summaryrefslogtreecommitdiff
path: root/source3/rpc_parse
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r4946: Our notion the other_sids in the info3 SamLogon struct wasVolker Lendecke1-12/+33
...hmmm... completely bogus. This does not affect us as a domain controller, as we never set other_sids, but I have *no* idea how winbind got away with it. Please review thoroughly, samba4 idl looks closer to reality here. Test case: Member of w2k3 domain, authenticate as a user who is member of one or more domain local groups. Easiest review with 'client schannel = no'. Thanks, Volker (This used to be commit a0a6388830d9457de3e42686c64bddeba42954f8)
2007-10-10r4875: Fix for bugid #221, inspired by Mrinal Kalakrishnan <mail@mrinal.net>.Jeremy Allison1-13/+69
NT sometimes send garbage bytes in NT security descriptor linearizations when sending well-known sids. Cope with these. Jeremy. (This used to be commit 51b34bb536fdb18c99da1e151eba03ea634e0449)
2007-10-10r4868: Add "net rpc user RENAME"-command.Günther Deschner1-2/+51
Note that Samba3 does not yet support it server-side. Guenther (This used to be commit b2c8220931733593fd312fc25b6c73f440b4567a)
2007-10-10r4746: add server support for lsa_enum_acct_rights(); last checkin for the nightGerald Carter1-0/+27
(This used to be commit ccdff4a998405544433aa32938963e4c37962fcc)
2007-10-10r4742: add server support for lsa_add/remove_account_rights() and fix some ↵Gerald Carter1-4/+4
parsing bugs related to that code (This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
2007-10-10r4724: Add support for Windows privileges in Samba 3.0Gerald Carter1-12/+69
(based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2007-10-10r4668: allow the caller to invoke init_unistr2() with a NULL buffer to match ↵Gerald Carter1-0/+8
previous behavior; more checks to come tomorrow (This used to be commit 9a29bef056f92ef6f1df01f56c121088f84be16b)
2007-10-10r4656: Convert the winreg pipe to use WERROR returns (as it should).Jeremy Allison1-25/+25
Also fix return of NT_STATUS_NO_MORE_ENTRIES should be ERROR_NO_MORE_ITEMS reported by "Marcin Porwit" <mporwit@centeris.com>. Jeremy. (This used to be commit 511cdec60d431d767fb02f68ca5ddd4ddb59e64a)
2007-10-10r4601: Removed any use of the MAX_XXX_STR style definitions. A little largerJeremy Allison2-78/+71
change than I'd hoped for due to formating changes to tidy up code. Jeremy. (This used to be commit a348f9221a9fe719dc6f0db6eb295575c2f95e1e)
2007-10-10r4336: Apply some other samba4 SAMR idl that is just too obvious. Don't hardGünther Deschner1-6/+4
set the value "forcibly disconnect remote users from server when logon hours expire" to "no", instead take the value from our account-policy storage. Guenther (This used to be commit e3bd2a22a5cebc4adf6910d3ec31bc6fada8cd35)
2007-10-10r4331: Implement SAMR query_dom_info-call info-level 8 server- and client-side,Günther Deschner1-5/+42
based on samba4-idl. This saves us an enormous amount of totally unnecessary ldap-traffic when several hundreds of winbind-daemons query a Samba3 DC just to get the fake SAM-sequence-number (time(NULL)) by enumerating all users, all groups and all aliases when query-dom-info level 2 is used. Note that we apparently never get the sequence number right (we parse a uint32, although it's a uint64, at least in samba4 idl). For the time being, I would propose to stay with that behaviour. Guenther (This used to be commit f9ab15a986626581000d4b93961184c501f36b93)
2007-10-10r4287: Vampire SAM_DELTA_DOMAIN_INFO.Günther Deschner2-12/+96
Based on samba4-idl. The decoding of account-lockout-string is somewhat experimental though. Guenther (This used to be commit 721bf50d7446b8ce18bc1d45e17d4214d5a43d26)
2007-10-10r4286: Give back 8 byte lm_session_key in Netrsamlogon-reply.Günther Deschner1-6/+20
