summaryrefslogtreecommitdiff
path: root/source3/include
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r5203: additional changes for BUG 2291 to restrict who can join a BDC and ↵Gerald Carter2-1/+3
add domain trusts (This used to be commit 5ec1faa2ad33772fb48c3863e67d2ce4be726bb2)
2007-10-10r5152: Restructure the directory handling code, stop using void * pointersJeremy Allison1-1/+3
that just allow the wrong pointer to be assigned :-) and make the interface more consistent. Fix the FreeBSD directory problem. Last thing to do is to add the "singleton" directory concept from James Peach's code. Jeremy. (This used to be commit cfa8150fd9932470cb8f3b5e14c0156dda67125d)
2007-10-10r5056: * correct STANDARD_RIGHTS_WRITE_ACCESS bitmask defineGerald Carter3-3/+6
* make sure to apply the rights_mask and not just the saved bits from the mask in access_check_samr_object() * allow root to grant/revoke privileges (in addition to Domain Admins) as suggested by Volker. Tested machine joins from XP, 2K, and NT4 with and without pre-existing machine trust accounts. Also tested basic file operations using cmd.exe and explorer.exe after changing the STANDARD_RIGHTS_WRITE_ACCESS bitmask. (This used to be commit c0e7f7ff60a4110809b8f500fdc68a1bf963da36)
2007-10-10r5015: (based on abartlet's original patch to restrict password changes)Gerald Carter1-1/+4
* added SE_PRIV checks to access_check_samr_object() in order to deal with the run-time security descriptor and their interaction with user rights * Reordered original patch in _samr_set_userinfo[2] to still allow root/administrative password changes for users and machines. (This used to be commit f9f9e6039bd9443d54445e41c3783a2be18925fb)
2007-10-10r4976: Try to scare people off from trying to write authentication modulesAndrew Bartlett1-0/+4
that only acheive as much as 'security=server' does. Andrew Bartlett (This used to be commit fb694f2b1a809d221f48f9b9b0e54e9512325bae)
2007-10-10r4970: Fix for bug 2092, allowing fallback after kerberos and allowJeremy Allison2-0/+7
gnome vfs to prevent auto-anonymous logon. Jeremy. (This used to be commit 843e85bcd978d025964c4d45d9a3886c7cf7f63c)
2007-10-10r4946: Our notion the other_sids in the info3 SamLogon struct wasVolker Lendecke1-2/+1
...hmmm... completely bogus. This does not affect us as a domain controller, as we never set other_sids, but I have *no* idea how winbind got away with it. Please review thoroughly, samba4 idl looks closer to reality here. Test case: Member of w2k3 domain, authenticate as a user who is member of one or more domain local groups. Easiest review with 'client schannel = no'. Thanks, Volker (This used to be commit a0a6388830d9457de3e42686c64bddeba42954f8)
2007-10-10r4932: Forgot to increase version with the account-policy-commit.Günther Deschner1-1/+1
Guenther (This used to be commit 42e380303ddce890f313c221a766dc1e1ee972fb)
2007-10-10r4925: Migrate Account Policies to passdb (esp. replicating ldapsam).Günther Deschner2-0/+16
Does automated migration from account_policy.tdb v1 and v2 and offers a pdbedit-Migration interface. Jerry, please feel free to revert that if you have other plans. Guenther (This used to be commit 75af83dfcd8ef365b4b1180453060ae5176389f5)
2007-10-10r4879: Fix rewinddir -> rewind_dir. Noticed by James Peach.Jeremy Allison1-2/+2
Jeremy (This used to be commit 79f54d12759f9161dc5837a090391cd0cf6471f5)
2007-10-10r4868: Add "net rpc user RENAME"-command.Günther Deschner1-0/+8
Note that Samba3 does not yet support it server-side. Guenther (This used to be commit b2c8220931733593fd312fc25b6c73f440b4567a)
2007-10-10r4849: * finish SeAddUsers support in srv_samr_nt.cGerald Carter1-36/+17
