IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
also needed to use start index properly and generate next index.
both client and server code need to recognise error code 0x105
when there's not enough room to store all the users in one call.
sort this out another time.
LsaLookupNames being incorrect. this is a bit wierd: why would the
lsass.exe on the nt _client_ crash due to an LsaLookupNames response
from a samba _server_?
attempt at taking lib/uid.c and getting a unix security context
change module that is independent of "cnums" and "snums".
a security context is needed for pipes, not just IPC$ or other
services.
- group database API
added add_group/alias_member, del_group/alias_member,
del_group/alias_entry functions. del_builtin_entry() is
deliberately set to NULL to cause an exception, you cannot
delete builtin aliases.
- parse_lsa.c srv_lsa.c
fixed lookup_names code, it was a load of trash and didn't do
anything.
- cmd_samr.c rpcclient.c srv_samr.c
added "deletegroup", "deletealias", "delaliasmem", "delgroupmem",
"addgroupmem", "addaliasmem", "createalias", "creategroup", to
both client and server code.
server code calls into unix stubs right now, which don't actually
do anything. the only instance where they are expected to do
anything is in appliance mode NOT even in the ldap code or anything.
client code modified to call samr_lookup_names() for group code
(because we can) and lsa_lookup_names() for alias code (because
we have to).
- srv_lookup.c
oops, lookup on unsplit name, we got lookup on DOMAIN, DOMAIN\name
instead of DOMAIN, name.
- samr_enum_dom_users, the first 4 bytes is some sort of garbage,
nt5-beta2 clears them out to zeros whereas nt4 does not.
fixed bug where we were assuming that the first 4 bytes of a
response _had_ to be non-zero.
- cli_lsarpc.c: forgot to append the rid on the lsa_lookup_names()
client call.
- added in "addaliasmem" and "addgroupmem" commands. the addaliasmem
command actually turned out to be a "delaliasmem" :-) :-)
- parse_lsa.c: moved assert array check to after the size of useable
array space is set...
- renamed do_lsa_xxx to lsa_xxx
- added "enumgroups [-m]" command, enumerates groups, shows members.
- added cmd_sam_add_groupmem(), need to call these in rpcclient.c
- added cmd_sam_add_aliasmem(), need to call these in rpcclient.c
- modified "enumaliases [-m]" command
- improved "enumgroups" and "enumaliases" to display names not just RIDS/SIDs.
- renamed "samr_unknown_12" to "samr_lookup_rids".
- added the following client-side functions:
get_samr_query_groupmem()
get_samr_query_aliasmem()
get_samr_query_groupinfo()
samr_enum_dom_groups()
samr_enum_dom_aliases()
samr_add_aliasmem()
samr_add_groupmem()
- improved display output (display.c)
samr_query_aliasmembers (cool!)
util_pwdb.c sids.c nmbd.c server.c smbpasswd.c swat.c :
pwdb_initialise(BOOL is_server) now creates / reads DOMAIN_NAME.SID
if is_server is True, and does LsaQueryInfoPolicy(levels 3 and 5)
to obtain member and pdc sids.
i may simply go for a response in the NetSamLogon returning the
unix username, forcing the NT user to appear to be a unix user,
however even that is fraught with implications.
might just have to go the whole hog and do this tuple thing,
"unix_name + nt_name" always associated together...
issue with api_net_sam_logon, getsam21pwent() being called twice,
the second time overwriting static buffer data (argh) so had to
make a copy.
noticed a nested "become_root()"/"unbecome_root()" which will have
to be tracked down...
- lib/sids.c:
generate_sam_sid() modified to take a domain name: it now
generates "DOMAIN_NAME.SID". reasons:
1) if you run multiple samba servers on the same machine
under different netbios names as members of a domain,
they won't all use the same SID, which is a _big_ mistake
but it would happen _by default_.
2) we have (had) a problem with sid_to_string() and string_to_sid()
which cause SIDs to be incorrectly read. one of the major
reasons for *NOT* making this change was so as not to disrupt
existing users. but as they will be anyway by this bug,
we might as well go ahead.
