Age | Commit message (Collapse) | Author | Files | Lines |
|
(This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
|
|
used to be commit b8d39651fb90ef170055735412417239a63afc5d)
|
|
The idea here is to allow invalid LM passwords in otherwise valid accounts.
This happens when we create an account without a password, for example.
Previously we would stop at the LM password, and not read things like the
account flags correctly. Now we process the record, and just set the password
to NULL.
(Note, 'no password for access' is decided only on the basis of the Account
Control bits, not on the 'NULL' value of the password feild.).
Andrew Bartlett
(This used to be commit c590e0c970b5babf370924cef51530e5e215eaf2)
|
|
LM password isn't anything special. All the users check the ACB nowadays,
and this allows us to correctly return flags set via usermgr.
Andrew Bartlett
(This used to be commit 89eb765d398de7654ba6bac7c51df727830c2591)
|
|
Just set it directly.
Andrew Bartlett
(This used to be commit 202202bc475f3b8500423b1a9ccf0adc80a4dc49)
|
|
(This used to be commit f32980c807adf8287436be0d5a223b9b1ce399b8)
|
|
*.o) and implment new enum_dom_users code in the SAMR RPC subsystem.
Incresingly, we are using the pdb_get_{user,group}_sid() functions, in the
eventual hope that we might one day support muliple domains off a single
passdb. To extract the RID, we use sid_peek_check_rid(), and supply an
'expected' domain SID.
The id21 -> SAM_ACCOUNT and id23 -> SAM_ACCOUNT code has been moved to
srv_samr_util.c, to ease linking in passdb users.
Compatiblity code that uses 'get_global_sam_sid()' for the 'expected' sid is in
pdb_compat.c
Andrew Bartlett
(This used to be commit 5a2a6f1ba316489d118a8bdd9551b155226de94f)
|
|
(This used to be commit dab26f8891a77640ce382ce1785ca5dd22d43c22)
|
|
code
(This used to be commit 91ad9041e9507d36eb3f40c23c5d4df61f139ef0)
|
|
(This used to be commit 5c754cef19c9580e2cb1e23152a1097d11ca8c60)
|
|
All passdb modules need to include a 'magic' macro that creates simple
'return my version number' function.
(from metze and jelmer)
Also fix up the dir_drive autosubsitute code to correctly use lp_logon_drive().
(from metze)
Andrew Bartlett
(This used to be commit 4a57c445dd4354034fc41b132a484afe6ab66e16)
|
|
(This used to be commit 29874f4b8fecdc7cbd84d656dafce54cca49e0b1)
|
|
The aim of this execise is to give the 'security>=user' code a straight paper
path. Security=share will sill call authorise_login(), but otherwise we avoid
that mess.
This allow *much* more accurate error code reporting, beocuse we don't start
pretending that we can use the (nonexistant) password etc.
Also in this patch is code to create the 'homes' share at session setup time
(as we have done in the past - been broken recently) and to record this on
the user's vuser struct for later reference. The changes here should also
allow for much better use of %H (some more changes to come here).
The service.c changes move a lot of code around, but are not as drastric
as they look...
(Also included is a fix to srv_srvsvc_nt.c where 'total_entries' not
'*total_entries' was compared).
This code is needs testing, but passes my basic tests.
I expect we have lost some functionality, but the stuff I had expected
to loose was already broken before I started. In particular, we don't 'fall
back' to guest if the user cannot access a share (for security=user). If you
want this kind of stuff then you really want security=share anyway.
Andrew Bartlett
(This used to be commit 4c0cbcaed95231f8cf11edb43f6adbec9a0d0b5c)
|
|
and renamed to str_list_* as it is a better name.
Elrond should be satisfied now :)
(This used to be commit 4ae260adb9505384fcccfb4c9929cb60a45f2e84)
|
|
already.
Andrew Bartlett
(This used to be commit a5d5b4cf2555b9bbded31b556d4fc74c00c6c490)
|
|
of implementing it twice inline.
This code is complex - but occasionally I get the feeling that people made
it more complext than it really needed to be...
Andrew Bartlett
(This used to be commit 273d518e52a83eca466c134531dd12825fe3cbdb)
|
|
(invalid passdb backends smb.conf entry) we picked up a few things :-).
Andrew Bartlett
(This used to be commit dfa98ae0ac195956490ca2f4140a8eff1566095e)
|
|
the passdb backends fail to load (is this the right way? - I think so).
Also, I've added some more comments, cleaned up some style etc.
(This used to be commit c8c490bcb84df43be38bdcb48067fec12331e358)
|
|
(This used to be commit 27e34d4e63adc6d6ad63857d2a17595b7cff52db)
|
|
(for use in passdb modules like pdb_xml or a new pdb_ldap that stores sids etc.)
