summaryrefslogtreecommitdiff
path: root/source3/rpc_client
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r4849: * finish SeAddUsers support in srv_samr_nt.cGerald Carter1-3/+6
* define some const SE_PRIV structure for use when you need a SE_PRIV* to a privilege * fix an annoying compiler warngin in smbfilter.c * translate SIDs to names in 'net rpc rights list accounts' * fix a seg fault in cli_lsa_enum_account_rights caused by me forgetting the precedence of * vs. [] (This used to be commit d25fc84bc2b14da9fcc0f3c8d7baeca83f0ea708)
2007-10-10r4821: finish off 'net rpc rights [list|grant|revoke]'Gerald Carter1-4/+12
one small todo item is to add a 'accounts' sub option to 'net rpc list' so enumerate all privileged SIDs and their associated rights. (This used to be commit bf4385c79a0ce2e4983ffa11d39367dbf1d4dcfd)
2007-10-10r4751: This is a domain policy, not a user oneVolker Lendecke1-2/+2
(This used to be commit a24df21e66aeafb15e22f9ed4df7d9dded3e3b52)
2007-10-10r4750: Fix cli_samr_queryuseraliases. There can be more than one sid, thus ↵Volker Lendecke1-2/+10
more than one pointer... Volker (This used to be commit f2f08b64a53f6efd3154ff2656ecacc86872a18c)
2007-10-10r4736: small set of merges from rtunk to minimize the diffsGerald Carter1-0/+58
(This used to be commit 4b351f2fcc365a7b7f8c22b5139c299aa54c9458)
2007-10-10r4724: Add support for Windows privileges in Samba 3.0Gerald Carter1-3/+3
(based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2007-10-10r4656: Convert the winreg pipe to use WERROR returns (as it should).Jeremy Allison1-5/+5
Also fix return of NT_STATUS_NO_MORE_ENTRIES should be ERROR_NO_MORE_ITEMS reported by "Marcin Porwit" <mporwit@centeris.com>. Jeremy. (This used to be commit 511cdec60d431d767fb02f68ca5ddd4ddb59e64a)
2007-10-10r4570: Replace cli->nt_pipe_fnum with an array of NT file numbers, one for eachVolker Lendecke1-26/+26
supported pipe. Netlogon is still special, as we open that twice, one to do the auth2, the other one with schannel. The client interface is completely unchanged for those who only use a single pie. cli->pipe_idx is used as the index for everything except the "real" client rpc calls, which have been explicitly converted in my last commit. Next step is to get winbind to just use a single smb connection for multiple pipes. Volker (This used to be commit dc294c52e0216424236057ca6cd35e1ebf51d0da)
2007-10-10r4561: This looks a lot larger than it is, this is to reduce the clutter on ↵Volker Lendecke13-145/+145
future patches. Pass down the pipe_idx down to all functions in cli_pipe where nt_pipe_fnum is referenced. First step towards having multiple pipes on a cli_struct. The idea is to not have a single nt_pipe_fnum but an array for the pipes we support. Volker (This used to be commit 93eab050201d4e55096a8820226749f001597b5d)
2007-10-10r4286: Give back 8 byte lm_session_key in Netrsamlogon-reply.Günther Deschner1-3/+9
The old #ifdef JRATEST-block was copying 16 bytes and thus overwriting acct_flags with bizarre values, breaking a lot of things. This patch is successfully running in a production environment for quite some time now and is required to finally allow Exchange 5.5 to access another Exchange Server when both are running on NT4 in a samba-controlled domain. This also allows Exchange Replication to take place, Exchange Administrator to access other Servers in the network, etc. Fixes Bugzilla #1136. Thanks abartlet for helping me with that one. Guenther (This used to be commit bd4c5125d6989cebc90152a23e113b345806c660)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison6-79/+94
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r3645: Allow deldriverex in rpcclient to delete drivers for a specificGünther Deschner1-2/+2
architecture and a specific version. Guenther (This used to be commit a24df09386f177e625fb99c975896cbe7a594b4b)
