Age | Commit message (Collapse) | Author | Files | Lines |
|
pdb_ldap and adds a 'ldap passwd sync' option.
The idea with this option is to do allow an ldap backend to do all the fancy
password hashing etc - and to tell smbd no to try and double-up. Using 'ldap
passwd sync = only' will do this, but is not recommended unless such a backend
is in place...
Running 'ldap passwd sync = yes' just gets you the same as doing 'pam passwd
sync = yes' and having both PAM and pam_ldap correctly configured for 'magic
root' behaviour, but only using ldap connection, and one set of credentials.
This also gets us closer to allowing ldap to say 'password too short' etc,
which might assist in maintaining a consistant password policy.
Andrew Bartlett
(This used to be commit f13e243f1a13d34ae057b40b01f561e8b95d4570)
|
|
else we can't add to OpenLDAP 2.1
(This used to be commit d9a91a41441c156223760cb356fa997ea7bdbc1a)
|
|
were no longer locking the secrets entry. I saw this on a live system.
Jeremy.
(This used to be commit 660dafcbb2d1029831212a32d995891626a0344c)
|
|
be traversals being attempted. Yes, this was from bitter experience (and
an out of control server :-). Also allow callers to break out of a tdb_chainlock
with sigalarm if desired.
Jeremy.
(This used to be commit a7781f91d8c1177210bffc199cd2f3b7ff993eaf)
|
|
(This used to be commit dfa85f9c48aa3c8d93775df6b6ad2dec9a1692d7)
|
|
accounts added first to /etc/passwd will be honered correctly. Also, users
'upgraded' to smbpasswd will have the right flags.
Andrew Bartlett
(This used to be commit 474cc910c73e5567313bac438c7324a80e2e90d8)
|
|
make lp_sam_backend() a list
(This used to be commit 06eb3138ab14ff450bbc44f5fa539867ce67a7dd)
|
|
(This used to be commit 3146b243e0b143e1038c97d9f919aba494cc46f7)
|
|
might be ugly, etc - please don't blame me for anything but instead try to fix
the code :-). Compiling of the new sam system can be enabled with the
configure option --with-sam
Removing passdb/passgrp.c as it's unused
fix typo in utils/testparm.c
(This used to be commit 4b7de5ee236c043e6169f137992baf09a95c6f2c)
|
|
Andrew Bartlett
(This used to be commit 2795d92268d23063faf5a661279a91f7703d8aac)
|
|
pdbedit failed to initialize global_myworkgroup, wo we could end up
having a SID for SECRETS/SID/ in secrets.tdb.
Volker
(This used to be commit 8c96ab4bc05e55e119c1b44779fe14d3ab6c5f35)
|
|
- don't use lp_passwd_file() to retrieve NIS domain name, but use location
instead
- some cleanups
(This used to be commit 16f4568f35c753ec0ab0a0dda2b264668f5ac5ab)
|
|
uid for -1.
Andrew Bartlett
(This used to be commit 2fc12864ae78ea08d8cb4e3b1c7e341ca4a854e6)
|
|
(This used to be commit 72e9a5cd340d6a912e274dc0d6f2a22a922d4b03)
|
|
build farm happy again, and allow the 'guest account' to be added to smbpasswd.
Andrew Bartlett
(This used to be commit 5e5cd2874527dd9a213c4bfcf98a425c39f3f2e2)
|
|
This moves it right into the passdb subsystem, where we can do this in
just one (or 2) places. Due to the fact that this code can be in a tight loop,
I've had to make 'guest account' a 'const' paramater, where % macros cannot be
used. In any case, if the 'guest account' varies, we are in for some nasty
cases in the other code, so it's useful anyway.
Andrew Bartlett
(This used to be commit 8718e5e7b2651edad15f52a4262dc745df7ad70f)
|
|
Andrew Bartlett
(This used to be commit 4725d7d04936335cbd85bd6ac5096c50fed93671)
|
|
Only does it for PDCs.
