summaryrefslogtreecommitdiff
path: root/source3/sam
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r4870: Make multi-domain-mode in idmap_rid accessible from outside (can beGünther Deschner1-8/+20
compiled with -DIDMAP_RID_SUPPORT_TRUSTED_DOMAINS) as requested by Lars Mueller <lmuelle-at-suse.de>. Allow to map ID's for a local SAM and add some more debugging-information. Guenther (This used to be commit 4d8e7c9ff00417b2ebae0c5faccfe9c2c9c44f2e)
2007-10-10r4221: when in the multi-mapping mode of idmap_rid:Günther Deschner1-4/+10
allow BUILTIN domain-mapping. Guenther (This used to be commit e3b067ee99e304aa9e165dae5fcb0546cec711e2)
2007-10-10r4216: fix segfault in idmap_ridGünther Deschner1-2/+2
(only ever shows up when the somewhat hidden IDMAP_RID_SUPPORT_TRUSTED_DOMAINS - define is set). Thanks to Stephan Martin <sm@suse.de> for reporting this bug. Guenther (This used to be commit e7b81d679b487734e12a948f30f0ad88240f17f1)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison2-2/+2
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r3758: Increase a debug level. This error condition can actually happen in ↵Volker Lendecke1-1/+1
real life if you have several competing winbinds that might get a lag due to replication. Volker (This used to be commit 1c3f194ab7ab63aeb2284d7e5c7e183340740ceb)
2007-10-10r3498: Optimisation of idmap_rid init: Avoid calling a DC for the domain-sidGünther Deschner1-28/+42
when trusted domains are disabled anyway. Guenther (This used to be commit cd30a0b14adf1e58c19bcbfec385a5794d4ca112)
2007-10-10r3221: Remove check for allow-trusted-domains so that this thing does not ↵John Terpstra1-1/+1
throw-up. (This used to be commit 3d8e19468b8dda3bc84f0bc9174944c8275ed024)
2007-10-10r3151: Add the "no warranty"-section in the licence header.Günther Deschner1-0/+10
Guenther (This used to be commit c9a7bc10b7aa5e1cb7d37ba9b1a8ddb9b0b2dd5e)
2007-10-10r3146: Some cleanup for idmap_rid:Günther Deschner1-155/+150
- fix several memleaks found by valgrind - turn off support for trusted domains (can be reenabled with #define IDMAP_RID_SUPPORT_TRUSTED_DOMAINS 1) - improve readability Guenther (This used to be commit 351a1227e80db5d87b71e17cd1443c11ea6ace4e)
2007-10-10r3145: Add experimental idmap_rid-Plugin.Günther Deschner1-0/+513
Written by Sumit Bose <sbose@suse.de> and myself a while ago. idmap_rid does a direct, static mapping between RIDs and UIDs/GIDs using the idmap-range as offset. It does thus allow to have a unified mapping over several winbindd-systems without having the need of a central LDAP-Server (and all related dependencies and problems this solution can bring). Compile: ./configure --with-shared-modules=idmap_rid Usage: idmap backend = idmap_rid idmp_rid does even allow you to have multiple mappings (for trusted domains). This is a rather problemtic feature and will be turned off by default rather soon. The problem is that ranges can quickly overlap when not measured with caution. idmap backend = idmap_rid:"MYDOMAIN=1000-9999 OTHER=10000-19999" Will valgrind idmap_rid later today and fix a couple of things. Guenther (This used to be commit 49a238bd37105bf1a33d4a230ca594c4cf304dd3)
2007-10-10r3137: Do not simply ignore failing idmap-module init for remotemaps.Günther Deschner1-1/+4
(in preparation of adding idmap_rid) Guenther (This used to be commit e7691f4862da141f530a8e8b1364b9c02e8dc732)
2007-10-10r2691: Increase a debug level for a quite frequent operation.Volker Lendecke1-0/+27
Optimization for 'idmap backend = ldap': When asking sid2id for the wrong type, don't ask ldap when we have the opposite mapping in the local tdb. Volker (This used to be commit c91cff3bd38c1a8e23628b032f09829f9abf792d)
2007-10-10r1430: Although prepared for only one remote backend, make the 'idmap backend'Volker Lendecke1-3/+4
parameter a list instead of a string. This makes idmap backend = ldap:"ldap://localhost/ ldap://fallback/" possible. Volker (This used to be commit ea718347937ec0e5640b29e0e9edf6eda2b45e34)
2007-10-10r1297: Yes, it does survive valgrind for my tests :-)Volker Lendecke1-0/+29
