path: root/source/smbd/uid.c
Commit message | Author | Age | Files | Lines
* RIP BOOL. Convert BOOL -> bool. I found a few interesting | Jeremy Allison | 2007-10-18 | 1 | -10/+10
  bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy.
* r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text | Andrew Tridgell | 2007-10-10 | 1 | -2/+1
* r23779: Change from v2 or later to v3 or later. | Jeremy Allison | 2007-10-10 | 1 | -1/+1
  Jeremy.
* r22978: Don't use current_user to prep the security ctx in change_to_user | Gerald Carter | 2007-10-10 | 1 | -7/+15
  since any SID/uid/gid translation calls will reset the struct when popping the security ctx. This should fix the standalone server configuration issues reported by David Rankin (thanks for the logs).
* r17295: Back out the become_root_uid_only change on the POSIX | Jeremy Allison | 2007-10-10 | 1 | -1/+0
  acls code. I'm pretty sure this was safe, but become_root() does other things to the token stack that become_root_uid_only() does not, and as we're going into a vfs redirected function I decided it wasn't safe for now. Jeremy.
* r17096: Simplify share_access_check a bit: It takes the sharename instead of | Volker Lendecke | 2007-10-10 | 1 | -2/+7
  the snum, and the decision which token to use (conn or vuser) does not really belong here, it is better done in the two places where this is called. Volker
* r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need | Jeremy Allison | 2007-10-10 | 1 | -2/+2
  to do the upper layer directories but this is what everyone is waiting for.... Jeremy.
* r13571: Replace all calls to talloc_free() with the TALLOC_FREE() | Gerald Carter | 2007-10-10 | 1 | -2/+2
  macro which sets the freed pointer to NULL.
* r13316: Let the carnage begin.... | Gerald Carter | 2007-10-10 | 1 | -91/+40
  Sync with trunk as of r13315
* r13293: Rather a big patch I'm afraid, but this should fix bug #3347 | Jeremy Allison | 2007-10-10 | 1 | -15/+15
  by saving the UNIX token used to set a delete on close flag, and using it when doing the delete. libsmbsharemodes.so still needs updating to cope with this change. Samba4 torture tests to follow. Jeremy.
* r12916: use rpcstr_pull() instead of unistr_to_ascii() when validating share | Gerald Carter | 2007-10-10 | 1 | -1/+1
  names
* r12312: Reformatting and a trivial change: is_share_read_only_for_user only uses | Volker Lendecke | 2007-10-10 | 1 | -14/+22
  conn->service, so there's no point in passing down the whole conn struct. Volker
* r6385: Convert checking of egid and secondary egid list into | Jeremy Allison | 2007-10-10 | 1 | -0/+23
  iterator functions so it can be used easily in a for loop. Drops duplicated code from posix_acls.c Jeremy.
* r2016: Add message to ease access-control-debugging. | Günther Deschner | 2007-10-10 | 1 | -0/+1
  Guenther
* r1375: When setting writable=yes in smb.conf and only allow read access in the | Volker Lendecke | 2007-10-10 | 1 | -0/+7
  security descriptor, allow read access. The code failed in this case. Jeremy, could you please cross-check this? The way I understood your code it could only work if smb.conf and secdesc said the same. This made the use of srvmgr a bit difficult.... What was your intention on how to use the share_info.tdb? The current code might check the secdesc twice, but I don't see any decent way around it that does not completely clutter the code. Volker
* r762: Fix for #1319 when security > share. | Jeremy Allison | 2007-10-10 | 1 | -2/+8
  Jeremy.
* Fixup the 'multiple-vuids' bugs. | Jeremy Allison | 2004-02-13 | 1 | -12/+76
  Jeremy.
* nsswitch/winbindd_util.c: | Andrew Bartlett | 2004-02-08 | 1 | -11/+0
  add static
  smbd/uid.c:
  remove unused function
  Andrew Bartlett
* Samba hasn't used this function for ages - it's now handled deep in the | Andrew Bartlett | 2004-02-08 | 1 | -69/+0
  auth subsystem. Andrew Bartlett
* Fix bug 327 (again and I think for the last time). Make sure that | Gerald Carter | 2003-08-27 | 1 | -463/+0
  pam_smbpass.so will load ok. Had to move some functions around to work around dependency problems (hence the new passdb/lookup_sid.c) Also make sure that libsmbclient.a is built and installed when we support shared libraries.
* Spelling. | Tim Potter | 2003-08-06 | 1 | -1/+1
* fix sid_to_[uid|gid] (spotted by Volker). | Gerald Carter | 2003-07-11 | 1 | -87/+37
  Still testing this, but I'm checking it in so Volker can test it as well. Should be right.
