summaryrefslogtreecommitdiff
path: root/source3/passdb/passdb.c
AgeCommit message (Collapse)AuthorFilesLines
2003-07-25More printf portability fixes. Got caught out by some gcc'isms lastTim Potter1-2/+2
time. )-: (This used to be commit 59dae1da66a5eb7e128263bd578f167d8746e9f0)
2003-07-24More printf fixes - size_t is long on some architectures.Tim Potter1-1/+1
(This used to be commit ba4d334b822248d8ab929c9568533431603d967e)
2003-07-22Fixup a bunch of printf-style functions and debugs to use unsigned long whenTim Potter1-3/+3
displaying pid_t, uid_t and gid_t values. This removes a whole lot of warnings on some of the 64-bit build farm machines as well as help us out when 64-bit uid/gid/pid values come along. (This used to be commit f93528ba007c8800a850678f35f499fb7360fb9a)
2003-07-16fixes for 'net rpc vampire'. I can now take a blank Samba hostGerald Carter1-6/+0
and migrate an NT4 domain and still logon from domain members (tested logon scripts, system policies, profiles, & home directories) (passdb backend = tdbsam) removed call to idmap_init_wellknown_sids() from winbindd.c since the local domain should be handled by the guest passdb backend (and you don't really always want the Administrator account to be root) ...and we didn't pay attention to this anyways now. (This used to be commit 837d7c54d3ca780160aa0d6a2f0a109bb691948e)
2003-07-15make sure to fallback to rid algoruthm for users not in smbpasswd (e.g. ↵Gerald Carter1-7/+17
force user = foo) (This used to be commit 399799c68cbc91cb3908b0d83ee4f51fa3bf3023)
2003-07-13use the specific funtion we have to check if a SID belong to our domainSimo Sorce1-12/+6
(This used to be commit a926959391676d69bd7cbaf4ce0be0d3cb715418)
2003-07-13Argl. Thinking twice and looking at the rest of callers of sid_compare_domainVolker Lendecke1-1/+6
proved the last patch wrong. Sorry. Volker (This used to be commit d8695eccc7acdee69ca0d0593b56a417f1f89167)
2003-07-13We have an API to compare the domain parts of two SIDs, so use it.Volker Lendecke1-6/+1
Volker (This used to be commit 39308ff138da88c1a4c0958cd4c7a9090261d3d5)
2003-07-11fix sid_to_[uid|gid] (spotted by Volker).Gerald Carter1-1/+1
Still testing this, but I'm checking it in so Volker can test it as well. Should be right. (This used to be commit 8edf193722f699cc33baed410917a78a5e28d0a4)
2003-07-11moving more code around.Gerald Carter1-145/+26
* move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-09Fix up become_root/unbecome_root pairs needed around local passdbJeremy Allison1-3/+17
lookups. Jeremy. (This used to be commit 6bd47884030c9c124c4bba1f0d57cb8dd916530d)
2003-07-08Moved SAM_ACCOUNT marshall/unmarshall functions to make them externallyJeremy Allison1-0/+435
available. Removed extra auth_init (thanks metze). Jeremy. (This used to be commit 88135fbc4998c266052647f8b8e437ac01cf50ae)
2003-07-07Cleaning up linking issues. sam/idmap*.c only links inGerald Carter1-0/+114
winbindd now. Also removing an unused file. (This used to be commit 688369c23c604e9b6654fcf07190d2e27c1138cf)
2003-07-07Fixed a couple of const issues with the new code.Jeremy Allison1-2/+2
Jeremy. (This used to be commit e9fb6e45086a6170b6f6d5d3295398708ab1af58)
2003-07-07and so it begins....Gerald Carter1-4/+198
* remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-07-05Fixes to our LDAP/vampire codepaths:Andrew Bartlett1-0/+4
- Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-04This patch cleans up some of our ldap code, for better behaviour:Andrew Bartlett1-1/+1
We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-01* revert change to get_global_sam_name()Gerald Carter1-2/+23
* add get_default_sam_name() to be used by make_user_info_map() * add comments describing get_*_sam_name() (This used to be commit 90470366ea4bdb8021a3453c4bbeb29f009668c1)
