| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Guenther
(This used to be commit 906d5f88aabf091ee273e0ed9c3d2947b22c5390)
|
|
implementation does
not exactly match what you would expect.
XP workstations during login actually do this, so we should better become a
bit more correct. The LDAP query issued is not really fully optimal, but it is
a lot faster and more correct than what was there before. The change in
passdb.h makes it possible that queryuseraliases is done with a single ldap
query.
Volker
(This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
|
|
Guenther
(This used to be commit 94f48d06c774eb137fef70063e6f29e5d5a6ba9d)
|
|
Currently we cannot store more then 15 password history entries (windows
NT4 allows to store 24) in ldapsam. When choosing more then "15" with
pdbedit -P "password history", we fail to initialize the password
history upon password change and overwrite the history, effectively
using a password history of "1". We do already decrease any
history-policy larger then 15 to 15 while storing the password history
list attribute in ldap.
Guenther
(This used to be commit a4b47e71475a06c2e2287613b00648c5f53ae52c)
|
|
smb.conf-parameter for samba's "algorithmic rid base" in ldapsam are
identical.
It tried to get the value of LDAP_ATTR_ALGORITHMIC_RID_BASE via
get_userattr_key2string() for a very long time now. This just can not
work because LDAP_ATTR_ALGORITHMIC_RID_BASE is neither in attrib_map_v22
nor in attrib_map_v30. Instead, get it directly from dominfo_attr_list.
Ldapsam will now correctly refuse to initialize when admins tried
manually to have differing values for "algorithmic rid base" in ldap and
smb.conf. idmap_ldap is another story...
Guenther
(This used to be commit c5b8bc6c2e9a3f789f41742438b31152721c0bf4)
|
|
supports it. This might be a fix for bugs 1823 and 1545, notifying both.
Also ignore object class violation errors from the extended operation. We
don't have the userPassword field in sambaSamAccount, and if we have such
broken setup with user in /etc/passwd and only samba attribs in ldap, we fail
this :-)
Volker
(This used to be commit a32ea3bc881f516fb733cb4767ae5cf22d658b12)
|
|
Jeremy.
(This used to be commit 0351bf8b03306246efc17e532ebe78ecdafb645d)
|
|
attributes to
delete.
Richard, IMHO this is the better solution to the problem you currently
have. Please review.
Thanks,
Volker
(This used to be commit 6957d6a8921fbd97747258249d99b505a79cfcb4)
|
|
ldapsam_compat. Be robust against NULL attributes.
Jeremy.
(This used to be commit 727fc341b578577c112e97b0ef6f4c7f8bd15f66)
|
|
logon hours attributes in an LDAP database.
Jeremy.
(This used to be commit dac72638fb3a05e805136698e0ad0612620ac8af)
|
|
Jeremy.
(This used to be commit a1bb6fbbe4d1618b5e02a3e7ee456247364bac66)
|
|
"Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to
linearised pstring due to ordering issues. A few other changes to
fix race conditions. I will add the tdb backend code next. This code
compiles but has not yet been tested with password history policy
set to greater than zero. Targeted for 3.0.6.
Jeremy.
(This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
|
|
===================================================================
--- pdb_ldap.c (revision 1095)
+++ pdb_ldap.c (working copy)
@@ -1134,6 +1134,19 @@
return NT_STATUS_OK;
}
+static void append_attr(char ***attr_list, const char *new_attr)
+{
+ int i;
+
+ for (i=0; (*attr_list)[i] != NULL; i++)
+ ;
+
+ (*attr_list) = Realloc((*attr_list), sizeof(**attr_list) * (i+2));
+ SMB_ASSERT((*attr_list) != NULL);
+ (*attr_list)[i] = strdup(new_attr);
+ (*attr_list)[i+1] = NULL;
+}
+
/**********************************************************************
Get SAM_ACCOUNT entry from LDAP by username.