(This used to be commit 3543f92c39a80c8b6eb7ca3188b87f0f15896f33)
|
|
Andrew Bartlett
(This used to be commit fd0ebf976eb6e5fc25bc75ff471c69c3f3761e32)
|
|
Andrew Bartlett
(This used to be commit 0e420878f26bdd19b5defb78a5fe4c31662ec941)
|
|
Andrew Bartlett
(This used to be commit ce6c8a647ca56dcbb60ff898d77c2df297c1fe79)
|
|
Andrew Bartlett
(This used to be commit 8405bccd4e7a5315e58890ffa5d481031636f88a)
|
|
(This used to be commit 0e2207c9c1ce573098f764e85a65c17cc1f1d284)
|
|
(This used to be commit 9f9e0cbd2c9920b730286f8bf560dc3415c29aa6)
|
|
is netbios and dns domain info. Also add code to set/fetch the domain GUID
from secrets.tdb (although set is not yet called by anyone).
(This used to be commit 31d7168530ccce2c5e9e7f96464b47f4d9771a25)
|
|
- That we never call winbind recursivly
- That we never use an 'algorithmic' RID when we have a fixed uid or gid mapping
in either the passdb or the group mapping db.
Also, remove restrictions that say 'this domain only'. If we have a mapping
configured, allow it to be returned. If we later decide certian mappings are
invalid, then we sould put that in the code that actually does the map.
Allow 'sid->name' transtations on the fixed 'well known' groups for NT, even
if they are not represented by Unix groups yet.
Andrew Bartlett
(This used to be commit d5bafb224337e393420c2ce9c0a787405314713c)
|
|
Andrew Bartlett
(This used to be commit 082c0324cde38fadd70934a10849c7d40a34e3b1)
|
|
null before close
this one fixes swat not working with browsers that set more then one language.
along the way implemented language priority in web/neg_lang.c with bubble sort
also changet str_list_make to be able to use a different separator string
Simo.
(This used to be commit 69765e4faa8aaae74c97afc917891fc72d80703d)
|
|
I've still not tested this, but I didn't test the last lot and I'm pretty
sure I stuffed it up - but at least this rebind procedure matches the
function prototype.
It should also be fine on OpenLDAP 2.1 if I'm lucky.
Andrew Bartlett
(This used to be commit 064f269508d05cc833cf7bfd5613e4fe389f32dc)
|
|
(This used to be commit a6725d4ce95ca8807ccefe4ce033b45d0635da6d)
|
|
Add some debugging info to the secrets code.
We might review what debug level that should be at, but it's fine for now.
Andrew Bartlett
(This used to be commit 2b6a318d686ac0b08a30844bf2960703b06d5c90)
|
|
patches:
Andrew Bartlett
From his e-mail:
Below I attach the following patches as a result of my work
on trusted domains support:
1) srv_samr_nt.c.diff
This fixes a bug which caused to return null string as
the first entry of enumerated accounts list (no matter what
entry, it was always null string and rid) and possibly
spoiled further names, depeding on their length.
I found that while testing my 'net rpc trustdom list'
against nt servers and samba server.
2) libsmb.diff
Now, fallback to anonymous connection works correctly.
3) smbpasswd.c.diff
Just a little fix which actually allows one to create
a trusting domain account using smbpasswd
4) typos.diff
As the name suggests, it's just a few typos fix :)
(This used to be commit 888d595fab4f6b28318b743f47378cb7ca35d479)
|
|
(This used to be commit d2b4e669aeada9c3498c3a9e49360270def5ad99)
|
|
Andrew Bartlett
(This used to be commit a7b0a2334cd8e7234c5bcb284e4c6de7a8e45f98)
|
|
(This used to be commit 290a304d2c1b70d20129236e20a0ff664179023e)
|
|
Andrew Bartlett
(This used to be commit 21b0e8f560849be77bde463cf006ea0de54211e9)
|
|
(and yes, some of these are real bugs)
In particular, the samr code was doing an &foo of various types, to a function
that assumed uint32. If time_t isn't 32 bits long, that broke.
