path: root/source3/rpc_client/cli_lsarpc.c
Age | Commit message | Author | Files | Lines
2007-10-10 | r23627: Allow to pass down the lookup-level to rpccli_lsa_lookup_names(). | Günther Deschner | 1 | -1/+2
Guenther (This used to be commit e9a7512a9f630340004913f1379452eea8a9b6ae)
2007-10-10 | r23400: Fix lsa crash bug #4683. The "names" enum struct | Jeremy Allison | 1 | -13/+7
in a lookup_sidX reply isn't optional - like the lookup_sidX query it needs to be defined in the struct. All this will go away with PIDL (thank goodness....). Jerry - I think this is a showstopper to be merged for 3.0.25b. I'll be watching the build farm to see if anything broke. Jeremy. (This used to be commit 9300b92f7a51eb80fdc039d8dad23ea9ce82aa8f)
2007-10-10 | r23082: Ooops - that portion of the last checkin was by accident. | Michael Adam | 1 | -2/+2
Before committing that, I have to verify that it does not break anything... Michael (This used to be commit 55ea93d47e72d13b7e6d6900eea5da1e9a49ff8d)
2007-10-10 | r23081: Reorder the lsa_lookup_sids functions so that the order makes more ↵ | Michael Adam | 1 | -113/+113
sense... (This used to be commit 374dea8c6f5192224ee46e0c3c9b63221028858e)
2007-10-10 | r23073: In the internal rpccli_lsa_lookup_sids_noalloc(), use a temporary | Michael Adam | 1 | -8/+16
talloc context for use with the actual rpc query and response. So the parent context does not get flooded by the possibly large amount of response data (when looking up a lot of sids). Note: It is not possible to simply use the names and domains arrays as talloc contexts for the talloc_strdup calls, because from rpccli_lsa_lookup_sids_all, this is called with names + offset and domains + offset where names and domains are talloced arrays for the complete response. (This used to be commit 8e60900c5c5fccbe1718b805b6b1628d32b920d0)
2007-10-10 | r23070: The lsa rpc lookup sids call has a maximum number of SIDS to be | Michael Adam | 1 | -0/+201
looked up at one time. This limit is at 20480 for w2k3. Our rpccli_lsa_lookup_sids function ignores this limit, so when we give the server too long a list of SIDs, then we will get nothing back. Since typically rpccli_lsa_lookup_sids is given one SID (or a small number of SIDS), this did not do harm up to now. But since I want to use lsa_lookup_sids in a subsequent modification to winbindd_ads.c:lookup_groupmem to get rid of a vast number of dn_lookup calls to the server, I had to make sure we do it correctly. I have added a function rpccli_lsa_lookup_sids_all that has the same prototype but internally splits the list of SIDs up into hunks of a (conservative, hard coded) 1000 SIDs each for a first go. If this approach is agreed upon, the new function could replace the original rpccli_lsa_lookup_sids function. Michael (This used to be commit 66ff0bc6c39f86a9830dc508cd891e33638b475d)
2007-10-10 | r22589: Make TALLOC_ARRAY consistent across all uses. | Jeremy Allison | 1 | -42/+62
Jeremy. (This used to be commit 8968808c3b5b0208cbad9ac92eaf948f2c546dd9)
2007-10-10 | r22537: Use a (more speaking) macro when there is one. | Michael Adam | 1 | -1/+1
(This used to be commit 2eec760154a4126df616a3c078b7741c57239c86)
2007-10-10 | r18747: replace rpccli_lsa_close() with rpccli_lsa_Close() | Gerald Carter | 1 | -8/+0
(This used to be commit 50d74ce0488a9bd0980cdc6d523a210f6238ef74)
2007-10-10 | r18654: Rename "struct uuid" => "struct GUID" for consistency. | Jelmer Vernooij | 1 | -3/+3
(This used to be commit 5de76767e857e9d159ea46e2ded612ccd6d6bf19)
2007-10-10 | r18405: Now that POLICY_HND == struct policy_handle, we can | Gerald Carter | 1 | -8/+1
make rpccli_lsa_close() a real one line wrapper for rpccli_lsa_Close(). I'm still keeping the wrapper for now because I'm not sure what we will do about a usable client API. I don't think calling the autogenerated client code directly is a good idea as the IDL is still evolving. (This used to be commit 47f0c71218ade18cb94b48661f064e8956e06096)
2007-10-10 | r18404: * swap from POLICY_HND to the struct policy_handle from ndr/misc.h | Gerald Carter | 1 | -10/+0
