Age | Commit message (Collapse) | Author | Files | Lines |
|
We really need idmap_ldap to have a good solution with ldapsam, porting
it from the prvious code is beeing made, the code is really simple to do
so I am confident it is not a problem to commit this code in.
Not committing it would have been worst.
I really would have been able to finish also the group code, maybe we can
put it into a followin release after 3.0.0 even if it may be an upgrade
problem.
The code has been tested and seem to work right, more testing is needed for
corner cases.
Currently winbind pdc (working only for users and not for groups) is
disabled as I was not able to make a complete group code replacement that
works somewhat in a week (I have a complete patch, but there are bugs)
Simo.
(This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
|
|
lp_workgroup(), for all other server this is global_myname().
This is the name of the domain for accounts on *this* system, and getting
this wrong caused interesting bugs with 'take ownership' on member servers
and standalone servers at Snap.
(They lookup the username that they got, then convert that to a SID - but
becouse the domain out of the smbpasswd entry was wrong, we would fail the
lookup).
Andrew Bartlett
(This used to be commit 5fc78eba20411f3f5a8ccadfcba5c4ab73180dba)
|
|
function. Patch by metze with some minor modifications.
(This used to be commit bc4b51bcb2daa7271c884cb83bf8bdba6d3a9b6d)
|
|
This patch removes 'non unix account range' (same as idra's change in HEAD),
and uses the winbind uid range instead.
More importanly, this patch changes the LDAP schema to use 'ntSid' instead
of 'rid' as the primary attribute. This makes it in common with the group
mapping code, and should allow it to be used closely with a future idmap_ldap.
Existing installations can use the existing functionality by using the
ldapsam_compat backend, and users who compile with --with-ldapsam will get
this by default.
More importantly, this patch adds a 'sambaDomain' object to our schema -
which contains 2 'next rid' attributes, the domain name and the domain sid.
Yes, there are *2* next rid attributes. The problem is that we don't 'own'
the entire RID space - we can only allocate RIDs that could be 'algorithmic'
RIDs. Therefore, we use the fact that UIDs in 'winbind uid' range will be
mapped by IDMAP, not the algorithm.
Andrew Bartlett
(This used to be commit 3e07406ade81e136f67439d4f8fd7fe1dbb6db14)
|
|
(This used to be commit 1755d5f66221a910863cfc8a197f8d792e6b6e3d)
|
|
- pdb_guest (including change defaults)
- 'default' passdb actions (instead of 'not implemented' stubs in each module)
- net_rpc_samsync no longer assumes pdb_unix
Andrew Bartlett
(This used to be commit 4bec53c8c81019f0f06a93c4df0800bbf7281dd6)
|
|
- change auth_sam to use the initialisation flags to determine if
the password attributes are set
- add const to secrets.c, cliconnect.c
- passdb: fix spelling in pdb_ldap, add group mapping back to smbpasswd
- SAMR: add debugs to show what fails for group enum.
Andrew Bartlett
(This used to be commit 4e74d00b3634abf52aa24bfaa6dbe88202aa57a1)
|
|
support from HEAD -> 3.0
Andrew Bartlett
(This used to be commit 89d8ebd520e2a441e6d5b6b8adb6c483b0131adc)
|
|
The work here includes:
- metze' set/changed patch, which avoids making changes to ldap on unmodified
attributes.
- volker's group mapping in passdb patch
- volker's samsync stuff
- volkers SAMR changes.
- mezte's connection caching patch
- my recent changes (fix magic root check, ldap ssl)
Andrew Bartlett
(This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
|
|
(This used to be commit ee9cbf58071adb627a49a94c6340aaba330486b5)
|
|
(This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
|
|
(This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
|
|
(This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
|
|
should chose the next available RID. For smbpasswd it just means using the algorithm, but other backends can do somthing more useful.
Andrew Bartlett
(This used to be commit 0f0f87e6c31b468368c5a4729db892622e616cac)
|
|
we still need to free gid<->rid mapping and few other stuff
(This used to be commit aa4b6f8181f34196a28951264dd8b631a5deef7f)
|
|
(This used to be commit 724390a8daabbecd236960562e0a50f62c6904f1)
|
|
without a unix account.
