summaryrefslogtreecommitdiff
path: root/source3/passdb
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r3705: Nobody has commented, so I'll take this as an ack...Volker Lendecke2-0/+143
abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2007-10-10r3704: Implement a cache get saves the result of a pdb_getsampwnam for laterVolker Lendecke1-1/+27
retrieval by pdb_getsampwsid. This solves our problem that we do lots of calls to LDAP during a typical XP login. XP does a lookupnames, then an openuser and some queryinfo stuff. Lookupnames triggers the initial getsampwnam, and all the subsequent ones make us call getsampwsid. This patch gets this down to one call to LDAP. Yes, a more "correct" way would be to stick the information to the open user handle, but this one is simpler and saves the LDAP roundtrip for the openuser call. Volker (This used to be commit 3d9758fa3c584bb25eca0b7ed04af4ddfeba315f)
2007-10-10r3628: A typo and a compile-warning.Günther Deschner2-2/+2
Guenther (This used to be commit 906d5f88aabf091ee273e0ed9c3d2947b22c5390)
2007-10-10r3566: Completely replace the queryuseraliases call. The previous ↵Volker Lendecke3-43/+60
implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2007-10-10r3563: During a typical logon a modern workstation makes a lot of anonymous ↵Volker Lendecke1-0/+22
session setups on its way to open a pipe. This gets rid of many round-trips to the LDAP server during logon by setting up the server_info_guest once and not asking the LDAP server and nss every time. Make sure that the ldap connection is reopened in the child. (I did not look at the sql backends.) Volker (This used to be commit 3298f6105e6a88c9390cac02245c8f2eee1e5046)
2007-10-10r2923: Fix some obvious copy/paste leftover debug-messages.Günther Deschner1-8/+8
Guenther (This used to be commit 94f48d06c774eb137fef70063e6f29e5d5a6ba9d)
2007-10-10r2819: Make 'password history'-behaviour in ldapsam more consistent.Günther Deschner1-0/+3
Currently we cannot store more then 15 password history entries (windows NT4 allows to store 24) in ldapsam. When choosing more then "15" with pdbedit -P "password history", we fail to initialize the password history upon password change and overwrite the history, effectively using a password history of "1". We do already decrease any history-policy larger then 15 to 15 while storing the password history list attribute in ldap. Guenther (This used to be commit a4b47e71475a06c2e2287613b00648c5f53ae52c)
2007-10-10r2752: Fix the paranoia-check to ensure the ldap-attribute and theGünther Deschner1-1/+1
smb.conf-parameter for samba's "algorithmic rid base" in ldapsam are identical. It tried to get the value of LDAP_ATTR_ALGORITHMIC_RID_BASE via get_userattr_key2string() for a very long time now. This just can not work because LDAP_ATTR_ALGORITHMIC_RID_BASE is neither in attrib_map_v22 nor in attrib_map_v30. Instead, get it directly from dominfo_attr_list. Ldapsam will now correctly refuse to initialize when admins tried manually to have differing values for "algorithmic rid base" in ldap and smb.conf. idmap_ldap is another story... Guenther (This used to be commit c5b8bc6c2e9a3f789f41742438b31152721c0bf4)
2007-10-10r2619: Only issue the ldap extended password change operation if the ldap serverVolker Lendecke1-0/+75
supports it. This might be a fix for bugs 1823 and 1545, notifying both. Also ignore object class violation errors from the extended operation. We don't have the userPassword field in sambaSamAccount, and if we have such broken setup with user in /etc/passwd and only samba attribs in ldap, we fail this :-) Volker (This used to be commit a32ea3bc881f516fb733cb4767ae5cf22d658b12)
