summaryrefslogtreecommitdiff
path: root/source3/utils
AgeCommit message (Collapse)AuthorFilesLines
2003-07-16fixes for 'net rpc vampire'. I can now take a blank Samba hostGerald Carter1-25/+12
and migrate an NT4 domain and still logon from domain members (tested logon scripts, system policies, profiles, & home directories) (passdb backend = tdbsam) removed call to idmap_init_wellknown_sids() from winbindd.c since the local domain should be handled by the guest passdb backend (and you don't really always want the Administrator account to be root) ...and we didn't pay attention to this anyways now. (This used to be commit 837d7c54d3ca780160aa0d6a2f0a109bb691948e)
2003-07-15Fix memleakVolker Lendecke1-0/+2
(This used to be commit 517bb4d0df4cd120ef0ffc3cd879897971f0982e)
2003-07-15Add support for MSG_SMB_CONF_UPDATED and MSG_SHUTDOWN to all daemons (smbd, ↵Alexander Bokovoy1-0/+11
nmbd, winbindd). Reviewed by jerry and tridge. (This used to be commit 02c5e2fc6f0721ebd82a9e6a2b34190607de55fe)
2003-07-15Jim, could you please look at this? smbpasswd -a <username> was brokenVolker Lendecke1-2/+2
for me without this patch. I'm not sure if I interpreted your patch to this code right. Thanks, Volker (This used to be commit 46ec022f873416d2258fc8d84430b17319dce70f)
2003-07-11Doesn't re-prompt for password when it is specified on the cmdlineJim McDonough1-2/+2
(This used to be commit 6ebe87d318658f28ad9b9f8169fc4400856d5812)
2003-07-11moving more code around.Gerald Carter2-2/+4
* move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-10Just a few formatting fixed caught while testing.Rafal Szczesniak1-1/+1
rafal (This used to be commit 156554738cf4e4ffa5a811d9979acd19418e7908)
2003-07-10pdbedit should not call idmap anymore. Otherwise pdbedit -L wouldVolker Lendecke1-13/+2
allocate id's. Volker (This used to be commit 0358cc76757e7ef06dada94ec3a73cd90a525ba9)
2003-07-09Large set of changes to add UNIX account/group managementGerald Carter1-4/+11
to winbindd. See README.idmap-and-winbind-changes for details. (This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6)
2003-07-09more compile fixes for become/unbecome_root()Gerald Carter3-0/+45
(This used to be commit f005f1cf12b839f3985ab00315da63c584ce803e)
2003-07-07and so it begins....Gerald Carter2-22/+22
* remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-07-05Add some debug statments to our vampire code - try to make it easier to trackAndrew Bartlett1-0/+6
down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05Fixes to our LDAP/vampire codepaths:Andrew Bartlett1-37/+44
- Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-04This patch cleans up some of our ldap code, for better behaviour:Andrew Bartlett1-0/+6
We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-03Removed strupper/strlower macros that automatically map to ↵Jeremy Allison4-11/+11
strupper_m/strlower_m. I really want people to think about when they're using multibyte strings. Jeremy. (This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
2003-07-03Some fixes for ads printer publish:Tim Potter1-6/+26
- check error return for cli_full_connection() when trying to obtain printer data - check error return on ads_find_machine_acct() - Minor reformatting to separate fetching printer data from publishing it (This used to be commit 94fe3b2cdfa67c9d74edc00a436b5eacbf3e0dc4)
2003-07-03Implemented 'net ads printer search' which searches the directory forTim Potter1-0/+32
published printers. At the moment we don't search using any parameters but this can be fixed by changing the LDAP search string. Also we should contact the global catalog at SRV _gc._tcp instead of the ldap server we get back from ads_startup(). (This used to be commit 814519c5de7f962623163b732c8589abd355d845)
2003-07-02#ifdef out apparently unused function.Tim Potter1-0/+4
(This used to be commit 9324703066cfdcb65208420a12e4ab8f358ccc09)
2003-06-30Yet more shadow variable warnings.Tim Potter1-3/+3
(This used to be commit b401e78b6eb7efa2af74a7e645c3b34091041769)
2003-06-27Some const correctness. Stop tdb being used as a remote backend. If anJeremy Allison3-27/+26
