path: root/source3/passdb
Age | Commit message | Author | Files | Lines
2007-10-10 | r6277: This implements a new caching API for enumerating the pdb elements. It is modeled after query_displayinfo and should hide the differences between users, groups and aliases while allowing a cache analog load_sampw_entries: struct pdb_search *pdb_search_users(uint16 acct_flags); struct pdb_search *pdb_search_groups(void); struct pdb_search *pdb_search_aliases(const DOM_SID *sid); uint32 pdb_search_entries(struct pdb_search *search, uint32 start_idx, uint32 max_entries, struct samr_displayentry **result); void pdb_search_destroy(struct pdb_search *search); Why this API? Eventually we will need to apply the work gd has started on enumerating users with paged ldap searches to groups and aliases. Before doing that I want to clean up the search routines we have. The sample application (more to follow) is 'net maxrid'. Volker (This used to be commit 8b4f67a1e9d459145cde10b1064781d58d62b805) | Volker Lendecke | 1 | -0/+358
2007-10-10 | r6263: Get rid of generate_wellknown_sids, they are const static and initializable statically. Volker (This used to be commit 3493d9f383567d286e69c0e60c0708ed400a04d9) | Volker Lendecke | 3 | -13/+1
2007-10-10 | r6225: get rid of warnings from my compiler about nested externs (This used to be commit efea76ac71412f8622cd233912309e91b9ea52da) | Herb Lewis | 1 | -1/+2
2007-10-10 | r6149: Fixes bugs #2498 and 2484. 1. using smbc_getxattr() et al, one may now request all access control entities in the ACL without getting all other NT attributes. 2. added the ability to exclude specified attributes from the result set provided by smbc_getxattr() et al, when requesting all attributes, all NT attributes, or all DOS attributes. 3. eliminated all compiler warnings, including when --enable-developer compiler flags are in use. removed -Wcast-qual flag from list, as that is specifically to force warnings in the case of casting away qualifiers. Note: In the process of eliminating compiler warnings, a few nasties were discovered. In the file libads/sasl.c, PRIVATE kerberos interfaces are being used; and in libsmb/clikrb5.c, both PRIVATE and DEPRECATED kerberos interfaces are being used. Someone who knows kerberos should look at these and determine if there is an alternate method of accomplishing the task. (This used to be commit 994694f7f26da5099f071e1381271a70407f33bb) | Derrell Lipman | 1 | -1/+1
2007-10-10 | r6092: This much const causes the compiler on Fedora Core 2 to throw up. Jeremy. (This used to be commit 051f0ed8075a3616484888ab22d68ca11aa1dd36) | Jeremy Allison | 1 | -2/+2
2007-10-10 | r6080: Port some of the non-critical changes from HEAD to 3_0. The main one is the change in pdb_enum_alias_memberships to match samr.idl a bit closer. Volker (This used to be commit 3a6786516957d9f67af6d53a3167c88aa272972f) | Volker Lendecke | 2 | -25/+31
2007-10-10 | r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e) | Jim McDonough | 2 | -15/+327
2007-10-10 | r5957: BUGS 2478, 2093: compiler warning patches from Jason Mader (This used to be commit b0f43460822eb5175c854959181de05307d73415) | Gerald Carter | 1 | -6/+7
2007-10-10 | r5951: gotta love that SGI compiler :-) (thanks Jason) (This used to be commit e84d070275464de43107b6b5910e25ccc3339302) | Gerald Carter | 2 | -4/+4
2007-10-10 | r5927: Fix ldapsam trusted enum_group_members. We were searching in the user suffix instead of the group suffix. Thanks to John Janosik (jpjanosi@us.ibm.com). (This used to be commit bf3ce651ff3f654938bc98c604ad56214760a05e) | Jim McDonough | 1 | -1/+1
2007-10-10 | r5817: Patch from Vince Brimhall <vbrimhall@novell.com> to change the way pdb_nds handles users with no Universal or Simple Password. Bug #2453. Jeremy. (This used to be commit 0976793e3022254c31bda0fe3c49f864514c8d4c) | Jeremy Allison | 1 | -16/+20
2007-10-10 | r5767: Get rid of some compiler warnings (This used to be commit 66471de977a56cbe58921f61da28cc7dcbc6e93e) | Volker Lendecke | 1 | -14/+5
2007-10-10 | r5746: remove unneeded header that caused problems on rh73 (This used to be commit 68fe1f194a49e7900aba1f201c949f5deb21df87) | Gerald Carter | 1 | -1/+0
2007-10-10 | r5733: Don't crash when the SID column contains NULL (Fixes #2316) Patch by Justin Ossevoort (This used to be commit a281148168624dcab24e12f1cc7b0f6c7caf0185) | Jelmer Vernooij | 1 | -5/+10
