| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
(This used to be commit 84b62f6d96a77ccbc1b4475ab0780a4e4c9d4875)
|
|
found an unecessary parameter to ldapsam_search_one_user.
Volker
(This used to be commit a085670c7e3a0ca82df749592fd5c6a86def1d53)
|
|
The actual design change is relitivly small however:
It all goes back to jerry's 'BOOL store', added to many of the elements in a
SAM_ACCOUNT. This ensured that smb.conf defaults did not get 'fixed' into
ldap. This was a great win for admins, and this patch follows in the same way.
This patch extends the concept - we don't store values back into LDAP unless
they have been changed. So if we read a value, but don't update it, or we
read a value, find it's not there and use a default, we will not update
ldap with that value. This reduced clutter in our LDAP DB, and makes it
easier to change defaults later on.
Metze's particular problem was that when we 'write back' an unchanged value,
we would clear any muliple values in that feild. Now he can still have his
mulitivalued 'uid' feild, without Samba changing it for *every* other
operation.
This also applies to many other attributes, and helps to eliminate a nasty
race condition. (Time between get and set)
This patch is big, and needs more testing, but metze has tested usrmgr, and
I've fixed some pdbedit bugs, and tested domain joins, so it isn't compleatly
flawed ;-).
The same system will be introduced into the SAM code shortly, but this fixes
bugs that people were coming across in production uses of Samba 3.0/HEAD, hence
it's inclusion here.
Andrew Bartlett
(This used to be commit 7f237bde212eb188df84a5d8adb598a93fba8155)
|
|
(This used to be commit c8e32d485bf205b6965579f94063effd86777f3f)
|
|
a 3.0 based PDC.
Change defaults to use SSL, so that this also matches.
Andrew Bartlett
(This used to be commit 36c2a3820faa1d90cd331881720be0e61ab93460)
|
|
only the interface has been fully moved to NTSTATUS
not all the plugins make full use of it, but have been all converted.
My testings passed completely, however a bit of more testing is welcome
Simo.
(This used to be commit 102a26e06591928a03b49cd312a65811ed46314f)
|
|
pdb_ldap and adds a 'ldap passwd sync' option.
The idea with this option is to do allow an ldap backend to do all the fancy
password hashing etc - and to tell smbd no to try and double-up. Using 'ldap
passwd sync = only' will do this, but is not recommended unless such a backend
is in place...
Running 'ldap passwd sync = yes' just gets you the same as doing 'pam passwd
sync = yes' and having both PAM and pam_ldap correctly configured for 'magic
root' behaviour, but only using ldap connection, and one set of credentials.
This also gets us closer to allowing ldap to say 'password too short' etc,
which might assist in maintaining a consistant password policy.
Andrew Bartlett
(This used to be commit f13e243f1a13d34ae057b40b01f561e8b95d4570)
|
|
else we can't add to OpenLDAP 2.1
(This used to be commit d9a91a41441c156223760cb356fa997ea7bdbc1a)
|
|
Andrew Bartlett
(This used to be commit 0e420878f26bdd19b5defb78a5fe4c31662ec941)
|
|
Andrew Bartlett
(This used to be commit 8405bccd4e7a5315e58890ffa5d481031636f88a)
|
|
Andrew Bartlett
(This used to be commit 082c0324cde38fadd70934a10849c7d40a34e3b1)
|
|
I've still not tested this, but I didn't test the last lot and I'm pretty
sure I stuffed it up - but at least this rebind procedure matches the
function prototype.
It should also be fine on OpenLDAP 2.1 if I'm lucky.
Andrew Bartlett
(This used to be commit 064f269508d05cc833cf7bfd5613e4fe389f32dc)
|
|
(This used to be commit a6725d4ce95ca8807ccefe4ce033b45d0635da6d)
|
|
(This used to be commit 290a304d2c1b70d20129236e20a0ff664179023e)
|
|
they will get a const string and return a (t)alloced epanded one.
also modified passdb/* stuff to use this one.
(This used to be commit d378ac1e2efb0efc9a0f983d69cf678ca6255fd5)
|
|
Just set it directly.
Andrew Bartlett
(This used to be commit 202202bc475f3b8500423b1a9ccf0adc80a4dc49)
|
|
(This used to be commit f32980c807adf8287436be0d5a223b9b1ce399b8)
|
|
(This used to be commit dab26f8891a77640ce382ce1785ca5dd22d43c22)
|
|
code
(This used to be commit 91ad9041e9507d36eb3f40c23c5d4df61f139ef0)
|
|
(This used to be commit 5c754cef19c9580e2cb1e23152a1097d11ca8c60)
|
|
All passdb modules need to include a 'magic' macro that creates simple
'return my version number' function.
(from metze and jelmer)
Also fix up the dir_drive autosubsitute code to correctly use lp_logon_drive().
(from metze)
Andrew Bartlett
(This used to be commit 4a57c445dd4354034fc41b132a484afe6ab66e16)
|
|
already.