idmap backend is specified cause smbd to ask winbindd (use winbindd if you want a consistant remote backend solution). Should work well enough for next beta now... Jeremy. (This used to be commit 8f830c509af5976d988a30f0b0aee4ec61dd97a3)
2003-06-25large change:Gerald Carter3-13/+11
*) consolidates the dc location routines again (dns and netbios) get_dc_list() or get_sorted_dc_list() is the authoritative means of locating DC's again. (also inludes a flag to get_dc_list() to define if this should be a DNS only lookup or not) (however, if you set "name resolve order = hosts wins" you could still get DNS queries for domain name IFF ldap_domain2hostlist() fails. The answer? Fix your DNS setup) *) enabled DOMAIN<0x1c> lookups to be funneled through resolve_hosts resulting in a call to ldap_domain2hostlist() if lp_security() == SEC_ADS *) enables name cache for winbind ADS backend *) enable the negative connection cache for winbind ADS backend *) removes some old dead code *) consolidates some duplicate code *) moves the internal_name_resolve() to use an IP/port pair to deal with SRV RR dns replies. The namecache code also supports the IP:port syntax now as well. *) removes 'ads server' and moves the functionality back into 'password server' (which can support "hostname:port" syntax now but works fine with defaults depending on the value of lp_security()) (This used to be commit d7f7fcda425bef380441509734eca33da943c091)
2003-06-24Fixes from Martin Dorey <mdorey@bluearc.com> to only ask for and changeJeremy Allison1-7/+6
the requested parts of the ACL. Jeremy. (This used to be commit c35a88201c619f0ebbaf38adbd0ec2af77e23981)
2003-06-22Found out a good number of NT_STATUS_IS_ERR used the wrong way.Simo Sorce1-2/+2
As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK This patch will cure the problem. Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is used correctly, but I'm not 100% sure, coders should check the use of NT_STATUS_IS_ERR() in samba is ok now. Simo. (This used to be commit c501e84d412563eb3f674f76038ec48c2b458687)
2003-06-21(fixing bug in my last commit)Andrew Bartlett1-6/+6
This isn't C++ - start your code *after* all the variables are declared... Andrew Bartlett (This used to be commit b7760faedc2181538ffc325e727808e6df8f943f)
2003-06-21This removes the StrCaseCmp() stuff from 'net idmap' and 'netAndrew Bartlett4-178/+202
groupmap'. The correct way to implement this stuff is via a function table, as exampled in all the other parts of 'net'. This also moves the idmap code into a new file. Volker, is this your code? You might want to put your name on it. Andrew Bartlett (This used to be commit 477f2d9e390bb18d4f08d1cac9c981b73d628c4f)
2003-06-20Fix bug #136. Add message about erroneous empty "passdb backend" parameter.Jim McDonough1-0/+4
(This used to be commit 897125a9dbbd3f921d944e7bb7c5694a130c5173)
2003-06-18Ok, this patch removes the privilege stuff we had in, unused, for some time.Simo Sorce4-44/+13
The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-06-16Replace all use of bzero with memset ...Richard Sharpe1-15/+15
(This used to be commit e21aab516b33b01536dd9ea067a16b94a38ff4b1)
2003-06-16This glosses over John's problem at SambaXP 2003. When we want to joinVolker Lendecke1-3/+17
a NT4 domain as a BDC with an existing workstation account (existing bdc is fine), we fail. Print a friendly error message in this case. The correct solution would probably be to delete the account and try again. But even this makes us better than NT: NT4 fails in this situation with an empty warning message box and an unusable BDC. It has unsuccessfully tried to suck down the domain database, and thus has no administrator account to log in after reboot.... Volker (This used to be commit 1ddeea2179b11cedccf205c7ffea523ee6750b24)
2003-06-16Fix misleading debug message.Volker Lendecke1-1/+1
Volker (This used to be commit a4f76f2520515d820eb4a320036b998c88c596a8)
2003-06-16Make net rpc vampire return an error if the sam sync RPC returns an error.Tim Potter1-9/+29
E.g if we are pointing at a win2k native mode domain we are returned an NT_STATUS_NOT_SUPPORTED error. (This used to be commit 6053c30f26cdf60f2bbfa6fb58ced6f7bcbd2e83)
2003-06-16another improved debug statementAndrew Tridgell1-1/+1