The old #ifdef JRATEST-block was copying 16 bytes and thus overwriting acct_flags with bizarre values, breaking a lot of things. This patch is successfully running in a production environment for quite some time now and is required to finally allow Exchange 5.5 to access another Exchange Server when both are running on NT4 in a samba-controlled domain. This also allows Exchange Replication to take place, Exchange Administrator to access other Servers in the network, etc. Fixes Bugzilla #1136. Thanks abartlet for helping me with that one. Guenther (This used to be commit bd4c5125d6989cebc90152a23e113b345806c660)
2007-10-10r4219: Fix samba3 samr "idl"... According to samba4 idl samr_DomInfo2 contains aVolker Lendecke1-17/+6
comment string and not an unknown 12 byte structure... Found after abartlet's smbtorture extended this string to "Tortured by Samba4: Fri Nov 26 15:40:18 2004 CET" ;-)) Volker (This used to be commit b41d94d8186f66136918432cf32e9dcef5a8bd12)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison11-306/+239
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r4005: Fix for bug #2071 reported by Jason Mader <jason@ncac.gwu.edu>.Jeremy Allison1-1/+1
Use correct enum type for comparisons. Jeremy. (This used to be commit b926480d053e42205e959b9808a6e3bb90db9ce5)
2007-10-10r3928: Fix duplicate call to pdb_get_acct_desc(). Bugzilla #2080.Tim Potter1-1/+1
(This used to be commit 3ebfd137b2d8f393874561046ef79f4d9a8cae52)
2007-10-10r3645: Allow deldriverex in rpcclient to delete drivers for a specificGünther Deschner1-2/+8
architecture and a specific version. Guenther (This used to be commit a24df09386f177e625fb99c975896cbe7a594b4b)
2007-10-10r3639: patch from Martin Zielinski <mz@seh.de> to add DeleteDriverEx() ↵Gerald Carter1-0/+24
function to rpcclient (This used to be commit cfd51c02447f7b42cffcaf4cc6179237d58c8229)
2007-10-10r2476: now that PRINTER_ATTRIBUTE_PUBLISHED does not get reset anymore, migrateGünther Deschner1-0/+30
the publishing-state for migrated printers as well. Therefor added client-side-support for setprinter level 7. Next will be a "net rpc printer publish"-command (just for completeness). Guenther (This used to be commit 224920738fdc65ef170152062177421cfed85bbf)
2007-10-10r2396: Fix bug found by Cornelio Bondad Jr <Corny.Bondad@hp.com>.Jeremy Allison1-5/+3
To correct “net rpc vampire” core dump. Jeremy. (This used to be commit cd910ffc510f2007c2619d7a4d31e5e41de7d1d1)
2007-10-10r1692: first commit :)Günther Deschner2-14/+69
* add IA64 to the architecture table of printer-drivers * add new "net"-subcommands: net rpc printer migrate {drivers|printers|forms|security|settings|all} [printer] net rpc share migrate {shares|files|all} [share] this is the first part of the migration suite. this will will (once feature-complete) allow to do 1:1 server-cloning in the best possible way by making heavy use of samba's rpc_client-functions. all migration-steps are implemented as rpc/smb-client-calls; net communicates via rpc/smb with two servers at the same time (a remote, source server and a destination server that currently defaults to the local smbd). this allows e. g. printer-driver migration including driverfiles, recursive mirroring of file-shares including file-acls, etc. almost any migration step can be called with a migrate-subcommand to provide more flexibility during a migration process (at the cost of quite some redundancy :) ). "net rpc printer migrate settings" is still in a bad condition (many open questions that hopefully can be adressed soon). "net rpc share migrate security" as an isolated call to just migrate share-ACLs will be added later. Before playing with it, make sure to use a test-server. Migration is a serious business and this tool-set can perfectly overwrite your existing file/print-shares. * along with the migration functions had to make I the following changes: - implement setprinter level 3 client-side - implement net_add_share level 502 client-side - allow security descriptor to be set in setprinterdata level 2 serverside guenther (This used to be commit 8f1716a29b7e85baf738bc14df7dabf03762f723)