*********************************************************************/
@@ -1149,6 +1162,7 @@
int rc;
attr_list = get_userattr_list( ldap_state->schema_ver );
+ append_attr(&attr_list, MODIFY_TIMESTAMP_STRING);
rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list);
free_attr_list( attr_list );
@@ -1194,6 +1208,7 @@
switch ( ldap_state->schema_ver ) {
case SCHEMAVER_SAMBASAMACCOUNT:
attr_list = get_userattr_list(ldap_state->schema_ver);
+ append_attr(&attr_list, MODIFY_TIMESTAMP_STRING);
rc = ldapsam_search_suffix_by_sid(ldap_state, sid, result, attr_list);
free_attr_list( attr_list );
Index: login_cache.c
===================================================================
--- login_cache.c (revision 1095)
+++ login_cache.c (working copy)
@@ -95,10 +95,13 @@
&entry->bad_password_count,
&entry->bad_password_time) == -1) {
DEBUG(7, ("No cache entry found\n"));
+ SAFE_FREE(entry);
SAFE_FREE(databuf.dptr);
return NULL;
}
+ SAFE_FREE(databuf.dptr);
+
DEBUG(5, ("Found login cache entry: timestamp %12u, flags 0x%x, count %d, time %12u\n",
(unsigned int)entry->entry_timestamp, entry->acct_ctrl,
entry->bad_password_count, (unsigned int)entry->bad_password_time));
(This used to be commit c0bf8425f4b9ee30ffc878704bde980d8c51ed05)
|
|
Don't use non-consts in a structure initialization.
Jeremy.
(This used to be commit 455ed258b3457ad5b7d3dad14b64781ab98f00dc)
|
|
(This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
|
|
cache entry time comparisons in password lockout. Fixes problems where
pdb_ldap tries to delete the operational attribute modifyTimestamp when
deleting a user account.
(This used to be commit 5ebcb9081e435d54c39d4d3a1ef1d7b651ccb53f)
|
|
(This used to be commit 2b757b6adf0b4e5c799cc8943e8fd96cc94c24bc)
|
|
some platforms (FreeBSD in this case) don't define timezone according to
posix. This is what I wanted to do anyway.
Spotted by Andrzej Tobola <san@iem.pw.edu.pl>
(This used to be commit bc13e35db0b8b265f87553d4df1c7326710cb3fa)
|
|
Jeremy.
(This used to be commit 00fa66df3edeb92ec5efd49bd61f98691e74877a)
|
|
bad time locally, updating the directory only for hitting the policy limit
or resetting.
This needed to be done at the passdb level rather than auth, because some
of the functions need to be supported from tools such as pdbedit. It was
done at the LDAP backend level instead of generically after discussion,
because of the complexity of inserting it at a higher level.
The login cache read/write/delete is outside of the ldap backend, so it could
easily be called by other backends. tdbsam won't call it for obvious
reasons, and authors of other backends need to decide if they want to
implement it.
(This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
|
|
I know this isn't pretty, but neither was our assumption that all strings
from the directory fit inside a pstring. There was no way this worked
before will all versions of usrmgr (for example, the only version of
mine that has the TS Confic button).
(This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
|
|
OK, what was happening here was that we would invalidate global_sam_sid
when we set the sid into secrets.tdb, to force a re-read.
The problem was, we would do *two* writes into the TDB, and the second one
(in the PDC/BDC case) would be of a NULL pointer. This caused smbd startups
to fail, on a blank TDB.
By using a local variable in the pdb_generate_sam_sid() code, we avoid this
particular trap.
I've also added better debugging for the case where this all matters, which
is particularly for LDAP, where it finds out a domain SID from the sambaDomain
object.
Andrew Bartlett
(This used to be commit 86ad04d26d3065a99b08afaaf2914968a9e701c5)
|
|
Jelmer, can you look at the sql and xml backends please to verify?
(This used to be commit b7706f7e258516d83646aca8c367508bc1c8f0dd)
|
|
(This used to be commit 7a36cc4ac0ff4d9c42eb9ddaf41bf33b4e8cd7c6)
|
|
rather than writing XXXXX
Andrew Bartlett
(This used to be commit ab7dd748a98361ac9c1c3ca52e9a97aee3f93e6f)
|
|
(This used to be commit 7d7a262f45182e67daecdca49df85445c2b9700a)
|
|
string_to_sid also needs to be less permissive on what it thinks are
valid sids...)
Andrew Bartlett
(This used to be commit 9080c30de8aa96ed3b9b121ca111f1632572754e)
|
|
(For 'ldap password sync = yes')
Andrew Bartlett
(This used to be commit 5b682aef678cc9ee135852d7ee6b8c159902fab7)
|
|
(This used to be commit 1c3c16abc94d197e69e3350de1e5cc1e99be4322)
|
|
(This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
|
|
on "result", don't free result first.
Jeremy.
(This used to be commit c61a230c5ab7250c0812b422e0a533fbf5efbf17)
|
|
<adegremont@idealx.com>
Jeremy.
(This used to be commit aa668a0206b027923a333417309cb483c5a64265)
|
|
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at
all and I really want to discourage that.
Jeremy.
