summaryrefslogtreecommitdiff
path: root/source3/sam
AgeCommit message (Collapse)AuthorFilesLines
2003-07-09Large set of changes to add UNIX account/group managementGerald Carter3-1/+32
to winbindd. See README.idmap-and-winbind-changes for details. (This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6)
2003-07-07fix some compile problems. Can't get IDMAP_OBJ our of proto.hGerald Carter1-1/+2
just yet. ` (This used to be commit 6f0b5d474a051db512db2f73a8097c80964ec513)
2003-07-07Cleaning up linking issues. sam/idmap*.c only links inGerald Carter2-279/+1
winbindd now. Also removing an unused file. (This used to be commit 688369c23c604e9b6654fcf07190d2e27c1138cf)
2003-07-07and so it begins....Gerald Carter1-110/+27
* remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-07-06This changes our Unix primary GID behaviour back to what most people expect:Andrew Bartlett1-3/+4
Samba will now use the user's UNIX primary group, as the primary group when dealing with the filesystem. The NT primary group is ignored in unix. For the NT_TOKEN, the primary group is the NT priamry group, and the unix primary group is added to the NT_TOKEN as a supplementary group. This should fix bug #109, but will need to be revisited when we get a full NT group database. Also in this commit: - Fix debug statements in service.c - Make idmap_ldap show if it's adding, or modifying an existing DN - Make idmap_ldap show both the error message and error string (This used to be commit 32e455a714b2090fcfd1f6d73daccf600c15d51b)
2003-07-05Add some debug statments to our vampire code - try to make it easier to trackAndrew Bartlett1-2/+4
down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05Fixes to our LDAP/vampire codepaths:Andrew Bartlett1-0/+11
- Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05Allow modification of an existing entry.Andrew Bartlett1-15/+36
We still have a lot of work to do to allow this in quite the same way as we have in the TDB, but it certainly is getting closer. Andrew Bartlett (This used to be commit b9ef4e138843e3a9d1157e197de0964daf29f0dd)
2003-07-04Don't allow RIDs (in our domain) below 1000 (or algorithmic rid base) to beAndrew Bartlett1-0/+5
mapped with the rid algorithm. Instead, a uid/gid from the UID/GID range will be allocated for this RID. Andrew Bartlett (This used to be commit 68245e9cfae9a8cb663503301c21498dd9a3a560)
2003-07-04This patch cleans up some of our ldap code, for better behaviour:Andrew Bartlett2-593/+269
We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-02Fix for idmap startup bug with remote ldap backend.Jeremy Allison1-21/+47
Jeremy. (This used to be commit 16a5461dd36f138a1bb1e3a2b70d4000bba0c980)
2003-07-01Don't set a mapping that is already there.Volker Lendecke1-0/+15
Volker (This used to be commit 9d317fb533c5236bef1701d322abd537beea02d5)
2003-06-30Merge of Volkers patch to make the logic clearer (with my mod).Jeremy Allison1-44/+45
Jeremy. (This used to be commit 1714eb6bef627ebcfb6db03e58fdd02ea502c6e1)
2003-06-30Fix missing ret = found by Volker.Jeremy Allison1-1/+1
Jeremy. (This used to be commit ba112bb3fdb4e81d8f6ab1ccc4a68960f71ccb23)
2003-06-27Some const correctness. Stop tdb being used as a remote backend. If anJeremy Allison3-59/+75
idmap backend is specified cause smbd to ask winbindd (use winbindd if you want a consistant remote backend solution). Should work well enough for next beta now... Jeremy. (This used to be commit 8f830c509af5976d988a30f0b0aee4ec61dd97a3)
2003-06-26Add include guards around idmap.h, change ID_NOMAP to ID_QUERY_ONLYJeremy Allison3-13/+33
and ID_CACHE to ID_CACHE_SAVE. Added locking around tdb writes & deletes for multi-process access. Jeremy. (This used to be commit 5b998cdc1d552234236862f6a2bbae703b0c146e)
2003-06-26As has been pointed out, ordering here doesn't matter so use normalJeremy Allison1-2/+2
add. Jeremy. (This used to be commit 030b35ca0fc9fe49610084c6c1be95241157564b)
