summaryrefslogtreecommitdiff
path: root/source3/passdb/passdb.c
AgeCommit message (Collapse)AuthorFilesLines
2004-02-20handle both 0 and -1 as disabling reset count and lockout durationJim McDonough1-4/+4
(This used to be commit 84fe24e64ee405bb25878c1e5fdf50592eb75f73)
2004-02-19Clean up bad pw count and autolock flag update fn()sJim McDonough1-79/+95
(This used to be commit 9a79f9fbcb43085e419dbccd670a54256d01cb4b)
2004-02-19Add bad pw count and autolock flag update fn()sJim McDonough1-2/+127
(This used to be commit 600fcd534b6e101b6a12774946b0e9814c6f54a8)
2004-02-19Add functions to get/set bad password timeJim McDonough1-1/+2
(This used to be commit 557f598c63f64c1c5b982a9057c0eea2a2ff2ee5)
2004-02-13Move tdbsam versioning/upgrade code into 3.0Jim McDonough1-15/+445
(This used to be commit 730c07cac2166812f4a2da5cfba7152d168b2bdd)
2004-02-12More sync between passdb on 3.0 and HEAD.Jim McDonough1-6/+6
Replace unknown_3 with fields_present. Also causes rpc_samr structure field changes. (This used to be commit 1976843345efb6ca4f9cebd964a61acd8ae11d41)
2004-02-12Start of merging HEAD changes. Right now, just move one fn() to eliminateJim McDonough1-67/+63
the prototype at the beginning, and change some comments so diffs to HEAD aren't filled with useless info. (This used to be commit 7b40f6c464ecbd40ab3fdf32b53da1e61475d2e7)
2004-02-09And another build fix.Volker Lendecke1-2/+2
Volker (This used to be commit 6c78a096a5c4a8ae21e846505f6ac2df826d5cbd)
2004-02-09Fix the build & get rid of a compiler warning.Volker Lendecke1-0/+3
Volker (This used to be commit 38c9b775ce029e1d480d89d4adb0d1bd45a28fe6)
2004-02-08Add static, and assert that we will never overflow the static fstringAndrew Bartlett1-1/+4
in pdb_encode_acct_ctrl() (All current callers are fine) Andrew Bartlett (This used to be commit 01be89eb438567cfe0a002a247fe2d314b01f9da)
2004-01-07Typo fix.Rafal Szczesniak1-1/+1
rafal (This used to be commit 5d7f81eea2f3d9ba59eb549a45de030b0a277263)
2004-01-02JHT came up with a nasty (broken) torture case in preparing examples forAndrew Bartlett1-1/+1
his book. This prompted me to look at the code that reads the unix group list. This code did a lot of name -> uid -> name -> sid translations, which caused problems. Instead, we now do just name->sid I also cleaned up some interfaces, and client tools. Andrew Bartlett (This used to be commit f9e59f8bc06fae7e5c8cb0980947f78942dc25c0)
2003-12-11Fix uninitialized variable in passdb code. Reported by Andy Polyakov ↵Alexander Bokovoy1-1/+1
<appro@fy.chalmers.se> (This used to be commit ac7a60abf2c465b518a3eb7502fa8eee767c8b22)
2003-12-10more group lookup access fixes on the neverending bug 281Gerald Carter1-6/+16
(This used to be commit 9359a6ea80d1228e87ea825a100a2d289c37162d)
2003-11-24more access fixes for group enumeration in LDAP; bug 281Gerald Carter1-3/+14
(This used to be commit 68283407e0f366d8315f4be6caed67eb6fe84b85)
2003-11-17* make sure we only enumerate group mapping entriesGerald Carter1-14/+0
(not /etc/group) even when doing local aliases * remove "hide local users" parameter; we have this behavior built into 3.0 (This used to be commit a7685a069766ac720f0b26fe01b0e17fc388fca3)
2003-10-10Match Samba 2.2, and make ACB_NORMAL the default ACB value.Andrew Bartlett1-0/+7
(Samba 2.2 did this in the LDAP code, but it fits better as a generic thing) Andrew Bartlett (This used to be commit dfd6bef580525cf719988c3a6eaaf47c46542de5)
2003-10-03Typo in error message.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 8996c51770845d60b41c2c967b030ff30eef1001)
2003-09-18The "unknown_5" 32 bit field in the user structs is actually 2 16-bitJeremy Allison1-7/+13
