summaryrefslogtreecommitdiff
path: root/source3/passdb/pdb_ldap.c
AgeCommit message (Collapse)AuthorFilesLines
2002-07-10If we get a SID from group mapping, no need to check it's prefix.Andrew Bartlett1-6/+6
Just set it directly. Andrew Bartlett (This used to be commit 202202bc475f3b8500423b1a9ccf0adc80a4dc49)
2002-07-05Fix debug comment.Andrew Bartlett1-1/+1
(This used to be commit f32980c807adf8287436be0d5a223b9b1ce399b8)
2002-07-03Fix the spelling in the LDAP attributesAndrew Bartlett1-2/+2
(This used to be commit dab26f8891a77640ce382ce1785ca5dd22d43c22)
2002-07-01used findstatic.pl to make some variables static and remove some deadAndrew Tridgell1-1/+1
code (This used to be commit 91ad9041e9507d36eb3f40c23c5d4df61f139ef0)
2002-06-26Another bug fix from metze.Andrew Bartlett1-1/+1
(This used to be commit 5c754cef19c9580e2cb1e23152a1097d11ca8c60)
2002-06-22Add module versioning to the passdb module systemAndrew Bartlett1-1/+1
All passdb modules need to include a 'magic' macro that creates simple 'return my version number' function. (from metze and jelmer) Also fix up the dir_drive autosubsitute code to correctly use lp_logon_drive(). (from metze) Andrew Bartlett (This used to be commit 4a57c445dd4354034fc41b132a484afe6ab66e16)
2002-06-14Allow non unix accounts to be added to an ldap directory without NUA accountsAndrew Bartlett1-0/+4
already. Andrew Bartlett (This used to be commit a5d5b4cf2555b9bbded31b556d4fc74c00c6c490)
2002-06-13Latest patch from metze <metze@metzemix.de> to move most of samba acrossAndrew Bartlett1-4/+6
to using SIDs instead of RIDs. The new funciton sid_peek_check_rid() takes an 'expected domain sid' argument. The idea here is to prevent mistakes where the SID is implict, but isn't the same one that we have in the struct. Andrew Bartlett (This used to be commit 04f9a8ff4c7982f6597c0f6748f85d66d4784901)
2002-05-26change: pdb_getsampwrid() ->pdb_getsampwsid()Simo Sorce1-1/+8
passdb interface change, now the passdb modules will be asked for SID not for rid, the modules have been updated with a passthrough function that calls the old getsampwrid() functions. srv_samr_nt.c functions that made use of the pdb_getsampwrid funcion has been updated to use the SID one. (This used to be commit f5c6496c33fa7f5c2826540ffb4a49d8a5790fb3)
2002-05-25Only reterive the attributes we are actually going to use - rather thanAndrew Bartlett1-3/+14
the whole record which could include things like photos's etc. Andrew Bartlett (This used to be commit bbc69545516f29cc4e05ba6238b03eb504f28226)
2002-05-22Updates for sane storage of ldap root DN passwords (tested, with upgradeAndrew Bartlett1-30/+102
from 2.2 format) and LDAP rebind support (untested, I don't have a setup to match). Andrew Bartlett (This used to be commit 4f7ba78c9d50ac584497dcf1d78ce613112742d4)
2002-05-18so here it is the code to introduce seriously debugggging classes.Simo Sorce1-0/+3
this is a first step only passdb stuff has beein "classized". - so what can you do? set debug level to: 1 poasdb:10 that will make all the code run at debug level 1 except the code in passdb/* files that will run at level 10 TODO: fix the man page - also smbcontrol has this nice feature so smbcontrol smbd debug 3 passdb:5 will set every smbd to have a default log level of 3 while passdb stuff will be at level 5 and so no.. minor cosmetic fix to pdbedit is there too (This used to be commit be5c3b3f5781ddc002ffcc98df04ab024dcef4ca)
2002-05-18Remove const from some functions to match the changed prototype in aAndrew Bartlett1-3/+3
previous commit, and remove some unsued variables. Main change: Make sure to fill in the username when making a non-unix account from smbpasswd. (This used to be commit 7019486eacb72ca44c42ce620b8696bb29f12292)
2002-05-18A few things in this commit:Andrew Bartlett1-22/+28
