summaryrefslogtreecommitdiff
path: root/source3/passdb
AgeCommit message (Collapse)AuthorFilesLines
2003-07-04This patch cleans up some of our ldap code, for better behaviour:Andrew Bartlett2-388/+394
We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-03Removed strupper/strlower macros that automatically map to ↵Jeremy Allison2-15/+15
strupper_m/strlower_m. I really want people to think about when they're using multibyte strings. Jeremy. (This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
2003-07-02Uppercase first letter of debug level 0 statements.Tim Potter1-2/+2
(This used to be commit 05679968e207f795237bbee7b6564f365415d02f)
2003-07-01removing nisplussamGerald Carter1-1524/+0
(This used to be commit f75683995cf0d17df55a70dacd72ab2d6cd17989)
2003-07-01fix compile problem with nisplussamGerald Carter1-13/+18
(This used to be commit 2f7051e2bcaaa45a7315208fc9b5812e6ed657d9)
2003-07-01Different fix for memleak just committed. This belongs intoVolker Lendecke1-2/+0
tdb_search_list_free. Volker (This used to be commit 0f3822c8e71426983b960ad49511efa8707159f9)
2003-07-01Fix two memory leaks. tdb_search_keys allocates space for the keyVolker Lendecke1-0/+2
strings. Running 'net cache list' or secrets_get_trusted_domains through valgrind gives a *huge* amount of invalid reads of one byte beyond the indicated string length in libc's strncpy. Annoying... Volker (This used to be commit 0f8933ae778064ff58cdc832ce52c843631435bb)
2003-07-01* revert change to get_global_sam_name()Gerald Carter1-2/+23
* add get_default_sam_name() to be used by make_user_info_map() * add comments describing get_*_sam_name() (This used to be commit 90470366ea4bdb8021a3453c4bbeb29f009668c1)
2003-06-30* cleanup more DC name resolution issues in check_*domain_security()Gerald Carter1-4/+7
* is_trusted_domain() is broken without winbind. Still working on this. * get_global_sam_name() should return the workgroup name unless we are a standalone server (verified by volker) * Get_Pwnam() should always fall back to the username (minus domain name) even if it is not our workgroup so that TRUSTEDOMAIN\user can logon if 'user' exists in the local list of accounts (on domain members w/o winbind) Tested using Samba PDC with trusts (running winbindd) and a Samba 3.0 domain member not running winbindd. notes: make_user_info_map() is slightly broken now due to the fact that is_trusted_domain() only works with winbindd. disabled checks temporarily until I can sort this out. (This used to be commit e1d6094d066d4c16ab73075caba40a1ae6c56b1e)
2003-06-30Add the 'guest' passdb backend automatically ifVolker Lendecke1-0/+25
guest account != "" Volker (This used to be commit 21d330af107f744af9569b5577afc6e7ba6a269c)
2003-06-25large change:Gerald Carter2-3/+2
*) consolidates the dc location routines again (dns and netbios) get_dc_list() or get_sorted_dc_list() is the authoritative means of locating DC's again. (also inludes a flag to get_dc_list() to define if this should be a DNS only lookup or not) (however, if you set "name resolve order = hosts wins" you could still get DNS queries for domain name IFF ldap_domain2hostlist() fails. The answer? Fix your DNS setup) *) enabled DOMAIN<0x1c> lookups to be funneled through resolve_hosts resulting in a call to ldap_domain2hostlist() if lp_security() == SEC_ADS *) enables name cache for winbind ADS backend *) enable the negative connection cache for winbind ADS backend *) removes some old dead code *) consolidates some duplicate code *) moves the internal_name_resolve() to use an IP/port pair to deal with SRV RR dns replies. The namecache code also supports the IP:port syntax now as well. *) removes 'ads server' and moves the functionality back into 'password server' (which can support "hostname:port" syntax now but works fine with defaults depending on the value of lp_security()) (This used to be commit d7f7fcda425bef380441509734eca33da943c091)
