Age | Commit message (Collapse) | Author | Files | Lines |
|
not the privileges. Usually we don't need them, so the memory is free
early.
lib/util_sid.c: added some helper functions to check an SID.
passdb/passdb.c: renamed local_lookup_rid() to local_lookup_sid() and pass
an RID all the way. If the group doesn't exist on the domain SID,
don't return a faked one as it can collide with a builtin one. Some rpc
structures have been badly designed, they return only rids and force the
client to do subsequent lsa_lookup_sid() on the domain sid and the builtin
sid !
rpc_server/srv_util.c: wrote a new version of get_domain_user_groups().
Only the samr code uses it atm. It uses the group mapping code instead of
a bloody hard coded crap. The netlogon code will use it too, but I have to
do some test first.
J.F.
(This used to be commit 6c87e96149101995b7d049657d5c26eefef37d8c)
|
|
You can change them with either usermanager->policies->account
or from a command prompt on NT/W2K: net accounts /domain
we can add a rpc accounts to the net command. As the net_rpc.c is still
empty, I did not start. How should I add command to it ? Should I take the
rpcclient/cmd_xxx functions and call them from there ?
alse changed the SAM_UNK_INFO_3 parser, it's an NTTIME. This one is more
for jeremy ;-)
J.F.
(This used to be commit bc28a8eebd9245ce3004ae4b1a359db51f77bf21)
|
|
this fixes the smbpasswd segvs
(This used to be commit d2bcdfd995b9562872d865e723b23ed84247a73f)
|
|
J.F.
(This used to be commit 192978e3fc96bc60fc3ceaad8f024bc91bf69da7)
|
|
(This used to be commit b35d90cd89849f0a01e8c79f0962ec9388673ad1)
|
|
This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It
makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP
struct as some privilege showing in USRMGR.EXE are not real privs but a
bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT
3.1 box to verify, but I'm too lazy (yes I still have my CDs).
Added 3 more LSA calls: SetSystemAccount, AddPrivileges and
RemovePrivileges, we can manage all this privilege from UserManager.
Time to change the NT_USER_TOKEN struct and add checks in all the rpc
functions. Fun, fun, fun.
J.F.
(This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
|
|
this completes the first stage of the smbd ADS support
(This used to be commit 058a5aee901e6609969ef7e1d482a720a84a4a12)
|
|
and more to come ...
J.F.
(This used to be commit 1748d5a2af1f2dcf718d6f162ed483b001542494)
|
|
an array of uint32. That's not perfect but that's better.
Added more privileges too.
Changed the local_lookup_rid/name functions in passdb.c to check if the
group is mapped. Makes the LSA rpc calls return correct groups
Corrected the return code in the LSA server code enum_sids.
Only enumerate well known aliases if they are mapped to real unix groups.
Won't confuse user seeing groups not available.
Added a short/long view to smbgroupedit.
now decoding rpc calls to add/remove privileges to sid.
J.F.
(This used to be commit f29774e58973f421bfa163c45bfae201a140f28c)
|
|
(This used to be commit 2d0922b0eabfdc0aaf1d0797482fef47ed7fde8e)
|
|
(This used to be commit e61aec84edaf55b9ee087b076d2f1311033dc839)
|
|
(This used to be commit 23e2561a1c303942cfceae8929e0806db91b4aa4)
|
|
(This used to be commit 89833bbbd8508dcdca70dff2c94e1d8f22535f1f)
|
|
(This used to be commit c26e0d3f27a05ecc8bd2390f9aab7f9451524e47)
|
|
Jeremy.
(This used to be commit 82153dde951ff7af3655f466cb2ea42c3195bdff)
|
|
Jeremy.
(This used to be commit 6b90263292d03b1ae2d5d18952e78fc26066f30d)
|
|
Jeremy.
(This used to be commit e4ef9e332fff99eb66101a3737a7efc3b7493cc5)
|
|
Jeremy.
(This used to be commit 560ae7615eb8eca2c872b1196ce0b9534bf8ad76)
|
|
many possible mem leaks, and segfaults fixed.
someone should port this fix to 2.2 also.
(This used to be commit fa8e55b8b465114ce209344965c1ca0333b84db9)
|
|
Jeremy.
(This used to be commit 840802f10677cb0009cb4df4c37c7d01aa5edacd)
|
|
(This used to be commit f47797fa9595fb19d9e29ef43c5d0135268db455)
|
|
(This used to be commit 8ec9c87b5d1a7dae17d5b1a30f58effaf5e69e4b)
|
|
smbd/connection.c: Sync up with code in 2.2
Jeremy.
