summaryrefslogtreecommitdiffstats
path: root/source3/groupdb
Commit message (Collapse)AuthorAgeFilesLines
* r15101: Little step towards getting Samba4 tdb into 3: tdb_lock_bystring ↵Volker Lendecke2007-10-101-1/+1
| | | | | | | | | | does not have the timeout argument in Samba4. Add a new routine tdb_lock_bystring_with_timeout. Volker (This used to be commit b9c6e3f55602fa505859a4b2cd137b74105d685f)
* r14634: Many bug fixes thanks to train rides and overnight stays in airportsGerald Carter2007-10-101-0/+1
| | | | | | | | | | | | | | | | | | | * Finally fix parsing idmap uid/gid ranges not to break with spaces surrounding the '-' * Allow local groups to renamed by adding info level 2 to _samr_set_aliasinfo() * Fix parsing bug in _samr_del_dom_alias() reply * Prevent root from being deleted via Samba * Prevent builting groups from being renamed or deleted * Fix bug in pdb_tdb that broke renaming user accounts * Make sure winbindd is running when trying to create the Administrators and Users BUILTIN groups automatically from smbd (and not just check the winbind nexted groups parameter value). * Have the top level rid allocator verify that the RID it is about to grant is not already assigned in our own SAM (retries up to 250 times). This fixes passdb with existing SIDs assigned to users from the RID algorithm but not monotonically allocating the RIDs from passdb. (This used to be commit db1162241f79c2af8afb7d8c26e8ed1c4a4b476f)
* r14457: Add a few more special cases for RID 513 in the samr code.Gerald Carter2007-10-101-1/+17
| | | | | | | Now that I know what all the requirements for this group are I can generalize the code some more and make it cleaner. But at least this is working with lusrmgr.msc on XP and 2k now. (This used to be commit d2c1842978cd50485849bfc4fb6d94767d96cab0)
* r14403: * modifies create_local_nt_token() to create a BUILTIN\AdministratorsGerald Carter2007-10-101-52/+102
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes' * Add a SID domain to the group mapping enumeration passdb call to fix the checks for local and builtin groups. The SID can be NULL if you want the old semantics for internal maintenance. I only updated the tdb group mapping code. * remove any group mapping from the tdb that have a gid of -1 for better consistency with pdb_ldap.c. The fixes the problem with calling add_group_map() in the tdb code for unmapped groups which might have had a record present. * Ensure that we distinguish between groups in the BUILTIN and local machine domains via getgrnam() Other wise BUILTIN\Administrators & SERVER\Administrators would resolve to the same gid. * Doesn't strip the global_sam_name() from groups in the local machine's domain (this is required to work with 'winbind default domain' code) Still todo. * Fix fallback Administrators membership for root and domain Admins if nested groups = no or winbindd is not running * issues with "su - user -c 'groups'" command * There are a few outstanding issues with BUILTIN\Users that Windows apparently tends to assume. I worked around this presently with a manual group mapping but I do not think this is a good solution. So I'll probably add some similar as I did for Administrators. (This used to be commit 612979476aef62e8e8eef632fa6be7d30282bb83)
* r13955: Fix Coverity ID 139.Volker Lendecke2007-10-101-1/+1
| | | | | | | | Not a bug in the strictest sense, more a clarification. This whole routine assumes new_gid != NULL anyway, so there's no point in checking. Volker (This used to be commit dfbf09c772b9588271e2d8e053c7494bb087c544)