cleanup some of the code in net_rpc_join re const warnings and fstrings. Passdb: Make the %u and %U substituions in passdb work. This is done by declaring these paramters to be 'const' and doing the substitution manually. I'm told this is us going full circle, but I can't really see a better way. Finally these things actually seem to work properly... Make the lanman code use the pdb's recorded values for homedir etc rather than the values from lp_*() Add code to set the plaintext password in the passdb, where it can decide how to store/set it. For use with a future 'ldap password change' option, or somthing like that... Add pdb_unix, so as to remove the 'not in passdb' special cases from the local_lookup_*() code. Quite small, as it uses the new 'struct passwd -> SAM_ACCOUNT' code that is now in just one place. (also used by pdb_smbpasswd) Other: Fix up the adding of [homes] at session setup time to actually pass the right string, that is the unix homedir, not the UNC path. Fix up [homes] so that for winbind users is picks the correct name. (bad interactions with the default domain code previously) Change the rpc_server/srv_lsa_nt.c code to match NT when for the SATUS_NONE_MAPPED reply: This was only being triggered on no queries, now it is on the 'no mappings' (ie all mappings failed). Checked against Win2k. Policy Question: Should SID -> unix_user.234/unix_group.364 be considered a mapping or not? Currently it isn't. Andrew Bartlett (This used to be commit c28668068b5a3b3cf3c4317e5fb32ec9957f3e34)
2002-05-17Make --with-ldapsam 'go away'. This is now a standard, stable, featureAndrew Bartlett1-3/+3
and there is no real reason for it to depend on more than the abilty to compile the code. (This used to be commit 64aaec137e39595e6e61b55eb525615683a1393c)
2002-04-23Spelling fixes from vanceAndrew Bartlett1-6/+6
(This used to be commit 70c6f5fc6d3ec3121b29d1e46e7fd3933fbcce6b)
2002-04-13Fix the compile-bug in pdb_ldap from my last patch.Andrew Bartlett1-4/+4
Andrew Bartlett (This used to be commit 81eaa7924b7bd3a13d049bce7fe7a16ab9174364)
2002-04-13Better handling of uid/gid -> RID and RID -> uid/gid code.Andrew Bartlett1-22/+4
All uids and gids must create valid RIDs, becouse other code expects this, and can't handle the failure case. (ACL code in particular) Allow admins to adjust the base of the RID algorithm, so avoid clashes with users brought in from NT (for example). Put all the algorithm code back in one place, so that this change is global. Better coping with NULL sid pointers - but it still breaks a lot of stuff. BONUS: manpage entry for new paramater :-) counter based rids for normal users in tdbsam is disabled for the timebeing, idra and I will work out some things here soon I hope. Andrew Bartlett (This used to be commit 5275c94cdf0c64f347d4282f47088d084b1a7ea5)
2002-04-13This is the 'multiple pdb backends' patch from ctrlsoft, aka Jelmer VernooijAndrew Bartlett1-16/+16
<jelmer@nl.linux.org>. This patch also includes major rework of pdbedit to use popt, and the addition of -i paramter (allowing the user to specify which PDBs is being operated on) and -e to export a pdb - useful for backup and testing etc. Use of -i and -e gets us pdb2pdb functionality for transition between backends, much like the sam2sam in TNG. Andrew Bartlett (This used to be commit c10def37f506d3f2bab442418ac08fdb62659b02)
2002-04-08Fix up major logic reversal flaws in pdb_ldap.Andrew Bartlett1-36/+70
WARNING: if you relied on these logic flaws, you will need to manually edit your ldap backend (for things like account expries etc). Now correctly retunes the information needed for 'must change at next login' support. (This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
2002-03-23Minor fixes:Andrew Bartlett1-8/+13
- Fix warnings in loadparm.c - Remove the unused 'passdb modules path' paramater - Make pdb_ldap use $ termination rather than the workstation trust account flag becouse some 'machine' accounts appear as normal accounts at creation time. Also covers domains etc. Andrew Bartlett (This used to be commit 8c82a3daf777bcd4cd4388d30222e370fe800819)
2002-03-20Make ldapsam compile again.Andrew Bartlett1-20/+0
(This used to be commit 520c8626dc238a1e338635981d1b41950f2219b6)
2002-03-19second step to gain free uid<->rid mappingSimo Sorce1-1/+18