(This used to be commit 87025c223dd33f2e02060c2a5cd45502946c87c6)
|
|
Not ready yet.
J.F.
(This used to be commit 62a7a567fdea230b77cc97a3f74d868542c34700)
|
|
I did some basic tests but I have probably broken something. Notably the
password changing. So don't cry ;-)
J.F.
(This used to be commit a4a4c02b12f030a3b9e6225b999c90689dfc4719)
|
|
Jeremy.
(This used to be commit fc76681812b1469208ad6c8847afdfc68bc6db49)
|
|
include/proto.h: Fix missing (void) in proto.
rpc_server/srv_samr_nt.c: Fix user private group problem by filtering out groups that
clash with users.
smbd/posix_acls.c: Ensure default ACE's are sensible.
utils/pdbedit.c: Fix from Simo Sorce.
Jeremy.
(This used to be commit 29414fe0d6665642d9b5f88a35e712426376c47f)
|
|
J.F.
(This used to be commit 7154deb026d53cb0cd503562174c3332a372be63)
|
|
(This used to be commit d7cd7c88fdabb01d9e40ae8a657737907a21ac37)
|
|
that were in the head branch but weren't in SAMBA_2_0
(This used to be commit d7b208786590b5a28618590172b8d523627dda09)
|
|
(This used to be commit 453a822a76780063dff23526c35408866d0c0154)
|
|
(This used to be commit 5b8961a9d4ef6c8188062aaca7f42151ff9684ae)
|
|
as they are generic "file line-by-line" reading routines. lines with
"#" at the front are ignored (as comments). this code started out as
the password file reading code.
(This used to be commit ef6df590fdf65a6d94b343998bac3a4d48ae07e0)
|
|
(This used to be commit 7d6337641703884a5c6914ca6e292d67ea0c803b)
|
|
database enumeration.
(This used to be commit b0381bb262f51fca916fb951fc0c7e54a58e2dd3)
|
|
(This used to be commit 2d5fc5c7cf2086c396c853c13a3409bfac77d05c)
|
|
(This used to be commit f7dfa55a2e191ae780d399026bce48f68cda4bf0)
|
|
* Added new APIs for modifying groups.
* RIDs are allocated similarly to NT, starting from 1000 and incrementing by 1
for each new user/group.
* RIDs are now consistently in hex
* Fixed bugs reported by Allan Bjorklund <allan@umich.edu>:
- ldap_close_connection is exported by OpenLDAP - changed to ldap_disconnect
- Missing ldap_connect() in getusergroups functions
- ldap_next_entry was being called too early while retrieving a sam_struct
- LDAP globals should be extern in sampassldap.c
* Fixed bugs reported by Martin Hofbauer <mh@bacher.at>
- Newly added workstation trust accounts had attributes DU rather than W.
- User dn's were forced to start with "uid=XX" rather than using the existing
dn.
(This used to be commit 91c77f5432169553572bb4d85ad5f09d17524f20)
|
|
(This used to be commit 2bc031e8fafeafdc58c6a8056597b647d00657ae)
|
|
attempt at taking lib/uid.c and getting a unix security context
change module that is independent of "cnums" and "snums".
a security context is needed for pipes, not just IPC$ or other
services.
- group database API
added add_group/alias_member, del_group/alias_member,
del_group/alias_entry functions. del_builtin_entry() is
deliberately set to NULL to cause an exception, you cannot
delete builtin aliases.
- parse_lsa.c srv_lsa.c
fixed lookup_names code, it was a load of trash and didn't do
anything.
- cmd_samr.c rpcclient.c srv_samr.c
added "deletegroup", "deletealias", "delaliasmem", "delgroupmem",
"addgroupmem", "addaliasmem", "createalias", "creategroup", to
both client and server code.
server code calls into unix stubs right now, which don't actually
do anything. the only instance where they are expected to do
anything is in appliance mode NOT even in the ldap code or anything.
client code modified to call samr_lookup_names() for group code
(because we can) and lsa_lookup_names() for alias code (because
we have to).
- srv_lookup.c
oops, lookup on unsplit name, we got lookup on DOMAIN, DOMAIN\name
instead of DOMAIN, name.
