summaryrefslogtreecommitdiff
path: root/source3/passdb/passdb.c
AgeCommit message (Collapse)AuthorFilesLines
2003-05-18port fixes from 3.0Simo Sorce1-8/+2
(This used to be commit 0d098df8b5db02c73b859aea136d01c9ca42b17a)
2003-05-16Merge get_global_sam_name() from 3.0 to fix compile breakage.Tim Potter1-0/+8
(This used to be commit bc71d7a4ab70339cfd815a57448cbd8762d5ce38)
2003-05-14spellingTim Potter1-2/+2
(This used to be commit 249a6974702d050644d6d61f33f0034ce2a689ee)
2003-05-02shouldn't wellknown group be well.. ..WKN_GRP ?Simo Sorce1-2/+1
make a new sam_Account contain our domain by default, windows will complain on logon otherwise. fix stupid typo in idmap_util.c (This used to be commit 21701876dc6c59ebfc51be708a98226a00a764e0)
2003-05-01proper wellknown sids initialization at startupSimo Sorce1-3/+3
(This used to be commit 568feee8977ee1be210344c8ab1896512894cba2)
2003-05-01*id_to_*id call reshape to return NTSTATUS errorsSimo Sorce1-5/+3
plus internal fixes 1st stage (This used to be commit 6d036761e565bc93964bb3c939d5b7d78d5778a3)
2003-04-30correctly initiazlize idmap tdb when creationg newSimo Sorce1-53/+0
few fixes to *id_to_*id functions, we don't set the mapping for algoritmic RIDs, they are resolved in the classic way eliminate getpw* calls from tdbsam (This used to be commit 6a7689cf74cd4d5f29e0b12f4bf8ac3051d49157)
2003-04-29This is a nice rewrite:Simo Sorce1-7/+3
SAM_ACCOUNT does not have anymore uid and gid fields all the code that used them has been fixed to use the proper idmap calls fix to idmap_tdb for first time idmap.tdb initialization. auth_serversupplied_info structure has now an uid and gid field few other fixes to make the system behave correctly with idmap tested only with tdbsam, but smbpasswd and nisplus should be ok have not tested ldap ! (This used to be commit 6a6f6032467e55aa9b76390e035623976477ba42)
2003-04-29Some passdb backends really don't like having no primary group - so alwaysAndrew Bartlett1-34/+25
set one - new accounts -> domain users, unless otherwise specified. This moves that logic from pdb_set_sam_sids() into pdb_init_sam_new(), which is called by all the 'new account' creators. (pdb_set_sam_sids() now only deals with the mapping from an existing account) Andrew Bartlett (This used to be commit 2c7b3d9fd5bb327bdbd34ec27b36eb59cbc481af)
2003-04-29Merge 3.0's change to how we add users onto HEAD, including a few other bitsAndrew Bartlett1-25/+36
of sync-up for the rpc_server/srv_samr_nt.c Andrew Bartlett (This used to be commit 3c867aedd9abc29389f5d049dbc94ada6738d1b0)
2003-04-29ok next_rid out as well local_*id_to*id functionsSimo Sorce1-296/+52
reverted user making function, did not pass the abartlet test :-) idmap is now fully integrated, we only miss user creation and removal of uid and gid from SAM_ACCOUNT (This used to be commit 67af8c26586c4829166795813a373bf9be27b753)
2003-04-28new helper functions to create usersSimo Sorce1-1/+154
(This used to be commit 74826e7ebb62ab09df68bb00fbd6097852ec5b6d)
2003-04-16Adjust comment to respect change to no longer use unixsam by default...Andrew Bartlett1-3/+2
(This used to be commit 87f491d6a63e0818ada4ed21dd1f4905b20f846c)
2003-02-22Fix comment - the other bits of code don't call this any more.Andrew Bartlett1-4/+1
(This used to be commit 523d1429b1072c999d376d2b4e13a1c08349990a)
2003-02-22Remove 'unixsam' from the default passdb backends.Andrew Bartlett1-3/+3
The intention is to remove the muliple passdb backends, but we need the 'guest' account to always be there. If the admin adds the guest account to (say) LDAP, there will only be one backend required for operation. This helps remove some nasty behaviours with adding accounts to the system for both the RPC 'create user' and the SAMSYNC code. Users 'added' with an 'add user/machine' script won't magicly appear, and machine accounts 'pre-added' to unix, but not the smbpasswd file will not cause mayhem. This commit also implements somthing tridge discussed with me, the concept of 'default' passdb operation pointers - so that each backend does not need it's own stub funcitons wrapping the default tdb privilages/group mapping code. This also removes an implicit 'sid->name' and 'name->sid' mapping from our own local SID space, to winbind usernames. When adding mapping for NIS/LDAP non-sam users in future, we need to be careful. Andrew Bartlett (This used to be commit 6f32fa234961a525760a05418a08ec48d22d7617)