we still need to free gid<->rid mapping and few other stuff (This used to be commit aa4b6f8181f34196a28951264dd8b631a5deef7f)
2002-03-18Start to switch away from the alghorithmic uid->rid mapping modelSimo Sorce1-0/+20
(This used to be commit 724390a8daabbecd236960562e0a50f62c6904f1)
2002-03-02This patch merges my private LDAP tree into HEAD.Andrew Bartlett1-227/+642
The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-03-01merge from 2.2Gerald Carter1-2/+7
(This used to be commit 5b28a7c59c392c6352cb8915a13806ca772d8cac)
2002-01-30Removed version number from file header.Tim Potter1-2/+1
Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2002-01-23getpwnam -> getpwnam_alloc.Andrew Bartlett1-1/+3
idra has promised not to revert these this time :-) (This used to be commit f556ad67e82518f5a024ffe9184ff9430ab5c541)
2002-01-21getpwnam_alloc -> getpwnamSimo Sorce1-9/+8
same reason as per pdb_tdb.c there isn't (and will never be probably) another call to any getpw* fn, let's use getpwnam_alloc only when needed. (This used to be commit f12361b1327306e6a3fcf8ff138413ad9a6c69a3)
2002-01-20This is another *BIG* change...Andrew Bartlett1-3/+11
Samba now features a pluggable passdb interface, along the same lines as the one in use in the auth subsystem. In this case, only one backend may be active at a time by the 'normal' interface, and only one backend per passdb_context is permitted outside that. This pluggable interface is designed to allow any number of passdb backends to be compiled in, with the selection at runtime. The 'passdb backend' paramater has been created (and documented!) to support this. As such, configure has been modfied to allow (for example) --with-ldap and the old smbpasswd to be selected at the same time. This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua. These two backends accept 'non unix accounts', where the user does *not* exist in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to avoid conflicts in the algroitmic mapping of RIDs, they use the values specified in the 'non unix account range' paramter - in the same way as the winbind ranges are specifed. While I was at it, I cleaned up some of the code in pdb_tdb (code copied directly from smbpasswd and not really considered properly). Most of this was to do with % macro expansion on stored data. It isn't easy to get the macros into the tdb, and the first password change will 'expand' them. tdbsam needs to use a similar system to pdb_ldap in this regard. This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I don't have the test facilities for these. I plan to incoroprate at least pdb_ldap into this scheme after consultation with Jerry. Each (converted) passdb module now no longer has any 'static' variables, and only exports 1 init function outside its .c file. The non-unix-account support in this patch has been proven! It is now possible to join a win2k machine to a Samba PDC without an account in /etc/passwd! Other changes: Minor interface adjustments: pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*. pdb_update_sam_account() no longer takes the 'override' argument that was being ignored so often (every other passdb backend). Extra checks have been added in some places. Minor code changes: smbpasswd no longer attempts to initialise the passdb at startup, this is now done on first use. pdbedit has lost some of its 'machine account' logic, as this behaviour is now controlled by the passdb subsystem directly. The samr subsystem no longer calls 'local password change', but does the pdb interactions directly. This allow the ACB_ flags specifed to be transferred direct to the backend, without interference. Doco: I've updated the doco to reflect some of the changes, and removed some paramters no longer applicable to HEAD. (This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-17A nice *big* change to the fundemental way we do things.Andrew Bartlett1-3/+6
