path: root/source3/rpc_server/srv_samr_nt.c
Age | Commit message | Author | Files | Lines
2007-10-10 | r9956: Ensure accounts with the SeAddUsersPrivilege can modify domain and local group attributes (posted to samba ml and confirmed fix) | Gerald Carter | 1 | -8/+32
(This used to be commit 005d4cb3c636383ccf70c4891cd7cc4bd3b48ad2)
2007-10-10 | r9660: real fix for group enumeration bug in 3.0.20; only affected the ldapsam code | Gerald Carter | 1 | -1/+1
(This used to be commit 62f9fb5e3a9bce539c9fedc5fdec1b8741a922c7)
2007-10-10 | r9594: return the mapped name in enum_dom_groups() | Gerald Carter | 1 | -1/+1
(This used to be commit a769aaec88257ae006c61f0fcfd98efd4b639268)
2007-10-10 | r9275: Remove some dead code. Bugzilla #2982. | Tim Potter | 1 | -3/+0
(This used to be commit e1fc7d89c26b671e77c7cb14e03690091b671b1d)
2007-10-10 | r9098: fix another usrmgr.exe crash when viewing user properties at debuglevel 10 | Gerald Carter | 1 | -1/+1
(This used to be commit f5756c2611df5a026d78f8acb229d7c25f1fd383)
2007-10-10 | r8971: Fix querydispinfo (still need to look at enumdomusers) to allow to list | Günther Deschner | 1 | -2/+4
more than 511 users. After the rewrite, the old NT_STATUS-semantics didn't fit any longer.
Guenther
(This used to be commit 690da51d835fd780b16d8ce6521957146c90da78)
2007-10-10 | r8564: Sometimes we're too dumb to live... Fix samr calls where we were | Jeremy Allison | 1 | -35/+35
using USER_INFO_XX structs and functions where XX was sometimes in hex and sometimes in decimal. Now it's all in decimal (should be no functionality change).
Jeremy.
(This used to be commit 84651aca04cbcbf50ab2e78333cc9d9e49dd92f5)
2007-10-10 | r7836: Fix the bug where users show up as trusting domains. | Volker Lendecke | 1 | -9/+22
Volker
(This used to be commit 61585fa56b4f838f416815598f4a301aa9ee12d7)
2007-10-10 | r7581: fix bad merge | Gerald Carter | 1 | -2/+0
(This used to be commit 55d08311032b75724b525d8e0df506de3e988b15)
2007-10-10 | r7578: use global well known DOM_SID objects when possible | Gerald Carter | 1 | -9/+6
(This used to be commit 643dc05eb5a8e41cf9cb1768ef42f5dbc0320846)
2007-10-10 | r7130: remove 'winbind enable local accounts' code from the 3.0 tree | Gerald Carter | 1 | -20/+0
(This used to be commit 318c3db4cb1c85be40b2f812f781bcf5f1da5c19)
2007-10-10 | r6772: Fix a valgrind error for samr_open_alias uncovered by one of John's tests. | Volker Lendecke | 1 | -1/+1
Jerry, in query_aliasmem, set_aliasinfo and set_groupinfo (and possibly others) need become_root()/unbecome_root() around the pdb calls. I'm not sure I would do the access checks correctly, I would much rather leave that to you.
Volker
(This used to be commit 88a67e96d1c54fddadbb6a33e4bc5fba884e58e6)
2007-10-10 | r6642: BUG 2686: should fix the group_setinfo() failures; similar to alias_setinfo() patch from last week | Gerald Carter | 1 | -0/+5
(This used to be commit 611cca473ef6c50aeeda79c323f55e8e3402b1b1)
2007-10-10 | r6601: fixing query and set alias info calls (level 1 from the | Gerald Carter | 1 | -12/+15
MMC manage computer plugin).
(This used to be commit c43c1ec80cb52569ccabcdf95e4004386ecb29d6)
2007-10-10 | r6566: fix a couple of local group bugs. | Gerald Carter | 1 | -7/+8
* ensure that we set full access on the handle returned from _samr_create_dom_alias() so that future set_alias commands succeed
* fix bug when looking for internal domains in winbindd (caused winbindd_getgrgid() for local groups to fail).
(This used to be commit 4615c96ccb8906af4eb1fbe6d0cbf6bb3bcc3fcf)
2007-10-10 | r6421: use add machine script when creating a user (ACB_NORMAL) | Gerald Carter | 1 | -2/+4
who has a name ending in '$' (usrmgr.exe does this for domain trusts (that was jfm's original comment I think)). avoid an assert() call in libldap.
(This used to be commit 0ac57ae94202190ddbe538f7180a0443463b48cf)
2007-10-10 | r6351: This is quite a large and intrusive patch, but there are not many pieces that can be taken out of it, so I decided to commit this in one lump. | Volker Lendecke | 1 | -580/+238
It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later.
The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then.
Volker
(This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2007-10-10 | r6282: Before converting enum_dom_groups, better get the previous version a bit | Volker Lendecke | 1 | -5/+13
closer to being correct. 'svn blame' shows CVSIN, but somehow I get the feeling this is my code...
