|
"One of these locks is not like the others... One of these locks is not
quite the same" :-). When is a zero timeout lock not zero ? When it's
being processed by Windows 2000 of course.. This code change, ugly though
it is - completely fixes the foxpro/access multi-user file system database
problems that people have been having. I used a *wonderful* test program
donated by "Gerald Drouillard" <gerald@drouillard.ca> which allowed me
to completely reproduce this problem, and to finally determine the correct
fix. This also explains why Windows 2000 is *so slow* when responding to
the smbtorture lock tests. I *love* it when all these things come together
and finally make sense :-).
Jeremy.
(This used to be commit 8aa9860ea2ea7f5aed4b6aa12794fffdfa81b0d0)
|
|
Based on code donated by Olaf Fr±czyk <olaf@cbk.poznan.pl>. Further commit
will change to sending via vfs interface.
Jeremy.
(This used to be commit d85133e2697eb22f1573c78447b57791ae63dd6b)
|
|
this means that we at least support all unicode chars by default
(This used to be commit 54a3f374496316ccc6d0e4aa2267963193690a23)
|
|
(This used to be commit b6d62b8b2e0d72b0588fbe10b12c3877feb5ca71)
|
|
(This used to be commit 75f72f0b6a698e462a0567674613319dde789084)
|
|
(This used to be commit 6c5052a1a9e47c2efe0d5e84bee05ae335d79e60)
|
|
The main change here is to move ldap into the new pluggable passdb subsystem
and to take the LDAP location as a 'location' paramter on the 'passdb backend'
line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported,
and by hand where it isn't.
It also adds the ldap user suffix and ldap machine suffix smb.conf options,
so that machines added to the LDAP dir don't get mixed in with people.
Non-unix account support is also added. This means that machines don't need to
be in /etc/passwd or in nss_ldap's scope.
This code has stood up well under my production environment, so it relitivly
well tested.
I'm commiting this now becouse others have shown interest in using it, and
there is no point 'hording' the code :-).
Andrew Bartlett
(This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
|
|
Jeremy.
(This used to be commit 9243a9778e52999d5c62cba484640637b24994d8)
|
|
(This used to be commit d1ccdb5d1cb3d624285b13e662153e1e74ba3d71)
|
|
this should improve performance with w2k clients and seems to work
fine
(This used to be commit 67a3135e044b40467d0d06d271ed981768700b95)
|
|
(This used to be commit 98e97fac17b766a6da658daa1ec40ffaf6f5bb2e)
|
|
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
(This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
|
|
there are still some work to do on it but it's already functionnal.
J.F.
(This used to be commit 2506c98d19263bd5f367a488c2238dcdfec46ee9)
|
|
(This used to be commit 97b243c488e8b976e40c6d873282a153f80c06e4)
|
|
* PRINTER_ATTRIBUTE's
* "default devmode" parameter
(This used to be commit 90a7a1840b4823d4ebe047130a95dd15a824500b)
|
|
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
|
|
<a.bokovoy@sam-solutions.net>.
The idea is the domain\username is rather harsh for unix systems - people don't
expect to have to FTP, SSH and (in particular) e-mail with a username like
that.
This 'corrects' that - but is not without its own problems.
As you can see from the changes to files like username.c and wb_client.c (smbd's
winbind client code) a lot of assumptions are made in a lot of places about
lp_winbind_seperator determining a users's status as a domain or local user.
The main change I will shortly be making is to investigate and kill off
winbind_initgroups() - as far as I know it was a workaround for an old bug in
winbind itself (and a bug in RH 5.2) and should no longer be relevent.
I am also going to move to using the 'winbind uid' and 'winbind gid' paramaters
to determine a user/groups's 'local' status, rather than the presence of the
seperator.
As such, this functionality is recommended for servers providing unix services,
but is currently less than optimal for windows clients.
(TODO: remove all references to lp_winbind_seperator() and
lp_winbind_use_default_domain() from smbd)
Andrew Bartlett
(This used to be commit 07a21fcd2311d2d9b430b99303e3532a8c1159e4)
|
|
Jeremy.
(This used to be commit c1b97226db63daf64359e79083a4754e7c7f8054)
|
|
and constness changes.
(This used to be commit cee0ec72746122c962e6c5278a736266a7f2c424)
|
|
(This used to be commit a61abaec063d00afe13ce0baa356245fb6e21bc0)
|
|
string in the loadparam Globals struct. Using pstrcpy was causing every
NULL string was being set to the name of the winbindd log file. (-:
(This used to be commit 24bae9f05523a7c85bf1988d349149ebeb5067f0)
|
|
code (one less global, hurrah !) - to allow NetBIOS aliasing to be used
with point and print.
Jeremy.
(This used to be commit 10d72f0b01e5950c667f3f73dff1b4da5b675ea3)
|
|
(This used to be commit 472121749460a73f684bdbd02b828e89fad101af)
|
|
(This used to be commit 59174310d419aa835031c7a318d85fe25ba28227)
|
|
probably will never actually be genearted, but I like the style in any case.
Also fix a segfault in 'net rpc' when the login failed and a small memory leak
on failure in the auth_info.c code.
Andrew Bartlett
(This used to be commit 2efae7cc522651c22fb120835bc800645559b63e)
|