Age | Commit message (Collapse) | Author | Files | Lines |
|
rejects
everything but 1000 here, so there's no point in exposing that to the caller.
Thanks,
Volker
(This used to be commit 03ec1bd9e54b065c0494bc57a3d78ac0ae28e234)
|
|
Thanks,
Volker
(This used to be commit 43dcf0f5cb5dc2dd37ab3cdc2905970d9cc50ba4)
|
|
Could someone else please look at this patch, verifying that I did not break
the ldapsam:trusted = False fallback to the old behaviour? It works fine for
me, but you never know. You're certainly free to review the new code as well :-)
Thanks,
Volker
(This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
|
|
validated with a user, so allow it even if pipe itself had an anonymous
connection.
(This used to be commit 469a649ad7271159960335419fd3ce2633cf2c8b)
|
|
list to zero
and return NT_STATUS_NONE_MAPPED. This does not crash windows and maintains
the benefit of not overallocating memory. The previous response of
truncating to the MAX limit was not useful because it crashed lsass.exe on
windows (bug opened with MS), and it was also misleading the client to
believe that a complete answer was received.
(This used to be commit c03a93957404663bbd026668fb95d6c253524fe9)
|
|
(This used to be commit 9004b7897416d142ab9e3bee60c7bda589f94750)
|
|
(This used to be commit ead54b14f6b34f087d3affc2853e16bbbaceb7cc)
|
|
passdb in 3_0 (they are still in trunk).
Guenther
(This used to be commit fdf9bdbbac1d8d4f3b3e1fc7e49c1e659b9301b1)
|
|
Guenther
(This used to be commit 3d391ef149639750db376b05528a27422f8a3321)
|
|
should not say we are a PDC.
Guenther
(This used to be commit 6cdf3b97de2c28ac92f972621b0ce04c1c80cea5)
|
|
initialised. Fix for bugzilla #2315. Can the privileges dude(s)
please verify this?
(This used to be commit bc4f884104c04f7c9ab7d370586115a9328ce9b1)
|
|
(This used to be commit 62e7cc7c3b2fe5187c99e0a1491843579ab997e7)
|
|
add domain trusts
(This used to be commit 5ec1faa2ad33772fb48c3863e67d2ce4be726bb2)
|
|
(this restores old behaviour). Fixes #2291.
Guenther
(This used to be commit 5ca0d1b87cd20f538a13321eb11ef97d00bf5133)
|
|
(This used to be commit 5bd03d59263ab619390062c1d023ad1ba54dce6a)
|
|
* make sure to apply the rights_mask and not just the saved
bits from the mask in access_check_samr_object()
* allow root to grant/revoke privileges (in addition to Domain
Admins) as suggested by Volker.
Tested machine joins from XP, 2K, and NT4 with and without
pre-existing machine trust accounts. Also tested basic file
operations using cmd.exe and explorer.exe after changing the
STANDARD_RIGHTS_WRITE_ACCESS bitmask.
(This used to be commit c0e7f7ff60a4110809b8f500fdc68a1bf963da36)
|
|
of the user name
* fix some access_mask checks in _samr_set_userinfo2 (getting join from
XP without being a member of domain admins working)
(This used to be commit 04030534ffd35f8ebc997d9403fd87309403dcbf)
|
|
* added SE_PRIV checks to access_check_samr_object() in order
to deal with the run-time security descriptor and their
interaction with user rights
* Reordered original patch in _samr_set_userinfo[2] to still
allow root/administrative password changes for users and machines.
(This used to be commit f9f9e6039bd9443d54445e41c3783a2be18925fb)
|
|
Guenther
(This used to be commit 1eabfa050b661168b42892c2d841c7891e59cf5f)
|
|
preparation of adding the ability of renaming users via setuserinfo
level 7).
Guenther
(This used to be commit 6f34ed6c203fa11182640da97581075612d26c0e)
|
|
Does automated migration from account_policy.tdb v1 and v2 and offers a
pdbedit-Migration interface. Jerry, please feel free to revert that if
you have other plans.
Guenther
(This used to be commit 75af83dfcd8ef365b4b1180453060ae5176389f5)
|
|
access mask check for _samr_lookup_domain() to work with Windows RAS server
(This used to be commit 2e7a5608ac6a11f4e9e8bda69abb984fb4f86eb8)
|
|
have to be root to send the message to all smbds that the config file has been updated
(This used to be commit 6409de1a1ef34bb41c3efeebfabdf13be5e08613)
|
|
that allows the add/change share command to create the directory
passed in as an arguement and not require that it pre-exist.
Also finish testing of SeDiskOperatorPrivilege via srvmgr.exe
(This used to be commit 9af83a7d70324846e6a2660c73589ee68340b4aa)
|
|
* define some const SE_PRIV structure for use when
you need a SE_PRIV* to a privilege
* fix an annoying compiler warngin in smbfilter.c
* translate SIDs to names in 'net rpc rights list accounts'
* fix a seg fault in cli_lsa_enum_account_rights caused by
me forgetting the precedence of * vs. []
(This used to be commit d25fc84bc2b14da9fcc0f3c8d7baeca83f0ea708)
|
|
This allows the ldap-backend to search much more effeciently. Machines
will be searched in the ldap_machine_suffix and users in the
ldap_users_suffix. (Note that we already use the ldap_group_suffix in
ldapsam_setsamgrent for quite some time).
Using the specific ldap-bases becomes notably important in large
domains: On my testmachine "net rpc trustdom list" has to search through
40k accounts just to list 3 interdomain-trust-accounts, similiar effects
show up the non-user query_dispinfo-calls, etc.