2007-10-10 | r5718: Don't update fields that haven't changed (fixes #1957) (This used to be commit 5c682c665dbf517280deef0d6cec7dadc737a2bc) | Jelmer Vernooij | 1 | -27/+57
2007-10-10 | r5708: BUG 2424: patch from Vince Brimhall <vbrimhall@novell.com> to ensure that uidNumber and gidNumber use match the rfc2307 schema (This used to be commit c1727dc9e01f960c1eedf023b4de49ad6f418b18) | Gerald Carter | 1 | -5/+5
2007-10-10 | r5655: Added support for Novell NDS universal password. Code donated by Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58) | Jeremy Allison | 3 | -55/+1054
2007-10-10 | r5481: Fix a memleak (This used to be commit 36bcfc5dae99868fc94ca01f902fec3d19926f5e) | Volker Lendecke | 1 | -0/+2
2007-10-10 | r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8) | Volker Lendecke | 2 | -0/+354
2007-10-10 | r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403) | Volker Lendecke | 1 | -21/+22
2007-10-10 | r5421: Fix a memleak (This used to be commit a7df3b5f06085d55cbf1e491aa606312b87e0448) | Volker Lendecke | 1 | -1/+3
2007-10-10 | r5349: After talking with Jerry, reverted the addition of account policies to passdb in 3_0 (they are still in trunk). Guenther (This used to be commit fdf9bdbbac1d8d4f3b3e1fc7e49c1e659b9301b1) | Günther Deschner | 4 | -331/+14
2007-10-10 | r5337: BUG 1439: make sure to initialize pointer to prevent invalid free()'s on exit (This used to be commit a882a349df1488a4d64c892dbd1ec1ee3624ea42) | Gerald Carter | 1 | -42/+42
2007-10-10 | r5166: From James Peach - remove minor C99-isms. Jeremy. (This used to be commit 54ac409d4fd3b6e8e2bd338dabed446a92507811) | Jeremy Allison | 1 | -6/+12
2007-10-10 | r5058: Due to the fragileness how windows reacts on unmapped sids sometimes, don't leave administrator-sid unmapped. Simply return "Administrator" Guenther (This used to be commit 168ddf31d1af49d52d17dd09c9653d3deafb9442) | Günther Deschner | 1 | -0/+6
2007-10-10 | r5015: (based on abartlet's original patch to restrict password changes) * added SE_PRIV checks to access_check_samr_object() in order to deal with the run-time security descriptor and their interaction with user rights * Reordered original patch in _samr_set_userinfo[2] to still allow root/administrative password changes for users and machines. (This used to be commit f9f9e6039bd9443d54445e41c3783a2be18925fb) | Gerald Carter | 1 | -1/+1
2007-10-10 | r4996: sync up copyrights with trunk (This used to be commit 8946efe102f7a8a9b5a8059a80666b782159e7b8) | Gerald Carter | 1 | -0/+1
2007-10-10 | r4994: Patch from abartlet: When migrating account policies to ldapsam, handle the fact that an admin might have changed the default location of the sambaDomain-object after installation. Guenther (This used to be commit 78c3c7127444b8f9959f4d6ce9e540271869d70f) | Günther Deschner | 1 | -13/+26
2007-10-10 | r4988: After speaking with Jerry, remove old lp_admin_users to administrator-sid mapping completely. Guenther (This used to be commit 4cbe37ecd544b01c57c7fce5b3be28669f4ba6c3) | Günther Deschner | 1 | -14/+0
2007-10-10 | r4964: Fix our lsa lookupsid $OURDOMAINSID-500. Give the admin-user (rid 500) a chance to be found in passdb, not returning the (possibly obscure) first entry of "admin users" before that. Guenther (This used to be commit d319c0e189bc67a4552dafaff80113603b551eb3) | Günther Deschner | 1 | -14/+15
2007-10-10 | r4926: Use LDAP_SCOPE_ONELEVEL instead of OpenLDAP's LDAP_SCOPE_ONE-scope. Guenther (This used to be commit eee0bd806b4fd4558f9c48c09f7e85274e2b807f) | Günther Deschner | 1 | -2/+2
2007-10-10 | r4925: Migrate Account Policies to passdb (esp. replicating ldapsam). Does automated migration from account_policy.tdb v1 and v2 and offers a pdbedit-Migration interface. Jerry, please feel free to revert that if you have other plans. Guenther (This used to be commit 75af83dfcd8ef365b4b1180453060ae5176389f5) | Günther Deschner | 4 | -14/+324
2007-10-10 | r4860: fix silly limitation in ldapsam and tdbsam. Expand variables in the profile path, logon home and logon script values (This used to be commit 504ea4ac68f47b71542a88b17cbb6b546e1cb881) | Gerald Carter | 2 | -16/+27