2003-01-02We already have one function to move unistr2 -> multibyte-static, so weAndrew Bartlett1-19/+0
don't need a second just for pdb. Also, remove magic 'is lp_guest_account' test - the magic RID should be up to the passdb backend to set. Andrew Bartlett (This used to be commit f71c8338d35a2e8c73c3d8006ea6858cb522c715)
2003-01-02BIG patch...Andrew Bartlett1-2/+2
This patch makes Samba compile cleanly with -Wwrite-strings. - That is, all string literals are marked as 'const'. These strings are always read only, this just marks them as such for passing to other functions. What is most supprising is that I didn't need to change more than a few lines of code (all in 'net', which got a small cleanup of net.h and extern variables). The rest is just adding a lot of 'const'. As far as I can tell, I have not added any new warnings - apart from making all of tdbutil.c's function const (so they warn for adding that const string to struct). Andrew Bartlett (This used to be commit 92a777d0eaa4fb3a1c7835816f93c6bdd456816d)
2002-12-20Forward port the change to talloc_init() to make all talloc contextsJeremy Allison1-1/+1
named. Ensure we can query them. Jeremy. (This used to be commit 842e08e52a665ae678eea239759bb2de1a0d7b33)
2002-11-12Removed global_myworkgroup, global_myname, global_myscope. Added liberalJeremy Allison1-8/+6
dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit 82b8f749a36b42e22186297482aad2abb04fab8a)
2002-11-07when doing a 'net rpc vampire' a pdb_init_sam_pw() is used to create aAndrew Tridgell1-0/+3
sam account object, then pdb_update_sam_account() can be used to update an account. This code path could lead to the methods element of the account being used when uninitialised (leading to a segv) Easiest fix is to always make that that when creating a sam_account object we initialise the methods to null, so that the passdb code knows that it needs to be filled in. (This used to be commit fb79fa5a31c2fa8ebdcddbc49b1d9c1aa3059691)
2002-11-03Extra little fix to vl's patch. Make sure the passdb and testparm messagesAndrew Bartlett1-3/+5
say exactly the same thing - in particular that we can algorithmic rid base == 1000, and use the BASE_RID macro to avoid the use of magic numbers. Andrew Bartlett (This used to be commit b70f2a8047ac549841bc103932b38951e9814186)
2002-11-03Force algorithmic rid base to sane values and talk about it.Volker Lendecke1-4/+25
Volker (This used to be commit ce5b2d991b42bbf6865ff75194f8ee4b46694841)
2002-10-21This moves the group mapping API into the passdb backend.Volker Lendecke1-7/+7
Currently this calls back to mapping.c, but we have the framework to get the information into LDAP and the passdb.tdb (should we? I think so..). This has received moderate testing with net rpc vampire and usrmgr. I found the add_groupmem segfault in add_aliasmem as well, but that will be another checkin. Volker (This used to be commit f30095852fea19421ac8e25dfe9c5cd4b2206f84)
2002-10-17Revert changesVolker Lendecke1-1/+1
(This used to be commit 975fd17f8af0f03f43995deb3fdd9bd5995a1c92)
2002-10-16Create group mappings on the fly.Volker Lendecke1-1/+1
Volker (This used to be commit e2fc1de34aaf875a7003f9d15d5f8ecf159130fb)
2002-10-12Nice *big* patch from metze.Andrew Bartlett1-28/+27
