summaryrefslogtreecommitdiff
path: root/source3/passdb/pdb_smbpasswd.c
AgeCommit message (Collapse)AuthorFilesLines
2003-05-28Merge of uint32/uid_t mismatch from 3.0Tim Potter1-2/+2
(This used to be commit a9f0e69dbefdaf8daee3943782817bcc536d2fb3)
2003-05-18port fixes from 3.0Simo Sorce1-1/+1
(This used to be commit 0d098df8b5db02c73b859aea136d01c9ca42b17a)
2003-04-29This is a nice rewrite:Simo Sorce1-16/+11
SAM_ACCOUNT does not have anymore uid and gid fields all the code that used them has been fixed to use the proper idmap calls fix to idmap_tdb for first time idmap.tdb initialization. auth_serversupplied_info structure has now an uid and gid field few other fixes to make the system behave correctly with idmap tested only with tdbsam, but smbpasswd and nisplus should be ok have not tested ldap ! (This used to be commit 6a6f6032467e55aa9b76390e035623976477ba42)
2003-04-29Change order of parameters to smb_register_passdb()Jelmer Vernooij1-1/+1
(This used to be commit 63cf5637c16dc770f0ab2f73ff00577c7cd426ee)
2003-04-29ok next_rid out as well local_*id_to*id functionsSimo Sorce1-1/+0
reverted user making function, did not pass the abartlet test :-) idmap is now fully integrated, we only miss user creation and removal of uid and gid from SAM_ACCOUNT (This used to be commit 67af8c26586c4829166795813a373bf9be27b753)
2003-04-27prepare to get _nua out of the door (but back in from the window ;-)Simo Sorce1-22/+3
(This used to be commit 09eb02cba0747ae47aa4a76f4fac69af293a774a)
2003-03-20Use True, not TRUE and False, not FALSEJelmer Vernooij1-1/+1
(This used to be commit 44e9bf88cc2bbb2aa34711354258c3abb319cb9b)
2003-03-19Put in the new modules system. It's now used by passdb and rpc. I willJelmer Vernooij1-0/+7
put a doc about it in dev-doc later today. (This used to be commit af7bfee0c6902c07fdb8d3abccf4c8d6bab00b5a)
2003-02-22Remove 'unixsam' from the default passdb backends.Andrew Bartlett1-70/+15
The intention is to remove the muliple passdb backends, but we need the 'guest' account to always be there. If the admin adds the guest account to (say) LDAP, there will only be one backend required for operation. This helps remove some nasty behaviours with adding accounts to the system for both the RPC 'create user' and the SAMSYNC code. Users 'added' with an 'add user/machine' script won't magicly appear, and machine accounts 'pre-added' to unix, but not the smbpasswd file will not cause mayhem. This commit also implements somthing tridge discussed with me, the concept of 'default' passdb operation pointers - so that each backend does not need it's own stub funcitons wrapping the default tdb privilages/group mapping code. This also removes an implicit 'sid->name' and 'name->sid' mapping from our own local SID space, to winbind usernames. When adding mapping for NIS/LDAP non-sam users in future, we need to be careful. Andrew Bartlett (This used to be commit 6f32fa234961a525760a05418a08ec48d22d7617)
2002-11-08Make smbpasswd use the group mapping, and fix spelling in ldapsam.Andrew Bartlett1-16/+24
This gets user mangler for doamins working again. Andrew Bartlett (This used to be commit 205209f77f154a2a5d5f7a255194d7953860a4db)
2002-11-04Allow 'normal' accounts in the non-unix-account range for smbpasswd - I hopeAndrew Bartlett1-19/+20
this will fix some of the problems on the build farm @ Compaq (where they have a *lot* of accounts...). (This used to be commit 2c97b7e6480c2731739ccc52af97bc62a6228cfe)
2002-11-04Fix debugAndrew Bartlett1-1/+1
(This used to be commit 5b5b8de70e46a15e9fb9b47c7af6cb0133f41217)
2002-10-21This moves the group mapping API into the passdb backend.Volker Lendecke1-0/+51
Currently this calls back to mapping.c, but we have the framework to get the information into LDAP and the passdb.tdb (should we? I think so..). This has received moderate testing with net rpc vampire and usrmgr. I found the add_groupmem segfault in add_aliasmem as well, but that will be another checkin. Volker (This used to be commit f30095852fea19421ac8e25dfe9c5cd4b2206f84)
2002-10-12Nice *big* patch from metze.Andrew Bartlett1-10/+10
