summaryrefslogtreecommitdiff
path: root/source3
AgeCommit message (Collapse)AuthorFilesLines
2003-07-04Don't allow RIDs (in our domain) below 1000 (or algorithmic rid base) to beAndrew Bartlett1-0/+5
mapped with the rid algorithm. Instead, a uid/gid from the UID/GID range will be allocated for this RID. Andrew Bartlett (This used to be commit 68245e9cfae9a8cb663503301c21498dd9a3a560)
2003-07-04This patch cleans up some of our ldap code, for better behaviour:Andrew Bartlett8-990/+724
We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-07-04Fix memleak in groupdb. Spotted by MetzeAlexander Bokovoy1-1/+1
(This used to be commit 5280c6953195c2664628ecaab59ea82b4863e8f7)
2003-07-04Display libraries detected by configure but before configureTim Potter1-0/+12
summary as suggested by abartlet. (This used to be commit 7b2c6181b17a0d62043569ffa49cdf6c5b0b6859)
2003-07-03Removed strupper/strlower macros that automatically map to ↵Jeremy Allison56-280/+268
strupper_m/strlower_m. I really want people to think about when they're using multibyte strings. Jeremy. (This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
2003-07-03Fix for bug #199 (xp driver uploads). Needed to supportGerald Carter1-6/+14
the "OSVersion" print server data value. (This used to be commit 02bc7be1ac6b75bf6559ea684bbc89ab3e19402e)
2003-07-03fix for bug #200. flush connections if the machine trsut accountGerald Carter1-1/+31
changed underneath us. (This used to be commit 6a1ad1ded1d619394ed4ca9e05fdffaa3b902b3b)
2003-07-03Missed this in the previous patch - we now have a seperate idea of theAndrew Bartlett1-1/+1
'unix username' from the NT username, in the auth subsystem at least. Andrew Bartlett (This used to be commit df1aa2a669edc9f26007595411720742d7dff5d9)
2003-07-03This patch takes the work the jerry did for beta2, and generalises it:Andrew Bartlett11-64/+97
- The 'not implmented' checks are now done by all auth modules - the ntdomain/trustdomain/winbind modules are more presise as to what domain names they can and cannot handle - The become_root() calls are now around the winbind pipe opening only, not the entire auth call - The unix username is kept seperate from the NT username, removing the need for 'clean off the domain\' in parse_net.c - All sid->uid translations are now validated with getpwuid() to put a very basic stop to logins with 'half deleted' accounts. Andrew Bartlett (This used to be commit 85f88191b9927cc434645ef4c1eaf5ec0e8af2ec)
2003-07-03Some fixes for ads printer publish:Tim Potter1-6/+26
- check error return for cli_full_connection() when trying to obtain printer data - check error return on ads_find_machine_acct() - Minor reformatting to separate fetching printer data from publishing it (This used to be commit 94fe3b2cdfa67c9d74edc00a436b5eacbf3e0dc4)
2003-07-03Implemented 'net ads printer search' which searches the directory forTim Potter2-1/+46
published printers. At the moment we don't search using any parameters but this can be fixed by changing the LDAP search string. Also we should contact the global catalog at SRV _gc._tcp instead of the ldap server we get back from ads_startup(). (This used to be commit 814519c5de7f962623163b732c8589abd355d845)
2003-07-03fix bug #190; WINS server was getting marked as dead when it was not.Gerald Carter1-2/+14
(This used to be commit fa354f3ceefe53bdfd4f543559041d337b75613f)
2003-07-03Fix bug in doxygen comments for ads search functions.Tim Potter1-4/+4
(This used to be commit ae6c05ea726da13fc1a18398d1ffe56f34e1edb9)
2003-07-03well this was easy...Gerald Carter2-4/+19