The actual design change is relitivly small however: It all goes back to jerry's 'BOOL store', added to many of the elements in a SAM_ACCOUNT. This ensured that smb.conf defaults did not get 'fixed' into ldap. This was a great win for admins, and this patch follows in the same way. This patch extends the concept - we don't store values back into LDAP unless they have been changed. So if we read a value, but don't update it, or we read a value, find it's not there and use a default, we will not update ldap with that value. This reduced clutter in our LDAP DB, and makes it easier to change defaults later on. Metze's particular problem was that when we 'write back' an unchanged value, we would clear any muliple values in that feild. Now he can still have his mulitivalued 'uid' feild, without Samba changing it for *every* other operation. This also applies to many other attributes, and helps to eliminate a nasty race condition. (Time between get and set) This patch is big, and needs more testing, but metze has tested usrmgr, and I've fixed some pdbedit bugs, and tested domain joins, so it isn't compleatly flawed ;-). The same system will be introduced into the SAM code shortly, but this fixes bugs that people were coming across in production uses of Samba 3.0/HEAD, hence it's inclusion here. Andrew Bartlett (This used to be commit 7f237bde212eb188df84a5d8adb598a93fba8155)
2002-09-26Patch from "Stefan (metze) Metzmacher" <metze@metzemix.de> to do a *much*Andrew Bartlett1-1/+1
better job of working with usrmgr. Previously we were blanking out entires, and all sort of mischif. The new patch (which I've now had a chance to test/modify) also takes care not to expand % values (ie we go \\%L\%U -> \\server\user, we don't want to store \\server\user back) and to correctly notice 'not set' compared to 'null string' etc. Andrew Bartlett (This used to be commit ab878b6cc4132594fc33f78aeebf0d8b7266c150)
2002-09-25Whenever we deal with adding machine/trusted domain accounts, always reset theAndrew Bartlett1-20/+23
flag to what we expect. This handles the 'upgrade' from unixsam beter (where all $ terminated accounts are machines). Andrew Bartlett (This used to be commit a198940ea6f7b7f3cba38c5a9f695e0731204583)
2002-09-25This patch from "Stefan (metze) Metzmacher" <metze@metzemix.de> cleans upAndrew Bartlett1-1/+10
pdb_ldap and adds a 'ldap passwd sync' option. The idea with this option is to do allow an ldap backend to do all the fancy password hashing etc - and to tell smbd no to try and double-up. Using 'ldap passwd sync = only' will do this, but is not recommended unless such a backend is in place... Running 'ldap passwd sync = yes' just gets you the same as doing 'pam passwd sync = yes' and having both PAM and pam_ldap correctly configured for 'magic root' behaviour, but only using ldap connection, and one set of credentials. This also gets us closer to allowing ldap to say 'password too short' etc, which might assist in maintaining a consistant password policy. Andrew Bartlett (This used to be commit f13e243f1a13d34ae057b40b01f561e8b95d4570)
2002-09-04Set default ACB attributes on 'unixsam' accounts. This means that machineAndrew Bartlett1-0/+9
accounts added first to /etc/passwd will be honered correctly. Also, users 'upgraded' to smbpasswd will have the right flags. Andrew Bartlett (This used to be commit 474cc910c73e5567313bac438c7324a80e2e90d8)
2002-08-21Use the 'init' flag to determine if the UID is set, rather than testing theAndrew Bartlett1-2/+5
uid for -1. Andrew Bartlett (This used to be commit 2fc12864ae78ea08d8cb4e3b1c7e341ca4a854e6)
2002-08-17Rework the 'guest account get's RID 501' code again...Andrew Bartlett1-39/+37
This moves it right into the passdb subsystem, where we can do this in just one (or 2) places. Due to the fact that this code can be in a tight loop, I've had to make 'guest account' a 'const' paramater, where % macros cannot be used. In any case, if the 'guest account' varies, we are in for some nasty cases in the other code, so it's useful anyway. Andrew Bartlett (This used to be commit 8718e5e7b2651edad15f52a4262dc745df7ad70f)
