Age | Commit message | Author | Files | Lines
2010-01-08 | s4-dsdb: implement refresh of RID Set pool for a local RID Manager | Andrew Tridgell | 1 | -44/+151
when we run out of RIDs in our RID Set pool then grab a new one from the RID Manager object
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-01-08 | s4-provision: don't hard wire the creation of the RID Set object | Andrew Tridgell | 4 | -29/+18
We now create it automatically in the samldb module when the first user is created. The creation of the dns user also had to move to the _modify.ldif as it now relies on the fSMO role being set up for the RID Manager
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-01-08 | s4-dsdb: implement creation of the RID Set object | Andrew Tridgell | 1 | -59/+289
when we are the RID Manager we can create our own RID Set object when the first user is created
2010-01-08 | s4-dsdb: use dsdb_next_callback() | Andrew Tridgell | 3 | -9/+11
We can't just use the caller's callback directly otherwise the ldb_module_done() is never called on the parent request, as the child request is passed to the callback.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-01-08 | s4-dsdb: added dsdb_next_callback() | Andrew Tridgell | 1 | -0/+12
This should be used when you create a sub request and just want the parent request's callback to be called when done.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-01-08 | s4-dsdb: added dsdb_module_constrainted_update_integer() | Andrew Tridgell | 1 | -0/+50
This provides a convenient way to update an integer attribute with a constrained delete/add
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-01-08 | s4-dsdb: added dsdb_module_reference_dn() | Andrew Tridgell | 1 | -0/+43
This adds a module callable version of samdb_reference_dn(), which finds a DN via a reference link
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-01-08 | s4-dsdb: added dsdb_module_add() | Andrew Tridgell | 1 | -0/+46
added an ldb add function for modules
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-01-08 | s4-provision: allow provision modifies to add records | Andrew Tridgell | 1 | -1/+4
we need to recognise a changetype of 'add'
2010-01-08 | s4-dsdb: move the RID allocation logic into ridalloc.c | Andrew Tridgell | 3 | -89/+148
This will end up having the RID Manager logic as well, so all the RID pool allocation logic is in one spot
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-01-08 | s4-samldb: use RID Set to allocate user/group RIDs | Andrew Tridgell | 1 | -559/+104
This is the first step towards DRS-friendly RID allocation. We now get the next rid from the RID Set object
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-01-08 | s4-provision: the DC object itself needs a fixed objectSID | Andrew Tridgell | 2 | -1/+3
We can't allocate an objectSID until we have rIDSetReferences, but that is in the DC object, so we have to force the objectSID of the DC
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-01-08 | s4-dsdb: added samdb_rid_set_dn() | Andrew Tridgell | 1 | -0/+18
This returns the DN of our RID Set object
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-01-08 | s4-provision: added an initial RID Set | Andrew Tridgell | 2 | -2/+12
We will allocate RIDs from this set
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-01-08 | s4-ldb: added nice ldif display of 64 bit ranges for RIDs | Andrew Tridgell | 2 | -0/+119
2010-01-08 | s4-dsdb: added samdb_reference_dn() | Andrew Tridgell | 1 | -0/+62
This returns a 'reference' DN, which is a link to a DN, from the specified object. It is then used by samdb_server_reference_dn() which returns the serverReference DN, and samdb_rid_manager_dn() which returns the rIDManagerReference DN.
2010-01-08 | linked_attributes: Fix missing dependency on util. | Jelmer Vernooij | 1 | -1/+1
2010-01-08 | testprogs: add support for "print" option in win32 spoolss torture test. | Günther Deschner | 6 | -4/+666
Guenther
2010-01-08 | testprogs: pass down architecture in spoolss test. | Günther Deschner | 1 | -28/+37
Guenther
2010-01-08 | testprogs: add win32 spoolss testsuite. | Günther Deschner | 11 | -0/+1277
Guenther
2010-01-07 | s4 torture: Add RAW-OPEN-NTCREATEDIR to test error checking for open directories as files | Tim Prouty | 1 | -0/+198
2010-01-07 | s3 torture: Prevent smbcli segfault when running smbtorture3 against an smbd with security=share | Tim Prouty | 1 | -0/+5
2010-01-07 | s3:auth: don't update the bad pw count if pw is among last 2 history entries | Michael Adam | 1 | -1/+73
This conforms to the behaviour of Windows 2003: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
This is supposed to fix Bug #4347.
Michael
2010-01-07 | s3:auth:check_sam_security: introduce a bool var to control pad_pw_count incrementation | Michael Adam | 1 | -1/+7
This is a preparatory patch for the last part in fixing bug #4347.
Michael
2010-01-07 | s3:passdb: store the plain nt passwords hashes in history, not salted md5 | Michael Adam | 1 | -5/+10
This is in order to be able to do challenge response with the history, so that this can be checked when an invalid password was entered: If the given password is wrong but in the history, then the bad password count should not be updated...
The "lucky" bit here is that the md5 hash and the nt hash (md4) both are 16 bytes long.
This is part of the fix for bug #4347.
Michael
2010-01-07 | s3:smbd:password_in_history: treat entry with 0 salt as 0 + plain nt hash | Michael Adam | 1 | -6/+24
This is to introduce a new format of the password history, maintaining backwards compatibility: The old format was 16 byte hash + 16 byte md5(salt + nt hash). The new format is 16 zero bytes and 16 bytes nt hash. This will allow us to respect the last X entries of the nt password history when deciding whether to increment the bad password count.
This is part of the fix for bug #4347.
Michael
2010-01-07 | s3: Remove some code that has become unnecessary | Volker Lendecke | 1 | -8/+0
The code I just removed was checked in with e5466fffc286a99f as a bug fix for https://bugzilla.samba.org/show_bug.cgi?id=3319. With the changes to is_visible_file made with 9e8b8f8c16612 these lines have become unnecessary, even with "hide unreadable = yes" dead msdfs symlinks show. This is because we can not stat(2) them and default to showing them.
Why this change? I have a user who wants to use "hide unreadable" on msdfs links. Because you can't edit acls on symlinks themselves, the user created the targets as bogus, empty files that just exist as acl placeholders. With the code in place that this patch removes, we never allow this to work.
Jeremy, please check! :-)
Thanks,
Volker
2010-01-07 | s3-docs: fix eventlogadm manpage typo. | Günther Deschner | 1 | -1/+1
Guenther
2010-01-07 | s3: Lock down some srvsvc calls according to what w2k3 seems to do | Volker Lendecke | 1 | -0/+21
2010-01-07 | s3:auth:check_sam_security: improve calling and logging of pdb_update_sam_account | Michael Adam | 1 | -4/+16
Log what went wrong, and also call pdb_update_sam_account inside become_root/unbecome_root: do the logging outside.
Michael
2010-01-07 | s3:auth:check_sam_security: fix a leading tab/ws mixup | Michael Adam | 1 | -1/+1
Michael
2010-01-07 | s3:auth:check_sam_security: create (and use) a common exit point | Michael Adam | 1 | -11/+7
for use after sam_password_ok() has been called.
Michael
2010-01-07 | s3:auth:check_sam_security: null out sampass after it has been stolen. | Michael Adam | 1 | -0/+1
So that a later talloc_free would not harm. I could have used talloc_move instead of talloc steal in make_server_info_sam(), but this would have required a change of the signature.
Michael
2010-01-07 | s3:auth:sam_password_ok: take username, acct_ctrl and nt/lm hashes, not sampass | Michael Adam | 1 | -14/+20
This is in preparation to extending check_sam_security to also check against the password history before updating the bad password count. This way, sam_password_ok can more easily be reused for that purpose.
Michael
2010-01-07 | s3:auth: use data_blob_null instead of data_blob(NULL, 0) in sam_password_ok() | Michael Adam | 1 | -2/+2
This way it is more explicit that there is no allocated data here that may leak.
Michael
2010-01-07 | s3:auth:sam_password_ok: fix allocation of a data blob. | Michael Adam | 1 | -1/+1
data_blob(mem_ctx, 16) does not use mem_ctx as a talloc ctx but copies 16 bytes from mem_ctx into the newly allocated data blob. This can not have been intentional. A blank uint8_t array of length 16 is allocated by passing NULL instead of mem_ctx. And using data_blob_talloc(mem_ctx, NULL, 16) adds the allocated blank 16 byte array to mem_ctx - so this is what must have been intended.
Michael
2010-01-07 | s3:auth:sam_password_ok: enhance readability (imho) by adding some pointers | Michael Adam | 1 | -17/+24
and removing bool variables and several checks.
Michael
2010-01-07 | s3:check_sam_security: untangle assignment from statement | Michael Adam | 1 | -1/+2
Michael
2010-01-07 | s3: Factor password_in_history() out of check_passwd_history() | Volker Lendecke | 2 | -25/+44
2010-01-07 | Simplify E_md5hash a bit | Volker Lendecke | 1 | -6/+2
2010-01-07 | s3: Simplify pdb_set_plaintext_passwd: pwhistory==NULL can not happen anymore | Volker Lendecke | 1 | -24/+19
2010-01-07 | s3: Simplify pdb_set_plaintext_passwd: pwHistLen==0 was checked above | Volker Lendecke | 1 | -2/+4
2010-01-07 | s3: Add a paranoia check to pdb_set_plaintext_passwd() | Volker Lendecke | 1 | -0/+5
2010-01-07 | s3: Simplify pdb_set_plaintext_passwd() by removing a redundant condition | Volker Lendecke | 1 | -22/+11
    if (current_history_len != pwHistLen) {
        if (current_history_len < pwHistLen) {
        }
    }
The second "if" is a bit pointless here
2010-01-07 | s3: Simplify pdb_set_plaintext_passwd: memcpy deals fine with 0 bytes | Volker Lendecke | 1 | -5/+2
2010-01-07 | s3: Simplify pdb_set_plaintext_passwd by using talloc_zero_array | Volker Lendecke | 1 | -5/+2
2010-01-07 | s3: Make use of talloc_array in pdb_set_plaintext_passwd() | Volker Lendecke | 1 | -2/+3
2010-01-07 | s3: Simplify pdb_set_plaintext_passwd() a bit | Volker Lendecke | 1 | -66/+63
Remove an indentation by the early return in + if (pwHistLen == 0) { + /* Set the history length to zero. */ + pdb_set_pw_history(sampass, NULL, 0, PDB_CHANGED); + return true; + }
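Review bot: the early-return branch for pwHistLen == 0 ignores the result of pdb_set_pw_history(sampass, NULL, 0, PDB_CHANGED) and returns true unconditionally. If that call can fail, return its result from this branch instead, so that a failed history reset is not reported to the caller as a successful password change.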
2010-01-07 | s3: Simplify pdb_set_plaintext_passwd() slightly | Volker Lendecke | 1 | -56/+83
No functional change, this just removes an indentation level by the early "return True;" in + if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) == 0) { + /* + * No password history for non-user accounts + */ + return true; + } Volker
2010-01-07 | s3: Fix a typo | Volker Lendecke | 1 | -1/+1