When winbindd is running on a PDC the SAM_ACCOUNT for a trusted user has a username of DOMAIN\user. Make sure to trim the domain part from the username when filling in the net_sam_logon reply. This fixes the browsing issues i was seen across domain trusts. (This used to be commit 62e36e6ede067ace23f5473d04917c7eeedf07e2)
2003-07-02Fix for idmap startup bug with remote ldap backend.Jeremy Allison1-21/+47
Jeremy. (This used to be commit 16a5461dd36f138a1bb1e3a2b70d4000bba0c980)
2003-07-02Fixing problems in the iconv discovery stuff in configure.in.Richard Sharpe2-1/+2
This is the first part of the fix that at least allows configure to walk the list of supplied locations where libiconv etc might be found. aclocal.m4 also needs a fix, as does a later test. (This used to be commit 20786543139c546d112f8f6b6d4d796ee7fed609)
2003-07-02Added fix for Japanese case names in statcache - these can changeJeremy Allison3-4/+82
size on upper casing. Based on patch from monyo@home.monyo.com. Jeremy. (This used to be commit 72e382e99b92666acdaf50a040b14aa16d48b80d)
2003-07-02SAMBA_3_0 will now become beta3Gerald Carter1-1/+1
beta2 is captured in the release branch (This used to be commit 4b3a15917dd6935353d8998e918c750a6c090671)
2003-07-02Fix poptOption definition for --no-pass and --kerberos options. The 'value'Tim Potter1-2/+2
field for an option should be set to an identifier to use in a switch statement or zero if the the arg field is to be updated only. This fixes smbclient -k always prompting for a password which we don't need. (This used to be commit 0744e2dad372904a554019146ff6f6e31ca1b2d2)
2003-07-02Suggest the user runs kinit if smbclient -k returns ↵Tim Potter1-0/+4
NT_STATUS_MORE_PROCESSING_REQUIRED. (This used to be commit 66c4beb28672ef335ff4d6d6a3447e4c2c337f76)
2003-07-02Uppercase first letter of debug level 0 statements.Tim Potter1-2/+2
(This used to be commit 05679968e207f795237bbee7b6564f365415d02f)
2003-07-02#ifdef out apparently unused function.Tim Potter1-0/+4
(This used to be commit 9324703066cfdcb65208420a12e4ab8f358ccc09)
2003-07-02Whitespace reformat before applying a patch.Jeremy Allison1-184/+187
Jeremy. (This used to be commit bbe1276b516e1803a4a9285691674784b989b72f)
2003-07-01Fix for bug 189 from MORIYAMA Masayuki <msyk@mtg.biglobe.ne.jp>. IncorrectJeremy Allison1-1/+1
call for Japanese characters. Jeremy. (This used to be commit c6de5df01d470c2dab48cdd6298f450fa94f9a8e)
2003-07-01Adding jcmd's share ACL on XP patch. Thanks Jim !Jeremy Allison3-4/+27
Jeremy. (This used to be commit 7ed1118ae61a13de2c781a94fc2394090efd1f9b)
2003-07-01removing nisplussamGerald Carter3-1538/+2
(This used to be commit f75683995cf0d17df55a70dacd72ab2d6cd17989)
2003-07-01* fixed volker's wbinfo -a lockup again. This one was my fault.Gerald Carter2-61/+63
It was caused by the winbind_ping() call in is_trusted_domain() o if we are a DC then we check our own direct trust relationships we have to rely on winbindd to update the truatdom_cache o if we are a domain member, then we can update the trustdom_cache ourselves if winbindd is not there (This used to be commit 22dfcafb37f7109dc455f4fb6323a25ba4f097bc)
2003-07-01fix compile problem with nisplussamGerald Carter2-13/+20
(This used to be commit 2f7051e2bcaaa45a7315208fc9b5812e6ed657d9)
2003-07-01Different fix for memleak just committed. This belongs intoVolker Lendecke3-4/+1
tdb_search_list_free. Volker (This used to be commit 0f3822c8e71426983b960ad49511efa8707159f9)
2003-07-01Fix two memory leaks. tdb_search_keys allocates space for the keyVolker Lendecke2-0/+4
