Age | Commit message (Collapse) | Author | Files | Lines |
|
This patch add privilege support for samba
Currently it is implemented only for tdbsam backend but estending it to
other sam backends is straightforward.
I must make a big thank to JFM for his teachings on the matter and the
functions at the base of this work.
At thye moment only samr_create_user honours SeAddUsersPrivilege and
SeMachineAccountPrivilege to permit any user to add machines and/or users to
the server.
The command "net priv" has been provided to manipulate the privileges
database.
There are still many things to do (like support in "net rpc vampire") but
the working core is here.
Feel free to comment/extend on this work.
Of course I will deny that any bug may affect this code :-)
Simo.
This patch adds also my patch about add share command enhancements.
(This used to be commit 7a78c3605e203bd8e0d7ae244605f076a5d0b0bc)
|
|
Jeremy.
(This used to be commit 755b66303d04b73a855fa8db5fe3ae920a901bf3)
|
|
Jeremy.
(This used to be commit d236372876918be2a886a89383cf843b82d4c8db)
|
|
Jeremy.
(This used to be commit a7d4a6d1167f7657113148cdf68ea3c491b51b14)
|
|
Remove more unused portions of the 'password cache'.
Andrew Bartlett
(This used to be commit 33cdb2bd18daca31461bbc45251679f50fd3567f)
|
|
unix jobs back to the client. Allows windows client to remove print jobs submitted from lpr
(This used to be commit 6a7f9ebccd6a40455cb5446551f3d68ea9a7a824)
|
|
Changes all over the shop, but all towards:
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to
merge the 'client' and 'server' functions, so they both operate on a
single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of
data structures...
Andrew Bartlett
(This used to be commit 57a895aaabacc0c9147344d097d333793b77c947)
|
|
#534
(This used to be commit 99f4fa54497ba1c0fc0ba39d51b3ce201a8e6cd2)
|
|
(This used to be commit 041c17bd665ea5fa771b111d7008036fb3e7b72f)
|
|
(This used to be commit c17a7dc9a190156a069da3e861c18fd3f81224ad)
|
|
(This used to be commit 3101c236b8241dc0183995ffceed551876427de4)
|
|
prior to this merge, checkout HEAD_PRE_3_0_0_BETA_3_MERGE
(This used to be commit adb98e7b7cd0f025b52c570e4034eebf4047b1ad)
|
|
(This used to be commit 2ff89e1ee830ee2496861396ff69a232b0605b2f)
|
|
(This used to be commit e599eba851db40816c684da2b7b1be4b978166e0)
|
|
split out privileges from rpc_lsa.h
(This used to be commit 37d7cc8162d02a664095dbe0fc8d7250d1ed51c9)
|
|
(This used to be commit fb03fafed14a2816808e98fd95850db3e655d5d9)
|
|
(This used to be commit a4fc9c3b2dfbdbb3f75bf38415741ff66dbe1367)
|
|
SAM_ACCOUNT does not have anymore uid and gid fields
all the code that used them has been fixed to use the proper idmap calls
fix to idmap_tdb for first time idmap.tdb initialization.
auth_serversupplied_info structure has now an uid and gid field
few other fixes to make the system behave correctly with idmap
tested only with tdbsam, but smbpasswd and nisplus should be ok
have not tested ldap !
(This used to be commit 6a6f6032467e55aa9b76390e035623976477ba42)
|
|
function. Patch by metze with some minor modifications.
(This used to be commit f4576757d1d52a8f1b96894c869bb76450003fd1)
|
|
(This used to be commit 74fab8f0d24004b1dfd5ce0fd7402895652f941f)
|
|
requests and responses and is only compiled in when --enable-developer
is passed to configure. It includes server and client side code for
generating and responding to functions on this pipe. The functions are:
- AddOne: add one to the uint32 argument and return ig
- EchoData: echo back a variable sized char array to the caller
- SourceData: request a variable sized char array
- SinkData: send a variable sized char array and throw it away
There's a win32 implementation of the client and server in the
junkcode CVS repository in the rpcecho-win32 subdirectory.
(This used to be commit 4ccd34ef836eba05f81dc2da73fd7cfaac201798)
|
|
rpcclient -S pdc -U% -c "samlogon user password"
and it should work with the schannel. Needs testing platforms
different from NT4SP6.
Volker
(This used to be commit ecd0ee4d248e750168597ccf79c389513bb0f740)
|
|
just need to get the verifiction code working - we get back a signiture from
the server, and just can't verify it yet.
This also brings the short-packet checks into common code, and breaks the
connection if the server sends a signed reply, on an established connection,
that fails the test.
This breaks our read/write code at the moment, as we need to keep a list
of outstanding packets.
(signing is not enabled by default, unless the server demands it)
Not for 3.0 till I fix the outstanding packet list.
Andrew Barlett
(This used to be commit 808d1fcf20153970d587cb631a08607beb09703a)
|
|
(This used to be commit 5a88d78f67fd7853d6f7d5042807afa56091d52c)
|
|
Added new sid type = 9 for "computer" from MSDN.
(This used to be commit 45929d126932e5cac5a23fe76d28a4fa05b54b77)
|
|
from .NET RC2)
(This used to be commit 4c823e61d14a33344deb887043b60b2e3c83416f)
|
|
* distinguish WinXP from Win2k
* add a 1/3 of a second delay in OpenPrinter
in order to trigger a LAN/WAN optimization in
2k clients.