2007-10-10r2479: Stop attribute "modifyTimestamp" from being deleted.Jeremy Allison1-0/+5
Jeremy. (This used to be commit 0351bf8b03306246efc17e532ebe78ecdafb645d)
2007-10-10r2473: Convert internal data to UTF-8 before calling libxml2Jelmer Vernooij1-26/+47
(This used to be commit 8be3fa5bfa80b51f30f1c93a7fc9e95e2b1996a7)
2007-10-10r2444: Based on jmcd's patch, implement special lists for the ldap user ↵Volker Lendecke1-6/+27
attributes to delete. Richard, IMHO this is the better solution to the problem you currently have. Please review. Thanks, Volker (This used to be commit 6957d6a8921fbd97747258249d99b505a79cfcb4)
2007-10-10r2374: Fix from Vince Brimhall vbrimhall@novell.com forJeremy Allison1-1/+6
ldapsam_compat. Be robust against NULL attributes. Jeremy. (This used to be commit 727fc341b578577c112e97b0ef6f4c7f8bd15f66)
2007-10-10r2317: Fixup error messages and reformat.Jeremy Allison1-903/+922
Jeremy. (This used to be commit 8ae10c74ec45f1493aa15ee812ff37b86c8fc439)
2007-10-10r2312: Fix for bugid #1667, smbpasswd file could be left locked onJeremy Allison1-0/+2
some error exits. Jeremy. (This used to be commit e2b0b9fb72559a9629b116a7e063de08a12e9eb1)
2007-10-10r1906: Revert lukeh's change for primary uid/gid change. This creates a ↵Volker Lendecke1-19/+7
recursion loop between uid_to_sid -> getsampwnam -> uid_to_sid. It needs further inspection. Volker (This used to be commit 67d8bc48531dd1a7d9b5db93f7d71f920a27e8fb)
2007-10-10r1871: Patch from Luke Howard <lukeh@PADL.COM> to correctly useJeremy Allison1-7/+19
uid_to_sid() and gid_to_sid() in pdb_set_sam_sids(). Jeremy. (This used to be commit dae084d7134ae3f532861210907cd252d0001c9b)
2007-10-10r1869: Rename "fallback_XXXX" mapping to "algorithmic_XXX" asJeremy Allison2-36/+29
that's what it actually does, and "fallback_" is just confusing. Jeremy. (This used to be commit f44b4ba38147e353716c02c899bd45beaf71e6ad)
2007-10-10r1810: Patch from Richard Renard <rrenard@idealx.com> to storeJeremy Allison2-2/+72
logon hours attributes in an LDAP database. Jeremy. (This used to be commit dac72638fb3a05e805136698e0ad0612620ac8af)
2007-10-10r1733: Fix hashed password history for LDAP backends.Jeremy Allison1-10/+26
Jeremy. (This used to be commit a1bb6fbbe4d1618b5e02a3e7ee456247364bac66)
2007-10-10r1661: Changed the password history format so that each history entryJeremy Allison2-15/+36
consists of a 16 byte salt, followed by the 16 byte MD5 hash of the concatination of the salt plus the NThash of the historical password. Allows these to be exposed in LDAP without security issues. Jeremy. (This used to be commit 82e4036aaa2d283534a5bd8149857320fcf0d0dc)
2007-10-10r1610: Patch from Richard Renard <rrenard@idealx.com>. Ensure weJeremy Allison1-10/+4
save the password as it is being changed into the password history list. Jeremy. (This used to be commit 4fd619d7e16b5f759e6dc8360ad192457b3c90b9)
2007-10-10r1539: If a account was locked out by an admin (and has a bad password count ↵Jeremy Allison1-6/+19
of zero) leave it locked out until an admin unlocks it (but log a message). Jeremy. (This used to be commit 14bd2a9ffc30d55d9737b4819797db8c38b46c66)
2007-10-10r1492: Rework our random number generation system.Andrew Bartlett2-32/+30
On systems with /dev/urandom, this avoids a change to secrets.tdb for every fork(). For other systems, we now only re-seed after a fork, and on startup. No need to do it per-operation. This removes the 'need_reseed' parameter from generate_random_buffer(). Andrew Bartlett (This used to be commit 36741d3cf53a7bd17d361251f2bb50851cdb035f)
2007-10-10r1412: Fix password history list in tdbsam. Fix some memory leaks. AddJeremy Allison2-4/+22
