summaryrefslogtreecommitdiff
path: root/source3/rpc_server
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r5264: Log with loglevel 0 when account-administration scripts fail.Günther Deschner1-2/+2
Guenther (This used to be commit 3d391ef149639750db376b05528a27422f8a3321)
2007-10-10r5262: Fix server_role in the samr_query_dom_info calls. When we are a BDC weGünther Deschner1-6/+23
should not say we are a PDC. Guenther (This used to be commit 6cdf3b97de2c28ac92f972621b0ce04c1c80cea5)
2007-10-10r5246: We can't use a pointer to struct lsa_info until is has beenTim Potter1-1/+1
initialised. Fix for bugzilla #2315. Can the privileges dude(s) please verify this? (This used to be commit bc4f884104c04f7c9ab7d370586115a9328ce9b1)
2007-10-10r5205: more fixups for BUG 2291Gerald Carter1-27/+30
(This used to be commit 62e7cc7c3b2fe5187c99e0a1491843579ab997e7)
2007-10-10r5203: additional changes for BUG 2291 to restrict who can join a BDC and ↵Gerald Carter1-8/+18
add domain trusts (This used to be commit 5ec1faa2ad33772fb48c3863e67d2ce4be726bb2)
2007-10-10r5180: Call the "add machine script" to create all kinds of trust accountsGünther Deschner1-1/+1
(this restores old behaviour). Fixes #2291. Guenther (This used to be commit 5ca0d1b87cd20f538a13321eb11ef97d00bf5133)
2007-10-10r5150: consolidate the samr_make.*obj_sd() functions to share codeGerald Carter1-157/+41
(This used to be commit 5bd03d59263ab619390062c1d023ad1ba54dce6a)
2007-10-10r5056: * correct STANDARD_RIGHTS_WRITE_ACCESS bitmask defineGerald Carter2-10/+20
* make sure to apply the rights_mask and not just the saved bits from the mask in access_check_samr_object() * allow root to grant/revoke privileges (in addition to Domain Admins) as suggested by Volker. Tested machine joins from XP, 2K, and NT4 with and without pre-existing machine trust accounts. Also tested basic file operations using cmd.exe and explorer.exe after changing the STANDARD_RIGHTS_WRITE_ACCESS bitmask. (This used to be commit c0e7f7ff60a4110809b8f500fdc68a1bf963da36)
2007-10-10r5028: * check acb_info mask in _samr_create_user instead of the last characterGerald Carter1-36/+21
of the user name * fix some access_mask checks in _samr_set_userinfo2 (getting join from XP without being a member of domain admins working) (This used to be commit 04030534ffd35f8ebc997d9403fd87309403dcbf)
2007-10-10r5015: (based on abartlet's original patch to restrict password changes)Gerald Carter1-336/+407
* added SE_PRIV checks to access_check_samr_object() in order to deal with the run-time security descriptor and their interaction with user rights * Reordered original patch in _samr_set_userinfo[2] to still allow root/administrative password changes for users and machines. (This used to be commit f9f9e6039bd9443d54445e41c3783a2be18925fb)
2007-10-10r4972: Fix a warning and some debugging-outputs.Günther Deschner1-1/+1
Guenther (This used to be commit 1eabfa050b661168b42892c2d841c7891e59cf5f)
2007-10-10r4931: Add get_user_info_7 in SAMR. This just gives out the username. (InGünther Deschner1-0/+42
preparation of adding the ability of renaming users via setuserinfo level 7). Guenther (This used to be commit 6f34ed6c203fa11182640da97581075612d26c0e)
2007-10-10r4925: Migrate Account Policies to passdb (esp. replicating ldapsam).Günther Deschner2-30/+31
Does automated migration from account_policy.tdb v1 and v2 and offers a pdbedit-Migration interface. Jerry, please feel free to revert that if you have other plans. Guenther (This used to be commit 75af83dfcd8ef365b4b1180453060ae5176389f5)
2007-10-10r4871: BUG 603: patch by Daniel Beschorner <db@unit-netz.de>. Correct ↵Gerald Carter1-1/+4
access mask check for _samr_lookup_domain() to work with Windows RAS server (This used to be commit 2e7a5608ac6a11f4e9e8bda69abb984fb4f86eb8)
2007-10-10r4856: after testing a simple add printer script, i realized that you still ↵Gerald Carter2-21/+21
have to be root to send the message to all smbds that the config file has been updated (This used to be commit 6409de1a1ef34bb41c3efeebfabdf13be5e08613)
2007-10-10r4852: merge simo changes to srv_srvsvc_nt.c from trunkGerald Carter1-30/+13
that allows the add/change share command to create the directory passed in as an arguement and not require that it pre-exist. Also finish testing of SeDiskOperatorPrivilege via srvmgr.exe (This used to be commit 9af83a7d70324846e6a2660c73589ee68340b4aa)
