1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

283 Commits

Author SHA1 Message Date
Andrew Tridgell
0fd9807942 r17823: get rid of most of the samdb_base_dn() calls, as they are no longer
needed in searches
(This used to be commit a5ea749f0a)
2007-10-10 14:16:45 -05:00
Simo Sorce
a23b63a8e5 r17516: Change helper function names to make more clear what they are meant to do
(This used to be commit ad75cf8695)
2007-10-10 14:15:31 -05:00
Andrew Bartlett
f2e8b3202c r16827: Factor out some code into common samdb functions:
- creation of ForeignSecurityPrincipals
 - template duplication code

Rework much of the LSA server to pass the RPC-LSA test.  Much of the
server code was untested.  In implementing the LSA Accounts feature, I
have opted to have it only create entires when privilages are applied,
and not to delete entries, but to delete the privilages.

We skip some parts of the test, but it is much better than not testing
it at all.

Andrew Bartlett
(This used to be commit 10eeea6da4)
2007-10-10 14:09:48 -05:00
Andrew Bartlett
3c9281f014 r16794: Make Samba4 pass it's own RPC-SAMR test, at least in part. There are
still a couple of unimplemented functions, but this is far better than
not testing this at all.  In particular, this exercises the
password_hash module.

Specific changes:
 - Add support for SetDomainInfo
 - Add many more info levels to QueryDomainInfo
 - Set a domain comment in RPC-SAMR, and verify it is kept
 - Refactor QueryUserInfo not to always serach for all attributes
 - Add QueryDiplayInfo3 and QueryDomainInfo2 as aliased calls
 - Make OemChangePassword2 search under the samdb_base_dn(), so it
   finds the user when partitions are active.
 - Skip SetSecurity, DisplayIndex, MemberAttributesOfGroup and
  'Multiple' alias operations in RPC-SAMR for Samba4
 - Add RPC-SAMR as a 'slow' RPC test (it is quite slow)

Andrew Bartlett
(This used to be commit 01d25c9d6c)
2007-10-10 14:09:46 -05:00
Andrew Bartlett
fcce0991c2 r16773: Fix one more RPC-SAMR test (an alias level), and make it clear that
the unknown value in the samr_GroupInfo structures are the group
attributes.

Andrew Bartlett
(This used to be commit c50095efab)
2007-10-10 14:09:45 -05:00
Andrew Bartlett
937e394334 r16772: Clarify comment.
Andrew Bartlett
(This used to be commit fee0716143)
2007-10-10 14:09:45 -05:00
Andrew Bartlett
ad530af48d r16262: Another basedn fix.
Andrew Bartlett
(This used to be commit abf104a0d7)
2007-10-10 14:09:08 -05:00
Andrew Bartlett
7c3af0d06a r16236: Add a proper baseDN to a large number of queries. Searching the NULL
baseDN won't work once the partitions module is loaded.

Andrew Bartlett
(This used to be commit c4ab9e8a75)
2007-10-10 14:09:07 -05:00
Andrew Bartlett
5f44da36e7 r16166: Remove hexidecimal constants from the Samba4 provision files.
This change is required for compatibility with the OSX client, in
particular, but returning 0x80000002 rather than -2147483646 violates
what LDAP clients expect in general.

Andrew Bartlett
(This used to be commit 81f3cd1c45)
2007-10-10 14:09:03 -05:00
Jelmer Vernooij
e002300f23 r15328: Move some functions around, remove dependencies.
Remove some autogenerated headers (which had prototypes now autogenerated by pidl)
Remove ndr_security.h from a few places - it's no longer necessary
(This used to be commit c19c2b51d3)
2007-10-10 14:05:17 -05:00
Stefan Metzmacher
1af925f394 r14860: create libcli/security/security.h
metze
(This used to be commit 9ec706238c)
2007-10-10 13:59:44 -05:00
Jelmer Vernooij
84f07e56a4 r14570: Move some functions also they are also used from kpasswd
(This used to be commit 89dfb74894)
2007-10-10 13:58:48 -05:00
Jelmer Vernooij
8528016978 r14464: Don't include ndr_BASENAME.h files unless strictly required, instead
try to include just the BASENAME.h files (containing only structs)
(This used to be commit 3dd477ca51)
2007-10-10 13:57:27 -05:00
Stefan Metzmacher
568e77ed23 r14438: fix warnings
metze
(This used to be commit 83d2978da1)
2007-10-10 13:57:24 -05:00
Jelmer Vernooij
e3f2414cf9 r14380: Reduce the size of structs.h
(This used to be commit 1a16a6f1df)
2007-10-10 13:57:16 -05:00
Jelmer Vernooij
4ac2be9958 r13924: Split more prototypes out of include/proto.h + initial work on header
file dependencies
(This used to be commit 1228358767)
2007-10-10 13:52:24 -05:00
Andrew Bartlett
61fe79d022 r13910: Fix the 'your password has expired' on every login. We now consider
if the 'password does not expire' flag has been set, filling in the
PAC and netlogon reply correctly if so.

Andrew Bartlett
(This used to be commit c530ab5dc6)
2007-10-10 13:52:22 -05:00
Jelmer Vernooij
ba564a901e r13903: Don't generate prototypes for modules and binaries in include/proto.h by
default.
(This used to be commit c80a8f1102)
2007-10-10 13:52:21 -05:00
Andrew Bartlett
ff90c1c5c3 r12720: By metze's request, rename the ntPwdHistory attribute to
sambaNTPassword.  Likewise lmPwdHistory -> sambaLMPwdHistory.

The idea here is to avoid having conflicting formats when we get to
replication.  We know the base data matches, but we may need to use a
module to munge formats.

Andrew Bartlett
(This used to be commit 8e608dd4bf)
2007-10-10 13:49:45 -05:00
Andrew Bartlett
4bfe2907e7 r12719: Rename unicodePwd -> sambaPassword.
Because we don't know the syntax of unicodePwd, we want to avoid using
that attribute name.  It may cause problems later when we get
replication form windows.

I'm doing this before the tech preview, so we don't get too many
supprises as folks upgrade databases into later versions.