Andrew Bartlett
(This used to be commit c70b2c4fb72f251a14e0fc88b6520d69a0889bc2)
|
|
rather than a string when configuring mulitple backends.
Also adjust some of the users of get_global_sam_sid() to cope with the fact
that it just might not exist (uninitialised, can't access secrets.tdb).
More places need conversion.
Add some const and remove silly casts.
Andrew Bartlett
(This used to be commit c264bf2ec93037d2a9927c00295fa60c88b7219d)
|
|
Andrew Bartlett
(This used to be commit 29490f214750acd44cee6c4ab1354722d82d853a)
|
|
to using SIDs instead of RIDs.
The new funciton sid_peek_check_rid() takes an 'expected domain sid' argument.
The idea here is to prevent mistakes where the SID is implict, but isn't
the same one that we have in the struct.
Andrew Bartlett
(This used to be commit 04f9a8ff4c7982f6597c0f6748f85d66d4784901)
|
|
(This used to be commit 1996bcbe6acae49e191363ee122b30e4e5d5e8a9)
|
|
initialising function. This patch thanks to the work of
"Stefan (metze) Metzmacher" <metze@metzemix.de>
This is partly to enable the transition to SIDs in the the passdb.
Andrew Bartlett
(This used to be commit 96afea638e15d4cbadc57023a511094a770c6adc)
|
|
a file that is linked with the passdb.
This is to avoid linking insanity when this global becomes a self-initing
function.
(This used to be commit 743afd96cb54b4966e3afad11ea987f968b98651)
|
|
passdb interface change, now the passdb modules will be asked for SID not for rid, the modules have been updated with a passthrough function that calls the old getsampwrid() functions.
srv_samr_nt.c functions that made use of the pdb_getsampwrid funcion has been updated to use the SID one.
(This used to be commit f5c6496c33fa7f5c2826540ffb4a49d8a5790fb3)
|
|
the whole record which could include things like photos's etc.
Andrew Bartlett
(This used to be commit bbc69545516f29cc4e05ba6238b03eb504f28226)
|
|
structs.
Andrew Bartlett
(This used to be commit 57097bf1ba10566389266a4863899a7f25cdbb43)
|
|
- convert net to popt
- convert status to popt
- adapt examples/pdb/ to multiple passdb system
- add dynamic debug class example to examples/pdb/
and some reformatting to better match the samba coding style.
Andrew Bartlett
(This used to be commit 2498bc69d4e5c38ec385f640489daa94c508c726)
|
|
pointer.
(This used to be commit 38012edaca4c181f3d3a9e9df4fc434bba78f9dc)
|
|
BOOL const secrets_init(...)
Broke AIX build.
(This used to be commit 37b6bf3aae4fd8ee3af7e5947b3e549dcef754cf)
|
|
from 2.2 format) and LDAP rebind support (untested, I don't have a setup
to match).
Andrew Bartlett
(This used to be commit 4f7ba78c9d50ac584497dcf1d78ce613112742d4)
|
|
this is a first step only passdb stuff has beein "classized".
- so what can you do?
set debug level to: 1 poasdb:10
that will make all the code run at debug level 1 except the code in
passdb/* files that will run at level 10
TODO: fix the man page
- also smbcontrol has this nice feature so smbcontrol smbd debug 3 passdb:5
will set every smbd to have a default log level of 3 while passdb stuff
will be at level 5
and so no..
minor cosmetic fix to pdbedit is there too
(This used to be commit be5c3b3f5781ddc002ffcc98df04ab024dcef4ca)
|
|
previous commit, and remove some unsued variables.
Main change: Make sure to fill in the username when making a non-unix
account from smbpasswd.
(This used to be commit 7019486eacb72ca44c42ce620b8696bb29f12292)
|
|
Kill off the silly code that attempts to do NT -> Unix username mapping.
This is done well before here, no need to repeat it.
Add some small fixes and extra debugs, trying to track down current build
farm failures.
pdb_unix:
When 'updating' a pdb_unix account, instead add it to the default passdb.
This means that you don't need to specify '-a' to smbpasswd any more when
messing with an existing unix user, the account is simply 'upgraded'.
The idea here is that these accounts are just as 'real' as any other, they
just don't have the extra attributes an smbpasswd file does.
I'm open for debate on the pdb_unix issue, and will remove it if given
good reason. (without this, an attempt to add an account already in
pdb_unix to smbpasswd would fail, as it would fail to update pdb_unix).
rpc_server/srv_netlog_nt.c
Change a couple of things around, so as to show the client workstation etc.
WRONG_PASSWORD is certainly not the right default error. Try ACCESS_DENIED
for now.
Andrew Bartlett
(This used to be commit d78b74b338df9accd9ad84c56a49fa4f787425e2)
|
|
cleanup some of the code in net_rpc_join re const warnings and
fstrings.
Passdb:
Make the %u and %U substituions in passdb work.
