Age | Commit message (Collapse) | Author | Files | Lines |
|
This implements some kind of improved AFS support for Samba on Linux with
OpenAFS 1.2.10. ./configure --with-fake-kaserver assumes that you have
OpenAFS on your machine. To use this, you have to put the AFS server's KeyFile
into secrets.tdb with 'net afskey'. If this is done, on each tree connect
smbd creates a Kerberos V4 ticket suitable for use by the AFS client and
gives it to the kernel via the AFS syscall. This is meant to be very
light-weight, so I did not link in a whole lot of libraries to be more
platform-independent using the ka_SetToken function call.
Volker
(This used to be commit 5775690ee8e17d3e98355b5147e4aed47e8dc213)
|
|
(This used to be commit 9a603f6f077a2e1ddc41849cca3641421ecbaf11)
|
|
as that's what they do. Fix string_replace() to fast-path ascii.
Jeremy.
(This used to be commit f35e9a8b909d3c74be47083ccc4a4e91a14938db)
|
|
(This used to be commit 3724063f1518c25e33ba6b65cd3bb1e36cec51fa)
|
|
pam_smbpass.so will load ok. Had to move some functions around to work
around dependency problems (hence the new passdb/lookup_sid.c)
Also make sure that libsmbclient.a is built and installed when
we support shared libraries.
(This used to be commit 780055f4422f11fb0524ac1f003cdc5f317f8b19)
|
|
algorithm stuff
(This used to be commit f6363aa31aa3479a9566328752ecb4aeadde10b7)
|
|
(This used to be commit a6a39c61e8228c8b3b7552ab3c61ec3a6a639143)
|
|
* bug #280 (my fault) - initialize sambaNextUserRid and
sambaNextGroupRid
* Unix users shared vis LDAP or NIS between a samba domain member
of a Samba domain are not seen as domain users on the member servers.
not as local users.
(This used to be commit a030fa373aefde8628def54ca8152f237a0467dc)
|
|
(This used to be commit f6a01f51159ccd822c6e764b7243fff375f22747)
|
|
(This used to be commit 575483a1efe18a90055490117ba6894512ae568a)
|
|
(This used to be commit 4c36ef65e5101899f730adaeacf754f5f3647d89)
|
|
username instead of making up unix_user.##
(This used to be commit b947fc3eed464d7a64914f3965964d29be031614)
|
|
time. )-:
(This used to be commit 59dae1da66a5eb7e128263bd578f167d8746e9f0)
|
|
(This used to be commit ba4d334b822248d8ab929c9568533431603d967e)
|
|
to pstr_sprintf() and fstr_sprintf() to try to standardize.
lots of snprintf() calls were using len-1; some were using
len. At least this helps to be consistent.
(This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
|
|
(This used to be commit b8394a107d3448434f1a34076eaab8e6dd9a8a9d)
|
|
displaying pid_t, uid_t and gid_t values. This removes a whole lot of warnings
on some of the 64-bit build farm machines as well as help us out when 64-bit
uid/gid/pid values come along.
(This used to be commit f93528ba007c8800a850678f35f499fb7360fb9a)
|
|
An extra message notifying that needed file didn't exist is displayed.
There's still a little catch with tdb backend, but it's better than it was,
from end-user's point of view.
This fixes #198
rafal
(This used to be commit b0be700605c289ce8e9dd3abe49d78ac77256911)
|
|
(This used to be commit defc71d4cb9bb1efcb39157bad2806f73b3cc3f5)
|
|
Whoever put the private.backend_private_data_free_fn thingy into
SAM_ACCOUNT, could you please revisit my change to pdb_get_set.c and
comment on my comment there?
Thanks,
Volker
(This used to be commit 922ec277d1c80b5532f5cac0ee99ae7cd20f83f1)
|
|
(This used to be commit 42a59d691019ee328920be25a1c505037f74151f)
|
|
(This used to be commit 09e00970d4b3ec80467a4a292c39650d6c945847)
|
|
and migrate an NT4 domain and still logon from domain members
(tested logon scripts, system policies, profiles, & home directories)
(passdb backend = tdbsam)
removed call to idmap_init_wellknown_sids() from winbindd.c
since the local domain should be handled by the guest passdb backend
(and you don't really always want the Administrator account to be root)
...and we didn't pay attention to this anyways now.
(This used to be commit 837d7c54d3ca780160aa0d6a2f0a109bb691948e)
|
|
(This used to be commit 26134ac302f3296df6a65182f2585201a3ad833a)
|
|
force user = foo)
(This used to be commit 399799c68cbc91cb3908b0d83ee4f51fa3bf3023)
|
|
(This used to be commit a926959391676d69bd7cbaf4ce0be0d3cb715418)
|
|
proved the last patch wrong.
Sorry.
Volker
(This used to be commit d8695eccc7acdee69ca0d0593b56a417f1f89167)
|
|
Volker
(This used to be commit 39308ff138da88c1a4c0958cd4c7a9090261d3d5)
|
|
Still testing this, but I'm checking it in
so Volker can test it as well. Should be right.