2003-06-25Patch to move functions directly from pdb_ldap.c into lib/smbldap.cAndrew Bartlett1-718/+8
The functions are unchanged. Next step is to make idmap_ldap use them. Andrew Bartlett (This used to be commit 57617a0f8c84f9ced4df2901811ce5a5a5ae005e)
2003-06-24Fix pdb_ldap segfaults, and wrong default values for ldapsam_compat.Andrew Bartlett1-4/+3
Reviewed by vl, metze. Andrew Bartlett (This used to be commit 9804ad458ad35c9ea7de3e2e86bf8b2f85ae6533)
2003-06-22Found out a good number of NT_STATUS_IS_ERR used the wrong way.Simo Sorce3-4/+4
As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK This patch will cure the problem. Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is used correctly, but I'm not 100% sure, coders should check the use of NT_STATUS_IS_ERR() in samba is ok now. Simo. (This used to be commit c501e84d412563eb3f674f76038ec48c2b458687)
2003-06-21Fix memory leak. secrets_fetch allocates memory.Volker Lendecke1-0/+2
Volker (This used to be commit 2ec8d1ff88d3984a317a4a53ca3a299e8a68a9d7)
2003-06-21This patch works towards to goal of common code shared between idmap_ldapAndrew Bartlett1-261/+359
and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-20Fix bug #136: "passdb backend = " caused smbd to segfault.Jim McDonough1-0/+5
Instead, spit out an error message. (This used to be commit 22f083b227a6f03ae42b985e45e9c384982c6ed2)
2003-06-18Ok, this patch removes the privilege stuff we had in, unused, for some time.Simo Sorce3-31/+26
The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-06-18And some more memory leaks in mapping.c and pdb_tdb.c. tdb_nextkeyVolker Lendecke1-2/+13
mallocs its key, so we should free it after use. Volker (This used to be commit 9750799ba2e1aaa59fa255f23880c9c618195c3d)
2003-06-18Better panic cleanly than segfault later when no sid can be found and created.Volker Lendecke1-2/+3
Everybody who calls get_global_sam_sid expects this to return non-NULL, and there are way too many places where this is called. Volker (This used to be commit 2dfa896e6fdd52aa0eebe7d811c7b4072fe98be3)
2003-06-17Fix a memory leak in pdb_tdb.c.Volker Lendecke1-0/+2
Simo, I remember you complaining about a memleak there, could it be this one, or did you resolve it at that time? Volker (This used to be commit c660595deda2ce836c0a191da0236f850004ba0d)
2003-06-17Make static (patch from metze)Jelmer Vernooij2-2/+2
(This used to be commit 908b16cc2a8b6c5c67aae0e1af9d51f57fe31212)
2003-06-17The return value of init_module functions is NTSTATUS, not intJelmer Vernooij2-6/+4
(This used to be commit f09df852ac0b25470fb9435c79a4a417e06e9b75)
2003-06-16Update link to DTDJelmer Vernooij1-1/+1
(This used to be commit 2737518b2571fecf60fcbcd99575dd6cf5bd0bdb)
2003-06-16Quieten another debug message.Tim Potter1-1/+1
(This used to be commit 2c47893c7542889d9e2ee097897a1df248b1a5e2)
2003-06-16Quieten debug message.Tim Potter1-1/+1
(This used to be commit 02d12cc4b9b9c5cfb7a05a6c2cf71cc59144bec9)
2003-06-13Rename some uuid functions so as not to conflict with systemTim Potter1-1/+1
versions. Fixes bug #154. (This used to be commit 986eae40f7669d15dc75aed340e628aa7efafddc)
2003-06-07Try to fix memory leaks found by valgrind in pdb_ldap code.Andrew Bartlett1-3/+3
Andrew Bartlett (This used to be commit decadfcc8205ed5611d74141e301569ef8b1d9f4)
2003-06-06support LDAP_EXOP_MODIFY_PASSWORD (not experiemental in OpenLDAP 2.1)Gerald Carter1-9/+21
(This used to be commit 50fdc938222112b5470d05d8cd15386bd0a112df)
2003-06-06* break out more common code used between pdb_ldap and idmap_ldapGerald Carter1-128/+36
