1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

266 Commits

Author SHA1 Message Date
Andrew Bartlett
1377cca5f4 r10810: This adds the hooks required to communicate the current user from the
authenticated session down into LDB.  This associates a session info
structure with the open LDB, allowing a future ldb_ntacl module to
allow/deny operations on that basis.

Along the way, I cleaned up a few things, and added new helper functions
to assist.  In particular the LSA pipe uses simpler queries for some of
the setup.

In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't
been worked on (other than making it continue to compile) since January,
and I think the features of this module are being put into ldb anyway.

I have also changed the partitions in ldap_server to be initialised
after the connection, with the private pointer used to associate the ldb
with the incoming session.

Andrew Bartlett
(This used to be commit fd7203789a)
2007-10-10 13:39:32 -05:00
Andrew Bartlett
39daa629ff r10764: To match Win2k3 SP1, we need to set an anonymous user token for
schannel connections.

Test for Win2k3 SP1 behaviour in RPC-SCHANNEL.

Andrew Bartlett
(This used to be commit 1c3911374e)
2007-10-10 13:39:28 -05:00
Andrew Bartlett
b5521a818f r10373: Fix segfault in LookupSids.
Andrew Bartlett
(This used to be commit ddc3a1c79e)
2007-10-10 13:38:33 -05:00
Andrew Bartlett
9b905c9f27 r9930: Use a single samdb_base_dn() function rather than lots of silly
searches all over the place.

This can be extended to cover an NT4 (no ADS) mode in future as well.

Andrew Bartlett
(This used to be commit 0761b22f99)
2007-10-10 13:36:23 -05:00
Günther Deschner
ad44611170 r9888: add IDL for lsa_QueryDomainInformationPolicy to query Kerberos Settings.
Guenther
(This used to be commit d717e878bd)
2007-10-10 13:36:20 -05:00
Jelmer Vernooij
b674411eb4 r9792: Rename StrCaseCmp -> strcasecmp_m. All these years I was thinking
StrCaseCmp was sys_strcasecmp, while it is in fact strcasecmp_m!
(This used to be commit 200a8f6652)
2007-10-10 13:35:01 -05:00
Simo Sorce
61aaf82b62 r9654: introduce the samdb_search_dn call
(This used to be commit 333ebb40d5)
2007-10-10 13:34:38 -05:00
Simo Sorce
ac90ddfdb2 r9392: Fix ldb_dn_compose to make build farm happy
Add ldb_dn_string_compose so that you can build a dn starting from a
struct ldb_dn base and a set of parameters to be composed in a format
string with the same syntax of printf
(This used to be commit 31c69d0655)
2007-10-10 13:33:33 -05:00
Simo Sorce
3e4c4cff21 r9391: Convert all the code to use struct ldb_dn to ohandle ldap like distinguished names
Provide more functions to handle DNs in this form
(This used to be commit 692e35b779)
2007-10-10 13:33:32 -05:00
Andrew Bartlett
e7d87f8538 r9011: Remove more references to "name" as a netbios name, using the
cross-reference instead.

Andrew Bartlett
(This used to be commit 0f7b1136f6)
2007-10-10 13:31:07 -05:00
Andrew Bartlett
639a8afce3 r8982: "name" is not the netbios name, but the RDN. Return the correct
netbios domain name of the host, as well as the sid from the cache we
fetched earlier.

Andrew Bartlett
(This used to be commit c847ca2cc8)
2007-10-10 13:31:03 -05:00
Andrew Bartlett
66b2a04346 r8790: Finish the migration of aliases and privilages with SamSync, by adding
templating support for foreignSecurityPrincipals to the samdb module.
This is an extension beyond what microsoft does, and has been very
useful :-)

The setup scripts have been modified to use the new template, as has
the SAMR and LSA code.

Other cleanups in LSA remove the assumption that the short domain name
is the first component of the realm.

Also add a lot of useful debug messages, to make it clear how/why the
SamSync may have gone wrong.  Many of these should perhaps be hooked
into an error string.

Andrew Bartlett
(This used to be commit 1f071b0609)
2007-10-10 13:30:05 -05:00
Andrew Bartlett
b16362fab6 r8700: Propmted by tridge's need to do plaintext auth in ejs, rework the
user_info strcture in auth/

This moves it to a pattern much like that found in ntvfs, with
functions to migrate between PAIN, HASH and RESPONSE passwords.