The actual design change is relitivly small however: It all goes back to jerry's 'BOOL store', added to many of the elements in a SAM_ACCOUNT. This ensured that smb.conf defaults did not get 'fixed' into ldap. This was a great win for admins, and this patch follows in the same way. This patch extends the concept - we don't store values back into LDAP unless they have been changed. So if we read a value, but don't update it, or we read a value, find it's not there and use a default, we will not update ldap with that value. This reduced clutter in our LDAP DB, and makes it easier to change defaults later on. Metze's particular problem was that when we 'write back' an unchanged value, we would clear any muliple values in that feild. Now he can still have his mulitivalued 'uid' feild, without Samba changing it for *every* other operation. This also applies to many other attributes, and helps to eliminate a nasty race condition. (Time between get and set) This patch is big, and needs more testing, but metze has tested usrmgr, and I've fixed some pdbedit bugs, and tested domain joins, so it isn't compleatly flawed ;-). The same system will be introduced into the SAM code shortly, but this fixes bugs that people were coming across in production uses of Samba 3.0/HEAD, hence it's inclusion here. Andrew Bartlett (This used to be commit 7f237bde212eb188df84a5d8adb598a93fba8155)
2002-09-26move all the passdb internal interface to NTSTATUSSimo Sorce1-31/+40
only the interface has been fully moved to NTSTATUS not all the plugins make full use of it, but have been all converted. My testings passed completely, however a bit of more testing is welcome Simo. (This used to be commit 102a26e06591928a03b49cd312a65811ed46314f)
2002-08-21More hacks for 'guest account' to get it to show up with the right rid...Andrew Bartlett1-1/+12
Andrew Bartlett (This used to be commit 2795d92268d23063faf5a661279a91f7703d8aac)
2002-08-17Quick hack to get around the inadequacy of pdb_smbpasswd. This should make theAndrew Bartlett1-1/+1
build farm happy again, and allow the 'guest account' to be added to smbpasswd. Andrew Bartlett (This used to be commit 5e5cd2874527dd9a213c4bfcf98a425c39f3f2e2)
2002-08-07Add const to a pile of const to *DOM_SID paramaters.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit fd0ebf976eb6e5fc25bc75ff471c69c3f3761e32)
2002-07-14Fix up a botched prevoius commit.Andrew Bartlett1-11/+10
The idea here is to allow invalid LM passwords in otherwise valid accounts. This happens when we create an account without a password, for example. Previously we would stop at the LM password, and not read things like the account flags correctly. Now we process the record, and just set the password to NULL. (Note, 'no password for access' is decided only on the basis of the Account Control bits, not on the 'NULL' value of the password feild.). Andrew Bartlett (This used to be commit c590e0c970b5babf370924cef51530e5e215eaf2)
2002-07-13Make smbpasswd behave like all the other backends, where a NULL or invalidAndrew Bartlett1-7/+4
LM password isn't anything special. All the users check the ACB nowadays, and this allows us to correctly return flags set via usermgr. Andrew Bartlett (This used to be commit 89eb765d398de7654ba6bac7c51df727830c2591)
2002-06-14Patch from ctrlsoft to use the pdb_sethexpwd function in smbpasswd - insteadAndrew Bartlett1-48/+7
of implementing it twice inline. This code is complex - but occasionally I get the feeling that people made it more complext than it really needed to be... Andrew Bartlett (This used to be commit 273d518e52a83eca466c134531dd12825fe3cbdb)
2002-06-14It looks like we never tested the 'cleanup' code, so when I triggered itAndrew Bartlett1-3/+10
(invalid passdb backends smb.conf entry) we picked up a few things :-). Andrew Bartlett (This used to be commit dfa98ae0ac195956490ca2f4140a8eff1566095e)
2002-06-13Latest patch from metze <metze@metzemix.de> to move most of samba acrossAndrew Bartlett1-3/+4
to using SIDs instead of RIDs. The new funciton sid_peek_check_rid() takes an 'expected domain sid' argument. The idea here is to prevent mistakes where the SID is implict, but isn't the same one that we have in the struct. Andrew Bartlett (This used to be commit 04f9a8ff4c7982f6597c0f6748f85d66d4784901)
2002-05-26change: pdb_getsampwrid() ->pdb_getsampwsid()Simo Sorce1-2/+8
passdb interface change, now the passdb modules will be asked for SID not for rid, the modules have been updated with a passthrough function that calls the old getsampwrid() functions. srv_samr_nt.c functions that made use of the pdb_getsampwrid funcion has been updated to use the SID one. (This used to be commit f5c6496c33fa7f5c2826540ffb4a49d8a5790fb3)