They are assignment compatible however, so use that and an intermediate
variable.
Andrew Bartlett
(This used to be commit 30d0998c8c1a1d4de38ef0fbc83c2b763e05a3e6)
|
|
they will get a const string and return a (t)alloced epanded one.
also modified passdb/* stuff to use this one.
(This used to be commit d378ac1e2efb0efc9a0f983d69cf678ca6255fd5)
|
|
The idea here is to allow invalid LM passwords in otherwise valid accounts.
This happens when we create an account without a password, for example.
Previously we would stop at the LM password, and not read things like the
account flags correctly. Now we process the record, and just set the password
to NULL.
(Note, 'no password for access' is decided only on the basis of the Account
Control bits, not on the 'NULL' value of the password feild.).
Andrew Bartlett
(This used to be commit c590e0c970b5babf370924cef51530e5e215eaf2)
|
|
LM password isn't anything special. All the users check the ACB nowadays,
and this allows us to correctly return flags set via usermgr.
Andrew Bartlett
(This used to be commit 89eb765d398de7654ba6bac7c51df727830c2591)
|
|
Just set it directly.
Andrew Bartlett
(This used to be commit 202202bc475f3b8500423b1a9ccf0adc80a4dc49)
|
|
(This used to be commit f32980c807adf8287436be0d5a223b9b1ce399b8)
|
|
*.o) and implment new enum_dom_users code in the SAMR RPC subsystem.
Incresingly, we are using the pdb_get_{user,group}_sid() functions, in the
eventual hope that we might one day support muliple domains off a single
passdb. To extract the RID, we use sid_peek_check_rid(), and supply an
'expected' domain SID.
The id21 -> SAM_ACCOUNT and id23 -> SAM_ACCOUNT code has been moved to
srv_samr_util.c, to ease linking in passdb users.
Compatiblity code that uses 'get_global_sam_sid()' for the 'expected' sid is in
pdb_compat.c
Andrew Bartlett
(This used to be commit 5a2a6f1ba316489d118a8bdd9551b155226de94f)
|
|
(This used to be commit dab26f8891a77640ce382ce1785ca5dd22d43c22)
|
|
code
(This used to be commit 91ad9041e9507d36eb3f40c23c5d4df61f139ef0)
|
|
(This used to be commit 5c754cef19c9580e2cb1e23152a1097d11ca8c60)
|
|
All passdb modules need to include a 'magic' macro that creates simple
'return my version number' function.
(from metze and jelmer)
Also fix up the dir_drive autosubsitute code to correctly use lp_logon_drive().
(from metze)
Andrew Bartlett
(This used to be commit 4a57c445dd4354034fc41b132a484afe6ab66e16)
|
|
(This used to be commit 29874f4b8fecdc7cbd84d656dafce54cca49e0b1)
|
|
The aim of this execise is to give the 'security>=user' code a straight paper
path. Security=share will sill call authorise_login(), but otherwise we avoid
that mess.
This allow *much* more accurate error code reporting, beocuse we don't start
pretending that we can use the (nonexistant) password etc.
Also in this patch is code to create the 'homes' share at session setup time
(as we have done in the past - been broken recently) and to record this on
the user's vuser struct for later reference. The changes here should also
allow for much better use of %H (some more changes to come here).
The service.c changes move a lot of code around, but are not as drastric
as they look...
(Also included is a fix to srv_srvsvc_nt.c where 'total_entries' not
'*total_entries' was compared).
This code is needs testing, but passes my basic tests.
I expect we have lost some functionality, but the stuff I had expected
to loose was already broken before I started. In particular, we don't 'fall
back' to guest if the user cannot access a share (for security=user). If you
want this kind of stuff then you really want security=share anyway.
Andrew Bartlett
(This used to be commit 4c0cbcaed95231f8cf11edb43f6adbec9a0d0b5c)
|
|
and renamed to str_list_* as it is a better name.
Elrond should be satisfied now :)
(This used to be commit 4ae260adb9505384fcccfb4c9929cb60a45f2e84)
|