Age | Commit message (Collapse) | Author | Files | Lines |
|
This was only affecting the newer versions of usrmgr.exe, because they
use a user_info_25 struct. The password is getting set separately
inside that code, so the password last set time was getting set from the
password change logic.
We also were not parsing a number of fields (like logon hours) from the
user_info_25. That should also be fixed.
(This used to be commit afabd68b6ae874aceba708dc36808ed007ad496c)
|
|
return values of some alias-releated pdb functions from BOOL to NTSTATUS
Thanks :-)
(This used to be commit 590d2164b3a33250410338771e160f6ebd1aa89d)
|
|
(This used to be commit 2c5b951eba509e826a29775db992aca474476484)
|
|
r22412 | obnox | 2007-04-20 14:23:36 +0200 (Fr, 20 Apr 2007) | 5 lines
Add a "deletelocalgroup" subcommand to net sam.
Thanks to Karolin Seeger <ks@sernet.de>.
(This used to be commit fb6ac8a5b247a961963a9b6a95cd6608c5b53d09)
|
|
Jeremy.
(This used to be commit c3df5d08dd6a983f9d53dc6628a50e571d322e8d)
|
|
Jeremy.
(This used to be commit 18f47f999d28af56e205cd20d10c72ff6f0a3846)
|
|
calls. No functional changes. Looks bigger than it is :-).
Jeremy.
(This used to be commit f6fa3080fee1b20df9f1968500840a88cf0ee592)
|
|
(This used to be commit cc38ffb9a45b008ab7bbc3299610bd0dfec13aa9)
|
|
Allows authorized users (e.g. BUILTIN\Administrators members) to
set attributes on an account, particularly "user cannot change
password".
add become_root() around updating attributes, after checking that
access has been granted.
(This used to be commit b1ab360519a1f67f50446ca8599e5b7aa58e7db3)
|
|
which matches what samba4 has.
also fix all the callers to prevent compiler warnings
metze
(This used to be commit fa322f0cc9c26a9537ba3f0a7d4e4a25941317e7)
|
|
winbind
who did not run the idle events to drop ldap connections.
Volker
(This used to be commit af3308ce5a21220ff4c510de356dbaa6cf9ff997)
|
|
when changing how memory is allocated.
(This used to be commit 78bf4042dd22bf063846c58729d5b64be3fce8a8)
|
|
builtin
domain. Without this patch we leaked a DISPINFO for the (NULL) domain per
samr_connect*() call.
Volker
(This used to be commit 4423880ff47a94074c625a4f4f81c3b516faa644)
|
|
(This used to be commit f63189907efe857ef51ff91470ddb8d21b9a41fa)
|
|
comment :-)
(This used to be commit fad2ee8aa3e99c31a0632a80b4a64dedb6e01495)
|
|
them. It just does not make sense to do a querydispinfo on an alias handle...
This fixes a memleak: Every samr_connect*() call leaked a DISP_INFO for the
(NULL) sid.
More cleanup pending: Essentially, we only need the DISP_INFO cache for the
get_global_sam_sid() domain. BUILTIN is fixed and small enough, and there are
no other domains around where enumerations could happen.
This also removes the explicit builtin_domain flags. I don't think this is
worth it. If this makes a significant difference, then we have a *VERY* tuned
RPC layer...
Jeremy, please check this. If it's ok, we might want to merge it across.
Volker
(This used to be commit 0aceda68a825788895759e79de55b080ad3f971d)
|
|
The two culprits were
* pdb_get_account_policy()
* pdb_get_group_sid()
(This used to be commit 6a69caf6907fad01b13aa4358ce5c62506f98495)
|
|
password at next logon" code. The "password last set time" of zero now
means "user must change password", because that's how windows seems to
use it. The "can change" and "must change" times are now calculated
based on the "last set" time and policies.
We use the "can change" field now to indicate that a user cannot change
a password by putting MAX_TIME_T in it (so long as "last set" time isn't
zero). Based on this, we set the password-can-change bit in the
faked secdesc.
(This used to be commit 21abbeaee9b7f7cff1d34d048463c30cda44a2e3)
|
|
renames to the same name
(This used to be commit 4faa5004fb7e5814bf8a97cfe8d0b443f0acdb8d)
|
|
* autogenerate lsa ndr code
* rename 'enum SID_NAME_USE' to 'enum lsa_SidType'
* merge a log more security descriptor functions from
gen_ndr/ndr_security.c in SAMBA_4_0
The most embarassing thing is the "#define strlen_m strlen"
We need a real implementation in SAMBA_3_0 which I'll work on
after this code is in.