* move OUR_HANDLE macro to include/rpc_misc.h (This used to be commit 2b37079af2f569df7a58878150a61980c6fe06ee)
2007-10-10 | r18397: Change rpccli_lsa_close() as a wrapper for the autogenerated | Gerald Carter | 1 | -25/+8
rpccli_lsa_Close(). (This used to be commit 365c75603d9130f46dd40ab46e14f3c91c687c65)
2007-10-10 | r18271: Big change: | Gerald Carter | 1 | -6/+6
* autogenerate lsa ndr code
* rename 'enum SID_NAME_USE' to 'enum lsa_SidType'
* merge a lot more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0
The most embarrassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2007-10-10 | r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need | Jeremy Allison | 1 | -19/+19
to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2007-10-10 | r16644: Fix bug #3887 reported by jason@ncac.gwu.edu | Jeremy Allison | 1 | -6/+8
by converting the lookup_XX functions to correctly return SID_NAME_TYPE enums. Jeremy. (This used to be commit ee2b2d96b60c668e37592c79e86c2fd851e15f69)
2007-10-10 | r16335: Fix Klocwork IDs 107 108 109 111 112 113 114 116 117 118 121 | Volker Lendecke | 1 | -0/+6
(This used to be commit 555984ea772730a5752905f1130e0bf6ec48207f)
2007-10-10 | r15041: Adding rpc client calls to manipulate auditing policies on remote CIFS | Günther Deschner | 1 | -17/+122
servers. Also add a new "net rpc audit" tool. The lsa query infolevels were taken from samba4 IDL, the lsa policy flags and categories are partly documented on msdn. I need to cleanup the double lsa_query_info_policy{2}{_new} calls next. Guenther (This used to be commit 0fed66926f4b72444abfc8ffb8c46cca8d0600aa)
2007-10-10 | r14784: Fix coverity bug #274. Null deref. | Jeremy Allison | 1 | -12/+33
Jeremy. (This used to be commit f88f2d93686ba6bd317b7bc935888e75b7999c83)
2007-10-10 | r13475: Fix erroneous initialization caused by my renaming types. | Jeremy Allison | 1 | -1/+1
Jeremy. (This used to be commit e8e2fc79b4afd6625e1d50e23b31eb49f67526d9)
2007-10-10 | r13316: Let the carnage begin.... | Gerald Carter | 1 | -10/+101
Sync with trunk as of r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10 | r11854: Remove unused DOM_SID. | Günther Deschner | 1 | -1/+1
Guenther (This used to be commit 8609484ff65aaf075d2f768960246dad398855a4)
2007-10-10 | r11336: Start to get my control back :-). Volker, I think | Jeremy Allison | 1 | -20/+58
Andrew Bartlett is right - making lsa code do it the netlogon way, not vice-versa. Jeremy. (This used to be commit f313757e36215cb3dd956e4a73de6d30258a6974)
2007-10-10 | r10656: BIG merge from trunk. Features not copied over | Gerald Carter | 1 | -562/+161
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10 | r7415: * big change -- volker's new async winbindd from trunk | Gerald Carter | 1 | -35/+122
(This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8)
2007-10-10 | r7391: - Added client-support for various lsa_query_trust_dom_info-calls and a | Günther Deschner | 1 | -0/+195
rpcclient-tester for some info-levels. Jerry, I tried to adopt to prs_pointer() where possible and to not interfere with your work for usrmgr. - Add "net rpc trustdom vampire"-tool. This allows to retrieve Interdomain Trust(ed)-Relationships from NT4-Servers including cleartext-passwords (still stored in the local secrets.tdb). The net-hook was done in cooperation with Lars Mueller <lmuelle@suse.de>. To vampire trusted domains simply call: net rpc trustdom vampire -S nt4dc -Uadmin%pass Guenther (This used to be commit 512585293963a1737f831af697ea1dc092d63cb0)
2007-10-10 | r6228: remove BUFHDR2 and clean up LsaEnumTrustedDomains() | Gerald Carter | 1 | -55/+35
Tested client and server code. (This used to be commit efb3ac4c69c72c0fa01c558951fa357893562bce)
2007-10-10 | r6071: * clean up UNISTR2_ARRAY ( really just an array of UNISTR4 + count ) | Gerald Carter | 1 | -6/+11
* add some backwards compatibility to 'net rpc rights list'
* verify privilege name in 'net rpc rights privileges <name>' in order to give back better error messages.
