Age | Commit message | Author | Files | Lines |
|
* added SE_PRIV checks to access_check_samr_object() in order
to deal with the run-time security descriptor and their
interaction with user rights
* Reordered original patch in _samr_set_userinfo[2] to still
allow root/administrative password changes for users and machines.
(This used to be commit f9f9e6039bd9443d54445e41c3783a2be18925fb)
|
|
admins who never read what I write :-)
(This used to be commit 1d7a636e0e7f8a0bc3d3ae04b40f79db7f08d619)
|
|
Guenther
(This used to be commit d433c7b476005064b9cfd339bbd8a25b40de59c1)
|
|
Does automated migration from account_policy.tdb v1 and v2 and offers a
pdbedit-Migration interface. Jerry, please feel free to revert that if
you have other plans.
Guenther
(This used to be commit 75af83dfcd8ef365b4b1180453060ae5176389f5)
|
|
Added text explaining units in pdbedit time fields.
Jeremy.
(This used to be commit 3d09c15d8f06ad06fae362291a6c986f7b6107e6)
|
|
* define some const SE_PRIV structure for use when
you need a SE_PRIV* to a privilege
* fix an annoying compiler warning in smbfilter.c
* translate SIDs to names in 'net rpc rights list accounts'
* fix a seg fault in cli_lsa_enum_account_rights caused by
me forgetting the precedence of * vs. []
(This used to be commit d25fc84bc2b14da9fcc0f3c8d7baeca83f0ea708)
|
|
controls or extensions.
* Check and remember if ldapsam's LDAP Server supports paged results
(in preparation of adding async paged-results to set|get|end-sampwent in
ldapsam).
Guenther
(This used to be commit ced58bd8849cdef78513674dff1b1ec331945aa9)
|
|
privileges RPC calls
(This used to be commit 3f4f2c80fd157796a7ba56f31f921e8a3ce46bc3)
|
|
(not enforced yet though)
* add 'enable privileges' (off by default) to control whether or
not any privileges can be assigned to SIDs
(This used to be commit cf63519169d2f3c56a6acf46b9257f4c11d5ea74)
|
|
* rewrote the tdb layout of privilege records in account_pol.tdb
(allow for 128 bits instead of 32 bit flags)
* migrated to using SE_PRIV structure instead of the PRIVILEGE_SET
structure. The latter is now used for parsing routines mainly.
Still need to incorporate some client support into 'net' so
for setting privileges. And make use of the SeAddUserPrivilege
right.
(This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
|
|
(This used to be commit ccdff4a998405544433aa32938963e4c37962fcc)
|
|
parsing bugs related to that code
(This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
|
|
(This used to be commit 4b351f2fcc365a7b7f8c22b5139c299aa54c9458)
|
|
(This used to be commit 340d7f317332f159460d04db8ccc75116c83d234)
|
|
(based on Simo's code in trunk). Rewritten with the
following changes:
* privilege set is based on a 32-bit mask instead of strings
(plans are to extend this to a 64 or 128-bit mask before
the next 3.0.11preX release).
* Remove the privilege code from the passdb API
(replication to come later)
* Only support the minimum amount of privileges that make
sense.
* Rewrite the domain join checks to use the SeMachineAccountPrivilege
instead of the 'is a member of "Domain Admins"?' check that started
all this.
Still todo:
* Utilize the SePrintOperatorPrivilege in addition to the 'printer admin'
parameter
* Utilize the SeAddUserPrivilege for adding users and groups
* Fix some of the hard coded _lsa_*() calls
* Start work on enough of SAM replication to get privileges from one
Samba DC to another.
* Come up with some management tool for manipulating privileges
instead of user manager since it is buggy when run on a 2k client
(haven't tried xp). Works ok on NT4.
(This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
|
|
return the appropriate reg value. Enforcement to be added soon.
Also, fix account policy tdb upgrade so it doesn't just wipe out everything
that was in there from a previous version.
(This used to be commit ccae934cf9de4b234bac324b8d878c8ec7862f67)
|
|
when we have it in smb_msleep.
Jeremy.
(This used to be commit 465c207ffbcd5ee859faee282ef220a6c72e4eeb)
|
|
* In an application with signals, it was possible for functions to block
indefinitely while awaiting timeouts. This patch ensures that if a system
call with a timeout is aborted and needs to be restarted, it is restarted
with a timeout which is adjusted for the amount of time already waited.
Jeremy.
(This used to be commit 3a0d426764ab8bac561a47329500a03a52a00fa3)
|
|
to prevent uninitialized creds being freed.
Jeremy.
(This used to be commit c3f9c81a8fcb26f7110f75b3096d5d1eb30aac13)
|
|
Jeremy.
(This used to be commit c5a8bf3335606c070e1c74f339ea4c22d0adfa57)
|
|
earlier malloc changes.
Jeremy.
(This used to be commit da7ef2517162740bc61a81ae814d48348aa513d5)
|
|
configure.in tests and code for sendfile on AIX.
Jeremy.
(This used to be commit f08aceb9882fb1df1e1e28179f87ac5c3d5afa45)
|
|
Jeremy
(This used to be commit efc1b688cf9b1a17f1a6bf46d481280ed8bd0c46)
|
|
retry-loop.
This fixes a deadlock-situation when ldapsam is used with the ldapi
interface: getpeername won't fail while trying to detect dead
connections on unix domain sockets. When the ldapi-connection was closed
server-side (due to OpenLDAP's idletimeout) we *never* got a new LDAP
connection.
