summaryrefslogtreecommitdiff
path: root/source3/rpc_server/srv_samr_nt.c
AgeCommit message (Collapse)AuthorFilesLines
2003-01-15merging some rpcclient and net functionality from HEADGerald Carter1-0/+12
(This used to be commit 7a4c87484237308cb3ad0d671687da7e0f6e733b)
2003-01-04Merge from HEAD - move user password changes into the NTSTATUS era, and addAndrew Bartlett1-3/+2
suppport for the 'min password age' and 'min passwd len' concepts. (This used to be commit d9417b08d1b649e598b44135bc57008f4e4f7769)
2002-12-20Forward port the change to talloc_init() to make all talloc contextsJeremy Allison1-1/+1
named. Ensure we can query them. Jeremy. (This used to be commit 09a218a9f6fb0bd922940467bf8500eb4f1bcf84)
2002-11-12Removed global_myworkgroup, global_myname, global_myscope. Added liberalJeremy Allison1-9/+7
dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89)
2002-11-08Merge from HEAD:Andrew Bartlett1-0/+2
- change auth_sam to use the initialisation flags to determine if the password attributes are set - add const to secrets.c, cliconnect.c - passdb: fix spelling in pdb_ldap, add group mapping back to smbpasswd - SAMR: add debugs to show what fails for group enum. Andrew Bartlett (This used to be commit 4e74d00b3634abf52aa24bfaa6dbe88202aa57a1)
2002-11-02port sec_desc headers reordering from HEAD.Simo Sorce1-44/+44
Thanks to Andrew Brtlet for the diff :-) (This used to be commit cf67981e73cf52803eae589a6b86e1274bf72d2c)
2002-11-02Merge passdb from HEAD -> 3.0Andrew Bartlett1-29/+40
The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f)
2002-10-23Debug level 12 is a typo.Jeremy Allison1-2/+2
Jeremy. (This used to be commit c4e4cc9ce169038c4bb8cdcc477d15a9661d1b8e)
2002-10-23First cut of new ACL mapping code from Andreas Gruenbacher <agruen@suse.de>.Jeremy Allison1-1/+1
This is not 100% the same as what SuSE shipped in their Samba, there is a crash bug fix, a race condition fix, and a few logic changes I'd like to discuss with Andreas. Added Andreas to (C) notices for posix_acls.c Jeremy. (This used to be commit 40eafb9dde113af9f7f1808fda22908953f7e8c3)
2002-10-01syncing up with HEAD. Seems to be a lot of differences creeping inGerald Carter1-2/+2
(i ignored the new SAMBA stuff, but the rest of this looks like it should have been merged already). (This used to be commit 3de09e5cf1f667e410ee8b9516a956860ce7290f)
2002-09-26syncing up with HEAD again....Gerald Carter1-6/+17
(This used to be commit e026b84815ad1a5fa981c24fff197fefa73b4928)
2002-09-25sync'ing up for 3.0alpha20 releaseGerald Carter1-75/+56
(This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-08-17Sync 3.0 branch with HEADJelmer Vernooij1-27/+115
(This used to be commit e01596853e3eea533baa08c33f26ded75f33fdd4)
2002-07-15updated the 3.0 branch from the head branch - ready for alpha18Andrew Tridgell1-410/+929
(This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-04-12merged the mangling test and passdb bugfixes into SAMBA_3_0Andrew Tridgell1-15/+0
(This used to be commit 97eb3a121d33200ee7559b2413d6252efc04ebaf)
2002-03-29Don't core dump listing thousands of users in usrmgr.Jeremy Allison1-2/+2
Jeremy. (This used to be commit c6566fa5fadf37a2b133e7be1f13c0de93efab34)
2002-03-21Make sure to initaliase SAM_ACCOUNT pointers to NULL, otherwise pdb_init_sam()Andrew Bartlett1-3/+3
fails. Andrew Bartlett (This used to be commit 56009ffbaa00259d15f286248a7ab73c55371819)
2002-03-19second step to gain free uid<->rid mappingSimo Sorce1-10/+82
we still need to free gid<->rid mapping and few other stuff (This used to be commit aa4b6f8181f34196a28951264dd8b631a5deef7f)
2002-03-18more verbose checking in talloc and util_pwSimo Sorce1-2/+42
fixed tdbsam memory corruption (and segfault) reducing calls to pdb_uid_to_user_rid and countrary to 0 to move to a non alghoritmic rid allocation with some passdb modules. (This used to be commit 9836af7cd623357feaec07bc49cfb78f0aa01fc3)
2002-03-10return the correct SID and domain name for the samr enum_domain andAndrew Tridgell1-8/+30
lookup_domain calls. We were incorrectly returning the PDCs domain nameand SID when we are a domain member. We should only do that when we are the DC (This used to be commit f56d689497eaa670cbfb214486ba88d5972129db)