Instead of make_user_info*() functions, we simply fill in the control
block in the callers, per recent dicussions on the lists.  This
removed a lot of data copies as well as error paths, as we can grab
much of it with talloc.

Andrew Bartlett
(This used to be commit ecbd2235a3)
2007-10-10 13:29:55 -05:00
Andrew Tridgell
e835621799 r8520: fixed a pile of warnings from the build farm gcc -Wall output on
S390. This is an attempt to avoid the panic we're seeing in the
automatic builds.

The main fixes are:

 - assumptions that sizeof(size_t) == sizeof(int), mostly in printf formats

 - use of NULL format statements to perform dn searches.

 - assumption that sizeof() returns an int
(This used to be commit a58ea6b385)
2007-10-10 13:29:34 -05:00
Stefan Metzmacher
58d06f205e r8429: fix compiler warnings
metze
(This used to be commit b9ee581880)
2007-10-10 13:23:02 -05:00
Andrew Tridgell
bdee131f30 r7860: switch our ldb storage format to use a NDR encoded objectSid. This is
quite a large change as we had lots of code that assumed that
objectSid was a string in S- format.

metze and simo tried to convince me to use NDR format months ago, but
I didn't listen, so its fair that I have the pain of fixing all the
code now :-)

This builds on the ldb_register_samba_handlers() and ldif handlers
code I did earlier this week. There are still three parts of this
conversion I have not finished:

 - the ltdb index records need to use the string form of the objectSid
   (to keep the DNs sane). Until that it done I have disabled indexing on
   objectSid, which is a big performance hit, but allows us to pass
   all our tests while I rejig the indexing system to use a externally
   supplied conversion function

 - I haven't yet put in place the code that allows client to use the
   "S-xxx-yyy" form for objectSid in ldap search expressions. w2k3
   supports this, presumably by looking for the "S-" prefix to
   determine what type of objectSid form is being used by the client. I
   have been working on ways to handle this, but am not happy with
   them yet so they aren't part of this patch

 - I need to change pidl to generate push functions that take a
   "const void *" instead of a "void*" for the data pointer. That will
   fix the couple of new warnings this code generates.

Luckily it many places the conversion to NDR formatted records
actually simplified the code, as it means we no longer need as many
calls to dom_sid_parse_talloc(). In some places it got more complex,
but not many.
(This used to be commit d40bc2fa8d)
2007-10-10 13:18:44 -05:00
Simo Sorce
9189833a87 r7582: Better way to have a fast path searching for a specific DN.
Old way was ugly and had a bug, you couldn't add an attribute named
dn or distinguishedName and search for it, tdb would change that search in a dn search.
This makes it also possible to search by dn against an ldap server as the old method was
not supported by ldap syntaxes.

sss
(This used to be commit a614466dec)
2007-10-10 13:18:11 -05:00
Andrew Bartlett
79f6bcd5ae r5988: Fix the -P option (use machine account credentials) to use the Samba4
secrets system, and not the old system from Samba3.

This allowed the code from auth_domain to be shared - we now only
lookup the secrets.ldb in lib/credentials.c.

In order to link the resultant binary, samdb_search() has been moved
from deep inside rpc_server into lib/gendb.c, along with the existing
gendb_search_v().  The vast majority of this patch is the simple
rename that followed,

(Depending on the whole SAMDB for just this function seemed pointless,
and brought in futher dependencies, such as smbencrypt.c).

Andrew Bartlett
(This used to be commit e13c671619)
2007-10-10 13:11:12 -05:00
Simo Sorce
b1b14817ea r5585: LDB interfaces change:
changes:
- ldb_wrap disappears from code and become a private structure of db_wrap.c
  thanks to our move to talloc in ldb code, we do not need to expose it anymore

- removal of ldb_close() function form the code
  thanks to our move to talloc in ldb code, we do not need it anymore
  use talloc_free() to close and free an ldb database

- some minor updates to ldb modules code to cope with the change and fix some
  bugs I found out during the process
(This used to be commit d58be9e74b)
2007-10-10 13:10:55 -05:00
Andrew Tridgell
a5bd1ccada r5307: removed db_wrap.h from includes.h
(This used to be commit 826baec7b3)
2007-10-10 13:09:40 -05:00
Andrew Tridgell
759da3b915 r5037: got rid of all of the TALLOC_DEPRECATED stuff. My apologies for the
large commit. I thought this was worthwhile to get done for
consistency.
(This used to be commit ec32b22ed5)
2007-10-10 13:09:15 -05:00
Andrew Tridgell
3dd17f1288 r5034: - added a type mapping function in pidl, so the type names in our IDL
files don't need to match the type names in the generated headers

- with this type mapping we no longer need definitions for the
  deprecated "int32", "uint8" etc form of types. We can now force
  everyone to use the standard types int32_t, uint8_t etc.