Guenther
(This used to be commit ac8032bacff10451fa03f155d43f0d20389512fa)
|
|
(This used to be commit ad8fdcc6fdb08d206d324a152300933661c72c4b)
|
|
tells the
AFS client when to throw away a token.
Thanks,
Volker
(This used to be commit 836a8277b2281bcdb6eab8339b05bec61b49eb74)
|
|
Thanks,
Volker
(This used to be commit 207625c7ab8ce41d7b59981e6a767dc299178335)
|
|
Jeremy.
(This used to be commit ec9606f00b52eb0d3a1a4c5eb98d171660ef19ad)
|
|
Jeremy.
(This used to be commit 6b25a6e088390d33314ca69c8f17c869cec3904b)
|
|
This was a missing merge from HEAD or rather a commit to 3_0 from the wrong
source. Fixed slightly over HEAD, HEAD merge will follow.
Deal with connection refused according to the specs.
Volker
(This used to be commit 7230cb87eba2c296217bb0255893c55ae5d695d3)
|
|
is reset to C to get ASCII-compatible toupper/lower functions.
Jeremy.
(This used to be commit 8e1b1693abf1e6eb46b23a5fa56776fc2ede7982)
|
|
been in the
bitmap code for ever. Remove silly extra space in paranoid malloc.
Jeremy.
(This used to be commit 0a7d17bc9b178628da371e627014412e9bef5d42)
|
|
allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
|
|
Jeremy.
(This used to be commit a1e5a2a6ab1abc9add7a606e2e3f2d6c88dcf96c)
|
|
change the way we check for errors after a dlopen (which
may set internal warnings which get picked up by mistake
in dlsym).
Jeremy
(This used to be commit 6711cb8b02f96d04af82d30b1274f76dc5461dc2)
|
|
consistent
enum type for Protocol extern.
Jeremy.
(This used to be commit 65dfae7ea45d4c9452b2a08efa09b01d870142f3)
|
|
already sent the
header using send(). As our implementation of sendfile can't return EINTR (it
restarts in that case) use an errno of EINTR to signal the linux sendfile fail
after header case. When that happens send the rest of the data and then turn
off sendfile. Sendfile should be safe to enable on all systems now (even though
it may not help in all performance cases).
Jeremy.
(This used to be commit 78236382f7ffe08d7924907be49493779521837f)
|
|
Guenther
(This used to be commit 412ff4a129c5e719aa4d4e4856500ff59c82b939)
|
|
Jeremy.
(This used to be commit ac9b91d805c3ee68119d4b25ab05ed043f0ab8f1)
|
|
simultaneously to all
DCs found. The first one to reply wins.
Volker
(This used to be commit 84ac54aef2bd56b5c889d3b05b8828aceb8ae00e)
|
|
abartlet, I'd like to ask you to take a severe look at this!
We have solved the problem to find the global groups a user is in twice: Once
in auth_util.c and another time for the corresponding samr call. The attached
patch unifies these and sends them through the passdb backend (new function
pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further
optimize the corresponding call if the samba and posix accounts are unified by
issuing a specialized ldap query.
The parameter to activate this ldapsam behaviour is
ldapsam:trusted = yes
Volker
(This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
|
|
backends such as nss_ldap.
Volker
(This used to be commit a8bd0b75042f73b753fc1cb8a52e6e90372fd1fe)
|
|
Jeremy
(This used to be commit 089a76f611187e2ba4c3363b657905d04576109e)
|
|
Guenther
(This used to be commit 14a0292250ee9975618b68701a48c72195286d85)
|
|
fix the modules too... First step in fixing out large directories
problem.
Jeremy.
(This used to be commit 344e9dd33a936b429fefb67cd748ac009a1bab10)
|
|
session
setups on its way to open a pipe. This gets rid of many round-trips to the
LDAP server during logon by setting up the server_info_guest once and not
asking the LDAP server and nss every time. Make sure that the ldap connection
is reopened in the child. (I did not look at the sql backends.)
Volker
(This used to be commit 3298f6105e6a88c9390cac02245c8f2eee1e5046)
|
|
is not
correct anymore. If we actually open the tdb before the fork, we end up
opening the tdb twice. Jerry, jra, this also happens in the locking and
printing subsystems. You might want to check it there (not that it actually
happens right now, but this gave me some confusion lately...).
Volker
(This used to be commit 40cad9dcc14ddec0ce74bb9010d13bd82e4d10af)
|
|
standard_sub_snum() to use the current user's gid; add some (snum == -1) checks to standard_sub_advanced()
(This used to be commit 8c3fd1908d201e9891878ff4c3259ed9690dff97)
|
|
<bill+samba@bfccomputing.com>.
Jeremy.
(This used to be commit 4fd314243e82d9c55bc9849a722424d45553013e)
|
|
I've been grumbling about under-efficient calls in SAMR, and finally
got around to fixing some of them.
We now call sys_getgroups() (which in turn calls initgroups(), until
glibc 3.4 is released) to figure out a user's group membership. This
is far, far more efficient than scanning all the groups looking for a
match, and is still the 'posix way', just using an efficient call.
The separate issue of 'who is in this group' remains, but this one has
been biting some people.
I need to talk to VL about how best to exercise nasty corner cases,
but my initial tests hold strong. (The code is also much simpler
than before, which has to count for something :-)
Andrew Bartlett
(This used to be commit dc19f161698dab5b71d61fa2bacc7e7b8da5fbba)
|