Age | Commit message (Collapse) | Author | Files | Lines |
|
Tidyup in passdb.c
Jeremy.
(This used to be commit 676eea502a1bb2114a6e8055ecaf97ecab2e3a91)
|
|
people start doing using strlen(src) in strncpy() :-)
This occured when the talloc based passdb was reverted in favor of a pstring
based one. In the talloc version this was fine, becouse the buffer was
strlen(src) bytes long. This no longer applies...
This doesn't seem to have broken anything, but I'm chasing up an oddity with NT
password changing from the last merge.
Test & MERGE for 2.2.3
Andrew Bartlett
(This used to be commit 673ece2841e8b60966a17ece3591f9f202807332)
|
|
Thou shalt not reference SAM_ACCOUNT members directly - always use
pdb_get/pdb_set.
This is achived by making the whole of SAM_ACCOUNT have a .private member,
where the real members live. This caught a pile of examples, and these have
beeen fixed.
The pdb_get..() functions are 'const' (have been for some time) and this
required a few small changes to constify other functions.
I've also added some debugs to the pdb get and set, they can be removed if
requested.
I've rewritten the copy_id2x_to_sam_pass() functions to use the new passdb
interface, but I need the flags info to do it properly.
The pdb_free_sam() funciton now blanks out the LM and NT hashes, and as such
I have removed many extra 'samr_clear_sam_passwd(smbpass)' calls as a result.
Finally, any and all testing is always appriciated - but the basics seem to
work.
Andrew Bartlett
(This used to be commit d3dd28f6c443187b8d820d5a39c7c5b3be2fa95c)
|
|
(This used to be commit 65e857b36e170e3ecd78bf6695ae73342e9c04cd)
|
|
but it will take more time as I don't want to loose any fixes that
are only in HEAD.
(This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
|
|
(This used to be commit 54cbfc7ebcdf1bd2094407b689b0050f0abfa46f)
|
|
members (such as uid and gid). This way we will be able to
keep ourselves from writing out default smb.conf settings when
the admin doesn't want to, That part is not done yet.
Tested compiles with ldap/tdb/smbpasswd. Tested connection with smbpasswd
backend.
oh...and smbpasswd doesn'y automatically expire accounts after 21 days
from the last password change either now. Just ifdef'd out that code
in build_sam_account().
Will merge updates into 2.2 as they are necessary.
jerry
(This used to be commit f0d43791157d8f04a13a07d029f203ad4384d317)
|
|
(This used to be commit c26623671e2b0b2e80c6d6383a99880c4f439f04)
|
|
- removed the ugly as hell sam_logon_in_ssb variable, I changed a bit the
definition of standard_sub_basic() to cope with that.
- removed the smb.conf: 'domain admin group' and 'domain guest group'
parameters ! We're not playing anymore with the user's group RIDs !
- in get_domain_user_groups(), if the user's gid is a group, put it first
in the group RID list.
I just have to write an HOWTO now ;-)
J.F.
(This used to be commit fef52c4b96c987115fb1818c00c2352c67790e50)
|
|
not the privileges. Usually we don't need them, so the memory is free
early.
lib/util_sid.c: added some helper functions to check an SID.
passdb/passdb.c: renamed local_lookup_rid() to local_lookup_sid() and pass
an RID all the way. If the group doesn't exist on the domain SID,
don't return a faked one as it can collide with a builtin one. Some rpc
structures have been badly designed, they return only rids and force the
client to do subsequent lsa_lookup_sid() on the domain sid and the builtin
sid !
rpc_server/srv_util.c: wrote a new version of get_domain_user_groups().
Only the samr code uses it atm. It uses the group mapping code instead of
a bloody hard coded crap. The netlogon code will use it too, but I have to
do some test first.
J.F.
(This used to be commit 6c87e96149101995b7d049657d5c26eefef37d8c)
|
|
You can change them with either usermanager->policies->account
or from a command prompt on NT/W2K: net accounts /domain
we can add a rpc accounts to the net command. As the net_rpc.c is still
empty, I did not start. How should I add command to it ? Should I take the
rpcclient/cmd_xxx functions and call them from there ?
alse changed the SAM_UNK_INFO_3 parser, it's an NTTIME. This one is more
for jeremy ;-)
J.F.