2002-01-30Removed version number from file header.Tim Potter1-2/+1
Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2002-01-26Add the become_root()/unbecome_root() wrapper around the lookup_name() call,Andrew Bartlett1-1/+9
and its new args. (This used to be commit e7b3d64f6055b5d3b036f525f0ece3c9479d4f7a)
2002-01-20This is another *BIG* change...Andrew Bartlett1-44/+72
Samba now features a pluggable passdb interface, along the same lines as the one in use in the auth subsystem. In this case, only one backend may be active at a time by the 'normal' interface, and only one backend per passdb_context is permitted outside that. This pluggable interface is designed to allow any number of passdb backends to be compiled in, with the selection at runtime. The 'passdb backend' paramater has been created (and documented!) to support this. As such, configure has been modfied to allow (for example) --with-ldap and the old smbpasswd to be selected at the same time. This patch also introduces two new backends: smbpasswd_nua and tdbsam_nua. These two backends accept 'non unix accounts', where the user does *not* exist in /etc/passwd. These accounts' don't have UIDs in the unix sense, but to avoid conflicts in the algroitmic mapping of RIDs, they use the values specified in the 'non unix account range' paramter - in the same way as the winbind ranges are specifed. While I was at it, I cleaned up some of the code in pdb_tdb (code copied directly from smbpasswd and not really considered properly). Most of this was to do with % macro expansion on stored data. It isn't easy to get the macros into the tdb, and the first password change will 'expand' them. tdbsam needs to use a similar system to pdb_ldap in this regard. This patch only makes minor adjustments to pdb_nisplus and pdb_ldap, becouse I don't have the test facilities for these. I plan to incoroprate at least pdb_ldap into this scheme after consultation with Jerry. Each (converted) passdb module now no longer has any 'static' variables, and only exports 1 init function outside its .c file. The non-unix-account support in this patch has been proven! It is now possible to join a win2k machine to a Samba PDC without an account in /etc/passwd! Other changes: Minor interface adjustments: pdb_delete_sam_account() now takes a SAM_ACCOUNT, not a char*. pdb_update_sam_account() no longer takes the 'override' argument that was being ignored so often (every other passdb backend). Extra checks have been added in some places. Minor code changes: smbpasswd no longer attempts to initialise the passdb at startup, this is now done on first use. pdbedit has lost some of its 'machine account' logic, as this behaviour is now controlled by the passdb subsystem directly. The samr subsystem no longer calls 'local password change', but does the pdb interactions directly. This allow the ACB_ flags specifed to be transferred direct to the backend, without interference. Doco: I've updated the doco to reflect some of the changes, and removed some paramters no longer applicable to HEAD. (This used to be commit ff354c99c585068af6dc1ff35a1f109a806b326b)
2002-01-20Kill off another ugly wart from the side of the passdb subsystem.Andrew Bartlett1-36/+3
This time its the pdb_getsampwuid() function - which was only being used by the SAMR rpc subsystem to gain a 'user session key'. This 'user session key' is actually generated at login time, and the other changes here simply move that data around. This also means that (when I check some details) we will be able to use the user session key, even when we are not actually the DC, becouse its one of the components of the info3 struct returned on logon. Andrew Bartlett (This used to be commit 799ac01fe08a338e4e94289f5d6767ebf905c1fa)
2002-01-20This patch makes the 'winbind use default domain' code interact better withAndrew Bartlett1-3/+3
