summaryrefslogtreecommitdiff
path: root/source3/rpc_server/srv_samr_nt.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r23616: Fix bugzilla #4719: must change password is not set from usrmgr.exe.Jim McDonough1-0/+9
This was only affecting the newer versions of usrmgr.exe, because they use a user_info_25 struct. The password is getting set separately inside that code, so the password last set time was getting set from the password change logic. We also were not parsing a number of fields (like logon hours) from the user_info_25. That should also be fixed. (This used to be commit afabd68b6ae874aceba708dc36808ed007ad496c)
2007-10-10r22786: Some cleanup by Karolin Seeger: Remove unused pdb_find_alias, and changeVolker Lendecke1-18/+15
return values of some alias-releated pdb functions from BOOL to NTSTATUS Thanks :-) (This used to be commit 590d2164b3a33250410338771e160f6ebd1aa89d)
2007-10-10r22767: Argl. Typed in 'svn ci' in the wrong branch. Revert.Volker Lendecke1-15/+18
(This used to be commit 2c5b951eba509e826a29775db992aca474476484)
2007-10-10r22766: Merge from 3_0:Volker Lendecke1-18/+15
r22412 | obnox | 2007-04-20 14:23:36 +0200 (Fr, 20 Apr 2007) | 5 lines Add a "deletelocalgroup" subcommand to net sam. Thanks to Karolin Seeger <ks@sernet.de>. (This used to be commit fb6ac8a5b247a961963a9b6a95cd6608c5b53d09)
2007-10-10r22587: Ensure TALLOC_ZERO_ARRAY is consistent.Jeremy Allison1-4/+8
Jeremy. (This used to be commit c3df5d08dd6a983f9d53dc6628a50e571d322e8d)
2007-10-10r22586: Add a modified version of Simo's patch.Jeremy Allison1-13/+28
Jeremy. (This used to be commit 18f47f999d28af56e205cd20d10c72ff6f0a3846)
2007-10-10r22542: Move over to using the _strict varients of the tallocJeremy Allison1-1/+1
calls. No functional changes. Looks bigger than it is :-). Jeremy. (This used to be commit f6fa3080fee1b20df9f1968500840a88cf0ee592)
2007-10-10r22505: Fix buildAlexander Bokovoy1-1/+1
(This used to be commit cc38ffb9a45b008ab7bbc3299610bd0dfec13aa9)
2007-10-10r22504: Fix bug Jerry found during his tutorial. Sorry :-(Jim McDonough1-1/+6
Allows authorized users (e.g. BUILTIN\Administrators members) to set attributes on an account, particularly "user cannot change password". add become_root() around updating attributes, after checking that access has been granted. (This used to be commit b1ab360519a1f67f50446ca8599e5b7aa58e7db3)
2007-10-10r22001: change prototype of dump_data(), so that it takes unsigned char * now,Stefan Metzmacher1-6/+6
which matches what samba4 has. also fix all the callers to prevent compiler warnings metze (This used to be commit fa322f0cc9c26a9537ba3f0a7d4e4a25941317e7)
2007-10-10r21784: Replace smb_register_idle_event() with event_add_timed(). This fixes ↵Volker Lendecke1-47/+32
winbind who did not run the idle events to drop ldap connections. Volker (This used to be commit af3308ce5a21220ff4c510de356dbaa6cf9ff997)
2007-10-10r21635: Don't free talloc()'d memory. I wish people would check the callersGerald Carter1-1/+1
when changing how memory is allocated. (This used to be commit 78bf4042dd22bf063846c58729d5b64be3fce8a8)
2007-10-10r21563: Fix a memleak: We only need dispinfo structs for "our" and for the ↵Volker Lendecke1-40/+41
builtin domain. Without this patch we leaked a DISPINFO for the (NULL) domain per samr_connect*() call. Volker (This used to be commit 4423880ff47a94074c625a4f4f81c3b516faa644)
2007-10-10r21551: Ok, this is more subtle. More tomorrow :-)Volker Lendecke1-65/+37
(This used to be commit f63189907efe857ef51ff91470ddb8d21b9a41fa)
2007-10-10r21550: make disp_info_list static to get_samr_dispinfo_by_sid(), add a ↵Volker Lendecke1-2/+18
comment :-) (This used to be commit fad2ee8aa3e99c31a0632a80b4a64dedb6e01495)
2007-10-10r21549: Only create DISP_INFO structs for domain handles, the others don't needVolker Lendecke1-35/+47
