summaryrefslogtreecommitdiff
path: root/source3/rpc_server/srv_samr_nt.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r19058: Implement "user cannot change password", and complete "user must changeJim McDonough1-12/+106
password at next logon" code. The "password last set time" of zero now means "user must change password", because that's how windows seems to use it. The "can change" and "must change" times are now calculated based on the "last set" time and policies. We use the "can change" field now to indicate that a user cannot change a password by putting MAX_TIME_T in it (so long as "last set" time isn't zero). Based on this, we set the password-can-change bit in the faked secdesc. (This used to be commit 21abbeaee9b7f7cff1d34d048463c30cda44a2e3)
2007-10-10r18429: fix a regression renaming local group introduced by trying to handle ↵Gerald Carter1-0/+2
renames to the same name (This used to be commit 4faa5004fb7e5814bf8a97cfe8d0b443f0acdb8d)
2007-10-10r18271: Big change:Gerald Carter1-6/+6
* autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2007-10-10r17797: Just say "ok" when trying to rename a local group to its same name.Gerald Carter1-4/+11
(This used to be commit e6e54125003373f83e6900668ceb9981e8620776)
2007-10-10r17554: CleanupVolker Lendecke1-3/+3
(This used to be commit 761cbd52f0cff6b864c506ec03c94039b6101ef9)
2007-10-10r17468: To minimize the diff later on, pre-commit some changes ↵Volker Lendecke1-3/+3
independently: Change internal mapping.c functions to return NTSTATUS instead of BOOL. Volker (This used to be commit 4ebfc30a28a6f48613098176c5acdfdafbd2941a)
2007-10-10r17451: Change pdb_getgrsid not to take a DOM_SID but a const DOM_SID * as anVolker Lendecke1-3/+3
argument. Volker (This used to be commit 873a5a1211d185fd50e7167d88cbc869f70dfd3f)
2007-10-10r17439: Fix logic error in checking TALLOC return. Spotted by Volker.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 06aea05c52ee770a2dd6465e9e2fcd0ccd8c811d)
2007-10-10r17364: Another NT4 join bug: The idealx tools set the primary group sid, ↵Volker Lendecke1-15/+12
and if we do an update_sam_account later on, we want to also set it using the delete/add method. As the idealx tools use the replace method, they don't care about what has been in there before. Jerry, this is a likely 3.0.23b candidate. Not merging, it's your call :-) Volker (This used to be commit f002a3633892fc040f0a6d076723c660bb82a41a)
2007-10-10r17217: Fix a couple of "smbldap_open(): Cannot open when not root" bugsGerald Carter1-1/+7
when viewing or modifying local group membership. (This used to be commit 41e30a9666e1fb736cd2ba8a5ad9285fcde50d47)
2007-10-10r17150: MMC User & group plugins fixes:Gerald Carter1-7/+25
* Make sure to lower case all usernames before calling the create, delete, or rename hooks. * Preserve case for usernames in passdb * Flush the getpwnam cache after renaming a user * Add become/unbecome root block in _samr_delete_dom_user() when trying to verify the account's existence. (This used to be commit bbe11b7a950e7d85001f042bbd1ea3bf33ecda7b)
2007-10-10r16954: Volker reminded me we already have code to do this check.Gerald Carter1-8/+4
Reuse can_create() to prevent renameing a group to an existing user or group. (This used to be commit ce7091fda1eb3c7ea0900f455cec48c3b95a17f6)
2007-10-10r16953: Don't allow groups to be renamed to an existing user or other groupGerald Carter1-5/+22
(This used to be commit 7d619f127ee70fdd486ffaab4546a53d76a2288c)
2007-10-10r16945: Sync trunk -> 3.0 for 3.0.24 code. Still needJeremy Allison1-6/+11
to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2007-10-10r16678: Fix bug #3898 reported by jason@ncac.gwu.edu.Jeremy Allison1-4/+12
Jeremy. (This used to be commit 5c5ea3152f8dbdfd7717b65e035191ffed3ec548)
2007-10-10r16646: Fix bug #3888 reported by Jason Mader <jason@ncac.gwu.edu>.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 433d7a1bc91ff479934a256ff84e6866e16d1f85)