Andrew Bartlett
(This used to be commit 097d9d0b7f)
2007-10-10 13:49:45 -05:00
Andrew Bartlett
cc37197079 r12684: A better error code for SAMR transaction failures.
Andrew Bartlett
(This used to be commit 9c127f35ce)
2007-10-10 13:49:38 -05:00
Jelmer Vernooij
d4de4c2d21 r12608: Remove some unused #include lines.
(This used to be commit 70e7449318)
2007-10-10 13:49:03 -05:00
Andrew Bartlett
c82c9fe7bb r12599: This new LDB module (and associated changes) allows Samba4 to operate
using pre-calculated passwords for all kerberos key types.
(Previously we could only use these for the NT# type).

The module handles all of the hash/string2key tasks for all parts of
Samba, which was previously in the rpc_server/samr/samr_password.c
code.  We also update the msDS-KeyVersionNumber, and the password
history.  This new module can be called at provision time, which
ensures we start with a database that is consistent in this respect.

By ensuring that the krb5key attribute is the only one we need to
retrieve, this also simplifies the run-time KDC logic.  (Each value of
the multi-valued attribute is encoded as a 'Key' in ASN.1, using the
definition from Heimdal's HDB.  This simplfies the KDC code.).

It is hoped that this will speed up the KDC enough that it can again
operate under valgrind.
(This used to be commit e902274321)
2007-10-10 13:49:01 -05:00
Jelmer Vernooij
2cd5ca7d25 r12542: Move some more prototypes out to seperate headers
(This used to be commit 0aca5fd513)
2007-10-10 13:47:55 -05:00
Andrew Bartlett
9b67a07e62 r12507: This file has had my grubby paws all over it ;-)
Andrew Bartlett
(This used to be commit 865a2552e6)
2007-10-10 13:47:47 -05:00
Andrew Bartlett
40166d7ecb r12506: Fix up issues shown up by the expanded RPC-SAMR testsuite, and add ldb
transactions to the SAMR password change code.

Andrew Bartlett
(This used to be commit dc091c6c06)
2007-10-10 13:47:47 -05:00
Andrew Bartlett
9a3be162b8 r12504: Fix one more transaction cancel bail-out path, and correct comments.
Andrew Bartlett
(This used to be commit 07b885d0c7)
2007-10-10 13:47:46 -05:00
Andrew Bartlett
90535d31c6 r12503: This function was just too simple to leave unimplemented.
Andrew Bartlett
(This used to be commit 2eebd7b3cf)
2007-10-10 13:47:46 -05:00
Andrew Bartlett
6cb5cda53b r12432: Re-indent and consistantly cancel the transaction.
Andrew Bartlett
(This used to be commit 2c8b988eb8)
2007-10-10 13:47:38 -05:00
Andrew Bartlett
77f4910b57 r12427: Move SAMR CreateUser2 to transactions, and re-add support for
different computer account types.  (Earlier code changes removed the
BDC case).

We don't use the TemplateDomainController, so just have a
TemplateServer in provision_templates.ldif

Andrew Bartlett
(This used to be commit c4520ba2e6)
2007-10-10 13:47:37 -05:00
Andrew Bartlett
bceca72304 r12361: Add a new function: ldb_binary_encode_string()
This is for use on user-supplied arguments to printf style format
strings which will become ldb filters.  I have used it on LSA, SAMR
and the auth/ code so far.

Also add comments to cracknames code.

Andrew Bartlett
(This used to be commit 8308cf6e04)
2007-10-10 13:47:30 -05:00
Andrew Bartlett
d0375cfd43 r11438: Move enum samr_RejectReason into misc.idl so I can use it in a global
prototype.

Andrew Bartlett
(This used to be commit a3abffc758)
2007-10-10 13:45:37 -05:00
Andrew Bartlett
9f67256383 r11221: I don't quite know how I tested this before, but clearly I didn't.
The samdb_set_password_sid helper function now works.

Andrew Bartlett
(This used to be commit 629595f27c)
2007-10-10 13:45:04 -05:00
Andrew Bartlett
02c32587a8 r11195: Add a new helper function (needed by my kpasswdd work, but hooked in
for netlogon as well) to change/set a user's password, given only
their SID.

This avoids the callers doing the lookups, and also performs the
actual 'set', as these callers do not wish any further buisness with
the entry.

Andrew Bartlett
(This used to be commit 060a2a7bcc)
2007-10-10 13:44:59 -05:00
Andrew Tridgell
36d73b0e71 r10894: make the handling of dn/distinguishedName much closer to real
ldap. Also ensure we put a objectclass on our private ldb's, so they
have some chance of being stored in ldap if you want to
(This used to be commit 1af2cc067f)
2007-10-10 13:39:40 -05:00
Andrew Bartlett
1377cca5f4 r10810: This adds the hooks required to communicate the current user from the
authenticated session down into LDB.  This associates a session info
structure with the open LDB, allowing a future ldb_ntacl module to
allow/deny operations on that basis.

Along the way, I cleaned up a few things, and added new helper functions
to assist.  In particular the LSA pipe uses simpler queries for some of
the setup.

In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't
been worked on (other than making it continue to compile) since January,
and I think the features of this module are being put into ldb anyway.

I have also changed the partitions in ldap_server to be initialised
after the connection, with the private pointer used to associate the ldb
with the incoming session.

Andrew Bartlett
(This used to be commit fd7203789a)
2007-10-10 13:39:32 -05:00
Andrew Bartlett
9b905c9f27 r9930: Use a single samdb_base_dn() function rather than lots of silly
searches all over the place.

This can be extended to cover an NT4 (no ADS) mode in future as well.