smbd, and also makes it much cleaner inside winbindd. It is mostly my code, with a few changes and testing performed by Alexander Bokovoy <a.bokovoy@sam-solutions.net>. ab has tested it in security=domain and security=ads, but more testing is always appricatiated. The idea is that we no longer cart around a 'domain\user' string, we keep them seperate until the last moment - when we push that string into a pwent on onto the socket. This removes the need to be constantly parsing that string - the domain prefix is almost always already provided, (only a couple of functions actually changed arguments in all this). Some consequential changes to the RPC client code, to stop it concatonating the two strings (it now passes them both back as params). I havn't changed the cache code, however the usernames will no longer have a double domain prefix in the key string. The actual structures are unchanged - but the meaning of 'username' in the 'rid' will have changed. (The cache is invalidated at startup, so on-disk formats are not an issue here). Andrew Bartlett (This used to be commit e870f0e727952aeb8599cf93ad2650ae56eca033)
2002-01-17A nice *big* change to the fundemental way we do things.Andrew Bartlett1-3/+14
Samba (ab)uses the returns from getpwnam() a lot - in particular it keeps them around for a long time - often past the next call... This adds a getpwnam_alloc and a getpwuid_alloc to the collection. These function as expected, returning a malloced structure that can be free()ed with passwd_free(&passwd). This patch also cuts down on the number of calls to getpwnam - mostly by taking advantage of the fact that the passdb interface is already case-insensiteve. With this patch most of the recursive cases have been removed (that I know of) and the problems are reduced further by not using the sys_ interface in the new code. This means that pointers to the cache won't be affected. (This is a tempoary HACK, I intend to kill the password cache entirly). The only change I'm a little worried about is the change to rpc_server/srv_samr_nt.c for private groups. In this case we are getting groups from the new group mapping DB. Do we still need to check for private groups? I've toned down the check to a case sensitve match with the new code, but we might be able to kill it entirly. I've also added a make_modifyable_passwd() function, that copies a passwd struct into the form that the old sys_getpw* code provided. As far as I can tell this is only actually used in the pass_check.c crazies, where I moved the final 'special case' for shadow passwords (out of _Get_Pwnam()). The matching case for getpwent() is dealt with already, in lib/util_getent.c Also included in here is a small change to register the [homes] share at vuid creation rather than just in one varient of the session setup. (This picks up the SPNEGO cases). The home directory is now stored on the vuid, and I am hoping this might provide a saner way to do %H substitions. TODO: Kill off remaining Get_Pwnam_Modify calls (they are not needed), change the remaining sys_getpwnam() callers to use getpwnam_alloc() and move Get_Pwnam to return an allocated struct. Andrew Bartlett (This used to be commit 1d86c7f94230bc53daebd4d2cd829da6292e05da)
2002-01-02Actually enforce the passdb API.Andrew Bartlett1-25/+21
Thou shalt not reference SAM_ACCOUNT members directly - always use pdb_get/pdb_set. This is achived by making the whole of SAM_ACCOUNT have a .private member, where the real members live. This caught a pile of examples, and these have beeen fixed. The pdb_get..() functions are 'const' (have been for some time) and this required a few small changes to constify other functions. I've also added some debugs to the pdb get and set, they can be removed if requested. I've rewritten the copy_id2x_to_sam_pass() functions to use the new passdb interface, but I need the flags info to do it properly. The pdb_free_sam() funciton now blanks out the LM and NT hashes, and as such I have removed many extra 'samr_clear_sam_passwd(smbpass)' calls as a result. Finally, any and all testing is always appriciated - but the basics seem to work. Andrew Bartlett (This used to be commit d3dd28f6c443187b8d820d5a39c7c5b3be2fa95c)
2002-01-02Make user enumeration work for w2k and win9x.Jeremy Allison1-71/+85