Andrew Bartlett
(This used to be commit a5d5b4cf2555b9bbded31b556d4fc74c00c6c490)
|
|
to using SIDs instead of RIDs.
The new funciton sid_peek_check_rid() takes an 'expected domain sid' argument.
The idea here is to prevent mistakes where the SID is implict, but isn't
the same one that we have in the struct.
Andrew Bartlett
(This used to be commit 04f9a8ff4c7982f6597c0f6748f85d66d4784901)
|
|
passdb interface change, now the passdb modules will be asked for SID not for rid, the modules have been updated with a passthrough function that calls the old getsampwrid() functions.
srv_samr_nt.c functions that made use of the pdb_getsampwrid funcion has been updated to use the SID one.
(This used to be commit f5c6496c33fa7f5c2826540ffb4a49d8a5790fb3)
|
|
the whole record which could include things like photos's etc.
Andrew Bartlett
(This used to be commit bbc69545516f29cc4e05ba6238b03eb504f28226)
|
|
from 2.2 format) and LDAP rebind support (untested, I don't have a setup
to match).
Andrew Bartlett
(This used to be commit 4f7ba78c9d50ac584497dcf1d78ce613112742d4)
|
|
this is a first step only passdb stuff has beein "classized".
- so what can you do?
set debug level to: 1 poasdb:10
that will make all the code run at debug level 1 except the code in
passdb/* files that will run at level 10
TODO: fix the man page
- also smbcontrol has this nice feature so smbcontrol smbd debug 3 passdb:5
will set every smbd to have a default log level of 3 while passdb stuff
will be at level 5
and so no..
minor cosmetic fix to pdbedit is there too
(This used to be commit be5c3b3f5781ddc002ffcc98df04ab024dcef4ca)
|
|
previous commit, and remove some unsued variables.
Main change: Make sure to fill in the username when making a non-unix
account from smbpasswd.
(This used to be commit 7019486eacb72ca44c42ce620b8696bb29f12292)
|
|
cleanup some of the code in net_rpc_join re const warnings and
fstrings.
Passdb:
Make the %u and %U substituions in passdb work.
This is done by declaring these paramters to be 'const' and doing
the substitution manually. I'm told this is us going full circle,
but I can't really see a better way.
Finally these things actually seem to work properly...
Make the lanman code use the pdb's recorded values for homedir etc
rather than the values from lp_*()
Add code to set the plaintext password in the passdb, where it can
decide how to store/set it. For use with a future 'ldap password
change' option, or somthing like that...
Add pdb_unix, so as to remove the 'not in passdb' special cases from the
local_lookup_*() code. Quite small, as it uses the new 'struct passwd ->
SAM_ACCOUNT' code that is now in just one place. (also used by pdb_smbpasswd)
Other:
Fix up the adding of [homes] at session setup time to actually pass
the right string, that is the unix homedir, not the UNC path.
Fix up [homes] so that for winbind users is picks the correct name.
(bad interactions with the default domain code previously)
Change the rpc_server/srv_lsa_nt.c code to match NT when for the
SATUS_NONE_MAPPED reply: This was only being triggered on
no queries, now it is on the 'no mappings' (ie all mappings failed).
Checked against Win2k.
Policy Question: Should SID -> unix_user.234/unix_group.364 be
considered a mapping or not? Currently it isn't.
Andrew Bartlett
(This used to be commit c28668068b5a3b3cf3c4317e5fb32ec9957f3e34)
|
|
and there is no real reason for it to depend on more than the abilty
to compile the code.
(This used to be commit 64aaec137e39595e6e61b55eb525615683a1393c)
|
|
(This used to be commit 70c6f5fc6d3ec3121b29d1e46e7fd3933fbcce6b)
|
|
Andrew Bartlett
(This used to be commit 81eaa7924b7bd3a13d049bce7fe7a16ab9174364)
|
|
All uids and gids must create valid RIDs, becouse other code expects this, and
can't handle the failure case. (ACL code in particular)
Allow admins to adjust the base of the RID algorithm, so avoid clashes with
users brought in from NT (for example).
Put all the algorithm code back in one place, so that this change is global.
Better coping with NULL sid pointers - but it still breaks a lot of stuff.
BONUS: manpage entry for new paramater :-)
counter based rids for normal users in tdbsam is disabled for the timebeing,
idra and I will work out some things here soon I hope.
Andrew Bartlett
(This used to be commit 5275c94cdf0c64f347d4282f47088d084b1a7ea5)
|
|
<jelmer@nl.linux.org>.
This patch also includes major rework of pdbedit to use popt, and the addition
of -i paramter (allowing the user to specify which PDBs is being
operated on) and -e to export a pdb - useful for backup and testing etc.
Use of -i and -e gets us pdb2pdb functionality for transition between backends,
much like the sam2sam in TNG.
Andrew Bartlett
(This used to be commit c10def37f506d3f2bab442418ac08fdb62659b02)
|
|
WARNING: if you relied on these logic flaws, you will need to manually
edit your ldap backend (for things like account expries etc).
