Age | Commit message (Collapse) | Author | Files | Lines |
|
This matches the structure that new code is being written to,
and removes one more of the old-style named structures, and
the need to know that is is just an alias for struct dom_sid.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Well known rids don't really belong into an rpc header, just use the ones
defined in security.idl.
Guenther
|
|
If the call fails we would use the "domain users" sid anyway.
metze
|
|
local sam
Otherwise retry with pdb_gid_to_sid().
metze
|
|
Use the cached version gid_to_sid() instead
of pdb_gid_to_sid().
And also avoid the expensive lookup_sid() call
for wellkown domain groups.
metze
|
|
|
|
metze
|
|
|
|
This is in order to be able to do challenge response with the history,
so that this can be checked when an invalid password was entered:
If the given password is wrong but in the history, then the bad password
count should not be updated...
The "lucky" bit here is that the md5 has and the nt hash (md4) both are
16 bytes long.
This is part of the fix for bug #4347 .
Michael
|
|
|
|
|
|
|
|
if (current_history_len != pwHistLen) {
if (current_history_len < pwHistLen) {
}
}
The second "if" is a bit pointless here
|
|
|
|
|
|
|
|
Remove an indentation by the early return in
+ if (pwHistLen == 0) {
+ /* Set the history length to zero. */
+ pdb_set_pw_history(sampass, NULL, 0, PDB_CHANGED);
+ return true;
+ }
|
|
No functional change, this just removes an indentation level by the early
"return True;" in
+ if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) == 0) {
+ /*
+ * No password history for non-user accounts
+ */
+ return true;
+ }
Volker
|
|
This is not strictly necessary, since this only leaks into the
struct samu, and this is not so long-lived in the code path that
changes the password, but it definitely correct and does not harm.
Michael
|
|
Guenther
|
|
This commit is mostly to cope with the removal of SamOemHash (replaced
by arcfour_crypt()) and other collisions (such as changed function
arguments compared to Samba3).
We still provide creds_hash3 until Samba3 uses the credentials code in
netlogon server
Andrew Bartlett
|
|
|
|
This makes pdb_get_unix_homedir unused. I wonder if that was ever really used...
(This used to be commit 36bfd32f1ff878e827db91e9bf233719ecca5b01)
|
|
Guenther
(This used to be commit 92fca97951bf7adf8caaeabdaff21682b18dd91f)
|
|
(This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09)
|
|
Jeremy.
(This used to be commit 15074de938539e7a9c527d9a6d81792adc2ac3d0)
|
|
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
(This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
|
|
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
|
|
Jeremy.
(This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
|
|
replace all data_blob(NULL, 0) calls.
(This used to be commit 3d3d61687ef00181f4f04e001d42181d93ac931e)
|
|
password at next logon" code. The "password last set time" of zero now
means "user must change password", because that's how windows seems to
use it. The "can change" and "must change" times are now calculated
based on the "last set" time and policies.
We use the "can change" field now to indicate that a user cannot change
a password by putting MAX_TIME_T in it (so long as "last set" time isn't
zero). Based on this, we set the password-can-change bit in the
faked secdesc.
(This used to be commit 21abbeaee9b7f7cff1d34d048463c30cda44a2e3)
|
|
calculated based on the last change time, policies, and acb flags.
Next step will be to not bother storing them. Right now I'm just trying to
get them reported correctly.
(This used to be commit fd5761c9e52cbf8f1f7e45e71693598b27ecbf57)
|
|
to ensure it finds the Unix user.
(This used to be commit 4cea9bfca1b84db31fae6f7a05ff3247a23fd409)
|
|
* autogenerate lsa ndr code
* rename 'enum SID_NAME_USE' to 'enum lsa_SidType'
* merge a log more security descriptor functions from
gen_ndr/ndr_security.c in SAMBA_4_0
The most embarassing thing is the "#define strlen_m strlen"
We need a real implementation in SAMBA_3_0 which I'll work on
after this code is in.
(This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
|
|
to do the upper layer directories but this is what
everyone is waiting for....
Jeremy.
(This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
|
|
related fix.
Jeremy.