(This used to be commit bc28a8eebd9245ce3004ae4b1a359db51f77bf21)
|
|
and cleanup and comments in passdb/passdb.c
J.F.
(This used to be commit 6533339887832ca6dd42d99385c615db7bee3d43)
|
|
This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It
makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP
struct as some privilege showing in USRMGR.EXE are not real privs but a
bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT
3.1 box to verify, but I'm too lazy (yes I still have my CDs).
Added 3 more LSA calls: SetSystemAccount, AddPrivileges and
RemovePrivileges, we can manage all this privilege from UserManager.
Time to change the NT_USER_TOKEN struct and add checks in all the rpc
functions. Fun, fun, fun.
J.F.
(This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
|
|
structre contains pointers (well not if you intend of free those pointers
at some stage)
There is no reason (given the new passdb interface) that you can't modify a
SAM_ACCOUNT in any case.
Andrew Bartlett
(This used to be commit e8e73f7f0fcd86c8c2bfe3fc0b44ea2fd6570cc5)
|
|
an array of uint32. That's not perfect but that's better.
Added more privileges too.
Changed the local_lookup_rid/name functions in passdb.c to check if the
group is mapped. Makes the LSA rpc calls return correct groups
Corrected the return code in the LSA server code enum_sids.
Only enumerate well known aliases if they are mapped to real unix groups.
Won't confuse user seeing groups not available.
Added a short/long view to smbgroupedit.
now decoding rpc calls to add/remove privileges to sid.
J.F.
(This used to be commit f29774e58973f421bfa163c45bfae201a140f28c)
|
|
(This used to be commit 80667cb0dd1a2cdef17711c8580af9f524971cea)
|
|
The problem is that we don't use the bitmap field, and so have to guess what
feilds to change. NT4 sets the RID to NULL in its reply, (as a no-change
value) and we were attempting to set that as a RID.
jfm: Can you get me the info on that bitmap, so I can construct a proper fix
to all this?
Thanks!
(This used to be commit 39f9c78d07d7af6abc71b33a6018ac0237608b6a)
|
|
code.
In particular this assists tpot in some of his work, becouse it provides the
connection between the authenticaion and the vuid generation.
Major Changes:
- Fully malloc'ed structures.
- Massive rework of the code so that all structures are made and destroyed
using malloc and free, rather than hanging around on the stack.
- SAM_ACCOUNT unix uids and gids are now pointers to the same, to allow them
to be declared 'invalid' without the chance that people might get ROOT by
default.
- kill off some of the "DOMAIN\user" lookups. These can be readded at a more
appropriate place (probably domain_client_validate.c) in the future. They
don't belong in session setups.
- Massive introduction of DATA_BLOB structures, particularly for passwords.
- Use NTLMSSP flags to tell the backend what its getting, rather than magic
lenghths.
- Fix winbind back up again, but tpot is redoing this soon anyway.
- Abstract much of the work in srv_netlog_nt back into auth helper functions.
This is a LARGE change, and any assistance is testing it is appriciated.
Domain logons are still broken (as far as I can tell) but other functionality
seems
intact.
Needs testing with a wide variety of MS clients.
Andrew Bartlett
(This used to be commit f70fb819b2f57bd57232b51808345e2319d52f6c)
|
|
more.
(Previously it set them to 'XXXX' or similar when only the flags were being
changed - a bug I must have introduced when I reworked the passdb end of things
a few weeks back.)
Adds a new local flag: LOCAL_SET_PASSWORD to specify that the password is
actually to be changed.
Andrew Bartlett
(This used to be commit cea6b6cb228c7e1f0c2d45951590e0d8fb8b315c)
|
|
In particular this commit focuses on:
Actually adding the 'const' to the passdb interface, and the flow-on changes.
Also kill off the 'disp_info' stuff, as its no longer used.
While these changes have been mildly tested, and are pretty small, any
assistance in this is appreciated.
----
These changes introduces a large dose of 'const' to the Samba tree.
There are a number of good reasons to do this:
- I want to allow the SAM_ACCOUNT structure to move from wasteful
pstrings and fstrings to allocated strings. We can't do that if
people are modifying these outputs, as they may well make
assumptions about getting pstrings and fstrings
- I want --with-pam_smbpass to compile with a slightly sane
volume of warnings, currently its pretty bad, even in 2.2
where is compiles at all.