Also renamed all_machines to only_machines in load_sampwd_entries()
since that reflects better what is really meant.
Guenther
(This used to be commit 6394257cc721ca739bda0e320375f04506913533)
|
|
----------------
* bracket the add/delete/set printer scripts with checks for se_print_op
* slight change to the add/set printer script semantics. smbd no longer
relies on output from the script (on stdout) to re-read smb.conf
* remove SIGHUP from set/add/delete printin script code and now just
use MSG_SMB_CONF_UPDATED
* bracket the add/delete/set share scripts with checks for se_print_op
(this includes setting share ACLs)
(This used to be commit 8ab8113d2e1bec6a1dbf464882ad724c7c591be4)
|
|
SE_REMOTE_SHUTDOWN privilege
(This used to be commit d11339b7e3b890b8e01744b6b309efaa7ad328e1)
|
|
privileges RPC calls
(This used to be commit 3f4f2c80fd157796a7ba56f31f921e8a3ce46bc3)
|
|
* rewrote the tdb layout of privilege records in account_pol.tdb
(allow for 128 bits instead of 32 bit flags)
* migrated to using SE_PRIV structure instead of the PRIVILEGE_SET
structure. The latter is now used for parsing routines mainly.
Still need to incorporate some client support into 'net' so
for setting privileges. And make use of the SeAddUserPrivilege
right.
(This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
|
|
(This used to be commit ccdff4a998405544433aa32938963e4c37962fcc)
|
|
parsing bugs related to that code
(This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
|
|
(This used to be commit 85731706c9d794e8bd3f26ce9b1f881c1ee6a3ba)
|
|
(This used to be commit e8b4cedc2081eeff53d86c2d894632e57a17926f)
|
|
(This used to be commit 4b351f2fcc365a7b7f8c22b5139c299aa54c9458)
|
|
(based on Simo's code in trunk). Rewritten with the
following changes:
* privilege set is based on a 32-bit mask instead of strings
(plans are to extend this to a 64 or 128-bit mask before
the next 3.0.11preX release).
* Remove the privilege code from the passdb API
(replication to come later)
* Only support the minimum amount of privileges that make
sense.
* Rewrite the domain join checks to use the SeMachineAccountPrivilege
instead of the 'is a member of "Domain Admins"?' check that started
all this.
Still todo:
* Utilize the SePrintOperatorPrivilege in addition to the 'printer admin'
parameter
* Utilize the SeAddUserPrivilege for adding users and groups
* Fix some of the hard coded _lsa_*() calls
* Start work on enough of SAM replication to get privileges from one
Samba DC to another.
* Come up with some management tool for manipultaing privileges
instead of user manager since it is buggy when run on a 2k client
(haven't tried xp). Works ok on NT4.
(This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
|
|
Also fix return of NT_STATUS_NO_MORE_ENTRIES should be
ERROR_NO_MORE_ITEMS reported by "Marcin Porwit" <mporwit@centeris.com>.
Jeremy.
(This used to be commit 511cdec60d431d767fb02f68ca5ddd4ddb59e64a)
|
|
return the appropriate reg value. Enforcement to be added soon.
Also, fix account policy tdb upgrade so it doesn't just wipe out everything
that was in there from a a previous version.
(This used to be commit ccae934cf9de4b234bac324b8d878c8ec7862f67)
|
|
unlocks) to be set and displayed in User Manager.
Guenther
(This used to be commit 8fd7e26fa12a4102def630efa421fad70f3affb1)
|
|
Samba DC to join clients to the domain -- needs more testing and security review but does work with initial testing
(This used to be commit 9ade9bf49c7125fb29658f943e9ebb6be9496180)
|
|
(This used to be commit 7fa2caec5ec2de4c5e7359621745a65ca9df255c)
|
|
Guenther
(This used to be commit 0930ad662770278cbe9fd4e3deaa523957b96697)
|
|
Guenther
(This used to be commit 5e6ce9a6e3d62190da5427ed7b5e2f2ac22a0c34)
|
|
set the value "forcibly disconnect remote users from server when logon
hours expire" to "no", instead take the value from our account-policy
storage.
Guenther
(This used to be commit e3bd2a22a5cebc4adf6910d3ec31bc6fada8cd35)
|
|
based on samba4-idl.
This saves us an enormous amount of totally unnecessary ldap-traffic
when several hundreds of winbind-daemons query a Samba3 DC just to get
the fake SAM-sequence-number (time(NULL)) by enumerating all users, all
groups and all aliases when query-dom-info level 2 is used.
Note that we apparently never get the sequence number right (we parse a
uint32, although it's a uint64, at least in samba4 idl). For the time
being, I would propose to stay with that behaviour.
Guenther
(This used to be commit f9ab15a986626581000d4b93961184c501f36b93)
|
|
(This used to be commit 0f26ba5226fab5b86031a0df6fba16b8e6af6e7d)
|
|
comment string and not an unknown 12 byte structure...
Found after abartlet's smbtorture extended this string to
"Tortured by Samba4: Fri Nov 26 15:40:18 2004 CET"
;-))
Volker
(This used to be commit b41d94d8186f66136918432cf32e9dcef5a8bd12)
|
|
Jeremy.
(This used to be commit 72e39041e9fbb7f252292182d56b1927a8133be0)
|
|
and avoid the call to print_access_chaeck()
(This used to be commit 426634df9c221fbe4f48b4ff9d1b4b8426a581f7)
|
|
allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
|