2007-10-10r4849: * finish SeAddUsers support in srv_samr_nt.cGerald Carter1-100/+258
* define some const SE_PRIV structure for use when you need a SE_PRIV* to a privilege * fix an annoying compiler warngin in smbfilter.c * translate SIDs to names in 'net rpc rights list accounts' * fix a seg fault in cli_lsa_enum_account_rights caused by me forgetting the precedence of * vs. [] (This used to be commit d25fc84bc2b14da9fcc0f3c8d7baeca83f0ea708)
2007-10-10r4847: Hand over a acb_mask to pdb_setsampwent in load_sampwd_entries().Günther Deschner1-7/+13
This allows the ldap-backend to search much more effeciently. Machines will be searched in the ldap_machine_suffix and users in the ldap_users_suffix. (Note that we already use the ldap_group_suffix in ldapsam_setsamgrent for quite some time). Using the specific ldap-bases becomes notably important in large domains: On my testmachine "net rpc trustdom list" has to search through 40k accounts just to list 3 interdomain-trust-accounts, similiar effects show up the non-user query_dispinfo-calls, etc. Also renamed all_machines to only_machines in load_sampwd_entries() since that reflects better what is really meant. Guenther (This used to be commit 6394257cc721ca739bda0e320375f04506913533)
2007-10-10r4825: Printing changesGerald Carter2-45/+136
---------------- * bracket the add/delete/set printer scripts with checks for se_print_op * slight change to the add/set printer script semantics. smbd no longer relies on output from the script (on stdout) to re-read smb.conf * remove SIGHUP from set/add/delete printin script code and now just use MSG_SMB_CONF_UPDATED * bracket the add/delete/set share scripts with checks for se_print_op (this includes setting share ACLs) (This used to be commit 8ab8113d2e1bec6a1dbf464882ad724c7c591be4)
2007-10-10r4824: wrap the shutdown and abort_shutdown calls in check for the ↵Gerald Carter1-1/+24
SE_REMOTE_SHUTDOWN privilege (This used to be commit d11339b7e3b890b8e01744b6b309efaa7ad328e1)
2007-10-10r4822: fix return code when you ask for a non-privileged SID via one of the ↵Gerald Carter1-0/+3
privileges RPC calls (This used to be commit 3f4f2c80fd157796a7ba56f31f921e8a3ce46bc3)
2007-10-10r4805: Last planned change to the privileges infrastructure:Gerald Carter3-47/+72
* rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15)
2007-10-10r4746: add server support for lsa_enum_acct_rights(); last checkin for the nightGerald Carter2-4/+62
(This used to be commit ccdff4a998405544433aa32938963e4c37962fcc)
2007-10-10r4742: add server support for lsa_add/remove_account_rights() and fix some ↵Gerald Carter2-1/+172
parsing bugs related to that code (This used to be commit 7bf1312287cc1ec6b97917ba25fc60d6db09f26c)
2007-10-10r4740: allow SE_PRINT_OPERATORS to have printer admin accessGerald Carter1-2/+4
(This used to be commit 85731706c9d794e8bd3f26ce9b1f881c1ee6a3ba)
2007-10-10r4739: require membership in Domain Admins to be able to set privilegesGerald Carter1-0/+25
(This used to be commit e8b4cedc2081eeff53d86c2d894632e57a17926f)
2007-10-10r4736: small set of merges from rtunk to minimize the diffsGerald Carter1-2/+2
(This used to be commit 4b351f2fcc365a7b7f8c22b5139c299aa54c9458)
2007-10-10r4724: Add support for Windows privileges in Samba 3.0Gerald Carter3-181/+194
(based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
2007-10-10r4656: Convert the winreg pipe to use WERROR returns (as it should).Jeremy Allison1-45/+45
Also fix return of NT_STATUS_NO_MORE_ENTRIES should be ERROR_NO_MORE_ITEMS reported by "Marcin Porwit" <mporwit@centeris.com>. Jeremy. (This used to be commit 511cdec60d431d767fb02f68ca5ddd4ddb59e64a)
2007-10-10r4651: Add "refuse machine password change" policy field. This update will justJim McDonough1-1/+12
return the appropriate reg value. Enforcement to be added soon. Also, fix account policy tdb upgrade so it doesn't just wipe out everything that was in there from a a previous version. (This used to be commit ccae934cf9de4b234bac324b8d878c8ec7862f67)
2007-10-10r4646: Allow Account Lockout with Lockout Duration "forever" (until adminGünther Deschner1-3/+9
unlocks) to be set and displayed in User Manager. Guenther (This used to be commit 8fd7e26fa12a4102def630efa421fad70f3affb1)
2007-10-10r4579: small changes to allow the members og the Domain Admins group on the ↵Gerald Carter1-64/+134
