summaryrefslogtreecommitdiff
path: root/source3/passdb
AgeCommit message (Collapse)AuthorFilesLines
2002-11-04Allow 'normal' accounts in the non-unix-account range for smbpasswd - I hopeAndrew Bartlett1-19/+20
this will fix some of the problems on the build farm @ Compaq (where they have a *lot* of accounts...). (This used to be commit 2c97b7e6480c2731739ccc52af97bc62a6228cfe)
2002-11-04Fix debugAndrew Bartlett1-1/+1
(This used to be commit 5b5b8de70e46a15e9fb9b47c7af6cb0133f41217)
2002-11-03Extra little fix to vl's patch. Make sure the passdb and testparm messagesAndrew Bartlett1-3/+5
say exactly the same thing - in particular that we can algorithmic rid base == 1000, and use the BASE_RID macro to avoid the use of magic numbers. Andrew Bartlett (This used to be commit b70f2a8047ac549841bc103932b38951e9814186)
2002-11-03Force algorithmic rid base to sane values and talk about it.Volker Lendecke1-4/+25
Volker (This used to be commit ce5b2d991b42bbf6865ff75194f8ee4b46694841)
2002-11-02Clean up this a little - add comments describing a bit of what is going onAndrew Bartlett1-5/+6
here. (This used to be commit 88455313f6551a75eff4df2f0ba91430948c1c78)
2002-11-02Add a 'ldap trust ids' option that lets pdb_ldap check for posixAccountAndrew Bartlett1-33/+92
attributes rather than calling getpwnam() on the user. This should help fix some of metze's performance issues - particularly on enumerations. There is a consequential change to the operation of 'non unix account's in LDAP - they are no longer restricted to being 'within' the NUA range, but will always be added to that range. Finally, there is the doco for this and the previous LDAP SSL changes. (This used to be commit 18abaeffda300074a507561d8372d5bfddc8fe50)
2002-11-02Return the result code, not false (0 == success) on error...Andrew Bartlett1-1/+1
(This used to be commit f91c363bc05d1c82ad8a99a5c0d59b46cf820aac)
2002-11-02Fixes for pdb_ldap:Andrew Bartlett1-111/+103
- Default is now for start-tls, on the ldap (not ldaps) port - We check for 'I am currently root' in the right place now, and don't accidentily use a cached connection. - We don't loop on failure to be root, or some other errors. - A bit cleaner error reporting for add/modify. - Both the OpenLDAP and manual URI parsing tested. Andrew Bartlett (This used to be commit cfa1e459d727764feddcfdd8c9c0404282e2d0e8)
2002-10-26One more step towards to better PDC.Andrew Bartlett1-208/+330
This patch, from "Stefan (metze) Metzmacher" <metze@metzemix.de> implements an LDAP connection cache. This removes the quite silly situation where every single passdb operation involved a new LDAP connection. The hope is that this will give us a decent performance boost in some usrmgr related activities, and in the sid->name/sid->uid code. The remaining things I think are 'todo' for pdb_ldap (in the near term) are: - intergrate volker's next_rid patch for NUA accounts, - add a 'trust ldap ids' option (remove Get_Pwnam() hit on enumerations). - put the group mapping actually into ldap - Schema fixes and do utf8 conversion - server failover (try a second server for the rebind on fail) - ensure we block between an 'add' and the ldap master replicating to our local slave (mezte found this issue, kills domain joins) Andrew Bartlett (This used to be commit 3418da16456511490beb0d1045fff24576b48273)
2002-10-25Fix memory leak (patch by Steve Langasek)Jelmer Vernooij1-0/+14
(This used to be commit 06362586cb754bd6bc89b50b966737958286ca2e)
2002-10-25Only run free_private_data when it's specified (reported by Steve Langasek ↵Jelmer Vernooij1-1/+2
aka vorlon) (This used to be commit 9efa98b4a65a38df922ce3b83f5fde631cb70844)
