summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2010-09-11nss-waf: use the right winbind pipe pathAndrew Tridgell1-0/+1
s4 uses a different location for the winbind pipe to s3
2010-09-11winbind-waf: the installed name is libnss_winbind.so.2Andrew Tridgell1-1/+1
the .2 is what libc adds to the name for this version of the nss API
2010-09-11s4:gensec Put the "NTLM" string for NTLMSSP's SASL name in a headerAndrew Bartlett2-1/+3
2010-09-11s4-param: removed the lp_ varients of the functionsAndrew Tridgell1-18/+9
these made debugging much harder. We should replace these with generated macros
2010-09-11s4-param: move back to auto-generation of loadparm prototypesAndrew Tridgell3-161/+7
2010-09-11s4-credentials: get all attributes in cli_credentials_set_secrets()Andrew Tridgell1-17/+1
This ensures we get whenChanged, which is needed by the s3 winbind code to ensure we don't repeatedly try to change the password
2010-09-11security.idl Clarify that this is not a network structureAndrew Bartlett1-0/+1
2010-09-11libcli/auth/schannel_state_tdb.c - fix includesMatthias Dieter Wallnöfer1-3/+1
Otherwise we get a "declared inside parameter list" warning.
2010-09-11lib/replace:wscript - additional attempt to fix the build on Tru64Matthias Dieter Wallnöfer1-1/+3
Obviously we really need both definitions ("socklen_t" has been found by "_XOPEN_SOURCE"=500). But now FIONREAD wasn't accessible.
2010-09-11libcli/security Use talloc_zero when making a struct security_tokenAndrew Bartlett2-7/+1
2010-09-11libcli/privileges Fix commentAndrew Bartlett1-1/+1
2010-09-11s4-privs Seperate rights and privilegesAndrew Bartlett6-82/+137
These are related, but slightly different concepts. The biggest difference is that rights are not enumerated as a system-wide list. This moves the rights to security.idl due to dependencies. Andrew Bartlett
2010-09-11s3-krb5 Fix Kerberos on FreeBSD with Samba4 DCsAndrew Bartlett1-3/+1
The idea of this patch is: Don't support a mix of different kerberos features. Either we should prepare a GSSAPI (8003) checksum and mark the request as such, or we should use the old behaviour (a normal kerberos checksum of 0 data). Sending the GSSAPI checksum data, but without marking it as GSSAPI broke Samba4, and seems well outside the expected behaviour, even if Windows accepts it. Andrew Bartlett
2010-09-11libcli/security Remove unused SE_NONE defineAndrew Bartlett1-1/+0
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11libcli/security Move 'private' privileges functions to another headerAndrew Bartlett4-24/+43
These functions work on the bitmap, and are only exposed because the source3/ privileges storage uses the bitmap in account_policy.tdb Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3-samr Explian better the use of two privileges in this callAndrew Bartlett1-0/+4
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11libcli/security Remove 'always true' return from se_priv_put_all_privilegesAndrew Bartlett3-6/+3
Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3-util_sid Tidy up global struct security_tokenAndrew Bartlett4-16/+8
This no longer needs to be global, and should be const. We now also init it with the C99 style initialisers. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s4-rpc_server Put all 'logon failure' messages at the same debug level 4Andrew Bartlett1-4/+6
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11libcli/auth Failure to find the cached session key for SCHANNEL isn't level 0Andrew Bartlett1-1/+1
This happens all the time, particularly now that we don't keep the db around after a reboot. Don't scare the admins with the level 0. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3-privs Add constAndrew Bartlett2-6/+6
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3-privs Remove extra pointer on privilege maskAndrew Bartlett1-4/+4
Now that this is a scalar, this isn't required. Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3-privileges: add handling of both old and new formats in databaseAndrew Tridgell1-28/+48
We update privileges on a per-record basis instead of all at once, as this maintains maximum compatibility is someone uses old tools with a new version of Samba. The also auto-detects the byte order of the old entries in the database, and copes with either native or reversed byte order. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-11s4-lsa: privilege IDs should use the enum, not an intAndrew Tridgell1-1/+1
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-11privileges: privilege luids are not all below 64Andrew Tridgell1-3/+0
the ones brought across from s3 have higher values Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-11libcli/security Make sec_privilege_from_index() return SEC_PRIV_INVALID on ↵Andrew Bartlett2-2/+2
failure This is clearer and more consistent than using a magic -1 return Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11libcli/security Remove unused declarations from privileges.hAndrew Bartlett1-51/+1