(This used to be commit b8175702ef61b8b37b078f38e81452c00a5e2986)
|
|
query.
domain groups now work, hurrah! only thing is that the description is
one character long, don't know why (which is wierd in itself).
(This used to be commit 78a86c64960a7823b0db8b7bebfffabb4a5ba864)
|
|
need to check, when looking up group members, that a group member is
a unix user [being mapped to an nt user] FIRST then if that fails
check that a group member is a unix group [being mapped to an nt group].
why? because you can have group names in a unix /etc/group file with
the same name as users.
this _might_ be a problem...
(This used to be commit 585d47644d3d709ccdfd5135c5f77166b609eb3b)
|
|
(This used to be commit 58c0f0a77c396a6021596c84d4a30b1c9a4b1419)
|
|
- split sam_passwd and smb_passwd into separate higher-order function tables
- renamed struct smb_passwd's "smb_user" to "unix_user". added "nt_user"
plus user_rid, and added a "wrap" function in both sam_passwd and smb_passwd
password databases to fill in the blank entries that are not obtained
from whatever password database API instance is being used.
NOTE: whenever a struct smb_passwd or struct sam_passwd is used, it MUST
be initialised with pwdb_sam_init() or pwd_smb_init(), see chgpasswd.c
for the only example outside of the password database APIs i could find.
- added query_useraliases code to rpcclient.
- dealt with some nasty interdependencies involving non-smbd programs
and the password database API. this is still not satisfactorily
resolved completelely, but it's the best i can do for now.
- #ifdef'd out some password database options so that people don't
mistakenly set them unless they recompile to _use_ those options.
lots of debugging done, it's still not finished. the unix/NT uid/gid
and user-rid/group-rid issues are better, but not perfect. the "BUILTIN"
domain is still missing: users cannot be added to "BUILTIN" groups yet,
as we only have an "alias" db API and a "group" db API but not "builtin-alias"
db API...
(This used to be commit 5d5d7e4de7d1514ab87b07ede629de8aa00519a1)
|
|
would only be a domain group rid. it can also be a local group rid,
which causes us problems in attempting to turn a unix gid into the
correct rid (domain group or local group).
sooo.... the fix is _in_ there, we just can't use it because it causes
link / knock-on problems in nmbd.
(This used to be commit e4ee6538709c33000774eb1676608f2dd67d5a30)
|
|
now need search capability on S-1-5-20, which will need argh, a
"group database API" on S-1-5-20, and the ability to add BUILTIN\Admins
etc to "local group map" argh.
(This used to be commit a24f6eb00ba7486479cbcf7fadf5456521c56179)
|
|
(This used to be commit 591c63e3e1e3201ddcd7582585b652fb848d80ca)
|
|
aclocal.m4: Added AC_LIBTESTFUNC.
configure.in: Fixed -lsecurity -lsec problems.
client.c: dos_ fixes.
groupdb/aliasunix.c: Dead code removal.
include/includes.h: Added default PRINTCAP_NAME.
lib/genrand.c: dos_ fixes.
lib/replace.c: Added strtoul.
lib/system.c: dos_ fixes.
lib/util.c: dos_ fixes.
lib/util_sid.c: Signed/unsigned fixes.
lib/util_str.c: removed bad const.
locking/locking_slow.c: dos_ fixes.
printing/printing.c: dos_ fixes.
rpc_server/srv_samr.c: Dead code removal.
rpc_server/srv_sid.c: global_myworkgroup defined with wrong size AGAIN !
smbd/dir.c: dos_ fixes.
smbd/open.c: dos_ fixes.
smbd/oplock.c: dos_ fixes.
smbd/reply.c smbd/server.c smbd/service.c smbd/uid.c: dos_ fixes.
Jeremy.
(This used to be commit 6acb4b68f68d516e2ac3c47e500f5600d653435e)
|
|
unix groups are not explicitly mapped.
i.e as a PDC or BDC you can have domain groups, as a member of a domain
you cannot.
as a member of a domain, unmapped unix groups are assumed to be aliases,
and as a PDC or BDC, unmapped unix groups are assumed to be unix groups.
there is _one_ other check needed with aliases to be added: unmapped unix
groups that have the same name as an NT group on the PDC (for which i will
need to write an LsaLookupNames call) should be assumed to be domain groups
on the PDC.
(This used to be commit 53b49b44e13a4ca9818ebc947372b1374831b568)
|
|
(This used to be commit 22802195ed544b6042d791b34e704d608bbdfd84)
|