2002-10-21pdb_unix.c did not really expect group RIDs dictated by a PDC and lookingVolker Lendecke1-2/+4
like user RIDs. Volker (This used to be commit 872c7d40454545108ec9e7eee12894af77b4adc3)
2002-10-21This moves the group mapping API into the passdb backend.Volker Lendecke7-11/+453
Currently this calls back to mapping.c, but we have the framework to get the information into LDAP and the passdb.tdb (should we? I think so..). This has received moderate testing with net rpc vampire and usrmgr. I found the add_groupmem segfault in add_aliasmem as well, but that will be another checkin. Volker (This used to be commit f30095852fea19421ac8e25dfe9c5cd4b2206f84)
2002-10-18Start to merge the new ACL mapping code from Andreas Gruenbacher ↵Jeremy Allison1-10/+38
<agruen@suse.de>. Jeremy. (This used to be commit f6103f866a5e698ab55fdab1444a14e3d8da16bb)
2002-10-17Revert changesVolker Lendecke1-1/+1
(This used to be commit 975fd17f8af0f03f43995deb3fdd9bd5995a1c92)
2002-10-17Revert changesVolker Lendecke1-24/+22
(This used to be commit 84b62f6d96a77ccbc1b4475ab0780a4e4c9d4875)
2002-10-16No functional change. I'm trying to understand pdb_ldap.c andVolker Lendecke1-22/+24
found an unecessary parameter to ldapsam_search_one_user. Volker (This used to be commit a085670c7e3a0ca82df749592fd5c6a86def1d53)
2002-10-16Create group mappings on the fly.Volker Lendecke1-1/+1
Volker (This used to be commit e2fc1de34aaf875a7003f9d15d5f8ecf159130fb)
2002-10-12Nice *big* patch from metze.Andrew Bartlett7-370/+465
The actual design change is relitivly small however: It all goes back to jerry's 'BOOL store', added to many of the elements in a SAM_ACCOUNT. This ensured that smb.conf defaults did not get 'fixed' into ldap. This was a great win for admins, and this patch follows in the same way. This patch extends the concept - we don't store values back into LDAP unless they have been changed. So if we read a value, but don't update it, or we read a value, find it's not there and use a default, we will not update ldap with that value. This reduced clutter in our LDAP DB, and makes it easier to change defaults later on. Metze's particular problem was that when we 'write back' an unchanged value, we would clear any muliple values in that feild. Now he can still have his mulitivalued 'uid' feild, without Samba changing it for *every* other operation. This also applies to many other attributes, and helps to eliminate a nasty race condition. (Time between get and set) This patch is big, and needs more testing, but metze has tested usrmgr, and I've fixed some pdbedit bugs, and tested domain joins, so it isn't compleatly flawed ;-). The same system will be introduced into the SAM code shortly, but this fixes bugs that people were coming across in production uses of Samba 3.0/HEAD, hence it's inclusion here. Andrew Bartlett (This used to be commit 7f237bde212eb188df84a5d8adb598a93fba8155)
2002-10-12We already set LDAPv3 at connect time, no need to set it again.Andrew Bartlett1-8/+0
(This used to be commit c8e32d485bf205b6965579f94063effd86777f3f)
2002-10-04Add a timeout to tdb_lock_bystring(). Ensure we never have more thanJeremy Allison1-49/+11
MAX_PRINT_JOBS in a queue. Jeremy. (This used to be commit bb58a08af459b4abae9d53ab98c15f40638ce52b)
2002-09-28Add const.Andrew Bartlett1-1/+1
(This used to be commit f7dd66e88dba947a167d9a14c96810854dfc5c9d)
2002-09-27Minor updates:Andrew Bartlett1-4/+4
Add const to some more functions, and reintroduce 'net rpc join oldstyle' as *only* trying an old-style join. This means that we can rely on it not prompting for a password on the build farm. Andrew Bartlett (This used to be commit 31bdbeef0ea6f30247cd3b30cfea57b34102abe6)