- fixed all the code that used the deprecated types

- converted the IDL types "int64" and "uint64" to "dlong" and
  "udlong". These are the 4 byte aligned 64 bit integers that
  Microsoft internally define as two 32 bit integers in a
  structure. After discussions with Ronnie Sahlberg we decided that
  calling these "int64" was confusing, as it implied a true 8 byte
  aligned type

- fixed all the cases where we incorrectly used things like
  "NTTIME_hyper" in our C code. The generated API now uses a NTTIME for
  those. The fact that it is hyper-aligned on the wire is not relevant
  to the API, and should remain just a IDL property
(This used to be commit f86521677d)
2007-10-10 13:09:15 -05:00
Andrew Bartlett
7588b41e15 r4713: Add initial support for QueryTrustedDomainInfo on LSA.
(more info levels to come)

Andrew Bartlett
(This used to be commit 175ae7599e)
2007-10-10 13:08:47 -05:00
Andrew Bartlett
e54964c618 r4703: Add support for EnumTrustDomain, and expand the testsuite.
Add my copyright to the SAMR server.

Andrew Bartlett
(This used to be commit 51e94fa26c)
2007-10-10 13:08:45 -05:00
Andrew Bartlett
c0571f6234 r4698: - Initial implementation of trusted domains in LSA.
- Use templates for Secrets and the new trusted domains

 - Auto-add modifiedTime, createdTime and objectGUID to records in the
   samdb layer.

Andrew Bartlett
(This used to be commit 271c8faadf)
2007-10-10 13:08:44 -05:00
Andrew Bartlett
9eaf1b45c0 r4695: Leave less memory handing around on long-term TALLOC_CTX.
Add lsa_Delete() support for secrets.

Andrew Bartlett
(This used to be commit be4cd59f33)
2007-10-10 13:08:44 -05:00
Andrew Bartlett
4e052c1704 r4694: 'fix' the behaviour for setting only the old, but not the new secret.
(The behaviour is a little odd, but we wanted bug-for-bug, right? :-)

Andrew Bartlett
(This used to be commit 6a09a84320)
2007-10-10 13:08:44 -05:00
Andrew Bartlett
a249198d53 r4682: A LDB-based secrets implementation in Samba4.
This uses LDB (a local secrets.ldb and the global samdb) to fill out
the secrets from an LSA perspective.

Some small changes to come, but the bulk of the work is now done.

A re-provision is required after this change.

Andrew Bartlett
(This used to be commit ded3303352)
2007-10-10 13:08:42 -05:00
Andrew Tridgell
577218b2ad r4640: first stage in the server side support for multiple context_ids on one pipe
this stage does the following:

 - simplifies the dcerpc_handle handling, and all the callers of it

 - split out the context_id depenent state into a linked list of established contexts

 - fixed some talloc handling in several rpc servers that i noticed while doing the above
(This used to be commit fde042b3fc)
2007-10-10 13:08:38 -05:00
Stefan Metzmacher
46a32687da r4620: - add interface functions to the auth subsystem so that callers doesn't need to
use function pointers anymore
- make the module init much easier
- a lot of cleanups

don't try to read the diff in auth/ better read the new files

it passes test_echo.sh and test_rpc.sh

abartlet: please fix spelling fixes

metze
(This used to be commit 3c0d16b823)
2007-10-10 13:08:34 -05:00
Andrew Tridgell
42cf0af758 r4563: fixed lsa_EnumAccounts() server side to return all accounts that have privileges, as
volker discovered
(This used to be commit 09edc31f3b)
2007-10-10 13:08:28 -05:00
Andrew Tridgell
90a322f6d7 r4447: implement server side of lsa_LookupSids3() and lsa_LookupNames3()
(This used to be commit e535f84504)
2007-10-10 13:07:51 -05:00
Andrew Tridgell
e046e9dd73 r4433: added the boilerplate for the new w2k3 LSA functions in preparation
for adding LookupSids3 (needed for ACL editing from w2k3)
(This used to be commit 745bbc0e17)
2007-10-10 13:07:49 -05:00
Volker Lendecke
6f2e88a09c r4416: [in,out] variables do have an r->out component...
Volker
(This used to be commit 97247c9029)
2007-10-10 13:07:46 -05:00
Stefan Metzmacher
5b07d37110 r4340: - simplify lsa_GetUserName() server code,
we don't need to do db lookups as we already known who the user is

