Guenther
|
|
Also found by the WINREG torture test enhancements by gd.
|
|
Windows 2008
Add more security checks and other corrections to imitate Windows Server >= 2008.
|
|
Make the result codes consistent. That means:
result < 0 -> NT_STATUS_INTERNAL_DB_CORRUPTION since our DB had a critical
error
result >= 0 -> depends on the function usage. I tried to always leave the logic
as it was before.
|
|
The "count" size specifiers I typed "uint32_t" since they're often returned as
a "uint32_t" (consider the IDL file). LDB counters need to be "signed" if they
count till a limit of a "gendb*" call or "unsigned" if they count directly the
number of objects.
|
|
The "count" size specifiers I typed "uint32_t" since they're often returned as
a "uint32_t" (consider the IDL file). LDB counters need to be "signed" if they
count till a limit of a "gendb*" call or "unsigned" if they count directly the
number of objects.
|
|
No need to have "signed" counters at those places.
|
|
really not my day today...
Guenther
|
|
Guenther
|
|
Previous commit was incomplete. The "service" parameter in the "tcon" structure
should point to "scfg->name". I'm not sure if "share" is right but the first
was used before commit f390daef475126b4ff5a3d0ffd2babbd87d4c22b.
|
|
This should be the right fix (set the service name in the tcon union to the
share name/path). That should be the solution for bug #6784.
|
|
We need to look for both global and universal group types when querying them.
Found by ekacnet (http://lists.samba.org/archive/samba-technical/2010-March/069777.html).
|
|
"i" needs to be unsigned here since it counts until "r->in.len" which itself is
unsigned and not signed.
|
|
This is needed since this particular "i" counts until "count" which itself is
signed. "count" is set through a signed integer variable parameter from the
"share_list_all" call.
|
|
metze
|
|
Converting the sid to a string and then storing a string does not save the sid
in the right format, causing following retrievals to fail to read back a sid
with samdb_result_dom_sid().
|
|
Do not use policy_state->sam_ldb and trusted_domain_state->policy->sam_ldb
interchangeably all over the place. Just use sam_ldb everywhere and make the
code slightly more readable.
|
|
This was causing marshalling faults when we returned errors.
|
|
After looking at the s4 side of the (s)channel :) I found out that it makes
more sense to simply make it use the tdb based code than redo the same changes
done to s3 to simplify the interface.
Ldb is slow, to the point it needs hacks to pre-open the db to speed it up, yet
that does not solve the lookup speed; with ldb it is always going to be slower.
Looking through the history it is evident that the schannel database doesn't
really need great expandability. And lookups are always done with a single
key. This seems a perfect fit for tdb while ldb looks unnecessarily complicated.
The schannel database is not really a persistent one. It can be discarded during
an upgrade without causing any real issue. All it contains is temporary session
data.
|
|
Make the initial schannel check logic more understandable.
Make it easy to define different policies depending on the caller's
security requirements (Integrity/Privacy/Both/None)
This is the same change applied to s3
|
|
Simo, I'm not really sure that those checks are valid. I read MS-NRPC section
3.5.4.1 about LOGONSRV_HANDLEs ("server_name" is of this type). It isn't
stated there that the server name necessarily has to be in the DNS form, and it
should also be valid when it's NULL (if DCE server and client are the same - I
don't know if we make use of it in s4).
|
|
start implementing calls related to trusted domain information
|
|
Actually return trust relationships by searching the appropriate
entries in the SAM database.
Add checks and return the correct flags, type and attributes.
|
|
remove trailing spaces, tabs and blank lines
|
|
When searching for a trusted domain object to open, search also the DNS Name
attributes for a match. W2K8R2 uses the DNS domain if available.
|
|
stop this function from making my eyes bleed
|
|
This allows the interface version to be forwarded to the remote server
in the RPC proxy, both in the endpoint lookup and the subsequent bind.
Andrew Bartlett
|
|
By recording the association group the remote server assigned to our
proxied RPC connection, we can ensure we use the same value when the
client wishes to use it.
This isn't stored in a private pointer, as mapiproxy will want to use
this feature too.
Andrew Bartlett
|
|
The recent dcerpc padding changes made our padding relative to the
packet header, instead of the start of the stub. Surprisingly, this
broke w2k8r2 doing a dcpromo join to a s4 server. It seems that w2k8r2
is very fussy about the padding it gets in some circumstances.
|
|
This allows for controls to be added easily where they are needed.
|
|
Much simpler to use the permissive control instead of manually munging
the SPN list.
|
|
It is not an error if entries already exist.
|
|
One empty line is enough for code part divisions.
|
|
The last change broke net vampire against w2k8r2
|
|
Cope with a wider range of auth padding in dcerpc bind_ack and
alter_context packets. We now use a helper function that calculates
the right auth padding.
|
|
|