* r13915: Fixed a very interesting class of realloc() bugs found by Coverity.Jeremy Allison2007-10-101-5/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | realloc can return NULL in one of two cases - (1) the realloc failed, (2) realloc succeeded but the new size requested was zero, in which case this is identical to a free() call. The error paths dealing with these two cases should be different, but mostly weren't. Secondly the standard idiom for dealing with realloc when you know the new size is non-zero is the following : tmp = realloc(p, size); if (!tmp) { SAFE_FREE(p); return error; } else { p = tmp; } However, there were *many* *many* places in Samba where we were using the old (broken) idiom of : p = realloc(p, size) if (!p) { return error; } which will leak the memory pointed to by p on realloc fail. This commit (hopefully) fixes all these cases by moving to a standard idiom of : p = SMB_REALLOC(p, size) if (!p) { return error; } Where if the realloc returns null due to the realloc failing or size == 0 we *guarentee* that the storage pointed to by p has been freed. This allows me to remove a lot of code that was dealing with the standard (more verbose) method that required a tmp pointer. This is almost always what you want. When a realloc fails you never usually want the old memory, you want to free it and get into your error processing asap. For the 11 remaining cases where we really do need to keep the old pointer I have invented the new macro SMB_REALLOC_KEEP_OLD_ON_ERROR, which can be used as follows : tmp = SMB_REALLOC_KEEP_OLD_ON_ERROR(p, size); if (!tmp) { SAFE_FREE(p); return error; } else { p = tmp; } SMB_REALLOC_KEEP_OLD_ON_ERROR guarentees never to free the pointer p, even on size == 0 or realloc fail. All this is done by a hidden extra argument to Realloc(), BOOL free_old_on_error which is set appropriately by the SMB_REALLOC and SMB_REALLOC_KEEP_OLD_ON_ERROR macros (and their array counterparts). It remains to be seen what this will do to our Coverity bug count :-). Jeremy. (This used to be commit 1d710d06a214f3f1740e80e0bffd6aab44aac2b0)
* r13571: Replace all calls to talloc_free() with thye TALLOC_FREE()Gerald Carter2007-10-101-1/+1
| | | | | macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
* r13494: Merge the stuff I've done in head the last days.Volker Lendecke2007-10-101-9/+8
| | | | | Volker (This used to be commit bb40e544de68f01a6e774753f508e69373b39899)
* r13316: Let the carnage begin....Gerald Carter2007-10-101-105/+90
| | | | | Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
* r12438: Remove an unused functionVolker Lendecke2007-10-101-28/+0
| | | | (This used to be commit 561e351d25b58fda4b050525aa03d18e4d88cc6c)
* r12185: Cosmetic cleanupVolker Lendecke2007-10-101-32/+3
| | | | (This used to be commit d1e8f9afffecf986a428bfac29b22dcbce610016)
* r12182: Cosmetic cleanupVolker Lendecke2007-10-101-35/+25
| | | | (This used to be commit 81c358b511457fbc6304845acb4bfbf1b4adf062)
* r12051: Merge across the lookup_name and lookup_sid work. Lets see how the ↵Volker Lendecke2007-10-101-2/+13
| | | | | | | | | build farm reacts :-) Volker (This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7)
* r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4Jeremy Allison2007-10-101-32/+32
| | | | | | x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
* r10656: BIG merge from trunk. Features not copied overGerald Carter2007-10-101-16/+44
| | | | | | | | * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
* r7130: remove 'winbind enable local accounts' code from the 3.0 treeGerald Carter2007-10-101-37/+1
| | | | (This used to be commit 318c3db4cb1c85be40b2f812f781bcf5f1da5c19)
* r6769: Fix bugzilla #2538 and #2527. Unused variables found by Jason Mader.Tim Potter2007-10-101-4/+2
| | | | (This used to be commit 68b1c1f533e5c91634f5da21659c8e5793cb77f7)
* r6351: This is quite a large and intrusive patch, but there are not many ↵Volker Lendecke2007-10-101-47/+0
| | | | | | | | | | | | | | | | | pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
* r6263: Get rid of generate_wellknown_sids, they are const static and ↵Volker Lendecke2007-10-101-2/+0
