IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Strip them out when referencing share_type[] entries.
Apparently, some Windows XP installs create shares set to STYPE_HIDDEN by default, found by
Damir Shayhutdinov <damir@altlinux.org>. This also fixes smb4k crashes as it does call 'net share -l'.
(This used to be commit c3f4fdd37e)
process deep dfs links (ie. links that go to non root
parts of a share). Make the directory handling conanonical
in POSIX and Windows pathname processing.
dfs should not be fully working in client tools. Please
bug me if not.
Jeremy.
(This used to be commit 1c9e10569c)
add [ref] pointers where necessary (top-level [ref] pointers,
by spec, don't appear on the wire).
This brings us closer to the DCE/RPC standard again.
(This used to be commit 580f2a7197)
in the next step we can store them in LDAP to be replicated across DCs.
Thanks to Michael Adam <ma@sernet.de>
Volker
(This used to be commit 3c879745cf)
still doesn't compile with immediate structures and the
NTSTATUS/WERROR separation, as there are still several places where
the two error types are mixed up. I haven't fixed those as they
require decisions about the rpcclient code that I really don't want to
get into (the error handling there is a mess)
So samba3 compiles now, but only becaise HAVE_IMMEDIATE_STRUCTURES is
not used (look for HAVE_IMMEDIATE_STRUCTURES_XX_DISABLED)
(This used to be commit 8438a6a7d4)
This has had some basic testing. I'll do more during the next couple of days and hopefully also
make RPC-SRVSVC from Samba4 pass against it.
(This used to be commit ef10672399)
* autogenerate lsa ndr code
* rename 'enum SID_NAME_USE' to 'enum lsa_SidType'
* merge a log more security descriptor functions from
gen_ndr/ndr_security.c in SAMBA_4_0
The most embarassing thing is the "#define strlen_m strlen"
We need a real implementation in SAMBA_3_0 which I'll work on
after this code is in.
(This used to be commit 3da9f80c28)
in net_rpc.c: 715 716 732 734 735 736 737 738 739 749
in net_rpc_audit.c: 754 755 756
in net_rpc_join.c: 757
in net_rpc_registry: 766 767
in net_rpc_samsync.c: 771 773
in net_sam.c: 797 798
Volker
(This used to be commit 3df0bf7d60)
The motivating factor is to not require more privileges for
the user account than Windows does when joining a domain.
The points of interest are
* net_ads_join() uses same rpc mechanisms as net_rpc_join()
* Enable CLDAP queries for filling in the majority of the
ADS_STRUCT->config information
* Remove ldap_initialized() from sam/idmap_ad.c and
libads/ldap.c
* Remove some unnecessary fields from ADS_STRUCT
* Manually set the dNSHostName and servicePrincipalName attribute
using the machine account after the join
Thanks to Guenther and Simo for the review.
Still to do:
* Fix the userAccountControl for DES only systems
* Set the userPrincipalName in order to support things like
'kinit -k' (although we might be able to just use the sAMAccountName
instead)
* Re-add support for pre-creating the machine account in
a specific OU
(This used to be commit 4c4ea7b20f)
servers. Also add a new "net rpc audit" tool. The lsa query infolevels
were taken from samb4 IDL, the lsa policy flags and categories are
partly documented on msdn. I need to cleanup the double
lsa_query_info_policy{2}{_new} calls next.
Guenther
(This used to be commit 0fed66926f)
realloc can return NULL in one of two cases - (1) the realloc failed,
(2) realloc succeeded but the new size requested was zero, in which
case this is identical to a free() call.
The error paths dealing with these two cases should be different,
but mostly weren't. Secondly the standard idiom for dealing with
realloc when you know the new size is non-zero is the following :
tmp = realloc(p, size);
if (!tmp) {
SAFE_FREE(p);
return error;
} else {
p = tmp;
}
However, there were *many* *many* places in Samba where we were
using the old (broken) idiom of :
p = realloc(p, size)
if (!p) {
return error;
}
which will leak the memory pointed to by p on realloc fail.