* Large set of changes to add UNIX account/group management | Gerald Carter | 2003-07-09 | 1 | -6/+17
  to winbindd. See README.idmap-and-winbind-changes for details.
* Get rid of DISP_USER_INFO/DISP_GROUP_INFO as they serve no useful | Jeremy Allison | 2003-07-09 | 1 | -0/+4
  purpose. Replace with an array of SAM_ACCOUNT/DOMAIN_GRP entries. ZERO struct's in smbd/uid.c stops core dumps when sid_to_XX functions fail. Getting ready to add caching. Jeremy.
* Ensure we correctly test for errors in uid/gid_to sid. | Jeremy Allison | 2003-07-09 | 1 | -15/+14
  Jeremy.
* Fixed a couple of const issues with the new code. | Jeremy Allison | 2003-07-07 | 1 | -1/+1
  Jeremy.
* and so it begins.... | Gerald Carter | 2003-07-07 | 1 | -0/+408
  * remove idmap_XX_to_XX calls from smbd. Move back to the winbind_XXX and local_XXX calls used in 2.2
  * all uid/gid allocation must involve winbindd now
  * move flags field around in winbindd_request struct
  * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs
  * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain)
  * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes")
  code has been tested on
  * domain member of native mode 2k domain
  * ads domain member of native mode 2k domain
  * domain member of NT4 domain
  * domain member of Samba domain
  * Samba PDC running winbindd with trusts
  Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]'
  This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb)
* And finally IDMAP in 3_0 | Simo Sorce | 2003-05-12 | 1 | -418/+1
  We really need idmap_ldap to have a good solution with ldapsam, porting it from the previous code is being made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worse.
  I really would have been able to finish also the group code, maybe we can put it into a following release after 3.0.0 even if it may be an upgrade problem.
  The code has been tested and seems to work right, more testing is needed for corner cases.
  Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs)
  Simo.
* pdb_ldap may require ROOT privileges to access the group mapping. (yes, it's | Andrew Bartlett | 2003-03-27 | 1 | -0/+2
  ugly :-) Andrew Bartlett
* Merge of server-side authentication changes to 3.0: | Andrew Bartlett | 2003-02-24 | 1 | -2/+2
  - user_ok() and user_in_group() now take a list of groups, instead of looking for the user in the members of all groups.
  - The 'server_info' returned from the authentication is now kept around - in future we won't copy the session key, username etc, we will just reference them directly.
  - rhosts upgraded to use the SAM if possible, otherwise fake up based on getpwnam().
  - auth_util code to deal with groups upgraded to deal with non-winbind domain members again.
  Andrew Bartlett
* Fix inspired by Stefan (metze) Metzmacher - cache the sidtype also. | Jeremy Allison | 2003-02-19 | 1 | -19/+27
  Jeremy.
* Added code based on Michael Steffens <michael.steffens@hp.com> uid/gid | Jeremy Allison | 2003-02-12 | 1 | -1/+205
  caching code. Reduces load on winbindd. Probably should be moved to use gencache at some future date. Jeremy.
* Removed global_myworkgroup, global_myname, global_myscope. Added liberal | Jeremy Allison | 2002-11-12 | 1 | -4/+2
  dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy.
* Merges from HEAD: | Andrew Bartlett | 2002-11-01 | 1 | -0/+2
  - off-by-one fix - fixes warnings about insufficient space in buffer.
  - fix a memleak in uid.c - we forgot to free() the allocated struct.
* First cut of new ACL mapping code from Andreas Gruenbacher <agruen@suse.de>. | Jeremy Allison | 2002-10-23 | 1 | -1/+1
  This is not 100% the same as what SuSE shipped in their Samba, there is a crash bug fix, a race condition fix, and a few logic changes I'd like to discuss with Andreas. Added Andreas to (C) notices for posix_acls.c Jeremy.
* sync'ing up for 3.0alpha20 release | Gerald Carter | 2002-09-25 | 1 | -18/+24
* Sync 3.0 branch with head | Jelmer Vernooij | 2002-08-17 | 1 | -39/+47
* updated the 3.0 branch from the head branch - ready for alpha18 | Andrew Tridgell | 2002-07-15 | 1 | -7/+8
* merged the mangling test and passdb bugfixes into SAMBA_3_0 | Andrew Tridgell | 2002-04-12 | 1 | -5/+15
* if we know that the SID is local then don't try via winbindd | Andrew Tridgell | 2002-03-13 | 1 | -0/+5
* fixed mapping of SIDs for local users | Andrew Tridgell | 2002-03-13 | 1 | -1/+1
* Fixed compiler warning about unused variables. | Tim Potter | 2002-03-05 | 1 | -5/+5
* this allows us to support foreign SIDs in winbindd and smbd | Andrew Tridgell | 2002-02-27 | 1 | -2/+13
  this means "xcopy /o" has a chance of working with ACLs that contain ACEs that use SIDs that the Samba server has no knowledge of. It's a bit hackish, Tim, can you look at my uid.c changes?