(This used to be commit 2fdd601f2efaf3515f0e4c30fa176651eb4bb387)
|
|
The main change here is to move ldap into the new pluggable passdb subsystem
and to take the LDAP location as a 'location' paramter on the 'passdb backend'
line in the smb.conf. This is an LDAP URL, parsed by OpenLDAP where supported,
and by hand where it isn't.
It also adds the ldap user suffix and ldap machine suffix smb.conf options,
so that machines added to the LDAP dir don't get mixed in with people.
Non-unix account support is also added. This means that machines don't need to
be in /etc/passwd or in nss_ldap's scope.
This code has stood up well under my production environment, so it relitivly
well tested.
I'm commiting this now becouse others have shown interest in using it, and
there is no point 'hording' the code :-).
Andrew Bartlett
(This used to be commit cd5234d7dd7309d88944b83d807c1f1c2ca0460a)
|
|
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
(This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
|
|
Modules now name themselves, which should allow for sane behaviour when we get
an 'extern' passdb module (which in turn loads a .so).
Fix up tdbsam for non-unix-accounts. Not sure if this fixes idra's bug, but
its a start...
Andrew Bartlett
(This used to be commit 7d576d89d7b4a7b95e87a844568d7d7cd89f0542)
|
|
Samba now features a pluggable passdb interface, along the same lines as the
one in use in the auth subsystem. In this case, only one backend may be active
at a time by the 'normal' interface, and only one backend per passdb_context is
permitted outside that.
This pluggable interface is designed to allow any number of passdb backends to
be compiled in, with the selection at runtime. The 'passdb backend' paramater
has been created (and documented!) to support this.
As such, configure has been modfied to allow (for example) --with-ldap and the
old smbpasswd to be selected at the same time.
This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua.
These two backends accept 'non unix accounts', where the user does *not* exist
in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to
avoid conflicts in the algroitmic mapping of RIDs, they use the values
specified in the 'non unix account range' paramter - in the same way as the
winbind ranges are specifed.
While I was at it, I cleaned up some of the code in pdb_tdb (code copied
directly from smbpasswd and not really considered properly). Most of this was
to do with % macro expansion on stored data. It isn't easy to get the macros
into the tdb, and the first password change will 'expand' them. tdbsam needs
to use a similar system to pdb_ldap in this regard.
This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I
don't have the test facilities for these. I plan to incoroprate at least
pdb_ldap into this scheme after consultation with Jerry.
Each (converted) passdb module now no longer has any 'static' variables, and
only exports 1 init function outside its .c file.
The non-unix-account support in this patch has been proven! It is now possible
to join a win2k machine to a Samba PDC without an account in /etc/passwd!
Other changes:
Minor interface adjustments:
pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*.
pdb_update_sam_account() no longer takes the 'override' argument that was being
ignored so often (every other passdb backend). Extra checks have been added in
some places.
Minor code changes:
smbpasswd no longer attempts to initialise the passdb at startup, this is
now done on first use.
pdbedit has lost some of its 'machine account' logic, as this behaviour is now
controlled by the passdb subsystem directly.
The samr subsystem no longer calls 'local password change', but does the pdb
interactions directly. This allow the ACB_ flags specifed to be transferred
direct to the backend, without interference.
Doco:
I've updated the doco to reflect some of the changes, and removed some paramters
no longer applicable to HEAD.
(This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
|
|
Samba (ab)uses the returns from getpwnam() a lot - in particular it keeps
them around for a long time - often past the next call...
This adds a getpwnam_alloc and a getpwuid_alloc to the collection.
These function as expected, returning a malloced structure that can be
free()ed with passwd_free(&passwd).
This patch also cuts down on the number of calls to getpwnam - mostly by
taking advantage of the fact that the passdb interface is already
case-insensiteve.
With this patch most of the recursive cases have been removed (that I know
of) and the problems are reduced further by not using the sys_ interface
in the new code. This means that pointers to the cache won't be affected.
(This is a tempoary HACK, I intend to kill the password cache entirly).
The only change I'm a little worried about is the change to
rpc_server/srv_samr_nt.c for private groups. In this case we are getting
groups from the new group mapping DB. Do we still need to check for private
groups? I've toned down the check to a case sensitve match with the new code,
but we might be able to kill it entirly.