them. It just does not make sense to do a querydispinfo on an alias handle... This fixes a memleak: Every samr_connect*() call leaked a DISP_INFO for the (NULL) sid. More cleanup pending: Essentially, we only need the DISP_INFO cache for the get_global_sam_sid() domain. BUILTIN is fixed and small enough, and there are no other domains around where enumerations could happen. This also removes the explicit builtin_domain flags. I don't think this is worth it. If this makes a significant difference, then we have a *VERY* tuned RPC layer... Jeremy, please check this. If it's ok, we might want to merge it across. Volker (This used to be commit 0aceda68a825788895759e79de55b080ad3f971d)
2007-10-10r21507: Fix some "cannot access LDAP when no root" bugs.Gerald Carter1-10/+13
The two culprits were * pdb_get_account_policy() * pdb_get_group_sid() (This used to be commit 6a69caf6907fad01b13aa4358ce5c62506f98495)
2007-10-10r19058: Implement "user cannot change password", and complete "user must changeJim McDonough1-12/+106
password at next logon" code. The "password last set time" of zero now means "user must change password", because that's how windows seems to use it. The "can change" and "must change" times are now calculated based on the "last set" time and policies. We use the "can change" field now to indicate that a user cannot change a password by putting MAX_TIME_T in it (so long as "last set" time isn't zero). Based on this, we set the password-can-change bit in the faked secdesc. (This used to be commit 21abbeaee9b7f7cff1d34d048463c30cda44a2e3)
2007-10-10r18429: fix a regression renaming local group introduced by trying to handle ↵Gerald Carter1-0/+2
renames to the same name (This used to be commit 4faa5004fb7e5814bf8a97cfe8d0b443f0acdb8d)
2007-10-10r18271: Big change:Gerald Carter1-6/+6
* autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2007-10-10r17797: Just say "ok" when trying to rename a local group to its same name.Gerald Carter1-4/+11
(This used to be commit e6e54125003373f83e6900668ceb9981e8620776)
2007-10-10r17554: CleanupVolker Lendecke1-3/+3
(This used to be commit 761cbd52f0cff6b864c506ec03c94039b6101ef9)
2007-10-10r17468: To minimize the diff later on, pre-commit some changes ↵Volker Lendecke1-3/+3
independently: Change internal mapping.c functions to return NTSTATUS instead of BOOL. Volker (This used to be commit 4ebfc30a28a6f48613098176c5acdfdafbd2941a)
2007-10-10r17451: Change pdb_getgrsid not to take a DOM_SID but a const DOM_SID * as anVolker Lendecke1-3/+3
argument. Volker (This used to be commit 873a5a1211d185fd50e7167d88cbc869f70dfd3f)
2007-10-10r17439: Fix logic error in checking TALLOC return. Spotted by Volker.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 06aea05c52ee770a2dd6465e9e2fcd0ccd8c811d)
2007-10-10r17364: Another NT4 join bug: The idealx tools set the primary group sid, ↵Volker Lendecke1-15/+12
and if we do an update_sam_account later on, we want to also set it using the delete/add method. As the idealx tools use the replace method, they don't care about what has been in there before. Jerry, this is a likely 3.0.23b candidate. Not merging, it's your call :-) Volker (This used to be commit f002a3633892fc040f0a6d076723c660bb82a41a)
2007-10-10r17217: Fix a couple of "smbldap_open(): Cannot open when not root" bugsGerald Carter1-1/+7
when viewing or modifying local group membership. (This used to be commit 41e30a9666e1fb736cd2ba8a5ad9285fcde50d47)
2007-10-10r17150: MMC User & group plugins fixes:Gerald Carter1-7/+25
* Make sure to lower case all usernames before calling the create, delete, or rename hooks. * Preserve case for usernames in passdb * Flush the getpwnam cache after renaming a user * Add become/unbecome root block in _samr_delete_dom_user() when trying to verify the account's existence. (This used to be commit bbe11b7a950e7d85001f042bbd1ea3bf33ecda7b)
2007-10-10r16954: Volker reminded me we already have code to do this check.Gerald Carter1-8/+4
Reuse can_create() to prevent renameing a group to an existing user or group. (This used to be commit ce7091fda1eb3c7ea0900f455cec48c3b95a17f6)
2007-10-10r16953: Don't allow groups to be renamed to an existing user or other groupGerald Carter1-5/+22
(This used to be commit 7d619f127ee70fdd486ffaab4546a53d76a2288c)
2007-10-10r16945: Sync trunk -> 3.0 for 3.0.24 code. Still needJeremy Allison1-6/+11
to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2007-10-10r16678: Fix bug #3898 reported by jason@ncac.gwu.edu.Jeremy Allison1-4/+12
