| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Guenther
(This used to be commit 1eabfa050b661168b42892c2d841c7891e59cf5f)
|
|
preparation of adding the ability of renaming users via setuserinfo
level 7).
Guenther
(This used to be commit 6f34ed6c203fa11182640da97581075612d26c0e)
|
|
Does automated migration from account_policy.tdb v1 and v2 and offers a
pdbedit-Migration interface. Jerry, please feel free to revert that if
you have other plans.
Guenther
(This used to be commit 75af83dfcd8ef365b4b1180453060ae5176389f5)
|
|
access mask check for _samr_lookup_domain() to work with Windows RAS server
(This used to be commit 2e7a5608ac6a11f4e9e8bda69abb984fb4f86eb8)
|
|
* define some const SE_PRIV structure for use when
you need a SE_PRIV* to a privilege
* fix an annoying compiler warngin in smbfilter.c
* translate SIDs to names in 'net rpc rights list accounts'
* fix a seg fault in cli_lsa_enum_account_rights caused by
me forgetting the precedence of * vs. []
(This used to be commit d25fc84bc2b14da9fcc0f3c8d7baeca83f0ea708)
|
|
This allows the ldap-backend to search much more effeciently. Machines
will be searched in the ldap_machine_suffix and users in the
ldap_users_suffix. (Note that we already use the ldap_group_suffix in
ldapsam_setsamgrent for quite some time).
Using the specific ldap-bases becomes notably important in large
domains: On my testmachine "net rpc trustdom list" has to search through
40k accounts just to list 3 interdomain-trust-accounts, similiar effects
show up the non-user query_dispinfo-calls, etc.
Also renamed all_machines to only_machines in load_sampwd_entries()
since that reflects better what is really meant.
Guenther
(This used to be commit 6394257cc721ca739bda0e320375f04506913533)
|
|
* rewrote the tdb layout of privilege records in account_pol.tdb
(allow for 128 bits instead of 32 bit flags)
* migrated to using SE_PRIV structure instead of the PRIVILEGE_SET
structure. The latter is now used for parsing routines mainly.
Still need to incorporate some client support into 'net' so
for setting privileges. And make use of the SeAddUserPrivilege
right.
(This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
|
|
(This used to be commit 4b351f2fcc365a7b7f8c22b5139c299aa54c9458)
|
|
(based on Simo's code in trunk). Rewritten with the
following changes:
* privilege set is based on a 32-bit mask instead of strings
(plans are to extend this to a 64 or 128-bit mask before
the next 3.0.11preX release).
* Remove the privilege code from the passdb API
(replication to come later)
* Only support the minimum amount of privileges that make
sense.
* Rewrite the domain join checks to use the SeMachineAccountPrivilege
instead of the 'is a member of "Domain Admins"?' check that started
all this.
Still todo:
* Utilize the SePrintOperatorPrivilege in addition to the 'printer admin'
parameter
* Utilize the SeAddUserPrivilege for adding users and groups
* Fix some of the hard coded _lsa_*() calls
* Start work on enough of SAM replication to get privileges from one
Samba DC to another.
* Come up with some management tool for manipultaing privileges
instead of user manager since it is buggy when run on a 2k client
(haven't tried xp). Works ok on NT4.
(This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
|
|
unlocks) to be set and displayed in User Manager.
Guenther
(This used to be commit 8fd7e26fa12a4102def630efa421fad70f3affb1)
|
|
Samba DC to join clients to the domain -- needs more testing and security review but does work with initial testing
(This used to be commit 9ade9bf49c7125fb29658f943e9ebb6be9496180)
|
|
Guenther
(This used to be commit 5e6ce9a6e3d62190da5427ed7b5e2f2ac22a0c34)
|
|
set the value "forcibly disconnect remote users from server when logon
hours expire" to "no", instead take the value from our account-policy
storage.
Guenther
(This used to be commit e3bd2a22a5cebc4adf6910d3ec31bc6fada8cd35)
|
|
based on samba4-idl.
This saves us an enormous amount of totally unnecessary ldap-traffic
when several hundreds of winbind-daemons query a Samba3 DC just to get
the fake SAM-sequence-number (time(NULL)) by enumerating all users, all
groups and all aliases when query-dom-info level 2 is used.
Note that we apparently never get the sequence number right (we parse a
uint32, although it's a uint64, at least in samba4 idl). For the time
being, I would propose to stay with that behaviour.
Guenther
(This used to be commit f9ab15a986626581000d4b93961184c501f36b93)
|
|
(This used to be commit 0f26ba5226fab5b86031a0df6fba16b8e6af6e7d)
|
|
comment string and not an unknown 12 byte structure...
Found after abartlet's smbtorture extended this string to
"Tortured by Samba4: Fri Nov 26 15:40:18 2004 CET"
;-))
Volker
(This used to be commit b41d94d8186f66136918432cf32e9dcef5a8bd12)
|
|
allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
|
|
abartlet, I'd like to ask you to take a severe look at this!