I've also added a make_modifyable_passwd() function, that copies a passwd
struct into the form that the old sys_getpw* code provided. As far as I can
tell this is only actually used in the pass_check.c crazies, where I moved
the final 'special case' for shadow passwords (out of _Get_Pwnam()).
The matching case for getpwent() is dealt with already, in lib/util_getent.c
Also included in here is a small change to register the [homes] share at vuid
creation rather than just in one varient of the session setup. (This picks
up the SPNEGO cases). The home directory is now stored on the vuid, and I
am hoping this might provide a saner way to do %H substitions.
TODO: Kill off remaining Get_Pwnam_Modify calls (they are not needed), change
the remaining sys_getpwnam() callers to use getpwnam_alloc() and move
Get_Pwnam to return an allocated struct.
Andrew Bartlett
(This used to be commit 1d86c7f94230bc53daebd4d2cd829da6292e05da)
|
|
but it will take more time as I don't want to loose any fixes that
are only in HEAD.
(This used to be commit efcde5d9d8ce44c0613764504d797be54ba21473)
|
|
(This used to be commit 54cbfc7ebcdf1bd2094407b689b0050f0abfa46f)
|
|
members (such as uid and gid). This way we will be able to
keep ourselves from writing out default smb.conf settings when
the admin doesn't want to, That part is not done yet.
Tested compiles with ldap/tdb/smbpasswd. Tested connection with smbpasswd
backend.
oh...and smbpasswd doesn'y automatically expire accounts after 21 days
from the last password change either now. Just ifdef'd out that code
in build_sam_account().
Will merge updates into 2.2 as they are necessary.
jerry
(This used to be commit f0d43791157d8f04a13a07d029f203ad4384d317)
|
|
- removed the ugly as hell sam_logon_in_ssb variable, I changed a bit the
definition of standard_sub_basic() to cope with that.
- removed the smb.conf: 'domain admin group' and 'domain guest group'
parameters ! We're not playing anymore with the user's group RIDs !
- in get_domain_user_groups(), if the user's gid is a group, put it first
in the group RID list.
I just have to write an HOWTO now ;-)
J.F.
(This used to be commit fef52c4b96c987115fb1818c00c2352c67790e50)
|
|
not the privileges. Usually we don't need them, so the memory is free
early.
lib/util_sid.c: added some helper functions to check an SID.
passdb/passdb.c: renamed local_lookup_rid() to local_lookup_sid() and pass
an RID all the way. If the group doesn't exist on the domain SID,
don't return a faked one as it can collide with a builtin one. Some rpc
structures have been badly designed, they return only rids and force the
client to do subsequent lsa_lookup_sid() on the domain sid and the builtin
sid !
rpc_server/srv_util.c: wrote a new version of get_domain_user_groups().
Only the samr code uses it atm. It uses the group mapping code instead of
a bloody hard coded crap. The netlogon code will use it too, but I have to
do some test first.
J.F.
(This used to be commit 6c87e96149101995b7d049657d5c26eefef37d8c)
|
|
and cleanup and comments in passdb/passdb.c
J.F.
(This used to be commit 6533339887832ca6dd42d99385c615db7bee3d43)
|
|
(This used to be commit 8712ac84995f8454619245ca111575d4b9769b43)
|
|
subystem.
The particular aim is to modularized the interface - so that we
can have arbitrary password back-ends.
This code adds one such back-end, a 'winbind' module to authenticate
against the winbind_auth_crap functionality. While fully-functional
this code is mainly useful as a demonstration, because we don't get
back the info3 as we would for direct ntdomain authentication.
This commit introduced the new 'auth methods' parameter, in the
spirit of the 'auth order' discussed on the lists. It is renamed
because not all the methods may be consulted, even if previous
methods fail - they may not have a suitable challenge for example.
Also, we have a 'local' authentication method, for old-style
'unix if plaintext, sam if encrypted' authentication and a
'guest' module to handle guest logins in a single place.
While this current design is not ideal, I feel that it does
provide a better infrastructure than the current design, and can
be built upon.
The following parameters have changed:
- use rhosts =
This has been replaced by the 'rhosts' authentication method,
and can be specified like 'auth methods = guest rhosts'
- hosts equiv =
This needs both this parameter and an 'auth methods' entry
to be effective. (auth methods = guest hostsequiv ....)