(This used to be commit ac69b9c83cde306f89143fe43038adff876dd0b0)
2003-06-14Add 'net idmap restore'. This restores a broken idmap fileVolker Lendecke2-0/+73
from the output of 'net idmap dump'. 'net idmap dump' now also prints the USER/GROUP HWM. Volker (This used to be commit c0575be936572bb091a77c58361bd3a4fe9549ff)
2003-06-14This patch modifies 'net rpc vampire' to add new and existing users to bothAndrew Bartlett2-20/+43
the idmap and the SAM. The basic idea is this: Lookup the user with GetPwnam(), and if they exist then use that uid. This is what people expect. If the user does not exist, try and run the right script. This is also what people expect from previous Samba 3.0 behaviour, where the Get_Pwnam() was at runtime. If the idmap entry for this SID isn't valid, or isn't the right value, modify the idmap to account for this mapping. Also, the same logic is applied to the primary gid - if it has changed, update the user's primary unix group. This patch allows users to be added without a mapping - this is fine for machine accounts, for example. I've given it a quick test against my Win2k DC, and I *think* it's sane. Andrew Bartlett (This used to be commit d2a70bfff182352da50cd6c23ddfa80fe1b353c7)
2003-06-13Trivial extension to 'net' to dump current local idmap.Volker Lendecke2-0/+62
(This used to be commit 18f3a5efea7c60d764d5ed82f3a83e1608f8c34e)
2003-06-12Fix for bug#3. Show comments when doing 'net group -l'.Volker Lendecke1-16/+80
Volker (This used to be commit e5664adc07307a066c5312d9224cef2c69a40f77)
2003-06-12Working on bug#3. We want all of the aliases, so start with 0.Volker Lendecke1-0/+2
Volker (This used to be commit ec1a58d09e08583288b18747a0c82e5cf8139b63)
2003-06-10More updates on editreg.c to bring it better in line with the Samba source.Richard Sharpe1-21/+21
(This used to be commit dc69a638b9e12726f050d79b63f92f816c35fe8f)
2003-06-10use lp_realm() to find the default realm for 'net ads password'Andrew Tridgell1-10/+24
(This used to be commit 21d92802781ac224f569a990df3ec1070f0da434)
2003-06-08Make sure that we use schannel (if configured) when checking for a validAndrew Bartlett1-12/+13
join to the DC. Andrew Bartlett (This used to be commit af526fa9b39ab1f8483d5cee66321bc12f78ac05)
2003-05-30Fix bug #137: krb5_set_password is already defined in MIT 1.3 libs, soJim McDonough1-1/+2
we wouldn't build. (This used to be commit 0e9836c4e9e71494b10d71a5f3d5f7da2888c5ef)
2003-05-29Setting account policy values is done using -C, not -V. Fixes bug #120Jelmer Vernooij1-1/+1
(This used to be commit daf443757b62bd3c254a303d638bfd030b4acd2a)
2003-05-20Fix bug #96: Use DNS decompression to properly parse cldap netlogonJim McDonough1-110/+132
packets, otherwise repeated components will not decode correctly. Thanks to aliguori@us.ibm.com for the fix, and lukeh@padl.com for pointing us to the right docs. (This used to be commit a8d5d74cf80c6cae3eac1daa3f88d56373789560)
2003-05-15Patch from "Alex Deiter" <tiamat@komi.mts.ru> to fix incorrect error check.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 43ca4b8a8425b97a6bea08b91420bac6cde807b3)
2003-05-12Fix obvious compiler warnings.Jeremy Allison2-2/+1
Jeremy. (This used to be commit 2a6d0c2481c3c34351e57c30a85004babdbf99b0)
2003-05-12And finally IDMAP in 3_0Simo Sorce2-37/+27
We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-05-12Re-enable secure channel for net rpc vampire.Tim Potter1-8/+13
Jump out of sam entry processing loop if the return value from cli_netlogon_sam_sync() isn't OK or STATUS_MORE_ENTRIES. (This used to be commit 47d8ee3679292ece5d86df11bc56c9b4d71f3d11)
2003-05-12Fix up a bit of my sloppy C.Andrew Bartlett1-3/+2
(This used to be commit f67cc24acf37a9f46427c993574ecf261d7aec1a)
2003-05-12Give up on the idea of avoiding lp_load() in ntlm_auth....Andrew Bartlett1-8/+18
Also, we might be given a 0 length challenge, so don't smb_panic() for smb_xmalloc() of zero size. Andrew Bartlett (This used to be commit 4842de04cf2e1528e726dfad070dfe3a82f46fa2)
2003-05-12Make it possible to actually use --user-SID and --group-SID on a standard ↵Andrew Bartlett1-2/+2
command line. Andrew Bartlett (This used to be commit dd14da756640ba36834a05b9da4759a809c0bb37)