| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
mapped with the rid algorithm.
Instead, a uid/gid from the UID/GID range will be allocated for this RID.
Andrew Bartlett
(This used to be commit 68245e9cfae9a8cb663503301c21498dd9a3a560)
|
|
We now always read the Domain SID out of LDAP. If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP. We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap). If we fail to read/add the domain entry, we just
fallback to the old behaviour.
We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available. This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added. Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.
The code now allows modifications to the ID mapping in many cases.
Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).
The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'. This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.
On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.
We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate. Instead, we just start at the bottom
of the range, and increment again if the user already exists. The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.
Thanks to metze and AB for double-checking parts of this.
Andrew Bartlett
(This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
|
|
Jeremy.
(This used to be commit 16a5461dd36f138a1bb1e3a2b70d4000bba0c980)
|
|
Volker
(This used to be commit 9d317fb533c5236bef1701d322abd537beea02d5)
|
|
Jeremy.
(This used to be commit 1714eb6bef627ebcfb6db03e58fdd02ea502c6e1)
|
|
Jeremy.
(This used to be commit ba112bb3fdb4e81d8f6ab1ccc4a68960f71ccb23)
|
|
idmap backend is specified cause smbd to ask winbindd (use winbindd if
you want a consistant remote backend solution).
Should work well enough for next beta now...
Jeremy.
(This used to be commit 8f830c509af5976d988a30f0b0aee4ec61dd97a3)
|
|
and ID_CACHE to ID_CACHE_SAVE. Added locking around tdb writes & deletes
for multi-process access.
Jeremy.
(This used to be commit 5b998cdc1d552234236862f6a2bbae703b0c146e)
|
|
add.
Jeremy.
(This used to be commit 030b35ca0fc9fe49610084c6c1be95241157564b)
|
|
not being present (and so allocate another) and an entry that is present but
of the wrong type. This code still has major problems...
Jeremy.
(This used to be commit a304bc5ff134df118754d9e8d2b2680b4101e438)
|
|
things at the *front* of the list). Add more debug. Still broken.. :-(.
Jeremy.
(This used to be commit dd9251e6f51f229ca1fab23d9b06f5bb68644fab)
|
|
Clean up the init a little bit, less nested if-statements.
Agreed upon with Simo.
Volker
(This used to be commit fdcfefd7f1be55307ccd59290efd249981198e1e)
|
|
Set back 3.0 to use only winbindd_idmap.tdb as idmap database as told on
samba-technical.
Tested and working so far.
(This used to be commit e154e50fed8968567f75fcd581de2b41914ea2c1)
|
|
Jeremy.
(This used to be commit a118648d9505d54850ffad1e9ce7a2c3d279df9f)
|
|
Jeremy.
(This used to be commit 705915d9f71504f8ae04444352c80811c5a6f1ac)
|
|
causes mapping to dissapear...
Jeremy.
(This used to be commit bdffc81c9d1eeab26e4dba017a99bb9cc9131493)
|
|
As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK
This patch will cure the problem.
Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is
used correctly, but I'm not 100% sure, coders should check the use of
NT_STATUS_IS_ERR() in samba is ok now.
Simo.
(This used to be commit c501e84d412563eb3f674f76038ec48c2b458687)
|
|
The idea here is to eliminate the need to *set* the 'HWM' (High Water
Mark) in the tdb. Instead, each caller wanting to add an item to the
TDB uses the fact that an insert will *fail* if entry already exists.
More importantly, this means that we don't need to know the value of the
idmap uid/gid values when setting arbitrary entries, which can occur on
an smb.conf without such values specified.
Then all we need to do is loop until we get an id that will insert.
This means that the HWM does not need to be accurate, and we can have
IDs allocates safely above the HWM.
Setting the HWM to an arbitrary value was racy in the past - now we
don't even do it.
This patch also adds paranoia in reading the tdb - both the entry, and
it's reverse entry must be present. This means that we don't need to
'clean up' after an abnormal failure (which would probably fail too),
instead we rely on readers to ignore the half-completed entry. The way
this is done will allow SIDs to then allocated an ID when things are
normal again.
Andrew Bartlett
(This used to be commit 74709e159cdcd4dbcf138428a85067b38c4ebe64)
|
|
and pdb_ldap.
So far, it's just a function rename, so that the next patch can be a very
simple matter of copying functions, without worrying about what changed
in the process.
Also removes the 'static' pointers for the rebind procedures, replacing them
with a linked list of value/key lookups. (Only needed on older LDAP client
libs)
Andrew Bartlett
(This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
|
|
The code was nice, but put in the wrong place (group mapping) and not
supported by most of the code, thus useless.
We will put back most of the code when our infrastructure will be changed
so that privileges actually really make sense to be set.
This is a first patch of a set to enhance all our mapping code cleaness and
stability towards a sane next beta for 3.0 code base
Simo.
(This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
|
|
0644 as the other databases.