2007-10-10r1492: Rework our random number generation system.Andrew Bartlett1-1/+1
On systems with /dev/urandom, this avoids a change to secrets.tdb for every fork(). For other systems, we now only re-seed after a fork, and on startup. No need to do it per-operation. This removes the 'need_reseed' parameter from generate_random_buffer(). Andrew Bartlett (This used to be commit 36741d3cf53a7bd17d361251f2bb50851cdb035f)
2007-10-10r1202: This hopefully fixes our memory use when unmarshalling strings. The ↵Volker Lendecke1-1/+4
test case was 'rpcclient -c "enumprinters 2"' with 4000 printers. At some point this completely exploded in memory usage. For every string we talloc'ed memory up to the end of the buffer. -> O(n^2). This survives valgrind with this number of printers. It might also have influence on winbind with a large number of users. All those who dare to look at samba3 rpc code, could you please take a look? I know this is a burden, but I would like comments ;-))) Volker (This used to be commit af251f4ea63c584604972e1c8add83e65046de80)
2007-10-10r1125: Remove bougus comments. (The real fix was to the sealed pipe padding)Andrew Bartlett1-2/+1
Andrew Bartlett (This used to be commit 61768f4cb3a268ce30911b15b30f82de36716b5f)
2007-10-10r991: Allow winbindd to use the domain trust account passwordGerald Carter1-6/+61
for setting up an schannel connection. This solves the problem of a Samba DC running winbind, trusting a native mode AD domain, and needing to enumerate AD users via wbinfo -u. (This used to be commit e9f109d1b38e0b0adec9b7e9a907f90a79d297ea)
2007-10-10r977: Implement 'net rpc group rename' -- rename domain groups.Volker Lendecke1-0/+46
Volker (This used to be commit 9ceff803278bdbc09cb5ab678a108cea24ab49a9)
2007-10-10r704: BUG 1315: fix for schannel client connections to server's that don't ↵Gerald Carter1-5/+15
support 128 bit encryption (This used to be commit 316ba5ad89ddfa445d44d28141c5901fc64aec90)
2007-10-10r480: Added Andrew Bartletts pwinfo-parse-error.patch.Jeremy Allison1-3/+3
Jeremy. (This used to be commit b9e79004a4c1e4a472f0627d2c33c966af22ccd2)
2007-10-10r196: merging struct uuid from trunkGerald Carter6-52/+65
(This used to be commit 911a28361b9d8dd50597627f245ebfb57c6294fb)
2007-10-10r69: Global rename of 'nt_session_key' -> 'user_session_key'. The session ↵Andrew Bartlett1-3/+3
key could be anything, and may not be based on anything 'NT'. This is also what microsoft calls it. (This used to be commit 724e8d3f33719543146280062435c69a835c491e)
2007-10-10r39: * importing .cvsignore filesGerald Carter1-2/+0
* updateing WHATSNEW with vl's change (This used to be commit a7e2730ec4389e0c249886a8bfe1ee14c5abac41)
2004-04-02Implement NETLOGON GetDCName client side. You can ask a DC for the name ofVolker Lendecke1-0/+84
a DC it trusts. Volker (This used to be commit ae6840320ff47827c2817549fe3133a57e3fe77f)
2004-03-24fixes for prnadmin.dll APIGerald Carter1-1/+1
* force the PRINTER_ATTRIBUTE_LOCAL (nor PRINTER_ATTRIBUTE_NETWORK) * ensure that we return the sec_desc in smb_io_printer_info_2 (allows prnui.dll to restore security descriptors from a data file). (This used to be commit c335cb80d2e4c687279b7a6038a97518770ccae9)
2004-02-28Add 'net rpc group [add|del]mem' for domain groups and aliases.Volker Lendecke1-3/+3
Volker (This used to be commit e597420421e085b17dcdc062c5900518d0d4e685)
2004-02-24Add 'net rpc group add'. For this parse_samr.c had to be changed: TheVolker Lendecke1-4/+4
group_info4 in set_dom_group_info also has the level in the record itself. This seems not to be an align. Tested with NT4 usrmgr.exe. It can still create a domain group on a samba machine. Volker (This used to be commit 76c75bb8a7ad2a2e719dbbe997abf8aefe2fbbb4)
2004-02-12More sync between passdb on 3.0 and HEAD.Jim McDonough1-15/+10