my (C) to a header file that was at least 50% mine :-). Jeremy. (This used to be commit 8ee6060977ec8e65082f3ad09e1e1ccf5b4672ed)
2007-10-10r1394: Const fix.Jeremy Allison1-2/+2
Jeremy. (This used to be commit 9ac4945012e0bd54519b8c81d4c36e88cea28fce)
2007-10-10r1392: Added password history code to tdbsam backend. Not yet tested (ie. mayJeremy Allison2-386/+387
core dump) but compiles and links correctly. I will run the full set of tests on the ldap sam and the tdb sam for password history tomorrow. Jeremy. (This used to be commit ac846420d0ef2c60d2dc71319b24401c73699249)
2007-10-10r1388: Adding password history code for ldap backend, based on a patch fromJeremy Allison3-12/+151
"Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2007-10-10r1108: Index: pdb_ldap.cVolker Lendecke2-0/+18
=================================================================== --- pdb_ldap.c (revision 1095) +++ pdb_ldap.c (working copy) @@ -1134,6 +1134,19 @@ return NT_STATUS_OK; } +static void append_attr(char ***attr_list, const char *new_attr) +{ + int i; + + for (i=0; (*attr_list)[i] != NULL; i++) + ; + + (*attr_list) = Realloc((*attr_list), sizeof(**attr_list) * (i+2)); + SMB_ASSERT((*attr_list) != NULL); + (*attr_list)[i] = strdup(new_attr); + (*attr_list)[i+1] = NULL; +} + /********************************************************************** Get SAM_ACCOUNT entry from LDAP by username. *********************************************************************/ @@ -1149,6 +1162,7 @@ int rc; attr_list = get_userattr_list( ldap_state->schema_ver ); + append_attr(&attr_list, MODIFY_TIMESTAMP_STRING); rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list); free_attr_list( attr_list ); @@ -1194,6 +1208,7 @@ switch ( ldap_state->schema_ver ) { case SCHEMAVER_SAMBASAMACCOUNT: attr_list = get_userattr_list(ldap_state->schema_ver); + append_attr(&attr_list, MODIFY_TIMESTAMP_STRING); rc = ldapsam_search_suffix_by_sid(ldap_state, sid, result, attr_list); free_attr_list( attr_list ); Index: login_cache.c =================================================================== --- login_cache.c (revision 1095) +++ login_cache.c (working copy) @@ -95,10 +95,13 @@ &entry->bad_password_count, &entry->bad_password_time) == -1) { DEBUG(7, ("No cache entry found\n")); + SAFE_FREE(entry); SAFE_FREE(databuf.dptr); return NULL; } + SAFE_FREE(databuf.dptr); + DEBUG(5, ("Found login cache entry: timestamp %12u, flags 0x%x, count %d, time %12u\n", (unsigned int)entry->entry_timestamp, entry->acct_ctrl, entry->bad_password_count, (unsigned int)entry->bad_password_time)); (This used to be commit c0bf8425f4b9ee30ffc878704bde980d8c51ed05)
2007-10-10r989: Calling sid_to_gid from within winbind makes no sense, as this callsVolker Lendecke1-0/+1
winbind_sid_to_gid. For the consistency check, local_sid_to_gid must set the name_type it found. Volker (This used to be commit 5070c1b68f2add16916ba3135984f6e70bbe42cf)
2007-10-10r936: Fix a rather weird error that crippled my site, when we upgraded toAndrew Bartlett1-7/+4
Samba 3.0.4. If we fail a query for the members of the 'administrators' group (and we may well just have the IDL wrong), this destroys later parts of the domain logon process. For reasons I can't understand, the client-side 'heck, what happened' bailout causes the connection to the DC to be dropped, and causes the mandetory profile not to be loaded. (This also only occours after a reboot) Return the members of 'administrators', and it all works fine. The reason we hit this is because we run winbindd (to support pam_winbind) on our DC, and the winbindd lookup in sid_to_gid was messing things up. As we don't care what type of thing this is, provided it exists in the group mapping db, we should not bother winbindd here. Andrew Bartlett (This used to be commit d626b5c6d401e72296cf570e50f324c145fd70e0)