fields, bad_password_count and logon_count. Ensure this is stored/fetched in the various SAMs. As it replaces the unknown_5 field this fits exactly into the tdb SAM without any binary problems. It also is added to the LDAP SAM as two extra attributes. It breaks compatibility with the experimental SAMs xml and mysql. The maintainers of these SAMs must fix them so upgrades like this can be done transparently. I will insist on the "experimental" status until this is solved. Jeremy. (This used to be commit cd7bd8c2daff3293d48f3376a7c5a708a140fd94)
2003-09-18Oops. Proper fix for #470.Jeremy Allison1-18/+20
Jeremy. (This used to be commit 82f98b066d345fdac40a584078a19453bda53d5b)
2003-09-18Fix for #470 - unable to display SIDs in ACLs.Jeremy Allison1-2/+11
Jeremy. (This used to be commit 56df89eff38e4c89defa5fd56bbb6c9d2012f82d)
2003-09-11remove getpwnam() calls from init_sam_from_xxx().Gerald Carter1-29/+8
This means that %u & %g will no longer expand, but %U and %G still do. The payback is that winbindd local accounts for users work with 'wbinfo -u' when winbind is running on a PDC. (This used to be commit eb02fcf3c212eee1dc267959f23da5a26c1eac4f)
2003-08-21fix for BUG 245; make sure we set the sid type when falling back to the rid ↵Gerald Carter1-1/+7
algorithm stuff (This used to be commit f6363aa31aa3479a9566328752ecb4aeadde10b7)
2003-08-15get rid of some sompiler warnings on IRIXHerb Lewis1-2/+2
(This used to be commit a6a39c61e8228c8b3b7552ab3c61ec3a6a639143)
2003-08-132 fixesGerald Carter1-0/+48
* bug #280 (my fault) - initialize sambaNextUserRid and sambaNextGroupRid * Unix users shared vis LDAP or NIS between a samba domain member of a Samba domain are not seen as domain users on the member servers. not as local users. (This used to be commit a030fa373aefde8628def54ca8152f237a0467dc)
2003-08-11fix bug #281 by surrounding pdb_getgrgid() with become/unbecome_root()Gerald Carter1-1/+8
(This used to be commit f6a01f51159ccd822c6e764b7243fff375f22747)
2003-08-06fix bug #208; have to get the gid of the user's primary group for %GGerald Carter1-0/+7
(This used to be commit 575483a1efe18a90055490117ba6894512ae568a)
2003-08-06oops; fix typo. Noticed by gcc warningGerald Carter1-2/+2
(This used to be commit 4c36ef65e5101899f730adaeacf754f5f3647d89)
2003-08-05fix bug #245; local_lookupsid() needed to make a getpwuid() call to get the ↵Gerald Carter1-9/+20
username instead of making up unix_user.## (This used to be commit b947fc3eed464d7a64914f3965964d29be031614)
2003-07-25More printf portability fixes. Got caught out by some gcc'isms lastTim Potter1-2/+2
time. )-: (This used to be commit 59dae1da66a5eb7e128263bd578f167d8746e9f0)
2003-07-24More printf fixes - size_t is long on some architectures.Tim Potter1-1/+1
(This used to be commit ba4d334b822248d8ab929c9568533431603d967e)
2003-07-22Fixup a bunch of printf-style functions and debugs to use unsigned long whenTim Potter1-3/+3
displaying pid_t, uid_t and gid_t values. This removes a whole lot of warnings on some of the 64-bit build farm machines as well as help us out when 64-bit uid/gid/pid values come along. (This used to be commit f93528ba007c8800a850678f35f499fb7360fb9a)
2003-07-16fixes for 'net rpc vampire'. I can now take a blank Samba hostGerald Carter1-6/+0
and migrate an NT4 domain and still logon from domain members (tested logon scripts, system policies, profiles, & home directories) (passdb backend = tdbsam) removed call to idmap_init_wellknown_sids() from winbindd.c since the local domain should be handled by the guest passdb backend (and you don't really always want the Administrator account to be root) ...and we didn't pay attention to this anyways now. (This used to be commit 837d7c54d3ca780160aa0d6a2f0a109bb691948e)
2003-07-15make sure to fallback to rid algoruthm for users not in smbpasswd (e.g. ↵Gerald Carter1-7/+17