Replace unknown_3 with fields_present. Also causes rpc_samr structure field changes. (This used to be commit 1976843345efb6ca4f9cebd964a61acd8ae11d41)
2004-02-08Make more functions static, and remove duplication in the use of functionsAndrew Bartlett1-1/+1
in lib/smbpasswd.c that were exact duplicates of functions in passdb/passdb.c (These should perhaps be pulled back out to smbpasswd.c, but that can occour later). Andrew Bartlett (This used to be commit fcdc5efb1e245c8fa95cd031f67ec56093b9056e)
2004-01-26This adds client-side support for the unicode/SAMR password change scheme.Andrew Bartlett1-7/+7
As well as avoiding DOS charset issues, this scheme returns useful error codes, that we can map back via the pam interface. This patch also cleans up the interfaces used for password buffers, to avoid duplication of code. Andrew Bartlett (This used to be commit 2a2b1f0c872d154fbcce71a250e23dfad085ba1e)
2004-01-14source/rpc_parse/parse_prs.c ZERO_STRUCTP(ps) not needed as it is doneHerb Lewis1-1/+0
in prs_init now testsuite/printing/psec.c cannot do a prs_mem_free() when tdb_prs_fetch fails as the prs structure has not been initialized (This used to be commit a363e5d8c549861329506bd87c11d82ace5520e5)
2004-01-09fix some warnings from the Sun compilerGerald Carter1-4/+4
(This used to be commit ebabf72a78f0165521268b73e0fcabe1ea7834fd)
2004-01-07commiting jra's fix for Exchange clear test authGerald Carter1-1/+2
(This used to be commit 344e113368cb46fc4d26107d1cd276e4c76a6a9b)
2004-01-05rpc_client/cli_lsarpc.c:Andrew Bartlett1-2/+2
rpc_parse/parse_lsa.c: nsswitch/winbindd_rpc.c: nsswitch/winbindd.h: - Add const libads/ads_ldap.c: - Cleanup function for use nsswitch/winbindd_ads.c: - Use new utility function ads_sid_to_dn - Don't search for 'dn=', rather call the ads_search_retry_dn() nsswitch/winbindd_ads.c: include/rpc_ds.h: rpc_client/cli_ds.c: - Fixup braindamage in cli_ds_enum_domain_trusts(): - This function was returning a UNISTR2 up to the caller, and was doing nasty (invalid, per valgrind) things with memcpy() - Create a new structure that represents this informaiton in a useful way and use talloc. Andrew Bartlett (This used to be commit 06c3f15aa166bb567d8be0a8bc4b095b167ab371)
2003-12-29Add the alignment required before all 2-byte quantities in NDR. Allows usAndrew Bartlett1-0/+3
to correctly parse plaintext netlogon calls with odd-length passwords Andrew Bartlett (This used to be commit de3c3cbeeb8b674ffc0dd8fe16913f15edcf9022)
2003-12-10Fix UNISTR2 length bug in LsaQueryInfo(3) that cause SID resolution to fail ↵Gerald Carter1-1/+1
on local files on on domain members; bug 875 (This used to be commit c6594e35573186966a4d57404f1c06b98670db06)
2003-12-05fixed a problem with "net rpc vampire" mis-parsing the alias memberAndrew Tridgell1-4/+4
info reply Thanks to a bug report by 'musb' (This used to be commit 310f90f3689d4acd16368a833f23ea5f9aaa0133)
2003-12-04* fix RemoveSidForeignDomain() ; bug 252Gerald Carter1-6/+6
* don't fall back to unmapped UNIX group for get_local_group_from_sid() * remove an extra become/unbecome_root() pair from group enumeration (This used to be commit da12bbdb0dd9179b1ed457fa009679e2da4a8440)
2003-11-22Add support for variable-length session keys in our client code.Andrew Bartlett1-11/+11
This means that we now support 'net rpc join' with KRB5 (des based) logins. Now, you need to hack 'net' to do that, but the principal is important... When we add kerberos to 'net rpc', it should be possible to still do user management and the like over RPC. (server-side support to follow shortly) Andrew Bartlett (This used to be commit 9ecf9408d98639186b283f1acf0fac46417547d0)
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett2-13/+18
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-11-17Fix from Andrew Bartlett to fix up the munged-dial problem.Jeremy Allison2-6/+16
Jeremy. (This used to be commit 703b1b76e25fc83b3b84767c0e1b64c97c21bf09)