From fe667b2b9a8ac3233e1f3cc41810aa68c3c3c554 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Mon, 21 Apr 2003 22:25:50 +0000 Subject: Fix typo. (This used to be commit 931ef8777eb86b5cd0ce7550484b2416ed6ae991) --- docs/docbook/projdoc/SWAT.sgml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/docbook/projdoc/SWAT.sgml b/docs/docbook/projdoc/SWAT.sgml index ad43fd7b8a..359264d26c 100644 --- a/docs/docbook/projdoc/SWAT.sgml +++ b/docs/docbook/projdoc/SWAT.sgml @@ -29,11 +29,11 @@ will be lost from the smb.conf file. Additionally, the parameters will be writte internal ordering. - + So before using SWAT please be warned - SWAT will completely replace your smb.conf with a fully optimised file that has been stripped of all comments you might have placed there and only non-default settings will be written to the file. - + SWAT should be installed to run via the network super daemon. Depending on which system -- cgit From f99d40198b77259b3f71d81ab91a7034c8473238 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 21 Apr 2003 22:39:00 +0000 Subject: Add note from "Roylance, Stephen D." about Solaris9 and winbind (This used to be commit a9e978ba42fa7193dc45f1a4ed97f03637be3147) --- docs/docbook/projdoc/Portability.sgml | 13 +++++++++++++ docs/docbook/projdoc/winbind.sgml | 2 ++ 2 files changed, 15 insertions(+) diff --git a/docs/docbook/projdoc/Portability.sgml b/docs/docbook/projdoc/Portability.sgml index 39ed37585f..cc21ecf255 100644 --- a/docs/docbook/projdoc/Portability.sgml +++ b/docs/docbook/projdoc/Portability.sgml @@ -189,6 +189,9 @@ samba performance significally. Solaris + +Locking improvements + Some people have been experiencing problems with F_SETLKW64/fcntl when running samba on solaris. The built in file locking mechanism was not scalable. Performance would degrade to the point where processes would 
@@ -216,6 +219,16 @@ and rebuild samba. Thanks to Joe Meslovich for reporting + + + + +Winbind on Solaris 9 + +Nsswitch on Solaris 9 refuses to use the winbind nss module. This behavior +is fixed by Sun in patch 113476-05 which as of March 2003 is not in any +roll-up packages. + diff --git a/docs/docbook/projdoc/winbind.sgml b/docs/docbook/projdoc/winbind.sgml index 460038aea9..1f65e7a8b7 100644 --- a/docs/docbook/projdoc/winbind.sgml +++ b/docs/docbook/projdoc/winbind.sgml @@ -786,6 +786,8 @@ stop() { Solaris +Winbind doesn't work on solaris 9, see the Portability chapter for details. + On solaris, you need to modify the /etc/init.d/samba.server startup script. It usually only starts smbd and nmbd but should now start winbindd too. If you -- cgit From f1019b512d1be6aac0837ba6558e91fda676b9d3 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Mon, 21 Apr 2003 22:40:57 +0000 Subject: I hate typos! (This used to be commit 585907f3245cf53813888b4b3d121c40ffb9edff) --- docs/docbook/projdoc/samba-doc.sgml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml index 6048d60e5f..3b5d054cad 100644 --- a/docs/docbook/projdoc/samba-doc.sgml +++ b/docs/docbook/projdoc/samba-doc.sgml @@ -31,7 +31,7 @@ on the "Documentation" page. Please send updates to The Samba-Team would like to express sincere thanks to the many people who have with -or without their knwoledge contributed to this update. The size and scope of this +or without their knowledge contributed to this update. The size and scope of this project would not have been possible without significant community contribution. A not insignificant number of ideas for inclusion (if not content itself) has been obtained from a number of Unofficial HOWTOs - to each such author a big "Thank-you" is also offered. -- cgit From 8d5d0947260e260433f97dad71f640b04a3187b0 Mon Sep 17 00:00:00 2001 
From: John Terpstra Date: Mon, 21 Apr 2003 23:05:06 +0000 Subject: Adding more updates - maybe last one for today. (This used to be commit 042427c1f81b53403d9a97c5d4306051ed13d5bf) --- docs/docbook/projdoc/SWAT.sgml | 61 ++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 59 insertions(+), 2 deletions(-) diff --git a/docs/docbook/projdoc/SWAT.sgml b/docs/docbook/projdoc/SWAT.sgml index 359264d26c..763872d567 100644 --- a/docs/docbook/projdoc/SWAT.sgml +++ b/docs/docbook/projdoc/SWAT.sgml 
@@ -42,14 +42,71 @@ your Unix/Linux system has you will have either an inetd or -The nature and location of the network super +The nature and location of the network super-daemon varies with the operating system +implementation. The control file (or files) can be located in the file +/etc/inetd.conf or in the directory /etc/[x]inet.d +or similar. + + + +The control entry for the older style file might be: + + + + # swat is the Samba Web Administration Tool + swat stream tcp nowait.400 root /usr/sbin/swat swat + + + +A control file for the newer style xinetd could be: + + + + + # default: off + # description: SWAT is the Samba Web Admin Tool. Use swat \ + # to configure your Samba server. To use SWAT, \ + # connect to port 901 with your favorite web browser. + service swat + { + port = 901 + socket_type = stream + wait = no + only_from = localhost + user = root + server = /usr/sbin/swat + log_on_failure += USERID + disable = yes + } + + + + +Both the above examples assume that the swat binary has been +located in the /usr/sbin directory. In addition to the above +SWAT will use a directory access point from which it will load all it's help files, +as well as other control information. The default location for this on most Linux +systems is in the directory /usr/share/samba/swat. + + + +Access to SWAT will prompt for a logon. If you log onto SWAT as any non-root user +the only permission allowed is to view certain aspects of configuration as well as +access to the password change facility. + + + +So long as you log onto SWAT as the user root you should obtain +full change and commit ability. The SWAT Home Page -Blah blah here. +The SWAT title page provides access to the latest Samba documentation. The manual page for +each samba component is accessible from this page as are the Samba-HOWTO-Collection (this +document) as well as the O'Reilly book "Using Samba". -- cgit From 6fc28bceb715039ec893861860b536b3cb201f88 Mon Sep 17 00:00:00 2001 
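Review bot: "load all it's help files" in the added paragraph should be "all its help files". The xinetd entry is the right one to ship (`only_from = localhost`, `disable = yes`, `user = root`), but the text should say why it is shipped disabled and restricted to localhost: the same section states that logging on to SWAT as root gives full change and commit ability and that SWAT rewrites smb.conf, so the entry should stay off until the administrator has decided who may reach port 901.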
From: Jeremy Allison Date: Tue, 22 Apr 2003 01:12:54 +0000 Subject: Tidyups of some dubious logic discovered whilst trying to track down a strange oplock related issue on the PSA. Jeremy. (This used to be commit f8021af2a7b790e739a7ecc67c908289b0a9b719) --- source3/smbd/close.c | 2 +- source3/smbd/oplock.c | 11 +++++------ 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/source3/smbd/close.c b/source3/smbd/close.c index 9cb191c4e2..5cca85500f 100644 --- a/source3/smbd/close.c +++ b/source3/smbd/close.c @@ -201,7 +201,7 @@ with error %s\n", fsp->fsp_name, strerror(errno) )); unlock_share_entry_fsp(fsp); - if(EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type)) + if(fsp->oplock_type) release_file_oplock(fsp); locking_close_file(fsp); diff --git a/source3/smbd/oplock.c b/source3/smbd/oplock.c index d6c44893d6..632dfe9e29 100644 --- a/source3/smbd/oplock.c +++ b/source3/smbd/oplock.c @@ -226,12 +226,12 @@ tv_sec = %x, tv_usec = %x\n", void release_file_oplock(files_struct *fsp) { - if (koplocks) + if ((fsp->oplock_type != NO_OPLOCK) && koplocks) koplocks->release_oplock(fsp); if (fsp->oplock_type == LEVEL_II_OPLOCK) level_II_oplocks_open--; - else + else if (fsp->oplock_type) exclusive_oplocks_open--; fsp->oplock_type = NO_OPLOCK; @@ -270,7 +270,7 @@ BOOL remove_oplock(files_struct *fsp, BOOL break_to_none) if (lock_share_entry_fsp(fsp) == False) { DEBUG(0,("remove_oplock: failed to lock share entry for file %s\n", fsp->fsp_name )); - ret = False; + return False; } if (fsp->sent_oplock_break == EXCLUSIVE_BREAK_SENT || break_to_none) { 
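Review bot: `return False` after the failed lock_share_entry_fsp() in remove_oplock() is the right fix; the old `ret = False` fell through and went on to modify the share entry without holding the lock. Nothing has been locked at that point, so no unlock is needed before the return. In release_file_oplock(), the new `else if (fsp->oplock_type)` relies on NO_OPLOCK being zero; spelling it `!= NO_OPLOCK` like the koplocks guard two lines above would make the intent explicit, and the `if(fsp->oplock_type)` guard in close.c then becomes redundant.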
@@ -626,12 +626,11 @@ BOOL oplock_break_level2(files_struct *fsp, BOOL local_request, int token) DEBUG(0,("oplock_break_level2: unable to remove level II oplock for file %s\n", fsp->fsp_name )); } + release_file_oplock(fsp); + if (!local_request && got_lock) unlock_share_entry_fsp(fsp); - fsp->oplock_type = NO_OPLOCK; - level_II_oplocks_open--; - if(level_II_oplocks_open < 0) { DEBUG(0,("oplock_break_level2: level_II_oplocks_open < 0 (%d). PANIC ERROR\n", level_II_oplocks_open)); -- cgit From aa00cc19120f7360039a0f5fc1fcc0f6cc2a4473 Mon Sep 17 00:00:00 2001 From: Richard Sharpe Date: Tue, 22 Apr 2003 01:57:21 +0000 Subject: More infrastructure for storing registry (This used to be commit de337632c99080f4be73a6e49839d424b49c8cc3) --- source3/utils/editreg.c | 80 ++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 63 insertions(+), 17 deletions(-) diff --git a/source3/utils/editreg.c b/source3/utils/editreg.c index c00d9c22cb..8af54ed58a 100644 --- a/source3/utils/editreg.c +++ b/source3/utils/editreg.c @@ -594,7 +594,26 @@ typedef struct sk_map_s { KEY_SEC_DESC *key_sec_desc; } SK_MAP; -struct regf_struct_s { +/* + * This structure keeps track of the output format of the registry + */ +#define REG_OUTBLK_HDR 1 +#define REG_OUTBLK_HBIN 2 + +typedef struct hbin_blk_s { + int type, size; + struct hbin_blk_s *next; + char *data; /* The data block */ + unsigned int file_offset; /* Offset in file */ + unsigned int free_space; /* Amount of free space in block */ + unsigned int fsp_off; /* Start of free space in block */ + int complete, stored; +} HBIN_BLK; + +/* + * This structure keeps all the registry stuff in one place + */ +typedef struct regf_struct_s { int reg_type; char *regfile_name, *outfile_name; int fd; 
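Review bot: replacing the two removed lines with release_file_oplock() is a behaviour change, not only a tidy-up: release_file_oplock() also calls koplocks->release_oplock(fsp) when kernel oplocks are in use, which this path did not do before. If that is intended, the commit message should say so. The `level_II_oplocks_open < 0` check that follows still works, since the decrement now happens inside release_file_oplock() for LEVEL_II_OPLOCK.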
@@ -607,9 +626,12 @@ struct regf_struct_s { SK_MAP *sk_map; char *owner_sid_str; SEC_DESC *def_sec_desc; -}; - -typedef struct regf_struct_s REGF; + /* + * These next pointers point to the blocks used to contain the + * keys when we are preparing to write them to a file + */ + HBIN_BLK *blk_head, *blk_tail, *free_space; +} REGF; /* * An API for accessing/creating/destroying items above @@ -2407,17 +2429,6 @@ int nt_load_registry(REGF *regf) return 1; } -/* - * These structures keep track of the output format of the registry - */ -typedef struct hbin_blk_s { - struct hbin_blk_s *next; - unsigned int file_offset; /* Offset in file */ - unsigned int free_space; /* Amount of free space in block */ - unsigned int fsp_off; /* Start of free space in block */ - int complete, stored; -} HBIN_BLK; - /* * Allocate a new hbin block and link it to the others. */ @@ -2427,11 +2438,23 @@ int nt_create_hbin_blk(REGF *regf) return 0; } +/* + * Allocate a unit of space ... + */ +void *nt_alloc_regf_space(REGF *regf, int size) +{ + + return NULL; +} + /* * Store a KEY in the file ... * * We store this depth first, and defer storing the lf struct until * all the sub-keys have been stored. + * + * We store the NK hdr, any SK header, class name, and VK structure, then + * recurse down the LF structures ... */ int nt_store_reg_key(REGF *regf, REG_KEY *key) { 
@@ -2442,10 +2465,30 @@ int nt_store_reg_key(REGF *regf, REG_KEY *key) /* * Store the registry header ... + * We actually create the registry header block and link it to the chain + * of output blocks. */ -int nt_store_reg_header(REGF *regf){ +REGF_HDR *nt_get_reg_header(REGF *regf) +{ + HBIN_BLK *tmp = NULL; + + tmp = (HBIN_BLK *)malloc(sizeof(HBIN_BLK)); + if (!tmp) return 0; - return 0; + bzero(tmp, sizeof(HBIN_BLK)); + tmp->type = REG_OUTBLK_HDR; + tmp->size = REGF_HDR_BLKSIZ; + tmp->data = malloc(REGF_HDR_BLKSIZ); + if (!tmp->data) goto error; + + bzero(tmp->data, REGF_HDR_BLKSIZ); /* Make it pristine, unlike Windows */ + regf->blk_head = regf->blk_tail = tmp; + + return (REGF_HDR *)tmp->data; + + error: + if (tmp) free(tmp); + return NULL; } /* @@ -2461,6 +2504,9 @@ int nt_store_reg_header(REGF *regf){ */ int nt_store_registry(REGF *regf) { + REGF_HDR *reg; + + reg = nt_get_reg_header(regf); return 1; } -- cgit From 790b852c121e4f167b0f451dd9f34c307f211c0d Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 22 Apr 2003 02:54:41 +0000 Subject: merging fixes from SAMBA_3_0 (This used to be commit 8c3be38f6acbc85454f2c9bb74c358c99ee5d22a) --- source3/utils/net_groupmap.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/source3/utils/net_groupmap.c b/source3/utils/net_groupmap.c index e248cd84f9..a9f47172fe 100644 --- a/source3/utils/net_groupmap.c +++ b/source3/utils/net_groupmap.c @@ -200,6 +200,13 @@ int net_groupmap_add(int argc, const char **argv) return -1; } } + else if ( !StrnCaseCmp(argv[i], "sid", strlen("sid")) ) { + fstrcpy( string_sid, get_string_param( argv[i] ) ); + if ( !string_sid[0] ) { + d_printf("must supply a SID\n"); + return -1; + } + } else if ( !StrnCaseCmp(argv[i], "comment", strlen("comment")) ) { fstrcpy( ntcomment, get_string_param( argv[i] ) ); if ( !ntcomment[0] ) { 
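Review bot: `if (!tmp) return 0;` in nt_get_reg_header(), which returns `REGF_HDR *`, should be `return NULL` to match the error label below. The assignment `regf->blk_head = regf->blk_tail = tmp` also drops any chain already hanging off regf without freeing it; either assert the chain is empty or free it first. In nt_store_registry(), the pointer returned by nt_get_reg_header() is stored in `reg` but never checked for NULL before the function returns 1.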
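Review bot: in net_groupmap_add(), the `sid=` value is copied into string_sid with only an empty-string check, whereas the rid path constructs a well-formed SID from get_global_sam_sid(). Parse the supplied string into a DOM_SID (string_to_sid) and reject anything that does not parse, rather than passing the raw text on to the mapping code.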
@@ -230,14 +237,17 @@ int net_groupmap_add(int argc, const char **argv) } } - if ( !ntgroup[0] || !rid || sid_type==SID_NAME_UNKNOWN ) { - d_printf("Usage: net groupmap add rid= name= type= [comment=]\n"); + if ( !ntgroup[0] || (!rid && !string_sid[0]) || sid_type==SID_NAME_UNKNOWN ) { + d_printf("Usage: net groupmap add {rid=|sid=} name=| type= [comment=]\n"); return -1; } - sid_copy(&sid, get_global_sam_sid()); - sid_append_rid(&sid, rid); - sid_to_string(string_sid, &sid); + /* append the rid to our own domain/machine SID if we don't have a full SID */ + if ( !string_sid[0] ) { + sid_copy(&sid, get_global_sam_sid()); + sid_append_rid(&sid, rid); + sid_to_string(string_sid, &sid); + } if (ntcomment[0]) fstrcpy(ntcomment, "Local Unix group"); -- cgit From 9d16dac3d14b11f327f2898e3fe45f1b390bead4 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 22 Apr 2003 03:16:18 +0000 Subject: wrap pdb_enum_group_mapping() in [un]become_root() so LDAP queries can get the credentials from secrets.tdb (This used to be commit cf6af44a2464cf1d9bea909dbc0e20829bdc2665) --- source3/rpc_server/srv_samr_nt.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 6e1b6f2160..5a8a16b256 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -300,11 +300,16 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) DEBUG(10,("load_group_domain_entries: already in memory\n")); return NT_STATUS_OK; } + + + become_root(); if (!pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV)) { DEBUG(1, ("load_group_domain_entries: pdb_enum_group_mapping() failed!\n")); return NT_STATUS_NO_MEMORY; } + + unbecome_root(); info->disp_info.num_group_account=group_entries; -- cgit From 86ece43f7a0cc927e4b354959f9204d9779d5f50 Mon Sep 17 00:00:00 2001 
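Review bot: the context line `if (ntcomment[0]) fstrcpy(ntcomment, "Local Unix group");` directly after this hunk has its test inverted: a comment given with comment= is overwritten with the default and an empty comment stays empty. It should be `if (!ntcomment[0])`. Not introduced here, but this hunk is the place to fix it.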
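Review bot: the failure path inside the new become_root()/unbecome_root() pair in load_group_domain_entries() returns NT_STATUS_NO_MEMORY without calling unbecome_root(), so a failed pdb_enum_group_mapping() leaves the process running as root for the rest of the request. Put unbecome_root() immediately after the call, before the `if`, or call it on the error path as well. NT_STATUS_NO_MEMORY is also an odd status to report for an enumeration failure.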
From: Gerald Carter Date: Tue, 22 Apr 2003 04:54:21 +0000 Subject: another lost merge from 3.0; my fault (This used to be commit 2e5e68617345beca4d1cab27d64944ebd42e899b) --- source3/smbd/vfs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c index 06aca51322..75bcb09917 100644 --- a/source3/smbd/vfs.c +++ b/source3/smbd/vfs.c @@ -322,8 +322,8 @@ BOOL smbd_vfs_init(connection_struct *conn) vfs_init_default(conn); vfs_objects = lp_vfsobj(SNUM(conn)); - /* Override VFS functions if 'vfs object' was specified*/ - if (!vfs_objects) + /* Override VFS functions if 'vfs object' was not specified*/ + if (!vfs_objects || !vfs_objects[0]) return True; for(i=0; i Date: Tue, 22 Apr 2003 05:14:41 +0000 Subject: support referencing group by sid in all operations; allow group name to be changed (This used to be commit 00dfaa7c2c9227a082ca17ed14aefc19d9087a57) --- source3/utils/net_groupmap.c | 73 ++++++++++++++++++++++++++++++++++++-------- 1 file changed, 60 insertions(+), 13 deletions(-) diff --git a/source3/utils/net_groupmap.c b/source3/utils/net_groupmap.c index a9f47172fe..3cb132c2f9 100644 --- a/source3/utils/net_groupmap.c +++ b/source3/utils/net_groupmap.c @@ -176,6 +176,7 @@ int net_groupmap_add(int argc, const char **argv) PRIVILEGE_SET se_priv; DOM_SID sid; fstring ntgroup = ""; + fstring unixgrp = ""; fstring string_sid = ""; fstring type = ""; fstring ntcomment = ""; @@ -193,7 +194,14 @@ int net_groupmap_add(int argc, const char **argv) return -1; } } - else if ( !StrnCaseCmp(argv[i], "name", strlen("name")) ) { + else if ( !StrnCaseCmp(argv[i], "unixgroup", strlen("unixgroup")) ) { + fstrcpy( unixgrp, get_string_param( argv[i] ) ); + if ( !unixgrp[0] ) { + d_printf("must supply a name\n"); + return -1; + } + } + else if ( !StrnCaseCmp(argv[i], "ntgroup", strlen("ntgroup")) ) { fstrcpy( ntgroup, get_string_param( argv[i] ) ); if ( !ntgroup[0] ) { d_printf("must supply a name\n"); 
@@ -237,8 +245,8 @@ int net_groupmap_add(int argc, const char **argv) } } - if ( !ntgroup[0] || (!rid && !string_sid[0]) || sid_type==SID_NAME_UNKNOWN ) { - d_printf("Usage: net groupmap add {rid=|sid=} name=| type= [comment=]\n"); + if ( !unixgrp[0] || (!rid && !string_sid[0]) || sid_type==SID_NAME_UNKNOWN ) { + d_printf("Usage: net groupmap add {rid=|sid=} unixgroup= type= [ntgroup=] [comment=]\n"); return -1; } @@ -252,11 +260,15 @@ int net_groupmap_add(int argc, const char **argv) if (ntcomment[0]) fstrcpy(ntcomment, "Local Unix group"); - if ( !(gid = nametogid(ntgroup)) ) { + if ( !(gid = nametogid(unixgrp)) ) { d_printf("Can't lookup UNIX group %s\n", ntgroup); return -1; } + if ( !ntgroup[0] ) + fstrcpy( ntgroup, unixgrp ); + + init_privilege(&se_priv); #if 0 if (privilege!=NULL) @@ -282,18 +294,26 @@ int net_groupmap_modify(int argc, const char **argv) fstring ntcomment = ""; fstring type = ""; fstring ntgroup = ""; + fstring sid_string = ""; enum SID_NAME_USE sid_type = SID_NAME_UNKNOWN; int i; /* get the options */ for ( i=0; i [comment=] [type=\n"); + if ( !ntgroup[0] && !sid_string[0] ) { + d_printf("Usage: net groupmap modify {ntgroup=|sid=} [comment=] [type=\n"); return -1; } - - if (!get_sid_from_input(&sid, ntgroup)) { - return -1; + + /* give preference to the SID; if both the ntgroup name and SID + are defined, use the SID and assume that the group name could be a + new name */ + + if ( sid_string[0] ) { + if (!get_sid_from_input(&sid, sid_string)) { + return -1; + } } + else { + if (!get_sid_from_input(&sid, ntgroup)) { + return -1; + } + } /* Get the current mapping from the database */ if(!pdb_getgrsid(&map, sid, MAPPING_WITH_PRIV)) { @@ -358,6 +389,9 @@ int net_groupmap_modify(int argc, const char **argv) /* Change comment if new one */ if ( ntcomment[0] ) fstrcpy( map.comment, ntcomment ); + + if ( ntgroup[0] ) + fstrcpy( map.nt_name, ntgroup ); #if 0 /* Change the privilege if new one */ 
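Review bot: the error message `Can't lookup UNIX group %s` still prints ntgroup although the lookup now uses unixgrp; ntgroup can be empty at that point, because it is only defaulted from unixgrp a few lines later, so the message would print nothing useful. Print unixgrp. In net_groupmap_modify(), giving both sid= and ntgroup= now renames the group (`fstrcpy(map.nt_name, ntgroup)` later in the function), which the comment describes but the usage string, showing them only as `{ntgroup=|sid=}` alternatives, does not.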
@@ -382,28 +416,41 @@ int net_groupmap_delete(int argc, const char **argv) { DOM_SID sid; fstring ntgroup = ""; + fstring sid_string = ""; int i; /* get the options */ for ( i=0; i\n"); + if ( !ntgroup[0] && !sid_string[0]) { + d_printf("Usage: net groupmap delete {ntgroup=|sid=}\n"); return -1; } + /* give preference to the SID if we have that */ + + if ( sid_string[0] ) + fstrcpy( ntgroup, sid_string ); + if ( !get_sid_from_input(&sid, ntgroup) ) { d_printf("Unable to resolve group %s to a SID\n", ntgroup); return -1; -- cgit From db8ff4ae56d7ce16cf68f7c712a207b062defc68 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 22 Apr 2003 05:34:43 +0000 Subject: Merge from 3.0 - fix domain joins not to always join as BDC. (This used to be commit 09bc2dd51c8407536b68aaeaeba4546f93256ec2) --- source3/utils/net_ads.c | 7 +------ source3/utils/net_rpc_join.c | 3 +++ 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index 91f82a5dbe..203d849786 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -648,7 +648,7 @@ int net_ads_join(int argc, const char **argv) void *res; DOM_SID dom_sid; char *ou_str; - uint32 sec_channel_type; + uint32 sec_channel_type = SEC_CHAN_WKSTA; uint32 account_type = UF_WORKSTATION_TRUST_ACCOUNT; if (argc > 0) org_unit = argv[0]; @@ -658,11 +658,6 @@ int net_ads_join(int argc, const char **argv) return -1; } - /* check what type of join - TODO: make this variable like RPC - */ - account_type = UF_WORKSTATION_TRUST_ACCOUNT; - tmp_password = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH); password = strdup(tmp_password); diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 35564b1e10..e389cf8ef8 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c 
@@ -143,11 +143,14 @@ int net_rpc_join_newstyle(int argc, const char **argv) switch (sec_channel_type) { case SEC_CHAN_WKSTA: acb_info = ACB_WSTRUST; + break; case SEC_CHAN_BDC: acb_info = ACB_SVRTRUST; + break; #if 0 case SEC_CHAN_DOMAIN: acb_info = ACB_DOMTRUST; + break; #endif } -- cgit From 813386cbd73575b4ef4c1a0f642deb03cfca2a48 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 22 Apr 2003 05:58:07 +0000 Subject: default new groups to domain groups (This used to be commit f0c7d9def78db31b0f7f1e97a4cb6dac3382e217) --- source3/utils/net_groupmap.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/source3/utils/net_groupmap.c b/source3/utils/net_groupmap.c index 3cb132c2f9..2436fffc6d 100644 --- a/source3/utils/net_groupmap.c +++ b/source3/utils/net_groupmap.c @@ -180,7 +180,7 @@ int net_groupmap_add(int argc, const char **argv) fstring string_sid = ""; fstring type = ""; fstring ntcomment = ""; - enum SID_NAME_USE sid_type = SID_NAME_UNKNOWN; + enum SID_NAME_USE sid_type = SID_NAME_DOM_GRP; uint32 rid = 0; gid_t gid; int i; @@ -245,8 +245,8 @@ int net_groupmap_add(int argc, const char **argv) } } - if ( !unixgrp[0] || (!rid && !string_sid[0]) || sid_type==SID_NAME_UNKNOWN ) { - d_printf("Usage: net groupmap add {rid=|sid=} unixgroup= type= [ntgroup=] [comment=]\n"); + if ( !unixgrp[0] || (!rid && !string_sid[0]) ) { + d_printf("Usage: net groupmap add {rid=|sid=} unixgroup= [type=] [ntgroup=] [comment=]\n"); return -1; } -- cgit From 6e6497318fd4b21ee7a13c74abedd0e51f7ab638 Mon Sep 17 00:00:00 2001 From: Richard Sharpe Date: Tue, 22 Apr 2003 06:19:39 +0000 Subject: Commit more code dealing with allocating space in the HBIN blocks ... (This used to be commit cfa67f23e3e2ba4c7abd40405227b0a8b1b76fc8) --- source3/utils/editreg.c | 108 ++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 101 insertions(+), 7 deletions(-) diff --git a/source3/utils/editreg.c b/source3/utils/editreg.c index 8af54ed58a..0229395176 100644 
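Review bot: the missing `break` statements were what made every join a BDC, since SEC_CHAN_WKSTA fell straight through into the SEC_CHAN_BDC case and set ACB_SVRTRUST. Add a `default:` that rejects an unknown sec_channel_type instead of silently leaving acb_info at its initial value.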
--- a/source3/utils/editreg.c +++ b/source3/utils/editreg.c @@ -91,11 +91,16 @@ multiple of 8. Nigel If the size field is negative (bit 31 set), the corresponding block is free and has a size of -blocksize! -That does not seem to be true. All block lengths seem to be negative! (Richard Sharpe) +That does not seem to be true. All block lengths seem to be negative! +(Richard Sharpe) The data is stored as one record per block. Block size is a multiple of 4 and the last block reaches the next hbin-block, leaving no room. +(That also seems incorrect, in that the block size if a multiple of 8. +That is, the block, including the 4 byte header, is always a multiple of +8 bytes. Richard Sharpe.) + Records in the hbin-blocks ========================== @@ -1574,6 +1579,7 @@ int data_to_ascii(unsigned char *datap, int len, int type, char *ascii, int asci switch (type) { case REG_TYPE_REGSZ: if (verbose) fprintf(stderr, "Len: %d\n", len); + /* FIXME. This has to be fixed. It has to be UNICODE */ return uni_to_ascii(datap, ascii, len, ascii_max); break; @@ -2052,7 +2058,13 @@ VAL_KEY *process_vk(REGF *regf, VK_HDR *vk_hdr, int size) char *dat_ptr = LOCN(regf->base, dat_off); bcopy(dat_ptr, dtmp, dat_len); } - else { /* The data is in the offset */ + else { /* The data is in the offset or type */ + /* + * FIXME. + * Some registry files seem to have wierd fields. If top bit is set, + * but len is 0, the type seems to be the value ... + * Not sure how to handle this last type for the moment ... + */ dat_len = dat_len & 0x7FFFFFFF; bcopy(&dat_off, dtmp, dat_len); } 
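Review bot: in process_vk(), the inline-data branch this hunk comments on copies `dat_len` bytes out of `dat_off`, a 4-byte field; dat_len comes from the registry file and only has its top bit masked off, so any value above 4 reads past dat_off and writes past what dtmp was sized for. The new comment covers the len-0 case, but the dangerous case is len > 4: clamp dat_len to sizeof(dat_off), or reject the record, before the bcopy. Also "wierd" in the comment should be "weird".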
@@ -2430,19 +2442,95 @@ int nt_load_registry(REGF *regf) } /* - * Allocate a new hbin block and link it to the others. + * Allocate a new hbin block, set up the header for the block etc */ -int nt_create_hbin_blk(REGF *regf) +HBIN_BLK *nt_create_hbin_blk(REGF *regf, int size) { + HBIN_BLK *tmp; - return 0; + if (!regf || !size) return NULL; + + /* Round size up to multiple of REGF_HDR_BLKSIZ */ + + size = (size + (REGF_HDR_BLKSIZ - 1)) & ~(REGF_HDR_BLKSIZ - 1); + + tmp = (HBIN_BLK *)malloc(sizeof(HBIN_BLK)); + bzero(tmp, sizeof(HBIN_BLK)); + + tmp->data = malloc(size); + if (!tmp->data) goto error; + + bzero(tmp->data, size); /* Make it pristine */ + + tmp->size = size; + tmp->file_offset = regf->blk_tail->file_offset + regf->blk_tail->size; + + tmp->free_space = size - (sizeof(HBIN_HDR) - sizeof(HBIN_SUB_HDR)); + tmp->fsp_off = size - tmp->free_space; + + /* + * Now link it in + */ + + regf->blk_tail->next = tmp; + regf->blk_tail = tmp; + if (!regf->free_space) regf->free_space = tmp; + + return tmp; + error: + if (tmp) free(tmp); + return NULL; } /* - * Allocate a unit of space ... + * Allocate a unit of space ... 
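Review bot: in nt_create_hbin_blk(), the malloc of tmp is not checked before bzero(tmp, ...), unlike nt_get_reg_header(), and regf->blk_tail is dereferenced to compute file_offset without checking it is non-NULL, so the function silently depends on nt_get_reg_header() having run first. Add both checks and return NULL. The rounding `(size + (REGF_HDR_BLKSIZ - 1)) & ~(REGF_HDR_BLKSIZ - 1)` is only correct if REGF_HDR_BLKSIZ is a power of two; a comment or a compile-time check would make that assumption visible.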
and return a pointer as function param + * and the block's offset as a side effect */ -void *nt_alloc_regf_space(REGF *regf, int size) +void *nt_alloc_regf_space(REGF *regf, int size, int *off) { + int tmp = 0; + void *ret = NULL; + HBIN_BLK *blk; + + if (!regf || !size || !off) return NULL; + + assert(regf->blk_head != NULL); + + /* + * round up size to include header and then to 8-byte boundary + */ + size = (size + 4 + 7) & ~7; + + /* + * Check if there is space, if none, grab a block + */ + if (!regf->free_space) { + if (!nt_create_hbin_blk(regf, REGF_HDR_BLKSIZ)) + return NULL; + } + + /* + * Now, chain down the list of blocks looking for free space + */ + + for (blk = regf->free_space; blk != NULL; blk = blk->next) { + if (blk->free_space <= size) { + tmp = blk->file_offset + blk->fsp_off; + ret = blk->data + blk->fsp_off; + blk->free_space -= size; + blk->fsp_off += size; + + /* + * Fix up the free space ptr + */ + } + + } + + /* + * If we got here, we need to add another block, which might be + * larger than one block -- deal with that later + */ return NULL; } @@ -2505,9 +2593,15 @@ REGF_HDR *nt_get_reg_header(REGF *regf) int nt_store_registry(REGF *regf) { REGF_HDR *reg; + NK_HDR *fkey; + /* + * Get a header ... and partially fill it in ... + */ reg = nt_get_reg_header(regf); + + return 1; } -- cgit From 186824a96777e9998fbb82c58e8e0ad848a9353a Mon Sep 17 00:00:00 2001 From: Richard Sharpe Date: Tue, 22 Apr 2003 06:35:44 +0000 Subject: Complete the space allocation code for HBIN blocks ... (This used to be commit ae5f8e4b5f7b8880293cc94c9bbe0df81a56959e) --- source3/utils/editreg.c | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/source3/utils/editreg.c b/source3/utils/editreg.c index 0229395176..bdfb3dc832 100644 --- a/source3/utils/editreg.c +++ b/source3/utils/editreg.c 
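Review bot: `if (blk->free_space <= size)` in nt_alloc_regf_space() is inverted: it selects a block that does not have room and then `blk->free_space -= size` underflows the unsigned field. It should be `>=`. In this version the computed `tmp` and `ret` are also discarded by the loop body and the function always ends with `return NULL`, so every allocation fails. The `(size + 4 + 7) & ~7` rounding matches the 8-byte block alignment described in the hbin comments at the top of the file.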
@@ -2522,15 +2522,39 @@ void *nt_alloc_regf_space(REGF *regf, int size, int *off) /* * Fix up the free space ptr + * If it is NULL, we fix it up next time */ - } + if (!blk->free_space) + regf->free_space = blk->next; + + *off = tmp; + return ret; + } } /* * If we got here, we need to add another block, which might be * larger than one block -- deal with that later */ + if (nt_create_hbin_blk(regf, REGF_HDR_BLKSIZ)) { + blk = regf->free_space; + tmp = blk->file_offset + blk->fsp_off; + ret = blk->data + blk->fsp_off; + blk->free_space -= size; + blk->fsp_off += size; + + /* + * Fix up the free space ptr + * If it is NULL, we fix it up next time + */ + + if (!blk->free_space) + regf->free_space = blk->next; + + *off = tmp; + return ret; + } return NULL; } -- cgit From cf86f85b088be7c6ddb8d060e93a7f3040efe342 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 22 Apr 2003 07:30:38 +0000 Subject: Bail out early when we fail on the rw_torture test. Andrew Bartlett (This used to be commit 65855d2ce920053a43882919a6ae509bbd86e54b) --- source3/torture/torture.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/source3/torture/torture.c b/source3/torture/torture.c index e4af6e9fcf..f85569b2af 100644 --- a/source3/torture/torture.c +++ b/source3/torture/torture.c @@ -499,18 +499,21 @@ static BOOL rw_torture2(struct cli_state *c1, struct cli_state *c2) if (cli_write(c1, fnum1, 0, buf, 0, buf_size) != buf_size) { printf("write failed (%s)\n", cli_errstr(c1)); correct = False; + break; } if ((bytes_read = cli_read(c2, fnum2, buf_rd, 0, buf_size)) != buf_size) { printf("read failed (%s)\n", cli_errstr(c2)); printf("read %d, expected %d\n", bytes_read, buf_size); correct = False; + break; } if (memcmp(buf_rd, buf, buf_size) != 0) { printf("read/write compare failed\n"); correct = False; + break; } } 
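Review bot: after nt_create_hbin_blk() succeeds, `blk = regf->free_space` is not necessarily the new block: nt_create_hbin_blk() only sets regf->free_space when it was NULL, and this point is reached precisely when free_space already pointed at blocks that were too small. Use the block returned by nt_create_hbin_blk() (or regf->blk_tail) instead. The loop above still has the inverted `<=` comparison, and the fix-up sequence now appears twice; a small helper would remove the duplication.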
@@ -547,8 +550,10 @@ static BOOL run_readwritetest(int dummy) test1 = rw_torture2(cli1, cli2); printf("Passed readwritetest v1: %s\n", BOOLSTR(test1)); - test2 = rw_torture2(cli1, cli1); - printf("Passed readwritetest v2: %s\n", BOOLSTR(test2)); + if (test1) { + test2 = rw_torture2(cli1, cli1); + printf("Passed readwritetest v2: %s\n", BOOLSTR(test2)); + } if (!torture_close_connection(cli1)) { test1 = False; -- cgit From c2e997d6a754945284687c99c0ef67acb94c4a37 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 22 Apr 2003 07:45:16 +0000 Subject: Merge from 3.0 - try harder to get our real DNS domain name, and send this to the client when it asks for our DNS name and forest name. (needed for win2k to trust us as a trusted domain). Andrew Bartlett (This used to be commit 2a1015eb57da7b69caafd1221b871b6bff1af2fb) --- source3/lib/util.c | 27 +++++++++++++++++++++------ source3/rpc_server/srv_lsa_nt.c | 12 ++++++++++-- 2 files changed, 31 insertions(+), 8 deletions(-) diff --git a/source3/lib/util.c b/source3/lib/util.c index 1adda85354..e58f5274df 100644 --- a/source3/lib/util.c +++ b/source3/lib/util.c @@ -1012,6 +1012,7 @@ BOOL get_mydomname(fstring my_domname) { pstring hostname; char *p; + struct hostent *hp; *hostname = 0; /* get my host name */ @@ -1023,17 +1024,31 @@ BOOL get_mydomname(fstring my_domname) /* Ensure null termination. */ hostname[sizeof(hostname)-1] = '\0'; + p = strchr_m(hostname, '.'); - if (!p) - return False; + if (p) { + p++; + + if (my_domname) + fstrcpy(my_domname, p); + } - p++; + if (!(hp = sys_gethostbyname(hostname))) { + return False; + } - if (my_domname) - fstrcpy(my_domname, p); + p = strchr_m(hp->h_name, '.'); - return True; + if (p) { + p++; + + if (my_domname) + fstrcpy(my_domname, p); + return True; + } + + return False; } /**************************************************************************** diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c index fb6538db39..3581be0181 100644 
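Review bot: in get_mydomname(), when hostname contains a dot my_domname is filled in, but the function still returns False if sys_gethostbyname() fails or h_name has no dot, so a caller that checks the return value discards a usable domain name. Return True once my_domname has been set from either source. When both sources yield a name, the second fstrcpy overwrites the first; that is presumably the "try harder" intent, but state which one wins.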
--- a/source3/rpc_server/srv_lsa_nt.c +++ b/source3/rpc_server/srv_lsa_nt.c @@ -1222,6 +1222,7 @@ NTSTATUS _lsa_query_info2(pipes_struct *p, LSA_Q_QUERY_INFO2 *q_u, LSA_R_QUERY_I char *forest_name = NULL; DOM_SID *sid = NULL; GUID guid; + fstring dnsdomname; ZERO_STRUCT(guid); r_u->status = NT_STATUS_OK; @@ -1241,8 +1242,15 @@ NTSTATUS _lsa_query_info2(pipes_struct *p, LSA_Q_QUERY_INFO2 *q_u, LSA_R_QUERY_I case ROLE_DOMAIN_BDC: nb_name = lp_workgroup(); /* ugly temp hack for these next two */ - dns_name = lp_realm(); - forest_name = lp_realm(); + + /* This should be a 'netbios domain -> DNS domain' mapping */ + dnsdomname[0] = '\0'; + get_mydomname(dnsdomname); + strlower(dnsdomname); + + dns_name = dnsdomname; + forest_name = dnsdomname; + sid = get_global_sam_sid(); secrets_fetch_domain_guid(lp_workgroup(), &guid); break; -- cgit From a85e84118860f85eba0c7859d8bdaf96a6595dee Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 22 Apr 2003 11:25:21 +0000 Subject: Setting the credentials for the netsec netlogon pipe connect upon each samlogon call certainly breaks the credential chain. Do it once during the bind response. Volker (This used to be commit 616b6dd60fe621a968fef34e66550f86b7b735bc) --- source3/rpc_server/srv_netlog_nt.c | 8 -------- source3/rpc_server/srv_pipe.c | 5 +++++ 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index 76c1d98dab..aa573b8154 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c 
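Review bot: get_mydomname()'s return value is ignored in _lsa_query_info2(); when it fails, dnsdomname is empty or only partially filled, and that is what is sent as both dns_name and forest_name, where previously lp_realm() was returned. Fall back to lp_realm() when get_mydomname() returns False so a resolver failure does not produce an empty forest name.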
@@ -548,14 +548,6 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON * return NT_STATUS_ACCESS_DENIED; } - if (p->netsec_auth_validated) { - /* The client opens a second RPC NETLOGON pipe without - doing a auth2. The session key for the schannel is - re-used from the auth2 the client did before. */ - extern struct dcinfo last_dcinfo; - p->dc = last_dcinfo; - } - /* checks and updates credentials. creates reply credentials */ if (!(p->dc.authenticated && deal_with_creds(p->dc.sess_key, &p->dc.clnt_cred, &q_u->sam_id.client.cred, &srv_cred))) return NT_STATUS_INVALID_HANDLE; diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index df99c15777..b09058629a 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -1088,6 +1088,11 @@ BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p) RPC_AUTH_VERIFIER auth_verifier; uint32 flags; + /* The client opens a second RPC NETLOGON pipe without + doing a auth2. The credentials for the schannel are + re-used from the auth2 the client did before. */ + p->dc = last_dcinfo; + init_rpc_hdr_auth(&auth_info, NETSEC_AUTH_TYPE, NETSEC_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1); if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) { DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n")); -- cgit From bc238b9d67614b3f6d2c43b8deb724eef2d1a5f7 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 22 Apr 2003 12:56:14 +0000 Subject: Make the mangleing code actually use a common prefix, not just the same name for many files. Also report complete failure to create a filename as a failure of the test. Andrew Bartlett (This used to be commit ce572df77f941c3c3f445be2c9708c096a9186ef) --- source3/torture/mangle_test.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/source3/torture/mangle_test.c b/source3/torture/mangle_test.c index d1475eb64e..e4ccfc1b83 100644 --- a/source3/torture/mangle_test.c 
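Review bot: the api_pipe_bind_req hunk references `last_dcinfo` while the commit removes the only visible `extern struct dcinfo last_dcinfo;` declaration from _net_sam_logon; make sure srv_pipe.c sees a declaration through a header or this will not build. On substance, `last_dcinfo` is a single process-wide slot that is not keyed by the client, yet the moved comment says the state is 're-used from the auth2 the client did before': the bind copies whatever machine account most recently completed auth2 in this smbd, which is not necessarily the client now binding. At minimum the comment should say so; better, save the dcinfo keyed by the client's computer name and check it at bind time.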
+++ b/source3/torture/mangle_test.c @@ -107,7 +107,7 @@ static BOOL test_one(struct cli_state *cli, const char *name) static void gen_name(char *name) { - const char *chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._-$~..."; + const char *chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._-$~... "; unsigned max_idx = strlen(chars); unsigned len; int i; @@ -135,7 +135,12 @@ static void gen_name(char *name) /* and a medium probability of a common lead string */ if (random() % 10 == 0) { - strncpy(p, "ABCDE", 6); + if (strlen(p) <= 5) { + fstrcpy(p, "ABCDE"); + } else { + /* try not to kill off the null termination */ + memcpy(p, "ABCDE", 5); + } } /* and a high probability of a good extension length */ @@ -153,6 +158,7 @@ BOOL torture_mangle(int dummy) extern int torture_numops; static struct cli_state *cli; int i; + BOOL ret = True; printf("starting mangle test\n"); @@ -177,10 +183,12 @@ BOOL torture_mangle(int dummy) for (i=0;i Date: Tue, 22 Apr 2003 12:57:30 +0000 Subject: Always initialise this, to assist callers doing loops over this call. Andrew Bartlett (This used to be commit 6da9fd157b4e61fe72f569e4657166ca9d9ab6dc) --- source3/rpc_client/cli_samr.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/source3/rpc_client/cli_samr.c b/source3/rpc_client/cli_samr.c index 9d0b48796c..fa4c662e04 100644 --- a/source3/rpc_client/cli_samr.c +++ b/source3/rpc_client/cli_samr.c @@ -571,6 +571,9 @@ NTSTATUS cli_samr_enum_dom_users(struct cli_state *cli, TALLOC_CTX *mem_ctx, ZERO_STRUCT(q); ZERO_STRUCT(r); + /* always init this */ + *num_dom_users = 0; + /* Initialise parse structures */ prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL); -- cgit From de690f13362f909c151f4b7e92d7a61f576b3685 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Tue, 22 Apr 2003 14:57:20 +0000 Subject: Update. (This used to be commit 0f8f94b6adc477a8e7ccae7444e2b7f4670ef071) --- docs/docbook/global.ent | 1 + 1 file changed, 1 insertion(+) 
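Review bot: in the gen_name hunk the `strlen(p) <= 5` branch uses fstrcpy(), whose bound is sizeof(fstring) measured from `p`, not the space actually left in `name` behind `p`, so the bound is meaningless at that position (harmless here only because the literal is six bytes). Both branches can use `memcpy(p, "ABCDE", 5);` with the short branch adding `p[5] = '\0';`, which states the NUL handling the else-comment worries about. The new trailing space appended to `chars` means generated names may end in a space; presumably intended, but it deserves a comment.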
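Review bot: initialising `*num_dom_users` before any early return in cli_samr_enum_dom_users is the right fix for looping callers; give the companion output pointers this call fills the same treatment so a caller never sees a count of zero paired with a stale pointer. The comment 'always init this' would be more useful if it said why: callers iterate on the count even when the call fails.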
diff --git a/docs/docbook/global.ent b/docs/docbook/global.ent index dcef1084d6..2c7f55aa3a 100644 --- a/docs/docbook/global.ent +++ b/docs/docbook/global.ent @@ -7,6 +7,7 @@ + -- cgit From 0865120fca988a8016f3dd9480f171794212e436 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 22 Apr 2003 15:55:07 +0000 Subject: parse_string is only used for the authentication negotiators. It can itself determine the length of the string it has to transfer. Andrew B., could you take a look at the length calculation? Is that safe? Thanks, Volker (This used to be commit d5f1082753f84f0e3a22739055b6b9cbde29faa9) --- source3/rpc_parse/parse_prs.c | 8 +++++++- source3/rpc_parse/parse_rpc.c | 16 ++++++---------- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/source3/rpc_parse/parse_prs.c b/source3/rpc_parse/parse_prs.c index 696142905b..e0a75d7382 100644 --- a/source3/rpc_parse/parse_prs.c +++ b/source3/rpc_parse/parse_prs.c @@ -1159,10 +1159,16 @@ BOOL prs_unistr(const char *name, prs_struct *ps, int depth, UNISTR *str) not include the null-termination character. ********************************************************************/ -BOOL prs_string(const char *name, prs_struct *ps, int depth, char *str, int len, int max_buf_size) +BOOL prs_string(const char *name, prs_struct *ps, int depth, char *str, int max_buf_size) { char *q; int i; + int len; + + if (UNMARSHALLING(ps)) + len = strlen(&ps->data_p[ps->data_offset]); + else + len = strlen(str); len = MIN(len, (max_buf_size-1)); diff --git a/source3/rpc_parse/parse_rpc.c b/source3/rpc_parse/parse_rpc.c index dd75ea1f55..be3a04e31c 100644 --- a/source3/rpc_parse/parse_rpc.c +++ b/source3/rpc_parse/parse_rpc.c 
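Review bot: in the prs_string hunk the unmarshalling branch computes `len = strlen(&ps->data_p[ps->data_offset])` over data received from the peer; if the PDU carries no NUL before the end of the buffer, strlen() reads past the end of ps->data_p. The later `MIN(len, (max_buf_size-1))` only bounds the copy into `str`, not that scan. Bound the scan by the bytes actually remaining (at most `prs_data_size(ps) - prs_offset(ps)`) and return False if no terminator is found within them. That answers the 'is that safe?' question in the commit message: as written, it is not.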
@@ -691,7 +691,7 @@ BOOL smb_io_rpc_auth_verifier(const char *desc, RPC_AUTH_VERIFIER *rav, prs_stru depth++; /* "NTLMSSP" */ - if(!prs_string("signature", ps, depth, rav->signature, strlen("NTLMSSP"), + if(!prs_string("signature", ps, depth, rav->signature, sizeof(rav->signature))) return False; if(!prs_uint32("msg_type ", ps, depth, &rav->msg_type)) /* NTLMSSP_MESSAGE_TYPE */ @@ -701,7 +701,7 @@ BOOL smb_io_rpc_auth_verifier(const char *desc, RPC_AUTH_VERIFIER *rav, prs_stru } /******************************************************************* - This parses an RPC_AUTH_VERIFIER for NETLOGON schannel. I thing + This parses an RPC_AUTH_VERIFIER for NETLOGON schannel. I think assuming "NTLMSSP" in sm_io_rpc_auth_verifier is somewhat wrong. I have to look at that later... ********************************************************************/ @@ -714,11 +714,9 @@ BOOL smb_io_rpc_netsec_verifier(const char *desc, RPC_AUTH_VERIFIER *rav, prs_st prs_debug(ps, depth, desc, "smb_io_rpc_auth_verifier"); depth++; - /* "NTLMSSP" */ - if(!prs_string("signature", ps, depth, rav->signature, strlen(rav->signature), - sizeof(rav->signature))) + if(!prs_string("signature", ps, depth, rav->signature, sizeof(rav->signature))) return False; - if(!prs_uint32("msg_type ", ps, depth, &rav->msg_type)) /* NTLMSSP_MESSAGE_TYPE */ + if(!prs_uint32("msg_type ", ps, depth, &rav->msg_type)) return False; return True; @@ -1170,11 +1168,9 @@ BOOL smb_io_rpc_auth_netsec_neg(const char *desc, RPC_AUTH_NETSEC_NEG *neg, return False; if(!prs_uint32("type2", ps, depth, &neg->type2)) return False; - if(!prs_string("domain ", ps, depth, neg->domain, - strlen(neg->domain), sizeof(neg->domain))) + if(!prs_string("domain ", ps, depth, neg->domain, sizeof(neg->domain))) return False; - if(!prs_string("myname ", ps, depth, neg->myname, - strlen(neg->myname), sizeof(neg->myname))) + if(!prs_string("myname ", ps, depth, neg->myname, sizeof(neg->myname))) return False; return True; -- cgit 
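Review bot: in the smb_io_rpc_auth_verifier hunk at @@ -691 the marshalled length of `signature` now comes from strlen(rav->signature) inside prs_string rather than the constant strlen("NTLMSSP"), so a caller that marshals a zeroed RPC_AUTH_VERIFIER writes an empty string where the old code always wrote the seven signature bytes. If every marshalling caller fills rav->signature first this is fine, but a check or a comment at the call site should make that new precondition explicit.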
From c95840b76f172a78e00cc4d4d750fb0a992d9120 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 22 Apr 2003 17:31:22 +0000 Subject: Add runtime tests for "impossible" case with -DDEVELOPER. Trying to catch logic error on Linux. Jeremy. (This used to be commit 5d2b2b5607faa4bf2c418987776c1ee327b098c6) --- source3/smbd/open.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/source3/smbd/open.c b/source3/smbd/open.c index 6b3dcbe71b..5e4f3caca7 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -532,6 +532,29 @@ existing desired access (0x%x).\n", fname, (unsigned int)desired_access, (unsign return True; } + +#if defined(DEVELOPER) +static void validate_my_share_entries(share_mode_entry *share_entry) +{ + files_struct *fsp; + + if (share_entry->pid != sys_getpid()) + return; + + fsp = file_find_dif(share_entry->dev, share_entry->inode, share_entry->share_file_id); + if (!fsp) { + smb_panic("validate_my_share_entries: Cannot match a share entry with an open file\n"); + } + + if (((uint16)fsp->oplock_type) != share_entry->op_type) { + pstring str; + slprintf(str, sizeof(str)-1, "validate_my_share_entries: file %s, oplock_type = 0x%x, op_type = 0x%x\n", + fsp->fsp_name, (unsigned int)fsp->oplock_type, (unsigned int)share_entry->op_type ); + smb_panic(str); + } +} +#endif + /**************************************************************************** Deal with open deny mode and oplock break processing. Invarient: Share mode must be locked on entry and exit. @@ -572,6 +595,10 @@ static int open_mode_check(connection_struct *conn, const char *fname, SMB_DEV_T for(i = 0; i < num_share_modes; i++) { share_mode_entry *share_entry = &old_shares[i]; +#if defined(DEVELOPER) + validate_my_share_entries(share_entry); +#endif + /* * By observation of NetBench, oplocks are broken *before* share * modes are checked. This allows a file to be closed by the client -- cgit 
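Review bot: in the validate_my_share_entries hunk the only ownership test is `share_entry->pid != sys_getpid()`, so a stale entry left in the share-mode tdb by an earlier smbd that died, whose pid has since been reused by this process, fails file_find_dif() and trips smb_panic() on a condition that is not a logic error in the running process. For a DEVELOPER-only check that is acceptable, but say so in a comment, and log dev, inode and share_file_id at DEBUG(0) before the panic so the core can be paired with the entry.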
From f2f1df690571513dfed521f147ee2110281262a4 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 22 Apr 2003 17:32:24 +0000 Subject: update copyright notice that is written to the logs (This used to be commit 5f1fe04a87a407297eb9d4ad0e5c6bb35b33c067) --- source3/nsswitch/winbindd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/nsswitch/winbindd.c b/source3/nsswitch/winbindd.c index eb8a36af55..ff21a4644f 100644 --- a/source3/nsswitch/winbindd.c +++ b/source3/nsswitch/winbindd.c @@ -854,7 +854,7 @@ int main(int argc, char **argv) reopen_logs(); DEBUG(1, ("winbindd version %s started.\n", VERSION ) ); - DEBUGADD( 1, ( "Copyright The Samba Team 2000-2001\n" ) ); + DEBUGADD( 1, ( "Copyright The Samba Team 2000-2003\n" ) ); if (!reload_services_file(False)) { DEBUG(0, ("error opening config file\n")); -- cgit From 3130622e81da37ac4d193781ba41dee1b5836381 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 22 Apr 2003 18:05:13 +0000 Subject: don't reset the group type unless specified (This used to be commit cb852a047413a3499fde68a353011afdcaa92ef2) --- source3/utils/net_groupmap.c | 22 ++++++++-------------- 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/source3/utils/net_groupmap.c b/source3/utils/net_groupmap.c index 2436fffc6d..63e69fa7cf 100644 --- a/source3/utils/net_groupmap.c +++ b/source3/utils/net_groupmap.c 
@@ -370,20 +370,14 @@ int net_groupmap_modify(int argc, const char **argv) * Allow changing of group type only between domain and local * We disallow changing Builtin groups !!! (SID problem) */ - if (sid_type==SID_NAME_ALIAS - || sid_type==SID_NAME_DOM_GRP - || sid_type==SID_NAME_UNKNOWN) - { - if (map.sid_name_use==SID_NAME_ALIAS - || map.sid_name_use==SID_NAME_DOM_GRP - || map.sid_name_use==SID_NAME_UNKNOWN) - { - map.sid_name_use=sid_type; - } else { - printf("cannot change group type to builtin\n"); - }; - } else { - printf("cannot change group type from builtin\n"); + if ( sid_type != SID_NAME_UNKNOWN ) + { + if ( map.sid_name_use == SID_NAME_WKN_GRP ) { + d_printf("You can only change between domain and local groups.\n"); + return -1; + } + + map.sid_name_use=sid_type; } /* Change comment if new one */ -- cgit From 0ecfcd3319909a61806cb6e37f7dedca6743ce38 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Tue, 22 Apr 2003 20:27:56 +0000 Subject: Added jCIFS to projects. (This used to be commit ef0f6b8957f3d8b46fdffa8c655c1906c9698254) --- docs/docbook/projdoc/IntroSMB.sgml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/docbook/projdoc/IntroSMB.sgml b/docs/docbook/projdoc/IntroSMB.sgml index c1c0ae3293..4fd96ee87e 100644 --- a/docs/docbook/projdoc/IntroSMB.sgml +++ b/docs/docbook/projdoc/IntroSMB.sgml @@ -163,6 +163,10 @@ client file systems for Linux, both available in the Linux kernel itself. Winbind (nsswitch) integration. + + jCIFS (Java implementation of CIFS) is an active project headed by Chris Hertel. + + -- cgit From c91cb3098ed9fd365fc9f551fc6099fb97d88852 Mon Sep 17 00:00:00 2001 
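Review bot: in the net_groupmap_modify hunk the rewritten check inspects only the existing mapping's type (`map.sid_name_use == SID_NAME_WKN_GRP`); the old code also refused a target type outside alias/domain group, and that side is gone, so the retained comment 'Allow changing of group type only between domain and local' no longer describes the code. Check that sid_type is SID_NAME_ALIAS or SID_NAME_DOM_GRP before assigning and keep a 'cannot change group type to builtin' message so the user learns which direction was rejected. Returning -1 on the builtin case instead of printing and continuing is correct, but it is a behaviour change worth a line in the commit message.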
From: "Christopher R. Hertel" Date: Tue, 22 Apr 2003 21:09:29 +0000 Subject: Merged the changes I made in the 3.0 doc tree (wrong place) and fiddled the entry for jCIFS (thanks, John!). (This used to be commit 43c1ba0ab2aa538d0defad4cdec385561d3563df) --- docs/docbook/projdoc/IntroSMB.sgml | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/docs/docbook/projdoc/IntroSMB.sgml b/docs/docbook/projdoc/IntroSMB.sgml index 4fd96ee87e..32b18cc8fc 100644 --- a/docs/docbook/projdoc/IntroSMB.sgml +++ b/docs/docbook/projdoc/IntroSMB.sgml @@ -141,8 +141,8 @@ http://www.samba.org). Optionally, you could just search mailing.unix.samba at Related Projects -Currently, there are two projects that are directly related to Samba: SMBFS and CIFS network -client file systems for Linux, both available in the Linux kernel itself. +There are currently two network filesystem client projects for Linux that are directly +related to Samba: SMBFS and CIFS VFS. These are both available in the Linux kernel itself. 
@@ -155,18 +155,14 @@ client file systems for Linux, both available in the Linux kernel itself. - CIFS (Common Internet File System) is the successor to SMB, and is actively being worked - on in the upcoming version of the Linux kernel. The intent of this module is to - provide advanced network file system functionality including support for dfs (heirarchical + CIFS VFS (Common Internet File System Virtual File System) is the successor to SMBFS, and + is being actively developed for the upcoming version of the Linux kernel. The intent of this module + is to provide advanced network file system functionality including support for dfs (heirarchical name space), secure per-user session establishment, safe distributed caching (oplock), optional packet signing, Unicode and other internationalization improvements, and optional Winbind (nsswitch) integration. - - - - jCIFS (Java implementation of CIFS) is an active project headed by Chris Hertel. - - + + @@ -174,6 +170,12 @@ Again, it's important to note that these are implementations for client filesyst nothing to do with acting as a file and print server for SMB/CIFS clients. + +There are other Open Source CIFS client implementations, such as the jCIFS project +(jcifs.samba.org) which provides an SMB client toolkit written in Java. + + + -- cgit From 08c2e81a18798a5d66d37e75207816e5934941a7 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Tue, 22 Apr 2003 23:27:57 +0000 Subject: Added Stephen Roylance's patch to add buttons to start/stop/restart all three daemons. (This used to be commit 2172e558fbb75937592583e81355da4471897032) --- source3/web/statuspage.c | 47 ++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 38 insertions(+), 9 deletions(-) diff --git a/source3/web/statuspage.c b/source3/web/statuspage.c index 8e41d62cb0..ddbe658a6c 100644 --- a/source3/web/statuspage.c +++ b/source3/web/statuspage.c 
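Review bot: the rewritten CIFS VFS paragraph in the @@ -155 hunk carries over the typo 'heirarchical'; it should read 'hierarchical' while this sentence is being touched.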
@@ -220,45 +220,46 @@ void status_page(void) int autorefresh=0; int refresh_interval=30; TDB_CONTEXT *tdb; + int nr_running=0; smbd_pid = pidfile_pid("smbd"); - if (cgi_variable("smbd_restart")) { + if (cgi_variable("smbd_restart") || cgi_variable("all_restart")) { stop_smbd(); start_smbd(); } - if (cgi_variable("smbd_start")) { + if (cgi_variable("smbd_start") || cgi_variable("all_start")) { start_smbd(); } - if (cgi_variable("smbd_stop")) { + if (cgi_variable("smbd_stop") || cgi_variable("all_stop")) { stop_smbd(); } - if (cgi_variable("nmbd_restart")) { + if (cgi_variable("nmbd_restart") || cgi_variable("all_restart")) { stop_nmbd(); start_nmbd(); } - if (cgi_variable("nmbd_start")) { + if (cgi_variable("nmbd_start") || cgi_variable("all_start")) { start_nmbd(); } - if (cgi_variable("nmbd_stop")) { + if (cgi_variable("nmbd_stop")|| cgi_variable("all_stop")) { stop_nmbd(); } #ifdef WITH_WINBIND - if (cgi_variable("winbindd_restart")) { + if (cgi_variable("winbindd_restart") || cgi_variable("all_restart")) { stop_winbindd(); start_winbindd(); } - if (cgi_variable("winbindd_start")) { + if (cgi_variable("winbindd_start") || cgi_variable("all_start")) { start_winbindd(); } - if (cgi_variable("winbindd_stop")) { + if (cgi_variable("winbindd_stop") || cgi_variable("all_stop")) { stop_winbindd(); } #endif @@ -314,6 +315,7 @@ void status_page(void) d_printf("%s%s\n", _("smbd:"), smbd_running()?_("running"):_("not running")); if (geteuid() == 0) { if (smbd_running()) { + nr_running++; d_printf("\n", _("Stop smbd")); } else { d_printf("\n", _("Start smbd")); 
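Review bot: style nit in the @@ -220 hunk: `cgi_variable("nmbd_stop")|| cgi_variable("all_stop")` lacks the space before `||` that every sibling line has. On substance, the new all_start/all_stop/all_restart variables are acted on in the same block as the per-daemon ones, which runs for any request carrying the variable regardless of geteuid(); the buttons are rendered only for root, so the code keeps relying on start_*/stop_* to enforce privilege, exactly as the per-daemon variables already do. A one-line comment saying so would save the next reader a trip through those helpers.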
@@ -326,11 +328,25 @@ void status_page(void) d_printf("%s%s\n", _("nmbd:"), nmbd_running()?_("running"):_("not running")); if (geteuid() == 0) { if (nmbd_running()) { + nr_running++; d_printf("\n", _("Stop nmbd")); } else { d_printf("\n", _("Start nmbd")); } d_printf("\n", _("Restart nmbd")); +#ifndef WITH_WINBIND + if (nr_running >= 1) { + /* stop, restart all */ + d_printf("\n"); + d_printf("\n", _("Stop All")); + d_printf("\n", _("Restart All")); + } + else if (nr_running == 0) { + /* start all */ + d_printf("\n"); + d_printf("\n", _("Start All")); + } +#endif } d_printf("\n"); @@ -339,11 +355,24 @@ void status_page(void) d_printf("%s%s\n", _("winbindd:"), winbindd_running()?_("running"):_("not running")); if (geteuid() == 0) { if (winbindd_running()) { + nr_running++; d_printf("\n", _("Stop winbindd")); } else { d_printf("\n", _("Start winbindd")); } d_printf("\n", _("Restart winbindd")); + if (nr_running >= 1) { + /* stop, restart all */ + d_printf("\n"); + d_printf("\n", _("Stop All")); + d_printf("\n", _("Restart All")); + } + else if (nr_running == 0) { + /* start all */ + d_printf("\n"); + d_printf("\n", _("Start All")); + } + } d_printf("\n"); #endif -- cgit From c057f9faff14614f24165290bfbf53965063199d Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 23 Apr 2003 00:19:16 +0000 Subject: Limit the number of outstanding print notify messages for a process to 1000. Jeremy. (This used to be commit aabaac05c6adbb510ed27f87115de3e83e27158c) --- source3/lib/messages.c | 31 +++++++++++++++++++++++++++++++ source3/printing/notify.c | 9 ++++++++- 2 files changed, 39 insertions(+), 1 deletion(-) diff --git a/source3/lib/messages.c b/source3/lib/messages.c index 0615cc1883..8706ede706 100644 --- a/source3/lib/messages.c +++ b/source3/lib/messages.c 
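Review bot: the Start All / Stop All / Restart All rendering added in the @@ -326 hunk under `#ifndef WITH_WINBIND` is repeated verbatim in the winbindd hunk below it; move it into a small helper called once after the last daemon row so the two copies cannot drift. `else if (nr_running == 0)` can be plain `else`, since nr_running is never negative. Note that the mixed state (some daemons running) shows only Stop All and Restart All, so Restart All is the only way to bring up a stopped daemon from these buttons; if that is intended, the comment should say so.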
@@ -303,6 +303,37 @@ BOOL message_send_pid_with_timeout(pid_t pid, int msg_type, const void *buf, siz return message_send_pid_internal(pid, msg_type, buf, len, duplicates_allowed, timeout); } +/**************************************************************************** + Count the messages pending for a particular pid. Expensive.... +****************************************************************************/ + +unsigned int messages_pending_for_pid(pid_t pid) +{ + TDB_DATA kbuf; + TDB_DATA dbuf; + char *buf; + unsigned int message_count = 0; + + kbuf = message_key_pid(sys_getpid()); + + dbuf = tdb_fetch(tdb, kbuf); + if (dbuf.dptr == NULL || dbuf.dsize == 0) { + SAFE_FREE(dbuf.dptr); + return 0; + } + + for (buf = dbuf.dptr; dbuf.dsize > sizeof(struct message_rec);) { + struct message_rec rec; + memcpy(&rec, buf, sizeof(rec)); + buf += (sizeof(rec) + rec.len); + dbuf.dsize -= (sizeof(rec) + rec.len); + message_count++; + } + + SAFE_FREE(dbuf.dptr); + return message_count; +} + /**************************************************************************** Retrieve all messages for the current process. ****************************************************************************/ diff --git a/source3/printing/notify.c b/source3/printing/notify.c index 428eb54ce4..ee973da211 100644 --- a/source3/printing/notify.c +++ b/source3/printing/notify.c 
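Review bot: messages_pending_for_pid() in the @@ -303 hunk takes `pid` but builds its key with `message_key_pid(sys_getpid())`, so it counts the caller's own queue, not the target's; the throttle built on it in printing/notify.c will never see the recipient's backlog. Use `message_key_pid(pid)`. The walk also trusts `rec.len` from the tdb record: `dbuf.dsize -= (sizeof(rec) + rec.len)` on a size_t wraps on a corrupt or truncated record and the loop then reads far beyond the buffer. Check `sizeof(rec) + rec.len <= dbuf.dsize` before advancing and break otherwise, and use `>=` in the loop condition so a final exactly-sized record is counted.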
@@ -174,8 +174,15 @@ static void print_notify_send_messages_to_printer(const char *printer, unsigned if (!print_notify_pid_list(printer, send_ctx, &num_pids, &pid_list)) return; - for (i = 0; i < num_pids; i++) + for (i = 0; i < num_pids; i++) { + unsigned int q_len = messages_pending_for_pid(pid_list[i]); + if (q_len > 1000) { + DEBUG(5, ("print_notify_send_messages_to_printer: discarding notify to printer %s as queue length = %u\n", + printer, q_len )); + continue; + } message_send_pid_with_timeout(pid_list[i], MSG_PRINTER_NOTIFY2, buf, offset, True, timeout); + } } /******************************************************************* -- cgit From 1da530956da685c85997f34cbdea29a58a7756b3 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 23 Apr 2003 00:34:59 +0000 Subject: allow the unix group in a mapping to be changed; doesn't work with LDAP right now but should be ok with tdb's (This used to be commit 039e77e1d5b6e68cf85bdcc71ff309ebe6528728) --- source3/utils/net_groupmap.c | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/source3/utils/net_groupmap.c b/source3/utils/net_groupmap.c index 63e69fa7cf..2b88183f22 100644 --- a/source3/utils/net_groupmap.c +++ b/source3/utils/net_groupmap.c @@ -294,9 +294,11 @@ int net_groupmap_modify(int argc, const char **argv) fstring ntcomment = ""; fstring type = ""; fstring ntgroup = ""; + fstring unixgrp = ""; fstring sid_string = ""; enum SID_NAME_USE sid_type = SID_NAME_UNKNOWN; int i; + gid_t gid; /* get the options */ for ( i=0; i|sid=} [comment=] [type=\n"); + d_printf("Usage: net groupmap modify {ntgroup=|sid=} [comment=] [unixgroup=] [type=]\n"); return -1; } 
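Review bot: the notify hunk drops a notification silently once the queue exceeds 1000 entries, logged only at DEBUG(5); a dropped print-change notification leaves a client with a stale view until it polls, so log it at a level an administrator will see and name the limit (`#define MAX_PRINT_NOTIFY_QUEUE 1000`) instead of a bare literal. It also calls messages_pending_for_pid() once per recipient per notification, which that helper's own comment calls expensive; the commit message should say this adds a tdb fetch and full walk per recipient.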
@@ -386,6 +395,17 @@ int net_groupmap_modify(int argc, const char **argv) if ( ntgroup[0] ) fstrcpy( map.nt_name, ntgroup ); + + if ( unixgrp[0] ) { + gid = nametogid( unixgrp ); + if ( gid == -1 ) { + d_printf("Unable to lookup UNIX group %s. Make sure the group exists.\n", + unixgrp); + return -1; + } + + map.gid = gid; + } #if 0 /* Change the privilege if new one */ -- cgit From d315de898bedcaf64e6a27ffb8ab29223a123f10 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Wed, 23 Apr 2003 04:39:34 +0000 Subject: Update - closed off for now (This used to be commit 8511042ff6f664eb2f5cc80a59859fb004f5be13) --- docs/docbook/projdoc/SWAT.sgml | 212 ++++++++++++++++++++++++++++++++++++++--- 1 file changed, 199 insertions(+), 13 deletions(-) diff --git a/docs/docbook/projdoc/SWAT.sgml b/docs/docbook/projdoc/SWAT.sgml index 763872d567..751138f138 100644 --- a/docs/docbook/projdoc/SWAT.sgml +++ b/docs/docbook/projdoc/SWAT.sgml @@ -35,6 +35,9 @@ a fully optimised file that has been stripped of all comments you might have pla and only non-default settings will be written to the file. + +Enabling SWAT for use + SWAT should be installed to run via the network super daemon. Depending on which system your Unix/Linux system has you will have either an inetd or 
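Review bot: in the unixgroup hunk `gid == -1` compares a gid_t (unsigned on most systems) with a signed literal; it works by promotion, but `(gid_t)-1` states the intent and silences sign-comparison warnings. The commit message says this path does not work with the LDAP backend yet; nothing in the hunk tells the user that, so either refuse `unixgroup=` when the backend is LDAP or print a warning rather than letting the update silently fail to persist.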
@@ -79,27 +82,80 @@ A control file for the newer style xinetd could be: disable = yes } + Both the above examples assume that the swat binary has been located in the /usr/sbin directory. In addition to the above -SWAT will use a directory access point from which it will load all it's help files, +SWAT will use a directory access point from which it will load it's help files as well as other control information. The default location for this on most Linux -systems is in the directory /usr/share/samba/swat. +systems is in the directory /usr/share/samba/swat. The default +location using samba defaults will be /usr/local/samba/swat. Access to SWAT will prompt for a logon. If you log onto SWAT as any non-root user the only permission allowed is to view certain aspects of configuration as well as -access to the password change facility. +access to the password change facility. The buttons that will be exposed to the non-root +user are: HOME, STATUS, VIEW, PASSWORD. The only page that allows +change capability in this case is PASSWORD. So long as you log onto SWAT as the user root you should obtain -full change and commit ability. +full change and commit ability. The buttons that will be exposed includes: +HOME, GLOBALS, SHARES, PRINTERS, WIZARD, STATUS, VIEW, PASSWORD. + + + + + +Securing SWAT through SSL + + +Lots of people have asked about how to setup SWAT with SSL to allow for secure remote +administration of Samba. 
Here is a method that works, courtesy of Markus Krieger + + + +Modifications to the swat setup are as following: + + + + + install OpenSSL + + + + generate certificate and private key + + + root# /usr/bin/openssl req -new -x509 -days 365 -nodes -config \ + /usr/share/doc/packages/stunnel/stunnel.cnf \ + -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem + + + + remove swat-entry from [x]inetd + + + + start stunnel + + + root# stunnel -p /etc/stunnel/stunnel.pem -d 901 \ + -l /usr/local/samba/bin/swat swat + + + + +afterwards simply contact to swat by using the URL "https://myhost:901", accept the certificate +and the SSL connection is up. + + The SWAT Home Page 
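Review bot: in the @@ -79 hunk 'load it's help files' should be 'its', 'The buttons that will be exposed includes' should be 'include', and 'simply contact to swat' should be 'connect to SWAT'. In the stunnel recipe the openssl command writes the certificate and the private key into the same /etc/stunnel/stunnel.pem with `-nodes` (unencrypted key); the text should tell the reader to make that file root-only (mode 0600), since it is what protects the SWAT root password on the wire, and mention that browsers will warn about the self-signed certificate until it is imported.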
@@ -109,46 +165,163 @@ each samba component is accessible from this page as are the Samba-HOWTO-Collect document) as well as the O'Reilly book "Using Samba". + +Administrators who wish to validate their samba configuration may obtain useful information +from the man pages for the diganostic utilities. These are available from the SWAT home page +also. One diagnostic tool that is NOT mentioned on this page, but that is particularly +useful is ethereal, available from +http://www.ethereal.com. + + + +SWAT can be configured to run in demo mode. This is NOT recommended +as it runs SWAT without authentication and with full administrative ability. ie: Allows +changes to smb.conf as well as general operation with root privilidges. The option that +creates this ability is the -a flag to swat. DO NOT USE THIS IN ANY +PRODUCTION ENVIRONMENT - you have been warned! + + + Global Settings -Document steps right here! +The Globals button will expose a page that allows configuration of the global parameters +in smb.conf. There are three levels of exposure of the parameters: + + + Basic - exposes common configuration options. + + + + Advanced - exposes configuration options needed in more + complex environments. + + + + Developer - exposes configuration options that only the brave + will want to tamper with. + + + + +To switch to other than Basic editing ability click on either the +Advanced or the Developer dial, then click the +Commit Changes button. + + + +After making any changes to configuration parameters make sure that you click on the +Commit Changes button before moving to another area otherwise +your changes will be immediately lost. + + + +SWAT has context sensitive help. To find out what each parameter is for simply click the +Help link to the left of the configurartion parameter. + + + -The SWAT Wizard +Share Settings -Lots of blah blah here. 
+To affect a currenly configured share, simple click on the pull down button between the +Choose Share and the Delete Share buttons, +select the share you wish to operation on, then to edit the settings click on the +Choose Share button, to delete the share simply press the +Delete Share button. + + + +To create a new share, next to the button labelled Create Share enter +into the text field the name of the share to be created, then click on the +Create Share button. -Share Settings +Printers Settings + + +To affect a currenly configured printer, simple click on the pull down button between the +Choose Printer and the Delete Printer buttons, +select the printer you wish to operation on, then to edit the settings click on the +Choose Printer button, to delete the share simply press the +Delete Printer button. + -Document steps right here! +To create a new printer, next to the button labelled Create Printer enter +into the text field the name of the share to be created, then click on the +Create Printer button. -Printing Settings +The SWAT Wizard + + +The purpose if the SWAT Wizard is to help the Microsoft knowledgable network administrator +to configure Samba with a minimum of effort. + + + +The Wizard page provides a tool for rewiting the smb.conf file in fully optimised format. +This will also happen if you press the commit button. The two differ in the the rewrite button +ignores any changes that may have been made, while the Commit button causes all changes to be +affected. + + + +The Edit button permits the editing (setting) of the minimal set of +options that may be necessary to create a working samba server. + -Document steps right here! +Finally, there are a limited set of options that will determine what type of server samba +will be configured for, whether it will be a WINS server, participate as a WINS client, or +operate with no WINS support. By clicking on one button you can elect to epose (or not) user +home directories. 
+ The Status Page -Document steps right here! +The status page serves a limited purpose. Firstly, it allows control of the samba daemons. +The key daemons that create the samba server environment are: smbd, nmbd, winbindd. + + + +The daemons may be controlled individually or as a total group. Additionally, you may set +an automatic screen refresh timing. As MS Windows clients interact with Samba new smbd processes +will be continually spawned. The auto-refresh facility will allow you to track the changing +conditions with minimal effort. + + + +Lastly, the Status page may be used to terminate specific smbd client connections in order to +free files that may be locked. + + + + + +The View Page + + +This page allows the administrator to view the optimised smb.conf file and if you are +particularly massochistic will permit you also to see all possible global configuration +parameters and their settings. @@ -157,7 +330,20 @@ Document steps right here! The Password Change Page -Document steps right here! +The Password Change page is a popular tool. This tool allows to creation, deletion, deactivation +and reactivation of MS Windows networking users on the local machine. Alternatively, you can use +this tool to change a local password for a user account. + + + +When logged in as a non-root account the user will have to provide the old password as well as +the new password (twice). When logged in as root only the new password is +required. + + + +One popular use for this tool is to change user passwords across a range of remote MS Windows +servers. -- cgit From f3f78bb9b47d77cecb2861c797d2d3b358014211 Mon Sep 17 00:00:00 2001 From: Richard Sharpe Date: Wed, 23 Apr 2003 06:36:34 +0000 Subject: Add more code to store keys and other records ... still more to go (This used to be commit 39f298fd395b91a0cf4bcadf3938b58a9a14c95f) --- source3/utils/editreg.c | 102 +++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 92 insertions(+), 10 deletions(-) 
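Review bot: the @@ -109 hunk introduces spelling errors that should be fixed before this text ships: 'diganostic' (diagnostic), 'privilidges' (privileges), 'configurartion' (configuration), 'currenly' (currently, twice), 'simple click' (simply click, twice), 'wish to operation on' (operate on, twice), 'purpose if the SWAT Wizard' (purpose of), 'knowledgable' (knowledgeable), 'rewiting' (rewriting), 'in the the rewrite' (in that the rewrite), 'epose' (expose), 'massochistic' (masochistic). In the Printers Settings section 'the name of the share to be created' and 'to delete the share' are copy-paste leftovers from the Shares text and should say printer.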
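Review bot: in the @@ -157 hunk 'This tool allows to creation, deletion, deactivation and reactivation' should read 'This tool allows the creation, ...'. The closing paragraph says the tool is used to change passwords 'across a range of remote MS Windows servers' while the paragraphs before it describe only accounts on the local machine; either describe how a remote server is selected or drop the claim.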
diff --git a/source3/utils/editreg.c b/source3/utils/editreg.c index bdfb3dc832..eb796d43b6 100644 --- a/source3/utils/editreg.c +++ b/source3/utils/editreg.c @@ -381,6 +381,7 @@ typedef struct reg_key_s { struct key_list_s *sub_keys; struct val_list_s *values; KEY_SEC_DESC *security; + unsigned int offset; /* Offset of the record in the file */ } REG_KEY; /* @@ -443,11 +444,12 @@ struct key_sec_desc_s { struct key_sec_desc_s *prev, *next; int ref_cnt; int state; + int offset, stored; SEC_DESC *sec_desc; }; /* - * All of the structures below actually have a four-byte lenght before them + * All of the structures below actually have a four-byte length before them * which always seems to be negative. The following macro retrieves that * size as an integer */ @@ -483,8 +485,8 @@ typedef struct hbin_sub_struct { typedef struct hbin_struct { DWORD HBIN_ID; /* hbin */ - DWORD prev_off; - DWORD next_off; + DWORD off_from_first; + DWORD off_to_next; DWORD uk1; DWORD uk2; DWORD uk3; @@ -1319,6 +1321,7 @@ KEY_SEC_DESC *nt_create_init_sec(REGF *regf) tsec->ref_cnt = 1; tsec->state = SEC_DESC_NBK; + tsec->stored = tsec->offset = 0; tsec->sec_desc = regf->def_sec_desc; @@ -1795,6 +1798,7 @@ KEY_SEC_DESC *lookup_create_sec_key(REGF *regf, SK_MAP *sk_map, int sk_off) if (!tmp) { return NULL; } + bzero(tmp, sizeof(KEY_SEC_DESC)); tmp->state = SEC_DESC_RES; if (!alloc_sk_map_entry(regf, tmp, sk_off)) { return NULL; @@ -2416,7 +2420,7 @@ int nt_load_registry(REGF *regf) IVAL(®f_hdr->dblk_size)); if (verbose) fprintf(stdout, "Offset to next hbin block: %0X\n", - IVAL(&hbin_hdr->next_off)); + IVAL(&hbin_hdr->off_to_next)); if (verbose) fprintf(stdout, "HBIN block size: %0X\n", IVAL(&hbin_hdr->blk_size)); @@ -2447,6 +2451,7 @@ int nt_load_registry(REGF *regf) HBIN_BLK *nt_create_hbin_blk(REGF *regf, int size) { HBIN_BLK *tmp; + HBIN_HDR *hdr; if (!regf || !size) return NULL; 
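Review bot: `bzero(tmp, sizeof(KEY_SEC_DESC))` in the lookup_create_sec_key hunk is a BSD call rather than standard C; use memset() or ZERO_STRUCTP(tmp) like the rest of the tree. The sibling hunk in nt_create_init_sec() instead zeroes only the two new fields by hand (`tsec->stored = tsec->offset = 0;`); zeroing the whole struct in both places is safer as fields keep being added.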
@@ -2468,6 +2473,15 @@ HBIN_BLK *nt_create_hbin_blk(REGF *regf, int size) tmp->free_space = size - (sizeof(HBIN_HDR) - sizeof(HBIN_SUB_HDR)); tmp->fsp_off = size - tmp->free_space; + /* + * Now, build the header in the data block + */ + hdr = (HBIN_HDR *)tmp->data; + hdr->HBIN_ID = REG_HBIN_ID; + hdr->off_from_first = tmp->file_offset - REGF_HDR_BLKSIZ; + hdr->off_to_next = tmp->size; + hdr->blk_size = tmp->size; + /* * Now link it in */ @@ -2515,11 +2529,14 @@ void *nt_alloc_regf_space(REGF *regf, int size, int *off) for (blk = regf->free_space; blk != NULL; blk = blk->next) { if (blk->free_space <= size) { - tmp = blk->file_offset + blk->fsp_off; + tmp = blk->file_offset + blk->fsp_off - REGF_HDR_BLKSIZ; ret = blk->data + blk->fsp_off; blk->free_space -= size; blk->fsp_off += size; + /* Insert the header */ + ((HBIN_SUB_HDR *)ret)->dblocksize = -size; + /* * Fix up the free space ptr * If it is NULL, we fix it up next time @@ -2529,7 +2546,7 @@ void *nt_alloc_regf_space(REGF *regf, int size, int *off) regf->free_space = blk->next; *off = tmp; - return ret; + return (((char *)ret)+4);/* The pointer needs to be to the data struct */ } } @@ -2539,11 +2556,14 @@ void *nt_alloc_regf_space(REGF *regf, int size, int *off) */ if (nt_create_hbin_blk(regf, REGF_HDR_BLKSIZ)) { blk = regf->free_space; - tmp = blk->file_offset + blk->fsp_off; + tmp = blk->file_offset + blk->fsp_off - REGF_HDR_BLKSIZ; ret = blk->data + blk->fsp_off; blk->free_space -= size; blk->fsp_off += size; + /* Insert the header */ + ((HBIN_SUB_HDR *)ret)->dblocksize = -size; + /* * Fix up the free space ptr * If it is NULL, we fix it up next time 
@@ -2553,12 +2573,26 @@ void *nt_alloc_regf_space(REGF *regf, int size, int *off) regf->free_space = blk->next; *off = tmp; - return ret; + return (((char *)ret) + 4);/* The pointer needs to be to the data struct */ } return NULL; } +/* + * Store the security information + * + * If it has already been stored, just get its offset from record + * otherwise, store it and record its offset + */ + +unsigned int nt_store_security(REGF *regf, KEY_SEC_DESC *sec) +{ + + return 0; + +} + /* * Store a KEY in the file ... * @@ -2567,11 +2601,56 @@ void *nt_alloc_regf_space(REGF *regf, int size, int *off) * * We store the NK hdr, any SK header, class name, and VK structure, then * recurse down the LF structures ... + * + * We return the offset of the NK struct */ int nt_store_reg_key(REGF *regf, REG_KEY *key) { NK_HDR *nk_hdr; + unsigned int nk_off, sk_off, val_off, clsnam_off, size; + + if (!regf || !key) return 0; + + size = sizeof(NK_HDR) + strlen(key->name) - 1; + nk_hdr = nt_alloc_regf_space(regf, size, &nk_off); + if (!nk_hdr) goto error; + + key->offset = nk_off; /* We will need this later */ + /* + * Now fill in each field etc ... + */ + + nk_hdr->NK_ID = REG_NK_ID; + if (key->type == REG_ROOT_KEY) + nk_hdr->type = 0x2C; + else + nk_hdr->type = 0x20; + + /* FIXME: Fill in the time of last update */ + + if (key->type != REG_ROOT_KEY) + nk_hdr->own_off = key->owner->offset; + + if (key->sub_keys) + nk_hdr->subk_num = key->sub_keys->key_count; + + /* + * Now, process the Sec Desc and then store its offset + */ + + sk_off = nt_store_security(regf, key->security); + + /* + * Then, store the val list and store its offset + */ + + + /* + * Finally, store the subkeys, and their offsets + */ + + error: return 0; } 
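Review bot: both allocation paths in `nt_alloc_regf_space` reserve exactly `size` bytes (`blk->free_space -= size; blk->fsp_off += size;`), then write the 4-byte `HBIN_SUB_HDR` at `ret` and hand the caller `ret + 4`, so a caller that fills `size` bytes writes 4 bytes past the reserved region into whatever is allocated next. Either reserve `size + sizeof(HBIN_SUB_HDR)` here or require callers to include the header in `size`, and keep the recorded `dblocksize = -size` consistent with the convention the loader expects. Separately, the visible search condition `if (blk->free_space <= size)` is inverted: it picks blocks with too little free space and skips blocks with enough; it should be `>=`.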
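Review bot: `nt_store_reg_key` always returns 0, on the success path as well as via `error:`, although the new comment says "We return the offset of the NK struct"; return `nk_off` on success and keep 0 for failure. `sk_off`, `val_off` and `clsnam_off` are assigned or declared but never used, and `nt_store_security` is a stub that returns 0, which is indistinguishable from a valid offset once the real implementation lands, so the stub should at least be marked with a FIXME like the timestamp. The NK record obtained from `nt_alloc_regf_space` is not zeroed before fields are filled in, so anything not set here (the last-update time, the fields for keys without sub_keys) contains whatever the block held unless `nt_create_hbin_blk` clears `tmp->data`, which this hunk does not show.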
@@ -2617,14 +2696,17 @@ REGF_HDR *nt_get_reg_header(REGF *regf) int nt_store_registry(REGF *regf) { REGF_HDR *reg; - NK_HDR *fkey; + int fkey; /* * Get a header ... and partially fill it in ... */ reg = nt_get_reg_header(regf); - + /* + * Store the first key + */ + fkey = nt_store_reg_key(regf, regf->root); return 1; } -- cgit From 1fe7ec8b4bf8141ab5778215e43a3ca19e04d7b9 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 23 Apr 2003 07:10:28 +0000 Subject: Patch from waider to set exit code of last executed command specified as an argument to -c. (This used to be commit 048aeefcdc12d93bc728d104bbf38ea8becfb16c) --- source3/rpcclient/rpcclient.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c index bf016e94c7..0411212e8c 100644 --- a/source3/rpcclient/rpcclient.c +++ b/source3/rpcclient/rpcclient.c @@ -628,13 +628,15 @@ out_free: if (cmdstr && cmdstr[0]) { char *cmd; char *p = cmdstr; + int result = 0; while((cmd=next_command(&p)) != NULL) { - process_cmd(cli, cmd); + NTSTATUS cmd_result = process_cmd(cli, cmd); + result = NT_STATUS_IS_ERR(cmd_result); } cli_shutdown(cli); - return 0; + return result; } /* Loop around accepting commands */ -- cgit From c95a50cce5b3dbe6eaca819f9477d6f7275762d6 Mon Sep 17 00:00:00 2001 
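Review bot: in `nt_store_registry` the result of `nt_store_reg_key(regf, regf->root)` is stored in `fkey` but never checked, and the function returns 1 unconditionally; add `if (!fkey) return 0;` once `nt_store_reg_key` returns a non-zero offset on success, otherwise a failed store is reported as success to the caller.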
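Review bot: `result = NT_STATUS_IS_ERR(cmd_result)` only flags codes with error severity, so a command that returns a warning-class status still exits 0; `result = !NT_STATUS_IS_OK(cmd_result)` matches the intent of "set exit code of last executed command" more closely. As written, only the last command's status survives the loop, so `-c "cmd1; cmd2"` exits 0 when cmd1 fails and cmd2 succeeds; if that is the intended semantics, say so in a comment above the loop, otherwise accumulate with `result |= ...`.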
From: Paul Green Date: Wed, 23 Apr 2003 11:11:55 +0000 Subject: Move build farm template files to their own subdirectory so that their names can be shortened to 30 characters. Helps Stratus VOS, which has a 32-character file name limit. (This used to be commit 58a4be041ee92434672959b9df888cf1366bb02e) --- testsuite/build_farm/basicsmb.fns | 7 +++- .../basicsmb.smb.conf.hostsequiv.template | 3 -- .../basicsmb.smb.conf.invalidusers.template | 1 - .../build_farm/basicsmb.smb.conf.preexec.template | 1 - .../basicsmb.smb.conf.preexec_cl_fail.template | 2 - .../basicsmb.smb.conf.preexec_close.template | 2 - testsuite/build_farm/basicsmb.smb.conf.template | 49 ---------------------- .../basicsmb.smb.conf.validusers.template | 1 - testsuite/build_farm/preexec.template | 2 - testsuite/build_farm/template/basicsmb.smb.conf | 49 ++++++++++++++++++++++ .../template/basicsmb.smb.conf.hostsequiv | 3 ++ .../template/basicsmb.smb.conf.invalidusers | 1 + .../build_farm/template/basicsmb.smb.conf.preexec | 1 + .../template/basicsmb.smb.conf.preexec_cl_fl | 2 + .../template/basicsmb.smb.conf.preexec_close | 2 + .../template/basicsmb.smb.conf.validusers | 1 + testsuite/build_farm/template/preexec | 2 + 17 files changed, 66 insertions(+), 63 deletions(-) delete mode 100644 testsuite/build_farm/basicsmb.smb.conf.hostsequiv.template delete mode 100644 testsuite/build_farm/basicsmb.smb.conf.invalidusers.template delete mode 100644 testsuite/build_farm/basicsmb.smb.conf.preexec.template delete mode 100644 testsuite/build_farm/basicsmb.smb.conf.preexec_cl_fail.template delete mode 100644 testsuite/build_farm/basicsmb.smb.conf.preexec_close.template delete mode 100644 testsuite/build_farm/basicsmb.smb.conf.template delete mode 100644 testsuite/build_farm/basicsmb.smb.conf.validusers.template delete mode 100644 testsuite/build_farm/preexec.template create mode 100644 testsuite/build_farm/template/basicsmb.smb.conf create mode 100644 testsuite/build_farm/template/basicsmb.smb.conf.hostsequiv 
create mode 100644 testsuite/build_farm/template/basicsmb.smb.conf.invalidusers create mode 100644 testsuite/build_farm/template/basicsmb.smb.conf.preexec create mode 100644 testsuite/build_farm/template/basicsmb.smb.conf.preexec_cl_fl create mode 100644 testsuite/build_farm/template/basicsmb.smb.conf.preexec_close create mode 100644 testsuite/build_farm/template/basicsmb.smb.conf.validusers create mode 100644 testsuite/build_farm/template/preexec diff --git a/testsuite/build_farm/basicsmb.fns b/testsuite/build_farm/basicsmb.fns index bb177704ef..4410feff3a 100644 --- a/testsuite/build_farm/basicsmb.fns +++ b/testsuite/build_farm/basicsmb.fns @@ -22,7 +22,7 @@ # says it's not done consistently. template_setup() { - cat $1.template | \ + cat template/$1 | \ sed "s|PREFIX|$prefix|g" | \ sed "s|BUILD_FARM|$test_root|g" | \ sed "s|WHOAMI|$whoami|g" | \ @@ -52,13 +52,16 @@ test_smb_conf_setup() { exit 1 esac +# Please keep these names under 15 characters, +# so that the final name is 31 characters or fewer. + template_smb_conf_setup template_smb_conf_setup .hostsequiv template_smb_conf_setup .validusers template_smb_conf_setup .invalidusers template_smb_conf_setup .preexec template_smb_conf_setup .preexec_close - template_smb_conf_setup .preexec_cl_fail + template_smb_conf_setup .preexec_cl_fl template_setup preexec lib/preexec diff --git a/testsuite/build_farm/basicsmb.smb.conf.hostsequiv.template b/testsuite/build_farm/basicsmb.smb.conf.hostsequiv.template deleted file mode 100644 index 750af74f59..0000000000 --- a/testsuite/build_farm/basicsmb.smb.conf.hostsequiv.template +++ /dev/null @@ -1,3 +0,0 @@ - hostname lookups = no - hosts equiv=PREFIX/lib/hosts.equiv - auth methods = hostsequiv diff --git a/testsuite/build_farm/basicsmb.smb.conf.invalidusers.template b/testsuite/build_farm/basicsmb.smb.conf.invalidusers.template deleted file mode 100644 index a96a316db9..0000000000 --- a/testsuite/build_farm/basicsmb.smb.conf.invalidusers.template +++ /dev/null 
@@ -1 +0,0 @@ - invalid users = WHOAMI diff --git a/testsuite/build_farm/basicsmb.smb.conf.preexec.template b/testsuite/build_farm/basicsmb.smb.conf.preexec.template deleted file mode 100644 index cc34872c5d..0000000000 --- a/testsuite/build_farm/basicsmb.smb.conf.preexec.template +++ /dev/null @@ -1 +0,0 @@ -preexec = /bin/sh PREFIX/lib/preexec diff --git a/testsuite/build_farm/basicsmb.smb.conf.preexec_cl_fail.template b/testsuite/build_farm/basicsmb.smb.conf.preexec_cl_fail.template deleted file mode 100644 index 4a6fae57bc..0000000000 --- a/testsuite/build_farm/basicsmb.smb.conf.preexec_cl_fail.template +++ /dev/null @@ -1,2 +0,0 @@ -preexec close = yes -preexec = PREFIX/lib/preexec_does_not_exist diff --git a/testsuite/build_farm/basicsmb.smb.conf.preexec_close.template b/testsuite/build_farm/basicsmb.smb.conf.preexec_close.template deleted file mode 100644 index 3aac6998bf..0000000000 --- a/testsuite/build_farm/basicsmb.smb.conf.preexec_close.template +++ /dev/null @@ -1,2 +0,0 @@ -preexec close = yes -preexec = /bin/sh PREFIX/lib/preexec diff --git a/testsuite/build_farm/basicsmb.smb.conf.template b/testsuite/build_farm/basicsmb.smb.conf.template deleted file mode 100644 index 9b8483db16..0000000000 --- a/testsuite/build_farm/basicsmb.smb.conf.template +++ /dev/null 
@@ -1,49 +0,0 @@ -[global] - netbios name = BUILDFARM - workgroup = TESTWG - log level = LOGLEVEL - debug timestamp = no - encrypt passwords = yes - server string = Samba %v Build Farm Tests - name resolve order = lmhosts - guest account = WHOAMI - domain logons = yes - - strict locking = yes - - include = PREFIX/lib/smb.conf.%L - - add machine script = useradd %u -d /dev/null -s /bin/false - - panic action = /bin/sh BUILD_FARM/samba/testsuite/build_farm/backtrace %d - - passdb backend = smbpasswd_nua - - non unix account range = 10000-200000 - map hidden = yes - create mask = 0777 - -[test] - path = PREFIX/testdir - read only = no - -[samba] - path = BUILD_FARM/samba - read only = yes - comment = Samba HEAD Sources - -[samba_2_2] - path = BUILD_FARM/samba_2_2 - read only = yes - comment = Samba 2.2. Sources - -[rsync] - path = BUILD_FARM/rsync - read only = yes - comment = Rsync Sources - -[guest_share] - path = PREFIX - guest ok = yes - read only = yes - comment = Unauthenticated share for use in share level test diff --git a/testsuite/build_farm/basicsmb.smb.conf.validusers.template b/testsuite/build_farm/basicsmb.smb.conf.validusers.template deleted file mode 100644 index d4a85e0a02..0000000000 --- a/testsuite/build_farm/basicsmb.smb.conf.validusers.template +++ /dev/null @@ -1 +0,0 @@ - valid users = WHOAMI diff --git a/testsuite/build_farm/preexec.template b/testsuite/build_farm/preexec.template deleted file mode 100644 index e417d6a017..0000000000 --- a/testsuite/build_farm/preexec.template +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/sh -echo "Test worked" > PREFIX/testdir/preexec_touch diff --git a/testsuite/build_farm/template/basicsmb.smb.conf b/testsuite/build_farm/template/basicsmb.smb.conf new file mode 100644 index 0000000000..9b8483db16 --- /dev/null +++ b/testsuite/build_farm/template/basicsmb.smb.conf 
@@ -0,0 +1,49 @@ +[global] + netbios name = BUILDFARM + workgroup = TESTWG + log level = LOGLEVEL + debug timestamp = no + encrypt passwords = yes + server string = Samba %v Build Farm Tests + name resolve order = lmhosts + guest account = WHOAMI + domain logons = yes + + strict locking = yes + + include = PREFIX/lib/smb.conf.%L + + add machine script = useradd %u -d /dev/null -s /bin/false + + panic action = /bin/sh BUILD_FARM/samba/testsuite/build_farm/backtrace %d + + passdb backend = smbpasswd_nua + + non unix account range = 10000-200000 + map hidden = yes + create mask = 0777 + +[test] + path = PREFIX/testdir + read only = no + +[samba] + path = BUILD_FARM/samba + read only = yes + comment = Samba HEAD Sources + +[samba_2_2] + path = BUILD_FARM/samba_2_2 + read only = yes + comment = Samba 2.2. Sources + +[rsync] + path = BUILD_FARM/rsync + read only = yes + comment = Rsync Sources + +[guest_share] + path = PREFIX + guest ok = yes + read only = yes + comment = Unauthenticated share for use in share level test diff --git a/testsuite/build_farm/template/basicsmb.smb.conf.hostsequiv b/testsuite/build_farm/template/basicsmb.smb.conf.hostsequiv new file mode 100644 index 0000000000..750af74f59 --- /dev/null +++ b/testsuite/build_farm/template/basicsmb.smb.conf.hostsequiv @@ -0,0 +1,3 @@ + hostname lookups = no + hosts equiv=PREFIX/lib/hosts.equiv + auth methods = hostsequiv diff --git a/testsuite/build_farm/template/basicsmb.smb.conf.invalidusers b/testsuite/build_farm/template/basicsmb.smb.conf.invalidusers new file mode 100644 index 0000000000..a96a316db9 --- /dev/null +++ b/testsuite/build_farm/template/basicsmb.smb.conf.invalidusers @@ -0,0 +1 @@ + invalid users = WHOAMI diff --git a/testsuite/build_farm/template/basicsmb.smb.conf.preexec b/testsuite/build_farm/template/basicsmb.smb.conf.preexec new file mode 100644 index 0000000000..cc34872c5d --- /dev/null +++ b/testsuite/build_farm/template/basicsmb.smb.conf.preexec 
@@ -0,0 +1 @@ +preexec = /bin/sh PREFIX/lib/preexec diff --git a/testsuite/build_farm/template/basicsmb.smb.conf.preexec_cl_fl b/testsuite/build_farm/template/basicsmb.smb.conf.preexec_cl_fl new file mode 100644 index 0000000000..4a6fae57bc --- /dev/null +++ b/testsuite/build_farm/template/basicsmb.smb.conf.preexec_cl_fl @@ -0,0 +1,2 @@ +preexec close = yes +preexec = PREFIX/lib/preexec_does_not_exist diff --git a/testsuite/build_farm/template/basicsmb.smb.conf.preexec_close b/testsuite/build_farm/template/basicsmb.smb.conf.preexec_close new file mode 100644 index 0000000000..3aac6998bf --- /dev/null +++ b/testsuite/build_farm/template/basicsmb.smb.conf.preexec_close @@ -0,0 +1,2 @@ +preexec close = yes +preexec = /bin/sh PREFIX/lib/preexec diff --git a/testsuite/build_farm/template/basicsmb.smb.conf.validusers b/testsuite/build_farm/template/basicsmb.smb.conf.validusers new file mode 100644 index 0000000000..d4a85e0a02 --- /dev/null +++ b/testsuite/build_farm/template/basicsmb.smb.conf.validusers @@ -0,0 +1 @@ + valid users = WHOAMI diff --git a/testsuite/build_farm/template/preexec b/testsuite/build_farm/template/preexec new file mode 100644 index 0000000000..e417d6a017 --- /dev/null +++ b/testsuite/build_farm/template/preexec @@ -0,0 +1,2 @@ +#!/bin/sh +echo "Test worked" > PREFIX/testdir/preexec_touch -- cgit From 075986b00d85fdcfe8674bd84f1c32828908475f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 23 Apr 2003 11:38:35 +0000 Subject: Merge case handling table changes from 3.0 to HEAD. (This used to be commit 263407e132dcb1f7fc85cded9842e60918f8ef4b) --- source3/lib/util_unistr.c | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/source3/lib/util_unistr.c b/source3/lib/util_unistr.c index 812859000a..08bb03986f 100644 --- a/source3/lib/util_unistr.c +++ b/source3/lib/util_unistr.c 
@@ -40,9 +40,12 @@ static uint8 *valid_table; static uint8 doschar_table[8192]; /* 65536 characters / 8 bits/byte */ -/******************************************************************* -load the case handling tables -********************************************************************/ +/** + * Load or generate the case handling tables. + * + * The case tables are defined in UCS2 and don't depend on any + * configured parameters, so they never need to be reloaded. + **/ void load_case_tables(void) { static int initialised; @@ -91,14 +94,9 @@ void load_case_tables(void) see if a ucs2 character can be mapped correctly to a dos character and mapped back to the same character in ucs2 */ -static int check_dos_char(smb_ucs2_t c) +int check_dos_char(smb_ucs2_t c) { - static int initialized = False; - - if (!initialized) { - initialized = True; - init_doschar_table(); - } + lazy_initialize_conv(); /* Find the right byte, and right bit within the byte; return * 1 or 0 */ -- cgit From 78bc883162f83adc436244ac8f4a98a0b4158e23 Mon Sep 17 00:00:00 2001 From: Paul Green Date: Wed, 23 Apr 2003 17:57:08 +0000 Subject: Missed two references to a renamed file. (This used to be commit cf69c69594797032d1427de3266af86d12b15cb2) --- testsuite/build_farm/basicsmb-preexec.test | 2 +- testsuite/build_farm/basicsmb.fns | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/testsuite/build_farm/basicsmb-preexec.test b/testsuite/build_farm/basicsmb-preexec.test index bc87723700..fc072e5fdb 100644 --- a/testsuite/build_farm/basicsmb-preexec.test +++ b/testsuite/build_farm/basicsmb-preexec.test @@ -23,6 +23,6 @@ else exit 1; fi -mode=PREEXEC_cl_fail +mode=PREEXEC_cl_fl (test_listfilesauth_should_deny $mode) || exit 1 diff --git a/testsuite/build_farm/basicsmb.fns b/testsuite/build_farm/basicsmb.fns index 4410feff3a..f5143cc4d8 100644 --- a/testsuite/build_farm/basicsmb.fns +++ b/testsuite/build_farm/basicsmb.fns 
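Review bot: `check_dos_char` drops its own lazy `init_doschar_table()` call in favour of `lazy_initialize_conv()`; confirm that `lazy_initialize_conv()` really populates the static `doschar_table` declared above, because if it does not, the table stays all zeros and every UCS2 character is reported as unmappable to DOS. Since the function is no longer `static`, it also needs a prototype in the generated proto header (`make proto`) or callers in other files will pick up an implicit declaration.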
@@ -76,7 +76,7 @@ test_smb_conf_setup() { echo "127.0.0.7 INVALIDUSERS">>$prefix/lib/lmhosts echo "127.0.0.7 PREEXEC">>$prefix/lib/lmhosts echo "127.0.0.7 PREEXEC_CLOSE">>$prefix/lib/lmhosts - echo "127.0.0.7 PREEXEC_CL_FAIL">>$prefix/lib/lmhosts + echo "127.0.0.7 PREEXEC_CL_FL">>$prefix/lib/lmhosts echo "127.0.0.1" > $prefix/lib/hosts.equiv -- cgit From e1d936f95c6cfead846f0a2175e938c53c941b38 Mon Sep 17 00:00:00 2001 From: Shirish Kalele Date: Wed, 23 Apr 2003 19:05:47 +0000 Subject: For deep referrals, track consumed path using a counter, and calculate the consumed count only if and when it is needed. Check into HEAD. (This used to be commit 11281c39209b501a69f4e6f32ea2081d15947f0a) --- source3/msdfs/msdfs.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/source3/msdfs/msdfs.c b/source3/msdfs/msdfs.c index fa6617cb52..69a315d4e4 100644 --- a/source3/msdfs/msdfs.c +++ b/source3/msdfs/msdfs.c @@ -212,10 +212,9 @@ static BOOL resolve_dfs_path(char* dfspath, struct dfs_path* dp, BOOL* self_referralp, int* consumedcntp) { fstring localpath; - + int consumed_level = 1; char *p; fstring reqpath; - pstring consumedbuf; if (!dp || !conn) { DEBUG(1,("resolve_dfs_path: NULL dfs_path* or NULL connection_struct*!\n")); @@ -248,9 +247,6 @@ static BOOL resolve_dfs_path(char* dfspath, struct dfs_path* dp, } } - pstrcpy(consumedbuf, dfspath); - trim_string(consumedbuf, NULL, "\\"); - /* redirect if any component in the path is a link */ fstrcpy(reqpath, dp->reqpath); p = strrchr(reqpath, '/'); 
@@ -269,16 +265,21 @@ static BOOL resolve_dfs_path(char* dfspath, struct dfs_path* dp, */ if (consumedcntp) { char *q; - q = strrchr(consumedbuf, '\\'); - if (q) - *q = '\0'; - *consumedcntp = strlen(consumedbuf); - DEBUG(10, ("resolve_dfs_path: Path consumed: %d\n", *consumedcntp)); + pstring buf; + pstrcpy(buf, dfspath); + trim_string(buf, NULL, "\\"); + for (; consumed_level; consumed_level--) { + q = strrchr(buf, '\\'); + if (q) *q = 0; + } + *consumedcntp = strlen(buf); + DEBUG(10, ("resolve_dfs_path: Path consumed: %s (%d)\n", buf, *consumedcntp)); } return True; } p = strrchr(reqpath, '/'); + consumed_level++; } return False; -- cgit From 203795681cfef4a19887be2b79a28c5031c0ce7d Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Wed, 23 Apr 2003 23:22:16 +0000 Subject: More updates. (This used to be commit 6678c325d77f18fb4b63a0cd436b6024f83366f3) --- docs/docbook/projdoc/VFS.sgml | 25 ++- docs/docbook/projdoc/locking.sgml | 440 +++++++++++++++++++++++++++++++++----- 2 files changed, 409 insertions(+), 56 deletions(-) diff --git a/docs/docbook/projdoc/VFS.sgml b/docs/docbook/projdoc/VFS.sgml index 0a88543c6e..666eb4f62f 100644 --- a/docs/docbook/projdoc/VFS.sgml +++ b/docs/docbook/projdoc/VFS.sgml 
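Review bot: the loop `for (; consumed_level; consumed_level--) { q = strrchr(buf, '\\'); if (q) *q = 0; }` keeps iterating after `strrchr` returns NULL without changing `buf`, so if `consumed_level` ever exceeds the number of backslash-separated components in `dfspath` the reported consumed count silently covers the whole path; break out (and DEBUG it) when `q` is NULL. A one-line comment at the declaration `int consumed_level = 1;` stating that it counts the trailing components removed from `reqpath` (it is incremented after each `p = strrchr(reqpath, '/')`) would make the relationship between the two strings clear.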
@@ -72,11 +72,28 @@ facility. The following operations are logged: This module is identical with the audit module above except that it sends audit logs to both syslog as well as the smbd log file/s. The -loglevel for this module is set in the smb.conf file. At loglevel = 0, only file -and directory deletions and directory and file creations are logged. At loglevel = 1 -file opens are renames and permission changes are logged , while at loglevel = 2 file -open and close calls are logged also. +loglevel for this module is set in the smb.conf file. + + +The logging information that will be written to the smbd log file is controlled by +the log level parameter in smb.conf. The +following information will be recorded: + + +Extended Auditing Log Information + + Log LevelLog Details - File and Directory Operations + + + 0Creation / Deletion + 1Create / Delete / Rename / Permission Changes + 2Create / Delete / Rename / Perm Change / Open / Close + + +
+ diff --git a/docs/docbook/projdoc/locking.sgml b/docs/docbook/projdoc/locking.sgml index ef65c16e2c..facaef551f 100644 --- a/docs/docbook/projdoc/locking.sgml +++ b/docs/docbook/projdoc/locking.sgml 
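Review bot: the new table moves file open and close logging to log level 2 and lists level 1 as create/delete/rename/permission changes, whereas the paragraph it replaces said "At loglevel = 1 file opens are renames and permission changes are logged, while at loglevel = 2 file open and close calls are logged also"; that sentence was garbled, so verify against the extd_audit module source which level actually logs opens before the table is published, since administrators will use it to decide what their audit trail contains.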
@@ -2,59 +2,395 @@ &author.jeremy; &author.jelmer; + &author.jht; +File and Record Locking -Locking - -One area which sometimes causes trouble is locking. - -There are two types of locking which need to be -performed by a SMB server. The first is "record locking" -which allows a client to lock a range of bytes in a open file. -The second is the "deny modes" that are specified when a file -is open. - -Record locking semantics under Unix is very -different from record locking under Windows. Versions -of Samba before 2.2 have tried to use the native -fcntl() unix system call to implement proper record -locking between different Samba clients. This can not -be fully correct due to several reasons. The simplest -is the fact that a Windows client is allowed to lock a -byte range up to 2^32 or 2^64, depending on the client -OS. The unix locking only supports byte ranges up to -2^31. So it is not possible to correctly satisfy a -lock request above 2^31. There are many more -differences, too many to be listed here. - -Samba 2.2 and above implements record locking -completely independent of the underlying unix -system. If a byte range lock that the client requests -happens to fall into the range 0-2^31, Samba hands -this request down to the Unix system. All other locks -can not be seen by unix anyway. - -Strictly a SMB server should check for locks before -every read and write call on a file. Unfortunately with the -way fcntl() works this can be slow and may overstress the -rpc.lockd. It is also almost always unnecessary as clients -are supposed to independently make locking calls before reads -and writes anyway if locking is important to them. By default -Samba only makes locking calls when explicitly asked -to by a client, but if you set "strict locking = yes" then it will -make lock checking calls on every read and write. - -You can also disable by range locking completely -using "locking = no". 
This is useful for those shares that -don't support locking or don't need it (such as cdroms). In -this case Samba fakes the return codes of locking calls to -tell clients that everything is OK. - -The second class of locking is the "deny modes". These -are set by an application when it opens a file to determine -what types of access should be allowed simultaneously with -its open. A client may ask for DENY_NONE, DENY_READ, DENY_WRITE -or DENY_ALL. There are also special compatibility modes called -DENY_FCB and DENY_DOS. + +Discussion + +One area which sometimes causes trouble is locking. + + + +There are two types of locking which need to be performed by a SMB server. +The first is record locking which allows a client to lock +a range of bytes in a open file. The second is the deny modes +that are specified when a file is open. + + + +Record locking semantics under Unix is very different from record locking under +Windows. Versions of Samba before 2.2 have tried to use the native fcntl() unix +system call to implement proper record locking between different Samba clients. +This can not be fully correct due to several reasons. The simplest is the fact +that a Windows client is allowed to lock a byte range up to 2^32 or 2^64, +depending on the client OS. The unix locking only supports byte ranges up to 2^31. +So it is not possible to correctly satisfy a lock request above 2^31. There are +many more differences, too many to be listed here. + + + +Samba 2.2 and above implements record locking completely independent of the +underlying unix system. If a byte range lock that the client requests happens +to fall into the range 0-2^31, Samba hands this request down to the Unix system. +All other locks can not be seen by unix anyway. + + + +Strictly a SMB server should check for locks before every read and write call on +a file. Unfortunately with the way fcntl() works this can be slow and may overstress +the rpc.lockd. 
It is also almost always unnecessary as clients are supposed to +independently make locking calls before reads and writes anyway if locking is +important to them. By default Samba only makes locking calls when explicitly asked +to by a client, but if you set strict locking = yes then it +will make lock checking calls on every read and write. + + + +You can also disable by range locking completely using locking = no. +This is useful for those shares that don't support locking or don't need it +(such as cdroms). In this case Samba fakes the return codes of locking calls to +tell clients that everything is OK. + + + +The second class of locking is the deny modes. These +are set by an application when it opens a file to determine what types of +access should be allowed simultaneously with its open. A client may ask for +DENY_NONE, DENY_READ, DENY_WRITE or DENY_ALL. There are also special compatibility +modes called DENY_FCB and DENY_DOS. + + + + +Samba Opportunistic Locking Control + + +Opportunistic locking essentially means that the client is allowed to download and cache +a file on their hard drive while making changes; if a second client wants to access the +file, the first client receives a break and must synchronise the file back to the server. +This can give significant performance gains in some cases; some programs insist on +synchronising the contents of the entire file back to the server for a single change. + + + +Level1 Oplocks (aka just plain "oplocks") is another term for opportunistic locking. + + + +Level2 Oplocks provids opportunistic locking for a file that will be treated as +read only. Typically this is used on files that are read-only or +on files that the client has no initial intention to write to at time of opening the file. 
+ + + +Kernel Oplocks are essentially a method that allows the Linux kernel to co-exist with +Samba's oplocked files, although this has provided better integration of MS Windows network +file locking with the under lying OS, SGI IRIX and Linux are the only two OS's that are +oplock aware at this time. + + + +Unless your system supports kernel oplocks, you should disable oplocks if you are +accessing the same files from both Unix/Linux and SMB clients. Regardless, oplocks should +always be disabled if you are sharing a database file (e.g., Microsoft Access) between +multiple clients, as any break the first client receives will affect synchronisation of +the entire file (not just the single record), which will result in a noticable performance +impairment and, more likely, problems accessing the database in the first place. Notably, +Microsoft Outlook's personal folders (*.pst) react very badly to oplocks. If in doubt, +disable oplocks and tune your system from that point. + + + +If client-side caching is desirable and reliable on your network, you will benefit from +turning on oplocks. If your network is slow and/or unreliable, or you are sharing your +files among other file sharing mechanisms (e.g., NFS) or across a WAN, or multiple people +will be accessing the same files frequently, you probably will not benefit from the overhead +of your client sending oplock breaks and will instead want to disable oplocks for the share. + + + +Another factor to consider is the perceived performance of file access. If oplocks provide no +measurable speed benefit on your network, it might not be worth the hassle of dealing with them. 
+ + + +You can disable oplocks on a per-share basis with the following: + + + oplocks = False + level2 oplocks = False + + +Alternately, you could disable oplocks on a per-file basis within the share: + + + veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/ + + + + +If you are experiencing problems with oplocks as apparent from Samba's log entries, +you may want to play it safe and disable oplocks and level2 oplocks. + + + + + +MS Windows Opportunistic Locking and Caching Controls + + +There is a known issue when running applications (like Norton Anti-Virus) on a Windows 2000/ XP +workstation computer that can affect any application attempting to access shared database files +across a network. This is a result of a default setting configured in the Windows 2000/XP +operating system known as Opportunistic Locking. When a workstation +attempts to access shared data files located on another Windows 2000/XP computer, +the Windows 2000/XP operating system will attempt to increase performance by locking the +files and caching information locally. When this occurs, the application is unable to +properly function, which results in an Access Denied + error message being displayed during network operations. + + + +All Windows operating systems in the NT family that act as database servers for data files +(meaning that data files are stored there and accessed by other Windows PCs) may need to +have opportunistic locking disabled in order to minimize the risk of data file corruption. +This includes Windows 9x/Me, Windows NT, Windows 200x and Windows XP. + + + +If you are using a Windows NT family workstation in place of a server, you must also +disable opportunistic locking (oplocks) on that workstation. For example, if you use a +PC with the Windows NT Workstation operating system instead of Windows NT Server, and you +have data files located on it that are accessed from other Windows PCs, you may need to +disable oplocks on that system. 
+ + + +The major difference is the location in the Windows registry where the values for disabling +oplocks are entered. Instead of the LanManServer location, the LanManWorkstation location +may be used. + + + +You can verify (or change or add, if necessary) this Registry value using the Windows +Registry Editor. When you change this registry value, you will have to reboot the PC +to ensure that the new setting goes into effect. + + + +The location of the client registry entry for opportunistic locking has changed in +Windows 2000 from the earlier location in Microsoft Windows NT. + + + +Windows 2000 will still respect the EnableOplocks registry value used to disable oplocks +in earlier versions of Windows. + + + +You can also deny the granting of opportunistic locks by changing the following registry entries: + + + + + HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MRXSmb\Parameters\ + + OplocksDisabled REG_DWORD 0 or 1 + Default: 0 (not disabled) + + + + +The OplocksDisabled registry value configures Windows clients to either request or not +request opportunistic locks on a remote file. To disable oplocks, the value of + OplocksDisabled must be set to 1. + + + + + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters + + EnableOplocks REG_DWORD 0 or 1 + Default: 1 (Enabled by Default) + + EnableOpLockForceClose REG_DWORD 0 or 1 + Default: 0 (Disabled by Default) + + + + +The EnableOplocks value configures Windows-based servers (including Workstations sharing +files) to allow or deny opportunistic locks on local files. + + + +To force closure of open oplocks on close or program exit EnableOpLockForceClose must be set to 1. + + + +An illustration of how level II oplocks work: + + + + + Station 1 opens the file, requesting oplock. + + + Since no other station has the file open, the server grants station 1 exclusive oplock. + + + Station 2 opens the file, requesting oplock. 
+ + + Since station 1 has not yet written to the file, the server asks station 1 to Break + to Level II Oplock. + + + Station 1 complies by flushing locally buffered lock information to the server. + + + Station 1 informs the server that it has Broken to Level II Oplock (alternatively, + station 1 could have closed the file). + + + The server responds to station 2's open request, granting it level II oplock. + Other stations can likewise open the file and obtain level II oplock. + + + Station 2 (or any station that has the file open) sends a write request SMB. + The server returns the write response. + + + The server asks all stations that have the file open to Break to None, meaning no + station holds any oplock on the file. Because the workstations can have no cached + writes or locks at this point, they need not respond to the break-to-none advisory; + all they need do is invalidate locally cashed read-ahead data. + + + + +Workstation Service Entries + + + \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters + + UseOpportunisticLocking REG_DWORD 0 or 1 + Default: 1 (true) + + + +Indicates whether the redirector should use opportunistic-locking (oplock) performance +enhancement. This parameter should be disabled only to isolate problems. + + + + +Server Service Entries + + + \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters + + EnableOplocks REG_DWORD 0 or 1 + Default: 1 (true) + + + +Specifies whether the server allows clients to use oplocks on files. Oplocks are a +significant performance enhancement, but have the potential to cause lost cached +data on some networks, particularly wide-area networks. + + + + MinLinkThroughput REG_DWORD 0 to infinite bytes per second + Default: 0 + + + +Specifies the minimum link throughput allowed by the server before it disables +raw and opportunistic locks for this connection. 
+ + + + MaxLinkDelay REG_DWORD 0 to 100,000 seconds + Default: 60 + + + +Specifies the maximum time allowed for a link delay. If delays exceed this number, +the server disables raw I/O and opportunistic locking for this connection. + + + + OplockBreakWait REG_DWORD 10 to 180 seconds + Default: 35 + + + +Specifies the time that the server waits for a client to respond to an oplock break +request. Smaller values can allow detection of crashed clients more quickly but can +potentially cause loss of cached data. + + + + + + +Persistent Data Corruption + + +If you have applied all of the settings discussed in this paper but data corruption problems +and other symptoms persist, here are some additional things to check out: + + + +We have credible reports from developers that faulty network hardware, such as a single +faulty network card, can cause symptoms similar to read caching and data corruption. +If you see persistent data corruption even after repeated reindexing, you may have to +rebuild the data files in question. This involves creating a new data file with the +same definition as the file to be rebuilt and transferring the data from the old file +to the new one. There are several known methods for doing this that can be found in +our Knowledge Base. + + + + + +Additional Reading + + +You may want to check for an updated version of this white paper on our Web site from +time to time. Many of our white papers are updated as information changes. For those papers, +the Last Edited date is always at the top of the paper. + + + +Section of the Microsoft MSDN Library on opportunistic locking: + + + +Opportunistic Locks, Microsoft Developer Network (MSDN), Windows Development > +Windows Base Services > Files and I/O > SDK Documentation > File Storage > File Systems +> About File Systems > Opportunistic Locks, Microsoft Corporation. 
+http://msdn.microsoft.com/library/en-us/fileio/storage_5yk3.asp + + + +Microsoft Knowledge Base Article Q224992 "Maintaining Transactional Integrity with OPLOCKS", +Microsoft Corporation, April 1999, http://support.microsoft.com/default.aspx?scid=kb;en-us;Q224992. + + + +Microsoft Knowledge Base Article Q296264 "Configuring Opportunistic Locking in Windows 2000", +Microsoft Corporation, April 2001, http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296264. + + + +Microsoft Knowledge Base Article Q129202 "PC Ext: Explanation of Opportunistic Locking on Windows NT", + Microsoft Corporation, April 1995, http://support.microsoft.com/default.aspx?scid=kb;en-us;Q129202. + + + -- cgit From 665198ea2ffea3550b6c2fd53a0dfab3dcf05e71 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Thu, 24 Apr 2003 00:46:28 +0000 Subject: More updates: Fix typo in VFS docs, added docs on pam_smbpass.so to PAM. (This used to be commit a1d6d56ba0af75282fb0d90db84ae8bbfa1836e0) --- .../projdoc/PAM-Authentication-And-Samba.sgml | 223 +++++++++++++++++++-- docs/docbook/projdoc/VFS.sgml | 2 +- 2 files changed, 203 insertions(+), 22 deletions(-) diff --git a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml index ac9385f3de..a95baf0281 100644 --- a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml +++ b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml 
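Review bot: in the oplocks chapter hunk above, the Persistent Data Corruption and Additional Reading paragraphs still speak in a third party's voice ("this white paper", "our Web site", "our Knowledge Base") and so read as text lifted from a vendor document; either cite that source or reword the paragraphs for the Samba HOWTO. In the same hunk, "All Windows operating systems in the NT family ... This includes Windows 9x/Me" contradicts itself (9x/Me are not NT family), "invalidate locally cashed read-ahead data" should read "cached", and the LanmanServer\Parameters EnableOplocks entry is documented twice (once after "deny the granting of opportunistic locks" and again under Server Service Entries); keep one copy.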
@@ -165,27 +165,7 @@ life though, every decision makes trade-offs, so you may want examine the PAM documentation for further helpful information. - - - -Distributed Authentication - - -The astute administrator will realize from this that the -combination of pam_smbpass.so, -winbindd, and a distributed -passdb backend, such as ldap, will allow the establishment of a -centrally managed, distributed -user/password database that can also be used by all -PAM (eg: Linux) aware programs and applications. This arrangement -can have particularly potent advantages compared with the -use of Microsoft Active Directory Service (ADS) in so far as -reduction of wide area network authentication traffic. - - - - - + PAM Configuration in smb.conf 
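Review bot: this hunk deletes the Distributed Authentication section outright, while the following @@ -210,5 hunk re-adds the identical paragraph at the end of the file; that is a move, not a removal, and the commit message ("added docs on pam_smbpass.so to PAM") should say so, otherwise a reader of the log will think the section was dropped.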
@@ -210,5 +190,206 @@ password encryption. Default: obey pam restrictions = no + + + +Password Synchronisation using pam_smbpass.so + + +pam_smbpass is a PAM module which can be used on conforming systems to +keep the smbpasswd (Samba password) database in sync with the unix +password file. PAM (Pluggable Authentication Modules) is an API supported +under some Unices, such as Solaris, HPUX and Linux, that provides a +generic interface to authentication mechanisms. + + + +For more information on PAM, see http://ftp.kernel.org/pub/linux/libs/pam/ + + + +This module authenticates a local smbpasswd user database. If you require +support for authenticating against a remote SMB server, or if you're +concerned about the presence of suid root binaries on your system, it is +recommended that you use one of the other two following modules + + + + pam_smb - http://www.csn.ul.ie/~airlied/pam_smb/ + authenticates against any remote SMB server + + pam_ntdom - ftp://ftp.samba.org/pub/samba/pam_ntdom/ + authenticates against an NT or Samba domain controller + +Options recognized by this module are as follows: + + debug - log more debugging info + audit - like debug, but also logs unknown usernames + use_first_pass - don't prompt the user for passwords; + take them from PAM_ items instead + try_first_pass - try to get the password from a previous + PAM module, fall back to prompting the user + use_authtok - like try_first_pass, but *fail* if the new + PAM_AUTHTOK has not been previously set. + (intended for stacking password modules only) + not_set_pass - don't make passwords used by this module + available to other modules. + nodelay - don't insert ~1 second delays on authentication + failure. + nullok - null passwords are allowed. + nonull - null passwords are not allowed. Used to + override the Samba configuration. + migrate - only meaningful in an "auth" context; + used to update smbpasswd file with a + password used for successful authentication. 
+ smbconf=< file > - specify an alternate path to the smb.conf + file. + + + +Thanks go to the following people: + + * Andrew Morgan < morgan@transmeta.com >, for providing the Linux-PAM + framework, without which none of this would have happened + + * Christian Gafton < gafton@redhat.com > and Andrew Morgan again, for the + pam_pwdb module upon which pam_smbpass was originally based + + * Luke Leighton < lkcl@switchboard.net > for being receptive to the idea, + and for the occasional good-natured complaint about the project's status + that keep me working on it :) + + * and of course, all the other members of the Samba team + < http://www.samba.org/samba/team.html >, for creating a great product + and for giving this project a purpose + + --------------------- + Stephen Langasek < vorlon@netexpress.net > + + + +The following are examples of the use of pam_smbpass.so in the format of Linux +/etc/pam.d/ files structure. Those wishing to implement this +tool on other platforms will need to adapt this appropriately. + + + +Password Synchonisation Configuration + + +A sample PAM configuration that shows the use of pam_smbpass to make +sure private/smbpasswd is kept in sync when /etc/passwd (/etc/shadow) +is changed. Useful when an expired password might be changed by an +application (such as ssh). + + + + #%PAM-1.0 + # password-sync + # + auth requisite pam_nologin.so + auth required pam_unix.so + account required pam_unix.so + password requisite pam_cracklib.so retry=3 + password requisite pam_unix.so shadow md5 use_authtok try_first_pass + password required pam_smbpass.so nullok use_authtok try_first_pass + session required pam_unix.so + + + + +Password Migration Configuration + + +A sample PAM configuration that shows the use of pam_smbpass to migrate +from plaintext to encrypted passwords for Samba. 
Unlike other methods, +this can be used for users who have never connected to Samba shares: +password migration takes place when users ftp in, login using ssh, pop +their mail, etc. + + + + #%PAM-1.0 + # password-migration + # + auth requisite pam_nologin.so + # pam_smbpass is called IFF pam_unix succeeds. + auth requisite pam_unix.so + auth optional pam_smbpass.so migrate + account required pam_unix.so + password requisite pam_cracklib.so retry=3 + password requisite pam_unix.so shadow md5 use_authtok try_first_pass + password optional pam_smbpass.so nullok use_authtok try_first_pass + session required pam_unix.so + + + + +Mature Password Configuration + + +A sample PAM configuration for a 'mature' smbpasswd installation. +private/smbpasswd is fully populated, and we consider it an error if +the smbpasswd doesn't exist or doesn't match the Unix password. + + + + #%PAM-1.0 + # password-mature + # + auth requisite pam_nologin.so + auth required pam_unix.so + account required pam_unix.so + password requisite pam_cracklib.so retry=3 + password requisite pam_unix.so shadow md5 use_authtok try_first_pass + password required pam_smbpass.so use_authtok use_first_pass + session required pam_unix.so + + + + +Kerberos Password Integration Configuration + + +A sample PAM configuration that shows pam_smbpass used together with +pam_krb5. This could be useful on a Samba PDC that is also a member of +a Kerberos realm. 
+ + + + #%PAM-1.0 + # kdc-pdc + # + auth requisite pam_nologin.so + auth requisite pam_krb5.so + auth optional pam_smbpass.so migrate + account required pam_krb5.so + password requisite pam_cracklib.so retry=3 + password optional pam_smbpass.so nullok use_authtok try_first_pass + password required pam_krb5.so use_authtok try_first_pass + session required pam_krb5.so + + + + + + +Distributed Authentication + + +The astute administrator will realize from this that the +combination of pam_smbpass.so, +winbindd, and a distributed +passdb backend, such as ldap, will allow the establishment of a +centrally managed, distributed +user/password database that can also be used by all +PAM (eg: Linux) aware programs and applications. This arrangement +can have particularly potent advantages compared with the +use of Microsoft Active Directory Service (ADS) in so far as +reduction of wide area network authentication traffic. + + + + diff --git a/docs/docbook/projdoc/VFS.sgml b/docs/docbook/projdoc/VFS.sgml index 666eb4f62f..1f29a754b0 100644 --- a/docs/docbook/projdoc/VFS.sgml +++ b/docs/docbook/projdoc/VFS.sgml @@ -82,7 +82,7 @@ following information will be recorded: Extended Auditing Log Information - Log LevelLog Details - File and Directory Operations -- cgit From c073a6ed3f62c9c2784a5e67c67a3750aad5d147 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 24 Apr 2003 01:07:44 +0000 Subject: fix SGML syntax errors (This used to be commit 43e169ce23a037b1df152b6e3fe6cfe55192b3d3) --- docs/docbook/projdoc/NT4Migration.sgml | 18 ++++++++++-------- docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml | 2 +- docs/docbook/projdoc/PolicyMgmt.sgml | 2 +- docs/docbook/projdoc/Portability.sgml | 1 + docs/docbook/projdoc/SWAT.sgml | 2 +- 5 files changed, 14 insertions(+), 11 deletions(-) diff --git a/docs/docbook/projdoc/NT4Migration.sgml b/docs/docbook/projdoc/NT4Migration.sgml index 60d9f121f4..469215e32e 100644 --- a/docs/docbook/projdoc/NT4Migration.sgml 
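Review bot: the password-sync and password-migration examples pass nullok to pam_smbpass in the password stack ("password required pam_smbpass.so nullok use_authtok try_first_pass"), which the option list just above defines as "null passwords are allowed", while the password-mature example omits it; either say why the first two configurations tolerate empty Samba passwords or make the three examples consistent, since a reader will copy whichever one matches their situation. Smaller points in the same hunk: the title "Password Synchonisation Configuration" is misspelled, and the sentence "it is recommended that you use one of the other two following modules" has no closing punctuation before the list that follows.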
+++ b/docs/docbook/projdoc/NT4Migration.sgml @@ -79,19 +79,19 @@ What are the features that Samba-3 can NOT provide? - Active Directory Server + Active Directory Server - Group Policy Objects (in Active Direcrtory) + Group Policy Objects (in Active Direcrtory) - Machine Policy objects + Machine Policy objects - Logon Scripts in Active Directorty + Logon Scripts in Active Directorty - Software Application and Access Controls in Active Directory + Software Application and Access Controls in Active Directory @@ -309,7 +309,7 @@ Samba-3 set up as a DC with netlogon share, profile share, etc. initGrps.sh DOMNAME - smbgroupedit -v + net groupmap list Now check that all groups are recognised @@ -469,7 +469,7 @@ Logon Scripts (Know how they work) User and Group mapping to Unix/Linux username map facility may be needed - Use smbgroupedit to connect NT4 groups to Unix groups + Use 'net groupmap' to connect NT4 groups to Unix groups Use pdbedit to set/change user configuration NOTE: If migrating to LDAP back end it may be easier to dump initial LDAP database to LDIF, then edit, then reload into LDAP @@ -489,7 +489,7 @@ Migration Tools Profiles, Policies, Access Controls, Security Migration Tools - Samba: net, rpcclient, smbpasswd, pdbedit, smbgroupedit, profiles + Samba: net, rpcclient, smbpasswd, pdbedit, profiles Windows: NT4 Domain User Manager, Server Manager (NEXUS) Authentication @@ -497,6 +497,8 @@ Authentication + + diff --git a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml index a95baf0281..395bd71a27 100644 --- a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml +++ b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml @@ -244,7 +244,7 @@ Options recognized by this module are as follows: password used for successful authentication. smbconf=< file > - specify an alternate path to the smb.conf file. - + Thanks go to the following people: 
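Review bot: the NT4Migration.sgml hunk rewrites exactly the list items that carry the typos "Group Policy Objects (in Active Direcrtory)" and "Logon Scripts in Active Directorty", yet both misspellings survive on the + lines; since the lines are being touched for the SGML fix anyway, correct them to "Active Directory" in the same commit.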
diff --git a/docs/docbook/projdoc/PolicyMgmt.sgml b/docs/docbook/projdoc/PolicyMgmt.sgml index 7557d496a4..9ec9d452a7 100644 --- a/docs/docbook/projdoc/PolicyMgmt.sgml +++ b/docs/docbook/projdoc/PolicyMgmt.sgml @@ -310,7 +310,7 @@ Under MS Windows 200x/XP this is done using the Microsoft Managment Console (MMC With a Samba Domain Controller, the new tools for managing of user account and policy information includes: -smbpasswd, pdbedit, smbgroupedit, net, rpcclient.. The administrator should read the +smbpasswd, pdbedit, net, rpcclient.. The administrator should read the man pages for these tools and become familiar with their use. diff --git a/docs/docbook/projdoc/Portability.sgml b/docs/docbook/projdoc/Portability.sgml index cc21ecf255..72c3d20547 100644 --- a/docs/docbook/projdoc/Portability.sgml +++ b/docs/docbook/projdoc/Portability.sgml @@ -229,6 +229,7 @@ Nsswitch on Solaris 9 refuses to use the winbind nss module. This behavior is fixed by Sun in patch 113476-05 which as of March 2003 is not in any roll-up packages. + diff --git a/docs/docbook/projdoc/SWAT.sgml b/docs/docbook/projdoc/SWAT.sgml index 751138f138..0aea999b53 100644 --- a/docs/docbook/projdoc/SWAT.sgml +++ b/docs/docbook/projdoc/SWAT.sgml @@ -134,7 +134,7 @@ Modifications to the swat setup are as following: root# /usr/bin/openssl req -new -x509 -days 365 -nodes -config \ /usr/share/doc/packages/stunnel/stunnel.cnf \ -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem - + remove swat-entry from [x]inetd -- cgit From 6d385b59a0e0a600a973b05b00d52a1fc17f0bf4 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Thu, 24 Apr 2003 01:24:24 +0000 Subject: Tidy up only. (This used to be commit b87ebad1ae15bf59466da3ca7c39a31c4631031b) --- docs/docbook/projdoc/winbind.sgml | 301 +++++++++++++++++++------------------- 1 file changed, 153 insertions(+), 148 deletions(-) diff --git a/docs/docbook/projdoc/winbind.sgml b/docs/docbook/projdoc/winbind.sgml index 1f65e7a8b7..05460e1a61 100644 
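Review bot: in the SWAT.sgml hunk above, the openssl command writes the certificate and the private key into one file ("-out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem") and -nodes leaves that key unencrypted, but the procedure never restricts access to the file; add a step such as chmod 600 /etc/stunnel/stunnel.pem before the stunnel entry, because that key is what protects the SWAT session. The PolicyMgmt.sgml hunk in the same patch keeps "rpcclient.." with a doubled full stop, and its context line still reads "Microsoft Managment Console".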
--- a/docs/docbook/projdoc/winbind.sgml +++ b/docs/docbook/projdoc/winbind.sgml @@ -18,6 +18,7 @@ &author.jelmer; + &author.jht; 27 June 2002 @@ -643,12 +644,12 @@ your PDC. For example, I get the following response: -CEO+Administrator -CEO+burdell -CEO+Guest -CEO+jt-ad -CEO+krbtgt -CEO+TsInternetUser + CEO+Administrator + CEO+burdell + CEO+Guest + CEO+jt-ad + CEO+krbtgt + CEO+TsInternetUser @@ -663,15 +664,15 @@ the PDC: root# /usr/local/samba/bin/wbinfo -g -CEO+Domain Admins -CEO+Domain Users -CEO+Domain Guests -CEO+Domain Computers -CEO+Domain Controllers -CEO+Cert Publishers -CEO+Schema Admins -CEO+Enterprise Admins -CEO+Group Policy Creator Owners + CEO+Domain Admins + CEO+Domain Users + CEO+Domain Guests + CEO+Domain Computers + CEO+Domain Controllers + CEO+Cert Publishers + CEO+Schema Admins + CEO+Enterprise Admins + CEO+Group Policy Creator Owners @@ -710,7 +711,8 @@ The same thing can be done for groups with the command The winbindd daemon needs to start up after the smbd and nmbd daemons are running. -To accomplish this task, you need to modify the startup scripts of your system. They are located at /etc/init.d/smb in RedHat and +To accomplish this task, you need to modify the startup scripts of your system. +They are located at /etc/init.d/smb in RedHat and /etc/init.d/samba in Debian. script to add commands to invoke this daemon in the proper sequence. My startup script starts up smbd, @@ -736,8 +738,8 @@ start() { daemon /usr/local/samba/bin/winbindd RETVAL3=$? echo - [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && touch /var/lock/subsys/smb || \ - RETVAL=1 + [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && \ + touch /var/lock/subsys/smb || RETVAL=1 return $RETVAL } 
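Review bot: the @@ -710,7 +711,8 @@ hunk reflows the paragraph but keeps the dangling fragment "script to add commands to invoke this daemon in the proper sequence." after "/etc/init.d/samba in Debian."; since the line is being edited, merge the two into one sentence, for example "Modify this script so that it invokes winbindd in the proper sequence."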
@@ -776,7 +778,8 @@ stop() { echo -n $"Shutting down $KIND services: " killproc winbindd RETVAL3=$? - [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && rm -f /var/lock/subsys/smb + [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 -a $RETVAL3 -eq 0 ] && \ + rm -f /var/lock/subsys/smb echo "" return $RETVAL } 
@@ -796,63 +799,64 @@ the file could contains something like this: -## -## samba.server -## - -if [ ! -d /usr/bin ] -then # /usr not mounted - exit -fi - -killproc() { # kill the named process(es) - pid=`/usr/bin/ps -e | - /usr/bin/grep -w $1 | - /usr/bin/sed -e 's/^ *//' -e 's/ .*//'` - [ "$pid" != "" ] && kill $pid -} - -# Start/stop processes required for samba server - -case "$1" in - -'start') -# -# Edit these lines to suit your installation (paths, workgroup, host) -# -echo Starting SMBD - /usr/local/samba/bin/smbd -D -s \ - /usr/local/samba/smb.conf - -echo Starting NMBD - /usr/local/samba/bin/nmbd -D -l \ - /usr/local/samba/var/log -s /usr/local/samba/smb.conf - -echo Starting Winbind Daemon - /usr/local/samba/bin/winbindd - ;; - -'stop') - killproc nmbd - killproc smbd - killproc winbindd - ;; - -*) - echo "Usage: /etc/init.d/samba.server { start | stop }" - ;; -esac + ## + ## samba.server + ## + + if [ ! -d /usr/bin ] + then # /usr not mounted + exit + fi + + killproc() { # kill the named process(es) + pid=`/usr/bin/ps -e | + /usr/bin/grep -w $1 | + /usr/bin/sed -e 's/^ *//' -e 's/ .*//'` + [ "$pid" != "" ] && kill $pid + } + + # Start/stop processes required for samba server + + case "$1" in + + 'start') + # + # Edit these lines to suit your installation (paths, workgroup, host) + # + echo Starting SMBD + /usr/local/samba/bin/smbd -D -s \ + /usr/local/samba/smb.conf + + echo Starting NMBD + /usr/local/samba/bin/nmbd -D -l \ + /usr/local/samba/var/log -s /usr/local/samba/smb.conf + + echo Starting Winbind Daemon + /usr/local/samba/bin/winbindd + ;; + + 'stop') + killproc nmbd + killproc smbd + killproc winbindd + ;; + + *) + echo "Usage: /etc/init.d/samba.server { start | stop }" + ;; + esac -Again, if you would like to run samba in dual daemon mode, replace + +Again, if you would like to run samba in dual daemon mode, replace - /usr/local/samba/bin/winbindd + /usr/local/samba/bin/winbindd in the script above with: - /usr/local/samba/bin/winbindd -B + 
/usr/local/samba/bin/winbindd -B @@ -912,8 +916,8 @@ just left this fileas it was: -auth required /lib/security/pam_stack.so service=system-auth -account required /lib/security/pam_stack.so service=system-auth + auth required /lib/security/pam_stack.so service=system-auth + account required /lib/security/pam_stack.so service=system-auth @@ -928,7 +932,7 @@ and /etc/xinetd.d/wu-ftp from -enable = no + enable = no @@ -936,7 +940,7 @@ to -enable = yes + enable = yes @@ -956,13 +960,14 @@ changed to look like this: -auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed -auth sufficient /lib/security/pam_winbind.so -auth required /lib/security/pam_stack.so service=system-auth -auth required /lib/security/pam_shells.so -account sufficient /lib/security/pam_winbind.so -account required /lib/security/pam_stack.so service=system-auth -session required /lib/security/pam_stack.so service=system-auth + auth required /lib/security/pam_listfile.so item=user sense=deny \ + file=/etc/ftpusers onerr=succeed + auth sufficient /lib/security/pam_winbind.so + auth required /lib/security/pam_stack.so service=system-auth + auth required /lib/security/pam_shells.so + account sufficient /lib/security/pam_winbind.so + account required /lib/security/pam_stack.so service=system-auth + session required /lib/security/pam_stack.so service=system-auth 
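Review bot: the wu-ftp stack hunk splits the pam_listfile line with a trailing backslash ("auth required /lib/security/pam_listfile.so item=user sense=deny \" followed by "file=/etc/ftpusers onerr=succeed"); Linux-PAM does accept a backslash-escaped newline as a continuation, but the prose should state that the backslash is part of the file and not just wrapping for the page, otherwise a reader who retypes the example without it ends up with a second line that is not a valid module specification.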
@@ -971,16 +976,16 @@ same way. It now looks like this: -auth required /lib/security/pam_securetty.so -auth sufficient /lib/security/pam_winbind.so -auth sufficient /lib/security/pam_unix.so use_first_pass -auth required /lib/security/pam_stack.so service=system-auth -auth required /lib/security/pam_nologin.so -account sufficient /lib/security/pam_winbind.so -account required /lib/security/pam_stack.so service=system-auth -password required /lib/security/pam_stack.so service=system-auth -session required /lib/security/pam_stack.so service=system-auth -session optional /lib/security/pam_console.so + auth required /lib/security/pam_securetty.so + auth sufficient /lib/security/pam_winbind.so + auth sufficient /lib/security/pam_unix.so use_first_pass + auth required /lib/security/pam_stack.so service=system-auth + auth required /lib/security/pam_nologin.so + account sufficient /lib/security/pam_winbind.so + account required /lib/security/pam_stack.so service=system-auth + password required /lib/security/pam_stack.so service=system-auth + session required /lib/security/pam_stack.so service=system-auth + session optional /lib/security/pam_console.so 
@@ -1006,65 +1011,65 @@ nearly impossible to boot. -# -#ident "@(#)pam.conf 1.14 99/09/16 SMI" -# -# Copyright (c) 1996-1999, Sun Microsystems, Inc. -# All Rights Reserved. -# -# PAM configuration -# -# Authentication management -# -login auth required /usr/lib/security/pam_winbind.so -login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass -login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass -# -rlogin auth sufficient /usr/lib/security/pam_winbind.so -rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1 -rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass -# -dtlogin auth sufficient /usr/lib/security/pam_winbind.so -dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass -# -rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1 -other auth sufficient /usr/lib/security/pam_winbind.so -other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass -# -# Account management -# -login account sufficient /usr/lib/security/pam_winbind.so -login account requisite /usr/lib/security/$ISA/pam_roles.so.1 -login account required /usr/lib/security/$ISA/pam_unix.so.1 -# -dtlogin account sufficient /usr/lib/security/pam_winbind.so -dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1 -dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1 -# -other account sufficient /usr/lib/security/pam_winbind.so -other account requisite /usr/lib/security/$ISA/pam_roles.so.1 -other account required /usr/lib/security/$ISA/pam_unix.so.1 -# -# Session management -# -other session required /usr/lib/security/$ISA/pam_unix.so.1 -# -# Password management -# -#other password sufficient /usr/lib/security/pam_winbind.so -other password required /usr/lib/security/$ISA/pam_unix.so.1 -dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1 -# -# Support for Kerberos V5 authentication (uncomment to use Kerberos) -# -#rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 
try_first_pass -#login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass -#dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass -#other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass -#dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1 -#other account optional /usr/lib/security/$ISA/pam_krb5.so.1 -#other session optional /usr/lib/security/$ISA/pam_krb5.so.1 -#other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass + # + #ident "@(#)pam.conf 1.14 99/09/16 SMI" + # + # Copyright (c) 1996-1999, Sun Microsystems, Inc. + # All Rights Reserved. + # + # PAM configuration + # + # Authentication management + # + login auth required /usr/lib/security/pam_winbind.so + login auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass + login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 try_first_pass + # + rlogin auth sufficient /usr/lib/security/pam_winbind.so + rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1 + rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass + # + dtlogin auth sufficient /usr/lib/security/pam_winbind.so + dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass + # + rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1 + other auth sufficient /usr/lib/security/pam_winbind.so + other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass + # + # Account management + # + login account sufficient /usr/lib/security/pam_winbind.so + login account requisite /usr/lib/security/$ISA/pam_roles.so.1 + login account required /usr/lib/security/$ISA/pam_unix.so.1 + # + dtlogin account sufficient /usr/lib/security/pam_winbind.so + dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1 + dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1 + # + other account sufficient /usr/lib/security/pam_winbind.so + other account requisite /usr/lib/security/$ISA/pam_roles.so.1 + other 
account required /usr/lib/security/$ISA/pam_unix.so.1 + # + # Session management + # + other session required /usr/lib/security/$ISA/pam_unix.so.1 + # + # Password management + # + #other password sufficient /usr/lib/security/pam_winbind.so + other password required /usr/lib/security/$ISA/pam_unix.so.1 + dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1 + # + # Support for Kerberos V5 authentication (uncomment to use Kerberos) + # + #rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass + #login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass + #dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass + #other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass + #dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1 + #other account optional /usr/lib/security/$ISA/pam_krb5.so.1 + #other session optional /usr/lib/security/$ISA/pam_krb5.so.1 + #other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass -- cgit From 8bc3f10c1af0dd3f624c9e68ed299b57d03bd3a3 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 24 Apr 2003 01:59:53 +0000 Subject: updating group mapping HOWTO. (This used to be commit 4244e21971a21b8c8c80753e962eb2420fb1a1de) --- docs/docbook/global.ent | 1 + docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml | 93 +++++++++++++++++---------- 2 files changed, 60 insertions(+), 34 deletions(-) diff --git a/docs/docbook/global.ent b/docs/docbook/global.ent index 2c7f55aa3a..d7c41ccbc6 100644 --- a/docs/docbook/global.ent +++ b/docs/docbook/global.ent @@ -385,6 +385,7 @@ an Active Directory environment. smbclient'> winbindd'> smbgroupedit'> +net'> diff --git a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml index e037da4aeb..0d72487f54 100644 --- a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml +++ b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml 
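Review bot: in the Solaris pam.conf hunk, the login service stacks pam_winbind as required ("login auth required /usr/lib/security/pam_winbind.so") followed by pam_unix, also required, whereas rlogin, dtlogin and other use "sufficient" for pam_winbind; with two required modules a login succeeds only when both winbind and the local password database accept the user, so local-only accounts (root at the console included) cannot authenticate through login, which is exactly the "nearly impossible to boot" failure the hunk header warns about. Unless the difference is intentional, make the login lines match the other services or explain why they differ.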
@@ -3,27 +3,28 @@ Jean FrançoisMicouleau + &person.jerry; Configuring Group Mapping - -Starting with Samba 3.0 alpha 2, a new group mapping function is available. The -current method (likely to change) to manage the groups is a new command called -&smbgroupedit;. + +Starting with Samba 3.0 alpha 2, new group mapping functionality +is available to create associations between Windows SIDs and UNIX +groups. The groupmap subcommand included with +the &net; tool can be used to manage these associations. -The first immediate reason to use the group mapping on a PDC, is that -the domain admin group of &smb.conf; is -now gone. This parameter was used to give the listed users local admin rights -on their workstations. It was some magic stuff that simply worked but didn't -scale very well for complex setups. +The first immediate reason to use the group mapping on a Samba PDC, is that +the domain admin group &smb.conf; has been removed. +This parameter was used to give the listed users membership in the "Domain Admins" +Windows group which gave local admin rights on their workstations (in +default configurations). -Let me explain how it works on NT/W2K, to have this magic fade away. When installing NT/W2K on a computer, the installer program creates some users and groups. Notably the 'Administrators' group, and gives to that group some privileges like the ability to change the date and time or to kill any process 
@@ -34,46 +35,70 @@ group privileges. If a 'joe' user is created and become a member of the -When a NT/W2K machine is joined to a domain, during that phase, the "Domain -Administrators' group of the PDC is added to the 'Administrators' group of the -workstation. Every members of the 'Domain Administrators' group 'inherit' the -rights of the 'Administrators' group when logging on the workstation. +When a NT/W2K machine is joined to a domain, the "Domain Adminis" group of the +PDC is added to the local 'Administrators' group of the workstation. Every +member of the 'Domain Administrators' group 'inherit' the +rights of the local 'Administrators' group when logging on the workstation. -You are now wondering how to make some of your samba PDC users members of the -'Domain Administrators' ? That's really easy. +The following steps describe how to make samba PDC users members of the +'Domain Admins' group? - -create a unix group (usually in /etc/group), let's call it domadm -add to this group the users that must be Administrators. For example if you want joe,john and mary, your entry in /etc/group will look like: + +create a unix group (usually in /etc/group), + let's call it domadm +add to this group the users that must be Administrators. For example + if you want joe,john and mary, your entry in /etc/group will + look like: - -domadm:x:502:joe,john,mary - + + domadm:x:502:joe,john,mary + - + -Map this domadm group to the domain admins group by running the command: +Map this domadm group to the "Domain Admins" group + by running the command: -smbgroupedit -c "Domain Admins" -u domadm + root# net groupmap add ntgroup="Domain Admins" unixgroup=domadm + + The quotes around "Domain Admins" are necessary due to the space in the group name. Also make + sure to leave no whitespace surrounding the equal character (=). + -You're set, joe, john and mary are domain administrators ! +Now joe, john and mary are domain administrators! 
-Like the Domain Admins group, you can map any arbitrary Unix group to any NT -group. You can also make any Unix group a domain group. For example, on a domain -member machine (an NT/W2K or a samba server running winbind), you would like to -give access to a certain directory to some users who are member of a group on -your samba PDC. Flag that group as a domain group by running: +It is possible to map any arbitrary UNIX group to any Windows NT +group as well as making any UNIX group a Windows domain group. +For example, if you wanted to include a UNIX group (e.g. acct) in a ACL on a +local file or printer on a domain member machine, you would flag +that group as a domain group by running the following on the Samba PDC: -smbgroupedit -a unixgroup -td +root# net groupmap add rid=1000 ntgroup="Accounting" unixgroup=acct + +Be aware that the rid parmeter is a unsigned 32 bit integer that should +normally start at 1000. However, this rid must not overlap with any RID assigned +to a user. Verifying this is done differently depending on on the passdb backend +you are using. Future versions of the tools may perform the verification automatically, +but for now the burden in on you. + +You can list the various groups in the mapping database by executing +net groupmap list. Here is an example: + +root# net groupmap list +System Administrators (S-1-5-21-2547222302-1596225915-2414751004-1002) -> sysadmin +Domain Admins (S-1-5-21-2547222302-1596225915-2414751004-512) -> domadmin +Domain Users (S-1-5-21-2547222302-1596225915-2414751004-513) -> domuser +Domain Guests (S-1-5-21-2547222302-1596225915-2414751004-514) -> domguest + -You can list the various groups in the mapping database like this -smbgroupedit -v +For complete details on net groupmap, refer to the +net(8) man page. -- cgit From 5b4ee77a5fefe3a22a98519a1dceaf9981a14e8d Mon Sep 17 00:00:00 2001 
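Review bot: the added text in the `@@ -34,46 +35,70 @@` hunk has several typos that should not ship: "the "Domain Adminis" group of the PDC" (and the mixed double/single quotes on the following line), "members of the 'Domain Admins' group?" should end with a period, "the rid parmeter is a unsigned 32 bit integer" should be "the rid parameter is an unsigned 32-bit integer", "depending on on the passdb backend", and "the burden in on you". More substantively, the first example `root# net groupmap add ntgroup="Domain Admins" unixgroup=domadm` supplies neither rid nor sid, while the net(8) synopsis added further down this page lists `{rid=int|sid=string}` as mandatory for `groupmap add`; either document what the tool does when both are omitted or add `rid=512`, the Domain Admins RID visible in the `net groupmap list` sample as `...-512`. For the "must not overlap with any RID assigned to a user" warning, the same man page documents `net maxrid` (highest RID in use in the active passdb backend), so point the reader at that instead of leaving verification entirely as an exercise.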
From: John Terpstra Date: Thu, 24 Apr 2003 02:34:27 +0000 Subject: Added patch from Stephen Roylance. (This used to be commit 308e3848622de0da7f1b73369c0429ac54d672ef) --- source3/web/startstop.c | 6 ------ source3/web/statuspage.c | 46 ++++++++++++++++++++++++++-------------------- 2 files changed, 26 insertions(+), 26 deletions(-) diff --git a/source3/web/startstop.c b/source3/web/startstop.c index c6babff954..93e8650c2b 100644 --- a/source3/web/startstop.c +++ b/source3/web/startstop.c @@ -22,8 +22,6 @@ #include "../web/swat_proto.h" #include "dynconfig.h" -/** Need to wait for daemons to startup */ -#define SLEEP_TIME 3 /** Startup smbd from web interface. */ void start_smbd(void) @@ -33,7 +31,6 @@ void start_smbd(void) if (geteuid() != 0) return; if (fork()) { - sleep(SLEEP_TIME); return; } @@ -54,7 +51,6 @@ void start_nmbd(void) if (geteuid() != 0) return; if (fork()) { - sleep(SLEEP_TIME); return; } @@ -75,7 +71,6 @@ void start_winbindd(void) if (geteuid() != 0) return; if (fork()) { - sleep(SLEEP_TIME); return; } @@ -133,5 +128,4 @@ void kill_pid(pid_t pid) if (pid <= 0) return; kill(pid, SIGTERM); - sleep(SLEEP_TIME); } diff --git a/source3/web/statuspage.c b/source3/web/statuspage.c index ddbe658a6c..44461232b8 100644 --- a/source3/web/statuspage.c +++ b/source3/web/statuspage.c @@ -23,6 +23,9 @@ #define PIDMAP struct PidMap +/* how long to wait for start/stops to take effect */ +#define SLEEP_TIME 3 + PIDMAP { PIDMAP *next, *prev; pid_t pid; @@ -158,6 +161,7 @@ static int traverse_fn1(TDB_CONTEXT *tdb, TDB_DATA kbuf, TDB_DATA dbuf, void* st slprintf(buf,sizeof(buf)-1,"kill_%d", (int)crec.pid); if (cgi_variable(buf)) { kill_pid(crec.pid); + sleep(SLEEP_TIME); } } return 0; 
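Review bot: `sleep(SLEEP_TIME)` in the `@@ -158,6 +161,7 @@` hunk of statuspage.c runs inside traverse_fn1, i.e. inside the tdb traversal callback, so the status page now blocks for 3 s per connection that matched a `kill_%d` form variable while the traversal (and whatever locks it holds) stays open. Suggest having traverse_fn1 only record that a kill was issued, the same way the `waitup` flag does in status_page below, and sleeping once after the traversal returns.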
@@ -221,48 +225,62 @@ void status_page(void) int refresh_interval=30; TDB_CONTEXT *tdb; int nr_running=0; + BOOL waitup = False; smbd_pid = pidfile_pid("smbd"); if (cgi_variable("smbd_restart") || cgi_variable("all_restart")) { stop_smbd(); start_smbd(); + waitup=True; } if (cgi_variable("smbd_start") || cgi_variable("all_start")) { start_smbd(); + waitup=True; } if (cgi_variable("smbd_stop") || cgi_variable("all_stop")) { stop_smbd(); + waitup=True; } if (cgi_variable("nmbd_restart") || cgi_variable("all_restart")) { stop_nmbd(); start_nmbd(); + waitup=True; } if (cgi_variable("nmbd_start") || cgi_variable("all_start")) { start_nmbd(); + waitup=True; } if (cgi_variable("nmbd_stop")|| cgi_variable("all_stop")) { stop_nmbd(); + waitup=True; } #ifdef WITH_WINBIND if (cgi_variable("winbindd_restart") || cgi_variable("all_restart")) { stop_winbindd(); start_winbindd(); + waitup=True; } if (cgi_variable("winbindd_start") || cgi_variable("all_start")) { start_winbindd(); + waitup=True; } if (cgi_variable("winbindd_stop") || cgi_variable("all_stop")) { stop_winbindd(); + waitup=True; } #endif + /* wait for daemons to start/stop */ + if (waitup) + sleep(SLEEP_TIME); + if (cgi_variable("autorefresh")) { autorefresh = 1; } else if (cgi_variable("norefresh")) { @@ -333,20 +351,7 @@ void status_page(void) } else { d_printf("\n", _("Start nmbd")); } - d_printf("\n", _("Restart nmbd")); -#ifndef WITH_WINBIND - if (nr_running >= 1) { - /* stop, restart all */ - d_printf("\n"); - d_printf("\n", _("Stop All")); - d_printf("\n", _("Restart All")); - } - else if (nr_running == 0) { - /* start all */ - d_printf("\n"); - d_printf("\n", _("Start All")); - } -#endif + d_printf("\n", _("Restart nmbd")); } d_printf("\n"); 
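Review bot: in the `@@ -221,48 +225,62 @@` hunk, `waitup=True` is set whenever a start/stop/restart variable is present, but start_smbd()/start_nmbd()/start_winbindd() (startstop.c above) return immediately when `geteuid() != 0`, so a SWAT instance not running as root now sleeps 3 s for a request that did nothing. Either guard the flag with `geteuid() == 0` or have the start/stop helpers return whether they acted and set `waitup` from that.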
@@ -361,22 +366,23 @@ void status_page(void) d_printf("\n", _("Start winbindd")); } d_printf("\n", _("Restart winbindd")); + } + d_printf("\n"); +#endif + + if (geteuid() == 0) { + d_printf("\n"); if (nr_running >= 1) { /* stop, restart all */ - d_printf("\n"); d_printf("\n", _("Stop All")); d_printf("\n", _("Restart All")); } else if (nr_running == 0) { /* start all */ - d_printf("\n"); d_printf("\n", _("Start All")); } - + d_printf("\n"); } - d_printf("\n"); -#endif - d_printf("
\n"); fflush(stdout); -- cgit From c0960be217bbf1107843b510bb0829e9c6593e85 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 24 Apr 2003 03:01:56 +0000 Subject: update net man page for groupmap options (This used to be commit 465510e39f3366a2477ffb6e7fb121ed6c88d04a) --- docs/docbook/manpages/net.8.sgml | 61 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 58 insertions(+), 3 deletions(-) diff --git a/docs/docbook/manpages/net.8.sgml b/docs/docbook/manpages/net.8.sgml index 8ee965e3ed..6b6ebd1f09 100644 --- a/docs/docbook/manpages/net.8.sgml +++ b/docs/docbook/manpages/net.8.sgml @@ -600,7 +600,7 @@ List all current items in the cache. GETLOCALSID [DOMAIN] -Print the SID of the specified domain, or if the parameter is +Print the SID of the specified domain, or if the parameter is omitted, the SID of the domain the local server is in. 
@@ -612,10 +612,65 @@ omitted, the SID of the domain the local server is in. + +GROUPMAP + +Manage the mappings between Windows group SIDs and UNIX groups. +Parameters take the for "parameter=value". Common options include: + + +unixgroup - Name of the UNIX group +ntgroup - Name of the Windows NT group (must be + resolvable to a SID +rid - Unsigned 32-bit integer +sid - Full SID in the form of "S-1-..." +type - Type of the group; either 'domain', 'local', + or 'builtin' +comment - Freeform text description of the group + + + +GROUPMAP ADD + +Add a new group mapping entry + +net groupmap add {rid=int|sid=string} unixgroup=string [type={domain|local|builtin}] [ntgroup=string] [comment=string] + + + + +GROUPMAP DELETE + +Delete a group mapping entry + +net groupmap delete {ntgroup=string|sid=SID} + + + + +GROUPMAP MODIFY + +Update en existing group entry + +net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] [comment=string] [type={domain|local} + + + +GROUPMAP LIST + +List existing group mapping entries + +net groupmap list [verbose] [ntgroup=string] [sid=SID] + + + + + + MAXRID -Prints out the highest RID currently in use on the local +Prints out the highest RID currently in use on the local server (by the active 'passdb backend'). @@ -624,7 +679,7 @@ server (by the active 'passdb backend'). RPC INFO -Print information about the domain of the remote server, +Print information about the domain of the remote server, such as domain name, domain sid and number of users and groups. -- cgit From d13f5f85feb98b28251045d88435a1af8ce3f3ba Mon Sep 17 00:00:00 2001 
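Review bot: wording and markup slips in the new GROUPMAP section of `@@ -612,10 +612,65 @@`: "Parameters take the for "parameter=value"" should be "form"; "(must be resolvable to a SID" is missing its closing parenthesis; "Update en existing group entry" should be "an"; and the MODIFY synopsis `[type={domain|local}` is missing its closing `]` and omits `builtin`, which ADD accepts, so say whether that restriction is intended. It would also help to state which of `rid`/`sid` wins when both are given, since ADD lists them as alternatives.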
From: Jelmer Vernooij Date: Thu, 24 Apr 2003 03:54:54 +0000 Subject: Patch from Stefan Metzmacher to add default parameters to the lp_parm() smb.conf parameters along with some other small fixes. Binary compatible with older modules. (This used to be commit aa07b12fda732ca19d8dc41cebc7bb09e2549a30) --- source3/include/smb_macros.h | 5 +- source3/modules/mysql.c | 59 +++++++------ source3/modules/vfs_recycle.c | 34 +++----- source3/modules/xml.c | 5 +- source3/param/loadparm.c | 191 +++++++++++++++++++++++++++--------------- source3/sam/sam_ads.c | 6 +- 6 files changed, 173 insertions(+), 127 deletions(-) diff --git a/source3/include/smb_macros.h b/source3/include/smb_macros.h index 477940445c..8e2cb1c818 100644 --- a/source3/include/smb_macros.h +++ b/source3/include/smb_macros.h @@ -95,8 +95,11 @@ #define ERROR_WAS_LOCK_DENIED(status) (NT_STATUS_EQUAL((status), NT_STATUS_LOCK_NOT_GRANTED) || \ NT_STATUS_EQUAL((status), NT_STATUS_FILE_LOCK_CONFLICT) ) +/* the service number for the [globals] defaults */ +#define GLOBAL_SECTION_SNUM (-1) /* translates a connection number into a service number */ -#define SNUM(conn) ((conn)?(conn)->service:-1) +#define SNUM(conn) ((conn)?(conn)->service:GLOBAL_SECTION_SNUM) + /* access various service details */ #define SERVICE(snum) (lp_servicename(snum)) diff --git a/source3/modules/mysql.c b/source3/modules/mysql.c index 684eb96645..ec8c6f9ab8 100644 --- a/source3/modules/mysql.c +++ b/source3/modules/mysql.c 
@@ -25,12 +25,12 @@ #define CONFIG_LOGON_TIME_DEFAULT "logon_time" #define CONFIG_LOGOFF_TIME_DEFAULT "logoff_time" #define CONFIG_KICKOFF_TIME_DEFAULT "kickoff_time" -#define CONFIG_PASS_LAST_SET_TIME_DEFAULT "pass_last_set_time" -#define CONFIG_PASS_CAN_CHANGE_TIME_DEFAULT "pass_can_change_time" -#define CONFIG_PASS_MUST_CHANGE_TIME_DEFAULT "pass_must_change_time" +#define CONFIG_PASS_LAST_SET_TIME_DEFAULT "pass_last_set_time" +#define CONFIG_PASS_CAN_CHANGE_TIME_DEFAULT "pass_can_change_time" +#define CONFIG_PASS_MUST_CHANGE_TIME_DEFAULT "pass_must_change_time" #define CONFIG_USERNAME_DEFAULT "username" #define CONFIG_DOMAIN_DEFAULT "domain" -#define CONFIG_NT_USERNAME_DEFAULT "nt_username" +#define CONFIG_NT_USERNAME_DEFAULT "nt_username" #define CONFIG_FULLNAME_DEFAULT "nt_fullname" #define CONFIG_HOME_DIR_DEFAULT "home_dir" #define CONFIG_DIR_DRIVE_DEFAULT "dir_drive" @@ -40,8 +40,8 @@ #define CONFIG_WORKSTATIONS_DEFAULT "workstations" #define CONFIG_UNKNOWN_STR_DEFAULT "unknown_str" #define CONFIG_MUNGED_DIAL_DEFAULT "munged_dial" -#define CONFIG_UID_DEFAULT "uid" -#define CONFIG_GID_DEFAULT "gid" +#define CONFIG_UID_DEFAULT "uid" +#define CONFIG_GID_DEFAULT "gid" #define CONFIG_USER_SID_DEFAULT "user_sid" #define CONFIG_GROUP_SID_DEFAULT "group_sid" #define CONFIG_LM_PW_DEFAULT "lm_pw" @@ -53,11 +53,11 @@ #define CONFIG_HOURS_LEN_DEFAULT "hours_len" #define CONFIG_UNKNOWN_5_DEFAULT "unknown_5" #define CONFIG_UNKNOWN_6_DEFAULT "unknown_6" -#define CONFIG_HOST_DEFAULT "localhost" -#define CONFIG_USER_DEFAULT "samba" -#define CONFIG_PASS_DEFAULT "" -#define CONFIG_PORT_DEFAULT "3306" -#define CONFIG_DB_DEFAULT "samba" +#define CONFIG_HOST_DEFAULT "localhost" +#define CONFIG_USER_DEFAULT "samba" +#define CONFIG_PASS_DEFAULT "" +#define CONFIG_PORT_DEFAULT "3306" +#define CONFIG_DB_DEFAULT "samba" static int mysqlsam_debug_level = DBGC_ALL; 
@@ -91,7 +91,7 @@ typedef struct pdb_mysql_query { } static void pdb_mysql_int_field(struct pdb_methods *m, - struct pdb_mysql_query *q, char *name, int value) + struct pdb_mysql_query *q, const char *name, int value) { if (!name || strchr(name, '\'')) return; /* This field shouldn't be set by us */ @@ -110,7 +110,7 @@ static void pdb_mysql_int_field(struct pdb_methods *m, static NTSTATUS pdb_mysql_string_field(struct pdb_methods *methods, struct pdb_mysql_query *q, - char *name, const char *value) + const char *name, const char *value) { char *esc_value; struct pdb_mysql_data *data; @@ -145,20 +145,17 @@ static NTSTATUS pdb_mysql_string_field(struct pdb_methods *methods, return NT_STATUS_OK; } -static char * config_value(pdb_mysql_data * data, char *name, char *default_value) -{ - if (lp_parm_string(NULL, data->location, name)) - return lp_parm_string(NULL, data->location, name); +#define config_value(data,name,default_value) \ + lp_parm_const_string(GLOBAL_SECTION_SNUM, (data)->location, name, default_value) - return default_value; -} +static const char * config_value_write(pdb_mysql_data * data, const char *name, const char *default_value) { + char const *v = NULL; + char const *swrite = NULL; -static char * config_value_write(pdb_mysql_data * data, char *name, char *default_value) { - char *v = config_value(data, name, NULL); - char *swrite; + v = lp_parm_const_string(GLOBAL_SECTION_SNUM, data->location, name, default_value); if (!v) - return default_value; + return NULL; swrite = strchr(v, ':'); 
@@ -176,13 +173,15 @@ static char * config_value_write(pdb_mysql_data * data, char *name, char *defaul return swrite; } -static const char * config_value_read(pdb_mysql_data * data, char *name, char *default_value) +static const char * config_value_read(pdb_mysql_data * data, const char *name, const char *default_value) { - char *v = config_value(data, name, NULL); + char *v = NULL; char *swrite; + v = lp_parm_talloc_string(GLOBAL_SECTION_SNUM, data->location, name, default_value); + if (!v) - return default_value; + return "NULL"; swrite = strchr(v, ':'); @@ -190,7 +189,7 @@ static const char * config_value_read(pdb_mysql_data * data, char *name, char *d if (!swrite) { if (strlen(v) == 0) return "NULL"; - return v; + return (const char *)v; } /* Otherwise, we have to cut the ':write_part' */ @@ -198,11 +197,11 @@ static const char * config_value_read(pdb_mysql_data * data, char *name, char *d if (strlen(v) == 0) return "NULL"; - return v; + return (const char *)v; } /* Wrapper for atol that returns 0 if 'a' points to NULL */ -static long xatol(char *a) +static long xatol(const char *a) { long ret = 0; @@ -369,7 +368,7 @@ static NTSTATUS mysqlsam_setsampwent(struct pdb_methods *methods, BOOL update) } DEBUG(5, - ("mysqlsam_setsampwent succeeded(%lu results)!\n", + ("mysqlsam_setsampwent succeeded(%llu results)!\n", mysql_num_rows(data->pwent))); return NT_STATUS_OK; diff --git a/source3/modules/vfs_recycle.c b/source3/modules/vfs_recycle.c index 3a23e1a365..85ce257c02 100644 --- a/source3/modules/vfs_recycle.c +++ b/source3/modules/vfs_recycle.c @@ -126,7 +126,7 @@ static int recycle_connect(struct connection_struct *conn, const char *service, recycle_bin_connections *recconn; recycle_bin_connections *recconnbase; recycle_bin_private_data *recdata; - char *tmp_str; + const char *tmp_str; DEBUG(10, ("Called for service %s (%d) as user %s\n", service, SNUM(conn), user)); 
@@ -142,42 +142,34 @@ static int recycle_connect(struct connection_struct *conn, const char *service, return -1; } - recbin = talloc(ctx, sizeof(recycle_bin_struct)); + recbin = talloc_zero(ctx, sizeof(recycle_bin_struct)); if (recbin == NULL) { DEBUG(0, ("Failed to allocate memory in VFS module recycle_bin\n")); return -1; } recbin->mem_ctx = ctx; - /* Set defaults */ - recbin->repository = talloc_strdup(recbin->mem_ctx, ".recycle"); - ALLOC_CHECK(recbin->repository, error); - recbin->keep_dir_tree = False; - recbin->versions = False; - recbin->touch = False; - recbin->exclude = ""; - recbin->exclude_dir = ""; - recbin->noversions = ""; - recbin->maxsize = 0; - /* parse configuration options */ - if ((tmp_str = lp_parm_string(SNUM(conn), "vfs_recycle_bin", "repository")) != NULL) { + if ((tmp_str = lp_parm_const_string(SNUM(conn), "vfs_recycle_bin", "repository", ".recycle")) != NULL) { recbin->repository = talloc_sub_conn(recbin->mem_ctx, conn, tmp_str); ALLOC_CHECK(recbin->repository, error); trim_string(recbin->repository, "/", "/"); DEBUG(5, ("recycle.bin: repository = %s\n", recbin->repository)); + } else { + DEBUG(0,("recycle.bin: no repository found (fail) !\n")); + goto error; } - recbin->keep_dir_tree = lp_parm_bool(SNUM(conn), "vfs_recycle_bin", "keeptree"); + recbin->keep_dir_tree = lp_parm_bool(SNUM(conn), "vfs_recycle_bin", "keeptree", False); DEBUG(5, ("recycle.bin: keeptree = %d\n", recbin->keep_dir_tree)); - recbin->versions = lp_parm_bool(SNUM(conn), "vfs_recycle_bin", "versions"); + recbin->versions = lp_parm_bool(SNUM(conn), "vfs_recycle_bin", "versions", False); DEBUG(5, ("recycle.bin: versions = %d\n", recbin->versions)); - recbin->touch = lp_parm_bool(SNUM(conn), "vfs_recycle_bin", "touch"); + recbin->touch = lp_parm_bool(SNUM(conn), "vfs_recycle_bin", "touch", False); DEBUG(5, ("recycle.bin: touch = %d\n", recbin->touch)); - recbin->maxsize = lp_parm_ulong(SNUM(conn), "vfs_recycle_bin", "maxsize"); + recbin->maxsize = 
lp_parm_ulong(SNUM(conn), "vfs_recycle_bin", "maxsize" , 0); if (recbin->maxsize == 0) { recbin->maxsize = -1; DEBUG(5, ("recycle.bin: maxsize = -infinite-\n")); @@ -185,17 +177,17 @@ static int recycle_connect(struct connection_struct *conn, const char *service, DEBUG(5, ("recycle.bin: maxsize = %ld\n", (long int)recbin->maxsize)); } - if ((tmp_str = lp_parm_string(SNUM(conn), "vfs_recycle_bin", "exclude")) != NULL) { + if ((tmp_str = lp_parm_const_string(SNUM(conn), "vfs_recycle_bin", "exclude", "")) != NULL) { recbin->exclude = talloc_strdup(recbin->mem_ctx, tmp_str); ALLOC_CHECK(recbin->exclude, error); DEBUG(5, ("recycle.bin: exclude = %s\n", recbin->exclude)); } - if ((tmp_str = lp_parm_string(SNUM(conn), "vfs_recycle_bin", "exclude_dir")) != NULL) { + if ((tmp_str = lp_parm_const_string(SNUM(conn), "vfs_recycle_bin", "exclude_dir", "")) != NULL) { recbin->exclude_dir = talloc_strdup(recbin->mem_ctx, tmp_str); ALLOC_CHECK(recbin->exclude_dir, error); DEBUG(5, ("recycle.bin: exclude_dir = %s\n", recbin->exclude_dir)); } - if ((tmp_str = lp_parm_string(SNUM(conn), "vfs_recycle_bin", "noversions")) != NULL) { + if ((tmp_str = lp_parm_const_string(SNUM(conn), "vfs_recycle_bin", "noversions", "")) != NULL) { recbin->noversions = talloc_strdup(recbin->mem_ctx, tmp_str); ALLOC_CHECK(recbin->noversions, error); DEBUG(5, ("recycle.bin: noversions = %s\n", recbin->noversions)); diff --git a/source3/modules/xml.c b/source3/modules/xml.c index d018175d38..42503c3d39 100644 --- a/source3/modules/xml.c +++ b/source3/modules/xml.c @@ -512,7 +512,7 @@ static NTSTATUS xmlsam_add_sam_account(struct pdb_methods *methods, SAM_ACCOUNT return NT_STATUS_OK; } -NTSTATUS xmlsam_init(PDB_CONTEXT * pdb_context, PDB_METHODS ** pdb_method, +static NTSTATUS xmlsam_init(PDB_CONTEXT * pdb_context, PDB_METHODS ** pdb_method, const char *location) { NTSTATUS nt_status; 
@@ -553,8 +553,7 @@ NTSTATUS xmlsam_init(PDB_CONTEXT * pdb_context, PDB_METHODS ** pdb_method, (*pdb_method)->enum_group_mapping = NULL; data = talloc(pdb_context->mem_ctx, sizeof(pdb_xml)); - data->location = - (location ? talloc_strdup(pdb_context->mem_ctx, location) : "passdb.xml"); + data->location = talloc_strdup(pdb_context->mem_ctx, (location ? location : "passdb.xml")); data->pwent = NULL; data->written = 0; (*pdb_method)->private_data = data; diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 4394c4df1a..c80c71d98d 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -87,6 +87,7 @@ struct _param_opt_struct { param_opt_struct *prev, *next; char *key; char *value; + char **list; }; /* 
@@ -1889,39 +1890,49 @@ static void init_copymap(service * pservice); /* This is a helper function for parametrical options support. */ /* It returns a pointer to parametrical option value if it exists or NULL otherwise */ /* Actual parametrical functions are quite simple */ -static const char *get_parametrics(int lookup_service, const char *type, const char *option) +static param_opt_struct *get_parametrics(int snum, const char *type, const char *option) { - char* vfskey; + BOOL global_section = False; + char* param_key; param_opt_struct *data; - if (lookup_service >= iNumServices) return NULL; + if (snum >= iNumServices) return NULL; - data = (lookup_service < 0) ? - Globals.param_opt : ServicePtrs[lookup_service]->param_opt; + if (snum < 0) { + data = Globals.param_opt; + global_section = True; + } else { + data = ServicePtrs[snum]->param_opt; + } - asprintf(&vfskey, "%s:%s", type, option); + asprintf(¶m_key, "%s:%s", type, option); + if (!param_key) { + DEBUG(0,("asprintf failed!\n")); + return NULL; + } + while (data) { - if (strcmp(data->key, vfskey) == 0) { - string_free(&vfskey); - return data->value; + if (strcmp(data->key, param_key) == 0) { + string_free(¶m_key); + return data; } data = data->next; } - if (lookup_service >= 0) { + if (!global_section) { /* Try to fetch the same option but from globals */ /* but only if we are not already working with Globals */ data = Globals.param_opt; while (data) { - if (strcmp(data->key, vfskey) == 0) { - string_free(&vfskey); - return data->value; + if (strcmp(data->key, param_key) == 0) { + string_free(¶m_key); + return data; } data = data->next; } } - string_free(&vfskey); + string_free(¶m_key); return NULL; } @@ -1984,7 +1995,7 @@ static int lp_enum(const char *s,const struct enum_list *_enum) if (!s || !_enum) { DEBUG(0,("lp_enum(%s,enum): is called with NULL!\n",s)); - return False; + return (-1); } for (i=0; _enum[i].name; i++) { 
@@ -1996,86 +2007,116 @@ static int lp_enum(const char *s,const struct enum_list *_enum) return (-1); } + +/* DO NOT USE lp_parm_string ANYMORE!!!! + * use lp_parm_const_string or lp_parm_talloc_string + * + * lp_parm_string is only used to let old modules find this symbol + */ +#undef lp_parm_string + char *lp_parm_string(const char *servicename, const char *type, const char *option) +{ + return lp_parm_talloc_string(lp_servicenumber(servicename), type, option, NULL); +} + /* Return parametric option from a given service. Type is a part of option before ':' */ /* Parametric option has following syntax: 'Type: option = value' */ -/* Returned value is allocated in 'lp_talloc' context */ - -char *lp_parm_string(int lookup_service, const char *type, const char *option) +/* the returned value is talloced in lp_talloc */ +char *lp_parm_talloc_string(int snum, const char *type, const char *option, const char *def) { - const char *value = get_parametrics(lookup_service, type, option); + param_opt_struct *data = get_parametrics(snum, type, option); - if (value) - return lp_string(value); + if (data == NULL||data->value==NULL) { + if (def) { + return lp_string(def); + } else { + return NULL; + } + } - return NULL; + return lp_string(data->value); } /* Return parametric option from a given service. 
Type is a part of option before ':' */ /* Parametric option has following syntax: 'Type: option = value' */ -/* Returned value is allocated in 'lp_talloc' context */ - -char **lp_parm_string_list(int lookup_service, const char *type, const char *option, - const char *separator) +const char *lp_parm_const_string(int snum, const char *type, const char *option, const char *def) { - const char *value = get_parametrics(lookup_service, type, option); + param_opt_struct *data = get_parametrics(snum, type, option); - if (value) - return str_list_make(value, separator); + if (data == NULL||data->value==NULL) + return def; + + return data->value; +} - return NULL; +/* Return parametric option from a given service. Type is a part of option before ':' */ +/* Parametric option has following syntax: 'Type: option = value' */ + +const char **lp_parm_string_list(int snum, const char *type, const char *option, const char **def) +{ + param_opt_struct *data = get_parametrics(snum, type, option); + + if (data == NULL||data->value==NULL) + return (const char **)def; + + if (data->list==NULL) { + data->list = str_list_make(data->value, NULL); + } + + return (const char **)data->list; } /* Return parametric option from a given service. Type is a part of option before ':' */ /* Parametric option has following syntax: 'Type: option = value' */ -int lp_parm_int(int lookup_service, const char *type, const char *option) +int lp_parm_int(int snum, const char *type, const char *option, int def) { - const char *value = get_parametrics(lookup_service, type, option); + param_opt_struct *data = get_parametrics(snum, type, option); - if (value) - return lp_int(value); + if (data && data->value && *data->value) + return lp_int(data->value); - return (-1); + return def; } /* Return parametric option from a given service. 
Type is a part of option before ':' */ /* Parametric option has following syntax: 'Type: option = value' */ -unsigned long lp_parm_ulong(int lookup_service, const char *type, const char *option) +unsigned long lp_parm_ulong(int snum, const char *type, const char *option, unsigned long def) { - const char *value = get_parametrics(lookup_service, type, option); + param_opt_struct *data = get_parametrics(snum, type, option); - if (value) - return lp_ulong(value); + if (data && data->value && *data->value) + return lp_ulong(data->value); - return (0); + return def; } /* Return parametric option from a given service. Type is a part of option before ':' */ /* Parametric option has following syntax: 'Type: option = value' */ -BOOL lp_parm_bool(int lookup_service, const char *type, const char *option) +BOOL lp_parm_bool(int snum, const char *type, const char *option, BOOL def) { - const char *value = get_parametrics(lookup_service, type, option); + param_opt_struct *data = get_parametrics(snum, type, option); - if (value) - return lp_bool(value); + if (data && data->value && *data->value) + return lp_bool(data->value); - return False; + return def; } /* Return parametric option from a given service. Type is a part of option before ':' */ /* Parametric option has following syntax: 'Type: option = value' */ -int lp_parm_enum(int lookup_service, const char *type, const char *option, - const struct enum_list *_enum) +int lp_parm_enum(int snum, const char *type, const char *option, + const struct enum_list *_enum, int def) { - const char *value = get_parametrics(lookup_service, type, option); + param_opt_struct *data = get_parametrics(snum, type, option); - if (value) - return lp_enum(value, _enum); + if (data && data->value && *data->value && _enum) + return lp_enum(data->value, _enum); - return (-1); + return def; } 
@@ -2120,13 +2161,15 @@ static void free_service(service *pservice) (((char *)pservice) + PTR_DIFF(parm_table[i].ptr, &sDefault))); } - - DEBUG(5,("Freeing parametrics:\n")); + data = pservice->param_opt; + if (data) + DEBUG(5,("Freeing parametrics:\n")); while (data) { DEBUG(5,("[%s = %s]\n", data->key, data->value)); string_free(&data->key); string_free(&data->value); + str_list_free(&data->list); pdata = data->next; SAFE_FREE(data); data = pdata; @@ -2159,6 +2202,7 @@ static int add_a_service(const service *pservice, const char *name) while (data) { string_free(&data->key); string_free(&data->value); + str_list_free(&data->list); pdata = data->next; SAFE_FREE(data); data = pdata; @@ -2225,7 +2269,7 @@ BOOL lp_add_home(const char *pszHomename, int iDefaultService, return (False); if (!(*(ServicePtrs[iDefaultService]->szPath)) - || strequal(ServicePtrs[iDefaultService]->szPath, lp_pathname(-1))) { + || strequal(ServicePtrs[iDefaultService]->szPath, lp_pathname(GLOBAL_SECTION_SNUM))) { pstrcpy(newHomedir, pszHomedir); } else { pstrcpy(newHomedir, lp_pathname(iDefaultService)); @@ -2473,6 +2517,7 @@ static void copy_service(service * pserviceDest, service * pserviceSource, BOOL /* If we already have same option, override it */ if (strcmp(pdata->key, data->key) == 0) { string_free(&pdata->value); + str_list_free(&data->list); pdata->value = strdup(data->value); not_added = False; break; @@ -2483,6 +2528,7 @@ static void copy_service(service * pserviceDest, service * pserviceSource, BOOL paramo = smb_xmalloc(sizeof(param_opt_struct)); paramo->key = strdup(data->key); paramo->value = strdup(data->value); + paramo->list = NULL; DLIST_ADD(pserviceDest->param_opt, paramo); } data = data->next; 
@@ -3083,7 +3129,7 @@ BOOL lp_do_parameter(int snum, const char *pszParmName, const char *pszParmValue int parmnum, i, slen; void *parm_ptr = NULL; /* where we are going to store the result */ void *def_ptr = NULL; - pstring vfskey; + pstring param_key; char *sep; param_opt_struct *paramo, *data; BOOL not_added; @@ -3092,20 +3138,21 @@ BOOL lp_do_parameter(int snum, const char *pszParmName, const char *pszParmValue if (parmnum < 0) { if ((sep=strchr(pszParmName, ':')) != NULL) { - *sep = 0; - ZERO_STRUCT(vfskey); - pstr_sprintf(vfskey, "%s:", pszParmName); - slen = strlen(vfskey); - pstrcat(vfskey, sep+1); - trim_string(vfskey+slen, " ", " "); + *sep = '\0'; + ZERO_STRUCT(param_key); + pstr_sprintf(param_key, "%s:", pszParmName); + slen = strlen(param_key); + pstrcat(param_key, sep+1); + trim_string(param_key+slen, " ", " "); not_added = True; data = (snum < 0) ? Globals.param_opt : ServicePtrs[snum]->param_opt; /* Traverse destination */ while (data) { /* If we already have same option, override it */ - if (strcmp(data->key, vfskey) == 0) { + if (strcmp(data->key, param_key) == 0) { string_free(&data->value); + str_list_free(&data->list); data->value = strdup(pszParmValue); not_added = False; break; @@ -3114,8 +3161,9 @@ BOOL lp_do_parameter(int snum, const char *pszParmName, const char *pszParmValue } if (not_added) { paramo = smb_xmalloc(sizeof(param_opt_struct)); - paramo->key = strdup(vfskey); + paramo->key = strdup(param_key); paramo->value = strdup(pszParmValue); + paramo->list = NULL; if (snum < 0) { DLIST_ADD(Globals.param_opt, paramo); } else { 
@@ -3555,13 +3603,13 @@ static void dump_a_service(service * pService, FILE * f) /*************************************************************************** - Return info about the next service in a service. snum==-1 gives the globals. + Return info about the next service in a service. snum==GLOBAL_SECTION_SNUM gives the globals. Return NULL when out of parameters. ***************************************************************************/ struct parm_struct *lp_next_parameter(int snum, int *i, int allparameters) { - if (snum == -1) { + if (snum < 0) { /* do the globals */ for (; parm_table[*i].label; (*i)++) { if (parm_table[*i].class == P_SEPARATOR) @@ -3899,6 +3947,7 @@ BOOL lp_load(const char *pszFname, BOOL global_only, BOOL save_defaults, while (data) { string_free(&data->key); string_free(&data->value); + str_list_free(&data->list); pdata = data->next; SAFE_FREE(data); data = pdata; @@ -3933,7 +3982,7 @@ BOOL lp_load(const char *pszFname, BOOL global_only, BOOL save_defaults, /* Now we check bWINSsupport and set szWINSserver to 127.0.0.1 */ /* if bWINSsupport is true and we are in the client */ if (in_client && Globals.bWINSsupport) { - lp_do_parameter(-1, "wins server", "127.0.0.1"); + lp_do_parameter(GLOBAL_SECTION_SNUM, "wins server", "127.0.0.1"); } init_iconv(); @@ -4002,8 +4051,10 @@ int lp_servicenumber(const char *pszServiceName) { int iService; fstring serviceName; - - + + if (!pszServiceName) + return GLOBAL_SECTION_SNUM; + for (iService = iNumServices - 1; iService >= 0; iService--) { if (VALID(iService) && ServicePtrs[iService]->szService) { /* @@ -4017,8 +4068,10 @@ int lp_servicenumber(const char *pszServiceName) } } - if (iService < 0) + if (iService < 0) { DEBUG(7,("lp_servicenumber: couldn't find %s\n", pszServiceName)); + return GLOBAL_SECTION_SNUM; + } return (iService); } diff --git a/source3/sam/sam_ads.c b/source3/sam/sam_ads.c index 13e0369004..79b107e417 100755 --- a/source3/sam/sam_ads.c +++ b/source3/sam/sam_ads.c 
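Review bot: in the `@@ -1889,39 +1890,49 @@` hunk of loadparm.c, `if (!param_key)` after `asprintf(&param_key, "%s:%s", type, option)` (rendered as `¶m_key` on this page, an entity mangling of `&param_key`) is not a reliable failure check: asprintf reports failure through its return value (-1) and leaves the pointer unspecified in that case, so test the return value, e.g. `if (asprintf(&param_key, "%s:%s", type, option) < 0)`, and only then log and return NULL. Returning the param_opt_struct instead of its value so callers can cache `list` is otherwise fine.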
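Review bot: `lp_parm_string_list` in the `@@ -1996,86 +2007,116 @@` hunk now returns `data->list`, a pointer cached in the param_opt_struct and freed by the `str_list_free(&data->list)` calls added to free_service, add_a_service and lp_load, whereas the old version returned a fresh `str_list_make()` result that the caller owned. Any caller that still str_list_free()s the result will now double free, and the `const char **` return type will not catch that for code that casts it away. Document the ownership change in the function comment and audit the existing callers. The old `separator` argument has also silently become `NULL` in `str_list_make(data->value, NULL)`, so callers that passed a custom separator need checking as well.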
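Review bot: the `@@ -2473,6 +2517,7 @@` hunk of copy_service frees the wrong list in the override branch: `string_free(&pdata->value); str_list_free(&data->list); pdata->value = strdup(data->value);` discards the source service's cached list and leaves the destination's `pdata->list` pointing at tokens built from the value that was just replaced, so a later lp_parm_string_list() on the copied service returns stale data. It should be `str_list_free(&pdata->list);`, matching the `string_free(&pdata->value)` beside it; the `@@ -3092,20 +3138,21 @@` hunk in lp_do_parameter gets this right by freeing the list of the entry being overwritten.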
@@ -1328,10 +1328,10 @@ NTSTATUS sam_init_ads(SAM_METHODS *sam_method, const char *module_params) return NT_STATUS_NO_MEMORY; } - sam_ads_state->ads_bind_dn = talloc_strdup(sam_ads_state->mem_ctx, lp_parm_string(NULL,"sam_ads","bind as")); - sam_ads_state->ads_bind_pw = talloc_strdup(sam_ads_state->mem_ctx, lp_parm_string(NULL,"sam_ads","bind pw")); + sam_ads_state->ads_bind_dn = talloc_strdup(sam_ads_state->mem_ctx, lp_parm_const_string(GLOBAL_SECTION_SNUM,"sam_ads","bind as", "")); + sam_ads_state->ads_bind_pw = talloc_strdup(sam_ads_state->mem_ctx, lp_parm_const_string(GLOBAL_SECTION_SNUM,"sam_ads","bind pw", "")); - sam_ads_state->bind_plaintext = strequal(lp_parm_string(NULL, "sam_ads", "plaintext bind"), "yes"); + sam_ads_state->bind_plaintext = lp_parm_bool(GLOBAL_SECTION_SNUM, "sam_ads", "plaintext bind" , True); if (!sam_ads_state->ads_bind_dn || !sam_ads_state->ads_bind_pw) { DEBUG(0, ("talloc_strdup() failed for bind dn or password\n")); -- cgit From 858cdd54bdc38015806958dcf44efde2255714a7 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 24 Apr 2003 03:55:22 +0000 Subject: Patch from Guenther Deschner to fix build with gcc 3.2 (This used to be commit f56a18853235e9090fbf962aa981688dc2e15426) --- source3/smbwrapper/smbw.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/source3/smbwrapper/smbw.c b/source3/smbwrapper/smbw.c index 005d9af53f..7eb01c7da3 100644 --- a/source3/smbwrapper/smbw.c +++ b/source3/smbwrapper/smbw.c @@ -1512,11 +1512,11 @@ struct kernel_stat { unsigned long int st_size; unsigned long int st_blksize; unsigned long int st_blocks; - unsigned long int st_atime; + unsigned long int st_atime_; unsigned long int __unused1; - unsigned long int st_mtime; + unsigned long int st_mtime_; unsigned long int __unused2; - unsigned long int st_ctime; + unsigned long int st_ctime_; unsigned long int __unused3; unsigned long int __unused4; unsigned long int __unused5; 
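Review bot: the `@@ -1328,10 +1328,10 @@` hunk in sam_ads.c flips a security default. Before, `bind_plaintext` was true only when `plaintext bind` was explicitly set to "yes"; now `lp_parm_bool(GLOBAL_SECTION_SNUM, "sam_ads", "plaintext bind", True)` makes a plaintext (simple) LDAP bind the default whenever the option is absent, which sends the bind DN's password in the clear unless the transport is otherwise protected. Unless that is intended, the default should be `False`, and the behaviour change should be called out in the commit message either way. Separately, with "" as the default for `bind as`/`bind pw`, the `if (!ads_bind_dn || !ads_bind_pw)` check below now only catches talloc failure and no longer a missing configuration, so the DEBUG(0) message there is now the only thing that is accurate about it.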
@@ -1547,8 +1547,8 @@ struct kernel_stat { st->st_size = kbuf->st_size; st->st_blksize = kbuf->st_blksize; st->st_blocks = kbuf->st_blocks; - st->st_atime = kbuf->st_atime; - st->st_mtime = kbuf->st_mtime; - st->st_ctime = kbuf->st_ctime; + st->st_atime = kbuf->st_atime_; + st->st_mtime = kbuf->st_mtime_; + st->st_ctime = kbuf->st_ctime_; } #endif -- cgit From ffb628e9c71cf55601d098a3dfbe22fbfa3d0746 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Thu, 24 Apr 2003 05:20:34 +0000 Subject: Fix for bad macro error. (This used to be commit 076882b91c3b08d4438499b185b8e8bc0f4ba716) --- docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml index 0d72487f54..841d24b78d 100644 --- a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml +++ b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml @@ -13,7 +13,7 @@ Starting with Samba 3.0 alpha 2, new group mapping functionality is available to create associations between Windows SIDs and UNIX groups. The groupmap subcommand included with -the &net; tool can be used to manage these associations. +the net tool can be used to manage these associations. -- cgit From b7ff7b37fbf8bd47c4a4b1e224891899822bdf92 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 24 Apr 2003 05:35:22 +0000 Subject: remove smbgroupedit entity (This used to be commit 5de29a84b3039cd951367ac78879ec8bfd4a08d1) --- docs/docbook/global.ent | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/docbook/global.ent b/docs/docbook/global.ent index d7c41ccbc6..2933602e60 100644 --- a/docs/docbook/global.ent +++ b/docs/docbook/global.ent @@ -384,7 +384,6 @@ an Active Directory environment. smb.conf'> smbclient'> winbindd'> -smbgroupedit'> net'> -- cgit From dbd482622a59e667724fddd8f3cbcfb729e11a35 Mon Sep 17 00:00:00 2001 
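Review bot: in the sam_ads.c hunk the default for "plaintext bind" flips from off to on: the old `strequal(lp_parm_string(...), "yes")` was false when the parameter was unset, while `lp_parm_bool(GLOBAL_SECTION_SNUM, "sam_ads", "plaintext bind", True)` returns True when it is unset, so an unconfigured sam_ads backend now sends the bind password in the clear; unless that is intended, pass False as the default. The "" defaults for "bind as" and "bind pw" also mean talloc_strdup() no longer returns NULL for a missing parameter, so the `if (!sam_ads_state->ads_bind_dn || !sam_ads_state->ads_bind_pw)` check that follows ("talloc_strdup() failed for bind dn or password") now only catches out-of-memory and no longer rejects an unconfigured bind; test for an empty string explicitly.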
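Review bot: the renamed fields st_atime_/st_mtime_/st_ctime_ in struct kernel_stat (smbw.c, both hunks) carry no comment explaining the trailing underscore; add one saying that st_atime, st_mtime and st_ctime are macros in newer glibc headers (the gcc 3.2 build break the subject refers to), otherwise the next reader will "fix" the names back and reintroduce the failure.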
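Review bot: dropping the smbgroupedit entity from global.ent will break any SGML file that still references &smbgroupedit;; grep docs/docbook for remaining uses before removing the definition. Note also that the `net'>` entity is kept in this hunk, so the GROUP-MAPPING-HOWTO change in the previous commit that replaced &net; with plain net gave up the entity indirection unnecessarily; worth confirming the "bad macro" error was really &net; rather than a missing entity include.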
From: Richard Sharpe Date: Thu, 24 Apr 2003 06:27:49 +0000 Subject: More functions to compute the space taken up by SIDs, ACEs, ACLs, SEC DESCs etc, so we can store these in an output file. (This used to be commit 7607a1c3cd5ffb69b8db0bfe50283bda97047c42) --- source3/utils/editreg.c | 99 +++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 96 insertions(+), 3 deletions(-) diff --git a/source3/utils/editreg.c b/source3/utils/editreg.c index eb796d43b6..34a9eecf11 100644 --- a/source3/utils/editreg.c +++ b/source3/utils/editreg.c @@ -444,7 +444,7 @@ struct key_sec_desc_s { struct key_sec_desc_s *prev, *next; int ref_cnt; int state; - int offset, stored; + int offset; SEC_DESC *sec_desc; }; @@ -1321,7 +1321,7 @@ KEY_SEC_DESC *nt_create_init_sec(REGF *regf) tsec->ref_cnt = 1; tsec->state = SEC_DESC_NBK; - tsec->stored = tsec->offset = 0; + tsec->offset = 0; tsec->sec_desc = regf->def_sec_desc; @@ -1798,7 +1798,7 @@ KEY_SEC_DESC *lookup_create_sec_key(REGF *regf, SK_MAP *sk_map, int sk_off) if (!tmp) { return NULL; } - bzero(tmp, sizeof(KEY_SEC_DESC)); + bzero(tmp, sizeof(KEY_SEC_DESC)); /* Neatly sets offset to 0 */ tmp->state = SEC_DESC_RES; if (!alloc_sk_map_entry(regf, tmp, sk_off)) { return NULL; @@ -1889,6 +1889,12 @@ SEC_DESC *process_sec_desc(REGF *regf, REG_SEC_DESC *sec_desc) tmp->type = SVAL(&sec_desc->type); if (verbose) fprintf(stdout, "SEC_DESC Rev: %0X, Type: %0X\n", tmp->rev, tmp->type); + if (verbose) fprintf(stdout, "SEC_DESC Owner Off: %0X\n", + IVAL(&sec_desc->owner_off)); + if (verbose) fprintf(stdout, "SEC_DESC Group Off: %0X\n", + IVAL(&sec_desc->group_off)); + if (verbose) fprintf(stdout, "SEC_DESC DACL Off: %0X\n", + IVAL(&sec_desc->dacl_off)); tmp->owner = dup_sid((DOM_SID *)((char *)sec_desc + IVAL(&sec_desc->owner_off))); if (!tmp->owner) { free(tmp); 
@@ -2579,6 +2585,72 @@ void *nt_alloc_regf_space(REGF *regf, int size, int *off) return NULL; } +/* + * Compute the size of a SID stored ... + */ + +unsigned int sid_size(DOM_SID *sid) +{ + unsigned int size; + + if (!sid) return 0; + + size = 8 + (sid->auths * sizeof(unsigned int)); + + return size; +} + +/* + * Compute the size of an ACE on disk from its components + */ + +unsigned int ace_size(ACE *ace) +{ + unsigned int size; + + if (!ace) return 0; + + size = 8 + sid_size(ace->trustee); + + return size; +} + +/* + * Compute the size of an ACL from its components ... + */ +unsigned int acl_size(ACL *acl) +{ + unsigned int size; + int i; + + if (!acl) return 0; + + size = 8; + for (i = 0; i < acl->num_aces; i++) + size += ace_size(acl->aces[i]); + + return size; +} + +/* + * Compute the size of the sec desc as a self-relative SD + */ +unsigned int sec_desc_size(SEC_DESC *sd) +{ + unsigned int size; + + if (!sd) return 0; + + size = 20; + + if (sd->owner) size += sid_size(sd->owner); + if (sd->group) size += sid_size(sd->group); + if (sd->sacl) size += acl_size(sd->sacl); + if (sd->dacl) size += acl_size(sd->dacl); + + return size; +} + /* * Store the security information * @@ -2588,6 +2660,27 @@ void *nt_alloc_regf_space(REGF *regf, int size, int *off) unsigned int nt_store_security(REGF *regf, KEY_SEC_DESC *sec) { + int size = 0; + unsigned int sk_off; + SK_HDR *sk_hdr; + + if (sec->offset) return sec->offset; + + /* + * OK, we don't have this one in the file yet. We must compute the + * size taken by the security descriptor as a self-relative SD, which + * means making one pass over each structure and figuring it out + */ + + size = sec_desc_size(sec->sec_desc); + + /* Allocate that much space */ + + sk_hdr = nt_alloc_regf_space(regf, size, &sk_off); + + if (!sk_hdr) return 0; + + /* Now, lay out the sec_desc in the space provided */ return 0; -- cgit From 6adaba284ec82390c8a0e83a1c3399b1be8078e8 Mon Sep 17 00:00:00 2001 
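Review bot: nt_store_security() in the last hunk never records the allocation it makes: sk_off is returned by nt_alloc_regf_space() but never written to sec->offset, and the function returns 0 on both the `if (!sk_hdr) return 0;` failure path and the fall-through path, so the `if (sec->offset) return sec->offset;` short-circuit never fires and a caller cannot tell success from failure. Even as work in progress, store sk_off into sec->offset and return it (with 0 reserved for failure, which matches the bzero "Neatly sets offset to 0" comment in the earlier hunk). The size helpers encode the on-disk header sizes as bare literals (8 in sid_size, 8 in ace_size, 8 in acl_size, 20 in sec_desc_size); a comment per literal naming the fields it covers (for the SD: revision, padding, type and four 32-bit offsets) would make each number verifiable against the "sk"-block layout documented at the top of the file.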
From: Richard Sharpe Date: Thu, 24 Apr 2003 07:05:22 +0000 Subject: More code to do with constructing SK records and self relative SDs. (This used to be commit 7105265238de850f5b7effef3be8fb3f5d383669) --- source3/utils/editreg.c | 30 +++++++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/source3/utils/editreg.c b/source3/utils/editreg.c index 34a9eecf11..222be2da05 100644 --- a/source3/utils/editreg.c +++ b/source3/utils/editreg.c @@ -211,7 +211,7 @@ key-name you have to change the hash-value too! The "sk"-block ============== (due to the complexity of the SAM-info, not clear jet) -(This is just a security descriptor in the data. R Sharpe.) +(This is just a self-relative security descriptor in the data. R Sharpe.) Offset Size Contents @@ -440,11 +440,13 @@ typedef struct sec_desc_s { #define SEC_DESC_RES 1 #define SEC_DESC_OCU 2 #define SEC_DESC_NBK 3 +typedef struct sk_struct SK_HDR; struct key_sec_desc_s { struct key_sec_desc_s *prev, *next; int ref_cnt; int state; int offset; + SK_HDR *sk_hdr; /* This means we must keep the registry in memory */ SEC_DESC *sec_desc; }; @@ -520,7 +522,7 @@ typedef struct nk_struct { #define REG_SK_ID 0x6B73 -typedef struct sk_struct { +struct sk_struct { WORD SK_ID; WORD uk1; DWORD prev_off; @@ -528,7 +530,7 @@ typedef struct sk_struct { DWORD ref_cnt; DWORD rec_size; char sec_desc[1]; -} SK_HDR; +}; typedef struct ace_struct { unsigned char type; @@ -2651,6 +2653,15 @@ unsigned int sec_desc_size(SEC_DESC *sd) return size; } +/* + * Flatten and store the Sec Desc + */ +unsigned int nt_store_sec_desc(REGF *regf, SEC_DESC *sd, char *locn) +{ + + return 0; +} + /* * Store the security information * 
@@ -2677,11 +2688,24 @@ unsigned int nt_store_security(REGF *regf, KEY_SEC_DESC *sec) /* Allocate that much space */ sk_hdr = nt_alloc_regf_space(regf, size, &sk_off); + sec->sk_hdr = sk_hdr; if (!sk_hdr) return 0; /* Now, lay out the sec_desc in the space provided */ + sk_hdr->SK_ID = REG_SK_ID; + + /* + * We can't deal with the next and prev offset in the SK_HDRs until the + * whole tree has been stored, then we can go and deal with them + */ + + sk_hdr->ref_cnt = sec->ref_cnt; + sk_hdr->rec_size = size; /* Is this correct */ + + /* Now, lay out the sec_desc */ + return 0; } -- cgit From 467f5457466e3488e60bcab3505bc920822672e6 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 24 Apr 2003 16:48:08 +0000 Subject: groupmap delete should take a name or a SID (This used to be commit 4c7ee6e6b82c69ead96bc90c75cbdfab19486bb5) --- source3/utils/net_groupmap.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/source3/utils/net_groupmap.c b/source3/utils/net_groupmap.c index 2b88183f22..aaefda2e5c 100644 --- a/source3/utils/net_groupmap.c +++ b/source3/utils/net_groupmap.c @@ -115,19 +115,27 @@ int net_groupmap_list(int argc, const char **argv) BOOL long_list = False; int i; fstring ntgroup = ""; + fstring sid_string = ""; /* get the options */ for ( i=0; i Date: Thu, 24 Apr 2003 18:59:13 +0000 Subject: Fix length in findfirst2 responses, fix os/2 clients (This used to be commit ce56ccf932e5ae89b7d46da31ec9b17551206491) --- source3/smbd/trans2.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c index 7b8b7e3a4f..0bfb145c10 100644 --- a/source3/smbd/trans2.c +++ b/source3/smbd/trans2.c 
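Review bot: the space requested in nt_store_security() is sec_desc_size(sec->sec_desc) only, but the SK_HDR this commit now writes into that space (struct sk_struct: SK_ID, uk1, prev_off, ..., ref_cnt, rec_size, then sec_desc[1]) carries its fixed header before the descriptor, so laying the SD out at sk_hdr->sec_desc will overrun the allocation by the header size; add the header size to `size` (which also answers the `/* Is this correct */` on `sk_hdr->rec_size = size;`, since rec_size presumably covers the whole record). Separately, `sec->sk_hdr = sk_hdr;` is assigned before the `if (!sk_hdr) return 0;` check, so a failed allocation leaves a NULL sk_hdr in the tree node for the later prev/next fix-up pass to trip over; move the assignment below the check.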
@@ -626,7 +626,10 @@ static BOOL get_lanman2_dir_entry(connection_struct *conn, nameptr = p; p += align_string(outbuf, p, 0); len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE); - SCVAL(nameptr, -1, len); + if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) + SCVAL(nameptr, -1, len-2); + else + SCVAL(nameptr, -1, len-1); p += len; break; @@ -644,10 +647,13 @@ static BOOL get_lanman2_dir_entry(connection_struct *conn, SIVAL(p,l2_cbList,0); /* No extended attributes */ p += l2_achName; nameptr = p; - len = srvstr_push(outbuf, p, fname, -1, STR_NOALIGN); - SCVAL(p, -1, len); + p += align_string(outbuf, p, 0); + len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE); + if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) + SCVAL(nameptr, -1, len-2); + else + SCVAL(nameptr, -1, len-1); p += len; - *p++ = 0; /* craig from unisys pointed out we need this */ break; case SMB_FIND_FILE_BOTH_DIRECTORY_INFO: -- cgit From 477f90f95cf710578bbe2798d80b4638d714cbf3 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 24 Apr 2003 19:30:16 +0000 Subject: Check for absolute paths by only checking the first character of the module name. Don't use strchr_m, which caused race conditions. (This used to be commit 9411e3336ebe781da2b418219dd5803fecfc42fe) --- source3/lib/module.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/lib/module.c b/source3/lib/module.c index 763a5c2b2d..53223cfebe 100644 --- a/source3/lib/module.c +++ b/source3/lib/module.c @@ -80,7 +80,7 @@ int smb_probe_module(const char *subsystem, const char *module) pstring full_path; /* Check for absolute path */ - if(strchr_m(module, '/'))return smb_load_module(module); + if(module[0] == '/')return smb_load_module(module); pstrcpy(full_path, lib_path(subsystem)); pstrcat(full_path, "/"); -- cgit From bca6ff183c9431dc52c122e97c6060dae82e1464 Mon Sep 17 00:00:00 2001 
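Review bot: the unicode/ASCII terminator adjustment (`if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) SCVAL(nameptr, -1, len-2); else SCVAL(nameptr, -1, len-1);`) is now duplicated verbatim in both trans2.c hunks; pull it into a small helper so the two SMB_FIND_* cases cannot drift apart. SCVAL stores a single byte and srvstr_push is called with a -1 length, so if len-2 can exceed 255 for a long unicode name the stored name length wraps silently; clamp or assert on it. Replacing the hand-written `*p++ = 0;` with STR_TERMINATE in the second hunk is the right fix for the double terminator.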
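Review bot: in module.c, `module[0] == '/'` only recognises an absolute path; a name containing '/' anywhere else (including leading `..` components) was previously loaded directly and is now appended to lib_path(subsystem) and loaded from there, a behaviour change the commit message does not mention. If module names are meant to be bare file names, reject any '/' in the non-absolute case instead of concatenating it. `module` is also dereferenced without a NULL check (the old strchr_m call had the same issue).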
From: John Terpstra Date: Thu, 24 Apr 2003 19:59:27 +0000 Subject: Update from LanDude (This used to be commit d8f8794d10c4add9b7b850341b98c29c67028c4a) --- docs/docbook/projdoc/ADS-HOWTO.sgml | 32 ++++++++++++++++++++++++++++---- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/docs/docbook/projdoc/ADS-HOWTO.sgml b/docs/docbook/projdoc/ADS-HOWTO.sgml index d08833b7fd..c7def652fc 100644 --- a/docs/docbook/projdoc/ADS-HOWTO.sgml +++ b/docs/docbook/projdoc/ADS-HOWTO.sgml @@ -11,7 +11,7 @@ This is a rough guide to setting up Samba 3.0 with kerberos authentication against a Windows2000 KDC. - + Setup your <filename>smb.conf</filename> @@ -44,6 +44,8 @@ In case samba can't figure out your ads server using your realm name, use the Setup your <filename>/etc/krb5.conf</filename> +Note: you will need the krb5 workstation, devel, and libs installed + The minimal configuration for krb5.conf is: @@ -53,10 +55,16 @@ In case samba can't figure out your ads server using your realm name, use the } -Test your config by doing a kinit USERNAME@REALM and making sure that +Test your config by doing a kinit +USERNAME@REALM and making sure that your password is accepted by the Win2000 KDC. -The realm must be uppercase. +The realm must be uppercase or you will get "Cannot find KDC for requested +realm while getting initial credentials" error + +Time between the two servers must be synchronized. You will get a +"kinit(v5): Clock skew too great while getting initial credentials" if the time +difference is more than five minutes. You also must ensure that you can do a reverse DNS lookup on the IP 
@@ -99,7 +107,15 @@ As a user that has write permission on the Samba private directory "ADS support not compiled in" -Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the kerberos libs and headers are installed. +Samba must be reconfigured (remove config.cache) and recompiled +(make clean all install) after the kerberos libs and headers are installed. + + +net ads join prompts for user name +You need to login to the domain using kinit +USERNAME@REALM. +USERNAME must be a user who has rights to add a machine +to the domain. @@ -110,6 +126,12 @@ As a user that has write permission on the Samba private directory Test your server setup + +If the join was successful, you will see a new computer account with the +NetBIOS name of your Samba server in Active Directory (in the "Computers" +folder under Users and Computers. + + On a Windows 2000 client try net use * \\server\share. You should be logged in with kerberos without needing to know a password. If @@ -136,6 +158,8 @@ specify the -k option to choose kerberos authentication. You must change administrator password at least once after DC install, to create the right encoding types + + w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in their defaults DNS setup. Maybe fixed in service packs? -- cgit From 01ff89b58bc1eac22166bcf583d3af3c50131b6d Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 24 Apr 2003 20:20:25 +0000 Subject: Get rid of module_path_get_name() (This used to be commit 9f9bdd97dbbabde7b2979c62dfdf150fae8670ec) --- source3/lib/iconv.c | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/source3/lib/iconv.c b/source3/lib/iconv.c index 9240e24074..906c831335 100644 --- a/source3/lib/iconv.c +++ b/source3/lib/iconv.c 
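Review bot: in the "Test your server setup" hunk of ADS-HOWTO.sgml the parenthesis in `(in the "Computers" folder under Users and Computers.` is never closed, and in the krb5.conf hunk the new sentence ending `... while getting initial credentials" error` has no full stop. Style: the quoted error messages ("Cannot find KDC for requested realm ...", "kinit(v5): Clock skew too great ...") would be clearer in the same inline markup the file already uses for kinit and <filename> than in bare double quotes.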
@@ -66,12 +66,9 @@ static struct charset_functions *charsets = NULL; static struct charset_functions *find_charset_functions(const char *name) { struct charset_functions *c = charsets; - pstring stripped; - module_path_get_name(name, stripped); - while(c) { - if (strcasecmp(stripped, c->name) == 0) { + if (strcasecmp(name, c->name) == 0) { return c; } c = c->next; @@ -86,12 +83,10 @@ BOOL smb_register_charset(struct charset_functions *funcs) DEBUG(5, ("Attempting to register new charset %s\n", funcs->name)); /* Check whether we already have this charset... */ - while(c) { - if(!strcasecmp(c->name, funcs->name)){ - DEBUG(2, ("Duplicate charset %s, not registering\n", funcs->name)); - return False; - } - c = c->next; + + if (find_charset_functions(funcs->name)) { + DEBUG(2, ("Duplicate charset %s, not registering\n", funcs->name)); + return False; } funcs->next = funcs->prev = NULL; -- cgit From 0a2060b9a7977a0545d25f0cc6687b1fcc3acaac Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 24 Apr 2003 20:32:31 +0000 Subject: Declare static function before using it (This used to be commit d501946ef6e417b9d3fa4b492dd20991e3e56baf) --- source3/passdb/pdb_interface.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c index 9224e784e0..57424bb2d8 100644 --- a/source3/passdb/pdb_interface.c +++ b/source3/passdb/pdb_interface.c @@ -34,6 +34,8 @@ static void lazy_initialize_passdb(void) initialized = True; } +static struct pdb_init_function_entry *pdb_find_backend_entry(const char *name); + BOOL smb_register_passdb(const char *name, pdb_init_function init, int version) { struct pdb_init_function_entry *entry = backends; -- cgit From d117c3bf0a53ba79a70a960d4daf3a9da9faadab Mon Sep 17 00:00:00 2001 
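Review bot: after the smb_register_charset hunk removes the manual `while(c)` walk, the `c` pointer it iterated (declared above the hunk) appears to have no remaining use; drop the declaration or the build gains an unused-variable warning. The find_charset_functions change also drops module_path_get_name(), so a lookup that passed a path-qualified module name before will now fail the strcasecmp against c->name; confirm every caller passes a bare charset name.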
From: Jelmer Vernooij Date: Thu, 24 Apr 2003 20:42:16 +0000 Subject: Complain about duplicate charsets at debug level 0 instead of 2 (This used to be commit d29407d41eb2ed9cf370e278cb4c95c6c341a08d) --- source3/lib/iconv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/lib/iconv.c b/source3/lib/iconv.c index 906c831335..a5fcf32b5b 100644 --- a/source3/lib/iconv.c +++ b/source3/lib/iconv.c @@ -85,7 +85,7 @@ BOOL smb_register_charset(struct charset_functions *funcs) /* Check whether we already have this charset... */ if (find_charset_functions(funcs->name)) { - DEBUG(2, ("Duplicate charset %s, not registering\n", funcs->name)); + DEBUG(0, ("Duplicate charset %s, not registering\n", funcs->name)); return False; } -- cgit From 172fe551bc5eb55bd44ddc952b94b6dd47959d48 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 24 Apr 2003 20:51:16 +0000 Subject: Move pdb_mysql and pdb_xml from modules/ to passdb/, just like they are in 3_0 (This used to be commit 9b969f877f8057930fb53da99ee8a0574b4f5531) --- source3/Makefile.in | 6 +- source3/configure.in | 4 +- source3/modules/mysql.c | 977 --------------------------------------------- source3/modules/xml.c | 569 -------------------------- source3/passdb/pdb_mysql.c | 977 +++++++++++++++++++++++++++++++++++++++++++++ source3/passdb/pdb_xml.c | 569 ++++++++++++++++++++++++++ 6 files changed, 1551 insertions(+), 1551 deletions(-) delete mode 100644 source3/modules/mysql.c delete mode 100644 source3/modules/xml.c create mode 100644 source3/passdb/pdb_mysql.c create mode 100644 source3/passdb/pdb_xml.c diff --git a/source3/Makefile.in b/source3/Makefile.in index 4ad76e4bbb..3e9a6665ac 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in 
@@ -282,8 +282,8 @@ PASSDB_OBJ = $(PASSDB_GET_SET_OBJ) passdb/passdb.o passdb/pdb_interface.o \ passdb/machine_sid.o passdb/util_sam_sid.o passdb/pdb_compat.o \ passdb/privileges.o @LDAP_OBJ@ @PDB_STATIC@ -XML_OBJ = modules/xml.o -MYSQL_OBJ = modules/mysql.o +XML_OBJ = passdb/pdb_xml.o +MYSQL_OBJ = passdb/pdb_mysql.o DEVEL_HELP_OBJ = modules/developer.o SAM_STATIC_MODULES = sam/sam_plugin.o sam/sam_skel.o sam/sam_ads.o @@ -1044,7 +1044,7 @@ bin/nisplussam.@SHLIBEXT@: passdb/pdb_nisplus.o @$(SHLD) $(LDSHFLAGS) -o $@ passdb/pdb_nisplus.o \ @SONAMEFLAG@`basename $@` -bin/weird.@SHLIBEXT@: $(DEVEL_HELP_OBJ) +bin/developer.@SHLIBEXT@: $(DEVEL_HELP_OBJ) @echo "Building plugin $@" @$(SHLD) $(LDSHFLAGS) -o $@ $(DEVEL_HELP_OBJ) \ @SONAMEFLAG@`basename $@` diff --git a/source3/configure.in b/source3/configure.in index a8049345ca..e9f7016a8a 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -3425,9 +3425,9 @@ AC_ARG_WITH(shared-modules, done fi ]) -SMB_MODULE(pdb_xml, modules/xml.o, "bin/xml.$SHLIBEXT", PDB, +SMB_MODULE(pdb_xml, passdb/pdb_xml.o, "bin/xml.$SHLIBEXT", PDB, [ PASSDBLIBS="$PASSDBLIBS $XML_LIBS" ] ) -SMB_MODULE(pdb_mysql, modules/mysql.o, "bin/mysql.$SHLIBEXT", PDB, +SMB_MODULE(pdb_mysql, passdb/pdb_mysql.o, "bin/mysql.$SHLIBEXT", PDB, [ PASSDBLIBS="$PASSDBLIBS $MYSQL_LIBS" ] ) SMB_MODULE(pdb_ldap, passdb/pdb_ldap.o, "bin/ldapsam.$SHLIBEXT", PDB, [ PASSDBLIBS="$PASSDBLIBS $LDAP_LIBS" ] ) diff --git a/source3/modules/mysql.c b/source3/modules/mysql.c deleted file mode 100644 index ec8c6f9ab8..0000000000 --- a/source3/modules/mysql.c +++ /dev/null 
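Review bot: the bin/weird to bin/developer target rename and the modules/ to passdb/ object moves need matching updates wherever those paths are referenced (install targets, module lists, docs). Note also that SMB_MODULE still emits bin/xml.$SHLIBEXT and bin/mysql.$SHLIBEXT while the objects are now passdb/pdb_xml.o and passdb/pdb_mysql.o, unlike pdb_ldap's bin/ldapsam naming in the same block, so plugin file names are now inconsistent with their sources.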
@@ -1,977 +0,0 @@ - -/* - * MySQL password backend for samba - * Copyright (C) Jelmer Vernooij 2002 - * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free - * Software Foundation; either version 2 of the License, or (at your option) - * any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - * more details. - * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 675 - * Mass Ave, Cambridge, MA 02139, USA. - */ - -#include "includes.h" -#include - -#define CONFIG_TABLE_DEFAULT "user" -#define CONFIG_LOGON_TIME_DEFAULT "logon_time" -#define CONFIG_LOGOFF_TIME_DEFAULT "logoff_time" -#define CONFIG_KICKOFF_TIME_DEFAULT "kickoff_time" -#define CONFIG_PASS_LAST_SET_TIME_DEFAULT "pass_last_set_time" -#define CONFIG_PASS_CAN_CHANGE_TIME_DEFAULT "pass_can_change_time" -#define CONFIG_PASS_MUST_CHANGE_TIME_DEFAULT "pass_must_change_time" -#define CONFIG_USERNAME_DEFAULT "username" -#define CONFIG_DOMAIN_DEFAULT "domain" -#define CONFIG_NT_USERNAME_DEFAULT "nt_username" -#define CONFIG_FULLNAME_DEFAULT "nt_fullname" -#define CONFIG_HOME_DIR_DEFAULT "home_dir" -#define CONFIG_DIR_DRIVE_DEFAULT "dir_drive" -#define CONFIG_LOGON_SCRIPT_DEFAULT "logon_script" -#define CONFIG_PROFILE_PATH_DEFAULT "profile_path" -#define CONFIG_ACCT_DESC_DEFAULT "acct_desc" -#define CONFIG_WORKSTATIONS_DEFAULT "workstations" -#define CONFIG_UNKNOWN_STR_DEFAULT "unknown_str" -#define CONFIG_MUNGED_DIAL_DEFAULT "munged_dial" -#define CONFIG_UID_DEFAULT "uid" -#define CONFIG_GID_DEFAULT "gid" -#define CONFIG_USER_SID_DEFAULT "user_sid" -#define CONFIG_GROUP_SID_DEFAULT "group_sid" -#define 
CONFIG_LM_PW_DEFAULT "lm_pw" -#define CONFIG_NT_PW_DEFAULT "nt_pw" -#define CONFIG_PLAIN_PW_DEFAULT "NULL" -#define CONFIG_ACCT_CTRL_DEFAULT "acct_ctrl" -#define CONFIG_UNKNOWN_3_DEFAULT "unknown_3" -#define CONFIG_LOGON_DIVS_DEFAULT "logon_divs" -#define CONFIG_HOURS_LEN_DEFAULT "hours_len" -#define CONFIG_UNKNOWN_5_DEFAULT "unknown_5" -#define CONFIG_UNKNOWN_6_DEFAULT "unknown_6" -#define CONFIG_HOST_DEFAULT "localhost" -#define CONFIG_USER_DEFAULT "samba" -#define CONFIG_PASS_DEFAULT "" -#define CONFIG_PORT_DEFAULT "3306" -#define CONFIG_DB_DEFAULT "samba" - -static int mysqlsam_debug_level = DBGC_ALL; - -#undef DBGC_CLASS -#define DBGC_CLASS mysqlsam_debug_level - -typedef struct pdb_mysql_data { - MYSQL *handle; - MYSQL_RES *pwent; - const char *location; -} pdb_mysql_data; - -/* Used to construct insert and update queries */ - -typedef struct pdb_mysql_query { - char update; - TALLOC_CTX *mem_ctx; - char *part1; - char *part2; -} pdb_mysql_query; -#define SET_DATA(data,methods) { \ - if(!methods){ \ - DEBUG(0, ("invalid methods!\n")); \ - return NT_STATUS_INVALID_PARAMETER; \ - } \ - data = (struct pdb_mysql_data *)methods->private_data; \ - if(!data || !(data->handle)){ \ - DEBUG(0, ("invalid handle!\n")); \ - return NT_STATUS_INVALID_HANDLE; \ - } \ -} - -static void pdb_mysql_int_field(struct pdb_methods *m, - struct pdb_mysql_query *q, const char *name, int value) -{ - if (!name || strchr(name, '\'')) - return; /* This field shouldn't be set by us */ - - if (q->update) { - q->part1 = - talloc_asprintf_append(q->mem_ctx, q->part1, - "%s = %d,", name, value); - } else { - q->part1 = - talloc_asprintf_append(q->mem_ctx, q->part1, "%s,", name); - q->part2 = - talloc_asprintf_append(q->mem_ctx, q->part2, "%d,", value); - } -} - -static NTSTATUS pdb_mysql_string_field(struct pdb_methods *methods, - struct pdb_mysql_query *q, - const char *name, const char *value) -{ - char *esc_value; - struct pdb_mysql_data *data; - char *tmp_value; - - SET_DATA(data, 
methods); - - if (!name || !value || !strcmp(value, "") || strchr(name, '\'')) - return NT_STATUS_INVALID_PARAMETER; /* This field shouldn't be set by module */ - - esc_value = malloc(strlen(value) * 2 + 1); - - tmp_value = smb_xstrdup(value); - mysql_real_escape_string(data->handle, esc_value, tmp_value, - strlen(tmp_value)); - SAFE_FREE(tmp_value); - - if (q->update) { - q->part1 = - talloc_asprintf_append(q->mem_ctx, q->part1, - "%s = '%s',", name, esc_value); - } else { - q->part1 = - talloc_asprintf_append(q->mem_ctx, q->part1, "%s,", name); - q->part2 = - talloc_asprintf_append(q->mem_ctx, q->part2, "'%s',", - esc_value); - } - - SAFE_FREE(esc_value); - - return NT_STATUS_OK; -} - -#define config_value(data,name,default_value) \ - lp_parm_const_string(GLOBAL_SECTION_SNUM, (data)->location, name, default_value) - -static const char * config_value_write(pdb_mysql_data * data, const char *name, const char *default_value) { - char const *v = NULL; - char const *swrite = NULL; - - v = lp_parm_const_string(GLOBAL_SECTION_SNUM, data->location, name, default_value); - - if (!v) - return NULL; - - swrite = strchr(v, ':'); - - /* Default to the same field as read field */ - if (!swrite) - return v; - - swrite++; - - /* If the field is 0 chars long, we shouldn't write to it */ - if (!strlen(swrite) || !strcmp(swrite, "NULL")) - return NULL; - - /* Otherwise, use the additionally specified */ - return swrite; -} - -static const char * config_value_read(pdb_mysql_data * data, const char *name, const char *default_value) -{ - char *v = NULL; - char *swrite; - - v = lp_parm_talloc_string(GLOBAL_SECTION_SNUM, data->location, name, default_value); - - if (!v) - return "NULL"; - - swrite = strchr(v, ':'); - - /* If no write is specified, there are no problems */ - if (!swrite) { - if (strlen(v) == 0) - return "NULL"; - return (const char *)v; - } - - /* Otherwise, we have to cut the ':write_part' */ - *swrite = '\0'; - if (strlen(v) == 0) - return "NULL"; - - return (const 
char *)v; -} - -/* Wrapper for atol that returns 0 if 'a' points to NULL */ -static long xatol(const char *a) -{ - long ret = 0; - - if (a != NULL) - ret = atol(a); - - return ret; -} - -static NTSTATUS row_to_sam_account(MYSQL_RES * r, SAM_ACCOUNT * u) -{ - MYSQL_ROW row; - pstring temp; - unsigned int num_fields; - DOM_SID sid; - - num_fields = mysql_num_fields(r); - row = mysql_fetch_row(r); - if (!row) - return NT_STATUS_INVALID_PARAMETER; - - pdb_set_logon_time(u, xatol(row[0]), PDB_SET); - pdb_set_logoff_time(u, xatol(row[1]), PDB_SET); - pdb_set_kickoff_time(u, xatol(row[2]), PDB_SET); - pdb_set_pass_last_set_time(u, xatol(row[3]), PDB_SET); - pdb_set_pass_can_change_time(u, xatol(row[4]), PDB_SET); - pdb_set_pass_must_change_time(u, xatol(row[5]), PDB_SET); - pdb_set_username(u, row[6], PDB_SET); - pdb_set_domain(u, row[7], PDB_SET); - pdb_set_nt_username(u, row[8], PDB_SET); - pdb_set_fullname(u, row[9], PDB_SET); - pdb_set_homedir(u, row[10], PDB_SET); - pdb_set_dir_drive(u, row[11], PDB_SET); - pdb_set_logon_script(u, row[12], PDB_SET); - pdb_set_profile_path(u, row[13], PDB_SET); - pdb_set_acct_desc(u, row[14], PDB_SET); - pdb_set_workstations(u, row[15], PDB_SET); - pdb_set_unknown_str(u, row[16], PDB_SET); - pdb_set_munged_dial(u, row[17], PDB_SET); - - if (row[18]) - pdb_set_uid(u, xatol(row[18]), PDB_SET); - if (row[19]) - pdb_set_gid(u, xatol(row[19]), PDB_SET); - - string_to_sid(&sid, row[20]); - pdb_set_user_sid(u, &sid, PDB_SET); - string_to_sid(&sid, row[21]); - pdb_set_group_sid(u, &sid, PDB_SET); - - if (pdb_gethexpwd(row[22], temp), PDB_SET) - pdb_set_lanman_passwd(u, temp, PDB_SET); - if (pdb_gethexpwd(row[23], temp), PDB_SET) - pdb_set_nt_passwd(u, temp, PDB_SET); - - /* Only use plaintext password storage when lanman and nt are - * NOT used */ - if (!row[22] || !row[23]) - pdb_set_plaintext_passwd(u, row[24]); - - pdb_set_acct_ctrl(u, xatol(row[25]), PDB_SET); - pdb_set_unknown_3(u, xatol(row[26]), PDB_SET); - pdb_set_logon_divs(u, 
xatol(row[27]), PDB_SET); - pdb_set_hours_len(u, xatol(row[28]), PDB_SET); - pdb_set_unknown_5(u, xatol(row[29]), PDB_SET); - pdb_set_unknown_6(u, xatol(row[30]), PDB_SET); - - return NT_STATUS_OK; -} - -static NTSTATUS mysqlsam_setsampwent(struct pdb_methods *methods, BOOL update) -{ - struct pdb_mysql_data *data = - (struct pdb_mysql_data *) methods->private_data; - char *query; - int ret; - - if (!data || !(data->handle)) { - DEBUG(0, ("invalid handle!\n")); - return NT_STATUS_INVALID_HANDLE; - } - - asprintf(&query, - "SELECT %s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s FROM %s", - config_value_read(data, "logon time column", - CONFIG_LOGON_TIME_DEFAULT), - config_value_read(data, "logoff time column", - CONFIG_LOGOFF_TIME_DEFAULT), - config_value_read(data, "kickoff time column", - CONFIG_KICKOFF_TIME_DEFAULT), - config_value_read(data, "pass last set time column", - CONFIG_PASS_LAST_SET_TIME_DEFAULT), - config_value_read(data, "pass can change time column", - CONFIG_PASS_CAN_CHANGE_TIME_DEFAULT), - config_value_read(data, "pass must change time column", - CONFIG_PASS_MUST_CHANGE_TIME_DEFAULT), - config_value_read(data, "username column", - CONFIG_USERNAME_DEFAULT), - config_value_read(data, "domain column", - CONFIG_DOMAIN_DEFAULT), - config_value_read(data, "nt username column", - CONFIG_NT_USERNAME_DEFAULT), - config_value_read(data, "fullname column", - CONFIG_FULLNAME_DEFAULT), - config_value_read(data, "home dir column", - CONFIG_HOME_DIR_DEFAULT), - config_value_read(data, "dir drive column", - CONFIG_DIR_DRIVE_DEFAULT), - config_value_read(data, "logon script column", - CONFIG_LOGON_SCRIPT_DEFAULT), - config_value_read(data, "profile path column", - CONFIG_PROFILE_PATH_DEFAULT), - config_value_read(data, "acct desc column", - CONFIG_ACCT_DESC_DEFAULT), - config_value_read(data, "workstations column", - CONFIG_WORKSTATIONS_DEFAULT), - config_value_read(data, "unknown string column", - 
CONFIG_UNKNOWN_STR_DEFAULT), - config_value_read(data, "munged dial column", - CONFIG_MUNGED_DIAL_DEFAULT), - config_value_read(data, "uid column", CONFIG_UID_DEFAULT), - config_value_read(data, "gid column", CONFIG_GID_DEFAULT), - config_value_read(data, "user sid column", - CONFIG_USER_SID_DEFAULT), - config_value_read(data, "group sid column", - CONFIG_GROUP_SID_DEFAULT), - config_value_read(data, "lanman pass column", - CONFIG_LM_PW_DEFAULT), - config_value_read(data, "nt pass column", - CONFIG_NT_PW_DEFAULT), - config_value_read(data, "plain pass column", - CONFIG_PLAIN_PW_DEFAULT), - config_value_read(data, "acct ctrl column", - CONFIG_ACCT_CTRL_DEFAULT), - config_value_read(data, "unknown 3 column", - CONFIG_UNKNOWN_3_DEFAULT), - config_value_read(data, "logon divs column", - CONFIG_LOGON_DIVS_DEFAULT), - config_value_read(data, "hours len column", - CONFIG_HOURS_LEN_DEFAULT), - config_value_read(data, "unknown 5 column", - CONFIG_UNKNOWN_5_DEFAULT), - config_value_read(data, "unknown 6 column", - CONFIG_UNKNOWN_6_DEFAULT), - config_value(data, "table", CONFIG_TABLE_DEFAULT) - ); - DEBUG(5, ("Executing query %s\n", query)); - - ret = mysql_query(data->handle, query); - SAFE_FREE(query); - - if (ret) { - DEBUG(0, - ("Error executing MySQL query %s\n", mysql_error(data->handle))); - return NT_STATUS_UNSUCCESSFUL; - } - - data->pwent = mysql_store_result(data->handle); - - if (data->pwent == NULL) { - DEBUG(0, - ("Error storing results: %s\n", mysql_error(data->handle))); - return NT_STATUS_UNSUCCESSFUL; - } - - DEBUG(5, - ("mysqlsam_setsampwent succeeded(%llu results)!\n", - mysql_num_rows(data->pwent))); - - return NT_STATUS_OK; -} - -/*************************************************************** - End enumeration of the passwd list. 
- ****************************************************************/ - -static void mysqlsam_endsampwent(struct pdb_methods *methods) -{ - struct pdb_mysql_data *data = - (struct pdb_mysql_data *) methods->private_data; - - if (data == NULL) { - DEBUG(0, ("invalid handle!\n")); - return; - } - - if (data->pwent != NULL) - mysql_free_result(data->pwent); - - data->pwent = NULL; - - DEBUG(5, ("mysql_endsampwent called\n")); -} - -/***************************************************************** - Get one SAM_ACCOUNT from the list (next in line) - *****************************************************************/ - -static NTSTATUS mysqlsam_getsampwent(struct pdb_methods *methods, SAM_ACCOUNT * user) -{ - struct pdb_mysql_data *data; - - SET_DATA(data, methods); - - if (data->pwent == NULL) { - DEBUG(0, ("invalid pwent\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - return row_to_sam_account(data->pwent, user); -} - -static NTSTATUS mysqlsam_select_by_field(struct pdb_methods * methods, SAM_ACCOUNT * user, - const char *field, const char *sname) -{ - char *esc_sname; - char *query; - NTSTATUS ret; - MYSQL_RES *res; - int mysql_ret; - struct pdb_mysql_data *data; - char *tmp_sname; - - SET_DATA(data, methods); - - esc_sname = malloc(strlen(sname) * 2 + 1); - if (!esc_sname) { - return NT_STATUS_NO_MEMORY; - } - - DEBUG(5, - ("mysqlsam_select_by_field: getting data where %s = %s(nonescaped)\n", - field, sname)); - - tmp_sname = smb_xstrdup(sname); - - /* Escape sname */ - mysql_real_escape_string(data->handle, esc_sname, tmp_sname, - strlen(tmp_sname)); - - SAFE_FREE(tmp_sname); - - if (user == NULL) { - DEBUG(0, ("pdb_getsampwnam: SAM_ACCOUNT is NULL.\n")); - SAFE_FREE(esc_sname); - return NT_STATUS_INVALID_PARAMETER; - } - - asprintf(&query, - "SELECT %s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s FROM %s WHERE %s = '%s'", - config_value_read(data, "logon time column", - CONFIG_LOGON_TIME_DEFAULT), - 
config_value_read(data, "logoff time column", - CONFIG_LOGOFF_TIME_DEFAULT), - config_value_read(data, "kickoff time column", - CONFIG_KICKOFF_TIME_DEFAULT), - config_value_read(data, "pass last set time column", - CONFIG_PASS_LAST_SET_TIME_DEFAULT), - config_value_read(data, "pass can change time column", - CONFIG_PASS_CAN_CHANGE_TIME_DEFAULT), - config_value_read(data, "pass must change time column", - CONFIG_PASS_MUST_CHANGE_TIME_DEFAULT), - config_value_read(data, "username column", - CONFIG_USERNAME_DEFAULT), - config_value_read(data, "domain column", - CONFIG_DOMAIN_DEFAULT), - config_value_read(data, "nt username column", - CONFIG_NT_USERNAME_DEFAULT), - config_value_read(data, "fullname column", - CONFIG_FULLNAME_DEFAULT), - config_value_read(data, "home dir column", - CONFIG_HOME_DIR_DEFAULT), - config_value_read(data, "dir drive column", - CONFIG_DIR_DRIVE_DEFAULT), - config_value_read(data, "logon script column", - CONFIG_LOGON_SCRIPT_DEFAULT), - config_value_read(data, "profile path column", - CONFIG_PROFILE_PATH_DEFAULT), - config_value_read(data, "acct desc column", - CONFIG_ACCT_DESC_DEFAULT), - config_value_read(data, "workstations column", - CONFIG_WORKSTATIONS_DEFAULT), - config_value_read(data, "unknown string column", - CONFIG_UNKNOWN_STR_DEFAULT), - config_value_read(data, "munged dial column", - CONFIG_MUNGED_DIAL_DEFAULT), - config_value_read(data, "uid column", CONFIG_UID_DEFAULT), - config_value_read(data, "gid column", CONFIG_GID_DEFAULT), - config_value_read(data, "user sid column", - CONFIG_USER_SID_DEFAULT), - config_value_read(data, "group sid column", - CONFIG_GROUP_SID_DEFAULT), - config_value_read(data, "lanman pass column", - CONFIG_LM_PW_DEFAULT), - config_value_read(data, "nt pass column", - CONFIG_NT_PW_DEFAULT), - config_value_read(data, "plain pass column", - CONFIG_PLAIN_PW_DEFAULT), - config_value_read(data, "acct ctrl column", - CONFIG_ACCT_CTRL_DEFAULT), - config_value_read(data, "unknown 3 column", - 
CONFIG_UNKNOWN_3_DEFAULT), - config_value_read(data, "logon divs column", - CONFIG_LOGON_DIVS_DEFAULT), - config_value_read(data, "hours len column", - CONFIG_HOURS_LEN_DEFAULT), - config_value_read(data, "unknown 5 column", - CONFIG_UNKNOWN_5_DEFAULT), - config_value_read(data, "unknown 6 column", - CONFIG_UNKNOWN_6_DEFAULT), - config_value(data, "table", CONFIG_TABLE_DEFAULT), field, - esc_sname); - - SAFE_FREE(esc_sname); - - DEBUG(5, ("Executing query %s\n", query)); - - mysql_ret = mysql_query(data->handle, query); - - SAFE_FREE(query); - - if (mysql_ret) { - DEBUG(0, - ("Error while executing MySQL query %s\n", - mysql_error(data->handle))); - return NT_STATUS_UNSUCCESSFUL; - } - - res = mysql_store_result(data->handle); - if (res == NULL) { - DEBUG(0, - ("Error storing results: %s\n", mysql_error(data->handle))); - return NT_STATUS_UNSUCCESSFUL; - } - - ret = row_to_sam_account(res, user); - mysql_free_result(res); - - return ret; -} - -/****************************************************************** - Lookup a name in the SAM database - ******************************************************************/ - -static NTSTATUS mysqlsam_getsampwnam(struct pdb_methods *methods, SAM_ACCOUNT * user, - const char *sname) -{ - struct pdb_mysql_data *data; - - SET_DATA(data, methods); - - if (!sname) { - DEBUG(0, ("invalid name specified")); - return NT_STATUS_INVALID_PARAMETER; - } - - return mysqlsam_select_by_field(methods, user, - config_value_read(data, "username column", - CONFIG_USERNAME_DEFAULT), sname); -} - - -/*************************************************************************** - Search by sid - **************************************************************************/ - -static NTSTATUS mysqlsam_getsampwsid(struct pdb_methods *methods, SAM_ACCOUNT * user, - const DOM_SID * sid) -{ - struct pdb_mysql_data *data; - fstring sid_str; - - SET_DATA(data, methods); - - sid_to_string(sid_str, sid); - - return mysqlsam_select_by_field(methods, user, - 
config_value_read(data, "user sid column", - CONFIG_USER_SID_DEFAULT), sid_str); -} - -/*************************************************************************** - Delete a SAM_ACCOUNT - ****************************************************************************/ - -static NTSTATUS mysqlsam_delete_sam_account(struct pdb_methods *methods, - SAM_ACCOUNT * sam_pass) -{ - const char *sname = pdb_get_username(sam_pass); - char *esc; - char *query; - int ret; - struct pdb_mysql_data *data; - char *tmp_sname; - - SET_DATA(data, methods); - - if (!methods) { - DEBUG(0, ("invalid methods!\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - data = (struct pdb_mysql_data *) methods->private_data; - if (!data || !(data->handle)) { - DEBUG(0, ("invalid handle!\n")); - return NT_STATUS_INVALID_HANDLE; - } - - if (!sname) { - DEBUG(0, ("invalid name specified\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - /* Escape sname */ - esc = malloc(strlen(sname) * 2 + 1); - if (!esc) { - DEBUG(0, ("Can't allocate memory to store escaped name\n")); - return NT_STATUS_NO_MEMORY; - } - - tmp_sname = smb_xstrdup(sname); - - mysql_real_escape_string(data->handle, esc, tmp_sname, - strlen(tmp_sname)); - - SAFE_FREE(tmp_sname); - - asprintf(&query, "DELETE FROM %s WHERE %s = '%s'", - config_value(data, "table", CONFIG_TABLE_DEFAULT), - config_value_read(data, "username column", - CONFIG_USERNAME_DEFAULT), esc); - - SAFE_FREE(esc); - - ret = mysql_query(data->handle, query); - - SAFE_FREE(query); - - if (ret) { - DEBUG(0, - ("Error while executing query: %s\n", - mysql_error(data->handle))); - return NT_STATUS_UNSUCCESSFUL; - } - - DEBUG(5, ("User '%s' deleted\n", sname)); - return NT_STATUS_OK; -} - -static NTSTATUS mysqlsam_replace_sam_account(struct pdb_methods *methods, - const SAM_ACCOUNT * newpwd, char isupdate) -{ - pstring temp; - struct pdb_mysql_data *data; - pdb_mysql_query query; - fstring sid_str; - - if (!methods) { - DEBUG(0, ("invalid methods!\n")); - return 
NT_STATUS_INVALID_PARAMETER; - } - - data = (struct pdb_mysql_data *) methods->private_data; - if (data == NULL || data->handle == NULL) { - DEBUG(0, ("invalid handle!\n")); - return NT_STATUS_INVALID_HANDLE; - } - query.update = isupdate; - - /* I know this is somewhat overkill but only the talloc - * functions have asprint_append and the 'normal' asprintf - * is a GNU extension */ - query.mem_ctx = talloc_init("mysqlsam_replace_sam_account"); - query.part2 = talloc_asprintf(query.mem_ctx, "%s", ""); - if (query.update) { - query.part1 = - talloc_asprintf(query.mem_ctx, "UPDATE %s SET ", - config_value(data, "table", - CONFIG_TABLE_DEFAULT)); - } else { - query.part1 = - talloc_asprintf(query.mem_ctx, "INSERT INTO %s (", - config_value(data, "table", - CONFIG_TABLE_DEFAULT)); - } - - pdb_mysql_int_field(methods, &query, - config_value_write(data, "acct ctrl column", - CONFIG_ACCT_CTRL_DEFAULT), - pdb_get_acct_ctrl(newpwd)); - - if (pdb_get_init_flags(newpwd, PDB_LOGONTIME) != PDB_DEFAULT) { - pdb_mysql_int_field(methods, &query, - config_value_write(data, - "logon time column", - CONFIG_LOGON_TIME_DEFAULT), - pdb_get_logon_time(newpwd)); - } - - if (pdb_get_init_flags(newpwd, PDB_LOGOFFTIME) != PDB_DEFAULT) { - pdb_mysql_int_field(methods, &query, - config_value_write(data, - "logoff time column", - CONFIG_LOGOFF_TIME_DEFAULT), - pdb_get_logoff_time(newpwd)); - } - - if (pdb_get_init_flags(newpwd, PDB_KICKOFFTIME) != PDB_DEFAULT) { - pdb_mysql_int_field(methods, &query, - config_value_write(data, - "kickoff time column", - CONFIG_KICKOFF_TIME_DEFAULT), - pdb_get_kickoff_time(newpwd)); - } - - if (pdb_get_init_flags(newpwd, PDB_CANCHANGETIME) != PDB_DEFAULT) { - pdb_mysql_int_field(methods, &query, - config_value_write(data, - "pass can change time column", - CONFIG_PASS_CAN_CHANGE_TIME_DEFAULT), - pdb_get_pass_can_change_time(newpwd)); - } - - if (pdb_get_init_flags(newpwd, PDB_MUSTCHANGETIME) != PDB_DEFAULT) { - pdb_mysql_int_field(methods, &query, - 
config_value_write(data, - "pass must change time column", - CONFIG_PASS_MUST_CHANGE_TIME_DEFAULT), - pdb_get_pass_must_change_time(newpwd)); - } - - if (pdb_get_pass_last_set_time(newpwd)) { - pdb_mysql_int_field(methods, &query, - config_value_write(data, - "pass last set time column", - CONFIG_PASS_LAST_SET_TIME_DEFAULT), - pdb_get_pass_last_set_time(newpwd)); - } - - if (pdb_get_hours_len(newpwd)) { - pdb_mysql_int_field(methods, &query, - config_value_write(data, - "hours len column", - CONFIG_HOURS_LEN_DEFAULT), - pdb_get_hours_len(newpwd)); - } - - if (pdb_get_logon_divs(newpwd)) { - pdb_mysql_int_field(methods, &query, - config_value_write(data, - "logon divs column", - CONFIG_LOGON_DIVS_DEFAULT), - pdb_get_logon_divs(newpwd)); - } - - if (pdb_get_init_flags(newpwd, PDB_UID) != PDB_DEFAULT) { - pdb_mysql_int_field(methods, &query, - config_value_write(data, "uid column", - CONFIG_UID_DEFAULT), - pdb_get_uid(newpwd)); - } - - if (pdb_get_init_flags(newpwd, PDB_GID) != PDB_DEFAULT) { - pdb_mysql_int_field(methods, &query, - config_value_write(data, "gid column", - CONFIG_GID_DEFAULT), - pdb_get_gid(newpwd)); - } - - pdb_mysql_string_field(methods, &query, - config_value_write(data, "user sid column", - CONFIG_USER_SID_DEFAULT), - sid_to_string(sid_str, - pdb_get_user_sid(newpwd))); - - pdb_mysql_string_field(methods, &query, - config_value_write(data, "group sid column", - CONFIG_GROUP_SID_DEFAULT), - sid_to_string(sid_str, - pdb_get_group_sid(newpwd))); - - pdb_mysql_string_field(methods, &query, - config_value_write(data, "username column", - CONFIG_USERNAME_DEFAULT), - pdb_get_username(newpwd)); - - pdb_mysql_string_field(methods, &query, - config_value_write(data, "domain column", - CONFIG_DOMAIN_DEFAULT), - pdb_get_domain(newpwd)); - - pdb_mysql_string_field(methods, &query, - config_value_write(data, - "nt username column", - CONFIG_NT_USERNAME_DEFAULT), - pdb_get_nt_username(newpwd)); - - pdb_mysql_string_field(methods, &query, - 
config_value_write(data, "fullname column", - CONFIG_FULLNAME_DEFAULT), - pdb_get_fullname(newpwd)); - - pdb_mysql_string_field(methods, &query, - config_value_write(data, - "logon script column", - CONFIG_LOGON_SCRIPT_DEFAULT), - pdb_get_logon_script(newpwd)); - - pdb_mysql_string_field(methods, &query, - config_value_write(data, - "profile path column", - CONFIG_PROFILE_PATH_DEFAULT), - pdb_get_profile_path(newpwd)); - - pdb_mysql_string_field(methods, &query, - config_value_write(data, "dir drive column", - CONFIG_DIR_DRIVE_DEFAULT), - pdb_get_dir_drive(newpwd)); - - pdb_mysql_string_field(methods, &query, - config_value_write(data, "home dir column", - CONFIG_HOME_DIR_DEFAULT), - pdb_get_homedir(newpwd)); - - pdb_mysql_string_field(methods, &query, - config_value_write(data, - "workstations column", - CONFIG_WORKSTATIONS_DEFAULT), - pdb_get_workstations(newpwd)); - - pdb_mysql_string_field(methods, &query, - config_value_write(data, - "unknown string column", - CONFIG_UNKNOWN_STR_DEFAULT), - pdb_get_workstations(newpwd)); - - pdb_sethexpwd(temp, pdb_get_lanman_passwd(newpwd), - pdb_get_acct_ctrl(newpwd)); - pdb_mysql_string_field(methods, &query, - config_value_write(data, - "lanman pass column", - CONFIG_LM_PW_DEFAULT), temp); - - pdb_sethexpwd(temp, pdb_get_nt_passwd(newpwd), - pdb_get_acct_ctrl(newpwd)); - pdb_mysql_string_field(methods, &query, - config_value_write(data, "nt pass column", - CONFIG_NT_PW_DEFAULT), temp); - - if (query.update) { - query.part1[strlen(query.part1) - 1] = '\0'; - query.part1 = - talloc_asprintf_append(query.mem_ctx, query.part1, - " WHERE %s = '%s'", - config_value_read(data, - "user sid column", - CONFIG_USER_SID_DEFAULT), - sid_to_string(sid_str, pdb_get_user_sid (newpwd))); - } else { - query.part2[strlen(query.part2) - 1] = ')'; - query.part1[strlen(query.part1) - 1] = ')'; - query.part1 = - talloc_asprintf_append(query.mem_ctx, query.part1, - " VALUES (%s", query.part2); - } - - DEBUG(0, ("%s\n", query.part1)); - /* Execute 
the query */ - if (mysql_query(data->handle, query.part1)) { - DEBUG(0, - ("Error executing %s, %s\n", query.part1, - mysql_error(data->handle))); - return NT_STATUS_INVALID_PARAMETER; - } - talloc_destroy(query.mem_ctx); - return NT_STATUS_OK; -} - -static NTSTATUS mysqlsam_add_sam_account(struct pdb_methods *methods, SAM_ACCOUNT * newpwd) -{ - return mysqlsam_replace_sam_account(methods, newpwd, 0); -} - -static NTSTATUS mysqlsam_update_sam_account(struct pdb_methods *methods, - SAM_ACCOUNT * newpwd) -{ - return mysqlsam_replace_sam_account(methods, newpwd, 1); -} - -static NTSTATUS mysqlsam_init(struct pdb_context * pdb_context, struct pdb_methods ** pdb_method, - const char *location) -{ - NTSTATUS nt_status; - struct pdb_mysql_data *data; - - mysqlsam_debug_level = debug_add_class("mysqlsam"); - if (mysqlsam_debug_level == -1) { - mysqlsam_debug_level = DBGC_ALL; - DEBUG(0, - ("mysqlsam: Couldn't register custom debugging class!\n")); - } - - if (!pdb_context) { - DEBUG(0, ("invalid pdb_methods specified\n")); - return NT_STATUS_UNSUCCESSFUL; - } - - if (!NT_STATUS_IS_OK - (nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) { - return nt_status; - } - - (*pdb_method)->name = "mysqlsam"; - - (*pdb_method)->setsampwent = mysqlsam_setsampwent; - (*pdb_method)->endsampwent = mysqlsam_endsampwent; - (*pdb_method)->getsampwent = mysqlsam_getsampwent; - (*pdb_method)->getsampwnam = mysqlsam_getsampwnam; - (*pdb_method)->getsampwsid = mysqlsam_getsampwsid; - (*pdb_method)->add_sam_account = mysqlsam_add_sam_account; - (*pdb_method)->update_sam_account = mysqlsam_update_sam_account; - (*pdb_method)->delete_sam_account = mysqlsam_delete_sam_account; - - data = talloc(pdb_context->mem_ctx, sizeof(struct pdb_mysql_data)); - (*pdb_method)->private_data = data; - data->handle = NULL; - data->pwent = NULL; - - if (!location) { - DEBUG(0, ("No identifier specified. 
Check the Samba HOWTO Collection for details\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - data->location = smb_xstrdup(location); - - DEBUG(1, - ("Connecting to database server, host: %s, user: %s, password: %s, database: %s, port: %ld\n", - config_value(data, "mysql host", CONFIG_HOST_DEFAULT), - config_value(data, "mysql user", CONFIG_USER_DEFAULT), - config_value(data, "mysql password", CONFIG_PASS_DEFAULT), - config_value(data, "mysql database", CONFIG_DB_DEFAULT), - xatol(config_value(data, "mysql port", CONFIG_PORT_DEFAULT)))); - - /* Do the mysql initialization */ - data->handle = mysql_init(NULL); - if (!data->handle) { - DEBUG(0, ("Failed to connect to server\n")); - return NT_STATUS_UNSUCCESSFUL; - } - /* Process correct entry in $HOME/.my.conf */ - if (!mysql_real_connect(data->handle, - config_value(data, "mysql host", CONFIG_HOST_DEFAULT), - config_value(data, "mysql user", CONFIG_USER_DEFAULT), - config_value(data, "mysql password", CONFIG_PASS_DEFAULT), - config_value(data, "mysql database", CONFIG_DB_DEFAULT), - xatol(config_value (data, "mysql port", CONFIG_PORT_DEFAULT)), - NULL, 0)) { - DEBUG(0, - ("Failed to connect to mysql database: error: %s\n", - mysql_error(data->handle))); - return NT_STATUS_UNSUCCESSFUL; - } - - DEBUG(5, ("Connected to mysql db\n")); - - return NT_STATUS_OK; -} - -int pdb_mysql_init(void) -{ - return smb_register_passdb("mysql", mysqlsam_init, PASSDB_INTERFACE_VERSION); -} diff --git a/source3/modules/xml.c b/source3/modules/xml.c deleted file mode 100644 index 42503c3d39..0000000000 --- a/source3/modules/xml.c +++ /dev/null 
@@ -1,569 +0,0 @@ - -/* - * XML password backend for samba - * Copyright (C) Jelmer Vernooij 2002 - * Some parts based on the libxml gjobread example by Daniel Veillard - * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free - * Software Foundation; either version 2 of the License, or (at your option) - * any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - * more details. - * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 675 - * Mass Ave, Cambridge, MA 02139, USA. - */ - -/* FIXME: - * - Support stdin input by using '-' - * - Be faster. Don't rewrite the whole file when adding a user, but store it in the memory and save it when exiting. Requires changes to samba source. - * - Gives the ability to read/write to standard input/output - * - Do locking! - * - Better names! 
- */ - - -#define XML_URL "http://www.samba.org/ns" - -#include "includes.h" - -#include -#include - -static int xmlsam_debug_level = DBGC_ALL; - -#undef DBGC_CLASS -#define DBGC_CLASS xmlsam_debug_level - -static char * iota(int a) { - static char tmp[10]; - - snprintf(tmp, 9, "%d", a); - return tmp; -} - -static BOOL parsePass(xmlDocPtr doc, xmlNsPtr ns, xmlNodePtr cur, SAM_ACCOUNT * u) -{ - pstring temp; - - cur = cur->xmlChildrenNode; - while (cur != NULL) { - if (strcmp(cur->name, "crypt")) - DEBUG(0, ("Unknown element %s\n", cur->name)); - else { - if (!strcmp(xmlGetProp(cur, "type"), "nt") - && - pdb_gethexpwd(xmlNodeListGetString - (doc, cur->xmlChildrenNode, 1), temp)) - pdb_set_nt_passwd(u, temp, PDB_SET); - else if (!strcmp(xmlGetProp(cur, "type"), "lanman") - && - pdb_gethexpwd(xmlNodeListGetString - (doc, cur->xmlChildrenNode, 1), temp)) - pdb_set_lanman_passwd(u, temp, PDB_SET); - else - DEBUG(0, - ("Unknown crypt type: %s\n", - xmlGetProp(cur, "type"))); - } - cur = cur->next; - } - return True; -} - -static BOOL parseUser(xmlDocPtr doc, xmlNsPtr ns, xmlNodePtr cur, SAM_ACCOUNT * u) -{ - char *tmp; - DOM_SID sid; - - tmp = xmlGetProp(cur, "sid"); - if (tmp){ - string_to_sid(&sid, tmp); - pdb_set_user_sid(u, &sid, PDB_SET); - } - tmp = xmlGetProp(cur, "uid"); - if (tmp) - pdb_set_uid(u, atol(tmp), PDB_SET); - pdb_set_username(u, xmlGetProp(cur, "name"), PDB_SET); - /* We don't care what the top level element name is */ - cur = cur->xmlChildrenNode; - while (cur != NULL) { - if ((!strcmp(cur->name, "group")) && (cur->ns == ns)) { - tmp = xmlGetProp(cur, "gid"); - if (tmp) - pdb_set_gid(u, atol(tmp), PDB_SET); - tmp = xmlGetProp(cur, "sid"); - if (tmp){ - string_to_sid(&sid, tmp); - pdb_set_group_sid(u, &sid, PDB_SET); - } - } - - else if ((!strcmp(cur->name, "domain")) && (cur->ns == ns)) - pdb_set_domain(u, - xmlNodeListGetString(doc, cur->xmlChildrenNode, - 1), PDB_SET); - - else if (!strcmp(cur->name, "fullname") && cur->ns == ns) - 
pdb_set_fullname(u, - xmlNodeListGetString(doc, - cur->xmlChildrenNode, - 1), PDB_SET); - - else if (!strcmp(cur->name, "nt_username") && cur->ns == ns) - pdb_set_nt_username(u, - xmlNodeListGetString(doc, - cur->xmlChildrenNode, - 1), PDB_SET); - - else if (!strcmp(cur->name, "logon_script") && cur->ns == ns) - pdb_set_logon_script(u, - xmlNodeListGetString(doc, - cur->xmlChildrenNode, - 1), PDB_SET); - - else if (!strcmp(cur->name, "profile_path") && cur->ns == ns) - pdb_set_profile_path(u, - xmlNodeListGetString(doc, - cur->xmlChildrenNode, - 1), PDB_SET); - - else if (!strcmp(cur->name, "logon_time") && cur->ns == ns) - pdb_set_logon_time(u, - atol(xmlNodeListGetString - (doc, cur->xmlChildrenNode, 1)), PDB_SET); - - else if (!strcmp(cur->name, "logoff_time") && cur->ns == ns) - pdb_set_logoff_time(u, - atol(xmlNodeListGetString - (doc, cur->xmlChildrenNode, 1)), - PDB_SET); - - else if (!strcmp(cur->name, "kickoff_time") && cur->ns == ns) - pdb_set_kickoff_time(u, - atol(xmlNodeListGetString - (doc, cur->xmlChildrenNode, 1)), - PDB_SET); - - else if (!strcmp(cur->name, "logon_divs") && cur->ns == ns) - pdb_set_logon_divs(u, - atol(xmlNodeListGetString - (doc, cur->xmlChildrenNode, 1)), PDB_SET); - - else if (!strcmp(cur->name, "hours_len") && cur->ns == ns) - pdb_set_hours_len(u, - atol(xmlNodeListGetString - (doc, cur->xmlChildrenNode, 1)), PDB_SET); - - else if (!strcmp(cur->name, "unknown_3") && cur->ns == ns) - pdb_set_unknown_3(u, - atol(xmlNodeListGetString - (doc, cur->xmlChildrenNode, 1)), PDB_SET); - - else if (!strcmp(cur->name, "unknown_5") && cur->ns == ns) - pdb_set_unknown_5(u, - atol(xmlNodeListGetString - (doc, cur->xmlChildrenNode, 1)), PDB_SET); - - else if (!strcmp(cur->name, "unknown_6") && cur->ns == ns) - pdb_set_unknown_6(u, - atol(xmlNodeListGetString - (doc, cur->xmlChildrenNode, 1)), PDB_SET); - - else if (!strcmp(cur->name, "homedir") && cur->ns == ns) - pdb_set_homedir(u, - xmlNodeListGetString(doc, cur->xmlChildrenNode, - 1), 
PDB_SET); - - else if (!strcmp(cur->name, "unknown_str") && cur->ns == ns) - pdb_set_unknown_str(u, - xmlNodeListGetString(doc, - cur->xmlChildrenNode, - 1), PDB_SET); - - else if (!strcmp(cur->name, "dir_drive") && cur->ns == ns) - pdb_set_dir_drive(u, - xmlNodeListGetString(doc, - cur->xmlChildrenNode, - 1), PDB_SET); - - else if (!strcmp(cur->name, "munged_dial") && cur->ns == ns) - pdb_set_munged_dial(u, - xmlNodeListGetString(doc, - cur->xmlChildrenNode, - 1), PDB_SET); - - else if (!strcmp(cur->name, "acct_desc") && cur->ns == ns) - pdb_set_acct_desc(u, - xmlNodeListGetString(doc, - cur->xmlChildrenNode, - 1), PDB_SET); - - else if (!strcmp(cur->name, "acct_ctrl") && cur->ns == ns) - pdb_set_acct_ctrl(u, - atol(xmlNodeListGetString - (doc, cur->xmlChildrenNode, 1)), PDB_SET); - - else if (!strcmp(cur->name, "workstations") && cur->ns == ns) - pdb_set_workstations(u, - xmlNodeListGetString(doc, - cur->xmlChildrenNode, - 1), PDB_SET); - - else if ((!strcmp(cur->name, "password")) && (cur->ns == ns)) { - tmp = xmlGetProp(cur, "last_set"); - if (tmp) - pdb_set_pass_last_set_time(u, atol(tmp), PDB_SET); - tmp = xmlGetProp(cur, "must_change"); - if (tmp) - pdb_set_pass_must_change_time(u, atol(tmp), PDB_SET); - tmp = xmlGetProp(cur, "can_change"); - if (tmp) - pdb_set_pass_can_change_time(u, atol(tmp), PDB_SET); - parsePass(doc, ns, cur, u); - } - - else - DEBUG(0, ("Unknown element %s\n", cur->name)); - cur = cur->next; - } - - return True; -} - -typedef struct pdb_xml { - char *location; - char written; - xmlDocPtr doc; - xmlNodePtr users; - xmlNodePtr pwent; - xmlNsPtr ns; -} pdb_xml; - -static xmlNodePtr parseSambaXMLFile(struct pdb_xml *data) -{ - xmlNodePtr cur; - - data->doc = xmlParseFile(data->location); - if (data->doc == NULL) - return NULL; - - cur = xmlDocGetRootElement(data->doc); - if (!cur) { - DEBUG(0, ("empty document\n")); - xmlFreeDoc(data->doc); - return NULL; - } - data->ns = xmlSearchNsByHref(data->doc, cur, XML_URL); - if (!data->ns) { - 
DEBUG(0, - ("document of the wrong type, samba user namespace not found\n")); - xmlFreeDoc(data->doc); - return NULL; - } - if (strcmp(cur->name, "samba")) { - DEBUG(0, ("document of the wrong type, root node != samba")); - xmlFreeDoc(data->doc); - return NULL; - } - - cur = cur->xmlChildrenNode; - while (cur && xmlIsBlankNode(cur)) { - cur = cur->next; - } - if (!cur) - return NULL; - if ((strcmp(cur->name, "users")) || (cur->ns != data->ns)) { - DEBUG(0, ("document of the wrong type, was '%s', users expected", - cur->name)); - DEBUG(0, ("xmlDocDump follows\n")); - xmlDocDump(stderr, data->doc); - DEBUG(0, ("xmlDocDump finished\n")); - xmlFreeDoc(data->doc); - return NULL; - } - data->users = cur; - cur = cur->xmlChildrenNode; - return cur; -} - -static NTSTATUS xmlsam_setsampwent(struct pdb_methods *methods, BOOL update) -{ - pdb_xml *data; - - if (!methods) { - DEBUG(0, ("Invalid methods\n")); - return NT_STATUS_INVALID_PARAMETER; - } - data = (pdb_xml *) methods->private_data; - if (!data) { - DEBUG(0, ("Invalid pdb_xml_data\n")); - return NT_STATUS_INVALID_PARAMETER; - } - data->pwent = parseSambaXMLFile(data); - if (!data->pwent) - return NT_STATUS_UNSUCCESSFUL; - - return NT_STATUS_OK; -} - -/*************************************************************** - End enumeration of the passwd list. 
- ****************************************************************/ - -static void xmlsam_endsampwent(struct pdb_methods *methods) -{ - pdb_xml *data; - - if (!methods) { - DEBUG(0, ("Invalid methods\n")); - return; - } - - data = (pdb_xml *) methods->private_data; - - if (!data) { - DEBUG(0, ("Invalid pdb_xml_data\n")); - return; - } - - xmlFreeDoc(data->doc); - data->doc = NULL; - data->pwent = NULL; -} - -/***************************************************************** - Get one SAM_ACCOUNT from the list (next in line) - *****************************************************************/ - -static NTSTATUS xmlsam_getsampwent(struct pdb_methods *methods, SAM_ACCOUNT * user) -{ - pdb_xml *data; - - if (!methods) { - DEBUG(0, ("Invalid methods\n")); - return NT_STATUS_INVALID_PARAMETER; - } - data = (pdb_xml *) methods->private_data; - - if (!data) { - DEBUG(0, ("Invalid pdb_xml_data\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - while (data->pwent) { - if ((!strcmp(data->pwent->name, "user")) && - (data->pwent->ns == data->ns)) { - - parseUser(data->doc, data->ns, data->pwent, user); - data->pwent = data->pwent->next; - return NT_STATUS_OK; - } - data->pwent = data->pwent->next; - } - return NT_STATUS_UNSUCCESSFUL; -} - -/*************************************************************************** - Adds an existing SAM_ACCOUNT - ****************************************************************************/ - -static NTSTATUS xmlsam_add_sam_account(struct pdb_methods *methods, SAM_ACCOUNT * u) -{ - pstring temp; - fstring sid_str; - xmlNodePtr cur, user, pass, root; - pdb_xml *data; - - DEBUG(10, ("xmlsam_add_sam_account called!\n")); - - if (!methods) { - DEBUG(0, ("Invalid methods\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - data = (pdb_xml *) methods->private_data; - if (!data) { - DEBUG(0, ("Invalid pdb_xml_data\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - /* Create a new document if we can't open the current one */ - if 
(!parseSambaXMLFile(data)) { - DEBUG(0, ("Can't load current XML file, creating a new one\n")); - data->doc = xmlNewDoc(XML_DEFAULT_VERSION); - root = xmlNewDocNode(data->doc, NULL, "samba", NULL); - cur = xmlDocSetRootElement(data->doc, root); - data->ns = xmlNewNs(root, XML_URL, "samba"); - data->users = xmlNewChild(root, data->ns, "users", NULL); - } - - user = xmlNewChild(data->users, data->ns, "user", NULL); - xmlNewProp(user, "sid", - sid_to_string(sid_str, pdb_get_user_sid(u))); - if (pdb_get_init_flags(u, PDB_UID) != PDB_DEFAULT) - xmlNewProp(user, "uid", iota(pdb_get_uid(u))); - - if (pdb_get_username(u) && strcmp(pdb_get_username(u), "")) - xmlNewProp(user, "name", pdb_get_username(u)); - - cur = xmlNewChild(user, data->ns, "group", NULL); - - xmlNewProp(cur, "sid", - sid_to_string(sid_str, pdb_get_group_sid(u))); - if (pdb_get_init_flags(u, PDB_GID) != PDB_DEFAULT) - xmlNewProp(cur, "gid", iota(pdb_get_gid(u))); - - if (pdb_get_init_flags(u, PDB_LOGONTIME) != PDB_DEFAULT) - xmlNewChild(user, data->ns, "login_time", - iota(pdb_get_logon_time(u))); - - if (pdb_get_init_flags(u, PDB_LOGOFFTIME) != PDB_DEFAULT) - xmlNewChild(user, data->ns, "logoff_time", - iota(pdb_get_logoff_time(u))); - - if (pdb_get_init_flags(u, PDB_KICKOFFTIME) != PDB_DEFAULT) - xmlNewChild(user, data->ns, "kickoff_time", - iota(pdb_get_kickoff_time(u))); - - if (pdb_get_domain(u) && strcmp(pdb_get_domain(u), "")) - xmlNewChild(user, data->ns, "domain", pdb_get_domain(u)); - - if (pdb_get_nt_username(u) && strcmp(pdb_get_nt_username(u), "")) - xmlNewChild(user, data->ns, "nt_username", pdb_get_nt_username(u)); - - if (pdb_get_fullname(u) && strcmp(pdb_get_fullname(u), "")) - xmlNewChild(user, data->ns, "fullname", pdb_get_fullname(u)); - - if (pdb_get_homedir(u) && strcmp(pdb_get_homedir(u), "")) - xmlNewChild(user, data->ns, "homedir", pdb_get_homedir(u)); - - if (pdb_get_dir_drive(u) && strcmp(pdb_get_dir_drive(u), "")) - xmlNewChild(user, data->ns, "dir_drive", 
pdb_get_dir_drive(u)); - - if (pdb_get_logon_script(u) && strcmp(pdb_get_logon_script(u), "")) - xmlNewChild(user, data->ns, "logon_script", - pdb_get_logon_script(u)); - - if (pdb_get_profile_path(u) && strcmp(pdb_get_profile_path(u), "")) - xmlNewChild(user, data->ns, "profile_path", - pdb_get_profile_path(u)); - - if (pdb_get_acct_desc(u) && strcmp(pdb_get_acct_desc(u), "")) - xmlNewChild(user, data->ns, "acct_desc", pdb_get_acct_desc(u)); - - if (pdb_get_workstations(u) && strcmp(pdb_get_workstations(u), "")) - xmlNewChild(user, data->ns, "workstations", - pdb_get_workstations(u)); - - if (pdb_get_unknown_str(u) && strcmp(pdb_get_unknown_str(u), "")) - xmlNewChild(user, data->ns, "unknown_str", pdb_get_unknown_str(u)); - - if (pdb_get_munged_dial(u) && strcmp(pdb_get_munged_dial(u), "")) - xmlNewChild(user, data->ns, "munged_dial", pdb_get_munged_dial(u)); - - - /* Password stuff */ - pass = xmlNewChild(user, data->ns, "password", NULL); - if (pdb_get_pass_last_set_time(u)) - xmlNewProp(pass, "last_set", iota(pdb_get_pass_last_set_time(u))); - if (pdb_get_init_flags(u, PDB_CANCHANGETIME) != PDB_DEFAULT) - xmlNewProp(pass, "can_change", - iota(pdb_get_pass_can_change_time(u))); - - if (pdb_get_init_flags(u, PDB_MUSTCHANGETIME) != PDB_DEFAULT) - xmlNewProp(pass, "must_change", - iota(pdb_get_pass_must_change_time(u))); - - - if (pdb_get_lanman_passwd(u)) { - pdb_sethexpwd(temp, pdb_get_lanman_passwd(u), - pdb_get_acct_ctrl(u)); - cur = xmlNewChild(pass, data->ns, "crypt", temp); - xmlNewProp(cur, "type", "lanman"); - } - - if (pdb_get_nt_passwd(u)) { - pdb_sethexpwd(temp, pdb_get_nt_passwd(u), pdb_get_acct_ctrl(u)); - cur = xmlNewChild(pass, data->ns, "crypt", temp); - xmlNewProp(cur, "type", "nt"); - } - - xmlNewChild(user, data->ns, "acct_ctrl", iota(pdb_get_acct_ctrl(u))); - xmlNewChild(user, data->ns, "unknown_3", iota(pdb_get_unknown_3(u))); - - if (pdb_get_logon_divs(u)) - xmlNewChild(user, data->ns, "logon_divs", - iota(pdb_get_logon_divs(u))); - - if 
(pdb_get_hours_len(u)) - xmlNewChild(user, data->ns, "hours_len", - iota(pdb_get_hours_len(u))); - - xmlNewChild(user, data->ns, "unknown_5", iota(pdb_get_unknown_5(u))); - xmlNewChild(user, data->ns, "unknown_6", iota(pdb_get_unknown_6(u))); - xmlSaveFile(data->location, data->doc); - - return NT_STATUS_OK; -} - -static NTSTATUS xmlsam_init(PDB_CONTEXT * pdb_context, PDB_METHODS ** pdb_method, - const char *location) -{ - NTSTATUS nt_status; - pdb_xml *data; - - xmlsam_debug_level = debug_add_class("xmlsam"); - if (xmlsam_debug_level == -1) { - xmlsam_debug_level = DBGC_ALL; - DEBUG(0, ("xmlsam: Couldn't register custom debugging class!\n")); - } - - if (!pdb_context) { - DEBUG(0, ("invalid pdb_methods specified\n")); - return NT_STATUS_UNSUCCESSFUL; - } - - if (!NT_STATUS_IS_OK - (nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) { - return nt_status; - } - - (*pdb_method)->name = "xmlsam"; - - (*pdb_method)->setsampwent = xmlsam_setsampwent; - (*pdb_method)->endsampwent = xmlsam_endsampwent; - (*pdb_method)->getsampwent = xmlsam_getsampwent; - (*pdb_method)->add_sam_account = xmlsam_add_sam_account; - (*pdb_method)->getsampwnam = NULL; - (*pdb_method)->getsampwsid = NULL; - (*pdb_method)->update_sam_account = NULL; - (*pdb_method)->delete_sam_account = NULL; - (*pdb_method)->getgrsid = NULL; - (*pdb_method)->getgrgid = NULL; - (*pdb_method)->getgrnam = NULL; - (*pdb_method)->add_group_mapping_entry = NULL; - (*pdb_method)->update_group_mapping_entry = NULL; - (*pdb_method)->delete_group_mapping_entry = NULL; - (*pdb_method)->enum_group_mapping = NULL; - - data = talloc(pdb_context->mem_ctx, sizeof(pdb_xml)); - data->location = talloc_strdup(pdb_context->mem_ctx, (location ? 
location : "passdb.xml")); - data->pwent = NULL; - data->written = 0; - (*pdb_method)->private_data = data; - - LIBXML_TEST_VERSION xmlKeepBlanksDefault(0); - - return NT_STATUS_OK; -} - -int pdb_xml_init(void) -{ - return smb_register_passdb("xml", xmlsam_init, PASSDB_INTERFACE_VERSION); -} diff --git a/source3/passdb/pdb_mysql.c b/source3/passdb/pdb_mysql.c new file mode 100644 index 0000000000..ec8c6f9ab8 --- /dev/null +++ b/source3/passdb/pdb_mysql.c 
@@ -0,0 +1,977 @@ + +/* + * MySQL password backend for samba + * Copyright (C) Jelmer Vernooij 2002 + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 675 + * Mass Ave, Cambridge, MA 02139, USA. + */ + +#include "includes.h" +#include + +#define CONFIG_TABLE_DEFAULT "user" +#define CONFIG_LOGON_TIME_DEFAULT "logon_time" +#define CONFIG_LOGOFF_TIME_DEFAULT "logoff_time" +#define CONFIG_KICKOFF_TIME_DEFAULT "kickoff_time" +#define CONFIG_PASS_LAST_SET_TIME_DEFAULT "pass_last_set_time" +#define CONFIG_PASS_CAN_CHANGE_TIME_DEFAULT "pass_can_change_time" +#define CONFIG_PASS_MUST_CHANGE_TIME_DEFAULT "pass_must_change_time" +#define CONFIG_USERNAME_DEFAULT "username" +#define CONFIG_DOMAIN_DEFAULT "domain" +#define CONFIG_NT_USERNAME_DEFAULT "nt_username" +#define CONFIG_FULLNAME_DEFAULT "nt_fullname" +#define CONFIG_HOME_DIR_DEFAULT "home_dir" +#define CONFIG_DIR_DRIVE_DEFAULT "dir_drive" +#define CONFIG_LOGON_SCRIPT_DEFAULT "logon_script" +#define CONFIG_PROFILE_PATH_DEFAULT "profile_path" +#define CONFIG_ACCT_DESC_DEFAULT "acct_desc" +#define CONFIG_WORKSTATIONS_DEFAULT "workstations" +#define CONFIG_UNKNOWN_STR_DEFAULT "unknown_str" +#define CONFIG_MUNGED_DIAL_DEFAULT "munged_dial" +#define CONFIG_UID_DEFAULT "uid" +#define CONFIG_GID_DEFAULT "gid" +#define CONFIG_USER_SID_DEFAULT "user_sid" +#define CONFIG_GROUP_SID_DEFAULT "group_sid" +#define 
CONFIG_LM_PW_DEFAULT "lm_pw" +#define CONFIG_NT_PW_DEFAULT "nt_pw" +#define CONFIG_PLAIN_PW_DEFAULT "NULL" +#define CONFIG_ACCT_CTRL_DEFAULT "acct_ctrl" +#define CONFIG_UNKNOWN_3_DEFAULT "unknown_3" +#define CONFIG_LOGON_DIVS_DEFAULT "logon_divs" +#define CONFIG_HOURS_LEN_DEFAULT "hours_len" +#define CONFIG_UNKNOWN_5_DEFAULT "unknown_5" +#define CONFIG_UNKNOWN_6_DEFAULT "unknown_6" +#define CONFIG_HOST_DEFAULT "localhost" +#define CONFIG_USER_DEFAULT "samba" +#define CONFIG_PASS_DEFAULT "" +#define CONFIG_PORT_DEFAULT "3306" +#define CONFIG_DB_DEFAULT "samba" + +static int mysqlsam_debug_level = DBGC_ALL; + +#undef DBGC_CLASS +#define DBGC_CLASS mysqlsam_debug_level + +typedef struct pdb_mysql_data { + MYSQL *handle; + MYSQL_RES *pwent; + const char *location; +} pdb_mysql_data; + +/* Used to construct insert and update queries */ + +typedef struct pdb_mysql_query { + char update; + TALLOC_CTX *mem_ctx; + char *part1; + char *part2; +} pdb_mysql_query; +#define SET_DATA(data,methods) { \ + if(!methods){ \ + DEBUG(0, ("invalid methods!\n")); \ + return NT_STATUS_INVALID_PARAMETER; \ + } \ + data = (struct pdb_mysql_data *)methods->private_data; \ + if(!data || !(data->handle)){ \ + DEBUG(0, ("invalid handle!\n")); \ + return NT_STATUS_INVALID_HANDLE; \ + } \ +} + +static void pdb_mysql_int_field(struct pdb_methods *m, + struct pdb_mysql_query *q, const char *name, int value) +{ + if (!name || strchr(name, '\'')) + return; /* This field shouldn't be set by us */ + + if (q->update) { + q->part1 = + talloc_asprintf_append(q->mem_ctx, q->part1, + "%s = %d,", name, value); + } else { + q->part1 = + talloc_asprintf_append(q->mem_ctx, q->part1, "%s,", name); + q->part2 = + talloc_asprintf_append(q->mem_ctx, q->part2, "%d,", value); + } +} + +static NTSTATUS pdb_mysql_string_field(struct pdb_methods *methods, + struct pdb_mysql_query *q, + const char *name, const char *value) +{ + char *esc_value; + struct pdb_mysql_data *data; + char *tmp_value; + + SET_DATA(data, 
methods); + + if (!name || !value || !strcmp(value, "") || strchr(name, '\'')) + return NT_STATUS_INVALID_PARAMETER; /* This field shouldn't be set by module */ + + esc_value = malloc(strlen(value) * 2 + 1); + + tmp_value = smb_xstrdup(value); + mysql_real_escape_string(data->handle, esc_value, tmp_value, + strlen(tmp_value)); + SAFE_FREE(tmp_value); + + if (q->update) { + q->part1 = + talloc_asprintf_append(q->mem_ctx, q->part1, + "%s = '%s',", name, esc_value); + } else { + q->part1 = + talloc_asprintf_append(q->mem_ctx, q->part1, "%s,", name); + q->part2 = + talloc_asprintf_append(q->mem_ctx, q->part2, "'%s',", + esc_value); + } + + SAFE_FREE(esc_value); + + return NT_STATUS_OK; +} + +#define config_value(data,name,default_value) \ + lp_parm_const_string(GLOBAL_SECTION_SNUM, (data)->location, name, default_value) + +static const char * config_value_write(pdb_mysql_data * data, const char *name, const char *default_value) { + char const *v = NULL; + char const *swrite = NULL; + + v = lp_parm_const_string(GLOBAL_SECTION_SNUM, data->location, name, default_value); + + if (!v) + return NULL; + + swrite = strchr(v, ':'); + + /* Default to the same field as read field */ + if (!swrite) + return v; + + swrite++; + + /* If the field is 0 chars long, we shouldn't write to it */ + if (!strlen(swrite) || !strcmp(swrite, "NULL")) + return NULL; + + /* Otherwise, use the additionally specified */ + return swrite; +} + +static const char * config_value_read(pdb_mysql_data * data, const char *name, const char *default_value) +{ + char *v = NULL; + char *swrite; + + v = lp_parm_talloc_string(GLOBAL_SECTION_SNUM, data->location, name, default_value); + + if (!v) + return "NULL"; + + swrite = strchr(v, ':'); + + /* If no write is specified, there are no problems */ + if (!swrite) { + if (strlen(v) == 0) + return "NULL"; + return (const char *)v; + } + + /* Otherwise, we have to cut the ':write_part' */ + *swrite = '\0'; + if (strlen(v) == 0) + return "NULL"; + + return (const 
char *)v; +} + +/* Wrapper for atol that returns 0 if 'a' points to NULL */ +static long xatol(const char *a) +{ + long ret = 0; + + if (a != NULL) + ret = atol(a); + + return ret; +} + +static NTSTATUS row_to_sam_account(MYSQL_RES * r, SAM_ACCOUNT * u) +{ + MYSQL_ROW row; + pstring temp; + unsigned int num_fields; + DOM_SID sid; + + num_fields = mysql_num_fields(r); + row = mysql_fetch_row(r); + if (!row) + return NT_STATUS_INVALID_PARAMETER; + + pdb_set_logon_time(u, xatol(row[0]), PDB_SET); + pdb_set_logoff_time(u, xatol(row[1]), PDB_SET); + pdb_set_kickoff_time(u, xatol(row[2]), PDB_SET); + pdb_set_pass_last_set_time(u, xatol(row[3]), PDB_SET); + pdb_set_pass_can_change_time(u, xatol(row[4]), PDB_SET); + pdb_set_pass_must_change_time(u, xatol(row[5]), PDB_SET); + pdb_set_username(u, row[6], PDB_SET); + pdb_set_domain(u, row[7], PDB_SET); + pdb_set_nt_username(u, row[8], PDB_SET); + pdb_set_fullname(u, row[9], PDB_SET); + pdb_set_homedir(u, row[10], PDB_SET); + pdb_set_dir_drive(u, row[11], PDB_SET); + pdb_set_logon_script(u, row[12], PDB_SET); + pdb_set_profile_path(u, row[13], PDB_SET); + pdb_set_acct_desc(u, row[14], PDB_SET); + pdb_set_workstations(u, row[15], PDB_SET); + pdb_set_unknown_str(u, row[16], PDB_SET); + pdb_set_munged_dial(u, row[17], PDB_SET); + + if (row[18]) + pdb_set_uid(u, xatol(row[18]), PDB_SET); + if (row[19]) + pdb_set_gid(u, xatol(row[19]), PDB_SET); + + string_to_sid(&sid, row[20]); + pdb_set_user_sid(u, &sid, PDB_SET); + string_to_sid(&sid, row[21]); + pdb_set_group_sid(u, &sid, PDB_SET); + + if (pdb_gethexpwd(row[22], temp), PDB_SET) + pdb_set_lanman_passwd(u, temp, PDB_SET); + if (pdb_gethexpwd(row[23], temp), PDB_SET) + pdb_set_nt_passwd(u, temp, PDB_SET); + + /* Only use plaintext password storage when lanman and nt are + * NOT used */ + if (!row[22] || !row[23]) + pdb_set_plaintext_passwd(u, row[24]); + + pdb_set_acct_ctrl(u, xatol(row[25]), PDB_SET); + pdb_set_unknown_3(u, xatol(row[26]), PDB_SET); + pdb_set_logon_divs(u, 
xatol(row[27]), PDB_SET); + pdb_set_hours_len(u, xatol(row[28]), PDB_SET); + pdb_set_unknown_5(u, xatol(row[29]), PDB_SET); + pdb_set_unknown_6(u, xatol(row[30]), PDB_SET); + + return NT_STATUS_OK; +} + +static NTSTATUS mysqlsam_setsampwent(struct pdb_methods *methods, BOOL update) +{ + struct pdb_mysql_data *data = + (struct pdb_mysql_data *) methods->private_data; + char *query; + int ret; + + if (!data || !(data->handle)) { + DEBUG(0, ("invalid handle!\n")); + return NT_STATUS_INVALID_HANDLE; + } + + asprintf(&query, + "SELECT %s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s FROM %s", + config_value_read(data, "logon time column", + CONFIG_LOGON_TIME_DEFAULT), + config_value_read(data, "logoff time column", + CONFIG_LOGOFF_TIME_DEFAULT), + config_value_read(data, "kickoff time column", + CONFIG_KICKOFF_TIME_DEFAULT), + config_value_read(data, "pass last set time column", + CONFIG_PASS_LAST_SET_TIME_DEFAULT), + config_value_read(data, "pass can change time column", + CONFIG_PASS_CAN_CHANGE_TIME_DEFAULT), + config_value_read(data, "pass must change time column", + CONFIG_PASS_MUST_CHANGE_TIME_DEFAULT), + config_value_read(data, "username column", + CONFIG_USERNAME_DEFAULT), + config_value_read(data, "domain column", + CONFIG_DOMAIN_DEFAULT), + config_value_read(data, "nt username column", + CONFIG_NT_USERNAME_DEFAULT), + config_value_read(data, "fullname column", + CONFIG_FULLNAME_DEFAULT), + config_value_read(data, "home dir column", + CONFIG_HOME_DIR_DEFAULT), + config_value_read(data, "dir drive column", + CONFIG_DIR_DRIVE_DEFAULT), + config_value_read(data, "logon script column", + CONFIG_LOGON_SCRIPT_DEFAULT), + config_value_read(data, "profile path column", + CONFIG_PROFILE_PATH_DEFAULT), + config_value_read(data, "acct desc column", + CONFIG_ACCT_DESC_DEFAULT), + config_value_read(data, "workstations column", + CONFIG_WORKSTATIONS_DEFAULT), + config_value_read(data, "unknown string column", + 
CONFIG_UNKNOWN_STR_DEFAULT), + config_value_read(data, "munged dial column", + CONFIG_MUNGED_DIAL_DEFAULT), + config_value_read(data, "uid column", CONFIG_UID_DEFAULT), + config_value_read(data, "gid column", CONFIG_GID_DEFAULT), + config_value_read(data, "user sid column", + CONFIG_USER_SID_DEFAULT), + config_value_read(data, "group sid column", + CONFIG_GROUP_SID_DEFAULT), + config_value_read(data, "lanman pass column", + CONFIG_LM_PW_DEFAULT), + config_value_read(data, "nt pass column", + CONFIG_NT_PW_DEFAULT), + config_value_read(data, "plain pass column", + CONFIG_PLAIN_PW_DEFAULT), + config_value_read(data, "acct ctrl column", + CONFIG_ACCT_CTRL_DEFAULT), + config_value_read(data, "unknown 3 column", + CONFIG_UNKNOWN_3_DEFAULT), + config_value_read(data, "logon divs column", + CONFIG_LOGON_DIVS_DEFAULT), + config_value_read(data, "hours len column", + CONFIG_HOURS_LEN_DEFAULT), + config_value_read(data, "unknown 5 column", + CONFIG_UNKNOWN_5_DEFAULT), + config_value_read(data, "unknown 6 column", + CONFIG_UNKNOWN_6_DEFAULT), + config_value(data, "table", CONFIG_TABLE_DEFAULT) + ); + DEBUG(5, ("Executing query %s\n", query)); + + ret = mysql_query(data->handle, query); + SAFE_FREE(query); + + if (ret) { + DEBUG(0, + ("Error executing MySQL query %s\n", mysql_error(data->handle))); + return NT_STATUS_UNSUCCESSFUL; + } + + data->pwent = mysql_store_result(data->handle); + + if (data->pwent == NULL) { + DEBUG(0, + ("Error storing results: %s\n", mysql_error(data->handle))); + return NT_STATUS_UNSUCCESSFUL; + } + + DEBUG(5, + ("mysqlsam_setsampwent succeeded(%llu results)!\n", + mysql_num_rows(data->pwent))); + + return NT_STATUS_OK; +} + +/*************************************************************** + End enumeration of the passwd list. 
+ ****************************************************************/ + +static void mysqlsam_endsampwent(struct pdb_methods *methods) +{ + struct pdb_mysql_data *data = + (struct pdb_mysql_data *) methods->private_data; + + if (data == NULL) { + DEBUG(0, ("invalid handle!\n")); + return; + } + + if (data->pwent != NULL) + mysql_free_result(data->pwent); + + data->pwent = NULL; + + DEBUG(5, ("mysql_endsampwent called\n")); +} + +/***************************************************************** + Get one SAM_ACCOUNT from the list (next in line) + *****************************************************************/ + +static NTSTATUS mysqlsam_getsampwent(struct pdb_methods *methods, SAM_ACCOUNT * user) +{ + struct pdb_mysql_data *data; + + SET_DATA(data, methods); + + if (data->pwent == NULL) { + DEBUG(0, ("invalid pwent\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + return row_to_sam_account(data->pwent, user); +} + +static NTSTATUS mysqlsam_select_by_field(struct pdb_methods * methods, SAM_ACCOUNT * user, + const char *field, const char *sname) +{ + char *esc_sname; + char *query; + NTSTATUS ret; + MYSQL_RES *res; + int mysql_ret; + struct pdb_mysql_data *data; + char *tmp_sname; + + SET_DATA(data, methods); + + esc_sname = malloc(strlen(sname) * 2 + 1); + if (!esc_sname) { + return NT_STATUS_NO_MEMORY; + } + + DEBUG(5, + ("mysqlsam_select_by_field: getting data where %s = %s(nonescaped)\n", + field, sname)); + + tmp_sname = smb_xstrdup(sname); + + /* Escape sname */ + mysql_real_escape_string(data->handle, esc_sname, tmp_sname, + strlen(tmp_sname)); + + SAFE_FREE(tmp_sname); + + if (user == NULL) { + DEBUG(0, ("pdb_getsampwnam: SAM_ACCOUNT is NULL.\n")); + SAFE_FREE(esc_sname); + return NT_STATUS_INVALID_PARAMETER; + } + + asprintf(&query, + "SELECT %s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s FROM %s WHERE %s = '%s'", + config_value_read(data, "logon time column", + CONFIG_LOGON_TIME_DEFAULT), + 
config_value_read(data, "logoff time column", + CONFIG_LOGOFF_TIME_DEFAULT), + config_value_read(data, "kickoff time column", + CONFIG_KICKOFF_TIME_DEFAULT), + config_value_read(data, "pass last set time column", + CONFIG_PASS_LAST_SET_TIME_DEFAULT), + config_value_read(data, "pass can change time column", + CONFIG_PASS_CAN_CHANGE_TIME_DEFAULT), + config_value_read(data, "pass must change time column", + CONFIG_PASS_MUST_CHANGE_TIME_DEFAULT), + config_value_read(data, "username column", + CONFIG_USERNAME_DEFAULT), + config_value_read(data, "domain column", + CONFIG_DOMAIN_DEFAULT), + config_value_read(data, "nt username column", + CONFIG_NT_USERNAME_DEFAULT), + config_value_read(data, "fullname column", + CONFIG_FULLNAME_DEFAULT), + config_value_read(data, "home dir column", + CONFIG_HOME_DIR_DEFAULT), + config_value_read(data, "dir drive column", + CONFIG_DIR_DRIVE_DEFAULT), + config_value_read(data, "logon script column", + CONFIG_LOGON_SCRIPT_DEFAULT), + config_value_read(data, "profile path column", + CONFIG_PROFILE_PATH_DEFAULT), + config_value_read(data, "acct desc column", + CONFIG_ACCT_DESC_DEFAULT), + config_value_read(data, "workstations column", + CONFIG_WORKSTATIONS_DEFAULT), + config_value_read(data, "unknown string column", + CONFIG_UNKNOWN_STR_DEFAULT), + config_value_read(data, "munged dial column", + CONFIG_MUNGED_DIAL_DEFAULT), + config_value_read(data, "uid column", CONFIG_UID_DEFAULT), + config_value_read(data, "gid column", CONFIG_GID_DEFAULT), + config_value_read(data, "user sid column", + CONFIG_USER_SID_DEFAULT), + config_value_read(data, "group sid column", + CONFIG_GROUP_SID_DEFAULT), + config_value_read(data, "lanman pass column", + CONFIG_LM_PW_DEFAULT), + config_value_read(data, "nt pass column", + CONFIG_NT_PW_DEFAULT), + config_value_read(data, "plain pass column", + CONFIG_PLAIN_PW_DEFAULT), + config_value_read(data, "acct ctrl column", + CONFIG_ACCT_CTRL_DEFAULT), + config_value_read(data, "unknown 3 column", + 
CONFIG_UNKNOWN_3_DEFAULT), + config_value_read(data, "logon divs column", + CONFIG_LOGON_DIVS_DEFAULT), + config_value_read(data, "hours len column", + CONFIG_HOURS_LEN_DEFAULT), + config_value_read(data, "unknown 5 column", + CONFIG_UNKNOWN_5_DEFAULT), + config_value_read(data, "unknown 6 column", + CONFIG_UNKNOWN_6_DEFAULT), + config_value(data, "table", CONFIG_TABLE_DEFAULT), field, + esc_sname); + + SAFE_FREE(esc_sname); + + DEBUG(5, ("Executing query %s\n", query)); + + mysql_ret = mysql_query(data->handle, query); + + SAFE_FREE(query); + + if (mysql_ret) { + DEBUG(0, + ("Error while executing MySQL query %s\n", + mysql_error(data->handle))); + return NT_STATUS_UNSUCCESSFUL; + } + + res = mysql_store_result(data->handle); + if (res == NULL) { + DEBUG(0, + ("Error storing results: %s\n", mysql_error(data->handle))); + return NT_STATUS_UNSUCCESSFUL; + } + + ret = row_to_sam_account(res, user); + mysql_free_result(res); + + return ret; +} + +/****************************************************************** + Lookup a name in the SAM database + ******************************************************************/ + +static NTSTATUS mysqlsam_getsampwnam(struct pdb_methods *methods, SAM_ACCOUNT * user, + const char *sname) +{ + struct pdb_mysql_data *data; + + SET_DATA(data, methods); + + if (!sname) { + DEBUG(0, ("invalid name specified")); + return NT_STATUS_INVALID_PARAMETER; + } + + return mysqlsam_select_by_field(methods, user, + config_value_read(data, "username column", + CONFIG_USERNAME_DEFAULT), sname); +} + + +/*************************************************************************** + Search by sid + **************************************************************************/ + +static NTSTATUS mysqlsam_getsampwsid(struct pdb_methods *methods, SAM_ACCOUNT * user, + const DOM_SID * sid) +{ + struct pdb_mysql_data *data; + fstring sid_str; + + SET_DATA(data, methods); + + sid_to_string(sid_str, sid); + + return mysqlsam_select_by_field(methods, user, + 
config_value_read(data, "user sid column", + CONFIG_USER_SID_DEFAULT), sid_str); +} + +/*************************************************************************** + Delete a SAM_ACCOUNT + ****************************************************************************/ + +static NTSTATUS mysqlsam_delete_sam_account(struct pdb_methods *methods, + SAM_ACCOUNT * sam_pass) +{ + const char *sname = pdb_get_username(sam_pass); + char *esc; + char *query; + int ret; + struct pdb_mysql_data *data; + char *tmp_sname; + + SET_DATA(data, methods); + + if (!methods) { + DEBUG(0, ("invalid methods!\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + data = (struct pdb_mysql_data *) methods->private_data; + if (!data || !(data->handle)) { + DEBUG(0, ("invalid handle!\n")); + return NT_STATUS_INVALID_HANDLE; + } + + if (!sname) { + DEBUG(0, ("invalid name specified\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + /* Escape sname */ + esc = malloc(strlen(sname) * 2 + 1); + if (!esc) { + DEBUG(0, ("Can't allocate memory to store escaped name\n")); + return NT_STATUS_NO_MEMORY; + } + + tmp_sname = smb_xstrdup(sname); + + mysql_real_escape_string(data->handle, esc, tmp_sname, + strlen(tmp_sname)); + + SAFE_FREE(tmp_sname); + + asprintf(&query, "DELETE FROM %s WHERE %s = '%s'", + config_value(data, "table", CONFIG_TABLE_DEFAULT), + config_value_read(data, "username column", + CONFIG_USERNAME_DEFAULT), esc); + + SAFE_FREE(esc); + + ret = mysql_query(data->handle, query); + + SAFE_FREE(query); + + if (ret) { + DEBUG(0, + ("Error while executing query: %s\n", + mysql_error(data->handle))); + return NT_STATUS_UNSUCCESSFUL; + } + + DEBUG(5, ("User '%s' deleted\n", sname)); + return NT_STATUS_OK; +} + +static NTSTATUS mysqlsam_replace_sam_account(struct pdb_methods *methods, + const SAM_ACCOUNT * newpwd, char isupdate) +{ + pstring temp; + struct pdb_mysql_data *data; + pdb_mysql_query query; + fstring sid_str; + + if (!methods) { + DEBUG(0, ("invalid methods!\n")); + return 
NT_STATUS_INVALID_PARAMETER; + } + + data = (struct pdb_mysql_data *) methods->private_data; + if (data == NULL || data->handle == NULL) { + DEBUG(0, ("invalid handle!\n")); + return NT_STATUS_INVALID_HANDLE; + } + query.update = isupdate; + + /* I know this is somewhat overkill but only the talloc + * functions have asprint_append and the 'normal' asprintf + * is a GNU extension */ + query.mem_ctx = talloc_init("mysqlsam_replace_sam_account"); + query.part2 = talloc_asprintf(query.mem_ctx, "%s", ""); + if (query.update) { + query.part1 = + talloc_asprintf(query.mem_ctx, "UPDATE %s SET ", + config_value(data, "table", + CONFIG_TABLE_DEFAULT)); + } else { + query.part1 = + talloc_asprintf(query.mem_ctx, "INSERT INTO %s (", + config_value(data, "table", + CONFIG_TABLE_DEFAULT)); + } + + pdb_mysql_int_field(methods, &query, + config_value_write(data, "acct ctrl column", + CONFIG_ACCT_CTRL_DEFAULT), + pdb_get_acct_ctrl(newpwd)); + + if (pdb_get_init_flags(newpwd, PDB_LOGONTIME) != PDB_DEFAULT) { + pdb_mysql_int_field(methods, &query, + config_value_write(data, + "logon time column", + CONFIG_LOGON_TIME_DEFAULT), + pdb_get_logon_time(newpwd)); + } + + if (pdb_get_init_flags(newpwd, PDB_LOGOFFTIME) != PDB_DEFAULT) { + pdb_mysql_int_field(methods, &query, + config_value_write(data, + "logoff time column", + CONFIG_LOGOFF_TIME_DEFAULT), + pdb_get_logoff_time(newpwd)); + } + + if (pdb_get_init_flags(newpwd, PDB_KICKOFFTIME) != PDB_DEFAULT) { + pdb_mysql_int_field(methods, &query, + config_value_write(data, + "kickoff time column", + CONFIG_KICKOFF_TIME_DEFAULT), + pdb_get_kickoff_time(newpwd)); + } + + if (pdb_get_init_flags(newpwd, PDB_CANCHANGETIME) != PDB_DEFAULT) { + pdb_mysql_int_field(methods, &query, + config_value_write(data, + "pass can change time column", + CONFIG_PASS_CAN_CHANGE_TIME_DEFAULT), + pdb_get_pass_can_change_time(newpwd)); + } + + if (pdb_get_init_flags(newpwd, PDB_MUSTCHANGETIME) != PDB_DEFAULT) { + pdb_mysql_int_field(methods, &query, + 
config_value_write(data, + "pass must change time column", + CONFIG_PASS_MUST_CHANGE_TIME_DEFAULT), + pdb_get_pass_must_change_time(newpwd)); + } + + if (pdb_get_pass_last_set_time(newpwd)) { + pdb_mysql_int_field(methods, &query, + config_value_write(data, + "pass last set time column", + CONFIG_PASS_LAST_SET_TIME_DEFAULT), + pdb_get_pass_last_set_time(newpwd)); + } + + if (pdb_get_hours_len(newpwd)) { + pdb_mysql_int_field(methods, &query, + config_value_write(data, + "hours len column", + CONFIG_HOURS_LEN_DEFAULT), + pdb_get_hours_len(newpwd)); + } + + if (pdb_get_logon_divs(newpwd)) { + pdb_mysql_int_field(methods, &query, + config_value_write(data, + "logon divs column", + CONFIG_LOGON_DIVS_DEFAULT), + pdb_get_logon_divs(newpwd)); + } + + if (pdb_get_init_flags(newpwd, PDB_UID) != PDB_DEFAULT) { + pdb_mysql_int_field(methods, &query, + config_value_write(data, "uid column", + CONFIG_UID_DEFAULT), + pdb_get_uid(newpwd)); + } + + if (pdb_get_init_flags(newpwd, PDB_GID) != PDB_DEFAULT) { + pdb_mysql_int_field(methods, &query, + config_value_write(data, "gid column", + CONFIG_GID_DEFAULT), + pdb_get_gid(newpwd)); + } + + pdb_mysql_string_field(methods, &query, + config_value_write(data, "user sid column", + CONFIG_USER_SID_DEFAULT), + sid_to_string(sid_str, + pdb_get_user_sid(newpwd))); + + pdb_mysql_string_field(methods, &query, + config_value_write(data, "group sid column", + CONFIG_GROUP_SID_DEFAULT), + sid_to_string(sid_str, + pdb_get_group_sid(newpwd))); + + pdb_mysql_string_field(methods, &query, + config_value_write(data, "username column", + CONFIG_USERNAME_DEFAULT), + pdb_get_username(newpwd)); + + pdb_mysql_string_field(methods, &query, + config_value_write(data, "domain column", + CONFIG_DOMAIN_DEFAULT), + pdb_get_domain(newpwd)); + + pdb_mysql_string_field(methods, &query, + config_value_write(data, + "nt username column", + CONFIG_NT_USERNAME_DEFAULT), + pdb_get_nt_username(newpwd)); + + pdb_mysql_string_field(methods, &query, + 
config_value_write(data, "fullname column", + CONFIG_FULLNAME_DEFAULT), + pdb_get_fullname(newpwd)); + + pdb_mysql_string_field(methods, &query, + config_value_write(data, + "logon script column", + CONFIG_LOGON_SCRIPT_DEFAULT), + pdb_get_logon_script(newpwd)); + + pdb_mysql_string_field(methods, &query, + config_value_write(data, + "profile path column", + CONFIG_PROFILE_PATH_DEFAULT), + pdb_get_profile_path(newpwd)); + + pdb_mysql_string_field(methods, &query, + config_value_write(data, "dir drive column", + CONFIG_DIR_DRIVE_DEFAULT), + pdb_get_dir_drive(newpwd)); + + pdb_mysql_string_field(methods, &query, + config_value_write(data, "home dir column", + CONFIG_HOME_DIR_DEFAULT), + pdb_get_homedir(newpwd)); + + pdb_mysql_string_field(methods, &query, + config_value_write(data, + "workstations column", + CONFIG_WORKSTATIONS_DEFAULT), + pdb_get_workstations(newpwd)); + + pdb_mysql_string_field(methods, &query, + config_value_write(data, + "unknown string column", + CONFIG_UNKNOWN_STR_DEFAULT), + pdb_get_workstations(newpwd)); + + pdb_sethexpwd(temp, pdb_get_lanman_passwd(newpwd), + pdb_get_acct_ctrl(newpwd)); + pdb_mysql_string_field(methods, &query, + config_value_write(data, + "lanman pass column", + CONFIG_LM_PW_DEFAULT), temp); + + pdb_sethexpwd(temp, pdb_get_nt_passwd(newpwd), + pdb_get_acct_ctrl(newpwd)); + pdb_mysql_string_field(methods, &query, + config_value_write(data, "nt pass column", + CONFIG_NT_PW_DEFAULT), temp); + + if (query.update) { + query.part1[strlen(query.part1) - 1] = '\0'; + query.part1 = + talloc_asprintf_append(query.mem_ctx, query.part1, + " WHERE %s = '%s'", + config_value_read(data, + "user sid column", + CONFIG_USER_SID_DEFAULT), + sid_to_string(sid_str, pdb_get_user_sid (newpwd))); + } else { + query.part2[strlen(query.part2) - 1] = ')'; + query.part1[strlen(query.part1) - 1] = ')'; + query.part1 = + talloc_asprintf_append(query.mem_ctx, query.part1, + " VALUES (%s", query.part2); + } + + DEBUG(0, ("%s\n", query.part1)); + /* Execute 
the query */ + if (mysql_query(data->handle, query.part1)) { + DEBUG(0, + ("Error executing %s, %s\n", query.part1, + mysql_error(data->handle))); + return NT_STATUS_INVALID_PARAMETER; + } + talloc_destroy(query.mem_ctx); + return NT_STATUS_OK; +} + +static NTSTATUS mysqlsam_add_sam_account(struct pdb_methods *methods, SAM_ACCOUNT * newpwd) +{ + return mysqlsam_replace_sam_account(methods, newpwd, 0); +} + +static NTSTATUS mysqlsam_update_sam_account(struct pdb_methods *methods, + SAM_ACCOUNT * newpwd) +{ + return mysqlsam_replace_sam_account(methods, newpwd, 1); +} + +static NTSTATUS mysqlsam_init(struct pdb_context * pdb_context, struct pdb_methods ** pdb_method, + const char *location) +{ + NTSTATUS nt_status; + struct pdb_mysql_data *data; + + mysqlsam_debug_level = debug_add_class("mysqlsam"); + if (mysqlsam_debug_level == -1) { + mysqlsam_debug_level = DBGC_ALL; + DEBUG(0, + ("mysqlsam: Couldn't register custom debugging class!\n")); + } + + if (!pdb_context) { + DEBUG(0, ("invalid pdb_methods specified\n")); + return NT_STATUS_UNSUCCESSFUL; + } + + if (!NT_STATUS_IS_OK + (nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) { + return nt_status; + } + + (*pdb_method)->name = "mysqlsam"; + + (*pdb_method)->setsampwent = mysqlsam_setsampwent; + (*pdb_method)->endsampwent = mysqlsam_endsampwent; + (*pdb_method)->getsampwent = mysqlsam_getsampwent; + (*pdb_method)->getsampwnam = mysqlsam_getsampwnam; + (*pdb_method)->getsampwsid = mysqlsam_getsampwsid; + (*pdb_method)->add_sam_account = mysqlsam_add_sam_account; + (*pdb_method)->update_sam_account = mysqlsam_update_sam_account; + (*pdb_method)->delete_sam_account = mysqlsam_delete_sam_account; + + data = talloc(pdb_context->mem_ctx, sizeof(struct pdb_mysql_data)); + (*pdb_method)->private_data = data; + data->handle = NULL; + data->pwent = NULL; + + if (!location) { + DEBUG(0, ("No identifier specified. 
Check the Samba HOWTO Collection for details\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + data->location = smb_xstrdup(location); + + DEBUG(1, + ("Connecting to database server, host: %s, user: %s, password: %s, database: %s, port: %ld\n", + config_value(data, "mysql host", CONFIG_HOST_DEFAULT), + config_value(data, "mysql user", CONFIG_USER_DEFAULT), + config_value(data, "mysql password", CONFIG_PASS_DEFAULT), + config_value(data, "mysql database", CONFIG_DB_DEFAULT), + xatol(config_value(data, "mysql port", CONFIG_PORT_DEFAULT)))); + + /* Do the mysql initialization */ + data->handle = mysql_init(NULL); + if (!data->handle) { + DEBUG(0, ("Failed to connect to server\n")); + return NT_STATUS_UNSUCCESSFUL; + } + /* Process correct entry in $HOME/.my.conf */ + if (!mysql_real_connect(data->handle, + config_value(data, "mysql host", CONFIG_HOST_DEFAULT), + config_value(data, "mysql user", CONFIG_USER_DEFAULT), + config_value(data, "mysql password", CONFIG_PASS_DEFAULT), + config_value(data, "mysql database", CONFIG_DB_DEFAULT), + xatol(config_value (data, "mysql port", CONFIG_PORT_DEFAULT)), + NULL, 0)) { + DEBUG(0, + ("Failed to connect to mysql database: error: %s\n", + mysql_error(data->handle))); + return NT_STATUS_UNSUCCESSFUL; + } + + DEBUG(5, ("Connected to mysql db\n")); + + return NT_STATUS_OK; +} + +int pdb_mysql_init(void) +{ + return smb_register_passdb("mysql", mysqlsam_init, PASSDB_INTERFACE_VERSION); +} diff --git a/source3/passdb/pdb_xml.c b/source3/passdb/pdb_xml.c new file mode 100644 index 0000000000..42503c3d39 --- /dev/null +++ b/source3/passdb/pdb_xml.c 
@@ -0,0 +1,569 @@ + +/* + * XML password backend for samba + * Copyright (C) Jelmer Vernooij 2002 + * Some parts based on the libxml gjobread example by Daniel Veillard + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for + * more details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 675 + * Mass Ave, Cambridge, MA 02139, USA. + */ + +/* FIXME: + * - Support stdin input by using '-' + * - Be faster. Don't rewrite the whole file when adding a user, but store it in the memory and save it when exiting. Requires changes to samba source. + * - Gives the ability to read/write to standard input/output + * - Do locking! + * - Better names! 
+ */ + + +#define XML_URL "http://www.samba.org/ns" + +#include "includes.h" + +#include +#include + +static int xmlsam_debug_level = DBGC_ALL; + +#undef DBGC_CLASS +#define DBGC_CLASS xmlsam_debug_level + +static char * iota(int a) { + static char tmp[10]; + + snprintf(tmp, 9, "%d", a); + return tmp; +} + +static BOOL parsePass(xmlDocPtr doc, xmlNsPtr ns, xmlNodePtr cur, SAM_ACCOUNT * u) +{ + pstring temp; + + cur = cur->xmlChildrenNode; + while (cur != NULL) { + if (strcmp(cur->name, "crypt")) + DEBUG(0, ("Unknown element %s\n", cur->name)); + else { + if (!strcmp(xmlGetProp(cur, "type"), "nt") + && + pdb_gethexpwd(xmlNodeListGetString + (doc, cur->xmlChildrenNode, 1), temp)) + pdb_set_nt_passwd(u, temp, PDB_SET); + else if (!strcmp(xmlGetProp(cur, "type"), "lanman") + && + pdb_gethexpwd(xmlNodeListGetString + (doc, cur->xmlChildrenNode, 1), temp)) + pdb_set_lanman_passwd(u, temp, PDB_SET); + else + DEBUG(0, + ("Unknown crypt type: %s\n", + xmlGetProp(cur, "type"))); + } + cur = cur->next; + } + return True; +} + +static BOOL parseUser(xmlDocPtr doc, xmlNsPtr ns, xmlNodePtr cur, SAM_ACCOUNT * u) +{ + char *tmp; + DOM_SID sid; + + tmp = xmlGetProp(cur, "sid"); + if (tmp){ + string_to_sid(&sid, tmp); + pdb_set_user_sid(u, &sid, PDB_SET); + } + tmp = xmlGetProp(cur, "uid"); + if (tmp) + pdb_set_uid(u, atol(tmp), PDB_SET); + pdb_set_username(u, xmlGetProp(cur, "name"), PDB_SET); + /* We don't care what the top level element name is */ + cur = cur->xmlChildrenNode; + while (cur != NULL) { + if ((!strcmp(cur->name, "group")) && (cur->ns == ns)) { + tmp = xmlGetProp(cur, "gid"); + if (tmp) + pdb_set_gid(u, atol(tmp), PDB_SET); + tmp = xmlGetProp(cur, "sid"); + if (tmp){ + string_to_sid(&sid, tmp); + pdb_set_group_sid(u, &sid, PDB_SET); + } + } + + else if ((!strcmp(cur->name, "domain")) && (cur->ns == ns)) + pdb_set_domain(u, + xmlNodeListGetString(doc, cur->xmlChildrenNode, + 1), PDB_SET); + + else if (!strcmp(cur->name, "fullname") && cur->ns == ns) + 
pdb_set_fullname(u, + xmlNodeListGetString(doc, + cur->xmlChildrenNode, + 1), PDB_SET); + + else if (!strcmp(cur->name, "nt_username") && cur->ns == ns) + pdb_set_nt_username(u, + xmlNodeListGetString(doc, + cur->xmlChildrenNode, + 1), PDB_SET); + + else if (!strcmp(cur->name, "logon_script") && cur->ns == ns) + pdb_set_logon_script(u, + xmlNodeListGetString(doc, + cur->xmlChildrenNode, + 1), PDB_SET); + + else if (!strcmp(cur->name, "profile_path") && cur->ns == ns) + pdb_set_profile_path(u, + xmlNodeListGetString(doc, + cur->xmlChildrenNode, + 1), PDB_SET); + + else if (!strcmp(cur->name, "logon_time") && cur->ns == ns) + pdb_set_logon_time(u, + atol(xmlNodeListGetString + (doc, cur->xmlChildrenNode, 1)), PDB_SET); + + else if (!strcmp(cur->name, "logoff_time") && cur->ns == ns) + pdb_set_logoff_time(u, + atol(xmlNodeListGetString + (doc, cur->xmlChildrenNode, 1)), + PDB_SET); + + else if (!strcmp(cur->name, "kickoff_time") && cur->ns == ns) + pdb_set_kickoff_time(u, + atol(xmlNodeListGetString + (doc, cur->xmlChildrenNode, 1)), + PDB_SET); + + else if (!strcmp(cur->name, "logon_divs") && cur->ns == ns) + pdb_set_logon_divs(u, + atol(xmlNodeListGetString + (doc, cur->xmlChildrenNode, 1)), PDB_SET); + + else if (!strcmp(cur->name, "hours_len") && cur->ns == ns) + pdb_set_hours_len(u, + atol(xmlNodeListGetString + (doc, cur->xmlChildrenNode, 1)), PDB_SET); + + else if (!strcmp(cur->name, "unknown_3") && cur->ns == ns) + pdb_set_unknown_3(u, + atol(xmlNodeListGetString + (doc, cur->xmlChildrenNode, 1)), PDB_SET); + + else if (!strcmp(cur->name, "unknown_5") && cur->ns == ns) + pdb_set_unknown_5(u, + atol(xmlNodeListGetString + (doc, cur->xmlChildrenNode, 1)), PDB_SET); + + else if (!strcmp(cur->name, "unknown_6") && cur->ns == ns) + pdb_set_unknown_6(u, + atol(xmlNodeListGetString + (doc, cur->xmlChildrenNode, 1)), PDB_SET); + + else if (!strcmp(cur->name, "homedir") && cur->ns == ns) + pdb_set_homedir(u, + xmlNodeListGetString(doc, cur->xmlChildrenNode, + 1), 
PDB_SET); + + else if (!strcmp(cur->name, "unknown_str") && cur->ns == ns) + pdb_set_unknown_str(u, + xmlNodeListGetString(doc, + cur->xmlChildrenNode, + 1), PDB_SET); + + else if (!strcmp(cur->name, "dir_drive") && cur->ns == ns) + pdb_set_dir_drive(u, + xmlNodeListGetString(doc, + cur->xmlChildrenNode, + 1), PDB_SET); + + else if (!strcmp(cur->name, "munged_dial") && cur->ns == ns) + pdb_set_munged_dial(u, + xmlNodeListGetString(doc, + cur->xmlChildrenNode, + 1), PDB_SET); + + else if (!strcmp(cur->name, "acct_desc") && cur->ns == ns) + pdb_set_acct_desc(u, + xmlNodeListGetString(doc, + cur->xmlChildrenNode, + 1), PDB_SET); + + else if (!strcmp(cur->name, "acct_ctrl") && cur->ns == ns) + pdb_set_acct_ctrl(u, + atol(xmlNodeListGetString + (doc, cur->xmlChildrenNode, 1)), PDB_SET); + + else if (!strcmp(cur->name, "workstations") && cur->ns == ns) + pdb_set_workstations(u, + xmlNodeListGetString(doc, + cur->xmlChildrenNode, + 1), PDB_SET); + + else if ((!strcmp(cur->name, "password")) && (cur->ns == ns)) { + tmp = xmlGetProp(cur, "last_set"); + if (tmp) + pdb_set_pass_last_set_time(u, atol(tmp), PDB_SET); + tmp = xmlGetProp(cur, "must_change"); + if (tmp) + pdb_set_pass_must_change_time(u, atol(tmp), PDB_SET); + tmp = xmlGetProp(cur, "can_change"); + if (tmp) + pdb_set_pass_can_change_time(u, atol(tmp), PDB_SET); + parsePass(doc, ns, cur, u); + } + + else + DEBUG(0, ("Unknown element %s\n", cur->name)); + cur = cur->next; + } + + return True; +} + +typedef struct pdb_xml { + char *location; + char written; + xmlDocPtr doc; + xmlNodePtr users; + xmlNodePtr pwent; + xmlNsPtr ns; +} pdb_xml; + +static xmlNodePtr parseSambaXMLFile(struct pdb_xml *data) +{ + xmlNodePtr cur; + + data->doc = xmlParseFile(data->location); + if (data->doc == NULL) + return NULL; + + cur = xmlDocGetRootElement(data->doc); + if (!cur) { + DEBUG(0, ("empty document\n")); + xmlFreeDoc(data->doc); + return NULL; + } + data->ns = xmlSearchNsByHref(data->doc, cur, XML_URL); + if (!data->ns) { + 
DEBUG(0, + ("document of the wrong type, samba user namespace not found\n")); + xmlFreeDoc(data->doc); + return NULL; + } + if (strcmp(cur->name, "samba")) { + DEBUG(0, ("document of the wrong type, root node != samba")); + xmlFreeDoc(data->doc); + return NULL; + } + + cur = cur->xmlChildrenNode; + while (cur && xmlIsBlankNode(cur)) { + cur = cur->next; + } + if (!cur) + return NULL; + if ((strcmp(cur->name, "users")) || (cur->ns != data->ns)) { + DEBUG(0, ("document of the wrong type, was '%s', users expected", + cur->name)); + DEBUG(0, ("xmlDocDump follows\n")); + xmlDocDump(stderr, data->doc); + DEBUG(0, ("xmlDocDump finished\n")); + xmlFreeDoc(data->doc); + return NULL; + } + data->users = cur; + cur = cur->xmlChildrenNode; + return cur; +} + +static NTSTATUS xmlsam_setsampwent(struct pdb_methods *methods, BOOL update) +{ + pdb_xml *data; + + if (!methods) { + DEBUG(0, ("Invalid methods\n")); + return NT_STATUS_INVALID_PARAMETER; + } + data = (pdb_xml *) methods->private_data; + if (!data) { + DEBUG(0, ("Invalid pdb_xml_data\n")); + return NT_STATUS_INVALID_PARAMETER; + } + data->pwent = parseSambaXMLFile(data); + if (!data->pwent) + return NT_STATUS_UNSUCCESSFUL; + + return NT_STATUS_OK; +} + +/*************************************************************** + End enumeration of the passwd list. 
+ ****************************************************************/ + +static void xmlsam_endsampwent(struct pdb_methods *methods) +{ + pdb_xml *data; + + if (!methods) { + DEBUG(0, ("Invalid methods\n")); + return; + } + + data = (pdb_xml *) methods->private_data; + + if (!data) { + DEBUG(0, ("Invalid pdb_xml_data\n")); + return; + } + + xmlFreeDoc(data->doc); + data->doc = NULL; + data->pwent = NULL; +} + +/***************************************************************** + Get one SAM_ACCOUNT from the list (next in line) + *****************************************************************/ + +static NTSTATUS xmlsam_getsampwent(struct pdb_methods *methods, SAM_ACCOUNT * user) +{ + pdb_xml *data; + + if (!methods) { + DEBUG(0, ("Invalid methods\n")); + return NT_STATUS_INVALID_PARAMETER; + } + data = (pdb_xml *) methods->private_data; + + if (!data) { + DEBUG(0, ("Invalid pdb_xml_data\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + while (data->pwent) { + if ((!strcmp(data->pwent->name, "user")) && + (data->pwent->ns == data->ns)) { + + parseUser(data->doc, data->ns, data->pwent, user); + data->pwent = data->pwent->next; + return NT_STATUS_OK; + } + data->pwent = data->pwent->next; + } + return NT_STATUS_UNSUCCESSFUL; +} + +/*************************************************************************** + Adds an existing SAM_ACCOUNT + ****************************************************************************/ + +static NTSTATUS xmlsam_add_sam_account(struct pdb_methods *methods, SAM_ACCOUNT * u) +{ + pstring temp; + fstring sid_str; + xmlNodePtr cur, user, pass, root; + pdb_xml *data; + + DEBUG(10, ("xmlsam_add_sam_account called!\n")); + + if (!methods) { + DEBUG(0, ("Invalid methods\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + data = (pdb_xml *) methods->private_data; + if (!data) { + DEBUG(0, ("Invalid pdb_xml_data\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + /* Create a new document if we can't open the current one */ + if 
(!parseSambaXMLFile(data)) { + DEBUG(0, ("Can't load current XML file, creating a new one\n")); + data->doc = xmlNewDoc(XML_DEFAULT_VERSION); + root = xmlNewDocNode(data->doc, NULL, "samba", NULL); + cur = xmlDocSetRootElement(data->doc, root); + data->ns = xmlNewNs(root, XML_URL, "samba"); + data->users = xmlNewChild(root, data->ns, "users", NULL); + } + + user = xmlNewChild(data->users, data->ns, "user", NULL); + xmlNewProp(user, "sid", + sid_to_string(sid_str, pdb_get_user_sid(u))); + if (pdb_get_init_flags(u, PDB_UID) != PDB_DEFAULT) + xmlNewProp(user, "uid", iota(pdb_get_uid(u))); + + if (pdb_get_username(u) && strcmp(pdb_get_username(u), "")) + xmlNewProp(user, "name", pdb_get_username(u)); + + cur = xmlNewChild(user, data->ns, "group", NULL); + + xmlNewProp(cur, "sid", + sid_to_string(sid_str, pdb_get_group_sid(u))); + if (pdb_get_init_flags(u, PDB_GID) != PDB_DEFAULT) + xmlNewProp(cur, "gid", iota(pdb_get_gid(u))); + + if (pdb_get_init_flags(u, PDB_LOGONTIME) != PDB_DEFAULT) + xmlNewChild(user, data->ns, "login_time", + iota(pdb_get_logon_time(u))); + + if (pdb_get_init_flags(u, PDB_LOGOFFTIME) != PDB_DEFAULT) + xmlNewChild(user, data->ns, "logoff_time", + iota(pdb_get_logoff_time(u))); + + if (pdb_get_init_flags(u, PDB_KICKOFFTIME) != PDB_DEFAULT) + xmlNewChild(user, data->ns, "kickoff_time", + iota(pdb_get_kickoff_time(u))); + + if (pdb_get_domain(u) && strcmp(pdb_get_domain(u), "")) + xmlNewChild(user, data->ns, "domain", pdb_get_domain(u)); + + if (pdb_get_nt_username(u) && strcmp(pdb_get_nt_username(u), "")) + xmlNewChild(user, data->ns, "nt_username", pdb_get_nt_username(u)); + + if (pdb_get_fullname(u) && strcmp(pdb_get_fullname(u), "")) + xmlNewChild(user, data->ns, "fullname", pdb_get_fullname(u)); + + if (pdb_get_homedir(u) && strcmp(pdb_get_homedir(u), "")) + xmlNewChild(user, data->ns, "homedir", pdb_get_homedir(u)); + + if (pdb_get_dir_drive(u) && strcmp(pdb_get_dir_drive(u), "")) + xmlNewChild(user, data->ns, "dir_drive", 
pdb_get_dir_drive(u)); + + if (pdb_get_logon_script(u) && strcmp(pdb_get_logon_script(u), "")) + xmlNewChild(user, data->ns, "logon_script", + pdb_get_logon_script(u)); + + if (pdb_get_profile_path(u) && strcmp(pdb_get_profile_path(u), "")) + xmlNewChild(user, data->ns, "profile_path", + pdb_get_profile_path(u)); + + if (pdb_get_acct_desc(u) && strcmp(pdb_get_acct_desc(u), "")) + xmlNewChild(user, data->ns, "acct_desc", pdb_get_acct_desc(u)); + + if (pdb_get_workstations(u) && strcmp(pdb_get_workstations(u), "")) + xmlNewChild(user, data->ns, "workstations", + pdb_get_workstations(u)); + + if (pdb_get_unknown_str(u) && strcmp(pdb_get_unknown_str(u), "")) + xmlNewChild(user, data->ns, "unknown_str", pdb_get_unknown_str(u)); + + if (pdb_get_munged_dial(u) && strcmp(pdb_get_munged_dial(u), "")) + xmlNewChild(user, data->ns, "munged_dial", pdb_get_munged_dial(u)); + + + /* Password stuff */ + pass = xmlNewChild(user, data->ns, "password", NULL); + if (pdb_get_pass_last_set_time(u)) + xmlNewProp(pass, "last_set", iota(pdb_get_pass_last_set_time(u))); + if (pdb_get_init_flags(u, PDB_CANCHANGETIME) != PDB_DEFAULT) + xmlNewProp(pass, "can_change", + iota(pdb_get_pass_can_change_time(u))); + + if (pdb_get_init_flags(u, PDB_MUSTCHANGETIME) != PDB_DEFAULT) + xmlNewProp(pass, "must_change", + iota(pdb_get_pass_must_change_time(u))); + + + if (pdb_get_lanman_passwd(u)) { + pdb_sethexpwd(temp, pdb_get_lanman_passwd(u), + pdb_get_acct_ctrl(u)); + cur = xmlNewChild(pass, data->ns, "crypt", temp); + xmlNewProp(cur, "type", "lanman"); + } + + if (pdb_get_nt_passwd(u)) { + pdb_sethexpwd(temp, pdb_get_nt_passwd(u), pdb_get_acct_ctrl(u)); + cur = xmlNewChild(pass, data->ns, "crypt", temp); + xmlNewProp(cur, "type", "nt"); + } + + xmlNewChild(user, data->ns, "acct_ctrl", iota(pdb_get_acct_ctrl(u))); + xmlNewChild(user, data->ns, "unknown_3", iota(pdb_get_unknown_3(u))); + + if (pdb_get_logon_divs(u)) + xmlNewChild(user, data->ns, "logon_divs", + iota(pdb_get_logon_divs(u))); + + if 
(pdb_get_hours_len(u)) + xmlNewChild(user, data->ns, "hours_len", + iota(pdb_get_hours_len(u))); + + xmlNewChild(user, data->ns, "unknown_5", iota(pdb_get_unknown_5(u))); + xmlNewChild(user, data->ns, "unknown_6", iota(pdb_get_unknown_6(u))); + xmlSaveFile(data->location, data->doc); + + return NT_STATUS_OK; +} + +static NTSTATUS xmlsam_init(PDB_CONTEXT * pdb_context, PDB_METHODS ** pdb_method, + const char *location) +{ + NTSTATUS nt_status; + pdb_xml *data; + + xmlsam_debug_level = debug_add_class("xmlsam"); + if (xmlsam_debug_level == -1) { + xmlsam_debug_level = DBGC_ALL; + DEBUG(0, ("xmlsam: Couldn't register custom debugging class!\n")); + } + + if (!pdb_context) { + DEBUG(0, ("invalid pdb_methods specified\n")); + return NT_STATUS_UNSUCCESSFUL; + } + + if (!NT_STATUS_IS_OK + (nt_status = make_pdb_methods(pdb_context->mem_ctx, pdb_method))) { + return nt_status; + } + + (*pdb_method)->name = "xmlsam"; + + (*pdb_method)->setsampwent = xmlsam_setsampwent; + (*pdb_method)->endsampwent = xmlsam_endsampwent; + (*pdb_method)->getsampwent = xmlsam_getsampwent; + (*pdb_method)->add_sam_account = xmlsam_add_sam_account; + (*pdb_method)->getsampwnam = NULL; + (*pdb_method)->getsampwsid = NULL; + (*pdb_method)->update_sam_account = NULL; + (*pdb_method)->delete_sam_account = NULL; + (*pdb_method)->getgrsid = NULL; + (*pdb_method)->getgrgid = NULL; + (*pdb_method)->getgrnam = NULL; + (*pdb_method)->add_group_mapping_entry = NULL; + (*pdb_method)->update_group_mapping_entry = NULL; + (*pdb_method)->delete_group_mapping_entry = NULL; + (*pdb_method)->enum_group_mapping = NULL; + + data = talloc(pdb_context->mem_ctx, sizeof(pdb_xml)); + data->location = talloc_strdup(pdb_context->mem_ctx, (location ? 
location : "passdb.xml")); + data->pwent = NULL; + data->written = 0; + (*pdb_method)->private_data = data; + + LIBXML_TEST_VERSION xmlKeepBlanksDefault(0); + + return NT_STATUS_OK; +} + +int pdb_xml_init(void) +{ + return smb_register_passdb("xml", xmlsam_init, PASSDB_INTERFACE_VERSION); +} -- cgit From 42c01600c35e3f349abf064e3e02f0463efe8993 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 24 Apr 2003 21:04:44 +0000 Subject: Don't store UID or GID (This used to be commit b2d9d450493f6fc0ceb94dd0007cedf56371bb4b) --- source3/passdb/pdb_mysql.c | 51 ++++++++++++---------------------------------- source3/passdb/pdb_xml.c | 10 --------- 2 files changed, 13 insertions(+), 48 deletions(-) diff --git a/source3/passdb/pdb_mysql.c b/source3/passdb/pdb_mysql.c index ec8c6f9ab8..4e91994418 100644 --- a/source3/passdb/pdb_mysql.c +++ b/source3/passdb/pdb_mysql.c @@ -40,8 +40,6 @@ #define CONFIG_WORKSTATIONS_DEFAULT "workstations" #define CONFIG_UNKNOWN_STR_DEFAULT "unknown_str" #define CONFIG_MUNGED_DIAL_DEFAULT "munged_dial" -#define CONFIG_UID_DEFAULT "uid" -#define CONFIG_GID_DEFAULT "gid" #define CONFIG_USER_SID_DEFAULT "user_sid" #define CONFIG_GROUP_SID_DEFAULT "group_sid" #define CONFIG_LM_PW_DEFAULT "lm_pw" 
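Review bot: in the new pdb_xml.c, iota() truncates any value wider than eight digits: snprintf(tmp, 9, "%d", a) writes at most eight characters, so a time_t such as a pass_last_set_time of 1051229084 is stored as "10512290" and read back as a wrong timestamp; size the buffer for a 64-bit value, pass sizeof(tmp), and note that the static buffer is not reentrant. Second, xmlsam_add_sam_account writes the element "login_time" while parseUser only recognises "logon_time", so the logon time is never read back and triggers an "Unknown element" message on every load; use one spelling in both places. Third, xmlNewChild() treats its content argument as XML CDATA, so a fullname, acct_desc or homedir containing '&' or '<' produces a file the parser later rejects; escape with xmlEncodeEntitiesReentrant() or use xmlNewTextChild(). Fourth, when the first child of the root is not "users", parseSambaXMLFile calls xmlDocDump(stderr, data->doc) at debug level 0, which copies the whole file, lanman and nt hashes included, into the log; log the offending element name only. Finally, xmlGetProp(cur, "type"), xmlGetProp(cur, "name") and xmlNodeListGetString() can return NULL and are passed straight to strcmp()/atol()/pdb_set_*(), and none of the returned strings are xmlFree()d; check for NULL and free after use.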
@@ -242,32 +240,27 @@ static NTSTATUS row_to_sam_account(MYSQL_RES * r, SAM_ACCOUNT * u) pdb_set_unknown_str(u, row[16], PDB_SET); pdb_set_munged_dial(u, row[17], PDB_SET); - if (row[18]) - pdb_set_uid(u, xatol(row[18]), PDB_SET); - if (row[19]) - pdb_set_gid(u, xatol(row[19]), PDB_SET); - - string_to_sid(&sid, row[20]); + string_to_sid(&sid, row[18]); pdb_set_user_sid(u, &sid, PDB_SET); - string_to_sid(&sid, row[21]); + string_to_sid(&sid, row[19]); pdb_set_group_sid(u, &sid, PDB_SET); - if (pdb_gethexpwd(row[22], temp), PDB_SET) + if (pdb_gethexpwd(row[20], temp), PDB_SET) pdb_set_lanman_passwd(u, temp, PDB_SET); - if (pdb_gethexpwd(row[23], temp), PDB_SET) + if (pdb_gethexpwd(row[21], temp), PDB_SET) pdb_set_nt_passwd(u, temp, PDB_SET); /* Only use plaintext password storage when lanman and nt are * NOT used */ - if (!row[22] || !row[23]) - pdb_set_plaintext_passwd(u, row[24]); + if (!row[20] || !row[21]) + pdb_set_plaintext_passwd(u, row[22]); - pdb_set_acct_ctrl(u, xatol(row[25]), PDB_SET); - pdb_set_unknown_3(u, xatol(row[26]), PDB_SET); - pdb_set_logon_divs(u, xatol(row[27]), PDB_SET); - pdb_set_hours_len(u, xatol(row[28]), PDB_SET); - pdb_set_unknown_5(u, xatol(row[29]), PDB_SET); - pdb_set_unknown_6(u, xatol(row[30]), PDB_SET); + pdb_set_acct_ctrl(u, xatol(row[23]), PDB_SET); + pdb_set_unknown_3(u, xatol(row[24]), PDB_SET); + pdb_set_logon_divs(u, xatol(row[25]), PDB_SET); + pdb_set_hours_len(u, xatol(row[26]), PDB_SET); + pdb_set_unknown_5(u, xatol(row[27]), PDB_SET); + pdb_set_unknown_6(u, xatol(row[28]), PDB_SET); return NT_STATUS_OK; } 
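Review bot: the renumbered password lines in row_to_sam_account keep a condition that is always true: `if (pdb_gethexpwd(row[20], temp), PDB_SET)` is a comma expression whose value is PDB_SET (non-zero), so the return value of pdb_gethexpwd() is discarded and pdb_set_lanman_passwd()/pdb_set_nt_passwd() run even when the column is NULL or not valid hex (same for row[21]). Since the hunk already touches both lines, make them `if (row[20] && pdb_gethexpwd(row[20], temp))` and the equivalent for row[21]; otherwise an empty or corrupt hash column silently yields an account with whatever temp happened to contain.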
@@ -285,7 +278,7 @@ static NTSTATUS mysqlsam_setsampwent(struct pdb_methods *methods, BOOL update) } asprintf(&query, - "SELECT %s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s FROM %s", + "SELECT %s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s FROM %s", config_value_read(data, "logon time column", CONFIG_LOGON_TIME_DEFAULT), config_value_read(data, "logoff time column", @@ -322,8 +315,6 @@ static NTSTATUS mysqlsam_setsampwent(struct pdb_methods *methods, BOOL update) CONFIG_UNKNOWN_STR_DEFAULT), config_value_read(data, "munged dial column", CONFIG_MUNGED_DIAL_DEFAULT), - config_value_read(data, "uid column", CONFIG_UID_DEFAULT), - config_value_read(data, "gid column", CONFIG_GID_DEFAULT), config_value_read(data, "user sid column", CONFIG_USER_SID_DEFAULT), config_value_read(data, "group sid column", @@ -488,8 +479,6 @@ static NTSTATUS mysqlsam_select_by_field(struct pdb_methods * methods, SAM_ACCOU CONFIG_UNKNOWN_STR_DEFAULT), config_value_read(data, "munged dial column", CONFIG_MUNGED_DIAL_DEFAULT), - config_value_read(data, "uid column", CONFIG_UID_DEFAULT), - config_value_read(data, "gid column", CONFIG_GID_DEFAULT), config_value_read(data, "user sid column", CONFIG_USER_SID_DEFAULT), config_value_read(data, "group sid column", @@ -758,20 +747,6 @@ static NTSTATUS mysqlsam_replace_sam_account(struct pdb_methods *methods, pdb_get_logon_divs(newpwd)); } - if (pdb_get_init_flags(newpwd, PDB_UID) != PDB_DEFAULT) { - pdb_mysql_int_field(methods, &query, - config_value_write(data, "uid column", - CONFIG_UID_DEFAULT), - pdb_get_uid(newpwd)); - } - - if (pdb_get_init_flags(newpwd, PDB_GID) != PDB_DEFAULT) { - pdb_mysql_int_field(methods, &query, - config_value_write(data, "gid column", - CONFIG_GID_DEFAULT), - pdb_get_gid(newpwd)); - } - pdb_mysql_string_field(methods, &query, config_value_write(data, "user sid column", CONFIG_USER_SID_DEFAULT), 
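Review bot: the @@ -758 hunk drops the uid/gid writes in mysqlsam_replace_sam_account without any migration note: tables created for the previous schema still have the two columns, and if they are NOT NULL without a default every INSERT will now fail, while the "uid column" and "gid column" smb.conf options, whose CONFIG_*_DEFAULT defines the first hunk deletes, are read nowhere and so are silently ignored. Document the schema change (drop the columns or give them a default) and the removed options, or log a warning when they are still present in the configuration.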
diff --git a/source3/passdb/pdb_xml.c b/source3/passdb/pdb_xml.c index 42503c3d39..bde2d14a85 100644 --- a/source3/passdb/pdb_xml.c +++ b/source3/passdb/pdb_xml.c @@ -86,17 +86,11 @@ static BOOL parseUser(xmlDocPtr doc, xmlNsPtr ns, xmlNodePtr cur, SAM_ACCOUNT * string_to_sid(&sid, tmp); pdb_set_user_sid(u, &sid, PDB_SET); } - tmp = xmlGetProp(cur, "uid"); - if (tmp) - pdb_set_uid(u, atol(tmp), PDB_SET); pdb_set_username(u, xmlGetProp(cur, "name"), PDB_SET); /* We don't care what the top level element name is */ cur = cur->xmlChildrenNode; while (cur != NULL) { if ((!strcmp(cur->name, "group")) && (cur->ns == ns)) { - tmp = xmlGetProp(cur, "gid"); - if (tmp) - pdb_set_gid(u, atol(tmp), PDB_SET); tmp = xmlGetProp(cur, "sid"); if (tmp){ string_to_sid(&sid, tmp); @@ -406,8 +400,6 @@ static NTSTATUS xmlsam_add_sam_account(struct pdb_methods *methods, SAM_ACCOUNT user = xmlNewChild(data->users, data->ns, "user", NULL); xmlNewProp(user, "sid", sid_to_string(sid_str, pdb_get_user_sid(u))); - if (pdb_get_init_flags(u, PDB_UID) != PDB_DEFAULT) - xmlNewProp(user, "uid", iota(pdb_get_uid(u))); if (pdb_get_username(u) && strcmp(pdb_get_username(u), "")) xmlNewProp(user, "name", pdb_get_username(u)); @@ -416,8 +408,6 @@ static NTSTATUS xmlsam_add_sam_account(struct pdb_methods *methods, SAM_ACCOUNT xmlNewProp(cur, "sid", sid_to_string(sid_str, pdb_get_group_sid(u))); - if (pdb_get_init_flags(u, PDB_GID) != PDB_DEFAULT) - xmlNewProp(cur, "gid", iota(pdb_get_gid(u))); if (pdb_get_init_flags(u, PDB_LOGONTIME) != PDB_DEFAULT) xmlNewChild(user, data->ns, "login_time", -- cgit From f0917e0bfd2eebfc9826e6924c231fab99059186 Mon Sep 17 00:00:00 2001 
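Review bot: with the uid and gid attributes no longer read in parseUser, an existing passdb.xml that still carries them is accepted without a word, because only unknown child elements reach the DEBUG(0, ("Unknown element ...")) branch and attributes are never enumerated. Emit a DEBUG when a uid or gid attribute is present on "user" or "group" so administrators learn that the Unix id mapping is no longer taken from this file.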
From: John Terpstra Date: Thu, 24 Apr 2003 22:00:45 +0000 Subject: Updates: ADS typo fix, ProfileMgmt: Additional docs on how to disable roaming profiles. (This used to be commit efd8872989b13bd8daa814b6b91cab1fd30ff170) --- docs/docbook/projdoc/ADS-HOWTO.sgml | 10 +++--- docs/docbook/projdoc/ProfileMgmt.sgml | 59 ++++++++++++++++++++++++++++++++++- 2 files changed, 63 insertions(+), 6 deletions(-) diff --git a/docs/docbook/projdoc/ADS-HOWTO.sgml b/docs/docbook/projdoc/ADS-HOWTO.sgml index c7def652fc..c36f150112 100644 --- a/docs/docbook/projdoc/ADS-HOWTO.sgml +++ b/docs/docbook/projdoc/ADS-HOWTO.sgml @@ -56,15 +56,16 @@ In case samba can't figure out your ads server using your realm name, use the Test your config by doing a kinit -USERNAME@REALM and making sure that - your password is accepted by the Win2000 KDC. +USERNAME@REALM and +making sure that your password is accepted by the Win2000 KDC. + The realm must be uppercase or you will get "Cannot find KDC for requested realm while getting initial credentials" error Time between the two servers must be synchronized. You will get a "kinit(v5): Clock skew too great while getting initial credentials" if the time -difference is more than five minutes. +difference is more than five minutes. You also must ensure that you can do a reverse DNS lookup on the IP @@ -86,8 +87,7 @@ If all you want is kerberos support in &smbclient; then you can skip straight to Test with &smbclient; now. Creating a computer account and testing your servers -is only needed if you want kerberos -support for &smbd; and &winbindd;. +is only needed if you want kerberos support for &smbd; and &winbindd;. diff --git a/docs/docbook/projdoc/ProfileMgmt.sgml b/docs/docbook/projdoc/ProfileMgmt.sgml index bc0113baeb..ac61391306 100644 --- a/docs/docbook/projdoc/ProfileMgmt.sgml +++ b/docs/docbook/projdoc/ProfileMgmt.sgml 
@@ -122,6 +122,63 @@ You can support profiles for both Win9X and WinNT clients by setting both the logon path = \\%L\profiles\%u + + +Disabling Roaming Profile Support + + +A question often asked is "How may I enforce use of local profiles?" or +"How do I disable Roaming Profiles?" + + + +There are three ways of doing this: + + + + + In smb.conf: affect the following settings and ALL clients + will be forced to use a local profile: + + logon home = + logon path = + + + + MS Windows Registry: by using the Microsoft Management Console + gpedit.msc to instruct your MS Windows XP machine to use only a local profile. This + of course modifies registry settings. The full path to the option is: + + Local Computer Policy\ + Computer Configuration\ + Administrative Templates\ + System\ + User Profiles\ + + Disable: Only Allow Local User Profiles + Disable: Prevent Roaming Profile Change from Propogating to the Server + + + + + Change of Profile Type: From the start menu right click on the + MY Computer icon, select Properties, click on the "User Profiles + tab, select the profile you wish to change from Roaming type to Local, click Change Type. + + + + +Consult the MS Windows registry guide for your particular MS Windows version for more +information about which registry keys to change to enforce use of only local user +profiles. + + + +The specifics of how to convert a local profile to a roaming profile, or a roaming profile +to a local one vary according to the version of MS Windows you are running. Consult the +Microsoft MS Windows Resource Kit for your version of Windows for specific information. + +
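Review bot: two slips in the new "Disabling Roaming Profile Support" section: the quote opened in `click on the "User Profiles tab` is never closed, and "Propogating" in the policy name should be "Propagating"; "MY Computer" should also be "My Computer". The first list item reads "affect the following settings", where "set the following parameters to empty values" says what the two blank `logon home =` / `logon path =` lines actually do.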
@@ -885,7 +942,7 @@ The default entries are: Common Desktop %SystemRoot%\Profiles\All Users\Desktop Common Programs %SystemRoot%\Profiles\All Users\Programs Common Start Menu %SystemRoot%\Profiles\All Users\Start Menu - Common Startu p %SystemRoot%\Profiles\All Users\Start Menu\Progams\Startup + Common Startup %SystemRoot%\Profiles\All Users\Start Menu\Progams\Startup -- cgit From 07511789c0469829babaefbd1ad1742b1ab799da Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Thu, 24 Apr 2003 23:26:32 +0000 Subject: Corrections and edits from Jesse Jacobs (This used to be commit 2b28e69ddfb017290674298b7497ce780d189976) --- docs/docbook/projdoc/DOMAIN_MEMBER.sgml | 2 +- docs/docbook/projdoc/NetworkBrowsing.sgml | 4 ++-- docs/docbook/projdoc/PolicyMgmt.sgml | 4 ++-- docs/docbook/projdoc/Samba-PDC-HOWTO.sgml | 12 ++++++------ docs/docbook/projdoc/passdb.sgml | 16 ++++++++-------- docs/docbook/projdoc/security_level.sgml | 14 +++++++------- 6 files changed, 26 insertions(+), 26 deletions(-) diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml index 6f995af286..9470688089 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml @@ -14,7 +14,7 @@ Joining an NT Domain with Samba 3.0 Assume you have a Samba 3.0 server with a NetBIOS name of - SERV1 and are joining an or Win2k NT domain called + SERV1 and are joining a Win2k or NT domain called DOM, which has a PDC with a NetBIOS name of DOMPDC and two backup domain controllers with NetBIOS names DOMBDC1 and DOMBDC2 diff --git a/docs/docbook/projdoc/NetworkBrowsing.sgml b/docs/docbook/projdoc/NetworkBrowsing.sgml index 7743cb9c75..e8d1b40710 100644 --- a/docs/docbook/projdoc/NetworkBrowsing.sgml +++ b/docs/docbook/projdoc/NetworkBrowsing.sgml 
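Review bot: the corrected Common Startup line in ProfileMgmt.sgml still misspells the path component: `\Start Menu\Progams\Startup` should be `\Start Menu\Programs\Startup`, matching the spelling used in the Common Programs entry above it.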
@@ -883,7 +883,7 @@ name resolve order = wins lmhosts (eliminates bcast and host) The default is: name resolve order = host lmhost wins bcast -. + where "host" refers the the native methods used by the Unix system to implement the gethostbyname() function call. This is normally controlled by /etc/host.conf, /etc/nsswitch.conf and /etc/resolv.conf. @@ -927,7 +927,7 @@ that can NOT be provided by any other means of name resolution. Samba facilitates browsing. The browsing is supported by &nmbd; and is also controlled by options in the &smb.conf; file. Samba can act as a local browse master for a workgroup and the ability -for samba to support domain logons and scripts is now available. +to support domain logons and scripts is now available. diff --git a/docs/docbook/projdoc/PolicyMgmt.sgml b/docs/docbook/projdoc/PolicyMgmt.sgml index 9ec9d452a7..333fe6ad0b 100644 --- a/docs/docbook/projdoc/PolicyMgmt.sgml +++ b/docs/docbook/projdoc/PolicyMgmt.sgml @@ -183,7 +183,7 @@ known as the group policy template (GPT). -With NT4 clients the policy file is read and executed upon only aas each user log onto the network. +With NT4 clients the policy file is read and executed upon only as each user logs onto the network. MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine startup (machine specific part) and when the user logs onto the network the user specific part is applied. In MS Windows 200x style policy management each machine and/or user may be subject 
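Review bot: the example default in the @@ -883 hunk of NetworkBrowsing.sgml, `name resolve order = host lmhost wins bcast`, uses the token "lmhost", which is not a valid value; the method is spelled "lmhosts", as in the `name resolve order = wins lmhosts` line quoted just above it. The same hunk's context also reads "refers the the native methods", which this typo pass could fix while it is here.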
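Review bot: the corrected sentence in the @@ -183 hunk of PolicyMgmt.sgml still does not parse: "the policy file is read and executed upon only as each user logs onto the network" keeps the stray "upon"; "is read and executed only as each user logs onto the network" is what was meant.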
@@ -278,7 +278,7 @@ This has considerable advanage compared with the use of NTConfig.POL (NT4) style -Inaddition to user access controls that may be imposed or applied via system and/or group policies +In addition to user access controls that may be imposed or applied via system and/or group policies in a manner that works in conjunction with user profiles, the user management environment under MS Windows NT4/200x/XP allows per domain as well as per user account restrictions to be applied. Common restrictions that are frequently used includes: diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml index 2e5f436769..7295a15875 100644 --- a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml @@ -109,7 +109,7 @@ The following functionalities are NOT provided by Samba 3.0: Please note that Windows 9x / Me / XP Home clients are not true members of a domain for reasons outlined in this article. Therefore the protocol for -support Windows 9x-style domain logons is completely different +support of Windows 9x-style domain logons is completely different from NT4 / Win2k type domain logons and has been officially supported for some time. @@ -263,7 +263,7 @@ shared secret with the domain controller. A Windows PDC stores each machine trust account in the Windows -Registry. A Samba-3 PDC also has to stoe machine trust account information +Registry. A Samba-3 PDC also has to store machine trust account information in a suitable back-end data store. With Samba-3 there can be multiple back-ends for this including: @@ -665,7 +665,7 @@ the network and download their preferences, desktop and start menu. Before launching into the configuration instructions, it is -worthwhile lookingat how a Windows 9x/ME client performs a logon: +worthwhile to look at how a Windows 9x/ME client performs a logon: 
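Review bot: the @@ -278 hunk of PolicyMgmt.sgml fixes "Inaddition" but leaves two neighbours in the same context: "Common restrictions that are frequently used includes:" needs "include", and the hunk header line "This has considerable advanage compared with" should read "advantage".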
@@ -705,7 +705,7 @@ worthwhile lookingat how a Windows 9x/ME client performs a logon: The client then sends a NetUserGetInfo request to the server, to retrieve the user's home share, which is used to search for profiles. Since the - response to the NetUserGetInfo request does not contain much more + response to the NetUserGetInfo request does not contain much more then the user's home share, profiles for Win9X clients MUST reside in the user home directory. @@ -774,7 +774,7 @@ Actually, this issue is also closely tied to the debate on whether or not Samba must be the domain master browser for its workgroup when operating as a DC. While it may technically be possible to configure a server as such (after all, browsing and domain logons -are two distinctly different functions), it is not a good idea to +are two distinctly different functions), it is not a good idea to do so. You should remember that the DC must register the DOMAIN#1b NetBIOS name. This is the name used by Windows clients to locate the DC. Windows clients do not distinguish between the DC and the DMB. @@ -786,7 +786,7 @@ Now back to the issue of configuring a Samba DC to use a mode other than "security = user". If a Samba host is configured to use another SMB server or DC in order to validate user connection requests, then it is a fact that some other machine on the network -(the "password server") knows more about user than the Samba host. +(the "password server") knows more about the user than the Samba host. 99% of the time, this other host is a domain controller. Now in order to operate in domain mode security, the "workgroup" parameter must be set to the name of the Windows NT domain (which already diff --git a/docs/docbook/projdoc/passdb.sgml b/docs/docbook/projdoc/passdb.sgml index 776c79f095..6f256daddd 100644 --- a/docs/docbook/projdoc/passdb.sgml +++ b/docs/docbook/projdoc/passdb.sgml 
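Review bot: the @@ -705 hunk of Samba-PDC-HOWTO.sgml changes only whitespace on the line "does not contain much more then the user's home share" and leaves the actual error in place; "then" should be "than".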
@@ -140,7 +140,7 @@ record passwords going to the SMB server. WinNT doesn't like talking to a server - that SM not support encrypted passwords. It will refuse + that does not support encrypted passwords. It will refuse to browse the server if the server is also in user level security mode. It will insist on prompting the user for the password on each connection, which is very annoying. The @@ -300,7 +300,7 @@ in the thousands). The first is that all lookups must be performed sequentially. Given that there are approximately two lookups per domain logon (one for a normal session connection such as when mapping a network drive or printer), this -is a performance bottleneck for lareg sites. What is needed is an indexed approach +is a performance bottleneck for large sites. What is needed is an indexed approach such as is used in databases. @@ -394,7 +394,7 @@ url="mailto:jerry@samba.org">jerry@samba.org -Just as the smbpasswd file is mean to store information which supplements a +Just as the smbpasswd file is meant to store information which supplements a user's /etc/passwd entry, so is the sambaAccount object meant to supplement the UNIX user account information. A sambaAccount is a STRUCTURAL objectclass so it can be stored individually @@ -528,7 +528,7 @@ use with an LDAP directory could appear as # The password for this DN is not stored in smb.conf. Rather it # must be set by using 'smbpasswd -w secretpw' to store the # passphrase in the secrets.tdb file. If the "ldap admin dn" values - # changes, this password will need to be reset. + # change, this password will need to be reset. ldap admin dn = "cn=Samba Manager,ou=people,dc=samba,dc=org" # Define the SSL option when connecting to the directory 
@@ -566,12 +566,12 @@ use with an LDAP directory could appear as As users accounts are managed thru the sambaAccount objectclass, you should -modify you existing administration tools to deal with sambaAccount attributes. +modify your existing administration tools to deal with sambaAccount attributes. Machines accounts are managed with the sambaAccount objectclass, just -like users accounts. However, it's up to you to stored thoses accounts +like users accounts. However, it's up to you to store thoses accounts in a different tree of you LDAP namespace: you should use "ou=Groups,dc=plainjoe,dc=org" to store groups and "ou=People,dc=plainjoe,dc=org" to store users. Just configure your @@ -581,7 +581,7 @@ file). In Samba release 3.0, the group management system is based on posix -groups. This means that Samba make usage of the posixGroup objectclass. +groups. This means that Samba makes usage of the posixGroup objectclass. For now, there is no NT-like group system management (global and local groups). @@ -733,7 +733,7 @@ the logon home string is expanded to \\TASHTEGO\becky. If the smbHome attribute exists in the entry "uid=becky,ou=people,dc=samba,dc=org", this value is used. However, if this attribute does not exist, then the value of the logon home parameter is used in its place. Samba -will only write the attribute value to the directory entry is the value is +will only write the attribute value to the directory entry if the value is something other than the default (e.g. \\MOBY\becky). diff --git a/docs/docbook/projdoc/security_level.sgml b/docs/docbook/projdoc/security_level.sgml index 4ce5955e35..e840ff6c17 100644 --- a/docs/docbook/projdoc/security_level.sgml +++ b/docs/docbook/projdoc/security_level.sgml 
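Review bot: the @@ -566 hunk of passdb.sgml fixes "stored" but leaves the rest of the same sentence broken: "store thoses accounts in a different tree of you LDAP namespace" should read "store those accounts in a different tree of your LDAP namespace", and the surrounding "Machines accounts" / "users accounts" should be "machine accounts" / "user accounts".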
@@ -136,7 +136,7 @@ MS Windows clients may use encrypted passwords as part of a challenege/response authentication model (a.k.a. NTLMv1) or alone, or clear text strings for simple password based authentication. It should be realized that with the SMB protocol the password is passed over the network either in plain text or encrypted, but -not both in the same authentication requests. +not both in the same authentication request. @@ -203,10 +203,10 @@ However, passwords on UNIX systems often make use of mixed case characters. This means that in order for a user on a Windows 9x client to connect to a Samba server using clear text authentication, the password level must be set to the maximum number of upper case letter which could -appear is a password. Note that is the server OS uses the traditional DES version -of crypt(), then a password level of 8 will result in case +appear is a password. Note that the server OS uses the traditional DES version +of crypt(), a password level of 8 will result in case insensitive passwords as seen from Windows users. This will also result in longer -login times as Samba hash to compute the permutations of the password string and +login times as Samba has to compute the permutations of the password string and try them one by one until a match is located (or all combinations fail). @@ -235,7 +235,7 @@ This method involves the additions of the following parameters in the &smb.conf; There are two ways of identifying whether or not a username and password pair was valid or not. One uses the reply information provided as part of the authentication messaging process, the other uses -just and error code. +just an error code. 
@@ -304,8 +304,8 @@ MS Windows NT security domain. This is done as follows: Use of this mode of authentication does require there to be a standard Unix account for the user in order to assign a uid once the account has been authenticated by -the remote Windows DC. This account can be blocked to prevent logons by other than -MS Windows clients by things such as setting an invalid shell in the +the remote Windows DC. This account can be blocked to prevent logons by clients other than +MS Windows through things such as setting an invalid shell in the /etc/passwd entry. -- cgit From f1e92738b2464d4833e1d41f0d82aef2dd071583 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Fri, 25 Apr 2003 01:37:39 +0000 Subject: When calling cli_samr_enum_{dom,als}_groups in a while loop, the terminating condition should be result != STATUS_MORE_ENTRIES, not result == NT_STATUS_OK otherwise we get stuck in an infinite loop when there's any sign of trouble. (This used to be commit 2266d281a4bb0a034461ba3e72513609f86e9a38) --- source3/utils/net_rpc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c index 9ae50aaf0d..cf57004a81 100644 --- a/source3/utils/net_rpc.c +++ b/source3/utils/net_rpc.c @@ -977,7 +977,7 @@ rpc_group_list_internals(const DOM_SID *domain_sid, struct cli_state *cli, else printf("%-21.21s\n", groups[i].acct_name); } - } while (!NT_STATUS_IS_OK(result)); + } while (NT_STATUS_V(result) == NT_STATUS_V(STATUS_MORE_ENTRIES)); /* query domain aliases */ do { result = cli_samr_enum_als_groups(cli, mem_ctx, &domain_pol, @@ -992,7 +992,7 @@ rpc_group_list_internals(const DOM_SID *domain_sid, struct cli_state *cli, else printf("%-21.21s\n", groups[i].acct_name); } - } while (!NT_STATUS_IS_OK(result)); + } while (NT_STATUS_V(result) == NT_STATUS_V(STATUS_MORE_ENTRIES)); cli_samr_close(cli, mem_ctx, &domain_pol); /* Get builtin policy handle */ -- cgit 
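Review bot: the corrected line in the passdb.sgml @@ -566 hunk still carries two of the typos the commit set out to fix: `+like users accounts. However, it's up to you to store thoses accounts` followed by `in a different tree of you LDAP namespace` should read "store those accounts in a different tree of your LDAP namespace"; "Machines accounts" and "users accounts" in the same paragraph would read better as "machine accounts" and "user accounts".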
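Review bot: in the security_level.sgml @@ -203 hunk the rewrite drops the conditional, so `+appear is a password. Note that the server OS uses the traditional DES version` and `+of crypt(), a password level of 8 will result in case` no longer parse as one sentence; suggest "Note that if the server OS uses the traditional DES version of crypt(), a password level of 8 will result in case-insensitive passwords", and "appear is a password" on the same line should be "appear in a password".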
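Review bot: in the net_rpc.c @@ -977 hunk the loop now ends on any status other than STATUS_MORE_ENTRIES, but control then falls straight into `/* query domain aliases */` without testing whether `result` is an error, so a failed group enumeration is neither reported nor stops the alias enumeration that follows; add `if (!NT_STATUS_IS_OK(result)) goto done;` after the loop (the function's done: label returns result, as the follow-up commit 91f650fb on this page shows).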
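Review bot: the @@ -992 hunk has the same gap: after `} while (NT_STATUS_V(result) == NT_STATUS_V(STATUS_MORE_ENTRIES));` the code continues with `cli_samr_close(cli, mem_ctx, &domain_pol);` and the builtin policy lookup even when the alias enumeration failed; test result and jump to done: before going on, otherwise the caller only ever sees the status of the last enumeration performed.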
From cc5121f9e53bc2803b61aea873e8e65f971b1e51 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Fri, 25 Apr 2003 01:52:52 +0000 Subject: Minor cleanup of enum domain groups/aliases: - return NT_STATUS_NO_MEMORY instead of NT_STATUS_UNSUCESSFUL if a talloc fails - don't try and tallocate memory when the number of entries returned was zero - rename some cut&pasted variable names in enum domain aliases function (This used to be commit cb94b2b2d141c3df1209b2b389b0cd6752ac2b6b) --- source3/rpc_client/cli_samr.c | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/source3/rpc_client/cli_samr.c b/source3/rpc_client/cli_samr.c index fa4c662e04..767c6a12b2 100644 --- a/source3/rpc_client/cli_samr.c +++ b/source3/rpc_client/cli_samr.c @@ -677,13 +677,16 @@ NTSTATUS cli_samr_enum_dom_groups(struct cli_state *cli, TALLOC_CTX *mem_ctx, *num_dom_groups = r.num_entries2; + if (*num_dom_groups == 0) + goto done; + if (!((*dom_groups) = (struct acct_info *) talloc(mem_ctx, sizeof(struct acct_info) * *num_dom_groups))) { - result = NT_STATUS_UNSUCCESSFUL; + result = NT_STATUS_NO_MEMORY; goto done; } - memset(*dom_groups, 0, sizeof(struct acct_info) * *num_dom_groups); + memset(*dom_groups, 0, sizeof(struct acct_info) * (*num_dom_groups)); name_idx = 0; @@ -712,8 +715,8 @@ NTSTATUS cli_samr_enum_dom_groups(struct cli_state *cli, TALLOC_CTX *mem_ctx, NTSTATUS cli_samr_enum_als_groups(struct cli_state *cli, TALLOC_CTX *mem_ctx, POLICY_HND *pol, uint32 *start_idx, - uint32 size, struct acct_info **dom_groups, - uint32 *num_dom_groups) + uint32 size, struct acct_info **dom_aliases, + uint32 *num_dom_aliases) { prs_struct qbuf, rbuf; SAMR_Q_ENUM_DOM_ALIASES q; 
@@ -753,24 +756,27 @@ NTSTATUS cli_samr_enum_als_groups(struct cli_state *cli, TALLOC_CTX *mem_ctx, goto done; } - *num_dom_groups = r.num_entries2; + *num_dom_aliases = r.num_entries2; - if (!((*dom_groups) = (struct acct_info *) - talloc(mem_ctx, sizeof(struct acct_info) * *num_dom_groups))) { - result = NT_STATUS_UNSUCCESSFUL; + if (*num_dom_aliases == 0) + goto done; + + if (!((*dom_aliases) = (struct acct_info *) + talloc(mem_ctx, sizeof(struct acct_info) * *num_dom_aliases))) { + result = NT_STATUS_NO_MEMORY; goto done; } - memset(*dom_groups, 0, sizeof(struct acct_info) * *num_dom_groups); + memset(*dom_aliases, 0, sizeof(struct acct_info) * *num_dom_aliases); name_idx = 0; - for (i = 0; i < *num_dom_groups; i++) { + for (i = 0; i < *num_dom_aliases; i++) { - (*dom_groups)[i].rid = r.sam[i].rid; + (*dom_aliases)[i].rid = r.sam[i].rid; if (r.sam[i].hdr_name.buffer) { - unistr2_to_ascii((*dom_groups)[i].acct_name, + unistr2_to_ascii((*dom_aliases)[i].acct_name, &r.uni_grp_name[name_idx], sizeof(fstring) - 1); name_idx++; -- cgit From e4e1bface82ca48834d6dd4a13bd8d429a5534a1 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 25 Apr 2003 02:26:53 +0000 Subject: fix and if () that should be an 'else if()' (This used to be commit b110c499fa2a483ee82dc471aff8b6d93f6a88cc) --- source3/utils/net_groupmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/utils/net_groupmap.c b/source3/utils/net_groupmap.c index aaefda2e5c..f4cd8c13a6 100644 --- a/source3/utils/net_groupmap.c +++ b/source3/utils/net_groupmap.c @@ -453,7 +453,7 @@ int net_groupmap_delete(int argc, const char **argv) return -1; } } - if ( !StrnCaseCmp(argv[i], "sid", strlen("sid")) ) { + else if ( !StrnCaseCmp(argv[i], "sid", strlen("sid")) ) { fstrcpy( sid_string, get_string_param( argv[i] ) ); if ( !sid_string[0] ) { d_printf("must supply a SID\n"); -- cgit From 91f650fb5b5da01ead960c1709f7545cf6a3feb4 Mon Sep 17 00:00:00 2001 
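Review bot: the new early exit `+ if (*num_dom_groups == 0)` / `+ goto done;` in the cli_samr.c @@ -677 hunk leaves `*dom_groups` unassigned, so a caller that tests the pointer rather than the count reads whatever was there before; set `*dom_groups = NULL` before the jump. The count itself is `r.num_entries2` taken from the server's reply and it feeds `sizeof(struct acct_info) * *num_dom_groups` unchecked; bounding it, or checking it against the number of entries actually unmarshalled, keeps a hostile or buggy server from driving an oversized allocation or a wrapped multiplication.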
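Review bot: the @@ -753 hunk for cli_samr_enum_als_groups has the same two gaps: `*dom_aliases` is not set to NULL before `+ goto done;` when `*num_dom_aliases == 0`, and `r.num_entries2` is trusted unchecked before the talloc size multiplication. Separately, the memset here keeps `* *num_dom_aliases` while the groups version was changed to `* (*num_dom_groups)`; pick one form for both functions.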
From: Tim Potter Date: Fri, 25 Apr 2003 03:53:20 +0000 Subject: Missed another condition on a while loop. (This used to be commit 8ff52aec87a2770c5d7de50786307d246b4be6af) --- source3/utils/net_rpc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c index cf57004a81..e3e79b0e6c 100644 --- a/source3/utils/net_rpc.c +++ b/source3/utils/net_rpc.c @@ -1016,7 +1016,7 @@ rpc_group_list_internals(const DOM_SID *domain_sid, struct cli_state *cli, else printf("%s\n", groups[i].acct_name); } - } while (!NT_STATUS_IS_OK(result)); + } while (NT_STATUS_V(result) == NT_STATUS_V(STATUS_MORE_ENTRIES)); done: return result; -- cgit From 803f2570325df38220cfc6b54dabaa2758b4fe75 Mon Sep 17 00:00:00 2001 From: Richard Sharpe Date: Fri, 25 Apr 2003 03:59:05 +0000 Subject: Keep coding this boring stuff to lay out security descriptors ... (This used to be commit 6cf0ee44caa182057eed09e7f646ef20eb059b17) --- source3/utils/editreg.c | 79 +++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 77 insertions(+), 2 deletions(-) diff --git a/source3/utils/editreg.c b/source3/utils/editreg.c index 222be2da05..273707114f 100644 --- a/source3/utils/editreg.c +++ b/source3/utils/editreg.c 
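Review bot: with the @@ -1016 hunk the third loop falls directly into `done: return result;`, so a failure status from this enumeration now reaches the caller; the two loops fixed in f1e92738 earlier in the same function do not reach done: on failure, so adding the same jump after them would make all three enumerations behave alike.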
@@ -2653,13 +2653,85 @@ unsigned int sec_desc_size(SEC_DESC *sd) return size; } +int nt_store_SID(REGF *regf, DOM_SID *sid, char *locn) +{ + + return 0; + +} + +int nt_store_acl(REGF *regf, ACL *acl, char *locn) +{ + + return 0; +} + /* * Flatten and store the Sec Desc + * Windows lays out the DACL first, but since there is no SACL, it might be + * that first, then the owner, then the group SID. So, we do it that way + * too. */ unsigned int nt_store_sec_desc(REGF *regf, SEC_DESC *sd, char *locn) { + REG_SEC_DESC *rsd = (REG_SEC_DESC *)locn; + unsigned int size = 0, off = 0; - return 0; + if (!regf || !sd || !locn) return 0; + + /* + * Now, fill in the first two fields, then lay out the various fields + * as needed + */ + + rsd->rev = 0x01; + /* Self relative, DACL pres, owner and group not defaulted */ + rsd->type = 0x8004; + + off = 4 * sizeof(DWORD) + 4; + + if (sd->sacl){ + size = nt_store_acl(regf, sd->sacl, (char *)(locn + off)); + rsd->sacl_off = off; + } + else + rsd->sacl_off = 0; + + off += size; + + if (sd->dacl) { + rsd->dacl_off = off; + size = nt_store_acl(regf, sd->dacl, (char *)(locn + off)); + } + else { + rsd->dacl_off = 0; + } + + off += size; + + /* Now the owner and group SIDs */ + + if (sd->owner) { + rsd->owner_off = off; + size = nt_store_SID(regf, sd->owner, (char *)(locn + off)); + } + else { + rsd->owner_off = 0; + } + + off += size; + + if (sd->group) { + rsd->group_off = off; + size = nt_store_SID(regf, sd->group, (char *)(locn + off)); + } + else { + rsd->group_off = 0; + } + + off += size; + + return size; } /* @@ -2706,7 +2778,10 @@ unsigned int nt_store_security(REGF *regf, KEY_SEC_DESC *sec) /* Now, lay out the sec_desc */ - return 0; + if (!nt_store_sec_desc(regf, sec->sec_desc, (char *)&sk_hdr->sec_desc)) + return 0; + + return sk_off; } -- cgit From 7aa3d6c2ad2ce7ba5dd76ccd03fdf90da672ed93 Mon Sep 17 00:00:00 2001 
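Review bot: in nt_store_sec_desc (editreg.c @@ -2653) `size` is assigned only inside the if branches, so when a component is absent the else branch keeps the previous component's size and `off += size;` counts it a second time, shifting every later offset (a descriptor with a SACL but no DACL places the owner SID one SACL-length too far); reset size to 0 in each else branch. The function also ends with `+ return size;`, the size of the last item stored rather than the total laid out, while nt_store_security needs the total (return `off` or accumulate it). Finally `+ rsd->type = 0x8004;` hard-codes "DACL present" (per the comment) even when sd->dacl is NULL and never sets a SACL-present bit when a SACL was written; build the type field from the components actually stored.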
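Review bot: `+ if (!nt_store_sec_desc(regf, sec->sec_desc, (char *)&sk_hdr->sec_desc))` in the @@ -2706 hunk treats a zero return as failure, but in this commit nt_store_SID and nt_store_acl are stubs that `return 0;`, so nt_store_sec_desc's final size is 0 and nt_store_security now always returns 0; a FIXME next to the stubs would stop this being mistaken for a real failure once testing starts.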
From: John Terpstra Date: Fri, 25 Apr 2003 04:36:08 +0000 Subject: Fixing typos. (This used to be commit fe13a878d50f325482c6d626ed5dd6e399e4b853) --- docs/docbook/projdoc/Samba-BDC-HOWTO.sgml | 12 ++++---- docs/docbook/projdoc/ServerType.sgml | 2 +- docs/docbook/projdoc/UNIX_INSTALL.sgml | 4 +-- docs/docbook/projdoc/passdb.sgml | 8 ++--- docs/docbook/projdoc/samba-doc.sgml | 6 ++-- docs/docbook/projdoc/securing-samba.sgml | 49 ++++++++++++++++++++++++------- 6 files changed, 54 insertions(+), 27 deletions(-) diff --git a/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml index 8dbc007e4f..2f3b568471 100644 --- a/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-BDC-HOWTO.sgml @@ -57,9 +57,9 @@ parameters in the [global]-section of the smb.conf have to be set: -workgroup = SAMBA -domain master = yes -domain logons = yes + workgroup = SAMBA + domain master = yes + domain logons = yes @@ -201,9 +201,9 @@ by setting -workgroup = samba -domain master = no -domain logons = yes + workgroup = samba + domain master = no + domain logons = yes diff --git a/docs/docbook/projdoc/ServerType.sgml b/docs/docbook/projdoc/ServerType.sgml index b38a9c097d..7229a50201 100644 --- a/docs/docbook/projdoc/ServerType.sgml +++ b/docs/docbook/projdoc/ServerType.sgml @@ -85,7 +85,7 @@ LDAP (from OpenLDAP), or Sun's iPlanet, of NetWare Directory Server, etc. Please refer to the section on Howto configure Samba as a Primary Domain Controller and for more information regarding how to create a domain machine account for a -domain member server as well as for information regading how to enable the samba +domain member server as well as for information regarding how to enable the samba domain member machine to join the domain and to be fully trusted by it. diff --git a/docs/docbook/projdoc/UNIX_INSTALL.sgml b/docs/docbook/projdoc/UNIX_INSTALL.sgml index 1019e524f7..3ad83c1f9d 100644 --- a/docs/docbook/projdoc/UNIX_INSTALL.sgml 
+++ b/docs/docbook/projdoc/UNIX_INSTALL.sgml @@ -88,13 +88,13 @@ SWAT is a web-based interface that helps you configure samba. SWAT might not be available in the samba package on your platform, - but in a seperate package. Please read the swat manpage + but in a separate package. Please read the swat manpage on compiling, installing and configuring swat from source. To launch SWAT just run your favorite web browser and point it at "http://localhost:901/". Replace localhost with the name of the computer you are running samba on if you - are running samba on a different computer then your browser. + are running samba on a different computer than your browser. Note that you can attach to SWAT from any IP connected machine but connecting from a remote machine leaves your diff --git a/docs/docbook/projdoc/passdb.sgml b/docs/docbook/projdoc/passdb.sgml index 6f256daddd..523a34603d 100644 --- a/docs/docbook/projdoc/passdb.sgml +++ b/docs/docbook/projdoc/passdb.sgml @@ -238,8 +238,8 @@ data is stored at all. TDB Samba can also store the user data in a "TDB" (Trivial Database). Using this backend -doesn't require any additional configuration. This backend is recommended for new installations who -don't require LDAP. +doesn't require any additional configuration. This backend is recommended for new installations that +don not require LDAP. @@ -284,7 +284,7 @@ Two additional Samba resources which may prove to be helpful are -Introduction +Encrypted Password Database Traditionally, when configuring "encrypt @@ -327,7 +327,7 @@ API, and is still so named in the CVS trees). -There are a few points to stress about what the ldapsam +There are a few points to stress about that the ldapsam does not provide. The LDAP support referred to in the this documentation does not include: diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml index 3b5d054cad..a729caf99f 100644 --- a/docs/docbook/projdoc/samba-doc.sgml +++ b/docs/docbook/projdoc/samba-doc.sgml 
@@ -19,7 +19,7 @@ This book is a collection of HOWTOs added to Samba documentation over the years. -Samba is always under development, and so is it's documentation. This release of the +Samba is always under development, and so is its' documentation. This release of the documentation represents a major revision or layout as well as contents. The most recent version of this document can be found at http://www.samba.org/ @@ -35,8 +35,8 @@ or without their knowledge contributed to this update. The size and scope of thi project would not have been possible without significant community contribution. A not insignificant number of ideas for inclusion (if not content itself) has been obtained from a number of Unofficial HOWTOs - to each such author a big "Thank-you" is also offered. -Please keep publishing you Unofficial HOWTO's - they are a source of inspiration and -application knowledge that is most to be desired by may Samba users and administrators. +Please keep publishing your Unofficial HOWTO's - they are a source of inspiration and +application knowledge that is most to be desired by many Samba users and administrators. diff --git a/docs/docbook/projdoc/securing-samba.sgml b/docs/docbook/projdoc/securing-samba.sgml index e9e8c4f9f8..eedc7ba725 100644 --- a/docs/docbook/projdoc/securing-samba.sgml +++ b/docs/docbook/projdoc/securing-samba.sgml @@ -2,6 +2,7 @@ &author.tridge; + &author.jht; 17 March 2003 @@ -36,8 +37,8 @@ might be: - hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24 - hosts deny = 0.0.0.0/0 + hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24 + hosts deny = 0.0.0.0/0 @@ -66,8 +67,8 @@ You can change this behaviour using options like the following: - interfaces = eth* lo - bind interfaces only = yes + interfaces = eth* lo + bind interfaces only = yes 
@@ -105,10 +106,10 @@ UDP ports to allow and block. Samba uses the following: -UDP/137 - used by nmbd -UDP/138 - used by nmbd -TCP/139 - used by smbd -TCP/445 - used by smbd + UDP/137 - used by nmbd + UDP/138 - used by nmbd + TCP/139 - used by smbd + TCP/445 - used by smbd @@ -135,9 +136,9 @@ To do that you could use: - [ipc$] - hosts allow = 192.168.115.0/24 127.0.0.1 - hosts deny = 0.0.0.0/0 + [ipc$] + hosts allow = 192.168.115.0/24 127.0.0.1 + hosts deny = 0.0.0.0/0 @@ -163,6 +164,32 @@ methods listed above for some reason. + +NTLMv2 Security + + +To configure NTLMv2 authentication the following registry keys are worth knowing about: + + + + + [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] + "lmcompatibilitylevel"=dword:00000003 + + 0x3 - Send NTLMv2 response only. Clients will use NTLMv2 authentication, + use NTLMv2 session security if the server supports it. Domain + controllers accept LM, NTLM and NTLMv2 authentication. + + [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0] + "NtlmMinClientSec"=dword:00080000 + + 0x80000 - NTLMv2 session security. If either NtlmMinClientSec or + NtlmMinServerSec is set to 0x80000, the connection will fail if NTLMv2 + session security is not negotiated. + + + + Upgrading Samba -- cgit From 7aa665f2b29ecb4bcd9367a71eeca4944d3a8faf Mon Sep 17 00:00:00 2001 From: Richard Sharpe Date: Fri, 25 Apr 2003 06:43:28 +0000 Subject: More code to store ACEs and SIDs. I have almost enough to start testing the writing of a registry tree, since I can store the header, and the first key (NK_REC) and the SD associated with that key, the SK_REC. (This used to be commit abced0ed9eec7b8467065892c56cef9b86cff947) --- source3/utils/editreg.c | 84 ++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 80 insertions(+), 4 deletions(-) diff --git a/source3/utils/editreg.c b/source3/utils/editreg.c index 273707114f..a367c92d32 100644 --- a/source3/utils/editreg.c +++ b/source3/utils/editreg.c 
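Review bot: the passdb.sgml @@ -238 hunk trades one typo for another: `+don not require LDAP.` should read "that do not require LDAP.".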
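Review bot: in the passdb.sgml @@ -327 hunk the original wording was correct and the replacement is not: `+There are a few points to stress about that the ldapsam` does not parse, whereas "There are a few points to stress about what the ldapsam does not provide" did; revert that line.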
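Review bot: in the samba-doc.sgml @@ -19 hunk `+Samba is always under development, and so is its' documentation.` replaces "it's" with "its'", which is still wrong; the possessive is "its" with no apostrophe.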
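Review bot: the new NTLMv2 section (securing-samba.sgml @@ -163) describes client behaviour only and says so itself: at lmcompatibilitylevel 0x3 clients send NTLMv2 while "Domain controllers accept LM, NTLM and NTLMv2 authentication", so the keys as given do not stop a server from accepting the weaker LM and NTLM responses; the text should state plainly that these values harden what the Windows client sends, not what is accepted, and the section gives no corresponding Samba-side guidance at all. It would also help to point out, using the hunk's own explanation, that setting NtlmMinClientSec or NtlmMinServerSec to 0x80000 makes a connection fail rather than fall back when NTLMv2 session security is not negotiated, so readers understand the interoperability impact before deploying it.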
@@ -2653,17 +2653,93 @@ unsigned int sec_desc_size(SEC_DESC *sd) return size; } -int nt_store_SID(REGF *regf, DOM_SID *sid, char *locn) +/* + * Store a SID at the location provided + */ + +int nt_store_SID(REGF *regf, DOM_SID *sid, unsigned char *locn) { + int i; + unsigned char *p = locn; - return 0; + if (!regf || !sid || !locn) return 0; + + *p = sid->ver; p++; + *p = sid->auths; p++; + + for (i=0; i < 6; i++) { + *p = sid->auth[i]; p++; + } + + for (i=0; i < sid->auths; i++) { + SIVAL(p, sid->sub_auths[i]); p+=4; + } + + return p - locn; } -int nt_store_acl(REGF *regf, ACL *acl, char *locn) +int nt_store_ace(REGF *regf, ACE *ace, unsigned char *locn) { + int size = 0; + REG_ACE *reg_ace = (REG_ACE *)locn; + unsigned char *p; - return 0; + if (!regf || !ace || !locn) return 0; + + reg_ace->type = ace->type; + reg_ace->flags = ace->flags; + + /* Deal with the length when we have stored the SID */ + + p = (unsigned char *)®_ace->perms; + + SIVAL(p, ace->perms); p += 4; + + size = nt_store_SID(regf, ace->trustee, p); + + size += 8; /* Size of the fixed header */ + + p = (unsigned char *)®_ace->length; + + SSVAL(p, size); + + return size; +} + +/* + * Store an ACL at the location provided + */ + +int nt_store_acl(REGF *regf, ACL *acl, unsigned char *locn) +{ + int size = 0, i; + unsigned char *p = locn, *s; + + if (!regf || !acl || !locn) return 0; + + /* + * Now store the header and then the ACEs ... + */ + + SSVAL(p, acl->rev); + + p += 2; s = p; /* Save this for the size field */ + + p += 2; + + SIVAL(p, acl->num_aces); + + p += 4; + + for (i = 0; i < acl->num_aces; i++) { + size = nt_store_ace(regf, acl->aces[i], p); + p += size; + } + + size = s - locn; + SSVAL(s, size); + return size; } /* -- cgit From 11b96ef57485a15ec72e1d890ce6ba01b2089464 Mon Sep 17 00:00:00 2001 
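Review bot: nt_store_acl in this hunk computes `+ size = s - locn;` where s points at the ACL's own size field, so the value is always 2; both the stored size and the return value should be `p - locn`, the number of bytes actually written, otherwise the offsets nt_store_sec_desc derives from it are wrong. Two further points: SIVAL and SSVAL are called with two arguments throughout (`+ SIVAL(p, sid->sub_auths[i]); p+=4;`, `+ SSVAL(s, size);`) whereas Samba's byteorder macros take three (buf, pos, val), so this will not compile as written; and the sub-authority loop in nt_store_SID trusts `sid->auths` without bounding it against the size of the sub_auths array, so a malformed SID in the tree being written would read past it.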
From: Richard Sharpe Date: Fri, 25 Apr 2003 07:04:32 +0000 Subject: Finish laying out the SD, and now back to finishing off NK records ... (This used to be commit 74c8f616c33b08d94a15e1ba8219063b190fe5f2) --- source3/utils/editreg.c | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/source3/utils/editreg.c b/source3/utils/editreg.c index a367c92d32..641c7070ad 100644 --- a/source3/utils/editreg.c +++ b/source3/utils/editreg.c @@ -2861,6 +2861,16 @@ unsigned int nt_store_security(REGF *regf, KEY_SEC_DESC *sec) } +/* + * Store a VAL LIST + */ + +int nt_store_val_list(REGF *regf, VAL_LIST * values) +{ + + return 0; +} + /* * Store a KEY in the file ... * @@ -2871,6 +2881,7 @@ unsigned int nt_store_security(REGF *regf, KEY_SEC_DESC *sec) * recurse down the LF structures ... * * We return the offset of the NK struct + * FIXME, FIXME, FIXME: Convert to using SIVAL and SSVAL ... */ int nt_store_reg_key(REGF *regf, REG_KEY *key) { @@ -2908,11 +2919,19 @@ int nt_store_reg_key(REGF *regf, REG_KEY *key) */ sk_off = nt_store_security(regf, key->security); + nk_hdr->sk_off = sk_off; /* * Then, store the val list and store its offset */ - + if (key->values) { + nk_hdr->val_cnt = key->values->val_count; + nk_hdr->val_off = nt_store_val_list(regf, key->values); + } + else { + nk_hdr->val_off = -1; + nk_hdr->val_cnt = 0; + } /* * Finally, store the subkeys, and their offsets -- cgit From 23836e62fcb801348ba6aab6d3bbdcd88228ec27 Mon Sep 17 00:00:00 2001 
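Review bot: in the @@ -2908 hunk `+ nk_hdr->sk_off = sk_off;` stores nt_store_security's return without checking it although that function returns 0 on failure (see the earlier editreg.c commits on this page), and `+ nk_hdr->val_off = nt_store_val_list(regf, key->values);` stores the stub's 0 while the no-values branch writes `+ nk_hdr->val_off = -1;`, so "values present but store failed" and "no values" use different sentinels and neither is checked; agree on one sentinel, test for it, and propagate the failure instead of writing a bogus offset into the key header.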
From: Volker Lendecke Date: Fri, 25 Apr 2003 12:42:57 +0000 Subject: As nobody really objected to this patch, I opted to create facts :-) This uses 'socket address' as the source address for nmbd. This way we can again synchronize with the DMB if we have 'bind interfaces only' to a virtual interface. I'd love to see this in 2.2.9, but that is up to jerry or jra. Volker (This used to be commit 5e305e425592ede977880a347b2ed811d6376f75) --- source3/nmbd/nmbd.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/source3/nmbd/nmbd.c b/source3/nmbd/nmbd.c index f87ab97798..eec447688f 100644 --- a/source3/nmbd/nmbd.c +++ b/source3/nmbd/nmbd.c @@ -547,7 +547,9 @@ static BOOL open_sockets(BOOL isdaemon, int port) */ if ( isdaemon ) - ClientNMB = open_socket_in(SOCK_DGRAM, port,0,0,True); + ClientNMB = open_socket_in(SOCK_DGRAM, port, + interpret_addr(lp_socket_address()), + 0,True); else ClientNMB = 0; -- cgit From 26724fa2b08bc3aab43cd357df38c2a04363ef98 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Fri, 25 Apr 2003 14:26:08 +0000 Subject: Update from Rick Segeberg (This used to be commit af4fa1aea6bc69d56da88c83968561f0fac1f3a4) --- docs/docbook/projdoc/DOMAIN_MEMBER.sgml | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml index 9470688089..335e5cc7db 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml 
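Review bot: `+ interpret_addr(lp_socket_address()),` replaces the literal 0 (bind to any address) with whatever interpret_addr returns, and that value is not checked; if 'socket address' is unset or does not resolve, nmbd silently binds to the returned value, and a wrong bind here would reproduce the DMB synchronisation problem the change is meant to fix. Consider logging the resolved address at startup and warning when the parameter does not resolve, so the behaviour is visible to the administrator.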
@@ -12,15 +12,18 @@ Joining an NT Domain with Samba 3.0 + + + + "Assumptions:" + NetBIOS name: SERV1 + Win2K/NT domain name: DOM + Domain's PDC NetBIOS name: DOMPDC + Domain's BDC NetBIOS names: DOMBDC1 and DOMBDC2 + + - Assume you have a Samba 3.0 server with a NetBIOS name of - SERV1 and are joining a Win2k or NT domain called - DOM, which has a PDC with a NetBIOS name - of DOMPDC and two backup domain controllers - with NetBIOS names DOMBDC1 and DOMBDC2 - . - - Firstly, you must edit your &smb.conf; file to tell Samba it should + First, you must edit your &smb.conf; file to tell Samba it should now use domain security. Change (or add) your @@ -83,7 +86,7 @@ in your terminal window. See the net(8) man page for more details. - This process joins the server to thedomain + This process joins the server to the domain without having to create the machine trust account on the PDC beforehand. @@ -129,7 +132,7 @@ means Samba servers now participate in domain trust relationships in exactly the same way NT servers do (i.e., you can add Samba servers into a resource domain and have the authentication passed on from a resource - domain PDC to an account domain PDC. + domain PDC to an account domain PDC). In addition, with security = server every Samba daemon on a server has to keep a connection open to the -- cgit From dfdc9b19f8d0ad5cde6657db6b76b628f5cb9ce2 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Fri, 25 Apr 2003 15:49:02 +0000 Subject: Adding edits from Vance Lankhaar. (This used to be commit a7788bc3b9ae4aec48bf94ed446e6bc0668863bf) --- docs/docbook/projdoc/ADS-HOWTO.sgml | 40 ++++++++------- docs/docbook/projdoc/DOMAIN_MEMBER.sgml | 10 ++-- docs/docbook/projdoc/NetworkBrowsing.sgml | 2 +- docs/docbook/projdoc/Samba-PDC-HOWTO.sgml | 82 ++++++++++++++++++++++--------- docs/docbook/projdoc/security_level.sgml | 13 ++++- 5 files changed, 99 insertions(+), 48 deletions(-) 
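Review bot: the new assumptions list in the DOMAIN_MEMBER.sgml @@ -12 hunk wraps its heading in literal quotation marks (`+ "Assumptions:"`), which will render verbatim; drop the quotes. The removed paragraph also identified SERV1 as the Samba 3.0 server doing the joining, which the list no longer says; "Samba server NetBIOS name: SERV1" keeps that context.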
diff --git a/docs/docbook/projdoc/ADS-HOWTO.sgml b/docs/docbook/projdoc/ADS-HOWTO.sgml index c36f150112..1ee0ab1962 100644 --- a/docs/docbook/projdoc/ADS-HOWTO.sgml +++ b/docs/docbook/projdoc/ADS-HOWTO.sgml @@ -19,16 +19,16 @@ Windows2000 KDC. You must use at least the following 3 options in smb.conf: - realm = YOUR.KERBEROS.REALM - security = ADS - encrypt passwords = yes + realm = YOUR.KERBEROS.REALM + security = ADS + encrypt passwords = yes In case samba can't figure out your ads server using your realm name, use the ads server option in smb.conf: - ads server = your.kerberos.server + ads server = your.kerberos.server @@ -49,10 +49,10 @@ In case samba can't figure out your ads server using your realm name, use the The minimal configuration for krb5.conf is: -[realms] - YOUR.KERBEROS.REALM = { - kdc = your.kerberos.server - } + [realms] + YOUR.KERBEROS.REALM = { + kdc = your.kerberos.server + } Test your config by doing a kinit @@ -98,7 +98,9 @@ is only needed if you want kerberos support for &smbd; and &winbindd;. As a user that has write permission on the Samba private directory (usually root) run: -net ads join + + net join -U Administrator%password + @@ -106,16 +108,16 @@ As a user that has write permission on the Samba private directory -"ADS support not compiled in" -Samba must be reconfigured (remove config.cache) and recompiled -(make clean all install) after the kerberos libs and headers are installed. - - -net ads join prompts for user name -You need to login to the domain using kinit -USERNAME@REALM. -USERNAME must be a user who has rights to add a machine -to the domain. + "ADS support not compiled in" + Samba must be reconfigured (remove config.cache) and recompiled + (make clean all install) after the kerberos libs and headers are installed. + + + net join prompts for user name + You need to login to the domain using kinit + USERNAME@REALM. + USERNAME must be a user who has rights to add a machine + to the domain. 
diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml index 335e5cc7db..cd4168e446 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml @@ -69,9 +69,14 @@ In order to actually join the domain, you must run this command: - root# net rpc join -S DOMPDC + root# net join -S DOMPDC -UAdministrator%password + + If the -S DOMPDC argument is not given then + the domain name will be obtained from smb.conf. + + as we are joining the domain DOM and the PDC for that domain (the only machine that has write access to the domain SAM database) is DOMPDC. The Administrator%password is @@ -123,8 +128,7 @@ Please refer to the Winbind paper for information on a system to automatically assign UNIX uids and gids to Windows NT Domain users and groups. - This code is available in development branches only at the moment, - but will be moved to release branches soon. + The advantage to domain-level security is that the authentication in domain-level security is passed down the authenticated diff --git a/docs/docbook/projdoc/NetworkBrowsing.sgml b/docs/docbook/projdoc/NetworkBrowsing.sgml index e8d1b40710..29768ea42a 100644 --- a/docs/docbook/projdoc/NetworkBrowsing.sgml +++ b/docs/docbook/projdoc/NetworkBrowsing.sgml @@ -8,7 +8,7 @@ Samba / MS Windows Network Browsing Guide -This document contains detailed informataion as well as a fast track guide to +This document contains detailed information as well as a fast track guide to implementing browsing across subnets and / or across workgroups (or domains). WINS is the best tool for resolution of NetBIOS names to IP addesses. WINS is NOT involved in browse list handling except by way of name to address resolution. diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml index 7295a15875..be7a6d5201 100644 --- a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml 
@@ -169,6 +169,11 @@ Here is an example &smb.conf; for acting as a PDC: netbios name = POGO workgroup = NARNIA + ; User and Machine Account Backends + ; Choices are: tdbsam, tdbsam_nua, smbpasswd, smbpasswd_nua, ldapsam, ldapsam_nua, ... + ; mysqlsam, xmlsam, guest + passdb backend = ldapsam, guest + ; we should act as the domain and local master browser os level = 64 preferred master = yes @@ -209,6 +214,20 @@ Here is an example &smb.conf; for acting as a PDC: directory mask = 0700 + +The above parameters make for a full set of parameters that may define the server's mode +of operation. The following parameters are the essentials alone: + + + workgroup = NARNIA + domain logons = Yes + security = User + + +The additional parameters shown in the longer listing above just makes for a +more complete environment. + + There are a couple of points to emphasize in the above configuration. @@ -264,13 +283,13 @@ shared secret with the domain controller. A Windows PDC stores each machine trust account in the Windows Registry. A Samba-3 PDC also has to store machine trust account information -in a suitable back-end data store. With Samba-3 there can be multiple back-ends +in a suitable backend data store. With Samba-3 there can be multiple back-ends for this including: - smbpaswd - the plain ascii file stored used by + smbpasswd - the plain ascii file stored used by earlier versions of Samba. This file configuration option requires a Unix/Linux system account for EVERY entry (ie: both for user and for machine accounts). This file will be located in the private 
@@ -311,9 +330,16 @@ for this including: -Read the chapter about the User Database +Read the chapter about the User Database for details. + +The new tdbsam and ldapsam account backends store vastly more information than +smbpasswd is capable of. The new backend database includes capacity to specify +per user settings for many parameters, over-riding global settings given in the +smb.conf file. eg: logon drive, logon home, logon path, etc. + + A Samba PDC, however, stores each machine trust account in two parts, as follows: @@ -420,7 +446,7 @@ the corresponding Unix account. equivalent of creating a machine trust account on a Windows NT PDC using the "Server Manager". From the time at which the account is created to the time which the client joins the domain and changes the password, - your domain is vulnerable to an intruder joining your domain using a + your domain is vulnerable to an intruder joining your domain using a machine with the same NetBIOS name. A PDC inherently trusts members of the domain and will serve out a large degree of user information to such clients. You have been warned! 
@@ -469,20 +495,22 @@ version of Windows. Windows 2000 - When the user elects to join the client to a domain, Windows prompts for - an account and password that is privileged to join the domain. A - Samba administrative account (i.e., a Samba account that has root - privileges on the Samba server) must be entered here; the - operation will fail if an ordinary user account is given. - The password for this account should be - set to a different password than the associated - /etc/passwd entry, for security - reasons. - - The session key of the Samba administrative account acts as an + + When the user elects to join the client to a domain, Windows prompts for + an account and password that is privileged to join the domain. A Samba administrative + account (i.e., a Samba account that has root privileges on the Samba server) must be + entered here; the operation will fail if an ordinary user account is given. + The password for this account should be set to a different password than the associated + /etc/passwd entry, for security reasons. + + + + The session key of the Samba administrative account acts as an encryption key for setting the password of the machine trust account. The machine trust account will be created on-the-fly, or - updated if it already exists. + updated if it already exists. + + Windows NT @@ -522,11 +550,9 @@ systems?) won't create a user with a '$' in their name. -The problem is only in the program used to make the entry, once -made, it works perfectly. So create a user without the '$' and -use vipw to edit the entry, adding the '$'. Or create -the whole entry with vipw if you like, make sure you use a -unique User ID ! +The problem is only in the program used to make the entry. Once made, it works perfectly. +Create a user without the '$' using vipw to edit the entry, adding +the '$'. Or create the whole entry with vipw if you like, make sure you use a unique User ID! 
@@ -547,7 +573,7 @@ will remove all network drive connections: -Further, if the machine is a already a 'member of a workgroup' that +Further, if the machine is already a 'member of a workgroup' that is the same name as the domain you are joining (bad idea) you will get this message. Change the workgroup name to something else, it does not matter what, reboot, and try again. @@ -569,8 +595,18 @@ is changed. The most common cause of a change in domain SID is when the domain name and/or the server name (netbios name) is changed. The only way to correct the problem is to restore the original domain SID or remove the domain client from the domain and rejoin. The domain -SID may be reset using either the smbpasswd or rpcclient utilities. +SID may be reset using either the net or rpcclient utilities. + + + +The reset or change the domain SID you can use the net command as follows: + + + net getlocalsid 'OLDNAME' + net setlocalsid 'SID' + + diff --git a/docs/docbook/projdoc/security_level.sgml b/docs/docbook/projdoc/security_level.sgml index e840ff6c17..a59392bbac 100644 --- a/docs/docbook/projdoc/security_level.sgml +++ b/docs/docbook/projdoc/security_level.sgml @@ -128,6 +128,13 @@ That real authentication server can be another Samba server or can be a Windows NT server, the later natively capable of encrypted password support. + +Server level security is incompatible with what is known +as schannel or "sign and seal" protocols. This means that +if you want to use server level security you must disable +the use of "sign and seal" on all machines on your network. + + Configuring Samba for Seemless Windows Network Integration @@ -270,7 +277,7 @@ all authentication requests to be passed through to the domain controllers. Samba as a member of an MS Windows NT security domain -This method involves additon of the following paramters in the &smb.conf; file: +This method involves addition of the following parameters in the &smb.conf; file: 
@@ -297,7 +304,9 @@ MS Windows NT security domain. This is done as follows: Next, on the Linux system execute: - smbpasswd -r PDC_NAME -j DOMAIN_NAME + smbpasswd -r PDC_NAME -j DOMAIN_NAME (samba 2.x) + + net join -U administrator%password (samba-3) -- cgit From 0f5feb2105f2d3ffd0d7f1f74ec24257358b2e2c Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Fri, 25 Apr 2003 15:59:42 +0000 Subject: Update from Rick Segeberg (This used to be commit 2310cee6abf66bf52b2c90fed4c7db7412153e10) --- docs/docbook/projdoc/Diagnosis.sgml | 46 ++++++++++++++++++++++++++++++------- 1 file changed, 38 insertions(+), 8 deletions(-) diff --git a/docs/docbook/projdoc/Diagnosis.sgml b/docs/docbook/projdoc/Diagnosis.sgml index 9ab95dad86..1ca15d189a 100644 --- a/docs/docbook/projdoc/Diagnosis.sgml +++ b/docs/docbook/projdoc/Diagnosis.sgml @@ -20,13 +20,15 @@ then it is probably working fine. You should do ALL the tests, in the order shown. We have tried to carefully choose them so later tests only use capabilities verified in -the earlier tests. +the earlier tests. However, do not stop at the first error as there +have been some instances when continuing with the tests has helped +to solve a problem. If you send one of the samba mailing lists an email saying "it doesn't work" and you have not followed this test procedure then you should not be surprised -your email is ignored. +if your email is ignored. @@ -46,7 +48,7 @@ The procedure is similar for other types of clients. It is also assumed you know the name of an available share in your &smb.conf;. I will assume this share is called tmp. -You can add a tmp share like by adding the +You can add a tmp share like this by adding the following to &smb.conf;: 
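Review bot: In the Samba-PDC-HOWTO.sgml hunk at @@ -522,11 +550,9 @@ the rewrite drops a step: `Create a user without the '$' using vipw to edit the entry, adding the '$'` now reads as if vipw creates the account, whereas the removed text said to create the user first and then use vipw to add the '$'. Suggest: `Create a user without the '$', then use vipw to edit the entry, adding the '$'.`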
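Review bot: The security_level.sgml hunk at @@ -128,6 +135,13 @@ tells readers to disable "sign and seal" on every machine on the network without saying what that costs: schannel/SMB signing is what protects the client-server session from tampering, so switching it off network-wide in order to keep server-level security is a real downgrade, and the paragraph should say so and point at domain-level security (the pass-through-to-domain-controllers setup described later in the same file) as the alternative that keeps signing. In the unchanged context just above, "the later natively capable" should be "the latter", and the section title "Seemless" should be "Seamless".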
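Review bot: The Samba-PDC-HOWTO.sgml hunk at @@ -569,8 +595,18 @@ has a typo in its lead-in, `The reset or change the domain SID you can use the net command as follows:` should read "To reset or change ...", and the example `net getlocalsid 'OLDNAME'` / `net setlocalsid 'SID'` never says that the quoted SID is the value printed by the first command (or the original domain SID being restored); state that, and mark both arguments as placeholders.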
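Review bot: In the security_level.sgml hunk at @@ -297,7 +304,9 @@ the Samba-3 example `net join -U administrator%password (samba-3)` puts the domain administrator password on the command line, where every local user can read it from the process list and where it lands in the shell history; document it as `net join -U administrator` and let net prompt for the password.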
@@ -61,12 +63,13 @@ following to &smb.conf;: -These tests assume version 3.0 or later of the samba suite. Some commands shown did not exist in earlier versions. +These tests assume version 3.0 or later of the samba suite. +Some commands shown did not exist in earlier versions. Please pay attention to the error messages you receive. If any error message -reports that your server is being unfriendly you should first check that you +reports that your server is being unfriendly you should first check that your IP name resolution is correctly set up. eg: Make sure your /etc/resolv.conf file points to name servers that really do exist. @@ -77,6 +80,21 @@ that the settings for your &smb.conf; file results in dns proxy = notestparm smb.conf. + +It is helpful to monitor the log files during testing by using the +tail -F log_file_name in a separate +terminal console (use ctrl-alt-F1 through F6 or multiple terminals in X). +Relevant log files can be found (for default installations) in +/usr/local/samba/var. Also, connection logs from +machines can be found here or possibly in /var/log/samba +depending on how or if you specified logging in your &smb.conf; file. + + + +If you make changes to your &smb.conf; file while going through these test, +don't forget to restart &smbd; and &nmbd;. + + @@ -124,6 +142,11 @@ software. You will need to relax the rules to let in the workstation in question, perhaps by allowing access from another subnet (on Linux this is done via the ipfwadm program.) + + +Note: Modern Linux distributions install ipchains/iptables by default. +This is a common problem that is often overlooked. + 
@@ -149,6 +172,13 @@ it is running, and check that the netbios-ssn port is in a LISTEN state using netstat -a. + +Some Unix / Linux systems use xinetd in place of +inetd. Check your system documentation for the location +of the control file/s for your particular system implementation of +this network super daemon. + + If you get a "session request failed" then the server refused the connection. If it says "Your server software is being unfriendly" then @@ -265,7 +295,7 @@ hosts. If this doesn't give a similar result to the previous test then nmblookup isn't correctly getting your broadcast address through its -automatic mechanism. In this case you should experiment use the +automatic mechanism. In this case you should experiment with the interfaces option in &smb.conf; to manually configure your IP address, broadcast and netmask. @@ -358,7 +388,7 @@ when you type dir. -On the PC type the command net view \\BIGSERVER. You will +On the PC, type the command net view \\BIGSERVER. You will need to do this from within a "dos prompt" window. You should get back a list of available shares on the server. @@ -463,7 +493,7 @@ an election is held at startup. -From file manager try to browse the server. Your samba server should +>From file manager try to browse the server. Your samba server should appear in the browse list of your local workgroup (or the one you specified in smb.conf). You should be able to double click on the name of the server and get a list of shares. If you get a "invalid -- cgit From 6c9b614c5becb84359d8547cc5bb76d0523bea4e Mon Sep 17 00:00:00 2001 
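Review bot: The Diagnosis.sgml hunk at @@ -463,7 +493,7 @@ introduces a stray character: `>From file manager try to browse the server.` The leading ">" is the mbox "From " escape that mail software adds when a patch is e-mailed, not part of the text, and it will appear verbatim in the rendered HOWTO; drop it so the line reads `From file manager try to browse the server.`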
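Review bot: The Diagnosis.sgml hunk at @@ -124,6 +142,11 @@ adds `Note: Modern Linux distributions install ipchains/iptables by default.` but does not say what the reader should check; having the tool installed is not the problem, the default rule set dropping the traffic the following tests rely on is (for example the netbios-ssn port the next test looks for in the netstat output). Suggest telling the reader to list the active rules and allow the workstation through, in the same way the preceding sentence does for ipfwadm.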
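Review bot: In the Diagnosis.sgml hunk at @@ -77,6 +80,21 @@ the line `If you make changes to your &smb.conf; file while going through these test,` should read "these tests"; and in the @@ -149,6 +172,13 @@ hunk "the control file/s for your particular system" reads better as "the control file(s)".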
From: John Terpstra Date: Fri, 25 Apr 2003 18:05:59 +0000 Subject: Fixes for syntax errors. (This used to be commit 837141f45ef0a007a4cf46690c9eb0d838a25b2f) --- docs/docbook/projdoc/ADS-HOWTO.sgml | 2 -- docs/docbook/projdoc/DOMAIN_MEMBER.sgml | 16 +++++++--------- docs/docbook/projdoc/Diagnosis.sgml | 2 +- docs/docbook/projdoc/Samba-PDC-HOWTO.sgml | 2 +- docs/docbook/projdoc/security_level.sgml | 4 ++-- 5 files changed, 11 insertions(+), 15 deletions(-) diff --git a/docs/docbook/projdoc/ADS-HOWTO.sgml b/docs/docbook/projdoc/ADS-HOWTO.sgml index 1ee0ab1962..c89a0e4f87 100644 --- a/docs/docbook/projdoc/ADS-HOWTO.sgml +++ b/docs/docbook/projdoc/ADS-HOWTO.sgml @@ -160,8 +160,6 @@ specify the -k option to choose kerberos authentication. You must change administrator password at least once after DC install, to create the right encoding types - - w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in their defaults DNS setup. Maybe fixed in service packs? diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml index cd4168e446..a5921e8ce3 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.sgml +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.sgml @@ -12,15 +12,13 @@ Joining an NT Domain with Samba 3.0 - - - - "Assumptions:" - NetBIOS name: SERV1 - Win2K/NT domain name: DOM - Domain's PDC NetBIOS name: DOMPDC - Domain's BDC NetBIOS names: DOMBDC1 and DOMBDC2 - + Assumptions: + + NetBIOS name: SERV1 + Win2K/NT domain name: DOM + Domain's PDC NetBIOS name: DOMPDC + Domain's BDC NetBIOS names: DOMBDC1 and DOMBDC2 + First, you must edit your &smb.conf; file to tell Samba it should diff --git a/docs/docbook/projdoc/Diagnosis.sgml b/docs/docbook/projdoc/Diagnosis.sgml index 1ca15d189a..6c7ac68ba4 100644 --- a/docs/docbook/projdoc/Diagnosis.sgml +++ b/docs/docbook/projdoc/Diagnosis.sgml 
@@ -82,7 +82,7 @@ best way to check this is with testparm smb.conf. It is helpful to monitor the log files during testing by using the -tail -F log_file_name in a separate +tail -F log_file_name in a separate terminal console (use ctrl-alt-F1 through F6 or multiple terminals in X). Relevant log files can be found (for default installations) in /usr/local/samba/var. Also, connection logs from diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml index be7a6d5201..6a3bcacf17 100644 --- a/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.sgml @@ -330,7 +330,7 @@ for this including: -Read the chapter about the User Database +Read the chapter about the User Database for details. diff --git a/docs/docbook/projdoc/security_level.sgml b/docs/docbook/projdoc/security_level.sgml index a59392bbac..f19ec4a1e8 100644 --- a/docs/docbook/projdoc/security_level.sgml +++ b/docs/docbook/projdoc/security_level.sgml @@ -130,8 +130,8 @@ Windows NT server, the later natively capable of encrypted password support. Server level security is incompatible with what is known -as schannel or "sign and seal" protocols. This means that -if you want to use server level security you must disable +as schannel or "sign and seal" protocols. This means that +if you want to use server level security you must disable the use of "sign and seal" on all machines on your network. -- cgit From 221729252b844e00f368c1e99f3010617e6781e5 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sat, 26 Apr 2003 01:01:14 +0000 Subject: A RID can never be zero (This used to be commit e2d757aed27ede67cf904c01e8f23e436d764108) --- source3/rpc_server/srv_samr_util.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/source3/rpc_server/srv_samr_util.c b/source3/rpc_server/srv_samr_util.c index d7ead0d15f..b81c441811 100644 --- a/source3/rpc_server/srv_samr_util.c +++ b/source3/rpc_server/srv_samr_util.c 
@@ -169,13 +169,17 @@ void copy_id21_to_sam_passwd(SAM_ACCOUNT *to, SAM_USER_INFO_21 *from) pdb_set_munged_dial(to , new_string, PDB_CHANGED); } - if (from->user_rid != pdb_get_user_rid(to)) { + if (from->user_rid == 0) { + DEBUG(10, ("INFO_21: Asked to set User RID to 0 !? Skipping change!\n")); + } else if (from->user_rid != pdb_get_user_rid(to)) { DEBUG(10,("INFO_21 USER_RID: %u -> %u NOT UPDATED!\n",pdb_get_user_rid(to),from->user_rid)); /* we really allow this ??? metze */ /* pdb_set_user_sid_from_rid(to, from->user_rid, PDB_CHANGED);*/ } - if (from->group_rid != pdb_get_group_rid(to)) { + if (from->group_rid == 0) { + DEBUG(10, ("INFO_21: Asked to set Group RID to 0 !? Skipping change!\n")); + } else if (from->group_rid != pdb_get_group_rid(to)) { DEBUG(10,("INFO_21 GROUP_RID: %u -> %u\n",pdb_get_group_rid(to),from->group_rid)); pdb_set_group_sid_from_rid(to, from->group_rid, PDB_CHANGED); } @@ -371,13 +375,16 @@ void copy_id23_to_sam_passwd(SAM_ACCOUNT *to, SAM_USER_INFO_23 *from) pdb_set_munged_dial(to , new_string, PDB_CHANGED); } - if (from->user_rid != pdb_get_user_rid(to)) { + if (from->user_rid == 0) { + DEBUG(10, ("INFO_23: Asked to set User RID to 0 !? Skipping change!\n")); + } else if (from->user_rid != pdb_get_user_rid(to)) { DEBUG(10,("INFO_23 USER_RID: %u -> %u NOT UPDATED!\n",pdb_get_user_rid(to),from->user_rid)); /* we really allow this ??? metze */ /* pdb_set_user_sid_from_rid(to, from->user_rid, PDB_CHANGED);*/ } - - if (from->group_rid != pdb_get_group_rid(to)) { + if (from->group_rid == 0) { + DEBUG(10, ("INFO_23: Asked to set Group RID to 0 !? Skipping change!\n")); + } else if (from->group_rid != pdb_get_group_rid(to)) { DEBUG(10,("INFO_23 GROUP_RID: %u -> %u\n",pdb_get_group_rid(to),from->group_rid)); pdb_set_group_sid_from_rid(to, from->group_rid, PDB_CHANGED); } -- cgit From 05a7f65f8a107302ff29aac9e49b9e29a792b6fd Mon Sep 17 00:00:00 2001 
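Review bot: In the copy_id21_to_sam_passwd hunk at @@ -169,13 +169,17 @@ the new `if (from->user_rid == 0)` branch only changes which DEBUG(10) line fires: the non-zero path still has `pdb_set_user_sid_from_rid` commented out and reports "NOT UPDATED!", so a user RID from INFO_21 is never applied either way. Either drop the dead branch or add a comment stating that user-RID changes are intentionally ignored; the same applies to the identical block in copy_id23_to_sam_passwd.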
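Review bot: In the copy_id23_to_sam_passwd hunk at @@ -371,13 +375,16 @@ the group-RID path still calls `pdb_set_group_sid_from_rid(to, from->group_rid, PDB_CHANGED)` for any non-zero value that differs from the stored one, so rejecting 0 is the only validation and nothing checks that the RID names an existing group before the account's primary group is switched. A client asking for RID 0 is also a malformed request, so logging it only at level 10 means it will go unnoticed in any normal configuration; consider a more visible debug level. The two functions now carry four near-identical if/else blocks; a small static helper taking the field values and the "INFO_21"/"INFO_23" label would remove the duplication.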
From: Simo Sorce Date: Sat, 26 Apr 2003 01:02:25 +0000 Subject: let's suppose I want to specify exactly which SID a user should have ... Simo. (This used to be commit ef1eaa9b7e98b532e8ef98c1036a4b2d5f3d4dc5) --- source3/utils/pdbedit.c | 79 +++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 74 insertions(+), 5 deletions(-) diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c index bf42fb805f..d7de709e21 100644 --- a/source3/utils/pdbedit.c +++ b/source3/utils/pdbedit.c @@ -258,7 +258,8 @@ static int print_users_list (struct pdb_context *in, BOOL verbosity, BOOL smbpwd static int set_user_info (struct pdb_context *in, const char *username, const char *fullname, const char *homedir, const char *drive, const char *script, - const char *profile, const char *account_control) + const char *profile, const char *account_control, + const char *user_sid, const char *group_sid) { SAM_ACCOUNT *sam_pwent=NULL; BOOL ret; 
@@ -299,6 +300,36 @@ static int set_user_info (struct pdb_context *in, const char *username, (pdb_get_acct_ctrl(sam_pwent) & not_settable) | newflag, PDB_CHANGED); } + if (user_sid) { + DOM_SID u_sid; + if (!string_to_sid(&u_sid, user_sid)) { + /* not a complete sid, may be a RID, try building a SID */ + int u_rid; + + if (sscanf(user_sid, "%d", &u_rid) != 1) { + fprintf(stderr, "Error passed string is not a complete user SID or RID!\n"); + return -1; + } + sid_copy(&u_sid, get_global_sam_sid()); + sid_append_rid(&u_sid, u_rid); + } + pdb_set_user_sid (sam_pwent, &u_sid, PDB_CHANGED); + } + if (group_sid) { + DOM_SID g_sid; + if (!string_to_sid(&g_sid, group_sid)) { + /* not a complete sid, may be a RID, try building a SID */ + int g_rid; + + if (sscanf(group_sid, "%d", &g_rid) != 1) { + fprintf(stderr, "Error passed string is not a complete group SID or RID!\n"); + return -1; + } + sid_copy(&g_sid, get_global_sam_sid()); + sid_append_rid(&g_sid, g_rid); + } + pdb_set_group_sid (sam_pwent, &g_sid, PDB_CHANGED); + } if (NT_STATUS_IS_OK(in->pdb_update_sam_account (in, sam_pwent))) print_user_info (in, username, True, False); @@ -314,7 +345,10 @@ static int set_user_info (struct pdb_context *in, const char *username, /********************************************************* Add New User **********************************************************/ -static int new_user (struct pdb_context *in, const char *username, const char *fullname, const char *homedir, const char *drive, const char *script, const char *profile) +static int new_user (struct pdb_context *in, const char *username, + const char *fullname, const char *homedir, + const char *drive, const char *script, + const char *profile, char *user_sid, char *group_sid) { SAM_ACCOUNT *sam_pwent=NULL; struct passwd *pwd = NULL; 
@@ -329,7 +363,7 @@ static int new_user (struct pdb_context *in, const char *username, const char *f fprintf (stderr, "WARNING: user %s does not exist in system passwd\n", username); pdb_init_sam(&sam_pwent); if (!pdb_set_username(sam_pwent, username, PDB_CHANGED)) { - return False; + return -1; } } @@ -365,6 +399,36 @@ static int new_user (struct pdb_context *in, const char *username, const char *f pdb_set_logon_script(sam_pwent, script, PDB_CHANGED); if (profile) pdb_set_profile_path (sam_pwent, profile, PDB_CHANGED); + if (user_sid) { + DOM_SID u_sid; + if (!string_to_sid(&u_sid, user_sid)) { + /* not a complete sid, may be a RID, try building a SID */ + int u_rid; + + if (sscanf(user_sid, "%d", &u_rid) != 1) { + fprintf(stderr, "Error passed string is not a complete user SID or RID!\n"); + return -1; + } + sid_copy(&u_sid, get_global_sam_sid()); + sid_append_rid(&u_sid, u_rid); + } + pdb_set_user_sid (sam_pwent, &u_sid, PDB_CHANGED); + } + if (group_sid) { + DOM_SID g_sid; + if (!string_to_sid(&g_sid, group_sid)) { + /* not a complete sid, may be a RID, try building a SID */ + int g_rid; + + if (sscanf(group_sid, "%d", &g_rid) != 1) { + fprintf(stderr, "Error passed string is not a complete group SID or RID!\n"); + return -1; + } + sid_copy(&g_sid, get_global_sam_sid()); + sid_append_rid(&g_sid, g_rid); + } + pdb_set_group_sid (sam_pwent, &g_sid, PDB_CHANGED); + } pdb_set_acct_ctrl (sam_pwent, ACB_NORMAL, PDB_CHANGED); @@ -507,6 +571,8 @@ int main (int argc, char **argv) static char *profile_path = NULL; static char *account_control = NULL; static char *account_policy = NULL; + static char *user_sid = NULL; + static char *group_sid = NULL; static long int account_policy_value = 0; BOOL account_policy_value_set = False; 
@@ -525,6 +591,8 @@ int main (int argc, char **argv) {"drive", 'D', POPT_ARG_STRING, &home_drive, 0, "set home drive", NULL}, {"script", 'S', POPT_ARG_STRING, &logon_script, 0, "set logon script", NULL}, {"profile", 'p', POPT_ARG_STRING, &profile_path, 0, "set profile path", NULL}, + {"user SID", 'U', POPT_ARG_STRING, &user_sid, 0, "set user SID or RID", NULL}, + {"group SID", 'G', POPT_ARG_STRING, &group_sid, 0, "set group SID or RID", NULL}, {"create", 'a', POPT_ARG_NONE, &add_user, 0, "create user", NULL}, {"modify", 'r', POPT_ARG_NONE, &modify_user, 0, "modify user", NULL}, {"machine", 'm', POPT_ARG_NONE, &machine, 0, "account is a machine account", NULL}, @@ -693,7 +761,7 @@ int main (int argc, char **argv) } else { return new_user (bdef, user_name, full_name, home_dir, home_drive, logon_script, - profile_path); + profile_path, user_sid, group_sid); } } @@ -712,7 +780,8 @@ int main (int argc, char **argv) home_dir, home_drive, logon_script, - profile_path, account_control); + profile_path, account_control, + user_sid, group_sid); } } -- cgit From d820b547bd5c555c566bb49cefb7004597cfe114 Mon Sep 17 00:00:00 2001 
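Review bot: In the set_user_info hunk at @@ -299,6 +300,36 @@, `sscanf(user_sid, "%d", &u_rid)` reads a signed int and accepts "-5", "0" or "12abc" as a RID, then hands it to `sid_append_rid`, which takes an unsigned 32-bit value. A RID can never be zero (see the preceding srv_samr_util.c commit), so parse with strtoul, check that the whole string was consumed, and reject 0 and out-of-range values before building the SID. The same block appears four times (user and group here, and again in new_user); a static helper such as a hypothetical parse_sid_or_rid(const char *str, DOM_SID *sid), called from both functions, would keep the check in one place.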
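Review bot: In the main() hunk at @@ -525,6 +591,8 @@ the new popt entries `{"user SID", 'U', ...}` and `{"group SID", 'G', ...}` use long option names containing a space, so `--user SID` can never be matched on a command line and only the short forms -U/-G work; rename them "user-sid" and "group-sid" (matching the existing "drive"/"script"/"profile" style) and check that 'U' and 'G' do not collide with short options defined elsewhere in the table.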
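Review bot: In the new_user hunk at @@ -314,7 +345,10 @@ the new parameters are declared `char *user_sid, char *group_sid` while set_user_info takes them as `const char *`; both functions only read the strings, so make them const in new_user too. The `return False;` to `return -1;` change in the hunk at @@ -329,7 +363,7 @@ is correct and deserves a line in the commit message: new_user returns int and False is 0, so a failed pdb_set_username was being reported as success.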
From: John Terpstra Date: Sat, 26 Apr 2003 01:38:46 +0000 Subject: Many typos, syntax fixes, more. Multiple sources including mega patch from - Jesse Jacobs (This used to be commit 5da18339e19bf2bcc23a19339c8a6a3052246d44) --- docs/docbook/projdoc/Bugs.sgml | 4 +- docs/docbook/projdoc/CUPS-printing.sgml | 83 ++++++++++++---------- docs/docbook/projdoc/Compiling.sgml | 4 +- docs/docbook/projdoc/Diagnosis.sgml | 4 +- docs/docbook/projdoc/Integrating-with-Windows.sgml | 8 +-- docs/docbook/projdoc/InterdomainTrusts.sgml | 12 ++-- docs/docbook/projdoc/NT4Migration.sgml | 13 ++-- docs/docbook/projdoc/Other-Clients.sgml | 2 +- .../projdoc/PAM-Authentication-And-Samba.sgml | 2 +- docs/docbook/projdoc/Problems.sgml | 4 +- docs/docbook/projdoc/ProfileMgmt.sgml | 13 ++-- docs/docbook/projdoc/SWAT.sgml | 10 +-- docs/docbook/projdoc/Speed.sgml | 2 +- docs/docbook/projdoc/VFS.sgml | 10 +-- docs/docbook/projdoc/passdb.sgml | 27 ++++--- docs/docbook/projdoc/securing-samba.sgml | 4 +- docs/docbook/projdoc/unicode.sgml | 4 +- 17 files changed, 116 insertions(+), 90 deletions(-) diff --git a/docs/docbook/projdoc/Bugs.sgml b/docs/docbook/projdoc/Bugs.sgml index 155ab353f4..e7ebde788b 100644 --- a/docs/docbook/projdoc/Bugs.sgml +++ b/docs/docbook/projdoc/Bugs.sgml @@ -164,7 +164,7 @@ occurred. Include this in your mail. -If you known any assembly language then do a disass of the routine +If you know any assembly language then do a disass of the routine where the problem occurred (if its in a library routine then disassemble the routine that called it) and try to work out exactly where the problem is by looking at the surrounding code. Even if you 
@@ -195,7 +195,7 @@ where it occurred. The best sort of bug report is one that includes a fix! If you send us patches please use diff -u format if your version of diff supports it, otherwise use diff -c4. Make sure -your do the diff against a clean version of the source and let me know +you do the diff against a clean version of the source and let me know exactly what version you used. diff --git a/docs/docbook/projdoc/CUPS-printing.sgml b/docs/docbook/projdoc/CUPS-printing.sgml index ea10ba0e75..57faebdcd6 100644 --- a/docs/docbook/projdoc/CUPS-printing.sgml +++ b/docs/docbook/projdoc/CUPS-printing.sgml @@ -294,9 +294,12 @@ for the mailing, etc.). -CUPS as a network PostScript RIP -- CUPS drivers working on server, Adobe -PostScript driver with CUPS-PPDs downloaded to clients +CUPS as a network PostScript RIP + +This is the configuration where CUPS drivers are working on server, and where the +Adobe PostScript driver with CUPS-PPDs is downloaded to clients. + CUPS is perfectly able to use PPD files (PostScript @@ -543,7 +546,8 @@ associated with this printer is copied from /etc/cups/ppd/ root# cupsaddsmb -U root infotec_IS2027 -Password for root required to access localhost via SAMBA: [type in password 'secret'] +Password for root required to access localhost via +SAMBA: [type in password 'secret'] 
@@ -568,7 +572,8 @@ Note: The following line shave been wrapped so that information is not lost. root# cupsaddsmb -v -U root infotec_IS2027 Password for root required to access localhost via SAMBA: Running command: smbclient //localhost/print\$ -N -U'root%secret' -c 'mkdir W32X86;put - /var/spool/cups/tmp/3cd1cc66376c0 W32X86/infotec_IS2027.PPD;put /usr/share/cups/drivers/ + /var/spool/cups/tmp/3cd1cc66376c0 W32X86/infotec_IS2027.PPD;put + /usr/share/cups/drivers/ ADOBEPS5.DLL W32X86/ADOBEPS5.DLL;put /usr/share/cups/drivers/ADOBEPSU.DLLr W32X86/ADOBEPSU.DLL;put /usr/share/cups/drivers/ADOBEPSU.HLP W32X86/ADOBEPSU.HLP' added interface ip=10.160.16.45 bcast=10.160.31.255 nmask=255.255.240.0 
@@ -576,14 +581,14 @@ Note: The following line shave been wrapped so that information is not lost. added interface ip=172.16.200.1 bcast=172.16.200.255 nmask=255.255.255.0 Domain=[TUX-NET] OS=[Unix] Server=[Samba 2.2.3a.200204262025cvs] NT_STATUS_OBJECT_NAME_COLLISION making remote directory \W32X86 - putting file /var/spool/cups/tmp/3cd1cc66376c0 as \W32X86/infotec_IS2027.PPD (17394.6 kb/s) - (average 17395.2 kb/s) - putting file /usr/share/cups/drivers/ADOBEPS5.DLL as \W32X86/ADOBEPS5.DLL (10877.4 kb/s) - (average 11343.0 kb/s) - putting file /usr/share/cups/drivers/ADOBEPSU.DLL as \W32X86/ADOBEPSU.DLL (5095.2 kb/s) - (average 9260.4 kb/s) - putting file /usr/share/cups/drivers/ADOBEPSU.HLP as \W32X86/ADOBEPSU.HLP (8828.7 kb/s) - (average 9247.1 kb/s) + putting file /var/spool/cups/tmp/3cd1cc66376c0 as + \W32X86/infotec_IS2027.PPD (17394.6 kb/s) (average 17395.2 kb/s) + putting file /usr/share/cups/drivers/ADOBEPS5.DLL as + \W32X86/ADOBEPS5.DLL (10877.4 kb/s) (average 11343.0 kb/s) + putting file /usr/share/cups/drivers/ADOBEPSU.DLL as + \W32X86/ADOBEPSU.DLL (5095.2 kb/s) (average 9260.4 kb/s) + putting file /usr/share/cups/drivers/ADOBEPSU.HLP as + \W32X86/ADOBEPSU.HLP (8828.7 kb/s) (average 9247.1 kb/s) Running command: smbclient //localhost/print\$ -N -U'root%secret' -c 'mkdir WIN40;put /var/spool/cups/tmp/3cd1cc66376c0 WIN40/infotec_IS2027.PPD;put 
@@ -598,32 +603,37 @@ Note: The following line shave been wrapped so that information is not lost. added interface ip=172.16.200.1 bcast=172.16.200.255 nmask=255.255.255.0 Domain=[TUX-NET] OS=[Unix] Server=[Samba 2.2.3a.200204262025cvs] NT_STATUS_OBJECT_NAME_COLLISION making remote directory \WIN40 - putting file /var/spool/cups/tmp/3cd1cc66376c0 as \WIN40/infotec_IS2027.PPD (26091.5 kb/s) - (average 26092.8 kb/s) - putting file /usr/share/cups/drivers/ADFONTS.MFM as \WIN40/ADFONTS.MFM (11241.6 kb/s) - (average 11812.9 kb/s) - putting file /usr/share/cups/drivers/ADOBEPS4.DRV as \WIN40/ADOBEPS4.DRV (16640.6 kb/s) - (average 14679.3 kb/s) - putting file /usr/share/cups/drivers/ADOBEPS4.HLP as \WIN40/ADOBEPS4.HLP (11285.6 kb/s) - (average 14281.5 kb/s) - putting file /usr/share/cups/drivers/DEFPRTR2.PPD as \WIN40/DEFPRTR2.PPD (823.5 kb/s) - (average 12944.0 kb/s) - putting file /usr/share/cups/drivers/ICONLIB.DLL as \WIN40/ICONLIB.DLL (19226.2 kb/s) - (average 13169.7 kb/s) - putting file /usr/share/cups/drivers/PSMON.DLL as \WIN40/PSMON.DLL (18666.1 kb/s) - (average 13266.7 kb/s) - - Running command: rpcclient localhost -N -U'root%secret' -c 'adddriver "Windows NT x86" - "infotec_IS2027:ADOBEPS5.DLL:infotec_IS2027.PPD:ADOBEPSU.DLL:ADOBEPSU.HLP:NULL:RAW:NULL"' - cmd = adddriver "Windows NT x86" "infotec_IS2027:ADOBEPS5.DLL:infotec_IS2027.PPD:ADOBEPSU.DLL: + putting file /var/spool/cups/tmp/3cd1cc66376c0 as + \WIN40/infotec_IS2027.PPD (26091.5 kb/s) (average 26092.8 kb/s) + putting file /usr/share/cups/drivers/ADFONTS.MFM as + \WIN40/ADFONTS.MFM (11241.6 kb/s) (average 11812.9 kb/s) + putting file /usr/share/cups/drivers/ADOBEPS4.DRV as + \WIN40/ADOBEPS4.DRV (16640.6 kb/s) (average 14679.3 kb/s) + putting file /usr/share/cups/drivers/ADOBEPS4.HLP as + \WIN40/ADOBEPS4.HLP (11285.6 kb/s) (average 14281.5 kb/s) + putting file /usr/share/cups/drivers/DEFPRTR2.PPD as + \WIN40/DEFPRTR2.PPD (823.5 kb/s) (average 12944.0 kb/s) + putting file 
/usr/share/cups/drivers/ICONLIB.DLL as + \WIN40/ICONLIB.DLL (19226.2 kb/s) (average 13169.7 kb/s) + putting file /usr/share/cups/drivers/PSMON.DLL as + \WIN40/PSMON.DLL (18666.1 kb/s) (average 13266.7 kb/s) + + Running command: rpcclient localhost -N -U'root%secret' + -c 'adddriver "Windows NT x86" + "infotec_IS2027:ADOBEPS5.DLL:infotec_IS2027.PPD:ADOBEPSU.DLL: + ADOBEPSU.HLP:NULL:RAW:NULL"' + cmd = adddriver "Windows NT x86" + "infotec_IS2027:ADOBEPS5.DLL:infotec_IS2027.PPD:ADOBEPSU.DLL: ADOBEPSU.HLP:NULL:RAW:NULL" Printer Driver infotec_IS2027 successfully installed. - Running command: rpcclient localhost -N -U'root%secret' -c 'adddriver "Windows 4.0" - "infotec_IS2027:ADOBEPS4.DRV:infotec_IS2027.PPD:NULL:ADOBEPS4.HLP:PSMON.DLL:RAW: - ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL"' - cmd = adddriver "Windows 4.0" "infotec_IS2027:ADOBEPS4.DRV:infotec_IS2027.PPD:NULL: - ADOBEPS4.HLP:PSMON.DLL:RAW:ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL" + Running command: rpcclient localhost -N -U'root%secret' + -c 'adddriver "Windows 4.0" + "infotec_IS2027:ADOBEPS4.DRV:infotec_IS2027.PPD:NULL: + ADOBEPS4.HLP:PSMON.DLL:RAW: ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL"' + cmd = adddriver "Windows 4.0" "infotec_IS2027:ADOBEPS4.DRV: + infotec_IS2027.PPD:NULL:ADOBEPS4.HLP:PSMON.DLL:RAW: + ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL" Printer Driver infotec_IS2027 successfully installed. Running command: rpcclient localhost -N -U'root%secret' @@ -1537,7 +1547,8 @@ as compared to the Adobe drivers? the Adobe drivers (depending on the printer PPD associated with them) often put a PJL header in front of the core PostScript part of the print - file (thus the file starts with "1B%-12345X" or "escape%-12345X" + file (thus the file starts with "1B%-12345X" + or "escape%-12345X" instead of "%!PS"). This leads to the CUPS daemon autotyping the arriving file as a print-ready file, not requiring a pass thru the "pstops" filter (to speak more technical, it is not regarded as the 
diff --git a/docs/docbook/projdoc/Compiling.sgml b/docs/docbook/projdoc/Compiling.sgml index 15b5acc594..664975779c 100644 --- a/docs/docbook/projdoc/Compiling.sgml +++ b/docs/docbook/projdoc/Compiling.sgml @@ -71,7 +71,7 @@ url="http://samba.org/cgi-bin/cvsweb">http://samba.org/cgi-bin/cvsweb You can also access the source code via a -normal cvs client. This gives you much more control over you can +normal cvs client. This gives you much more control over what you can do with the repository and allows you to checkout whole source trees and keep them up to date via normal cvs commands. This is the preferred method of access if you are a developer and not @@ -134,7 +134,7 @@ on this system just substitute the correct package name - CVS branches other HEAD can be obtained by using the -r + CVS branches other then HEAD can be obtained by using the -r and defining a tag name. A list of branch tag names can be found on the "Development" page of the samba web site. A common request is to obtain the latest 2.2 release code. This could be done by using the following userinput. diff --git a/docs/docbook/projdoc/Diagnosis.sgml b/docs/docbook/projdoc/Diagnosis.sgml index 6c7ac68ba4..150f071b78 100644 --- a/docs/docbook/projdoc/Diagnosis.sgml +++ b/docs/docbook/projdoc/Diagnosis.sgml @@ -216,7 +216,7 @@ To solve this problem change these lines to: Do NOT use the bind interfaces only parameter where you may wish to use the samba password change facility, or where &smbclient; may need to -access local service for name resolution or for local resource +access a local service for name resolution or for local resource connections. (Note: the bind interfaces only parameter deficiency where it will not allow connections to the loopback address will be fixed soon). 
@@ -302,7 +302,7 @@ address, broadcast and netmask. If your PC and server aren't on the same subnet then you will need to -use the -B option to set the broadcast address to the that of the PCs +use the -B option to set the broadcast address to that of the PCs subnet. diff --git a/docs/docbook/projdoc/Integrating-with-Windows.sgml b/docs/docbook/projdoc/Integrating-with-Windows.sgml index f6ac0be5a4..9f0de0a56a 100644 --- a/docs/docbook/projdoc/Integrating-with-Windows.sgml +++ b/docs/docbook/projdoc/Integrating-with-Windows.sgml @@ -8,7 +8,7 @@ Integrating MS Windows networks with Samba -This section deals with NetBIOS over TCP/IP name to IP address resolution. If you +This section deals with NetBIOS over TCP/IP name to IP address resolution. If your MS Windows clients are NOT configured to use NetBIOS over TCP/IP then this section does not apply to your installation. If your installation involves use of NetBIOS over TCP/IP then this section may help you to resolve networking problems. @@ -307,7 +307,7 @@ One further point of clarification should be noted, the /etc/hostsC:\WINNT\SYSTEM32\DRIVERS\ETC and contains the IP Address and the machine name in matched pairs. The LMHOSTS file performs NetBIOS name -to IP address mapping oriented. +to IP address mapping. @@ -493,7 +493,7 @@ every way the equivalent of the Unix/Linux /etc/hosts file. This capability is configured in the TCP/IP setup area in the network configuration facility. If enabled an elaborate name resolution sequence -is followed the precise nature of which isdependant on what the NetBIOS +is followed the precise nature of which is dependant on what the NetBIOS Node Type parameter is configured to. A Node Type of 0 means use NetBIOS broadcast (over UDP broadcast) is first used if the name that is the subject of a name lookup is not found in the NetBIOS name diff --git a/docs/docbook/projdoc/InterdomainTrusts.sgml b/docs/docbook/projdoc/InterdomainTrusts.sgml index dc34e7eca7..2c492d4ac0 100644 
--- a/docs/docbook/projdoc/InterdomainTrusts.sgml +++ b/docs/docbook/projdoc/InterdomainTrusts.sgml @@ -123,7 +123,7 @@ between domains in purely Samba environment. Samba-3 as the Trusting Domain -In order to set Samba PDC to be trusted party of the relationship first you need +In order to set the Samba PDC to be the trusted party of the relationship first you need to create special account for the domain that will be the trusting party. To do that, you can use the 'smbpasswd' utility. Creating the trusted domain account is very similiar to creating a trusted machine account. Suppose, your domain is @@ -152,8 +152,8 @@ The account name will be 'rumba$' (the name of the remote domain) After issuing this command you'll be asked to enter the password for the account. You can use any password you want, but be aware that Windows NT will not change this password until 7 days following account creation. -After the command returns successfully, you can look at the entry for new account -(in the way depending on your configuration) and see that account's name is +After the command returns successfully, you can look at the entry for the new account +(in the stardard way depending on your configuration) and see that account's name is really RUMBA$ and it has 'I' flag in the flags field. Now you're ready to confirm the trust by establishing it from Windows NT Server. @@ -187,8 +187,8 @@ domain (SAMBA) and password securing the relationship. -The password can be arbitrarily chosen. It is easy to change it the password -from Samba server whenever you want. After confirming the password your account is +The password can be arbitrarily chosen. It is easy to change the password +from the Samba server whenever you want. After confirming the password your account is ready for use. Now it's Samba's turn. 
@@ -202,7 +202,7 @@ Using your favourite shell while being logged in as root, issue this command: You will be prompted for the password you just typed on your Windows NT4 Server box. -Don not worry if you see an error message that mentions a returned code of +Do not worry if you see an error message that mentions a returned code of NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT. It means the password you gave is correct and the NT4 Server says the account is ready for interdomain connection and not for ordinary diff --git a/docs/docbook/projdoc/NT4Migration.sgml b/docs/docbook/projdoc/NT4Migration.sgml index 469215e32e..733d1f75ae 100644 --- a/docs/docbook/projdoc/NT4Migration.sgml +++ b/docs/docbook/projdoc/NT4Migration.sgml @@ -129,7 +129,7 @@ includes: Ability to implement a full single-signon architecture - Ability to distribute authentication systems for absolute minimum wide are network bandwidth demand + Ability to distribute authentication systems for absolute minimum wide area network bandwidth demand @@ -462,8 +462,9 @@ Policies (migrate or create new ones) Watch out for Tattoo effect User and Group Profiles - Platform specific so use platform tool to change from a Local to a Roaming profile - Can use new profiles tool to change SIDs (NTUser.DAT) + Platform specific so use platform tool to change from a Local + to a Roaming profile Can use new profiles tool to change SIDs + (NTUser.DAT) Logon Scripts (Know how they work) @@ -472,7 +473,8 @@ User and Group mapping to Unix/Linux Use 'net groupmap' to connect NT4 groups to Unix groups Use pdbedit to set/change user configuration NOTE: -If migrating to LDAP back end it may be easier to dump initial LDAP database to LDIF, then edit, then reload into LDAP +If migrating to LDAP back end it may be easier to dump initial LDAP database +to LDIF, then edit, then reload into LDAP OS specific scripts / programs may be needed Add / delete Users 
@@ -482,7 +484,8 @@ If migrating to LDAP back end it may be easier to dump initial LDAP database to Applied only to domain members (note up to 16 chars) Add / delete Groups Note OS limits on size and nature - Linux limit is 16 char, no spaces and no upper case chars (groupadd) + Linux limit is 16 char, + no spaces and no upper case chars (groupadd) Migration Tools Domain Control (NT4 Style) diff --git a/docs/docbook/projdoc/Other-Clients.sgml b/docs/docbook/projdoc/Other-Clients.sgml index 73316927e0..068b9c0b32 100644 --- a/docs/docbook/projdoc/Other-Clients.sgml +++ b/docs/docbook/projdoc/Other-Clients.sgml @@ -14,7 +14,7 @@ Macintosh clients? -Yes. Thursby now have a CIFS Client / Server called DAVE - see +Yes. Thursby now have a CIFS Client / Server called DAVE diff --git a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml index 395bd71a27..9f03f98b5f 100644 --- a/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml +++ b/docs/docbook/projdoc/PAM-Authentication-And-Samba.sgml @@ -34,7 +34,7 @@ or by editing individual files that are located in /etc/pam.d/lib/security. If the module - is located other than default then the path may be specified as: + is located outside the default then the path must be specified as: auth required /other_path/pam_strange_module.so diff --git a/docs/docbook/projdoc/Problems.sgml b/docs/docbook/projdoc/Problems.sgml index 1f880a78cd..eb43b63b63 100644 --- a/docs/docbook/projdoc/Problems.sgml +++ b/docs/docbook/projdoc/Problems.sgml @@ -44,7 +44,7 @@ generate a 'LsaEnumTrustedDomains'. Thereafter, the workstation maintains an open connection, and therefore there will be an smbd process running (assuming that you haven't set a really short smbd idle timeout) So, in between pressing ctrl alt delete, and actually -typing in your password, you can gdb attach and continue. +typing in your password, you can attach gdb and continue. 
@@ -85,7 +85,7 @@ formatted files. Installing netmon on an NT workstation requires a couple of steps. The following are for installing Netmon V4.00.349, which comes with Microsoft Windows NT Server 4.0, on Microsoft Windows NT -Workstation 4.0. The process should be similar for other version of +Workstation 4.0. The process should be similar for other versions of Windows NT / Netmon. You will need both the Microsoft Windows NT Server 4.0 Install CD and the Workstation 4.0 Install CD. diff --git a/docs/docbook/projdoc/ProfileMgmt.sgml b/docs/docbook/projdoc/ProfileMgmt.sgml index ac61391306..82897808b2 100644 --- a/docs/docbook/projdoc/ProfileMgmt.sgml +++ b/docs/docbook/projdoc/ProfileMgmt.sgml @@ -102,7 +102,7 @@ of your home directory called .profiles (thus making them h -Not only that, but net use/home will also work, because of a feature in +Not only that, but net use /home will also work, because of a feature in Windows 9x / Me. It removes any directory stuff off the end of the home directory area and only uses the server and share portion. That is, it looks like you specified \\%L\%U for logon home. @@ -157,7 +157,8 @@ There are three ways of doing this: Disable: Only Allow Local User Profiles Disable: Prevent Roaming Profile Change from Propogating to the Server - + + @@ -964,7 +965,7 @@ The default entries are: When a new user first logs onto MS Windows 200x/XP machine the default profile is obtained from C:\Documents and Settings\Default User. The administrator can modify (or change -the contents of this location and MS Windows 200x/XP will gladly user it. This is far from the optimum +the contents of this location and MS Windows 200x/XP will gladly use it. This is far from the optimum arrangement since it will involve copying a new default profile to every MS Windows 200x/XP client workstation. 
@@ -981,7 +982,7 @@ login name of the user. This path translates, in Samba parlance, to the smb.conf [NETLOGON] share. The directory - should be created at the root of this share and msut be called Default Profile. + should be created at the root of this share and must be called Default Profile. @@ -998,7 +999,7 @@ the local machine only under the path C:\Documents and Settings\%USERN -Those wishing to modify the default behaviour can do so through up to three methods: +Those wishing to modify the default behaviour can do so through three methods: @@ -1078,7 +1079,7 @@ the others are of type REG_EXPAND_SZ. It makes a huge difference to the speed of handling roaming user profiles if all the folders are stored on a dedicated location on a network server. This means that it will NOT be necessary to -write Outlook PST file over the network for every login and logout. +write the Outlook PST file over the network for every login and logout. diff --git a/docs/docbook/projdoc/SWAT.sgml b/docs/docbook/projdoc/SWAT.sgml index 0aea999b53..f238e8e1b0 100644 --- a/docs/docbook/projdoc/SWAT.sgml +++ b/docs/docbook/projdoc/SWAT.sgml @@ -230,9 +230,9 @@ SWAT has context sensitive help. To find out what each parameter is for simply c Share Settings -To affect a currenly configured share, simple click on the pull down button between the +To affect a currenly configured share, simply click on the pull down button between the Choose Share and the Delete Share buttons, -select the share you wish to operation on, then to edit the settings click on the +select the share you wish to operate on, then to edit the settings click on the Choose Share button, to delete the share simply press the Delete Share button. 
@@ -249,9 +249,9 @@ into the text field the name of the share to be created, then click on the Printers Settings -To affect a currenly configured printer, simple click on the pull down button between the +To affect a currenly configured printer, simply click on the pull down button between the Choose Printer and the Delete Printer buttons, -select the printer you wish to operation on, then to edit the settings click on the +select the printer you wish to operate on, then to edit the settings click on the Choose Printer button, to delete the share simply press the Delete Printer button. @@ -330,7 +330,7 @@ parameters and their settings. The Password Change Page -The Password Change page is a popular tool. This tool allows to creation, deletion, deactivation +The Password Change page is a popular tool. This tool allows the creation, deletion, deactivation and reactivation of MS Windows networking users on the local machine. Alternatively, you can use this tool to change a local password for a user account. diff --git a/docs/docbook/projdoc/Speed.sgml b/docs/docbook/projdoc/Speed.sgml index 753810c1d8..2509883916 100644 --- a/docs/docbook/projdoc/Speed.sgml +++ b/docs/docbook/projdoc/Speed.sgml @@ -117,7 +117,7 @@ pointless and will cause you to allocate memory unnecessarily. At startup the client and server negotiate a maximum transmit size, which limits the size of nearly all SMB commands. You can set the maximum size that Samba will negotiate using the max xmit = option -in &smb.conf;. Note that this is the maximum size of SMB request that +in &smb.conf;. Note that this is the maximum size of SMB requests that Samba will accept, but not the maximum size that the *client* will accept. The client maximum receive size is sent to Samba by the client and Samba honours this limit. diff --git a/docs/docbook/projdoc/VFS.sgml b/docs/docbook/projdoc/VFS.sgml index 1f29a754b0..225411b427 100644 --- a/docs/docbook/projdoc/VFS.sgml +++ b/docs/docbook/projdoc/VFS.sgml 
@@ -99,9 +99,9 @@ following information will be recorded: recycle -A recycle-bin like modules. When used any unlink call +A recycle-bin like module. When used any unlink call will be intercepted and files moved to the recycle -directory instead of beeing deleted. +directory instead of being deleted. Supported options: @@ -159,7 +159,7 @@ netatalk file sharing services. Advantages compared to the old netatalk module: -it doesn't care about creating of .AppleDouble forks, just keeps ones in sync +it doesn't care about creating of .AppleDouble forks, just keeps them in sync if share in smb.conf doesn't contain .AppleDouble item in hide or veto list, it will be added automatically @@ -174,12 +174,12 @@ netatalk file sharing services. This section contains a listing of various other VFS modules that have been posted but don't currently reside in the Samba CVS -tree for one reason ot another (e.g. it is easy for the maintainer +tree for one reason or another (e.g. it is easy for the maintainer to have his or her own CVS tree). -No statemets about the stability or functionality any module +No statemets about the stability or functionality of any module should be implied due to its presence here. diff --git a/docs/docbook/projdoc/passdb.sgml b/docs/docbook/projdoc/passdb.sgml index 523a34603d..422cf7b7e7 100644 --- a/docs/docbook/projdoc/passdb.sgml +++ b/docs/docbook/projdoc/passdb.sgml 
@@ -867,13 +867,15 @@ identifier:pass must change time column - int(9) identifier:username column - varchar(255) - unix username identifier:domain column - varchar(255) - NT domain user is part of identifier:nt username column - varchar(255) - NT username -identifier:fullname column - varchar(255) - Full name of user +identifier:fullname column - varchar(255) - Full name of user identifier:home dir column - varchar(255) - Unix homedir path -identifier:dir drive column - varchar(2) - Directory drive path (eg: 'H:') -identifier:logon script column - varchar(255) - Batch file to run on client side when logging on +identifier:dir drive column - varchar(2) - Directory drive path (eg: 'H:') +identifier:logon script column - varchar(255) + - Batch file to run on client side when logging on identifier:profile path column - varchar(255) - Path of profile identifier:acct desc column - varchar(255) - Some ASCII NT user data -identifier:workstations column - varchar(255) - Workstations user can logon to (or NULL for all) +identifier:workstations column - varchar(255) + - Workstations user can logon to (or NULL for all) identifier:unknown string column - varchar(255) - unknown string identifier:munged dial column - varchar(255) - ? identifier:uid column - int(9) - Unix user ID (uid) 
@@ -908,11 +910,15 @@ I strongly discourage the use of plaintext passwords, however, you can use them: -If you would like to use plaintext passwords, set 'identifier:lanman pass column' and 'identifier:nt pass column' to 'NULL' (without the quotes) and 'identifier:plain pass column' to the name of the column containing the plaintext passwords. +If you would like to use plaintext passwords, set +'identifier:lanman pass column' and 'identifier:nt pass column' to +'NULL' (without the quotes) and 'identifier:plain pass column' to the +name of the column containing the plaintext passwords. -If you use encrypted passwords, set the 'identifier:plain pass column' to 'NULL' (without the quotes). This is the default. +If you use encrypted passwords, set the 'identifier:plain pass +column' to 'NULL' (without the quotes). This is the default. @@ -944,16 +950,21 @@ Or, set 'identifier:workstations column' to : This module requires libxml2 to be installed. The usage of pdb_xml is pretty straightforward. To export data, use: + -pdbedit -e xml:filename + + pdbedit -e xml:filename + + (where filename is the name of the file to put the data in) To import data, use: pdbedit -i xml:filename -e current-pdb - + + Where filename is the name to read the data from and current-pdb to put it in. diff --git a/docs/docbook/projdoc/securing-samba.sgml b/docs/docbook/projdoc/securing-samba.sgml index eedc7ba725..d320767a77 100644 --- a/docs/docbook/projdoc/securing-samba.sgml +++ b/docs/docbook/projdoc/securing-samba.sgml @@ -44,7 +44,7 @@ might be: The above will only allow SMB connections from 'localhost' (your own computer) and from the two private networks 192.168.2 and -192.168.3. All other connections will be refused connections as soon +192.168.3. All other connections will be refused as soon as the client sends its first packet. The refusal will be marked as a 'not listening on called name' error. 
@@ -84,7 +84,7 @@ If you use the above and someone tries to make a SMB connection to your host over a PPP interface called 'ppp0' then they will get a TCP connection refused reply. In that case no Samba code is run at all as the operating system has been told not to pass connections from that -interface to any process. +interface to any samba process. diff --git a/docs/docbook/projdoc/unicode.sgml b/docs/docbook/projdoc/unicode.sgml index 42d2e1d50f..eaf9990dcb 100644 --- a/docs/docbook/projdoc/unicode.sgml +++ b/docs/docbook/projdoc/unicode.sgml @@ -36,9 +36,9 @@ store one character). -A standardised multibyte charset is unicode, info available at +A standardised multibyte charset is unicode, info is available at www.unicode.org. -Big advantage of using a multibyte charset is that you only need one; no +A big advantage of using a multibyte charset is that you only need one; no need to make sure two computers use the same charset when they are communicating. -- cgit From 629f9d7c95e189981b9890f88775577984e107a7 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 26 Apr 2003 02:28:01 +0000 Subject: Use &author.jerry;, not &person.jerry; (This used to be commit 0833677ee51c95d27b146b40b2e5f681a7f02fcc) --- docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml index 841d24b78d..7250bca824 100644 --- a/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml +++ b/docs/docbook/projdoc/GROUP-MAPPING-HOWTO.sgml @@ -3,7 +3,7 @@ Jean FrançoisMicouleau - &person.jerry; + &author.jerry; -- cgit From 74b9fdc1ccd6c061038d86f7713cb33a89e2261c Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 26 Apr 2003 02:29:33 +0000 Subject: --with-tdbsam is gone (This used to be commit 8f63f7142c6bf1e89b5cc3c0d02cbe480bc247b4) --- docs/docbook/manpages/smb.conf.5.sgml | 2 -- 1 file changed, 2 deletions(-) 
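Review bot: the InterdomainTrusts.sgml hunk at @@ -152,8 introduces a new typo on its own added line, `(in the stardard way depending on your configuration)`, which should read `standard`. While in these files the patch could also pick up the misspellings it leaves in place next to its changes: `similiar` (same InterdomainTrusts.sgml hunk context), `dependant` in the Integrating-with-Windows.sgml hunk at @@ -493,7 (should be `dependent`), `currenly` on the first line of both SWAT.sgml hunks (`To affect a currenly configured share` / `printer`), `statemets` in the VFS.sgml hunk at @@ -174,12, and `Propogating` in the ProfileMgmt.sgml hunk at @@ -157,7. One content point: in the InterdomainTrusts.sgml hunk at @@ -123,7 the heading in context is `Samba-3 as the Trusting Domain`, yet the rewritten sentence says the Samba PDC is to be `the trusted party` and the account is created for `the domain that will be the trusting party`; heading and body contradict each other and one of them needs to change.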
diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml index 9486eb87ea..fa61121f4b 100644 --- a/docs/docbook/manpages/smb.conf.5.sgml +++ b/docs/docbook/manpages/smb.conf.5.sgml @@ -5423,8 +5423,6 @@ df $1 | tail -1 | awk '{print $2" "$4}' This option allows the administrator to chose which backends to retrieve and store passwords with. This allows (for example) both smbpasswd and tdbsam to be used without a recompile. Multiple backends can be specified, separated by spaces. The backends will be searched in the order they are specified. New users are always added to the first backend specified. - Experimental backends must still be selected - (eg --with-tdbsam) at configure time. This parameter is in two parts, the backend's name, and a 'location' -- cgit From 54c285888509dcd4520f2608d618012f5877d073 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 26 Apr 2003 02:30:53 +0000 Subject: The net manpage is complete, say so in the VERSION section (This used to be commit ff76db525180f0fc192a9c0cfb56781dbfb418ee) --- docs/docbook/manpages/net.8.sgml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docbook/manpages/net.8.sgml b/docs/docbook/manpages/net.8.sgml index 6b6ebd1f09..ca52ce8ffc 100644 --- a/docs/docbook/manpages/net.8.sgml +++ b/docs/docbook/manpages/net.8.sgml @@ -883,7 +883,7 @@ to show in the result. VERSION - This man page is incomplete for version 3.0 of the Samba + This man page is complete for version 3.0 of the Samba suite. -- cgit From 17c29f0faf96f522fb5179bda1ea1904b18df7d5 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 26 Apr 2003 11:38:42 +0000 Subject: Fix the 'weird' charset module. Also, built it by default for ./configure --enable-developer (This used to be commit 1c0ae103010766cb3dd5adb36ea7af9324bd0672) --- source3/Makefile.in | 4 ++-- source3/configure.in | 9 +++++---- 2 files changed, 7 insertions(+), 6 deletions(-) 
diff --git a/source3/Makefile.in b/source3/Makefile.in index 3e9a6665ac..7291b4b3c5 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -1044,7 +1044,7 @@ bin/nisplussam.@SHLIBEXT@: passdb/pdb_nisplus.o @$(SHLD) $(LDSHFLAGS) -o $@ passdb/pdb_nisplus.o \ @SONAMEFLAG@`basename $@` -bin/developer.@SHLIBEXT@: $(DEVEL_HELP_OBJ) +bin/weird.@SHLIBEXT@: $(DEVEL_HELP_OBJ) @echo "Building plugin $@" @$(SHLD) $(LDSHFLAGS) -o $@ $(DEVEL_HELP_OBJ) \ @SONAMEFLAG@`basename $@` @@ -1138,7 +1138,7 @@ installbin: all installdirs @$(SHELL) $(srcdir)/script/installbin.sh $(INSTALLPERMS) $(DESTDIR)$(BASEDIR) $(DESTDIR)$(BINDIR) $(DESTDIR)$(LIBDIR) $(DESTDIR)$(VARDIR) $(BIN_PROGS) -installmodules: all modules installdirs +installmodules: modules installdirs @$(SHELL) $(srcdir)/script/installmodules.sh $(INSTALLPERMS) $(DESTDIR)$(BASEDIR) $(DESTDIR)$(VFSLIBDIR) $(VFS_MODULES) @$(SHELL) $(srcdir)/script/installmodules.sh $(INSTALLPERMS) $(DESTDIR)$(BASEDIR) $(DESTDIR)$(PDBLIBDIR) $(PDB_MODULES) @$(SHELL) $(srcdir)/script/installmodules.sh $(INSTALLPERMS) $(DESTDIR)$(BASEDIR) $(DESTDIR)$(RPCLIBDIR) $(RPC_MODULES) diff --git a/source3/configure.in b/source3/configure.in index e9f7016a8a..cd3b2cedcc 100644 --- a/source3/configure.in +++ b/source3/configure.in 
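Review bot: the second hunk, `installmodules: modules installdirs` dropping the `all` prerequisite, is unrelated to the stated purpose (fixing the weird charset module) and is not mentioned in the commit message; it changes what `make installmodules` builds, so it should be split out or explained. In the first hunk the target becomes `bin/weird.@SHLIBEXT@` while the object stays `$(DEVEL_HELP_OBJ)` (modules/developer.o in the configure.in hunk below), so module name, target and source no longer agree; renaming the source file in the same change would keep them consistent.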
@@ -247,13 +247,14 @@ dnl Add modules that have to be built by default here dnl These have to be built static: default_static_modules="pdb_smbpasswd pdb_tdbsam pdb_unix rpc_lsa rpc_samr rpc_reg rpc_wks rpc_net rpc_dfs rpc_srv rpc_spoolss auth_rhosts auth_sam auth_unix auth_winbind auth_server auth_domain auth_builtin idmap_winbind" +dnl These are preferably build shared, and static if dlopen() is not available +default_shared_modules="vfs_recycle vfs_audit vfs_extd_audit vfs_fake_perms vfs_netatalk" + if test "x$enable_developer" = xyes; then default_static_modules="$default_static_modules rpc_echo" + default_shared_modules="$default_shared_modules charset_weird" fi -dnl These are preferably build shared, and static if dlopen() is not available -default_shared_modules="vfs_recycle vfs_audit vfs_extd_audit vfs_fake_perms vfs_netatalk" - # # Config CPPFLAG settings for strange OS's that must be set # before other tests. @@ -3449,7 +3450,7 @@ SMB_MODULE(rpc_samr, \$(RPC_SAMR_OBJ), "bin/librpc_samr.$SHLIBEXT", RPC) SMB_MODULE(rpc_echo, \$(RPC_ECHO_OBJ), "bin/librpc_echo.$SHLIBEXT", RPC) SMB_SUBSYSTEM(RPC) -SMB_MODULE(charset_weird, modules/developer.o, "bin/developer.$SHLIBEXT", CHARSET) +SMB_MODULE(charset_weird, modules/developer.o, "bin/weird.$SHLIBEXT", CHARSET) SMB_SUBSYSTEM(CHARSET) SMB_MODULE(auth_rhosts, \$(AUTH_RHOSTS_OBJ), "bin/rhosts.$SHLIBEXT", AUTH) -- cgit From 0bc85d32e196acb50dfece16d63410e04c58b712 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sat, 26 Apr 2003 14:43:33 +0000 Subject: add idmap only parameter make idmap not map SIDs outside the uid/gid range defined by default this is to keep backward compatibility (This used to be commit bec45093c379915082d7b7f44113f5c17110d123) --- source3/param/loadparm.c | 6 +++++- source3/sam/idmap.c | 29 +++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 1 deletion(-) diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index c80c71d98d..60ba76a32f 100644 --- a/source3/param/loadparm.c 
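Review bot: moving the `default_shared_modules=` assignment above the `enable_developer` block is the real fix here, since with the old ordering the unconditional assignment ran after the developer block and would have discarded any `charset_weird` appended there; that is worth stating in the commit message rather than just "Fix the 'weird' charset module". Typo in the moved comment: `These are preferably build shared` should be `built`.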
+++ b/source3/param/loadparm.c @@ -164,6 +164,7 @@ typedef struct char *szSourceEnv; char *szIdmapUID; char *szIdmapGID; + BOOL *bIdmapOnly; char *szNonUnixAccountRange; int AlgorithmicRidBase; char *szTemplateHomedir; @@ -756,7 +757,6 @@ static struct parm_struct parm_table[] = { {"server schannel", P_ENUM, P_GLOBAL, &Globals.serverSchannel, NULL, enum_bool_auto, FLAG_BASIC}, {"allow trusted domains", P_BOOL, P_GLOBAL, &Globals.bAllowTrustedDomains, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {"hosts equiv", P_STRING, P_GLOBAL, &Globals.szHostsEquiv, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, - {"idmap backend", P_STRING, P_GLOBAL, &Globals.szIdmapBackend, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {"min passwd length", P_INTEGER, P_GLOBAL, &Globals.min_passwd_length, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {"min password length", P_INTEGER, P_GLOBAL, &Globals.min_passwd_length, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {"map to guest", P_ENUM, P_GLOBAL, &Globals.map_to_guest, NULL, enum_map_to_guest, FLAG_ADVANCED | FLAG_DEVELOPER}, @@ -1120,6 +1120,8 @@ static struct parm_struct parm_table[] = { {"Winbind options", P_SEP, P_SEPARATOR}, + {"idmap only", P_BOOL, P_GLOBAL, &Globals.bIdmapOnly, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, + {"idmap backend", P_STRING, P_GLOBAL, &Globals.szIdmapBackend, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {"idmap uid", P_STRING, P_GLOBAL, &Globals.szIdmapUID, handle_idmap_uid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {"winbind uid", P_STRING, P_GLOBAL, &Globals.szIdmapUID, handle_idmap_uid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER | FLAG_HIDE}, {"idmap gid", P_STRING, P_GLOBAL, &Globals.szIdmapGID, handle_idmap_gid, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, @@ -1478,6 +1480,7 @@ static void init_globals(void) Globals.bWinbindEnumGroups = True; Globals.bWinbindUseDefaultDomain = False; + Globals.bIdmapOnly = False; string_set(&Globals.szWinbindBackend, "tdb"); Globals.name_cache_timeout = 660; /* In seconds */ 
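Review bot: `BOOL *bIdmapOnly;` in the Globals struct should be `BOOL bIdmapOnly;`. Every other use treats it as a plain BOOL: the parm_table entry is `P_BOOL` with `&Globals.bIdmapOnly`, init_globals does `Globals.bIdmapOnly = False;`, and the accessor in the next hunk is `FN_GLOBAL_BOOL(lp_idmap_only, &Globals.bIdmapOnly)`. As written the parameter loader stores a BOOL into the first bytes of a pointer-sized slot and the accessor reads it back the same way, so it happens to work, but only by accident. Moving `idmap backend` out of its old position into the `Winbind options` group beside the new parameter is reasonable, but the commit adds no smb.conf(5) text for `idmap only`, its default of no, or what it does (refuse to store mappings whose uid/gid falls outside `idmap uid` / `idmap gid` unless set); an administrator enabling winbind will need that documented.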
@@ -1657,6 +1660,7 @@ FN_GLOBAL_BOOL(lp_winbind_use_default_domain, &Globals.bWinbindUseDefaultDomain) FN_GLOBAL_STRING(lp_winbind_backend, &Globals.szWinbindBackend) FN_GLOBAL_STRING(lp_idmap_backend, &Globals.szIdmapBackend) +FN_GLOBAL_BOOL(lp_idmap_only, &Globals.bIdmapOnly) #ifdef WITH_LDAP_SAMCONFIG FN_GLOBAL_STRING(lp_ldap_server, &Globals.szLdapServer) diff --git a/source3/sam/idmap.c b/source3/sam/idmap.c index 771f4169a2..c2b966cfbe 100644 --- a/source3/sam/idmap.c +++ b/source3/sam/idmap.c @@ -91,6 +91,35 @@ NTSTATUS idmap_set_mapping(const DOM_SID *sid, unid_t id, int id_type) { NTSTATUS ret; + if (!lp_idmap_only()) { + if (id_type & ID_USERID) { + uid_t low, high; + if (!lp_idmap_uid(&low, &high)) { + DEBUG(0, ("idmap uid range missing or invalid\n")); + DEBUGADD(0, ("idmap will be unable to map SIDs\n")); + return NT_STATUS_UNSUCCESSFUL; + } + if (low > id.uid || high < id.uid) { + DEBUG(0, ("uid not in range and idmap only is flase - not storing the mapping\n")); + return NT_STATUS_UNSUCCESSFUL; + } + } else if (id_type & ID_GROUPID) { + gid_t low, high; + if (!lp_idmap_gid(&low, &high)) { + DEBUG(0, ("idmap gid range missing or invalid\n")); + DEBUGADD(0, ("idmap will be unable to map SIDs\n")); + return NT_STATUS_UNSUCCESSFUL; + } + if (low > id.gid || high < id.gid) { + DEBUG(0, ("uid not in range and idmap only is flase - not storing the mapping\n")); + return NT_STATUS_UNSUCCESSFUL; + } + } else { + DEBUG(0, ("Wrong ID Type, mapping failed!")); + return NT_STATUS_UNSUCCESSFUL; + } + } + ret = local_map->set_mapping(sid, id, id_type); if (NT_STATUS_IS_ERR(ret)) { DEBUG (0, ("idmap_set_mapping: Error, unable to modify local cache!\n")); -- cgit From fc955b8c18f8ac12cb98d333b33013670397cb9b Mon Sep 17 00:00:00 2001 
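Review bot: in idmap_set_mapping the DEBUG message in the `ID_GROUPID` branch says `uid not in range` where it should say `gid`, both messages misspell `false` as `flase`, and the final `Wrong ID Type, mapping failed!` message is missing its trailing `\n`. On the logic: a mapping whose id lies outside the configured range is refused with `NT_STATUS_UNSUCCESSFUL`, the same status used for a missing or invalid range line, so callers cannot distinguish a configuration error from a deliberately rejected mapping; returning a more specific status for the range miss, and logging it below level 0 since it is expected behaviour rather than a fault, would help. Also note the checks are `id_type & ID_USERID` followed by `id_type & ID_GROUPID`, so a value with both bits set is silently treated as a uid.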
From: Simo Sorce Date: Sat, 26 Apr 2003 15:48:48 +0000 Subject: enhancements (This used to be commit ff051e9cf4b468aa9fe7e3f84483571d3d2de556) --- source3/sam/idmap_tdb.c | 32 +++++++++++++++++++++++++++----- 1 file changed, 27 insertions(+), 5 deletions(-) diff --git a/source3/sam/idmap_tdb.c b/source3/sam/idmap_tdb.c index a43f5824a1..27cf706e7d 100644 --- a/source3/sam/idmap_tdb.c +++ b/source3/sam/idmap_tdb.c @@ -211,7 +211,7 @@ idok: return ret; } -static NTSTATUS db_set_mapping(DOM_SID *sid, unid_t id, int id_type) +static NTSTATUS db_set_mapping(const DOM_SID *sid, unid_t id, int id_type) { TDB_DATA ksid, kid; fstring ksidstr; 
@@ -252,23 +252,45 @@ static NTSTATUS db_set_mapping(DOM_SID *sid, unid_t id, int id_type) static NTSTATUS db_idmap_init(void) { SMB_STRUCT_STAT stbuf; + char *tdbfile; + int32 version; - /* move to the new database on first startup */ + /* use the old database if present */ if (!file_exist(lock_path("idmap.tdb"), &stbuf)) { if (file_exist(lock_path("winbindd_idmap.tdb"), &stbuf)) { - DEBUG(0, ("idmap_init: winbindd_idmap.tdb is present and idmap.tdb is not!\nPlease RUN winbindd first to convert the db to the new format!\n")); - return NT_STATUS_UNSUCCESSFUL; + DEBUG(0, ("idmap_init: using winbindd_idmap.tdb file!\n")); + tdbfile = strdup(lock_path("winbindd_idmap.tdb")); + if (!tdbfile) { + DEBUG(0, ("idmap_init: out of memory!\n")); + return NT_STATUS_NO_MEMORY; + } + } + } else { + tdbfile = strdup(lock_path("idmap.tdb")); + if (!tdbfile) { + DEBUG(0, ("idmap_init: out of memory!\n")); + return NT_STATUS_NO_MEMORY; } } /* Open tdb cache */ - if (!(idmap_tdb = tdb_open_log(lock_path("idmap.tdb"), 0, + if (!(idmap_tdb = tdb_open_log(tdbfile, 0, TDB_DEFAULT, O_RDWR | O_CREAT, 0600))) { DEBUG(0, ("idmap_init: Unable to open idmap database\n")); + SAFE_FREE(tdbfile); return NT_STATUS_UNSUCCESSFUL; } + SAFE_FREE(tdbfile); + + /* check against earlier versions */ + version = tdb_fetch_int32(idmap_tdb, "IDMAP_VERSION"); + if (version != IDMAP_VERSION) { + DEBUG(0, ("idmap_init: Unable to open idmap database, it's in an old format!\n")); + return NT_STATUS_INTERNAL_DB_ERROR; + } + /* Create high water marks for group and user id */ if (tdb_fetch_int32(idmap_tdb, HWM_USER) == -1) { if (tdb_store_int32(idmap_tdb, HWM_USER, idmap_state.uid_low) == -1) { -- cgit From e82f3c4461bea78530003d7476bfe19e962521b4 Mon Sep 17 00:00:00 2001 
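Review bot: `tdbfile` is used uninitialised on one path in db_idmap_init: when neither idmap.tdb nor winbindd_idmap.tdb exists, the outer `if (!file_exist(lock_path("idmap.tdb"), &stbuf))` is taken, the inner `if (file_exist(lock_path("winbindd_idmap.tdb"), &stbuf))` is not, and `tdb_open_log(tdbfile, ...)` is then called with whatever was on the stack. That is exactly the first-start case the `O_CREAT` in the open is meant to handle. The `else` that sets `tdbfile = strdup(lock_path("idmap.tdb"))` must cover both "idmap.tdb exists" and "nothing exists", e.g. initialise `tdbfile = NULL`, set it to winbindd_idmap.tdb only when that file is found, and fall back to idmap.tdb whenever it is still NULL. Two further points: `tdb_fetch_int32(idmap_tdb, "IDMAP_VERSION")` returns -1 for an absent key, so a freshly created database will fail the `version != IDMAP_VERSION` check with `it's in an old format!` unless the version is written somewhere not visible in this hunk; and on that failure the tdb is left open (no `tdb_close`) before returning `NT_STATUS_INTERNAL_DB_ERROR`. Finally, using winbindd_idmap.tdb in place reverses the previous behaviour of refusing to start until winbindd had converted it; the commit message "enhancements" should say that and why the old file is now acceptable.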
From: Gerald Carter Date: Sat, 26 Apr 2003 16:18:39 +0000 Subject: round three of CIDR fixes; spotted by Tomoki AONO (This used to be commit 920958a392b41c23ecd4db3ca32ae90a2e09bff9) --- source3/lib/access.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/source3/lib/access.c b/source3/lib/access.c index 9d07893c2f..c30b3c33cc 100644 --- a/source3/lib/access.c +++ b/source3/lib/access.c @@ -34,6 +34,8 @@ static BOOL masked_match(const char *tok, const char *slash, const char *s) mask = interpret_addr(slash + 1); } else { mask = (uint32)((ALLONES >> atoi(slash + 1)) ^ ALLONES); + /* convert to network byte order */ + mask = htonl(mask); } if (net == INADDR_NONE || mask == INADDR_NONE) { @@ -41,9 +43,6 @@ static BOOL masked_match(const char *tok, const char *slash, const char *s) return (False); } - /* convert to network byte order */ - mask = htonl(mask); - return ((addr & mask) == net); } -- cgit From 013fa338a27eda32dac92882e4fcd39218d8285e Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sat, 26 Apr 2003 17:22:13 +0000 Subject: removing smbgroupedit manpage (This used to be commit 4a0c02d133af6ea6f1009b81067974d6ad4fb404) --- docs/docbook/Makefile.in | 2 +- docs/docbook/manpages/smbgroupedit.8.sgml | 229 --------------------- docs/htmldocs/smbgroupedit.8.html | 331 ------------------------------ docs/manpages/manpage.links | 0 docs/manpages/manpage.refs | 39 ---- docs/manpages/smbgroupedit.8 | 148 ------------- 6 files changed, 1 insertion(+), 748 deletions(-) delete mode 100644 docs/docbook/manpages/smbgroupedit.8.sgml delete mode 100644 docs/htmldocs/smbgroupedit.8.html delete mode 100644 docs/manpages/manpage.links delete mode 100644 docs/manpages/manpage.refs delete mode 100644 docs/manpages/smbgroupedit.8 diff --git a/docs/docbook/Makefile.in b/docs/docbook/Makefile.in index 0739f43f84..ce3d009f6c 100644 --- a/docs/docbook/Makefile.in +++ b/docs/docbook/Makefile.in 
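Review bot: the move is correct because `interpret_addr()` already returns the dotted-quad mask in network byte order, so the old placement byte-swapped that branch as well and on little-endian hosts a `hosts allow` entry written as `address/255.255.255.0` matched the wrong bits; only the computed CIDR mask needs `htonl()`. Two problems remain in the CIDR branch: the prefix from `atoi(slash + 1)` is never range-checked, and for `/32` the expression `ALLONES >> 32` is undefined behaviour on a 32-bit type (and if it happens to yield 0, the resulting all-ones mask equals `INADDR_NONE` and is rejected by the check just below, so `/32` entries cannot work), while `/0` yields a zero mask that matches every address. Since this is the access-control path for every incoming SMB connection, add an explicit check that the prefix is within 0..32 with 0 and 32 handled directly, and log rejected patterns. Given this is "round three", a small table of (pattern, address, expected) cases run through masked_match would prevent a round four.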
@@ -21,7 +21,7 @@ MANPAGES_NAMES=findsmb.1 smbclient.1 \ smbpasswd.8 testprns.1 \ smb.conf.5 wbinfo.1 pdbedit.8 \ smbcacls.1 smbsh.1 winbindd.8 \ - smbgroupedit.8 vfstest.1 \ + vfstest.1 \ profiles.1 smbtree.1 ntlm_auth.1 \ editreg.1 smbcquotas.1 diff --git a/docs/docbook/manpages/smbgroupedit.8.sgml b/docs/docbook/manpages/smbgroupedit.8.sgml deleted file mode 100644 index 6c489bb785..0000000000 --- a/docs/docbook/manpages/smbgroupedit.8.sgml +++ /dev/null 
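Review bot: the commit message says "removing smbgroupedit manpage", but the file list also deletes docs/manpages/manpage.links and docs/manpages/manpage.refs, which are not smbgroupedit files; if they are stale generated output, say so in the message, otherwise keep them out of this commit. The removed page is the one that walks through mapping a Unix group onto `Domain Admins` (look up the SID with `-vs`, map the group, verify the mapping), and nothing in this commit points readers at the replacement; the NT4Migration.sgml hunk earlier in this log already says `Use 'net groupmap' to connect NT4 groups to Unix groups`, so a pointer to net(8) and `net groupmap` in GROUP-MAPPING-HOWTO.sgml, or carrying that example over, would avoid leaving users of the old command with nothing.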
@@ -1,229 +0,0 @@ - - - - - smbgroupedit - 8 - - - - smbgroupedit - Query/set/change UNIX - Windows NT group mapping - - - - - smbroupedit - -v [l|s] - -a UNIX-groupname [-d NT-groupname|-p privilege|] - - - - - - - -DESCRIPTION - - -This program is part of the Samba -7 suite. - - -The smbgroupedit command allows for mapping unix groups -to NT Builtin, Domain, or Local groups. Also -allows setting privileges for that group, such as saAddUser, -etc. - - - - - - OPTIONS - - - - -v[l|s] - This option will list all groups available - in the Windows NT domain in which samba is operating. - - - - - -l - give a long listing, of the format: - - -"NT Group Name" - SID : - Unix group : - Group type : - Comment : - Privilege : - - -For example: - -Users - SID : S-1-5-32-545 - Unix group: -1 - Group type: Local group - Comment : - Privilege : No privilege - - - - - - - -s - display a short listing of the format: - - -NTGroupName(SID) -> UnixGroupName - - -For example: - -Users (S-1-5-32-545) -> -1 - - - - - - - - - - - - - - - -FILES - - - - - - - - - -EXIT STATUS - - -smbgroupedit returns a status of 0 if the -operation completed successfully, and a value of 1 in the event -of a failure. - - - - - - - - - - -EXAMPLES - - - -To make a subset of your samba PDC users members of -the 'Domain Admins' Global group: - - - - - create a unix group (usually in - /etc/group), let's call it domadm. - - - add to this group the users that you want to be - domain administrators. 
For example if you want joe, john and mary, - your entry in /etc/group will look like: - - - domadm:x:502:joe,john,mary - - - map this domadm group to the 'domain admins' group: - - Get the SID for the Windows NT "Domain Admins" group: - -root# smbgroupedit -vs | grep "Domain Admins" -Domain Admins (S-1-5-21-1108995562-3116817432-1375597819-512) -> -1 - - - map the unix domadm group to the Windows NT - "Domain Admins" group, by running the command: - -root# smbgroupedit \ --c S-1-5-21-1108995562-3116817432-1375597819-512 \ --u domadm -td - - - warning: don't copy and paste this sample, the - Domain Admins SID (the S-1-5-21-...-512) is different for every PDC. - - - - - - -To verify that your mapping has taken effect: - -root# smbgroupedit -vs|grep "Domain Admins" -Domain Admins (S-1-5-21-1108995562-3116817432-1375597819-512) -> domadm - - -To give access to a certain directory on a domain member machine (an -NT/W2K or a samba server running winbind) to some users who are member -of a group on your samba PDC, flag that group as a domain group: - -root# smbgroupedit -a unixgroup -td - - - - - - -VERSION - - -This man page is correct for the 3.0alpha releases of -the Samba suite. - - - - -SEE ALSO - - -smb.conf -5 - - - - - -AUTHOR - - -The original Samba software and related utilities -were created by Andrew Tridgell. Samba is now developed -by the Samba Team as an Open Source project similar -to the way the Linux kernel is developed. - - - -smbgroupedit was written by Jean Francois Micouleau. -The current set of manpages and documentation is maintained -by the Samba Team in the same fashion as the Samba source code. The conversion -to DocBook XML 4.2 for Samba 3.0 was done by Alexander Bokovoy. - - - diff --git a/docs/htmldocs/smbgroupedit.8.html b/docs/htmldocs/smbgroupedit.8.html deleted file mode 100644 index 32e00315b4..0000000000 --- a/docs/htmldocs/smbgroupedit.8.html +++ /dev/null @@ -1,331 +0,0 @@ - -smbgroupedit

smbgroupedit

Name

smbgroupedit -- Query/set/change UNIX - Windows NT group mapping

Synopsis

smbroupedit [-v [l|s]] [-a UNIX-groupname [-d NT-groupname|-p privilege|]]

DESCRIPTION

This program is part of the Samba(7) suite.

The smbgroupedit command allows for mapping unix groups -to NT Builtin, Domain, or Local groups. Also -allows setting privileges for that group, such as saAddUser, -etc.

OPTIONS

-v[l|s]

This option will list all groups available - in the Windows NT domain in which samba is operating. -

-l

give a long listing, of the format:

"NT Group Name"
-    SID            :
-    Unix group     :
-    Group type     :
-    Comment        :
-    Privilege      :

For example: -

Users
-    SID       : S-1-5-32-545
-    Unix group: -1
-    Group type: Local group
-    Comment   :
-    Privilege : No privilege

-s

display a short listing of the format:

NTGroupName(SID) -> UnixGroupName

For example: -

Users (S-1-5-32-545) -> -1

FILES

EXIT STATUS

smbgroupedit returns a status of 0 if the -operation completed successfully, and a value of 1 in the event -of a failure.

EXAMPLES

To make a subset of your samba PDC users members of -the 'Domain Admins' Global group:

  1. create a unix group (usually in - /etc/group), let's call it domadm. -

  2. add to this group the users that you want to be - domain administrators. For example if you want joe, john and mary, - your entry in /etc/group will look like: -

    domadm:x:502:joe,john,mary

  3. map this domadm group to the 'domain admins' group:

    1. Get the SID for the Windows NT "Domain Admins" group:

      root# smbgroupedit -vs | grep "Domain Admins"
      -Domain Admins (S-1-5-21-1108995562-3116817432-1375597819-512) -> -1

    2. map the unix domadm group to the Windows NT - "Domain Admins" group, by running the command: -

      root# smbgroupedit \
      --c S-1-5-21-1108995562-3116817432-1375597819-512 \
      --u domadm -td

      warning: don't copy and paste this sample, the - Domain Admins SID (the S-1-5-21-...-512) is different for every PDC. -

To verify that your mapping has taken effect: -

root# smbgroupedit -vs|grep "Domain Admins"
-Domain Admins (S-1-5-21-1108995562-3116817432-1375597819-512) -> domadm

To give access to a certain directory on a domain member machine (an -NT/W2K or a samba server running winbind) to some users who are member -of a group on your samba PDC, flag that group as a domain group: -

root# smbgroupedit -a unixgroup -td

VERSION

This man page is correct for the 3.0alpha releases of -the Samba suite.

SEE ALSO

smb.conf(5)

AUTHOR

The original Samba software and related utilities -were created by Andrew Tridgell. Samba is now developed -by the Samba Team as an Open Source project similar -to the way the Linux kernel is developed.

smbgroupedit was written by Jean Francois Micouleau. -The current set of manpages and documentation is maintained -by the Samba Team in the same fashion as the Samba source code. The conversion -to DocBook XML 4.2 for Samba 3.0 was done by Alexander Bokovoy.

\ No newline at end of file diff --git a/docs/manpages/manpage.links b/docs/manpages/manpage.links deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/docs/manpages/manpage.refs b/docs/manpages/manpage.refs deleted file mode 100644 index 81323bebe1..0000000000 --- a/docs/manpages/manpage.refs +++ /dev/null @@ -1,39 +0,0 @@ -{ - '' => '', - 'refentry:SMBGROUPEDIT.8' => 'smbgroupedit(8)', - 'refentry:NET.8' => 'net(8)', - 'refentry:SAMBA.7' => 'samba(7)', - 'refentry:SMBSTATUS.1' => 'smbstatus(1)', - 'refentry:SMBCACLS.1' => 'smbcacls(1)', - 'refentry:WBINFO.1' => 'wbinfo(1)', - 'refentry:NTLM-AUTH.1' => 'ntlm_auth(1)', - 'refentry:SMBPASSWD.8' => 'smbpasswd(8)', - 'refentry:SMB.CONF.5' => 'smb.conf(5)', - 'refentry:FINDSMB.1' => 'findsmb(1)', - 'refentry:SMBCONTROL.1' => 'smbcontrol(1)', - 'refentry:TESTPRNS.1' => 'testprns(1)', - 'refentry:SMBPASSWD.5' => 'smbpasswd(5)', - 'refentry:SMBD.8' => 'smbd(8)', - 'refentry:SMBTREE.1' => 'smbtree(1)', - 'refentry:EDITREG.1' => 'editreg(1)', - 'refentry:SMBCLIENT.1' => 'smbclient(1)', - 'refentry:WINBINDD.8' => 'winbindd(8)', - 'refentry:NMBLOOKUP' => 'nmblookup(1)', - 'refentry:SMBMOUNT.8' => 'smbmount(8)', - 'refentry:SMBCQUOTAS.1' => 'smbcquotas(1)', - 'refentry:PDBEDIT.8' => 'pdbedit(8)', - 'refentry:NTLM_AUTH.1' => 'ntlm_auth(1)', - 'refentry:SWAT.8' => 'swat(8)', - 'refentry:PROFILES.1' => 'profiles(1)', - 'refentry:LMHOSTS.5' => 'lmhosts(5)', - 'refentry:SMBMNT.8' => 'smbmnt(8)', - 'refentry:SMBSH.1' => 'smbsh(1)', - 'refentry:SMBSPOOL.8' => 'smbspool(8)', - 'refentry:RPCCLIENT.1' => 'rpcclient(1)', - 'refentry:VFSTEST.1' => 'vfstest(1)', - 'refentry:NMBD.8' => 'nmbd(8)', - 'refentry:TESTPARM.1' => 'testparm(1)', - 'refentry:SMBUMOUNT.8' => 'smbumount(8)', - 'refentry:SMBTAR.1' => 'smbtar(1)', - '' => '' -} diff --git a/docs/manpages/smbgroupedit.8 b/docs/manpages/smbgroupedit.8 deleted file mode 100644 index cd6a79acb1..0000000000 --- a/docs/manpages/smbgroupedit.8 +++ /dev/null 
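Review bot: The manpage.refs hunk deletes the whole cross-reference table, not only the 'refentry:SMBGROUPEDIT.8' entry this commit retires; if the file is a docbook2man artifact that is fine, but it then needs to be regenerated rather than left deleted, otherwise every other page's references (net(8), smb.conf(5), winbindd(8), ...) lose their targets. When regenerating, note the removed table also carried two keys for the same page ('refentry:NTLM-AUTH.1' and 'refentry:NTLM_AUTH.1' => 'ntlm_auth(1)'), one key without a section number ('refentry:NMBLOOKUP' => 'nmblookup(1)'), and a duplicated empty '' => '' entry, which points at inconsistent refentry ids in the source documents.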
@@ -1,148 +0,0 @@ -.\" This manpage has been automatically generated by docbook2man -.\" from a DocBook document. This tool can be found at: -.\" -.\" Please send any bug reports, improvements, comments, patches, -.\" etc. to Steve Cheng . -.TH "SMBGROUPEDIT" "8" "19 april 2003" "" "" - -.SH NAME -smbgroupedit \- Query/set/change UNIX - Windows NT group mapping -.SH SYNOPSIS - -\fBsmbroupedit\fR [ \fB-v [l|s]\fR ] [ \fB-a UNIX-groupname [-d NT-groupname|-p privilege|]\fR ] - -.SH "DESCRIPTION" -.PP -This program is part of the \fBSamba\fR(7) suite. -.PP -The smbgroupedit command allows for mapping unix groups -to NT Builtin, Domain, or Local groups. Also -allows setting privileges for that group, such as saAddUser, -etc. -.SH "OPTIONS" -.TP -\fB-v[l|s]\fR -This option will list all groups available -in the Windows NT domain in which samba is operating. -.RS -.TP -\fB-l\fR -give a long listing, of the format: - - -.nf -"NT Group Name" - SID : - Unix group : - Group type : - Comment : - Privilege : -.fi - -For example: - -.nf -Users - SID : S-1-5-32-545 - Unix group: -1 - Group type: Local group - Comment : - Privilege : No privilege -.fi -.TP -\fB-s\fR -display a short listing of the format: - - -.nf -NTGroupName(SID) -> UnixGroupName -.fi - -For example: - -.nf -Users (S-1-5-32-545) -> -1 -.fi -.RE -.SH "FILES" -.PP -.SH "EXIT STATUS" -.PP -\fBsmbgroupedit\fR returns a status of 0 if the -operation completed successfully, and a value of 1 in the event -of a failure. -.SH "EXAMPLES" -.PP -To make a subset of your samba PDC users members of -the 'Domain Admins' Global group: -.TP 3 -1. -create a unix group (usually in -\fI/etc/group\fR), let's call it domadm. -.TP 3 -2. -add to this group the users that you want to be -domain administrators. For example if you want joe, john and mary, -your entry in \fI/etc/group\fR will look like: - -domadm:x:502:joe,john,mary -.TP 3 -3. -map this domadm group to the 'domain admins' group: -.RS -.TP 3 -1. 
-Get the SID for the Windows NT "Domain Admins" group: - - -.nf -root# \fBsmbgroupedit -vs | grep "Domain Admins"\fR -Domain Admins (S-1-5-21-1108995562-3116817432-1375597819-512) -> -1 -.fi -.TP 3 -2. -map the unix domadm group to the Windows NT -"Domain Admins" group, by running the command: - -.nf -root# \fBsmbgroupedit \\ --c S-1-5-21-1108995562-3116817432-1375597819-512 \\ --u domadm -td\fR -.fi - -\fBwarning:\fR don't copy and paste this sample, the -Domain Admins SID (the S-1-5-21-...-512) is different for every PDC. -.RE -.PP -To verify that your mapping has taken effect: - -.nf -root# \fBsmbgroupedit -vs|grep "Domain Admins"\fR -Domain Admins (S-1-5-21-1108995562-3116817432-1375597819-512) -> domadm -.fi -.PP -To give access to a certain directory on a domain member machine (an -NT/W2K or a samba server running winbind) to some users who are member -of a group on your samba PDC, flag that group as a domain group: - -.nf -root# \fBsmbgroupedit -a unixgroup -td\fR -.fi -.SH "VERSION" -.PP -This man page is correct for the 3.0alpha releases of -the Samba suite. -.SH "SEE ALSO" -.PP -\fBsmb.conf\fR(5) -.SH "AUTHOR" -.PP -The original Samba software and related utilities -were created by Andrew Tridgell. Samba is now developed -by the Samba Team as an Open Source project similar -to the way the Linux kernel is developed. -.PP -\fBsmbgroupedit\fR was written by Jean Francois Micouleau. -The current set of manpages and documentation is maintained -by the Samba Team in the same fashion as the Samba source code. The conversion -to DocBook XML 4.2 for Samba 3.0 was done by Alexander Bokovoy. -- cgit From ca42a64f9b2bca475cc77c8fd08d54c397c311eb Mon Sep 17 00:00:00 2001 
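Review bot: Deleting smbgroupedit.8 removes the only text in this commit that documents the group-mapping procedure (find the "Domain Admins" SID with `smbgroupedit -vs | grep "Domain Admins"`, map it with `-c <SID> -u domadm -td`, and the warning that the S-1-5-21-...-512 SID differs on every PDC); nothing in the commit adds a replacement, so either the commit message should say where that procedure now lives or the EXAMPLES text should move there. Two defects in the removed page should not be carried over to whatever replaces it: the SYNOPSIS spelled the command `smbroupedit`, and `-a`, `-c`, `-u` and `-td` appeared only in EXAMPLES and were never listed under OPTIONS (the same holds for the deleted .sgml source and the generated .html).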
From: John Terpstra Date: Sat, 26 Apr 2003 18:42:17 +0000 Subject: Added tdbbackup man page. (This used to be commit b217373ba8fc167efc8e68b6db1a9e51e670b12a) --- docs/docbook/global.ent | 1 + docs/docbook/manpages/tdbbackup.8.sgml | 130 +++++++++++++++++++++++++++++++++ 2 files changed, 131 insertions(+) create mode 100644 docs/docbook/manpages/tdbbackup.8.sgml diff --git a/docs/docbook/global.ent b/docs/docbook/global.ent index 2933602e60..efe33c4ff9 100644 --- a/docs/docbook/global.ent +++ b/docs/docbook/global.ent @@ -442,6 +442,7 @@ an Active Directory environment. + diff --git a/docs/docbook/manpages/tdbbackup.8.sgml b/docs/docbook/manpages/tdbbackup.8.sgml new file mode 100644 index 0000000000..25b2c27aef --- /dev/null +++ b/docs/docbook/manpages/tdbbackup.8.sgml 
@@ -0,0 +1,130 @@ + %globalentities; +]> + + + + tdbbackup + 1 + + + + + tdbbackup + tool for backing up and for validating the integrity of samba .tdb files + + + + + tdbbackup + -s suffix + -v + -h + + + + + DESCRIPTION + + This tool is part of the Samba + 1 suite. + + tdbbackup is a tool that may be used to backup samba .tdb + files. This tool may also be used to verify the integrity of the .tdb files prior + to samba startup, in which case, if it find file damage and it finds a prior backup + it will restore the backup file. + + + + + + OPTIONS + + + + + -s suffix + + The -s option allows the adminisistrator to specify a file + backup extension. This way it is possible to keep a history of tdb backup + files by using a new suffix for each backup. + + + + &stdarg.help; + + + -v + + The -v will check the database for damages (currupt data) + which if detected causes the backup to be restored. + + + + &popt.common.samba; + + + + + + + COMMANDS + + GENERAL INFORMATION + + + The tdbbackup utility should be run as soon as samba has shut down. + Do NOT run this command on a live database. Typical usage for the command will be: + + + tdbbackup [-s suffix] *.tdb + + + Before restarting samba the following command may be run to validate .tdb files: + + + tdbbackup -v [-s suffix] *.tdb + + + Samba .tdb files are stored in various locations, be sure to run backup all + .tdb file on the system. Imporatant files includes: + + + + secrets.tdb - usual location is in the /usr/local/samba/private + directory, or on some systems in /etc/samba. + + + + passdb.tdb - usual location is in the /usr/local/samba/private + directory, or on some systems in /etc/samba. + + + + *.tdb located in the /usr/local/samba/var directory or on some + systems in the /var/cache or /var/lib/samba directories. + + + + + + + + VERSION + + This man page is correct for version 3.0 of the Samba suite. + + + + AUTHOR + + + The original Samba software and related utilities were created by Andrew Tridgell. 
+ Samba is now developed by the Samba Team as an Open Source project similar to the way + the Linux kernel is developed. + + + The tdbbackup man page was written by John H Terpstra. + + + -- cgit
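Review bot: The refmeta in the new tdbbackup.8.sgml gives manvolnum 1 while the file is tdbbackup.8.sgml, and the DESCRIPTION reads "part of the Samba 1 suite" where the other pages in this tree refer to samba(7) (compare the removed smbgroupedit page: "part of the Samba(7) suite"); change these to 8 and 7. The GENERAL INFORMATION text lists secrets.tdb and passdb.tdb in /usr/local/samba/private as files to back up but says nothing about the copies written with `-s suffix`: add a sentence that backup files must keep the same restrictive ownership and mode as the originals in the private directory and must not be left in a more widely readable location, since the documented workflow keeps a history of them. Smaller points: the heading "COMMANDS" wraps content that is general usage, not commands; the `-v` description should state plainly that a corrupt file is replaced by the prior backup automatically, since that is what the DESCRIPTION says and an operator needs to know before running it; and typos "adminisistrator", "currupt", "if it find file damage", "Imporatant files includes" (should be "Important files include") and "all .tdb file" (should be "files").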