summaryrefslogtreecommitdiff
path: root/source3/include
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r5752: implement derrell's solution for binary compatibilty in the _SMBCCTX ↵Gerald Carter2-65/+63
structure; note that we break compat with 3.0.11 but are ok with earlier versions (This used to be commit 6e8d171551bfe480cb1a526469defc33276550f6)
2007-10-10r5735: rest of derrel's patch for BUG 2308; had to move the options ↵Gerald Carter2-4/+160
structure from the _SMBCCTX to the internals structure to maintain binary compatibility (derrel, we should talk more about this) (This used to be commit a5ea01bf15758bb2be26ba16784dc0975be783bf)
2007-10-10r5731: Get delayed write semantics closer to W2K3. We need to store 2 times.Jeremy Allison1-0/+2
This may fix bug #2382. Jeremy. (This used to be commit a27c351e6beafc6609790a9bb9a3d0a1331e8f35)
2007-10-10r5726: merge LsaLookupPrivValue() code from trunkGerald Carter2-11/+10
(This used to be commit 277203b5356af58ce62eb4eec0db2eccadeeffd6)
2007-10-10r5715: Update for new CIFS POSIX info levelsSteve French1-0/+25
(This used to be commit af12daba2ae57a1f768248ba60d7769063f8200b)
2007-10-10r5707: BUG 2425: remove ubran legend wrt to win98 and the DFS_PATHNAMES ↵Gerald Carter1-8/+0
capability bit (This used to be commit 6511bfe84a4036e0d203858aa2f604e346c9412b)
2007-10-10r5685: BUG 1881: only define PRINT_SPOOL_PREFIX if it is not already definedGerald Carter1-0/+2
(This used to be commit a42e3fc63cdbabd96f05e6af64344e1489ebf9da)
2007-10-10r5655: Added support for Novell NDS universal password. Code donated byJeremy Allison2-1/+30
Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2007-10-10r5639: update smb.h with missing definesSteve French1-0/+3
(This used to be commit 0f188da8578165077b6d6df58c6e82be11943d40)
2007-10-10r5636: Re-add the allocation size - parameterized by share asJeremy Allison2-0/+5
"allocation roundup size", by default set as 1Mb. From advice by BlueArc about Windows client behaviour. VC++ people can set this to zero to turn it off. Jeremy. (This used to be commit 833ca101772bfab65dbd79eb64f63464177f144e)
2007-10-10r5580: Fix "net rpc trustdom add". Much closer to what windows does. Also stopJim McDonough1-6/+2
referencing unknown_6 from sam, because it's just fixed at 1260, the max len of LOGON_HRS. Need to go in and mark it as "remove me" from passdb. (This used to be commit ffac752875938d510446ebbeba6fc983f65cda1e)
2007-10-10r5548: Stop lying about allocation sizes to Windows clients. It was a niceJeremy Allison2-5/+0
idea, and aparently improved performance in some circumstances, but it breaks the VC++ compiler :-(. Not cool. Fix bug #2146. Jeremy. (This used to be commit b9f147634df0126320ffe3b9a23068e76f6c1681)
2007-10-10r5518: Add initial msdfs support to smbclient. Currently I can onlyGerald Carter2-0/+7
cd up and down the tree and get directory listings. Still have to figure out how to get a directory listing on a 2k dfs root. Also have to work out some issues with relative paths that cross dfs mount points. We're protected from the new code paths when connecting to a non-dfs root share ( the flag from the tcon&X is stored in the struct cli_state* ) (This used to be commit e57fd2c5f00de2b11a2b44374830e89a90bc0022)
2007-10-10r5517: code cleanup; rename the sorted_tree to pathtree (used by registry code)Gerald Carter2-1/+29
I was going to use this for tracking dfs mounts in smbclient but found another way. Still the cleanup is valid so commiting it. should be minimally disruptive since it is not widely used. (This used to be commit 00738dca3b07083c91545910486a1f30f2b17281)
2007-10-10r5467: Optimize _samr_query_groupmem with LDAP backend for large domains.Volker Lendecke1-0/+12
Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2007-10-10r5456: Increase limit of mapped SIDS to 0x5000, which is what 2k and later do.Jim McDonough1-2/+2