metze
(This used to be commit cef0d1eb29)
2007-10-10 13:07:36 -05:00
Stefan Metzmacher
a86387d42c r4323: - implement the lsa_GetUserName() server call
- give lsa_lookup_sid() a chance with foreign SIDS
  returning NT_STATUS_NO_MEMORY makes no sense here
  as the ldb_msg_find_string() doesn't allocate the string

metze
(This used to be commit b43f34e873)
2007-10-10 13:07:35 -05:00
Andrew Tridgell
2057121d14 r4283: adding a privilege that an account already has is not an error
(This used to be commit 2a4c562896)
2007-10-10 13:07:31 -05:00
Andrew Tridgell
134769f9ad r4280: added server side support for lsa_AddPrivilegesToAccount() and lsa_RemovePrivilegesFromAccount()
these are the last of the server side privileges functions. We should
now have a complete privileges implementation.
(This used to be commit 76db300232)
2007-10-10 13:07:31 -05:00
Andrew Tridgell
424844da32 r4278: - added server support for lsa_EnumPrivsAccount()
(This used to be commit a80c82d263)
2007-10-10 13:07:31 -05:00
Andrew Tridgell
9b3ea6dc4e r4277: - added server support for lsa_EnumAccounts()
- expanded the lsa test suite to better test lsa_EnumAccounts()
(This used to be commit bafdb17729)
2007-10-10 13:07:31 -05:00
Andrew Tridgell
c6a420fd1e r4276: added server side support for lsa_OpenAccount()
(This used to be commit 4716334502)
2007-10-10 13:07:30 -05:00
Andrew Tridgell
113cacf94c r4206: fixed a status code check in lsa_LookupNames2 that could cause a segv
(This used to be commit 31ab04f790)
2007-10-10 13:07:26 -05:00
Andrew Tridgell
4d545e09c8 r4202: added smbclient commands "addprivileges" and "delprivileges" for
easily adding/removing privileges from users
(This used to be commit 8764909c05)
2007-10-10 13:07:26 -05:00
Andrew Tridgell
916170d9dc r4199: - added server side code for lsa_RemoveAccountRights (sharing code
with lsa_AddAccountRights)
(This used to be commit 9bd806b7a2)
2007-10-10 13:07:25 -05:00
Andrew Tridgell
463ba76d44 r4198: - added server side code for lsa_AddAccountRights
(This used to be commit ba87142586)
2007-10-10 13:07:25 -05:00
Andrew Tridgell
c80d77cdb8 r4196: - added server side code for lsa_LookupPrivDisplayName
- added english descriptions of privileges. We should add other
  languages in the future.
(This used to be commit 3eee8b7c13)
2007-10-10 13:07:25 -05:00
Andrew Tridgell
02f7d260a2 r4195: added IDL, test suite and server side code for lsa_LookupPrivValue
(This used to be commit 7bddd47403)
2007-10-10 13:07:25 -05:00
Andrew Tridgell
9927ffd600 r4194: added server side implementation of lsa_EnumPrivs
(This used to be commit 7107320332)
2007-10-10 13:07:24 -05:00
Andrew Tridgell
8a3d15127b r4193: added server side implementation of lsa_EnumAccountsWithUserRight
(This used to be commit 5088a6cbf7)
2007-10-10 13:07:24 -05:00
Andrew Tridgell
7b7c26cfce r4192: added server side implementation of lsa_EnumAccountRights
the "privilege" command in smbclient now works against Samba4
(This used to be commit 8a3f265050)
2007-10-10 13:07:24 -05:00
Andrew Tridgell
c33283df20 r4012: split out the lsa lookup single name logic into a separate function
(This used to be commit 44d9761962)
2007-10-10 13:06:14 -05:00
Andrew Tridgell
f11aa23296 r3994: - removed the unused reference count code in lsa server
- fixed the sid_index field in lsa LookupSids and LookupNames
(This used to be commit 677f701e71)
2007-10-10 13:06:12 -05:00
Andrew Tridgell
b393de7f05 r3992: provide hooks for lsa to lookup sids allocated using the linear id->sid mapping
(This used to be commit e611405109)
2007-10-10 13:06:11 -05:00
Andrew Tridgell
56ea10795c r3980: added server side support for lsa_LookupNames() and lsa_LookupNames2()
(This used to be commit da12780bd9)
2007-10-10 13:06:10 -05:00
Andrew Tridgell
20c0900edb r3979: added server side code for lsa_LookupSids2() and fixed authority_name
return code to include our own domain.

editing of ACLs via the w2k3 GUI works nicely (and faster) with these changes
(This used to be commit a3f7f34b39)
2007-10-10 13:06:10 -05:00
Andrew Bartlett
88baaee093 r3917: A few more LSA RPCs found in my wanderings (for trusted domains, these
seem to be 'shortcut' RPCs, that just avoid an open/query pair).