(This used to be commit 96570699d1b715f47c35aa211da6ec18f6fc4109)
|
|
for smb -> smb lock release). Adds new PENDING_LOCK type to lockdb
(does not interfere with existing locks).
Jeremy.
(This used to be commit 22fc0d48ff2052b4274c65f85050c58b235bf4e4)
|
|
modules/developer.c: init_module() should return an int
(This used to be commit 7f59703550378ff2333e3c851bf1a77037510abd)
|
|
- Don't use pstrcpy into an allocated string - use safe_strcpy() directly
instead.
- Keep a copy of the 'server_info' attached to the vuid. In future use this
for things like the session key, homedir and full name instead of current
copies.
- Try to avoid memory leak/segfault on Realloc failure
- clear up #endif comments
Andrew Bartlett
(This used to be commit 162477bb086827950b6cb71afa9bef62c2753c2e)
|
|
(This used to be commit 8f495e8634a1777c4b03d3ec07c76f905ff2fb98)
|
|
level 2 and a request for open with no oplock is received then the
smbd should send *synchronous* break messages, not asynchronous,
otherwise it spins very rapidly, releasing the lock, sending the
'break to none' messages and then re-acquiring the lock before
any other process has a chance to get the lock and remove it's own
oplock (at least on linux).
Jeremy.
(This used to be commit d1e8991a76a57b7d96dd7db3c1d9bbf5b28da88e)
|
|
Jeremy.
(This used to be commit 6e0cfec16594ade6e6c499f521781348fee25040)
|
|
This patch makes Samba compile cleanly with -Wwrite-strings.
- That is, all string literals are marked as 'const'. These strings are
always read only, this just marks them as such for passing to other functions.
What is most supprising is that I didn't need to change more than a few lines of code (all
in 'net', which got a small cleanup of net.h and extern variables). The rest
is just adding a lot of 'const'.
As far as I can tell, I have not added any new warnings - apart from making all
of tdbutil.c's function const (so they warn for adding that const string to
struct).
Andrew Bartlett
(This used to be commit 92a777d0eaa4fb3a1c7835816f93c6bdd456816d)
|
|
server = DC1 *
(This used to be commit 6b18ca9511ddcf1718f222af3f61491d1e5f3b60)
|
|
jobid. This was causing Win9x client "set name" calls to fail.
Still need one cleanup fix to finish.
Jeremy.
(This used to be commit 15f0bad1fc72ff44cd195d34fd530c25a739f42d)
|
|
Jeremy.
(This used to be commit 4a9c995e50b24e6ee6ec58c46da32100a8197724)
|
|
(This used to be commit 759bcd881dd259d5ad43715f6979c5282b094d52)
|
|
Jeremy.
(This used to be commit e39e2b4c3488fbd9e9a08dd5629a672d1459e64e)
|
|
-V Version information
-n Set netbios name
-l Set directory to store log files in
-d Set debuglevel
-s Load specified configuration file
-O Set socket options
(This used to be commit 1602d5894947b59fd36c161053a66c0afe2c959c)
|
|
(This used to be commit a15434314fd8cd88eab40e7cbc8f06a7d0d0169e)
|
|
- make smb_load_module() return the return value of init_module()
(This used to be commit a8d2dd8d009797486105188f8fdb898a65bb25b0)
|
|
(This used to be commit 4d1206be5275a8af7dfb612f1747fba484a7d017)
|
|
Added directory specific access mask bits.
(This used to be commit edbd942a8d0edcb5e7cc3086c3d98c6ff1d6cd80)
|
|
The actual design change is relitivly small however:
It all goes back to jerry's 'BOOL store', added to many of the elements in a
SAM_ACCOUNT. This ensured that smb.conf defaults did not get 'fixed' into
ldap. This was a great win for admins, and this patch follows in the same way.
This patch extends the concept - we don't store values back into LDAP unless
they have been changed. So if we read a value, but don't update it, or we
read a value, find it's not there and use a default, we will not update
ldap with that value. This reduced clutter in our LDAP DB, and makes it
easier to change defaults later on.
Metze's particular problem was that when we 'write back' an unchanged value,
we would clear any muliple values in that feild. Now he can still have his
mulitivalued 'uid' feild, without Samba changing it for *every* other
operation.
This also applies to many other attributes, and helps to eliminate a nasty
race condition. (Time between get and set)
This patch is big, and needs more testing, but metze has tested usrmgr, and
I've fixed some pdbedit bugs, and tested domain joins, so it isn't compleatly
flawed ;-).
The same system will be introduced into the SAM code shortly, but this fixes
bugs that people were coming across in production uses of Samba 3.0/HEAD, hence
it's inclusion here.
Andrew Bartlett
(This used to be commit 7f237bde212eb188df84a5d8adb598a93fba8155)
|
|
(This used to be commit 738b9237eda8fdb8adb534ab1a84070923f352f1)
|
|
also try to uniform names to a clean scheme.
first part.
(This used to be commit a123e05877caf90c28980be2d84b1d0b46e4fd21)
|
|
the ones for debuglevel and configuration file in pdbedit
(This used to be commit cb0d03a393d9009c3e16b9d05d88c171de9a9414)
|
|
(This used to be commit f70caa25e4ee198151b915cf2bc0a26b2d0e243d)
|
|
from APP_HEAD
(This used to be commit 38c9e4299845fd77cc8629945ce2d259489f7437)
|