Volker
(This used to be commit 5d34bd617535a26ae121a72add41dc7b8cec4580)
2007-10-10 | r6263: Get rid of generate_wellknown_sids, they are const static and initializable statically. | Volker Lendecke | 1 | -3/+0
Volker
(This used to be commit 3493d9f383567d286e69c0e60c0708ed400a04d9)
2007-10-10 | r6225: get rid of warnings from my compiler about nested externs | Herb Lewis | 1 | -1/+1
(This used to be commit efea76ac71412f8622cd233912309e91b9ea52da)
2007-10-10 | r6080: Port some of the non-critical changes from HEAD to 3_0. The main one is the change in pdb_enum_alias_memberships to match samr.idl a bit closer. | Volker Lendecke | 1 | -27/+10
Volker
(This used to be commit 3a6786516957d9f67af6d53a3167c88aa272972f)
2007-10-10 | r5965: Apply Volker's patch for "ldapsam trusted = yes" for samr_lookup_rids. | Jim McDonough | 1 | -45/+17
Gives us again up to ~6x improvement on group membership lookups.
(This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2007-10-10 | r5961: final round of compiler warning fixes based on feedback from Jason Mader | Gerald Carter | 1 | -3/+3
(This used to be commit 9e77da9320c900b3e437d534e31fa5ff81e9acfd)
2007-10-10 | r5950: more compiler warnings from Jason Mader | Gerald Carter | 1 | -4/+2
(This used to be commit 27c6e85ad59a86ab45ae3297c7445c4ff15546c8)
2007-10-10 | r5943: remove unnecessary se_priv_copy() | Gerald Carter | 1 | -3/+1
(This used to be commit 2db04a90c4197a3950bbc322948468cb306b3557)
2007-10-10 | r5647: Caches are good for performance, but you get a consistency problem. | Volker Lendecke | 1 | -0/+2
Fix bug # 2401.
Volker
(This used to be commit eb4ef94f244d28fe531d0b9f724a66ed3834b687)
2007-10-10 | r5471: In cli_samr_lookup_rids, flags is not a flags but an array size. W2k3 rejects everything but 1000 here, so there's no point in exposing that to the caller. | Volker Lendecke | 1 | -3/+4
Thanks, Volker
(This used to be commit 03ec1bd9e54b065c0494bc57a3d78ac0ae28e234)
2007-10-10 | r5469: Fix error codes of samr_lookup_rids: There's also STATUS_SOME_UNMAPPED. | Volker Lendecke | 1 | -11/+26
Thanks, Volker
(This used to be commit 43dcf0f5cb5dc2dd37ab3cdc2905970d9cc50ba4)
2007-10-10 | r5467: Optimize _samr_query_groupmem with LDAP backend for large domains. | Volker Lendecke | 1 | -38/+14
Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-)
Thanks, Volker
(This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2007-10-10 | r5419: Fix some uninitialized variable warnings | Volker Lendecke | 1 | -3/+3
(This used to be commit 9004b7897416d142ab9e3bee60c7bda589f94750)
2007-10-10 | r5349: After talking with Jerry, reverted the addition of account policies to | Günther Deschner | 1 | -29/+29
passdb in 3_0 (they are still in trunk).
Guenther
(This used to be commit fdf9bdbbac1d8d4f3b3e1fc7e49c1e659b9301b1)
2007-10-10 | r5264: Log with loglevel 0 when account-administration scripts fail. | Günther Deschner | 1 | -2/+2
Guenther
(This used to be commit 3d391ef149639750db376b05528a27422f8a3321)
2007-10-10 | r5262: Fix server_role in the samr_query_dom_info calls. When we are a BDC we | Günther Deschner | 1 | -6/+23
should not say we are a PDC.
Guenther
(This used to be commit 6cdf3b97de2c28ac92f972621b0ce04c1c80cea5)
2007-10-10 | r5205: more fixups for BUG 2291 | Gerald Carter | 1 | -27/+30
(This used to be commit 62e7cc7c3b2fe5187c99e0a1491843579ab997e7)
2007-10-10 | r5203: additional changes for BUG 2291 to restrict who can join a BDC and add domain trusts | Gerald Carter | 1 | -8/+18
(This used to be commit 5ec1faa2ad33772fb48c3863e67d2ce4be726bb2)
2007-10-10 | r5180: Call the "add machine script" to create all kinds of trust accounts | Günther Deschner | 1 | -1/+1
(this restores old behaviour). Fixes #2291.
Guenther
(This used to be commit 5ca0d1b87cd20f538a13321eb11ef97d00bf5133)
2007-10-10 | r5150: consolidate the samr_make.*obj_sd() functions to share code | Gerald Carter | 1 | -157/+41
(This used to be commit 5bd03d59263ab619390062c1d023ad1ba54dce6a)
2007-10-10 | r5056: * correct STANDARD_RIGHTS_WRITE_ACCESS bitmask define | Gerald Carter | 1 | -4/+4
* make sure to apply the rights_mask and not just the saved bits from the mask in access_check_samr_object()
* allow root to grant/revoke privileges (in addition to Domain Admins) as suggested by Volker.