Rename a few others to give us a slightly sensible pattern.

Andrew Bartlett
(This used to be commit d6a7ab57e7)
2007-10-10 13:06:05 -05:00
Andrew Bartlett
b6b61cec79 r3907: * Rename lsa_Name to lsa_String
* Add new IDL to LSA, to query information about trusted domains (for
  cross-check with SamSync).

Andrew Bartlett
(This used to be commit 174c077842)
2007-10-10 13:06:04 -05:00
Andrew Bartlett
be7a3e3ce0 r3904: * Add new LSA calls to open trusted domains
* Add new tests for ACCOUNTs in SamSync

* Clean up names in NETLOGON and LSA

* Verify Security Descriptors against LSA, as well as SamR

Andrew Bartlett
(This used to be commit 7094502fe0)
2007-10-10 13:06:03 -05:00
Andrew Tridgell
9b6c08a0d1 r3837: added support for LsaLookupSids in the LSA rpc server. This allows the GUI ACL editor on w2k to
correctly display names instead of SIDs.
(This used to be commit fdaa753578)
2007-10-10 13:05:58 -05:00
Andrew Tridgell
c051779a0a r3468: split out dcerpc_server.h
(This used to be commit 729e0026e4)
2007-10-10 13:05:17 -05:00
Andrew Tridgell
90067934cd r3428: switched to using minimal includes for the auto-generated RPC code.
The thing that finally convinced me that minimal includes was worth
pursuing for rpc was a compiler (tcc) that failed to build Samba due
to reaching internal limits of the size of include files. Also the
fact that includes.h.gch was 16MB, which really seems excessive. This
patch brings it back to 12M, which is still too large, but
better. Note that this patch speeds up compile times for both the pch
and non-pch case.

This change also includes the addition iof a "depends()" option in our
IDL files, allowing you to specify that one IDL file depends on
another. This capability was needed for the auto-includes generation.
(This used to be commit b8f5fa8ac8)
2007-10-10 13:05:09 -05:00
Andrew Tridgell
159f81ee32 r2635: mem_ctx cleanups on the lsa and netlogon pipes in the rpc server
(This used to be commit 1ee5ed4197)
2007-10-10 12:59:15 -05:00
Andrew Tridgell
ede02ee038 r2051: switched the samdb over to using the new destructor and reference
count features of talloc, instead of re-implementing both those
features inside of samdb (which is what we did before).

This makes samdb considerably simpler, and also fixes some bugs, as I
found some error paths that didn't call samdb_close(). Those are now
handled by the fact that a talloc_free() will auto-close and destroy
the samdb context, using a destructor.
(This used to be commit da60987a92)
2007-10-10 12:58:21 -05:00
Volker Lendecke
6706ba5bb4 r1814: Fix the build.
Tridge, in rpc_epmapper.c there's a whole bunch of "return
NT_STATUS_NOT_IMPLEMENTED". You told me that's wrong, you should generate the
correct fault pdu. Or is epmapper special in that respect?

Volker
(This used to be commit 48df39c133)
2007-10-10 12:57:58 -05:00
Andrew Tridgell
7f3d4cc980 r919: - added lsa_QueryInfoPolicy2() to IDL, test suite and server
- added lsa_OpenPolicy2() to server

- added guid handling in samdb

- added a couple more info policy levels in lsa server

- added some DNS info in the provisioning template and script

With the above changes WinXP professional can join a Samba4 domain
(This used to be commit d6dca96352)
2007-10-10 12:56:20 -05:00
Andrew Tridgell
db3c011977 r917: - added the start of a LSA server to samba4.
- added start of QueryDomainInfo in samr server

"net rpc info" from samba3 now works against a samba4 server. I
suspect join will work fairly soon.
(This used to be commit 0a2c6a1062)
2007-10-10 12:56:19 -05:00