strings. Running 'net cache list' or secrets_get_trusted_domains through valgrind gives a *huge* amount of invalid reads of one byte beyond the indicated string length in libc's strncpy. Annoying... Volker (This used to be commit 0f8933ae778064ff58cdc832ce52c843631435bb)
2003-07-01Fix a segfault found by metze & valgrind...Volker Lendecke1-3/+5
Don't overwrite past the end of a string. Volker (This used to be commit f036368efdcbe576552ea85a78e5e6199a2b2c6d)
2003-07-01Don't set a mapping that is already there.Volker Lendecke1-0/+15
Volker (This used to be commit 9d317fb533c5236bef1701d322abd537beea02d5)
2003-07-01fix typos in log messages and comments.Gerald Carter2-3/+3
(This used to be commit fd24183ec30688f3699e466bd4d908b24918e328)
2003-07-01* revert change to get_global_sam_name()Gerald Carter2-11/+28
* add get_default_sam_name() to be used by make_user_info_map() * add comments describing get_*_sam_name() (This used to be commit 90470366ea4bdb8021a3453c4bbeb29f009668c1)
2003-07-01* fix the trustdom_cache to work when winbindd is not running.Gerald Carter6-39/+250
smbd will update the trustdom_cache periodically after locking the timestamp key (This used to be commit 7bc4b65b91f98271089335cc301146d5f0c76c3a)
2003-07-01Fixed the latest complaint from jcmd :-). We were storing -1 for theJeremy Allison1-6/+10
CREATOR_OWNER/CREATOR_GROUP uid/gid entries in the SAMBA_PAI attribute. Creator Owner and Creator group now show up as inherited correctly (I think :-). Jim please test. Jeremy. (This used to be commit dbbd8dd15582f95fb9c160c6c42ce9f0971ac4b7)
2003-06-30Merge of Volkers patch to make the logic clearer (with my mod).Jeremy Allison2-45/+45
Jeremy. (This used to be commit 1714eb6bef627ebcfb6db03e58fdd02ea502c6e1)
2003-06-30Fix missing ret = found by Volker.Jeremy Allison1-1/+1
Jeremy. (This used to be commit ba112bb3fdb4e81d8f6ab1ccc4a68960f71ccb23)
2003-06-30* cleanup more DC name resolution issues in check_*domain_security()Gerald Carter8-306/+167
* is_trusted_domain() is broken without winbind. Still working on this. * get_global_sam_name() should return the workgroup name unless we are a standalone server (verified by volker) * Get_Pwnam() should always fall back to the username (minus domain name) even if it is not our workgroup so that TRUSTEDOMAIN\user can logon if 'user' exists in the local list of accounts (on domain members w/o winbind) Tested using Samba PDC with trusts (running winbindd) and a Samba 3.0 domain member not running winbindd. notes: make_user_info_map() is slightly broken now due to the fact that is_trusted_domain() only works with winbindd. disabled checks temporarily until I can sort this out. (This used to be commit e1d6094d066d4c16ab73075caba40a1ae6c56b1e)
2003-06-30Valgrind found a bug (subtracting a pointer from a length rather than theJeremy Allison1-1/+1
length of what the pointer points to). Jeremy. (This used to be commit 492a96e9922c1ef96b967f2965f8bba1f5bc8f23)
2003-06-30Finally ! Fixed the ACL ordering bug reported by jcmd. I realised we wereJeremy Allison2-27/+125
not sorting returned ACE's correctly w.r.t. W2K - implemented the correct algorithm. Jeremy. (This used to be commit fa23a4158ec23c0b8dbdc6c53f29958243107dee)
2003-06-30removing old codeGerald Carter1-172/+0
(This used to be commit 80df684b72f273f9efc0c00646f26d17f1b4bc70)
2003-06-30* rename samstrict auth method to samGerald Carter6-137/+132
* rename original sam auth method to sam_ignoredomain * remove samstrict_dc auth method (now covered by 'sam') * fix wbinfo -a '...' and getent passwd bugs when running winbindd on a samba PDC (reported by Volker) (This used to be commit 52166faee793d337e045d64f7cb27ea7ac895f60)