* define some const SE_PRIV structure for use when you need a SE_PRIV* to a privilege * fix an annoying compiler warngin in smbfilter.c * translate SIDs to names in 'net rpc rights list accounts' * fix a seg fault in cli_lsa_enum_account_rights caused by me forgetting the precedence of * vs. [] (This used to be commit d25fc84bc2b14da9fcc0f3c8d7baeca83f0ea708)
2007-10-10r4847: Hand over a acb_mask to pdb_setsampwent in load_sampwd_entries().Günther Deschner1-3/+3
This allows the ldap-backend to search much more effeciently. Machines will be searched in the ldap_machine_suffix and users in the ldap_users_suffix. (Note that we already use the ldap_group_suffix in ldapsam_setsamgrent for quite some time). Using the specific ldap-bases becomes notably important in large domains: On my testmachine "net rpc trustdom list" has to search through 40k accounts just to list 3 interdomain-trust-accounts, similiar effects show up the non-user query_dispinfo-calls, etc. Also renamed all_machines to only_machines in load_sampwd_entries() since that reflects better what is really meant. Guenther (This used to be commit 6394257cc721ca739bda0e320375f04506913533)
2007-10-10r4840: * Add more generic root-dse inspection function to check for givenGünther Deschner1-0/+1
controls or extensions. * Check and remember if ldapsam's LDAP Server support paged results (in preparation of adding async paged-results to set|get|end-sampwent in ldapsam). Guenther (This used to be commit ced58bd8849cdef78513674dff1b1ec331945aa9)
2007-10-10r4809: * include SeDiskOperatorPrivilege and SeRemoteShutdownPrivilegeGerald Carter1-0/+2
(noty enfornced yet though) * add 'enable privileges (off by default) to control whether or not any privuleges can be assigned to SIDs (This used to be commit cf63519169d2f3c56a6acf46b9257f4c11d5ea74)
2007-10-10r4805: Last planned change to the privileges infrastructure:Gerald Carter2-13/+19
* rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2007-10-10r4736: small set of merges from rtunk to minimize the diffsGerald Carter1-1/+1
(This used to be commit 4b351f2fcc365a7b7f8c22b5139c299aa54c9458)
2007-10-10r4724: Add support for Windows privileges in Samba 3.0Gerald Carter4-14/+88
(based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2007-10-10r4665: Fix inspired by posting from Joe Meadows <jameadows@webopolis.com>.Jeremy Allison1-3/+0
Make all LDAP timeouts consistent. Jeremy. (This used to be commit 0f0281c2348b10ffdea744ecade6b2be0814c872)
2007-10-10r4656: Convert the winreg pipe to use WERROR returns (as it should).Jeremy Allison1-20/+20
Also fix return of NT_STATUS_NO_MORE_ENTRIES should be ERROR_NO_MORE_ITEMS reported by "Marcin Porwit" <mporwit@centeris.com>. Jeremy. (This used to be commit 511cdec60d431d767fb02f68ca5ddd4ddb59e64a)
2007-10-10r4651: Add "refuse machine password change" policy field. This update will justJim McDonough1-1/+1
return the appropriate reg value. Enforcement to be added soon. Also, fix account policy tdb upgrade so it doesn't just wipe out everything that was in there from a a previous version. (This used to be commit ccae934cf9de4b234bac324b8d878c8ec7862f67)
2007-10-10r4601: Removed any use of the MAX_XXX_STR style definitions. A little largerJeremy Allison1-6/+1
change than I'd hoped for due to formating changes to tidy up code. Jeremy. (This used to be commit a348f9221a9fe719dc6f0db6eb295575c2f95e1e)
2007-10-10r4570: Replace cli->nt_pipe_fnum with an array of NT file numbers, one for eachVolker Lendecke1-1/+1
supported pipe. Netlogon is still special, as we open that twice, one to do the auth2, the other one with schannel. The client interface is completely unchanged for those who only use a single pie. cli->pipe_idx is used as the index for everything except the "real" client rpc calls, which have been explicitly converted in my last commit. Next step is to get winbind to just use a single smb connection for multiple pipes. Volker (This used to be commit dc294c52e0216424236057ca6cd35e1ebf51d0da)