This means different return sizes depending on client bugs. This sucks :-(. Jeremy. (This used to be commit f6592628eb526c487069bb3fcd809aca930e668e)
2001-12-31last_enum not used.Jeremy Allison1-4/+0
Jeremy. (This used to be commit efbec935fe727d5d5bd852c7bae9baf92df18686)
2001-12-31Fixed enumeration of a large (<1500) users from a Samba PDC to a W2kJeremy Allison1-6/+0
member server. Firstly, use the same max enumeration size (0x400) as W2K uses, otherwise W2K won't ask for any more. Secondly, if a enumeration request with a non-zero offset comes in on a handle that hasn't started an enumeration, don't bitch about it (return NT_STATUS_UNSUCCESSFUL), just load the db on that handle and return at that offset. Jeremy. (This used to be commit 0b7da4a50ea02e28ab23e71de1e5f8b9194a9af3)
2001-12-21Removed unused variables.Jeremy Allison1-2/+0
Jeremy. (This used to be commit 621fa227bdf6af15daa13f62287978dc2310c04c)
2001-12-21The jf_get_sampasswd_entries() is not used anymore.Jeremy Allison1-335/+0
Jeremy. (This used to be commit bf1816099707b816c9b62ad5ab794dc49b833181)
2001-12-21added a copyright notice.Jean-François Micouleau1-1/+1
J.F. (This used to be commit 87928c4d91940447191af4fe83a2be7ac3477361)
2001-12-21doesn't keep track of the struct's size we enumerate. W2K doesn'tJean-François Micouleau1-71/+76
calculate them and always reply a size of 32 bytes whereas NT4 did the maths. Anyway, it looks like the clients don't complain. in query_dom_info() at level 2, return the real number of users and groups. That's the fix to the W95/98 userlist bug ! as W95/98 does a query_dom_info(2) followed by a query_disp_info(4) on the SAME context handle (err we call it an lsa policy handle ! plain wrong name), I was tempted to keep the snapshoot in memory, to prevent 2 full user db enumerations in a row and just have one shared. But if some client does the 2 calls on two different handles, we would have 2 copies in memory not free'ed before the samr_close(). We still have too many fixed constant and too many magic values in that code. And btw, I really hates how the sequence number is generated ! J.F. (This used to be commit c0178e1a03f8225e5b350feb8fcbfb02f43327b4)
2001-12-21Fixup some DEBUG statements (0 -> 10).Jeremy Allison1-3/+3
Jeremy. (This used to be commit bf65331cb49299189d35ad5834167ec24b3a1ecb)
2001-12-21Use pdb_free_sam() to free a SAM_ACCOUNT struct, not safe_free(). ThereJeremy Allison1-1/+1
are pointers withing the SAM_ACCOUNT struct that also need freeing. Jeremy. (This used to be commit a7d099cc75f813b4010a5f313c3fa6e6e8284b6d)
2001-12-21re-done all of samr_query_disp_info()Jean-François Micouleau1-86/+310
instead of enumerating the whole user db or group db every time, we store a in memory copy linked to the handle. that's much faster for large enumeration where the db can't fit in a single rpc packet. And as it's a copy, it's constant between enumeration. still some stuff to clean. But now I can fix the W95 userlist bug, as I've finally found it. J.F. (This used to be commit 3ab45215369e8e93d750f4687e9c1f7d47782590)
2001-12-19added info level 1 to samr_query_alias()Jean-François Micouleau1-0/+5
(This used to be commit 589aa4fe226ee5bdae0a244631193714b0b556ac)
2001-12-18Fixed bad args to debug statements.Tim Potter1-3/+3
(This used to be commit 5e0f0716ca9826de110fd9eeaf231970e7c19b42)
2001-12-10added info level 3 to samrgetgroupinfo. I don't know what the value is.Jean-François Micouleau1-12/+164
It's just to keep usermanager happy ;-) clean up a bit samr_query_aliasinfo to return the group description added: samr_del_aliasmem, samr_del_groupmem and samr_del_domuser with the correct scripts, you can now entirely manage the users from usermanager ! Closer to full PDC every day ;-) J.F. (This used to be commit 0a727afc669704cda9b44d44dbac9e989e906ae3)
2001-12-08small comment I don't want to loose.Jean-François Micouleau1-0/+5
J.F. (This used to be commit a0b5ae58228d01ff5099180f16ffba4353bd28a7)
2001-12-06again an intrusive patch:Jean-François Micouleau1-2/+5