This commit (hopefully) fixes all these cases by moving to
a standard idiom of :
p = SMB_REALLOC(p, size)
if (!p) {
return error;
}
Where if the realloc returns null due to the realloc failing
or size == 0 we *guarentee* that the storage pointed to by p
has been freed. This allows me to remove a lot of code that
was dealing with the standard (more verbose) method that required
a tmp pointer. This is almost always what you want. When a
realloc fails you never usually want the old memory, you
want to free it and get into your error processing asap.
For the 11 remaining cases where we really do need to keep the
old pointer I have invented the new macro SMB_REALLOC_KEEP_OLD_ON_ERROR,
which can be used as follows :
tmp = SMB_REALLOC_KEEP_OLD_ON_ERROR(p, size);
if (!tmp) {
SAFE_FREE(p);
return error;
} else {
p = tmp;
}
SMB_REALLOC_KEEP_OLD_ON_ERROR guarentees never to free the
pointer p, even on size == 0 or realloc fail. All this is
done by a hidden extra argument to Realloc(), BOOL free_old_on_error
which is set appropriately by the SMB_REALLOC and SMB_REALLOC_KEEP_OLD_ON_ERROR
macros (and their array counterparts).
It remains to be seen what this will do to our Coverity bug count :-).
Jeremy.
(This used to be commit 1d710d06a2)
* Fix a couple of related parsing issues.
* in the info3 reply in a samlogon, return the ACB-flags (instead of
returning zero)
Guenther
(This used to be commit 5b89e8bc24)
All 'usage' messages are still printed to stdout.
Fix some compiler warnings for system() calls where we didn't used the
return code. Add appropriate error messages and return with the error
code we got from system() or NT_STATUS_UNSUCCESSFUL.
(This used to be commit f650e3bdaf)
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d7)
that's my copyright...that's just how we have to do things at big blue.
Adds subcommand to vampire to allow data to be put into an ldif file instead
of actually writing to the passdb. See "net rpc help vampire" for usage
info. This should be added to docs as well.
(This used to be commit cb5634a305)
safe for using our headers and linking with C++ modules. Stops us
from using C++ reserved keywords in our code.
Jeremy
(This used to be commit 9506b8e145)
* Allow to copy share security descriptors to already existing shares
separatly.
* Added abstraction function to enum all or a single share info
Guenther
(This used to be commit 97097497ae)
much straither.
copy_top_level_perms() is jra's work.
I modified the copy_top_level_perms() function to use the copy_clistate.
And I don't forget trunk.
Lars
(This used to be commit 2c68568e52)
dir of a share. Till now we excluded '.' and '..' in general. For the
fix the information about top or lower level dir is stored in the
copy_clistate. src and dst share are now also part of this struct and
we only pass a pointer to the struct to the functions.
This bug was found by Bill Calero of Novell. Thanks Bill!
With this checkin no new functionality was added. But the copy_clistate
already knows about a mode. Later beside the migrate an additional
report mode will be added.
This changes are coordinated with Günther <gd>.
Lars
(This used to be commit 506aaefa37)
rpcclient-tester for some info-levels.
Jerry, I tried to adopt to prs_pointer() where possible and to not
interfere with your work for usrmgr.
- Add "net rpc trustdom vampire"-tool.
This allows to retrieve Interdomain Trust(ed)-Relationships from
NT4-Servers including cleartext-passwords (still stored in the local
secrets.tdb).
The net-hook was done in cooperation with Lars Mueller
<lmuelle@suse.de>.
To vampire trusted domains simply call:
net rpc trustdom vampire -S nt4dc -Uadmin%pass
Guenther
(This used to be commit 5125852939)
bit more effort.
The real fix for this would be to open an schannel netlogon connection to the
remote DC and change the trust account password...
Volker
(This used to be commit ab8991c384)
referencing unknown_6 from sam, because it's just fixed at 1260, the max
len of LOGON_HRS. Need to go in and mark it as "remove me" from passdb.
(This used to be commit ffac752875)
that says the user is in 0 groups, and we issue an RPC to LookupIds for 0 RIDs.
The printing that there are no groups the user is a member of might be overkill
in that it might upset existing scripts that don't expect that output.