(This used to be commit 0e29dc8aa384dfa6d2495beb8a9ffb5371e60a13)
2007-10-10 | r5726: merge LsaLookupPrivValue() code from trunk | Gerald Carter | 1 | -6/+6
(This used to be commit 277203b5356af58ce62eb4eec0db2eccadeeffd6)
2007-10-10 | r4849: * finish SeAddUsers support in srv_samr_nt.c | Gerald Carter | 1 | -3/+6
* define some const SE_PRIV structure for use when you need a SE_PRIV* to a privilege
* fix an annoying compiler warning in smbfilter.c
* translate SIDs to names in 'net rpc rights list accounts'
* fix a seg fault in cli_lsa_enum_account_rights caused by me forgetting the precedence of * vs. []
(This used to be commit d25fc84bc2b14da9fcc0f3c8d7baeca83f0ea708)
2007-10-10 | r4821: finish off 'net rpc rights [list|grant|revoke]' | Gerald Carter | 1 | -4/+12
one small todo item is to add a 'accounts' sub option to 'net rpc list' so enumerate all privileged SIDs and their associated rights. (This used to be commit bf4385c79a0ce2e4983ffa11d39367dbf1d4dcfd)
2007-10-10 | r4736: small set of merges from trunk to minimize the diffs | Gerald Carter | 1 | -0/+58
(This used to be commit 4b351f2fcc365a7b7f8c22b5139c299aa54c9458)
2007-10-10 | r4724: Add support for Windows privileges in Samba 3.0 | Gerald Carter | 1 | -3/+3
(based on Simo's code in trunk). Rewritten with the following changes:
* privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release).
* Remove the privilege code from the passdb API (replication to come later)
* Only support the minimum amount of privileges that make sense.
* Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this.
Still todo:
* Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter
* Utilize the SeAddUserPrivilege for adding users and groups
* Fix some of the hard coded _lsa_*() calls
* Start work on enough of SAM replication to get privileges from one Samba DC to another.
* Come up with some management tool for manipulating privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4.
(This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2007-10-10 | r4561: This looks a lot larger than it is, this is to reduce the clutter on ↵ | Volker Lendecke | 1 | -18/+18
future patches. Pass down the pipe_idx down to all functions in cli_pipe where nt_pipe_fnum is referenced. First step towards having multiple pipes on a cli_struct. The idea is to not have a single nt_pipe_fnum but an array for the pipes we support. Volker (This used to be commit 93eab050201d4e55096a8820226749f001597b5d)
2007-10-10 | r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵ | Jeremy Allison | 1 | -25/+18
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10 | r196: merging struct uuid from trunk | Gerald Carter | 1 | -2/+2
(This used to be commit 911a28361b9d8dd50597627f245ebfb57c6294fb)
2004-01-08 | This merges in my 'always use ADS' patch. Tested on a mix of NT and ADS | Andrew Bartlett | 1 | -40/+48
domains, this patch ensures that we always use the ADS backend when security=ADS, and the remote server is capable. The routines used for this behaviour have been upgraded to modern Samba coding standards. This is a change in behaviour for mixed mode domains, and if the trusted domain cannot be reached with our current krb5.conf file, we will show that domain as disconnected. This is in line with existing behaviour for native mode domains, and for our primary domain. As a consequence of testing this patch, I found that our kerberos error handling was well below par - we would often throw away useful error values. These changes move more routines to ADS_STATUS to return kerberos errors. Also found when valgrinding the setup, fix a few memory leaks. While sniffing the resultant connections, I noticed we would query our list of trusted domains twice - so I have reworked some of the code to avoid that. Andrew Bartlett (This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
2004-01-05 | rpc_client/cli_lsarpc.c: | Andrew Bartlett | 1 | -1/+1
rpc_parse/parse_lsa.c: nsswitch/winbindd_rpc.c: nsswitch/winbindd.h: - Add const libads/ads_ldap.c: - Cleanup function for use nsswitch/winbindd_ads.c: - Use new utility function ads_sid_to_dn - Don't search for 'dn=', rather call the ads_search_retry_dn() nsswitch/winbindd_ads.c: include/rpc_ds.h: rpc_client/cli_ds.c: - Fixup braindamage in cli_ds_enum_domain_trusts(): - This function was returning a UNISTR2 up to the caller, and was doing nasty (invalid, per valgrind) things with memcpy() - Create a new structure that represents this information in a useful way and use talloc. Andrew Bartlett (This used to be commit 06c3f15aa166bb567d8be0a8bc4b095b167ab371)