2007-10-10r16544: Fix bug #3864 reported by jason@ncac.gwu.edu.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 16e42b446bea171c3ad848aefaa92c7404aade42)
2007-10-10r16409: Fix Klocwork ID's.Volker Lendecke1-5/+18
1177 In reg_perfcount.c: 1200 1202 1203 1204 In regfio.c: 1243 1245 1246 1247 1251 Jerry, the reg_perfcount and regfio.c ones, can you take a look please? This is really your code, and I'm not sure I did the right thing to return an error. smbcacls.c: 1377 srv_eventlog_nt.c: 1415 1416 1417 srv_lsa_nt.c: 1420 1421 srv_netlog_nt.c: 1429 srv_samr_nt: 1458 1459 1460 Volker Volker (This used to be commit d6547d12b1c9f9454876665a5bdb010f46b9f5ff)
2007-10-10r16065: Re-add a strlower_m(account) in samr_create_user that was dropped for noVolker Lendecke1-0/+2
reason but to increase fidelity with W2k3. Tom Bork has raised valid concerns that Unix scripts might rely on the account names being lower-case, so keep that. We might later decide to only lower-case the unix name passed to 'add [user|group] script' but keep the passdb entry upper-case. But there are enough user-visible changes in 3_0 already so that we should push this off to a later date. Tom, waiting for more bug reports from you ;-)) Thanks for insisting! Volker (This used to be commit bc78cca290559c5ca7623b9f6d9933e32668b9c4)
2007-10-10r16060: This is one of the more dirty patches I've put in lately. Parse ↵Volker Lendecke1-0/+52
enough of SetUserInfo level 25 to survive the join method XP uses if the user did not exist before. For good taste this contains way too much cut&paste, but for a real fix there is just not enough time. Up to 3.0.22 we completely ignored that a full level 21 is being sent together with level 25, but we got away with that because on creation we did not set the "disabled" flag on the workstation account. Now we correctly follow W2k3 in this regard, and we end up with a disabled workstation after join. Man, I hate rpc_parse/. The correct fix would be to import PIDL generated samr parsing, but this is would probably be a bit too much for .23... Thanks to Tom Bork for finding this one. Volker (This used to be commit 5a37aba10551456042266443cc0a92f28f8c3d0d)
2007-10-10r15455: Add rpccli_samr_query_dom_info2() and return the comment string inGünther Deschner1-0/+3
samr_query_domain_info(2) for consistency reasons. Guenther (This used to be commit 870495e2c8628deee0498e68cc1d93abfbc56da4)
2007-10-10r15454: As testing, documentation and samba4 idl indicate that there is no knownGünther Deschner1-126/+10
difference between samr_query_domain_info and samr_query_domain_info2, wrap the info2 call around the info call. There have been various "could not access LDAP when not root" bugs lurking around in samr_query_domain_info2 anyway. Guenther (This used to be commit 3e181b46bea87797d654d57a6c8231cba6ff5a7b)
2007-10-10r15452: Again purely cosmetic reformat of the samr query domain info calls.Günther Deschner1-6/+8
Guenther (This used to be commit 6ed7d7fa70e3f750f921192c0f75594d608875b7)
2007-10-10r15442: Add some more client rpc for the querydominfo calls (from samba4 idl).Günther Deschner1-5/+11
Also return the hostname for the level 6 call (to be consistent with the server name in level 2). Guenther (This used to be commit 41b72e77ae70c96de4659af6b4b6bd842dd67981)
2007-10-10r15438: Fix samrQueryDomainInfo level 5 where we returned our netbiosGünther Deschner1-2/+2
name eversince instead of the domain name when we are a DC. Yes, there are applications relying on this call to be correct. Guenther (This used to be commit 26dd22c9af8caf3db236984e4683ba210376ca59)
2007-10-10r14646: Adding samr querygroup infolevels 2 & 5.Günther Deschner1-0/+26
Guenther (This used to be commit 6c4fe819c69f281915ad0f4c3bde4dfb194aa33a)
2007-10-10r14634: Many bug fixes thanks to train rides and overnight stays in airportsGerald Carter1-1/+39