- plaintext to smbpasswd =
This is replaced by specifying 'sam' rather than 'local'
in the auth methods.
The security = parameter is unchanged, and now provides defaults
for the 'auth methods' parameter.
The available auth methods are:
guest
rhosts
hostsequiv
sam (passdb direct hash access)
unix (PAM, crypt() etc)
local (the combination of the above, based on encryption)
smbserver (old security=server)
ntdomain (old security=domain)
winbind (use winbind to cache DC connections)
Assistance in testing, or the production of new and interesting
authentication modules is always appreciated.
Andrew Bartlett
(This used to be commit 8d31eae52a9757739711dbb82035a4dfe6b40c99)
|
|
code.
In particular this assists tpot in some of his work, becouse it provides the
connection between the authenticaion and the vuid generation.
Major Changes:
- Fully malloc'ed structures.
- Massive rework of the code so that all structures are made and destroyed
using malloc and free, rather than hanging around on the stack.
- SAM_ACCOUNT unix uids and gids are now pointers to the same, to allow them
to be declared 'invalid' without the chance that people might get ROOT by
default.
- kill off some of the "DOMAIN\user" lookups. These can be readded at a more
appropriate place (probably domain_client_validate.c) in the future. They
don't belong in session setups.
- Massive introduction of DATA_BLOB structures, particularly for passwords.
- Use NTLMSSP flags to tell the backend what its getting, rather than magic
lenghths.
- Fix winbind back up again, but tpot is redoing this soon anyway.
- Abstract much of the work in srv_netlog_nt back into auth helper functions.
This is a LARGE change, and any assistance is testing it is appriciated.
Domain logons are still broken (as far as I can tell) but other functionality
seems
intact.
Needs testing with a wide variety of MS clients.
Andrew Bartlett
(This used to be commit f70fb819b2f57bd57232b51808345e2319d52f6c)
|
|
In particular this commit focuses on:
Actually adding the 'const' to the passdb interface, and the flow-on changes.
Also kill off the 'disp_info' stuff, as its no longer used.
While these changes have been mildly tested, and are pretty small, any
assistance in this is appreciated.
----
These changes introduces a large dose of 'const' to the Samba tree.
There are a number of good reasons to do this:
- I want to allow the SAM_ACCOUNT structure to move from wasteful
pstrings and fstrings to allocated strings. We can't do that if
people are modifying these outputs, as they may well make
assumptions about getting pstrings and fstrings
- I want --with-pam_smbpass to compile with a slightly sane
volume of warnings, currently its pretty bad, even in 2.2
where is compiles at all.
- Tridge assures me that he no longer opposes 'const religion'
based on the ability to #define const the problem away.
- Changed Get_Pwnam(x,y) into two variants (so that the const
parameter can work correctly): - Get_Pwnam(const x) and
Get_Pwnam_Modify(x).
- Reworked smbd/chgpasswd.c to work with these mods, passing
around a 'struct passwd' rather than the modified username
---
This finishes this line of commits off, your tree should now compile again :-)
Andrew Bartlett
(This used to be commit c95f5aeb9327347674589ae313b75bee3bf8e317)
|
|
In particular this commit focuses on:
The guts of the moving about inside passdb.
While these changes have been mildly tested, and are pretty small, any
assistance in this is appreciated.
----
These changes allow for the introduction of a large dose of 'const' to
the Samba tree.
There are a number of good reasons to do this:
- I want to allow the SAM_ACCOUNT structure to move from wasteful
pstrings and fstrings to allocated strings. We can't do that if
people are modifying these outputs, as they may well make
assumptions about getting pstrings and fstrings
- I want --with-pam_smbpass to compile with a slightly sane
volume of warnings, currently its pretty bad, even in 2.2
where is compiles at all.
- Tridge assures me that he no longer opposes 'const religion'
based on the ability to #define const the problem away.
- Changed Get_Pwnam(x,y) into two variants (so that the const
parameter can work correctly): - Get_Pwnam(const x) and
Get_Pwnam_Modify(x).