2007-10-10r3639: patch from Martin Zielinski <mz@seh.de> to add DeleteDriverEx() ↵Gerald Carter1-0/+52
function to rpcclient (This used to be commit cfd51c02447f7b42cffcaf4cc6179237d58c8229)
2007-10-10r2935: This is a long-standing one in my patch-queue: A pair of net commandsVolker Lendecke1-0/+88
(usersidlist/allowedusers) to scan a file server's share and list all users who have permission to connect there. Volker (This used to be commit f7f84aa1ded70af3882e4122f34d5c7eed746993)
2007-10-10r2073: Adding getprinter level 7 to rpcclient.Günther Deschner1-0/+24
Is there any other rpc-call to get the guid of a published printer? Guenther (This used to be commit 944ad569c7a88e1d2f14311eed10f80ea9861963)
2007-10-10r1692: first commit :)Günther Deschner1-2/+4
* add IA64 to the architecture table of printer-drivers * add new "net"-subcommands: net rpc printer migrate {drivers|printers|forms|security|settings|all} [printer] net rpc share migrate {shares|files|all} [share] this is the first part of the migration suite. this will will (once feature-complete) allow to do 1:1 server-cloning in the best possible way by making heavy use of samba's rpc_client-functions. all migration-steps are implemented as rpc/smb-client-calls; net communicates via rpc/smb with two servers at the same time (a remote, source server and a destination server that currently defaults to the local smbd). this allows e. g. printer-driver migration including driverfiles, recursive mirroring of file-shares including file-acls, etc. almost any migration step can be called with a migrate-subcommand to provide more flexibility during a migration process (at the cost of quite some redundancy :) ). "net rpc printer migrate settings" is still in a bad condition (many open questions that hopefully can be adressed soon). "net rpc share migrate security" as an isolated call to just migrate share-ACLs will be added later. Before playing with it, make sure to use a test-server. Migration is a serious business and this tool-set can perfectly overwrite your existing file/print-shares. * along with the migration functions had to make I the following changes: - implement setprinter level 3 client-side - implement net_add_share level 502 client-side - allow security descriptor to be set in setprinterdata level 2 serverside guenther (This used to be commit 8f1716a29b7e85baf738bc14df7dabf03762f723)
2007-10-10r1553: Good patch from Guenther Deschner <gd@sernet.de> to display share ACLJeremy Allison1-0/+36
entries from rpcclient. Jeremy. (This used to be commit bd64f0c08143545a8613688402f769a713227557)
2007-10-10r1492: Rework our random number generation system.Andrew Bartlett1-2/+2
On systems with /dev/urandom, this avoids a change to secrets.tdb for every fork(). For other systems, we now only re-seed after a fork, and on startup. No need to do it per-operation. This removes the 'need_reseed' parameter from generate_random_buffer(). Andrew Bartlett (This used to be commit 36741d3cf53a7bd17d361251f2bb50851cdb035f)
2007-10-10r1380: adding debug message when encouting an ASU specific bug in an ↵Gerald Carter1-3/+5
rpc_bind reply (This used to be commit c6e73ff091b4d87111b33735400fdd10d4c8671c)
2007-10-10r991: Allow winbindd to use the domain trust account passwordGerald Carter2-5/+9
for setting up an schannel connection. This solves the problem of a Samba DC running winbind, trusting a native mode AD domain, and needing to enumerate AD users via wbinfo -u. (This used to be commit e9f109d1b38e0b0adec9b7e9a907f90a79d297ea)
2007-10-10r704: BUG 1315: fix for schannel client connections to server's that don't ↵Gerald Carter1-6/+18
support 128 bit encryption (This used to be commit 316ba5ad89ddfa445d44d28141c5901fc64aec90)
2007-10-10r485: fix compileGerald Carter1-3/+1
(This used to be commit 2cbcc07b7b1b78b1bed95bfd8b8fc34016553201)
2007-10-10r269: Patch from Krischan Jodies <kj@sernet.de>: Implement 'net rpc group ↵Volker Lendecke1-0/+92