| | | | | | | | | initializable statically. Volker (This used to be commit 3493d9f383567d286e69c0e60c0708ed400a04d9)
* r6225: get rid of warnings from my compiler about nested externsHerb Lewis2007-10-101-2/+2
| | | | (This used to be commit efea76ac71412f8622cd233912309e91b9ea52da)
* r6092: This much const causes the compiler on Fedora Core 2Jeremy Allison2007-10-101-1/+1
| | | | | | to throw up. Jeremy. (This used to be commit 051f0ed8075a3616484888ab22d68ca11aa1dd36)
* r6080: Port some of the non-critical changes from HEAD to 3_0. The main one ↵Volker Lendecke2007-10-101-5/+36
| | | | | | | | | is the change in pdb_enum_alias_memberships to match samr.idl a bit closer. Volker (This used to be commit 3a6786516957d9f67af6d53a3167c88aa272972f)
* r5647: Caches are good for performance, but you get a consistency problem.Volker Lendecke2007-10-101-0/+2
| | | | | | | Fix bug # 2401. Volker (This used to be commit eb4ef94f244d28fe531d0b9f724a66ed3834b687)
* r5264: Log with loglevel 0 when account-administration scripts fail.Günther Deschner2007-10-101-5/+5
| | | | | Guenther (This used to be commit 3d391ef149639750db376b05528a27422f8a3321)
* r4724: Add support for Windows privileges in Samba 3.0Gerald Carter2007-10-101-12/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
* r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison2007-10-101-4/+4
| | | | | | | | | | allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
* r3566: Completely replace the queryuseraliases call. The previous ↵Volker Lendecke2007-10-101-10/+25
| | | | | | | | | | | | | | | implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
* r3561: Since we have tdb_reopen_all() after all forks, the local_pid logic ↵Volker Lendecke2007-10-101-4/+1
| | | | | | | | | | | | is not correct anymore. If we actually open the tdb before the fork, we end up opening the tdb twice. Jerry, jra, this also happens in the locking and printing subsystems. You might want to check it there (not that it actually happens right now, but this gave me some confusion lately...). Volker (This used to be commit 40cad9dcc14ddec0ce74bb9010d13bd82e4d10af)
* r2865: Add static and remove unused functions that only cload the blame-gameAndrew Bartlett2007-10-101-122/+0
| | | | | | | | in finding out who is causing the massive performance problems with large LDAP directories. Andrew Bartlett (This used to be commit f16ed2616a67c412bc9b78354a5faf673e64cf42)
* r2753: Workaround for the (rather broken) _samr_query_useraliases rpc-call.Günther Deschner2007-10-101-14/+1
| | | | | | | | | | | | | | | _samr_query_useraliases shows up with all kind of very weird memberships (global-groups, machine-accounts, etc.). Sometimes even if there is no alias-membership at all. One of the biggest mistakes is to convert any unix-group the user is a member of, into an alias by default in get_group_from_gid. get_alias_user_groups should be rewritten to use pdb_enum_alias_memberships. Guenther (This used to be commit 73ab2d2a74d3992167d9304dd41f60ad0805dd67)
* r116: volker's patch for local group and group nestingGerald Carter2007-10-101-1/+459
| | | | (This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
* r39: * importing .cvsignore filesGerald Carter2007-10-101-2/+0
| | | | | * updateing WHATSNEW with vl's change (This used to be commit a7e2730ec4389e0c249886a8bfe1ee14c5abac41)
* Fix to debug message lacking termination with '\n'.Rafal Szczesniak2004-03-091-12/+12
| | | | | rafal (This used to be commit 2a7dd469430459d124cb48d516b82766a2a249bc)
* When creating a group via a script, don't let winbind do it as well.Volker Lendecke2004-02-171-3/+1
| | | | | Volker (This used to be commit 6a229f1488c2f0935c24e223614e4c88b36d15c0)
* Fix memleak just introduced. Thanks to abartlet :-)Volker Lendecke2004-01-251-0/+1
| | | | | Volker (This used to be commit be485eea81c6bab8067642c26e41a14652ce7ee6)