force user = foo) (This used to be commit 399799c68cbc91cb3908b0d83ee4f51fa3bf3023)
2003-07-13use the specific funtion we have to check if a SID belong to our domainSimo Sorce1-12/+6
(This used to be commit a926959391676d69bd7cbaf4ce0be0d3cb715418)
2003-07-13Argl. Thinking twice and looking at the rest of callers of sid_compare_domainVolker Lendecke1-1/+6
proved the last patch wrong. Sorry. Volker (This used to be commit d8695eccc7acdee69ca0d0593b56a417f1f89167)
2003-07-13We have an API to compare the domain parts of two SIDs, so use it.Volker Lendecke1-6/+1
Volker (This used to be commit 39308ff138da88c1a4c0958cd4c7a9090261d3d5)
2003-07-11fix sid_to_[uid|gid] (spotted by Volker).Gerald Carter1-1/+1
Still testing this, but I'm checking it in so Volker can test it as well. Should be right. (This used to be commit 8edf193722f699cc33baed410917a78a5e28d0a4)
2003-07-11moving more code around.Gerald Carter1-145/+26
* move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-09Fix up become_root/unbecome_root pairs needed around local passdbJeremy Allison1-3/+17
lookups. Jeremy. (This used to be commit 6bd47884030c9c124c4bba1f0d57cb8dd916530d)
2003-07-08Moved SAM_ACCOUNT marshall/unmarshall functions to make them externallyJeremy Allison1-0/+435
available. Removed extra auth_init (thanks metze). Jeremy. (This used to be commit 88135fbc4998c266052647f8b8e437ac01cf50ae)
2003-07-07Cleaning up linking issues. sam/idmap*.c only links inGerald Carter1-0/+114
winbindd now. Also removing an unused file. (This used to be commit 688369c23c604e9b6654fcf07190d2e27c1138cf)
2003-07-07Fixed a couple of const issues with the new code.Jeremy Allison1-2/+2
Jeremy. (This used to be commit e9fb6e45086a6170b6f6d5d3295398708ab1af58)
2003-07-07and so it begins....Gerald Carter1-4/+198
* remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-07-05Fixes to our LDAP/vampire codepaths:Andrew Bartlett1-0/+4
- Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-04This patch cleans up some of our ldap code, for better behaviour:Andrew Bartlett1-1/+1
We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-01* revert change to get_global_sam_name()Gerald Carter1-2/+23
* add get_default_sam_name() to be used by make_user_info_map() * add comments describing get_*_sam_name() (This used to be commit 90470366ea4bdb8021a3453c4bbeb29f009668c1)
2003-06-30* cleanup more DC name resolution issues in check_*domain_security()Gerald Carter1-4/+7
* is_trusted_domain() is broken without winbind. Still working on this. * get_global_sam_name() should return the workgroup name unless we are a standalone server (verified by volker) * Get_Pwnam() should always fall back to the username (minus domain name) even if it is not our workgroup so that TRUSTEDOMAIN\user can logon if 'user' exists in the local list of accounts (on domain members w/o winbind) Tested using Samba PDC with trusts (running winbindd) and a Samba 3.0 domain member not running winbindd. notes: make_user_info_map() is slightly broken now due to the fact that is_trusted_domain() only works with winbindd. disabled checks temporarily until I can sort this out. (This used to be commit e1d6094d066d4c16ab73075caba40a1ae6c56b1e)
2003-06-22Found out a good number of NT_STATUS_IS_ERR used the wrong way.Simo Sorce1-1/+1
As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK This patch will cure the problem. Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is used correctly, but I'm not 100% sure, coders should check the use of NT_STATUS_IS_ERR() in samba is ok now. Simo. (This used to be commit c501e84d412563eb3f674f76038ec48c2b458687)
2003-06-18Ok, this patch removes the privilege stuff we had in, unused, for some time.Simo Sorce1-4/+4
The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)