Andrew Bartlett
(This used to be commit 0761b22f99)
2007-10-10 13:36:23 -05:00
Simo Sorce
61aaf82b62 r9654: introduce the samdb_search_dn call
(This used to be commit 333ebb40d5)
2007-10-10 13:34:38 -05:00
Simo Sorce
ac90ddfdb2 r9392: Fix ldb_dn_compose to make build farm happy
Add ldb_dn_string_compose so that you can build a dn starting from a
struct ldb_dn base and a set of parameters to be composed in a format
string with the same syntax of printf
(This used to be commit 31c69d0655)
2007-10-10 13:33:33 -05:00
Simo Sorce
3e4c4cff21 r9391: Convert all the code to use struct ldb_dn to ohandle ldap like distinguished names
Provide more functions to handle DNs in this form
(This used to be commit 692e35b779)
2007-10-10 13:33:32 -05:00
Andrew Bartlett
e0cc4f0f6d r9015: Fix access to BUILTIN again.
Andrew Bartlett
(This used to be commit 2beb694226)
2007-10-10 13:31:08 -05:00
Andrew Bartlett
e7d87f8538 r9011: Remove more references to "name" as a netbios name, using the
cross-reference instead.

Andrew Bartlett
(This used to be commit 0f7b1136f6)
2007-10-10 13:31:07 -05:00
Andrew Bartlett
cf54bfbabf r8983: The KVNO (Kerberos key version number) should be incremented with
every password set.

Andrew Bartlett
(This used to be commit 71958cb19f)
2007-10-10 13:31:03 -05:00
Andrew Bartlett
66b2a04346 r8790: Finish the migration of aliases and privilages with SamSync, by adding
templating support for foreignSecurityPrincipals to the samdb module.
This is an extension beyond what microsoft does, and has been very
useful :-)

The setup scripts have been modified to use the new template, as has
the SAMR and LSA code.

Other cleanups in LSA remove the assumption that the short domain name
is the first component of the realm.

Also add a lot of useful debug messages, to make it clear how/why the
SamSync may have gone wrong.  Many of these should perhaps be hooked
into an error string.

Andrew Bartlett
(This used to be commit 1f071b0609)
2007-10-10 13:30:05 -05:00
Andrew Bartlett
f3f9e09d6d r8670: Remove GUID code from SAMR, it is handled lower down now. I notice
this code also does string SIDs, but I'm not quite sure where that
fits in.

Andrew Bartlett
(This used to be commit 968bcc4fe8)
2007-10-10 13:29:52 -05:00
Andrew Tridgell
e835621799 r8520: fixed a pile of warnings from the build farm gcc -Wall output on
S390. This is an attempt to avoid the panic we're seeing in the
automatic builds.

The main fixes are:

 - assumptions that sizeof(size_t) == sizeof(int), mostly in printf formats

 - use of NULL format statements to perform dn searches.

 - assumption that sizeof() returns an int
(This used to be commit a58ea6b385)
2007-10-10 13:29:34 -05:00
Stefan Metzmacher
557c78e36d r8370: remove the '$' from in the cn: attribute for computer and dc accounts
metze
(This used to be commit 206f33778e)
2007-10-10 13:20:12 -05:00
Stefan Metzmacher
0b92507760 r8232: remove samr_String and netr_String as they are the same as lsa_String
metze
(This used to be commit e601042c07)
2007-10-10 13:19:22 -05:00
Andrew Bartlett
9a7481bcfe r7993: Further work on the Krb5 PAC.
We now generate the PAC, and can verifiy both our own PAC and the PAC
from Win2k3.

This commit adds the PAC generation code, spits out the code to get
the information we need from the NETLOGON server back into a auth/
helper function, and adds a number of glue functions.

In the process of building the PAC generation code, some hints in the
Microsoft PAC specification shed light on other parts of the code, and
the updates to samr.idl and netlogon.idl come from those hints.

Also in this commit:

The Heimdal build package has been split up, so as to only link the
KDC with smbd, not the client utils.

To enable the PAC to be veified with gensec_krb5 (which isn't quite
dead yet), the keyblock has been passed back to the calling layer.

Andrew Bartlett
(This used to be commit e2015671c2)
2007-10-10 13:18:57 -05:00
Andrew Tridgell
bdee131f30 r7860: switch our ldb storage format to use a NDR encoded objectSid. This is
quite a large change as we had lots of code that assumed that
objectSid was a string in S- format.

metze and simo tried to convince me to use NDR format months ago, but
I didn't listen, so its fair that I have the pain of fixing all the
code now :-)

This builds on the ldb_register_samba_handlers() and ldif handlers
code I did earlier this week. There are still three parts of this
conversion I have not finished:

 - the ltdb index records need to use the string form of the objectSid
   (to keep the DNs sane). Until that it done I have disabled indexing on
   objectSid, which is a big performance hit, but allows us to pass
   all our tests while I rejig the indexing system to use a externally
   supplied conversion function

 - I haven't yet put in place the code that allows client to use the
   "S-xxx-yyy" form for objectSid in ldap search expressions. w2k3
   supports this, presumably by looking for the "S-" prefix to
   determine what type of objectSid form is being used by the client. I
   have been working on ways to handle this, but am not happy with
   them yet so they aren't part of this patch

 - I need to change pidl to generate push functions that take a
   "const void *" instead of a "void*" for the data pointer. That will
   fix the couple of new warnings this code generates.

Luckily it many places the conversion to NDR formatted records
actually simplified the code, as it means we no longer need as many
calls to dom_sid_parse_talloc(). In some places it got more complex,
but not many.
(This used to be commit d40bc2fa8d)
2007-10-10 13:18:44 -05:00
Andrew Bartlett
3e73885ba4 r7756: Don't segfault by trying to search for the NULL DN, if the wrong
password was entered.  We would not use the results of the search in
any case.

Andrew Bartlett
(This used to be commit edeb908aca)
2007-10-10 13:18:31 -05:00
Simo Sorce
9189833a87 r7582: Better way to have a fast path searching for a specific DN.
Old way was ugly and had a bug, you couldn't add an attribute named
dn or distinguishedName and search for it, tdb would change that search in a dn search.
This makes it also possible to search by dn against an ldap server as the old method was
not supported by ldap syntaxes.

sss
(This used to be commit a614466dec)
2007-10-10 13:18:11 -05:00
Andrew Tridgell
694488d29c r7507: fixed the problem with users being shown too many times in acl
editors, and added a test for it.
(This used to be commit 9e428881f6)
2007-10-10 13:18:02 -05:00
Andrew Bartlett
bb6e2059ee r6544: Use common structures between SAMR, NETLGON and the Krb5 PAC.
Fill out the group list for the SamLogon reply, so clients get the
supplementary groups.