We have solved the problem to find the global groups a user is in twice: Once
in auth_util.c and another time for the corresponding samr call. The attached
patch unifies these and sends them through the passdb backend (new function
pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further
optimize the corresponding call if the samba and posix accounts are unified by
issuing a specialized ldap query.
The parameter to activate this ldapsam behaviour is
ldapsam:trusted = yes
Volker
(This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
|
|
implementation does
not exactly match what you would expect.
XP workstations during login actually do this, so we should better become a
bit more correct. The LDAP query issued is not really fully optimal, but it is
a lot faster and more correct than what was there before. The change in
passdb.h makes it possible that queryuseraliases is done with a single ldap
query.
Volker
(This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
|
|
user is deleted first before deleting UNIX user (LDAP backend
needs this ordering).
Jeremy.
(This used to be commit 2815b31e013e517a58027ba74f118209caf4d85f)
|
|
relationships.
Jeremy.
(This used to be commit b910e530027c19c4e505314a91ffcb72f20d8f09)
|
|
(This used to be commit f836be323a233f3a28cbaa04c532e83ea98ead89)
|
|
Thanks to Jonas Olsson for the bug report & fix.
Volker
(This used to be commit de0eaf7be7d0c3aaf4e17b63653ca68b4332c982)
|
|
<j.lu@tiesse.com>.
Jeremy.
(This used to be commit d5fb5ba9df9fc0f9167e76402c59a971f52e1b1f)
|
|
Volker
(This used to be commit b4429d97439e511d40901f809e3923945cb52221)
|
|
(This used to be commit 911a28361b9d8dd50597627f245ebfb57c6294fb)
|
|
Volker
(This used to be commit 6e18bed17093e0b1792f68817096e64e0e841f26)
|
|
(This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
|
|
(This used to be commit f0d99f318c67852ac5bf9b606faa115ad36a5f80)
|
|
(This used to be commit 832674c099a3ff9bb747dba6235e47d40a930abd)
|
|
srv_samr_nt.c: Correctly report that a user is not member of an alias.
Volker
(This used to be commit 540f625036871e7facd094fce49d7317f65f4ffd)
|
|
minutes, not seconds. Works from usrmgr.
(This used to be commit 98833a82facb0bc25d9ba6f4d4c1200627e98d6d)
|
|
(This used to be commit 700049d9efefc7f8952cc60bc46ba8aa790a28ba)
|
|
Volker
(This used to be commit 7a947ecdf56f2dd02811262372708f8a74bfedad)
|
|
you search in BUILTIN. Match that.
Volker
(This used to be commit 2863b21d8a5933c309c51edb09fbda4e669e4890)
|
|
Volker
(This used to be commit 04639e8862c360e89faac8b80c63197d514b7455)
|
|
(This used to be commit b60f6ec30d05e4e5bba9934a416ddc8bc089824f)
|
|
As well as avoiding DOS charset issues, this scheme returns useful error
codes, that we can map back via the pam interface.
This patch also cleans up the interfaces used for password buffers, to
avoid duplication of code.
Andrew Bartlett
(This used to be commit 2a2b1f0c872d154fbcce71a250e23dfad085ba1e)
|
|
<j.lu@tiesse.com>
(This used to be commit 2fd2c07df42df42103e81f5eb39bd1778de6ca0a)
|
|
(This used to be commit 6202e0fa727a4307f51bf42f5ced401a7c7b8214)
|
|
This adds a configure test, that tries to find out if we have a working
cracklib installation, and tries to pick up the debian hints on where
the dictionary might be found. Default is per my Fedora Core 1 system -
I'm not sure how much it changes.
Andrew Bartlett
(This used to be commit bc770edb788f0b6f719011cda683f045b76b7ba5)
|
|
(This used to be commit ebabf72a78f0165521268b73e0fcabe1ea7834fd)
|
|
if this parameter is not an account type
Andrew Bartlett
(This used to be commit faddf5d8f9821176f4367caaf61844980df9f79c)
|
|
his book.
This prompted me to look at the code that reads the unix group list. This
code did a lot of name -> uid -> name -> sid translations, which caused
problems. Instead, we now do just name->sid
I also cleaned up some interfaces, and client tools.
Andrew Bartlett
(This used to be commit f9e59f8bc06fae7e5c8cb0980947f78942dc25c0)
|
|
script; patch from Jianliang Lu <j.lu@tiesse.com>
(This used to be commit 19a8dd523a4ee50ba9066efd60a29cf3ba9ae419)
|
|
(This used to be commit 9359a6ea80d1228e87ea825a100a2d289c37162d)
|
|
* don't fall back to unmapped UNIX group for
get_local_group_from_sid()
* remove an extra become/unbecome_root() pair
from group enumeration
(This used to be commit da12bbdb0dd9179b1ed457fa009679e2da4a8440)
|
|
account flags of 0.
Andrew Bartlett
(This used to be commit 601120f335b69e5b8a003038dfac00f3f234a5c1)
|
|
(This used to be commit 68283407e0f366d8315f4be6caed67eb6fe84b85)
|
|
DES based krb5 logins).
Andrew Bartlett
(This used to be commit 240b0d178e1b4a3556207bdf2e342c70155f64ee)
|