Now correctly retunes the information needed for 'must change at next login'
support.
(This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
|
|
- Fix warnings in loadparm.c
- Remove the unused 'passdb modules path' paramater
- Make pdb_ldap use $ termination rather than the workstation trust account
flag becouse some 'machine' accounts appear as normal accounts at creation
time. Also covers domains etc.
Andrew Bartlett
(This used to be commit 8c82a3daf777bcd4cd4388d30222e370fe800819)
|
|
(This used to be commit 520c8626dc238a1e338635981d1b41950f2219b6)
|
|
we still need to free gid<->rid mapping and few other stuff
(This used to be commit aa4b6f8181f34196a28951264dd8b631a5deef7f)
|
|
(This used to be commit 724390a8daabbecd236960562e0a50f62c6904f1)
|
|
The main change here is to move ldap into the new pluggable passdb subsystem
and to take the LDAP location as a 'location' paramter on the 'passdb backend'
line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported,
and by hand where it isn't.
It also adds the ldap user suffix and ldap machine suffix smb.conf options,
so that machines added to the LDAP dir don't get mixed in with people.
Non-unix account support is also added. This means that machines don't need to
be in /etc/passwd or in nss_ldap's scope.
This code has stood up well under my production environment, so it relitivly
well tested.
I'm commiting this now becouse others have shown interest in using it, and
there is no point 'hording' the code :-).
Andrew Bartlett
(This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
|
|
(This used to be commit 5b28a7c59c392c6352cb8915a13806ca772d8cac)
|
|
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
(This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
|
|
idra has promised not to revert these this time :-)
(This used to be commit f556ad67e82518f5a024ffe9184ff9430ab5c541)
|
|
same reason as per pdb_tdb.c
there isn't (and will never be probably) another call to any getpw* fn,
let's use getpwnam_alloc only when needed.
(This used to be commit f12361b1327306e6a3fcf8ff138413ad9a6c69a3)
|
|
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
|
|
Samba (ab)uses the returns from getpwnam() a lot - in particular it keeps
them around for a long time - often past the next call...
This adds a getpwnam_alloc and a getpwuid_alloc to the collection.
These function as expected, returning a malloced structure that can be
free()ed with passwd_free(&passwd).
This patch also cuts down on the number of calls to getpwnam - mostly by
taking advantage of the fact that the passdb interface is already
case-insensiteve.
With this patch most of the recursive cases have been removed (that I know
of) and the problems are reduced further by not using the sys_ interface
in the new code. This means that pointers to the cache won't be affected.
(This is a tempoary HACK, I intend to kill the password cache entirly).
The only change I'm a little worried about is the change to
rpc_server/srv_samr_nt.c for private groups. In this case we are getting
groups from the new group mapping DB. Do we still need to check for private
groups? I've toned down the check to a case sensitve match with the new code,
but we might be able to kill it entirly.
I've also added a make_modifyable_passwd() function, that copies a passwd
struct into the form that the old sys_getpw* code provided. As far as I can
tell this is only actually used in the pass_check.c crazies, where I moved
the final 'special case' for shadow passwords (out of _Get_Pwnam()).
The matching case for getpwent() is dealt with already, in lib/util_getent.c
Also included in here is a small change to register the [homes] share at vuid
creation rather than just in one varient of the session setup. (This picks
up the SPNEGO cases). The home directory is now stored on the vuid, and I
am hoping this might provide a saner way to do %H substitions.
TODO: Kill off remaining Get_Pwnam_Modify calls (they are not needed), change
the remaining sys_getpwnam() callers to use getpwnam_alloc() and move
Get_Pwnam to return an allocated struct.
Andrew Bartlett
(This used to be commit 1d86c7f94230bc53daebd4d2cd829da6292e05da)
|
|
(This used to be commit 999a2f5c847c6a4336df60807e2fb546a2a4894f)
|
|
Thou shalt not reference SAM_ACCOUNT members directly - always use
pdb_get/pdb_set.
This is achived by making the whole of SAM_ACCOUNT have a .private member,
where the real members live. This caught a pile of examples, and these have
beeen fixed.
The pdb_get..() functions are 'const' (have been for some time) and this
required a few small changes to constify other functions.
I've also added some debugs to the pdb get and set, they can be removed if
requested.
I've rewritten the copy_id2x_to_sam_pass() functions to use the new passdb
interface, but I need the flags info to do it properly.
The pdb_free_sam() funciton now blanks out the LM and NT hashes, and as such
I have removed many extra 'samr_clear_sam_passwd(smbpass)' calls as a result.
Finally, any and all testing is always appriciated - but the basics seem to
work.
Andrew Bartlett
(This used to be commit d3dd28f6c443187b8d820d5a39c7c5b3be2fa95c)
|
|
(This used to be commit a5f4559b2aade54f1c0f717eea21881f482faff2)
|
|
but it will take more time as I don't want to loose any fixes that
are only in HEAD.
(This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
|
