path: root/source3/passdb/pdb_interface.c
Age | Commit message | Author | Files | Lines
2007-10-10 | r14855: Various fixes: | Gerald Carter | 1 | -10/+8
* deprecate 'acl group control' after discussion with Jeremy and implement functionality as part of 'dos filemode'
* fix winbindd on a non-member server to expand local groups
* prevent code previously only used by smbd from blindly turning _NO_WINBINDD back on
(This used to be commit 4ab372f4cab22225716b5c9a9a08f0c1dbc9928d)
2007-10-10 | r14696: make pdb_find_backend_entry public (for use by an external "multi" ↵ | Jelmer Vernooij | 1 | -3/+1
pdb backend) (This used to be commit c149421ef7aca8763e21e6c7d467e94944c30e8b)
2007-10-10 | r14634: Many bug fixes thanks to train rides and overnight stays in airports | Gerald Carter | 1 | -9/+77
* Finally fix parsing idmap uid/gid ranges not to break with spaces surrounding the '-'
* Allow local groups to be renamed by adding info level 2 to _samr_set_aliasinfo()
* Fix parsing bug in _samr_del_dom_alias() reply
* Prevent root from being deleted via Samba
* Prevent builtin groups from being renamed or deleted
* Fix bug in pdb_tdb that broke renaming user accounts
* Make sure winbindd is running when trying to create the Administrators and Users BUILTIN groups automatically from smbd (and not just check the winbind nested groups parameter value).
* Have the top level rid allocator verify that the RID it is about to grant is not already assigned in our own SAM (retries up to 250 times). This fixes passdb with existing SIDs assigned to users from the RID algorithm but not monotonically allocating the RIDs from passdb.
(This used to be commit db1162241f79c2af8afb7d8c26e8ed1c4a4b476f)
2007-10-10 | r14577: BUG Fixes: | Gerald Carter | 1 | -3/+3
* Add back in the import/export support to pdbedit
* Fix segv in pam_smbpass
* Cleanup some error paths in pdb_tdb and pdb_interface
(This used to be commit df53d64910fbb96eb810102e986b3c337d54c463)
2007-10-10 | r14457: Add a few more special cases for RID 513 in the samr code. | Gerald Carter | 1 | -2/+20
Now that I know what all the requirements for this group are I can generalize the code some more and make it cleaner. But at least this is working with lusrmgr.msc on XP and 2k now. (This used to be commit d2c1842978cd50485849bfc4fb6d94767d96cab0)
2007-10-10 | r14403: * modifies create_local_nt_token() to create a BUILTIN\Administrators | Gerald Carter | 1 | -14/+7
group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes'
* Add a SID domain to the group mapping enumeration passdb call to fix the checks for local and builtin groups. The SID can be NULL if you want the old semantics for internal maintenance. I only updated the tdb group mapping code.
* remove any group mapping from the tdb that have a gid of -1 for better consistency with pdb_ldap.c. This fixes the problem with calling add_group_map() in the tdb code for unmapped groups which might have had a record present.
* Ensure that we distinguish between groups in the BUILTIN and local machine domains via getgrnam(). Otherwise BUILTIN\Administrators & SERVER\Administrators would resolve to the same gid.
* Doesn't strip the global_sam_name() from groups in the local machine's domain (this is required to work with 'winbind default domain' code)
Still todo.
* Fix fallback Administrators membership for root and domain Admins if nested groups = no or winbindd is not running
* issues with "su - user -c 'groups'" command
* There are a few outstanding issues with BUILTIN\Users that Windows apparently tends to assume. I worked around this presently with a manual group mapping but I do not think this is a good solution. So I'll probably add some similar as I did for Administrators.
(This used to be commit 612979476aef62e8e8eef632fa6be7d30282bb83)
2007-10-10 | r13756: use samu_new() rather than calling talloc() directly. | Gerald Carter | 1 | -1/+1
(This used to be commit c13af58f6322104a45d0e620cc26f522a47af2ab)
2007-10-10 | r13727: Fix a segfault | Volker Lendecke | 1 | -1/+5
(This used to be commit 76c100834d125b889d29d0fc38934bed4cc77e19)
2007-10-10 | r13711: * Correctly handle acb_info/acct_flags as uint32 not as uint16. | Günther Deschner | 1 | -3/+3
* Fix a couple of related parsing issues.