(This used to be commit d3482e118f)
Also fix return of NT_STATUS_NO_MORE_ENTRIES should be
ERROR_NO_MORE_ITEMS reported by "Marcin Porwit" <mporwit@centeris.com>.
Jeremy.
(This used to be commit 511cdec60d)
supported pipe. Netlogon is still special, as we open that twice, one to do
the auth2, the other one with schannel.
The client interface is completely unchanged for those who only use a single
pie. cli->pipe_idx is used as the index for everything except the "real"
client rpc calls, which have been explicitly converted in my last commit. Next
step is to get winbind to just use a single smb connection for multiple pipes.
Volker
(This used to be commit dc294c52e0)
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f)
setprinter calls inside the net-tool.
This is usefull to mimic the same queries a windows-client does. At
least win2k returns WERR_IO_PENDING when printer is published via
setprinter, samba returns WERR_OK but this does not hurt.
Guenther
(This used to be commit 69b745fb98)
(usersidlist/allowedusers) to scan a file server's share and list all users
who have permission to connect there.
Volker
(This used to be commit f7f84aa1de)
'..' from all #include preprocessor commands. This fixes bugzilla #1880
where OpenVMS gets confused about the '.' characters.
(This used to be commit 7f161702fa)
local netbios-alias bound to non-loopback interface as a migration target.
It's now possible to migrate printers|shares|files from Server A to
Server B while running the net-command on client C.
Guenther
(This used to be commit 0cfd2866df)
It's now possible to migrate files preserving dos-attributes and correct
timestamps. Also added some small docu- and syntax-fixes.
Guenther
(This used to be commit 0e990582a0)
* add IA64 to the architecture table of printer-drivers
* add new "net"-subcommands:
net rpc printer migrate {drivers|printers|forms|security|settings|all}
[printer]
net rpc share migrate {shares|files|all} [share]
this is the first part of the migration suite. this will will (once
feature-complete) allow to do 1:1 server-cloning in the best possible way by
making heavy use of samba's rpc_client-functions. all migration-steps
are implemented as rpc/smb-client-calls; net communicates via rpc/smb
with two servers at the same time (a remote, source server and a
destination server that currently defaults to the local smbd). this
allows e. g. printer-driver migration including driverfiles, recursive
mirroring of file-shares including file-acls, etc. almost any migration
step can be called with a migrate-subcommand to provide more flexibility
during a migration process (at the cost of quite some redundancy :) ).
"net rpc printer migrate settings" is still in a bad condition (many
open questions that hopefully can be adressed soon).
"net rpc share migrate security" as an isolated call to just migrate
share-ACLs will be added later.
Before playing with it, make sure to use a test-server. Migration is a
serious business and this tool-set can perfectly overwrite your
existing file/print-shares.
* along with the migration functions had to make I the following
changes:
- implement setprinter level 3 client-side
- implement net_add_share level 502 client-side
- allow security descriptor to be set in setprinterdata level 2
serverside
guenther
(This used to be commit 8f1716a29b)
field with indiviual bits what to retrieve. Set this to 0xffff as NT4
usrmgr.exe does to get everything. I'm too lazy (sorry) to get this through to
rpc_parse/ etc.
Volker
(This used to be commit d7239c2611)
net rpc did not inform you if no smbd is running.
I never liked the error message (!) Success! when we established a trust.
Volker
(This used to be commit 4191a434d4)
group_info4 in set_dom_group_info also has the level in the record
itself. This seems not to be an align. Tested with NT4 usrmgr.exe. It can
still create a domain group on a samba machine.
Volker
(This used to be commit 76c75bb8a7)
to, despite any smb.conf settings.
Work to allow the same for 'net rpc vampire', but instead give a clear
error message on what is incorrect.
Andrew Bartlett
(This used to be commit 6b629344c5)
This adds the very simple 'admin set password' capability to 'net rpc',
much as we have it for 'net ads'.
Andrew Bartlett
(This used to be commit ced7fb5527)
As well as avoiding DOS charset issues, this scheme returns useful error
codes, that we can map back via the pam interface.
This patch also cleans up the interfaces used for password buffers, to
avoid duplication of code.