This is done by declaring these paramters to be 'const' and doing
the substitution manually. I'm told this is us going full circle,
but I can't really see a better way.
Finally these things actually seem to work properly...
Make the lanman code use the pdb's recorded values for homedir etc
rather than the values from lp_*()
Add code to set the plaintext password in the passdb, where it can
decide how to store/set it. For use with a future 'ldap password
change' option, or somthing like that...
Add pdb_unix, so as to remove the 'not in passdb' special cases from the
local_lookup_*() code. Quite small, as it uses the new 'struct passwd ->
SAM_ACCOUNT' code that is now in just one place. (also used by pdb_smbpasswd)
Other:
Fix up the adding of [homes] at session setup time to actually pass
the right string, that is the unix homedir, not the UNC path.
Fix up [homes] so that for winbind users is picks the correct name.
(bad interactions with the default domain code previously)
Change the rpc_server/srv_lsa_nt.c code to match NT when for the
SATUS_NONE_MAPPED reply: This was only being triggered on
no queries, now it is on the 'no mappings' (ie all mappings failed).
Checked against Win2k.
Policy Question: Should SID -> unix_user.234/unix_group.364 be
considered a mapping or not? Currently it isn't.
Andrew Bartlett
(This used to be commit c28668068b5a3b3cf3c4317e5fb32ec9957f3e34)
|
|
and there is no real reason for it to depend on more than the abilty
to compile the code.
(This used to be commit 64aaec137e39595e6e61b55eb525615683a1393c)
|
|
I think we may still need to look at our server enumeration code, but
other than that, its much better in the tree than out.
Andrew Bartlett
(This used to be commit d57a1b4629d12a0374cc6d74dfc6f5d4793fcef8)
|
|
(This used to be commit 70c6f5fc6d3ec3121b29d1e46e7fd3933fbcce6b)
|
|
<mimir@diament.ists.pwr.wroc.pl>) this patch allows samba to correctly
enumerate its trusted domains - by exaimining the keys in the secrets.tdb file.
This patch has been tested with both NT4 and rpcclient/wbinfo, and adds
some extra functionality to talloc and rpc_parse to allow it to deal with
already unicode strings.
Finally, this cleans up some const warnings that were in net_rpc.c by pushing
another dash of const into the rpc client code.
Andrew Bartlett
(This used to be commit 0bdd94cb992b40942aaf2e5e0efd2868b4686296)
|
|
Andrew Bartlett
(This used to be commit 81eaa7924b7bd3a13d049bce7fe7a16ab9174364)
|
|
All uids and gids must create valid RIDs, becouse other code expects this, and
can't handle the failure case. (ACL code in particular)
Allow admins to adjust the base of the RID algorithm, so avoid clashes with
users brought in from NT (for example).
Put all the algorithm code back in one place, so that this change is global.
Better coping with NULL sid pointers - but it still breaks a lot of stuff.
BONUS: manpage entry for new paramater :-)
counter based rids for normal users in tdbsam is disabled for the timebeing,
idra and I will work out some things here soon I hope.
Andrew Bartlett
(This used to be commit 5275c94cdf0c64f347d4282f47088d084b1a7ea5)
|
|
<jelmer@nl.linux.org>.
This patch also includes major rework of pdbedit to use popt, and the addition
of -i paramter (allowing the user to specify which PDBs is being
operated on) and -e to export a pdb - useful for backup and testing etc.
Use of -i and -e gets us pdb2pdb functionality for transition between backends,
much like the sam2sam in TNG.
Andrew Bartlett
(This used to be commit c10def37f506d3f2bab442418ac08fdb62659b02)
|
|
(This used to be commit 97eb3a121d33200ee7559b2413d6252efc04ebaf)
|
|
the passdb) and RIDs not in the passdb, due to being NIS users etc.
The main fix here is to add become_root()/unbecome_root() at critical places.
This (finally) fixes the bug where you could not see local users's names
in a file's security properties as non-root. Tested.
The similar bug in uid_to_sid is also fixed, but is not (yet) Tested.
Andrew Bartlett
(This used to be commit 79327a305e20d78ab5ca21d01c39b5f49dc0d632)
|
|
WARNING: if you relied on these logic flaws, you will need to manually
edit your ldap backend (for things like account expries etc).
Now correctly retunes the information needed for 'must change at next login'
support.
(This used to be commit 26842f1ac051b030c1295b68244a1f9007d4eefb)
|
|
Jeremy.
(This used to be commit 28ef07424f19652fdfa4ee79f1c69e0004fa39fe)
|
|
Some reformatting and spelling fixes.
(This used to be commit a0f7bbad11a0c0f1ecd930626289c5ff493b0f1d)
|
|
overwriting an old MACHINE.SID sid.
Jeremy.
(This used to be commit 896d4fac98460778f72378b084a76d5aab11462e)
|