Tested machine joins from XP, 2K, and NT4 with and without pre-existing machine trust accounts. Also tested basic file operations using cmd.exe and explorer.exe after changing the STANDARD_RIGHTS_WRITE_ACCESS bitmask.
(This used to be commit c0e7f7ff60a4110809b8f500fdc68a1bf963da36)
2007-10-10 | r5028: * check acb_info mask in _samr_create_user instead of the last character | Gerald Carter | 1 | -36/+21
of the user name
* fix some access_mask checks in _samr_set_userinfo2 (getting join from XP without being a member of domain admins working)
(This used to be commit 04030534ffd35f8ebc997d9403fd87309403dcbf)
2007-10-10 | r5015: (based on abartlet's original patch to restrict password changes) | Gerald Carter | 1 | -336/+407
* added SE_PRIV checks to access_check_samr_object() in order to deal with the run-time security descriptor and their interaction with user rights
* Reordered original patch in _samr_set_userinfo[2] to still allow root/administrative password changes for users and machines.
(This used to be commit f9f9e6039bd9443d54445e41c3783a2be18925fb)
2007-10-10 | r4972: Fix a warning and some debugging-outputs. | Günther Deschner | 1 | -1/+1
Guenther
(This used to be commit 1eabfa050b661168b42892c2d841c7891e59cf5f)
2007-10-10 | r4931: Add get_user_info_7 in SAMR. This just gives out the username. (In | Günther Deschner | 1 | -0/+42
preparation of adding the ability of renaming users via setuserinfo level 7).
Guenther
(This used to be commit 6f34ed6c203fa11182640da97581075612d26c0e)
2007-10-10 | r4925: Migrate Account Policies to passdb (esp. replicating ldapsam). | Günther Deschner | 1 | -29/+30
Does automated migration from account_policy.tdb v1 and v2 and offers a pdbedit-Migration interface. Jerry, please feel free to revert that if you have other plans.
Guenther
(This used to be commit 75af83dfcd8ef365b4b1180453060ae5176389f5)
2007-10-10 | r4871: BUG 603: patch by Daniel Beschorner <db@unit-netz.de>. Correct access mask check for _samr_lookup_domain() to work with Windows RAS server | Gerald Carter | 1 | -1/+4
(This used to be commit 2e7a5608ac6a11f4e9e8bda69abb984fb4f86eb8)
2007-10-10 | r4849: * finish SeAddUsers support in srv_samr_nt.c | Gerald Carter | 1 | -100/+258
* define some const SE_PRIV structure for use when you need a SE_PRIV* to a privilege
* fix an annoying compiler warning in smbfilter.c
* translate SIDs to names in 'net rpc rights list accounts'
* fix a seg fault in cli_lsa_enum_account_rights caused by me forgetting the precedence of * vs. []
(This used to be commit d25fc84bc2b14da9fcc0f3c8d7baeca83f0ea708)
2007-10-10 | r4847: Hand over an acb_mask to pdb_setsampwent in load_sampwd_entries(). | Günther Deschner | 1 | -7/+13
This allows the ldap-backend to search much more efficiently. Machines will be searched in the ldap_machine_suffix and users in the ldap_users_suffix. (Note that we already use the ldap_group_suffix in ldapsam_setsamgrent for quite some time).
Using the specific ldap-bases becomes notably important in large domains: On my testmachine "net rpc trustdom list" has to search through 40k accounts just to list 3 interdomain-trust-accounts, similar effects show up in the non-user query_dispinfo-calls, etc.
Also renamed all_machines to only_machines in load_sampwd_entries() since that reflects better what is really meant.
Guenther
(This used to be commit 6394257cc721ca739bda0e320375f04506913533)
2007-10-10 | r4805: Last planned change to the privileges infrastructure: | Gerald Carter | 1 | -3/+6
* rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags)
* migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly.
Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right.
(This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2007-10-10 | r4736: small set of merges from trunk to minimize the diffs | Gerald Carter | 1 | -2/+2
(This used to be commit 4b351f2fcc365a7b7f8c22b5139c299aa54c9458)
2007-10-10 | r4724: Add support for Windows privileges in Samba 3.0 | Gerald Carter | 1 | -22/+22
(based on Simo's code in trunk). Rewritten with the following changes:
* privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release).
* Remove the privilege code from the passdb API (replication to come later)
* Only support the minimum amount of privileges that make sense.
* Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this.
Still todo:
* Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter
* Utilize the SeAddUserPrivilege for adding users and groups
* Fix some of the hard coded _lsa_*() calls
* Start work on enough of SAM replication to get privileges from one Samba DC to another.
* Come up with some management tool for manipulating privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4.
(This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2007-10-10 | r4646: Allow Account Lockout with Lockout Duration "forever" (until admin | Günther Deschner | 1 | -3/+9
unlocks) to be set and displayed in User Manager.
Guenther
(This used to be commit 8fd7e26fa12a4102def630efa421fad70f3affb1)