delete'. Volker (This used to be commit ec321674961cc62c048b149ee19b6e36325c8eb3)
2007-10-10r196: merging struct uuid from trunkGerald Carter1-2/+2
(This used to be commit 911a28361b9d8dd50597627f245ebfb57c6294fb)
2007-10-10r39: * importing .cvsignore filesGerald Carter1-3/+0
* updateing WHATSNEW with vl's change (This used to be commit a7e2730ec4389e0c249886a8bfe1ee14c5abac41)
2004-04-02Implement NETLOGON GetDCName client side. You can ask a DC for the name ofVolker Lendecke1-0/+49
a DC it trusts. Volker (This used to be commit ae6840320ff47827c2817549fe3133a57e3fe77f)
2004-03-27Ensure we correctly set cli->nt_pipe_fnum on failure to correctly open theAndrew Bartlett1-0/+2
NT session. Andrew Bartlett (This used to be commit 01fff20e6e0212e9f70a5a66c3e46f7079b342f1)
2004-03-22remove unused variableGerald Carter1-2/+0
(This used to be commit 170c443b19604c3ec997ae494954c473e356e59d)
2004-03-19missed some of Derrel's changesGerald Carter1-1/+1
(This used to be commit 3aac1e549eaf4693ded84be432a2c94b6331ef6d)
2004-03-17asu/syntax/pc_netlink doesn't fill in the pipe name in the rpc_bind response ↵Gerald Carter1-0/+2
so dont check for it (This used to be commit 4d68d3d5ddeda9589f2e3387144fdac616bb791f)
2004-02-28Add 'net rpc group [add|del]mem' for domain groups and aliases.Volker Lendecke2-0/+277
Volker (This used to be commit e597420421e085b17dcdc062c5900518d0d4e685)
2004-02-24Add 'net rpc group add'. For this parse_samr.c had to be changed: TheVolker Lendecke1-0/+93
group_info4 in set_dom_group_info also has the level in the record itself. This seems not to be an align. Tested with NT4 usrmgr.exe. It can still create a domain group on a samba machine. Volker (This used to be commit 76c75bb8a7ad2a2e719dbbe997abf8aefe2fbbb4)
2004-01-26This adds client-side support for the unicode/SAMR password change scheme.Andrew Bartlett1-0/+90
As well as avoiding DOS charset issues, this scheme returns useful error codes, that we can map back via the pam interface. This patch also cleans up the interfaces used for password buffers, to avoid duplication of code. Andrew Bartlett (This used to be commit 2a2b1f0c872d154fbcce71a250e23dfad085ba1e)
2004-01-15BUG 972; check pointer in cli_ds_getprimarydominfo() before trying to copy a ↵Gerald Carter1-1/+1
structure (This used to be commit 1c15bfacb45d42873f3d7e7cb55ba2cbbbe33d26)
2004-01-08fix segfault when sid_ptr == 0 in DsEnumDomainTrusts() replyGerald Carter1-3/+3
(This used to be commit ba9dc0d9fd3e30a7ddf97b6a4df753db7ba12cc1)
2004-01-08This merges in my 'always use ADS' patch. Tested on a mix of NT and ADSAndrew Bartlett1-40/+48
domains, this patch ensures that we always use the ADS backend when security=ADS, and the remote server is capable. The routines used for this behaviour have been upgraded to modern Samba codeing standards. This is a change in behaviour for mixed mode domains, and if the trusted domain cannot be reached with our current krb5.conf file, we will show that domain as disconnected. This is in line with existing behaviour for native mode domains, and for our primary domain. As a consequence of testing this patch, I found that our kerberos error handling was well below par - we would often throw away useful error values. These changes move more routines to ADS_STATUS to return kerberos errors. Also found when valgrinding the setup, fix a few memory leaks. While sniffing the resultant connections, I noticed we would query our list of trusted domains twice - so I have reworked some of the code to avoid that. Andrew Bartlett (This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
2004-01-05Correctly handle per-pipe NTLMSSP inside a NULL session. Previously weAndrew Bartlett1-5/+12
would attempt to supply a password to the 'inside' NTLMSSP, which the remote side naturally rejected. Andrew Bartlett (This used to be commit da408e0d5aa29ca1505c2fd96b32deae9ed940c4)