2002-08-16Make the 'guest account' always have a RID of DOMAIN_USER_RID_GUEST.Andrew Bartlett1-6/+20
Andrew Bartlett (This used to be commit 4725d7d04936335cbd85bd6ac5096c50fed93671)
2002-08-07Add const to a pile of const to *DOM_SID paramaters.Andrew Bartlett1-2/+2
Andrew Bartlett (This used to be commit fd0ebf976eb6e5fc25bc75ff471c69c3f3761e32)
2002-07-31Don't accidenity mess with the wrong domain's sids.Andrew Bartlett1-2/+2
(This used to be commit 0e2207c9c1ce573098f764e85a65c17cc1f1d284)
2002-07-30Update a pile of Samba's SID lookup code to ensure:Andrew Bartlett1-40/+53
- That we never call winbind recursivly - That we never use an 'algorithmic' RID when we have a fixed uid or gid mapping in either the passdb or the group mapping db. Also, remove restrictions that say 'this domain only'. If we have a mapping configured, allow it to be returned. If we later decide certian mappings are invalid, then we sould put that in the code that actually does the map. Allow 'sid->name' transtations on the fixed 'well known' groups for NT, even if they are not represented by Unix groups yet. Andrew Bartlett (This used to be commit d5bafb224337e393420c2ce9c0a787405314713c)
2002-07-26Clarify this comment.Andrew Bartlett1-0/+3
(This used to be commit d2b4e669aeada9c3498c3a9e49360270def5ad99)
2002-07-14addedd new (t)alloc_sub_* functionsSimo Sorce1-4/+4
they will get a const string and return a (t)alloced epanded one. also modified passdb/* stuff to use this one. (This used to be commit d378ac1e2efb0efc9a0f983d69cf678ca6255fd5)
2002-07-03Break up the passdb objects (to allow RPC clients to link without brining inAndrew Bartlett1-116/+0
*.o) and implment new enum_dom_users code in the SAMR RPC subsystem. Incresingly, we are using the pdb_get_{user,group}_sid() functions, in the eventual hope that we might one day support muliple domains off a single passdb. To extract the RID, we use sid_peek_check_rid(), and supply an 'expected' domain SID. The id21 -> SAM_ACCOUNT and id23 -> SAM_ACCOUNT code has been moved to srv_samr_util.c, to ease linking in passdb users. Compatiblity code that uses 'get_global_sam_sid()' for the 'expected' sid is in pdb_compat.c Andrew Bartlett (This used to be commit 5a2a6f1ba316489d118a8bdd9551b155226de94f)
2002-06-14Debug fixes from ctrlsoftAndrew Bartlett1-2/+2
(This used to be commit 27e34d4e63adc6d6ad63857d2a17595b7cff52db)
2002-06-14Patch from ctrlsoft to make the pluggable passdb subsystem use an lp_listAndrew Bartlett1-1/+1
rather than a string when configuring mulitple backends. Also adjust some of the users of get_global_sam_sid() to cope with the fact that it just might not exist (uninitialised, can't access secrets.tdb). More places need conversion. Add some const and remove silly casts. Andrew Bartlett (This used to be commit c264bf2ec93037d2a9927c00295fa60c88b7219d)
2002-06-14Add const, kill of useless casts and therefore eliminate warnings.Andrew Bartlett1-2/+2
Andrew Bartlett (This used to be commit 29490f214750acd44cee6c4ab1354722d82d853a)
2002-06-13Latest patch from metze <metze@metzemix.de> to move most of samba acrossAndrew Bartlett1-49/+29
to using SIDs instead of RIDs. The new funciton sid_peek_check_rid() takes an 'expected domain sid' argument. The idea here is to prevent mistakes where the SID is implict, but isn't the same one that we have in the struct. Andrew Bartlett (This used to be commit 04f9a8ff4c7982f6597c0f6748f85d66d4784901)
2002-06-07Globally replace 'global_sam_sid' with get_global_sam_sid(), a selfAndrew Bartlett1-11/+5
initialising function. This patch thanks to the work of "Stefan (metze) Metzmacher" <metze@metzemix.de> This is partly to enable the transition to SIDs in the the passdb. Andrew Bartlett (This used to be commit 96afea638e15d4cbadc57023a511094a770c6adc)
2002-05-26change: pdb_getsampwrid() ->pdb_getsampwsid()Simo Sorce1-2/+2