Check in the 'winbind proxy only' mode -- no new parameter required :-) If you don't set idmap uid or idmap gid, winbind will not do idmap stuff, it will only proxy the netlogon request and thus speed up the authentication of domain users. Volker (This used to be commit 29235f0c69035376ad7ac27b08a59069fa151102)
2007-10-10r916: Memory leak fix from kawasa_r@itg.hitachi.co.jp.Jeremy Allison1-2/+6
Jeremy. (This used to be commit c336ccf4e8a6340f8d786219fbc7e4e5a7877e4e)
2004-03-11Get MungedDial actually working with full TS strings in it for pdb_ldap.Jim McDonough1-8/+8
I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-02-23Janitor for tpot...bugzilla #1098, msleep already exists on aixJim McDonough1-1/+1
(This used to be commit 4319df7fdc2d878c509381923cc1db4d731620ba)
2004-01-06isolate ldap debug messages to the common smbldap_XXX() functionsGerald Carter1-5/+0
(This used to be commit 7d7a262f45182e67daecdca49df85445c2b9700a)
2003-11-14fix more memory leaks in the LDAP backend code; patches from metzeGerald Carter1-4/+14
(This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-11-07fix for bug 680 (heads up). This gist is to map theGerald Carter1-355/+129
UNIX entity foo to DOMAIN\foo instead of SERVER\foo on members of a Samba domain when all UNIX accounts are shared via NIS, et. al. * allow winbindd to match local accounts to domain SID when 'winbind trusted domains only = yes' * remove code in idmap_ldap that searches the user suffix and group suffix. It's not needed and provides inconsistent functionality from the tdb backend. This has been tested. I'm still waiting on some more feedback but This needs to be in 3.0.1pre2 for widespread use. (This used to be commit ee272414e9965d7d550ba91d4e83997134dd51e6)
2003-09-10Ensure we consistantly translate to/from utf8 for talking to LDAP.Jeremy Allison1-33/+31
Jeremy. (This used to be commit b5d953bc26de5c4e0e1a15f70ae56ea2dd2843f2)
2003-08-15get rid of more compiler warningsHerb Lewis2-4/+4
(This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669)
2003-08-132 fixesGerald Carter3-168/+168
* bug #280 (my fault) - initialize sambaNextUserRid and sambaNextGroupRid * Unix users shared vis LDAP or NIS between a samba domain member of a Samba domain are not seen as domain users on the member servers. not as local users. (This used to be commit a030fa373aefde8628def54ca8152f237a0467dc)
2003-08-06rework winbindd_accountdb_init() to reduce error messages in the logGerald Carter1-14/+21
(This used to be commit d98a68e0ebaf2fbd360b826f5df472bc3f94285b)
2003-08-01Update my copyrights according to my agreement with IBMJim McDonough2-2/+2
(This used to be commit a2bd8f0bfa12f2a1e33c96bc9dabcc0e2171700d)
2003-08-01Fix copyright statements for various pieces of Anthony Liguori's work.Jim McDonough3-3/+3
(This used to be commit 15d2bc47854df75f8b2644ccbc887d0357d9cd27)
2003-07-24Some more [ug]id_t printf fixes.Tim Potter1-4/+4
(This used to be commit 165d1ae55622ca1e89c94fc5e40bdf5cddbcab45)
2003-07-23convert snprintf() calls using pstrings & fstringsGerald Carter1-26/+19
to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-22Fixup a bunch of printf-style functions and debugs to use unsigned long whenTim Potter4-31/+46
displaying pid_t, uid_t and gid_t values. This removes a whole lot of warnings on some of the 64-bit build farm machines as well as help us out when 64-bit uid/gid/pid values come along. (This used to be commit f93528ba007c8800a850678f35f499fb7360fb9a)
2003-07-11moving more code around.Gerald Carter4-3/+450
* move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-09Large set of changes to add UNIX account/group managementGerald Carter3-1/+32
to winbindd. See README.idmap-and-winbind-changes for details. (This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6)
2003-07-07fix some compile problems. Can't get IDMAP_OBJ our of proto.hGerald Carter1-1/+2
just yet. ` (This used to be commit 6f0b5d474a051db512db2f73a8097c80964ec513)
2003-07-07Cleaning up linking issues. sam/idmap*.c only links inGerald Carter2-279/+1