2002-09-27Readd the 2.2 --with-ldapsam paramaters so as to allow a smooth upgrade path toAndrew Bartlett1-4/+19
a 3.0 based PDC. Change defaults to use SSL, so that this also matches. Andrew Bartlett (This used to be commit 36c2a3820faa1d90cd331881720be0e61ab93460)
2002-09-26Patch from "Stefan (metze) Metzmacher" <metze@metzemix.de> to do a *much*Andrew Bartlett1-1/+1
better job of working with usrmgr. Previously we were blanking out entires, and all sort of mischif. The new patch (which I've now had a chance to test/modify) also takes care not to expand % values (ie we go \\%L\%U -> \\server\user, we don't want to store \\server\user back) and to correctly notice 'not set' compared to 'null string' etc. Andrew Bartlett (This used to be commit ab878b6cc4132594fc33f78aeebf0d8b7266c150)
2002-09-26move all the passdb internal interface to NTSTATUSSimo Sorce6-256/+307
only the interface has been fully moved to NTSTATUS not all the plugins make full use of it, but have been all converted. My testings passed completely, however a bit of more testing is welcome Simo. (This used to be commit 102a26e06591928a03b49cd312a65811ed46314f)
2002-09-25Make it clear what this if statement applies to, and what it doesn'tAndrew Bartlett1-0/+1
(This used to be commit 6b78e554c3dd3c98bff7dbd1d3715a9b7e405b8d)
2002-09-25Whenever we deal with adding machine/trusted domain accounts, always reset theAndrew Bartlett1-20/+23
flag to what we expect. This handles the 'upgrade' from unixsam beter (where all $ terminated accounts are machines). Andrew Bartlett (This used to be commit a198940ea6f7b7f3cba38c5a9f695e0731204583)
2002-09-25Don't crash when a backend doesn't have a setsampwent function available - ↵Jelmer Vernooij1-2/+2
bug reported by metze (This used to be commit 4aea951102a6e82612560e6a59931fde433ee6ea)
2002-09-25This patch from "Stefan (metze) Metzmacher" <metze@metzemix.de> cleans upAndrew Bartlett3-123/+204
pdb_ldap and adds a 'ldap passwd sync' option. The idea with this option is to do allow an ldap backend to do all the fancy password hashing etc - and to tell smbd no to try and double-up. Using 'ldap passwd sync = only' will do this, but is not recommended unless such a backend is in place... Running 'ldap passwd sync = yes' just gets you the same as doing 'pam passwd sync = yes' and having both PAM and pam_ldap correctly configured for 'magic root' behaviour, but only using ldap connection, and one set of credentials. This also gets us closer to allowing ldap to say 'password too short' etc, which might assist in maintaining a consistant password policy. Andrew Bartlett (This used to be commit f13e243f1a13d34ae057b40b01f561e8b95d4570)
2002-09-25If adding a user to ldap, make sure we have the 'account' structural class, orAndrew Bartlett1-0/+1
else we can't add to OpenLDAP 2.1 (This used to be commit d9a91a41441c156223760cb356fa997ea7bdbc1a)
2002-09-18We had a race condition when changing a machine acount password as weJeremy Allison1-1/+21
were no longer locking the secrets entry. I saw this on a live system. Jeremy. (This used to be commit 660dafcbb2d1029831212a32d995891626a0344c)
2002-09-17Never, *ever* hold a mutex lock in the message database where there mayJeremy Allison1-0/+66
be traversals being attempted. Yes, this was from bitter experience (and an out of control server :-). Also allow callers to break out of a tdb_chainlock with sigalarm if desired. Jeremy. (This used to be commit a7781f91d8c1177210bffc199cd2f3b7ff993eaf)
2002-09-17more const cleanupsAndrew Tridgell1-3/+3
(This used to be commit dfa85f9c48aa3c8d93775df6b6ad2dec9a1692d7)
2002-09-04Set default ACB attributes on 'unixsam' accounts. This means that machineAndrew Bartlett1-0/+9
