summaryrefslogtreecommitdiff
path: root/source3/passdb
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r4736: small set of merges from rtunk to minimize the diffsGerald Carter2-19/+1
(This used to be commit 4b351f2fcc365a7b7f8c22b5139c299aa54c9458)
2007-10-10r4724: Add support for Windows privileges in Samba 3.0Gerald Carter3-366/+14
(based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison13-40/+40
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r3974: - Fix assignment of a couple of fields in pdb_{mysql,pgsql}Jelmer Vernooij3-8/+9
- Use new DTD URL in pdb_xml (This used to be commit 99dc2f36d1f637906d47e98dbd4d5eb1f1cc4357)
2007-10-10r3948: Fix incorrect declaration. Bug #2083.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 05b905a28f349a2741e0963e41ad624a8f0b9fb8)
2007-10-10r3931: Fix all "may be used uninitialized" and "shadow" warnings.Jeremy Allison1-0/+3
Jeremy. (This used to be commit 8e979772a640bb4f00f4d72b6a9c837b8ef14333)
2007-10-10r3883: Fix error return -- thanks to rsharpeVolker Lendecke1-1/+1
(This used to be commit 2d952c86c7e92fff48b4773ab46987d905b214cc)
2007-10-10r3875: Allow to look up at least or own sid in _lsa_lookup_sids.Günther Deschner2-0/+15
This fixes Bugzilla #1076 and Exchange 5.5 SP4 can then be finally installed on NT4 in a samba-controlled domain. Guenther (This used to be commit bb191c1098dea06bf2cd89276c74e32279fbb3d4)
2007-10-10r3871: Fix memleakVolker Lendecke1-1/+3
(This used to be commit dbfdde5f63f34fbe4ba1d794fcfc120178ff039a)
2007-10-10r3852: Fix the build...Volker Lendecke1-1/+1
(This used to be commit 3bd72b864f18f6fad0357c8aa632121f14e422ab)
2007-10-10r3705: Nobody has commented, so I'll take this as an ack...Volker Lendecke2-0/+143
abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2007-10-10r3704: Implement a cache get saves the result of a pdb_getsampwnam for laterVolker Lendecke1-1/+27
retrieval by pdb_getsampwsid. This solves our problem that we do lots of calls to LDAP during a typical XP login. XP does a lookupnames, then an openuser and some queryinfo stuff. Lookupnames triggers the initial getsampwnam, and all the subsequent ones make us call getsampwsid. This patch gets this down to one call to LDAP. Yes, a more "correct" way would be to stick the information to the open user handle, but this one is simpler and saves the LDAP roundtrip for the openuser call. Volker (This used to be commit 3d9758fa3c584bb25eca0b7ed04af4ddfeba315f)
2007-10-10r3628: A typo and a compile-warning.Günther Deschner2-2/+2
Guenther (This used to be commit 906d5f88aabf091ee273e0ed9c3d2947b22c5390)
2007-10-10r3566: Completely replace the queryuseraliases call. The previous ↵Volker Lendecke3-43/+60
implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2007-10-10r3563: During a typical logon a modern workstation makes a lot of anonymous ↵Volker Lendecke1-0/+22
session setups on its way to open a pipe. This gets rid of many round-trips to the LDAP server during logon by setting up the server_info_guest once and not asking the LDAP server and nss every time. Make sure that the ldap connection is reopened in the child. (I did not look at the sql backends.) Volker (This used to be commit 3298f6105e6a88c9390cac02245c8f2eee1e5046)
2007-10-10r2923: Fix some obvious copy/paste leftover debug-messages.Günther Deschner1-8/+8
Guenther (This used to be commit 94f48d06c774eb137fef70063e6f29e5d5a6ba9d)
2007-10-10r2819: Make 'password history'-behaviour in ldapsam more consistent.Günther Deschner1-0/+3