NT has no limit. We still don't respond the way 2k would to requests larger, which is to actually allocate the memory and send back the entire response, plus a return status of NT_STATUS_NONE_MAPPED. Still looking into ways of doing this without crashing windows. (This used to be commit 9afe5acdc22adaed4b4b3d70ba3a1a7898256282)
2007-10-10r5428: Apply some const. LDAP attribs should now be declared const char ↵Volker Lendecke1-2/+2
*attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2007-10-10r5349: After talking with Jerry, reverted the addition of account policies toGünther Deschner2-16/+0
passdb in 3_0 (they are still in trunk). Guenther (This used to be commit fdf9bdbbac1d8d4f3b3e1fc7e49c1e659b9301b1)
2007-10-10r5262: Fix server_role in the samr_query_dom_info calls. When we are a BDC weGünther Deschner1-2/+2
should not say we are a PDC. Guenther (This used to be commit 6cdf3b97de2c28ac92f972621b0ce04c1c80cea5)
2007-10-10r5203: additional changes for BUG 2291 to restrict who can join a BDC and ↵Gerald Carter2-1/+3
add domain trusts (This used to be commit 5ec1faa2ad33772fb48c3863e67d2ce4be726bb2)
2007-10-10r5152: Restructure the directory handling code, stop using void * pointersJeremy Allison1-1/+3
that just allow the wrong pointer to be assigned :-) and make the interface more consistent. Fix the FreeBSD directory problem. Last thing to do is to add the "singleton" directory concept from James Peach's code. Jeremy. (This used to be commit cfa8150fd9932470cb8f3b5e14c0156dda67125d)
2007-10-10r5056: * correct STANDARD_RIGHTS_WRITE_ACCESS bitmask defineGerald Carter3-3/+6
* make sure to apply the rights_mask and not just the saved bits from the mask in access_check_samr_object() * allow root to grant/revoke privileges (in addition to Domain Admins) as suggested by Volker. Tested machine joins from XP, 2K, and NT4 with and without pre-existing machine trust accounts. Also tested basic file operations using cmd.exe and explorer.exe after changing the STANDARD_RIGHTS_WRITE_ACCESS bitmask. (This used to be commit c0e7f7ff60a4110809b8f500fdc68a1bf963da36)
2007-10-10r5015: (based on abartlet's original patch to restrict password changes)Gerald Carter1-1/+4
* added SE_PRIV checks to access_check_samr_object() in order to deal with the run-time security descriptor and their interaction with user rights * Reordered original patch in _samr_set_userinfo[2] to still allow root/administrative password changes for users and machines. (This used to be commit f9f9e6039bd9443d54445e41c3783a2be18925fb)
2007-10-10r4976: Try to scare people off from trying to write authentication modulesAndrew Bartlett1-0/+4
that only acheive as much as 'security=server' does. Andrew Bartlett (This used to be commit fb694f2b1a809d221f48f9b9b0e54e9512325bae)
2007-10-10r4970: Fix for bug 2092, allowing fallback after kerberos and allowJeremy Allison2-0/+7
gnome vfs to prevent auto-anonymous logon. Jeremy. (This used to be commit 843e85bcd978d025964c4d45d9a3886c7cf7f63c)
2007-10-10r4946: Our notion the other_sids in the info3 SamLogon struct wasVolker Lendecke1-2/+1
...hmmm... completely bogus. This does not affect us as a domain controller, as we never set other_sids, but I have *no* idea how winbind got away with it. Please review thoroughly, samba4 idl looks closer to reality here. Test case: Member of w2k3 domain, authenticate as a user who is member of one or more domain local groups. Easiest review with 'client schannel = no'. Thanks, Volker (This used to be commit a0a6388830d9457de3e42686c64bddeba42954f8)
2007-10-10r4932: Forgot to increase version with the account-policy-commit.Günther Deschner1-1/+1
Guenther (This used to be commit 42e380303ddce890f313c221a766dc1e1ee972fb)
2007-10-10r4925: Migrate Account Policies to passdb (esp. replicating ldapsam).Günther Deschner2-0/+16