Samba (ab)uses the returns from getpwnam() a lot - in particular it keeps them around for a long time - often past the next call... This adds a getpwnam_alloc and a getpwuid_alloc to the collection. These function as expected, returning a malloced structure that can be free()ed with passwd_free(&passwd). This patch also cuts down on the number of calls to getpwnam - mostly by taking advantage of the fact that the passdb interface is already case-insensiteve. With this patch most of the recursive cases have been removed (that I know of) and the problems are reduced further by not using the sys_ interface in the new code. This means that pointers to the cache won't be affected. (This is a tempoary HACK, I intend to kill the password cache entirly). The only change I'm a little worried about is the change to rpc_server/srv_samr_nt.c for private groups. In this case we are getting groups from the new group mapping DB. Do we still need to check for private groups? I've toned down the check to a case sensitve match with the new code, but we might be able to kill it entirly. I've also added a make_modifyable_passwd() function, that copies a passwd struct into the form that the old sys_getpw* code provided. As far as I can tell this is only actually used in the pass_check.c crazies, where I moved the final 'special case' for shadow passwords (out of _Get_Pwnam()). The matching case for getpwent() is dealt with already, in lib/util_getent.c Also included in here is a small change to register the [homes] share at vuid creation rather than just in one varient of the session setup. (This picks up the SPNEGO cases). The home directory is now stored on the vuid, and I am hoping this might provide a saner way to do %H substitions. TODO: Kill off remaining Get_Pwnam_Modify calls (they are not needed), change the remaining sys_getpwnam() callers to use getpwnam_alloc() and move Get_Pwnam to return an allocated struct. Andrew Bartlett (This used to be commit 1d86c7f94230bc53daebd4d2cd829da6292e05da)
2002-01-02fixing compile errorGerald Carter1-4/+4
(This used to be commit 999a2f5c847c6a4336df60807e2fb546a2a4894f)
2002-01-02Actually enforce the passdb API.Andrew Bartlett1-1/+1
Thou shalt not reference SAM_ACCOUNT members directly - always use pdb_get/pdb_set. This is achived by making the whole of SAM_ACCOUNT have a .private member, where the real members live. This caught a pile of examples, and these have beeen fixed. The pdb_get..() functions are 'const' (have been for some time) and this required a few small changes to constify other functions. I've also added some debugs to the pdb get and set, they can be removed if requested. I've rewritten the copy_id2x_to_sam_pass() functions to use the new passdb interface, but I need the flags info to do it properly. The pdb_free_sam() funciton now blanks out the LM and NT hashes, and as such I have removed many extra 'samr_clear_sam_passwd(smbpass)' calls as a result. Finally, any and all testing is always appriciated - but the basics seem to work. Andrew Bartlett (This used to be commit d3dd28f6c443187b8d820d5a39c7c5b3be2fa95c)
2001-12-31remove samlogon_userGerald Carter1-10/+1
(This used to be commit a5f4559b2aade54f1c0f717eea21881f482faff2)
2001-12-31some merges from 2.2. Still need to merge in changes from pdb_tdb.cGerald Carter1-111/+161
but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-30util_sid.c - respect a const variabile (addedd strdup)Simo Sorce1-1/+13
cli_reg.c - indentation pdb_ldap.c - some checks on init fns parameters pdb_tdb.c - some checks on init fns parameters + make sure we close the db on failure (This used to be commit 49f5cb7a3df6d673f86e6769319aa657e30d8380)
2001-12-30pdb_getsampwnuid() merge from 2.2Gerald Carter1-49/+0
(This used to be commit 54cbfc7ebcdf1bd2094407b689b0050f0abfa46f)
2001-12-27moving SAM_ACCOUNT to include a bit field for initializedGerald Carter1-5/+6
members (such as uid and gid). This way we will be able to keep ourselves from writing out default smb.conf settings when the admin doesn't want to, That part is not done yet. Tested compiles with ldap/tdb/smbpasswd. Tested connection with smbpasswd backend. oh...and smbpasswd doesn'y automatically expire accounts after 21 days from the last password change either now. Just ifdef'd out that code in build_sam_account(). Will merge updates into 2.2 as they are necessary. jerry (This used to be commit f0d43791157d8f04a13a07d029f203ad4384d317)