2003-06-30fix for platforms that don't have unsetenv().Gerald Carter2-5/+9
we now have to check the value for _NO_WINBINDD. "1" enables, and != "1" disables (use "0" by convention). (This used to be commit 11eccaef1dc61d80a7db8d0fb4bc5a47d71a4390)
2003-06-30Add the 'guest' passdb backend automatically ifVolker Lendecke2-2/+27
guest account != "" Volker (This used to be commit 21d330af107f744af9569b5577afc6e7ba6a269c)
2003-06-30Yet more shadow variable warnings.Tim Potter1-3/+3
(This used to be commit b401e78b6eb7efa2af74a7e645c3b34091041769)
2003-06-30Fix more shadow variable warnings.Tim Potter1-20/+20
(This used to be commit 10c51bbef83dabd99f129fc7ff0e3fe47c393c67)
2003-06-30Fix shadow variable warnings.Tim Potter1-8/+8
(This used to be commit 5ffb8e0920be2da19ac3f442b9bf56c159011822)
2003-06-30- added LOCALE patch from vorlon@debian.org (Steve Langasek) (bug #122)Andrew Tridgell4-3/+42
- changed --enable-developer debug to use -gstabs as it makes the samba binaries about 10x smaller and is still quite functional for samba debugging (This used to be commit 53bfcd478a193d4def8da872e92d7ed8f46aa4b9)
2003-06-29Here's the code to make winbindd work on a Samba DCGerald Carter9-28/+108
to handle domain trusts. Jeremy and I talked about this and it's going in as working code. It keeps winbind clean and solves the trust problem with minimal changes. To summarize, there are 2 basic cases where the deadlock would occur. (1) lookuping up secondary groups for a user, and (2) get[gr|pw]nam() calls that fall through the NSS layer because they don't exist anywhere. o To handle case #1, we bypass winbindd in sys_getgrouplist() unless the username includes the 'winbind separator'. o Case #2 is handled by adding checks in winbindd to return failure if we are a DC and the domain matches our own. This code has been tested using basic share connections, domain logons, and with pam_winbind (both with and without 'winbind use default domain'). The 'trustdomain' auth module should work as well if an admin wants to manually create UNIX users for acounts in the trusted domains. Other misc fixes: * we need to fix check_ntlm_password() to be able to determine if an auth module is authoritative over a user (NT_STATUS_WRONG_PASSWORD, etc...). I worked around my specific situation, but this needs to be fixed. the winbindd auth module was causing delays. * fix named server mutex deadlock between trust domain auth module and winbindd looking up a uid * make sure SAM_ACCOUNT gets stored in the server_info struct for the _net_sam_logon() reply. Configuration details: The recommended method for supporting trusts is to use winbind. The gets us around some of the server mutex issues as well. * set 'files winbind' for passwd: and group: in /etc/nsswitch.conf * create domain trusts like normal * join winbind on the pdc to the Samba domain using 'net rpc join' * add normal parameters to smb.conf for winbind * set 'auth method = guest sam winbind' * start smbd, nmbd, & winbindd Problems that remain: * join a Windows 2k/XP box to a Samba domain. * create a 2-way trust between the Samba domain and an NT domain * logon to the windows client as a user from theh trusted domain * try to browse server in the trusted domain (or other workstations). an NT client seems to work ok, but 2k and XP either prompt for passwords or fail with errors. apparanently this never got tested since no one has ever been able to logon as a trusted user to a Samba domain from a Windows client. (This used to be commit f804b590f9dbf1f0147c06a0a2f12e221ae6fc3b)