2007-10-10r910: Fix for bug #1385 found by Jason Mader <jason@ncac.gwu.edu>.Jeremy Allison1-3/+7
Don't use non-consts in a structure initialization. Jeremy. (This used to be commit 455ed258b3457ad5b7d3dad14b64781ab98f00dc)
2007-10-10r801: Fix from "Jianliang Lu" <j.lu@tiesse.com> to return correct groupJeremy Allison2-10/+10
types. Jeremy. (This used to be commit d97b9146a137d43278f3125bafe8a453da82f4ce)
2007-10-10r788: Inspired by patch from "Jianliang Lu" <j.lu@tiesse.com>. CorrectJeremy Allison1-10/+17
sid type is WKN_GROUP, not alias. Added some more known types. Jeremy. (This used to be commit 538b66f4e97e5e7b989e5533080f601d5b04c75e)
2007-10-10r505: Break out algorithmic_gid_to_sid so that those of us who need it can ↵Richard Sharpe1-3/+19
use it. (This used to be commit 5d7ee320cca80558a4b71295ef8b7de02f21554a)
2007-10-10r501: Fix a small cut-n-pasteo ...Richard Sharpe1-1/+1
(This used to be commit b1825184d313b97c7fa232990f60962aa86e7e17)
2007-10-10r340: fix a segfault in the login_cache code...Stefan Metzmacher1-1/+3
metze (This used to be commit 908d8a412559997256f51caa30da254f0768f114)
2007-10-10r316: Fix split_domain_name. This defaulted to get_myname() instead ofVolker Lendecke1-13/+0
get_global_sam_name(). Error case: Adding a domain user to a XP local group did a lsalookupname on the user without domain prefix, and this then failed. Jerry: This is a must-fix before 3.0.3. Volker (This used to be commit f35e353454b6825da1de138a3f0d8106787e938b)
2007-10-10r196: merging struct uuid from trunkGerald Carter1-13/+13
(This used to be commit 911a28361b9d8dd50597627f245ebfb57c6294fb)
2007-10-10r145: pdb_create_alias now returns NTSTATUS. More of this to follow.Volker Lendecke1-4/+3
Volker (This used to be commit 6e18bed17093e0b1792f68817096e64e0e841f26)
2007-10-10r116: volker's patch for local group and group nestingGerald Carter3-2/+599
(This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2007-10-10r53: Remove modifyTimestamp from list of our attributes. We just check it forJim McDonough1-5/+4
cache entry time comparisons in password lockout. Fixes problems where pdb_ldap tries to delete the operational attribute modifyTimestamp when deleting a user account. (This used to be commit 5ebcb9081e435d54c39d4d3a1ef1d7b651ccb53f)
2007-10-10r48: Fix types for debug message parameters.Jeremy Allison1-2/+2
Jeremy. (This used to be commit 85d9c92fd53a65fccca3720a3b06d69ef28f9981)
2007-10-10r39: * importing .cvsignore filesGerald Carter1-2/+0
* updateing WHATSNEW with vl's change (This used to be commit a7e2730ec4389e0c249886a8bfe1ee14c5abac41)
2004-03-31Apply some constVolker Lendecke2-2/+2
(This used to be commit aa220cffa7b3507452ffed51c048333c7cde0ca2)
2004-03-31Remove some unused codeVolker Lendecke1-22/+0
(This used to be commit 2b757b6adf0b4e5c799cc8943e8fd96cc94c24bc)
2004-03-25Use timegm, or our already existing replacement instead of timezone, asJim McDonough1-1/+1
some platforms (FreeBSD in this case) don't define timezone according to posix. This is what I wanted to do anyway. Spotted by Andrzej Tobola <san@iem.pw.edu.pl> (This used to be commit bc13e35db0b8b265f87553d4df1c7326710cb3fa)
2004-03-19Fix gcc warnings. Fix mkproto with new type.Jeremy Allison1-10/+11
Jeremy. (This used to be commit 00fa66df3edeb92ec5efd49bd61f98691e74877a)
2004-03-18Password lockout for LDAP backend. Caches autolock flag, bad count, andJim McDonough2-1/+294
bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-11Get MungedDial actually working with full TS strings in it for pdb_ldap.Jim McDonough1-35/+35
I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)