2002-05-18so here it is the code to introduce seriously debugggging classes.Simo Sorce1-0/+2
this is a first step only passdb stuff has beein "classized". - so what can you do? set debug level to: 1 poasdb:10 that will make all the code run at debug level 1 except the code in passdb/* files that will run at level 10 TODO: fix the man page - also smbcontrol has this nice feature so smbcontrol smbd debug 3 passdb:5 will set every smbd to have a default log level of 3 while passdb stuff will be at level 5 and so no.. minor cosmetic fix to pdbedit is there too (This used to be commit be5c3b3f5781ddc002ffcc98df04ab024dcef4ca)
2002-05-18Remove const from some functions to match the changed prototype in aAndrew Bartlett1-7/+5
previous commit, and remove some unsued variables. Main change: Make sure to fill in the username when making a non-unix account from smbpasswd. (This used to be commit 7019486eacb72ca44c42ce620b8696bb29f12292)
2002-05-18Passdb:Andrew Bartlett1-26/+18
Kill off the silly code that attempts to do NT -> Unix username mapping. This is done well before here, no need to repeat it. Add some small fixes and extra debugs, trying to track down current build farm failures. pdb_unix: When 'updating' a pdb_unix account, instead add it to the default passdb. This means that you don't need to specify '-a' to smbpasswd any more when messing with an existing unix user, the account is simply 'upgraded'. The idea here is that these accounts are just as 'real' as any other, they just don't have the extra attributes an smbpasswd file does. I'm open for debate on the pdb_unix issue, and will remove it if given good reason. (without this, an attempt to add an account already in pdb_unix to smbpasswd would fail, as it would fail to update pdb_unix). rpc_server/srv_netlog_nt.c Change a couple of things around, so as to show the client workstation etc. WRONG_PASSWORD is certainly not the right default error. Try ACCESS_DENIED for now. Andrew Bartlett (This used to be commit d78b74b338df9accd9ad84c56a49fa4f787425e2)
2002-05-18A few things in this commit:Andrew Bartlett1-51/+4
cleanup some of the code in net_rpc_join re const warnings and fstrings. Passdb: Make the %u and %U substituions in passdb work. This is done by declaring these paramters to be 'const' and doing the substitution manually. I'm told this is us going full circle, but I can't really see a better way. Finally these things actually seem to work properly... Make the lanman code use the pdb's recorded values for homedir etc rather than the values from lp_*() Add code to set the plaintext password in the passdb, where it can decide how to store/set it. For use with a future 'ldap password change' option, or somthing like that... Add pdb_unix, so as to remove the 'not in passdb' special cases from the local_lookup_*() code. Quite small, as it uses the new 'struct passwd -> SAM_ACCOUNT' code that is now in just one place. (also used by pdb_smbpasswd) Other: Fix up the adding of [homes] at session setup time to actually pass the right string, that is the unix homedir, not the UNC path. Fix up [homes] so that for winbind users is picks the correct name. (bad interactions with the default domain code previously) Change the rpc_server/srv_lsa_nt.c code to match NT when for the SATUS_NONE_MAPPED reply: This was only being triggered on no queries, now it is on the 'no mappings' (ie all mappings failed). Checked against Win2k. Policy Question: Should SID -> unix_user.234/unix_group.364 be considered a mapping or not? Currently it isn't. Andrew Bartlett (This used to be commit c28668068b5a3b3cf3c4317e5fb32ec9957f3e34)
2002-04-13Better handling of uid/gid -> RID and RID -> uid/gid code.Andrew Bartlett1-23/+5
All uids and gids must create valid RIDs, becouse other code expects this, and can't handle the failure case. (ACL code in particular) Allow admins to adjust the base of the RID algorithm, so avoid clashes with users brought in from NT (for example). Put all the algorithm code back in one place, so that this change is global. Better coping with NULL sid pointers - but it still breaks a lot of stuff. BONUS: manpage entry for new paramater :-) counter based rids for normal users in tdbsam is disabled for the timebeing, idra and I will work out some things here soon I hope. Andrew Bartlett (This used to be commit 5275c94cdf0c64f347d4282f47088d084b1a7ea5)