2007-10-10 | r4851: Preliminary fix for ldapsam_enum_group_memberships when ldapsam:trusted=True. Don't bail out when ldap-search returns pure posixgroups (w.o. samba group-mapping). This way those unix-memberships do not appear in user and nt user token. Volker, could you please look over that one? Guenther (This used to be commit 853a8b7f1c0b00b2e4433d1281f3c9bfcaf980a6) | Günther Deschner | 1 | -3/+3
2007-10-10 | r4847: Hand over a acb_mask to pdb_setsampwent in load_sampwd_entries(). This allows the ldap-backend to search much more efficiently. Machines will be searched in the ldap_machine_suffix and users in the ldap_users_suffix. (Note that we already use the ldap_group_suffix in ldapsam_setsamgrent for quite some time). Using the specific ldap-bases becomes notably important in large domains: On my testmachine "net rpc trustdom list" has to search through 40k accounts just to list 3 interdomain-trust-accounts, similar effects show up the non-user query_dispinfo-calls, etc. Also renamed all_machines to only_machines in load_sampwd_entries() since that reflects better what is really meant. Guenther (This used to be commit 6394257cc721ca739bda0e320375f04506913533) | Günther Deschner | 7 | -19/+34
2007-10-10 | r4840: * Add more generic root-dse inspection function to check for given controls or extensions. * Check and remember if ldapsam's LDAP Server support paged results (in preparation of adding async paged-results to set|get|end-sampwent in ldapsam). Guenther (This used to be commit ced58bd8849cdef78513674dff1b1ec331945aa9) | Günther Deschner | 1 | -58/+1
2007-10-10 | r4802: Don't try to update a column with the name "NULL" (This used to be commit ed38e6026494a2b58c70cc175c6e210bea454e5c) | Jelmer Vernooij | 1 | -1/+7
2007-10-10 | r4788: Don't log mysql password at debug level 1. (This used to be commit 760455875f78a29c3fedd7de3671d6ae537c1d1a) | Jelmer Vernooij | 1 | -2/+1
2007-10-10 | r4736: small set of merges from trunk to minimize the diffs (This used to be commit 4b351f2fcc365a7b7f8c22b5139c299aa54c9458) | Gerald Carter | 2 | -19/+1
2007-10-10 | r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipulating privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c) | Gerald Carter | 3 | -366/+14
2007-10-10 | r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a) | Jeremy Allison | 13 | -40/+40
2007-10-10 | r3974: - Fix assignment of a couple of fields in pdb_{mysql,pgsql} - Use new DTD URL in pdb_xml (This used to be commit 99dc2f36d1f637906d47e98dbd4d5eb1f1cc4357) | Jelmer Vernooij | 3 | -8/+9
2007-10-10 | r3948: Fix incorrect declaration. Bug #2083. Jeremy. (This used to be commit 05b905a28f349a2741e0963e41ad624a8f0b9fb8) | Jeremy Allison | 1 | -1/+1
2007-10-10 | r3931: Fix all "may be used uninitialized" and "shadow" warnings. Jeremy. (This used to be commit 8e979772a640bb4f00f4d72b6a9c837b8ef14333) | Jeremy Allison | 1 | -0/+3
2007-10-10 | r3883: Fix error return -- thanks to rsharpe (This used to be commit 2d952c86c7e92fff48b4773ab46987d905b214cc) | Volker Lendecke | 1 | -1/+1
2007-10-10 | r3875: Allow to look up at least our own sid in _lsa_lookup_sids. This fixes Bugzilla #1076 and Exchange 5.5 SP4 can then be finally installed on NT4 in a samba-controlled domain. Guenther (This used to be commit bb191c1098dea06bf2cd89276c74e32279fbb3d4) | Günther Deschner | 2 | -0/+15
2007-10-10 | r3871: Fix memleak (This used to be commit dbfdde5f63f34fbe4ba1d794fcfc120178ff039a) | Volker Lendecke | 1 | -1/+3
2007-10-10 | r3852: Fix the build... (This used to be commit 3bd72b864f18f6fad0357c8aa632121f14e422ab) | Volker Lendecke | 1 | -1/+1
2007-10-10 | r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989) | Volker Lendecke | 2 | -0/+143
2007-10-10 | r3704: Implement a cache get saves the result of a pdb_getsampwnam for later retrieval by pdb_getsampwsid. This solves our problem that we do lots of calls to LDAP during a typical XP login. XP does a lookupnames, then an openuser and some queryinfo stuff. Lookupnames triggers the initial getsampwnam, and all the subsequent ones make us call getsampwsid. This patch gets this down to one call to LDAP. Yes, a more "correct" way would be to stick the information to the open user handle, but this one is simpler and saves the LDAP roundtrip for the openuser call. Volker (This used to be commit 3d9758fa3c584bb25eca0b7ed04af4ddfeba315f) | Volker Lendecke | 1 | -1/+27