Does automated migration from account_policy.tdb v1 and v2 and offers a pdbedit-Migration interface. Jerry, please feel free to revert that if you have other plans. Guenther (This used to be commit 75af83dfcd8ef365b4b1180453060ae5176389f5)
2007-10-10r4879: Fix rewinddir -> rewind_dir. Noticed by James Peach.Jeremy Allison1-2/+2
Jeremy (This used to be commit 79f54d12759f9161dc5837a090391cd0cf6471f5)
2007-10-10r4868: Add "net rpc user RENAME"-command.Günther Deschner1-0/+8
Note that Samba3 does not yet support it server-side. Guenther (This used to be commit b2c8220931733593fd312fc25b6c73f440b4567a)
2007-10-10r4849: * finish SeAddUsers support in srv_samr_nt.cGerald Carter1-36/+17
* define some const SE_PRIV structure for use when you need a SE_PRIV* to a privilege * fix an annoying compiler warngin in smbfilter.c * translate SIDs to names in 'net rpc rights list accounts' * fix a seg fault in cli_lsa_enum_account_rights caused by me forgetting the precedence of * vs. [] (This used to be commit d25fc84bc2b14da9fcc0f3c8d7baeca83f0ea708)
2007-10-10r4847: Hand over a acb_mask to pdb_setsampwent in load_sampwd_entries().Günther Deschner1-3/+3
This allows the ldap-backend to search much more effeciently. Machines will be searched in the ldap_machine_suffix and users in the ldap_users_suffix. (Note that we already use the ldap_group_suffix in ldapsam_setsamgrent for quite some time). Using the specific ldap-bases becomes notably important in large domains: On my testmachine "net rpc trustdom list" has to search through 40k accounts just to list 3 interdomain-trust-accounts, similiar effects show up the non-user query_dispinfo-calls, etc. Also renamed all_machines to only_machines in load_sampwd_entries() since that reflects better what is really meant. Guenther (This used to be commit 6394257cc721ca739bda0e320375f04506913533)
2007-10-10r4840: * Add more generic root-dse inspection function to check for givenGünther Deschner1-0/+1
controls or extensions. * Check and remember if ldapsam's LDAP Server support paged results (in preparation of adding async paged-results to set|get|end-sampwent in ldapsam). Guenther (This used to be commit ced58bd8849cdef78513674dff1b1ec331945aa9)
2007-10-10r4809: * include SeDiskOperatorPrivilege and SeRemoteShutdownPrivilegeGerald Carter1-0/+2
(noty enfornced yet though) * add 'enable privileges (off by default) to control whether or not any privuleges can be assigned to SIDs (This used to be commit cf63519169d2f3c56a6acf46b9257f4c11d5ea74)
2007-10-10r4805: Last planned change to the privileges infrastructure:Gerald Carter2-13/+19
* rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2007-10-10r4736: small set of merges from rtunk to minimize the diffsGerald Carter1-1/+1
(This used to be commit 4b351f2fcc365a7b7f8c22b5139c299aa54c9458)
2007-10-10r4724: Add support for Windows privileges in Samba 3.0Gerald Carter4-14/+88
(based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2007-10-10r4665: Fix inspired by posting from Joe Meadows <jameadows@webopolis.com>.Jeremy Allison1-3/+0
Make all LDAP timeouts consistent. Jeremy. (This used to be commit 0f0281c2348b10ffdea744ecade6b2be0814c872)
2007-10-10r4656: Convert the winreg pipe to use WERROR returns (as it should).Jeremy Allison1-20/+20
Also fix return of NT_STATUS_NO_MORE_ENTRIES should be ERROR_NO_MORE_ITEMS reported by "Marcin Porwit" <mporwit@centeris.com>. Jeremy. (This used to be commit 511cdec60d431d767fb02f68ca5ddd4ddb59e64a)
2007-10-10r4651: Add "refuse machine password change" policy field. This update will justJim McDonough1-1/+1
return the appropriate reg value. Enforcement to be added soon. Also, fix account policy tdb upgrade so it doesn't just wipe out everything that was in there from a a previous version. (This used to be commit ccae934cf9de4b234bac324b8d878c8ec7862f67)