Jeremy. (This used to be commit 5c5ea3152f8dbdfd7717b65e035191ffed3ec548)
2007-10-10r16646: Fix bug #3888 reported by Jason Mader <jason@ncac.gwu.edu>.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 433d7a1bc91ff479934a256ff84e6866e16d1f85)
2007-10-10r16544: Fix bug #3864 reported by jason@ncac.gwu.edu.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 16e42b446bea171c3ad848aefaa92c7404aade42)
2007-10-10r16409: Fix Klocwork ID's.Volker Lendecke1-5/+18
1177 In reg_perfcount.c: 1200 1202 1203 1204 In regfio.c: 1243 1245 1246 1247 1251 Jerry, the reg_perfcount and regfio.c ones, can you take a look please? This is really your code, and I'm not sure I did the right thing to return an error. smbcacls.c: 1377 srv_eventlog_nt.c: 1415 1416 1417 srv_lsa_nt.c: 1420 1421 srv_netlog_nt.c: 1429 srv_samr_nt: 1458 1459 1460 Volker Volker (This used to be commit d6547d12b1c9f9454876665a5bdb010f46b9f5ff)
2007-10-10r16065: Re-add a strlower_m(account) in samr_create_user that was dropped for noVolker Lendecke1-0/+2
reason but to increase fidelity with W2k3. Tom Bork has raised valid concerns that Unix scripts might rely on the account names being lower-case, so keep that. We might later decide to only lower-case the unix name passed to 'add [user|group] script' but keep the passdb entry upper-case. But there are enough user-visible changes in 3_0 already so that we should push this off to a later date. Tom, waiting for more bug reports from you ;-)) Thanks for insisting! Volker (This used to be commit bc78cca290559c5ca7623b9f6d9933e32668b9c4)
2007-10-10r16060: This is one of the more dirty patches I've put in lately. Parse ↵Volker Lendecke1-0/+52
enough of SetUserInfo level 25 to survive the join method XP uses if the user did not exist before. For good taste this contains way too much cut&paste, but for a real fix there is just not enough time. Up to 3.0.22 we completely ignored that a full level 21 is being sent together with level 25, but we got away with that because on creation we did not set the "disabled" flag on the workstation account. Now we correctly follow W2k3 in this regard, and we end up with a disabled workstation after join. Man, I hate rpc_parse/. The correct fix would be to import PIDL generated samr parsing, but this is would probably be a bit too much for .23... Thanks to Tom Bork for finding this one. Volker (This used to be commit 5a37aba10551456042266443cc0a92f28f8c3d0d)
2007-10-10r15455: Add rpccli_samr_query_dom_info2() and return the comment string inGünther Deschner1-0/+3
samr_query_domain_info(2) for consistency reasons. Guenther (This used to be commit 870495e2c8628deee0498e68cc1d93abfbc56da4)
2007-10-10r15454: As testing, documentation and samba4 idl indicate that there is no knownGünther Deschner1-126/+10
difference between samr_query_domain_info and samr_query_domain_info2, wrap the info2 call around the info call. There have been various "could not access LDAP when not root" bugs lurking around in samr_query_domain_info2 anyway. Guenther (This used to be commit 3e181b46bea87797d654d57a6c8231cba6ff5a7b)
2007-10-10r15452: Again purely cosmetic reformat of the samr query domain info calls.Günther Deschner1-6/+8
Guenther (This used to be commit 6ed7d7fa70e3f750f921192c0f75594d608875b7)
2007-10-10r15442: Add some more client rpc for the querydominfo calls (from samba4 idl).Günther Deschner1-5/+11
Also return the hostname for the level 6 call (to be consistent with the server name in level 2). Guenther (This used to be commit 41b72e77ae70c96de4659af6b4b6bd842dd67981)
2007-10-10r15438: Fix samrQueryDomainInfo level 5 where we returned our netbiosGünther Deschner1-2/+2
name eversince instead of the domain name when we are a DC. Yes, there are applications relying on this call to be correct. Guenther (This used to be commit 26dd22c9af8caf3db236984e4683ba210376ca59)
2007-10-10r14646: Adding samr querygroup infolevels 2 & 5.Günther Deschner1-0/+26
Guenther (This used to be commit 6c4fe819c69f281915ad0f4c3bde4dfb194aa33a)
2007-10-10r14634: Many bug fixes thanks to train rides and overnight stays in airportsGerald Carter1-1/+39