2001-12-04added a boolean to the group mapping functions to specify if we need orJean-François Micouleau1-2/+1
not the privileges. Usually we don't need them, so the memory is free early. lib/util_sid.c: added some helper functions to check an SID. passdb/passdb.c: renamed local_lookup_rid() to local_lookup_sid() and pass an RID all the way. If the group doesn't exist on the domain SID, don't return a faked one as it can collide with a builtin one. Some rpc structures have been badly designed, they return only rids and force the client to do subsequent lsa_lookup_sid() on the domain sid and the builtin sid ! rpc_server/srv_util.c: wrote a new version of get_domain_user_groups(). Only the samr code uses it atm. It uses the group mapping code instead of a bloody hard coded crap. The netlogon code will use it too, but I have to do some test first. J.F. (This used to be commit 6c87e96149101995b7d049657d5c26eefef37d8c)
2001-12-02added mapping of primary gid to rid thru the group mapping code.Jean-François Micouleau1-3/+12
and cleanup and comments in passdb/passdb.c J.F. (This used to be commit 6533339887832ca6dd42d99385c615db7bee3d43)
2001-11-09As pdb_ldap.c does not compile in HEAD anyway, a not-compiled mergeVolker Lendecke1-2/+6
from 2_2. Volker (This used to be commit 7d70b30dbdf06de126b78879fc89708ca335f91e)
2001-11-01Various post AuthRewrite cleanups, fixups and tidyups.Andrew Bartlett1-2/+2
Zero out some of the plaintext passwords for paranoia Fix up some of the other passdb backends with the change to *uid_t rather than uid_t. Make some of the code in srv_netlog_nt.c clearer, is passing an array around, so pass its lenght in is definition, not as a seperate paramater. Use sizeof() rather than magic numbers, it makes things easier to read. Cope with a PAM authenticated user who is not in /etc/passwd - currently by saying NO_SUCH_USER, but this can change in future. Andrew Bartlett (This used to be commit 514c91b16baca639bb04638042bf9894d881172a)
2001-10-29This commit is number 4 of 4.Andrew Bartlett1-6/+6
In particular this commit focuses on: Actually adding the 'const' to the passdb interface, and the flow-on changes. Also kill off the 'disp_info' stuff, as its no longer used. While these changes have been mildly tested, and are pretty small, any assistance in this is appreciated. ---- These changes introduces a large dose of 'const' to the Samba tree. There are a number of good reasons to do this: - I want to allow the SAM_ACCOUNT structure to move from wasteful pstrings and fstrings to allocated strings. We can't do that if people are modifying these outputs, as they may well make assumptions about getting pstrings and fstrings - I want --with-pam_smbpass to compile with a slightly sane volume of warnings, currently its pretty bad, even in 2.2 where is compiles at all. - Tridge assures me that he no longer opposes 'const religion' based on the ability to #define const the problem away. - Changed Get_Pwnam(x,y) into two variants (so that the const parameter can work correctly): - Get_Pwnam(const x) and Get_Pwnam_Modify(x). - Reworked smbd/chgpasswd.c to work with these mods, passing around a 'struct passwd' rather than the modified username --- This finishes this line of commits off, your tree should now compile again :-) Andrew Bartlett (This used to be commit c95f5aeb9327347674589ae313b75bee3bf8e317)
2001-10-10merge from 2.2Gerald Carter1-11/+32
(This used to be commit 96c9df577bcffeec1b7d516a5431e54e679bd6b4)
2001-10-02Removed 'extern int DEBUGLEVEL' as it is now in the smb.h header.Tim Potter1-2/+0
(This used to be commit 2d0922b0eabfdc0aaf1d0797482fef47ed7fde8e)
2001-09-25Fixup passdb stuff to add new nisplus and ldap backends.Jeremy Allison1-0/+1014
Jeremy. (This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)