2007-10-10r4514: Fix for bugzilla 1770. Remove READ_ATTRIBUTES from GENERIC_EXECUTE, ↵Jim McDonough1-1/+1
otherwise modification of an ACL that contains an ACE with execute only will cause that to be upgraded to read/execute. Side effect is that dirs/files with execute only show up as special permissions, which is still correct. (This used to be commit 8d9dc7d543fd347e47d04157064a2f92fb5c99db)
2007-10-10r4336: Apply some other samba4 SAMR idl that is just too obvious. Don't hardGünther Deschner1-2/+1
set the value "forcibly disconnect remote users from server when logon hours expire" to "no", instead take the value from our account-policy storage. Guenther (This used to be commit e3bd2a22a5cebc4adf6910d3ec31bc6fada8cd35)
2007-10-10r4331: Implement SAMR query_dom_info-call info-level 8 server- and client-side,Günther Deschner1-2/+9
based on samba4-idl. This saves us an enormous amount of totally unnecessary ldap-traffic when several hundreds of winbind-daemons query a Samba3 DC just to get the fake SAM-sequence-number (time(NULL)) by enumerating all users, all groups and all aliases when query-dom-info level 2 is used. Note that we apparently never get the sequence number right (we parse a uint32, although it's a uint64, at least in samba4 idl). For the time being, I would propose to stay with that behaviour. Guenther (This used to be commit f9ab15a986626581000d4b93961184c501f36b93)
2007-10-10r4287: Vampire SAM_DELTA_DOMAIN_INFO.Günther Deschner2-5/+51
Based on samba4-idl. The decoding of account-lockout-string is somewhat experimental though. Guenther (This used to be commit 721bf50d7446b8ce18bc1d45e17d4214d5a43d26)
2007-10-10r4286: Give back 8 byte lm_session_key in Netrsamlogon-reply.Günther Deschner1-1/+3
The old #ifdef JRATEST-block was copying 16 bytes and thus overwriting acct_flags with bizarre values, breaking a lot of things. This patch is successfully running in a production environment for quite some time now and is required to finally allow Exchange 5.5 to access another Exchange Server when both are running on NT4 in a samba-controlled domain. This also allows Exchange Replication to take place, Exchange Administrator to access other Servers in the network, etc. Fixes Bugzilla #1136. Thanks abartlet for helping me with that one. Guenther (This used to be commit bd4c5125d6989cebc90152a23e113b345806c660)
2007-10-10r4268: Merge fix for bugzilla #2150.Tim Potter1-9/+0
(This used to be commit f00ae4ab0c36a623257861fb65373b39cf075921)
2007-10-10r4219: Fix samba3 samr "idl"... According to samba4 idl samr_DomInfo2 contains aVolker Lendecke1-3/+2
comment string and not an unknown 12 byte structure... Found after abartlet's smbtorture extended this string to "Tortured by Samba4: Fri Nov 26 15:40:18 2004 CET" ;-)) Volker (This used to be commit b41d94d8186f66136918432cf32e9dcef5a8bd12)
2007-10-10r4186: Fix client & server to allow 127k READX calls.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 831cb21a874601e4536c2cf76c5351e1d0defcb5)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison2-4/+89
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r3859: Ensure if num_acls is set to 0xFFFF this field is ignored.Jeremy Allison1-0/+6
Use def_acl everywhere instead of dir_acl. Jeremy. (This used to be commit d28611c960f87830aa8449725951984aa155b089)
2007-10-10r3844: Attempt to get the build farm in line. Some systems seem to have definedVolker Lendecke2-3/+3
rewinddir as a macro and don't like the construct to call a function pointer called rewinddir. Work around by renaming the function pointer... Volker (This used to be commit e547308d3ed307a242723076dff9974973fccc97)
2007-10-10r3772: BUG 2006: patch from Michel Gravey <michel.gravey@optogone.com>; fix ↵Gerald Carter1-1/+1