winbindd now. Also removing an unused file. (This used to be commit 688369c23c604e9b6654fcf07190d2e27c1138cf)
2003-07-07and so it begins....Gerald Carter1-110/+27
* remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-07-06This changes our Unix primary GID behaviour back to what most people expect:Andrew Bartlett1-3/+4
Samba will now use the user's UNIX primary group, as the primary group when dealing with the filesystem. The NT primary group is ignored in unix. For the NT_TOKEN, the primary group is the NT priamry group, and the unix primary group is added to the NT_TOKEN as a supplementary group. This should fix bug #109, but will need to be revisited when we get a full NT group database. Also in this commit: - Fix debug statements in service.c - Make idmap_ldap show if it's adding, or modifying an existing DN - Make idmap_ldap show both the error message and error string (This used to be commit 32e455a714b2090fcfd1f6d73daccf600c15d51b)
2003-07-05Add some debug statments to our vampire code - try to make it easier to trackAndrew Bartlett1-2/+4
down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05Fixes to our LDAP/vampire codepaths:Andrew Bartlett1-0/+11
- Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-05Allow modification of an existing entry.Andrew Bartlett1-15/+36
We still have a lot of work to do to allow this in quite the same way as we have in the TDB, but it certainly is getting closer. Andrew Bartlett (This used to be commit b9ef4e138843e3a9d1157e197de0964daf29f0dd)
2003-07-04Don't allow RIDs (in our domain) below 1000 (or algorithmic rid base) to beAndrew Bartlett1-0/+5
mapped with the rid algorithm. Instead, a uid/gid from the UID/GID range will be allocated for this RID. Andrew Bartlett (This used to be commit 68245e9cfae9a8cb663503301c21498dd9a3a560)
2003-07-04This patch cleans up some of our ldap code, for better behaviour:Andrew Bartlett2-593/+269
We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-02Fix for idmap startup bug with remote ldap backend.Jeremy Allison1-21/+47
Jeremy. (This used to be commit 16a5461dd36f138a1bb1e3a2b70d4000bba0c980)
2003-07-01Don't set a mapping that is already there.Volker Lendecke1-0/+15
Volker (This used to be commit 9d317fb533c5236bef1701d322abd537beea02d5)
2003-06-30Merge of Volkers patch to make the logic clearer (with my mod).Jeremy Allison1-44/+45
Jeremy. (This used to be commit 1714eb6bef627ebcfb6db03e58fdd02ea502c6e1)
2003-06-30Fix missing ret = found by Volker.Jeremy Allison1-1/+1
Jeremy. (This used to be commit ba112bb3fdb4e81d8f6ab1ccc4a68960f71ccb23)
2003-06-27Some const correctness. Stop tdb being used as a remote backend. If anJeremy Allison3-59/+75
idmap backend is specified cause smbd to ask winbindd (use winbindd if you want a consistant remote backend solution). Should work well enough for next beta now... Jeremy. (This used to be commit 8f830c509af5976d988a30f0b0aee4ec61dd97a3)
2003-06-26Add include guards around idmap.h, change ID_NOMAP to ID_QUERY_ONLYJeremy Allison3-13/+33
and ID_CACHE to ID_CACHE_SAVE. Added locking around tdb writes & deletes for multi-process access. Jeremy. (This used to be commit 5b998cdc1d552234236862f6a2bbae703b0c146e)
2003-06-26As has been pointed out, ordering here doesn't matter so use normalJeremy Allison1-2/+2
add. Jeremy. (This used to be commit 030b35ca0fc9fe49610084c6c1be95241157564b)
2003-06-26Fix immediate bug where the idmap can't tell the difference between an entryJeremy Allison2-17/+32
not being present (and so allocate another) and an entry that is present but of the wrong type. This code still has major problems... Jeremy. (This used to be commit a304bc5ff134df118754d9e8d2b2680b4101e438)
2003-06-25Ensure idmap backends are added in the correct order (DLIST_ADD putsJeremy Allison3-8/+26
things at the *front* of the list). Add more debug. Still broken.. :-(. Jeremy. (This used to be commit dd9251e6f51f229ca1fab23d9b06f5bb68644fab)
2003-06-25Fix a warning in a DEBUGVolker Lendecke1-12/+12
Clean up the init a little bit, less nested if-statements. Agreed upon with Simo. Volker (This used to be commit fdcfefd7f1be55307ccd59290efd249981198e1e)