summaryrefslogtreecommitdiff
path: root/source3/rpc_server/srv_samr_nt.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r4805: Last planned change to the privileges infrastructure:Gerald Carter1-3/+6
* rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2007-10-10r4736: small set of merges from rtunk to minimize the diffsGerald Carter1-2/+2
(This used to be commit 4b351f2fcc365a7b7f8c22b5139c299aa54c9458)
2007-10-10r4724: Add support for Windows privileges in Samba 3.0Gerald Carter1-22/+22
(based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2007-10-10r4646: Allow Account Lockout with Lockout Duration "forever" (until adminGünther Deschner1-3/+9
unlocks) to be set and displayed in User Manager. Guenther (This used to be commit 8fd7e26fa12a4102def630efa421fad70f3affb1)
2007-10-10r4579: small changes to allow the members og the Domain Admins group on the ↵Gerald Carter1-64/+134
Samba DC to join clients to the domain -- needs more testing and security review but does work with initial testing (This used to be commit 9ade9bf49c7125fb29658f943e9ebb6be9496180)
2007-10-10r4343: forgot to add info-level 8 to SAMR_UNKNOWN_2E as well.Günther Deschner1-0/+3
Guenther (This used to be commit 5e6ce9a6e3d62190da5427ed7b5e2f2ac22a0c34)
2007-10-10r4336: Apply some other samba4 SAMR idl that is just too obvious. Don't hardGünther Deschner1-3/+13
set the value "forcibly disconnect remote users from server when logon hours expire" to "no", instead take the value from our account-policy storage. Guenther (This used to be commit e3bd2a22a5cebc4adf6910d3ec31bc6fada8cd35)
2007-10-10r4331: Implement SAMR query_dom_info-call info-level 8 server- and client-side,Günther Deschner1-0/+3
based on samba4-idl. This saves us an enormous amount of totally unnecessary ldap-traffic when several hundreds of winbind-daemons query a Samba3 DC just to get the fake SAM-sequence-number (time(NULL)) by enumerating all users, all groups and all aliases when query-dom-info level 2 is used. Note that we apparently never get the sequence number right (we parse a uint32, although it's a uint64, at least in samba4 idl). For the time being, I would propose to stay with that behaviour. Guenther (This used to be commit f9ab15a986626581000d4b93961184c501f36b93)
2007-10-10r4222: Always compile before commit...Volker Lendecke1-1/+1
(This used to be commit 0f26ba5226fab5b86031a0df6fba16b8e6af6e7d)
2007-10-10r4219: Fix samba3 samr "idl"... According to samba4 idl samr_DomInfo2 contains aVolker Lendecke1-1/+1
comment string and not an unknown 12 byte structure... Found after abartlet's smbtorture extended this string to "Tortured by Samba4: Fri Nov 26 15:40:18 2004 CET" ;-)) Volker (This used to be commit b41d94d8186f66136918432cf32e9dcef5a8bd12)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison1-44/+37
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r3705: Nobody has commented, so I'll take this as an ack...Volker Lendecke1-5/+44
abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2007-10-10r3566: Completely replace the queryuseraliases call. The previous ↵Volker Lendecke1-44/+35
implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2007-10-10r2481: Patch from Igor Belyi <sambauser@katehok.ac93.org>. Ensure pdbJeremy Allison1-8/+9
user is deleted first before deleting UNIX user (LDAP backend needs this ordering). Jeremy. (This used to be commit 2815b31e013e517a58027ba74f118209caf4d85f)
2007-10-10r2369: Fix from Richard Renard <rrenard@idealx.com> to fix usermgr and trust ↵Jeremy Allison1-1/+11
relationships. Jeremy. (This used to be commit b910e530027c19c4e505314a91ffcb72f20d8f09)
2007-10-10r2331: check password script code and example from trunkSimo Sorce1-2/+2
(This used to be commit f836be323a233f3a28cbaa04c532e83ea98ead89)