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3-privs Remove unused functionAndrew Bartlett2-31/+0
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3-privs Overhaul PRIVILEGE_SET handling, avoid dealing with the bitmapAndrew Bartlett3-106/+36
This avoids us dealing with the privilege bitmap in the LSA server, and overhauls much of the rest of the handling to be currnet with the modern world of talloc. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3-privs Hide the bitmap-based grant_privilege and revoke_privilegeAndrew Bartlett4-28/+44
The new wrappers avoid anything but the core privileges code dealing with the bitmap values directly. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3-privs Make privilege_enum_sids() take an LUID, not a bitmapAndrew Bartlett4-9/+12
This moves one more privileges call away from direct bitmap manipuation. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11libcli/security Expose sec_privilege_mask()Andrew Bartlett2-1/+6
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11libcli/security make sec_privilege_id() return SEC_PRIV_INVALID on failure.Andrew Bartlett4-8/+8
Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11libcli/security Remove unused functions and constants.Andrew Bartlett2-242/+14
All the callers to these functions have been removed or reworked. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3-privs Rework access_check_object() to take two privilegesAndrew Bartlett3-68/+60
This allows the privileges bitmap to be used only when setting privileges, and uses an the LUID constant for all 'does this user have this privilege' operations. The advantage is that we now only need one API to determine if a token has a privilege, and much less code needs to know what type is used for the underlying bitmap. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11libcli/security Rename all privilege bitmaps constantsAndrew Bartlett2-59/+59
The idea here to to make it very clear how they differ from the enumerated LUID values. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3-privs Rework privilege enumeration to also use new DB formatAndrew Bartlett1-5/+18
Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11libcli/security Remove luid_to_se_priv() and luid_to_privilege_name()Andrew Bartlett2-46/+13
These functions duplicate other functions in the merged code. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3-privs Directly manipulate the privileges bitmap.Andrew Bartlett3-14/+7
There is no longer any reason to go via the se_ functions to manipulate this bitmap. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11libcli/security Add an invalid LUID privilege valueAndrew Bartlett1-0/+1
This helps code that may not want to specify any privilege Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11libcli/security Improve dump of privileges: Just walk the tableAndrew Bartlett1-5/+4
This removes some logic recently added that was just too smart - it is easier to just walk the table and do a bit match here. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3-privs Convert from user_has_privileges() -> security_token_has_privilege()Andrew Bartlett9-47/+28
This new call is available in the merged privileges code, and takes an enum as the parameter, rather than a bitmask. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3-privs Remove a pointer from grant_privilege()Andrew Bartlett4-10/+10
Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3-privs Remove pointer indirection from se_priv_to_privilege_set()Andrew Bartlett3-5/+5
Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3-privs Call security_token_set_privilege() rather than manual assignmentAndrew Bartlett2-2/+3
This avoids as much direct modifiction of the bitmask as possible. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3-privs Remove a pointer indirection from revoke_privilege()Andrew Bartlett4-7/+7
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11libcli/security Don't export privs[] as a global variableAndrew Bartlett4-50/+31
Instead, provide access functions for the LSA and net sam callers for the information they need. They still only enumerate the first 8 privileges that have traditionally been exposed. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11s3-lsa Use sec_privilege_id() to lookup name to LUIDAndrew Bartlett1-9/+4
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11libcli/security Merge privilege lists from source3 and source4Andrew Bartlett1-169/+126
The LSA enumeration in source3 will not show the new privileges, but otherwise, they are now in common, and can be set by name. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11libcli/security Return number of entries in the old source3 listAndrew Bartlett2-4/+5
This ensures there isn't a behaviour change when the source3 list is combined with the longer source4 list. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>