2003-06-30* cleanup more DC name resolution issues in check_*domain_security()Gerald Carter1-4/+7
* is_trusted_domain() is broken without winbind. Still working on this. * get_global_sam_name() should return the workgroup name unless we are a standalone server (verified by volker) * Get_Pwnam() should always fall back to the username (minus domain name) even if it is not our workgroup so that TRUSTEDOMAIN\user can logon if 'user' exists in the local list of accounts (on domain members w/o winbind) Tested using Samba PDC with trusts (running winbindd) and a Samba 3.0 domain member not running winbindd. notes: make_user_info_map() is slightly broken now due to the fact that is_trusted_domain() only works with winbindd. disabled checks temporarily until I can sort this out. (This used to be commit e1d6094d066d4c16ab73075caba40a1ae6c56b1e)
2003-06-22Found out a good number of NT_STATUS_IS_ERR used the wrong way.Simo Sorce1-1/+1
As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK This patch will cure the problem. Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is used correctly, but I'm not 100% sure, coders should check the use of NT_STATUS_IS_ERR() in samba is ok now. Simo. (This used to be commit c501e84d412563eb3f674f76038ec48c2b458687)
2003-06-18Ok, this patch removes the privilege stuff we had in, unused, for some time.Simo Sorce1-4/+4
The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-05-14spellingTim Potter1-2/+2
(This used to be commit 865c11275685c85124b506c9bbd2a8bde2e760b9)
2003-05-13Restore a number of fixes that idra removed when he merged hisAndrew Bartlett1-8/+2
idmap-and-the-rest from HEAD. These are correctness fixes that were already in 3.0, and a memory leak fix. The pdb_ldap changes are held back at jerry's request (he is also playing with pdb_ldap ATM). Andrew Bartlett (This used to be commit c7d5e336bd91514a02974044742b058be387e490)
2003-05-12And finally IDMAP in 3_0Simo Sorce1-238/+84
We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-05-07Fix irritating typo - non arg functions should be fn(void).Jeremy Allison1-1/+1
Jeremy. (This used to be commit 395dfd196cf4bcd432a4895d3dd09fefd46cd6d8)
2003-05-07Set our 'global sam name' in one place. For domain controllers, this isAndrew Bartlett1-6/+8
lp_workgroup(), for all other server this is global_myname(). This is the name of the domain for accounts on *this* system, and getting this wrong caused interesting bugs with 'take ownership' on member servers and standalone servers at Snap. (They lookup the username that they got, then convert that to a SID - but becouse the domain out of the smbpasswd entry was wrong, we would fail the lookup). Andrew Bartlett (This used to be commit 5fc78eba20411f3f5a8ccadfcba5c4ab73180dba)
2003-04-29Use a common function to create the SAM_ACCOUNT being used to add accountsAndrew Bartlett1-25/+36
to the system. This means that we always run Get_Pwnam(), and can never add FOO when foo exists on the system (the idea is to instead add foo into the passdb, using it's full name, RID etc). Andrew Bartlett (This used to be commit bb79b127e02cefae13c822fd0fd165f1f214b740)
2003-04-28The RID must be 'SET', not 'DEFAULT' or we won't set it into LDAP, and tryAndrew Bartlett1-2/+2
to make it up from the algorithm... Andrew Bartlett (This used to be commit 0d8e4066a3bfbe89b464a90fc9f16a7dd1539573)
2003-04-22Remove ldapsam_search_one_user_by_uid from pdb_ldap.Andrew Bartlett1-3/+2
sambaAccount requires the rid to be present, and doing this fallback is quite dangerous, becouse it assumes that alorithmic RIDs are in use - which is quite often not the case. Also finish of vl's work on 'use a function pointer, not embedded logic' to tell lower levels that they should/should not attempt to set the user's password into LDAP with the extended operation. Andrew Bartlett (This used to be commit 715d0bd804b6bff4c0b365f98ca196d41ed9c5c4)