2007-10-10r2093: Fix for Bug 1416. This must have been a cut&paste error from add_gid....Volker Lendecke1-3/+0
Thanks to Jonas Olsson for the bug report & fix. Volker (This used to be commit de0eaf7be7d0c3aaf4e17b63653ca68b4332c982)
2007-10-10r805: Fix to stop smbd hanging on missing group member from "Jianliang Lu" ↵Jeremy Allison1-5/+1
<j.lu@tiesse.com>. Jeremy. (This used to be commit d5fb5ba9df9fc0f9167e76402c59a971f52e1b1f)
2007-10-10r229: Don't list domain groups from BUILTIN.Volker Lendecke1-0/+7
Volker (This used to be commit b4429d97439e511d40901f809e3923945cb52221)
2007-10-10r196: merging struct uuid from trunkGerald Carter1-2/+2
(This used to be commit 911a28361b9d8dd50597627f245ebfb57c6294fb)
2007-10-10r145: pdb_create_alias now returns NTSTATUS. More of this to follow.Volker Lendecke1-2/+5
Volker (This used to be commit 6e18bed17093e0b1792f68817096e64e0e841f26)
2007-10-10r116: volker's patch for local group and group nestingGerald Carter1-271/+180
(This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2004-03-04There's a specific error message NT_STATUS_ALIAS_EXISTS.Volker Lendecke1-1/+1
(This used to be commit f0d99f318c67852ac5bf9b606faa115ad36a5f80)
2004-03-03more usrmgr fixes: display lockout timers in minutes, not seconds, for samr 2eJim McDonough1-2/+2
(This used to be commit 832674c099a3ff9bb747dba6235e47d40a930abd)
2004-02-29net_rpc.c: Don't complain if [add|del]mem was successful.Volker Lendecke1-1/+1
srv_samr_nt.c: Correctly report that a user is not member of an alias. Volker (This used to be commit 540f625036871e7facd094fce49d7317f65f4ffd)
2004-02-25Do the query part of the previous fix...reset time and duration are set in ↵Jim McDonough1-2/+2
minutes, not seconds. Works from usrmgr. (This used to be commit 98833a82facb0bc25d9ba6f4d4c1200627e98d6d)
2004-02-25reset time and duration are set in minutes, not seconds. Works from usrmgr.Jim McDonough1-2/+2
(This used to be commit 700049d9efefc7f8952cc60bc46ba8aa790a28ba)
2004-02-17Be able to set alias info for builtin as well.Volker Lendecke1-1/+2
Volker (This used to be commit 7a947ecdf56f2dd02811262372708f8a74bfedad)
2004-02-17In samr_lookup_names Windows does not return WKN_GRP(5) but ALIAS(4) whenVolker Lendecke1-1/+6
you search in BUILTIN. Match that. Volker (This used to be commit 2863b21d8a5933c309c51edb09fbda4e669e4890)
2004-02-16Cosmetic fix: Use sid_is_in_our_domain instead of doing it per hand.Volker Lendecke1-7/+3
Volker (This used to be commit 04639e8862c360e89faac8b80c63197d514b7455)
2004-02-02remerge andrew's cracklib patch from HEAD and fix a compile warningsGerald Carter1-3/+14
(This used to be commit b60f6ec30d05e4e5bba9934a416ddc8bc089824f)
2004-01-26This adds client-side support for the unicode/SAMR password change scheme.Andrew Bartlett1-2/+2
As well as avoiding DOS charset issues, this scheme returns useful error codes, that we can map back via the pam interface. This patch also cleans up the interfaces used for password buffers, to avoid duplication of code. Andrew Bartlett (This used to be commit 2a2b1f0c872d154fbcce71a250e23dfad085ba1e)
2004-01-15Bug 381: check builtin (not local) group SID. Patch from Jianliang Lu ↵Gerald Carter1-1/+1
<j.lu@tiesse.com> (This used to be commit 2fd2c07df42df42103e81f5eb39bd1778de6ca0a)
2004-01-14revert the cracklib changes until post 3.0.2Gerald Carter1-14/+3
(This used to be commit 6202e0fa727a4307f51bf42f5ced401a7c7b8214)
2004-01-12First stab at cracklib support (password quality checking) in Samba 3.0Andrew Bartlett1-3/+14
This adds a configure test, that tries to find out if we have a working cracklib installation, and tries to pick up the debian hints on where the dictionary might be found. Default is per my Fedora Core 1 system - I'm not sure how much it changes. Andrew Bartlett (This used to be commit bc770edb788f0b6f719011cda683f045b76b7ba5)