* Finally fix parsing idmap uid/gid ranges not to break with spaces surrounding the '-' * Allow local groups to renamed by adding info level 2 to _samr_set_aliasinfo() * Fix parsing bug in _samr_del_dom_alias() reply * Prevent root from being deleted via Samba * Prevent builting groups from being renamed or deleted * Fix bug in pdb_tdb that broke renaming user accounts * Make sure winbindd is running when trying to create the Administrators and Users BUILTIN groups automatically from smbd (and not just check the winbind nexted groups parameter value). * Have the top level rid allocator verify that the RID it is about to grant is not already assigned in our own SAM (retries up to 250 times). This fixes passdb with existing SIDs assigned to users from the RID algorithm but not monotonically allocating the RIDs from passdb. (This used to be commit db1162241f79c2af8afb7d8c26e8ed1c4a4b476f)
2007-10-10r14403: * modifies create_local_nt_token() to create a BUILTIN\AdministratorsGerald Carter1-0/+12
group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes' * Add a SID domain to the group mapping enumeration passdb call to fix the checks for local and builtin groups. The SID can be NULL if you want the old semantics for internal maintenance. I only updated the tdb group mapping code. * remove any group mapping from the tdb that have a gid of -1 for better consistency with pdb_ldap.c. The fixes the problem with calling add_group_map() in the tdb code for unmapped groups which might have had a record present. * Ensure that we distinguish between groups in the BUILTIN and local machine domains via getgrnam() Other wise BUILTIN\Administrators & SERVER\Administrators would resolve to the same gid. * Doesn't strip the global_sam_name() from groups in the local machine's domain (this is required to work with 'winbind default domain' code) Still todo. * Fix fallback Administrators membership for root and domain Admins if nested groups = no or winbindd is not running * issues with "su - user -c 'groups'" command * There are a few outstanding issues with BUILTIN\Users that Windows apparently tends to assume. I worked around this presently with a manual group mapping but I do not think this is a good solution. So I'll probably add some similar as I did for Administrators. (This used to be commit 612979476aef62e8e8eef632fa6be7d30282bb83)
2007-10-10r13778: When deleting machine accounts it's the SeMachineAccountPrivilegeJeremy Allison1-1/+9
that counts. Jeremy. (This used to be commit aa85ba4f3799ffbe5c6f84f768f03a4c68d879dc)
2007-10-10r13715: Put back the code that actually modify the account,Simo Sorce1-0/+6
removed, I presume by mistake, by Jerry in the recent patch the removes the primary group SID stuff. set_user_info_21 is called to update many other things like the description of a user for example (that's what failed on me). Jerry, please review this one. (This used to be commit 239a37d201168d095f600042b1ffcd047f18ba8a)
2007-10-10r13711: * Correctly handle acb_info/acct_flags as uint32 not as uint16.Günther Deschner1-2/+2
* Fix a couple of related parsing issues. * in the info3 reply in a samlogon, return the ACB-flags (instead of returning zero) Guenther (This used to be commit 5b89e8bc24f0fdc8b52d5c9e849aba723df34ea7)
2007-10-10r13679: Commiting the rm_primary_group.patch posted on samba-technicalGerald Carter1-10/+9
* ignore the primary group SID attribute from struct samu* * generate the primary group SID strictlky from the Unix primary group when dealing with passdb users * Fix memory leak in original patch caused by failing to free a talloc * * add wrapper around samu_set_unix() to prevent exposing the create BOOL to callers. Wrappers are samu_set_unix() and samu-allic_rid_unix() (This used to be commit bcf269e2ec6630b78d909010fabd3b69dd6dda84)
2007-10-10r13622: Allow to rename machine accounts in a Samba Domain. This still uses theGünther Deschner1-2/+36
"rename user script" to do the rename of the posix machine account (this might be changed later). Fixes #2331. Guenther (This used to be commit b2eac2e6eb6ddd1bcb4ed5172e7cd64144c18d16)