2003-10-22 | In cli_lsa_lookup_sids don't leave the domain field uninitialized if | Volker Lendecke | 1 | -0/+1
some sid could not be mapped. Otherwise this call is unnecessarily complicated to call. Volker (This used to be commit 1337338522242a430b3c5655ffdff3f701fbfcce)
2003-10-06 | split some security related functions in their own files. | Simo Sorce | 1 | -3/+3
(no need to include all of smbd files to use some basic sec functions) also minor compile fixes couldn't compile to test these due to some kerberos problems with 3.0, but on HEAD they're working well, so I suppose it's ok to commit (This used to be commit c78f2d0bd15ecd2ba643bb141cc35a3405787aa1)
2003-02-25 | Merge: const fixes. | Tim Potter | 1 | -2/+3
(This used to be commit a20aba09996e470425a151271237f2d48a8302af)
2003-01-29 | Merge tridge's client priv code from HEAD. | Jeremy Allison | 1 | -4/+49
Jeremy (This used to be commit 49739be1e2f047fa2cc2fd42eadb190a82114485)
2003-01-28 | Merging tridge's privilege client changes from HEAD. | Jeremy Allison | 1 | -0/+40
Jeremy. (This used to be commit 30a33920b4d834edc877cc0080291fbda983083a)
2003-01-15 | merging some rpcclient and net functionality from HEAD | Gerald Carter | 1 | -0/+57
(This used to be commit 7a4c87484237308cb3ad0d671687da7e0f6e733b)
2002-10-04 | merge of new client side support the Win2k LSARPC UUID in rpcbind | Gerald Carter | 1 | -1/+1
from APP_HEAD (This used to be commit 1cfd2ee433305e91e87804dd55d10e025d30a69e)
2002-08-12 | Add lsa 0x2e (queryinfo2) client side | Jim McDonough | 1 | -0/+86
(This used to be commit c3b05b21a0340d8ff02a79401399e3d43d9e759a)
2002-08-05 | This fixes a number of ADS problems, particularly with netbiosless | Andrew Tridgell | 1 | -2/+3
setups.
- split up the ads structure into logical pieces. This makes it much easier to keep things like the authentication realm and the server realm separate (they can be different).
- allow ads callers to specify that no sasl bind should be performed (used by "net ads info" for example)
- fix an error with handing ADS_ERROR_SYSTEM() when errno is 0
- completely rewrote the code for finding the LDAP server. Now try DNS methods first, and try all DNS servers returned from the SRV DNS query, sorted by closeness to our interfaces (using the same sort code as we use in replies from WINS servers). This allows us to cope with ADS DCs that are down, and ensures we don't pick one that is on the other side of the country unless absolutely necessary.
- recognise dnsRecords as binary when displaying them
- cope with the realm not being configured in smb.conf (work it out from the LDAP server)
- look at the trustDirection when looking up trusted domains and don't include trusts that trust our domains but we don't trust theirs.
- use LDAP to query the alternate (netbios) name for a realm, and make sure that both long and short forms of the name are accepted by winbindd. Use the short form by default for listing users/groups.
- rescan the list of trusted domains every 5 minutes in case new trust relationships are added while winbindd is running
- include transient trust relationships (ie. C trusts B, B trusts A, so C trusts A) in winbindd.
- don't do a gratuitous node status lookup when finding an ADS DC (we don't need it and it could fail)
- remove unused sid_to_distinguished_name function
- make sure we find the alternate name of our primary domain when operating with a netbiosless ADS DC (using LDAP to do the lookup)
- fixed the rpc trusted domain enumeration to support up to approx 2000 trusted domains (the old limit was 3)
- use the IP for the remote_machine (%m) macro when the client doesn't supply us with a name via a netbios session request (eg. port 445)
- if the client uses SPNEGO then use the machine name from the SPNEGO auth packet for remote_machine (%m) macro
- add new 'net ads workgroup' command to find the netbios workgroup name for a realm
(This used to be commit e358d7b24c86a46d8c361b9e32a25d4f71a6dc00)
2002-08-02 | Moved rpc client routines from libsmb back to rpc_client where they belong. | Tim Potter | 1 | -0/+1169
(This used to be commit cb946b5dadf3cfd21bf584437c6a8e9425f6d5a7)
2001-11-16 | I *love* removing code :-). Removed 4 files that weren't being used. | Jeremy Allison | 1 | -693/+0
All this stuff was being pulled in due to *one* unneeded call to fetch a domain SID which smbpasswd already puts in the database... Jeremy. (This used to be commit 6bf2505cce7db770fd4db5b19999a78588e96b58)
2001-10-02 | Removed 'extern int DEBUGLEVEL' as it is now in the smb.h header. | Tim Potter | 1 | -2/+0
(This used to be commit 2d0922b0eabfdc0aaf1d0797482fef47ed7fde8e)