- Reworked smbd/chgpasswd.c to work with these mods, passing
around a 'struct passwd' rather than the modified username
passdb/
- Kill off disp_info stuff, it isn't used any more - Kill off
support for writing to the old smbpasswd format, it isn't relevent
to Samba 3.0
- Move around and modify the pdb_...() helper functions, adding
one that sets the last changed time to 'now' and that sets the
must change time appropriately.
- Remove the ugly forced update of the LCT- value in
pdb_smbpasswd. - Remove the implicit modification of the ACB
flags when both NT and LM passwords are set.
- Removed substation in pdb_getsampwnam output, as a single
password change will render them inoperable in any case (they
will be substituted and stored)
- Added a default RID to the init_sam_from_pw() function, based on
our rid algorithm.
- Added checks that an smbpasswd stored user has a uid-based RID.
- Fail to store tdb based users without a RID
lib/
- Change the substituion code to use global_myname if there is
no connection (and therefore no called name) at the present time.
(This used to be commit 8f607810eb24ed1157bbd2e896c2c167bc34d986)
|
|
change these timestamp settings without good reason.
Remove CLEAR_IF_FIRST flag is tdb is read-only.
Jeremy.
(This used to be commit a71d9d98b013a6c30fd85524b7cdc929bdbd9bcb)
|
|
other access. Problem was max time was being set to 0xffffffff, instead of
0x7fffffff.
Jeremy.
(This used to be commit 94403d841710391ec26539e4b4157439d5778ff7)
|
|
(This used to be commit 2d0922b0eabfdc0aaf1d0797482fef47ed7fde8e)
|
|
- move the arbitrary 21 day timeout to local.h
(This used to be commit 11075f543470c3283accce0246d0b2983420695a)
|
|
Jeremy.
(This used to be commit 611bf806d569b70edabbc04a2f5408142370a550)
|
|
(This used to be commit 64d35e94fe6f7e56353b286162f670c8595a90e6)
|
|
lib/smbpasswd.c which will contain routines related to manipulating
smbpasswd entries.
- renamed and moved pdb_{get,set}hexpwd() functions
- renamed and moved pdb_{decode,encode}acct_ctrl() functions
- started hiding references to the cruftalicious
NEW_PW_FORMAT_SPACE_PADDED_LEN constant
- started gradual rename of references to acct_ctrl to acb_info which is
the nomenclature used in MSDN and header files
There's still more work to be done. Currently there are several places
where smbpasswd entries are iterated etc. Ideally this should all happen
through the passdb system.
(This used to be commit 4a01e240305fb6fead973beef4937a016b15d744)
|
|
(This used to be commit 97b5499def99016b4baf97343597f1b218a69399)
|
|
(This used to be commit ef01739708479c43f529c646dd136ee5670b08f9)
|
|
can't redefine them. damn.
(This used to be commit c41fc06376d1a2b83690612304e85010b5e5f3cf)
|
|
I did some basic tests but I have probably broken something. Notably the
password changing. So don't cry ;-)
J.F.
(This used to be commit a4a4c02b12f030a3b9e6225b999c90689dfc4719)
|
|
(This used to be commit 0feaac00a1847af41464d4ce35821ff851cded9c)
|
|
for memory allocation. This fixes a long standing seg fault
(i knew i would get around to it one day :) )
Tested with NT4 and Win2k. Needs a little more testing with the
"create the machine account on the fly" code for NT4.
Simo, this is probably going to break the tdb passdb code.
Can you look at that when you get a chance and see what you think?
(This used to be commit 1c13110873e456748dc09fd51749f664643fe888)
|
|
(This used to be commit f52a5014ee325f9d91f266f88eac51b6136a75b9)
|
|
(This used to be commit af62692e623429ca861905a0ac050b00a3bffdb0)
|
|
system header files...
Jeremy.
(This used to be commit 31e0ce310ec38b3a3a05b344d6450d442c6be471)
|
|
Currently does exactly the same thing (returns ACLs the same way). This
code is written to try and get a POSIX ACL via the abstract sys_XX interface,
then fall back to providing a UNIX based ACL if the calls fail. Seems to
work. Next step is to add a --with-posix-acls to configure.in and then
check on a POSIX ACL system that a complex ACL is returned correctly
as an NT ACL. Note that the ACL set (a more complex problem) is not
addressed yet.
Jeremy.
(This used to be commit 4339e20202a876dbadc07980b731f711463b7299)
|