2002-04-13This is the 'multiple pdb backends' patch from ctrlsoft, aka Jelmer VernooijAndrew Bartlett1-17/+17
<jelmer@nl.linux.org>. This patch also includes major rework of pdbedit to use popt, and the addition of -i paramter (allowing the user to specify which PDBs is being operated on) and -e to export a pdb - useful for backup and testing etc. Use of -i and -e gets us pdb2pdb functionality for transition between backends, much like the sam2sam in TNG. Andrew Bartlett (This used to be commit c10def37f506d3f2bab442418ac08fdb62659b02)
2002-03-20Allow a zero rid in pdb_smbpasswd. When given a zero rid the pdb backendAndrew Bartlett1-1/+3
should chose the next available RID. For smbpasswd it just means using the algorithm, but other backends can do somthing more useful. Andrew Bartlett (This used to be commit 0f0f87e6c31b468368c5a4729db892622e616cac)
2002-03-19second step to gain free uid<->rid mappingSimo Sorce1-21/+18
we still need to free gid<->rid mapping and few other stuff (This used to be commit aa4b6f8181f34196a28951264dd8b631a5deef7f)
2002-03-18Start to switch away from the alghorithmic uid->rid mapping modelSimo Sorce1-0/+21
(This used to be commit 724390a8daabbecd236960562e0a50f62c6904f1)
2002-03-06Fix SIGSEGV on error message when trying to add a user to smbpasswd file ↵Jim McDonough1-1/+1
without a unix account. (This used to be commit 2fdd601f2efaf3515f0e4c30fa176651eb4bb387)
2002-03-02This patch merges my private LDAP tree into HEAD.Andrew Bartlett1-1/+1
The main change here is to move ldap into the new pluggable passdb subsystem and to take the LDAP location as a 'location' paramter on the 'passdb backend' line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported, and by hand where it isn't. It also adds the ldap user suffix and ldap machine suffix smb.conf options, so that machines added to the LDAP dir don't get mixed in with people. Non-unix account support is also added. This means that machines don't need to be in /etc/passwd or in nss_ldap's scope. This code has stood up well under my production environment, so it relitivly well tested. I'm commiting this now becouse others have shown interest in using it, and there is no point 'hording' the code :-). Andrew Bartlett (This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
2002-01-30Removed version number from file header.Tim Potter1-2/+2
Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2002-01-25Passdb changes:Andrew Bartlett1-1/+4
Modules now name themselves, which should allow for sane behaviour when we get an 'extern' passdb module (which in turn loads a .so). Fix up tdbsam for non-unix-accounts. Not sure if this fixes idra's bug, but its a start... Andrew Bartlett (This used to be commit 7d576d89d7b4a7b95e87a844568d7d7cd89f0542)
2002-01-20This is another *BIG* change...Andrew Bartlett1-201/+331
Samba now features a pluggable passdb interface, along the same lines as the one in use in the auth subsystem. In this case, only one backend may be active at a time by the 'normal' interface, and only one backend per passdb_context is permitted outside that. This pluggable interface is designed to allow any number of passdb backends to be compiled in, with the selection at runtime. The 'passdb backend' paramater has been created (and documented!) to support this. As such, configure has been modfied to allow (for example) --with-ldap and the old smbpasswd to be selected at the same time. This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua. These two backends accept 'non unix accounts', where the user does *not* exist in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to avoid conflicts in the algroitmic mapping of RIDs, they use the values specified in the 'non unix account range' paramter - in the same way as the winbind ranges are specifed. While I was at it, I cleaned up some of the code in pdb_tdb (code copied directly from smbpasswd and not really considered properly). Most of this was to do with % macro expansion on stored data. It isn't easy to get the macros into the tdb, and the first password change will 'expand' them. tdbsam needs to use a similar system to pdb_ldap in this regard. This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I don't have the test facilities for these. I plan to incoroprate at least pdb_ldap into this