passdb interface change, now the passdb modules will be asked for SID not for rid, the modules have been updated with a passthrough function that calls the old getsampwrid() functions. srv_samr_nt.c functions that made use of the pdb_getsampwrid funcion has been updated to use the SID one. (This used to be commit f5c6496c33fa7f5c2826540ffb4a49d8a5790fb3)
2002-05-18so here it is the code to introduce seriously debugggging classes.Simo Sorce1-0/+3
this is a first step only passdb stuff has beein "classized". - so what can you do? set debug level to: 1 poasdb:10 that will make all the code run at debug level 1 except the code in passdb/* files that will run at level 10 TODO: fix the man page - also smbcontrol has this nice feature so smbcontrol smbd debug 3 passdb:5 will set every smbd to have a default log level of 3 while passdb stuff will be at level 5 and so no.. minor cosmetic fix to pdbedit is there too (This used to be commit be5c3b3f5781ddc002ffcc98df04ab024dcef4ca)
2002-05-18A few things in this commit:Andrew Bartlett1-141/+169
cleanup some of the code in net_rpc_join re const warnings and fstrings. Passdb: Make the %u and %U substituions in passdb work. This is done by declaring these paramters to be 'const' and doing the substitution manually. I'm told this is us going full circle, but I can't really see a better way. Finally these things actually seem to work properly... Make the lanman code use the pdb's recorded values for homedir etc rather than the values from lp_*() Add code to set the plaintext password in the passdb, where it can decide how to store/set it. For use with a future 'ldap password change' option, or somthing like that... Add pdb_unix, so as to remove the 'not in passdb' special cases from the local_lookup_*() code. Quite small, as it uses the new 'struct passwd -> SAM_ACCOUNT' code that is now in just one place. (also used by pdb_smbpasswd) Other: Fix up the adding of [homes] at session setup time to actually pass the right string, that is the unix homedir, not the UNC path. Fix up [homes] so that for winbind users is picks the correct name. (bad interactions with the default domain code previously) Change the rpc_server/srv_lsa_nt.c code to match NT when for the SATUS_NONE_MAPPED reply: This was only being triggered on no queries, now it is on the 'no mappings' (ie all mappings failed). Checked against Win2k. Policy Question: Should SID -> unix_user.234/unix_group.364 be considered a mapping or not? Currently it isn't. Andrew Bartlett (This used to be commit c28668068b5a3b3cf3c4317e5fb32ec9957f3e34)
2002-04-13Better handling of uid/gid -> RID and RID -> uid/gid code.Andrew Bartlett1-21/+23
All uids and gids must create valid RIDs, becouse other code expects this, and can't handle the failure case. (ACL code in particular) Allow admins to adjust the base of the RID algorithm, so avoid clashes with users brought in from NT (for example). Put all the algorithm code back in one place, so that this change is global. Better coping with NULL sid pointers - but it still breaks a lot of stuff. BONUS: manpage entry for new paramater :-) counter based rids for normal users in tdbsam is disabled for the timebeing, idra and I will work out some things here soon I hope. Andrew Bartlett (This used to be commit 5275c94cdf0c64f347d4282f47088d084b1a7ea5)
2002-04-11Much better support for both non-algorithic RIDs (where the RID is stored inAndrew Bartlett1-135/+130
the passdb) and RIDs not in the passdb, due to being NIS users etc. The main fix here is to add become_root()/unbecome_root() at critical places. This (finally) fixes the bug where you could not see local users's names in a file's security properties as non-root. Tested. The similar bug in uid_to_sid is also fixed, but is not (yet) Tested. Andrew Bartlett (This used to be commit 79327a305e20d78ab5ca21d01c39b5f49dc0d632)
2002-04-05Fixed up admin user / guest user lookup.Jeremy Allison1-5/+8
Jeremy. (This used to be commit 28ef07424f19652fdfa4ee79f1c69e0004fa39fe)