(This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
|
|
(This used to be commit e6e54125003373f83e6900668ceb9981e8620776)
|
|
(This used to be commit 761cbd52f0cff6b864c506ec03c94039b6101ef9)
|
|
independently: Change
internal mapping.c functions to return NTSTATUS instead of BOOL.
Volker
(This used to be commit 4ebfc30a28a6f48613098176c5acdfdafbd2941a)
|
|
argument.
Volker
(This used to be commit 873a5a1211d185fd50e7167d88cbc869f70dfd3f)
|
|
Jeremy.
(This used to be commit 06aea05c52ee770a2dd6465e9e2fcd0ccd8c811d)
|
|
and if we do
an update_sam_account later on, we want to also set it using the delete/add
method. As the idealx tools use the replace method, they don't care about what
has been in there before.
Jerry, this is a likely 3.0.23b candidate. Not merging, it's your call :-)
Volker
(This used to be commit f002a3633892fc040f0a6d076723c660bb82a41a)
|
|
when viewing or modifying local group membership.
(This used to be commit 41e30a9666e1fb736cd2ba8a5ad9285fcde50d47)
|
|
* Make sure to lower case all usernames before
calling the create, delete, or rename hooks.
* Preserve case for usernames in passdb
* Flush the getpwnam cache after renaming a user
* Add become/unbecome root block in _samr_delete_dom_user()
when trying to verify the account's existence.
(This used to be commit bbe11b7a950e7d85001f042bbd1ea3bf33ecda7b)
|
|
Reuse can_create() to prevent renameing a group to
an existing user or group.
(This used to be commit ce7091fda1eb3c7ea0900f455cec48c3b95a17f6)
|
|
(This used to be commit 7d619f127ee70fdd486ffaab4546a53d76a2288c)
|
|
to do the upper layer directories but this is what
everyone is waiting for....
Jeremy.
(This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
|
|
Jeremy.
(This used to be commit 5c5ea3152f8dbdfd7717b65e035191ffed3ec548)
|
|
Jeremy.
(This used to be commit 433d7a1bc91ff479934a256ff84e6866e16d1f85)
|
|
Jeremy.
(This used to be commit 16e42b446bea171c3ad848aefaa92c7404aade42)
|
|
1177
In reg_perfcount.c: 1200 1202 1203 1204
In regfio.c: 1243 1245 1246 1247 1251
Jerry, the reg_perfcount and regfio.c ones, can you take a look please? This
is really your code, and I'm not sure I did the right thing to return an
error.
smbcacls.c: 1377
srv_eventlog_nt.c: 1415 1416 1417
srv_lsa_nt.c: 1420 1421
srv_netlog_nt.c: 1429
srv_samr_nt: 1458 1459 1460
Volker
Volker
(This used to be commit d6547d12b1c9f9454876665a5bdb010f46b9f5ff)
|
|
reason but to increase fidelity with W2k3. Tom Bork has raised valid concerns
that Unix scripts might rely on the account names being lower-case, so keep
that. We might later decide to only lower-case the unix name passed to
'add [user|group] script' but keep the passdb entry upper-case. But there are
enough user-visible changes in 3_0 already so that we should push this off to
a later date.
Tom, waiting for more bug reports from you ;-))
Thanks for insisting!
Volker
(This used to be commit bc78cca290559c5ca7623b9f6d9933e32668b9c4)
|
|
enough of
SetUserInfo level 25 to survive the join method XP uses if the user did not
exist before. For good taste this contains way too much cut&paste, but for a
real fix there is just not enough time.
Up to 3.0.22 we completely ignored that a full level 21 is being sent together
with level 25, but we got away with that because on creation we did not set
the "disabled" flag on the workstation account. Now we correctly follow W2k3
in this regard, and we end up with a disabled workstation after join.
Man, I hate rpc_parse/. The correct fix would be to import PIDL generated samr
parsing, but this is would probably be a bit too much for .23...
Thanks to Tom Bork for finding this one.
Volker
(This used to be commit 5a37aba10551456042266443cc0a92f28f8c3d0d)
|
|
samr_query_domain_info(2) for consistency reasons.