* in the info3 reply in a samlogon, return the ACB-flags (instead of returning zero)
Guenther
(This used to be commit 5b89e8bc24f0fdc8b52d5c9e849aba723df34ea7)
2007-10-10 | r13704: Janitor for tpot. | Jeremy Allison | 1 | -50/+55
Jeremy
-------------
Slightly smaller version of pdb_get_methods() patch. Turns out that callers to initialize_password_db() use the reload parameter so this has turned in to a smaller cleanup than I thought.
(This used to be commit 7e243104eb57d656adf7b5a322fc8dde9e3c2868)
2007-10-10 | r13679: Committing the rm_primary_group.patch posted on samba-technical | Gerald Carter | 1 | -14/+17
* ignore the primary group SID attribute from struct samu*
* generate the primary group SID strictly from the Unix primary group when dealing with passdb users
* Fix memory leak in original patch caused by failing to free a talloc *
* add wrapper around samu_set_unix() to prevent exposing the create BOOL to callers. Wrappers are samu_set_unix() and samu_alloc_rid_unix()
(This used to be commit bcf269e2ec6630b78d909010fabd3b69dd6dda84)
2007-10-10 | r13590: * replace all pdb_init_sam[_talloc]() calls with samu_new() | Gerald Carter | 1 | -21/+17
* replace all pdb_{init,fill}_sam_pw() calls with samu_set_unix()
(This used to be commit 6f1afa4acc93a07d0ee9940822d7715acaae634f)
2007-10-10 | r13576: This is the beginnings of moving the SAM_ACCOUNT data structure | Gerald Carter | 1 | -45/+45
to make full use of the new talloc() interface. Discussed with Volker and Jeremy.
* remove the internal mem_ctx and simply use the talloc() structure as the context.
* replace the internal free_fn() with a talloc_destructor() function
* remove the unnecessary private nested structure
* rename SAM_ACCOUNT to 'struct samu' to indicate the current and upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future.
Note that there are now passdb API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start......
(This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2007-10-10 | r13571: Replace all calls to talloc_free() with the TALLOC_FREE() | Gerald Carter | 1 | -2/+2
macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2007-10-10 | r13545: A patch which I think its time has come. Volker, we can talk about | Gerald Carter | 1 | -22/+38
this more but it gets around the primary group issue.
* don't map a SID to a name from the group mapping code if the map doesn't have a valid gid. This is only an issue in a tdb setup
* Always allow S-1-$DOMAIN-513 to resolve (just like Windows)
* if we cannot resolve a user's primary GID to a SID, then set it to S-1-$DOMAIN-513
* Ignore the primary group SID inside pdb_enum_group_memberships(). Only look at the Unix group membership.
Jeremy, this fixes a fresh install startup for smbd as far as my tests are concerned.