(This used to be commit 8edf193722f699cc33baed410917a78a5e28d0a4)
|
|
(This used to be commit 5efa0d7cc28d903c1986b8e40072ae49e9532a88)
|
|
* move rid allocation into IDMAP. See comments in _api_samr_create_user()
* add winbind delete user/group functions
I'm checking this in to sync up with everyone. But I'm going to split
the add a separate winbindd_allocate_rid() function for systems
that have an 'add user script' but need idmap to give them a RID.
Life would be so much simplier without 'enable rid algorithm'.
The current RID allocation is horrible due to this one fact.
Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow.
Nothing has changed in the way a samba domain is represented, stored,
or search in the directory so things should be ok with previous installations.
going to bed now.
(This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
|
|
fix the confusion when we tdb_lock_bystring() but
we retrieve an entry using tdb_fetch_by_string.
It's now always tdb.*bystring()
(This used to be commit 66359531b89368939f0e8f584a45844b5f2f99e7)
|
|
lookups.
Jeremy.
(This used to be commit 6bd47884030c9c124c4bba1f0d57cb8dd916530d)
|
|
available. Removed extra auth_init (thanks metze).
Jeremy.
(This used to be commit 88135fbc4998c266052647f8b8e437ac01cf50ae)
|
|
winbindd now. Also removing an unused file.
(This used to be commit 688369c23c604e9b6654fcf07190d2e27c1138cf)
|
|
Jeremy.
(This used to be commit e9fb6e45086a6170b6f6d5d3295398708ab1af58)
|
|
* remove idmap_XX_to_XX calls from smbd. Move back to the
the winbind_XXX and local_XXX calls used in 2.2
* all uid/gid allocation must involve winbindd now
* move flags field around in winbindd_request struct
* add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id()
to prevent automatic allocation for unknown SIDs
* add 'winbind trusted domains only' parameter to force a domain member
server to use matching users names from /etc/passwd for its domain
(needed for domain member of a Samba domain)
* rename 'idmap only' to 'enable rid algorithm' for better clarity
(defaults to "yes")
code has been tested on
* domain member of native mode 2k domain
* ads domain member of native mode 2k domain
* domain member of NT4 domain
* domain member of Samba domain
* Samba PDC running winbindd with trusts
Logons tested using 2k clients and smbclient as domain users
and trusted users. Tested both 'winbind trusted domains only = [yes|no]'
This will be a long week of changes. The next item on the list is
winbindd_passdb.c & machine trust accounts not in /etc/passwd (done
via winbindd_passdb)
(This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
|
|
is no such user...
Thanks to jerry for spotting this.
Also clean up the function a bit, to avoid this happening again...
Andrew Bartlett
(This used to be commit d9a6859e2bd963f28cf3c3a62e483e868822597f)
|
|
(This used to be commit f7bf48114cec83a3f3107cce2b413221276a486d)
|
|
down failures.
Add a 'auto-add on modify' feature to guestsam
Fix some segfault bugs on no-op idmap modifications, and on new idmappings that
do not have a DN to tack onto.
Make the 'private data' a bit more robust.
Andrew Bartlett
(This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
|
|
- Try better to add the appropriate mapping between UID and SIDs, based
on Get_Pwnam()
- Look for previous users (lookup by SID) and correctly modify the existing
entry in that case
- Map the root user to the Admin SID as a 'well known user'
- Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update'
call on that user. This means that VL's very nice work on atomic LDAP
updates now really gets used properly!
- This also means that we know the right DN to update, without the extra
round-trips to the server.
Andrew Bartlett
(This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
|
|
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
|
|
strupper_m/strlower_m.
I really want people to think about when they're using multibyte strings.
Jeremy.
(This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
|
|
(This used to be commit 05679968e207f795237bbee7b6564f365415d02f)
|
|
(This used to be commit f75683995cf0d17df55a70dacd72ab2d6cd17989)
|
|
(This used to be commit 2f7051e2bcaaa45a7315208fc9b5812e6ed657d9)
|
|
tdb_search_list_free.
Volker
(This used to be commit 0f3822c8e71426983b960ad49511efa8707159f9)
|
|
strings.
Running 'net cache list' or secrets_get_trusted_domains through
valgrind gives a *huge* amount of invalid reads of one byte beyond the
indicated string length in libc's strncpy. Annoying...
Volker
(This used to be commit 0f8933ae778064ff58cdc832ce52c843631435bb)
|
|
* add get_default_sam_name() to be used by make_user_info_map()
* add comments describing get_*_sam_name()
(This used to be commit 90470366ea4bdb8021a3453c4bbeb29f009668c1)
|
|
* is_trusted_domain() is broken without winbind. Still working on this.
* get_global_sam_name() should return the workgroup name unless we
are a standalone server (verified by volker)
* Get_Pwnam() should always fall back to the username (minus domain name)
even if it is not our workgroup so that TRUSTEDOMAIN\user can logon
if 'user' exists in the local list of accounts (on domain members w/o
winbind)
Tested using Samba PDC with trusts (running winbindd) and a Samba 3.0
domain member not running winbindd.
notes: make_user_info_map() is slightly broken now due to the
fact that is_trusted_domain() only works with winbindd. disabled
checks temporarily until I can sort this out.
(This used to be commit e1d6094d066d4c16ab73075caba40a1ae6c56b1e)
|