Andrew Bartlett
(This used to be commit 2a2b1f0c87)
initialized.
Also split out the oldstyle join into a new fn, allowing us to call it
with no failure message from net rpc join, but displaying a failure message
when used with net rpc oldjoin.
(This used to be commit 07d6ed4343)
domains, this patch ensures that we always use the ADS backend when
security=ADS, and the remote server is capable.
The routines used for this behaviour have been upgraded to modern Samba
codeing standards.
This is a change in behaviour for mixed mode domains, and if the trusted
domain cannot be reached with our current krb5.conf file, we will show
that domain as disconnected.
This is in line with existing behaviour for native mode domains, and for
our primary domain.
As a consequence of testing this patch, I found that our kerberos error
handling was well below par - we would often throw away useful error
values. These changes move more routines to ADS_STATUS to return
kerberos errors.
Also found when valgrinding the setup, fix a few memory leaks.
While sniffing the resultant connections, I noticed we would query our
list of trusted domains twice - so I have reworked some of the code to
avoid that.
Andrew Bartlett
(This used to be commit 7c34de8096)
his book.
This prompted me to look at the code that reads the unix group list. This
code did a lot of name -> uid -> name -> sid translations, which caused
problems. Instead, we now do just name->sid
I also cleaned up some interfaces, and client tools.
Andrew Bartlett
(This used to be commit f9e59f8bc0)
This means that we now support 'net rpc join' with KRB5 (des based)
logins. Now, you need to hack 'net' to do that, but the principal is
important...
When we add kerberos to 'net rpc', it should be possible to still do
user management and the like over RPC.
(server-side support to follow shortly)
Andrew Bartlett
(This used to be commit 9ecf9408d9)
winreg pipe if it doesn't work. Fixes bug #534.
I will go back and add the same logic for the shutdown itself, even though
that works so far against win2k (haven't tested all win clients).
(This used to be commit e660b04e8f)
*) consolidates the dc location routines again (dns
and netbios) get_dc_list() or get_sorted_dc_list()
is the authoritative means of locating DC's again.
(also inludes a flag to get_dc_list() to define
if this should be a DNS only lookup or not)
(however, if you set "name resolve order = hosts wins"
you could still get DNS queries for domain name IFF
ldap_domain2hostlist() fails. The answer? Fix your DNS
setup)
*) enabled DOMAIN<0x1c> lookups to be funneled through
resolve_hosts resulting in a call to ldap_domain2hostlist()
if lp_security() == SEC_ADS
*) enables name cache for winbind ADS backend
*) enable the negative connection cache for winbind
ADS backend
*) removes some old dead code
*) consolidates some duplicate code
*) moves the internal_name_resolve() to use an IP/port pair
to deal with SRV RR dns replies. The namecache code
also supports the IP:port syntax now as well.
*) removes 'ads server' and moves the functionality back
into 'password server' (which can support "hostname:port"
syntax now but works fine with defaults depending on
the value of lp_security())
(This used to be commit d7f7fcda42)
this world than 'status more entires'...
Also move all the cases to 'NT_STATUS_EQUAL()' to test it.
Andrew Bartlett
(This used to be commit b4645bf066)
Net.exe on windows won't allow more than 50 characters to be entered, but
through AD you can have much more than this.
(This used to be commit ca2886c938)
>When calling cli_samr_enum_{dom,als}_groups in a while loop, the
>terminating condition should be result != STATUS_MORE_ENTRIES, not
>result == NT_STATUS_OK otherwise we get stuck in an infinite loop
>when there's any sign of trouble.
(This used to be commit 4998a72cf8)
This allows us to join as a BDC, without appearing on the network as one
until we have the database replicated, and the admin changes the configuration.
This also change the SID retreval order from secrets.tdb, so we no longer
require a 'net rpc getsid' - the sid fetch during the domain join is sufficient.
Also minor fixes to 'net'.
Andrew Bartlett
(This used to be commit 876e00fd11)
from HEAD. I had to do this for him as he was *so* tired, the poor
chap, plus he has this bad leg, plus the dog ate his homework etc. etc.
Jeremy.
(This used to be commit 1e752b48a1)