* remove 'winbind uid' and 'winbind gid' parameters (replaced by current idmap parameter) * create the sambaUnixIdPool entries automatically in the 'ldap idmap suffix' * add new 'ldap idmap suffix' and 'ldap group suffix' parametrer * "idmap backend = ldap" now accepts 'ldap:ldap://server/' format (parameters are passed to idmap init() function (This used to be commit 1665926281ed2be3c5affca551c9d458d013fc7f)
2003-06-05working draft of the idmap_ldap code.Gerald Carter1-282/+3
Includes sambaUnixIdPool objectclass Still needs cleaning up wrt to name space. More changes to come, but at least we now have a a working distributed winbindd solution. (This used to be commit 824175854421f7c27d31ad673a8790dd018ae350)
2003-05-27cut-n-paste errorGerald Carter1-1/+1
(This used to be commit eb567e803e2da3ce11174812a5162642d8ef342b)
2003-05-27fix bug 118; replace hard coded 'next[User|Group]Rid' attribute namesGerald Carter1-6/+8
(This used to be commit f7ebb3c9e5d38d86d48459b7962a3da6d4900285)
2003-05-27I'm pretty sure these uint32's should be uid_t's. Can the passdb guysTim Potter2-3/+3
please check this? (This used to be commit af4b1f869a7dca0d24391fb2cefef7e05cca2c04)
2003-05-22fix bug #108; sambaSambaAccount string attributes are case insensitive; ↵Gerald Carter1-2/+5
don't try to change a string that only differs in case (This used to be commit 01ef08352007487040edefcc0b99ca79823cbddf)
2003-05-16Well spotted typo by Marco Berger <MARCOB@voelcker.com>Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit f16b0e025ea3112b4c231b67bc95f63418599f2e)
2003-05-16Fix from Alex Deiter <tiamat@komi.mts.ru>Simo Sorce1-1/+1
Reversed check. (This used to be commit 542ee1d3d6401c4d03770f07cfc907d016e166b4)
2003-05-16add metze's patch for smb_register functionsSimo Sorce1-1/+1
(This used to be commit 1480c7e8c7a84c34181118c449c50ca99fdcbc6b)
2003-05-14readding reverted changes during idmap merge (noticed by Andrew b.)Gerald Carter1-16/+33
(This used to be commit c6d836c61cb3e122dcc41b874ed5a03a130b6a4c)
2003-05-14fix group mapping in LDAP under new schemaGerald Carter1-35/+61
(This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14*****LDAP schema changes*****Gerald Carter1-292/+802
New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14Fix pointer return bug in get_unix_attributes()Tim Potter1-1/+1
(This used to be commit 7aa54f0a7f3bcfb5d9560ca3bb88e1549b7ce421)
2003-05-14spellingTim Potter2-3/+3
(This used to be commit 865c11275685c85124b506c9bbd2a8bde2e760b9)
2003-05-14spellingTim Potter1-2/+2
(This used to be commit 1b4f904277b5e9331cdf4491163f856aa78d0453)
2003-05-13Restore a number of fixes that idra removed when he merged hisAndrew Bartlett3-10/+4
idmap-and-the-rest from HEAD. These are correctness fixes that were already in 3.0, and a memory leak fix. The pdb_ldap changes are held back at jerry's request (he is also playing with pdb_ldap ATM). Andrew Bartlett (This used to be commit c7d5e336bd91514a02974044742b058be387e490)
2003-05-13Try to fix up some code in pdb_smbpasswd that assumed we still had a 'uid'.Andrew Bartlett1-12/+22
This is to get non-unix accounts going for the build farm. Andrew Bartlett (This used to be commit 3daf7cba2393af768b253c419152ea305204f3d8)
2003-05-12Fix obvious compiler warnings.Jeremy Allison3-3/+0
Jeremy. (This used to be commit 2a6d0c2481c3c34351e57c30a85004babdbf99b0)
2003-05-12And finally IDMAP in 3_0Simo Sorce8-637/+294
We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-05-12fixing typos in debug statementsGerald Carter1-1/+1
(This used to be commit f59bcb51cfe4e268ba43245d401d212aefdf2b72)
2003-05-11As discussed on samba-technical - move to 'primaryGroupSid' insted ofAndrew Bartlett1-17/+45
primaryGroupID (rid). This is consistant with the move from 'rid' to ntSid for the primary user identifier. Also cope with legacy installations where primaryGroupID might have been stored as 0. Andrew Bartlett (This used to be commit 0e432817cb927b41af7b49fb0b5081ffdb46f85e)