Currently we cannot store more then 15 password history entries (windows NT4 allows to store 24) in ldapsam. When choosing more then "15" with pdbedit -P "password history", we fail to initialize the password history upon password change and overwrite the history, effectively using a password history of "1". We do already decrease any history-policy larger then 15 to 15 while storing the password history list attribute in ldap. Guenther (This used to be commit a4b47e71475a06c2e2287613b00648c5f53ae52c)
2007-10-10r2752: Fix the paranoia-check to ensure the ldap-attribute and theGünther Deschner1-1/+1
smb.conf-parameter for samba's "algorithmic rid base" in ldapsam are identical. It tried to get the value of LDAP_ATTR_ALGORITHMIC_RID_BASE via get_userattr_key2string() for a very long time now. This just can not work because LDAP_ATTR_ALGORITHMIC_RID_BASE is neither in attrib_map_v22 nor in attrib_map_v30. Instead, get it directly from dominfo_attr_list. Ldapsam will now correctly refuse to initialize when admins tried manually to have differing values for "algorithmic rid base" in ldap and smb.conf. idmap_ldap is another story... Guenther (This used to be commit c5b8bc6c2e9a3f789f41742438b31152721c0bf4)
2007-10-10r2619: Only issue the ldap extended password change operation if the ldap serverVolker Lendecke1-0/+75
supports it. This might be a fix for bugs 1823 and 1545, notifying both. Also ignore object class violation errors from the extended operation. We don't have the userPassword field in sambaSamAccount, and if we have such broken setup with user in /etc/passwd and only samba attribs in ldap, we fail this :-) Volker (This used to be commit a32ea3bc881f516fb733cb4767ae5cf22d658b12)
2007-10-10r2479: Stop attribute "modifyTimestamp" from being deleted.Jeremy Allison1-0/+5
Jeremy. (This used to be commit 0351bf8b03306246efc17e532ebe78ecdafb645d)
2007-10-10r2473: Convert internal data to UTF-8 before calling libxml2Jelmer Vernooij1-26/+47
(This used to be commit 8be3fa5bfa80b51f30f1c93a7fc9e95e2b1996a7)
2007-10-10r2444: Based on jmcd's patch, implement special lists for the ldap user ↵Volker Lendecke1-6/+27
attributes to delete. Richard, IMHO this is the better solution to the problem you currently have. Please review. Thanks, Volker (This used to be commit 6957d6a8921fbd97747258249d99b505a79cfcb4)
2007-10-10r2374: Fix from Vince Brimhall vbrimhall@novell.com forJeremy Allison1-1/+6
ldapsam_compat. Be robust against NULL attributes. Jeremy. (This used to be commit 727fc341b578577c112e97b0ef6f4c7f8bd15f66)
2007-10-10r2317: Fixup error messages and reformat.Jeremy Allison1-903/+922
Jeremy. (This used to be commit 8ae10c74ec45f1493aa15ee812ff37b86c8fc439)
2007-10-10r2312: Fix for bugid #1667, smbpasswd file could be left locked onJeremy Allison1-0/+2
some error exits. Jeremy. (This used to be commit e2b0b9fb72559a9629b116a7e063de08a12e9eb1)
2007-10-10r1906: Revert lukeh's change for primary uid/gid change. This creates a ↵Volker Lendecke1-19/+7
recursion loop between uid_to_sid -> getsampwnam -> uid_to_sid. It needs further inspection. Volker (This used to be commit 67d8bc48531dd1a7d9b5db93f7d71f920a27e8fb)
2007-10-10r1871: Patch from Luke Howard <lukeh@PADL.COM> to correctly useJeremy Allison1-7/+19
uid_to_sid() and gid_to_sid() in pdb_set_sam_sids(). Jeremy. (This used to be commit dae084d7134ae3f532861210907cd252d0001c9b)
2007-10-10r1869: Rename "fallback_XXXX" mapping to "algorithmic_XXX" asJeremy Allison2-36/+29
that's what it actually does, and "fallback_" is just confusing. Jeremy. (This used to be commit f44b4ba38147e353716c02c899bd45beaf71e6ad)
2007-10-10r1810: Patch from Richard Renard <rrenard@idealx.com> to storeJeremy Allison2-2/+72