scheme after consultation with Jerry. Each (converted) passdb module now no longer has any 'static' variables, and only exports 1 init function outside its .c file. The non-unix-account support in this patch has been proven! It is now possible to join a win2k machine to a Samba PDC without an account in /etc/passwd! Other changes: Minor interface adjustments: pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*. pdb_update_sam_account() no longer takes the 'override' argument that was being ignored so often (every other passdb backend). Extra checks have been added in some places. Minor code changes: smbpasswd no longer attempts to initialise the passdb at startup, this is now done on first use. pdbedit has lost some of its 'machine account' logic, as this behaviour is now controlled by the passdb subsystem directly. The samr subsystem no longer calls 'local password change', but does the pdb interactions directly. This allow the ACB_ flags specifed to be transferred direct to the backend, without interference. Doco: I've updated the doco to reflect some of the changes, and removed some paramters no longer applicable to HEAD. (This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-17A nice *big* change to the fundemental way we do things.Andrew Bartlett1-3/+5
Samba (ab)uses the returns from getpwnam() a lot - in particular it keeps them around for a long time - often past the next call... This adds a getpwnam_alloc and a getpwuid_alloc to the collection. These function as expected, returning a malloced structure that can be free()ed with passwd_free(&passwd). This patch also cuts down on the number of calls to getpwnam - mostly by taking advantage of the fact that the passdb interface is already case-insensiteve. With this patch most of the recursive cases have been removed (that I know of) and the problems are reduced further by not using the sys_ interface in the new code. This means that pointers to the cache won't be affected. (This is a tempoary HACK, I intend to kill the password cache entirly). The only change I'm a little worried about is the change to rpc_server/srv_samr_nt.c for private groups. In this case we are getting groups from the new group mapping DB. Do we still need to check for private groups? I've toned down the check to a case sensitve match with the new code, but we might be able to kill it entirly. I've also added a make_modifyable_passwd() function, that copies a passwd struct into the form that the old sys_getpw* code provided. As far as I can tell this is only actually used in the pass_check.c crazies, where I moved the final 'special case' for shadow passwords (out of _Get_Pwnam()). The matching case for getpwent() is dealt with already, in lib/util_getent.c Also included in here is a small change to register the [homes] share at vuid creation rather than just in one varient of the session setup. (This picks up the SPNEGO cases). The home directory is now stored on the vuid, and I am hoping this might provide a saner way to do %H substitions. TODO: Kill off remaining Get_Pwnam_Modify calls (they are not needed), change the remaining sys_getpwnam() callers to use getpwnam_alloc() and move Get_Pwnam to return an allocated struct. Andrew Bartlett (This used to be commit 1d86c7f94230bc53daebd4d2cd829da6292e05da)
2001-12-31some merges from 2.2. Still need to merge in changes from pdb_tdb.cGerald Carter1-7/+7
but it will take more time as I don't want to loose any fixes that are only in HEAD. (This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
2001-12-30pdb_getsampwnuid() merge from 2.2Gerald Carter1-42/+0
(This used to be commit 54cbfc7ebcdf1bd2094407b689b0050f0abfa46f)
2001-12-27moving SAM_ACCOUNT to include a bit field for initializedGerald Carter1-10/+12
members (such as uid and gid). This way we will be able to keep ourselves from writing out default smb.conf settings when the admin doesn't want to, That part is not done yet. Tested compiles with ldap/tdb/smbpasswd. Tested connection with smbpasswd backend. oh...and smbpasswd doesn'y automatically expire accounts after 21 days from the last password change either now. Just ifdef'd out that code in build_sam_account(). Will merge updates into 2.2 as they are necessary. jerry (This used to be commit f0d43791157d8f04a13a07d029f203ad4384d317)
2001-12-06again an intrusive patch:Jean-François Micouleau1-15/+5