accounts added first to /etc/passwd will be honered correctly. Also, users 'upgraded' to smbpasswd will have the right flags. Andrew Bartlett (This used to be commit 474cc910c73e5567313bac438c7324a80e2e90d8)
2002-08-29small fixesJelmer Vernooij1-1/+1
make lp_sam_backend() a list (This used to be commit 06eb3138ab14ff450bbc44f5fa539867ce67a7dd)
2002-08-29RTLD_GLOBAL is not necessaryJelmer Vernooij1-1/+1
(This used to be commit 3146b243e0b143e1038c97d9f919aba494cc46f7)
2002-08-28Put in intermediate version of new SAM system. It's not stable yet, codeJelmer Vernooij1-219/+0
might be ugly, etc - please don't blame me for anything but instead try to fix the code :-). Compiling of the new sam system can be enabled with the configure option --with-sam Removing passdb/passgrp.c as it's unused fix typo in utils/testparm.c (This used to be commit 4b7de5ee236c043e6169f137992baf09a95c6f2c)
2002-08-21More hacks for 'guest account' to get it to show up with the right rid...Andrew Bartlett1-1/+12
Andrew Bartlett (This used to be commit 2795d92268d23063faf5a661279a91f7703d8aac)
2002-08-21Replaced reference to global_myworkgroup by calls to lp_workgroup().Volker Lendecke1-6/+5
pdbedit failed to initialize global_myworkgroup, wo we could end up having a SID for SECRETS/SID/ in secrets.tdb. Volker (This used to be commit 8c96ab4bc05e55e119c1b44779fe14d3ab6c5f35)
2002-08-21Add changes suggested by abartlet:Jelmer Vernooij1-1124/+1205
- don't use lp_passwd_file() to retrieve NIS domain name, but use location instead - some cleanups (This used to be commit 16f4568f35c753ec0ab0a0dda2b264668f5ac5ab)
2002-08-21Use the 'init' flag to determine if the UID is set, rather than testing theAndrew Bartlett1-2/+5
uid for -1. Andrew Bartlett (This used to be commit 2fc12864ae78ea08d8cb4e3b1c7e341ca4a854e6)
2002-08-20pdb_nisplus converted to the new passdb system API'sJelmer Vernooij2-559/+586
(This used to be commit 72e9a5cd340d6a912e274dc0d6f2a22a922d4b03)
2002-08-17Quick hack to get around the inadequacy of pdb_smbpasswd. This should make theAndrew Bartlett1-1/+1
build farm happy again, and allow the 'guest account' to be added to smbpasswd. Andrew Bartlett (This used to be commit 5e5cd2874527dd9a213c4bfcf98a425c39f3f2e2)
2002-08-17Rework the 'guest account get's RID 501' code again...Andrew Bartlett2-46/+57
This moves it right into the passdb subsystem, where we can do this in just one (or 2) places. Due to the fact that this code can be in a tight loop, I've had to make 'guest account' a 'const' paramater, where % macros cannot be used. In any case, if the 'guest account' varies, we are in for some nasty cases in the other code, so it's useful anyway. Andrew Bartlett (This used to be commit 8718e5e7b2651edad15f52a4262dc745df7ad70f)
2002-08-16Make the 'guest account' always have a RID of DOMAIN_USER_RID_GUEST.Andrew Bartlett1-6/+20
Andrew Bartlett (This used to be commit 4725d7d04936335cbd85bd6ac5096c50fed93671)
2002-08-12Update secrets_fetch_domain_guid to generate and store it if it doesn't exist.Jim McDonough1-2/+11
Only does it for PDCs. (This used to be commit 3543f92c39a80c8b6eb7ca3188b87f0f15896f33)
2002-08-07Add const to a pile of const to *DOM_SID paramaters.Andrew Bartlett5-7/+7
Andrew Bartlett (This used to be commit fd0ebf976eb6e5fc25bc75ff471c69c3f3761e32)
2002-08-06Try to bind with LDAPv3 if possible.Andrew Bartlett1-7/+19
Andrew Bartlett (This used to be commit 0e420878f26bdd19b5defb78a5fe4c31662ec941)
2002-08-05I must have missed this when I was adding 'const' to these earlier...Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit ce6c8a647ca56dcbb60ff898d77c2df297c1fe79)