2003-06-26Fix immediate bug where the idmap can't tell the difference between an entryJeremy Allison2-17/+32
not being present (and so allocate another) and an entry that is present but of the wrong type. This code still has major problems... Jeremy. (This used to be commit a304bc5ff134df118754d9e8d2b2680b4101e438)
2003-06-25Ensure idmap backends are added in the correct order (DLIST_ADD putsJeremy Allison3-8/+26
things at the *front* of the list). Add more debug. Still broken.. :-(. Jeremy. (This used to be commit dd9251e6f51f229ca1fab23d9b06f5bb68644fab)
2003-06-25Fix a warning in a DEBUGVolker Lendecke1-12/+12
Clean up the init a little bit, less nested if-statements. Agreed upon with Simo. Volker (This used to be commit fdcfefd7f1be55307ccd59290efd249981198e1e)
2003-06-25Tought I already done.Simo Sorce2-32/+22
Set back 3.0 to use only winbindd_idmap.tdb as idmap database as told on samba-technical. Tested and working so far. (This used to be commit e154e50fed8968567f75fcd581de2b41914ea2c1)
2003-06-25More debugs for this... (these should have been here already !).Jeremy Allison1-1/+8
Jeremy. (This used to be commit a118648d9505d54850ffad1e9ce7a2c3d279df9f)
2003-06-25More instrumentation tracking down this bug...Jeremy Allison1-1/+5
Jeremy. (This used to be commit 705915d9f71504f8ae04444352c80811c5a6f1ac)
2003-06-25Start to instrument this code as I try and track down a nasty bug thatJeremy Allison1-3/+34
causes mapping to dissapear... Jeremy. (This used to be commit bdffc81c9d1eeab26e4dba017a99bb9cc9131493)
2003-06-22Found out a good number of NT_STATUS_IS_ERR used the wrong way.Simo Sorce2-14/+14
As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK This patch will cure the problem. Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is used correctly, but I'm not 100% sure, coders should check the use of NT_STATUS_IS_ERR() in samba is ok now. Simo. (This used to be commit c501e84d412563eb3f674f76038ec48c2b458687)
2003-06-21This patch fixes some issues with idmap_tdb as raised by bug #181Andrew Bartlett1-91/+115
The idea here is to eliminate the need to *set* the 'HWM' (High Water Mark) in the tdb. Instead, each caller wanting to add an item to the TDB uses the fact that an insert will *fail* if entry already exists. More importantly, this means that we don't need to know the value of the idmap uid/gid values when setting arbitrary entries, which can occur on an smb.conf without such values specified. Then all we need to do is loop until we get an id that will insert. This means that the HWM does not need to be accurate, and we can have IDs allocates safely above the HWM. Setting the HWM to an arbitrary value was racy in the past - now we don't even do it. This patch also adds paranoia in reading the tdb - both the entry, and it's reverse entry must be present. This means that we don't need to 'clean up' after an abnormal failure (which would probably fail too), instead we rely on readers to ignore the half-completed entry. The way this is done will allow SIDs to then allocated an ID when things are normal again. Andrew Bartlett (This used to be commit 74709e159cdcd4dbcf138428a85067b38c4ebe64)
2003-06-21This patch works towards to goal of common code shared between idmap_ldapAndrew Bartlett1-12/+12
and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-18Ok, this patch removes the privilege stuff we had in, unused, for some time.Simo Sorce1-1/+1
The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-06-18There's nothing particularly secret in idmap.tdb, so create it withVolker Lendecke1-1/+1
0644 as the other databases. Volker (This used to be commit 5849053930474b1e735f3232995813ef5126ad00)
2003-06-17And more other memory leaks. One new (idmap) and one ancient (groupdb).Volker Lendecke1-0/+1
Volker (This used to be commit 2392f460aeb11f32759e84faf1e7ace73c5db281)
2003-06-17Fix memory leak in idmap. Valgrind is soooo cool.Volker Lendecke1-0/+2
Volker (This used to be commit dcdb6683a7c9d675c23cc2c0295cefec81f469a7)