(This used to be commit 2e5a88147826113f78ee0d8845c704692942cebf)
|
|
Make 2 important changes. pdb_get_methods()
returning NULL is a *fatal* error. Don't try
and cope with it just call smb_panic. This
removes a *lot* of pointless "if (!pdb)" handling
code. Secondly, ensure that if samu_init()
fails we *always* back out of a function. That
way we are never in a situation where the pdb_XXX()
functions need to start with a "if (sampass)"
test - this was just bad design, not defensive
programming.
Jeremy.
(This used to be commit a0d368197d6ae6777b7c2c3c6e970ab8ae7ca2ae)
|
|
(This used to be commit b6904e0950a5e70ebb2ea8aa9e9afc220adbe211)
|
|
Jeremy.
(This used to be commit 1588ce8efe7fafd89561b55a98c498f947f4ada9)
|
|
* Fix a couple of related parsing issues.
* in the info3 reply in a samlogon, return the ACB-flags (instead of
returning zero)
Guenther
(This used to be commit 5b89e8bc24f0fdc8b52d5c9e849aba723df34ea7)
|
|
* ignore the primary group SID attribute from struct samu*
* generate the primary group SID strictlky from the Unix
primary group when dealing with passdb users
* Fix memory leak in original patch caused by failing to free a
talloc *
* add wrapper around samu_set_unix() to prevent exposing the create
BOOL to callers. Wrappers are samu_set_unix() and samu-allic_rid_unix()
(This used to be commit bcf269e2ec6630b78d909010fabd3b69dd6dda84)
|
|
* Add a 'struct passwd *' to the struct samu for later reference
(I know this may be controversial but its easily reverted which is
is why I'm checking this is as a seaparate patch before I get
too deep).
* Remove unix_homedir from struct samu {} and update the pdb wrapper
functions associated with it.
(This used to be commit 92c251fdf0f1f566cfeca3c75ba2284b644aef5d)
|
|
to make full use of the new talloc() interface. Discussed with Volker
and Jeremy.
* remove the internal mem_ctx and simply use the talloc()
structure as the context.
* replace the internal free_fn() with a talloc_destructor() function
* remove the unnecessary private nested structure
* rename SAM_ACCOUNT to 'struct samu' to indicate the current an
upcoming changes. Groups will most likely be replaced with a
'struct samg' in the future.
Note that there are now passbd API changes. And for the most
part, the wrapper functions remain the same.
While this code has been tested on tdb and ldap based Samba PDC's
as well as Samba member servers, there are probably still
some bugs. The code also needs more testing under valgrind to
ensure it's not leaking memory.
But it's a start......
(This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
|
|
this more but it gets around the primary group issue.
* don't map a SID to a name from the group mapping code if
the map doesn't have a valid gid. This is only an issue
in a tdb setup
* Always allow S-1-$DOMAIN-513 to resolve (just like Windows)
* if we cannot resolve a users primary GID to a SID, then set
it to S-1-$DOMAIN-513
* Ignore the primary group SID inside pdb_enum_group_memberships().
Only look at the Unix group membersip.
Jeremy, this fixes a fresh install startup for smbd as far as my tests
are concerned.
(This used to be commit f79f4dc4c58a6172bf69d37469fdd8de05a812df)
|
|
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
|
|
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
|
|
safe for using our headers and linking with C++ modules. Stops us
from using C++ reserved keywords in our code.
Jeremy
(This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a)
|
|
1. using smbc_getxattr() et al, one may now request all access control
entities in the ACL without getting all other NT attributes.
2. added the ability to exclude specified attributes from the result set
provided by smbc_getxattr() et al, when requesting all attributes,
all NT attributes, or all DOS attributes.
3. eliminated all compiler warnings, including when --enable-developer
compiler flags are in use. removed -Wcast-qual flag from list, as that
is specifically to force warnings in the case of casting away qualifiers.
Note: In the process of eliminating compiler warnings, a few nasties were
discovered. In the file libads/sasl.c, PRIVATE kerberos interfaces
are being used; and in libsmb/clikrb5.c, both PRIAVE and DEPRECATED
kerberos interfaces are being used. Someone who knows kerberos
should look at these and determine if there is an alternate method
of accomplishing the task.
(This used to be commit 994694f7f26da5099f071e1381271a70407f33bb)
|
|
passdb in 3_0 (they are still in trunk).
Guenther
(This used to be commit fdf9bdbbac1d8d4f3b3e1fc7e49c1e659b9301b1)
|