- passdb/smbpass.c:
wanted to change the meaning of the name in the smbpasswd
file to an "nt" name not a "unix" name. this is probably
not a good idea: reverted this.
- output formatting / bug-fixing in rpcclient query_useraliases code.
- split sam_passwd and smb_passwd into separate higher-order function tables
- renamed struct smb_passwd's "smb_user" to "unix_user". added "nt_user"
plus user_rid, and added a "wrap" function in both sam_passwd and smb_passwd
password databases to fill in the blank entries that are not obtained
from whatever password database API instance is being used.
NOTE: whenever a struct smb_passwd or struct sam_passwd is used, it MUST
be initialised with pwdb_sam_init() or pwd_smb_init(), see chgpasswd.c
for the only example outside of the password database APIs i could find.
- added query_useraliases code to rpcclient.
- dealt with some nasty interdependencies involving non-smbd programs
and the password database API. this is still not satisfactorily
resolved completelely, but it's the best i can do for now.
- #ifdef'd out some password database options so that people don't
mistakenly set them unless they recompile to _use_ those options.
lots of debugging done, it's still not finished. the unix/NT uid/gid
and user-rid/group-rid issues are better, but not perfect. the "BUILTIN"
domain is still missing: users cannot be added to "BUILTIN" groups yet,
as we only have an "alias" db API and a "group" db API but not "builtin-alias"
db API...
now need search capability on S-1-5-20, which will need argh, a
"group database API" on S-1-5-20, and the ability to add BUILTIN\Admins
etc to "local group map" argh.
Tidied up some of the mess (no other word for it). Still doesn't
compile cleanly. There are calls with incorrect parameters that
don't seem to be doing the right thing.
This code still needs surgery :-(.
Jeremy.
the pre-alpha "domain group" etc parameters have disappeared.
- interactive debug detection
- re-added mem_man (andrew's memory management, detects memory corruption)
- american spellings of "initialise" replaced with english spelling of
"initialise".
- started on "lookup_name()" and "lookup_sid()" functions. proper ones.
- moved lots of functions around. created some modules of commonly used
code. e.g the password file locking code, which is used in groupfile.c
and aliasfile.c and smbpass.c
- moved RID_TYPE_MASK up another bit. this is really unfortunate, but
there is no other "fast" way to identify users from groups from aliases.
i do not believe that this code saves us anything (the multipliers)
and puts us at a disadvantage (reduces the useable rid space).
the designers of NT aren't silly: if they can get away with a user-
interface-speed LsaLookupNames / LsaLookupSids, then so can we. i
spoke with isaac at the cifs conference, the only time for example that
they do a security context check is on file create. certainly not on
individual file reads / writes, which would drastically hit their
performance and ours, too.
- renamed myworkgroup to global_sam_name, amongst other things, when used
in the rpc code. there is also a global_member_name, as we are always
responsible for a SAM database, the scope of which is limited by the role
of the machine (e.g if a member of a workgroup, your SAM is for _local_
logins only, and its name is the name of your server. you even still
have a SID. see LsaQueryInfoPolicy, levels 3 and 5).
- updated functionality of groupname.c to be able to cope with names
like DOMAIN\group and SERVER\alias. used this code to be able to
do aliases as well as groups. this code may actually be better
off being used in username mapping, too.
- created a connect to serverlist function in clientgen.c and used it
in password.c
- initialisation in server.c depends on the role of the server. well,
it does now.
- rpctorture. smbtorture. EXERCISE EXTREME CAUTION.
changes from yesterday by me, jeremy and andrew.
jeremy, your ACB_PWNOTREQ mod would have caused a crash if the user
didn't exist (first check should be for smb_pass != NULL)
client/client.c:
client/clitar.c:
include/client.h:
smbwrapper/smbw_dir.c:
smbwrapper/smbw_stat.c:
smbwrapper/smbw.c:
lib/util.c: Converted all use of 'mode' to uint16.
smbd/quotas.c: Fixed stupid comment bug I put in there :-(.
printing/printing.c: Fix from J.F. to new code.
Jeremy.