2004-01-09fix some warnings from the Sun compilerGerald Carter1-1/+1
(This used to be commit ebabf72a78f0165521268b73e0fcabe1ea7834fd)
2004-01-02Match Win2k, and return NT_STATUS_INVALID_PARAMETERAndrew Bartlett1-2/+2
if this parameter is not an account type Andrew Bartlett (This used to be commit faddf5d8f9821176f4367caaf61844980df9f79c)
2004-01-02JHT came up with a nasty (broken) torture case in preparing examples forAndrew Bartlett1-99/+50
his book. This prompted me to look at the code that reads the unix group list. This code did a lot of name -> uid -> name -> sid translations, which caused problems. Instead, we now do just name->sid I also cleaned up some interfaces, and client tools. Andrew Bartlett (This used to be commit f9e59f8bc06fae7e5c8cb0980947f78942dc25c0)
2003-12-16make sure we delete the group mapping before calling the delete group ↵Gerald Carter1-2/+4
script; patch from Jianliang Lu <j.lu@tiesse.com> (This used to be commit 19a8dd523a4ee50ba9066efd60a29cf3ba9ae419)
2003-12-10more group lookup access fixes on the neverending bug 281Gerald Carter1-1/+6
(This used to be commit 9359a6ea80d1228e87ea825a100a2d289c37162d)
2003-12-04* fix RemoveSidForeignDomain() ; bug 252Gerald Carter1-46/+81
* don't fall back to unmapped UNIX group for get_local_group_from_sid() * remove an extra become/unbecome_root() pair from group enumeration (This used to be commit da12bbdb0dd9179b1ed457fa009679e2da4a8440)
2003-12-02Match Win2k and return 'invalid parameter' for creating of a new account withAndrew Bartlett1-0/+6
account flags of 0. Andrew Bartlett (This used to be commit 601120f335b69e5b8a003038dfac00f3f234a5c1)
2003-11-24more access fixes for group enumeration in LDAP; bug 281Gerald Carter1-3/+5
(This used to be commit 68283407e0f366d8315f4be6caed67eb6fe84b85)
2003-11-23Add server-side support for variable-length session keys (as used byAndrew Bartlett1-9/+6
DES based krb5 logins). Andrew Bartlett (This used to be commit 240b0d178e1b4a3556207bdf2e342c70155f64ee)
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett1-3/+15
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-11-17* make sure we only enumerate group mapping entriesGerald Carter1-135/+44
(not /etc/group) even when doing local aliases * remove "hide local users" parameter; we have this behavior built into 3.0 (This used to be commit a7685a069766ac720f0b26fe01b0e17fc388fca3)
2003-11-07* only install swat html files onceGerald Carter1-3/+17
* revert the change that prevent the guest account from being added to a passdb backend since it broke the build farm. * apply patch from Alex Deiter to fix the "smbldap_open: cannot access when not root error" messages when looking up group information (bug 281) (This used to be commit 9b8bf6a950186bd95abe952af4a7d35829b34ff8)
2003-11-07Handle munged dial string. Patch from Aur?lien Degr?mont ↵Jeremy Allison1-1/+36
<adegremont@idealx.com>with memory leak fixes by me. Jeremy. (This used to be commit e591854eda8568ed1a4ad6b9de64e523c02b4392)
2003-09-25Fix for #480. Change the interface for init_unistr2 to not take a lengthJeremy Allison1-14/+9
but a flags field. We were assuming that 2*strlen(mb_string) == length of ucs2-le string. This is not the case. Count it after conversion. Jeremy. (This used to be commit f82c273a42f930c7152cfab84394781744815e0e)
2003-09-19Ensure that dup_sec_desc copies the 'type' field correctly. This causedJeremy Allison1-4/+4
me to expose a type arguement to make_sec_desc(). We weren't copying the SE_DESC_DACL_AUTO_INHERITED flag which could cause errors on auto inherited checks. Jeremy. (This used to be commit 28b315a7501f42928d73efaa75f74146ba95cf2d)
generated by cgit (git 2.34.1) at 2025-01-08 09:57:09 +0000