Andrew Bartlett
(This used to be commit d9c31e60a7)
2007-10-10 13:16:24 -05:00
Simo Sorce
fe4d985b6f r6470: Remove ldb_search_free() it is not needed anymore.
Just use talloc_free() to release the memory after an ldb_search().
(This used to be commit 4f0948dab0)
2007-10-10 13:11:40 -05:00
Tim Potter
6bb0231229 r6325: Rename aliasname -> alias_name in CreateDomAlias function.
(This used to be commit 63dfa9b806)
2007-10-10 13:11:32 -05:00
Simo Sorce
5487ee5e9c r6084: - Introduce the samldb module dependency on samba4
- This module will take care of properly filling an user or group object
  with required fields. You just need to provide the dn and the objectclass
  and a user/group get created

  Simo.
(This used to be commit fb9afcaf53)
2007-10-10 13:11:18 -05:00
Andrew Bartlett
79f6bcd5ae r5988: Fix the -P option (use machine account credentials) to use the Samba4
secrets system, and not the old system from Samba3.

This allowed the code from auth_domain to be shared - we now only
lookup the secrets.ldb in lib/credentials.c.

In order to link the resultant binary, samdb_search() has been moved
from deep inside rpc_server into lib/gendb.c, along with the existing
gendb_search_v().  The vast majority of this patch is the simple
rename that followed,

(Depending on the whole SAMDB for just this function seemed pointless,
and brought in futher dependencies, such as smbencrypt.c).

Andrew Bartlett
(This used to be commit e13c671619)
2007-10-10 13:11:12 -05:00
Andrew Bartlett
5aa2646be8 r5879: Rename SAMR_FIELD_WORKSTATION to SAMR_FIELD_WORKSTATIONS - it is a list.
Andrew Bartlett
(This used to be commit 7822101cb5)
2007-10-10 13:11:06 -05:00
Andrew Bartlett
d830fcd7d1 r5783: Test renaming of accounts in the RPC-SAMR test, and add support into
the SAMR server.

Andrew Bartlett
(This used to be commit fd748f9d2f)
2007-10-10 13:11:03 -05:00
Jelmer Vernooij
c52fb55903 r5437: Allow Samba4 to be compiled by tcc (www.tinycc.org). It still crashes when linking though.
(This used to be commit 2e1e8db6dc)
2007-10-10 13:10:45 -05:00
Tim Potter
abc28d66e9 r5364: Rename string fields called 'domain' and 'name' to be 'domain_name'.
(This used to be commit 6749b9404d)
2007-10-10 13:09:46 -05:00
Andrew Tridgell
a0e6f6c05b r5309: removed ads.h from includes.h
(This used to be commit 196c45b834)
2007-10-10 13:09:40 -05:00
Andrew Tridgell
e82aad1ce3 r5298: - got rid of pstring.h from includes.h. This at least makes it a bit
less likely that anyone will use pstring for new code

 - got rid of winbind_client.h from includes.h. This one triggered a
   huge change, as winbind_client.h was including system/filesys.h and
   defining the old uint32 and uint16 types, as well as its own
   pstring and fstring.
(This used to be commit 9db6c79e90)
2007-10-10 13:09:38 -05:00
Andrew Tridgell
465e089dd3 r5080: patch from ronnie to make our samr IDL a little more consistent
(This used to be commit 7607ddda3f)
2007-10-10 13:09:20 -05:00
Andrew Tridgell
759da3b915 r5037: got rid of all of the TALLOC_DEPRECATED stuff. My apologies for the
large commit. I thought this was worthwhile to get done for
consistency.
(This used to be commit ec32b22ed5)
2007-10-10 13:09:15 -05:00
Andrew Tridgell
737a000d2c r4745: remove the distinguishedName attribute adds from samr. See the
discussion on samba-technical about this.
(This used to be commit e9dff03f79)
2007-10-10 13:08:49 -05:00
Stefan Metzmacher
c0b55c0e3b r4715: alwys add the distinguishedName attribute
the w2k3 dc join needs that

metze
(This used to be commit 29bc75ba28)
2007-10-10 13:08:47 -05:00
Stefan Metzmacher
9178e7b8bf r4707: w2k3 don't restict passwords on
netr_ServerPasswordSet and netr_ServerPasswordSet2

so we do now

I also add a torture test for this

metze
(This used to be commit d896ac603a)
2007-10-10 13:08:46 -05:00
Andrew Bartlett
e54964c618 r4703: Add support for EnumTrustDomain, and expand the testsuite.
Add my copyright to the SAMR server.

Andrew Bartlett
(This used to be commit 51e94fa26c)
2007-10-10 13:08:45 -05:00
Andrew Bartlett
c0571f6234 r4698: - Initial implementation of trusted domains in LSA.
- Use templates for Secrets and the new trusted domains

 - Auto-add modifiedTime, createdTime and objectGUID to records in the
   samdb layer.

Andrew Bartlett
(This used to be commit 271c8faadf)
2007-10-10 13:08:44 -05:00
Andrew Bartlett
fdebf9dd4c r4680: Make more efficient use of memory in SAMR:
Avoid a strdup, use a talloc_reference
 Use the shortest term memory context possible

Andrew Bartlett
(This used to be commit 5569db0f94)
2007-10-10 13:08:42 -05:00
Stefan Metzmacher
fd4831f1f0 r4650: - make more use of bitmap and enum's
- move some structs out of misc.idl

metze
(This used to be commit b6543a6e30)
2007-10-10 13:08:39 -05:00
Andrew Tridgell
577218b2ad r4640: first stage in the server side support for multiple context_ids on one pipe
this stage does the following:

 - simplifies the dcerpc_handle handling, and all the callers of it

 - split out the context_id depenent state into a linked list of established contexts