2004-01-05rpc_client/cli_lsarpc.c:Andrew Bartlett2-8/+28
rpc_parse/parse_lsa.c: nsswitch/winbindd_rpc.c: nsswitch/winbindd.h: - Add const libads/ads_ldap.c: - Cleanup function for use nsswitch/winbindd_ads.c: - Use new utility function ads_sid_to_dn - Don't search for 'dn=', rather call the ads_search_retry_dn() nsswitch/winbindd_ads.c: include/rpc_ds.h: rpc_client/cli_ds.c: - Fixup braindamage in cli_ds_enum_domain_trusts(): - This function was returning a UNISTR2 up to the caller, and was doing nasty (invalid, per valgrind) things with memcpy() - Create a new structure that represents this informaiton in a useful way and use talloc. Andrew Bartlett (This used to be commit 06c3f15aa166bb567d8be0a8bc4b095b167ab371)
2003-11-25Do not add NTLM2 to the NTLMSSP flags unconditionally - allow theAndrew Bartlett1-8/+4
defaults specified by the caller to prevail. Don't use NTLM2 for RPC pipes, until we know how it works in signing or sealing. Call ntlmssp_sign_init() unconditionally in the client - we setup the session key, why not setup the rest of the data. Andrew Bartlett (This used to be commit 48123f7e42c3fde85887de23c80ceee04c2f6281)
2003-11-24strequal() returns a BOOL, not an int like strcmp(); this fixes a bug in ↵Gerald Carter1-2/+2
check_bind_response() (This used to be commit 5e062f72baad6f7a70f1a3c8cf190535ccacc89e)
2003-11-22Add support for variable-length session keys in our client code.Andrew Bartlett1-6/+6
This means that we now support 'net rpc join' with KRB5 (des based) logins. Now, you need to hack 'net' to do that, but the principal is important... When we add kerberos to 'net rpc', it should be possible to still do user management and the like over RPC. (server-side support to follow shortly) Andrew Bartlett (This used to be commit 9ecf9408d98639186b283f1acf0fac46417547d0)
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett3-19/+38
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-11-17This fixes a bug when establishing trust against a german W2k3 AD server. InVolker Lendecke1-1/+2
the bind response to WKSSVC it does not send \PIPE\ntsvcs as NT4 (did not check w2k) but \PIPE\wkssvc. I'm not sure whether we should make this check at all, so making it a bit more liberal should hopefully not really hurt. Volker (This used to be commit 029dcb351bcfab70ed0afa4acf4bd64316bfd757)
2003-10-24This commit was manufactured by cvs2svn to create branch 'SAMBA_3_0'.(This ↵cvs2svn Import User1-0/+104
used to be commit e569418861a867437cd5e2cce87ad82e752da3fb)
2003-10-24New files for support of initshutdown pipe. Win2k doesn't respond properlyJim McDonough1-0/+104
to all requests on the winreg pipe, so we need to handle this new pipe. First part of fix for bug #534 (This used to be commit 532fab74c12d8c55872c2bad2abead2647f919d7)
2003-10-22Merge from 3_0:Volker Lendecke1-0/+1
In cli_lsa_lookup_sids don't leave the domain field uninitialized if some sid could not be mapped. Otherwise this call is unnecessarily complicated to call. Volker (This used to be commit 198b01fc54ce7a5beeddc680b30da291639b4eda)
2003-10-22In cli_lsa_lookup_sids don't leave the domain field uninitialized ifVolker Lendecke1-0/+1
some sid could not be mapped. Otherwise this call is unnecessarily complicated to call. Volker (This used to be commit 1337338522242a430b3c5655ffdff3f701fbfcce)
2003-10-20Merge Volker's fix.Jeremy Allison1-0/+6
It's a perfectly valid condition to have zero alias members. Jeremy. (This used to be commit aa7fb71357921c9d1fa1d32e5eaff912428e4fdf)
2003-10-20It's a perfectly valid condition to have zero alias members.Volker Lendecke1-0/+6
Volker (This used to be commit ccdcd88732c99497fc563379df7837c35eba72be)
2003-10-18Add client side code to do endpoint map queries. Currently does oneJim McDonough1-0/+61
fixed query. Updates to come soon. (This used to be commit 3ca8240affba20bb26749354f59b83799b4f1e44)