Samba DC to join clients to the domain -- needs more testing and security review but does work with initial testing (This used to be commit 9ade9bf49c7125fb29658f943e9ebb6be9496180)
2007-10-10r4370: Don't assume the compiler supports declarations after statements.Jelmer Vernooij1-1/+1
(This used to be commit 7fa2caec5ec2de4c5e7359621745a65ca9df255c)
2007-10-10r4351: Vampire Logon-Hours. Update Logon-Hours only when they have changed.Günther Deschner1-2/+6
Guenther (This used to be commit 0930ad662770278cbe9fd4e3deaa523957b96697)
2007-10-10r4343: forgot to add info-level 8 to SAMR_UNKNOWN_2E as well.Günther Deschner1-0/+3
Guenther (This used to be commit 5e6ce9a6e3d62190da5427ed7b5e2f2ac22a0c34)
2007-10-10r4336: Apply some other samba4 SAMR idl that is just too obvious. Don't hardGünther Deschner1-3/+13
set the value "forcibly disconnect remote users from server when logon hours expire" to "no", instead take the value from our account-policy storage. Guenther (This used to be commit e3bd2a22a5cebc4adf6910d3ec31bc6fada8cd35)
2007-10-10r4331: Implement SAMR query_dom_info-call info-level 8 server- and client-side,Günther Deschner1-0/+3
based on samba4-idl. This saves us an enormous amount of totally unnecessary ldap-traffic when several hundreds of winbind-daemons query a Samba3 DC just to get the fake SAM-sequence-number (time(NULL)) by enumerating all users, all groups and all aliases when query-dom-info level 2 is used. Note that we apparently never get the sequence number right (we parse a uint32, although it's a uint64, at least in samba4 idl). For the time being, I would propose to stay with that behaviour. Guenther (This used to be commit f9ab15a986626581000d4b93961184c501f36b93)
2007-10-10r4222: Always compile before commit...Volker Lendecke1-1/+1
(This used to be commit 0f26ba5226fab5b86031a0df6fba16b8e6af6e7d)
2007-10-10r4219: Fix samba3 samr "idl"... According to samba4 idl samr_DomInfo2 contains aVolker Lendecke1-1/+1
comment string and not an unknown 12 byte structure... Found after abartlet's smbtorture extended this string to "Tortured by Samba4: Fri Nov 26 15:40:18 2004 CET" ;-)) Volker (This used to be commit b41d94d8186f66136918432cf32e9dcef5a8bd12)
2007-10-10r4184: Removed unused extern.Jeremy Allison1-1/+0
Jeremy. (This used to be commit 72e39041e9fbb7f252292182d56b1927a8133be0)
2007-10-10r4134: check the setprinter(3) based on the access permissions on the handle ↵Gerald Carter1-14/+11
and avoid the call to print_access_chaeck() (This used to be commit 426634df9c221fbe4f48b4ff9d1b4b8426a581f7)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison14-219/+211
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r4083: consolidate printer searches to use find_service rather than for loopsGerald Carter1-16/+6
(This used to be commit 12440744ba36445186042c8c254785766cce5385)
2007-10-10r3929: Dead code elimination fix for bug #2075 from jason@ncac.gwu.edu.Jeremy Allison1-6/+1
Jeremy. (This used to be commit 9d367ac636d7d88cd4756531bd8412f8d6d16d14)
2007-10-10r3875: Allow to look up at least or own sid in _lsa_lookup_sids.Günther Deschner1-2/+2
This fixes Bugzilla #1076 and Exchange 5.5 SP4 can then be finally installed on NT4 in a samba-controlled domain. Guenther (This used to be commit bb191c1098dea06bf2cd89276c74e32279fbb3d4)
2007-10-10r3705: Nobody has commented, so I'll take this as an ack...Volker Lendecke2-64/+44
abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2007-10-10r3566: Completely replace the queryuseraliases call. The previous ↵Volker Lendecke2-219/+35
implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2007-10-10r3069: add 'force printername' service parameter for people that want to ↵Gerald Carter1-14/+30
enforce printername == sharename for spoolss printing (This used to be commit d47b8a0b4f348171df35b3b0028ce7d99fab8af3)
2007-10-10r3066: BUG 1519: fix segfault caused by double free of a printerGerald Carter1-1/+0
(This used to be commit 3760464193c540e82f0ba4e61d1d3b96a9803aca)
2007-10-10r3065: BUG 1519 (more): apparently the server_name notify request is used to ↵Gerald Carter1-13/+4
fill in the title bar of the port monitor window and unless we get it right, you cannot open the printer properties from the port monitor window (This used to be commit fc691572c9ba5ae85c63db5202b7777efdbf7260)