2007-10-10r4601: Removed any use of the MAX_XXX_STR style definitions. A little largerJeremy Allison1-6/+1
change than I'd hoped for due to formating changes to tidy up code. Jeremy. (This used to be commit a348f9221a9fe719dc6f0db6eb295575c2f95e1e)
2007-10-10r4570: Replace cli->nt_pipe_fnum with an array of NT file numbers, one for eachVolker Lendecke1-1/+1
supported pipe. Netlogon is still special, as we open that twice, one to do the auth2, the other one with schannel. The client interface is completely unchanged for those who only use a single pie. cli->pipe_idx is used as the index for everything except the "real" client rpc calls, which have been explicitly converted in my last commit. Next step is to get winbind to just use a single smb connection for multiple pipes. Volker (This used to be commit dc294c52e0216424236057ca6cd35e1ebf51d0da)
2007-10-10r4514: Fix for bugzilla 1770. Remove READ_ATTRIBUTES from GENERIC_EXECUTE, ↵Jim McDonough1-1/+1
otherwise modification of an ACL that contains an ACE with execute only will cause that to be upgraded to read/execute. Side effect is that dirs/files with execute only show up as special permissions, which is still correct. (This used to be commit 8d9dc7d543fd347e47d04157064a2f92fb5c99db)
2007-10-10r4336: Apply some other samba4 SAMR idl that is just too obvious. Don't hardGünther Deschner1-2/+1
set the value "forcibly disconnect remote users from server when logon hours expire" to "no", instead take the value from our account-policy storage. Guenther (This used to be commit e3bd2a22a5cebc4adf6910d3ec31bc6fada8cd35)
2007-10-10r4331: Implement SAMR query_dom_info-call info-level 8 server- and client-side,Günther Deschner1-2/+9
based on samba4-idl. This saves us an enormous amount of totally unnecessary ldap-traffic when several hundreds of winbind-daemons query a Samba3 DC just to get the fake SAM-sequence-number (time(NULL)) by enumerating all users, all groups and all aliases when query-dom-info level 2 is used. Note that we apparently never get the sequence number right (we parse a uint32, although it's a uint64, at least in samba4 idl). For the time being, I would propose to stay with that behaviour. Guenther (This used to be commit f9ab15a986626581000d4b93961184c501f36b93)
2007-10-10r4287: Vampire SAM_DELTA_DOMAIN_INFO.Günther Deschner2-5/+51
Based on samba4-idl. The decoding of account-lockout-string is somewhat experimental though. Guenther (This used to be commit 721bf50d7446b8ce18bc1d45e17d4214d5a43d26)
2007-10-10r4286: Give back 8 byte lm_session_key in Netrsamlogon-reply.Günther Deschner1-1/+3
The old #ifdef JRATEST-block was copying 16 bytes and thus overwriting acct_flags with bizarre values, breaking a lot of things. This patch is successfully running in a production environment for quite some time now and is required to finally allow Exchange 5.5 to access another Exchange Server when both are running on NT4 in a samba-controlled domain. This also allows Exchange Replication to take place, Exchange Administrator to access other Servers in the network, etc. Fixes Bugzilla #1136. Thanks abartlet for helping me with that one. Guenther (This used to be commit bd4c5125d6989cebc90152a23e113b345806c660)
2007-10-10r4268: Merge fix for bugzilla #2150.Tim Potter1-9/+0
(This used to be commit f00ae4ab0c36a623257861fb65373b39cf075921)
2007-10-10r4219: Fix samba3 samr "idl"... According to samba4 idl samr_DomInfo2 contains aVolker Lendecke1-3/+2
comment string and not an unknown 12 byte structure... Found after abartlet's smbtorture extended this string to "Tortured by Samba4: Fri Nov 26 15:40:18 2004 CET" ;-)) Volker (This used to be commit b41d94d8186f66136918432cf32e9dcef5a8bd12)
2007-10-10r4186: Fix client & server to allow 127k READX calls.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 831cb21a874601e4536c2cf76c5351e1d0defcb5)