* Finally fix parsing idmap uid/gid ranges not to break with spaces surrounding the '-' * Allow local groups to renamed by adding info level 2 to _samr_set_aliasinfo() * Fix parsing bug in _samr_del_dom_alias() reply * Prevent root from being deleted via Samba * Prevent builting groups from being renamed or deleted * Fix bug in pdb_tdb that broke renaming user accounts * Make sure winbindd is running when trying to create the Administrators and Users BUILTIN groups automatically from smbd (and not just check the winbind nexted groups parameter value). * Have the top level rid allocator verify that the RID it is about to grant is not already assigned in our own SAM (retries up to 250 times). This fixes passdb with existing SIDs assigned to users from the RID algorithm but not monotonically allocating the RIDs from passdb. (This used to be commit db1162241f79c2af8afb7d8c26e8ed1c4a4b476f)
2007-10-10r14403: * modifies create_local_nt_token() to create a BUILTIN\AdministratorsGerald Carter1-0/+12
group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes' * Add a SID domain to the group mapping enumeration passdb call to fix the checks for local and builtin groups. The SID can be NULL if you want the old semantics for internal maintenance. I only updated the tdb group mapping code. * remove any group mapping from the tdb that have a gid of -1 for better consistency with pdb_ldap.c. The fixes the problem with calling add_group_map() in the tdb code for unmapped groups which might have had a record present. * Ensure that we distinguish between groups in the BUILTIN and local machine domains via getgrnam() Other wise BUILTIN\Administrators & SERVER\Administrators would resolve to the same gid. * Doesn't strip the global_sam_name() from groups in the local machine's domain (this is required to work with 'winbind default domain' code) Still todo. * Fix fallback Administrators membership for root and domain Admins if nested groups = no or winbindd is not running * issues with "su - user -c 'groups'" command * There are a few outstanding issues with BUILTIN\Users that Windows apparently tends to assume. I worked around this presently with a manual group mapping but I do not think this is a good solution. So I'll probably add some similar as I did for Administrators. (This used to be commit 612979476aef62e8e8eef632fa6be7d30282bb83)
2007-10-10r13778: When deleting machine accounts it's the SeMachineAccountPrivilegeJeremy Allison1-1/+9
that counts. Jeremy. (This used to be commit aa85ba4f3799ffbe5c6f84f768f03a4c68d879dc)
2007-10-10r13715: Put back the code that actually modify the account,Simo Sorce1-0/+6
removed, I presume by mistake, by Jerry in the recent patch the removes the primary group SID stuff. set_user_info_21 is called to update many other things like the description of a user for example (that's what failed on me). Jerry, please review this one. (This used to be commit 239a37d201168d095f600042b1ffcd047f18ba8a)
2007-10-10r13711: * Correctly handle acb_info/acct_flags as uint32 not as uint16.Günther Deschner1-2/+2
* Fix a couple of related parsing issues. * in the info3 reply in a samlogon, return the ACB-flags (instead of returning zero) Guenther (This used to be commit 5b89e8bc24f0fdc8b52d5c9e849aba723df34ea7)
2007-10-10r13679: Commiting the rm_primary_group.patch posted on samba-technicalGerald Carter1-10/+9
* ignore the primary group SID attribute from struct samu* * generate the primary group SID strictlky from the Unix primary group when dealing with passdb users * Fix memory leak in original patch caused by failing to free a talloc * * add wrapper around samu_set_unix() to prevent exposing the create BOOL to callers. Wrappers are samu_set_unix() and samu-allic_rid_unix() (This used to be commit bcf269e2ec6630b78d909010fabd3b69dd6dda84)
2007-10-10r13622: Allow to rename machine accounts in a Samba Domain. This still uses theGünther Deschner1-2/+36
"rename user script" to do the rename of the posix machine account (this might be changed later). Fixes #2331. Guenther (This used to be commit b2eac2e6eb6ddd1bcb4ed5172e7cd64144c18d16)
2007-10-10r13590: * replace all pdb_init_sam[_talloc]() calls with samu_new()Gerald Carter1-36/+33