- Tridge assures me that he no longer opposes 'const religion'
based on the ability to #define const the problem away.
- Changed Get_Pwnam(x,y) into two variants (so that the const
parameter can work correctly): - Get_Pwnam(const x) and
Get_Pwnam_Modify(x).
- Reworked smbd/chgpasswd.c to work with these mods, passing
around a 'struct passwd' rather than the modified username
---
This finishes this line of commits off, your tree should now compile again :-)
Andrew Bartlett
(This used to be commit c95f5aeb9327347674589ae313b75bee3bf8e317)
|
|
In particular this commit focuses on:
The guts of the moving about inside passdb.
While these changes have been mildly tested, and are pretty small, any
assistance in this is appreciated.
----
These changes allow for the introduction of a large dose of 'const' to
the Samba tree.
There are a number of good reasons to do this:
- I want to allow the SAM_ACCOUNT structure to move from wasteful
pstrings and fstrings to allocated strings. We can't do that if
people are modifying these outputs, as they may well make
assumptions about getting pstrings and fstrings
- I want --with-pam_smbpass to compile with a slightly sane
volume of warnings, currently its pretty bad, even in 2.2
where is compiles at all.
- Tridge assures me that he no longer opposes 'const religion'
based on the ability to #define const the problem away.
- Changed Get_Pwnam(x,y) into two variants (so that the const
parameter can work correctly): - Get_Pwnam(const x) and
Get_Pwnam_Modify(x).
- Reworked smbd/chgpasswd.c to work with these mods, passing
around a 'struct passwd' rather than the modified username
passdb/
- Kill off disp_info stuff, it isn't used any more - Kill off
support for writing to the old smbpasswd format, it isn't relevent
to Samba 3.0
- Move around and modify the pdb_...() helper functions, adding
one that sets the last changed time to 'now' and that sets the
must change time appropriately.
- Remove the ugly forced update of the LCT- value in
pdb_smbpasswd. - Remove the implicit modification of the ACB
flags when both NT and LM passwords are set.
- Removed substation in pdb_getsampwnam output, as a single
password change will render them inoperable in any case (they
will be substituted and stored)
- Added a default RID to the init_sam_from_pw() function, based on
our rid algorithm.
- Added checks that an smbpasswd stored user has a uid-based RID.
- Fail to store tdb based users without a RID
lib/
- Change the substituion code to use global_myname if there is
no connection (and therefore no called name) at the present time.
(This used to be commit 8f607810eb24ed1157bbd2e896c2c167bc34d986)
|
|
In particular this commit focusses on:
Adding the new 'pass changed now' helper function.
While these changes have been mildly tested, and are pretty small, any
assistance in this is appreciated.
(This used to be commit a8971a5448cf6d203b379c3ed01e331d5263c9ee)
|
|
functions correctly deal with the SID_NAME_TYPE. One fix for connection user
lookup in LSA.
Jeremy.
(This used to be commit 29730027d8118ec7d207c89d0fd7fb24ac173fde)
|
|
knowing what you are doing!
(This used to be commit 5805cfef78a72ae6166206a2996423f89baf7580)
|
|
change these timestamp settings without good reason.
Remove CLEAR_IF_FIRST flag is tdb is read-only.
Jeremy.
(This used to be commit a71d9d98b013a6c30fd85524b7cdc929bdbd9bcb)
|
|
(This used to be commit ead3d41f1a8293bcd2062af918b58022f4d9b10e)
|
|
other access. Problem was max time was being set to 0xffffffff, instead of
0x7fffffff.
Jeremy.
(This used to be commit 94403d841710391ec26539e4b4157439d5778ff7)
|
|
(This used to be commit 2d0922b0eabfdc0aaf1d0797482fef47ed7fde8e)
|
|
- move the arbitrary 21 day timeout to local.h
(This used to be commit 11075f543470c3283accce0246d0b2983420695a)
|
|
Of particular note is the change to pdb_free_sam() to take its sam argument by
reference, allowing it to be NULLified by the SAFE_FREE() macro, and the
changed to local_password_change() both to make it work and to remove the
duplicate code that caused so much breakage over the last few days.