2003-02-24Merge doxygen, signed/unsigned, const and other small fixes from HEAD to 3.0.Andrew Bartlett1-7/+4
Andrew Bartlett (This used to be commit 9ef0d40c3f8aef52ab321dc065264c42065bc876)
2003-01-04Merge from HEAD - we already have one function for converting a unistr2 to aAndrew Bartlett1-17/+0
static 'unix' string, so we don't need a second pdb specific version. Andrew Bartlett (This used to be commit 91ca4771c6b834747b06fff21822a14e929de2c1)
2003-01-04Merge from HEAD - don't base RID on a name being the lp_guest_account(), letAndrew Bartlett1-2/+0
the actual passdb modules decide that. Andrew Bartlett (This used to be commit f3432869b9c761a029fd804d244d0ea26b26173d)
2003-01-03Merge from HEAD - make Samba compile with -Wwrite-strings without additionalAndrew Bartlett1-2/+2
warnings. (Adds a lot of const). Andrew Bartlett (This used to be commit 3a7458f9472432ef12c43008414925fd1ce8ea0c)
2002-12-20Forward port the change to talloc_init() to make all talloc contextsJeremy Allison1-1/+1
named. Ensure we can query them. Jeremy. (This used to be commit 09a218a9f6fb0bd922940467bf8500eb4f1bcf84)
2002-11-12Removed global_myworkgroup, global_myname, global_myscope. Added liberalJeremy Allison1-8/+6
dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89)
2002-11-07Jeremy the janitor again... keeping 3.0 in sync with tridge's changes thisJeremy Allison1-0/+3
time. Jeremy. (This used to be commit 3803324d3d49f81ef0a82c4a9fedae70d32cb409)
2002-11-05Merge vl's 'algorithmic rid base' patch, and my changes to pdb_smbpasswd's NUAAndrew Bartlett1-4/+27
support from HEAD -> 3.0 Andrew Bartlett (This used to be commit 89d8ebd520e2a441e6d5b6b8adb6c483b0131adc)
2002-11-02Merge passdb from HEAD -> 3.0Andrew Bartlett1-35/+34
The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-09-26sync with HEADGerald Carter1-1/+1
(This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
2002-09-25sync'ing up for 3.0alpha20 releaseGerald Carter1-23/+47
(This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-08-17sync 3.0 branch with headJelmer Vernooij1-65/+93
(This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
2002-07-15updated the 3.0 branch from the head branch - ready for alpha18Andrew Tridgell1-311/+202
(This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-04-12merged the mangling test and passdb bugfixes into SAMBA_3_0Andrew Tridgell1-135/+130
(This used to be commit 97eb3a121d33200ee7559b2413d6252efc04ebaf)
2002-04-05Fixed up admin user / guest user lookup.Jeremy Allison1-5/+8
Jeremy. (This used to be commit 28ef07424f19652fdfa4ee79f1c69e0004fa39fe)
2002-03-21Don't leak memory on failure.Andrew Bartlett1-1/+3
(This used to be commit 438f028fc45ee6c5b12fa960beabea4b5fdcff38)
2002-03-21Make sure to initaliase SAM_ACCOUNT pointers to NULL, otherwise pdb_init_sam()Andrew Bartlett1-3/+3
fails. Andrew Bartlett (This used to be commit 56009ffbaa00259d15f286248a7ab73c55371819)
2002-03-19second step to gain free uid<->rid mappingSimo Sorce1-7/+42
we still need to free gid<->rid mapping and few other stuff (This used to be commit aa4b6f8181f34196a28951264dd8b631a5deef7f)
2002-03-18Start to switch away from the alghorithmic uid->rid mapping modelSimo Sorce1-7/+7
(This used to be commit 724390a8daabbecd236960562e0a50f62c6904f1)
2002-03-02This patch merges my private LDAP tree into HEAD.Andrew Bartlett1-10/+12
The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-01-30Back out herb's changes (to allow smbpasswd -x to work on accounts outsideAndrew Bartlett1-10/+9
/etc/passwd) and replace them with a version that works. Unfortunetly HEAD and 2.2 have different passdb interfaces and different local_password_change functions... Andrew Bartlett (This used to be commit 86d5326d0dc6a070dfeb24a5306a2b4404bfc0f1)