 - fixed some talloc handling in several rpc servers that i noticed while doing the above
(This used to be commit fde042b3fc)
2007-10-10 13:08:38 -05:00
Andrew Tridgell
4db9496bb4 r4490: when implementing one rpc server call in terms of another call, you
must zero r.out before making the 2nd call if the 2nd call has any
non-ref out parameters. This is needed for the case where the 2nd call
fails, and the 1st call would then fill in its out fields based on
uninitialised memory.
(This used to be commit 202470326d)
2007-10-10 13:08:12 -05:00
Andrew Tridgell
54c63eb7e4 r4487: fixed the use of ldb_msg_add_*() in the samr password backend
(This used to be commit d79cc8b901)
2007-10-10 13:08:11 -05:00
Andrew Tridgell
500d5523d2 r4475: fixed smbd to work with the small changes in the ldb API (the most important
change was in the ldb_msg_add_*() routines, which now use the msg as a context,
and thus it needs to be a talloc ptr)
(This used to be commit 1a4713bfd0)
2007-10-10 13:07:55 -05:00
Volker Lendecke
6372b4e4a4 r4417: Reply to samr_QueryDomainInfo with the same static value as level2 does.
Volker
(This used to be commit 04cf580ef3)
2007-10-10 13:07:46 -05:00
Volker Lendecke
6aaefee85f r4415: Implement samr_RemoveMemberFromForeignDomain. This is needed to delete a user
with usrmgr.exe.

To fix: Remove domain group membership attrib values when a user is deleted.

Volker
(This used to be commit 83d180c732)
2007-10-10 13:07:46 -05:00
Volker Lendecke
8da7a60557 r4414: Various bits&pieces:
* Implement samr_search_domain, filter out all elements with no "objectSid"
  attribute and all objects outside a specified domain sid.

* Minor cleanups in dcerpc_samr.c due to that.

* Implement srvsvc_NetSrvGetInfo level 100. A quick hack to get usrmgr.exe
  one step further.

* Same for samr_info_DomInfo1.

Volker
(This used to be commit cdec896113)
2007-10-10 13:07:46 -05:00
Volker Lendecke
b386af06d0 r4399: Implement samr_GetAliasMembership and samr_GetGroupsForUser. With these two,
usrmgr.exe seems to become usable. Some quirks, but it's worth a try.

Volker
(This used to be commit 9c62a239cd)
2007-10-10 13:07:43 -05:00
Volker Lendecke
4fd56d5d1a r4393: Trivial bugfix for a silly bug
(This used to be commit ae3c329e9d)
2007-10-10 13:07:42 -05:00
Volker Lendecke
03a914931e r4381: Add my copyright
(This used to be commit 9e27a83ac3)
2007-10-10 13:07:40 -05:00
Volker Lendecke
a7a1fada8d r4380: Implement samr_QueryDisplayInfo. This probably needs some polishing (Do we
have to sort the entries?)

Volker
(This used to be commit 26d21bb5cc)
2007-10-10 13:07:40 -05:00
Volker Lendecke
e08d8505d2 r4378: Implement samr_EnumDomainGroups and samr_EnumDomainAliases.
Hmmm. How do I tell ldb not to descend into cn=Builtin?

Volker
(This used to be commit c95d20cd7c)
2007-10-10 13:07:40 -05:00
Volker Lendecke
e14a5a9167 r4376: Implement samr_AddAliasMember, samr_DeleteAliasMember and
samr_GetMembersInAlias.

Volker
(This used to be commit 78802720ae)
2007-10-10 13:07:40 -05:00
Volker Lendecke
2333ea56f3 r4375: Implement samr_OpenAlias, samr_QueryAliasInfo and samr_SetAliasInfo. Fix IDL
for samr_SetAliasInfo.

Volker
(This used to be commit d70e237190)
2007-10-10 13:07:39 -05:00
Volker Lendecke
296c0d8eac r4374: Follow metzes hint, change LookupRids a bit
(This used to be commit b8fa5b9419)
2007-10-10 13:07:39 -05:00
Volker Lendecke
f0d3e9de7e r4372: Implement samr_LookupRids
(This used to be commit 1bab3254f6)
2007-10-10 13:07:39 -05:00
Volker Lendecke
77529ae792 r4367: Implement samr_AddGroupMember, samr_DeleteGroupMember and
samr_QueryGroupMember.

Volker
(This used to be commit 43581c3711)
2007-10-10 13:07:39 -05:00
Volker Lendecke
e4b8399af6 r4344: Unify memory handling in dcerpc_samr.c a bit
(This used to be commit 79ec28ade8)
2007-10-10 13:07:36 -05:00
Volker Lendecke
61b1620fc4 r4335: Fix some potential memleaks, implement CreateDomAlias. Hmmmm. Isn't there
enough stuff to do in 3_0??? ;-)

Volker
(This used to be commit c0fa7a92d9)
2007-10-10 13:07:35 -05:00
Volker Lendecke
7f773c9ae8 r4332: Fix a potential memleak.
Volker
(This used to be commit 8f2b9c9d32)
2007-10-10 13:07:35 -05:00
Stefan Metzmacher
33cbe33678 r4320: fix locations of new trusting domains and domsin controller
computer accounts

metze
(This used to be commit f75c2004a0)
2007-10-10 13:07:34 -05:00
Stefan Metzmacher
8d0c3eefbc r4096: move the samdb code to source/dsdb/
the idea is to have a directory service db layer
which will be used by the ldap server, samr server, drsuapi server
authentification...

I plan to make different implementations of this interface possible
- current default will be the current samdb code with sam.ldb
- a compat implementation for samba3 (if someone wants to write one)
- a new dsdb implementation which:
  - understands naming contexts (directory parrtitions)
  - do schema and acl checking checking
  - maintain objectGUID, timestamps and USN number,
    maybe linked attributes ('member' and 'memberOf' attributes)
  - store metadata on a attribute=value combination...

metze
(This used to be commit 893a8b8bca)
2007-10-10 13:06:26 -05:00
Andrew Tridgell
990acc9f77 r3977: fixed the lmPwdHash change in the rpc server (we were not fetching the
lm hash from the samdb, and thus not checking the verifier)

fixed the client side to calculate the lm verifier based on the nt
hash, not the lm hash (confirmed using w2k3)
(This used to be commit 27e7fb3baf)
2007-10-10 13:06:10 -05:00
Andrew Tridgell
a99bf33294 r3953: the lm verifier key in passwoed ChangePasswordUser3 is based on the nt
hash, not the lm hash
(This used to be commit 8d4f0dc7d0)
2007-10-10 13:06:07 -05:00
Andrew Tridgell
cf91ad8122 r3952: added validation of the lm and nt verifiers to our server side password change code.
(This used to be commit f70e8f02d6)
2007-10-10 13:06:07 -05:00
Andrew Bartlett
5d35fe6f71 r3885: Add security descriptor comparison to our RPC-SAMSYNC test. We now
verify that the security descriptor found in the SamSync is the same
as what is available over SAMR.