2003-06-14Add 'net idmap restore'. This restores a broken idmap fileVolker Lendecke1-1/+42
from the output of 'net idmap dump'. 'net idmap dump' now also prints the USER/GROUP HWM. Volker (This used to be commit c0575be936572bb091a77c58361bd3a4fe9549ff)
2003-06-11Sorry idra for messing around with your stuff, but this was obviously notVolker Lendecke1-3/+3
tested. Incrementing HWW_USER while allocating a GROUPID looked somewhat wrong. Volker (This used to be commit d1eac2c75856f8f1dec8d429feb24a5f05fa6ca8)
2003-06-11avoid races in getting high watermarkSimo Sorce1-6/+32
(This used to be commit df0df941d84386a7de5c97149c6c06d01a8720d0)
2003-06-09Fix for crash bug noticed by Luke Howard | PADL Software Pty Ltd | www.padl.com.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 6a07d19b6342e28a4827c16fcc379952bb1808b4)
2003-06-06* break out more common code used between pdb_ldap and idmap_ldapGerald Carter4-84/+188
* remove 'winbind uid' and 'winbind gid' parameters (replaced by current idmap parameter) * create the sambaUnixIdPool entries automatically in the 'ldap idmap suffix' * add new 'ldap idmap suffix' and 'ldap group suffix' parametrer * "idmap backend = ldap" now accepts 'ldap:ldap://server/' format (parameters are passed to idmap init() function (This used to be commit 1665926281ed2be3c5affca551c9d458d013fc7f)
2003-06-05working draft of the idmap_ldap code.Gerald Carter1-192/+254
Includes sambaUnixIdPool objectclass Still needs cleaning up wrt to name space. More changes to come, but at least we now have a a working distributed winbindd solution. (This used to be commit 824175854421f7c27d31ad673a8790dd018ae350)
2003-06-03added idmap_ldap to wrong branch.Gerald Carter1-1/+0
(This used to be commit eafd53a7e7b54ccf2089dc5841ea4291a891ea91)
2003-06-03This commit was manufactured by cvs2svn to create branch 'SAMBA_3_0'.(This ↵cvs2svn Import User1-0/+838
used to be commit 7a85a963251c3b26187adbf9ff1b241bc9fbafa2)
2003-06-03initial version of idmap_ldap.c; lots of updates to comeGerald Carter1-0/+838
(This used to be commit 69c84ad06b759da2246b3c00155a43e90f45a7f6)
2003-05-29function() is *NOT* a valid C proto, but C++ only.Jeremy Allison1-1/+1
The correct prototype in C is function(void). Please remember this ! Jeremy. (This used to be commit b6b844a1a23532927b1177b652191ddfa92437e0)
2003-05-29Add smb_register_idmap(). Based on a patch from metzeJelmer Vernooij3-38/+64
(This used to be commit 7e352f5c62c4889bdf2662dded1e74a354890dc7)
2003-05-16add idmap_winbind unless I made a better way to solve SID type for domainSimo Sorce2-0/+156
SIDs (This used to be commit b24c0efc4b363cb0d4ed71588e9617d668c16be9)
2003-05-14syncing LDAP schema changes with Samba_3_0Gerald Carter1-4/+4
(This used to be commit a1326ea34831bf49942f7bcb954999091c3ea820)
2003-05-14*****LDAP schema changes*****Gerald Carter1-4/+4
New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-12Fix compiler warnings.Jeremy Allison1-2/+0
Jeremy. (This used to be commit e12934c67b6aea9e3e449009e159ce6814dcbd11)
2003-05-12Fix obvious compiler warnings.Jeremy Allison1-2/+0
Jeremy. (This used to be commit 2a6d0c2481c3c34351e57c30a85004babdbf99b0)
2003-05-03This commit was manufactured by cvs2svn to create branch 'SAMBA_3_0'.(This ↵cvs2svn Import User1-0/+377
used to be commit f1e59906577a59269f1821d9e438fc56278b9dbe)
2003-05-03fixes to *_util.c filesSimo Sorce1-13/+48
add winbindd_passdb backend this makes it possible to have nua accounts on security = user servers to show up in unic through nss_winbind.so the problem is that we do not have group support, so nss group support is not very good at this time (read: totally absent) we NEED group support in passdb (This used to be commit 921215cf4bfbd4d7457f81e181bb1a74a4531ca1)
2003-05-02shouldn't wellknown group be well.. ..WKN_GRP ?Simo Sorce1-1/+1
make a new sam_Account contain our domain by default, windows will complain on logon otherwise. fix stupid typo in idmap_util.c (This used to be commit 21701876dc6c59ebfc51be708a98226a00a764e0)