logon hours attributes in an LDAP database. Jeremy. (This used to be commit dac72638fb3a05e805136698e0ad0612620ac8af)
2007-10-10r1733: Fix hashed password history for LDAP backends.Jeremy Allison1-10/+26
Jeremy. (This used to be commit a1bb6fbbe4d1618b5e02a3e7ee456247364bac66)
2007-10-10r1661: Changed the password history format so that each history entryJeremy Allison2-15/+36
consists of a 16 byte salt, followed by the 16 byte MD5 hash of the concatination of the salt plus the NThash of the historical password. Allows these to be exposed in LDAP without security issues. Jeremy. (This used to be commit 82e4036aaa2d283534a5bd8149857320fcf0d0dc)
2007-10-10r1610: Patch from Richard Renard <rrenard@idealx.com>. Ensure weJeremy Allison1-10/+4
save the password as it is being changed into the password history list. Jeremy. (This used to be commit 4fd619d7e16b5f759e6dc8360ad192457b3c90b9)
2007-10-10r1539: If a account was locked out by an admin (and has a bad password count ↵Jeremy Allison1-6/+19
of zero) leave it locked out until an admin unlocks it (but log a message). Jeremy. (This used to be commit 14bd2a9ffc30d55d9737b4819797db8c38b46c66)
2007-10-10r1492: Rework our random number generation system.Andrew Bartlett2-32/+30
On systems with /dev/urandom, this avoids a change to secrets.tdb for every fork(). For other systems, we now only re-seed after a fork, and on startup. No need to do it per-operation. This removes the 'need_reseed' parameter from generate_random_buffer(). Andrew Bartlett (This used to be commit 36741d3cf53a7bd17d361251f2bb50851cdb035f)
2007-10-10r1412: Fix password history list in tdbsam. Fix some memory leaks. AddJeremy Allison2-4/+22
my (C) to a header file that was at least 50% mine :-). Jeremy. (This used to be commit 8ee6060977ec8e65082f3ad09e1e1ccf5b4672ed)
2007-10-10r1394: Const fix.Jeremy Allison1-2/+2
Jeremy. (This used to be commit 9ac4945012e0bd54519b8c81d4c36e88cea28fce)
2007-10-10r1392: Added password history code to tdbsam backend. Not yet tested (ie. mayJeremy Allison2-386/+387
core dump) but compiles and links correctly. I will run the full set of tests on the ldap sam and the tdb sam for password history tomorrow. Jeremy. (This used to be commit ac846420d0ef2c60d2dc71319b24401c73699249)
2007-10-10r1388: Adding password history code for ldap backend, based on a patch fromJeremy Allison3-12/+151
"Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2007-10-10r1108: Index: pdb_ldap.cVolker Lendecke2-0/+18
=================================================================== --- pdb_ldap.c (revision 1095) +++ pdb_ldap.c (working copy) @@ -1134,6 +1134,19 @@ return NT_STATUS_OK; } +static void append_attr(char ***attr_list, const char *new_attr) +{ + int i; + + for (i=0; (*attr_list)[i] != NULL; i++) + ; + + (*attr_list) = Realloc((*attr_list), sizeof(**attr_list) * (i+2)); + SMB_ASSERT((*attr_list) != NULL); + (*attr_list)[i] = strdup(new_attr); + (*attr_list)[i+1] = NULL; +} + /********************************************************************** Get SAM_ACCOUNT entry from LDAP by username. *********************************************************************/ @@ -1149,6 +1162,7 @@ int rc; attr_list = get_userattr_list( ldap_state->schema_ver ); + append_attr(&attr_list, MODIFY_TIMESTAMP_STRING); rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list); free_attr_list( attr_list ); @@ -1194,6 +1208,7 @@ switch ( ldap_state->schema_ver ) { case SCHEMAVER_SAMBASAMACCOUNT: attr_list = get_userattr_list(ldap_state->schema_ver); + append_attr(&attr_list, MODIFY_TIMESTAMP_STRING); rc = ldapsam_search_suffix_by_sid(ldap_state, sid, result, attr_list); free_attr_list( attr_list ); Index: login_cache.c =================================================================== --- login_cache.c (revision 1095) +++ login_cache.c (working copy) @@ -95,10 +95,13 @@ &entry->bad_password_count, &entry->bad_password_time) == -1) { DEBUG(7, ("No cache entry found\n")); + SAFE_FREE(entry); SAFE_FREE(databuf.dptr); return NULL; } + SAFE_FREE(databuf.dptr); + DEBUG(5, ("Found login cache entry: timestamp %12u, flags 0x%x, count %d, time %12u\n", (unsigned int)entry->entry_timestamp, entry->acct_ctrl, entry->bad_password_count, (unsigned int)entry->bad_password_time)); (This used to be commit c0bf8425f4b9ee30ffc878704bde980d8c51ed05)
2007-10-10r989: Calling sid_to_gid from within winbind makes no sense, as this callsVolker Lendecke1-0/+1
winbind_sid_to_gid. For the consistency check, local_sid_to_gid must set the name_type it found. Volker (This used to be commit 5070c1b68f2add16916ba3135984f6e70bbe42cf)
2007-10-10r936: Fix a rather weird error that crippled my site, when we upgraded toAndrew Bartlett1-7/+4
Samba 3.0.4. If we fail a query for the members of the 'administrators' group (and we may well just have the IDL wrong), this destroys later parts of the domain logon process. For reasons I can't understand, the client-side 'heck, what happened' bailout causes the connection to the DC to be dropped, and causes the mandetory profile not to be loaded. (This also only occours after a reboot) Return the members of 'administrators', and it all works fine. The reason we hit this is because we run winbindd (to support pam_winbind) on our DC, and the winbindd lookup in sid_to_gid was messing things up. As we don't care what type of thing this is, provided it exists in the group mapping db, we should not bother winbindd here. Andrew Bartlett (This used to be commit d626b5c6d401e72296cf570e50f324c145fd70e0)
2007-10-10r910: Fix for bug #1385 found by Jason Mader <jason@ncac.gwu.edu>.Jeremy Allison1-3/+7
Don't use non-consts in a structure initialization. Jeremy. (This used to be commit 455ed258b3457ad5b7d3dad14b64781ab98f00dc)
2007-10-10r801: Fix from "Jianliang Lu" <j.lu@tiesse.com> to return correct groupJeremy Allison2-10/+10
types. Jeremy. (This used to be commit d97b9146a137d43278f3125bafe8a453da82f4ce)
2007-10-10r788: Inspired by patch from "Jianliang Lu" <j.lu@tiesse.com>. CorrectJeremy Allison1-10/+17
sid type is WKN_GROUP, not alias. Added some more known types. Jeremy. (This used to be commit 538b66f4e97e5e7b989e5533080f601d5b04c75e)
2007-10-10r505: Break out algorithmic_gid_to_sid so that those of us who need it can ↵Richard Sharpe1-3/+19
use it. (This used to be commit 5d7ee320cca80558a4b71295ef8b7de02f21554a)
2007-10-10r501: Fix a small cut-n-pasteo ...Richard Sharpe1-1/+1
(This used to be commit b1825184d313b97c7fa232990f60962aa86e7e17)
2007-10-10r340: fix a segfault in the login_cache code...Stefan Metzmacher1-1/+3
metze (This used to be commit 908d8a412559997256f51caa30da254f0768f114)
2007-10-10r316: Fix split_domain_name. This defaulted to get_myname() instead ofVolker Lendecke1-13/+0
get_global_sam_name(). Error case: Adding a domain user to a XP local group did a lsalookupname on the user without domain prefix, and this then failed. Jerry: This is a must-fix before 3.0.3. Volker (This used to be commit f35e353454b6825da1de138a3f0d8106787e938b)
2007-10-10r196: merging struct uuid from trunkGerald Carter1-13/+13
(This used to be commit 911a28361b9d8dd50597627f245ebfb57c6294fb)
2007-10-10r145: pdb_create_alias now returns NTSTATUS. More of this to follow.Volker Lendecke1-4/+3
Volker (This used to be commit 6e18bed17093e0b1792f68817096e64e0e841f26)