- removed the ugly as hell sam_logon_in_ssb variable, I changed a bit the definition of standard_sub_basic() to cope with that. - removed the smb.conf: 'domain admin group' and 'domain guest group' parameters ! We're not playing anymore with the user's group RIDs ! - in get_domain_user_groups(), if the user's gid is a group, put it first in the group RID list. I just have to write an HOWTO now ;-) J.F. (This used to be commit fef52c4b96c987115fb1818c00c2352c67790e50)
2001-12-05added samr_queryuseralias(). instead of returning BUILTIN_ALIAS_RID_USERS,Jean-François Micouleau1-16/+48
now return the alias correctly. time to look at the netlogon case. J.F. (This used to be commit 72ee1791084d09e73d8057e37ced4a79cecffb35)
2001-12-04added a boolean to the group mapping functions to specify if we need orJean-François Micouleau1-84/+40
not the privileges. Usually we don't need them, so the memory is free early. lib/util_sid.c: added some helper functions to check an SID. passdb/passdb.c: renamed local_lookup_rid() to local_lookup_sid() and pass an RID all the way. If the group doesn't exist on the domain SID, don't return a faked one as it can collide with a builtin one. Some rpc structures have been badly designed, they return only rids and force the client to do subsequent lsa_lookup_sid() on the domain sid and the builtin sid ! rpc_server/srv_util.c: wrote a new version of get_domain_user_groups(). Only the samr code uses it atm. It uses the group mapping code instead of a bloody hard coded crap. The netlogon code will use it too, but I have to do some test first. J.F. (This used to be commit 6c87e96149101995b7d049657d5c26eefef37d8c)
2001-12-03added a tdb to store the account policy informations.Jean-François Micouleau1-87/+168
You can change them with either usermanager->policies->account or from a command prompt on NT/W2K: net accounts /domain we can add a rpc accounts to the net command. As the net_rpc.c is still empty, I did not start. How should I add command to it ? Should I take the rpcclient/cmd_xxx functions and call them from there ? alse changed the SAM_UNK_INFO_3 parser, it's an NTTIME. This one is more for jeremy ;-) J.F. (This used to be commit bc28a8eebd9245ce3004ae4b1a359db51f77bf21)
2001-12-02added queryuseraliases to rpcclientJean-François Micouleau1-0/+33
and some comments to the samr server code, to explain what we should return here. J.F. (This used to be commit 06cb20a46d9d9f8abf0d92ba4cfa4d23187ad715)
2001-12-02there was a bug in samr_lookup_names (my fault)Jean-François Micouleau1-42/+77
and added comments and some debugs. J.F. (This used to be commit 114eba496fa020a7f491eb549c91fb38ca34dabb)
2001-11-29Changed again how the privilege list is handled in the group mapping code.Jean-François Micouleau1-7/+56
This time it's a PRIVILEGE_SET struct instead of a simple uint32 array. It makes much more sense. Also added a uint32 systemaccount to the GROUP_MAP struct as some privilege showing in USRMGR.EXE are not real privs but a bitmask flag. I guess it's an heritage from NT 3.0 ! I could setup an NT 3.1 box to verify, but I'm too lazy (yes I still have my CDs). Added 3 more LSA calls: SetSystemAccount, AddPrivileges and RemovePrivileges, we can manage all this privilege from UserManager. Time to change the NT_USER_TOKEN struct and add checks in all the rpc functions. Fun, fun, fun. J.F. (This used to be commit 3f0a9ef2b8c626cfa2878394bb7b642342342bf3)
2001-11-28added samr_set_domain_info and samr_unknown_2E.Jean-François Micouleau1-0/+98
We now get the full account policy window in usermanager, and the framework to store all those values. I plan to add a TDB file to store them. oh, and found that the last value in a sam_unknown_info_12_inf struct is an uint16 and not a uint32. andrewb: you hardcoded the MAX_PASSWORD_AGE to 21 days. We can now turn it to a value setable in usermanager. J.F. (This used to be commit 99471d25693f6672d433b90a060378f6faad867f)
2001-11-24Kill off that crazy copy_sam_passwd(). You simply can't do that if theAndrew Bartlett1-24/+11
structre contains pointers (well not if you intend of free those pointers at some stage) There is no reason (given the new passdb interface) that you can't modify a SAM_ACCOUNT in any case. Andrew Bartlett (This used to be commit e8e73f7f0fcd86c8c2bfe3fc0b44ea2fd6570cc5)