(This used to be commit d7e35dfb9283d560d0ed2ab231f36ed92767dace)
|
|
tested soon, but this fix is somewhat obvious.
Volker
(This used to be commit 227882d6f79fb5909998996e1be08df723c49e8e)
|
|
fields, bad_password_count and logon_count. Ensure this is stored/fetched
in the various SAMs. As it replaces the unknown_5 field this fits
exactly into the tdb SAM without any binary problems. It also is added
to the LDAP SAM as two extra attributes. It breaks compatibility with
the experimental SAMs xml and mysql. The maintainers of these SAMs must
fix them so upgrades like this can be done transparently. I will insist
on the "experimental" status until this is solved.
Jeremy.
(This used to be commit cd7bd8c2daff3293d48f3376a7c5a708a140fd94)
|
|
This means that %u & %g will no longer expand, but %U
and %G still do. The payback is that winbindd local
accounts for users work with 'wbinfo -u' when winbind
is running on a PDC.
(This used to be commit eb02fcf3c212eee1dc267959f23da5a26c1eac4f)
|
|
to/from utf8 for some calls. The libads code gets this right. Wonder why
the passdb code doesn't use it ?
Jeremy.
(This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
|
|
(This used to be commit 3724063f1518c25e33ba6b65cd3bb1e36cec51fa)
|
|
(This used to be commit a6a39c61e8228c8b3b7552ab3c61ec3a6a639143)
|
|
(This used to be commit 575483a1efe18a90055490117ba6894512ae568a)
|
|
to pstr_sprintf() and fstr_sprintf() to try to standardize.
lots of snprintf() calls were using len-1; some were using
len. At least this helps to be consistent.
(This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
|
|
displaying pid_t, uid_t and gid_t values. This removes a whole lot of warnings
on some of the 64-bit build farm machines as well as help us out when 64-bit
uid/gid/pid values come along.
(This used to be commit f93528ba007c8800a850678f35f499fb7360fb9a)
|
|
Whoever put the private.backend_private_data_free_fn thingy into
SAM_ACCOUNT, could you please revisit my change to pdb_get_set.c and
comment on my comment there?
Thanks,
Volker
(This used to be commit 922ec277d1c80b5532f5cac0ee99ae7cd20f83f1)
|
|
(This used to be commit 42a59d691019ee328920be25a1c505037f74151f)
|
|
(This used to be commit 09e00970d4b3ec80467a4a292c39650d6c945847)
|
|
(This used to be commit 26134ac302f3296df6a65182f2585201a3ad833a)
|
|
* move rid allocation into IDMAP. See comments in _api_samr_create_user()
* add winbind delete user/group functions
I'm checking this in to sync up with everyone. But I'm going to split
the add a separate winbindd_allocate_rid() function for systems
that have an 'add user script' but need idmap to give them a RID.
Life would be so much simplier without 'enable rid algorithm'.
The current RID allocation is horrible due to this one fact.
Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow.
Nothing has changed in the way a samba domain is represented, stored,
or search in the directory so things should be ok with previous installations.
going to bed now.
(This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
|
|
* remove idmap_XX_to_XX calls from smbd. Move back to the
the winbind_XXX and local_XXX calls used in 2.2
* all uid/gid allocation must involve winbindd now
* move flags field around in winbindd_request struct
* add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id()
to prevent automatic allocation for unknown SIDs
* add 'winbind trusted domains only' parameter to force a domain member
server to use matching users names from /etc/passwd for its domain
(needed for domain member of a Samba domain)
* rename 'idmap only' to 'enable rid algorithm' for better clarity
(defaults to "yes")
code has been tested on
* domain member of native mode 2k domain
* ads domain member of native mode 2k domain
* domain member of NT4 domain
* domain member of Samba domain
* Samba PDC running winbindd with trusts
Logons tested using 2k clients and smbclient as domain users
and trusted users. Tested both 'winbind trusted domains only = [yes|no]'
This will be a long week of changes. The next item on the list is
winbindd_passdb.c & machine trust accounts not in /etc/passwd (done
via winbindd_passdb)
(This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
|
|
is no such user...
Thanks to jerry for spotting this.
Also clean up the function a bit, to avoid this happening again...
Andrew Bartlett
(This used to be commit d9a6859e2bd963f28cf3c3a62e483e868822597f)
|
|
down failures.
Add a 'auto-add on modify' feature to guestsam
Fix some segfault bugs on no-op idmap modifications, and on new idmappings that
do not have a DN to tack onto.
Make the 'private data' a bit more robust.
Andrew Bartlett
(This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
|