Guenther
(This used to be commit 870495e2c8628deee0498e68cc1d93abfbc56da4)
|
|
difference between samr_query_domain_info and samr_query_domain_info2,
wrap the info2 call around the info call. There have been various "could
not access LDAP when not root" bugs lurking around in
samr_query_domain_info2 anyway.
Guenther
(This used to be commit 3e181b46bea87797d654d57a6c8231cba6ff5a7b)
|
|
Guenther
(This used to be commit 6ed7d7fa70e3f750f921192c0f75594d608875b7)
|
|
Also return the hostname for the level 6 call (to be consistent with the
server name in level 2).
Guenther
(This used to be commit 41b72e77ae70c96de4659af6b4b6bd842dd67981)
|
|
name eversince instead of the domain name when we are a DC.
Yes, there are applications relying on this call to be correct.
Guenther
(This used to be commit 26dd22c9af8caf3db236984e4683ba210376ca59)
|
|
Guenther
(This used to be commit 6c4fe819c69f281915ad0f4c3bde4dfb194aa33a)
|
|
* Finally fix parsing idmap uid/gid ranges not to break with spaces
surrounding the '-'
* Allow local groups to renamed by adding info level 2 to
_samr_set_aliasinfo()
* Fix parsing bug in _samr_del_dom_alias() reply
* Prevent root from being deleted via Samba
* Prevent builting groups from being renamed or deleted
* Fix bug in pdb_tdb that broke renaming user accounts
* Make sure winbindd is running when trying to create the Administrators
and Users BUILTIN groups automatically from smbd (and not just check the
winbind nexted groups parameter value).
* Have the top level rid allocator verify that the RID it is about to
grant is not already assigned in our own SAM (retries up to 250 times).
This fixes passdb with existing SIDs assigned to users from the RID algorithm
but not monotonically allocating the RIDs from passdb.
(This used to be commit db1162241f79c2af8afb7d8c26e8ed1c4a4b476f)
|
|
group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes'
* Add a SID domain to the group mapping enumeration passdb call
to fix the checks for local and builtin groups. The SID can be
NULL if you want the old semantics for internal maintenance.
I only updated the tdb group mapping code.
* remove any group mapping from the tdb that have a
gid of -1 for better consistency with pdb_ldap.c.
The fixes the problem with calling add_group_map() in
the tdb code for unmapped groups which might have had
a record present.
* Ensure that we distinguish between groups in the
BUILTIN and local machine domains via getgrnam()
Other wise BUILTIN\Administrators & SERVER\Administrators
would resolve to the same gid.
* Doesn't strip the global_sam_name() from groups in the
local machine's domain (this is required to work with
'winbind default domain' code)
Still todo.
* Fix fallback Administrators membership for root and domain Admins
if nested groups = no or winbindd is not running
* issues with "su - user -c 'groups'" command
* There are a few outstanding issues with BUILTIN\Users that
Windows apparently tends to assume. I worked around this
presently with a manual group mapping but I do not think
this is a good solution. So I'll probably add some similar
as I did for Administrators.
(This used to be commit 612979476aef62e8e8eef632fa6be7d30282bb83)
|
|
that counts.
Jeremy.
(This used to be commit aa85ba4f3799ffbe5c6f84f768f03a4c68d879dc)
|
|
removed, I presume by mistake, by Jerry in the recent
patch the removes the primary group SID stuff.
set_user_info_21 is called to update many other things
like the description of a user for example (that's what
failed on me).
Jerry, please review this one.
(This used to be commit 239a37d201168d095f600042b1ffcd047f18ba8a)
|
|
* Fix a couple of related parsing issues.
* in the info3 reply in a samlogon, return the ACB-flags (instead of
returning zero)
Guenther
(This used to be commit 5b89e8bc24f0fdc8b52d5c9e849aba723df34ea7)
|
|
* ignore the primary group SID attribute from struct samu*
* generate the primary group SID strictlky from the Unix
primary group when dealing with passdb users
* Fix memory leak in original patch caused by failing to free a
talloc *
* add wrapper around samu_set_unix() to prevent exposing the create
BOOL to callers. Wrappers are samu_set_unix() and samu-allic_rid_unix()
(This used to be commit bcf269e2ec6630b78d909010fabd3b69dd6dda84)
|
|
"rename user script" to do the rename of the posix machine account (this
might be changed later). Fixes #2331.
Guenther
(This used to be commit b2eac2e6eb6ddd1bcb4ed5172e7cd64144c18d16)
|