* replace all pdb_{init,fill}_sam_pw() calls with samu_set_unix() (This used to be commit 6f1afa4acc93a07d0ee9940822d7715acaae634f)
2007-10-10r13576: This is the beginnings of moving the SAM_ACCOUNT data structureGerald Carter1-62/+62
to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0)
2007-10-10r13511: Fix bug in the samr dispinfo enumeration code.Gerald Carter1-0/+11
Make sure to associate the DOMAIN dispinfo cache with a User/Group SAMR handle (not the SID of the user or group). Ensure that enumeration after deleting a user works. (This used to be commit 7967f89caa17ea93cb7e9d8695f1904ccb9a2864)
2007-10-10r13494: Merge the stuff I've done in head the last days.Volker Lendecke1-424/+103
Volker (This used to be commit bb40e544de68f01a6e774753f508e69373b39899)
2007-10-10r13444: Add REJECT_REASON_OTHER for samr_chgpasswd_user3Günther Deschner1-1/+2
Guenther (This used to be commit 58baf718be90d750f51cf51a25714fcdcd5679b7)
2007-10-10r13442: Implement samr_chgpasswd_user3 server-side.Günther Deschner1-7/+98
Guenther (This used to be commit f60eddc0a4dfe623e5f115533a62c03810fd5f38)
2007-10-10r13399: Get closer to passing RPC-SCHANNEL test.Jeremy Allison1-0/+5
Jeremy. (This used to be commit 8ae70122b79fbe682c227ec2c4e5a72bf58d76de)
2007-10-10r13396: Add in userinfo26, re-enable userinfo25 - took the knowledgeJeremy Allison1-14/+36
from Samba4 on how to decode the 532 byte password buffers. Getting closer to passing samba4 RPC-SCHANNEL test. Jeremy. (This used to be commit 205db6968a26c43dec64c14d8053d8e66807086f)
2007-10-10r13316: Let the carnage begin....Gerald Carter1-126/+153
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r13138: old fix I forgot to commitSimo Sorce1-2/+5
need to access info when using the ldap backend (This used to be commit 80c0625667f28253e9b6f1ac1a5c88aa8261f9b0)
2007-10-10r12935: After discussion with Volker fix bug #3397 using a variant of the ↵Alexander Bokovoy1-2/+51
patch by Alex Deiter (tiamat@komi.mts.ru). Introduces level 9 of getuserinfo and allows to successfully install MS SMS2003 on a member of a Samba domain. Also added support for this level in rpcclient. The code for infolevel 9 is modelled upon Samba-TNG by Alex Deiter. Jerry, we need this in 3.0.21b. (This used to be commit 93461646ce2ad6e2f8b11d40ce98722d56a83b43)
2007-10-10r12262: * patch from Brian Moran to fix segv in eventlogadm when not eventlogsGerald Carter1-0/+2
are listed in smb.conf * initialize the local group description in set_alias_info() (This used to be commit 58f8b42069a69c0b61da2609e5706a6c0d512e09)
2007-10-10r12133: Fix an uninitialized variable in new code in rpc_server/srv_samr_nt.c.Volker Lendecke1-5/+8
Fix winbind_lookup_name for the local domain, ie for aliases on a member server. Volker (This used to be commit 4ba50c823e8d61f87ab5627f15e826e73e45ffcc)
2007-10-10r12051: Merge across the lookup_name and lookup_sid work. Lets see how the ↵Volker Lendecke1-60/+84
build farm reacts :-) Volker (This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7)
2007-10-10r12043: It's amazing the warnings you find when compiling on a 64-bitJeremy Allison1-14/+18
box with gcc4 and -O6... Fix a bunch of C99 dereferencing type-punned pointer will break strict-aliasing rules errors. Also added prs_int32 (not uint32...) as it's needed in one place. Find places where prs_uint32 was being used to marshall/unmarshall a time_t (a big no no on 64-bits). More warning fixes to come. Thanks to Volker for nudging me to compile like this. Jeremy. (This used to be commit c65b752604f8f58abc4e7ae8514dc2c7f086271c)
2007-10-10r11964: rename flag to password_properties in SAM_UNK_INFO_1 because that's whatGünther Deschner1-1/+1
it is. (SAM_UNK_INFO_1 should get a better name as well). Guenther (This used to be commit d94aaeb625c39b6205fe61c274aed57b1399bafc)
2007-10-10r11927: No users or groups to return in BUILTIN domain.Jeremy Allison1-0/+14
Jeremy. (This used to be commit 908e671c75f78b87fe0ee9129f0aca004565c407)