* On my SuSE 8.2 (glibc 2.3.2) the getpwnam inside pdb_getsampwnam resetVolker Lendecke2004-01-251-30/+43
| | | | | | | | the surrounding getpwent loop to the first entry. So smbd went into an endless loop. Volker (This used to be commit 1797b16fadd61ef1f30a1be950e3afe7a2e1d791)
* JHT came up with a nasty (broken) torture case in preparing examples forAndrew Bartlett2004-01-021-28/+63
| | | | | | | | | | | | | his book. This prompted me to look at the code that reads the unix group list. This code did a lot of name -> uid -> name -> sid translations, which caused problems. Instead, we now do just name->sid I also cleaned up some interfaces, and client tools. Andrew Bartlett (This used to be commit f9e59f8bc06fae7e5c8cb0980947f78942dc25c0)
* more group lookup access fixes on the neverending bug 281Gerald Carter2003-12-101-5/+23
| | | | (This used to be commit 9359a6ea80d1228e87ea825a100a2d289c37162d)
* * fix RemoveSidForeignDomain() ; bug 252Gerald Carter2003-12-041-14/+16
| | | | | | | | * don't fall back to unmapped UNIX group for get_local_group_from_sid() * remove an extra become/unbecome_root() pair from group enumeration (This used to be commit da12bbdb0dd9179b1ed457fa009679e2da4a8440)
* more access fixes for group enumeration in LDAP; bug 281Gerald Carter2003-11-241-1/+7
| | | | (This used to be commit 68283407e0f366d8315f4be6caed67eb6fe84b85)
* Fix syntax error!Tim Potter2003-08-151-1/+1
| | | | (This used to be commit cd0b6f74baa01dbe43c29cdadf1505083cdc878f)
* fix compile warnings on IRIXGerald Carter2003-08-151-5/+29
| | | | (This used to be commit b9779ba590a62acac12fa268c0e9dbe054176ae4)
* Fixup a bunch of printf-style functions and debugs to use unsigned long whenTim Potter2003-07-221-1/+1
| | | | | | | displaying pid_t, uid_t and gid_t values. This removes a whole lot of warnings on some of the 64-bit build farm machines as well as help us out when 64-bit uid/gid/pid values come along. (This used to be commit f93528ba007c8800a850678f35f499fb7360fb9a)
* fixes for 'net rpc vampire'. I can now take a blank Samba hostGerald Carter2003-07-161-18/+14
| | | | | | | | | | | | and migrate an NT4 domain and still logon from domain members (tested logon scripts, system policies, profiles, & home directories) (passdb backend = tdbsam) removed call to idmap_init_wellknown_sids() from winbindd.c since the local domain should be handled by the guest passdb backend (and you don't really always want the Administrator account to be root) ...and we didn't pay attention to this anyways now. (This used to be commit 837d7c54d3ca780160aa0d6a2f0a109bb691948e)
* We should report if a group mapping fails. This should fix bug#225.Volker Lendecke2003-07-151-3/+1
| | | | | | | | | | Jerry, this is assigned to you. Do you want to answer it? However, we have to decide what to do if a mapping is to be done for a unix group not in LDAP.... Volker (This used to be commit bf449d467cfe4987df17010490a16ab0472c0803)
* moving more code around.Gerald Carter2003-07-111-4/+2
| | | | | | | | | | | | | | | | | | * move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
* Large set of changes to add UNIX account/group managementGerald Carter2003-07-091-56/+121
| | | | | to winbindd. See README.idmap-and-winbind-changes for details. (This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6)
* Fix memleak in groupdb. Spotted by MetzeAlexander Bokovoy2003-07-041-1/+1
| | | | (This used to be commit 5280c6953195c2664628ecaab59ea82b4863e8f7)
* Ok, this patch removes the privilege stuff we had in, unused, for some time.Simo Sorce2003-06-181-510/+47
| | | | | | | | | | | | | | The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
* And some more memory leaks in mapping.c and pdb_tdb.c. tdb_nextkeyVolker Lendecke2003-06-181-0/+2
| | | | | | | mallocs its key, so we should free it after use. Volker (This used to be commit 9750799ba2e1aaa59fa255f23880c9c618195c3d)