* Removed version number from file header. | Tim Potter | 2002-01-30 | 1 | -2/+1
  Changed "SMB/Netbios" to "SMB/CIFS" in file header.
* - Provide sid->name lookup support for non-unix accounts. | Andrew Bartlett | 2002-01-26 | 1 | -36/+33
  - Rework the name -> sid lookup function to always try local lookup first (for local domain names) before trying winbind. This seems to eliminate my winbind feedback loop problems. (I don't use winbind for nsswitch, where there are almost certainly further issues).
  Andrew Bartlett
* Rework lookup_name() to take separate username/domain args, and to remove | Andrew Bartlett | 2002-01-26 | 1 | -31/+24
  various crazy 'if winbind didn't find it' cases. This makes winbind default domain support easier to integrate with smbd.
* This patch makes the 'winbind use default domain' code interact better with | Andrew Bartlett | 2002-01-20 | 1 | -1/+1
  smbd, and also makes it much cleaner inside winbindd.
  It is mostly my code, with a few changes and testing performed by Alexander Bokovoy <a.bokovoy@sam-solutions.net>. ab has tested it in security=domain and security=ads, but more testing is always appreciated.
  The idea is that we no longer cart around a 'domain\user' string, we keep them separate until the last moment - when we push that string into a pwent or onto the socket. This removes the need to be constantly parsing that string - the domain prefix is almost always already provided, (only a couple of functions actually changed arguments in all this).
  Some consequential changes to the RPC client code, to stop it concatenating the two strings (it now passes them both back as params).
  I haven't changed the cache code, however the usernames will no longer have a double domain prefix in the key string. The actual structures are unchanged - but the meaning of 'username' in the 'rid' will have changed. (The cache is invalidated at startup, so on-disk formats are not an issue here).
  Andrew Bartlett
* A nice *big* change to the fundamental way we do things. | Andrew Bartlett | 2002-01-17 | 1 | -9/+4
  Samba (ab)uses the returns from getpwnam() a lot - in particular it keeps them around for a long time - often past the next call...
  This adds a getpwnam_alloc and a getpwuid_alloc to the collection. These function as expected, returning a malloced structure that can be free()ed with passwd_free(&passwd).
  This patch also cuts down on the number of calls to getpwnam - mostly by taking advantage of the fact that the passdb interface is already case-insensitive.
  With this patch most of the recursive cases have been removed (that I know of) and the problems are reduced further by not using the sys_ interface in the new code. This means that pointers to the cache won't be affected. (This is a temporary HACK, I intend to kill the password cache entirely).
  The only change I'm a little worried about is the change to rpc_server/srv_samr_nt.c for private groups. In this case we are getting groups from the new group mapping DB. Do we still need to check for private groups? I've toned down the check to a case sensitive match with the new code, but we might be able to kill it entirely.
  I've also added a make_modifyable_passwd() function, that copies a passwd struct into the form that the old sys_getpw* code provided. As far as I can tell this is only actually used in the pass_check.c crazies, where I moved the final 'special case' for shadow passwords (out of _Get_Pwnam()).
  The matching case for getpwent() is dealt with already, in lib/util_getent.c
  Also included in here is a small change to register the [homes] share at vuid creation rather than just in one variant of the session setup. (This picks up the SPNEGO cases). The home directory is now stored on the vuid, and I am hoping this might provide a saner way to do %H substitutions.
  TODO: Kill off remaining Get_Pwnam_Modify calls (they are not needed), change the remaining sys_getpwnam() callers to use getpwnam_alloc() and move Get_Pwnam to return an allocated struct.
  Andrew Bartlett
* added a boolean to the group mapping functions to specify if we need or | Jean-François Micouleau | 2001-12-04 | 1 | -1/+1
  not the privileges. Usually we don't need them, so the memory is freed early.
  lib/util_sid.c: added some helper functions to check an SID.
  passdb/passdb.c: renamed local_lookup_rid() to local_lookup_sid() and pass an RID all the way. If the group doesn't exist on the domain SID, don't return a faked one as it can collide with a builtin one. Some rpc structures have been badly designed, they return only rids and force the client to do subsequent lsa_lookup_sid() on the domain sid and the builtin sid !
  rpc_server/srv_util.c: wrote a new version of get_domain_user_groups(). Only the samr code uses it atm. It uses the group mapping code instead of a bloody hard coded crap. The netlogon code will use it too, but I have to do some test first.
  J.F.
* Moved name_is_local to the correct place. Ooops. | Jeremy Allison | 2001-12-04 | 1 | -10/+0
  Jeremy.