(This used to be commit f79f4dc4c58a6172bf69d37469fdd8de05a812df)
2007-10-10 | r13494: Merge the stuff I've done in head the last days. | Volker Lendecke | 1 | -19/+493
Volker (This used to be commit bb40e544de68f01a6e774753f508e69373b39899)
2007-10-10 | r13493: module_name and module_location are the same string. Fix a valgrind | Volker Lendecke | 1 | -1/+3
error. Volker (This used to be commit 5a92df31d69ff7b0f2de6564d644949c2906c8f1)
2007-10-10 | r13460: by popular demand.... | Gerald Carter | 1 | -1075/+218
* remove pdb_context data structure
* set default group for DOMAIN_RID_GUEST user as RID 513 (just like Windows)
* Allow RID 513 to always resolve to a name
* Remove auto mapping of guest account primary group given the previous 2 changes
(This used to be commit 7a2da5f0cc05c1920c664c9a690a23bdf854e285)
2007-10-10 | r13316: Let the carnage begin.... | Gerald Carter | 1 | -56/+388
Sync with trunk as of r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10 | r12163: Change lookup_sid and lookup_name to return const char * instead of ↵ | Volker Lendecke | 1 | -3/+3
char *, use a temporary talloc_ctx for clarity. Volker (This used to be commit b15815c804bf3e558ed6357b5e9a6e3e0fac777f)
2007-10-10 | r12051: Merge across the lookup_name and lookup_sid work. Lets see how the ↵ | Volker Lendecke | 1 | -14/+102
build farm reacts :-) Volker (This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7)
2007-10-10 | r11923: Add samr_lookup_rids for the builtin domain. Doing it this way feels ↵ | Volker Lendecke | 1 | -11/+26
a bit wrong, but so far we don't have proper multi-domain support in passdb yet... Volker (This used to be commit c917cfc320f0250d23fda3525a7632bc01643707)
2007-10-10 | r11922: Looks bigger than it is: There's no point in allocating arrays in | Volker Lendecke | 1 | -24/+14
samr_lookup_rids twice. It was done in the srv_samr_nt.c code as well as in the pdb module. Remove the latter, this might happen more often. Volker (This used to be commit 57f0cf8cdd6928f4759036e5dd53d41736aa910d)
2007-10-10 | r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 | Jeremy Allison | 1 | -60/+59
x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2007-10-10 | r10911: part of #2861: add rename support for usrmgr.exe when using tdbsam | Jim McDonough | 1 | -0/+58
This gets it working before replacing tdb with the samba4 version. (This used to be commit 8210b0503a050e12ee1b4335fa6e50d10ad06577)
2007-10-10 | r10656: BIG merge from trunk. Features not copied over | Gerald Carter | 1 | -17/+117
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10 | r7882: Looks like a large patch - but what it actually does is make Samba | Jeremy Allison | 1 | -5/+5
safe for using our headers and linking with C++ modules. Stops us from using C++ reserved keywords in our code. Jeremy (This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a)
2007-10-10 | r6367: Slim down pdb_interface.c a bit. next_entry and search_end are function | Volker Lendecke | 1 | -185/+60
pointers now. Yes, Jeremy, this is about re-inventing C++... :-) Volker (This used to be commit a831e54738c7854e68c696e9cbb132c012ff223c)
2007-10-10 | r6351: This is quite a large and intrusive patch, but there are not many ↵ | Volker Lendecke | 1 | -153/+248
pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2007-10-10 | r6277: This implements a new caching API for enumerating the pdb elements. It is | Volker Lendecke | 1 | -0/+358
modeled after query_displayinfo and should hide the differences between users, groups and aliases while allowing a cache analog load_sampw_entries:
  struct pdb_search *pdb_search_users(uint16 acct_flags);
  struct pdb_search *pdb_search_groups(void);
  struct pdb_search *pdb_search_aliases(const DOM_SID *sid);
  uint32 pdb_search_entries(struct pdb_search *search, uint32 start_idx, uint32 max_entries, struct samr_displayentry **result);
  void pdb_search_destroy(struct pdb_search *search);
Why this API? Eventually we will need to apply the work gd has started on enumerating users with paged ldap searches to groups and aliases. Before doing that I want to clean up the search routines we have. The sample application (more to follow) is 'net maxrid'.