Unfortunately, the administrator seems unable to retrieve the SACL on
the security descriptor, so I've added a new function to compare with
a mask.

Andrew Bartlett
(This used to be commit 39ae5e1dac)
2007-10-10 13:06:01 -05:00
Stefan Metzmacher
856ee66537 r3810: create a LIB_SECURITY subsystem
- move dom_sid, security_descriptor, security_* funtions to one place
  and rename some of them

metze
(This used to be commit b620bdd672)
2007-10-10 13:05:56 -05:00
Andrew Bartlett
5ad5c6cc70 r3807: Cross-check the basic attributes for groups and aliases in RPC-SAMSYNC.
Andrew Bartlett
(This used to be commit 90398fda41)
2007-10-10 13:05:56 -05:00
Andrew Bartlett
9aec081fd9 r3804: Add more comparison tests in RPC-SAMSYNC.
This compares values for the domain and for secrets.  We still have
some problems we need to sort out for secrets.

Also rename a number of structures in samr.idl and netlogon.idl, to
better express their consistancy.

Andrew Bartlett
(This used to be commit 3f52fa3a42)
2007-10-10 13:05:55 -05:00
Stefan Metzmacher
fa8f1c1ffe r3788: give new accounts and groups a objectGUID
metze
(This used to be commit 4839ea156f)
2007-10-10 13:05:53 -05:00
Stefan Metzmacher
8a18778286 r3783: - don't use make proto for ldb anymore
- split ldh.h out of samba's includes.h

- make ldb_context and ldb_module private to the subsystem

- use ltdb_ prefix for all ldb_tdb functions

metze
(This used to be commit f5ee40d6ce)
2007-10-10 13:05:52 -05:00
Andrew Bartlett
50916c8f2f r3724: Rename a number of structures, for better consistance between SAMR and
NETLOGON.

In particular, rename samr_Name to samr_String - given that many
strings in this pipe are not 'names', the previous was just confusing.
(I look forward to PIDL turning these into simple char * some day...).

Also export out a few changes from testjoin.c to allow for how I have
written the new RPC-SAMSYNC test.

Andrew Bartlett
(This used to be commit 9cd666bcfb)
2007-10-10 13:05:47 -05:00
Andrew Tridgell
c051779a0a r3468: split out dcerpc_server.h
(This used to be commit 729e0026e4)
2007-10-10 13:05:17 -05:00
Andrew Tridgell
a1d0b97ed4 r3462: separate out the crypto includes
(This used to be commit 3f75117db9)
2007-10-10 13:05:16 -05:00
Andrew Tridgell
edbfc0f6e7 r3453: - split out the auth and popt includes
- tidied up some of the system includes

- moved a few more structures back from misc.idl to netlogon.idl and samr.idl now that pidl
  knows about inter-IDL dependencies
(This used to be commit 7b7477ac42)
2007-10-10 13:05:13 -05:00
Andrew Tridgell
ead3508ac8 r3447: more include/system/XXX.h include files
(This used to be commit 264ce91810)
2007-10-10 13:05:12 -05:00
Andrew Tridgell
90067934cd r3428: switched to using minimal includes for the auto-generated RPC code.
The thing that finally convinced me that minimal includes was worth
pursuing for rpc was a compiler (tcc) that failed to build Samba due
to reaching internal limits of the size of include files. Also the
fact that includes.h.gch was 16MB, which really seems excessive. This
patch brings it back to 12M, which is still too large, but
better. Note that this patch speeds up compile times for both the pch
and non-pch case.

This change also includes the addition iof a "depends()" option in our
IDL files, allowing you to specify that one IDL file depends on
another. This capability was needed for the auto-includes generation.
(This used to be commit b8f5fa8ac8)
2007-10-10 13:05:09 -05:00
Andrew Tridgell
475c958450 r3425: got rid of a bunch of cruft from rewrite.h
(This used to be commit 3f902f8d85)
2007-10-10 13:05:08 -05:00
Andrew Bartlett
8050be6ea3 r3080: Make the Samba4 SAMR server pass the new, nasty torture test (now that
SAMR_FIELD_PASSWORD has been split up).

Andrew Bartlett
(This used to be commit 5f2295a5fb)
2007-10-10 13:01:57 -05:00
Andrew Bartlett
7afe85725f r3077: Add initial handling of Account Flags in SAMR user info level 21 and 25.
Andrew Bartlett
(This used to be commit 51774a9bca)
2007-10-10 13:01:56 -05:00
Andrew Tridgell
12ea0fd34c r3005: added talloc wrappers around tdb_open() and ldb_connect(), so that the
caller doesn't have to worry about the constraint of only opening a
database a single time in a process. These wrappers will ensure that
only a single open is done, and will auto-close when the last instance
is gone.