Volker
(This used to be commit 5849053930474b1e735f3232995813ef5126ad00)
|
|
Volker
(This used to be commit 2392f460aeb11f32759e84faf1e7ace73c5db281)
|
|
Volker
(This used to be commit dcdb6683a7c9d675c23cc2c0295cefec81f469a7)
|
|
from the output of 'net idmap dump'.
'net idmap dump' now also prints the USER/GROUP HWM.
Volker
(This used to be commit c0575be936572bb091a77c58361bd3a4fe9549ff)
|
|
tested.
Incrementing HWW_USER while allocating a GROUPID looked somewhat wrong.
Volker
(This used to be commit d1eac2c75856f8f1dec8d429feb24a5f05fa6ca8)
|
|
(This used to be commit df0df941d84386a7de5c97149c6c06d01a8720d0)
|
|
Jeremy.
(This used to be commit 6a07d19b6342e28a4827c16fcc379952bb1808b4)
|
|
* remove 'winbind uid' and 'winbind gid' parameters (replaced
by current idmap parameter)
* create the sambaUnixIdPool entries automatically in the 'ldap
idmap suffix'
* add new 'ldap idmap suffix' and 'ldap group suffix' parametrer
* "idmap backend = ldap" now accepts 'ldap:ldap://server/' format
(parameters are passed to idmap init() function
(This used to be commit 1665926281ed2be3c5affca551c9d458d013fc7f)
|
|
Includes sambaUnixIdPool objectclass
Still needs cleaning up wrt to name space.
More changes to come, but at least we now have a
a working distributed winbindd solution.
(This used to be commit 824175854421f7c27d31ad673a8790dd018ae350)
|
|
(This used to be commit eafd53a7e7b54ccf2089dc5841ea4291a891ea91)
|
|
used to be commit 7a85a963251c3b26187adbf9ff1b241bc9fbafa2)
|
|
(This used to be commit 69c84ad06b759da2246b3c00155a43e90f45a7f6)
|
|
The correct prototype in C is function(void).
Please remember this !
Jeremy.
(This used to be commit b6b844a1a23532927b1177b652191ddfa92437e0)
|
|
(This used to be commit 7e352f5c62c4889bdf2662dded1e74a354890dc7)
|
|
SIDs
(This used to be commit b24c0efc4b363cb0d4ed71588e9617d668c16be9)
|
|
(This used to be commit a1326ea34831bf49942f7bcb954999091c3ea820)
|
|
New objectclass named sambaSamAccount which uses attribute
prefaced with the phrase 'samba' to prevent future name clashes.
Change in functionality of the 'ldap filter' parameter. This always
defaults to "(uid=%u)" now and is and'd with the approriate objectclass
depending on whether you are using ldapsam_compat or ldapsam
conversion script for migrating from sambaAccount to
sambaSamAccount will come next.
(This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
|
|
Jeremy.
(This used to be commit e12934c67b6aea9e3e449009e159ce6814dcbd11)
|
|
Jeremy.
(This used to be commit 2a6d0c2481c3c34351e57c30a85004babdbf99b0)
|
|
used to be commit f1e59906577a59269f1821d9e438fc56278b9dbe)
|
|
add winbindd_passdb backend
this makes it possible to have nua accounts on security = user servers to
show up in unic through nss_winbind.so
the problem is that we do not have group support, so nss group support is
not very good at this time (read: totally absent)
we NEED group support in passdb
(This used to be commit 921215cf4bfbd4d7457f81e181bb1a74a4531ca1)
|
|
make a new sam_Account contain our domain by default, windows will complain
on logon otherwise.
fix stupid typo in idmap_util.c
(This used to be commit 21701876dc6c59ebfc51be708a98226a00a764e0)
|
|
correctly handle allocated rids in tdbsam
(This used to be commit 7ae6162e1dd668897628c4f7edff508616644d21)
|
|
add group mapping mappings to idmap at startup
(This used to be commit 62365023db61d5a4fa32845af3db73bce6cb94ea)
|
|
(This used to be commit 568feee8977ee1be210344c8ab1896512894cba2)
|
|
used to be commit a1ffe2a29c0e6be54af09d6647b7f54369d75a1e)
|
|
plus internal fixes
1st stage
(This used to be commit 6d036761e565bc93964bb3c939d5b7d78d5778a3)
|
|
few fixes to *id_to_*id functions, we don't set the mapping for algoritmic
RIDs, they are resolved in the classic way
eliminate getpw* calls from tdbsam
(This used to be commit 6a7689cf74cd4d5f29e0b12f4bf8ac3051d49157)
|
|
(This used to be commit db571a9fd7fbce1c13ed652616ad9725db00b49f)
|
|
SAM_ACCOUNT does not have anymore uid and gid fields
all the code that used them has been fixed to use the proper idmap calls
fix to idmap_tdb for first time idmap.tdb initialization.
auth_serversupplied_info structure has now an uid and gid field
few other fixes to make the system behave correctly with idmap
tested only with tdbsam, but smbpasswd and nisplus should be ok
have not tested ldap !
(This used to be commit 6a6f6032467e55aa9b76390e035623976477ba42)
|