Volker
(This used to be commit 8b4f67a1e9d459145cde10b1064781d58d62b805)
2007-10-10 | r6092: This much const causes the compiler on Fedora Core 2 | Jeremy Allison | 1 | -2/+2
to throw up. Jeremy. (This used to be commit 051f0ed8075a3616484888ab22d68ca11aa1dd36)
2007-10-10 | r6080: Port some of the non-critical changes from HEAD to 3_0. The main one ↵ | Volker Lendecke | 1 | -9/+16
is the change in pdb_enum_alias_memberships to match samr.idl a bit closer. Volker (This used to be commit 3a6786516957d9f67af6d53a3167c88aa272972f)
2007-10-10 | r5965: Apply Volker's patch for "ldapsam trusted = yes" for ↵ | Jim McDonough | 1 | -0/+98
samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2007-10-10 | r5951: gotta love that SGI compiler :-) (thanks Jason) | Gerald Carter | 1 | -3/+3
(This used to be commit e84d070275464de43107b6b5910e25ccc3339302)
2007-10-10 | r5655: Added support for Novell NDS universal password. Code donated by | Jeremy Allison | 1 | -0/+36
Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2007-10-10 | r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. | Volker Lendecke | 1 | -0/+146
Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2007-10-10 | r5349: After talking with Jerry, reverted the addition of account policies to | Günther Deschner | 1 | -68/+0
passdb in 3_0 (they are still in trunk). Guenther (This used to be commit fdf9bdbbac1d8d4f3b3e1fc7e49c1e659b9301b1)
2007-10-10 | r4996: sync up copyrights with trunk | Gerald Carter | 1 | -0/+1
(This used to be commit 8946efe102f7a8a9b5a8059a80666b782159e7b8)
2007-10-10 | r4925: Migrate Account Policies to passdb (esp. replicating ldapsam). | Günther Deschner | 1 | -0/+68
Does automated migration from account_policy.tdb v1 and v2 and offers a pdbedit-Migration interface. Jerry, please feel free to revert that if you have other plans. Guenther (This used to be commit 75af83dfcd8ef365b4b1180453060ae5176389f5)
2007-10-10 | r4847: Hand over an acb_mask to pdb_setsampwent in load_sampwd_entries(). | Günther Deschner | 1 | -6/+6
This allows the ldap-backend to search much more efficiently. Machines will be searched in the ldap_machine_suffix and users in the ldap_users_suffix. (Note that we already use the ldap_group_suffix in ldapsam_setsamgrent for quite some time). Using the specific ldap-bases becomes notably important in large domains: On my testmachine "net rpc trustdom list" has to search through 40k accounts just to list 3 interdomain-trust-accounts, similar effects show up the non-user query_dispinfo-calls, etc. Also renamed all_machines to only_machines in load_sampwd_entries() since that reflects better what is really meant. Guenther (This used to be commit 6394257cc721ca739bda0e320375f04506913533)
2007-10-10 | r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵ | Jeremy Allison | 1 | -3/+3
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10 | r3705: Nobody has commented, so I'll take this as an ack... | Volker Lendecke | 1 | -0/+35
abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2007-10-10 | r3704: Implement a cache that saves the result of a pdb_getsampwnam for later | Volker Lendecke | 1 | -1/+27
retrieval by pdb_getsampwsid. This solves our problem that we do lots of calls to LDAP during a typical XP login. XP does a lookupnames, then an openuser and some queryinfo stuff. Lookupnames triggers the initial getsampwnam, and all the subsequent ones make us call getsampwsid. This patch gets this down to one call to LDAP. Yes, a more "correct" way would be to stick the information to the open user handle, but this one is simpler and saves the LDAP roundtrip for the openuser call. Volker (This used to be commit 3d9758fa3c584bb25eca0b7ed04af4ddfeba315f)
2007-10-10 | r3566: Completely replace the queryuseraliases call. The previous ↵ | Volker Lendecke | 1 | -5/+7
implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2007-10-10 | r145: pdb_create_alias now returns NTSTATUS. More of this to follow. | Volker Lendecke | 1 | -4/+3
Volker (This used to be commit 6e18bed17093e0b1792f68817096e64e0e841f26)
2007-10-10 | r116: volker's patch for local group and group nesting | Gerald Carter | 1 | -0/+300
(This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-02-26 | And another little const | Volker Lendecke | 1 | -1/+1
(This used to be commit f6bb3304fc5ef298a921b9ee5ad2f6444b0e72bc)
2004-02-12 | abartlet's pdb_set/changed flag fix for NULL passwords | Gerald Carter | 1 | -6/+4
(This used to be commit cfe80f0df7ecfa6c689b03b9bed80ea80701a4c1)
2004-02-12 | stupid cut-n-paste error; my fault | Gerald Carter | 1 | -2/+2
(This used to be commit ee8f142b874a5bd365e59f68fb48ff3fec82fcda)
2004-02-04 | move disabling code to context functions instead of backwards compatible ↵ | Gerald Carter | 1 | -28/+28
wrappers (This used to be commit e62ef2ba2d73f492d879af4d06b223f8e739dc6c)