- Small change in behaviour: when LOCAL_ADD_USER is set, the user doesn't
actually exist locally but does exist in the passdb we don't attempt to do a
GetPwnam(). (How the entry got there is another matter, and most passdbs won't
allow this anyway).
Andrew Bartlett
(This used to be commit 6b45e342fd1ed82d7f5bd613048fe862a6a6f2a1)
|
|
error in here...
Now you can change local passwords again. There is stil somthing broken about
remote (via windows/sampasswd) password changing.
I shall have to revise my testing, I honestly don't know how this slipped
through the net.
MERGE for 2.2.2.
Sorry,
Andrew Bartlett
(This used to be commit 1f83184f881d0cabb698947660a12f729e625fae)
|
|
Jeremy.
(This used to be commit 65bf4a36ef5967b0844ab985d7b3ea31138dd4c5)
|
|
- call pdb_reset_sam() after each getent call.
Fix bug in get_group_alias_entries(), were if num_entries was zero this caused
talloc() to return NULL, failing a test below with NT_STATUS_NO_MEMORY.
Fix pdb_reset_sam() to correctly initalise the sam structure.
Move default value code into a single place, likewise for sam freeing code.
- should make things easier if we decide to malloc other strings, or get more
non-zero default values.
Finally, add a function in init a sam struct from a getpwnam() return.
Andrew Bartlett
(This used to be commit a41fb44f5e90cf8734d57217e836e14f4a80bd47)
|
|
(This used to be commit 247b9c3eba78f0ddd26d836e5e18f6630bf302c7)
|
|
interfaces to the existing set NT and LM functions, but ensures we always do it
in the same way.
This also allows for the possibility for the unix password sync code to be
hidden behind the passdb interface as some stage.
(This used to be commit 33e3591b2db377e720ec484872e2cbe7343350b1)
|
|
(This used to be commit e0e05cb5a51e0e46162febd0a45ea4f59b6f6573)
|
|
Jeremy.
(This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
|
|
(This used to be commit 64d35e94fe6f7e56353b286162f670c8595a90e6)
|
|
(This used to be commit 42417a425b524bc74360fdf6f1a16bfad38b9818)
|
|
lib/smbpasswd.c which will contain routines related to manipulating
smbpasswd entries.
- renamed and moved pdb_{get,set}hexpwd() functions
- renamed and moved pdb_{decode,encode}acct_ctrl() functions
- started hiding references to the cruftalicious
NEW_PW_FORMAT_SPACE_PADDED_LEN constant
- started gradual rename of references to acct_ctrl to acb_info which is
the nomenclature used in MSDN and header files
There's still more work to be done. Currently there are several places
where smbpasswd entries are iterated etc. Ideally this should all happen
through the passdb system.
(This used to be commit 4a01e240305fb6fead973beef4937a016b15d744)
|
|
configure to get the new NTSTATUS stuff right
(This used to be commit 9bae57cfe30825174536d11983bb3434498e3f03)
|
|
(This used to be commit c04c67fec85b1c81ef0b3cebacde304a1de0d854)
|
|
(This used to be commit 45254ae23b9bcbc94857b986c69b2b1770c79c54)
|
|
Jeremy.
(This used to be commit ed5a1f70c6d155788b62e9e6e8c5d97a5ca0858d)
|
|
can't redefine them. damn.
(This used to be commit c41fc06376d1a2b83690612304e85010b5e5f3cf)
|
|
J.F.
(This used to be commit c29dfdc46a2d642722da12739138c1a7d5ee9526)
|
|
Not ready yet.
J.F.
(This used to be commit 62a7a567fdea230b77cc97a3f74d868542c34700)
|
|
(This used to be commit 9aefc86e355bf160300580acb85a58a18207ccdf)
|
|
o sed 's/pdb_clear_sam/pdb_free_sam/g'
o add pdb_reset_sam()
o password changing should be ok now as well.
(This used to be commit 96d0e7c3301ad990f6c83b9c216720cb32661fb5)
|
|
I did some basic tests but I have probably broken something. Notably the
password changing. So don't cry ;-)
J.F.
(This used to be commit a4a4c02b12f030a3b9e6225b999c90689dfc4719)
|