- removed the ugly as hell sam_logon_in_ssb variable, I changed a bit the definition of standard_sub_basic() to cope with that. - removed the smb.conf: 'domain admin group' and 'domain guest group' parameters ! We're not playing anymore with the user's group RIDs ! - in get_domain_user_groups(), if the user's gid is a group, put it first in the group RID list. I just have to write an HOWTO now ;-) J.F. (This used to be commit fef52c4b96c987115fb1818c00c2352c67790e50)
2001-12-04added a boolean to the group mapping functions to specify if we need orJean-François Micouleau1-2/+1
not the privileges. Usually we don't need them, so the memory is free early. lib/util_sid.c: added some helper functions to check an SID. passdb/passdb.c: renamed local_lookup_rid() to local_lookup_sid() and pass an RID all the way. If the group doesn't exist on the domain SID, don't return a faked one as it can collide with a builtin one. Some rpc structures have been badly designed, they return only rids and force the client to do subsequent lsa_lookup_sid() on the domain sid and the builtin sid ! rpc_server/srv_util.c: wrote a new version of get_domain_user_groups(). Only the samr code uses it atm. It uses the group mapping code instead of a bloody hard coded crap. The netlogon code will use it too, but I have to do some test first. J.F. (This used to be commit 6c87e96149101995b7d049657d5c26eefef37d8c)
2001-12-02added mapping of primary gid to rid thru the group mapping code.Jean-François Micouleau1-3/+28
and cleanup and comments in passdb/passdb.c J.F. (This used to be commit 6533339887832ca6dd42d99385c615db7bee3d43)
2001-11-27unable to open smbpasswd on initial create should only be a warningAndrew Tridgell1-1/+1
(This used to be commit 8712ac84995f8454619245ca111575d4b9769b43)
2001-11-24This is another rather major change to the samba authenticaionAndrew Bartlett1-1/+1
subystem. The particular aim is to modularized the interface - so that we can have arbitrary password back-ends. This code adds one such back-end, a 'winbind' module to authenticate against the winbind_auth_crap functionality. While fully-functional this code is mainly useful as a demonstration, because we don't get back the info3 as we would for direct ntdomain authentication. This commit introduced the new 'auth methods' parameter, in the spirit of the 'auth order' discussed on the lists. It is renamed because not all the methods may be consulted, even if previous methods fail - they may not have a suitable challenge for example. Also, we have a 'local' authentication method, for old-style 'unix if plaintext, sam if encrypted' authentication and a 'guest' module to handle guest logins in a single place. While this current design is not ideal, I feel that it does provide a better infrastructure than the current design, and can be built upon. The following parameters have changed: - use rhosts = This has been replaced by the 'rhosts' authentication method, and can be specified like 'auth methods = guest rhosts' - hosts equiv = This needs both this parameter and an 'auth methods' entry to be effective. (auth methods = guest hostsequiv ....) - plaintext to smbpasswd = This is replaced by specifying 'sam' rather than 'local' in the auth methods. The security = parameter is unchanged, and now provides defaults for the 'auth methods' parameter. The available auth methods are: guest rhosts hostsequiv sam (passdb direct hash access) unix (PAM, crypt() etc) local (the combination of the above, based on encryption) smbserver (old security=server) ntdomain (old security=domain) winbind (use winbind to cache DC connections) Assistance in testing, or the production of new and interesting authentication modules is always appreciated. Andrew Bartlett (This used to be commit 8d31eae52a9757739711dbb82035a4dfe6b40c99)
2001-10-31This is a farily large patch (3300 lines) and reworks most of the AuthRewriteAndrew Bartlett1-6/+17
