From 8e1e47b960495df7f603d7798d86734d070b21bb Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 6 May 2003 14:02:34 +0000 Subject: uff, forgot to put back this one :-/ --- source/include/mapping.h | 1 + 1 file changed, 1 insertion(+) diff --git a/source/include/mapping.h b/source/include/mapping.h index 0cb31aa040b..d4f2d28e6a1 100644 --- a/source/include/mapping.h +++ b/source/include/mapping.h @@ -43,6 +43,7 @@ typedef struct _GROUP_MAP { + struct pdb_methods *methods; gid_t gid; DOM_SID sid; enum SID_NAME_USE sid_name_use; -- cgit From 61a01797113b5b9b08face1099b0433e8f9dd114 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 6 May 2003 14:27:06 +0000 Subject: Domain Controller -> Domain Member Server. --- docs/docbook/projdoc/Samba-PDC-HOWTO.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.xml b/docs/docbook/projdoc/Samba-PDC-HOWTO.xml index 7ec687e7407..fa479d73aef 100644 --- a/docs/docbook/projdoc/Samba-PDC-HOWTO.xml +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.xml @@ -259,7 +259,7 @@ reinstall it. The install time choices offered are: Primary Domain Controller - The one that seeds the domain SAM Backup Domain Controller - One that obtains a copy of the domain SAM - Domain Controller - One that has NO copy of the domain SAM, rather it obtains authentication from a Domain Controller for all access controls. + Domain Member Server - One that has NO copy of the domain SAM, rather it obtains authentication from a Domain Controller for all access controls. Stand-Alone Server - One that plays NO part is SAM synchronisation, has it's own authentication database and plays no role in Domain security. -- cgit From e599eba851db40816c684da2b7b1be4b978166e0 Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij Date: Tue, 6 May 2003 17:52:11 +0000 Subject: Add metze's exit and idle event patch --- source/include/includes.h | 2 + source/include/module.h | 45 +++++++++++++++++++ source/include/smb.h | 3 -- source/lib/module.c | 107 +++++++++++++++++++++++++++++++++++++++++++++- source/smbd/process.c | 7 +++ source/smbd/server.c | 3 ++ 6 files changed, 163 insertions(+), 4 deletions(-) create mode 100644 source/include/module.h diff --git a/source/include/includes.h b/source/include/includes.h index 8fc09c2cae4..c0e59a39b36 100644 --- a/source/include/includes.h +++ b/source/include/includes.h @@ -824,6 +824,8 @@ extern int errno; #include "mangle.h" +#include "module.h" + #include "nsswitch/winbind_client.h" #include "genparser.h" diff --git a/source/include/module.h b/source/include/module.h new file mode 100644 index 00000000000..659833c91af --- /dev/null +++ b/source/include/module.h 
@@ -0,0 +1,45 @@
+/*
+ Unix SMB/CIFS implementation.
+ Handling of idle/exit events
+ Copyright (C) Stefan (metze) Metzmacher 2003
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#ifndef _MODULE_H
+#define _MODULE_H
+
+/* Module support */
+typedef NTSTATUS (init_module_function) (void);
+
+
+#define SMB_IDLE_EVENT_DEFAULT_INTERVAL 180
+#define SMB_IDLE_EVENT_MIN_INTERVAL 30
+
+typedef struct smb_idle_event_struct {
+ struct smb_idle_event_struct *prev,*next;
+ time_t interval;
+ time_t last_run;
+ void *data;
+ void (*fn)(struct smb_idle_event_struct **event, time_t now);
+} smb_idle_event_struct;
+
+typedef struct smb_exit_event_struct {
+ struct smb_exit_event_struct *prev,*next;
+ void *data;
+ void (*fn)(struct smb_exit_event_struct **event);
+} smb_exit_event_struct;
+
+#endif /* _MODULE_H */
diff --git a/source/include/smb.h b/source/include/smb.h
index 2ca65ec2758..04b7d723955 100644
--- a/source/include/smb.h
+++ b/source/include/smb.h
@@ -1616,7 +1616,4 @@ typedef struct { #include "popt_common.h" -/* Module support */ -typedef NTSTATUS (init_module_function) (void); - #endif /* _SMB_H */
diff --git a/source/lib/module.c b/source/lib/module.c
index 087c964d3c7..221538fbec7 100644
--- a/source/lib/module.c
+++ b/source/lib/module.c
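Review bot: The `fn` members of both structs receive `struct ... **event`, the address of whatever pointer the caller hands over, but nothing in the header says what a callback may do with it — read the node, replace it, or unregister itself — and the walkers in module.c keep using that pointer after `fn` returns. Put the rule on each member, e.g. `/* called with the address of the walker's current node; must not unlink or free *event */` (or whatever contract the implementation settles on), so module authors do not have to read module.c to find out. It is also worth noting next to `interval` that a value below `SMB_IDLE_EVENT_MIN_INTERVAL` is replaced by `SMB_IDLE_EVENT_DEFAULT_INTERVAL` rather than clamped, which surprises a caller who asks for 0. `_MODULE_H` is in the implementation-reserved namespace (leading underscore plus uppercase); it mirrors the tree's existing `_SMB_H` guard, so that is a style point only.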
@@ -2,7 +2,8 @@ Unix SMB/CIFS implementation. module loading system - Copyright (C) Jelmer Vernooij 2002 + Copyright (C) Jelmer Vernooij 2002-2003 + Copyright (C) Stefan (metze) Metzmacher 2003 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
@@ -145,3 +146,107 @@ void module_path_get_name(const char *path, pstring name)
 }
 }
 }
+
+
+/***************************************************************************
+ * This Function registers a idle event
+ *
+ * the registered funtions are run periodically
+ * and maybe shutdown idle connections (e.g. to an LDAP server)
+ ***************************************************************************/
+static smb_idle_event_struct *smb_idle_event_list = NULL;
+NTSTATUS smb_register_idle_event(smb_idle_event_struct *idle_event)
+{
+ if (!idle_event) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ idle_event->last_run = 0;
+
+ DLIST_ADD(smb_idle_event_list,idle_event);
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS smb_unregister_idle_event(smb_idle_event_struct *idle_event)
+{
+ if (!idle_event) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ DLIST_REMOVE(smb_idle_event_list,idle_event);
+
+ return NT_STATUS_OK;
+}
+
+void smb_run_idle_events(time_t now)
+{
+ smb_idle_event_struct *tmp_event = smb_idle_event_list;
+
+ while (tmp_event) {
+ time_t interval;
+
+ if (tmp_event->fn) {
+ if (tmp_event->interval >= SMB_IDLE_EVENT_MIN_INTERVAL) {
+ interval = tmp_event->interval;
+ } else {
+ interval = SMB_IDLE_EVENT_DEFAULT_INTERVAL;
+ }
+ if (now >(tmp_event->last_run+interval)) {
+ tmp_event->fn(&tmp_event,now);
+ tmp_event->last_run = now;
+ }
+ }
+
+ tmp_event = tmp_event->next;
+ }
+
+ return;
+}
+
+/***************************************************************************
+ * This Function registers a exit event
+ *
+ * the registered funtions are run on exit()
+ * and maybe shutdown idle connections (e.g. to an LDAP server)
+ ***************************************************************************/
+static smb_exit_event_struct *smb_exit_event_list = NULL;
+NTSTATUS smb_register_exit_event(smb_exit_event_struct *exit_event)
+{
+ if (!exit_event) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ DLIST_ADD(smb_exit_event_list,exit_event);
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS smb_unregister_exit_event(smb_exit_event_struct *exit_event)
+{
+ if (!exit_event) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ DLIST_REMOVE(smb_exit_event_list,exit_event);
+
+ return NT_STATUS_OK;
+}
+
+void smb_run_exit_events(void)
+{
+ smb_exit_event_struct *tmp_event = smb_exit_event_list;
+
+ while (tmp_event) {
+ if (tmp_event->fn) {
+ tmp_event->fn(&tmp_event);
+ }
+ tmp_event = tmp_event->next;
+ }
+
+ /* run exit_events only once */
+ smb_exit_event_list = NULL;
+
+ return;
+}
+
diff --git a/source/smbd/process.c b/source/smbd/process.c
index 54fd4a90d99..18acb35f7a1 100644
--- a/source/smbd/process.c
+++ b/source/smbd/process.c
@@ -1114,6 +1114,9 @@ static BOOL timeout_processing(int deadtime, int *select_timeout, time_t *last_t /* become root again if waiting */ change_to_root_user(); + /* run all registered idle events */ + smb_run_idle_events(t); + /* check if we need to reload services */ check_reload(t);
@@ -1277,6 +1280,10 @@ void smbd_process(void) lp_talloc_free(); main_loop_talloc_free(); + /* run all registered idle events */ + smb_run_idle_events(time(NULL)); + + /* Did someone ask for immediate checks on things like blocking locks ? */ if (select_timeout == 0) { if(!timeout_processing( deadtime, &select_timeout, &last_timeout_processing_time))
diff --git a/source/smbd/server.c b/source/smbd/server.c
index ef27f0b7a4b..c24fc5134de 100644
--- a/source/smbd/server.c
+++ b/source/smbd/server.c
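Review bot: `smb_run_idle_events` passes `&tmp_event` to the callback and then writes `tmp_event->last_run = now` and reads `tmp_event->next`; if a callback uses the pointer it is handed to unregister itself (the `**event` parameter invites exactly that) and NULLs or frees the node, the walker dereferences a null or freed pointer, and `smb_run_exit_events` has the same shape with exit callbacks being the ones most likely to tear their node down. Save the successor and stamp `last_run` before the call so nothing in the node is touched after `fn` returns; that still does not cover a callback that unregisters a different event, which would need a list snapshot or deferred removal, so the contract should be stated on the callback type. An event registered with `interval` 0 fires on the first walk regardless, because `last_run` starts at 0 and the default interval is substituted; if that is intended it deserves a comment. Only the closing braces of `module_path_get_name` are visible as context, so the rest of module.c is outside this hunk.
```c
void smb_run_idle_events(time_t now)
{
	smb_idle_event_struct *tmp_event = smb_idle_event_list;

	while (tmp_event) {
		/* take the successor first: fn may unregister (and free) the node it is handed */
		smb_idle_event_struct *next_event = tmp_event->next;
		time_t interval;

		if (tmp_event->fn) {
			/* … unchanged: interval selection … */
			if (now > (tmp_event->last_run + interval)) {
				/* stamp before the call, for the same reason */
				tmp_event->last_run = now;
				tmp_event->fn(&tmp_event, now);
			}
		}

		tmp_event = next_event;
	}
}

void smb_run_exit_events(void)
{
	smb_exit_event_struct *tmp_event = smb_exit_event_list;

	while (tmp_event) {
		smb_exit_event_struct *next_event = tmp_event->next;

		if (tmp_event->fn) {
			tmp_event->fn(&tmp_event);
		}
		tmp_event = next_event;
	}
	/* … unchanged: clear smb_exit_event_list so the events run once … */
}
```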
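Review bot: The comment `/* run all registered idle events */` is repeated verbatim at both new call sites, in `timeout_processing` (previous hunk) and here in the `smbd_process` loop, without saying why two sites are needed; when `select_timeout == 0` both run in the same iteration and the second walk is effectively a no-op because `last_run` was just stamped. If the loop-site call exists so that a server busy enough never to hit the select timeout still fires its idle events, say so here, e.g. `/* also run idle events from the request loop: a busy server may never reach timeout_processing */`; otherwise one of the two calls can go. Both enclosing functions extend beyond their hunks, so I cannot see how often `timeout_processing` is actually reached.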
@@ -567,6 +567,9 @@ void exit_server(const char *reason) print_notify_send_messages(3); /* 3 second timeout. */ + /* run all registered exit events */ + smb_run_exit_events(); + /* delete our entry in the connections database. */ yield_connection(NULL,""); -- cgit From 4c1c75ae224eb138a71058472b25f9c22b61b349 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Tue, 6 May 2003 23:57:37 +0000 Subject: More stuffing, this turkey will soon be done. --- docs/docbook/projdoc/Samba-PDC-HOWTO.xml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.xml b/docs/docbook/projdoc/Samba-PDC-HOWTO.xml index fa479d73aef..39d8eb6fc57 100644 --- a/docs/docbook/projdoc/Samba-PDC-HOWTO.xml +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.xml @@ -287,6 +287,22 @@ be revised to duely reflect all configuration and management requirements. Preparing for Domain Control + +There are two ways that MS Windows machines may interact with each other, with other servers, +and with Domain Controllers: Either as Stand-Alone systems, more commonly +called Workgroup members, or as full participants in a security system, +more commonly called Domain Members. + + + +It should be noted that Workgroup membership involve no special configuration +other than the machine being configured so that the network configuration has a commonly used name +for it's workgroup entry. It is not uncommon for the name WORKGROUP to be used for this. With this +mode of configuration there are NO machine trust accounts and any concept of "membership" as such +is limited to the fact that all machines appear in the network neighbourhood to be logically +groupped together. + + The following are necessary for configuring Samba-3 as an MS Windows NT4 style PDC for MS Windows NT4 / 200x / XP clients. -- cgit From c5b1654c28e33823a58c6447c152996a1eed1d0d Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Wed, 7 May 2003 01:00:12 +0000 Subject: We used to use the name "*",0x0 here, but some Windows servers don't answer that name. However we *know* they have the name workgroup#1b (as we just looked it up). So do the node status request on this name instead. Found at LBL labs. Jeremy. --- source/nmbd/nmbd_browsesync.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/source/nmbd/nmbd_browsesync.c b/source/nmbd/nmbd_browsesync.c index b9082ee1c37..adfefc9f27a 100644 --- a/source/nmbd/nmbd_browsesync.c +++ b/source/nmbd/nmbd_browsesync.c @@ -316,7 +316,15 @@ static void find_domain_master_name_query_success(struct subnet_record *subrec, zero_ip(&work->dmb_addr); /* Now initiate the node status request. */ - make_nmb_name(&nmbname,"*",0x0); + + /* We used to use the name "*",0x0 here, but some Windows + * servers don't answer that name. However we *know* they + * have the name workgroup#1b (as we just looked it up). + * So do the node status request on this name instead. + * Found at LBL labs. JRA. + */ + + make_nmb_name(&nmbname,work->work_group,0x1b); /* Put the workgroup name into the userdata so we know what workgroup we're talking to when the reply comes -- cgit From c49cfe1677b8daba4e2e73813ee712b2d0ec92cd Mon Sep 17 00:00:00 2001 From: Martin Pool Date: Wed, 7 May 2003 01:18:06 +0000 Subject: Merge from distcc: Put in a prototype for dummy_snprintf() to quiet compiler warnings. Move #endif to make sure VA_COPY, LDOUBLE, etc are defined even if the C library has some snprintf functions already. --- source/lib/snprintf.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/source/lib/snprintf.c b/source/lib/snprintf.c index 02cf782520b..4aef82c7d89 100644 --- a/source/lib/snprintf.c +++ b/source/lib/snprintf.c 
@@ -83,6 +83,12 @@ * Remove NO_CONFIG_H so that the test case can be built within a source * tree with less trouble. * Remove unnecessary SAFE_FREE() definition. + * + * Martin Pool (mbp@samba.org) May 2003 + * Put in a prototype for dummy_snprintf() to quiet compiler warnings. + * + * Move #endif to make sure VA_COPY, LDOUBLE, etc are defined even + * if the C library has some snprintf functions already. **************************************************************/ #ifndef NO_CONFIG_H @@ -123,8 +129,9 @@ /* only include stdio.h if we are not re-defining snprintf or vsnprintf */ #include /* make the compiler happy with an empty file */ + void dummy_snprintf(void); void dummy_snprintf(void) {} -#else +#endif /* HAVE_SNPRINTF, etc */ #ifdef HAVE_LONG_DOUBLE #define LDOUBLE long double @@ -144,7 +151,6 @@ #else #define VA_COPY(dest, src) (dest) = (src) #endif -#endif static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args_in); -- cgit From 56fd8427389a45fe640d84b3481e9f3f3c24b4b7 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 7 May 2003 02:01:33 +0000 Subject: Force ASCII for client messages. Patch from David Lee Jeremy. --- source/libsmb/climessage.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/source/libsmb/climessage.c b/source/libsmb/climessage.c index 5f6ce361339..2b1be75089d 100644 --- a/source/libsmb/climessage.c +++ b/source/libsmb/climessage.c @@ -40,9 +40,9 @@ BOOL cli_message_start(struct cli_state *cli, char *host, char *username, p = smb_buf(cli->outbuf); *p++ = 4; - p += clistr_push(cli, p, username, -1, STR_TERMINATE); + p += clistr_push(cli, p, username, -1, STR_ASCII|STR_TERMINATE); *p++ = 4; - p += clistr_push(cli, p, host, -1, STR_TERMINATE); + p += clistr_push(cli, p, host, -1, STR_ASCII|STR_TERMINATE); cli_setup_bcc(cli, p); @@ -128,4 +128,3 @@ BOOL cli_message_end(struct cli_state *cli, int grp) return True; } - -- cgit 
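Review bot: Both rewritten `clistr_push` calls still pass `-1` as the destination length, so the copy of `username` and `host` into `cli->outbuf` is bounded only by whatever default the push helper applies, not by the room remaining after `p`; both strings are parameters of `cli_message_start` and come straight from the caller. Passing the space left in the output buffer explicitly at these two lines would make the bound visible at the call site instead of relying on the helper's default, and is a one-token change per line once that size is computed from `cli->outbuf` and `p`. The `STR_ASCII` flag itself is consistent with the commit message. `cli_message_start` begins before this hunk, so I cannot see how `cli->outbuf` is sized here.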
From c799638763fe0eb17b3bc5df853f0137aff54b94 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Wed, 7 May 2003 07:44:38 +0000 Subject: More edits. Now working on BDC Documentation. --- docs/docbook/projdoc/Samba-BDC-HOWTO.xml | 331 ++++++++++++++++++++----------- docs/docbook/projdoc/Samba-PDC-HOWTO.xml | 102 +++++++--- 2 files changed, 283 insertions(+), 150 deletions(-) diff --git a/docs/docbook/projdoc/Samba-BDC-HOWTO.xml b/docs/docbook/projdoc/Samba-BDC-HOWTO.xml index cf5684fecac..00ed3251c9b 100644 --- a/docs/docbook/projdoc/Samba-BDC-HOWTO.xml +++ b/docs/docbook/projdoc/Samba-BDC-HOWTO.xml 
@@ -1,49 +1,130 @@ + &author.jht; &author.vl; - (26 Apr 2001) Backup Domain Control -Before you continue reading in this section, please make sure -that you are comfortable with configuring a Samba PDC -as described in the Samba-PDC-HOWTO. +Before you continue reading in this section, please make sure that you are comfortable +with configuring a Samba Domain Controller as described in the +Domain Control Chapter. -Background +Features And Benefits -What is a Domain Controller? It is a machine that is able to answer -logon requests from workstations in a Windows NT Domain. Whenever a -user logs into a Windows NT Workstation, the workstation connects to a -Domain Controller and asks him whether the username and password the -user typed in is correct. The Domain Controller replies with a lot of -information about the user, for example the place where the users -profile is stored, the users full name of the user. All this -information is stored in the NT user database, the so-called SAM. +Stuff goees here + + + + + +Essential Background Information + + +A Domain Controller is a machine that is able to answer logon requests from network +workstations. Microsoft LanManager and IBM LanServer were two early products that +provided this capability. The technology has become known as the LanMan Netlogon service. + + + +When MS Windows NT3.10 was first released it supported an new style of Domain Control +and with it a new form of the network logon service that has extended functionality. +This service became known as the NT NetLogon Service. The nature of this service has +changed with the evolution of MS Windows NT and today provides a very complex array of +services that are implemented over a complex spectrum of technologies. 
+ + + +MS Windows NT4 Style Domain Control + + +Whenever a user logs into a Windows NT4 / 200x / XP Profresional Workstation, +the workstation connects to a Domain Controller (authentication server) to validate +the username and password that the user entered are valid. If the information entered +does not validate against the account information that has been stored in the Domain +Control database (the SAM, or Security Accounts Manager database) then a set of error +codes is returned to the workstation that has made the authentication request. + + + +When the username / password pair has been validated, the Domain Controller +(authentication server) will respond with full enumeration of the account information +that has been stored regarding that user in the User and Machine Accounts database +for that Domain. This information contains a complete network access profile for +the user but excludes any information that is particular to the user's desktop profile, +or for that matter it excludes all desktop profiles for groups that the user may +belong to. It does include password time limits, password uniqueness controls, +network access time limits, account validity information, machine names from which the +user may access the network, and much more. All this information was stored in the SAM +in all versions of MS Windows NT (3.10, 3.50, 3.51, 4.0). + + +The account information (user and machine) on Domain Controllers is stored in two files, +one containing the Security information and the other the SAM. These are stored in files +by the same name in the C:\WinNT\System32\config directory. These +are the files that are involved in replication of the SAM database where Backup Domain +Controllers are present on the network. + + + +There are two situations in which it is desirable to install Backup Domain Controllers: + + + + + On the local network that the Primary Domain Controller is on if there are many + workstations and/or where the PDC is generally very busy. 
In this case the BDCs + will pick up network logon requests and help to add robustness to network services. + + + + At each remote site, to reduce wide area network traffic and to add stability to + remote network operations. The design of the network, the strategic placement of + Backup Domain Controllers, together with an implementation that localises as much + of network to client interchange as possible will help to minimise wide area network + bandwidth needs (and thus costs). + + + + +The PDC contains the master copy of the SAM. In the event that an administrator makes a +change to the user account database while physically present on the local network that +has the PDC, the change will likely be made directly to the PDC instance of the master +copy of the SAM. In the event that this update may be performed in a branch office the +change will likely be stored in a delta file on the local BDC. The BDC will then send +a trigger to the PDC to commence the process of SAM synchronisation. The PDC will then +request the delta from the BDC and apply it to the master SAM. THe PDC will then contact +all the BDCs in the Domain and trigger them to obtain the update and then apply that to +their own copy of the SAM. + + + +Thus the BDC is said to hold a read-only of the SAM from which +it is able to process network logon requests and to authenticate users. The BDC can +continue to provide this service, particularly while, for example, the wide area +network link to the PDC is down. Thus a BDC plays a very important role in both +maintenance of Domain security as well as in network integrity. -There are two kinds of Domain Controller in a NT 4 compatible Domain: -A Primary Domain Controller (PDC) and one or more Backup Domain -Controllers (BDC). The PDC contains the master copy of the -SAM. Whenever the SAM has to change, for example when a user changes -his password, this change has to be done on the PDC. 
A Backup Domain -Controller is a machine that maintains a read-only copy of the -SAM. This way it is able to reply to logon requests and authenticate -users in case the PDC is not available. During this time no changes to -the SAM are possible. Whenever changes to the SAM are done on the PDC, -all BDC receive the changes from the PDC. +In the event that the PDC should need to be taken out of service, or if it dies, then +one of the BDCs can be promoted to a PDC. If this happens while the original PDC is on +line then it is automatically demoted to a BDC. This is an important aspect of Domain +Controller management. The tool that is used to affect a promotion or a demotion is the +Server Manager for Domains. + +Example PDC Configuration + -Since version 2.2 Samba officially supports domain logons for all -current Windows Clients, including Windows 2000 and XP. This text -assumes the domain to be named SAMBA. To be able to act as a PDC, some +Since version 2.2 Samba officially supports domain logons for all current Windows Clients, +including Windows NT4, 2003 and XP Professional. For samba to be enabled as a PDC some parameters in the [global]-section of the smb.conf have to be set: 
@@ -54,23 +135,37 @@ parameters in the [global]-section of the smb.conf have to be set: -Several other things like a [homes] and a [netlogon] share also may be -set along with settings for the profile path, the users home drive and -others. This will not be covered in this document. +Several other things like a [homes] and a [netlogon] share also need to be set along with +settings for the profile path, the users home drive, etc.. This will not be covered in this +chapter, for more information please refer to the chapter on Domain Control. + + + + + + +Active Directory Domain Control + + +As of the release of MS Windows 2000 and Active Directory, this information is now stored +in a directory that can be replicated and for which partial or full administrative control +can be delegated. Samba-3 is NOT able to be a Domain Controller within an Active Directory +tree, and it can not be an Active Directory server. This means that Samba-3 also can NOT +act as a Backup Domain Contoller to an Active Directory Domain Controller. + + What qualifies a Domain Controller on the network? -Every machine that is a Domain Controller for the domain SAMBA has to -register the NetBIOS group name SAMBA#1c with the WINS server and/or -by broadcast on the local network. The PDC also registers the unique -NetBIOS name SAMBA#1b with the WINS server. The name type #1b is -normally reserved for the domain master browser, a role that has -nothing to do with anything related to authentication, but the -Microsoft Domain implementation requires the domain master browser to -be on the same machine as the PDC. +Every machine that is a Domain Controller for the domain SAMBA has to register the NetBIOS +group name SAMBA<#1c> with the WINS server and/or by broadcast on the local network. +The PDC also registers the unique NetBIOS name SAMBA<#1b> with the WINS server. 
+The name type <#1b> name is normally reserved for the Domain Master Browser, a role +that has nothing to do with anything related to authentication, but the Microsoft Domain +implementation requires the domain master browser to be on the same machine as the PDC. @@ -79,15 +174,13 @@ be on the same machine as the PDC. How does a Workstation find its domain controller? -A NT workstation in the domain SAMBA that wants a local user to be -authenticated has to find the domain controller for SAMBA. It does -this by doing a NetBIOS name query for the group name SAMBA#1c. It -assumes that each of the machines it gets back from the queries is a -domain controller and can answer logon requests. To not open security -holes both the workstation and the selected (TODO: How is the DC -chosen) domain controller authenticate each other. After that the -workstation sends the user's credentials (his name and password) to -the domain controller, asking for approval. +An MS Windows NT4 / 200x / XP Professional workstation in the domain SAMBA that wants a +local user to be authenticated has to find the domain controller for SAMBA. It does this +by doing a NetBIOS name query for the group name SAMBA<#1c>. It assumes that each +of the machines it gets back from the queries is a domain controller and can answer logon +requests. To not open security holes both the workstation and the selected domain controller +authenticate each other. After that the workstation sends the user's credentials (name and +password) to the local Domain Controller, for valdation. 
@@ -97,11 +190,10 @@ the domain controller, asking for approval. When is the PDC needed? -Whenever a user wants to change his password, this has to be done on -the PDC. To find the PDC, the workstation does a NetBIOS name query -for SAMBA#1b, assuming this machine maintains the master copy of the -SAM. The workstation contacts the PDC, both mutually authenticate and -the password change is done. +Whenever a user wants to change his password, this has to be done on the PDC. To find +the PDC, the workstation does a NetBIOS name query for SAMBA<#1b>, assuming this +machine maintains the master copy of the SAM. The workstation contacts the PDC, both +mutually authenticate and the password change is done. 
@@ -110,25 +202,22 @@ the password change is done. -Can Samba be a Backup Domain Controller to an NT PDC? +Can Samba be a Backup Domain Controller to an NT4 PDC? -With version 2.2, no. The native NT SAM replication protocols have -not yet been fully implemented. The Samba Team is working on -understanding and implementing the protocols, but this work has not -been finished for version 2.2. +With version 2.2, no. The native NT4 SAM replication protocols have not yet been fully +implemented. The Samba Team is working on understanding and implementing the protocols, +but this work has not been finished for version 2.2. -With version 3.0, the work on both the replication protocols and a -suitable storage mechanism has progressed, and some form of NT4 BDC -support is expected soon. +With version 3.0, the work on both the replication protocols and a suitable storage +mechanism has progressed, and some form of NT4 BDC support is expected soon. -Can I get the benefits of a BDC with Samba? Yes. The main reason for -implementing a BDC is availability. If the PDC is a Samba machine, -a second Samba machine can be set up to +Can I get the benefits of a BDC with Samba? Yes. The main reason for implementing a +BDC is availability. If the PDC is a Samba machine, a second Samba machine can be set up to service logon requests whenever the PDC is down. 
@@ -136,61 +225,59 @@ service logon requests whenever the PDC is down. -How do I set up a Samba BDC? +Backup Domain Controller Configuration Several things have to be done: - -The domain SID has to be the same on the PDC and the BDC. This used to -be stored in the file private/MACHINE.SID. This file is not created -anymore since Samba 2.2.5 or even earlier. Nowadays the domain SID is -stored in the file private/secrets.tdb. Simply copying the secrets.tdb -from the PDC to the BDC does not work, as the BDC would -generate a new SID for itself and override the domain SID with this -new BDC SID. - - -To retrieve the domain SID from the PDC or an existing BDC and store it in the -secrets.tdb, execute 'net rpc getsid' on the BDC. - - - -The Unix user database has to be synchronized from the PDC to the -BDC. This means that both the /etc/passwd and /etc/group have to be -replicated from the PDC to the BDC. This can be done manually -whenever changes are made, or the PDC is set up as a NIS master -server and the BDC as a NIS slave server. To set up the BDC as a -mere NIS client would not be enough, as the BDC would not be able to -access its user database in case of a PDC failure. - - - - -The Samba password database in the file private/smbpasswd has to be -replicated from the PDC to the BDC. This is a bit tricky, see the -next section. - - - -Any netlogon share has to be replicated from the PDC to the -BDC. This can be done manually whenever login scripts are changed, -or it can be done automatically together with the smbpasswd -synchronization. - + The domain SID has to be the same on the PDC and the BDC. This used to + be stored in the file private/MACHINE.SID. This file is not created + anymore since Samba 2.2.5 or even earlier. Nowadays the domain SID is + stored in the file private/secrets.tdb. Simply copying the secrets.tdb + from the PDC to the BDC does not work, as the BDC would + generate a new SID for itself and override the domain SID with this + new BDC SID. 
+ + + To retrieve the domain SID from the PDC or an existing BDC and store it in the + secrets.tdb, execute 'net rpc getsid' on the BDC. + + + + The Unix user database has to be synchronized from the PDC to the + BDC. This means that both the /etc/passwd and /etc/group have to be + replicated from the PDC to the BDC. This can be done manually + whenever changes are made, or the PDC is set up as a NIS master + server and the BDC as a NIS slave server. To set up the BDC as a + mere NIS client would not be enough, as the BDC would not be able to + access its user database in case of a PDC failure. + + + + + The Samba password database in the file private/smbpasswd has to be + replicated from the PDC to the BDC. This is a bit tricky, see the + next section. + + + + Any netlogon share has to be replicated from the PDC to the + BDC. This can be done manually whenever login scripts are changed, + or it can be done automatically together with the smbpasswd + synchronization. + -Finally, the BDC has to be found by the workstations. This can be done -by setting +Finally, the BDC has to be found by the workstations. This can be done by setting: - workgroup = samba + workgroup = SAMBA domain master = no domain logons = yes 
@@ -208,19 +295,17 @@ name is reserved for the Primary Domain Controller. How do I replicate the smbpasswd file? -Replication of the smbpasswd file is sensitive. It has to be done -whenever changes to the SAM are made. Every user's password change is -done in the smbpasswd file and has to be replicated to the BDC. So -replicating the smbpasswd file very often is necessary. +Replication of the smbpasswd file is sensitive. It has to be done whenever changes +to the SAM are made. Every user's password change is done in the smbpasswd file and +has to be replicated to the BDC. So replicating the smbpasswd file very often is necessary. -As the smbpasswd file contains plain text password equivalents, it -must not be sent unencrypted over the wire. The best way to set up -smbpasswd replication from the PDC to the BDC is to use the utility -rsync. rsync can use ssh as a transport. ssh itself can be set up to -accept *only* rsync transfer without requiring the user to type a -password. +As the smbpasswd file contains plain text password equivalents, it must not be +sent unencrypted over the wire. The best way to set up smbpasswd replication from +the PDC to the BDC is to use the utility rsync. rsync can use ssh as a transport. +Ssh itself can be set up to accept *only* rsync transfer without requiring the user +to type a password. @@ -228,13 +313,23 @@ password. Can I do this all with LDAP? -The simple answer is YES. Samba's pdb_ldap code supports -binding to a replica LDAP server, and will also follow referrals and -rebind to the master if it ever needs to make a modification to the -database. (Normally BDCs are read only, so this will not occur -often). + + +The simple answer is YES. Samba's pdb_ldap code supports binding to a replica +LDAP server, and will also follow referrals and rebind to the master if it ever +needs to make a modification to the database. (Normally BDCs are read only, so +this will not occur often). + + + +Common Errors + + +Stuff goes here + + 
diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.xml b/docs/docbook/projdoc/Samba-PDC-HOWTO.xml
index 39d8eb6fc57..fddd5aade66 100644
--- a/docs/docbook/projdoc/Samba-PDC-HOWTO.xml
+++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.xml
@@ -289,26 +289,42 @@ be revised to duely reflect all configuration and management requirements. There are two ways that MS Windows machines may interact with each other, with other servers, -and with Domain Controllers: Either as Stand-Alone systems, more commonly -called Workgroup members, or as full participants in a security system, -more commonly called Domain Members. +and with Domain Controllers: Either as Stand-Alone systems, more commonly +called Workgroup members, or as full participants in a security system, +more commonly called Domain members. -It should be noted that Workgroup membership involve no special configuration +It should be noted that Workgroup membership involve no special configuration other than the machine being configured so that the network configuration has a commonly used name for it's workgroup entry. It is not uncommon for the name WORKGROUP to be used for this. With this -mode of configuration there are NO machine trust accounts and any concept of "membership" as such +mode of configuration there are NO machine trust accounts and any concept of membership as such is limited to the fact that all machines appear in the network neighbourhood to be logically -groupped together. +groupped together. Again, just to be clear: WORKGROUP MODE DOES NOT INVOLVE ANY SECURITY MACHINE +ACCOUNTS. + +Domain member machines have a machine account in the Domain accounts database. A special procedure +must be followed on each machine to affect Domain membership. This procedure, which can be done +only by the local machine Adminisistrator account, will create the Domain machine account (if +if does not exist), and then initializes that account. When the client first logs onto the +Domain it triggers a machine password change. + + + +When running a Domain all MS Windows NT / 200x / XP Professional clients should be configured +as full Domain Members - IF A SECURE NETWORK IS WANTED. 
If the machine is NOT made a member of the +Domain, then it will operate like a workgroup (stand-alone) machine. Please refer to the chapter +on Domain Membership for information regarding HOW to make your MS Windows clients Domain members. + + The following are necessary for configuring Samba-3 as an MS Windows NT4 style PDC for MS Windows NT4 / 200x / XP clients. - + Configuration of basic TCP/IP and MS Windows Networking @@ -535,15 +551,8 @@ There are a couple of points to emphasize in the above configuration. Samba-3 can behave and appear to MS Windows 200x and XP clients as an Active Directory Server. -To do this, Configure samba as a Primary Domain Controller, use LDAP as the passdb backend, -and configure Kerberos5. The problem with doing this is that samba-3 is NOT, despite this -configuration, and Active Directory server and does NOT yet fully support all protocols needed -to make this a possibility. - - - -The best advice we can give at this time is - DO NOT DO THIS yet as it is NOT ready for -production deployment. +The problem with doing this is that samba-3 is NOT an Active Directory server and does NOT yet +support all protocols needed to make this a possibility. @@ -566,6 +575,7 @@ in Samba. One Domain Controller must be configured with domain master must be set. + Example Configuration 
@@ -583,8 +593,32 @@ must be set. + + +The Special Case of MS Windows XP Home Edition + + +MS Windows XP Home Edition does not have the ability to join any type of Domain +security facility. Unlike, MS Windows 9x / Me, MS Windows XP Home Edition also completely +lacks the ability to log onto a network. + + + +To be completely clear: If you want MS Windows XP Home Edition to integrate with your +MS Windows NT4 or Active Directory Domain security understand - IT CAN NOT BE DONE. +Your only choice is to buy the upgrade pack from MS Windows XP Home Edition to +MS Windows XP Professional. + + + +Now that this has been said, please do NOT ask the mailing list, or email any of the +Samba-Team members with your questions asking how to make this work. It can't be done. + + + + -The Special Case of Windows 9x / Me / XP Home +The Special Case of Windows 9x / Me A domain and a workgroup are exactly the same thing in terms of network @@ -641,7 +675,7 @@ worthwhile to look at how a Windows 9x/ME client performs a logon: The client broadcasts (to the IP broadcast address of the subnet it is in) - a NetLogon request. This is sent to the NetBIOS name DOMAIN<1c> at the + a NetLogon request. This is sent to the NetBIOS name DOMAIN<#1c> at the NetBIOS layer. The client chooses the first response it receives, which contains the NetBIOS name of the logon server to use in the format of \\SERVER. 
@@ -704,16 +738,20 @@ The main difference between a PDC and a Windows 9x logon server configuration is - Password encryption is not required for a Windows 9x logon server. + Password encryption is not required for a Windows 9x logon server. But note + that beginning with MS Windows 98 the default setting is that plain-text + password support has been disabled. It can be re-enabled with the registry + changes that are documented in the chapter on Policies. - Windows 9x/ME clients do not possess machine trust accounts. + Windows 9x/ME clients do not require and do not use machine trust accounts. -A Samba PDC will also act as a Windows 9x logon server. +A Samba PDC will act as a Windows 9x logon server, after all it does provide the +network logon services that MS Windows 9x / Me expect to find. @@ -729,7 +767,7 @@ or not it is ok to configure Samba as a Domain Controller in security modes other than USER. The only security mode which will not work due to technical reasons is SHARE mode security. DOMAIN and SERVER -mode security is really just a variation on SMB user level security. +mode security are really just a variation on SMB user level security. @@ -738,7 +776,7 @@ or not Samba must be the domain master browser for its workgroup when operating as a DC. While it may technically be possible to configure a server as such (after all, browsing and domain logons are two distinctly different functions), it is not a good idea to do -so. You should remember that the DC must register the DOMAIN#1b NetBIOS +so. You should remember that the DC must register the DOMAIN<#1b> NetBIOS name. This is the name used by Windows clients to locate the DC. Windows clients do not distinguish between the DC and the DMB. For this reason, it is very wise to configure the Samba DC as the DMB. 
@@ -746,22 +784,22 @@ For this reason, it is very wise to configure the Samba DC as the DMB. Now back to the issue of configuring a Samba DC to use a mode other -than "security = user". If a Samba host is configured to use +than security = user. If a Samba host is configured to use another SMB server or DC in order to validate user connection requests, then it is a fact that some other machine on the network -(the "password server") knows more about the user than the Samba host. +(the password server) knows more about the user than the Samba host. 99% of the time, this other host is a domain controller. Now -in order to operate in domain mode security, the "workgroup" parameter +in order to operate in domain mode security, the workgroup parameter must be set to the name of the Windows NT domain (which already -has a domain controller, right?) +has a domain controller). If the domain does NOT already have a Domain Controller +then you do not yet have a Domain! -Therefore configuring a Samba box as a DC for a domain that -already by definition has a PDC is asking for trouble. -Therefore, you should always configure the Samba DC to be the DMB -for its domain and set security = user. This is the only -officially supported mode of operation. +Configuring a Samba box as a DC for a domain that already by definition has a +PDC is asking for trouble. Therefore, you should always configure the Samba DC +to be the DMB for its domain and set security = user. +This is the only officially supported mode of operation. -- cgit From 453552d2cb2cdcb75c27a374fd8b93a72482cbdd Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Wed, 7 May 2003 07:51:08 +0000 Subject: Fix missing para marker. --- docs/docbook/projdoc/Samba-BDC-HOWTO.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/docbook/projdoc/Samba-BDC-HOWTO.xml b/docs/docbook/projdoc/Samba-BDC-HOWTO.xml index 00ed3251c9b..8b72c8e28f9 100644 --- a/docs/docbook/projdoc/Samba-BDC-HOWTO.xml 
+++ b/docs/docbook/projdoc/Samba-BDC-HOWTO.xml
@@ -62,6 +62,7 @@ belong to. It does include password time limits, password uniqueness controls, network access time limits, account validity information, machine names from which the user may access the network, and much more. All this information was stored in the SAM in all versions of MS Windows NT (3.10, 3.50, 3.51, 4.0). + The account information (user and machine) on Domain Controllers is stored in two files,
-- cgit From 4fe84f61735ee2328e01d2ae864b0e6c7729f51b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 7 May 2003 18:28:26 +0000 Subject: Make fchown, fchmod conditional for systems that don't have them. Jeremy. --- source/smbd/vfs-wrap.c | 21 ++++++++++++++++----- source/web/swat.c | 4 ++++ 2 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/source/smbd/vfs-wrap.c b/source/smbd/vfs-wrap.c
index bae304096ce..491fa70e687 100644
--- a/source/smbd/vfs-wrap.c
+++ b/source/smbd/vfs-wrap.c
@@ -298,10 +298,10 @@ int vfswrap_chmod(connection_struct *conn, const char *path, mode_t mode)
 int vfswrap_fchmod(files_struct *fsp, int fd, mode_t mode)
 {
- int result;
+ int result;
 struct vfs_ops *vfs_ops = &fsp->conn->vfs_ops;
- START_PROFILE(syscall_fchmod);
+ START_PROFILE(syscall_fchmod);
 /*
 * We need to do this due to the fact that the default POSIX ACL
@@ -319,9 +319,15 @@ int vfswrap_fchmod(files_struct *fsp, int fd, mode_t mode)
 errno = saved_errno;
 }
- result = fchmod(fd, mode);
- END_PROFILE(syscall_fchmod);
- return result;
+#if defined(HAVE_FCHMOD)
+ result = fchmod(fd, mode);
+#else
+ result = -1;
+ errno = ENOSYS;
+#endif
+
+ END_PROFILE(syscall_fchmod);
+ return result;
 }
 int vfswrap_chown(connection_struct *conn, const char *path, uid_t uid, gid_t gid)
@@ -336,6 +342,7 @@ int vfswrap_chown(connection_struct *conn, const char *path, uid_t uid, gid_t gi
 int vfswrap_fchown(files_struct *fsp, int fd, uid_t uid, gid_t gid)
 {
+#ifdef HAVE_FCHOWN
 int result;
 START_PROFILE(syscall_fchown);
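Review bot: The two `#else` fallbacks added in this commit take different shapes: in vfswrap_fchmod only the fchmod() call is guarded, so START_PROFILE/END_PROFILE stay paired and the function keeps one exit, whereas vfswrap_fchown (the `@@ -336` hunk on this line and the `@@ -343` hunk on the next) places `#ifdef HAVE_FCHOWN` around the declarations and profiling and returns from an `#else` arm in which fsp, fd, uid and gid are all unused, which draws unused-parameter warnings on the non-fchown build and skips the profile accounting. The same commit also spells the guard three ways (`#if defined(HAVE_FCHMOD)` here, `#ifdef HAVE_FCHOWN` below, and `#if defined HAVE_FCHMOD` in swat.c); one form is easier to grep for. Reshaping vfswrap_fchown after vfswrap_fchmod resolves both, as sketched below; both functions extend past the hunk boundaries, so the sketch assumes nothing else sits between START_PROFILE and the fchown() call.
```c
int vfswrap_fchown(files_struct *fsp, int fd, uid_t uid, gid_t gid)
{
	int result;

	START_PROFILE(syscall_fchown);

#if defined(HAVE_FCHOWN)
	result = fchown(fd, uid, gid);
#else
	/* Same contract as vfswrap_fchmod on a system without the call. */
	result = -1;
	errno = ENOSYS;
#endif

	END_PROFILE(syscall_fchown);
	return result;
}
```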
@@ -343,6 +350,10 @@ int vfswrap_fchown(files_struct *fsp, int fd, uid_t uid, gid_t gid)
 result = fchown(fd, uid, gid);
 END_PROFILE(syscall_fchown);
 return result;
+#else
+ errno = ENOSYS;
+ return -1;
+#endif
 }
 int vfswrap_chdir(connection_struct *conn, const char *path)
diff --git a/source/web/swat.c b/source/web/swat.c
index fa319bb3ae8..7f9492933a5 100644
--- a/source/web/swat.c
+++ b/source/web/swat.c
@@ -417,7 +417,11 @@ static int save_reload(int snum)
 /* just in case they have used the buggy xinetd to create the file */
 if (fstat(fileno(f), &st) == 0 && (st.st_mode & S_IWOTH)) {
+#if defined HAVE_FCHMOD
 fchmod(fileno(f), S_IWUSR | S_IRUSR | S_IRGRP | S_IROTH);
+#else
+ chmod(dyn_CONFIGFILE, S_IWUSR | S_IRUSR | S_IRGRP | S_IROTH);
+#endif
 }
 write_config(f, False);
-- cgit From a635b6406ab091b4207b148d7a25099205008567 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 7 May 2003 22:19:56 +0000 Subject: SMB_QUERY_FILE_ALT_NAME_INFO and SMB_FILE_ALTERNATE_NAME_INFORMATION are identical - noticed by "Dr. Tilo Levante" . Jeremy. --- source/smbd/trans2.c | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c
index 0bfb145c104..de598d67139 100644
--- a/source/smbd/trans2.c
+++ b/source/smbd/trans2.c
@@ -1799,6 +1799,7 @@ static int call_trans2qfilepathinfo(connection_struct *conn,
 /* Get the 8.3 name - used if NT SMB was negotiated. */
 case SMB_QUERY_FILE_ALT_NAME_INFO:
+ case SMB_FILE_ALTERNATE_NAME_INFORMATION:
 {
 pstring short_name;
@@ -1935,15 +1936,6 @@ static int call_trans2qfilepathinfo(connection_struct *conn,
 }
 #endif
- case SMB_FILE_ALTERNATE_NAME_INFORMATION:
- /* Last component of pathname. */
- {
- size_t byte_len = dos_PutUniCode(pdata+4,fname,max_data_bytes,False);
- SIVAL(pdata,0,byte_len);
- data_size = 4 + byte_len;
- break;
- }
-
 #if 0
 /*
 * NT4 server just returns "invalid query" to this - if we try to answer
-- cgit
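Review bot: The new fallback `chmod(dyn_CONFIGFILE, ...)` acts on a path while the condition two lines up examined the open descriptor with `fstat(fileno(f), &st)`, so on a build without fchmod the check and the correction no longer refer to the same object, and anything that re-points that path between the two calls receives the mode change instead of the file just checked; that gap deserves a comment, e.g. `/* No fchmod(): best effort on the path; the fstat() above checked the open fd */`. Neither branch looks at its return value, so when the repair fails (for instance a config file owned by another user) the file silently stays world-writable despite the comment's stated purpose; `if (chmod(dyn_CONFIGFILE, S_IWUSR | S_IRUSR | S_IRGRP | S_IROTH) != 0)` followed by a log line, and the same for the fchmod branch, would surface it. save_reload begins and ends outside the hunk.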
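Review bot: A comment on the added label would record why two different info levels share one handler, since the commit message is the only place that says they are identical: `case SMB_FILE_ALTERNATE_NAME_INFORMATION: /* identical to SMB_QUERY_FILE_ALT_NAME_INFO */`. The handler this label now joins continues past the hunk, and the branch it replaces (deleted in the `@@ -1935` hunk) bounded its Unicode write with `dos_PutUniCode(pdata+4,fname,max_data_bytes,False)` and derived `data_size` from the returned length, so it is worth confirming that the retained `short_name` path applies the same `max_data_bytes` bound before it returns. call_trans2qfilepathinfo starts and ends outside the hunk.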
From 5fc92d4596956ad7a2f099276fb529d0ba28d10b Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Thu, 8 May 2003 07:40:57 +0000 Subject: Another set of updates. --- docs/docbook/projdoc/DOMAIN_MEMBER.xml | 577 +++++++++++++++++++------------ docs/docbook/projdoc/NetworkBrowsing.xml | 26 ++ docs/docbook/projdoc/ProfileMgmt.xml | 51 +++ docs/docbook/projdoc/Samba-BDC-HOWTO.xml | 133 +++++-- docs/docbook/projdoc/Samba-PDC-HOWTO.xml | 18 + docs/docbook/projdoc/UNIX_INSTALL.xml | 195 ++++++++--- 6 files changed, 697 insertions(+), 303 deletions(-)
diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.xml b/docs/docbook/projdoc/DOMAIN_MEMBER.xml
index f12936a2152..de4a8510c07 100644
--- a/docs/docbook/projdoc/DOMAIN_MEMBER.xml
+++ b/docs/docbook/projdoc/DOMAIN_MEMBER.xml
@@ -8,186 +8,48 @@ Domain Membership - -Domain Member Server - -This mode of server operation involves the samba machine being made a member -of a domain security context. This means by definition that all user authentication -will be done from a centrally defined authentication regime. The authentication -regime may come from an NT3/4 style (old domain technology) server, or it may be -provided from an Active Directory server (ADS) running on MS Windows 2000 or later. +Domain Membership is a subject of vital concern, Samba must be able to participate +as a member server in a Microsoft Domain security context, and Samba must be capable of +providing Domain machine member trust accounts, otherwise it would not be capable of offering +a viable option for many users. - -Of course it should be clear that the authentication back end itself could be from any -distributed directory architecture server that is supported by Samba. This can be -LDAP (from OpenLDAP), or Sun's iPlanet, of NetWare Directory Server, etc. - - -Please refer to the section on Howto configure Samba as a Primary Domain Controller -and for more information regarding how to create a domain machine account for a -domain member server as well as for information regarding how to enable the samba -domain member machine to join the domain and to be fully trusted by it. +This chapter covers background information pertaining to domain membership, Samba +configuration for it, and MS Windows client procedures for joining a domain. Why is +this necessary? Because both are areas in which there exists within the current MS +Windows networking world and particularly in the Unix/Linux networking and administration +world, a considerable level of mis-information, incorrect understanding, and a lack of +knowledge. Hopefully this chapter will fill the voids. 
- - -Joining an NT4 type Domain with Samba-3 -Assumptions: - - NetBIOS name: SERV1 - Win2K/NT domain name: DOM - Domain's PDC NetBIOS name: DOMPDC - Domain's BDC NetBIOS names: DOMBDC1 and DOMBDC2 - - - -First, you must edit your &smb.conf; file to tell Samba it should -now use domain security. - -Change (or add) your -security = line in the [global] section -of your &smb.conf; to read: - -security = domain - -Next change the -workgroup = line in the [global] section to read: - -workgroup = DOM - -as this is the name of the domain we are joining. - -You must also have the parameter -encrypt passwords set to yes - in order for your users to authenticate to the NT PDC. - -Finally, add (or modify) a -password server = line in the [global] -section to read: - -password server = DOMPDC DOMBDC1 DOMBDC2 - -These are the primary and backup domain controllers Samba -will attempt to contact in order to authenticate users. Samba will -try to contact each of these servers in order, so you may want to -rearrange this list in order to spread out the authentication load -among domain controllers. - -Alternatively, if you want smbd to automatically determine -the list of Domain controllers to use for authentication, you may -set this line to be : - -password server = * - -This method, allows Samba to use exactly the same -mechanism that NT does. This -method either broadcasts or uses a WINS database in order to -find domain controllers to authenticate against. - -In order to actually join the domain, you must run this -command: - -root# net join -S DOMPDC --UAdministrator%password +Features and Benefits -If the -S DOMPDC argument is not given then -the domain name will be obtained from smb.conf. +MS Windows workstations and servers that want to participate in domain security need to +be made Domain members. Participating in Domain security is often called +Single Sign On or SSO for short. 
This chapter describes the process +that must be followed to make a workstation (or another server - be it an MS Windows NT4 / 200x +server) or a Samba server a member of an MS Windows Domain security context. -as we are joining the domain DOM and the PDC for that domain -(the only machine that has write access to the domain SAM database) -is DOMPDC. The Administrator%password is -the login name and password for an account which has the necessary -privilege to add machines to the domain. If this is successful -you will see the message: - -Joined domain DOM. -or Joined 'SERV1' to realm 'MYREALM' - - -in your terminal window. See the -net(8) man page for more details. - -This process joins the server to the domain -without having to create the machine trust account on the PDC -beforehand. - -This command goes through the machine account password -change protocol, then writes the new (random) machine account -password for this Samba server into a file in the same directory -in which an smbpasswd file would be stored - normally : - -/usr/local/samba/private/secrets.tdb - -This file is created and owned by root and is not -readable by any other user. It is the key to the domain-level -security for your system, and should be treated as carefully -as a shadow password file. - -Finally, restart your Samba daemons and get ready for -clients to begin using domain security! - - -Why is this better than security = server? - -Currently, domain security in Samba doesn't free you from -having to create local Unix users to represent the users attaching -to your server. This means that if domain user DOM\fred - attaches to your domain security Samba server, there needs -to be a local Unix user fred to represent that user in the Unix -filesystem. This is very similar to the older Samba security mode -security = server, -where Samba would pass through the authentication request to a Windows -NT server in the same way as a Windows 95 or Windows 98 server would. 
- - -Please refer to the Winbind -paper for information on a system to automatically -assign UNIX uids and gids to Windows NT Domain users and groups. + +Samba-3 can join an MS Windows NT4 style domain as a native member server, an MS Windows +Active Directory Domain as a native member server, or a Samba Domain Control network. -The advantage to domain-level security is that the -authentication in domain-level security is passed down the authenticated -RPC channel in exactly the same way that an NT server would do it. This -means Samba servers now participate in domain trust relationships in -exactly the same way NT servers do (i.e., you can add Samba servers into -a resource domain and have the authentication passed on from a resource -domain PDC to an account domain PDC). - -In addition, with security = server every Samba -daemon on a server has to keep a connection open to the -authenticating server for as long as that daemon lasts. This can drain -the connection resources on a Microsoft NT server and cause it to run -out of available connections. With security = domain, -however, the Samba daemons connect to the PDC/BDC only for as long -as is necessary to authenticate the user, and then drop the connection, -thus conserving PDC connection resources. - -And finally, acting in the same manner as an NT server -authenticating to a PDC means that as part of the authentication -reply, the Samba server gets the user identification information such -as the user SID, the list of NT groups the user belongs to, etc. - - Much of the text of this document -was first published in the Web magazine -LinuxWorld as the article Doing -the NIS/NT Samba. - -Machine Trust Accounts and Domain Membership +MS Windows Workstation/Server Machine Trust Accounts A machine trust account is an account that is used to authenticate a client machine (rather than a user) to the Domain Controller server. In Windows terminology, -this is known as a "Computer Account." 
+this is known as a "Computer Account." + The password of a machine trust account acts as the shared secret for @@ -201,7 +63,8 @@ because it does not possess a machine trust account, and thus has no shared secret with the domain controller. -A Windows NT4 PDC stores each machine trust account in the Windows + +A Windows NT4 PDC stores each machine trust account in the Windows Registry. The introduction of MS Windows 2000 saw the introduction of Active Directory, the new repository for machine trust accounts. @@ -211,13 +74,31 @@ A Samba PDC, however, stores each machine trust account in two parts, as follows: - A Samba account, stored in the same location as user - LanMan and NT password hashes (currently smbpasswd). - The Samba account possesses and uses only the NT password hash. + + A Domain Security Account (stored in the passdb backend + that has been configured in the &smb.conf; file. The precise nature of the + account information that is stored depends on the type of backend database + that has been chosen. + + + + The older format of this data is the smbpasswd database + which contains the unix login ID, the Unix user identifier (UID), and the + LanMan and NT encrypted passwords. There is also some other information in + this file that we do not need to concern ourselves with here. + - A corresponding Unix account, typically stored in - /etc/passwd. (Future releases will alleviate the need to - create /etc/passwd entries.) + + The two newer database types are called ldapsam, tdbsam. + Both store considerably more data than the older smbpasswd + file did. The extra information enables new user account controls to be used. + + + + A corresponding Unix account, typically stored in /etc/passwd. + Work is in progress to allow a simplified mode of operation that does not require + Unix user accounts, but this may not be a feature of the early releases of Samba-3. + 
@@ -226,39 +107,38 @@ There are two ways to create machine trust accounts: - Manual creation. Both the Samba and corresponding - Unix account are created by hand. + + Manual creation. Both the Samba and corresponding Unix account are created by hand. + - "On-the-fly" creation. The Samba machine trust - account is automatically created by Samba at the time the client - is joined to the domain. (For security, this is the - recommended method.) The corresponding Unix account may be - created automatically or manually. - - + + "On-the-fly" creation. The Samba machine trust account is automatically created by + Samba at the time the client is joined to the domain. (For security, this is the + recommended method.) The corresponding Unix account may be created automatically or manually. + Manual Creation of Machine Trust Accounts -The first step in manually creating a machine trust account is to -manually create the corresponding Unix account in -/etc/passwd. This can be done using -vipw or other 'add user' command that is normally -used to create new Unix accounts. The following is an example for a -Linux based Samba server: +The first step in manually creating a machine trust account is to manually create the +corresponding Unix account in /etc/passwd. This can be done using +vipw or other 'add user' command that is normally used to create new +Unix accounts. The following is an example for a Linux based Samba server: - root# /usr/sbin/useradd -g 100 -d /dev/null -c "machine -nickname" -s /bin/false machine_name$ +root# /usr/sbin/useradd -g 100 -d /dev/null -c "machine nickname" -s /bin/false machine_name$ + root# passwd -l machine_name$ -On *BSD systems, this can be done using the 'chpass' utility: + +On *BSD systems, this can be done using the 'chpass' utility: + root# chpass -a "machine_name$:*:101:100::0:0:Workstation machine_name:/dev/null:/sbin/nologin" 
@@ -271,9 +151,9 @@ home directory. For example a machine named 'doppy' would have an /etc/passwd entry like this: - + doppy$:x:505:501:machine_nickname:/dev/null:/bin/false - + Above, machine_nickname can be any @@ -293,7 +173,9 @@ as shown here: + root# smbpasswd -a -m machine_name + @@ -325,7 +207,8 @@ the corresponding Unix account. The second (and recommended) way of creating machine trust accounts is simply to allow the Samba server to create them as needed when the client -is joined to the domain. +is joined to the domain. + Since each Samba machine trust account requires a corresponding Unix account, a method for automatically creating the @@ -357,7 +240,7 @@ The procedure for joining a client to the domain varies with the version of Wind -Windows 2000 + Windows 2000 When the user elects to join the client to a domain, Windows prompts for 
@@ -373,35 +256,277 @@ The procedure for joining a client to the domain varies with the version of Wind encryption key for setting the password of the machine trust account. The machine trust account will be created on-the-fly, or updated if it already exists. - + - + Windows NT -Windows NT - - If the machine trust account was created manually, on the + + If the machine trust account was created manually, on the Identification Changes menu enter the domain name, but do not check the box "Create a Computer Account in the Domain." In this case, the existing machine trust account is used to join the machine to - the domain. + the domain. + - If the machine trust account is to be created + + If the machine trust account is to be created on-the-fly, on the Identification Changes menu enter the domain name, and check the box "Create a Computer Account in the Domain." In this case, joining the domain proceeds as above for Windows 2000 (i.e., you must supply a Samba administrative account when - prompted). - + prompted). + -Samba + Samba Joining a samba client to a domain is documented in the Domain Member chapter. - + + +Domain Member Server + + +This mode of server operation involves the samba machine being made a member +of a domain security context. This means by definition that all user authentication +will be done from a centrally defined authentication regime. The authentication +regime may come from an NT3/4 style (old domain technology) server, or it may be +provided from an Active Directory server (ADS) running on MS Windows 2000 or later. + + + + +Of course it should be clear that the authentication back end itself could be from any +distributed directory architecture server that is supported by Samba. This can be +LDAP (from OpenLDAP), or Sun's iPlanet, of NetWare Directory Server, etc. 
+ + + + +Please refer to the section on Howto configure Samba as a Primary Domain Controller +and for more information regarding how to create a domain machine account for a +domain member server as well as for information regarding how to enable the samba +domain member machine to join the domain and to be fully trusted by it. + + + +Joining an NT4 type Domain with Samba-3 + + +Assumptions: + + NetBIOS name: SERV1 + Win2K/NT domain name: DOM + Domain's PDC NetBIOS name: DOMPDC + Domain's BDC NetBIOS names: DOMBDC1 and DOMBDC2 + + + + +First, you must edit your &smb.conf; file to tell Samba it should +now use domain security. + + + +Change (or add) your +security = line in the [global] section +of your &smb.conf; to read: + + + + + security = domain + + + + +Next change the +workgroup = line in the [global] section to read: + + + + + workgroup = DOM + + + + +as this is the name of the domain we are joining. + + + +You must also have the parameter +encrypt passwords set to yes + in order for your users to authenticate to the NT PDC. + + + +Finally, add (or modify) a +password server = line in the [global] +section to read: + + + + + password server = DOMPDC DOMBDC1 DOMBDC2 + + + + +These are the primary and backup domain controllers Samba +will attempt to contact in order to authenticate users. Samba will +try to contact each of these servers in order, so you may want to +rearrange this list in order to spread out the authentication load +among domain controllers. + + + +Alternatively, if you want smbd to automatically determine +the list of Domain controllers to use for authentication, you may +set this line to be: + + + + + password server = * + + + + +This method, allows Samba to use exactly the same mechanism that NT does. This +method either broadcasts or uses a WINS database in order to +find domain controllers to authenticate against. 
+ + + +In order to actually join the domain, you must run this command: + + + + + root# net join -S DOMPDC -UAdministrator%password + + + + +If the -S DOMPDC argument is not given then +the domain name will be obtained from smb.conf. + + + +As we are joining the domain DOM and the PDC for that domain +(the only machine that has write access to the domain SAM database) +is DOMPDC. The Administrator%password is +the login name and password for an account which has the necessary +privilege to add machines to the domain. If this is successful +you will see the message: + + + +Joined domain DOM. +or Joined 'SERV1' to realm 'MYREALM' + + + +in your terminal window. See the +net(8) man page for more details. + + + +This process joins the server to the domain without having to create the machine +trust account on the PDC beforehand. + + + +This command goes through the machine account password +change protocol, then writes the new (random) machine account +password for this Samba server into a file in the same directory +in which an smbpasswd file would be stored - normally : + + + +/usr/local/samba/private/secrets.tdb + + + +This file is created and owned by root and is not +readable by any other user. It is the key to the domain-level +security for your system, and should be treated as carefully +as a shadow password file. + + + +Finally, restart your Samba daemons and get ready for +clients to begin using domain security! + + + + + +Why is this better than security = server? + + +Currently, domain security in Samba doesn't free you from +having to create local Unix users to represent the users attaching +to your server. This means that if domain user DOM\fred + attaches to your domain security Samba server, there needs +to be a local Unix user fred to represent that user in the Unix +filesystem. 
This is very similar to the older Samba security mode +security = server, +where Samba would pass through the authentication request to a Windows +NT server in the same way as a Windows 95 or Windows 98 server would. + + + +Please refer to the Winbind +paper for information on a system to automatically +assign UNIX uids and gids to Windows NT Domain users and groups. + + + +The advantage to domain-level security is that the +authentication in domain-level security is passed down the authenticated +RPC channel in exactly the same way that an NT server would do it. This +means Samba servers now participate in domain trust relationships in +exactly the same way NT servers do (i.e., you can add Samba servers into +a resource domain and have the authentication passed on from a resource +domain PDC to an account domain PDC). + + + +In addition, with security = server every Samba +daemon on a server has to keep a connection open to the +authenticating server for as long as that daemon lasts. This can drain +the connection resources on a Microsoft NT server and cause it to run +out of available connections. With security = domain, +however, the Samba daemons connect to the PDC/BDC only for as long +as is necessary to authenticate the user, and then drop the connection, +thus conserving PDC connection resources. + + + +And finally, acting in the same manner as an NT server +authenticating to a PDC means that as part of the authentication +reply, the Samba server gets the user identification information such +as the user SID, the list of NT groups the user belongs to, etc. + + + + +Much of the text of this document +was first published in the Web magazine +LinuxWorld as the article Doing +the NIS/NT Samba. + + + + + + Samba ADS Domain Membership @@ -413,7 +538,9 @@ Windows2000 KDC. Setup your <filename>smb.conf</filename> -You must use at least the following 3 options in smb.conf: + +You must use at least the following 3 options in smb.conf: + realm = your.kerberos.REALM 
@@ -429,21 +556,25 @@ In case samba can't figure out your ads server using your realm name, use the -You do *not* need a smbpasswd file, and older clients will - be authenticated as if security = domain, - although it won't do any harm - and allows you to have local users not in the domain. - I expect that the above required options will change soon when we get better - active directory integration. + +You do *not* need a smbpasswd file, and older clients will be authenticated as if +security = domain, although it won't do any harm and allows you +to have local users not in the domain. I expect that the above required options will +change soon when we get better active directory integration. + Setup your <filename>/etc/krb5.conf</filename> -Note: you will need the krb5 workstation, devel, and libs installed + +Note: you will need the krb5 workstation, devel, and libs installed + -The minimal configuration for krb5.conf is: + +The minimal configuration for krb5.conf is: + [realms] @@ -452,17 +583,22 @@ In case samba can't figure out your ads server using your realm name, use the } -Test your config by doing a kinit + +Test your config by doing a kinit USERNAME@REALM and making sure that your password is accepted by the Win2000 KDC. -The realm must be uppercase or you will get "Cannot find KDC for requested -realm while getting initial credentials" error + +The realm must be uppercase or you will get "Cannot find KDC for requested +realm while getting initial credentials" error + -Time between the two servers must be synchronized. You will get a + +Time between the two servers must be synchronized. You will get a "kinit(v5): Clock skew too great while getting initial credentials" if the time -difference is more than five minutes. +difference is more than five minutes. + You also must ensure that you can do a reverse DNS lookup on the IP 
@@ -554,11 +690,16 @@ specify the -k option to choose kerberos authentication. Notes -You must change administrator password at least once after DC -install, to create the right encoding types + +You must change administrator password at least once after DC +install, to create the right encoding types + + + +w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in +their defaults DNS setup. Maybe fixed in service packs? + -w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in - their defaults DNS setup. Maybe fixed in service packs? diff --git a/docs/docbook/projdoc/NetworkBrowsing.xml b/docs/docbook/projdoc/NetworkBrowsing.xml index 29768ea42ae..6327bde30ae 100644 --- a/docs/docbook/projdoc/NetworkBrowsing.xml +++ b/docs/docbook/projdoc/NetworkBrowsing.xml @@ -1283,6 +1283,32 @@ If either router R1 or R2 fails the following will occur: + + + +Common Errors + + +Many questions are sked on the mailing lists regarding browsing. The majority of browsing +problems originate out of incorrect configuration of NetBIOS name resolution. Some are of +particular note. + + +How can one flush the Samba NetBIOS name cache without restarting samba? + + +Sambas' nmbd process controls all browse list handling. Under normal circumstances it is +safe to restart nmbd. This will effectively flush the samba NetBIOS name cache and cause it +to be rebuilt. Note that this does NOT make certain that a rogue machine name will not re-appear +in the browse list. When nmbd is taken out of service another machine on the network will +become the browse master. This new list may still have the rogue entry in it. If you really +want to clear a rogue machine from the list then every machine on the network will need to be +shut down and restarted at after all machines are down. Failing a complete restart, the only +other thing you can do is wait until the entry times out and is then flushed from the list. +This may take a long time on some networks (months). + + + 
diff --git a/docs/docbook/projdoc/ProfileMgmt.xml b/docs/docbook/projdoc/ProfileMgmt.xml index 82897808b2c..140dd44ba1b 100644 --- a/docs/docbook/projdoc/ProfileMgmt.xml +++ b/docs/docbook/projdoc/ProfileMgmt.xml @@ -1123,4 +1123,55 @@ In which case, the local cache copy will be deleted on logout. + +Common Errors + + +THe following are some typical errors/problems/questions that have been asked. + + + +How does one set up roaming profiles for just one (or a few) user/s or group/s? + + +With samba-2.2.x the choice you have is to enable or disable roaming +profiles support. It is a global only setting. The default is to have +roaming profiles and the default path will locate them in the user's home +directory. + + + +If disabled globally then no-one will have roaming profile ability. +If enabled and you want it to apply only to certain machines, then on +those machines on which roaming profile support is NOT wanted it is then +necessary to disable roaming profile handling in the registry of each such +machine. + + + +With samba-3.0.0 (soon to be released) you can have a global profile +setting in smb.conf _AND_ you can over-ride this by per-user settings +using the Domain User Manager (as with MS Windows NT4/ Win 2Kx). + + + +In any case, you can configure only one profile per user. That profile can +be either: + + + + + A profile unique to that user + + + A mandatory profile (one the user can not change) + + + A group profile (really should be mandatory ie:unchangable) + + + + + + diff --git a/docs/docbook/projdoc/Samba-BDC-HOWTO.xml b/docs/docbook/projdoc/Samba-BDC-HOWTO.xml index 8b72c8e28f9..5d629024871 100644 --- a/docs/docbook/projdoc/Samba-BDC-HOWTO.xml +++ b/docs/docbook/projdoc/Samba-BDC-HOWTO.xml 
@@ -17,9 +17,50 @@ with configuring a Samba Domain Controller as described in the Features And Benefits -Stuff goees here +This is one of the most difficult chapters to summarise. It matters not what we say here +for someone will still draw conclusions and / or approach the Samba-Team with expectations +that are either not yet capable of being delivered, or that can be achieved for more +effectively using a totally different approach. Since this HOWTO is already so large and +extensive, we have taken the decision to provide sufficient (but not comprehensive) +information regarding Backup Domain Control. In the event that you should have a persistent +concern that is not addressed in this HOWTO document then please email +John H Terpstra clearly setting out your requirements +and / or question and we will do our best to provide a solution. + +Samba-3 is capable of acting as a Backup Domain Controller to another Samba Primary Domain +Controller. A Samba-3 PDC can operate with an LDAP Account backend. The Samba-3 BDC can +operate with a slave LDAP server for the Account backend. This effectively gives samba a high +degree of scalability. This is a very sweet (nice) solution for large organisations. + + + +While it is possible to run a Samba-3 BDC with non-LDAP backend, the administrator will +need to figure out precisely what is the best way to replicate (copy / distribute) the +user and machine Accounts backend. Again, Samba-3 provides a number of possibilities: + + + +Backup Domain Backend Account Distribution Options + + Passwd Backend is LDAP based, BDCs use a slave LDAP server + + + + Passdb Backend is tdbsam based, BDCs use cron based "net rcp vampire" to + suck down the Accounts database from the PDC + + + + Make use of rsync to replicate (pull down) copies of the essential account files + + + + Operate with an entirely local accounts database (not recommended) + + + 
@@ -202,29 +243,6 @@ mutually authenticate and the password change is done. - -Can Samba be a Backup Domain Controller to an NT4 PDC? - - -With version 2.2, no. The native NT4 SAM replication protocols have not yet been fully -implemented. The Samba Team is working on understanding and implementing the protocols, -but this work has not been finished for version 2.2. - - - -With version 3.0, the work on both the replication protocols and a suitable storage -mechanism has progressed, and some form of NT4 BDC support is expected soon. - - - -Can I get the benefits of a BDC with Samba? Yes. The main reason for implementing a -BDC is availability. If the PDC is a Samba machine, a second Samba machine can be set up to -service logon requests whenever the PDC is down. - - - - - Backup Domain Controller Configuration @@ -273,11 +291,15 @@ Several things have to be done: + +Example Configuration + Finally, the BDC has to be found by the workstations. This can be done by setting: +Essential Parameters for BDC Operation workgroup = SAMBA domain master = no domain logons = yes 
@@ -285,13 +307,58 @@ Finally, the BDC has to be found by the workstations. This can be done by settin in the [global]-section of the smb.conf of the BDC. This makes the BDC -only register the name SAMBA#1c with the WINS server. This is no -problem as the name SAMBA#1c is a NetBIOS group name that is meant to +only register the name SAMBA<#1c> with the WINS server. This is no +problem as the name SAMBA<#1c> is a NetBIOS group name that is meant to be registered by more than one machine. The parameter 'domain master = -no' forces the BDC not to register SAMBA#1b which as a unique NetBIOS +no' forces the BDC not to register SAMBA<#1b> which as a unique NetBIOS name is reserved for the Primary Domain Controller. + + + + +Common Errors + + +As this is a rather new area for Samba there are not many examples thta we may refer to. Keep +watching for updates to this section. + + + +Machine Accounts keep expiring, what can I do? + + +This problem will occur when occur when the account files are replicated from a central +server but the local Domain Controllers are not forwarding machine account password updates +back to the central server, or where there is an excessive delay in replication of the centrally +changed machine account password to the local Domain Controller. + + + + + +Can Samba be a Backup Domain Controller to an NT4 PDC? + + +With version 2.2, no. The native NT4 SAM replication protocols have not yet been fully +implemented. The Samba Team is working on understanding and implementing the protocols, +but this work has not been finished for version 2.2. + + + +With version 3.0, the work on both the replication protocols and a suitable storage +mechanism has progressed, and some form of NT4 BDC support is expected soon. + + + +Can I get the benefits of a BDC with Samba? Yes. The main reason for implementing a +BDC is availability. If the PDC is a Samba machine, a second Samba machine can be set up to +service logon requests whenever the PDC is down. 
+ + + + How do I replicate the smbpasswd file? @@ -309,7 +376,6 @@ Ssh itself can be set up to accept *only* rsync transfer without requiring the u to type a password. - @@ -321,16 +387,7 @@ LDAP server, and will also follow referrals and rebind to the master if it ever needs to make a modification to the database. (Normally BDCs are read only, so this will not occur often). - - - - - -Common Errors - - -Stuff goes here - + diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.xml b/docs/docbook/projdoc/Samba-PDC-HOWTO.xml index fddd5aade66..552a95c878b 100644 --- a/docs/docbook/projdoc/Samba-PDC-HOWTO.xml +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.xml @@ -68,6 +68,24 @@ to not inflict pain on others. Do your learning on a test network. Features and Benefits + +What is the key benefit of Microsoft Domain security? + + + +In a word, Single Sign On, or SSO for short. This to many is the holy +grail of MS Windows NT and beyond networking. SSO allows users in a well designed network +to log onto any workstation that is a member of the domain that their user account is in +(or in a domain that has an appropriate trust relationship with the domain they are visiting) +and they will be able to log onto the network and access resources (shares, files, and printers) +as if they are sitting at their home (personal) workstation. This is a feature of the Domain +security protocols. + + + +The benefits of Domain security are fully available to those sites that deploy a Samba PDC. + + The following functionalities are new to the Samba-3 release: diff --git a/docs/docbook/projdoc/UNIX_INSTALL.xml b/docs/docbook/projdoc/UNIX_INSTALL.xml index 39fac749b9e..3dff9a55286 100644 --- a/docs/docbook/projdoc/UNIX_INSTALL.xml +++ b/docs/docbook/projdoc/UNIX_INSTALL.xml 
@@ -13,7 +13,8 @@ Obtaining and installing samba - Binary packages of samba are included in almost any Linux or + + Binary packages of samba are included in almost any Linux or Unix distribution. There are also some packages available at the samba homepage. 
@@ -29,67 +30,80 @@ - Configuring samba + Configuring samba (smb.conf) - Samba's configuration is stored in the smb.conf file, + + Samba's configuration is stored in the smb.conf file, that usually resides in /etc/samba/smb.conf or /usr/local/samba/lib/smb.conf. You can either edit this file yourself or do it using one of the many graphical tools that are available, such as the web-based interface swat, that - is included with samba. + is included with samba. + - Editing the <filename>smb.conf</filename> file + Example Configuration - There are sample configuration files in the examples - subdirectory in the distribution. I suggest you read them - carefully so you can see how the options go together in - practice. See the man page for all the options. - - The simplest useful configuration file would be - something like this: - - -[global] - workgroup = MYGROUP - -[homes] - guest ok = no - read only = no - + + There are sample configuration files in the examples subdirectory in the + distribution. I suggest you read them carefully so you can see how the options + go together in practice. See the man page for all the options. + + + + The simplest useful configuration file would be something like this: + + + + + [global] + workgroup = MYGROUP + + [homes] + guest ok = no + read only = no + + - which would allow connections by anyone with an - account on the server, using either their login name or - "homes" as the service name. (Note that I also set the - workgroup that Samba is part of. See BROWSING.txt for details) + + This will allow connections by anyone with an account on the server, using either + their login name or "homes" as the service name. + (Note that the workgroup that Samba must also be set.) + - Make sure you put the smb.conf file in the same place + + Make sure you put the smb.conf file in the same place you specified in theMakefile (the default is to - look for it in /usr/local/samba/lib/). + look for it in /usr/local/samba/lib/). 
+ - For more information about security settings for the + + For more information about security settings for the [homes] share please refer to the chapter - Securing Samba. + Securing Samba. + - Test your config file with - <command>testparm</command> + Test your config file with <command>testparm</command> - It's important that you test the validity of your - smb.conf file using the testparm program. - If testparm runs OK then it will list the loaded services. If - not it will give an error message. + + It's important that you test the validity of your smb.conf + file using the testparm program. If testparm runs OK + then it will list the loaded services. If not it will give an error message. + - Make sure it runs OK and that the services look - reasonable before proceeding. + + Make sure it runs OK and that the services look reasonable before proceeding. + - Always run testparm again when you change - smb.conf! + + Always run testparm again when you change smb.conf! + - + SWAT @@ -99,15 +113,21 @@ on compiling, installing and configuring swat from source. - To launch SWAT just run your favorite web browser and - point it at "http://localhost:901/". Replace localhost with the name of the computer you are running samba on if you - are running samba on a different computer than your browser. + + To launch SWAT just run your favorite web browser and + point it at "http://localhost:901/". Replace + localhost + with the name of the computer you are running samba on if you + are running samba on a different computer than your browser. + - Note that you can attach to SWAT from any IP connected + + Note that you can attach to SWAT from any IP connected machine but connecting from a remote machine leaves your connection open to password sniffing as passwords will be sent - in the clear over the wire. - + in the clear over the wire. + + 
@@ -179,5 +199,86 @@ Samba has been successfully installed at thousands of sites worldwide, so maybe someone else has hit your problem and has overcome it. - + + + +Common Errors + + +The following questions and issues get raised on the samba mailing list over and over again. + + + +Why are so many smbd processes eating memory? + + +Site that is running Samba on an AIX box. They are sharing out about 2 terabytes using samba. +Samba was installed using smitty and the binaries. We seem to be experiencing a memory problem +with this box. When I do a svmon -Pu the monitoring program shows that smbd has several +processes of smbd running: + + + +Is samba suppose to start this many different smbd processes? Or does it run as one smbd process? Also +is it normal for it to be taking up this much memory? + + + + +Inuse * 4096 = amount of memory being used by this process + + Pid Command Inuse Pin Pgsp Virtual 64-bit Mthrd + 20950 smbd 33098 1906 181 5017 N N + 22262 smbd 9104 1906 5410 + 21060 smbd 9048 1906 181 5479 N N + 25972 smbd 8678 1906 181 5109 N N + 24524 smbd 8674 1906 181 5105 N N + 19262 smbd 8582 1906 181 5013 N N + 20722 smbd 8572 1906 181 5003 N N + 21454 smbd 8572 1906 181 5003 N N + 28946 smbd 8567 1906 181 4996 N N + 24076 smbd 8566 1906 181 4996 N N + 20138 smbd 8566 1906 181 4996 N N + 17608 smbd 8565 1906 181 4996 N N + 21820 smbd 8565 1906 181 4996 N N + 26940 smbd 8565 1906 181 4996 N N + 19884 smbd 8565 1906 181 4996 N N + 9912 smbd 8565 1906 181 4996 N N + 25800 smbd 8564 1906 181 4995 N N + 20452 smbd 8564 1906 181 4995 N N + 18592 smbd 8562 1906 181 4993 N N + 28216 smbd 8521 1906 181 4954 N N + 19110 smbd 8404 1906 181 4862 N N + + Total memory used: 841,592,832 bytes + + + + + +ANSWER: Samba consists on three core programs: +nmbd, smbd, winbindd. nmbd is the name server message daemon, +smbd is the server message daemon, winbind is the daemon that +handles communication with Domain Controllers. 
+ + + +If your system is NOT running as a WINS server, then there will be one (1) single instance of + nmbd running on your system. If it is running as a WINS server then there will be +two (2) instances - one to handle the WINS requests. + + + +smbd handles ALL connection requests and then spawns a new process for each client +connection made. That is why you are seeing so many of them, one (1) per client connection. + + + +winbindd will run as one or two daemons, depending on whether or not it is being +run in "split mode" (in which case there will be two instances). + + + + + -- cgit From bfcec106d00355d32eb40dde99ddd5d5bed4cedb Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 8 May 2003 20:19:21 +0000 Subject: fixed bug #75; add check for non-zero destlen --- source/lib/charcnv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/lib/charcnv.c b/source/lib/charcnv.c index 7acb7147fd6..c3360bbb658 100644 --- a/source/lib/charcnv.c +++ b/source/lib/charcnv.c @@ -252,7 +252,7 @@ convert: destlen = destlen - o_len; *dest = (char *)Realloc(ob,destlen); - if (!*dest) { + if (destlen && !*dest) { DEBUG(0, ("convert_string_allocate: out of memory!\n")); SAFE_FREE(ob); return (size_t)-1; -- cgit From 26824f572d29bebd3791bad6f6690b35984705cd Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 8 May 2003 21:20:07 +0000 Subject: fix bug #47; revert registration of workgroup<1b> to 2.2 behavior --- source/nmbd/nmbd_become_dmb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/nmbd/nmbd_become_dmb.c b/source/nmbd/nmbd_become_dmb.c index 6b92f4c3c0f..2e76e51f453 100644 --- a/source/nmbd/nmbd_become_dmb.c +++ b/source/nmbd/nmbd_become_dmb.c @@ -375,7 +375,7 @@ void add_domain_names(time_t t) add_logon_names(); /* Do the domain master names. */ - if(lp_server_role() == ROLE_DOMAIN_PDC) + if(lp_domain_master()) { if(we_are_a_wins_client()) { -- cgit From 11bc14736df6826fb1619c04da4792c27c05d06b Mon Sep 17 00:00:00 2001 
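Review bot: With the new guard `if (destlen && !*dest)`, a zero destlen turns a NULL `*dest` into a success path, so every caller of convert_string_allocate has to accept a NULL destination together with a zero length instead of reading through it; the hunk does not show whether they do, and a NULL dereference there would be an easy crash on untrusted input. Whether `ob` is released on that path depends on Samba's Realloc semantics for a zero size, which are outside the hunk: if Realloc(ob, 0) frees ob the code is correct, if it only returns NULL then ob leaks here. A comment at the check would pin the assumption: `/* destlen == 0 is a legitimate empty result; NULL is only an error when a non-empty buffer was requested. Relies on Realloc(ob, 0) releasing ob. */`. The rest of convert_string_allocate is outside the hunk.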
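Review bot: The domain master names are now registered purely on `lp_domain_master()`, so any host configured with `domain master = yes`, whatever its server role, claims the unique WORKGROUP<1b> name and will conflict with an existing PDC on that network; the commit message says this restores the 2.2 behaviour for bug #47, but nothing in the code records that, and the next reader is likely to reinstate the role check. A comment on the condition would preserve the intent: `/* Register WORKGROUP<1b> on 'domain master' alone; the server-role test was dropped for bug #47 (2.2 behaviour). */`. add_domain_names continues outside the hunk.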
From: Gerald Carter Date: Thu, 8 May 2003 21:56:51 +0000 Subject: adding warning about case sensitive parameter --- docs/docbook/smbdotconf/smb.conf.5.xml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/docbook/smbdotconf/smb.conf.5.xml b/docs/docbook/smbdotconf/smb.conf.5.xml index 2a5d190f69c..9b91be4fbc1 100644 --- a/docs/docbook/smbdotconf/smb.conf.5.xml +++ b/docs/docbook/smbdotconf/smb.conf.5.xml @@ -507,9 +507,11 @@ alias|alias|alias|alias... case sensitive = yes/no - controls whether filenames are case sensitive. If - they aren't then Samba must do a filename search and match on passed - names. Default no. + controls whether filenames are case sensitive. + Windows clients will break if you enable + this parameter. It is only included for case insentive + file systems (such as VFAT) and performance testing. + Default no. -- cgit From b13046d95958995d9d05be977b8874df17fedb9b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 8 May 2003 21:58:34 +0000 Subject: add new %a strings --- docs/docbook/smbdotconf/smb.conf.5.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/docbook/smbdotconf/smb.conf.5.xml b/docs/docbook/smbdotconf/smb.conf.5.xml index 9b91be4fbc1..db8eb81c286 100644 --- a/docs/docbook/smbdotconf/smb.conf.5.xml +++ b/docs/docbook/smbdotconf/smb.conf.5.xml @@ -396,10 +396,10 @@ alias|alias|alias|alias... the architecture of the remote machine. Only some are recognized, and those may not be 100% reliable. It currently recognizes Samba, WfWg, Win95, - WinNT and Win2k. Anything else will be known as + WinNT, Win2k, WinXP, and Win2K3. Anything else will be known as "UNKNOWN". If it gets it wrong then sending a level - 3 log to samba@samba.org - should allow it to be fixed. + 3 log to samba-technical@samba.org + should allow it to be fixed. -- cgit From a0688316ce0a9bad0b24cbb495f6e0a112227b50 Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Fri, 9 May 2003 01:06:43 +0000 Subject: Fix nasty bug pointed out by samba-technical poster. If name is mangled then we weren't always correctly detecting that it had a valid stat struct and so might now return a 'file existed'. Finally realized this when installing the W2K resource kit as a test case. Jeremy. --- source/smbd/filename.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/source/smbd/filename.c b/source/smbd/filename.c index ad707a2b9dd..9dd1523c73d 100644 --- a/source/smbd/filename.c +++ b/source/smbd/filename.c @@ -248,6 +248,16 @@ BOOL unix_convert(pstring name,connection_struct *conn,char *saved_last_componen return(False); } + if (!end) { + /* + * We just scanned for, and found the end of the path. + * We must return the valid stat struct. + * JRA. + */ + + *pst = st; + } + } else { pstring rest; @@ -373,7 +383,8 @@ BOOL unix_convert(pstring name,connection_struct *conn,char *saved_last_componen /* * If we ended up resolving the entire path then return a valid - * stat struct if we got one. + * stat struct if we got one. Note this doesn't catch mangled paths, + * but the check in the for loop above will do that. JRA. */ if (VALID_STAT(st) && (strlen(orig_path) == strlen(name))) -- cgit From edc51dbc9ce319c612e2ff9434ca5a7521ba016f Mon Sep 17 00:00:00 2001 From: Richard Sharpe Date: Fri, 9 May 2003 04:59:36 +0000 Subject: Fix some compiler warnings about const etc ... --- source/utils/editreg.c | 7 +++---- source/utils/profiles.c | 4 ++-- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/source/utils/editreg.c b/source/utils/editreg.c index c45959799be..709c8d53cd1 100644 --- a/source/utils/editreg.c +++ b/source/utils/editreg.c @@ -1041,7 +1041,6 @@ void *str_to_val(int type, char *val, int *len) default: return NULL; - break; } return NULL; 
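Review bot: The added `*pst = st;` in the first hunk copies st into the caller's buffer without the `VALID_STAT(st)` guard that the second hunk's return path uses, so its correctness depends on st having been filled by a successful stat just above the visible lines; if any route reaches this point after a failed stat, the caller receives stale or uninitialised data. Either guard it, `if (!end && VALID_STAT(st)) { *pst = st; }`, which keeps the two paths consistent, or extend the new comment to say why st is guaranteed valid at that point. unix_convert's body starts and ends outside both hunks.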
@@ -1212,7 +1211,7 @@ int string_to_sid(DOM_SID **sid, char *sid_str) lstr = strchr(lstr + 1, '-'); } - return 1; + /*return 1; */ /* Not Reached ... */ } /* @@ -1380,7 +1379,7 @@ REG_KEY *nt_add_reg_key_list(REGF *regf, REG_KEY *key, char * name, int create) else { /* Create more space in the list ... */ if (!(list = (KEY_LIST *)realloc(list, sizeof(KEY_LIST) + (list->max_keys + REG_KEY_LIST_SIZE - 1) - * sizeof(REG_KEY *)))); + * sizeof(REG_KEY *)))) goto error; list->max_keys += REG_KEY_LIST_SIZE; @@ -1586,7 +1585,7 @@ int data_to_ascii(unsigned char *datap, int len, int type, char *ascii, int asci if (verbose) fprintf(stderr, "Len: %d\n", len); /* FIXME. This has to be fixed. It has to be UNICODE */ return uni_to_ascii(datap, ascii, len, ascii_max); - break; + break; /*NOTREACHED*/ case REG_TYPE_EXPANDSZ: return uni_to_ascii(datap, ascii, len, ascii_max); diff --git a/source/utils/profiles.c b/source/utils/profiles.c index 7c2d820c810..afaa83f6384 100644 --- a/source/utils/profiles.c +++ b/source/utils/profiles.c @@ -418,10 +418,10 @@ static int my_sid_equal(DOM_SID *s1, DOM_SID *s2) * Quick and dirty to read a SID in S-1-5-21-x-y-z-rid format and * construct a DOM_SID */ -static int get_sid(DOM_SID *sid, char *sid_str) +static int get_sid(DOM_SID *sid, const unsigned char *sid_str) { int i = 0, auth; - char *lstr; + const unsigned char *lstr; if (strncmp(sid_str, "S-1-5", 5)) { fprintf(stderr, "Does not conform to S-1-5...: %s\n", sid_str); -- cgit From cd1182ba75fbfa6b17964a3fefba2c2c0292cfb7 Mon Sep 17 00:00:00 2001 From: Richard Sharpe Date: Fri, 9 May 2003 05:39:50 +0000 Subject: Fix up a bunch of compiler warnings ... --- source/utils/editreg.c | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/source/utils/editreg.c b/source/utils/editreg.c index 709c8d53cd1..eb1ed9bef45 100644 --- a/source/utils/editreg.c +++ b/source/utils/editreg.c 
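Review bot: Commenting out `return 1;` at the end of string_to_sid leaves a non-void function with no return on its last statement; if the loop above it can exit normally (only its last line is visible in the hunk), control falls off the end and main's use of the result is undefined behaviour, and compilers will warn about it. If the return really is unreachable, keeping `return 1; /* NOTREACHED */` costs nothing and satisfies both the compiler and the reader; if it is reachable, the comment has silently removed the function's success value.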
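Review bot: With the stray `;` removed the `goto error` in nt_add_reg_key_list is now conditional as intended, but the surviving line `if (!(list = (KEY_LIST *)realloc(list, ...)))` still overwrites `list` with NULL when realloc fails, so the existing list block leaks and any cleanup at `error:` sees NULL rather than the original allocation. Grow through a temporary: `KEY_LIST *tmp = realloc(list, sizeof(KEY_LIST) + (list->max_keys + REG_KEY_LIST_SIZE - 1) * sizeof(REG_KEY *));` then `if (!tmp) goto error;` and `list = tmp;`. The enclosing function starts and ends outside the hunk.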
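Review bot: `sid_str` is now declared `const unsigned char *` but is passed unchanged to `strncmp`, whose parameter type is `const char *`; on GCC that is an incompatible pointer-type (pointer-sign) warning, so this hunk trades the warning it removes for a new one. `static int get_sid(DOM_SID *sid, const char *sid_str)` with `const char *lstr;` is the type the string functions expect; if a caller holds an `unsigned char *` it is better cast at the call site. The rest of get_sid is outside the hunk.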
@@ -334,10 +334,10 @@ Hope this helps.... (Although it was "fun" for me to uncover this things, #define CVAL(buf) ((unsigned char)*((unsigned char *)(buf))) #define SIVAL(buf, val) \ - ((unsigned char)buf[0]=(unsigned char)((val)&0xFF),\ - (unsigned char)buf[1]=(unsigned char)(((val)>>8)&0xFF),\ - (unsigned char)buf[2]=(unsigned char)(((val)>>16)&0xFF),\ - (unsigned char)buf[3]=(unsigned char)((val)>>24)) + ((((unsigned char *)(buf))[0])=(unsigned char)((val)&0xFF),\ + (((unsigned char *)(buf))[1])=(unsigned char)(((val)>>8)&0xFF),\ + (((unsigned char *)(buf))[2])=(unsigned char)(((val)>>16)&0xFF),\ + (((unsigned char *)(buf))[3])=(unsigned char)((val)>>24)) #define SSVAL(buf, val) \ ((unsigned char)buf[0]=(unsigned char)((val)&0xFF),\ @@ -346,7 +346,7 @@ Hope this helps.... (Although it was "fun" for me to uncover this things, static int verbose = 0; static int print_security = 0; static int full_print = 0; -static char *def_owner_sid_str = NULL; +static const char *def_owner_sid_str = NULL; /* * These definitions are for the in-memory registry structure. @@ -633,7 +633,7 @@ typedef struct regf_struct_s { REG_KEY *root; /* Root of the tree for this file */ int sk_count, sk_map_size; SK_MAP *sk_map; - char *owner_sid_str; + const char *owner_sid_str; SEC_DESC *def_sec_desc; /* * These next pointers point to the blocks used to contain the @@ -1174,10 +1174,10 @@ REG_KEY *nt_create_reg_key1(char *name, REG_KEY *parent) /* * Convert a string of the form S-1-5-x[-y-z-r] to a SID */ -int string_to_sid(DOM_SID **sid, char *sid_str) +int string_to_sid(DOM_SID **sid, const char *sid_str) { int i = 0, auth; - char *lstr; + const char *lstr; *sid = (DOM_SID *)malloc(sizeof(DOM_SID)); if (!*sid) return 0; @@ -1217,7 +1217,7 @@ int string_to_sid(DOM_SID **sid, char *sid_str) /* * Create an ACE */ -ACE *nt_create_ace(int type, int flags, unsigned int perms, char *sid) +ACE *nt_create_ace(int type, int flags, unsigned int perms, const char *sid) { ACE *ace; 
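Review bot: SIVAL still expands `buf` and `val` four times each, so an argument with side effects, such as an incrementing pointer, is applied four times; the commit fixes the cast-used-as-lvalue error but keeps that hazard, and SSVAL further down the hunk has the same shape. Since the macro is being reworked anyway, a `static inline` helper keeps the byte layout while evaluating each argument once, as below, with SSVAL done the same way.
```c
/* Store val into buf least-significant byte first; each argument is evaluated once. */
static inline void sival(void *buf, unsigned int val)
{
	unsigned char *p = buf;
	p[0] = (unsigned char)(val & 0xFF);
	p[1] = (unsigned char)((val >> 8) & 0xFF);
	p[2] = (unsigned char)((val >> 16) & 0xFF);
	p[3] = (unsigned char)(val >> 24);
}
#define SIVAL(buf, val) sival((buf), (val))
/* … unchanged: CVAL and SSVAL definitions … */
```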
@@ -2507,7 +2507,7 @@ HBIN_BLK *nt_create_hbin_blk(REGF *regf, int size) * Allocate a unit of space ... and return a pointer as function param * and the block's offset as a side effect */ -void *nt_alloc_regf_space(REGF *regf, int size, int *off) +void *nt_alloc_regf_space(REGF *regf, int size, unsigned int *off) { int tmp = 0; void *ret = NULL; @@ -2885,7 +2885,7 @@ int nt_store_val_list(REGF *regf, VAL_LIST * values) int nt_store_reg_key(REGF *regf, REG_KEY *key) { NK_HDR *nk_hdr; - unsigned int nk_off, sk_off, val_off, clsnam_off, size; + unsigned int nk_off, sk_off, size; if (!regf || !key) return 0; @@ -3815,7 +3815,7 @@ void print_sid(DOM_SID *sid) fprintf(stdout, "\n"); } -void print_acl(ACL *acl, char *prefix) +void print_acl(ACL *acl, const char *prefix) { int i; @@ -3924,7 +3924,7 @@ int main(int argc, char *argv[]) if (!string_to_sid(&lsid, def_owner_sid_str)) { fprintf(stderr, "Default Owner SID: %s is incorrectly formatted\n", def_owner_sid_str); - free(def_owner_sid_str); + free(&def_owner_sid_str[0]); def_owner_sid_str = NULL; } else -- cgit From 20756925486b407fbb2cf06d776ad2ce19b00c74 Mon Sep 17 00:00:00 2001 From: Richard Sharpe Date: Fri, 9 May 2003 06:23:15 +0000 Subject: Some more fixes for syntax problems on AIX etc ... --- source/utils/editreg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/utils/editreg.c b/source/utils/editreg.c index eb1ed9bef45..08561dd8687 100644 --- a/source/utils/editreg.c +++ b/source/utils/editreg.c @@ -340,8 +340,8 @@ Hope this helps.... (Although it was "fun" for me to uncover this things, (((unsigned char *)(buf))[3])=(unsigned char)((val)>>24)) #define SSVAL(buf, val) \ - ((unsigned char)buf[0]=(unsigned char)((val)&0xFF),\ - (unsigned char)buf[1]=(unsigned char)(((val)>>8)&0xFF)) + ((((unsigned char *)(buf))[0])=(unsigned char)((val)&0xFF),\ + (((unsigned char *)(buf))[1])=(unsigned char)((val)>>8)) static int verbose = 0; static int print_security = 0; -- cgit 
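Review bot: `free(&def_owner_sid_str[0]);` in main has exactly the same type as the line it replaces, `const char *`, so it neither removes the discarded-qualifier warning nor changes behaviour, and it hides what is happening. If the string was allocated by this program (the assignment is outside the hunk; if it is an argv/optarg pointer, freeing it is invalid and the call should go), write the intent explicitly: `free((void *)def_owner_sid_str); /* allocated by us when parsing options */`. main's body is outside the hunk.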
From 6829762e3d71bd934b834dc2f09cc136758d04e0 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Fri, 9 May 2003 06:48:33 +0000 Subject: More edits. Hackety Hack. --- docs/docbook/projdoc/DOMAIN_MEMBER.xml | 229 +++++++++++++++++++++++++++--- docs/docbook/projdoc/StandAloneServer.xml | 101 +++++++++++-- 2 files changed, 298 insertions(+), 32 deletions(-) diff --git a/docs/docbook/projdoc/DOMAIN_MEMBER.xml b/docs/docbook/projdoc/DOMAIN_MEMBER.xml index de4a8510c07..ecb8a3afb34 100644 --- a/docs/docbook/projdoc/DOMAIN_MEMBER.xml +++ b/docs/docbook/projdoc/DOMAIN_MEMBER.xml @@ -1,9 +1,9 @@ + &author.jht; &author.jeremy; &author.jerry; - &author.jht; Domain Membership @@ -40,6 +40,44 @@ Samba-3 can join an MS Windows NT4 style domain as a native member server, an MS Active Directory Domain as a native member server, or a Samba Domain Control network. + +Domain membership has many advantages: + + + + + MS Windows workstation users get the benefit of SSO + + + + Domain user access rights and file ownership / access controls can be set from + the single Domain SAM (Security Accounts Management) database (works with Domain member + servers as well as with MS Windows workstations that are domain members) + + + + Only MS Windows NT4 / 200x / XP Professional workstations that are Domain members + can use network logon facilities + + + + Domain Member workstations can be better controlled through the use of Policy files + (NTConfig.POL) and Desktop Profiles. + + + + Through the use of logon scripts users can be given transparent access to network + applications that run off application servers + + + + Network administrators gain better application and user access management abilities + because there is no need to maintain user accounts on any network client or server, + other than the central Domain database (either NT4/Samba SAM style Domain, NT4 Domain + that is back ended with an LDAP directory, or via an Active Directory infrastructure) + + + 
@@ -64,8 +102,8 @@ shared secret with the domain controller. -A Windows NT4 PDC stores each machine trust account in the Windows -Registry. The introduction of MS Windows 2000 saw the introduction of Active Directory, +A Windows NT4 PDC stores each machine trust account in the Windows Registry. +The introduction of MS Windows 2000 saw the introduction of Active Directory, the new repository for machine trust accounts. @@ -103,12 +141,19 @@ as follows: -There are two ways to create machine trust accounts: +There are three ways to create machine trust accounts: - Manual creation. Both the Samba and corresponding Unix account are created by hand. + Manual creation from the Unix/Linux command line. Here, both the Samba and corresponding + Unix account are created by hand. + + + + Using the MS Windows NT4 Server Manager (either from an NT4 Domain member server, or using + the Nexus toolkit available from the Microsoft web site. This tool can be run from any + MS Windows machine so long as the user is logged on as the administrator account. 
@@ -200,6 +245,56 @@ the corresponding Unix account. + +Using NT4 Server Manager to Add Machine Accounts to the Domain + + +If the machine from which you are trying to manage the domain is an MS Windows NT4 workstation +then the tool of choice is the package called SRVTOOLS.EXE. When executed in the target directory +this will unpack SrvMge.exe and UsrMgr.exe (both are Domain Management tools for MS Windows NT4 +workstation. + + + +If your workstation is any other MS Windows product you should download the Nexus.exe package +from the Microsoft web site. When executed from the target directory this will unpack the same +tools but for use on MS Windows 9x/Me/200x/XP. + + + +Launch the srvmgr.exe (Server Manager for Domains) and follow these steps: + + + +Server Manager Account Machine Account Management + + From the menu select Computer + + + + Click on "Select Domain" + + + + Click on the name of the domain you wish to administer in the "Select Domain" panel + and then Click OK. + + + + Again from the menu select Computer + + + + Select "Add to Domain" + + + + In the dialog box, click on the radio button to "Add NT Workstation of Server", then + enter the machine name in the field provided, then Click the "Add" button. + + + + "On-the-Fly" Creation of Machine Trust Accounts 
@@ -210,13 +305,11 @@ simply to allow the Samba server to create them as needed when the client is joined to the domain. -Since each Samba machine trust account requires a corresponding -Unix account, a method for automatically creating the -Unix account is usually supplied; this requires configuration of the -add machine script -option in smb.conf. This -method is not required, however; corresponding Unix accounts may also -be created manually. +Since each Samba machine trust account requires a corresponding Unix account, a method +for automatically creating the Unix account is usually supplied; this requires configuration of the +add machine script option in +smb.conf. This method is not required, however; corresponding Unix +accounts may also be created manually. 
@@ -230,25 +323,39 @@ Below is an example for a RedHat Linux system. add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u + -Joining the Client to the Domain +Making an MS Windows Workstation or Server a Domain Member -The procedure for joining a client to the domain varies with the version of Windows. +The procedure for making an MS Windows workstation of server a member of the domain varies +with the version of Windows: - Windows 2000 + Windows 200x XP Professional + + + When the user elects to make the client a domain member, Windows 200x prompts for + an account and password that has privileges to create machine accounts in the domain. + A Samba administrative account (i.e., a Samba account that has root privileges on the + Samba server) must be entered here; the operation will fail if an ordinary user + account is given. + + + + Note: For security reasons the password for this administrative account should be set + to a password that is other than that used for the root user in the + /etc/passwd. + - When the user elects to join the client to a domain, Windows prompts for - an account and password that is privileged to join the domain. A Samba administrative - account (i.e., a Samba account that has root privileges on the Samba server) must be - entered here; the operation will fail if an ordinary user account is given. - The password for this account should be set to a different password than the associated - /etc/passwd entry, for security reasons. + The name of the account that is used to create domain member machine accounts can be + anything the network administrator may choose. If it is other than root + then this is easily mapped to root using the file pointed to be the &smb.conf; parameter + username map = /etc/samba/smbusers. 
@@ -258,7 +365,7 @@ The procedure for joining a client to the domain varies with the version of Wind updated if it already exists. - Windows NT + Windows NT4 If the machine trust account was created manually, on the 
@@ -700,6 +807,84 @@ w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in their defaults DNS setup. Maybe fixed in service packs? + + + + +Common Errors + + +In the process of adding / deleting / re-adding domain member machine accounts there are +many traps for the unwary player and there are many "little" things that can go wrong. +It is particularly interesting how often subscribers on the samba mailing list have concluded +after repeated failed attempts to add a machine account that it is necessary to "re-install" +MS Windows on t he machine. In truth, it is seldom necessary to reinstall because of this type +of problem. The real solution is often very simple, and with understanding of how MS Windows +networking functions. easily overcome. + + + +Can Not Add Machine Back to Domain + + +Problem: A Windows workstation was reinstalled. The original domain machine +account was deleted and added immediately. The workstation will not join the domain if I use +the same machine name. Attempts to add the machine fail with a message that the machine already +exists on the network - I know it doen't. Why is this failing? + + + +The original name is still in the NetBIOS name cache and must expire after machine account +deletion BEFORE adding that same name as a domain member again. The best advice is to delete +the old account and then to add the machine with a new name. + + + + + +Adding Machine to Domain Fails + + +Adding a Windows 200x or XP Professional machine to the Samba PDC Domain fails with a +message that, "The machine could not be added at this time, there is a network problem. +Please try again later." Why? + + + +You should check that there is an add machine script in your &smb.conf; +file. If there is not, please add one that is appropriate for your OS platform. If a script +has been defined you will need to debug it's operation. Increase the log level +in the &smb.conf; file to level 10, then try to rejoin the domain. 
Check the logs to see which +operation is failing. + + + +Possible causes include: + + + + + The script does not actually exist, or could not be located in the path specified. + + + + Corrective Action: Fix it. Make sure that when run manually + that the script will add both the Unix system account _and_ the Samba SAM account. + + + + The machine could not be added to the Unix system accounts file /etc/passwd + + + + Corrective Action: Check that the machine name is a legal Unix + system account name. ie: If the Unix utility useradd is called + then make sure that the machine name you are trying to add can be added using this + tool. Useradd on some systems will not allow any upper case characters + nor will it allow spaces in the name. + + + diff --git a/docs/docbook/projdoc/StandAloneServer.xml b/docs/docbook/projdoc/StandAloneServer.xml index c5b5c672509..1246ff0f3a1 100644 --- a/docs/docbook/projdoc/StandAloneServer.xml +++ b/docs/docbook/projdoc/StandAloneServer.xml 
@@ -4,8 +4,42 @@ Stand-Alone Servers + +Stand-Alone servers are independant of an Domain Controllers on the network. +They are NOT domain members and function more like workgroup servers. In many +cases a stand-alone server is configured with a minimum of security control +with the intent that all data served will be readilly accessible to all users. + + + +Features and Benefits + + +Stand-Alone servers can be as secure or as insecure as needs dictate. They can +have simple or complex configurations. Above all, despite the hoopla about +Domain security they remain a very common installation. + + + +If all that is needed is a server for read-only files, or for +printers alone, it may not make sense to affect a complex installation. +For example: A drafting office needs to store old drawings and reference +standards. No-one can write files to the server as it is legislatively +important that all documents remain unaltered. A share mode read-only stand-alone +server is an ideal solution. + + + +Another situation that warrants simplicity is an office that has many printers +that are queued off a single central server. Everyone needs to be able to print +to the printers, there is no need to affect any access controls and no files will +be served from the print server. Again a share mode stand-alone server makes +a great solution. + + + -Stand Alone Server +Background The term stand alone server means that the server 
@@ -13,21 +47,22 @@ will provide local authentication and access control for all resources that are available from it. In general this means that there will be a local user database. In more technical terms, it means that resources on the machine will either be made available in either SHARE mode or in -USER mode. SHARE mode and USER mode security are documented under -discussions regarding "security mode". The smb.conf configuration parameters -that control security mode are: "security = user" and "security = share". +USER mode. No special action is needed other than to create user accounts. Stand-alone -servers do NOT provide network logon services, meaning that machines that -use this server do NOT perform a domain logon but instead make use only of -the MS Windows logon which is local to the MS Windows workstation/server. +servers do NOT provide network logon services. This means that machines that +use this server do NOT perform a domain log onto it. Whatever logon facility +the workstations are subject to is independant of this machine. It is however +necessary to accomodate any network user so that the logon name they use will +be translated (mapped) locally on the stand-alone server to a locally known +user name. There are several ways this cane be done. Samba tends to blur the distinction a little in respect of what is -a stand alone server. This is because the authentication database may be +a stand-alone server. This is because the authentication database may be local or on a remote server, even if from the samba protocol perspective the samba server is NOT a member of a domain security context. 
@@ -38,10 +73,56 @@ Through the use of PAM (Pluggable Authentication Modules) and nsswitch another server. We would be inclined to call this the authentication server. This means that the samba server may use the local Unix/Linux system password database (/etc/passwd or /etc/shadow), may use a local smbpasswd -file (/etc/samba/smbpasswd or /usr/local/samba/lib/private/smbpasswd), or -may use an LDAP back end, or even via PAM and Winbind another CIFS/SMB +file, or may use an LDAP back end, or even via PAM and Winbind another CIFS/SMB server for authentication. + + + +Example Configuration + + +The following examples are designed to inspire simplicity. It is too easy to +attempt a high level of creativity and to introduce too much complexity in +server and network design. + + + +Reference Documentation Server + + +Put one here! + + + + + +Central Print Serving + + +Put one here! + + + + + +Legal Office Daily Work Server + + +Put one here! + + + + + + + +Common Errors + + +Put stuff here. + + -- cgit From 5368f10eabbca09eee1e2777e8cb2fcb7f92fc1d Mon Sep 17 00:00:00 2001 From: Richard Sharpe Date: Fri, 9 May 2003 07:03:10 +0000 Subject: Add some static ... --- source/utils/editreg.c | 118 +++++++++++++++++++++++++++++++++++-------------- 1 file changed, 84 insertions(+), 34 deletions(-) diff --git a/source/utils/editreg.c b/source/utils/editreg.c index 08561dd8687..8418a6ecc10 100644 --- a/source/utils/editreg.c +++ b/source/utils/editreg.c @@ -662,10 +662,12 @@ typedef int (*val_print_f)(const char *path, char *val_name, int val_type, typedef int (*sec_print_f)(SEC_DESC *sec_desc); +static int nt_key_iterator(REGF *regf, REG_KEY *key_tree, int bf, const char *path, key_print_f key_print, sec_print_f sec_print, val_print_f val_print); +static int nt_val_list_iterator(REGF *regf, VAL_LIST *val_list, int bf, char *path, int terminal, val_print_f val_print) { 
@@ -690,6 +692,7 @@ int nt_val_list_iterator(REGF *regf, VAL_LIST *val_list, int bf, char *path, return 1; } +static int nt_key_list_iterator(REGF *regf, KEY_LIST *key_list, int bf, const char *path, key_print_f key_print, sec_print_f sec_print, @@ -708,6 +711,7 @@ int nt_key_list_iterator(REGF *regf, KEY_LIST *key_list, int bf, return 1; } +static int nt_key_iterator(REGF *regf, REG_KEY *key_tree, int bf, const char *path, key_print_f key_print, sec_print_f sec_print, val_print_f val_print) @@ -774,12 +778,14 @@ int nt_key_iterator(REGF *regf, REG_KEY *key_tree, int bf, const char *path, return 1; } +static REG_KEY *nt_find_key_by_name(REG_KEY *tree, char *key); /* * Find key by name in a list ... * Take the first component and search for that in the list */ +static REG_KEY *nt_find_key_in_list_by_name(KEY_LIST *list, char *key) { int i; @@ -798,6 +804,7 @@ REG_KEY *nt_find_key_in_list_by_name(KEY_LIST *list, char *key) * Find key by name in a tree ... We will assume absolute names here, but we * need the root of the tree ... */ +static REG_KEY *nt_find_key_by_name(REG_KEY *tree, char *key) { char *lname = NULL, *c1, *c2; @@ -834,7 +841,7 @@ REG_KEY *nt_find_key_by_name(REG_KEY *tree, char *key) } /* Make, delete keys */ - +static int nt_delete_val_key(VAL_KEY *val_key) { @@ -846,6 +853,7 @@ int nt_delete_val_key(VAL_KEY *val_key) return 1; } +static int nt_delete_val_list(VAL_LIST *vl) { int i; @@ -858,7 +866,10 @@ int nt_delete_val_list(VAL_LIST *vl) return 1; } +static int nt_delete_reg_key(REG_KEY *key, int delete_name); + +static int nt_delete_key_list(KEY_LIST *key_list, int delete_name) { int i; @@ -874,6 +885,7 @@ int nt_delete_key_list(KEY_LIST *key_list, int delete_name) /* * Find the key, and if it exists, delete it ... */ +static int nt_delete_key_by_name(REGF *regf, char *name) { REG_KEY *key; @@ -891,6 +903,7 @@ int nt_delete_key_by_name(REGF *regf, char *name) } +static int nt_delete_sid(DOM_SID *sid) { 
@@ -899,6 +912,7 @@ int nt_delete_sid(DOM_SID *sid) } +static int nt_delete_ace(ACE *ace) { @@ -910,6 +924,7 @@ int nt_delete_ace(ACE *ace) } +static int nt_delete_acl(ACL *acl) { @@ -924,6 +939,7 @@ int nt_delete_acl(ACL *acl) return 1; } +static int nt_delete_sec_desc(SEC_DESC *sec_desc) { @@ -939,6 +955,7 @@ int nt_delete_sec_desc(SEC_DESC *sec_desc) return 1; } +static int nt_delete_key_sec_desc(KEY_SEC_DESC *key_sec_desc) { @@ -956,6 +973,7 @@ int nt_delete_key_sec_desc(KEY_SEC_DESC *key_sec_desc) return 1; } +static int nt_delete_reg_key(REG_KEY *key, int delete_name) { @@ -1010,6 +1028,7 @@ int nt_delete_reg_key(REG_KEY *key, int delete_name) * Convert a string to a value ... * FIXME: Error handling and convert this at command parse time ... */ +static void *str_to_val(int type, char *val, int *len) { unsigned int *dwordp = NULL; @@ -1052,6 +1071,7 @@ void *str_to_val(int type, char *val, int *len) * An empty name will be converted to "" before here * Hmmm, maybe not. has_name is for that */ +static VAL_KEY *nt_add_reg_value(REG_KEY *key, char *name, int type, char *value) { int i; @@ -1114,6 +1134,7 @@ VAL_KEY *nt_add_reg_value(REG_KEY *key, char *name, int type, char *value) /* * Delete a value. We return the value and let the caller deal with it. */ +static VAL_KEY *nt_delete_reg_value(REG_KEY *key, char *name) { int i, j; 
@@ -1148,32 +1169,10 @@ VAL_KEY *nt_delete_reg_value(REG_KEY *key, char *name) * often where we want to add values ... */ -/* - * Create a 1 component key name and set its parent to parent - */ -REG_KEY *nt_create_reg_key1(char *name, REG_KEY *parent) -{ - REG_KEY *tmp; - - if (!name || !*name) return NULL; /* A key's name cannot be empty */ - - /* There should not be more than one component */ - if (strchr(name, '\\')) return NULL; - - if (!(tmp = (REG_KEY *)malloc(sizeof(REG_KEY)))) return NULL; - - bzero(tmp, sizeof(REG_KEY)); - - if (!(tmp->name = strdup(name))) goto error; - - error: - if (tmp) free(tmp); - return NULL; -} - /* * Convert a string of the form S-1-5-x[-y-z-r] to a SID */ +static int string_to_sid(DOM_SID **sid, const char *sid_str) { int i = 0, auth; @@ -1217,6 +1216,7 @@ int string_to_sid(DOM_SID **sid, const char *sid_str) /* * Create an ACE */ +static ACE *nt_create_ace(int type, int flags, unsigned int perms, const char *sid) { ACE *ace; @@ -1238,6 +1238,7 @@ ACE *nt_create_ace(int type, int flags, unsigned int perms, const char *sid) /* * Create a default ACL */ +static ACL *nt_create_default_acl(REGF *regf) { ACL *acl; @@ -1276,6 +1277,7 @@ ACL *nt_create_default_acl(REGF *regf) * Create a default security descriptor. We pull in things from env * if need be */ +static SEC_DESC *nt_create_def_sec_desc(REGF *regf) { SEC_DESC *tmp; @@ -1302,6 +1304,7 @@ SEC_DESC *nt_create_def_sec_desc(REGF *regf) * says, but the Owner and Group SIDs can be overwridden from the command line * and additional ACEs can be applied from the command line etc. */ +static KEY_SEC_DESC *nt_inherit_security(REG_KEY *key) { @@ -1313,6 +1316,7 @@ KEY_SEC_DESC *nt_inherit_security(REG_KEY *key) * Create an initial security descriptor and init other structures, if needed * We assume that the initial security stuff is empty ... */ +static KEY_SEC_DESC *nt_create_init_sec(REGF *regf) { KEY_SEC_DESC *tsec = NULL; 
@@ -1332,6 +1336,7 @@ KEY_SEC_DESC *nt_create_init_sec(REGF *regf) /* * Add a sub-key */ +static REG_KEY *nt_add_reg_key_list(REGF *regf, REG_KEY *key, char * name, int create) { int i; @@ -1429,6 +1434,7 @@ REG_KEY *nt_add_reg_key_list(REGF *regf, REG_KEY *key, char * name, int create) * This routine only adds a key from the root down. * It calls helper functions to handle sub-key lists and sub-keys */ +static REG_KEY *nt_add_reg_key(REGF *regf, char *name, int create) { char *lname = NULL, *c1, *c2; @@ -1534,6 +1540,7 @@ const VAL_STR reg_type_names[] = { { 0, NULL }, }; +static const char *val_to_str(unsigned int val, const VAL_STR *val_array) { int i = 0; @@ -1555,6 +1562,7 @@ const char *val_to_str(unsigned int val, const VAL_STR *val_array) * Convert from UniCode to Ascii ... Does not take into account other lang * Restrict by ascii_max if > 0 */ +static int uni_to_ascii(unsigned char *uni, unsigned char *ascii, int ascii_max, int uni_max) { @@ -1575,6 +1583,7 @@ int uni_to_ascii(unsigned char *uni, unsigned char *ascii, int ascii_max, /* * Convert a data value to a string for display */ +static int data_to_ascii(unsigned char *datap, int len, int type, char *ascii, int ascii_max) { unsigned char *asciip; @@ -1623,13 +1632,16 @@ int data_to_ascii(unsigned char *datap, int len, int type, char *ascii, int asci } +static REG_KEY *nt_get_key_tree(REGF *regf, NK_HDR *nk_hdr, int size, REG_KEY *parent); +static int nt_set_regf_input_file(REGF *regf, char *filename) { return ((regf->regfile_name = strdup(filename)) != NULL); } +static int nt_set_regf_output_file(REGF *regf, char *filename) { return ((regf->outfile_name = strdup(filename)) != NULL); @@ -1637,6 +1649,7 @@ int nt_set_regf_output_file(REGF *regf, char *filename) /* Create a regf structure and init it */ +static REGF *nt_create_regf(void) { REGF *tmp = (REGF *)malloc(sizeof(REGF)); 
@@ -1648,6 +1661,7 @@ REGF *nt_create_regf(void) /* Free all the bits and pieces ... Assumes regf was malloc'd */ /* If you add stuff to REGF, add the relevant free bits here */ +static int nt_free_regf(REGF *regf) { if (!regf) return 0; @@ -1667,6 +1681,7 @@ int nt_free_regf(REGF *regf) /* Get the header of the registry. Return a pointer to the structure * If the mmap'd area has not been allocated, then mmap the input file */ +static REGF_HDR *nt_get_regf_hdr(REGF *regf) { if (!regf) @@ -1708,6 +1723,7 @@ REGF_HDR *nt_get_regf_hdr(REGF *regf) * Validate a regf header * For now, do nothing, but we should check the checksum */ +static int valid_regf_hdr(REGF_HDR *regf_hdr) { if (!regf_hdr) return 0; @@ -1726,7 +1742,7 @@ int valid_regf_hdr(REGF_HDR *regf_hdr) /* * Create a new entry in the map, and increase the size of the map if needed */ - +static SK_MAP *alloc_sk_map_entry(REGF *regf, KEY_SEC_DESC *tmp, int sk_off) { if (!regf->sk_map) { /* Allocate a block of 10 */ @@ -1765,7 +1781,7 @@ SK_MAP *alloc_sk_map_entry(REGF *regf, KEY_SEC_DESC *tmp, int sk_off) * Search for a KEY_SEC_DESC in the sk_map, but don't create one if not * found */ - +static KEY_SEC_DESC *lookup_sec_key(SK_MAP *sk_map, int count, int sk_off) { int i; @@ -1786,7 +1802,7 @@ KEY_SEC_DESC *lookup_sec_key(SK_MAP *sk_map, int count, int sk_off) /* * Allocate a KEY_SEC_DESC if we can't find one in the map */ - +static KEY_SEC_DESC *lookup_create_sec_key(REGF *regf, SK_MAP *sk_map, int sk_off) { KEY_SEC_DESC *tmp = lookup_sec_key(regf->sk_map, regf->sk_count, sk_off); @@ -1812,6 +1828,7 @@ KEY_SEC_DESC *lookup_create_sec_key(REGF *regf, SK_MAP *sk_map, int sk_off) * Allocate storage and duplicate a SID * We could allocate the SID to be only the size needed, but I am too lazy. */ +static DOM_SID *dup_sid(DOM_SID *sid) { DOM_SID *tmp = (DOM_SID *)malloc(sizeof(DOM_SID)); 
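Review bot: `valid_regf_hdr` in the `@@ -1708` hunk still accepts any non-NULL header — the comment directly above it says "For now, do nothing, but we should check the checksum" — and this commit only adds `static`, so the hive remains unvalidated untrusted input that nt_get_regf_hdr mmaps and that the process_* routines then walk by offsets taken from the file. Now that the function is file-local it is the natural place to verify the header checksum and to reject offsets that fall outside the mapped size before anything dereferences them; REGF_HDR's field names are not visible here, so the concrete check has to be written against those. At minimum the stub comment should record the gap for the next reader: `/* TODO: verify the header checksum and bounds-check hive offsets before trusting them */`.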
@@ -1832,6 +1849,7 @@ DOM_SID *dup_sid(DOM_SID *sid) /* * Allocate space for an ACE and duplicate the registry encoded one passed in */ +static ACE *dup_ace(REG_ACE *ace) { ACE *tmp = NULL; @@ -1850,6 +1868,7 @@ ACE *dup_ace(REG_ACE *ace) /* * Allocate space for an ACL and duplicate the registry encoded one passed in */ +static ACL *dup_acl(REG_ACL *acl) { ACL *tmp = NULL; @@ -1876,6 +1895,7 @@ ACL *dup_acl(REG_ACL *acl) return tmp; } +static SEC_DESC *process_sec_desc(REGF *regf, REG_SEC_DESC *sec_desc) { SEC_DESC *tmp = NULL; @@ -1922,6 +1942,7 @@ SEC_DESC *process_sec_desc(REGF *regf, REG_SEC_DESC *sec_desc) return tmp; } +static KEY_SEC_DESC *process_sk(REGF *regf, SK_HDR *sk_hdr, int sk_off, int size) { KEY_SEC_DESC *tmp = NULL; @@ -2011,6 +2032,7 @@ KEY_SEC_DESC *process_sk(REGF *regf, SK_HDR *sk_hdr, int sk_off, int size) /* * Process a VK header and return a value */ +static VAL_KEY *process_vk(REGF *regf, VK_HDR *vk_hdr, int size) { char val_name[1024]; @@ -2102,6 +2124,7 @@ VAL_KEY *process_vk(REGF *regf, VK_HDR *vk_hdr, int size) /* * Process a VL Header and return a list of values */ +static VAL_LIST *process_vl(REGF *regf, VL_TYPE vl, int count, int size) { int i, vk_off; @@ -2142,6 +2165,7 @@ VAL_LIST *process_vl(REGF *regf, VL_TYPE vl, int count, int size) /* * Process an LF Header and return a list of sub-keys */ +static KEY_LIST *process_lf(REGF *regf, LF_HDR *lf_hdr, int size, REG_KEY *parent) { int count, i, nk_off; @@ -2195,6 +2219,7 @@ KEY_LIST *process_lf(REGF *regf, LF_HDR *lf_hdr, int size, REG_KEY *parent) * This routine is passed an NK_HDR pointer and retrieves the entire tree * from there down. It returns a REG_KEY *. */ +static REG_KEY *nt_get_key_tree(REGF *regf, NK_HDR *nk_hdr, int size, REG_KEY *parent) { REG_KEY *tmp = NULL, *own; @@ -2365,6 +2390,7 @@ REG_KEY *nt_get_key_tree(REGF *regf, NK_HDR *nk_hdr, int size, REG_KEY *parent) return NULL; } +static int nt_load_registry(REGF *regf) { REGF_HDR *regf_hdr; 
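Review bot: `process_vk` in the `@@ -2011` hunk copies the value name into a fixed `char val_name[1024]`, and the copy length presumably comes from the VK header read out of the hive; the body is outside the hunk, so I cannot confirm it is clamped. Because the hive is untrusted input, whichever length field is used should be bounded before the copy, e.g. `if (name_len > sizeof(val_name) - 1) name_len = sizeof(val_name) - 1;`, with the name NUL-terminated explicitly afterwards, and that length should also be checked against the `size` argument so the read stays inside the VK record. If the clamp already exists further down, a one-line comment on the buffer declaration saying so would spare the next reader the search.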
@@ -2455,6 +2481,7 @@ int nt_load_registry(REGF *regf) /* * Allocate a new hbin block, set up the header for the block etc */ +static HBIN_BLK *nt_create_hbin_blk(REGF *regf, int size) { HBIN_BLK *tmp; @@ -2507,6 +2534,7 @@ HBIN_BLK *nt_create_hbin_blk(REGF *regf, int size) * Allocate a unit of space ... and return a pointer as function param * and the block's offset as a side effect */ +static void *nt_alloc_regf_space(REGF *regf, int size, unsigned int *off) { int tmp = 0; @@ -2589,7 +2617,7 @@ void *nt_alloc_regf_space(REGF *regf, int size, unsigned int *off) /* * Compute the size of a SID stored ... */ - +static unsigned int sid_size(DOM_SID *sid) { unsigned int size; @@ -2604,7 +2632,7 @@ unsigned int sid_size(DOM_SID *sid) /* * Compute the size of an ACE on disk from its components */ - +static unsigned int ace_size(ACE *ace) { unsigned int size; @@ -2619,6 +2647,7 @@ unsigned int ace_size(ACE *ace) /* * Compute the size of an ACL from its components ... */ +static unsigned int acl_size(ACL *acl) { unsigned int size; @@ -2636,6 +2665,7 @@ unsigned int acl_size(ACL *acl) /* * Compute the size of the sec desc as a self-relative SD */ +static unsigned int sec_desc_size(SEC_DESC *sd) { unsigned int size; @@ -2655,7 +2685,7 @@ unsigned int sec_desc_size(SEC_DESC *sd) /* * Store a SID at the location provided */ - +static int nt_store_SID(REGF *regf, DOM_SID *sid, unsigned char *locn) { int i; @@ -2678,6 +2708,7 @@ int nt_store_SID(REGF *regf, DOM_SID *sid, unsigned char *locn) } +static int nt_store_ace(REGF *regf, ACE *ace, unsigned char *locn) { int size = 0; @@ -2709,7 +2740,7 @@ int nt_store_ace(REGF *regf, ACE *ace, unsigned char *locn) /* * Store an ACL at the location provided */ - +static int nt_store_acl(REGF *regf, ACL *acl, unsigned char *locn) { int size = 0, i; 
@@ -2747,6 +2778,7 @@ int nt_store_acl(REGF *regf, ACL *acl, unsigned char *locn) * that first, then the owner, then the group SID. So, we do it that way * too. */ +static unsigned int nt_store_sec_desc(REGF *regf, SEC_DESC *sd, char *locn) { REG_SEC_DESC *rsd = (REG_SEC_DESC *)locn; @@ -2815,7 +2847,7 @@ unsigned int nt_store_sec_desc(REGF *regf, SEC_DESC *sd, char *locn) * If it has already been stored, just get its offset from record * otherwise, store it and record its offset */ - +static unsigned int nt_store_security(REGF *regf, KEY_SEC_DESC *sec) { int size = 0; @@ -2863,7 +2895,7 @@ unsigned int nt_store_security(REGF *regf, KEY_SEC_DESC *sec) /* * Store a VAL LIST */ - +static int nt_store_val_list(REGF *regf, VAL_LIST * values) { @@ -2882,6 +2914,7 @@ int nt_store_val_list(REGF *regf, VAL_LIST * values) * We return the offset of the NK struct * FIXME, FIXME, FIXME: Convert to using SIVAL and SSVAL ... */ +static int nt_store_reg_key(REGF *regf, REG_KEY *key) { NK_HDR *nk_hdr; @@ -2945,6 +2978,7 @@ int nt_store_reg_key(REGF *regf, REG_KEY *key) * We actually create the registry header block and link it to the chain * of output blocks. */ +static REGF_HDR *nt_get_reg_header(REGF *regf) { HBIN_BLK *tmp = NULL; @@ -2979,6 +3013,7 @@ REGF_HDR *nt_get_reg_header(REGF *regf) * The lf fields are layed down after all sub-keys have been layed down, it * seems, including the whole tree associated with each sub-key. */ +static int nt_store_registry(REGF *regf) { REGF_HDR *reg; @@ -3066,6 +3101,7 @@ typedef struct cmd_line { char *line; } CMD_LINE; +static void free_val_spec_list(VAL_SPEC_LIST *vl) { if (!vl) return; @@ -3078,6 +3114,7 @@ void free_val_spec_list(VAL_SPEC_LIST *vl) /* * Some routines to handle lines of info in the command files */ +static void skip_to_eol(int fd) { int rc; @@ -3093,6 +3130,7 @@ void skip_to_eol(int fd) } } +static void free_cmd(CMD *cmd) { if (!cmd) return; 
@@ -3109,6 +3147,7 @@ void free_cmd(CMD *cmd) } +static void free_cmd_line(CMD_LINE *cmd_line) { if (cmd_line) { @@ -3117,6 +3156,7 @@ void free_cmd_line(CMD_LINE *cmd_line) } } +static void print_line(struct cmd_line *cl) { char *pl; @@ -3144,6 +3184,7 @@ void print_line(struct cmd_line *cl) * Otherwise we return a cmd_line * * Exit if other errors */ +static struct cmd_line *get_cmd_line(int fd) { struct cmd_line *cl = (CMD_LINE *)malloc(sizeof(CMD_LINE)); @@ -3215,7 +3256,7 @@ struct cmd_line *get_cmd_line(int fd) * The value name can be empty. There can only be one empty name in * a list of values. A value of - removes the value entirely. */ - +static char *dup_str(char *s, int len) { char *nstr; @@ -3227,6 +3268,7 @@ char *dup_str(char *s, int len) return nstr; } +static char *parse_name(char *nstr) { int len = 0, start = 0; @@ -3253,6 +3295,7 @@ char *parse_name(char *nstr) return dup_str(&nstr[start], len); } +static int parse_value_type(char *tstr) { int len = strlen(tstr); @@ -3278,6 +3321,7 @@ int parse_value_type(char *tstr) return 0; } +static char *parse_val_str(char *vstr) { @@ -3285,6 +3329,7 @@ char *parse_val_str(char *vstr) } +static char *parse_value(struct cmd_line *cl, int *vtype, char **val) { char *p1 = NULL, *p2 = NULL, *nstr = NULL, *tstr = NULL, *vstr = NULL; @@ -3346,6 +3391,7 @@ char *parse_value(struct cmd_line *cl, int *vtype, char **val) * Assumes that there are no leading and trailing spaces */ +static char *parse_key(struct cmd_line *cl, int *cmd) { int start = 1; @@ -3372,6 +3418,7 @@ char *parse_key(struct cmd_line *cl, int *cmd) * We only check for key or val ... */ +static int parse_line(struct cmd_line *cl) { @@ -3388,6 +3435,7 @@ int parse_line(struct cmd_line *cl) * and compare to the correct value. * We then seek back to the original location */ +static int regedit4_file_type(int fd) { int cur_ofs = 0; 
@@ -3427,6 +3475,7 @@ int regedit4_file_type(int fd) * Run though the data in the line and strip anything after a comment * char. */ +static void strip_comment(struct cmd_line *cl) { int i; @@ -3445,6 +3494,7 @@ void strip_comment(struct cmd_line *cl) * trim leading space */ +static void trim_leading_spaces(struct cmd_line *cl) { int i; -- cgit From 05d7850302d4369c4f8001c923217f8912261e7d Mon Sep 17 00:00:00 2001 From: Richard Sharpe Date: Fri, 9 May 2003 07:42:23 +0000 Subject: Some more static definitions ... --- source/utils/editreg.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/source/utils/editreg.c b/source/utils/editreg.c index 8418a6ecc10..92a39c39e2a 100644 --- a/source/utils/editreg.c +++ b/source/utils/editreg.c @@ -3512,6 +3512,7 @@ void trim_leading_spaces(struct cmd_line *cl) /* * trim trailing spaces */ +static void trim_trailing_spaces(struct cmd_line *cl) { int i; @@ -3537,6 +3538,7 @@ void trim_trailing_spaces(struct cmd_line *cl) * We alctually look for the next key to terminate a previous key * if == '-', then it is a delete type. */ +static CMD *regedit4_get_cmd(int fd) { struct command_s *cmd = NULL; @@ -3625,12 +3627,14 @@ CMD *regedit4_get_cmd(int fd) return NULL; } +static int regedit4_exec_cmd(CMD *cmd) { return 0; } +static int editreg_1_0_file_type(int fd) { int cur_ofs = 0; @@ -3661,11 +3665,13 @@ int editreg_1_0_file_type(int fd) return FMT_UNREC; } +static CMD *editreg_1_0_get_cmd(int fd) { return NULL; } +static int editreg_1_0_exec_cmd(CMD *cmd) { @@ -3695,6 +3701,7 @@ typedef struct command_file_s { * Create a new command file structure */ +static CMD_FILE *cmd_file_create(char *file) { CMD_FILE *tmp; @@ -3762,6 +3769,7 @@ CMD_FILE *cmd_file_create(char *file) * key print function here ... */ +static int print_key(const char *path, char *name, char *class_name, int root, int terminal, int vals) { 
@@ -3775,6 +3783,7 @@ int print_key(const char *path, char *name, char *class_name, int root, * Sec Desc print functions */ +static void print_type(unsigned char type) { switch (type) { @@ -3804,6 +3813,7 @@ void print_type(unsigned char type) } } +static void print_flags(unsigned char flags) { char flg_output[21]; @@ -3847,11 +3857,13 @@ void print_flags(unsigned char flags) fprintf(stdout, " %s", flg_output); } +static void print_perms(int perms) { fprintf(stdout, " %8X", perms); } +static void print_sid(DOM_SID *sid) { int i, comps = sid->auths; @@ -3865,6 +3877,7 @@ void print_sid(DOM_SID *sid) fprintf(stdout, "\n"); } +static void print_acl(ACL *acl, const char *prefix) { int i; @@ -3879,6 +3892,7 @@ void print_acl(ACL *acl, const char *prefix) } } +static int print_sec(SEC_DESC *sec_desc) { if (!print_security) return 1; @@ -3901,6 +3915,7 @@ int print_sec(SEC_DESC *sec_desc) /* * Value print function here ... */ +static int print_val(const char *path, char *val_name, int val_type, int data_len, void *data_blk, int terminal, int first, int last) { @@ -3916,6 +3931,7 @@ int print_val(const char *path, char *val_name, int val_type, int data_len, return 1; } +static void usage(void) { fprintf(stderr, "Usage: editreg [-f] [-v] [-p] [-k] [-s] [-c ] \n"); -- cgit From 27ca9bde6ba1a21326d89ab1dab52f7053fff9a4 Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Fri, 9 May 2003 13:06:11 +0000 Subject: Fix bug #4 for net rap. Allow more than 50 chars for long form listings of users and groups. --- source/utils/net_rap.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/utils/net_rap.c b/source/utils/net_rap.c index 6e691a1f60a..1f6c6e7a847 100644 --- a/source/utils/net_rap.c +++ b/source/utils/net_rap.c @@ -599,7 +599,7 @@ static void long_user_fn(const char *user_name, const char *comment, const char * home_dir, const char * logon_script, void *state) { - d_printf("%-21.21s %-50.50s\n", + d_printf("%-21.21s %s\n", user_name, comment); } 
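Review bot: In the long_user_fn hunk, `comment` is text returned by the remote server for the listing (inferred from the callback's role; the caller is outside the hunk), and dropping the `%-50.50s` width means it now reaches the administrator's terminal at any length and unfiltered. A hostile or compromised server can therefore place terminal escape sequences in that output; the old cap only limited the damage rather than preventing it. If d_printf does not already strip non-printable characters, consider sanitising in the callback, or at least keep a generous explicit bound such as `"%-21.21s %.256s\n"`. Separately, `%s` with a NULL `comment` is undefined behaviour, so `comment ? comment : ""` is cheap insurance.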
@@ -717,7 +717,7 @@ int net_rap_group_usage(int argc, const char **argv) static void long_group_fn(const char *group_name, const char *comment, void *state) { - d_printf("%-21.21s %-50.50s\n", group_name, comment); + d_printf("%-21.21s %s\n", group_name, comment); } static void group_fn(const char *group_name, const char *comment, void *state) -- cgit From 6138093aa0ded3719f73ed3efbd7172131ca0fa3 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 9 May 2003 21:49:24 +0000 Subject: removing total print jobs since it is not used anymore --- .../docbook/smbdotconf/printing/totalprintjobs.xml | 22 ---------------------- source/param/loadparm.c | 2 -- 2 files changed, 24 deletions(-) delete mode 100644 docs/docbook/smbdotconf/printing/totalprintjobs.xml diff --git a/docs/docbook/smbdotconf/printing/totalprintjobs.xml b/docs/docbook/smbdotconf/printing/totalprintjobs.xml deleted file mode 100644 index ccdb137a69a..00000000000 --- a/docs/docbook/smbdotconf/printing/totalprintjobs.xml +++ /dev/null @@ -1,22 +0,0 @@ - - - This parameter accepts an integer value which defines - a limit on the maximum number of print jobs that will be accepted - system wide at any given time. If a print job is submitted - by a client which will exceed this number, then smbd - 8 will return an - error indicating that no space is available on the server. The - default value of 0 means that no such limit exists. This parameter - can be used to prevent a server from exceeding its capacity and is - designed as a printing throttle. See also - max print jobs. - - - Default: total print jobs = 0 - - Example: total print jobs = 5000 - - diff --git a/source/param/loadparm.c b/source/param/loadparm.c index 5399969f9fe..66a4b1c02e6 100644 --- a/source/param/loadparm.c +++ b/source/param/loadparm.c 
@@ -909,7 +909,6 @@ static struct parm_struct parm_table[] = { {"Printing Options", P_SEP, P_SEPARATOR}, - {"total print jobs", P_INTEGER, P_GLOBAL, &Globals.iTotalPrintJobs, NULL, NULL, FLAG_PRINT}, {"max reported print jobs", P_INTEGER, P_LOCAL, &sDefault.iMaxReportedPrintJobs, NULL, NULL, FLAG_PRINT}, {"max print jobs", P_INTEGER, P_LOCAL, &sDefault.iMaxPrintJobs, NULL, NULL, FLAG_PRINT}, {"load printers", P_BOOL, P_GLOBAL, &Globals.bLoadPrinters, NULL, NULL, FLAG_PRINT}, @@ -1735,7 +1734,6 @@ FN_GLOBAL_INTEGER(lp_maxdisksize, &Globals.maxdisksize) FN_GLOBAL_INTEGER(lp_lpqcachetime, &Globals.lpqcachetime) FN_GLOBAL_INTEGER(lp_max_smbd_processes, &Globals.iMaxSmbdProcesses) FN_GLOBAL_INTEGER(lp_disable_spoolss, &Globals.bDisableSpoolss) -FN_GLOBAL_INTEGER(lp_totalprintjobs, &Globals.iTotalPrintJobs) FN_GLOBAL_INTEGER(lp_syslog, &Globals.syslog) static FN_GLOBAL_INTEGER(lp_announce_as, &Globals.announce_as) FN_GLOBAL_INTEGER(lp_lm_announce, &Globals.lm_announce) -- cgit From ec36cb4f6f59dac2f459d831f960152603e12633 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 10 May 2003 00:32:13 +0000 Subject: Fix for possible segfault in readline handler. Found by vitalyb@mail333.com. Jeremy. --- source/client/client.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/source/client/client.c b/source/client/client.c index f8851062756..b498b5b4a88 100644 --- a/source/client/client.c +++ b/source/client/client.c @@ -2406,10 +2406,11 @@ static void readline_callback(void) last_t = t; + again: + if (cli->fd == -1) return; - again: FD_ZERO(&fds); FD_SET(cli->fd,&fds); -- cgit From 98729bc9a60f77dbc107c42f4f7a60ed96e2102f Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 10 May 2003 00:35:23 +0000 Subject: Optimisation. We don't need to do 2 strlen's when we're setting the stat struct in the correct place. Jeremy. --- source/smbd/filename.c | 9 --------- 1 file changed, 9 deletions(-) 
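Review bot: The `again:` label now precedes `if (cli->fd == -1) return;`, so a retry re-validates the descriptor before `FD_SET`, but nothing in the hunk records why the order matters and a later tidy-up could easily move the check back. A comment on the label would pin it: `again: /* re-check fd on every retry: the connection may have gone away while we were blocked */` (the "while blocked" part is my inference; adjust to the actual cause). readline_callback starts and ends outside the hunk, so I cannot see which path jumps back to `again`.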
diff --git a/source/smbd/filename.c b/source/smbd/filename.c index 9dd1523c73d..b9e33e8f934 100644 --- a/source/smbd/filename.c +++ b/source/smbd/filename.c @@ -381,15 +381,6 @@ BOOL unix_convert(pstring name,connection_struct *conn,char *saved_last_componen if(!component_was_mangled && !name_has_wildcard) stat_cache_add(orig_path, name); - /* - * If we ended up resolving the entire path then return a valid - * stat struct if we got one. Note this doesn't catch mangled paths, - * but the check in the for loop above will do that. JRA. - */ - - if (VALID_STAT(st) && (strlen(orig_path) == strlen(name))) - *pst = st; - /* * The name has been resolved. */ -- cgit From 748ae44d55f54291da3fe6ba2d60285d6da3d415 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 10 May 2003 02:05:27 +0000 Subject: Fix from Tom.Lackemann@falconstor.com to correctly set the flags based on the security entries sent. Jeremy. --- source/libsmb/clisecdesc.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/source/libsmb/clisecdesc.c b/source/libsmb/clisecdesc.c index 20154dbeb29..d86a9022a69 100644 --- a/source/libsmb/clisecdesc.c +++ b/source/libsmb/clisecdesc.c @@ -79,6 +79,7 @@ BOOL cli_set_secdesc(struct cli_state *cli, int fnum, SEC_DESC *sd) char param[8]; char *rparam=NULL, *rdata=NULL; int rparam_count=0, rdata_count=0; + uint32 sec_info = 0; TALLOC_CTX *mem_ctx; prs_struct pd; BOOL ret = False; @@ -97,7 +98,14 @@ BOOL cli_set_secdesc(struct cli_state *cli, int fnum, SEC_DESC *sd) } SIVAL(param, 0, fnum); - SSVAL(param, 4, 0x7); + + if (sd->off_dacl) + sec_info |= DACL_SECURITY_INFORMATION; + if (sd->off_owner_sid) + sec_info |= OWNER_SECURITY_INFORMATION; + if (sd->off_grp_sid) + sec_info |= GROUP_SECURITY_INFORMATION; + SSVAL(param, 4, sec_info); if (!cli_send_nt_trans(cli, NT_TRANSACT_SET_SECURITY_DESC, -- cgit From 59d17982b7062e6a34e9382fb0056a913b28e23e Mon Sep 17 00:00:00 2001 
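Review bot: `sec_info` is declared `uint32` but is written with `SSVAL(param, 4, sec_info)`, which stores only 16 bits; the SecurityInformation field of the NT_TRANSACT_SET_SECURITY_DESC parameter block is 32 bits wide, and `char param[8]` has no initialiser, so bytes 6–7 leave the function uninitialised and go onto the wire. Use `SIVAL(param, 4, sec_info);` (the original `SSVAL(param, 4, 0x7)` had the same flaw). The new flag computation covers DACL, owner and group only; if the descriptor type also carries an SACL offset, the same pattern should set `SACL_SECURITY_INFORMATION`, otherwise an SACL present in `sd` is silently not applied. cli_set_secdesc continues outside the hunk.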
From: John Terpstra Date: Sat, 10 May 2003 05:26:48 +0000 Subject: Fixes for typos and other stuff resulting from VL's feedback. --- docs/docbook/projdoc/Samba-BDC-HOWTO.xml | 97 ++++++++++++++++++++++++-------- docs/docbook/projdoc/Samba-PDC-HOWTO.xml | 34 +++++++---- docs/docbook/projdoc/ServerType.xml | 31 +++++++--- 3 files changed, 120 insertions(+), 42 deletions(-) diff --git a/docs/docbook/projdoc/Samba-BDC-HOWTO.xml b/docs/docbook/projdoc/Samba-BDC-HOWTO.xml index 5d629024871..552834e9294 100644 --- a/docs/docbook/projdoc/Samba-BDC-HOWTO.xml +++ b/docs/docbook/projdoc/Samba-BDC-HOWTO.xml 
@@ -31,34 +31,92 @@ and / or question and we will do our best to provide a solution. Samba-3 is capable of acting as a Backup Domain Controller to another Samba Primary Domain Controller. A Samba-3 PDC can operate with an LDAP Account backend. The Samba-3 BDC can -operate with a slave LDAP server for the Account backend. This effectively gives samba a high +operate with a slave LDAP server for the Account backend. This effectively gives samba a high degree of scalability. This is a very sweet (nice) solution for large organisations. While it is possible to run a Samba-3 BDC with non-LDAP backend, the administrator will need to figure out precisely what is the best way to replicate (copy / distribute) the -user and machine Accounts backend. Again, Samba-3 provides a number of possibilities: +user and machine Accounts backend. + + + +The use of a non-LDAP backend SAM database is particularly problematic because Domain member +servers and workstations periodically change the machine trust account password. The new +password is then stored only locally. This means that in the absence of a centrally stored +accounts database (such as that provided with an LDAP based solution) if Samba-3 is running +as a BDC, the PDC instance of the Domain member trust account password will not reach the +PDC (master) copy of the SAM. If the PDC SAM is then replicated to BDCs this results in +overwriting of the SAM that contains the updated (changed) trust account password with resulting +breakage of the domain trust. + + + +Considering the number of comments and questions raised concerning how to configure a BDC +lets consider each possible option and look at the pro's and con's for each theoretical solution: Backup Domain Backend Account Distribution Options - Passwd Backend is LDAP based, BDCs use a slave LDAP server - + Solution: Passwd Backend is LDAP based, BDCs use a slave LDAP server + + + + Arguments For: This is a neat and manageable solution. 
The LDAP based SAM (ldapsam) + is constantly kept up to date. + + + + Arguments Against: Complexity + + Passdb Backend is tdbsam based, BDCs use cron based "net rcp vampire" to suck down the Accounts database from the PDC - + + + + Arguments For: It would be a nice solution + + + + Arguments Against: It does not work because Samba-3 does not support the required + protocols. This may become a later feature but is not available today. + + Make use of rsync to replicate (pull down) copies of the essential account files - + + + + Arguments For: It is a simple solution, easy to set up as a scheduled job + + + + Arguments Against: This will over-write the locally changed machine trust account + passwords. This is a broken and flawed solution. Do NOT do this. + + Operate with an entirely local accounts database (not recommended) - + + + + Arguments For: Simple, easy to maintain + + + + Arguments Against: All machine trust accounts and user accounts will be locally + maintained. Domain users will NOT be able to roam from office to office. This is + a broken and flawed solution. Do NOT do this. + + + @@ -227,22 +285,8 @@ password) to the local Domain Controller, for valdation. - - -When is the PDC needed? - - -Whenever a user wants to change his password, this has to be done on the PDC. To find -the PDC, the workstation does a NetBIOS name query for SAMBA<#1b>, assuming this -machine maintains the master copy of the SAM. The workstation contacts the PDC, both -mutually authenticate and the password change is done. - - - - - Backup Domain Controller Configuration 
@@ -329,10 +373,13 @@ watching for updates to this section. Machine Accounts keep expiring, what can I do? -This problem will occur when occur when the account files are replicated from a central -server but the local Domain Controllers are not forwarding machine account password updates -back to the central server, or where there is an excessive delay in replication of the centrally -changed machine account password to the local Domain Controller. +This problem will occur when occur when the passdb (SAM) files are copied from a central +server but the local Backup Domain Controllers. Local machine trust account password updates +are not copied back to the central server. The newer machine account password is then over +written when the SAM is copied from the PDC. The result is that the Domain member machine +on start up will find that it's passwords does not match the one now in the database and +since the startup security check will now fail, this machine will not allow logon attempts +to procede and the account expiry error will be reported. diff --git a/docs/docbook/projdoc/Samba-PDC-HOWTO.xml b/docs/docbook/projdoc/Samba-PDC-HOWTO.xml index 552a95c878b..e8c60c8d6df 100644 --- a/docs/docbook/projdoc/Samba-PDC-HOWTO.xml +++ b/docs/docbook/projdoc/Samba-PDC-HOWTO.xml @@ -86,6 +86,14 @@ security protocols. The benefits of Domain security are fully available to those sites that deploy a Samba PDC. + +Network clients of an MS Windows Domain security environment must be Domain members to be +able to gain access to the advanced features provided. Domain membership involves more than just +setting the workgroup name to the Domain name. It requires the creation of a Domain trust account +for the workstation (called a machine account). Please refer to the chapter on Domain Membership +for more information. + + The following functionalities are new to the Samba-3 release: 
@@ -96,8 +104,10 @@ The following functionalities are new to the Samba-3 release: - Adding users via the User Manager for Domains or via the Windows 200x Microsoft - Management Console. + Adding users via the User Manager for Domains. This can be done on any MS Windows + client using the Nexus toolkit that is available from Microsoft's web site. + At some later date Samba-3 may get support for the use of the Microsoft Manangement + Console for user management. @@ -294,10 +304,11 @@ MS Windows 200x domain control protcols also. -At this time Samba-3 is capable of acting as an ADS Domain Controller but -in only a limited and experimental manner. This functionality should not be depended upon -until the samba-team offers formal support for it. At such a time, the documentation will -be revised to duely reflect all configuration and management requirements. +At this time any appearance that Samba-3 is capable of acting as an +ADS Domain Controller is limited and experimental in nature. +This functionality should not be used until the samba-team offers formal support for it. +At such a time, the documentation will be revised to duely reflect all configuration and +management requirements. @@ -493,7 +504,7 @@ Here is an example &smb.conf; for acting as a PDC: ; security settings (must user security = user) security = user - ; encrypted passwords are a requirement for a PDC + ; encrypted passwords are a requirement for a PDC (default = Yes) encrypt passwords = yes ; support domain logons 
@@ -568,9 +579,12 @@ There are a couple of points to emphasize in the above configuration. Samba ADS Domain Control -Samba-3 can behave and appear to MS Windows 200x and XP clients as an Active Directory Server. -The problem with doing this is that samba-3 is NOT an Active Directory server and does NOT yet -support all protocols needed to make this a possibility. +Samba-3 is not and can not act as an Active Directory Server. It can not truely function as +an Active Directory Primary Domain Controller. The protocols for some of the functionality +the Active Directory Domain Controllers is have been partially implemented on an experiemental +only basis. Please do NOT expect Samba-3 to support these protocols - nor should you depend +on any such functionality either now or in the future. The Samba-Team may well remove such +experiemental features or may change their behaviour. diff --git a/docs/docbook/projdoc/ServerType.xml b/docs/docbook/projdoc/ServerType.xml index 13377b1d5ac..8b567ca16f8 100644 --- a/docs/docbook/projdoc/ServerType.xml +++ b/docs/docbook/projdoc/ServerType.xml @@ -134,9 +134,9 @@ reduce user complaints and administrator heartache. There are in the SMB/CIFS networking world only two types of security: USER Level and SHARE Level. We refer to these collectively as security levels. In implementing these two security levels samba provides flexibilities -that are not available with Microsoft Windows NT4 / 200x servers. Samba knows of fice (5) +that are not available with Microsoft Windows NT4 / 200x servers. Samba knows of five (5) ways that allow the security levels to be implemented. In actual fact, Samba implements -SHARE Levl security only one way, but has for ways of implementing +SHARE Level security only one way, but has for ways of implementing USER Level security. Collectively, we call the samba implementations Security Modes. These are: SHARE, USER, DOMAIN, ADS, and SERVER modes. They are documented in this chapter. 
@@ -306,6 +306,21 @@ security domain. This is done as follows: + +As of Samba-2.2.4 the Samba 2.2.x series can auto-join a Windows NT4 style Domain just +by executing: + + smbpasswd -j DOMAIN_NAME -r PDC_NAME -U Administrator%password + + +As of Samba-3 the same can be done by executing: + + net join -U Administrator%password + +It is not necessary with Samba-3 to specify the DOMAIN_NAME or the PDC_NAME as it figures this +out from the smb.conf file settings. + + Use of this mode of authentication does require there to be a standard Unix account for the user in order to assign a uid once the account has been authenticated by @@ -418,10 +433,12 @@ workgroup mode. -Server level security is incompatible with what is known as -schannel or sign and seal protocols. This means that -if you want to use server level security you must disable the use of -sign and seal on all machines on your network. +Server level security is incompatible with the newer security features +in recent MS Windows networking protocols. In particular it is incompatible with NTLMv2. +Server Mode security also breaks Sign and Seal interoperability because only a domain member +can sign packets in the manner in which it is currently implemented in Samba-3. +If you chose to use Server Mode security this means it is necessary to disable Sign and Seal +on all workstations. @@ -470,7 +487,7 @@ for the user, this account can be blocked to prevent logons by other than MS Win MS Windows clients may use encrypted passwords as part of a challenege/response -authentication model (a.k.a. NTLMv1) or alone, or clear text strings for simple +authentication model (a.k.a. NTLMv1 and NTLMv2) or alone, or clear text strings for simple password based authentication. It should be realized that with the SMB protocol the password is passed over the network either in plain text or encrypted, but not both in the same authentication request. -- cgit From 367a5cad1edf6a49783806d5a8b59a62d8856706 Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij Date: Sat, 10 May 2003 10:56:20 +0000 Subject: Patch from metze and me that adds dummy smb_register_*() functions --- source/client/client.c | 2 ++ source/client/smbmount.c | 2 ++ source/client/smbspool.c | 2 ++ source/include/module_dummy.h | 53 +++++++++++++++++++++++++++++++++++++++++++ source/nmbd/nmbd.c | 2 ++ source/nsswitch/winbindd.c | 2 ++ source/passdb/pdb_interface.c | 4 ++-- source/rpcclient/rpcclient.c | 4 ++++ source/smbd/server.c | 7 ++++++ source/torture/locktest.c | 2 ++ source/torture/locktest2.c | 2 ++ source/torture/masktest.c | 2 ++ source/torture/msgtest.c | 2 ++ source/torture/nsstest.c | 2 ++ source/torture/rpctorture.c | 2 ++ source/torture/smbiconv.c | 2 ++ source/torture/torture.c | 2 ++ source/torture/vfstest.c | 6 +++++ source/utils/net.c | 4 ++++ source/utils/nmblookup.c | 2 ++ source/utils/ntlm_auth.c | 2 ++ source/utils/pdbedit.c | 3 +++ source/utils/profiles.c | 2 ++ source/utils/rpccheck.c | 2 ++ source/utils/smbcacls.c | 2 ++ source/utils/smbcontrol.c | 2 ++ source/utils/smbcquotas.c | 2 ++ source/utils/smbfilter.c | 2 ++ source/utils/smbpasswd.c | 3 +++ source/utils/smbtree.c | 2 ++ source/utils/status.c | 2 ++ source/utils/testparm.c | 2 ++ source/utils/testprns.c | 2 ++ source/web/swat.c | 3 +++ source/wrepld/server.c | 2 ++ 35 files changed, 137 insertions(+), 2 deletions(-) create mode 100644 source/include/module_dummy.h diff --git a/source/client/client.c b/source/client/client.c index b498b5b4a88..04804ac1f1c 100644 --- a/source/client/client.c +++ b/source/client/client.c @@ -28,6 +28,8 @@ #define REGISTER 0 #endif +#include "module_dummy.h" + struct cli_state *cli; extern BOOL in_client; static int port = 0; diff --git a/source/client/smbmount.c b/source/client/smbmount.c index 1ee7dbc8cb9..eeaec642040 100644 --- a/source/client/smbmount.c +++ b/source/client/smbmount.c @@ -22,6 +22,8 @@ #include "includes.h" +#include "module_dummy.h" + #include #include #include 
diff --git a/source/client/smbspool.c b/source/client/smbspool.c index 68165792da3..eef663ebfd2 100644 --- a/source/client/smbspool.c +++ b/source/client/smbspool.c @@ -24,6 +24,8 @@ #include "includes.h" +#include "module_dummy.h" + /* * Globals... */ diff --git a/source/include/module_dummy.h b/source/include/module_dummy.h new file mode 100644 index 00000000000..dfa0e1535b1 --- /dev/null +++ b/source/include/module_dummy.h 
@@ -0,0 +1,53 @@ +/* + Unix SMB/CIFS implementation. + For faking up smb_register_*() functions + e.g. smb_register_vfs() in nmbd + Copyright (C) Stefan (metze) Metzmacher 2003 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#ifndef _MODULE_DUMMY_H +#define _MODULE_DUMMY_H + +#ifndef HAVE_SMB_REGISTER_AUTH +NTSTATUS smb_register_auth(int version, const char *name, auth_init_function init) +{ + return NT_STATUS_NOT_IMPLEMENTED; +} +#endif /*HAVE_SMB_REGISTER_AUTH*/ + +#ifndef HAVE_SMB_REGISTER_PASSDB +NTSTATUS smb_register_passdb(int version, const char *name, pdb_init_function init) +{ + return NT_STATUS_NOT_IMPLEMENTED; +} +#endif /*HAVE_SMB_REGISTER_PASSDB*/ + +#ifndef HAVE_RPC_PIPE_REGISTER_COMMANDS +NTSTATUS rpc_pipe_register_commands(int version, const char *clnt, const char *srv, const struct api_struct *cmds, int size) +{ + return NT_STATUS_NOT_IMPLEMENTED; +} +#endif /*HAVE_RPC_PIPE_REGISTER_COMMANDS*/ + +#ifndef HAVE_SMB_REGISTER_VFS +NTSTATUS smb_register_vfs(int version, const char *name, vfs_op_tuple *(*init)(const struct vfs_ops *, struct smb_vfs_handle_struct *)) +{ + return NT_STATUS_NOT_IMPLEMENTED; +} +#endif /*HAVE_SMB_REGISTER_VFS*/ + +#endif /* _MODULE_DUMMY_H */ diff --git a/source/nmbd/nmbd.c b/source/nmbd/nmbd.c index eec447688f0..81ef3b79a51 100644 --- a/source/nmbd/nmbd.c +++ b/source/nmbd/nmbd.c 
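Review bot: The header defines external (non-`static`) functions named `smb_register_auth`, `smb_register_passdb`, `rpc_pipe_register_commands` and `smb_register_vfs`, so every translation unit that includes it emits a definition; this only links while exactly one TU per program includes it and the `HAVE_*` guards match what that program really links, and the guards are set by hand in each `.c` rather than by configure (server.c and vfstest.c further down define all four, which makes their include a no-op). That contract should be stated at the top of the header, e.g. `/* Include from exactly one TU per binary; define HAVE_<NAME> for each registration function the binary links for real. */`. The stubs also discard their `init`/`cmds` arguments and return `NT_STATUS_NOT_IMPLEMENTED` without any DEBUG output, so a module that tries to register in such a binary fails silently; a `DEBUG(0, ...)` line in each stub would make that visible.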
@@ -23,6 +23,8 @@ #include "includes.h" +#include "module_dummy.h" + int ClientNMB = -1; int ClientDGRAM = -1; int global_nmb_port = -1; diff --git a/source/nsswitch/winbindd.c b/source/nsswitch/winbindd.c index da2540f5d98..b65af3d940e 100644 --- a/source/nsswitch/winbindd.c +++ b/source/nsswitch/winbindd.c @@ -24,6 +24,8 @@ #include "winbindd.h" +#include "module_dummy.h" + BOOL opt_nocache = False; BOOL opt_dual_daemon = False; diff --git a/source/passdb/pdb_interface.c b/source/passdb/pdb_interface.c index 7b44df193fc..dc2b43d204d 100644 --- a/source/passdb/pdb_interface.c +++ b/source/passdb/pdb_interface.c @@ -436,10 +436,10 @@ static NTSTATUS make_pdb_methods_name(struct pdb_methods **methods, struct pdb_c /* Try to find a module that contains this module */ if (!entry) { DEBUG(2,("No builtin backend found, trying to load plugin\n")); - if(NT_STATUS_IS_OK(smb_probe_module("pdb", module_name)) && !(entry = pdb_find_backend_entry(module_name))) { + if(NT_STATUS_IS_OK(nt_status = smb_probe_module("pdb", module_name)) && !(entry = pdb_find_backend_entry(module_name))) { DEBUG(0,("Plugin is available, but doesn't register passdb backend %s\n", module_name)); SAFE_FREE(module_name); - return NT_STATUS_UNSUCCESSFUL; + return nt_status; } } diff --git a/source/rpcclient/rpcclient.c b/source/rpcclient/rpcclient.c index b01e2d694c5..68f8fbae8b9 100644 --- a/source/rpcclient/rpcclient.c +++ b/source/rpcclient/rpcclient.c @@ -23,6 +23,10 @@ #include "includes.h" #include "rpcclient.h" + +#define HAVE_SMB_REGISTER_PASSDB +#include "module_dummy.h" + DOM_SID domain_sid; diff --git a/source/smbd/server.c b/source/smbd/server.c index c24fc5134de..11f06daf0dc 100644 --- a/source/smbd/server.c +++ b/source/smbd/server.c 
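Review bot: `return nt_status;` in the plugin branch of make_pdb_methods_name returns a success status: the branch is entered only when `NT_STATUS_IS_OK(nt_status = smb_probe_module("pdb", module_name))` held and pdb_find_backend_entry still found nothing, so the caller receives NT_STATUS_OK while `*methods` was never set. Keep `return NT_STATUS_UNSUCCESSFUL;` on this path and propagate `nt_status` only where the probe itself failed. The revert further down the page restores the original line. make_pdb_methods_name begins and ends outside the hunk.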
@@ -22,6 +22,13 @@ #include "includes.h" +#define HAVE_SMB_REGISTER_AUTH +#define HAVE_SMB_REGISTER_PASSDB +#define HAVE_RPC_PIPE_REGISTER_COMMANDS +#define HAVE_SMB_REGISTER_VFS +#include "module_dummy.h" + + int am_parent = 1; /* the last message the was processed */ diff --git a/source/torture/locktest.c b/source/torture/locktest.c index 63b9590dd61..c18d2c100bc 100644 --- a/source/torture/locktest.c +++ b/source/torture/locktest.c @@ -22,6 +22,8 @@ #include "includes.h" +#include "module_dummy.h" + static fstring password[2]; static fstring username[2]; static int got_user; diff --git a/source/torture/locktest2.c b/source/torture/locktest2.c index 97844b5609e..596596eb8a8 100644 --- a/source/torture/locktest2.c +++ b/source/torture/locktest2.c @@ -22,6 +22,8 @@ #include "includes.h" +#include "module_dummy.h" + static fstring password; static fstring username; static int got_pass; diff --git a/source/torture/masktest.c b/source/torture/masktest.c index 06dead3f16f..a4da1baff27 100644 --- a/source/torture/masktest.c +++ b/source/torture/masktest.c @@ -22,6 +22,8 @@ #include "includes.h" +#include "module_dummy.h" + static fstring password; static fstring username; static int got_pass; diff --git a/source/torture/msgtest.c b/source/torture/msgtest.c index 8abb0a20d2e..091b6337ab1 100644 --- a/source/torture/msgtest.c +++ b/source/torture/msgtest.c @@ -25,6 +25,8 @@ #include "includes.h" +#include "module_dummy.h" + static int pong_count; /**************************************************************************** diff --git a/source/torture/nsstest.c b/source/torture/nsstest.c index a82fa05203e..27b77e2a83b 100644 --- a/source/torture/nsstest.c +++ b/source/torture/nsstest.c @@ -20,6 +20,8 @@ #include "includes.h" +#include "module_dummy.h" + static const char *so_path = "/lib/libnss_winbind.so"; static const char *nss_name = "winbind"; static int nss_errno; 
diff --git a/source/torture/rpctorture.c b/source/torture/rpctorture.c index 086f8d5d331..e88a39a4839 100644 --- a/source/torture/rpctorture.c +++ b/source/torture/rpctorture.c @@ -20,6 +20,8 @@ #include "includes.h" +#include "module_dummy.h" + #ifndef REGISTER #define REGISTER 0 #endif diff --git a/source/torture/smbiconv.c b/source/torture/smbiconv.c index ce21a09025e..613082225a2 100644 --- a/source/torture/smbiconv.c +++ b/source/torture/smbiconv.c @@ -23,6 +23,8 @@ #include "includes.h" +#include "module_dummy.h" + static int process_block (smb_iconv_t cd, char *addr, size_t len, FILE *output) { diff --git a/source/torture/torture.c b/source/torture/torture.c index 840b6ad2947..d660b6d003f 100644 --- a/source/torture/torture.c +++ b/source/torture/torture.c @@ -22,6 +22,8 @@ #include "includes.h" +#include "module_dummy.h" + static fstring host, workgroup, share, password, username, myname; static int max_protocol = PROTOCOL_NT1; static const char *sockops="TCP_NODELAY"; diff --git a/source/torture/vfstest.c b/source/torture/vfstest.c index 3b28a3c496b..d6b84126a0b 100644 --- a/source/torture/vfstest.c +++ b/source/torture/vfstest.c @@ -27,6 +27,12 @@ #include "includes.h" #include "vfstest.h" +#define HAVE_SMB_REGISTER_AUTH +#define HAVE_SMB_REGISTER_PASSDB +#define HAVE_RPC_PIPE_REGISTER_COMMANDS +#define HAVE_SMB_REGISTER_VFS +#include "module_dummy.h" + /* List to hold groups of commands */ static struct cmd_list { struct cmd_list *prev, *next; diff --git a/source/utils/net.c b/source/utils/net.c index aa245a920a7..b2a86bb0201 100644 --- a/source/utils/net.c +++ b/source/utils/net.c @@ -40,6 +40,10 @@ #include "includes.h" #include "../utils/net.h" +#define HAVE_SMB_REGISTER_PASSDB +#include "module_dummy.h" + + /***********************************************************************/ /* Beginning of internationalization section. Translatable constants */ /* should be kept in this area and referenced in the rest of the code. */ 
diff --git a/source/utils/nmblookup.c b/source/utils/nmblookup.c index d2c5cbc00ed..7083961ccb5 100644 --- a/source/utils/nmblookup.c +++ b/source/utils/nmblookup.c @@ -24,6 +24,8 @@ #include "includes.h" +#include "module_dummy.h" + extern BOOL AllowDebugChange; static BOOL give_flags = False; diff --git a/source/utils/ntlm_auth.c b/source/utils/ntlm_auth.c index 42490190f32..b30efac4b73 100644 --- a/source/utils/ntlm_auth.c +++ b/source/utils/ntlm_auth.c @@ -27,6 +27,8 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_WINBIND +#include "module_dummy.h" + #define SQUID_BUFFER_SIZE 2010 enum squid_mode { diff --git a/source/utils/pdbedit.c b/source/utils/pdbedit.c index 13f35e88806..81d0a61287d 100644 --- a/source/utils/pdbedit.c +++ b/source/utils/pdbedit.c @@ -23,6 +23,9 @@ #include "includes.h" +#define HAVE_SMB_REGISTER_PASSDB +#include "module_dummy.h" + #define BIT_BACKEND 0x00000004 #define BIT_VERBOSE 0x00000008 #define BIT_SPSTYLE 0x00000010 diff --git a/source/utils/profiles.c b/source/utils/profiles.c index afaa83f6384..4a6fa59b53e 100644 --- a/source/utils/profiles.c +++ b/source/utils/profiles.c @@ -297,6 +297,8 @@ Hope this helps.... (Although it was "fun" for me to uncover this things, #include #include +#include "module_dummy.h" + typedef unsigned int DWORD; typedef unsigned short WORD; diff --git a/source/utils/rpccheck.c b/source/utils/rpccheck.c index ae109f69b65..11a2a9d8baa 100644 --- a/source/utils/rpccheck.c +++ b/source/utils/rpccheck.c @@ -20,6 +20,8 @@ #include "includes.h" +#include "module_dummy.h" + main() { char filter[]="0123456789ABCDEF"; diff --git a/source/utils/smbcacls.c b/source/utils/smbcacls.c index 9d8a6577263..35a9b05dcd7 100644 --- a/source/utils/smbcacls.c +++ b/source/utils/smbcacls.c @@ -24,6 +24,8 @@ #include "includes.h" +#include "module_dummy.h" + static pstring owner_username; static fstring server; static int test_args = False; 
diff --git a/source/utils/smbcontrol.c b/source/utils/smbcontrol.c index 06add6af228..0c68bfc329a 100644 --- a/source/utils/smbcontrol.c +++ b/source/utils/smbcontrol.c @@ -25,6 +25,8 @@ #include "includes.h" +#include "module_dummy.h" + /* Default timeout value when waiting for replies (in seconds) */ #define DEFAULT_TIMEOUT 10 diff --git a/source/utils/smbcquotas.c b/source/utils/smbcquotas.c index 9c7379ca2a9..9ba243a4a58 100644 --- a/source/utils/smbcquotas.c +++ b/source/utils/smbcquotas.c @@ -24,6 +24,8 @@ #include "includes.h" +#include "module_dummy.h" + static pstring server; /* numeric is set when the user wants numeric SIDs and ACEs rather diff --git a/source/utils/smbfilter.c b/source/utils/smbfilter.c index 1a0d639f025..fe5208227d7 100644 --- a/source/utils/smbfilter.c +++ b/source/utils/smbfilter.c @@ -20,6 +20,8 @@ #include "includes.h" +#include "module_dummy.h" + #define SECURITY_MASK 0 #define SECURITY_SET 0 diff --git a/source/utils/smbpasswd.c b/source/utils/smbpasswd.c index 577e467fbdb..2070adb3e56 100644 --- a/source/utils/smbpasswd.c +++ b/source/utils/smbpasswd.c @@ -19,6 +19,9 @@ #include "includes.h" +#define HAVE_SMB_REGISTER_PASSDB +#include "module_dummy.h" + extern BOOL AllowDebugChange; /* diff --git a/source/utils/smbtree.c b/source/utils/smbtree.c index cbe1bd448f8..bc669b4aa16 100644 --- a/source/utils/smbtree.c +++ b/source/utils/smbtree.c @@ -22,6 +22,8 @@ #include "includes.h" +#include "module_dummy.h" + static BOOL use_bcast; /* How low can we go? */ diff --git a/source/utils/status.c b/source/utils/status.c index bbaeecdd6bb..fab55baabbb 100644 --- a/source/utils/status.c +++ b/source/utils/status.c @@ -35,6 +35,8 @@ #include "includes.h" +#include "module_dummy.h" + static pstring Ucrit_username = ""; /* added by OH */ static pid_t Ucrit_pid[100]; /* Ugly !!! */ /* added by OH */ static int Ucrit_MaxPid=0; /* added by OH */ diff --git a/source/utils/testparm.c b/source/utils/testparm.c index e3d6ce02748..b3e8f8badbf 100644 
--- a/source/utils/testparm.c +++ b/source/utils/testparm.c @@ -34,6 +34,8 @@ #include "includes.h" +#include "module_dummy.h" + extern BOOL AllowDebugChange; /*********************************************** diff --git a/source/utils/testprns.c b/source/utils/testprns.c index 7e52b86afb6..758e2b41dd6 100644 --- a/source/utils/testprns.c +++ b/source/utils/testprns.c @@ -32,6 +32,8 @@ #include "includes.h" +#include "module_dummy.h" + int main(int argc, char *argv[]) { const char *pszTemp; diff --git a/source/web/swat.c b/source/web/swat.c index 7f9492933a5..e93fb2e5e12 100644 --- a/source/web/swat.c +++ b/source/web/swat.c @@ -31,6 +31,9 @@ #include "includes.h" #include "../web/swat_proto.h" +#define HAVE_SMB_REGISTER_PASSDB +#include "module_dummy.h" + #define GLOBALS_SNUM -1 static BOOL demo_mode = False; diff --git a/source/wrepld/server.c b/source/wrepld/server.c index 504818b8d52..21bc2e4925b 100644 --- a/source/wrepld/server.c +++ b/source/wrepld/server.c @@ -21,6 +21,8 @@ #include "includes.h" #include "wins_repl.h" +#include "module_dummy.h" + extern pstring user_socket_options; extern WINS_OWNER *global_wins_table; -- cgit From d31509fe88da8727521586dced1da2c73bfee2bc Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij Date: Sat, 10 May 2003 11:47:29 +0000 Subject: Reverse previous patch from Stefan and me after comments by Andrew Bartlett. --- source/client/client.c | 2 -- source/client/smbmount.c | 2 -- source/client/smbspool.c | 2 -- source/nmbd/nmbd.c | 2 -- source/nsswitch/winbindd.c | 1 + source/passdb/pdb_interface.c | 4 ++-- source/rpcclient/rpcclient.c | 4 ---- source/smbd/server.c | 7 ------- source/torture/locktest.c | 2 -- source/torture/locktest2.c | 2 -- source/torture/masktest.c | 2 -- source/torture/msgtest.c | 2 -- source/torture/nsstest.c | 2 -- source/torture/rpctorture.c | 2 -- source/torture/smbiconv.c | 2 -- source/torture/torture.c | 2 -- source/torture/vfstest.c | 6 ------ source/utils/net.c | 4 ---- source/utils/nmblookup.c | 2 -- source/utils/ntlm_auth.c | 2 -- source/utils/pdbedit.c | 3 --- source/utils/profiles.c | 2 -- source/utils/rpccheck.c | 2 -- source/utils/smbcacls.c | 2 -- source/utils/smbcontrol.c | 2 -- source/utils/smbcquotas.c | 2 -- source/utils/smbfilter.c | 2 -- source/utils/smbpasswd.c | 3 --- source/utils/smbtree.c | 2 -- source/utils/status.c | 2 -- source/utils/testparm.c | 2 -- source/utils/testprns.c | 2 -- source/web/swat.c | 3 --- source/wrepld/server.c | 2 -- 34 files changed, 3 insertions(+), 82 deletions(-) diff --git a/source/client/client.c b/source/client/client.c index 04804ac1f1c..b498b5b4a88 100644 --- a/source/client/client.c +++ b/source/client/client.c @@ -28,8 +28,6 @@ #define REGISTER 0 #endif -#include "module_dummy.h" - struct cli_state *cli; extern BOOL in_client; static int port = 0; diff --git a/source/client/smbmount.c b/source/client/smbmount.c index eeaec642040..1ee7dbc8cb9 100644 --- a/source/client/smbmount.c +++ b/source/client/smbmount.c @@ -22,8 +22,6 @@ #include "includes.h" -#include "module_dummy.h" - #include #include #include diff --git a/source/client/smbspool.c b/source/client/smbspool.c index eef663ebfd2..68165792da3 100644 --- a/source/client/smbspool.c 
+++ b/source/client/smbspool.c @@ -24,8 +24,6 @@ #include "includes.h" -#include "module_dummy.h" - /* * Globals... */ diff --git a/source/nmbd/nmbd.c b/source/nmbd/nmbd.c index 81ef3b79a51..eec447688f0 100644 --- a/source/nmbd/nmbd.c +++ b/source/nmbd/nmbd.c @@ -23,8 +23,6 @@ #include "includes.h" -#include "module_dummy.h" - int ClientNMB = -1; int ClientDGRAM = -1; int global_nmb_port = -1; diff --git a/source/nsswitch/winbindd.c b/source/nsswitch/winbindd.c index b65af3d940e..018edcb6492 100644 --- a/source/nsswitch/winbindd.c +++ b/source/nsswitch/winbindd.c @@ -24,6 +24,7 @@ #include "winbindd.h" +#define HAVE_SMB_REGISTER_PASSDB #include "module_dummy.h" BOOL opt_nocache = False; diff --git a/source/passdb/pdb_interface.c b/source/passdb/pdb_interface.c index dc2b43d204d..7b44df193fc 100644 --- a/source/passdb/pdb_interface.c +++ b/source/passdb/pdb_interface.c @@ -436,10 +436,10 @@ static NTSTATUS make_pdb_methods_name(struct pdb_methods **methods, struct pdb_c /* Try to find a module that contains this module */ if (!entry) { DEBUG(2,("No builtin backend found, trying to load plugin\n")); - if(NT_STATUS_IS_OK(nt_status = smb_probe_module("pdb", module_name)) && !(entry = pdb_find_backend_entry(module_name))) { + if(NT_STATUS_IS_OK(smb_probe_module("pdb", module_name)) && !(entry = pdb_find_backend_entry(module_name))) { DEBUG(0,("Plugin is available, but doesn't register passdb backend %s\n", module_name)); SAFE_FREE(module_name); - return nt_status; + return NT_STATUS_UNSUCCESSFUL; } } diff --git a/source/rpcclient/rpcclient.c b/source/rpcclient/rpcclient.c index 68f8fbae8b9..b01e2d694c5 100644 --- a/source/rpcclient/rpcclient.c +++ b/source/rpcclient/rpcclient.c @@ -23,10 +23,6 @@ #include "includes.h" #include "rpcclient.h" - -#define HAVE_SMB_REGISTER_PASSDB -#include "module_dummy.h" - DOM_SID domain_sid; diff --git a/source/smbd/server.c b/source/smbd/server.c index 11f06daf0dc..c24fc5134de 100644 --- a/source/smbd/server.c +++ b/source/smbd/server.c 
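Review bot: In the pdb_interface.c hunk the rewritten condition in make_pdb_methods_name still only reports the case where smb_probe_module() succeeds but no backend entry appears; a failing probe makes the whole `&&` false, execution falls out of the branch with `entry` still NULL, and because `nt_status` is no longer assigned the probe's own status is discarded, so a caller cannot tell "plugin failed to load" from "plugin loaded but registered nothing". Capturing the status and failing fast keeps the diagnostic: `nt_status = smb_probe_module("pdb", module_name);` followed by `if (!NT_STATUS_IS_OK(nt_status)) { SAFE_FREE(module_name); return nt_status; }`, with the existing pdb_find_backend_entry() check then returning NT_STATUS_UNSUCCESSFUL on its own. The function starts and ends outside the hunk, so the code after the closing braces may already reject a NULL `entry`; even then the lost probe status is worth emitting through the DEBUG macro the hunk already uses, since a passdb backend that fails to load should fail loudly rather than leave the caller guessing.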
@@ -22,13 +22,6 @@ #include "includes.h" -#define HAVE_SMB_REGISTER_AUTH -#define HAVE_SMB_REGISTER_PASSDB -#define HAVE_RPC_PIPE_REGISTER_COMMANDS -#define HAVE_SMB_REGISTER_VFS -#include "module_dummy.h" - - int am_parent = 1; /* the last message the was processed */ diff --git a/source/torture/locktest.c b/source/torture/locktest.c index c18d2c100bc..63b9590dd61 100644 --- a/source/torture/locktest.c +++ b/source/torture/locktest.c @@ -22,8 +22,6 @@ #include "includes.h" -#include "module_dummy.h" - static fstring password[2]; static fstring username[2]; static int got_user; diff --git a/source/torture/locktest2.c b/source/torture/locktest2.c index 596596eb8a8..97844b5609e 100644 --- a/source/torture/locktest2.c +++ b/source/torture/locktest2.c @@ -22,8 +22,6 @@ #include "includes.h" -#include "module_dummy.h" - static fstring password; static fstring username; static int got_pass; diff --git a/source/torture/masktest.c b/source/torture/masktest.c index a4da1baff27..06dead3f16f 100644 --- a/source/torture/masktest.c +++ b/source/torture/masktest.c @@ -22,8 +22,6 @@ #include "includes.h" -#include "module_dummy.h" - static fstring password; static fstring username; static int got_pass; diff --git a/source/torture/msgtest.c b/source/torture/msgtest.c index 091b6337ab1..8abb0a20d2e 100644 --- a/source/torture/msgtest.c +++ b/source/torture/msgtest.c @@ -25,8 +25,6 @@ #include "includes.h" -#include "module_dummy.h" - static int pong_count; /**************************************************************************** diff --git a/source/torture/nsstest.c b/source/torture/nsstest.c index 27b77e2a83b..a82fa05203e 100644 --- a/source/torture/nsstest.c +++ b/source/torture/nsstest.c @@ -20,8 +20,6 @@ #include "includes.h" -#include "module_dummy.h" - static const char *so_path = "/lib/libnss_winbind.so"; static const char *nss_name = "winbind"; static int nss_errno; 
diff --git a/source/torture/rpctorture.c b/source/torture/rpctorture.c index e88a39a4839..086f8d5d331 100644 --- a/source/torture/rpctorture.c +++ b/source/torture/rpctorture.c @@ -20,8 +20,6 @@ #include "includes.h" -#include "module_dummy.h" - #ifndef REGISTER #define REGISTER 0 #endif diff --git a/source/torture/smbiconv.c b/source/torture/smbiconv.c index 613082225a2..ce21a09025e 100644 --- a/source/torture/smbiconv.c +++ b/source/torture/smbiconv.c @@ -23,8 +23,6 @@ #include "includes.h" -#include "module_dummy.h" - static int process_block (smb_iconv_t cd, char *addr, size_t len, FILE *output) { diff --git a/source/torture/torture.c b/source/torture/torture.c index d660b6d003f..840b6ad2947 100644 --- a/source/torture/torture.c +++ b/source/torture/torture.c @@ -22,8 +22,6 @@ #include "includes.h" -#include "module_dummy.h" - static fstring host, workgroup, share, password, username, myname; static int max_protocol = PROTOCOL_NT1; static const char *sockops="TCP_NODELAY"; diff --git a/source/torture/vfstest.c b/source/torture/vfstest.c index d6b84126a0b..3b28a3c496b 100644 --- a/source/torture/vfstest.c +++ b/source/torture/vfstest.c @@ -27,12 +27,6 @@ #include "includes.h" #include "vfstest.h" -#define HAVE_SMB_REGISTER_AUTH -#define HAVE_SMB_REGISTER_PASSDB -#define HAVE_RPC_PIPE_REGISTER_COMMANDS -#define HAVE_SMB_REGISTER_VFS -#include "module_dummy.h" - /* List to hold groups of commands */ static struct cmd_list { struct cmd_list *prev, *next; diff --git a/source/utils/net.c b/source/utils/net.c index b2a86bb0201..aa245a920a7 100644 --- a/source/utils/net.c +++ b/source/utils/net.c @@ -40,10 +40,6 @@ #include "includes.h" #include "../utils/net.h" -#define HAVE_SMB_REGISTER_PASSDB -#include "module_dummy.h" - - /***********************************************************************/ /* Beginning of internationalization section. Translatable constants */ /* should be kept in this area and referenced in the rest of the code. */ 
diff --git a/source/utils/nmblookup.c b/source/utils/nmblookup.c index 7083961ccb5..d2c5cbc00ed 100644 --- a/source/utils/nmblookup.c +++ b/source/utils/nmblookup.c @@ -24,8 +24,6 @@ #include "includes.h" -#include "module_dummy.h" - extern BOOL AllowDebugChange; static BOOL give_flags = False; diff --git a/source/utils/ntlm_auth.c b/source/utils/ntlm_auth.c index b30efac4b73..42490190f32 100644 --- a/source/utils/ntlm_auth.c +++ b/source/utils/ntlm_auth.c @@ -27,8 +27,6 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_WINBIND -#include "module_dummy.h" - #define SQUID_BUFFER_SIZE 2010 enum squid_mode { diff --git a/source/utils/pdbedit.c b/source/utils/pdbedit.c index 81d0a61287d..13f35e88806 100644 --- a/source/utils/pdbedit.c +++ b/source/utils/pdbedit.c @@ -23,9 +23,6 @@ #include "includes.h" -#define HAVE_SMB_REGISTER_PASSDB -#include "module_dummy.h" - #define BIT_BACKEND 0x00000004 #define BIT_VERBOSE 0x00000008 #define BIT_SPSTYLE 0x00000010 diff --git a/source/utils/profiles.c b/source/utils/profiles.c index 4a6fa59b53e..afaa83f6384 100644 --- a/source/utils/profiles.c +++ b/source/utils/profiles.c @@ -297,8 +297,6 @@ Hope this helps.... (Although it was "fun" for me to uncover this things, #include #include -#include "module_dummy.h" - typedef unsigned int DWORD; typedef unsigned short WORD; diff --git a/source/utils/rpccheck.c b/source/utils/rpccheck.c index 11a2a9d8baa..ae109f69b65 100644 --- a/source/utils/rpccheck.c +++ b/source/utils/rpccheck.c @@ -20,8 +20,6 @@ #include "includes.h" -#include "module_dummy.h" - main() { char filter[]="0123456789ABCDEF"; diff --git a/source/utils/smbcacls.c b/source/utils/smbcacls.c index 35a9b05dcd7..9d8a6577263 100644 --- a/source/utils/smbcacls.c +++ b/source/utils/smbcacls.c @@ -24,8 +24,6 @@ #include "includes.h" -#include "module_dummy.h" - static pstring owner_username; static fstring server; static int test_args = False; 
diff --git a/source/utils/smbcontrol.c b/source/utils/smbcontrol.c index 0c68bfc329a..06add6af228 100644 --- a/source/utils/smbcontrol.c +++ b/source/utils/smbcontrol.c @@ -25,8 +25,6 @@ #include "includes.h" -#include "module_dummy.h" - /* Default timeout value when waiting for replies (in seconds) */ #define DEFAULT_TIMEOUT 10 diff --git a/source/utils/smbcquotas.c b/source/utils/smbcquotas.c index 9ba243a4a58..9c7379ca2a9 100644 --- a/source/utils/smbcquotas.c +++ b/source/utils/smbcquotas.c @@ -24,8 +24,6 @@ #include "includes.h" -#include "module_dummy.h" - static pstring server; /* numeric is set when the user wants numeric SIDs and ACEs rather diff --git a/source/utils/smbfilter.c b/source/utils/smbfilter.c index fe5208227d7..1a0d639f025 100644 --- a/source/utils/smbfilter.c +++ b/source/utils/smbfilter.c @@ -20,8 +20,6 @@ #include "includes.h" -#include "module_dummy.h" - #define SECURITY_MASK 0 #define SECURITY_SET 0 diff --git a/source/utils/smbpasswd.c b/source/utils/smbpasswd.c index 2070adb3e56..577e467fbdb 100644 --- a/source/utils/smbpasswd.c +++ b/source/utils/smbpasswd.c @@ -19,9 +19,6 @@ #include "includes.h" -#define HAVE_SMB_REGISTER_PASSDB -#include "module_dummy.h" - extern BOOL AllowDebugChange; /* diff --git a/source/utils/smbtree.c b/source/utils/smbtree.c index bc669b4aa16..cbe1bd448f8 100644 --- a/source/utils/smbtree.c +++ b/source/utils/smbtree.c @@ -22,8 +22,6 @@ #include "includes.h" -#include "module_dummy.h" - static BOOL use_bcast; /* How low can we go? */ diff --git a/source/utils/status.c b/source/utils/status.c index fab55baabbb..bbaeecdd6bb 100644 --- a/source/utils/status.c +++ b/source/utils/status.c @@ -35,8 +35,6 @@ #include "includes.h" -#include "module_dummy.h" - static pstring Ucrit_username = ""; /* added by OH */ static pid_t Ucrit_pid[100]; /* Ugly !!! */ /* added by OH */ static int Ucrit_MaxPid=0; /* added by OH */ diff --git a/source/utils/testparm.c b/source/utils/testparm.c index b3e8f8badbf..e3d6ce02748 100644 
--- a/source/utils/testparm.c +++ b/source/utils/testparm.c @@ -34,8 +34,6 @@ #include "includes.h" -#include "module_dummy.h" - extern BOOL AllowDebugChange; /*********************************************** diff --git a/source/utils/testprns.c b/source/utils/testprns.c index 758e2b41dd6..7e52b86afb6 100644 --- a/source/utils/testprns.c +++ b/source/utils/testprns.c @@ -32,8 +32,6 @@ #include "includes.h" -#include "module_dummy.h" - int main(int argc, char *argv[]) { const char *pszTemp; diff --git a/source/web/swat.c b/source/web/swat.c index e93fb2e5e12..7f9492933a5 100644 --- a/source/web/swat.c +++ b/source/web/swat.c @@ -31,9 +31,6 @@ #include "includes.h" #include "../web/swat_proto.h" -#define HAVE_SMB_REGISTER_PASSDB -#include "module_dummy.h" - #define GLOBALS_SNUM -1 static BOOL demo_mode = False; diff --git a/source/wrepld/server.c b/source/wrepld/server.c index 21bc2e4925b..504818b8d52 100644 --- a/source/wrepld/server.c +++ b/source/wrepld/server.c @@ -21,8 +21,6 @@ #include "includes.h" #include "wins_repl.h" -#include "module_dummy.h" - extern pstring user_socket_options; extern WINS_OWNER *global_wins_table; -- cgit From 32c8796f2a2b598daa17835394d143bd266aa7bf Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 10 May 2003 12:57:03 +0000 Subject: Remove latest module_dummy patch from metze and me. --- source/include/module_dummy.h | 53 ------------------------------------------- 1 file changed, 53 deletions(-) delete mode 100644 source/include/module_dummy.h diff --git a/source/include/module_dummy.h b/source/include/module_dummy.h deleted file mode 100644 index dfa0e1535b1..00000000000 --- a/source/include/module_dummy.h +++ /dev/null 
@@ -1,53 +0,0 @@ -/* - Unix SMB/CIFS implementation. - For faking up smb_register_*() functions - e.g. smb_register_vfs() in nmbd - Copyright (C) Stefan (metze) Metzmacher 2003 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#ifndef _MODULE_DUMMY_H -#define _MODULE_DUMMY_H - -#ifndef HAVE_SMB_REGISTER_AUTH -NTSTATUS smb_register_auth(int version, const char *name, auth_init_function init) -{ - return NT_STATUS_NOT_IMPLEMENTED; -} -#endif /*HAVE_SMB_REGISTER_AUTH*/ - -#ifndef HAVE_SMB_REGISTER_PASSDB -NTSTATUS smb_register_passdb(int version, const char *name, pdb_init_function init) -{ - return NT_STATUS_NOT_IMPLEMENTED; -} -#endif /*HAVE_SMB_REGISTER_PASSDB*/ - -#ifndef HAVE_RPC_PIPE_REGISTER_COMMANDS -NTSTATUS rpc_pipe_register_commands(int version, const char *clnt, const char *srv, const struct api_struct *cmds, int size) -{ - return NT_STATUS_NOT_IMPLEMENTED; -} -#endif /*HAVE_RPC_PIPE_REGISTER_COMMANDS*/ - -#ifndef HAVE_SMB_REGISTER_VFS -NTSTATUS smb_register_vfs(int version, const char *name, vfs_op_tuple *(*init)(const struct vfs_ops *, struct smb_vfs_handle_struct *)) -{ - return NT_STATUS_NOT_IMPLEMENTED; -} -#endif /*HAVE_SMB_REGISTER_VFS*/ - -#endif /* _MODULE_DUMMY_H */ -- cgit From 71f6fb16ba9c75b96aea9b0b18f4b73b0d11a5ac Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij Date: Sat, 10 May 2003 14:48:46 +0000 Subject: Forgot one file. --- source/nsswitch/winbindd.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/source/nsswitch/winbindd.c b/source/nsswitch/winbindd.c index 018edcb6492..da2540f5d98 100644 --- a/source/nsswitch/winbindd.c +++ b/source/nsswitch/winbindd.c @@ -24,9 +24,6 @@ #include "winbindd.h" -#define HAVE_SMB_REGISTER_PASSDB -#include "module_dummy.h" - BOOL opt_nocache = False; BOOL opt_dual_daemon = False; -- cgit From e2eb7f128ef802bde742acfd13bc093a05d31200 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Sat, 10 May 2003 20:55:14 +0000 Subject: Completion of Stand-Alone server docs. --- docs/docbook/projdoc/StandAloneServer.xml | 113 ++++++++++++++++++++++++++++-- 1 file changed, 107 insertions(+), 6 deletions(-) diff --git a/docs/docbook/projdoc/StandAloneServer.xml b/docs/docbook/projdoc/StandAloneServer.xml index 1246ff0f3a1..fc003330eae 100644 --- a/docs/docbook/projdoc/StandAloneServer.xml +++ b/docs/docbook/projdoc/StandAloneServer.xml 
@@ -92,7 +92,37 @@ server and network design. Reference Documentation Server -Put one here! +Configuration of a read-only data server that EVERYONE can access is very simple. +Here is the smb.conf file that will do this. Assume that all the reference documents +are stored in the directory /export, that the documents are owned by a user other than +nobody. No home directories are shared, that are no users in the /etc/passwd +Unix system database. This is a very simple system to administer. + + + + + Share Mode Read Only Stand-Alone Server + # Global parameters + [global] + workgroup = MYGROUP + netbios name = REFDOCS + security = SHARE + passdb backend = guest + wins server = 192.168.1.1 + + [data] + comment = Data + path = /export + guest only = Yes + + + + +In the above example the machine name is set to REFDOCS, the workgroup is set to the name +of the local workgroup so that the machine will appear in with systems users are familiar +with. The only password backend required is the "guest" backend so as to allow default +unprivilidged account names to be used. Given that there is a WINS server on this network +we do use it. 
@@ -101,16 +131,87 @@ Put one here! Central Print Serving -Put one here! +Configuration of a simple print server is very simple if you have all the right tools +on your system. - + + Assumptions: + + The print server must require no administration + + + + The print spooling and processing system on our print server will be CUPS. + (Please refer to the chapter on printing for more information). + + + + All printers will that the print server will service will be network + printers. They will be correctly configured, by the administrator, + in the CUPS environment. + + + + All workstations will be installed using postscript drivers. The printer + of choice is the Apple Color LaserWriter. + + - -Legal Office Daily Work Server + +In this example our print server will spool all incoming print jobs to +/var/spool/samba until the job is ready to be submitted by +samba to the CUPS print processor. Since all incoming connections will be as +the anonymous (guest) user two things will be required: + + + +Enablement for Anonymous Printing + + The Unix/Linux system must have a guest account. + The default for this is usually the account nobody. + To find the correct name to use for your version of Samba do the + following: + + testparm -s -v | grep "guest account" + + Then make sure that this account exists in your system password + database (/etc/passwd). + + + + The directory into which Samba will spool the file must have write + access for the guest account. The following commands will ensure that + this directory is available for use: + + mkdir /var/spool/samba + chown nobody.nobody /var/spool/samba + chmod a+rwt /var/spool/samba + + + -Put one here! 
+ + Simple Central Print Server + # Global parameters + [global] + workgroup = MYGROUP + netbios name = PTRSVR1 + security = SHARE + passdb backend = guest + wins server = 192.168.1.1 + + [printers] + comment = All Printers + path = /var/spool/samba + printer admin = root + guest ok = Yes + printable = Yes + printing = cups + use client driver = Yes + browseable = No + -- cgit From d85ffb3e70189648cd2d0c8113dc3d8085ff80bc Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Sun, 11 May 2003 07:45:07 +0000 Subject: Extending Samba Access Control Info --- docs/docbook/global.ent | 2 +- docs/docbook/projdoc/AccessControls.xml | 547 ++++++++++++++++++++++++++ docs/docbook/projdoc/AdvancedNetworkAdmin.xml | 108 ----- docs/docbook/projdoc/NT_Security.xml | 335 ---------------- docs/docbook/projdoc/samba-doc.xml | 15 +- 5 files changed, 556 insertions(+), 451 deletions(-) create mode 100644 docs/docbook/projdoc/AccessControls.xml delete mode 100644 docs/docbook/projdoc/NT_Security.xml diff --git a/docs/docbook/global.ent b/docs/docbook/global.ent index 6a70b30940a..6a494fcf2b3 100644 --- a/docs/docbook/global.ent +++ b/docs/docbook/global.ent @@ -450,6 +450,7 @@ an Active Directory environment. + @@ -463,7 +464,6 @@ an Active Directory environment. - diff --git a/docs/docbook/projdoc/AccessControls.xml b/docs/docbook/projdoc/AccessControls.xml new file mode 100644 index 00000000000..c903af4468e --- /dev/null +++ b/docs/docbook/projdoc/AccessControls.xml 
@@ -0,0 +1,547 @@ + + + &author.jht; + &author.jeremy; + May 10, 2003 + +File, Directory and Share Access Controls + + +Advanced MS Windows users are frequently perplexed when file, directory and share manipulation of +resources shared via Samba do not behave in the manner they might expect. MS Windows network +adminstrators are often confused regarding network access controls and what is the best way to +provide users with the type of access they need while protecting resources from the consequences +of untoward access capabilities. + + + +Unix administrators frequently are not familiar with the MS Windows environment and in particular +have difficulty in visualizing what the MS Windows user wishes to achieve in attempts to set file +and directory access permissions. + + + +The problem lies in the differences in how file and directory permissions and controls work +between the two environments. This difference is one that Samba can not completely hide, even +though it does try to make the chasm transparent. + + + +POSIX Access Control List technology has been available (along with Extended Attributes) +for Unix for many years, yet there is little evidence today of any significant use. This +explains to some extent the slow adoption of ACLs into commercial Linux products. MS Windows +administrators are astounded at this given that ACLs were a foundational capability of the now +decade old MS Windows NT operating system. + + + +The purpose of this chapter is to present each of the points of control that are possible with +Samba-3 in the hope that this will help the network administrator to find the optimum method +for delivering the best environment for MS Windows desktop users. + + + +This is an opportune point to mention that it should be borne in mind that Samba was created to +provide a means of interoperability and interchange of data between two operating environments +that are quite different. It was never the intent to make Unix/Linux like MS Windows NT. 
Instead +the purpose was an is to provide a sufficient level of exchange of data between the two environments. +What is available today extends well beyond early plans and expections, yet the gap continues to +shrink. + + + +Features and Benefits + + + Samba offers a lot of flexibility in file system access management. These are the key access control + facilities present in Samba today: + + + + Samba Access Control Facilities + + Unix file and directory permissions + + + + Samba Share Definitions + + + + Samba Share ACLs + + + + MS Windows ACLs through Unix POSIX ACLs + + + + + + +File System Access Controls + + +Explain here how Unix file and permissions work + + + + + +Share Definition Access Controls + + +Explain here about the smb.conf [share] parameters + + + + + +Access Controls on Shares + + + This section deals with how to configure Samba per share access control restrictions. + By default samba sets no restrictions on the share itself. Restrictions on the share itself + can be set on MS Windows NT4/200x/XP shares. This can be a very effective way to limit who can + connect to a share. In the absence of specific restrictions the default setting is to allow + the global user Everyone Full Control (ie: Full control, Change and Read). + + + + At this time Samba does NOT provide a tool for configuring access control setting on the Share + itself. Samba does have the capacity to store and act on access control settings, but the only + way to create those settings is to use either the NT4 Server Manager or the Windows 200x MMC for + Computer Management. + + + + Samba stores the per share access control settings in a file called share_info.tdb. + The location of this file on your system will depend on how samba was compiled. The default location + for samba's tdb files is under /usr/local/samba/var. If the tdbdump + utility has been compiled and installed on your system then you can examine the contents of this file + by: tdbdump share_info.tdb. 
+ + + + Share Permissions Management + + + The best tool for the task is platform dependant. Choose the best tool for your environmemt. + + + + Windows NT4 Workstation/Server + + The tool you need to use to manage share permissions on a Samba server is the NT Server Manager. + Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation. + You can obtain the NT Server Manager for MS Windows NT4 Workstation from Microsoft - see details below. + + + + Instructions + + Launch the NT4 Server Manager, click on the Samba server you want to administer, then from the menu + select Computer, then click on the Shared Directories entry. + + + + Now click on the share that you wish to manage, then click on the Properties tab, next click on + the Permissions tab. Now you can Add or change access control settings as you wish. + + + + + + + Windows 200x/XP + + + On MS Windows NT4/200x/XP system access control lists on the share itself are set using native + tools, usually from filemanager. For example, in Windows 200x: right click on the shared folder, + then select 'Sharing', then click on 'Permissions'. The default Windows NT4/200x permission allows + Everyone Full Control on the Share. + + + + MS Windows 200x and later all comes with a tool called the 'Computer Management' snap-in for the + Microsoft Management Console (MMC). This tool is located by clicking on Control Panel -> + Administrative Tools -> Computer Management. + + + + Instructions + + After launching the MMC with the Computer Management snap-in, click on the menu item 'Action', + select 'Connect to another computer'. If you are not logged onto a domain you will be prompted + to enter a domain login user identifier and a password. This will authenticate you to the domain. + If you where already logged in with administrative privilidge this step is not offered. 
+ + + + If the Samba server is not shown in the Select Computer box, then type in the name of the target + Samba server in the field 'Name:'. Now click on the [+] next to 'System Tools', then on the [+] + next to 'Shared Folders' in the left panel. + + + + Now in the right panel, double-click on the share you wish to set access control permissions on. + Then click on the tab 'Share Permissions'. It is now possible to add access control entities + to the shared folder. Do NOT forget to set what type of access (full control, change, read) you + wish to assign for each entry. + + + + + + Be careful. If you take away all permissions from the Everyone user without removing this user + then effectively no user will be able to access the share. This is a result of what is known as + ACL precidence. ie: Everyone with NO ACCESS means that MaryK who is part of the group Everyone + will have no access even if this user is given explicit full control access. + + + + + + + + + +MS Windows Access Control Lists and Unix Interoperability + + + Viewing and changing UNIX permissions using the NT + security dialogs + + Windows NT clients can use their native security settings + dialog box to view and modify the underlying UNIX permissions. + + Note that this ability is careful not to compromise + the security of the UNIX host Samba is running on, and + still obeys all the file permission rules that a Samba + administrator can set. + + + + All access to Unix/Linux system file via Samba is controlled at + the operating system file access control level. When trying to + figure out file access problems it is vitally important to identify + the identity of the Windows user as it is presented by Samba at + the point of file access. This can best be determined from the + Samba log files. + + + + + + How to view file security on a Samba share + + From an NT4/2000/XP client, single-click with the right + mouse button on any file or directory in a Samba mounted + drive letter or UNC path. 
When the menu pops-up, click + on the Properties entry at the bottom of + the menu. This brings up the file properties dialog + box. Click on the tab Security and you + will see three buttons, Permissions, + Auditing, and Ownership. + The Auditing button will cause either + an error message A requested privilege is not held + by the client to appear if the user is not the + NT Administrator, or a dialog which is intended to allow an + Administrator to add auditing requirements to a file if the + user is logged on as the NT Administrator. This dialog is + non-functional with a Samba share at this time, as the only + useful button, the Add button will not currently + allow a list of users to be seen. + + + + + Viewing file ownership + + Clicking on the "Ownership" button + brings up a dialog box telling you who owns the given file. The + owner name will be of the form : + + "SERVER\user (Long name)" + + Where SERVER is the NetBIOS name of + the Samba server, user is the user name of + the UNIX user who owns the file, and (Long name) + is the descriptive string identifying the user (normally found in the + GECOS field of the UNIX password database). Click on the Close + button to remove this dialog. + + If the parameter nt acl support + is set to false then the file owner will + be shown as the NT user "Everyone". + + The Take Ownership button will not allow + you to change the ownership of this file to yourself (clicking on + it will display a dialog box complaining that the user you are + currently logged onto the NT client cannot be found). The reason + for this is that changing the ownership of a file is a privileged + operation in UNIX, available only to the root + user. As clicking on this button causes NT to attempt to change + the ownership of a file to the current user logged into the NT + client this will not work with Samba at this time. 
+ + There is an NT chown command that will work with Samba + and allow a user with Administrator privilege connected + to a Samba server as root to change the ownership of + files on both a local NTFS filesystem or remote mounted NTFS + or Samba drive. This is available as part of the Seclib + NT security library written by Jeremy Allison of + the Samba Team, available from the main Samba ftp site. + + + + + Viewing file or directory permissions + + The third button is the "Permissions" + button. Clicking on this brings up a dialog box that shows both + the permissions and the UNIX owner of the file or directory. + The owner is displayed in the form : + + "SERVER\user (Long name)" + + Where SERVER is the NetBIOS name of + the Samba server, user is the user name of + the UNIX user who owns the file, and (Long name) + is the descriptive string identifying the user (normally found in the + GECOS field of the UNIX password database). + + If the parameter nt acl support + is set to false then the file owner will + be shown as the NT user "Everyone" and the + permissions will be shown as NT "Full Control". + + + The permissions field is displayed differently for files + and directories, so I'll describe the way file permissions + are displayed first. + + + File Permissions + + The standard UNIX user/group/world triple and + the corresponding "read", "write", "execute" permissions + triples are mapped by Samba into a three element NT ACL + with the 'r', 'w', and 'x' bits mapped into the corresponding + NT permissions. The UNIX world permissions are mapped into + the global NT group Everyone, followed + by the list of permissions allowed for UNIX world. The UNIX + owner and group permissions are displayed as an NT + user icon and an NT local + group icon respectively followed by the list + of permissions allowed for the UNIX user and group. 
+ + As many UNIX permission sets don't map into common + NT names such as "read", + "change" or "full control" then + usually the permissions will be prefixed by the words + "Special Access" in the NT display list. + + But what happens if the file has no permissions allowed + for a particular UNIX user group or world component ? In order + to allow "no permissions" to be seen and modified then Samba + overloads the NT "Take Ownership" ACL attribute + (which has no meaning in UNIX) and reports a component with + no permissions as having the NT "O" bit set. + This was chosen of course to make it look like a zero, meaning + zero permissions. More details on the decision behind this will + be given below. + + + + Directory Permissions + + Directories on an NT NTFS file system have two + different sets of permissions. The first set of permissions + is the ACL set on the directory itself, this is usually displayed + in the first set of parentheses in the normal "RW" + NT style. This first set of permissions is created by Samba in + exactly the same way as normal file permissions are, described + above, and is displayed in the same way. + + The second set of directory permissions has no real meaning + in the UNIX permissions world and represents the + "inherited" permissions that any file created within + this directory would inherit. + + Samba synthesises these inherited permissions for NT by + returning as an NT ACL the UNIX permission mode that a new file + created by Samba on this share would receive. + + + + + Modifying file or directory permissions + + Modifying file and directory permissions is as simple + as changing the displayed permissions in the dialog box, and + clicking the OK button. However, there are + limitations that a user needs to be aware of, and also interactions + with the standard Samba permission masks and mapping of DOS + attributes that need to also be taken into account. 
+ + If the parameter nt acl support + is set to false then any attempt to set + security permissions will fail with an "Access Denied" + message. + + The first thing to note is that the "Add" + button will not return a list of users in Samba (it will give + an error message of "The remote procedure call failed + and did not execute"). This means that you can only + manipulate the current user/group/world permissions listed in + the dialog box. This actually works quite well as these are the + only permissions that UNIX actually has. + + If a permission triple (either user, group, or world) + is removed from the list of permissions in the NT dialog box, + then when the "OK" button is pressed it will + be applied as "no permissions" on the UNIX side. If you then + view the permissions again the "no permissions" entry will appear + as the NT "O" flag, as described above. This + allows you to add permissions back to a file or directory once + you have removed them from a triple component. + + As UNIX supports only the "r", "w" and "x" bits of + an NT ACL then if other NT security attributes such as "Delete + access" are selected then they will be ignored when applied on + the Samba server. + + When setting permissions on a directory the second + set of permissions (in the second set of parentheses) is + by default applied to all files within that directory. If this + is not what you want you must uncheck the "Replace + permissions on existing files" checkbox in the NT + dialog before clicking "OK". + + If you wish to remove all permissions from a + user/group/world component then you may either highlight the + component and click the "Remove" button, + or set the component to only have the special "Take + Ownership" permission (displayed as "O" + ) highlighted. + + + + Interaction with the standard Samba create mask + parameters + + There are four parameters + to control interaction with the standard Samba create mask parameters. 
+ These are : + + security mask + force security mode + directory security mask + force directory security mode + + Once a user clicks "OK" to apply the + permissions Samba maps the given permissions into a user/group/world + r/w/x triple set, and then will check the changed permissions for a + file against the bits set in the + security mask parameter. Any bits that + were changed that are not set to '1' in this parameter are left alone + in the file permissions. + + Essentially, zero bits in the security mask + mask may be treated as a set of bits the user is not + allowed to change, and one bits are those the user is allowed to change. + + + If not set explicitly this parameter is set to the same value as + the create mask + parameter. To allow a user to modify all the + user/group/world permissions on a file, set this parameter + to 0777. + + Next Samba checks the changed permissions for a file against + the bits set in the + force security mode parameter. Any bits + that were changed that correspond to bits set to '1' in this parameter + are forced to be set. + + Essentially, bits set in the force security mode + parameter may be treated as a set of bits that, when + modifying security on a file, the user has always set to be 'on'. + + If not set explicitly this parameter is set to the same value + as the force + create mode parameter. + To allow a user to modify all the user/group/world permissions on a file + with no restrictions set this parameter to 000. + + The security mask and force + security mode parameters are applied to the change + request in that order. + + For a directory Samba will perform the same operations as + described above for a file except using the parameter + directory security mask instead of security + mask, and force directory security mode + parameter instead of force security mode + . 
+ + The directory security mask parameter + by default is set to the same value as the directory mask + parameter and the force directory security + mode parameter by default is set to the same value as + the force directory mode parameter. + + In this way Samba enforces the permission restrictions that + an administrator can set on a Samba share, whilst still allowing users + to modify the permission bits within that restriction. + + If you want to set up a share that allows users full control + in modifying the permission bits on their files and directories and + doesn't force any particular bits to be set 'on', then set the following + parameters in the &smb.conf; file in that share specific section : + + security mask = 0777 + force security mode = 0 + directory security mask = 0777 + force directory security mode = 0 + + + + Interaction with the standard Samba file attribute + mapping + + Samba maps some of the DOS attribute bits (such as "read + only") into the UNIX permissions of a file. This means there can + be a conflict between the permission bits set via the security + dialog and the permission bits set by the file attribute mapping. + + + One way this can show up is if a file has no UNIX read access + for the owner it will show up as "read only" in the standard + file attributes tabbed dialog. Unfortunately this dialog is + the same one that contains the security info in another tab. + + What this can mean is that if the owner changes the permissions + to allow themselves read access using the security dialog, clicks + "OK" to get back to the standard attributes tab + dialog, and then clicks "OK" on that dialog, then + NT will set the file permissions back to read-only (as that is what + the attributes still say in the dialog). This means that after setting + permissions and clicking "OK" to get back to the + attributes dialog you should always hit "Cancel" + rather than "OK" to ensure that your changes + are not overridden. 
+ + + + +Common Errors + + +Stuff here + + + + + diff --git a/docs/docbook/projdoc/AdvancedNetworkAdmin.xml b/docs/docbook/projdoc/AdvancedNetworkAdmin.xml index dc2a78f5a67..e6e73472903 100644 --- a/docs/docbook/projdoc/AdvancedNetworkAdmin.xml +++ b/docs/docbook/projdoc/AdvancedNetworkAdmin.xml 
@@ -12,114 +12,6 @@ administrators who want to improve network resource access control, to automate environment, and to make their lives a little easier. - -Configuring Samba Share Access Controls - - -This section deals with how to configure Samba per share access control restrictions. -By default samba sets no restrictions on the share itself. Restrictions on the share itself -can be set on MS Windows NT4/200x/XP shares. This can be a very effective way to limit who can -connect to a share. In the absence of specific restrictions the default setting is to allow -the global user Everyone Full Control (ie: Full control, Change and Read). - - - -At this time Samba does NOT provide a tool for configuring access control setting on the Share -itself. Samba does have the capacity to store and act on access control settings, but the only -way to create those settings is to use either the NT4 Server Manager or the Windows 200x MMC for -Computer Management. - - - -Samba stores the per share access control settings in a file called share_info.tdb. -The location of this file on your system will depend on how samba was compiled. The default location -for samba's tdb files is under /usr/local/samba/var. If the tdbdump -utility has been compiled and installed on your system then you can examine the contents of this file -by: tdbdump share_info.tdb. - - - -Share Permissions Management - - -The best tool for the task is platform dependant. Choose the best tool for your environmemt. - - - -Windows NT4 Workstation/Server - -The tool you need to use to manage share permissions on a Samba server is the NT Server Manager. -Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation. -You can obtain the NT Server Manager for MS Windows NT4 Workstation from Microsoft - see details below. 
- - - -Instructions - -Launch the NT4 Server Manager, click on the Samba server you want to administer, then from the menu -select Computer, then click on the Shared Directories entry. - - - - Now click on the share that you wish to manage, then click on the Properties tab, next click on - the Permissions tab. Now you can Add or change access control settings as you wish. - - - - - - -Windows 200x/XP - - -On MS Windows NT4/200x/XP system access control lists on the share itself are set using native -tools, usually from filemanager. For example, in Windows 200x: right click on the shared folder, -then select 'Sharing', then click on 'Permissions'. The default Windows NT4/200x permission allows -Everyone Full Control on the Share. - - - -MS Windows 200x and later all comes with a tool called the 'Computer Management' snap-in for the -Microsoft Management Console (MMC). This tool is located by clicking on Control Panel -> -Administrative Tools -> Computer Management. - - - -Instructions - - After launching the MMC with the Computer Management snap-in, click on the menu item 'Action', - select 'Connect to another computer'. If you are not logged onto a domain you will be prompted - to enter a domain login user identifier and a password. This will authenticate you to the domain. - If you where already logged in with administrative privilidge this step is not offered. - - - -If the Samba server is not shown in the Select Computer box, then type in the name of the target -Samba server in the field 'Name:'. Now click on the [+] next to 'System Tools', then on the [+] -next to 'Shared Folders' in the left panel. - - - -Now in the right panel, double-click on the share you wish to set access control permissions on. -Then click on the tab 'Share Permissions'. It is now possible to add access control entities -to the shared folder. Do NOT forget to set what type of access (full control, change, read) you -wish to assign for each entry. - - - - - -Be careful. 
If you take away all permissions from the Everyone user without removing this user -then effectively no user will be able to access the share. This is a result of what is known as -ACL precidence. ie: Everyone with NO ACCESS means that MaryK who is part of the group Everyone -will have no access even if this user is given explicit full control access. - - - - - - - Remote Server Administration diff --git a/docs/docbook/projdoc/NT_Security.xml b/docs/docbook/projdoc/NT_Security.xml deleted file mode 100644 index 9bff25337c3..00000000000 --- a/docs/docbook/projdoc/NT_Security.xml +++ /dev/null 
@@ -1,335 +0,0 @@ - - - &author.jeremy; - 12 Apr 1999 - - -UNIX Permission Bits and Windows NT Access Control Lists - - - Viewing and changing UNIX permissions using the NT - security dialogs - - Windows NT clients can use their native security settings - dialog box to view and modify the underlying UNIX permissions. - - Note that this ability is careful not to compromise - the security of the UNIX host Samba is running on, and - still obeys all the file permission rules that a Samba - administrator can set. - - - - All access to Unix/Linux system file via Samba is controlled at - the operating system file access control level. When trying to - figure out file access problems it is vitally important to identify - the identity of the Windows user as it is presented by Samba at - the point of file access. This can best be determined from the - Samba log files. - - - - - - How to view file security on a Samba share - - From an NT4/2000/XP client, single-click with the right - mouse button on any file or directory in a Samba mounted - drive letter or UNC path. When the menu pops-up, click - on the Properties entry at the bottom of - the menu. This brings up the file properties dialog - box. Click on the tab Security and you - will see three buttons, Permissions, - Auditing, and Ownership. - The Auditing button will cause either - an error message A requested privilege is not held - by the client to appear if the user is not the - NT Administrator, or a dialog which is intended to allow an - Administrator to add auditing requirements to a file if the - user is logged on as the NT Administrator. This dialog is - non-functional with a Samba share at this time, as the only - useful button, the Add button will not currently - allow a list of users to be seen. - - - - - Viewing file ownership - - Clicking on the "Ownership" button - brings up a dialog box telling you who owns the given file. 
The - owner name will be of the form : - - "SERVER\user (Long name)" - - Where SERVER is the NetBIOS name of - the Samba server, user is the user name of - the UNIX user who owns the file, and (Long name) - is the descriptive string identifying the user (normally found in the - GECOS field of the UNIX password database). Click on the Close - button to remove this dialog. - - If the parameter nt acl support - is set to false then the file owner will - be shown as the NT user "Everyone". - - The Take Ownership button will not allow - you to change the ownership of this file to yourself (clicking on - it will display a dialog box complaining that the user you are - currently logged onto the NT client cannot be found). The reason - for this is that changing the ownership of a file is a privileged - operation in UNIX, available only to the root - user. As clicking on this button causes NT to attempt to change - the ownership of a file to the current user logged into the NT - client this will not work with Samba at this time. - - There is an NT chown command that will work with Samba - and allow a user with Administrator privilege connected - to a Samba server as root to change the ownership of - files on both a local NTFS filesystem or remote mounted NTFS - or Samba drive. This is available as part of the Seclib - NT security library written by Jeremy Allison of - the Samba Team, available from the main Samba ftp site. - - - - - Viewing file or directory permissions - - The third button is the "Permissions" - button. Clicking on this brings up a dialog box that shows both - the permissions and the UNIX owner of the file or directory. - The owner is displayed in the form : - - "SERVER\user (Long name)" - - Where SERVER is the NetBIOS name of - the Samba server, user is the user name of - the UNIX user who owns the file, and (Long name) - is the descriptive string identifying the user (normally found in the - GECOS field of the UNIX password database). 
- - If the parameter nt acl support - is set to false then the file owner will - be shown as the NT user "Everyone" and the - permissions will be shown as NT "Full Control". - - - The permissions field is displayed differently for files - and directories, so I'll describe the way file permissions - are displayed first. - - - File Permissions - - The standard UNIX user/group/world triple and - the corresponding "read", "write", "execute" permissions - triples are mapped by Samba into a three element NT ACL - with the 'r', 'w', and 'x' bits mapped into the corresponding - NT permissions. The UNIX world permissions are mapped into - the global NT group Everyone, followed - by the list of permissions allowed for UNIX world. The UNIX - owner and group permissions are displayed as an NT - user icon and an NT local - group icon respectively followed by the list - of permissions allowed for the UNIX user and group. - - As many UNIX permission sets don't map into common - NT names such as "read", - "change" or "full control" then - usually the permissions will be prefixed by the words - "Special Access" in the NT display list. - - But what happens if the file has no permissions allowed - for a particular UNIX user group or world component ? In order - to allow "no permissions" to be seen and modified then Samba - overloads the NT "Take Ownership" ACL attribute - (which has no meaning in UNIX) and reports a component with - no permissions as having the NT "O" bit set. - This was chosen of course to make it look like a zero, meaning - zero permissions. More details on the decision behind this will - be given below. - - - - Directory Permissions - - Directories on an NT NTFS file system have two - different sets of permissions. The first set of permissions - is the ACL set on the directory itself, this is usually displayed - in the first set of parentheses in the normal "RW" - NT style. 
This first set of permissions is created by Samba in - exactly the same way as normal file permissions are, described - above, and is displayed in the same way. - - The second set of directory permissions has no real meaning - in the UNIX permissions world and represents the - "inherited" permissions that any file created within - this directory would inherit. - - Samba synthesises these inherited permissions for NT by - returning as an NT ACL the UNIX permission mode that a new file - created by Samba on this share would receive. - - - - - Modifying file or directory permissions - - Modifying file and directory permissions is as simple - as changing the displayed permissions in the dialog box, and - clicking the OK button. However, there are - limitations that a user needs to be aware of, and also interactions - with the standard Samba permission masks and mapping of DOS - attributes that need to also be taken into account. - - If the parameter nt acl support - is set to false then any attempt to set - security permissions will fail with an "Access Denied" - message. - - The first thing to note is that the "Add" - button will not return a list of users in Samba (it will give - an error message of "The remote procedure call failed - and did not execute"). This means that you can only - manipulate the current user/group/world permissions listed in - the dialog box. This actually works quite well as these are the - only permissions that UNIX actually has. - - If a permission triple (either user, group, or world) - is removed from the list of permissions in the NT dialog box, - then when the "OK" button is pressed it will - be applied as "no permissions" on the UNIX side. If you then - view the permissions again the "no permissions" entry will appear - as the NT "O" flag, as described above. This - allows you to add permissions back to a file or directory once - you have removed them from a triple component. 
- - As UNIX supports only the "r", "w" and "x" bits of - an NT ACL then if other NT security attributes such as "Delete - access" are selected then they will be ignored when applied on - the Samba server. - - When setting permissions on a directory the second - set of permissions (in the second set of parentheses) is - by default applied to all files within that directory. If this - is not what you want you must uncheck the "Replace - permissions on existing files" checkbox in the NT - dialog before clicking "OK". - - If you wish to remove all permissions from a - user/group/world component then you may either highlight the - component and click the "Remove" button, - or set the component to only have the special "Take - Ownership" permission (displayed as "O" - ) highlighted. - - - - Interaction with the standard Samba create mask - parameters - - There are four parameters - to control interaction with the standard Samba create mask parameters. - These are : - - security mask - force security mode - directory security mask - force directory security mode - - Once a user clicks "OK" to apply the - permissions Samba maps the given permissions into a user/group/world - r/w/x triple set, and then will check the changed permissions for a - file against the bits set in the - security mask parameter. Any bits that - were changed that are not set to '1' in this parameter are left alone - in the file permissions. - - Essentially, zero bits in the security mask - mask may be treated as a set of bits the user is not - allowed to change, and one bits are those the user is allowed to change. - - - If not set explicitly this parameter is set to the same value as - the create mask - parameter. To allow a user to modify all the - user/group/world permissions on a file, set this parameter - to 0777. - - Next Samba checks the changed permissions for a file against - the bits set in the - force security mode parameter. 
Any bits - that were changed that correspond to bits set to '1' in this parameter - are forced to be set. - - Essentially, bits set in the force security mode - parameter may be treated as a set of bits that, when - modifying security on a file, the user has always set to be 'on'. - - If not set explicitly this parameter is set to the same value - as the force - create mode parameter. - To allow a user to modify all the user/group/world permissions on a file - with no restrictions set this parameter to 000. - - The security mask and force - security mode parameters are applied to the change - request in that order. - - For a directory Samba will perform the same operations as - described above for a file except using the parameter - directory security mask instead of security - mask, and force directory security mode - parameter instead of force security mode - . - - The directory security mask parameter - by default is set to the same value as the directory mask - parameter and the force directory security - mode parameter by default is set to the same value as - the force directory mode parameter. - - In this way Samba enforces the permission restrictions that - an administrator can set on a Samba share, whilst still allowing users - to modify the permission bits within that restriction. - - If you want to set up a share that allows users full control - in modifying the permission bits on their files and directories and - doesn't force any particular bits to be set 'on', then set the following - parameters in the &smb.conf; file in that share specific section : - - security mask = 0777 - force security mode = 0 - directory security mask = 0777 - force directory security mode = 0 - - - - Interaction with the standard Samba file attribute - mapping - - Samba maps some of the DOS attribute bits (such as "read - only") into the UNIX permissions of a file. 
This means there can
- be a conflict between the permission bits set via the security
- dialog and the permission bits set by the file attribute mapping.
-
-
- One way this can show up is if a file has no UNIX read access
- for the owner it will show up as "read only" in the standard
- file attributes tabbed dialog. Unfortunately this dialog is
- the same one that contains the security info in another tab.
-
- What this can mean is that if the owner changes the permissions
- to allow themselves read access using the security dialog, clicks
- "OK" to get back to the standard attributes tab
- dialog, and then clicks "OK" on that dialog, then
- NT will set the file permissions back to read-only (as that is what
- the attributes still say in the dialog). This means that after setting
- permissions and clicking "OK" to get back to the
- attributes dialog you should always hit "Cancel"
- rather than "OK" to ensure that your changes
- are not overridden.
-
-
-
diff --git a/docs/docbook/projdoc/samba-doc.xml b/docs/docbook/projdoc/samba-doc.xml
index 8a582cf6e46..c6822303302 100644
--- a/docs/docbook/projdoc/samba-doc.xml
+++ b/docs/docbook/projdoc/samba-doc.xml
@@ -90,27 +90,28 @@ section carefully.
 Valuable Nuts and Bolts Information
-Samba has several features that you might want or might not want to use. The chapters in this part each cover specific Samba features.
+Samba has several features that you might want or might not want to use.
+The chapters in this part each cover specific Samba features.
 &NetworkBrowsing;
 &Passdb;
-&NT-Security;
 &GROUP-MAPPING-HOWTO;
+&AccessControls;
+&locking;
+&SecuringSamba;
+&Trusts;
+&MS-Dfs-Setup;
 &PRINTER-DRIVER2;
 &CUPS;
+&VFS;
 &WINBIND;
 &AdvancedNetworkAdmin;
 &PolicyMgmt;
 &ProfileMgmt;
-&Trusts;
 &Samba-PAM;
-&VFS;
-&MS-Dfs-Setup;
 &IntegratingWithWindows;
-&SecuringSamba;
 &unicode;
-&locking;
-- cgit
From b58e30a4019bad2614833de43f49e460b76459a6 Mon Sep 17 00:00:00 2001
From: John Terpstra
Date: Sun, 11 May 2003 19:58:15 +0000
Subject: Rolling in VL's changes.
---
 docs/docbook/projdoc/ServerType.xml | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/docs/docbook/projdoc/ServerType.xml b/docs/docbook/projdoc/ServerType.xml
index 8b567ca16f8..9081956bb0a 100644
--- a/docs/docbook/projdoc/ServerType.xml
+++ b/docs/docbook/projdoc/ServerType.xml
@@ -342,17 +342,21 @@ in this HOWTO collection.
 ADS Security Mode (User Level Security)
-Samba-2.2.x could join and Active Directory domain so long as the Active Directory domain
-controller is configured for mixed mode operation, and is running NetBIOS over TCP/IP. MS
-Windows 2000 and later can be configured to run without NetBIOS over TCP/IP, instead it
-can run SMB natively over TCP/IP.
+Both Samba 2.2 and 3.0 can join an active directory domain. This is
+possible even if the domain is run in native mode. Active Directory in
+native mode perfectly allows NT4-style domain members, contrary to
+popular belief. The only thing that Active Directory in native mode
+prohibits is Backup Domain Controllers running NT4.
-The ability to natively join an Active Directory domain requires the use of Kerberos
-based authentication. The Kerberos protocols have been extended by Microsoft so that
-a plain MIT Kerberos, or a Heimdal client is not sufficient. Samba-3 now has the ability
-to be a native Active Directory member server.
+If you are running Active Directory starting with Samba 3.0 you can
+however join as a native AD member. Why would you want to do that?
+Your security policy might prohibit the use of NT-compatible
+authentication protocols. All your machines are running Windows 2000
+and above and all use full Kerberos. In this case Samba as a NT4-style
+domain would still require NT-compatible authentication data. Samba in
+AD-member mode can accept Kerberos.
-- cgit
From 75cb9a32f6822adbd689cc7a1f74feb8e966084a Mon Sep 17 00:00:00 2001
From: John Terpstra
Date: Mon, 12 May 2003 05:15:08 +0000
Subject: Added info on File and Directory info.
---
 docs/docbook/projdoc/AccessControls.xml | 205 ++++++++++++++++++++++++++++++--
 1 file changed, 193 insertions(+), 12 deletions(-)
diff --git a/docs/docbook/projdoc/AccessControls.xml b/docs/docbook/projdoc/AccessControls.xml
index c903af4468e..f7445bdb4a4 100644
--- a/docs/docbook/projdoc/AccessControls.xml
+++ b/docs/docbook/projdoc/AccessControls.xml
@@ -60,20 +60,61 @@ shrink.
 Samba Access Control Facilities
- Unix file and directory permissions
-
+ Unix File and Directory Permissions
+
+
+
+ Samba honours and implements Unix file system access controls. Users
+ who access a Samba server will do so as a particular MS Windows user.
+ This information is passed to the Samba server as part of the logon orr
+ connection setup process. Samba uses this user identity to validate
+ whether or not the user should be given access to file system resources
+ (files and directories). This chapter provides an overview for those
+ to whom the Unix permissions and controls are a little strange or unknown.
+
+
- Samba Share Definitions
-
+ Samba Share Definitions
+
+
+
+ In configuring share settings and controls in the &smb.conf; file
+ the network administrator can exercise over-rides to native file
+ system permissions and behaviours. This can be handy and convenient
+ to affect behaviour that is more like what MS Windows NT users expect
+ but it is seldom the best way to achieve this.
+ The basic options and techniques are described herein.
+
+
- Samba Share ACLs
-
+ Samba Share ACLs
+
+
+
+ Just like it is possible in MS Windows NT to set ACLs on shares
+ themselves, so it is possible to do this in Samba.
+ Very few people make use of this facility, yet it remains on of the
+ easiest ways to affect access controls (restrictions) and can often
+ do so with minimum invasiveness compared with other methods.
+
+
- MS Windows ACLs through Unix POSIX ACLs
-
+ MS Windows ACLs through Unix POSIX ACLs
+
+
+
+ The use of POSIX ACLs on Unix/Linux is possible ONLY if the underlying
+ operating system supports them. If not, then this option will not be
+ available to you. Current Unix technology platforms have native support
+ for POSIX ACLs. There are patches for the Linux kernel that provide
+ this also. Sadly, few Linux paltforms ship today with native ACLs and
+ Extended Attributes enabled. This chapter has pertinent information
+ for users of platforms that support them.
+
+
@@ -82,16 +123,156 @@ shrink. File System Access Controls -Explain here how Unix file and permissions work +Perhaps the most important recognition to be made is the simple fact that MS Windows NT4 / 200x / XP +implement a totally divergent file system technology from what is provided in the Unix operating system +environment. Firstly we should consider what the most significant differences are, then we shall look +at how Samba helps to bridge the differences. + + MS Windows NTFS Comparison with Unix File Systems + + + Samba operates on top of the Unix file system. This means it is subject to Unix file system conventions + and permissions. It also means that if the MS Windows networking environment requires file system + behaviour that differs from unix file system behaviour then somehow Samba is responsible for emulating + that in a transparent and consistent manner. + + + + It is good news that Samba does this to a very large extent and on top of that provides a high degree + of optional configuration to over-ride the default behaviour. We will look at some of these over-rides, + but for the greater part we will stay withing the bounds of default behaviour. Those wishing to explore + to depths of control ability should review the &smb.conf; man page. + + + + File System Feature Comparison + + Name Space + + MS Windows NT4 / 200x/ XP files names may be up to 254 characters long, Unix file names + may be 1023 characters long. In MS Windows file extensions indicate particular file types, + in Unix this is not so rigorously observed as all names are considered arbitrary. + + + What MS Windows calls a Folder, Unix calls a directory, + + + + + Case Sensitivity + + MS Windows file names are generally Upper Case if made up of 8.3 (ie: 8 character file name + and 3 character extension. If longer than 8.3 file names are Case Preserving, and Case + Insensitive. + + + Unix file and directory names are Case Sensitive and Case Preserving. 
Samba implements the + MS Windows file name behaviour, but it does so as a user application. The Unix file system + provides no mechanism to perform case insensitive file name lookups. MS Windows does this + by default. This means that Samba has to carry the processing overhead to provide features + that are NOT native to the Unix operating system environment. + + + Consider the following, all are unique Unix names but one single MS Windows file name: + + MYFILE.TXT + MyFile.txt + myfile.txt + + So clearly, In an MS Windows file name space these three files CAN NOT co-exist! But in Unix + they can. So what should Samba do if all three are present? Answer, the one that is lexically + first will be accessible to MS Windows users, the others are invisible and unaccessible - any + other solution would be suicidal. + + + + + Directory Separators + + MS Windows and DOS uses the back-slash '\' as a directory delimiter, Unix uses the forward-slash '/' + as it's directory delimiter. This is transparently handled by Samba. + + + + + Drive Identification + + MS Windows products support a notion of drive letters, like C: to represent + disk partitions. Unix has NO concept if separate identifiers for file partitions since each + such file system is mounted to become part of the over-all directory tree. + The Unix directory tree begins at '/', just like the root of a DOS drive is specified like + C:\. + + + + + File Naming Conventions + + MS Windows generally never experiences file names that begin with a '.', while in Unix these + are commonly found in a user's home directory. Files that begin with a '.' are typically + either start up files for various Unix applications, or they may be files that contain + start-up configuration data. + + + + + Links and Short-Cuts + + MS Windows make use of "links and Short-Cuts" that are actually special types of files that will + redirect an attempt to execute the file to the real location of the file. 
Unix knows of file and directory + links, but they are entirely different from what MS Windows users are used to. + + + Symbolic links are files in Unix that contain the actual location of the data (file OR directory). An + operation (like read or write) will operate directly on the file referenced. Symbolic links are also + referred to as 'soft links'. A hard link is something that MS Windows is NOT familiar with. It allows + one physical file to be known simulataneously by more than one file name. + + + + + + There are many other subtle differences that may cause the MS Windows administrator some temporary discomfort + in the process of becoming familiar with Unix/Linux. These are best left for a text that is dedicated to the + purpose of Unix/Linux training/education. + + + + + + Managing Directories + + + There are three basic operations for managing directories, create, delete, rename. + + Action MS Windows Command Unix Command + ------ ------------------ ------------ + create md folder mkdir folder + delete rd folder rmdir folder + rename rename oldname newname mv oldname newname + + + + + + + File and Directory Access Control + + + Explain the anatomy of a directory listing, permissions and what they mean. + + + + Share Definition Access Controls -Explain here about the smb.conf [share] parameters +Explain here about the smb.conf [share] Access Control parameters, Mode and Mask parameters, force user/group, valid/invalid users, etc. @@ -241,7 +422,7 @@ Explain here about the smb.conf [share] parameters on the Properties entry at the bottom of the menu. This brings up the file properties dialog box. Click on the tab Security and you - will see three buttons, Permissions, + will see three buttons, Permissions, Auditing, and Ownership. The Auditing button will cause either an error message A requested privilege is not held @@ -539,7 +720,7 @@ Explain here about the smb.conf [share] parameters Common Errors -Stuff here +Stuff from mailing lists here -- cgit 
From bd660f45df4df686f58a181f002ca1d88e7c1015 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 12 May 2003 16:08:11 +0000 Subject: fixing typos in debug statements --- source/passdb/pdb_ldap.c | 2 +- source/smbd/password.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/source/passdb/pdb_ldap.c b/source/passdb/pdb_ldap.c index b23b7286ea6..da3a163c1e6 100644 --- a/source/passdb/pdb_ldap.c +++ b/source/passdb/pdb_ldap.c @@ -471,7 +471,7 @@ static int ldapsam_open(struct ldapsam_privates *ldap_state) } if (ldap_state->ldap_struct != NULL) { - DEBUG(5,("ldapsam_open: allready connected to the LDAP server\n")); + DEBUG(5,("ldapsam_open: already connected to the LDAP server\n")); return LDAP_SUCCESS; } diff --git a/source/smbd/password.c b/source/smbd/password.c index c4f813b00cc..81849b709a2 100644 --- a/source/smbd/password.c +++ b/source/smbd/password.c @@ -222,7 +222,7 @@ int register_vuid(auth_serversupplied_info *server_info, const char *smb_name) /* Register a home dir service for this user */ if ((!vuser->guest) && vuser->unix_homedir && *(vuser->unix_homedir)) { - DEBUG(3, ("Adding/updating homes service for user '%s' using home direcotry: '%s'\n", + DEBUG(3, ("Adding/updating homes service for user '%s' using home directory: '%s'\n", vuser->user.unix_name, vuser->unix_homedir)); vuser->homes_snum = add_home_service(vuser->user.unix_name, vuser->user.unix_name, vuser->unix_homedir); } else { -- cgit From e12934c67b6aea9e3e449009e159ce6814dcbd11 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 12 May 2003 21:29:01 +0000 Subject: Fix compiler warnings. Jeremy. --- source/passdb/pdb_guest.c | 1 - source/passdb/pdb_ldap.c | 1 - source/passdb/pdb_tdb.c | 1 - source/rpc_server/srv_samr_nt.c | 1 - source/sam/idmap_util.c | 2 -- source/utils/pdbedit.c | 1 - 6 files changed, 7 deletions(-) diff --git a/source/passdb/pdb_guest.c b/source/passdb/pdb_guest.c index 9bcdccc7e7b..f5cd3d996d2 100644 --- a/source/passdb/pdb_guest.c 
+++ b/source/passdb/pdb_guest.c @@ -26,7 +26,6 @@ static NTSTATUS guestsam_getsampwnam (struct pdb_methods *methods, SAM_ACCOUNT *sam_account, const char *sname) { - NTSTATUS nt_status; const char *guest_account = lp_guestaccount(); if (!sam_account || !sname) { diff --git a/source/passdb/pdb_ldap.c b/source/passdb/pdb_ldap.c index da3a163c1e6..b75238e971b 100644 --- a/source/passdb/pdb_ldap.c +++ b/source/passdb/pdb_ldap.c @@ -1599,7 +1599,6 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, acct_desc, munged_dial, workstations; - struct passwd *pw; uint32 user_rid; uint8 smblmpwd[LM_HASH_LEN], smbntpwd[NT_HASH_LEN]; diff --git a/source/passdb/pdb_tdb.c b/source/passdb/pdb_tdb.c index 74437cba6f3..93fa4e1886b 100644 --- a/source/passdb/pdb_tdb.c +++ b/source/passdb/pdb_tdb.c @@ -99,7 +99,6 @@ static BOOL init_sam_from_buffer (struct tdbsam_privates *tdb_state, uint32 len = 0; uint32 lm_pw_len, nt_pw_len, hourslen; BOOL ret = True; - struct passwd *pw; uid_t uid = -1; gid_t gid = -1; diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c index 69ac60a7db0..0f7f6fc9dff 100644 --- a/source/rpc_server/srv_samr_nt.c +++ b/source/rpc_server/srv_samr_nt.c @@ -3516,7 +3516,6 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD struct group *grp; fstring grp_name; GROUP_MAP map; - uid_t uid; NTSTATUS ret; SAM_ACCOUNT *sam_user=NULL; BOOL check; diff --git a/source/sam/idmap_util.c b/source/sam/idmap_util.c index e0c492542b3..8c3a3788327 100644 --- a/source/sam/idmap_util.c +++ b/source/sam/idmap_util.c @@ -175,7 +175,6 @@ NTSTATUS uid_to_sid(DOM_SID *sid, uid_t uid) NTSTATUS gid_to_sid(DOM_SID *sid, gid_t gid) { NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; - GROUP_MAP map; unid_t id; int flags; @@ -272,7 +271,6 @@ NTSTATUS sid_to_gid(const DOM_SID *sid, gid_t *gid) { NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; BOOL fallback = False; - uint32 rid; unid_t id; int flags; 
diff --git a/source/utils/pdbedit.c b/source/utils/pdbedit.c index 13f35e88806..9a45049bc5e 100644 --- a/source/utils/pdbedit.c +++ b/source/utils/pdbedit.c @@ -112,7 +112,6 @@ static int export_groups (struct pdb_context *in, struct pdb_context *out) { static int print_sam_info (SAM_ACCOUNT *sam_pwent, BOOL verbosity, BOOL smbpwdstyle) { uid_t uid; - gid_t gid; time_t tmp; /* TODO: chaeck if entry is a user or a workstation */ -- cgit From b02ea3c137ebab506599ca4168bd50f77e1c995e Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Tue, 13 May 2003 04:35:58 +0000 Subject: Sync up with 3.0 version. --- source/python/setup.py | 51 +++++++++++++++++++++++++++++--------------------- 1 file changed, 30 insertions(+), 21 deletions(-) diff --git a/source/python/setup.py b/source/python/setup.py index 65693310318..a9f220f195a 100755 --- a/source/python/setup.py +++ b/source/python/setup.py @@ -41,15 +41,24 @@ samba_srcdir = os.environ.get("SRCDIR", "") samba_libs = os.environ.get("LIBS", "") -# Convert libs and objs from space separated strings to lists of strings -# for distutils to digest. Split "-l" prefix off library list. - obj_list = string.split(samba_objs) -lib_list = [] +# Unfortunately the samba_libs variable contains both shared libraries +# and linker flags. The python distutils doesn't like this so we have +# to split $samba_libs into a flags component and a library component. + +libraries = [] +library_dirs = [] for lib in string.split(samba_libs): - lib_list.append(string.replace(lib, "-l", "")) + if lib[0:2] == "-l": + libraries.append(lib[2:]) + continue + if lib[0:2] == "-L": + library_dirs.append(lib[2:]) + continue + print "Unknown entry '%s' in $LIBS variable passed to setup.py" % lib + sys.exit(1) flags_list = string.split(samba_cflags) 
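Review bot: The new loop at the end of the hunk treats any `$LIBS` entry that is not `-l…` or `-L…` as fatal via `sys.exit(1)`, whereas the replaced code passed every entry through, so a configure-supplied linker flag such as `-pthread` or `-Wl,…` would now abort the build instead of being linked. If such entries can occur, collecting them into an `extra_link_args` list handed to each Extension is the safer shape, e.g. `extra_link_args.append(lib)` in place of the print/exit pair. The hunk also introduces a call to `sys.exit` but only shows `os` and `string` in use above it, so confirm that `sys` is imported at the top of setup.py, which is outside this hunk. A one-line comment above the loop stating the accepted forms, `# $LIBS must hold only -l<lib> and -L<dir> entries; anything else is a configure error`, would make the new contract explicit.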
@@ -96,8 +105,8 @@ setup( samba_srcdir + "python/py_spoolss_jobs.c", samba_srcdir + "python/py_spoolss_jobs_conv.c", ], - libraries = lib_list, - library_dirs = ["/usr/kerberos/lib"], + libraries = libraries, + library_dirs = ["/usr/kerberos/lib"] + library_dirs, extra_compile_args = flags_list, extra_objects = obj_list), @@ -107,8 +116,8 @@ setup( sources = [samba_srcdir + "python/py_lsa.c", samba_srcdir + "python/py_common.c", samba_srcdir + "python/py_ntsec.c"], - libraries = lib_list, - library_dirs = ["/usr/kerberos/lib"], + libraries = libraries, + library_dirs = ["/usr/kerberos/lib"] + library_dirs, extra_compile_args = flags_list, extra_objects = obj_list), @@ -119,8 +128,8 @@ setup( samba_srcdir + "python/py_conv.c", samba_srcdir + "python/py_samr_conv.c", samba_srcdir + "python/py_common.c"], - libraries = lib_list, - library_dirs = ["/usr/kerberos/lib"], + libraries = libraries, + library_dirs = ["/usr/kerberos/lib"] + library_dirs, extra_compile_args = flags_list, extra_objects = obj_list), @@ -131,8 +140,8 @@ setup( samba_srcdir + "python/py_winbind_conv.c", samba_srcdir + "python/py_conv.c", samba_srcdir + "python/py_common.c"], - libraries = lib_list, - library_dirs = ["/usr/kerberos/lib"], + libraries = libraries, + library_dirs = ["/usr/kerberos/lib"] + library_dirs, extra_compile_args = flags_list, extra_objects = obj_list), @@ -141,8 +150,8 @@ setup( Extension(name = "winreg", sources = [samba_srcdir + "python/py_winreg.c", samba_srcdir + "python/py_common.c"], - libraries = lib_list, - library_dirs = ["/usr/kerberos/lib"], + libraries = libraries, + library_dirs = ["/usr/kerberos/lib"] + library_dirs, extra_compile_args = flags_list, extra_objects = obj_list), 
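Review bot: `library_dirs = ["/usr/kerberos/lib"] + library_dirs` is repeated verbatim in this hunk and in the hunks at -107, -119, -131, -141, -153, -162 and -173; computing it once after the `$LIBS` loop, `library_dirs.insert(0, "/usr/kerberos/lib")`, and passing `library_dirs = library_dirs` in each Extension would leave a single place to change. Note also that the hard-coded directory is placed ahead of the `-L` directories configure supplied, so a Kerberos library installed under /usr/kerberos/lib would presumably shadow the one configure actually linked against; appending it instead keeps configure's choice first.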
@@ -153,8 +162,8 @@ setup( samba_srcdir + "python/py_conv.c", samba_srcdir + "python/py_srvsvc_conv.c", samba_srcdir + "python/py_common.c"], - libraries = lib_list, - library_dirs = ["/usr/kerberos/lib"], + libraries = libraries, + library_dirs = ["/usr/kerberos/lib"] + library_dirs, extra_compile_args = flags_list, extra_objects = obj_list), @@ -162,8 +171,8 @@ setup( Extension(name = "tdb", sources = [samba_srcdir + "python/py_tdb.c"], - libraries = lib_list, - library_dirs = ["/usr/kerberos/lib"], + libraries = libraries, + library_dirs = ["/usr/kerberos/lib"] + library_dirs, extra_compile_args = flags_list, extra_objects = obj_list), @@ -173,8 +182,8 @@ setup( sources = [samba_srcdir + "python/py_smb.c", samba_srcdir + "python/py_common.c", samba_srcdir + "python/py_ntsec.c"], - libraries = lib_list, - library_dirs = ["/usr/kerberos/lib"], + libraries = libraries, + library_dirs = ["/usr/kerberos/lib"] + library_dirs, extra_compile_args = flags_list, extra_objects = obj_list), -- cgit From 7149dc65c7e22d53110c5e8bbab8ba96963ade76 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Tue, 13 May 2003 04:38:09 +0000 Subject: Add pythoncheck to make check target. --- source/Makefile.in | 5 ++++- source/stf/pythoncheck.py | 48 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+), 1 deletion(-) create mode 100755 source/stf/pythoncheck.py diff --git a/source/Makefile.in b/source/Makefile.in index 7f9c2a8b930..2e5bf71923f 100644 --- a/source/Makefile.in +++ b/source/Makefile.in @@ -1375,7 +1375,10 @@ Makefile: $(srcdir)/Makefile.in config.status check: check-programs LD_LIBRARY_PATH="`pwd`/bin:$$LD_LIBRARY_PATH" \ PATH="`pwd`/bin:$$PATH" \ - python stf/standardcheck.py + python stf/standardcheck.py; \ + if test -n "$(PYTHON)"; then \ + python stf/pythoncheck.py; \ + fi # These are called by the test suite and need to be built before # running it. For the time being we don't build all of BIN_PROGS, 
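Review bot: Joining the commands with `;` in `python stf/standardcheck.py; \` drops the exit status of standardcheck.py: make only sees the status of the last command on the recipe line, which is now the `if … fi`, so `make check` succeeds even when the standard checks fail, whereas the replaced line failed the target. Use `python stf/standardcheck.py && \` so a failure still stops the recipe. Separately, the new branch tests `$(PYTHON)` but then runs bare `python`; running `$(PYTHON) stf/pythoncheck.py` would presumably use the interpreter configure detected rather than whatever is first on PATH.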
diff --git a/source/stf/pythoncheck.py b/source/stf/pythoncheck.py new file mode 100755 index 00000000000..398bb2c3d69 --- /dev/null +++ b/source/stf/pythoncheck.py @@ -0,0 +1,48 @@ +#! /usr/bin/python + +# Comfychair test cases for Samba python extensions + +# Copyright (C) 2003 by Tim Potter +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 +# USA + +"""These tests are run by Samba's "make check".""" + +import sys, comfychair + +class ImportTest(comfychair.TestCase): + """Check that all modules can be imported without error.""" + def runtest(self): + python_modules = ['spoolss', 'lsa', 'samr', 'winbind', 'winreg', + 'srvsvc', 'tdb', 'smb', 'tdbpack'] + for m in python_modules: + try: + __import__('samba.%s' % m) + except ImportError, msg: + self.log(str(msg)) + self.fail('error importing %s module' % m) + +tests = [ImportTest] + +if __name__ == '__main__': + # Some magic to repend build directory to python path so we see the + # objects we have built and not previously installed stuff. + from distutils.util import get_platform + from os import getcwd + sys.path.insert(0, '%s/build/lib.%s-%s' % + (getcwd(), get_platform(), sys.version[0:3])) + + comfychair.main(tests) -- cgit From f8762d3308e142dbd5462be876df5a3e400c763d Mon Sep 17 00:00:00 2001 
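Review bot: `except ImportError, msg` in `ImportTest.runtest` only turns a missing module into a logged, per-module failure; if importing `samba.<m>` raises anything else at module-init time the exception propagates out of the test method and is presumably reported as a harness error rather than a failure of that module, so `except Exception, msg` would keep the per-module attribution. The comment in the `__main__` block has a typo, `repend` for `prepend`. It would also help to say next to `sys.path.insert` why the build directory must come first: `# build/lib.* must precede site-packages so an installed samba package is not tested by mistake`.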
From: John Terpstra Date: Tue, 13 May 2003 06:13:44 +0000 Subject: More info on Unix permissions. --- docs/docbook/projdoc/AccessControls.xml | 100 +++++++++++++++++++++++++++++++- 1 file changed, 99 insertions(+), 1 deletion(-) diff --git a/docs/docbook/projdoc/AccessControls.xml b/docs/docbook/projdoc/AccessControls.xml index f7445bdb4a4..16057411e2a 100644 --- a/docs/docbook/projdoc/AccessControls.xml +++ b/docs/docbook/projdoc/AccessControls.xml 
@@ -261,7 +261,105 @@ at how Samba helps to bridge the differences. File and Directory Access Control - Explain the anatomy of a directory listing, permissions and what they mean. + The network administrator is strongly advised to read foundational training manuals and reference materials + regarding file and directory permissions maintenance. Much can be achieved with the basic Unix permissions + without having to resort to more complex facilities like POSIX Access Control Lists (ACLs) or Extended + Attributes (EAs). + + + + Unix/Linux file and directory access permissions invloves setting three (3) primary sets of data and one (1) control set. + A Unix file listing looks as follows:- + + + jht@frodo:~/stuff> ls -la + total 632 + drwxr-xr-x 13 jht users 816 2003-05-12 22:56 . + drwxr-xr-x 37 jht users 3800 2003-05-12 22:29 .. + d--------- 2 jht users 48 2003-05-12 22:29 muchado00 + d--x--x--x 2 jht users 48 2003-05-12 22:29 muchado01 + dr-xr-xr-x 2 jht users 48 2003-05-12 22:29 muchado02 + drwxrwxrwx 2 jht users 48 2003-05-12 22:29 muchado03 + drw-rw-rw- 2 jht users 48 2003-05-12 22:29 muchado04 + d-w--w--w- 2 jht users 48 2003-05-12 22:29 muchado05 + dr--r--r-- 2 jht users 48 2003-05-12 22:29 muchado06 + drwxrwxrwt 2 jht users 48 2003-05-12 22:29 muchado07 + drwsrwsrwx 2 jht users 48 2003-05-12 22:29 muchado08 + ---------- 1 jht users 1242 2003-05-12 22:31 mydata00.lst + ---x--x--x 1 jht users 1674 2003-05-12 22:33 mydata01.lst + --w--w--w- 1 jht users 7754 2003-05-12 22:33 mydata02.lst + --wx-wx-wx 1 jht users 260179 2003-05-12 22:33 mydata03.lst + -r--r--r-- 1 jht users 21017 2003-05-12 22:32 mydata04.lst + -r-xr-xr-x 1 jht users 206339 2003-05-12 22:32 mydata05.lst + -rw-rw-rw- 1 jht users 41105 2003-05-12 22:32 mydata06.lst + -rwxrwxrwx 1 jht users 19312 2003-05-12 22:32 mydata07.lst + jht@frodo:~/stuff> + + + + + The columns above represent (from left to right): permissions, no blocks used, owner, group, size (bytes), access date, access time, file name. 
+ + + + The permissions field is made up of: + + + [ type ] [ users ] [ group ] [ others ] [File, Directory Permissions] + [ d | l ] [ r w x ] [ r w x ] [ r w x ] + | | | | | | | | | | | + | | | | | | | | | | |-----> Can Execute, List files + | | | | | | | | | |-------> Can Write, Create files + | | | | | | | | |---------> Can Read, Read files + | | | | | | | |---------------> Can Execute, List files + | | | | | | |-----------------> Can Write, Create files + | | | | | |-------------------> Can Read, Read files + | | | | |-------------------------> Can Execute, List files + | | | |---------------------------> Can Write, Create files + | | |-----------------------------> Can Read, Read files + | |-----------------------------------> Is a symbolic Link + |---------------------------------------> Is a directory + + + + + Any bit flag may be unset. An unset bit flag is the equivalent of 'Can NOT' and is represented as a '-' character. + + Example File + -rwxr-x--- Means: The owner (user) can read, write, execute + the group can read and execute + everyone else can NOT do anything with it + + + + + Additional posibilities in the [type] field are: c = character device, b = block device, p = pipe device, s = Unix Domain Socket. + + + + The letters `rwxXst' set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x),r + execute only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s), + sticky (t). + + + + When the sticky bit is set on a directory, files in that directory may be unlinked (deleted) or renamed only by root or their owner. + Without the sticky bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on + directories, such as /tmp, that are world-writable. 
+ + + + When the set user or group ID bit (s) is set on a directory, then all files created within it will be owned by the user and/or + group whose 'set user or group' bit is set. This can be very helpful in setting up directories that for which it is desired that + all users who are in a group should be able to write to and read from a file, particularly when it is undesirable for that file + to be exclusively owned by a user who's primary group is not the group that all such users belong to. + + + + When a directory is set drw-r----- this means that the owner can read and create (write) files in it, but because + the (x) execute flags are not set files can not be listed (seen) in the directory by anyone. The group can read files in the + directory but can NOT create new files. NOTE: If files in the directory are set to be readable and writable for the group, then + group members will be able to write to (or delete) them. -- cgit From 6097b050d082c7c88dca5416389617306e6dab0c Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 14 May 2003 00:26:32 +0000 Subject: spelling --- source/passdb/pdb_ldap.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/passdb/pdb_ldap.c b/source/passdb/pdb_ldap.c index b75238e971b..8f4f04d57ed 100644 --- a/source/passdb/pdb_ldap.c +++ b/source/passdb/pdb_ldap.c 
@@ -3181,13 +3181,13 @@ static NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_met ldap_state->permit_non_unix_accounts = True; - /* We know these uids can't turn up as allogorithmic RIDs */ + /* We know these uids can't turn up as algorithmic RIDs */ if (!lp_idmap_uid(&low_idmap_uid, &high_idmap_uid)) { DEBUG(0, ("cannot use ldapsam_nua without 'idmap uid' range in smb.conf!\n")); return NT_STATUS_UNSUCCESSFUL; } - /* We know these gids can't turn up as allogorithmic RIDs */ + /* We know these gids can't turn up as algorithmic RIDs */ if (!lp_idmap_gid(&low_idmap_gid, &high_idmap_gid)) { DEBUG(0, ("cannot use ldapsam_nua without 'wibnind gid' range in smb.conf!\n")); return NT_STATUS_UNSUCCESSFUL; -- cgit From 249a6974702d050644d6d61f33f0034ce2a689ee Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 14 May 2003 00:38:58 +0000 Subject: spelling --- source/auth/auth_sam.c | 4 ++-- source/libsmb/cliconnect.c | 2 +- source/libsmb/clientgen.c | 2 +- source/passdb/passdb.c | 4 ++-- source/passdb/pdb_get_set.c | 2 +- source/smbd/chgpasswd.c | 4 ++-- source/smbd/service.c | 2 +- source/smbd/session.c | 2 +- source/smbd/sesssetup.c | 2 +- source/tdb/tdbutil.c | 4 ++-- 10 files changed, 14 insertions(+), 14 deletions(-) diff --git a/source/auth/auth_sam.c b/source/auth/auth_sam.c index 33ea9bc73e5..dc5f86bae3f 100644 --- a/source/auth/auth_sam.c +++ b/source/auth/auth_sam.c @@ -224,7 +224,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, } } else { DEBUG(2,("sam_password_ok: NTLMv1 passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass))); - /* no return, becouse we might pick up LMv2 in the LM feild */ + /* no return, because we might pick up LMv2 in the LM feild */ } } 
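Review bot: The DEBUG message just below the corrected gid comment still reads `'wibnind gid'`, which is neither the parameter the code checks (`lp_idmap_gid`) nor the form used by the matching uid message (`'idmap uid'`), so an administrator hitting this error is pointed at an option that does not exist. Since the commit is a spelling pass, that line should presumably become `DEBUG(0, ("cannot use ldapsam_nua without 'idmap gid' range in smb.conf!\n"));`. The function pdb_init_ldapsam continues outside the hunk.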
@@ -419,7 +419,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, return NT_STATUS_UNSUCCESSFUL; } - /* Can't use the talloc version here, becouse the returned struct gets + /* Can't use the talloc version here, because the returned struct gets kept on the server_info */ if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sampass))) { return nt_status; diff --git a/source/libsmb/cliconnect.c b/source/libsmb/cliconnect.c index 4bfa694e634..43405031480 100644 --- a/source/libsmb/cliconnect.c +++ b/source/libsmb/cliconnect.c @@ -286,7 +286,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, } else { /* pre-encrypted password supplied. Only used for security=server, can't do - signing becouse we don't have oringial key */ + signing because we don't have original key */ lm_response = data_blob(pass, passlen); nt_response = data_blob(ntpass, ntpasslen); diff --git a/source/libsmb/clientgen.c b/source/libsmb/clientgen.c index 81cb61d757c..8d4e8a266cf 100644 --- a/source/libsmb/clientgen.c +++ b/source/libsmb/clientgen.c @@ -274,7 +274,7 @@ struct cli_state *cli_initialise(struct cli_state *cli) memset(cli->outbuf, 0, cli->bufsize); memset(cli->inbuf, 0, cli->bufsize); - /* just becouse we over-allocate, doesn't mean it's right to use it */ + /* just because we over-allocate, doesn't mean it's right to use it */ clobber_region(FUNCTION_MACRO, __LINE__, cli->outbuf+cli->bufsize, SAFETY_MARGIN); clobber_region(FUNCTION_MACRO, __LINE__, cli->inbuf+cli->bufsize, SAFETY_MARGIN); diff --git a/source/passdb/passdb.c b/source/passdb/passdb.c index aa378ecd6e0..ccfc9a1693e 100644 --- a/source/passdb/passdb.c +++ b/source/passdb/passdb.c 
@@ -181,7 +181,7 @@ NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd) mechinism, we should call it here. We can't just set this to 0 or allow it only to be filled - in when added to the backend, becouse the user's SID + in when added to the backend, because the user's SID may already be in security descriptors etc. -- abartlet 11-May-02 @@ -627,7 +627,7 @@ uint32 pdb_gid_to_group_rid(gid_t gid) static BOOL pdb_rid_is_well_known(uint32 rid) { - /* Not using rid_offset here, becouse this is the actual + /* Not using rid_offset here, because this is the actual NT fixed value (1000) */ return (rid < BASE_RID); diff --git a/source/passdb/pdb_get_set.c b/source/passdb/pdb_get_set.c index 4370dc2c36c..c95719451a2 100644 --- a/source/passdb/pdb_get_set.c +++ b/source/passdb/pdb_get_set.c @@ -28,7 +28,7 @@ #define DBGC_CLASS DBGC_PASSDB /** - * @todo Redefine this to NULL, but this changes the API becouse + * @todo Redefine this to NULL, but this changes the API because * much of samba assumes that the pdb_get...() funtions * return pstrings. (ie not null-pointers). * See also pdb_fill_default_sam(). diff --git a/source/smbd/chgpasswd.c b/source/smbd/chgpasswd.c index 3d25f33f45d..5c1d9a79a6e 100644 --- a/source/smbd/chgpasswd.c +++ b/source/smbd/chgpasswd.c @@ -980,10 +980,10 @@ NTSTATUS change_oem_password(SAM_ACCOUNT *hnd, char *old_passwd, char *new_passw * the /etc/passwd database first. Return failure if this cannot * be done. * - * This occurs before the oem change, becouse we don't want to + * This occurs before the oem change, because we don't want to * update it if chgpasswd failed. * - * Conditional on lp_unix_password_sync() becouse we don't want + * Conditional on lp_unix_password_sync() because we don't want * to touch the unix db unless we have admin permission. */ diff --git a/source/smbd/service.c b/source/smbd/service.c index cfb5e0e4143..c9f53305514 100644 --- a/source/smbd/service.c +++ b/source/smbd/service.c 
@@ -792,7 +792,7 @@ connection_struct *make_connection(const char *service_in, DATA_BLOB password, if(lp_security() != SEC_SHARE) { DATA_BLOB no_pw = data_blob(NULL, 0); if (vuser->homes_snum == -1) { - DEBUG(2, ("[homes] share not available for this user becouse it was not found or created at session setup time\n")); + DEBUG(2, ("[homes] share not available for this user because it was not found or created at session setup time\n")); *status = NT_STATUS_BAD_NETWORK_NAME; return NULL; } diff --git a/source/smbd/session.c b/source/smbd/session.c index 54b7a24b070..07a95042340 100644 --- a/source/smbd/session.c +++ b/source/smbd/session.c @@ -98,7 +98,7 @@ BOOL session_claim(user_struct *vuser) } /* If 'hostname lookup' == yes, then do the DNS lookup. This is - needed becouse utmp and PAM both expect DNS names + needed because utmp and PAM both expect DNS names client_name() handles this case internally. */ diff --git a/source/smbd/sesssetup.c b/source/smbd/sesssetup.c index a9842424a56..fc223ecf37f 100644 --- a/source/smbd/sesssetup.c +++ b/source/smbd/sesssetup.c @@ -644,7 +644,7 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, if (*user) { if (global_spnego_negotiated) { - /* This has to be here, becouse this is a perfectly valid behaviour for guest logons :-( */ + /* This has to be here, because this is a perfectly valid behaviour for guest logons :-( */ DEBUG(0,("reply_sesssetup_and_X: Rejecting attempt at 'normal' session setup after negotiating spnego.\n")); return ERROR_NT(NT_STATUS_UNSUCCESSFUL); diff --git a/source/tdb/tdbutil.c b/source/tdb/tdbutil.c index 69b282cda02..19dfe642df0 100644 --- a/source/tdb/tdbutil.c +++ b/source/tdb/tdbutil.c 
@@ -311,7 +311,7 @@ int32 tdb_change_int32_atomic(TDB_CONTEXT *tdb, const char *keystr, int32 *oldva if ((val = tdb_fetch_int32(tdb, keystr)) == -1) { /* The lookup failed */ if (tdb_error(tdb) != TDB_ERR_NOEXIST) { - /* but not becouse it didn't exist */ + /* but not because it didn't exist */ goto err_out; } @@ -352,7 +352,7 @@ BOOL tdb_change_uint32_atomic(TDB_CONTEXT *tdb, const char *keystr, uint32 *oldv if (!tdb_fetch_uint32(tdb, keystr, &val)) { /* It failed */ if (tdb_error(tdb) != TDB_ERR_NOEXIST) { - /* and not becouse it didn't exist */ + /* and not because it didn't exist */ goto err_out; } -- cgit From 04e2fe104dfa4508b59276ecd7bee201d453462e Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 14 May 2003 00:59:26 +0000 Subject: Fix pointer return bug in get_unix_attributes() --- source/passdb/pdb_ldap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/passdb/pdb_ldap.c b/source/passdb/pdb_ldap.c index 8f4f04d57ed..b0448509484 100644 --- a/source/passdb/pdb_ldap.c +++ b/source/passdb/pdb_ldap.c @@ -1565,7 +1565,7 @@ static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state, if (!get_single_attribute(ldap_state->ldap_struct, entry, "gidNumber", temp)) return False; - gid = (gid_t)atol(temp); + *gid = (gid_t)atol(temp); pdb_set_unix_homedir(sampass, homedir, PDB_SET); -- cgit From 080a943e24f1dd02ebdf31ec3e76a1c3d19834df Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 14 May 2003 01:14:06 +0000 Subject: Move some #ifdefs and function prototypes around to avoid a compiler warning when we have a working version of snprintf() --- source/lib/snprintf.c | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/source/lib/snprintf.c b/source/lib/snprintf.c index 4aef82c7d89..062521e726c 100644 --- a/source/lib/snprintf.c +++ b/source/lib/snprintf.c 
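Review bot: `*gid = (gid_t)atol(temp);` now stores the value the caller receives, but `atol` gives no way to detect a malformed `gidNumber`: a non-numeric attribute value yields 0, which on typical systems is the root group, and an out-of-range value is silently truncated, so a bad directory entry is mapped to a privileged gid instead of being rejected. Parsing with `strtoul` and returning `False` when nothing was consumed, trailing characters remain, or the value overflowed reuses the failure path the function already has for a missing attribute; the uid branch above this hunk presumably deserves the same treatment. The body of get_unix_attributes starts and ends outside the hunk; the rewrite needs `<errno.h>` in scope if it is not already, and the declarations may need hoisting to the top of the function if the tree is kept C89-clean.
```c
	/* … unchanged: gidNumber lookup and its return False … */
	char *end;
	errno = 0;
	unsigned long gid_val = strtoul(temp, &end, 10);
	if (end == temp || *end != '\0' || errno == ERANGE)
		return False;
	*gid = (gid_t)gid_val;
	/* … unchanged: pdb_set_unix_homedir call … */
```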
@@ -152,16 +152,6 @@ #define VA_COPY(dest, src) (dest) = (src) #endif -static size_t dopr(char *buffer, size_t maxlen, const char *format, - va_list args_in); -static void fmtstr(char *buffer, size_t *currlen, size_t maxlen, - char *value, int flags, int min, int max); -static void fmtint(char *buffer, size_t *currlen, size_t maxlen, - long value, int base, int min, int max, int flags); -static void fmtfp(char *buffer, size_t *currlen, size_t maxlen, - LDOUBLE fvalue, int min, int max, int flags); -static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c); - /* * dopr(): poor man's version of doprintf */ @@ -196,6 +186,19 @@ static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c); #define MAX(p,q) (((p) >= (q)) ? (p) : (q)) #endif +/* yes this really must be a ||. Don't muck with this (tridge) */ +#if !defined(HAVE_VSNPRINTF) || !defined(HAVE_C99_VSNPRINTF) + +static size_t dopr(char *buffer, size_t maxlen, const char *format, + va_list args_in); +static void fmtstr(char *buffer, size_t *currlen, size_t maxlen, + char *value, int flags, int min, int max); +static void fmtint(char *buffer, size_t *currlen, size_t maxlen, + long value, int base, int min, int max, int flags); +static void fmtfp(char *buffer, size_t *currlen, size_t maxlen, + LDOUBLE fvalue, int min, int max, int flags); +static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c); + static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args_in) { char ch; 
@@ -810,15 +813,13 @@ static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c) (*currlen)++; } -/* yes this really must be a ||. Don't muck with this (tridge) */ -#if !defined(HAVE_VSNPRINTF) || !defined(HAVE_C99_VSNPRINTF) int vsnprintf (char *str, size_t count, const char *fmt, va_list args) { return dopr(str, count, fmt, args); } #endif -/* yes this really must be a ||. Don't muck wiith this (tridge) +/* yes this really must be a ||. Don't muck with this (tridge) * * The logic for these two is that we need our own definition if the * OS *either* has no definition of *sprintf, or if it does have one -- cgit From a1326ea34831bf49942f7bcb954999091c3ea820 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 14 May 2003 04:39:55 +0000 Subject: syncing LDAP schema changes with Samba_3_0 --- examples/LDAP/samba.schema | 165 ++++++- source/lib/snprintf.c | 18 +- source/param/loadparm.c | 2 +- source/passdb/pdb_ldap.c | 1094 ++++++++++++++++++++++++++++++++------------ source/sam/idmap_tdb.c | 8 +- 5 files changed, 958 insertions(+), 329 deletions(-) diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema index f9475f07ea3..6ef89806139 100644 --- a/examples/LDAP/samba.schema +++ b/examples/LDAP/samba.schema @@ -10,6 +10,10 @@ ## 1.3.6.1.4.1.7165.2.2.x - objectclasses ## +####################################################################### +## Attributes used by Samba 2.2 schema ## +####################################################################### + ## ## Password hashes ## 
@@ -110,19 +114,122 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +####################################################################### +## Attributes used by Samba 3.0 schema ## +####################################################################### + +## +## Password hashes +## +attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' + DESC 'LanManager Passwd' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' + DESC 'NT Passwd' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) + +## +## Account flags in string format ([UWDX ]) +## +attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' + DESC 'Account Flags' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE ) + +## +## Password timestamps & policies +## +attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' + DESC 'NT pwdLastSet' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' + DESC 'NT pwdCanChange' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' + DESC 'NT pwdMustChange' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' + DESC 'NT logonTime' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' + DESC 'NT logoffTime' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' + DESC 'NT kickoffTime' + EQUALITY integerMatch + SYNTAX 
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + + +## +## string settings +## +attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' + DESC 'NT homeDrive' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' + DESC 'NT scriptPath' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' + DESC 'NT profilePath' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' + DESC 'userWorkstations' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' + DESC 'smbHome' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) + +attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' + DESC 'Windows NT domain to which the user belongs' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) + ## ## SID, of any type ## -attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'ntSid' +attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) + +## +## Primary group SID, compatible with ntSid +## + +attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' + DESC 'Primary Group Security ID' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) + ## ## group mapping attributes ## -attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'ntGroupType' +attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'NT Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 
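Review bot: The new sambaLMPassword and sambaNTPassword attributes hold the LanManager and NT hashes, which are password-equivalent for NTLM-style authentication, yet nothing in the hunk reminds the deployer that a schema file carries no access control. Worth a comment above the two definitions, for example `## NOTE: these hashes are password-equivalent; restrict them with a directory ACL (e.g. self write, everyone else none) and never expose them to anonymous binds`. The 'ldap ssl' default of LDAP_SSL_ON in loadparm.c protects them on the wire, not at rest in the directory.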
@@ -131,16 +238,21 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'ntGroupType' ## Store info on the domain ## -attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'nextUserRid' +attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC 'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'nextGroupRid' +attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DESC 'Next NT rid to give out for groups' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +######################################################################## +## HISTORICAL ## +######################################################################## + ## ## The smbPasswordEntry objectclass has been depreciated in favor of the ## sambaAccount objectclass 
@@ -158,18 +270,36 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'nextGroupRid' # displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $ # description $ userWorkstations $ primaryGroupID $ domain )) +######################################################################## +## END OF HISTORICAL ## +######################################################################## + ## The X.500 data model (and therefore LDAPv3) says that each entry can ## only have one structural objectclass. OpenLDAP 2.0 does not enforce ## this currently but will in v2.1 objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY DESC 'Samba Auxilary Account' - MUST ( uid $ ntSid ) + MUST ( uid $ rid ) MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $ description $ userWorkstations $ primaryGroupID $ domain )) +## +## added new objectclass (and OID) for 3.0 to help us deal with backwards +## compatibility with 2.2 installations (e.g. ldapsam_compat) --jerry +## +objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY + DESC 'Samba 3.0 Auxilary Account' + MUST ( uid $ sambaSID ) + MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ + sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ + sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ + displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ + sambaProfilePath $ description $ sambaUserWorkstations $ + sambaPrimaryGroupSID $ sambaDomainName )) + ############################################################################ ## ## Please note that this schema is really experimental and might 
@@ -177,30 +307,19 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY ## ############################################################################ -## -## Whole-of-domain info -## - -objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL - DESC 'Samba Domain Information' - MUST ( domain $ nextGroupRid $ nextUserRid $ ntSid)) - ## ## Group mapping info ## objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY DESC 'Samba Group Mapping' - MUST ( gidNumber $ ntSid $ ntGroupType ) - MAY ( displayName $ description )) + MUST ( gidNumber $ sambaSID $ sambaGroupType ) + MAY ( displayName $ description $ cn )) ## -## Used for Winbind experimentation +## Whole-of-domain info ## -#objectclass ( 1.3.6.1.4.1.7165.1.2.2.3 NAME 'uidPool' SUP top AUXILIARY -# DESC 'Pool for allocating UNIX uids' -# MUST ( uidNumber ) ) - -#objectclass ( 1.3.6.1.4.1.7165.1.2.2.4 NAME 'gidPool' SUP top AUXILIARY -# DESC 'Pool for allocating UNIX gids' -# MUST ( gidNumber ) ) +objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL + DESC 'Samba Domain Information' + MUST ( sambaDomainName $ sambaNextGroupRid $ sambaNextUserRid $ + sambaSID ) ) diff --git a/source/lib/snprintf.c b/source/lib/snprintf.c index 062521e726c..9b9ceb60cac 100644 --- a/source/lib/snprintf.c +++ b/source/lib/snprintf.c @@ -665,7 +665,7 @@ static void fmtfp (char *buffer, size_t *currlen, size_t maxlen, int padlen = 0; /* amount to pad */ int zpadlen = 0; int caps = 0; - int index; + int idx; double intpart; double fracpart; double temp; 
@@ -724,11 +724,11 @@ static void fmtfp (char *buffer, size_t *currlen, size_t maxlen, do { temp = intpart*0.1; my_modf(temp, &intpart); - index = (int) ((temp -intpart +0.05)* 10.0); - /* index = (int) (((double)(temp*0.1) -intpart +0.05) *10.0); */ - /* printf ("%llf, %f, %x\n", temp, intpart, index); */ + idx = (int) ((temp -intpart +0.05)* 10.0); + /* idx = (int) (((double)(temp*0.1) -intpart +0.05) *10.0); */ + /* printf ("%llf, %f, %x\n", temp, intpart, idx); */ iconvert[iplace++] = - (caps? "0123456789ABCDEF":"0123456789abcdef")[index]; + (caps? "0123456789ABCDEF":"0123456789abcdef")[idx]; } while (intpart && (iplace < 311)); if (iplace == 311) iplace--; iconvert[iplace] = 0; @@ -739,11 +739,11 @@ static void fmtfp (char *buffer, size_t *currlen, size_t maxlen, do { temp = fracpart*0.1; my_modf(temp, &fracpart); - index = (int) ((temp -fracpart +0.05)* 10.0); - /* index = (int) ((((temp/10) -fracpart) +0.05) *10); */ - /* printf ("%lf, %lf, %ld\n", temp, fracpart, index); */ + idx = (int) ((temp -fracpart +0.05)* 10.0); + /* idx = (int) ((((temp/10) -fracpart) +0.05) *10); */ + /* printf ("%lf, %lf, %ld\n", temp, fracpart, idx ); */ fconvert[fplace++] = - (caps? "0123456789ABCDEF":"0123456789abcdef")[index]; + (caps? "0123456789ABCDEF":"0123456789abcdef")[idx]; } while(fracpart && (fplace < 311)); if (fplace == 311) fplace--; } diff --git a/source/param/loadparm.c b/source/param/loadparm.c index 66a4b1c02e6..51a1b028a46 100644 --- a/source/param/loadparm.c +++ b/source/param/loadparm.c @@ -1416,10 +1416,10 @@ static void init_globals(void) #endif /* WITH_LDAP_SAMCONFIG */ string_set(&Globals.szLdapSuffix, ""); + string_set(&Globals.szLdapFilter, "(uid=%u)"); string_set(&Globals.szLdapMachineSuffix, ""); string_set(&Globals.szLdapUserSuffix, ""); - string_set(&Globals.szLdapFilter, "(&(uid=%u)(objectclass=sambaAccount))"); string_set(&Globals.szLdapAdminDn, ""); Globals.ldap_ssl = LDAP_SSL_ON; Globals.ldap_passwd_sync = LDAP_PASSWD_SYNC_OFF; 
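Review bot: Changing the default `ldap filter` to `(uid=%u)` is only correct because ldapsam_search_suffix_by_name() now wraps the configured filter as `(&%s%s)` and appends the objectclass clause in code; an smb.conf that still carries the old default `(&(uid=%u)(objectclass=sambaAccount))` will now be ANDed with `(objectclass=sambaSamAccount)` and match no entry that has only one of the two classes. A comment on the new string_set line such as `/* the objectclass term is appended by pdb_ldap.c; do not put it in the filter */`, plus a release note telling admins to drop the objectclass from an explicitly configured filter, would prevent a silent all-logins-fail migration. Whether loadparm.c warns about the old value elsewhere cannot be seen from here.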
diff --git a/source/passdb/pdb_ldap.c b/source/passdb/pdb_ldap.c index b0448509484..5dbf10c5b9d 100644 --- a/source/passdb/pdb_ldap.c +++ b/source/passdb/pdb_ldap.c @@ -1,8 +1,8 @@ /* - Unix SMB/CIFS implementation. + Unix SMB/CIFS mplementation. LDAP protocol helper functions for SAMBA Copyright (C) Jean François Micouleau 1998 - Copyright (C) Gerald Carter 2001 + Copyright (C) Gerald Carter 2001-2003 Copyright (C) Shahms King 2001 Copyright (C) Andrew Bartlett 2002 Copyright (C) Stefan (metze) Metzmacher 2002 @@ -23,11 +23,6 @@ */ -#include "includes.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_PASSDB - /* TODO: * persistent connections: if using NSS LDAP, many connections are made * however, using only one within Samba would be nice @@ -48,6 +43,11 @@ * and/or winbind */ +#include "includes.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_PASSDB + #include #include @@ -73,7 +73,7 @@ struct ldapsam_privates { DOM_SID domain_sid; /* configuration items */ - BOOL use_ntsid; + int schema_ver; BOOL permit_non_unix_accounts; 
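Review bot: The rewritten first line of the file header reads `Unix SMB/CIFS mplementation.`, dropping the initial letter of the word the removed line spelled correctly; the copyright year bump is the only intended change, so the line should stay `Unix SMB/CIFS implementation.`. The include-block move in the following two hunks only reorders comment text around `#include "includes.h"`, so it looks harmless.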
@@ -93,6 +93,257 @@ struct ldapsam_privates { static struct ldapsam_privates *static_ldap_state; +/* specify schema versions between 2.2. and 3.0 */ + +#define SCHEMAVER_SAMBAACCOUNT 1 +#define SCHEMAVER_SAMBASAMACCOUNT 2 + +/* objectclass names */ + +#define LDAP_OBJ_SAMBASAMACCOUNT "sambaSamAccount" +#define LDAP_OBJ_SAMBAACCOUNT "sambaAccount" +#define LDAP_OBJ_GROUPMAP "sambaGroupMapping" +#define LDAP_OBJ_DOMINFO "sambaDomain" + +#define LDAP_OBJ_ACCOUNT "account" +#define LDAP_OBJ_POSIXACCOUNT "posixAccount" + +/* some generic attributes that get reused a lot */ + +#define LDAP_ATTRIBUTE_SID "sambaSID" + +/* attribute map table indexes */ + +#define LDAP_ATTR_LIST_END 0 +#define LDAP_ATTR_UID 1 +#define LDAP_ATTR_UIDNUMBER 2 +#define LDAP_ATTR_GIDNUMBER 3 +#define LDAP_ATTR_UNIX_HOME 4 +#define LDAP_ATTR_PWD_LAST_SET 5 +#define LDAP_ATTR_PWD_CAN_CHANGE 6 +#define LDAP_ATTR_PWD_MUST_CHANGE 7 +#define LDAP_ATTR_LOGON_TIME 8 +#define LDAP_ATTR_LOGOFF_TIME 9 +#define LDAP_ATTR_KICKOFF_TIME 10 +#define LDAP_ATTR_CN 11 +#define LDAP_ATTR_DISPLAY_NAME 12 +#define LDAP_ATTR_HOME_PATH 13 +#define LDAP_ATTR_LOGON_SCRIPT 14 +#define LDAP_ATTR_PROFILE_PATH 15 +#define LDAP_ATTR_DESC 16 +#define LDAP_ATTR_USER_WKS 17 +#define LDAP_ATTR_USER_SID 18 +#define LDAP_ATTR_USER_RID 18 +#define LDAP_ATTR_PRIMARY_GROUP_SID 19 +#define LDAP_ATTR_PRIMARY_GROUP_RID 20 +#define LDAP_ATTR_LMPW 21 +#define LDAP_ATTR_NTPW 22 +#define LDAP_ATTR_DOMAIN 23 +#define LDAP_ATTR_OBJCLASS 24 +#define LDAP_ATTR_ACB_INFO 25 +#define LDAP_ATTR_NEXT_USERRID 26 +#define LDAP_ATTR_NEXT_GROUPRID 27 +#define LDAP_ATTR_DOM_SID 28 +#define LDAP_ATTR_HOME_DRIVE 29 +#define LDAP_ATTR_GROUP_SID 30 +#define LDAP_ATTR_GROUP_TYPE 31 + + +typedef struct _attrib_map_entry { + int attrib; + const char *name; +} ATTRIB_MAP_ENTRY; + + +/* attributes used by Samba 2.2 */ + +static ATTRIB_MAP_ENTRY attrib_map_v22[] = { + { LDAP_ATTR_UID, "uid" }, + { LDAP_ATTR_UIDNUMBER, "uidNumber" }, + { LDAP_ATTR_GIDNUMBER, 
"gidNumber" }, + { LDAP_ATTR_UNIX_HOME, "homeDirectory" }, + { LDAP_ATTR_PWD_LAST_SET, "pwdLastSet" }, + { LDAP_ATTR_PWD_CAN_CHANGE, "pwdCanChange" }, + { LDAP_ATTR_PWD_MUST_CHANGE, "pwdMustChange" }, + { LDAP_ATTR_LOGON_TIME, "logonTime" }, + { LDAP_ATTR_LOGOFF_TIME, "logoffTime" }, + { LDAP_ATTR_KICKOFF_TIME, "kickoffTime" }, + { LDAP_ATTR_CN, "cn" }, + { LDAP_ATTR_DISPLAY_NAME, "displayName" }, + { LDAP_ATTR_HOME_PATH, "smbHome" }, + { LDAP_ATTR_HOME_DRIVE, "homeDrives" }, + { LDAP_ATTR_LOGON_SCRIPT, "scriptPath" }, + { LDAP_ATTR_PROFILE_PATH, "profilePath" }, + { LDAP_ATTR_DESC, "description" }, + { LDAP_ATTR_USER_WKS, "userWorkstations"}, + { LDAP_ATTR_USER_RID, "rid" }, + { LDAP_ATTR_PRIMARY_GROUP_RID, "primaryGroupID"}, + { LDAP_ATTR_LMPW, "lmPassword" }, + { LDAP_ATTR_NTPW, "ntPassword" }, + { LDAP_ATTR_DOMAIN, "domain" }, + { LDAP_ATTR_OBJCLASS, "objectClass" }, + { LDAP_ATTR_ACB_INFO, "acctFlags" }, + { LDAP_ATTR_LIST_END, NULL } +}; + +/* attributes used by Samba 3.0's sambaSamAccount */ + +static ATTRIB_MAP_ENTRY attrib_map_v30[] = { + { LDAP_ATTR_UID, "uid" }, + { LDAP_ATTR_UIDNUMBER, "uidNumber" }, + { LDAP_ATTR_GIDNUMBER, "gidNumber" }, + { LDAP_ATTR_UNIX_HOME, "homeDirectory" }, + { LDAP_ATTR_PWD_LAST_SET, "sambaPwdLastSet" }, + { LDAP_ATTR_PWD_CAN_CHANGE, "sambaPwdCanChange" }, + { LDAP_ATTR_PWD_MUST_CHANGE, "sambaPwdMustChange" }, + { LDAP_ATTR_LOGON_TIME, "sambaLogonTime" }, + { LDAP_ATTR_LOGOFF_TIME, "sambaLogoffTime" }, + { LDAP_ATTR_KICKOFF_TIME, "sambaKickoffTime" }, + { LDAP_ATTR_CN, "cn" }, + { LDAP_ATTR_DISPLAY_NAME, "displayName" }, + { LDAP_ATTR_HOME_DRIVE, "sambaHoneDrive" }, + { LDAP_ATTR_HOME_PATH, "sambaHomePath" }, + { LDAP_ATTR_LOGON_SCRIPT, "sambaLogonScript" }, + { LDAP_ATTR_PROFILE_PATH, "sambaProfilePath" }, + { LDAP_ATTR_DESC, "description" }, + { LDAP_ATTR_USER_WKS, "sambaUserWorkstations" }, + { LDAP_ATTR_USER_SID, "sambaSID" }, + { LDAP_ATTR_PRIMARY_GROUP_SID, "sambaPrimaryGroupSID" }, + { LDAP_ATTR_LMPW, "sambaLMPassword" 
}, + { LDAP_ATTR_NTPW, "sambaNTPassword" }, + { LDAP_ATTR_DOMAIN, "sambaDomainName" }, + { LDAP_ATTR_OBJCLASS, "objectClass" }, + { LDAP_ATTR_ACB_INFO, "sambaAcctFlags" }, + { LDAP_ATTR_LIST_END, NULL } +}; + +/* attributes used for alalocating RIDs */ + +static ATTRIB_MAP_ENTRY dominfo_attr_list[] = { + { LDAP_ATTR_DOMAIN, "sambaDomainName" }, + { LDAP_ATTR_NEXT_USERRID, "sambaNextUserRid" }, + { LDAP_ATTR_NEXT_GROUPRID, "sambaNextGroupRid" }, + { LDAP_ATTR_DOM_SID, "sambaSID" }, + { LDAP_ATTR_LIST_END, NULL }, +}; + +/* Samba 3.0 group mapping attributes */ + +static ATTRIB_MAP_ENTRY groupmap_attr_list[] = { + { LDAP_ATTR_GIDNUMBER, "gidNumber" }, + { LDAP_ATTR_GROUP_SID, "sambaSID" }, + { LDAP_ATTR_GROUP_TYPE, "sambaGroupType" }, + { LDAP_ATTR_DESC, "description" }, + { LDAP_ATTR_DISPLAY_NAME, "displayName" }, + { LDAP_ATTR_CN, "cn" }, + { LDAP_ATTR_LIST_END, NULL } +}; + +/********************************************************************** + perform a simple table lookup and return the attribute name + **********************************************************************/ + +static const char* get_attr_key2string( ATTRIB_MAP_ENTRY table[], int key ) +{ + int i = 0; + + while ( table[i].attrib != LDAP_ATTR_LIST_END ) { + if ( table[i].attrib == key ) + return table[i].name; + i++; + } + + return NULL; +} + +/********************************************************************** + get the attribute name given a user schame version + **********************************************************************/ + +static const char* get_userattr_key2string( int schema_ver, int key ) +{ + switch ( schema_ver ) + { + case SCHEMAVER_SAMBAACCOUNT: + return get_attr_key2string( attrib_map_v22, key ); + + case SCHEMAVER_SAMBASAMACCOUNT: + return get_attr_key2string( attrib_map_v30, key ); + + default: + DEBUG(0,("get_userattr_key2string: unknown schema version specified\n")); + break; + } + return NULL; +} + 
+/********************************************************************** + Return the list of attribute names from a mapping table + **********************************************************************/ + +static char** get_attr_list( ATTRIB_MAP_ENTRY table[] ) +{ + char **names; + int i = 0; + + while ( table[i].attrib != LDAP_ATTR_LIST_END ) + i++; + i++; + + names = (char**)malloc( sizeof(char*)*i ); + if ( !names ) { + DEBUG(0,("get_attr_list: out of memory\n")); + return NULL; + } + + i = 0; + while ( table[i].attrib != LDAP_ATTR_LIST_END ) { + names[i] = strdup( table[i].name ); + i++; + } + names[i] = NULL; + + return names; +} + +/********************************************************************* + Cleanup + ********************************************************************/ + +static void free_attr_list( char **list ) +{ + int i = 0; + + if ( !list ) + return; + + while ( list[i] ) + SAFE_FREE( list[i] ); + + SAFE_FREE( list ); +} + +/********************************************************************** + return the list of attribute names given a user schema version + **********************************************************************/ + +static char** get_userattr_list( int schema_ver ) +{ + switch ( schema_ver ) + { + case SCHEMAVER_SAMBAACCOUNT: + return get_attr_list( attrib_map_v22 ); + + case SCHEMAVER_SAMBASAMACCOUNT: + return get_attr_list( attrib_map_v30 ); + default: + DEBUG(0,("get_userattr_list: unknown schema version specified!\n")); + break; + } + + return NULL; +} + /******************************************************************* find the ldap password ******************************************************************/ 
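Review bot: free_attr_list() never advances `i`: `while ( list[i] ) SAFE_FREE( list[i] );` frees list[0] and then, assuming SAFE_FREE nulls its argument as the Samba macro does, exits the loop, leaking every other strdup()'d name on each ldapsam_search_domain_info() call (and if the slot were not nulled this would be an endless double-free loop). Use an explicit index, `for (i = 0; list[i]; i++) SAFE_FREE(list[i]);`, rather than `list[i++]`, since SAFE_FREE evaluates its argument more than once. Two attribute names are also misspelled relative to the schema in this commit, `"sambaHoneDrive"` in attrib_map_v30 (schema: sambaHomeDrive) and `"homeDrives"` in attrib_map_v22 (the removed attr[] array and the sambaAccount MAY list say homeDrive), so reads of the home drive find nothing and writes naming it will presumably be rejected as an undefined attribute type. Finally LDAP_ATTR_USER_SID and LDAP_ATTR_USER_RID both expand to 18, which makes get_userattr_key2string(SCHEMAVER_SAMBAACCOUNT, LDAP_ATTR_USER_SID) return "rid" instead of NULL; give LDAP_ATTR_USER_RID its own value and renumber the constants that follow.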
@@ -156,23 +407,7 @@ static BOOL fetch_ldapsam_pw(char **dn, char** pw) return True; } - -static const char *attr[] = {"uid", "pwdLastSet", "logonTime", - "logoffTime", "kickoffTime", "cn", - "pwdCanChange", "pwdMustChange", - "displayName", "homeDrive", - "smbHome", "scriptPath", - "profilePath", "description", - "userWorkstations", "rid", "ntSid", - "primaryGroupID", "lmPassword", - "ntPassword", "acctFlags", - "domain", "objectClass", - "uidNumber", "gidNumber", - "homeDirectory", NULL }; - -static const char *domain_info_attrs[] = {"domain", "nextUserRid", - "nextGroupRid", "ntSid", NULL }; - + /******************************************************************* open a connection to the ldap server. ******************************************************************/ @@ -542,9 +777,12 @@ static int ldapsam_retry_open(struct ldapsam_privates *ldap_state, int *attempts } +/********************************************************************* + ********************************************************************/ + static int ldapsam_search(struct ldapsam_privates *ldap_state, const char *base, int scope, const char *filter, - const char *attrs[], int attrsonly, + char *attrs[], int attrsonly, LDAPMessage **res) { int rc = LDAP_SERVER_DOWN; @@ -563,7 +801,7 @@ static int ldapsam_search(struct ldapsam_privates *ldap_state, continue; rc = ldap_search_s(ldap_state->ldap_struct, base, scope, - utf8_filter, (char **)attrs, attrsonly, res); + utf8_filter, attrs, attrsonly, res); } if (rc == LDAP_SERVER_DOWN) { 
@@ -691,14 +929,15 @@ static int ldapsam_extended_operation(struct ldapsam_privates *ldap_state, LDAP_ /******************************************************************* run the search by name. ******************************************************************/ -static int ldapsam_search_suffix (struct ldapsam_privates *ldap_state, const char *filter, const char **search_attr, LDAPMessage ** result) +static int ldapsam_search_suffix (struct ldapsam_privates *ldap_state, const char *filter, + char **search_attr, LDAPMessage ** result) { int scope = LDAP_SCOPE_SUBTREE; int rc; DEBUG(2, ("ldapsam_search_suffix: searching for:[%s]\n", filter)); - rc = ldapsam_search(ldap_state, lp_ldap_suffix (), scope, filter, search_attr, 0, result); + rc = ldapsam_search(ldap_state, lp_ldap_suffix(), scope, filter, search_attr, 0, result); if (rc != LDAP_SUCCESS) { char *ld_error = NULL; 
@@ -714,11 +953,36 @@ static int ldapsam_search_suffix (struct ldapsam_privates *ldap_state, const cha return rc; } +/******************************************************************* + generate the LDAP search filter for the objectclass based on the + version of the schema we are using + ******************************************************************/ + +static const char* get_objclass_filter( int schema_ver ) +{ + static fstring objclass_filter; + + switch( schema_ver ) + { + case SCHEMAVER_SAMBAACCOUNT: + snprintf( objclass_filter, sizeof(objclass_filter)-1, "(objectclass=%s)", LDAP_OBJ_SAMBAACCOUNT ); + break; + case SCHEMAVER_SAMBASAMACCOUNT: + snprintf( objclass_filter, sizeof(objclass_filter)-1, "(objectclass=%s)", LDAP_OBJ_SAMBASAMACCOUNT ); + break; + default: + DEBUG(0,("ldapsam_search_suffix_by_name(): Invalid schema version specified!\n")); + break; + } + + return objclass_filter; +} + /******************************************************************* run the search by name. ******************************************************************/ static int ldapsam_search_suffix_by_name (struct ldapsam_privates *ldap_state, const char *user, - LDAPMessage ** result) + LDAPMessage ** result, char **attr) { pstring filter; char *escape_user = escape_ldap_string_alloc(user); @@ -731,7 +995,8 @@ static int ldapsam_search_suffix_by_name (struct ldapsam_privates *ldap_state, c * in the filter expression, replace %u with the real name * so in ldap filter, %u MUST exist :-) */ - pstrcpy(filter, lp_ldap_filter()); + snprintf(filter, sizeof(filter)-1, "(&%s%s)", lp_ldap_filter(), + get_objclass_filter(ldap_state->schema_ver)); /* * have to use this here because $ is filtered out 
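Review bot: get_objclass_filter() leaves its static `objclass_filter` untouched on the default branch, so an unknown schema_ver returns either an empty string or the previous call's filter, and ldapsam_search_suffix_by_name() then builds `(&<user filter>)` with the objectclass restriction silently dropped rather than failing. Clear the buffer first, `objclass_filter[0] = '\0';`, and have callers treat an empty result as an error, or return NULL from the default branch and check it before the snprintf. The DEBUG text on that branch also names `ldapsam_search_suffix_by_name()` instead of get_objclass_filter(), which will mislead whoever reads the log. Since the function hands out a pointer into a static buffer, its header comment should say the result is overwritten by the next call.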
@@ -749,15 +1014,17 @@ static int ldapsam_search_suffix_by_name (struct ldapsam_privates *ldap_state, c run the search by rid. ******************************************************************/ static int ldapsam_search_suffix_by_rid (struct ldapsam_privates *ldap_state, - uint32 rid, - LDAPMessage ** result) + uint32 rid, LDAPMessage ** result, + char **attr) { pstring filter; int rc; - /* check if the user rid exsists, if not, try searching on the uid */ + /* check if the user rid exists, if not, try searching on the uid */ + + snprintf(filter, sizeof(filter)-1, "(&(rid=%i)%s)", rid, + get_objclass_filter(ldap_state->schema_ver)); - snprintf(filter, sizeof(filter) - 1, "rid=%i", rid); rc = ldapsam_search_suffix(ldap_state, filter, attr, result); return rc; @@ -767,8 +1034,8 @@ static int ldapsam_search_suffix_by_rid (struct ldapsam_privates *ldap_state, run the search by SID. ******************************************************************/ static int ldapsam_search_suffix_by_sid (struct ldapsam_privates *ldap_state, - const DOM_SID *sid, - LDAPMessage ** result) + const DOM_SID *sid, LDAPMessage ** result, + char **attr) { pstring filter; int rc; @@ -776,7 +1043,11 @@ static int ldapsam_search_suffix_by_sid (struct ldapsam_privates *ldap_state, /* check if the user rid exsists, if not, try searching on the uid */ - snprintf(filter, sizeof(filter) - 1, "ntSid=%s", sid_to_string(sid_string, sid)); + snprintf(filter, sizeof(filter)-1, "(&(%s=%s)%s)", + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID), + sid_to_string(sid_string, sid), + get_objclass_filter(ldap_state->schema_ver)); + rc = ldapsam_search_suffix(ldap_state, filter, attr, result); return rc; @@ -789,6 +1060,10 @@ static BOOL get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry, const char *attribute, pstring value) { char **values; + + if ( !attribute ) + return False; + value[0] = '\0'; if ((values = ldap_get_values (ldap_struct, entry, attribute)) == NULL) { 
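Review bot: ldapsam_search_suffix_by_rid() still hard-codes the attribute in `"(&(rid=%i)%s)"`, but the sambaSamAccount objectclass added to samba.schema in this commit has no `rid` attribute (only sambaSID) and attrib_map_v30 has no LDAP_ATTR_USER_RID entry, so under the 3.0 schema the search ANDs a non-existent attribute with `(objectclass=sambaSamAccount)` and can never match. For SCHEMAVER_SAMBASAMACCOUNT the lookup should compose the full SID from ldap_state->domain_sid and the rid and go through ldapsam_search_suffix_by_sid() (defined after this function, so it needs a prototype), keeping the `rid` filter only for SCHEMAVER_SAMBAACCOUNT. `rid` is a uint32, so the format should be `"(&(rid=%u)%s)"` in any case. ldapsam_search_suffix_by_sid() in the next hunk has the mirror-image problem for the 2.2 schema: because LDAP_ATTR_USER_SID and LDAP_ATTR_USER_RID share the value 18, get_userattr_key2string(SCHEMAVER_SAMBAACCOUNT, LDAP_ATTR_USER_SID) yields "rid" and the filter becomes `(rid=S-1-5-...)`, which matches nothing.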
@@ -797,9 +1072,7 @@ static BOOL get_single_attribute (LDAP * ldap_struct, LDAPMessage * entry, return False; } - if (convert_string(CH_UTF8, CH_UNIX, - values[0], -1, - value, sizeof(pstring)) == (size_t)-1) + if (convert_string(CH_UTF8, CH_UNIX,values[0], -1, value, sizeof(pstring)) == (size_t)-1) { DEBUG(1, ("get_single_attribute: string conversion of [%s] = [%s] failed!\n", attribute, values[0])); @@ -827,11 +1100,12 @@ static void make_a_mod (LDAPMod *** modlist, int modop, const char *attribute, c mods = *modlist; - if (attribute == NULL || *attribute == '\0') - return; + /* sanity checks on the mod values */ -#if 0 - /* Why do we need this??? -- vl */ + if (attribute == NULL || *attribute == '\0') + return; +#if 0 /* commented out after discussion with abartlet. Do not reenable. + left here so other so re-add similar code --jerry */ if (value == NULL || *value == '\0') return; #endif @@ -956,7 +1230,7 @@ static void make_ldap_mod(LDAP *ldap_struct, LDAPMessage *existing, static NTSTATUS ldapsam_delete_entry(struct ldapsam_privates *ldap_state, LDAPMessage *result, const char *objectclass, - const char **attrs) + char **attrs) { int rc; LDAPMessage *entry; @@ -987,17 +1261,18 @@ static NTSTATUS ldapsam_delete_entry(struct ldapsam_privates *ldap_state, } /* Ok, delete only the SAM attributes */ - + for (name = ldap_first_attribute(ldap_state->ldap_struct, entry, &ptr); name != NULL; - name = ldap_next_attribute(ldap_state->ldap_struct, entry, ptr)) { - - const char **attrib; + name = ldap_next_attribute(ldap_state->ldap_struct, entry, ptr)) + { + char **attrib; /* We are only allowed to delete the attributes that really exist. */ - for (attrib = attrs; *attrib != NULL; attrib++) { + for (attrib = attrs; *attrib != NULL; attrib++) + { if (StrCaseCmp(*attrib, name) == 0) { DEBUG(10, ("deleting attribute %s\n", name)); make_a_mod(&mods, LDAP_MOD_DELETE, name, NULL); 
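Review bot: The new `#if 0` comment in make_a_mod() is hard to parse (`left here so other so re-add similar code`) and does not say why an empty value must be accepted, even though the reason is visible two hunks down: ldapsam_delete_entry() calls `make_a_mod(&mods, LDAP_MOD_DELETE, name, NULL)` to drop a whole attribute, which a `value == NULL` early return would silently turn into a no-op. Suggest replacing the comment with `/* Do not reject a NULL/empty value here: ldapsam_delete_entry() passes NULL with LDAP_MOD_DELETE to remove an entire attribute (agreed with abartlet; left as #if 0 so nobody re-adds the check) */`. make_a_mod() continues outside the hunk.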
@@ -1006,7 +1281,7 @@ static NTSTATUS ldapsam_delete_entry(struct ldapsam_privates *ldap_state, ldap_memfree(name); } - + if (ptr != NULL) { ber_free(ptr, 0); } @@ -1040,15 +1315,19 @@ static int ldapsam_search_domain_info(struct ldapsam_privates *ldap_state, { pstring filter; int rc; + char **attr_list; - slprintf(filter, sizeof(filter)-1, - "(&(objectClass=sambaDomain)(domain=%s))", - ldap_state->domain_name); + snprintf(filter, sizeof(filter)-1, "(&(objectClass=%s)(%s=%s))", + LDAP_OBJ_DOMINFO, + get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), + ldap_state->domain_name); DEBUG(2, ("Searching for:[%s]\n", filter)); - rc = ldapsam_search_suffix(ldap_state, filter, - domain_info_attrs, result); + + attr_list = get_attr_list( dominfo_attr_list ); + rc = ldapsam_search_suffix(ldap_state, filter, attr_list , result); + free_attr_list( attr_list ); if (rc != LDAP_SUCCESS) { DEBUG(2,("Problem during LDAPsearch: %s\n", ldap_err2string (rc))); @@ -1071,8 +1350,9 @@ static uint32 entry_to_rid(struct ldapsam_privates *ldap_state, LDAPMessage *ent DOM_SID dom_sid; uint32 rid; - if (!get_single_attribute(ldap_state->ldap_struct, entry, "ntSid", - sid_string)) { + if (!get_single_attribute(ldap_state->ldap_struct, entry, + LDAP_ATTRIBUTE_SID, sid_string)) + { return 0; } @@ -1120,13 +1400,14 @@ static uint32 search_next_allocated_rid(struct ldapsam_privates *ldap_state, int uint32 next_rid; uint32 count; uint32 rid; - const char *sid_attr[] = {"ntSid", NULL}; - const char *filter = "(ntSid=*)"; + char *sid_attr[] = {LDAP_ATTRIBUTE_SID, NULL}; + fstring filter; + + snprintf( filter, sizeof(filter)-1, "(%s=*)", LDAP_ATTRIBUTE_SID ); DEBUG(2, ("search_top_allocated_rid: searching for:[%s]\n", filter)); - rc = ldapsam_search_suffix(ldap_state, filter, - sid_attr, &result); + rc = ldapsam_search_suffix(ldap_state, filter, sid_attr, &result); if (rc != LDAP_SUCCESS) { DEBUG(3, ("LDAP search failed! cannot find base for NUA RIDs: %s\n", ldap_err2string(rc))); 
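Review bot: ldapsam_search_domain_info() splices `ldap_state->domain_name` straight into the search filter, while the user name in ldapsam_search_suffix_by_name() goes through escape_ldap_string_alloc() first. The domain name presumably comes from smb.conf and is trusted, but a value containing `(`, `)`, `*` or `\` would still yield a malformed or over-broad filter, and escaping it keeps filter construction uniform across the file; the filter built in add_new_domain_info() in the next hunk has the same shape. get_attr_list() can also return NULL on allocation failure, and that NULL is passed on to the search unchecked; if ldap_search_s() treats a NULL attribute list as "all attributes", as its API presumably does, the failure is masked rather than reported, so check for NULL and return an error.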
@@ -1199,9 +1480,9 @@ static NTSTATUS add_new_domain_info(struct ldapsam_privates *ldap_state) int rc; int ldap_op; LDAPMessage *result = NULL; - LDAPMessage *entry = NULL; char *dn = NULL; int num_result; + char **attr_list; uint32 next_allocated_user_rid; uint32 next_allocated_group_rid; @@ -1216,8 +1497,14 @@ static NTSTATUS add_new_domain_info(struct ldapsam_privates *ldap_state) return NT_STATUS_UNSUCCESSFUL; } - slprintf (filter, sizeof (filter) - 1, "domain=%s", ldap_state->domain_name); - rc = ldapsam_search_suffix(ldap_state, filter, domain_info_attrs, &result); + slprintf (filter, sizeof (filter) - 1, "(&(%s=%s)(objectclass=%s))", + get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), + ldap_state->domain_name, LDAP_OBJ_DOMINFO); + + attr_list = get_attr_list( dominfo_attr_list ); + rc = ldapsam_search_suffix(ldap_state, filter, attr_list, &result); + free_attr_list( attr_list ); + if (rc != LDAP_SUCCESS) { return NT_STATUS_UNSUCCESSFUL; } 
@@ -1230,43 +1517,32 @@ static NTSTATUS add_new_domain_info(struct ldapsam_privates *ldap_state) return NT_STATUS_UNSUCCESSFUL; } - /* Check if we need to update an existing entry */ - if (num_result == 1) { - char *tmp_dn; - - DEBUG(3,("Domain exists without samba properties: adding them\n")); - ldap_op = LDAP_MOD_REPLACE; - entry = ldap_first_entry (ldap_state->ldap_struct, result); - tmp_dn = ldap_get_dn (ldap_state->ldap_struct, entry); - asprintf (&dn, "%s", tmp_dn); - ldap_memfree (tmp_dn); - } else { - /* Check if we need to add an entry */ - DEBUG(3,("Adding new domain\n")); - ldap_op = LDAP_MOD_ADD; - asprintf (&dn, "domain=%s,%s", ldap_state->domain_name, lp_ldap_suffix ()); - } + /* Check if we need to add an entry */ + DEBUG(3,("Adding new domain\n")); + ldap_op = LDAP_MOD_ADD; + asprintf (&dn, "%s=%s,%s", get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), + ldap_state->domain_name, lp_ldap_suffix()); /* Free original search */ ldap_msgfree(result); - if (!dn) { + if (!dn) return NT_STATUS_NO_MEMORY; - } /* make the changes - the entry *must* not already have samba attributes */ - make_a_mod(&mods, LDAP_MOD_ADD, "domain", ldap_state->domain_name); + make_a_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), + ldap_state->domain_name); sid_to_string(tmp, &ldap_state->domain_sid); - make_a_mod(&mods, LDAP_MOD_ADD, "ntSid", tmp); + make_a_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOM_SID), tmp); snprintf(tmp, sizeof(tmp)-1, "%i", next_allocated_user_rid); - make_a_mod(&mods, LDAP_MOD_ADD, "nextUserRid", tmp); + make_a_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_USERRID), tmp); snprintf(tmp, sizeof(tmp)-1, "%i", next_allocated_group_rid); - make_a_mod(&mods, LDAP_MOD_ADD, "nextGroupRid", tmp); + make_a_mod(&mods, LDAP_MOD_ADD, get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_GROUPRID), tmp); - make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", 
"sambaDomain"); + make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_DOMINFO); switch(ldap_op) { @@ -1308,14 +1584,14 @@ static NTSTATUS add_new_domain_info(struct ldapsam_privates *ldap_state) static BOOL sid_in_use(struct ldapsam_privates *ldap_state, const DOM_SID *sid, int *error) { - pstring filter; + fstring filter; fstring sid_string; LDAPMessage *result = NULL; int count; int rc; - const char *sid_attr[] = {"ntSid", NULL}; + char *sid_attr[] = {LDAP_ATTRIBUTE_SID, NULL}; - slprintf(filter, sizeof(filter)-1, "(ntSid=%s)", sid_to_string(sid_string, sid)); + slprintf(filter, sizeof(filter)-1, "(%s=%s)", LDAP_ATTRIBUTE_SID, sid_to_string(sid_string, sid)); rc = ldapsam_search_suffix(ldap_state, filter, sid_attr, &result); @@ -1363,12 +1639,14 @@ static NTSTATUS ldapsam_next_rid(struct ldapsam_privates *ldap_state, uint32 *ri uint32 next_rid; int attempts = 0; - if (!ldap_state->use_ntsid) { - DEBUG(0, ("Allocated RIDs require 'ldap use ntSid' to be set in smb.conf\n")); + if ( ldap_state->schema_ver != SCHEMAVER_SAMBASAMACCOUNT ) { + DEBUG(0, ("Allocated RIDs require the %s objectclass used by 'ldapsam'\n", + LDAP_OBJ_SAMBASAMACCOUNT)); return NT_STATUS_UNSUCCESSFUL; } - while (attempts < 10) { + while (attempts < 10) + { char *ld_error; if (ldapsam_search_domain_info(ldap_state, &result)) { return ret; @@ -1445,7 +1723,9 @@ static NTSTATUS ldapsam_next_rid(struct ldapsam_privates *ldap_state, uint32 *ri /* Try to make the modification atomically by enforcing the old value in the delete mod. */ - make_ldap_mod(ldap_state->ldap_struct, entry, &mods, "nextUserRid", next_rid_string); + make_ldap_mod(ldap_state->ldap_struct, entry, &mods, + get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_USERRID), + next_rid_string); break; case GROUP_RID_TYPE: 
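Review bot: The `asprintf (&dn, "%s=%s,%s", ...)` call in add_new_domain_info ignores its return value, so the `if (!dn)` test a few lines later is the only failure check; with glibc the pointer's contents are undefined after a failed asprintf, so that NULL check is not guaranteed to fire. Test the result directly, `if (asprintf (&dn, "%s=%s,%s", get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOMAIN), ldap_state->domain_name, lp_ldap_suffix()) < 0) dn = NULL;`, so the existing `if (!dn) return NT_STATUS_NO_MEMORY;` after ldap_msgfree(result) handles the failure. With the num_result == 1 branch removed, ldap_op can only ever be LDAP_MOD_ADD here, so the `switch(ldap_op)` that follows appears to carry dead cases; the function continues outside the hunk.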
@@ -1455,7 +1735,9 @@ static NTSTATUS ldapsam_next_rid(struct ldapsam_privates *ldap_state, uint32 *ri /* Try to make the modification atomically by enforcing the old value in the delete mod. */ - make_ldap_mod(ldap_state->ldap_struct, entry, &mods, "nextGroupRid", next_rid_string); + make_ldap_mod(ldap_state->ldap_struct, entry, &mods, + get_attr_key2string(dominfo_attr_list, LDAP_ATTR_NEXT_GROUPRID), + next_rid_string); break; } @@ -1465,8 +1747,10 @@ static NTSTATUS ldapsam_next_rid(struct ldapsam_privates *ldap_state, uint32 *ri pstring domain_sid_string; int error = 0; - if (!get_single_attribute(ldap_state->ldap_struct, result, "ntSid", - domain_sid_string)) { + if (!get_single_attribute(ldap_state->ldap_struct, result, + get_attr_key2string(dominfo_attr_list, LDAP_ATTR_DOM_SID), + domain_sid_string)) + { ldap_mods_free(mods, 1); ldap_memfree(dn); ldap_msgfree(result); 
@@ -1547,29 +1831,36 @@ static BOOL get_unix_attributes (struct ldapsam_privates *ldap_state, } for (values=ldap_values;*values;values++) { - if (strcasecmp(*values, "posixAccount") == 0) { + if (strcasecmp(*values, LDAP_OBJ_POSIXACCOUNT ) == 0) { break; } } if (!*values) { /*end of array, no posixAccount */ - DEBUG(10, ("user does not have posixAcccount attributes\n")); + DEBUG(10, ("user does not have %s attributes\n", LDAP_OBJ_POSIXACCOUNT)); ldap_value_free(ldap_values); return False; } ldap_value_free(ldap_values); - if (!get_single_attribute(ldap_state->ldap_struct, entry, "homeDirectory", homedir)) + if ( !get_single_attribute(ldap_state->ldap_struct, entry, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_UNIX_HOME), homedir) ) + { return False; + } - if (!get_single_attribute(ldap_state->ldap_struct, entry, "gidNumber", temp)) + if ( !get_single_attribute(ldap_state->ldap_struct, entry, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_GIDNUMBER), temp) ) + { return False; + } *gid = (gid_t)atol(temp); pdb_set_unix_homedir(sampass, homedir, PDB_SET); - DEBUG(10, ("user has posixAcccount attributes\n")); + DEBUG(10, ("user has %s attributes\n", LDAP_OBJ_POSIXACCOUNT)); + return True; } 
@@ -1652,37 +1943,65 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, pdb_set_domain(sampass, domain, PDB_DEFAULT); pdb_set_nt_username(sampass, nt_username, PDB_SET); - if (ldap_state->use_ntsid) { - if (get_single_attribute(ldap_state->ldap_struct, entry, "ntSid", temp)) { + /* deal with different attributes between the schema first */ + + if ( ldap_state->schema_ver == SCHEMAVER_SAMBASAMACCOUNT ) + { + if (get_single_attribute(ldap_state->ldap_struct, entry, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID), temp)) + { pdb_set_user_sid_from_string(sampass, temp, PDB_SET); } - } else { - if (get_single_attribute(ldap_state->ldap_struct, entry, "rid", temp)) { + + if (!get_single_attribute(ldap_state->ldap_struct, entry, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_SID), temp)) + { + pdb_set_group_sid_from_string(sampass, temp, PDB_SET); + } + else + { + pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT); + } + + + } + else + { + if (get_single_attribute(ldap_state->ldap_struct, entry, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID), temp)) + { user_rid = (uint32)atol(temp); pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET); } + + if (!get_single_attribute(ldap_state->ldap_struct, entry, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_RID), temp)) + { + pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT); + } else { + uint32 group_rid; + group_rid = (uint32)atol(temp); + pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET); + } } if (pdb_get_init_flags(sampass,PDB_USERSID) == PDB_DEFAULT) { - DEBUG(1, ("no rid or ntSid attribute found for this user %s\n", username)); + DEBUG(1, ("no %s or %s attribute found for this user %s\n", + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID), + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID), + username)); return False; } 
- if (!get_single_attribute(ldap_state->ldap_struct, entry, "primaryGroupID", temp)) { - pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT); - } else { - uint32 group_rid; - group_rid = (uint32)atol(temp); - pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET); - } /* * If so configured, try and get the values from LDAP */ - if (!lp_ldap_trust_ids() && (get_unix_attributes(ldap_state, sampass, entry, &gid))) { - - if (pdb_get_init_flags(sampass,PDB_GROUPSID) == PDB_DEFAULT) { + if (!lp_ldap_trust_ids() && (get_unix_attributes(ldap_state, sampass, entry, &gid))) + { + if (pdb_get_init_flags(sampass,PDB_GROUPSID) == PDB_DEFAULT) + { GROUP_MAP map; /* call the mapping code here */ if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) { 
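Review bot: The condition on the LDAP_ATTR_PRIMARY_GROUP_SID lookup in the SCHEMAVER_SAMBASAMACCOUNT branch of init_sam_from_ldap is inverted: `if (!get_single_attribute(...))` calls `pdb_set_group_sid_from_string(sampass, temp, PDB_SET)` when the attribute is absent — parsing whatever temp last held, typically the user SID read just above — and falls back to DOMAIN_GROUP_RID_USERS when the attribute is present, so the primary group SID stored in the directory is never honoured and anything keyed on the primary group sees the wrong value. The sibling SCHEMAVER_SAMBAACCOUNT branch has the two cases the right way round. Drop the negation, `if (get_single_attribute(ldap_state->ldap_struct, entry, get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_SID), temp))`, keeping the set-from-string body and moving the PDB_DEFAULT fallback into the else. init_sam_from_ldap continues outside this hunk.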
@@ -1694,42 +2013,54 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, } } - if (!get_single_attribute(ldap_state->ldap_struct, entry, "pwdLastSet", temp)) { + if (!get_single_attribute(ldap_state->ldap_struct, entry, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET), temp)) + { /* leave as default */ } else { pass_last_set_time = (time_t) atol(temp); pdb_set_pass_last_set_time(sampass, pass_last_set_time, PDB_SET); } - if (!get_single_attribute(ldap_state->ldap_struct, entry, "logonTime", temp)) { + if (!get_single_attribute(ldap_state->ldap_struct, entry, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp)) + { /* leave as default */ } else { logon_time = (time_t) atol(temp); pdb_set_logon_time(sampass, logon_time, PDB_SET); } - if (!get_single_attribute(ldap_state->ldap_struct, entry, "logoffTime", temp)) { + if (!get_single_attribute(ldap_state->ldap_struct, entry, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp)) + { /* leave as default */ } else { logoff_time = (time_t) atol(temp); pdb_set_logoff_time(sampass, logoff_time, PDB_SET); } - if (!get_single_attribute(ldap_state->ldap_struct, entry, "kickoffTime", temp)) { + if (!get_single_attribute(ldap_state->ldap_struct, entry, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp)) + { /* leave as default */ } else { kickoff_time = (time_t) atol(temp); pdb_set_kickoff_time(sampass, kickoff_time, PDB_SET); } - if (!get_single_attribute(ldap_state->ldap_struct, entry, "pwdCanChange", temp)) { + if (!get_single_attribute(ldap_state->ldap_struct, entry, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp)) + { /* leave as default */ } else { pass_can_change_time = (time_t) atol(temp); pdb_set_pass_can_change_time(sampass, pass_can_change_time, PDB_SET); } - if (!get_single_attribute(ldap_state->ldap_struct, entry, "pwdMustChange", temp)) { + if 
(!get_single_attribute(ldap_state->ldap_struct, entry, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp)) + { /* leave as default */ } else { pass_must_change_time = (time_t) atol(temp); @@ -1743,9 +2074,11 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, */ if (!get_single_attribute(ldap_state->ldap_struct, entry, - "displayName", fullname)) { + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME), fullname)) + { if (!get_single_attribute(ldap_state->ldap_struct, entry, - "cn", fullname)) { + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_CN), fullname)) + { /* leave as default */ } else { pdb_set_fullname(sampass, fullname, PDB_SET); @@ -1754,7 +2087,9 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, pdb_set_fullname(sampass, fullname, PDB_SET); } - if (!get_single_attribute(ldap_state->ldap_struct, entry, "homeDrive", dir_drive)) { + if (!get_single_attribute(ldap_state->ldap_struct, entry, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE), dir_drive)) + { pdb_set_dir_drive(sampass, talloc_sub_specified(sampass->mem_ctx, lp_logon_drive(), username, domain, @@ -1764,7 +2099,9 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, pdb_set_dir_drive(sampass, dir_drive, PDB_SET); } - if (!get_single_attribute(ldap_state->ldap_struct, entry, "smbHome", homedir)) { + if (!get_single_attribute(ldap_state->ldap_struct, entry, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH), homedir)) + { pdb_set_homedir(sampass, talloc_sub_specified(sampass->mem_ctx, lp_logon_home(), username, domain, 
@@ -1774,7 +2111,9 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, pdb_set_homedir(sampass, homedir, PDB_SET); } - if (!get_single_attribute(ldap_state->ldap_struct, entry, "scriptPath", logon_script)) { + if (!get_single_attribute(ldap_state->ldap_struct, entry, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT), logon_script)) + { pdb_set_logon_script(sampass, talloc_sub_specified(sampass->mem_ctx, lp_logon_script(), username, domain, @@ -1784,7 +2123,9 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, pdb_set_logon_script(sampass, logon_script, PDB_SET); } - if (!get_single_attribute(ldap_state->ldap_struct, entry, "profilePath", profile_path)) { + if (!get_single_attribute(ldap_state->ldap_struct, entry, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH), profile_path)) + { pdb_set_profile_path(sampass, talloc_sub_specified(sampass->mem_ctx, lp_logon_path(), username, domain, @@ -1794,13 +2135,17 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, pdb_set_profile_path(sampass, profile_path, PDB_SET); } - if (!get_single_attribute(ldap_state->ldap_struct, entry, "description", acct_desc)) { + if (!get_single_attribute(ldap_state->ldap_struct, entry, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC), acct_desc)) + { /* leave as default */ } else { pdb_set_acct_desc(sampass, acct_desc, PDB_SET); } - if (!get_single_attribute(ldap_state->ldap_struct, entry, "userWorkstations", workstations)) { + if (!get_single_attribute(ldap_state->ldap_struct, entry, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS), workstations)) + { /* leave as default */; } else { pdb_set_workstations(sampass, workstations, PDB_SET); 
@@ -1812,7 +2157,9 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, hours_len = 21; memset(hours, 0xff, hours_len); - if (!get_single_attribute (ldap_state->ldap_struct, entry, "lmPassword", temp)) { + if (!get_single_attribute (ldap_state->ldap_struct, entry, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW), temp)) + { /* leave as default */ } else { pdb_gethexpwd(temp, smblmpwd); @@ -1822,7 +2169,9 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, ZERO_STRUCT(smblmpwd); } - if (!get_single_attribute (ldap_state->ldap_struct, entry, "ntPassword", temp)) { + if (!get_single_attribute (ldap_state->ldap_struct, entry, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW), temp)) + { /* leave as default */ } else { pdb_gethexpwd(temp, smbntpwd); @@ -1832,7 +2181,9 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, ZERO_STRUCT(smbntpwd); } - if (!get_single_attribute (ldap_state->ldap_struct, entry, "acctFlags", temp)) { + if (!get_single_attribute (ldap_state->ldap_struct, entry, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO), temp)) + { acct_ctrl |= ACB_NORMAL; } else { acct_ctrl = pdb_decode_acct_ctrl(temp); @@ -1905,7 +2256,8 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state, } /* now that we have figured out the RID, always store it, as - the schema requires it */ + the schema requires it (either as a SID or a RID) */ + if (!pdb_set_user_sid_from_rid(sampass, rid, PDB_CHANGED)) { DEBUG(0, ("Could not store RID back onto SAM_ACCOUNT for user %s!\n", pdb_get_username(sampass))); 
@@ -1915,37 +2267,69 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state, } /* only update the RID if we actually need to */ - if (need_update(sampass, PDB_USERSID)) { + if (need_update(sampass, PDB_USERSID)) + { fstring sid_string; fstring dom_sid_string; const DOM_SID *user_sid; user_sid = pdb_get_user_sid(sampass); - if (ldap_state->use_ntsid) { - make_ldap_mod(ldap_state->ldap_struct, existing, mods, - "ntSid", sid_to_string(sid_string, user_sid)); - } else { - if (!sid_peek_check_rid(get_global_sam_sid(), user_sid, &rid)) { - DEBUG(1, ("User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n", sid_to_string(sid_string, user_sid), sid_to_string(dom_sid_string, get_global_sam_sid()))); - return False; - } - slprintf(temp, sizeof(temp) - 1, "%i", rid); - make_ldap_mod(ldap_state->ldap_struct, existing, mods, - "rid", temp); - } - + switch ( ldap_state->schema_ver ) + { + case SCHEMAVER_SAMBAACCOUNT: + if (!sid_peek_check_rid(get_global_sam_sid(), user_sid, &rid)) { + DEBUG(1, ("User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n", sid_to_string(sid_string, user_sid), sid_to_string(dom_sid_string, get_global_sam_sid()))); + return False; + } + slprintf(temp, sizeof(temp) - 1, "%i", rid); + make_ldap_mod(ldap_state->ldap_struct, existing, mods, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_RID), + temp); + break; + + case SCHEMAVER_SAMBASAMACCOUNT: + make_ldap_mod(ldap_state->ldap_struct, existing, mods, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_SID), + sid_to_string(sid_string, user_sid)); + break; + + default: + DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n")); + break; + } } /* we don't need to store the primary group RID - so leaving it 'free' to hang off the unix primary group makes life easier */ - if (need_update(sampass, PDB_GROUPSID)) { - rid = pdb_get_group_rid(sampass); - slprintf(temp, sizeof(temp) - 1, "%i", rid); - 
make_ldap_mod(ldap_state->ldap_struct, existing, mods, - "primaryGroupID", temp); + if (need_update(sampass, PDB_GROUPSID)) + { + switch ( ldap_state->schema_ver ) + { + case SCHEMAVER_SAMBAACCOUNT: + rid = pdb_get_group_rid(sampass); + slprintf(temp, sizeof(temp) - 1, "%i", rid); + make_ldap_mod(ldap_state->ldap_struct, existing, mods, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_RID), + temp); + break; + + case SCHEMAVER_SAMBASAMACCOUNT: + rid = pdb_get_group_rid(sampass); + slprintf(temp, sizeof(temp) - 1, "%s-%i", + sid_string_static(get_global_sam_sid()), rid); + make_ldap_mod(ldap_state->ldap_struct, existing, mods, + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PRIMARY_GROUP_SID), + temp); + break; + + default: + DEBUG(0,("init_ldap_from_sam: unknown schema version specified\n")); + break; + } + } - + /* displayName, cn, and gecos should all be the same * most easily accomplished by giving them the same OID * gecos isn't set here b/c it should be handled by the 
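Review bot: In the SCHEMAVER_SAMBASAMACCOUNT branch of the PDB_GROUPSID update in init_ldap_from_sam, the value written is rebuilt as `sid_string_static(get_global_sam_sid())` joined with `pdb_get_group_rid(sampass)` by "%s-%i", so a primary group SID that does not sit under the local domain SID is silently rewritten into a local one before it reaches the directory — the opposite of what the user-SID branch above does with `sid_to_string(sid_string, user_sid)`. If an accessor pdb_get_group_sid() exists alongside pdb_get_user_sid(), writing `sid_to_string(temp, pdb_get_group_sid(sampass))` stores exactly what the SAM_ACCOUNT holds. The default branch only logs and continues, so an unknown schema_ver returns success from this function without either group attribute being written; the function continues outside the hunk.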
@@ -1956,97 +2340,97 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state, if (need_update(sampass, PDB_FULLNAME)) make_ldap_mod(ldap_state->ldap_struct, existing, mods, - "displayName", pdb_get_fullname(sampass)); + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DISPLAY_NAME), + pdb_get_fullname(sampass)); if (need_update(sampass, PDB_ACCTDESC)) make_ldap_mod(ldap_state->ldap_struct, existing, mods, - "description", pdb_get_acct_desc(sampass)); + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_DESC), + pdb_get_acct_desc(sampass)); if (need_update(sampass, PDB_WORKSTATIONS)) make_ldap_mod(ldap_state->ldap_struct, existing, mods, - "userWorkstations", pdb_get_workstations(sampass)); + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_USER_WKS), + pdb_get_workstations(sampass)); if (need_update(sampass, PDB_SMBHOME)) make_ldap_mod(ldap_state->ldap_struct, existing, mods, - "smbHome", pdb_get_homedir(sampass)); + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_PATH), + pdb_get_homedir(sampass)); if (need_update(sampass, PDB_DRIVE)) make_ldap_mod(ldap_state->ldap_struct, existing, mods, - "homeDrive", pdb_get_dir_drive(sampass)); + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_HOME_DRIVE), + pdb_get_dir_drive(sampass)); if (need_update(sampass, PDB_LOGONSCRIPT)) make_ldap_mod(ldap_state->ldap_struct, existing, mods, - "scriptPath", pdb_get_logon_script(sampass)); + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_SCRIPT), + pdb_get_logon_script(sampass)); if (need_update(sampass, PDB_PROFILE)) make_ldap_mod(ldap_state->ldap_struct, existing, mods, - "profilePath", pdb_get_profile_path(sampass)); + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PROFILE_PATH), + pdb_get_profile_path(sampass)); slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logon_time(sampass)); - if (need_update(sampass, PDB_LOGONTIME)) make_ldap_mod(ldap_state->ldap_struct, existing, mods, - "logonTime", 
temp); + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGON_TIME), temp); slprintf(temp, sizeof(temp) - 1, "%li", pdb_get_logoff_time(sampass)); - if (need_update(sampass, PDB_LOGOFFTIME)) make_ldap_mod(ldap_state->ldap_struct, existing, mods, - "logoffTime", temp); - - slprintf (temp, sizeof (temp) - 1, "%li", - pdb_get_kickoff_time(sampass)); + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LOGOFF_TIME), temp); + slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_kickoff_time(sampass)); if (need_update(sampass, PDB_KICKOFFTIME)) make_ldap_mod(ldap_state->ldap_struct, existing, mods, - "kickoffTime", temp); - - slprintf (temp, sizeof (temp) - 1, "%li", - pdb_get_pass_can_change_time(sampass)); + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_KICKOFF_TIME), temp); + slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_can_change_time(sampass)); if (need_update(sampass, PDB_CANCHANGETIME)) make_ldap_mod(ldap_state->ldap_struct, existing, mods, - "pwdCanChange", temp); - - slprintf (temp, sizeof (temp) - 1, "%li", - pdb_get_pass_must_change_time(sampass)); + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_CAN_CHANGE), temp); + slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_must_change_time(sampass)); if (need_update(sampass, PDB_MUSTCHANGETIME)) make_ldap_mod(ldap_state->ldap_struct, existing, mods, - "pwdMustChange", temp); + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_MUST_CHANGE), temp); - if ((pdb_get_acct_ctrl(sampass)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))|| - (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY)) { + if ((pdb_get_acct_ctrl(sampass)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) + || (lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_ONLY)) + { - pdb_sethexpwd (temp, pdb_get_lanman_passwd(sampass), + pdb_sethexpwd(temp, pdb_get_lanman_passwd(sampass), pdb_get_acct_ctrl(sampass)); if (need_update(sampass, PDB_LMPASSWD)) make_ldap_mod(ldap_state->ldap_struct, existing, mods, - "lmPassword", 
temp); + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_LMPW), + temp); pdb_sethexpwd (temp, pdb_get_nt_passwd(sampass), pdb_get_acct_ctrl(sampass)); if (need_update(sampass, PDB_NTPASSWD)) make_ldap_mod(ldap_state->ldap_struct, existing, mods, - "ntPassword", temp); - - slprintf (temp, sizeof (temp) - 1, "%li", - pdb_get_pass_last_set_time(sampass)); + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_NTPW), + temp); + slprintf (temp, sizeof (temp) - 1, "%li", pdb_get_pass_last_set_time(sampass)); if (need_update(sampass, PDB_PASSLASTSET)) make_ldap_mod(ldap_state->ldap_struct, existing, mods, - "pwdLastSet", temp); + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_PWD_LAST_SET), + temp); } /* FIXME: Hours stuff goes in LDAP */ if (need_update(sampass, PDB_ACCTCTRL)) make_ldap_mod(ldap_state->ldap_struct, existing, mods, - "acctFlags", - pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass), - NEW_PW_FORMAT_SPACE_PADDED_LEN)); + get_userattr_key2string(ldap_state->schema_ver, LDAP_ATTR_ACB_INFO), + pdb_encode_acct_ctrl (pdb_get_acct_ctrl(sampass), NEW_PW_FORMAT_SPACE_PADDED_LEN)); return True; } @@ -2061,13 +2445,15 @@ static NTSTATUS ldapsam_setsampwent(struct pdb_methods *my_methods, BOOL update) struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data; int rc; pstring filter; + char **attr_list; - pstrcpy(filter, lp_ldap_filter()); + snprintf( filter, sizeof(filter)-1, "(&%s%s)", lp_ldap_filter(), + get_objclass_filter(ldap_state->schema_ver)); all_string_sub(filter, "%u", "*", sizeof(pstring)); - rc = ldapsam_search_suffix(ldap_state, - filter, attr, - &ldap_state->result); + attr_list = get_userattr_list(ldap_state->schema_ver); + rc = ldapsam_search_suffix(ldap_state, filter, attr_list, &ldap_state->result); + free_attr_list( attr_list ); if (rc != LDAP_SUCCESS) { DEBUG(0, ("LDAP search failed: %s\n", ldap_err2string(rc))); 
@@ -2137,16 +2523,21 @@ static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *my_methods, SAM_ACCOUNT LDAPMessage *result; LDAPMessage *entry; int count; + char ** attr_list; + int rc; - if (ldapsam_search_suffix_by_name(ldap_state, sname, &result) != LDAP_SUCCESS) { + attr_list = get_userattr_list( ldap_state->schema_ver ); + rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list); + free_attr_list( attr_list ); + + if ( rc != LDAP_SUCCESS ) return NT_STATUS_NO_SUCH_USER; - } count = ldap_count_entries(ldap_state->ldap_struct, result); if (count < 1) { DEBUG(4, - ("We don't find this user [%s] count=%d\n", sname, + ("Unable to locate user [%s] count=%d\n", sname, count)); return NT_STATUS_NO_SUCH_USER; } else if (count > 1) { 
@@ -2177,36 +2568,53 @@ Get SAM_ACCOUNT entry from LDAP by SID static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, const DOM_SID *sid) { NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; - struct ldapsam_privates *ldap_state = - (struct ldapsam_privates *)my_methods->private_data; + struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data; LDAPMessage *result; LDAPMessage *entry; fstring sid_string; int count; + int rc; + char ** attr_list; - if (ldap_state->use_ntsid) { - if (ldapsam_search_suffix_by_sid(ldap_state, sid, &result) != LDAP_SUCCESS) { - return NT_STATUS_NO_SUCH_USER; - } - } else { - uint32 rid; - if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) { - return NT_STATUS_NO_SUCH_USER; - } + switch ( ldap_state->schema_ver ) + { + case SCHEMAVER_SAMBASAMACCOUNT: + attr_list = get_userattr_list(ldap_state->schema_ver); + rc = ldapsam_search_suffix_by_sid(ldap_state, sid, &result, attr_list); + free_attr_list( attr_list ); + + if ( rc != LDAP_SUCCESS ) + return NT_STATUS_NO_SUCH_USER; + break; + + case SCHEMAVER_SAMBAACCOUNT: + { + uint32 rid; + if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)) { + return NT_STATUS_NO_SUCH_USER; + } - if (ldapsam_search_suffix_by_rid(ldap_state, rid, &result) != LDAP_SUCCESS) { - return NT_STATUS_NO_SUCH_USER; + attr_list = get_userattr_list(ldap_state->schema_ver); + rc = ldapsam_search_suffix_by_rid(ldap_state, rid, &result, attr_list ); + free_attr_list( attr_list ); + + if ( rc != LDAP_SUCCESS ) + return NT_STATUS_NO_SUCH_USER; } + break; } count = ldap_count_entries(ldap_state->ldap_struct, result); - if (count < 1) { + if (count < 1) + { DEBUG(4, - ("We don't find this SID [%s] count=%d\n", sid_to_string(sid_string, sid), + ("Unable to locate SID [%s] count=%d\n", sid_to_string(sid_string, sid), count)); return NT_STATUS_NO_SUCH_USER; - } else if (count > 1) { + } + else if (count > 1) + { DEBUG(1, ("More than one user with SID [%s]. Failing. 
count=%d\n", sid_to_string(sid_string, sid), count)); @@ -2214,7 +2622,8 @@ static NTSTATUS ldapsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT } entry = ldap_first_entry(ldap_state->ldap_struct, result); - if (entry) { + if (entry) + { if (!init_sam_from_ldap(ldap_state, user, entry)) { DEBUG(1,("ldapsam_getsampwrid: init_sam_from_ldap failed!\n")); ldap_msgfree(result); @@ -2253,7 +2662,7 @@ static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods, switch(ldap_op) { case LDAP_MOD_ADD: - make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "account"); + make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_ACCOUNT); rc = ldapsam_add(ldap_state, dn, mods); break; case LDAP_MOD_REPLACE: @@ -2351,11 +2760,8 @@ static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods, SAM_A int rc; LDAPMessage *result; NTSTATUS ret; - const char *sam_user_attrs[] = - { "lmPassword", "ntPassword", "pwdLastSet", "logonTime", "logoffTime", - "kickoffTime", "pwdCanChange", "pwdMustChange", "acctFlags", - "displayName", "smbHome", "homeDrive", "scriptPath", "profilePath", - "userWorkstations", "primaryGroupID", "domain", "rid", "ntSid", NULL }; + char **attr_list; + fstring objclass; if (!sam_acct) { DEBUG(0, ("sam_acct was NULL!\n")); 
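Review bot: The new `switch ( ldap_state->schema_ver )` in ldapsam_getsampwsid has no default case, unlike the schema switches added elsewhere in this commit, so for any other schema_ver the function falls straight through to `count = ldap_count_entries(ldap_state->ldap_struct, result)` with `result` (declared without an initializer) and `rc` indeterminate. Add `default: DEBUG(0,("ldapsam_getsampwsid: unknown schema version specified\n")); return NT_STATUS_NO_SUCH_USER;` before the switch's closing brace; initializing `LDAPMessage *result = NULL;` as well turns any future slip into a detectable NULL rather than a wild read. ldapsam_getsampwsid's body continues outside the hunk.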
@@ -2366,14 +2772,33 @@ static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods, SAM_A DEBUG (3, ("Deleting user %s from LDAP.\n", sname)); - rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result); - if (rc != LDAP_SUCCESS) { + attr_list= get_userattr_list( ldap_state->schema_ver ); + rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list); + + if (rc != LDAP_SUCCESS) { + free_attr_list( attr_list ); return NT_STATUS_NO_SUCH_USER; } + + switch ( ldap_state->schema_ver ) + { + case SCHEMAVER_SAMBASAMACCOUNT: + fstrcpy( objclass, LDAP_OBJ_SAMBASAMACCOUNT ); + break; + + case SCHEMAVER_SAMBAACCOUNT: + fstrcpy( objclass, LDAP_OBJ_SAMBAACCOUNT ); + break; + default: + fstrcpy( objclass, "UNKNOWN" ); + DEBUG(0,("ldapsam_delete_sam_account: Unknown schema version specified!\n")); + break; + } - ret = ldapsam_delete_entry(ldap_state, result, "sambaAccount", - sam_user_attrs); + ret = ldapsam_delete_entry(ldap_state, result, objclass, attr_list ); ldap_msgfree(result); + free_attr_list( attr_list ); + return ret; } @@ -2399,11 +2824,13 @@ static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, SAM_A LDAPMessage *result; LDAPMessage *entry; LDAPMod **mods; + char **attr_list; - rc = ldapsam_search_suffix_by_name(ldap_state, pdb_get_username(newpwd), &result); - if (rc != LDAP_SUCCESS) { + attr_list = get_userattr_list(ldap_state->schema_ver); + rc = ldapsam_search_suffix_by_name(ldap_state, pdb_get_username(newpwd), &result, attr_list ); + free_attr_list( attr_list ); + if (rc != LDAP_SUCCESS) return NT_STATUS_UNSUCCESSFUL; - } if (ldap_count_entries(ldap_state->ldap_struct, result) == 0) { DEBUG(0, ("No user to modify!\n")); 
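Review bot: In the schema switch added to ldapsam_delete_sam_account, the default case sets objclass to "UNKNOWN", logs, and then continues into `ret = ldapsam_delete_entry(ldap_state, result, objclass, attr_list );`, so a misconfigured schema version still runs the destructive path against the entry found by name, with an objectclass that can never match and whatever get_userattr_list() returned for that version. Because this is a delete, the unknown case should bail out rather than proceed: replace the `fstrcpy( objclass, "UNKNOWN" );` with `ldap_msgfree(result); free_attr_list( attr_list ); return NT_STATUS_UNSUCCESSFUL;` after the DEBUG. The same log-and-continue default appears in ldapsam_add_sam_account's objectclass switch on the last physical line, where a mods list lacking any objectclass is then handed to ldapsam_modify_entry.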
@@ -2451,7 +2878,7 @@ static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, SAM_A /********************************************************************** Helper function to determine for update_sam_account whether we need LDAP modification. -*********************************************************************/ + *********************************************************************/ static BOOL element_is_set_or_changed(const SAM_ACCOUNT *sampass, enum pdb_elements element) { 
@@ -2462,43 +2889,60 @@ static BOOL element_is_set_or_changed(const SAM_ACCOUNT *sampass, /********************************************************************** Add SAM_ACCOUNT to LDAP *********************************************************************/ + static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCOUNT * newpwd) { NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data; int rc; - pstring filter; - LDAPMessage *result = NULL; - LDAPMessage *entry = NULL; - pstring dn; - LDAPMod **mods = NULL; + LDAPMessage *result = NULL; + LDAPMessage *entry = NULL; + pstring dn; + LDAPMod **mods = NULL; int ldap_op; uint32 num_result; - - const char *username = pdb_get_username(newpwd); + char **attr_list; + char *escape_user; + const char *username = pdb_get_username(newpwd); + pstring filter; + if (!username || !*username) { DEBUG(0, ("Cannot add user without a username!\n")); return NT_STATUS_INVALID_PARAMETER; } - rc = ldapsam_search_suffix_by_name (ldap_state, username, &result); + /* free this list after the second search or in case we exit on failure */ + + attr_list = get_userattr_list(ldap_state->schema_ver); + rc = ldapsam_search_suffix_by_name (ldap_state, username, &result, attr_list); + if (rc != LDAP_SUCCESS) { + free_attr_list( attr_list ); return NT_STATUS_UNSUCCESSFUL; } if (ldap_count_entries(ldap_state->ldap_struct, result) != 0) { - DEBUG(0,("User '%s' already in the base, with samba properties\n", + DEBUG(0,("User '%s' already in the base, with samba attributes\n", username)); ldap_msgfree(result); + free_attr_list( attr_list ); return NT_STATUS_UNSUCCESSFUL; } ldap_msgfree(result); - slprintf (filter, sizeof (filter) - 1, "uid=%s", username); - rc = ldapsam_search_suffix(ldap_state, filter, attr, &result); - if (rc != LDAP_SUCCESS) { + /* does the entry already exist but without a samba rttibutes? 
+ we don't really care what attributes are returned here */ + + escape_user = escape_ldap_string_alloc( username ); + pstrcpy( filter, lp_ldap_filter() ); + all_string_sub( filter, "%u", escape_user, sizeof(filter) ); + SAFE_FREE( escape_user ); + + rc = ldapsam_search_suffix(ldap_state, filter, attr_list, &result); + free_attr_list( attr_list ); + + if ( rc != LDAP_SUCCESS ) return NT_STATUS_UNSUCCESSFUL; - } num_result = ldap_count_entries(ldap_state->ldap_struct, result); @@ -2512,7 +2956,7 @@ static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCO if (num_result == 1) { char *tmp; - DEBUG(3,("User exists without samba properties: adding them\n")); + DEBUG(3,("User exists without samba attributes: adding them\n")); ldap_op = LDAP_MOD_REPLACE; entry = ldap_first_entry (ldap_state->ldap_struct, result); tmp = ldap_get_dn (ldap_state->ldap_struct, entry); @@ -2542,8 +2986,18 @@ static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCO DEBUG(0,("mods is empty: nothing to add for user: %s\n",pdb_get_username(newpwd))); return NT_STATUS_UNSUCCESSFUL; } - - make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "sambaAccount"); + switch ( ldap_state->schema_ver ) + { + case SCHEMAVER_SAMBAACCOUNT: + make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBAACCOUNT); + break; + case SCHEMAVER_SAMBASAMACCOUNT: + make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", LDAP_OBJ_SAMBASAMACCOUNT); + break; + default: + DEBUG(0,("ldapsam_add_sam_account: invalid schema version specified\n")); + break; + } ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, element_is_set_or_changed); if (NT_STATUS_IS_ERR(ret)) { 
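Review bot: `escape_user = escape_ldap_string_alloc( username );` is used as the replacement text in `all_string_sub` without a NULL check, and the helper presumably returns NULL when its allocation fails, so an out-of-memory condition would feed a NULL into the substitution rather than failing cleanly; add `if (!escape_user) { free_attr_list( attr_list ); return NT_STATUS_NO_MEMORY; }` right after the call. Building the filter from `lp_ldap_filter()` with the escaped name, instead of the removed `"uid=%s"` with the raw username, is the right move, since the username no longer reaches the filter unescaped. The comment above it reads `rttibutes` where `attributes` is meant, and the trailing `/* … */` line of that comment is split across two hunk lines here. The remainder of ldapsam_add_sam_account lies in the following hunks.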
@@ -2553,11 +3007,16 @@ static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCO return ret; } - DEBUG(2,("added: uid = %s in the LDAP database\n", pdb_get_username(newpwd))); + DEBUG(2,("added: uid == %s in the LDAP database\n", pdb_get_username(newpwd))); ldap_mods_free(mods, 1); + return NT_STATUS_OK; } +/********************************************************************** + Housekeeping + *********************************************************************/ + static void free_private_data(void **vp) { struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp; @@ -2578,22 +3037,24 @@ static void free_private_data(void **vp) /* No need to free any further, as it is talloc()ed */ } -static const char *group_attr[] = {"cn", "ntSid", "ntGroupType", - "gidNumber", - "displayName", "description", - NULL }; - +/********************************************************************** + *********************************************************************/ + static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state, const char *filter, LDAPMessage ** result) { int scope = LDAP_SCOPE_SUBTREE; int rc; + char **attr_list; DEBUG(2, ("ldapsam_search_one_group: searching for:[%s]\n", filter)); + + attr_list = get_attr_list(groupmap_attr_list); rc = ldapsam_search(ldap_state, lp_ldap_suffix (), scope, - filter, group_attr, 0, result); + filter, attr_list, 0, result); + free_attr_list( attr_list ); if (rc != LDAP_SUCCESS) { char *ld_error = NULL; @@ -2610,6 +3071,9 @@ static int ldapsam_search_one_group (struct ldapsam_privates *ldap_state, return rc; } +/********************************************************************** + *********************************************************************/ + static BOOL init_group_from_ldap(struct ldapsam_privates *ldap_state, GROUP_MAP *map, LDAPMessage *entry) { 
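Review bot: The banner comments added before ldapsam_search_one_group and init_group_from_ldap are empty frames that document nothing; give each a one-line purpose, e.g. `Run a subtree search under lp_ldap_suffix() for one group-mapping entry matching filter` for the former. The same empty banners are introduced in every later hunk of this file, from init_ldap_from_group through pdb_init_ldapsam, so one sentence per function there would turn the frames into real documentation. The `Housekeeping` banner before free_private_data would also be more useful if it named what is released (the ldapsam_privates hung off private_data).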
@@ -2676,6 +3140,9 @@ static BOOL init_group_from_ldap(struct ldapsam_privates *ldap_state, return True; } +/********************************************************************** + *********************************************************************/ + static BOOL init_ldap_from_group(LDAP *ldap_struct, LDAPMessage *existing, LDAPMod ***mods, @@ -2701,6 +3168,9 @@ static BOOL init_ldap_from_group(LDAP *ldap_struct, return True; } +/********************************************************************** + *********************************************************************/ + static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods, const char *filter, GROUP_MAP *map) @@ -2747,6 +3217,9 @@ static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods, return NT_STATUS_OK; } +/********************************************************************** + *********************************************************************/ + static NTSTATUS ldapsam_getgrsid(struct pdb_methods *methods, GROUP_MAP *map, DOM_SID sid, BOOL with_priv) { @@ -2759,6 +3232,9 @@ static NTSTATUS ldapsam_getgrsid(struct pdb_methods *methods, GROUP_MAP *map, return ldapsam_getgroup(methods, filter, map); } +/********************************************************************** + *********************************************************************/ + static NTSTATUS ldapsam_getgrgid(struct pdb_methods *methods, GROUP_MAP *map, gid_t gid, BOOL with_priv) { @@ -2771,6 +3247,9 @@ static NTSTATUS ldapsam_getgrgid(struct pdb_methods *methods, GROUP_MAP *map, return ldapsam_getgroup(methods, filter, map); } +/********************************************************************** + *********************************************************************/ + static NTSTATUS ldapsam_getgrnam(struct pdb_methods *methods, GROUP_MAP *map, char *name, BOOL with_priv) { 
@@ -2785,6 +3264,9 @@ static NTSTATUS ldapsam_getgrnam(struct pdb_methods *methods, GROUP_MAP *map, return ldapsam_getgroup(methods, filter, map); } +/********************************************************************** + *********************************************************************/ + static int ldapsam_search_one_group_by_gid(struct ldapsam_privates *ldap_state, gid_t gid, LDAPMessage **result) @@ -2797,6 +3279,9 @@ static int ldapsam_search_one_group_by_gid(struct ldapsam_privates *ldap_state, return ldapsam_search_one_group(ldap_state, filter, result); } +/********************************************************************** + *********************************************************************/ + static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods, GROUP_MAP *map) { @@ -2871,6 +3356,9 @@ static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods, return NT_STATUS_OK; } +/********************************************************************** + *********************************************************************/ + static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods, GROUP_MAP *map) { 
@@ -2928,22 +3416,23 @@ static NTSTATUS ldapsam_update_group_mapping_entry(struct pdb_methods *methods, return NT_STATUS_OK; } +/********************************************************************** + *********************************************************************/ + static NTSTATUS ldapsam_delete_group_mapping_entry(struct pdb_methods *methods, DOM_SID sid) { - struct ldapsam_privates *ldap_state = - (struct ldapsam_privates *)methods->private_data; + struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)methods->private_data; pstring sidstring, filter; LDAPMessage *result; int rc; NTSTATUS ret; + char **attr_list; - const char *sam_group_attrs[] = { "ntSid", "ntGroupType", - "description", "displayName", - NULL }; sid_to_string(sidstring, &sid); - snprintf(filter, sizeof(filter)-1, - "(&(objectClass=sambaGroupMapping)(ntSid=%s))", sidstring); + + snprintf(filter, sizeof(filter)-1, "(&(objectClass=%s)(%s=%s))", + LDAP_OBJ_GROUPMAP, LDAP_ATTRIBUTE_SID, sidstring); rc = ldapsam_search_one_group(ldap_state, filter, &result); 
@@ -2951,23 +3440,31 @@ static NTSTATUS ldapsam_delete_group_mapping_entry(struct pdb_methods *methods, return NT_STATUS_NO_SUCH_GROUP; } - ret = ldapsam_delete_entry(ldap_state, result, "sambaGroupMapping", - sam_group_attrs); + attr_list = get_attr_list( groupmap_attr_list ); + ret = ldapsam_delete_entry(ldap_state, result, LDAP_OBJ_GROUPMAP, attr_list); + free_attr_list ( attr_list ); + ldap_msgfree(result); + return ret; } -static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods, - BOOL update) +/********************************************************************** + *********************************************************************/ + +static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods, BOOL update) { - struct ldapsam_privates *ldap_state = - (struct ldapsam_privates *)my_methods->private_data; - const char *filter = "(objectClass=sambaGroupMapping)"; + struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data; + fstring filter; int rc; + char **attr_list; + snprintf( filter, sizeof(filter)-1, "(%s=*)", LDAP_OBJ_GROUPMAP ); + attr_list = get_attr_list( groupmap_attr_list ); rc = ldapsam_search(ldap_state, lp_ldap_suffix(), LDAP_SCOPE_SUBTREE, filter, - group_attr, 0, &ldap_state->result); + attr_list, 0, &ldap_state->result); + free_attr_list( attr_list ); if (rc != LDAP_SUCCESS) { DEBUG(0, ("LDAP search failed: %s\n", ldap_err2string(rc))); 
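Review bot: The enumeration filter in ldapsam_setsamgrent, `snprintf( filter, sizeof(filter)-1, "(%s=*)", LDAP_OBJ_GROUPMAP );`, is a presence test on an attribute named after the object class (presumably `(sambaGroupMapping=*)`, going by the removed literal), not an objectClass match, so it replaces the removed `"(objectClass=sambaGroupMapping)"` with a filter that should match no entries and leave group enumeration empty. It should read `snprintf( filter, sizeof(filter)-1, "(objectClass=%s)", LDAP_OBJ_GROUPMAP );`, consistent with the `"(&(objectClass=%s)(%s=%s))"` filter built in ldapsam_delete_group_mapping_entry in the previous hunk. The function's error handling continues past the end of this hunk.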
@@ -2981,18 +3478,23 @@ static NTSTATUS ldapsam_setsamgrent(struct pdb_methods *my_methods, ldap_count_entries(ldap_state->ldap_struct, ldap_state->result))); - ldap_state->entry = ldap_first_entry(ldap_state->ldap_struct, - ldap_state->result); + ldap_state->entry = ldap_first_entry(ldap_state->ldap_struct, ldap_state->result); ldap_state->index = 0; return NT_STATUS_OK; } +/********************************************************************** + *********************************************************************/ + static void ldapsam_endsamgrent(struct pdb_methods *my_methods) { ldapsam_endsampwent(my_methods); } +/********************************************************************** + *********************************************************************/ + static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods, GROUP_MAP *map) { @@ -3018,6 +3520,9 @@ static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods, return NT_STATUS_OK; } +/********************************************************************** + *********************************************************************/ + static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods, enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, int *num_entries, @@ -3068,7 +3573,11 @@ static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods, return NT_STATUS_OK; } -static NTSTATUS pdb_init_ldapsam_common(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location) +/********************************************************************** + *********************************************************************/ + +static NTSTATUS pdb_init_ldapsam_common(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, + const char *location) { NTSTATUS nt_status; struct ldapsam_privates *ldap_state; 
@@ -3118,8 +3627,6 @@ static NTSTATUS pdb_init_ldapsam_common(PDB_CONTEXT *pdb_context, PDB_METHODS ** sid_copy(&ldap_state->domain_sid, get_global_sam_sid()); - ldap_state->use_ntsid = True; - (*pdb_method)->private_data = ldap_state; (*pdb_method)->free_private_data = free_private_data; @@ -3127,6 +3634,9 @@ static NTSTATUS pdb_init_ldapsam_common(PDB_CONTEXT *pdb_context, PDB_METHODS ** return NT_STATUS_OK; } +/********************************************************************** + *********************************************************************/ + static NTSTATUS pdb_init_ldapsam_compat(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location) { NTSTATUS nt_status; @@ -3139,7 +3649,7 @@ static NTSTATUS pdb_init_ldapsam_compat(PDB_CONTEXT *pdb_context, PDB_METHODS ** (*pdb_method)->name = "ldapsam_compat"; ldap_state = (*pdb_method)->private_data; - ldap_state->use_ntsid = False; + ldap_state->schema_ver = SCHEMAVER_SAMBAACCOUNT; if (location) { ldap_state->uri = talloc_strdup(pdb_context->mem_ctx, location); @@ -3164,6 +3674,9 @@ static NTSTATUS pdb_init_ldapsam_compat(PDB_CONTEXT *pdb_context, PDB_METHODS ** return NT_STATUS_OK; } +/********************************************************************** + *********************************************************************/ + static NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_method, const char *location) { NTSTATUS nt_status; 
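Review bot: Removing `ldap_state->use_ntsid = True;` leaves pdb_init_ldapsam_common without a default for the field that replaces it: `schema_ver` is only assigned by the two callers (`SCHEMAVER_SAMBAACCOUNT` in pdb_init_ldapsam_compat, `SCHEMAVER_SAMBASAMACCOUNT` in pdb_init_ldapsam), and any other path through the common init would later hit the `Unknown schema version` default arms in ldapsam_delete_sam_account and ldapsam_add_sam_account. Consider setting the default where the removed line was: `ldap_state->schema_ver = SCHEMAVER_SAMBASAMACCOUNT;`. Whether the talloc'd state is zero-filled, and whether 0 is a valid value of that enum, is not visible in this hunk.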
@@ -3178,28 +3691,23 @@ static NTSTATUS pdb_init_ldapsam(PDB_CONTEXT *pdb_context, PDB_METHODS **pdb_met (*pdb_method)->name = "ldapsam"; ldap_state = (*pdb_method)->private_data; - - ldap_state->permit_non_unix_accounts = True; + ldap_state->schema_ver = SCHEMAVER_SAMBASAMACCOUNT; + ldap_state->permit_non_unix_accounts = False; - /* We know these uids can't turn up as algorithmic RIDs */ - if (!lp_idmap_uid(&low_idmap_uid, &high_idmap_uid)) { - DEBUG(0, ("cannot use ldapsam_nua without 'idmap uid' range in smb.conf!\n")); - return NT_STATUS_UNSUCCESSFUL; - } - - /* We know these gids can't turn up as algorithmic RIDs */ - if (!lp_idmap_gid(&low_idmap_gid, &high_idmap_gid)) { - DEBUG(0, ("cannot use ldapsam_nua without 'wibnind gid' range in smb.conf!\n")); - return NT_STATUS_UNSUCCESSFUL; - } - - ldap_state->low_allocated_user_rid=fallback_pdb_uid_to_user_rid(low_idmap_uid); + /* check for non-unix account ranges */ - ldap_state->high_allocated_user_rid=fallback_pdb_uid_to_user_rid(high_idmap_uid); + if (lp_idmap_uid(&low_idmap_uid, &high_idmap_uid) + && lp_idmap_gid(&low_idmap_gid, &high_idmap_gid)) + { + DEBUG(2, ("Enabling non-unix account ranges\n")); - ldap_state->low_allocated_group_rid=pdb_gid_to_group_rid(low_idmap_gid); + ldap_state->permit_non_unix_accounts = True; - ldap_state->high_allocated_group_rid=pdb_gid_to_group_rid(high_idmap_gid); + ldap_state->low_allocated_user_rid = fallback_pdb_uid_to_user_rid(low_idmap_uid); + ldap_state->high_allocated_user_rid = fallback_pdb_uid_to_user_rid(high_idmap_uid); + ldap_state->low_allocated_group_rid = pdb_gid_to_group_rid(low_idmap_gid); + ldap_state->high_allocated_group_rid = pdb_gid_to_group_rid(high_idmap_gid); + } return NT_STATUS_OK; } @@ -3215,3 +3723,5 @@ NTSTATUS pdb_ldap_init(void) return NT_STATUS_OK; } + + diff --git a/source/sam/idmap_tdb.c b/source/sam/idmap_tdb.c index ab86eaf4ebf..31c12241bf7 100644 --- a/source/sam/idmap_tdb.c +++ b/source/sam/idmap_tdb.c 
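Review bot: When `lp_idmap_uid` or `lp_idmap_gid` fails, the new code leaves `permit_non_unix_accounts` at False and returns NT_STATUS_OK without any message, whereas the removed code logged at level 0 and refused to start; a missing range is now invisible until foreign SIDs fail to map. Add an `else` branch to the new `if`: `else { DEBUG(1, ("No 'idmap uid'/'idmap gid' range in smb.conf; non-unix accounts disabled\n")); }`. The `low/high_allocated_*_rid` fields stay unassigned in that case, which is safe only if every reader checks `permit_non_unix_accounts` first — those readers are outside this hunk, so that is an assumption to confirm.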
@@ -316,8 +316,8 @@ static NTSTATUS db_idmap_init(void) /* Create high water marks for group and user id */ if (!lp_idmap_uid(&idmap_state.uid_low, &idmap_state.uid_high)) { - DEBUG(0, ("idmap uid range missing or invalid\n")); - DEBUGADD(0, ("idmap will be unable to map foreign SIDs\n")); + DEBUG(1, ("idmap uid range missing or invalid\n")); + DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n")); } else { if (tdb_fetch_int32(idmap_tdb, HWM_USER) == -1) { if (tdb_store_int32(idmap_tdb, HWM_USER, idmap_state.uid_low) == -1) { @@ -328,8 +328,8 @@ static NTSTATUS db_idmap_init(void) } if (!lp_idmap_gid(&idmap_state.gid_low, &idmap_state.gid_high)) { - DEBUG(0, ("idmap gid range missing or invalid\n")); - DEBUGADD(0, ("idmap will be unable to map foreign SIDs\n")); + DEBUG(1, ("idmap gid range missing or invalid\n")); + DEBUGADD(1, ("idmap will be unable to map foreign SIDs\n")); } else { if (tdb_fetch_int32(idmap_tdb, HWM_GROUP) == -1) { if (tdb_store_int32(idmap_tdb, HWM_GROUP, idmap_state.gid_low) == -1) { -- cgit From 5b6f22f7c986bc423246adeecc0d5a4bd5f307c6 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 14 May 2003 04:40:04 +0000 Subject: perl script to convert from sambaAccount to sambaSamAccount; requires Net::LDAP::LDIF --- examples/LDAP/convertSambaAccount | 105 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 105 insertions(+) create mode 100755 examples/LDAP/convertSambaAccount diff --git a/examples/LDAP/convertSambaAccount b/examples/LDAP/convertSambaAccount new file mode 100755 index 00000000000..9fccf6a8b2e --- /dev/null +++ b/examples/LDAP/convertSambaAccount 
@@ -0,0 +1,105 @@ +#!/usr/bin/perl -w +## +## Convert an LDIF file containing sambaAccount entries +## to the new sambaSamAccount objectclass +## +## Copyright Gerald (Jerry) Carter 2003 +## +## Usage: convertSambaAccount +## + + +use strict; +use Net::LDAP::LDIF; + +my ( $domain, $domsid ); +my ( $ldif, $ldif2 ); +my ( $entry, @objclasses, $obj ); +my ( $is_samba_account ); +my ( %attr_map, $key ); + +if ( $#ARGV != 2 ) { + print "Usage: convertSambaAccount domain_sid input_ldif output_ldif\n"; + exit 1; +} + +%attr_map = ( + lmPassword => 'sambaLMPassword', + ntPassword => 'sambaNTPassword', + pwdLastSet => 'sambaPwdLastSet', + pwdMustChange => 'sambaPwdMustChange', + pwdCanChange => 'sambaPwdCanChange', + homeDrive => 'sambaHomeDrive', + smbHome => 'sambaHomePath', + scriptPath => 'sambaLogonScript', + profilePath => 'sambaProfilePath', + kickoffTime => 'sambaKickoffTime', + logonTime => 'sambaLogonTime', + logoffTime => 'sambaLogoffTime', + userWorkstations => 'sambaUserWorkstations', + domain => 'sambaDomainName', + acctFlags => 'sambaAcctFlags', +); + +$domsid = $ARGV[0]; + +$ldif = Net::LDAP::LDIF->new ($ARGV[1], "r") + or die $!; +$ldif2 = Net::LDAP::LDIF->new ($ARGV[2], "w") + or die $!; + +while ( !$ldif->eof ) { + undef ( $entry ); + $entry = $ldif->read_entry(); + + ## skip entry if we find an error + if ( $ldif->error() ) { + print "Error msg: ",$ldif->error(),"\n"; + print "Error lines:\n",$ldif->error_lines(),"\n"; + next; + } + + ## + ## check to see if we have anything to do on this + ## entry. 
If not just write it out + ## + @objclasses = $entry->get_value( "objectClass" ); + undef ( $is_samba_account ); + foreach $obj ( @objclasses ) { + if ( "$obj" eq "sambaAccount" ) { + $is_samba_account = 1; + } + } + + if ( !defined ( $is_samba_account ) ) { + $ldif2->write_entry( $entry ); + next; + } + + ## + ## start editing the sambaAccount + ## + + $entry->delete( 'objectclass' => [ 'sambaAccount' ] ); + $entry->add( 'objectclass' => 'sambaSamAccount' ); + + $entry->add( 'sambaSID' => $domsid."-".$entry->get_value( "rid" ) ); + $entry->delete( 'rid' ); + + if ( $entry->get_value( "primaryGroupID" ) ) { + $entry->add( 'primaryGroupSID' => $domsid."-".$entry->get_value( "primaryGroupID" ) ); + $entry->delete( 'primaryGroupID' ); + } + + + foreach $key ( keys %attr_map ) { + if ( $entry->get_value($key) ) { + $entry->add( $attr_map{$key} => $entry->get_value($key) ); + $entry->delete( $key ); + } + } + + $ldif2->write_entry( $entry ); +} + + -- cgit From 15676b50e1b6d2f24d0207116c133bca4a2cbaf8 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 14 May 2003 04:41:19 +0000 Subject: ignore manpage.[refs|links] --- docs/manpages/.cvsignore | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 docs/manpages/.cvsignore diff --git a/docs/manpages/.cvsignore b/docs/manpages/.cvsignore new file mode 100644 index 00000000000..aa705081338 --- /dev/null +++ b/docs/manpages/.cvsignore @@ -0,0 +1,2 @@ +manpage.links +manpage.refs -- cgit
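Review bot: `if ( $entry->get_value($key) )` in the attribute-renaming loop is a truthiness test, so an attribute whose value is `0` (pwdLastSet, pwdCanChange, kickoffTime and the other time fields can legitimately be 0) is neither copied to its samba* name nor deleted, leaving the converted entry with the old attribute and no new one; the same applies to `if ( $entry->get_value( "primaryGroupID" ) )`. Test for definedness instead: `if ( defined $entry->get_value($key) )`. Separately, `get_value` in scalar context returns only the first value, so a multi-valued attribute such as userWorkstations loses values; passing the list form `$entry->add( $attr_map{$key} => [ $entry->get_value($key) ] )` preserves them. The `rid` lookup is unchecked too, so an entry without `rid` gets a truncated `sambaSID` of `$domsid."-"`; skip or report such entries rather than writing them. Since the output LDIF carries the LM/NT password hashes copied by this loop, set a restrictive umask before opening `$ARGV[2]`, e.g. `umask 077;` near the top of the script.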