When you are finished with a database pointer, use talloc_free() to
close it.

note that this code does not take account of the threads process
model, and does not yet take account of symlinks or hard links to tdb
files.
(This used to be commit 04e1171996)
2007-10-10 12:59:56 -05:00
Andrew Tridgell
1429ed54f1 r2792: got rid of talloc_ldb_alloc() and instead created talloc_realloc_fn(),
so talloc now doesn't contain any ldb specific functions.

allow NULL to be passed to a couple more talloc() functions
(This used to be commit 1246f80d80)
2007-10-10 12:59:34 -05:00
Andrew Tridgell
c567d64d66 r2734: the samdb_destructor can be static
(This used to be commit feb63e74f9)
2007-10-10 12:59:27 -05:00
Andrew Tridgell
aa12305945 r2680: switched the libcli/raw/ code over to use talloc_reference(), which simplifies things quite a bit
(This used to be commit c82a9cf750)
2007-10-10 12:59:21 -05:00
Andrew Tridgell
61a7dfc237 r2675: added a convenience function
void *talloc_reference(const void *context, const void *ptr);

this function makes a secondary reference to ptr, and hangs it off the
given context. This greatly simplifies some of the current reference
counting code in the samr server and I suspect it will be widely used
in other places too.

the way you use it is like this:

	domain_state->connect_state = talloc_reference(domain_state, connect_state);

that makes the element connect_state of domain_state a secondary
reference to connect_state. The connect_state structure will then only
be freed when both domain_state and the original connect_state go
away, allowing you to free them independently and in any order.

you could do this alrady using a talloc destructor, and that is what
the samr server did previously, but that meant this construct was
being reinvented in several places. So this convenience function sets
up the destructor for you, giving a much more convenient and less
error prone API.
(This used to be commit dc53150861)
2007-10-10 12:59:20 -05:00
Andrew Tridgell
f095a8e748 r2670: use a destructor to auto-close the samr ldb when the last user
disconnects. Previously the ldb was always kept open.
(This used to be commit d78eea9eb8)
2007-10-10 12:59:20 -05:00
Andrew Tridgell
223e78990a r2628: got rid of some warnings and converted a few more places to use hierarchical memory allocation
(This used to be commit 26da45a801)
2007-10-10 12:59:14 -05:00
Andrew Tridgell
1954070a7e r2592: this fixes one of the security memory leaks in the server
(This used to be commit efb2b88edd)
2007-10-10 12:59:10 -05:00
Andrew Bartlett
814cd2bc3f r2537: Add static and use strlen_m instead of str_charnum().
Andrew Bartlett
(This used to be commit f3bf57ca6b)
2007-10-10 12:59:04 -05:00
Tim Potter
0e71bf8148 r2458: Rename policy handle parameters for the SAMR pipe. Parameters now
have the handle type implied by the parameter name.  There are four
types of handle: connect, domain, user and group handles.  The
various samr_Connect functions return a connect handle, and the
samr_OpenFoo functions return a foo handle.

There is one exception - the samr_{Get,Set}Security function can
take any type of handle.

Fix up all C callers.
(This used to be commit 32f0f3154a)
2007-10-10 12:58:55 -05:00
Andrew Bartlett
15a96c4298 r2290: Fix 'lsakey' for the server-side, it is static for
'authenticated' connections.

Fix kerberos session key issues - we need to call the
routine for extracting the session key, not just read the cache.

Andrew Bartlett
(This used to be commit b80d849b6b)
2007-10-10 12:58:40 -05:00
Andrew Bartlett
d987a32c8c r2282: Remove one more magic constant from the source, replace with sizeof().
Andrew Bartlett
(This used to be commit a089bcf503)
2007-10-10 12:58:39 -05:00
Andrew Tridgell
fa419c9255 r2280: fixed the session key choice for ncacn_np and ncacn_ip_tcp in the rpc server
(This used to be commit 3b4ed24f4b)
2007-10-10 12:58:38 -05:00
Tim Potter
8293df91bc r2247: talloc_destroy -> talloc_free
(This used to be commit 6c1a72c5d6)
2007-10-10 12:58:34 -05:00
Stefan Metzmacher
275efb936f r2059: abartlet: is there a better way to fix this compiler warning
(the same problem as in -r 2056)

metze
(This used to be commit 98e4b23d45)
2007-10-10 12:58:22 -05:00
Andrew Bartlett
5e869b4eab r2055: Add PRINTF_ATTRIBUTE to many more parts of the code, and a new
--enable-developer warning for when they are missing.

Andrew Bartlett
(This used to be commit 8115e44d47)
2007-10-10 12:58:21 -05:00
Andrew Tridgell
ede02ee038 r2051: switched the samdb over to using the new destructor and reference
count features of talloc, instead of re-implementing both those
features inside of samdb (which is what we did before).

This makes samdb considerably simpler, and also fixes some bugs, as I
found some error paths that didn't call samdb_close(). Those are now
handled by the fact that a talloc_free() will auto-close and destroy
the samdb context, using a destructor.
(This used to be commit da60987a92)
2007-10-10 12:58:21 -05:00
Andrew Tridgell
b83ba93eae r1983: a completely new implementation of talloc
This version does the following:

  1) talloc_free(), talloc_realloc() and talloc_steal() lose their
     (redundent) first arguments

  2) you can use _any_ talloc pointer as a talloc context to allocate
     more memory. This allows you to create complex data structures
     where the top level structure is the logical parent of the next
     level down, and those are the parents of the level below
     that. Then destroy either the lot with a single talloc_free() or
     destroy any sub-part with a talloc_free() of that part

  3) you can name any pointer. Use talloc_named() which is just like
     talloc() but takes the printf style name argument as well as the
     parent context and the size.

The whole thing ends up being a very simple piece of code, although
some of the pointer walking gets hairy.

So far, I'm just using the new talloc() like the old one. The next
step is to actually take advantage of the new interface
properly. Expect some new commits soon that simplify some common
coding styles in samba4 by using the new talloc().
(This used to be commit e35bb094c5)
2007-10-10 12:58:14 -05:00
Stefan Metzmacher
b82881591c r1335: NT_STATUS_INTERNAL_DB_CORRUPTION
should cause DEBUG(0,(...));

metze
(This used to be commit 80851e6778)
2007-10-10 12:56:50 -05:00
Andrew Bartlett
dc9f55dbec r1294: A nice, large, commit...
This implements gensec for Samba's server side, and brings gensec up
to the standards of a full subsystem.

This means that use of the subsystem is by gensec_* functions, not
function pointers in structures (this is internal).  This causes
changes in all the existing gensec users.

Our RPC server no longer contains it's own generalised security
scheme, and now calls gensec directly.

Gensec has also taken over the role of auth/auth_ntlmssp.c

An important part of gensec, is the output of the 'session_info'
struct.  This is now reference counted, so that we can correctly free
it when a pipe is closed, no matter if it was inherited, or created by
per-pipe authentication.

The schannel code is reworked, to be in the same file for client and
server.

ntlm_auth is reworked to use gensec.