build when using gcc 3.0 (This used to be commit 1bc79a28080f2ff783b49e5cf3adfdfc4a4940ee)
2007-10-10r3713: Implementation of get posix acls in UNIX extensions. Passes valgrind.Jeremy Allison1-0/+71
Need to add printout functions in client and set posix acl in server. SteveF - take a look at this for the cifsfs client ! Once this is working and tested the next step is to write this up for the UNIX extensions spec. documents. Jeremy. (This used to be commit 1bd3f133442a472b4718b94a636f2fec89a2e0dc)
2007-10-10r3705: Nobody has commented, so I'll take this as an ack...Volker Lendecke1-0/+12
abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2007-10-10r3697: BUG 2027: fix multiple declaration of MD5_CTX (do we really care ↵Gerald Carter1-5/+0
about DOS compilers?). Will watch build farm though. (This used to be commit b59aeb12c86f3630eb40f033b8c2b70e9a57675c)
2007-10-10r3644: Fixup examples VFS compile.Jeremy Allison1-1/+1
Jeremy. (This used to be commit dfa910e4ab498100d0572838f2ac05faec3c917f)
2007-10-10r3642: Extend vfs to add seekdir/telldir/rewinddir. Yes I know I have toJeremy Allison4-4/+37
fix the modules too... First step in fixing out large directories problem. Jeremy. (This used to be commit 344e9dd33a936b429fefb67cd748ac009a1bab10)
2007-10-10r3566: Completely replace the queryuseraliases call. The previous ↵Volker Lendecke1-3/+5
implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2007-10-10r3563: During a typical logon a modern workstation makes a lot of anonymous ↵Volker Lendecke1-0/+1
session setups on its way to open a pipe. This gets rid of many round-trips to the LDAP server during logon by setting up the server_info_guest once and not asking the LDAP server and nss every time. Make sure that the ldap connection is reopened in the child. (I did not look at the sql backends.) Volker (This used to be commit 3298f6105e6a88c9390cac02245c8f2eee1e5046)
2007-10-10r3538: Fix the build with the latest Heimdal code.Jeremy Allison1-6/+2
Jeremy. (This used to be commit 34275bae787762646f02ea1dec19d7b3a9a733a3)
2007-10-10r3495: Fix the build (recent kerberos-changes).Günther Deschner1-1/+3
Guenther (This used to be commit c7eab285d967345510a15e83bce508edb8e06e99)
2007-10-10r3438: fix some kerberos-related prototype warningsGünther Deschner1-0/+3
Guenther (This used to be commit 43c8a9e25961f65677a55e701f54c0227329a756)
2007-10-10r3377: Merge in first part of modified patch from Nalin Dahyabhai ↵Jeremy Allison1-0/+3
<nalin@redhat.com> for bug #1717.The rest of the code needed to call this patch has not yet been checked in (that's my next task). This has not yet been tested - I'll do this once the rest of the patch is integrated. Jeremy. (This used to be commit 7565019286cf44f43c8066c005b1cd5c1556435f)
2007-10-10r3067: patch based on volker's initial work in trunk that fixes the queu ↵Gerald Carter1-1/+7
update problem when using the background daemon (This used to be commit de7af09e727e744aa27af85ef7c0f73ed5c1550a)
2007-10-10r3050: Steal from Samba4 :-). Make us pass most of the new lock tests ↵Jeremy Allison1-2/+1
(except for the cancel lock which I have to add). Jeremy. (This used to be commit cf7f89999e0c6becd4617c812400d1e71b9c0a30)
2007-10-10r2955: fixing a segfault uncovered by the changes for BUG 1519Gerald Carter1-0/+1
(This used to be commit 1664395257eb2425246e200ebde4384aa54484a4)
2007-10-10r2942: Add client-side support of triggering ads printer publishing over msrpcGünther Deschner1-0/+1
setprinter calls inside the net-tool. This is usefull to mimic the same queries a windows-client does. At least win2k returns WERR_IO_PENDING when printer is published via setprinter, samba returns WERR_OK but this does not hurt. Guenther (This used to be commit 69b745fb98b8054d1f52e8a3fe3b933fb04336db)