code. In particular this assists tpot in some of his work, becouse it provides the connection between the authenticaion and the vuid generation. Major Changes: - Fully malloc'ed structures. - Massive rework of the code so that all structures are made and destroyed using malloc and free, rather than hanging around on the stack. - SAM_ACCOUNT unix uids and gids are now pointers to the same, to allow them to be declared 'invalid' without the chance that people might get ROOT by default. - kill off some of the "DOMAIN\user" lookups. These can be readded at a more appropriate place (probably domain_client_validate.c) in the future. They don't belong in session setups. - Massive introduction of DATA_BLOB structures, particularly for passwords. - Use NTLMSSP flags to tell the backend what its getting, rather than magic lenghths. - Fix winbind back up again, but tpot is redoing this soon anyway. - Abstract much of the work in srv_netlog_nt back into auth helper functions. This is a LARGE change, and any assistance is testing it is appriciated. Domain logons are still broken (as far as I can tell) but other functionality seems intact. Needs testing with a wide variety of MS clients. Andrew Bartlett (This used to be commit f70fb819b2f57bd57232b51808345e2319d52f6c)
2001-10-29This commit is number 4 of 4.Andrew Bartlett1-8/+8
In particular this commit focuses on: Actually adding the 'const' to the passdb interface, and the flow-on changes. Also kill off the 'disp_info' stuff, as its no longer used. While these changes have been mildly tested, and are pretty small, any assistance in this is appreciated. ---- These changes introduces a large dose of 'const' to the Samba tree. There are a number of good reasons to do this: - I want to allow the SAM_ACCOUNT structure to move from wasteful pstrings and fstrings to allocated strings. We can't do that if people are modifying these outputs, as they may well make assumptions about getting pstrings and fstrings - I want --with-pam_smbpass to compile with a slightly sane volume of warnings, currently its pretty bad, even in 2.2 where is compiles at all. - Tridge assures me that he no longer opposes 'const religion' based on the ability to #define const the problem away. - Changed Get_Pwnam(x,y) into two variants (so that the const parameter can work correctly): - Get_Pwnam(const x) and Get_Pwnam_Modify(x). - Reworked smbd/chgpasswd.c to work with these mods, passing around a 'struct passwd' rather than the modified username --- This finishes this line of commits off, your tree should now compile again :-) Andrew Bartlett (This used to be commit c95f5aeb9327347674589ae313b75bee3bf8e317)
2001-10-29This commit is number 2 of 4.Andrew Bartlett1-42/+42
In particular this commit focuses on: The guts of the moving about inside passdb. While these changes have been mildly tested, and are pretty small, any assistance in this is appreciated. ---- These changes allow for the introduction of a large dose of 'const' to the Samba tree. There are a number of good reasons to do this: - I want to allow the SAM_ACCOUNT structure to move from wasteful pstrings and fstrings to allocated strings. We can't do that if people are modifying these outputs, as they may well make assumptions about getting pstrings and fstrings - I want --with-pam_smbpass to compile with a slightly sane volume of warnings, currently its pretty bad, even in 2.2 where is compiles at all. - Tridge assures me that he no longer opposes 'const religion' based on the ability to #define const the problem away. - Changed Get_Pwnam(x,y) into two variants (so that the const parameter can work correctly): - Get_Pwnam(const x) and Get_Pwnam_Modify(x). - Reworked smbd/chgpasswd.c to work with these mods, passing around a 'struct passwd' rather than the modified username passdb/ - Kill off disp_info stuff, it isn't used any more - Kill off support for writing to the old smbpasswd format, it isn't relevent to Samba 3.0 - Move around and modify the pdb_...() helper functions, adding one that sets the last changed time to 'now' and that sets the must change time appropriately. - Remove the ugly forced update of the LCT- value in pdb_smbpasswd. - Remove the implicit modification of the ACB flags when both NT and LM passwords are set. - Removed substation in pdb_getsampwnam output, as a single password change will render them inoperable in any case (they will be substituted and stored) - Added a default RID to the init_sam_from_pw() function, based on our rid algorithm. - Added checks that an smbpasswd stored user has a uid-based RID. - Fail to store tdb based users without a RID lib/ - Change the substituion code to use global_myname if there is no connection (and therefore no called name) at the present time. (This used to be commit 8f607810eb24ed1157bbd2e896c2c167bc34d986)