The major problem with this code is the way it relies on subsystem
auto-initialisation.  The primary reason for this commit now.is to
allow these problems to be looked at, and fixed.

There are problems with the new code:
- I've tested it with smbtorture, but currently don't have VMware and
  valgrind working (this I'll fix soon).
- The SPNEGO code is client-only at this point.
- We still do not do kerberos.

Andrew Bartlett
(This used to be commit 07fd885fd4)
2007-10-10 12:56:49 -05:00
Tim Potter
d2ac885df0 r1270: Start to break samdb into general bits so we can share code with other
similar dbs.
(This used to be commit 1162e2fcff)
2007-10-10 12:56:47 -05:00
Tim Potter
37fcf22364 r1268: varient -> variant
(This used to be commit de5984c956)
2007-10-10 12:56:46 -05:00
Stefan Metzmacher
db8c78c497 r1235: as the pidl code init all output data.
we should do it manualy too.

metze
(This used to be commit d3b80fd40a)
2007-10-10 12:56:46 -05:00
Stefan Metzmacher
b717b40235 r1078: the dxesrv_crypto_* implementations should now explicit set
the dce_conn->auth_state.session_info
( the ntlmssp one works fine, but the schannel one isn't implemented yet)

this is also set by the ntvfs_ipc backend on the endpoint connect.

metze
(This used to be commit ad3dd1789e)
2007-10-10 12:56:37 -05:00
Andrew Tridgell
bd40d94a05 r1060: check for an invalid session key in samr_set_password()
(This used to be commit 5a90187c2c)
2007-10-10 12:56:35 -05:00
Andrew Bartlett
c455b0a935 r1028: More consistancy fixes, which should also fix the build.
Andrew Bartlett
(This used to be commit 0d2ae66d3a)
2007-10-10 12:56:30 -05:00
Andrew Bartlett
5b04ca8080 r1025: Rename (across the samr and netlogon pipes, so far)
pwd -> password
passwd -> password

username -> account_name

Also work on consistant structure feild names between these two pipes,
and fix up some callers to use samr_Password for the netlogon
credential code.

Andrew Bartlett
(This used to be commit 4e35418c27)
2007-10-10 12:56:30 -05:00
Andrew Tridgell
1a993b800e r1016: - store the schannel session key after it is established
- move to a centralised way of handling talloc/ldb interaction
(This used to be commit 2b9b752875)
2007-10-10 12:56:27 -05:00
Stefan Metzmacher
0413849c3b r1013: WE NEED ALWAYS TO INIT THE OUTPUT VARS!
in rpc server code!

add missing ZERO_STRUCT(r->out.info);
in samr_GetDomPwInfo

metze
(This used to be commit e21f8a3430)
2007-10-10 12:56:26 -05:00
Andrew Bartlett
9eb6afb00d r1009: Make all users of NT and LM passwords use the samr_Password structure.
This includes the netlogon pipe, for the machine account password
change system.

Andrew Bartlett
(This used to be commit 49d545a820)
2007-10-10 12:56:26 -05:00
Andrew Tridgell
8087d844ef r995: - renamed many of our crypto routines to use the industry standard
names rather than our crazy naming scheme. So DES is now called
  des_crypt() rather than smbhash()

- added the code from the solution of the ADS crypto challenge that
  allows Samba to correctly handle a 128 bit session key in all of the
  netr_ServerAuthenticateX() varients. A huge thanks to Luke Howard
  from PADL for solving this one!

- restructured the server side rpc authentication to allow for other
  than NTLMSSP sign and seal. This commit just adds the structure, the
  next commit will add schannel server side support.

- added 128 bit session key support to our client side code, and
  testing against w2k3 with smbtorture. Works well.
(This used to be commit 729b2f41c9)
2007-10-10 12:56:25 -05:00
Andrew Tridgell
d9538e7412 r937: - added a simple QuerySecurity implementation in samr server
- moved some sec desc defines into misc.idl

 - fixed pw_len field in UserInfo26

 - made some pipes available on TCP

 - added netr_DsrEnumerateDomainTrusts() to netlogon

 - added templates for remaining netlogon IDL calls (from ethereal)

 - added a unistr_noterm vs unistr error detector in ndr basic decoder

 - added torture test for netr_DsrEnumerateDomainTrusts()
(This used to be commit ae5a5113fb)
2007-10-10 12:56:20 -05:00
Andrew Tridgell
7f3d4cc980 r919: - added lsa_QueryInfoPolicy2() to IDL, test suite and server
- added lsa_OpenPolicy2() to server

- added guid handling in samdb

- added a couple more info policy levels in lsa server

- added some DNS info in the provisioning template and script

With the above changes WinXP professional can join a Samba4 domain
(This used to be commit d6dca96352)
2007-10-10 12:56:20 -05:00
Andrew Tridgell
db3c011977 r917: - added the start of a LSA server to samba4.
- added start of QueryDomainInfo in samr server

"net rpc info" from samba3 now works against a samba4 server. I
suspect join will work fairly soon.
(This used to be commit 0a2c6a1062)
2007-10-10 12:56:19 -05:00
Andrew Tridgell
39a236883e r904: - fixed account expiry testing in auth_sam
- added printf style format attribute checking to samdb varargs fns

- fix nt_time_to_unix() for zero and -1 times
(This used to be commit 41f9b144f9)
2007-10-10 12:56:19 -05:00
Andrew Tridgell
0eb7588cc4 r903: used samdb_result_passwords() in samr_ChangePasswordUser2() and fix the error handling on a bad change.
With this change WinXP can now successfully change the password on a
Samba4 server via SAMR. After the change you can't login because the
handling of much_change_time seems to be broken in the auth code, but
that should be easy to fix.
(This used to be commit 8feeecf303)
2007-10-10 12:56:19 -05:00
Andrew Tridgell
d66c2b477d r901: w2k3 completely ignores the domain name argument to GetDomPwInfo,
always returning the info for the primary domain. I noticed this
because WinXP sends the wrong information in this field (it sends
\\server_name) and gets away with it
(This used to be commit e128bcca56)
2007-10-10 12:56:19 -05:00